maunium
diff --git a/‎.github/workflows/go.yml‎
Lines changed: 6 additions & 2 deletions b/‎.github/workflows/go.yml‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎.gitlab-ci.yml‎
Lines changed: 1 addition & 0 deletions b/‎.gitlab-ci.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 2 additions & 1 deletion b/‎README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cmd/meowlnir/antispam.go‎
Lines changed: 32 additions & 1 deletion b/‎cmd/meowlnir/antispam.go‎
Lines changed: 32 additions & 1 deletion
diff --git a/‎cmd/meowlnir/botmanagement.go‎
Lines changed: 51 additions & 17 deletions b/‎cmd/meowlnir/botmanagement.go‎
Lines changed: 51 additions & 17 deletions
diff --git a/‎cmd/meowlnir/http.go‎
Lines changed: 19 additions & 15 deletions b/‎cmd/meowlnir/http.go‎
Lines changed: 19 additions & 15 deletions
diff --git a/‎cmd/meowlnir/main.go‎
Lines changed: 14 additions & 10 deletions b/‎cmd/meowlnir/main.go‎
Lines changed: 14 additions & 10 deletions
@@ -11,8 +11,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: ["1.23", "1.24"]
-    name: Lint ${{ matrix.go-version == '1.24' && '(latest)' || '(old)' }}
+        go-version: ["1.24", "1.25"]
+    name: Lint ${{ matrix.go-version == '1.25' && '(latest)' || '(old)' }}
 
     steps:
       - uses: actions/checkout@v4
@@ -32,5 +32,9 @@ jobs:
           go install honnef.co/go/tools/cmd/staticcheck@latest
           export PATH="$HOME/go/bin:$PATH"
 
+      - name: Enable jsonv2
+        run: export GOEXPERIMENT=jsonv2
+        if: matrix.go-version == '1.25'
+
       - name: Run pre-commit
         uses: pre-commit/action@v3.0.1
@@ -4,3 +4,4 @@ include:
 
 variables:
   BINARY_NAME: meowlnir
+  GOEXPERIMENT: jsonv2
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
         exclude_types: [markdown]
@@ -9,7 +9,7 @@ repos:
       - id: check-added-large-files
 
   - repo: https://github.com/tekwizely/pre-commit-golang
-    rev: v1.0.0-rc.1
+    rev: v1.0.0-rc.2
     hooks:
       - id: go-imports-repo
         args:
 
@@ -1,3 +1,17 @@
+# v0.7.0 (2025-08-16)
+
+* Bumped minimum Go version to 1.24.
+* Added support for creator power in room v12.
+* Added appservice ping at startup to ensure homeserver -> meowlnir connection
+  works similar to what bridges do.
+* Added support for `federated_user_may_invite` callback and [MSC4311].
+* Added custom API for querying policy lists that Meowlnir has cached.
+* Fixed various bugs in experimental built-in policy server.
+  * Note that the policy server is not considered stable yet, so it should
+    not be used in production.
+
+[MSC4311]: https://github.com/matrix-org/matrix-spec-proposals/pull/4311
+
 # v0.6.0 (2025-06-16)
 
 * Added experimental built-in policy server as per [MSC4284]
 
@@ -1,6 +1,7 @@
 # Meowlnir
 An opinionated Matrix moderation bot. Optimized for Synapse, but works with
-other server implementations to some extent.
+other server implementations to some extent. Not a fork of Mjolnir/Draupnir
+despite the similar name.
 
 ## Documentation
 All setup and usage instructions are located on [docs.mau.fi](https://docs.mau.fi/meowlnir/).
 
@@ -8,6 +8,7 @@ import (
 	"github.com/rs/zerolog/hlog"
 	"go.mau.fi/util/exhttp"
 	"maunium.net/go/mautrix"
+	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/id"
 )
 
@@ -17,6 +18,10 @@ type ReqUserMayInvite struct {
 	Room    id.RoomID `json:"room_id"`
 }
 
+type ReqFederatedUserMayInvite struct {
+	Event *event.Event `json:"event"`
+}
+
 type ReqUserMayJoinRoom struct {
 	UserID    id.UserID `json:"user"`
 	RoomID    id.RoomID `json:"room"`
@@ -33,6 +38,8 @@ func (m *Meowlnir) PostCallback(w http.ResponseWriter, r *http.Request) {
 	switch cbType {
 	case "user_may_invite":
 		m.PostUserMayInvite(w, r)
+	case "federated_user_may_invite":
+		m.PostFederatedUserMayInvite(w, r)
 	case "accept_make_join":
 		m.PostAcceptMakeJoin(w, r)
 	case "user_may_join_room":
@@ -114,7 +121,31 @@ func (m *Meowlnir) PostUserMayInvite(w http.ResponseWriter, r *http.Request) {
 		mautrix.MNotFound.WithMessage("Antispam configuration issue: policy list not found").Write(w)
 		return
 	}
-	errResp := mgmtRoom.HandleUserMayInvite(r.Context(), req.Inviter, req.Invitee, req.Room)
+	errResp := mgmtRoom.HandleUserMayInvite(r.Context(), req.Inviter, req.Invitee, req.Room, "")
+	if errResp != nil {
+		errResp.Write(w)
+	} else {
+		exhttp.WriteEmptyJSONResponse(w, http.StatusOK)
+	}
+}
+
+func (m *Meowlnir) PostFederatedUserMayInvite(w http.ResponseWriter, r *http.Request) {
+	var req ReqFederatedUserMayInvite
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		hlog.FromRequest(r).Err(err).Msg("Failed to parse request body")
+		mautrix.MNotJSON.WithMessage("Antispam request error: invalid JSON").Write(w)
+		return
+	}
+
+	m.MapLock.RLock()
+	mgmtRoom, ok := m.EvaluatorByManagementRoom[id.RoomID(r.PathValue("policyListID"))]
+	m.MapLock.RUnlock()
+	if !ok {
+		mautrix.MNotFound.WithMessage("Antispam configuration issue: policy list not found").Write(w)
+		return
+	}
+	errResp := mgmtRoom.HandleFederatedUserMayInvite(r.Context(), req.Event)
 	if errResp != nil {
 		errResp.Write(w)
 	} else {
 
@@ -11,11 +11,13 @@ import (
 
 	"github.com/rs/zerolog/hlog"
 	"go.mau.fi/util/exhttp"
+	"go.mau.fi/util/exslices"
 	"go.mau.fi/util/ptr"
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/id"
 
 	"go.mau.fi/meowlnir/database"
+	"go.mau.fi/meowlnir/policylist"
 	"go.mau.fi/meowlnir/util"
 )
 
@@ -39,26 +41,24 @@ type RespGetBots struct {
 	Bots []*RespBot `json:"bots"`
 }
 
-func (m *Meowlnir) ManagementAuth(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		authHash := util.SHA256String(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
-		if !hmac.Equal(authHash[:], m.ManagementSecret[:]) {
-			mautrix.MUnknownToken.WithMessage("Invalid management secret").Write(w)
-			return
-		}
-		next.ServeHTTP(w, r)
-	})
+func disabledAPI(w http.ResponseWriter, r *http.Request) {
+	mautrix.MUnknownToken.WithMessage("This API is disabled").Write(w)
 }
 
-func (m *Meowlnir) AntispamAuth(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		authHash := util.SHA256String(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
-		if !hmac.Equal(authHash[:], m.AntispamSecret[:]) {
-			mautrix.MUnknown.WithMessage("Invalid antispam secret").Write(w)
-			return
+func SecretAuth(secret *[32]byte) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		if secret == nil {
+			return http.HandlerFunc(disabledAPI)
 		}
-		next.ServeHTTP(w, r)
-	})
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			authHash := util.SHA256String(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
+			if !hmac.Equal(authHash[:], secret[:]) {
+				mautrix.MUnknownToken.WithMessage("Invalid authorization token").Write(w)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
 }
 
 func (m *Meowlnir) GetBots(w http.ResponseWriter, r *http.Request) {
@@ -273,3 +273,37 @@ func (m *Meowlnir) PutManagementRoom(w http.ResponseWriter, r *http.Request) {
 		exhttp.WriteEmptyJSONResponse(w, http.StatusOK)
 	}
 }
+
+func getPolicyListIDs(r *http.Request) []id.RoomID {
+	listIDs := exslices.CastFuncFilter(r.URL.Query()["list_id"], func(s string) (id.RoomID, bool) {
+		return id.RoomID(s), strings.HasPrefix(s, "!")
+	})
+	if len(listIDs) == 0 {
+		listIDs = nil
+	}
+	return listIDs
+}
+
+func (m *Meowlnir) MatchPolicy(w http.ResponseWriter, r *http.Request) {
+	entityType := policylist.EntityType(r.PathValue("entityType"))
+	entity := r.PathValue("entity")
+	if !entityType.IsValid() {
+		mautrix.MInvalidParam.WithMessage("Invalid entity type").Write(w)
+		return
+	}
+	match := m.PolicyStore.Match(getPolicyListIDs(r), entityType, entity)
+	exhttp.WriteJSONResponse(w, http.StatusOK, match)
+}
+
+func (m *Meowlnir) ListPolicies(w http.ResponseWriter, r *http.Request) {
+	entityType := policylist.EntityType(r.PathValue("entityType"))
+	if !entityType.IsValid() {
+		mautrix.MInvalidParam.WithMessage("Invalid entity type").Write(w)
+		return
+	} else if entityType != policylist.EntityTypeServer {
+		mautrix.MInvalidParam.WithMessage("Only server policies can be listed").Write(w)
+		return
+	}
+	rules := m.PolicyStore.ListServerRules(getPolicyListIDs(r))
+	exhttp.WriteJSONResponse(w, http.StatusOK, rules)
+}
@@ -2,7 +2,6 @@ package main
 
 import (
 	"net/http"
-	"slices"
 
 	"github.com/rs/zerolog/hlog"
 	"go.mau.fi/util/exhttp"
@@ -14,7 +13,8 @@ func (m *Meowlnir) AddHTTPEndpoints() {
 	clientRouter.HandleFunc("POST /v3/rooms/{roomID}/report/{eventID}", m.PostReport)
 	clientRouter.HandleFunc("POST /v3/rooms/{roomID}/report", m.PostReport)
 	clientRouter.HandleFunc("POST /v3/users/{userID}/report", m.PostReport)
-	m.AS.Router.PathPrefix("/_matrix/client").Handler(applyMiddleware(
+
+	m.AS.Router.Handle("/_matrix/client/", exhttp.ApplyMiddleware(
 		http.StripPrefix("/_matrix/client", clientRouter),
 		hlog.NewHandler(m.Log.With().Str("component", "reporting api").Logger()),
 		hlog.RequestIDHandler("request_id", "X-Request-ID"),
@@ -26,7 +26,7 @@ func (m *Meowlnir) AddHTTPEndpoints() {
 	policyServerRouter := http.NewServeMux()
 	policyServerRouter.HandleFunc("POST /unstable/org.matrix.msc4284/event/{event_id}/check", m.PostMSC4284EventCheck)
 
-	m.AS.Router.PathPrefix("/_matrix/policy").Handler(applyMiddleware(
+	m.AS.Router.Handle("/_matrix/policy/", exhttp.ApplyMiddleware(
 		http.StripPrefix("/_matrix/policy", policyServerRouter),
 		hlog.NewHandler(m.Log.With().Str("component", "policy server").Logger()),
 		hlog.RequestIDHandler("request_id", "X-Request-ID"),
@@ -36,33 +36,37 @@ func (m *Meowlnir) AddHTTPEndpoints() {
 
 	antispamRouter := http.NewServeMux()
 	antispamRouter.HandleFunc("POST /{policyListID}/{callback}", m.PostCallback)
-	m.AS.Router.PathPrefix("/_meowlnir/antispam").Handler(applyMiddleware(
+	m.AS.Router.Handle("/_meowlnir/antispam/", exhttp.ApplyMiddleware(
 		http.StripPrefix("/_meowlnir/antispam", antispamRouter),
 		hlog.NewHandler(m.Log.With().Str("component", "antispam api").Logger()),
 		hlog.RequestIDHandler("request_id", "X-Request-ID"),
 		requestlog.AccessLogger(requestlog.Options{TrustXForwardedFor: true}),
-		m.AntispamAuth,
+		SecretAuth(m.loadSecret(m.Config.Antispam.Secret)),
+	))
+
+	dataRouter := http.NewServeMux()
+	dataRouter.HandleFunc("GET /v1/match/{entityType}/{entity}", m.MatchPolicy)
+	dataRouter.HandleFunc("GET /v1/list/{entityType}", m.ListPolicies)
+	m.AS.Router.Handle("/_meowlnir/data/", exhttp.ApplyMiddleware(
+		http.StripPrefix("/_meowlnir/data", dataRouter),
+		hlog.NewHandler(m.Log.With().Str("component", "data api").Logger()),
+		hlog.RequestIDHandler("request_id", "X-Request-ID"),
+		exhttp.CORSMiddleware,
+		requestlog.AccessLogger(requestlog.Options{TrustXForwardedFor: true}),
+		SecretAuth(m.loadSecret(m.Config.Meowlnir.DataSecret)),
 	))
 
 	managementRouter := http.NewServeMux()
 	managementRouter.HandleFunc("GET /v1/bots", m.GetBots)
 	managementRouter.HandleFunc("PUT /v1/bot/{username}", m.PutBot)
 	managementRouter.HandleFunc("POST /v1/bot/{username}/verify", m.PostVerifyBot)
 	managementRouter.HandleFunc("PUT /v1/management_room/{roomID}", m.PutManagementRoom)
-	m.AS.Router.PathPrefix("/_meowlnir").Handler(applyMiddleware(
+	m.AS.Router.Handle("/_meowlnir/", exhttp.ApplyMiddleware(
 		http.StripPrefix("/_meowlnir", managementRouter),
 		hlog.NewHandler(m.Log.With().Str("component", "management api").Logger()),
 		hlog.RequestIDHandler("request_id", "X-Request-ID"),
 		exhttp.CORSMiddleware,
 		requestlog.AccessLogger(requestlog.Options{TrustXForwardedFor: true}),
-		m.ManagementAuth,
+		SecretAuth(m.loadSecret(m.Config.Meowlnir.ManagementSecret)),
 	))
 }
-
-func applyMiddleware(router http.Handler, middleware ...func(http.Handler) http.Handler) http.Handler {
-	slices.Reverse(middleware)
-	for _, m := range middleware {
-		router = m(router)
-	}
-	return router
-}
 
@@ -58,20 +58,22 @@ type Meowlnir struct {
 	EventProcessor *appservice.EventProcessor
 	PolicyServer   *policyeval.PolicyServer
 
-	ManagementSecret [32]byte
-	AntispamSecret   [32]byte
-
 	PolicyStore               *policylist.Store
 	MapLock                   sync.RWMutex
 	Bots                      map[id.UserID]*bot.Bot
 	EvaluatorByProtectedRoom  map[id.RoomID]*policyeval.PolicyEvaluator
 	EvaluatorByManagementRoom map[id.RoomID]*policyeval.PolicyEvaluator
 	HackyAutoRedactPatterns   []glob.Glob
 
+	appservicePingOnce sync.Once
+
 	RoomHashes *roomhash.Map
 }
 
-func (m *Meowlnir) loadSecret(secret string) [32]byte {
+func (m *Meowlnir) loadSecret(secret string) *[32]byte {
+	if len(secret) == 0 || (strings.Contains(secret, "disable") && len(secret) < 10) {
+		return nil
+	}
 	if strings.HasPrefix(secret, "sha256:") {
 		var decoded []byte
 		var err error
@@ -83,9 +85,9 @@ func (m *Meowlnir) loadSecret(secret string) [32]byte {
 			m.Log.WithLevel(zerolog.FatalLevel).Msg("Secret hash is not 32 bytes long")
 			os.Exit(10)
 		}
-		return [32]byte(decoded)
+		return (*[32]byte)(decoded)
 	}
-	return util.SHA256String(secret)
+	return ptr.Ptr(util.SHA256String(secret))
 }
 
 func (m *Meowlnir) Init(configPath string, noSaveConfig bool) {
@@ -110,9 +112,6 @@ func (m *Meowlnir) Init(configPath string, noSaveConfig bool) {
 		Str("go_version", runtime.Version()).
 		Msg("Initializing Meowlnir")
 
-	m.ManagementSecret = m.loadSecret(m.Config.Meowlnir.ManagementSecret)
-	m.AntispamSecret = m.loadSecret(m.Config.Antispam.Secret)
-
 	var mainDB, synapseDB *dbutil.Database
 	mainDB, err = dbutil.NewFromConfig("meowlnir", m.Config.Database, dbutil.ZeroLogger(m.Log.With().Str("db_section", "main").Logger()))
 	if err != nil {
@@ -222,6 +221,9 @@ func (m *Meowlnir) initBot(ctx context.Context, db *database.Bot) *bot.Bot {
 	if wrapped.CryptoHelper != nil {
 		wrapped.CryptoHelper.CustomPostDecrypt = m.HandleMessage
 	}
+	m.appservicePingOnce.Do(func() {
+		intent.EnsureAppserviceConnection(ctx)
+	})
 	m.Bots[wrapped.Client.UserID] = wrapped
 
 	managementRooms, err := m.DB.ManagementRoom.GetAll(ctx, db.Username)
@@ -249,6 +251,7 @@ func (m *Meowlnir) newPolicyEvaluator(bot *bot.Bot, roomID id.RoomID) *policyeva
 		m.createPuppetClient,
 		m.Config.Antispam.AutoRejectInvitesToken != "",
 		m.Config.Antispam.FilterLocalInvites,
+		m.Config.Antispam.NotifyManagementRoom,
 		m.Config.Meowlnir.DryRun,
 		m.HackyAutoRedactPatterns,
 		m.PolicyServer,
@@ -303,6 +306,8 @@ func (m *Meowlnir) Run(ctx context.Context) {
 		}
 	}
 
+	go m.AS.Start()
+
 	bots, err := m.DB.Bot.GetAll(ctx)
 	if err != nil {
 		m.Log.WithLevel(zerolog.FatalLevel).Err(err).Msg("Failed to get bot list")
@@ -313,7 +318,6 @@ func (m *Meowlnir) Run(ctx context.Context) {
 	}
 
 	m.EventProcessor.Start(ctx)
-	go m.AS.Start()
 
 	var wg sync.WaitGroup
 	m.MapLock.Lock()
Original file line number	Diff line number	Diff line change
`@@ -4,3 +4,4 @@ include:`
`4`	`4`
`5`	`5`	`variables:`
`6`	`6`	`BINARY_NAME: meowlnir`
	`7`	`+ GOEXPERIMENT: jsonv2`