From 95a251e091954a50840edd6c40e03358c843d803 Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Tue, 17 Mar 2026 21:20:20 -0700
Subject: [PATCH 1/8] Delete audit_report.md

---
 audit_report.md | 950 ------------------------------------------------
 1 file changed, 950 deletions(-)
 delete mode 100644 audit_report.md

diff --git a/audit_report.md b/audit_report.md
deleted file mode 100644
index 3195e08..0000000
--- a/audit_report.md
+++ /dev/null
@@ -1,950 +0,0 @@
-# RustChan — Comprehensive Security & Code Audit Report
-
-**Audited:** `src/` (Rust imageboard server)  
-**Date:** 2026-03-17  
-**Auditor:** Static analysis + manual review  
-
----
-
-## Summary
-
-| Severity | Count |
-|----------|-------|
-| **Critical** | 3 |
-| **High** | 8 |
-| **Medium** | 12 |
-| **Low** | 11 |
-| **Total** | **34** |
-
-**Overall assessment:** The codebase demonstrates strong security awareness — parameterized queries throughout, Argon2id password hashing, constant-time CSRF comparison, EXIF stripping, path-traversal guards, and extensive inline documentation of past fixes. However, several real production risks remain, including an unverified federation layer, a process-management bug that makes the ffmpeg timeout deceptive, and stored XSS via SVG uploads.
-
----
-
-## Complete Issue Index
-
-| # | Severity | Title | File |
-|---|----------|-------|------|
-| 12 | **Medium** | PoW nonce prune not rate-gated under concurrency | `utils/crypto.rs:~165` |
-| 13 | **Medium** | `constant_time_eq` in posts.rs — use `subtle` crate | `db/posts.rs:~270` |
-| 14 | **Medium** | `update_settings_file_site_names` matches comment lines | `config.rs:~320` |
-| 15 | **Medium** | `admin_ban_and_delete` ban+delete not transactional | `handlers/admin/moderation.rs:~160` |
-| 16 | **Medium** | Poll expiry not re-checked inside `cast_vote` | `db/posts.rs:cast_vote` |
-| 17 | **Medium** | `has_recent_appeal` TOCTOU — no schema constraint | `db/admin.rs` |
-| 18 | **Medium** | Gateway `insert_reply_into_thread` stores unescaped HTML | `db/chan_net.rs:~130` |
-| 19 | **Medium** | Admin restore doesn't validate SQLite magic bytes | `handlers/admin/backup.rs` |
-| 20 | **Medium** | Rate-limit IP hash uses hardcoded salt `"G"` not `cookie_secret` | `middleware/mod.rs:~155` |
-| 21 | **Medium** | `thread_updates` builds JSON by string interpolation | `handlers/thread.rs:~360` |
-| 22 | **Medium** | `Content-Disposition` header injection via `board` field | `chan_net/command.rs:140` |
-| 23 | **Medium** | `pool_size` hardcoded despite comment claiming config | `db/mod.rs:143` |
-| 24 | **Medium** | `classify_upload_error` fragile string-prefix matching | `handlers/mod.rs` |
-| 25 | **Low** | `edit_post` `edit_window_secs=0` semantic mismatch | `db/posts.rs:~200` |
-| 26 | **Low** | `delete_file` silently ignores filesystem errors | `utils/files.rs` |
-| 27 | **Low** | `sanitize_filename` truncates by char count, not bytes | `utils/sanitize.rs` |
-| 28 | **Low** | Tripcode uses unsalted SHA-256 | `utils/tripcode.rs` |
-| 29 | **Low** | `ffmpeg` encoder detection makes 3 separate subprocess calls | `media/ffmpeg.rs` |
-| 30 | **Low** | `encode_q` duplicated twice in backup.rs | `handlers/admin/backup.rs` |
-| 31 | **Low** | `collect_thread_file_paths` unbounded SQLite variable count | `db/threads.rs:~75` |
-| 32 | **Low** | `prune_login_fails` uses `Ordering::Relaxed` store | `handlers/admin/auth.rs:~83` |
-| 33 | **Low** | Log file never rotated — will grow unbounded | `logging.rs:~35` |
-| 34 | **Low** | `ACTIVE_IPS` prune clears entire map on first run after start | `server/server.rs:~305` |
-
----
-
-## Detailed Findings
-
----
-
-### [Critical] #1 — SVG Served Inline Without `Content-Disposition: attachment`
-
-**File:** `src/handlers/board.rs:753` and `src/utils/files.rs` (`detect_mime_type`)
-
-**Problem:**
-SVG files are accepted as uploads (`image/svg+xml` is explicitly allowed in `detect_mime_type`) and served back with `Content-Type: image/svg+xml` inline via the `media_content_type()` map. An SVG file can contain `<script>` tags, `onload=` event handlers, and JavaScript `href`s. When the browser receives `Content-Type: image/svg+xml` with no `Content-Disposition: attachment`, it renders the SVG as a top-level document and executes any embedded JavaScript — bypassing all of the application's HTML-escaping and CSP.
-
-**Impact:**
-Stored XSS via file upload. Any user who can post on a board can upload a crafted SVG, and anyone who views that attachment will execute attacker-controlled JavaScript in the forum's origin. The CSP (`script-src 'self'`) does **not** block inline scripts inside an SVG document served from `'self'`.
-
-**Fix:**
-
-Option A (recommended): Remove SVG from the allowed MIME types entirely. Imageboard SVG support is rarely needed and the attack surface is significant.
-
-Option B: Force download by adding `Content-Disposition: attachment` for all SVG responses in `serve_board_media`:
-
-```rust
-if let Some("svg") = target.extension().and_then(|e| e.to_str()) {
-    resp.headers_mut().insert(
-        axum::http::header::CONTENT_DISPOSITION,
-        axum::http::HeaderValue::from_static("attachment"),
-    );
-}
-```
-
----
-
-### [Critical] #2 — ChanNet Ed25519 Signatures Not Verified
-
-**File:** `src/chan_net/import.rs:~90`
-
-**Problem:**
-The `do_import` function explicitly logs a warning and continues processing when a snapshot carries an Ed25519 signature — verification is not implemented. Any remote node can send arbitrary content (boards, posts) and it will be inserted into the `chan_net_posts` mirror table without any authenticity check.
-
-```rust
-// From import.rs — current behavior:
-if let Some(ref sig) = metadata.signature {
-    tracing::warn!("... verification not yet implemented; signature will not be checked ...");
-}
-// Processing continues regardless
-```
-
-**Impact:**
-Any attacker who can reach the ChanNet listener (default `127.0.0.1:7070`) can inject arbitrary federation data. If this port is ever exposed (misconfiguration, container networking), the attack surface is zero-auth data injection. The inline comment itself says: *"Do NOT promote this instance to production without completing Ed25519 verification."*
-
-**Fix:**
-Reject signed snapshots until verification is implemented:
-
-```rust
-if metadata.signature.is_some() {
-    return Err(AppError::BadRequest(
-        "Ed25519 signature verification is not yet implemented. \
-         Signed snapshots are rejected until Phase N is complete.".into()
-    ));
-}
-```
-
----
-
-### [Critical] #3 — ffmpeg Process Not Actually Killed on Timeout
-
-**File:** `src/workers/mod.rs:460–476`
-
-**Problem:**
-The worker wraps `spawn_blocking` in `tokio::time::timeout(ffmpeg_timeout, spawn_blocking(...))`. When the timeout fires, Tokio stops polling the future — but the underlying OS process launched by `std::process::Command::output()` inside the blocking thread is **not killed**. It continues running until it finishes. The blocking thread also remains occupied. The log message `"ffmpeg killed"` is factually incorrect.
-
-```rust
-match timeout(
-    ffmpeg_timeout,
-    tokio::task::spawn_blocking(move || {
-        transcode_video_inner(...)  // ← std::process::Command::output() blocks here
-    }),
-).await {
-    Err(_elapsed) => {
-        // "ffmpeg killed" log is wrong — the OS process is still running
-        warn!("VideoTranscode: job ... timed out ... — ffmpeg killed");
-    }
-}
-```
-
-**Impact:**
-On a pathological input file, every blocking thread becomes permanently occupied. After `blocking_threads` (default: CPUs×4) such events, all `spawn_blocking` tasks stall indefinitely, making the entire server unresponsive.
-
-**Fix:**
-Switch to `tokio::process::Command` with `kill_on_drop(true)`:
-
-```rust
-use tokio::process::Command;
-
-let mut child = Command::new("ffmpeg")
-    .args(args)
-    .stderr(Stdio::piped())
-    .kill_on_drop(true)  // kills the OS process when Child is dropped
-    .spawn()?;
-
-match timeout(ffmpeg_timeout, child.wait_with_output()).await {
-    Ok(Ok(output)) => { /* check exit status */ }
-    Err(_elapsed) => {
-        let _ = child.kill().await;
-        return Err(anyhow::anyhow!("ffmpeg timed out after {}s", timeout_secs));
-    }
-}
-```
-
----
-
-### [High] #4 — Format String Arguments Swapped in Mod Log Entry
-
-**File:** `src/handlers/admin/moderation.rs:183`
-
-**Problem:**
-The `log_mod_action` detail string for `admin_ban_and_delete` has its format arguments reversed:
-
-```rust
-// BUG: "reason" and "ip_hash_log" are in each other's positions
-&format!("inline ban — ip_hash={reason}… reason={}", &ip_hash_log),
-```
-
-The result is that the mod log records `ip_hash=<reason text>… reason=<first 8 chars of hash>`. This makes forensic reconstruction from the mod log impossible for ban+delete actions.
-
-**Fix:**
-```rust
-&format!("inline ban — ip_hash={}… reason={}", &ip_hash_log, reason),
-```
-
----
-
-### [High] #5 — Unbounded Body on Admin Restore Endpoints
-
-**File:** `src/server/server.rs:598,606`
-
-**Problem:**
-Both `admin_restore` and `board_restore` use `DefaultBodyLimit::disable()`, removing all upload size limits. The `copy_limited()` helper in `backup.rs` limits *extraction* size, but it runs after the full body is already buffered into memory by Axum.
-
-```rust
-post(crate::handlers::admin::admin_restore).layer(DefaultBodyLimit::disable()),
-post(crate::handlers::admin::board_restore).layer(DefaultBodyLimit::disable()),
-```
-
-**Impact:**
-An authenticated admin (or a session-hijack) can send a request of arbitrary size and exhaust server RAM before the handler runs.
-
-**Fix:**
-Set a large but bounded limit:
-```rust
-.layer(DefaultBodyLimit::max(20 * 1024 * 1024 * 1024)) // 20 GiB
-```
-
----
-
-### [High] #6 — `edit_post` Misuses `execute_batch` for Transactions
-
-**File:** `src/db/posts.rs:~190`
-
-**Problem:**
-`edit_post` issues `conn.execute_batch("BEGIN IMMEDIATE")` / `"COMMIT"` / `"ROLLBACK"` manually on a `&rusqlite::Connection`. Rusqlite's internal transaction-tracking state is not updated by raw `execute_batch` calls. If another caller on the same pooled connection subsequently calls `unchecked_transaction()`, it can start a nested transaction on top of an already-committed one, producing `SQLITE_ERROR: cannot start a transaction within a transaction`.
-
-**Fix:**
-Use rusqlite's typed transaction API:
-
-```rust
-use rusqlite::TransactionBehavior;
-
-let tx = conn.transaction_with_behavior(TransactionBehavior::Immediate)?;
-let row: Option<(String, i64)> = tx.query_row(
-    "SELECT deletion_token, created_at FROM posts WHERE id = ?1",
-    params![post_id],
-    |r| Ok((r.get(0)?, r.get(1)?)),
-).optional()?;
-// ... rest of logic on tx ...
-tx.commit()?;
-```
-
----
-
-### [High] #7 — `insert_board_if_absent` Uses `last_insert_rowid()` (Racy)
-
-**File:** `src/db/chan_net.rs:~57`
-
-**Problem:**
-While `db/admin.rs` and `db/posts.rs` were audited and fixed to use `INSERT … RETURNING id`, `insert_board_if_absent` still uses `conn.last_insert_rowid()` after a plain `conn.execute(...)`. In a multi-connection SQLite pool, `last_insert_rowid()` is connection-local. If any other code on the same connection inserts a row between the board INSERT and `last_insert_rowid()`, the wrong ID is returned.
-
-**Fix:**
-```rust
-let id: i64 = conn.query_row(
-    "INSERT INTO boards (short_name, title, description, nsfw, max_threads, bump_limit)
-     VALUES (?1, ?2, '', 0, 100, 300) RETURNING id",
-    rusqlite::params![short_name, title],
-    |r| r.get(0),
-)?;
-Ok(id)
-```
-
----
-
-### [High] #8 — Catalog Endpoint Has No ETag Caching
-
-**File:** `src/handlers/board.rs:500`
-
-**Problem:**
-The catalog view calls `db::get_threads_for_board(&conn, board.id, 200, 0)` — always fetching up to 200 full thread rows — on every request. Unlike the board index and thread view, the catalog has no ETag computation or `304 Not Modified` path. Every catalog request performs a full DB scan and full HTML render regardless of whether anything changed.
-
-**Impact:**
-Under moderate load on an active board, the catalog is a significant repeated I/O and CPU cost with no caching benefit.
-
-**Fix:**
-Add ETag computation mirroring the board index handler:
-```rust
-let max_bump = threads.iter().map(|t| t.bumped_at).max().unwrap_or(0);
-let admin_tag = if is_admin { "-a" } else { "" };
-let etag = format!("\"{max_bump}-catalog{admin_tag}\"");
-
-// Return 304 if client ETag matches
-if req_headers.get("if-none-match").and_then(|v| v.to_str().ok()) == Some(&etag) {
-    return Ok((jar, StatusCode::NOT_MODIFIED).into_response());
-}
-```
-
----
-
-### [High] #9 — ChanNet `/chan/refresh` and `/chan/poll` Have No Authentication
-
-**File:** `src/chan_net/mod.rs:146–168`
-
-**Problem:**
-The ChanNet router exposes `/chan/refresh` and `/chan/poll` with no authentication. Any process reaching the ChanNet bind address can trigger a full database snapshot + push to RustWave (`/chan/refresh`), or instruct the server to pull and import remote data (`/chan/poll`).
-
-```rust
-.route("/chan/refresh", post(refresh::chan_refresh))  // ← no auth
-.route("/chan/poll",    post(poll::chan_poll))         // ← no auth
-```
-
-**Impact:**
-Unauthenticated refresh is a CPU/IO-intensive operation triggerable by anyone on the network. Unauthenticated poll triggers inbound data import (which also lacks Ed25519 verification — see finding #2). An operator who sets `chan_net_bind = "0.0.0.0:7070"` exposes these publicly with zero access control.
-
-**Fix:**
-Add a pre-shared API key middleware on the ChanNet router:
-
-```rust
-async fn verify_chan_api_key(req: Request, next: Next) -> Response {
-    let key = req.headers()
-        .get("X-ChanNet-Key")
-        .and_then(|v| v.to_str().ok())
-        .unwrap_or("");
-    if key != CONFIG.chan_net_api_key {
-        return StatusCode::UNAUTHORIZED.into_response();
-    }
-    next.run(req).await
-}
-```
-
----
-
-### [High] #10 — Worker `JoinHandle`s Discarded; Graceful Shutdown Is a Blind Sleep
-
-**File:** `src/server/server.rs:239`, `src/workers/mod.rs:171`
-
-**Problem:**
-`start_worker_pool` explicitly documents that callers must hold and await its `Vec<JoinHandle<()>>` to know when in-flight jobs have finished. The server discards the return value entirely:
-
-```rust
-// workers/mod.rs docstring says:
-// "Without holding these handles the caller has no way to know when
-//  in-progress jobs have actually finished"
-
-// server.rs actual code:
-crate::workers::start_worker_pool(&q, ffmpeg_available, ffmpeg_vp9_available);
-// ↑ return value silently dropped
-```
-
-Shutdown waits a hardcoded 10 seconds with no guarantee any worker has completed. If a video transcode takes 11 seconds, the process exits mid-write, leaving corrupted files and DB rows permanently stuck in `"running"` state.
-
-**Fix:**
-```rust
-let worker_handles = crate::workers::start_worker_pool(...);
-
-// In shutdown sequence:
-worker_cancel.cancel();
-for handle in worker_handles {
-    let _ = tokio::time::timeout(Duration::from_secs(30), handle).await;
-}
-```
-
----
-
-### [High] #11 — `get_per_board_stats` Uses Correlated Subqueries (N+1 in SQL)
-
-**File:** `src/db/boards.rs:416`
-
-**Problem:**
-While `get_all_boards_with_stats` was correctly fixed to use a `LEFT JOIN`, `get_per_board_stats` (used by the terminal stats display) still uses two correlated subqueries per board row:
-
-```sql
-SELECT b.short_name,
-    (SELECT COUNT(*) FROM threads WHERE board_id = b.id) AS tc,
-    (SELECT COUNT(*) FROM posts p JOIN threads t ON p.thread_id = t.id
-      WHERE t.board_id = b.id) AS pc
-FROM boards b
-```
-
-For a forum with 20 boards this executes 41 SQL statements. The per-board post-count subquery joins the full posts table once per board.
-
-**Fix:**
-```sql
-SELECT b.short_name,
-       COUNT(DISTINCT t.id) AS tc,
-       COUNT(DISTINCT p.id) AS pc
-FROM boards b
-LEFT JOIN threads t ON t.board_id = b.id
-LEFT JOIN posts   p ON p.thread_id = t.id
-GROUP BY b.id
-ORDER BY b.short_name
-```
-
----
-
-### [Medium] #12 — PoW Nonce Cache Pruning Is Not Rate-Gated Under Concurrency
-
-**File:** `src/utils/crypto.rs:~165`
-
-**Problem:**
-`verify_pow` calls `SEEN_NONCES.retain(...)` unconditionally before the per-shard `entry()` lock. Under high concurrency, many goroutines can call `retain` simultaneously, each acquiring and releasing individual DashMap shard locks in sequence. This is not atomic with the map as a whole and causes redundant prune work at high RPS.
-
-**Fix:**
-Guard the prune with a compare-exchange on a timestamp atomic:
-
-```rust
-static LAST_NONCE_PRUNE: std::sync::atomic::AtomicI64 = AtomicI64::new(0);
-
-let last = LAST_NONCE_PRUNE.load(Ordering::Relaxed);
-if now - last > POW_WINDOW_SECS {
-    if LAST_NONCE_PRUNE
-        .compare_exchange(last, now, Ordering::AcqRel, Ordering::Relaxed)
-        .is_ok()
-    {
-        SEEN_NONCES.retain(|_, ts| now - *ts < POW_WINDOW_SECS);
-    }
-}
-```
-
----
-
-### [Medium] #13 — `constant_time_eq` in `db/posts.rs` — Use `subtle` Crate
-
-**File:** `src/db/posts.rs:~270`
-
-**Problem:**
-The hand-rolled `constant_time_eq` uses a `u8::try_from(a.len() ^ b.len()).unwrap_or(u8::MAX)` to capture length differences. This is subtle and fragile: the `try_from` truncation can in theory produce false negatives for lengths differing by multiples of 256 (though not for the 32-char tokens in use today). A well-audited crate eliminates the risk entirely.
-
-**Fix:**
-```toml
-# Cargo.toml
-subtle = "2"
-```
-
-```rust
-use subtle::ConstantTimeEq;
-
-fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
-    a.ct_eq(b).into()
-}
-```
-
----
-
-### [Medium] #14 — `update_settings_file_site_names` Matches Comment Lines
-
-**File:** `src/config.rs:~320`
-
-**Problem:**
-The line-matching logic uses:
-```rust
-if line.trim_start().starts_with("forum_name") && line.contains('=') {
-```
-
-This will incorrectly match a commented-out line like `# forum_name = "old value"`, silently activating a previously commented setting.
-
-**Fix:**
-```rust
-if line.trim_start().starts_with("forum_name")
-    && !line.trim_start().starts_with('#')
-    && line.contains('=') {
-```
-
----
-
-### [Medium] #15 — `admin_ban_and_delete` Ban and Delete Not Transactional
-
-**File:** `src/handlers/admin/moderation.rs:~160`
-
-**Problem:**
-The handler bans the IP hash, then deletes the post. These are two separate DB operations with no wrapping transaction. If `delete_post` or `delete_thread` fails after `add_ban` succeeds, the IP is now banned but the offending post still exists — inconsistent moderation state.
-
-**Fix:**
-Wrap both operations in a single rusqlite transaction:
-```rust
-let tx = conn.transaction()?;
-db::add_ban_tx(&tx, &form.ip_hash, &reason, expires_at)?;
-if is_op {
-    db::delete_thread_tx(&tx, thread_id)?;
-} else {
-    db::delete_post_tx(&tx, post_id)?;
-}
-tx.commit()?;
-```
-
----
-
-### [Medium] #16 — Poll Expiry Not Re-Checked Inside `cast_vote`
-
-**File:** `src/db/posts.rs:cast_vote`, `src/handlers/thread.rs:vote_handler`
-
-**Problem:**
-`vote_handler` checks `expires_at <= now` before calling `cast_vote`. But `cast_vote` does not re-verify expiry atomically. There is a TOCTOU window: the expiry check passes, the poll expires, and `cast_vote` inserts a vote for an expired poll.
-
-**Fix:**
-Add expiry validation inside `cast_vote`'s INSERT:
-
-```sql
-INSERT OR IGNORE INTO poll_votes (poll_id, option_id, ip_hash)
-SELECT ?1, ?2, ?3
-WHERE EXISTS (
-    SELECT 1 FROM poll_options
-    WHERE id = ?2 AND poll_id = ?1
-)
-AND EXISTS (
-    SELECT 1 FROM polls
-    WHERE id = ?1 AND expires_at > unixepoch()
-)
-```
-
----
-
-### [Medium] #17 — `has_recent_appeal` / `file_ban_appeal` TOCTOU — No Schema Constraint
-
-**File:** `src/db/admin.rs`
-
-**Problem:**
-The `has_recent_appeal` + `file_ban_appeal` pair has an acknowledged race condition: two concurrent requests from the same IP can both pass the duplicate check and both insert appeals. A schema-level constraint is the correct fix and has been deferred.
-
-**Fix:**
-Add a partial unique index to enforce the one-appeal-per-window rule at the DB level:
-```sql
-CREATE UNIQUE INDEX IF NOT EXISTS idx_ban_appeals_ip_open
-ON ban_appeals(ip_hash) WHERE status = 'open';
-```
-
-Then use `INSERT OR IGNORE` in `file_ban_appeal` and check `conn.changes() == 0` to detect the duplicate case.
-
----
-
-### [Medium] #18 — `insert_reply_into_thread` Stores Unescaped Content in `body_html`
-
-**File:** `src/db/chan_net.rs:~130`
-
-**Problem:**
-The RustWave gateway writes plain `content` directly into both `body` and `body_html`:
-
-```rust
-// body_html = plain text content — the render pipeline is not invoked
-rusqlite::params![thread_id, board_id, author, content,
-                  content, // body_html = plain text content
-                  deletion_token]
-```
-
-This relies on every template that renders `body_html` to HTML-escape it. If any template renders `body_html` as raw HTML (the normal path for locally created posts), gateway-inserted content with HTML special characters causes display corruption or stored XSS.
-
-**Fix:**
-Escape and render at the point of insertion:
-```rust
-use crate::utils::sanitize::{escape_html, render_post_body};
-let escaped = escape_html(content);
-let body_html = render_post_body(&escaped);
-// Use body_html in the INSERT, not raw content
-```
-
----
-
-### [Medium] #19 — Admin Restore Does Not Validate SQLite Magic Bytes
-
-**File:** `src/handlers/admin/backup.rs:~353`
-
-**Problem:**
-The restore handler extracts a file from the uploaded ZIP and opens it directly with `rusqlite::Connection::open()` without first verifying it is a valid SQLite file. Passing a non-SQLite binary to rusqlite invokes the underlying SQLite C library's parser on arbitrary bytes.
-
-**Fix:**
-```rust
-const SQLITE_MAGIC: &[u8] = b"SQLite format 3\0";
-let header = std::fs::read(&temp_db)?;
-if !header.starts_with(SQLITE_MAGIC) {
-    anyhow::bail!("Uploaded file is not a valid SQLite database");
-}
-```
-
----
-
-### [Medium] #20 — Rate-Limit IP Hash Uses Hardcoded Salt `"G"` Instead of `cookie_secret`
-
-**File:** `src/middleware/mod.rs:~155`
-
-**Problem:**
-The rate-limit table hashes IPs with a single hardcoded byte `"G"` as the salt:
-
-```rust
-let ip_key = {
-    let mut h = Sha256::new();
-    h.update(ip.as_bytes());
-    h.update(b"G");  // ← hardcoded salt
-    hex::encode(h.finalize())
-};
-```
-
-This is inconsistent with `hash_ip()` in `utils/crypto.rs` which uses the `cookie_secret` as a proper salt. The hardcoded salt means IP hashes in the rate-limit table are reconstructible from a rainbow table with no knowledge of any application secret.
-
-**Fix:**
-Use the existing `hash_ip` function:
-```rust
-let ip_key = crate::utils::crypto::hash_ip(&ip, &CONFIG.cookie_secret);
-```
-
----
-
-### [Medium] #21 — `thread_updates` Builds JSON by String Interpolation
-
-**File:** `src/handlers/thread.rs:~360`
-
-**Problem:**
-The auto-update endpoint response is built via `format!()` with raw value interpolation for integers and booleans. Only string fields go through `serde_json::to_string`. If any field type changes, the JSON silently becomes malformed.
-
-```rust
-let json = format!(
-    r#"{{"html":{html_json},"last_id":{last_id},"count":{count},...}}"#,
-    last_id = last_id,   // raw i64 interpolation
-    locked = locked,     // raw bool interpolation
-    ...
-);
-```
-
-**Fix:**
-Use a `serde`-derived struct:
-```rust
-#[derive(Serialize)]
-struct UpdatesResponse {
-    html: String,
-    last_id: i64,
-    count: usize,
-    reply_count: i64,
-    bump_time: i64,
-    locked: bool,
-    sticky: bool,
-    boards_version: u64,
-    nav_html: String,
-}
-let json = serde_json::to_string(&UpdatesResponse { html, last_id, ... })
-    .unwrap_or_else(|_| r#"{"error":"serialization failed"}"#.to_string());
-```
-
----
-
-### [Medium] #22 — `Content-Disposition` Header Injection via Unsanitized `board` Field
-
-**File:** `src/chan_net/command.rs:140,150,200`
-
-**Problem:**
-The `board` field from the JSON request body is interpolated directly into the `Content-Disposition` filename header without sanitization:
-
-```rust
-Ok((zip, format!("rustchan_board_{board}_{now}.zip")))
-// ...
-let disposition = format!("attachment; filename=\"{filename}\"");
-```
-
-A `board` value containing `"` breaks the quoted filename syntax. A value with CRLF sequences could inject additional HTTP headers in some parsers.
-
-**Fix:**
-```rust
-let safe_board: String = board.chars()
-    .filter(|c| c.is_ascii_alphanumeric() || *c == '-' || *c == '_')
-    .take(32)
-    .collect();
-Ok((zip, format!("rustchan_board_{safe_board}_{now}.zip")))
-```
-
----
-
-### [Medium] #23 — `pool_size` Hardcoded Despite Comment Claiming Config Control
-
-**File:** `src/db/mod.rs:143–148`
-
-**Problem:**
-The comment says the pool size comes from config so it can be tuned without recompiling, but the implementation hardcodes `8u32`:
-
-```rust
-// FIX[LOW-15]: Pool size comes from config so it can be tuned without recompiling.
-// Falls back to 8 if not set.
-let pool_size = 8u32;  // ← always 8, CONFIG not consulted
-```
-
-`CONFIG` has no `pool_size` field. On a server with `blocking_threads = 32`, all 32 threads may queue waiting for one of only 8 DB connections.
-
-**Fix:**
-Add `pool_size` to `SettingsFile`, `Config`, and `settings.toml`:
-```rust
-// config.rs
-pub pool_size: u32, // default 8
-
-// db/mod.rs
-let pool_size = CONFIG.pool_size.clamp(2, 64);
-```
-
----
-
-### [Medium] #24 — `classify_upload_error` Uses Fragile Prefix-String Matching
-
-**File:** `src/handlers/mod.rs`
-
-**Problem:**
-HTTP status code mapping depends on error message string prefixes:
-
-```rust
-if lower.starts_with("file too large") || lower.starts_with("insufficient disk space") {
-    AppError::UploadTooLarge(msg)
-} else if lower.starts_with("file type not allowed") || lower.starts_with("not an audio file") {
-    AppError::InvalidMediaType(msg)
-}
-```
-
-Any rewording in `save_upload` or `detect_mime_type` silently changes the HTTP status code returned to clients. There are no tests asserting these prefix strings match.
-
-**Fix:**
-Define a typed error enum in `utils/files.rs` and use `downcast_ref`:
-```rust
-#[derive(thiserror::Error, Debug)]
-pub enum UploadError {
-    #[error("File too large: {0}")]  TooLarge(String),
-    #[error("File type not allowed: {0}")] InvalidMime(String),
-    #[error("{0}")] Other(String),
-}
-
-match e.downcast_ref::<UploadError>() {
-    Some(UploadError::TooLarge(m)) => AppError::UploadTooLarge(m.clone()),
-    Some(UploadError::InvalidMime(m)) => AppError::InvalidMediaType(m.clone()),
-    _ => AppError::BadRequest(e.to_string()),
-}
-```
-
----
-
-### [Low] #25 — `edit_post` `edit_window_secs=0` Semantic Mismatch
-
-**File:** `src/db/posts.rs:~200` vs `src/handlers/thread.rs:edit_post_get`
-
-**Problem:**
-The GET handler correctly treats `edit_window_secs = 0` as "no restriction — always editable." But the DB-layer `edit_post` function silently enforces a 5-minute default when `0` is passed:
-
-```rust
-// db/posts.rs — WRONG: treats 0 as "use 300s default"
-let window = if edit_window_secs <= 0 { 300 } else { edit_window_secs };
-```
-
-Users on boards with `edit_window_secs = 0` will see the edit form but have their edits rejected after 5 minutes.
-
-**Fix:**
-```rust
-// Treat 0 as unlimited
-let window = if edit_window_secs <= 0 { i64::MAX } else { edit_window_secs };
-```
-
----
-
-### [Low] #26 — `delete_file` Silently Ignores Filesystem Errors
-
-**File:** `src/utils/files.rs`
-
-**Problem:**
-```rust
-let _ = std::fs::remove_file(full_path);
-```
-
-Permission errors, broken filesystems, or partial deletes are silently discarded. Orphaned files accumulate with no visibility.
-
-**Fix:**
-```rust
-if let Err(e) = std::fs::remove_file(&full_path) {
-    if e.kind() != std::io::ErrorKind::NotFound {
-        tracing::warn!("Failed to delete file {:?}: {}", full_path, e);
-    }
-}
-```
-
----
-
-### [Low] #27 — `sanitize_filename` Truncates by Character Count, Not Byte Count
-
-**File:** `src/utils/sanitize.rs`
-
-**Problem:**
-```rust
-name.chars().take(100).collect()
-```
-
-100 CJK characters is 300 UTF-8 bytes. Some filesystems (ext4 path component limit: 255 bytes) reject names longer than 255 bytes. Since filenames here are display-only, this is cosmetic but worth fixing.
-
-**Fix:**
-```rust
-let s: String = name.chars().take(100).collect();
-if s.len() <= 200 { return s; }
-let mut end = 200;
-while end > 0 && !s.is_char_boundary(end) { end -= 1; }
-s[..end].to_string()
-```
-
----
-
-### [Low] #28 — Tripcodes Use Unsalted SHA-256
-
-**File:** `src/utils/tripcode.rs`
-
-**Problem:**
-Tripcodes are computed as `SHA-256(password)[..10 chars base64url]` with no application-specific salt. The file's own security note acknowledges this: rainbow tables for common passwords are portable across all RustChan instances, enabling cross-instance identity correlation.
-
-**Fix:**
-Use HMAC-SHA256 with `cookie_secret` as the key:
-```rust
-use hmac::{Hmac, Mac};
-type HmacSha256 = Hmac<sha2::Sha256>;
-
-fn compute_tripcode(password: &str) -> String {
-    let mut mac = HmacSha256::new_from_slice(
-        crate::config::CONFIG.cookie_secret.as_bytes()
-    ).expect("HMAC accepts any key length");
-    mac.update(password.as_bytes());
-    let result = mac.finalize().into_bytes();
-    // encode result as before
-}
-```
-
----
-
-### [Low] #29 — `ffmpeg` Encoder Detection Makes 3 Separate Subprocess Calls
-
-**File:** `src/media/ffmpeg.rs`
-
-**Problem:**
-`check_webp_encoder()`, `check_vp9_encoder()`, and `check_opus_encoder()` each spawn a separate `ffmpeg -encoders` process. Each call can take 100–300ms, adding up to ~900ms of startup latency for work that could be done in one pass.
-
-**Fix:**
-```rust
-pub fn detect_encoders() -> (bool, bool, bool) {
-    let output = Command::new("ffmpeg").args(["-encoders"])
-        .stdout(Stdio::piped()).stderr(Stdio::null()).output();
-    match output {
-        Ok(o) => {
-            let stdout = String::from_utf8_lossy(&o.stdout);
-            (
-                stdout.lines().any(|l| l.contains("libwebp")),
-                stdout.lines().any(|l| l.contains("libvpx-vp9")),
-                stdout.lines().any(|l| l.contains("libopus")),
-            )
-        }
-        Err(_) => (false, false, false),
-    }
-}
-```
-
----
-
-### [Low] #30 — `encode_q` Duplicated Twice in `backup.rs`
-
-**File:** `src/handlers/admin/backup.rs:1522,2260`
-
-**Problem:**
-A custom percent-encoder function `encode_q` appears verbatim at two locations in the same file. There are no tests for it and it encodes space as `+` (form-encoding) rather than `%20` (URL path encoding), which is a subtle difference future callers may not expect.
-
-**Fix:**
-Extract to a shared utility, or replace with `urlencoding::encode`:
-```rust
-use urlencoding::encode;
-let msg = encode(&app_err.to_string());
-```
-
----
-
-### [Low] #31 — `collect_thread_file_paths` Unbounded SQLite Variable Count
-
-**File:** `src/db/threads.rs:~75`
-
-**Problem:**
-The function builds a dynamic `WHERE thread_id IN (?, ?, ...)` clause with no upper bound on the number of parameters. SQLite's default `SQLITE_MAX_VARIABLE_NUMBER` is 999. A prune operation deleting 1000+ threads at once will fail with `SQLITE_RANGE`.
-
-**Fix:**
-Process in chunks:
-```rust
-const MAX_PARAMS: usize = 900;
-let mut all_paths = Vec::new();
-for chunk in thread_ids.chunks(MAX_PARAMS) {
-    all_paths.extend(collect_chunk_file_paths(conn, chunk)?);
-}
-```
-
----
-
-### [Low] #32 — `prune_login_fails` Uses `Ordering::Relaxed` Store
-
-**File:** `src/handlers/admin/auth.rs:~83`
-
-**Problem:**
-```rust
-LOGIN_CLEANUP_SECS.store(now, Ordering::Relaxed);
-```
-
-Unlike the rate-limit cleanup in middleware which uses `compare_exchange(AcqRel)`, the login-fail prune uses `Relaxed` for the throttle store. Under concurrent login attempts, multiple threads may all observe the window has expired and all run the prune simultaneously — wasting work and causing lock contention on the DashMap.
-
-**Fix:**
-```rust
-if LOGIN_CLEANUP_SECS
-    .compare_exchange(last, now, Ordering::AcqRel, Ordering::Relaxed)
-    .is_ok()
-{
-    ADMIN_LOGIN_FAILS.retain(|_, (_, window_start)|
-        now.saturating_sub(*window_start) <= LOGIN_FAIL_WINDOW);
-}
-```
-
----
-
-### [Low] #33 — Log File Never Rotated; Will Grow Without Bound
-
-**File:** `src/logging.rs:~35`
-
-**Problem:**
-```rust
-let file_appender = tracing_appender::rolling::never(log_dir, "rustchan.log");
-```
-
-The log file is opened in append mode and never rotated. On a busy instance it will grow indefinitely. If the filesystem fills, the server will crash or corrupt the SQLite WAL.
-
-**Fix:**
-Use daily rotation:
-```rust
-let file_appender = tracing_appender::rolling::daily(log_dir, "rustchan.log");
-```
-Or document and provide a `logrotate` configuration for production deployments.
-
----
-
-### [Low] #34 — `ACTIVE_IPS` Prune Clears Entire Map on First Run After Start
-
-**File:** `src/server/server.rs:~305`
-
-**Problem:**
-```rust
-let cutoff = Instant::now()
-    .checked_sub(Duration::from_secs(300))
-    .unwrap_or_else(Instant::now);  // ← fires in first 5 min of uptime
-```
-
-Within the first 300 seconds of process lifetime, `checked_sub` returns `None` and the fallback sets `cutoff = Instant::now()`. The retain closure `*last_seen > cutoff` then evaluates to false for all entries (no entry is in the future), silently clearing the entire `ACTIVE_IPS` map. The "users online" counter resets to zero on the first prune.
-
-**Fix:**
-```rust
-let now = Instant::now();
-if let Some(cutoff) = now.checked_sub(Duration::from_secs(300)) {
-    ACTIVE_IPS.retain(|_, last_seen| *last_seen > cutoff);
-}
-// else: skip prune — process is too young to have stale entries
-```
-
----
-
-## Architectural Notes
-
-### Areas Requiring Tests
-
-The following areas have no unit or integration tests and are high-priority candidates:
-
-- `insert_reply_into_thread` — the primary RustWave gateway write path
-- `edit_post` with `edit_window_secs = 0` — the semantic mismatch bug (#25)
-- `cast_vote` race condition — concurrent votes on an expiring poll (#16)
-- `serve_board_media` with SVG content — the inline-XSS path (#1)
-- `prune_old_threads` / `archive_old_threads` with sticky threads
-- `collect_thread_file_paths` with > 999 thread IDs — the SQLite variable limit (#31)
-- `transcode_video_inner` / `transcode_audio_inner` — with a known-good 1-second MP4
-- `admin_ban_and_delete` when the thread was concurrently deleted (#15)
-
-### Design Concerns
-
-**SQLite write-lock contention under load:** All write operations share a single write lock. Under a post flood, `spawn_blocking` tasks queuing for DB connections can exhaust the blocking thread pool (CPUs×4). There is no circuit breaker — the server will queue all requests into `spawn_blocking` and appear to hang. Add a connection-wait timeout and expose the pending-job count via metrics.
-
-**ChanNet is effectively unauthenticated in its current state:** Findings #2 (no Ed25519 verification) and #9 (no API key on endpoints) combine to make the entire federation layer a zero-auth data injection surface. The `--chan-net` flag should be treated as experimental and the loopback-only bind default should be enforced at startup, not just in the config default.
-
-**`JoinError` wrapping loses context:** The pattern `AppError::Internal(anyhow::anyhow!(e))` for `tokio::task::JoinError` appears throughout the codebase. Since `JoinError` does not implement `std::error::Error`, the resulting message is `"JoinError(...)"`. Use `anyhow::anyhow!("Worker panicked: {e}")` for more useful diagnostics.
-
-**`encode_q` duplication:** The custom percent-encoder at lines 1522 and 2260 in `backup.rs` is functionally identical. It should be extracted to a shared utility, or replaced with the `urlencoding` crate.

From 8268f89b0232ae2ba7730dc091b5e348c7cd8361 Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Wed, 18 Mar 2026 21:48:45 -0700
Subject: [PATCH 2/8] Rewrite to the terminal interface to make nicer

---
 src/config.rs                    |  14 +-
 src/db/mod.rs                    |  54 +-
 src/detect.rs                    | 671 +++++++++++-------------
 src/handlers/admin/auth.rs       |   4 +-
 src/handlers/admin/backup.rs     |  20 +-
 src/handlers/admin/content.rs    |  15 +-
 src/handlers/admin/moderation.rs |   7 +-
 src/handlers/admin/settings.rs   |  22 +-
 src/handlers/board.rs            |   3 +-
 src/handlers/thread.rs           |  13 +-
 src/logging.rs                   | 276 +++++++++-
 src/main.rs                      |   1 +
 src/server/console.rs            | 853 ++++++++++++++++++++++---------
 src/server/server.rs             |  88 ++--
 src/workers/mod.rs               |  42 +-
 15 files changed, 1338 insertions(+), 745 deletions(-)

diff --git a/src/config.rs b/src/config.rs
index 94ad46b..7defaab 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -585,7 +585,12 @@ pub fn update_settings_file_site_names(forum_name: &str, site_subtitle: &str) {
     let content = match std::fs::read_to_string(&path) {
         Ok(c) => c,
         Err(e) => {
-            eprintln!("Warning: could not read settings.toml for update: {e}");
+            tracing::warn!(
+                target: "config",
+                path = %path.display(),
+                error = %e,
+                "Could not read settings.toml for update"
+            );
             return;
         }
     };
@@ -615,7 +620,12 @@ pub fn update_settings_file_site_names(forum_name: &str, site_subtitle: &str) {
     }
 
     if let Err(e) = std::fs::write(&path, out) {
-        eprintln!("Warning: could not write updated settings.toml: {e}");
+        tracing::warn!(
+            target: "config",
+            path = %path.display(),
+            error = %e,
+            "Could not write updated settings.toml"
+        );
     }
 }
 
diff --git a/src/db/mod.rs b/src/db/mod.rs
index 70369ce..1997bda 100644
--- a/src/db/mod.rs
+++ b/src/db/mod.rs
@@ -45,7 +45,6 @@ use r2d2_sqlite::SqliteConnectionManager;
 use rusqlite::params;
 use std::collections::HashSet;
 use std::path::Path;
-use tracing::info;
 
 pub mod admin;
 pub mod boards;
@@ -153,14 +152,17 @@ pub fn init_pool() -> Result<DbPool> {
     let conn = pool.get().context("Failed to get DB connection")?;
     create_schema(&conn)?;
 
-    info!("Database initialised at {}", db_path);
+    tracing::info!(target: "db", path = db_path, "Database initialised");
     Ok(pool)
 }
 
 // ─── First-run check ─────────────────────────────────────────────────────────
 
 /// Check whether this is a first run (no boards and no admins).
-/// Prints a setup banner if so. Called once at server startup.
+///
+/// Logs an info event if no boards exist. The interactive admin-creation
+/// wizard is handled by the caller (server.rs) after this returns, using
+/// `has_no_admin()` to decide whether to prompt.
 ///
 /// # Errors
 /// Returns an error if the database connection cannot be obtained.
@@ -168,28 +170,40 @@ pub fn first_run_check(pool: &DbPool) -> anyhow::Result<()> {
     let conn = pool.get()?;
     let board_count: i64 = conn
         .query_row("SELECT COUNT(*) FROM boards", [], |r| r.get(0))
-        .unwrap_or(0);
+        .context("Failed to count boards during first-run check")?;
     let admin_count: i64 = conn
         .query_row("SELECT COUNT(*) FROM admin_users", [], |r| r.get(0))
-        .unwrap_or(0);
-
-    if board_count == 0 && admin_count == 0 {
-        println!();
-        println!("╔══════════════════════════════════════════════════════╗");
-        println!("║           FIRST RUN — SETUP REQUIRED                 ║");
-        println!("╠══════════════════════════════════════════════════════╣");
-        println!("║  No boards or admin accounts found.                  ║");
-        println!("║  Create your first admin and boards:                 ║");
-        println!("║                                                      ║");
-        println!("║  rustchan-cli admin create-admin admin mypassword    ║");
-        println!("║  rustchan-cli admin create-board b Random \"Anything\" ║");
-        println!("║  rustchan-cli admin create-board tech Technology     ║");
-        println!("╚══════════════════════════════════════════════════════╝");
-        println!();
+        .context("Failed to count admin users during first-run check")?;
+
+    if board_count == 0 {
+        tracing::info!(
+            target: "startup",
+            boards = 0,
+            admins = admin_count,
+            "No boards found — create boards via admin panel or: rustchan-cli admin create-board"
+        );
     }
     Ok(())
 }
 
+/// Returns `true` when the database contains no admin accounts.
+///
+/// Called at startup to decide whether to run the interactive first-run
+/// admin wizard. Returns `false` on any DB error (fail-safe: skip the
+/// wizard rather than blocking startup).
+#[must_use]
+pub fn has_no_admin(pool: &DbPool) -> bool {
+    pool.get()
+        .ok()
+        .and_then(|conn| {
+            conn.query_row("SELECT COUNT(*) FROM admin_users", [], |r| {
+                r.get::<_, i64>(0)
+            })
+            .ok()
+        })
+        .is_some_and(|count| count == 0)
+}
+
 // ─── Schema creation & migrations ────────────────────────────────────────────
 
 #[allow(clippy::too_many_lines)]
@@ -589,7 +603,7 @@ fn create_schema(conn: &rusqlite::Connection) -> Result<()> {
         )
         .context("Structural migration: make posts.ip_hash nullable failed")?;
 
-        info!("Applied structural migration: posts.ip_hash is now nullable");
+        tracing::info!(target: "db", "Applied structural migration: posts.ip_hash is now nullable");
     }
 
     // ─── One-time media_type backfill ────────────────────────────────────────
diff --git a/src/detect.rs b/src/detect.rs
index f7b3c73..2d16280 100644
--- a/src/detect.rs
+++ b/src/detect.rs
@@ -1,36 +1,13 @@
 // detect.rs — Startup detection for optional external tools.
 //
-// Responsibilities:
-//   • detect_ffmpeg() — probe ffmpeg via `ffmpeg -version`
-//   • detect_tor()    — probe tor, set up an isolated hidden-service instance,
-//                       launch it as a background process, and poll for the
-//                       hostname file.  Works alongside a system Tor that is
-//                       already running (brew, apt, systemd, etc.).
+// All terminal output goes through crate::logging helpers so it is
+// serialised with the tracing terminal layer (CONSOLE_MUTEX).  This
+// prevents interleaving with concurrent log events during startup.
 //
-// ── Why a second Tor process is safe ──────────────────────────────────────────
-// The torrc we write contains:
-//
-//   SocksPort  0                  ← disables SOCKS; no port conflict with
-//                                    the system Tor (which owns 9050)
-//   DataDirectory  <data_dir>/tor_data/
-//                                 ← separate lock-file + keys from system Tor
-//
-// This means RustChan's Tor instance owns only the hidden service and nothing
-// else.  It starts cleanly even when brew / apt / systemd Tor is running.
-//
-// ── Platform support ──────────────────────────────────────────────────────────
-//   macOS  (brew): /opt/homebrew/bin/tor  (Apple Silicon)
-//                  /usr/local/bin/tor     (Intel)
-//   Linux  (apt):  /usr/bin/tor  or  bare "tor" on PATH
-//   Other:         bare "tor" on PATH
-//
-// ── Security ──────────────────────────────────────────────────────────────────
-//   • Command arguments are always separate &str / Path values; no shell string.
-//   • We never eval or execute output from spawned processes.
-//   • HiddenServiceDir is mode 0700 so only the running user can read the
-//     private key and hostname files.
-//   • If the spawned Tor process exits within the first few seconds, we capture
-//     and display its stderr so the operator can diagnose the problem.
+// Structured events (info!/warn!/error!) capture the detection result in
+// the JSON log file with structured fields.  Human-readable install
+// instructions are written via console_print_raw so they appear only
+// on TTY-mode terminals and never pollute piped / systemd output.
 
 use std::path::Path;
 use std::process::{Command, Stdio};
@@ -43,21 +20,10 @@ pub enum ToolStatus {
     Missing,
 }
 
-// ─── Global Tor child handle (fix #5: orphan-process cleanup) ─────────────────
-//
-// Stored here so that:
-//   • `kill_tor()` can be called from a graceful-shutdown handler, and
-//   • the panic hook registered inside `detect_tor` can kill the child on panic.
-//
-// Callers should invoke `kill_tor()` during their own shutdown path (e.g. after
-// the HTTP server loop exits).  SIGKILL / abrupt process death is handled by the
-// OS on most platforms once the parent exits, but calling `kill_tor()` ensures
-// clean shutdown even for SIGTERM / normal `std::process::exit` paths.
+// ─── Global Tor child handle ──────────────────────────────────────────────────
+
 static TOR_CHILD: OnceLock<Arc<Mutex<std::process::Child>>> = OnceLock::new();
 
-/// Kill the background Tor process that `detect_tor` launched, if any.
-///
-/// Safe to call multiple times; subsequent calls are no-ops.
 pub fn kill_tor() {
     if let Some(child) = TOR_CHILD.get() {
         if let Ok(mut c) = child.lock() {
@@ -79,25 +45,34 @@ pub fn detect_ffmpeg(require_ffmpeg: bool) -> ToolStatus {
         .unwrap_or(false);
 
     if ok {
-        println!("[INFO] ffmpeg detected. Video thumbnails and transcoding enabled.");
+        tracing::info!(target: "detect", available = true, "ffmpeg detected — video thumbnails and transcoding enabled");
         ToolStatus::Available
     } else if require_ffmpeg {
-        eprintln!("[ERROR] ffmpeg required but not installed.");
-        eprintln!("        Install ffmpeg or set require_ffmpeg = false in settings.toml.");
+        tracing::error!(
+            target: "detect",
+            available = false,
+            "ffmpeg required but not installed — set require_ffmpeg = false in settings.toml to disable this check"
+        );
+        crate::logging::console_print_raw(
+            "  Install ffmpeg from: https://ffmpeg.org/download.html\n\n",
+        );
         std::process::exit(1);
     } else {
-        println!("[WARN] ffmpeg not detected. Video thumbnails disabled.");
-        println!("       Install from: https://ffmpeg.org/download.html");
+        tracing::warn!(
+            target: "detect",
+            available = false,
+            "ffmpeg not detected — video thumbnails and transcoding disabled"
+        );
+        if crate::logging::is_tty() {
+            crate::logging::console_print_raw(
+                "  Install from: https://ffmpeg.org/download.html\n\n",
+            );
+        }
         ToolStatus::Missing
     }
 }
 
-/// Probe whether the detected ffmpeg binary has `libwebp` compiled in, and
-/// print actionable install instructions if it does not.
-///
-/// Called immediately after `detect_ffmpeg` at server startup.  Returns
-/// `false` silently when `ffmpeg_ok` is `false` (no point checking encoders
-/// when ffmpeg itself is absent).
+/// Probe whether the detected ffmpeg has `libwebp` compiled in.
 pub fn detect_webp_encoder(ffmpeg_ok: bool) -> bool {
     if !ffmpeg_ok {
         return false;
@@ -106,58 +81,61 @@ pub fn detect_webp_encoder(ffmpeg_ok: bool) -> bool {
     let has_webp = crate::media::ffmpeg::check_webp_encoder();
 
     if has_webp {
-        println!("[INFO] ffmpeg libwebp encoder detected. Image→WebP conversion enabled.");
+        tracing::info!(
+            target: "detect",
+            webp = true,
+            "ffmpeg libwebp encoder available — image to WebP conversion enabled"
+        );
     } else {
-        println!();
-        println!("[WARN] ffmpeg is installed but the libwebp encoder is missing.");
-        println!("       JPEG / PNG / BMP / TIFF uploads will be stored in their");
-        println!("       original format instead of being converted to WebP.");
-        println!();
-
-        // Detect platform and print the appropriate reinstall instructions.
-        #[cfg(target_os = "macos")]
-        {
-            println!("  ── macOS — reinstall ffmpeg with libwebp support ──────────────────");
-            println!("  brew uninstall ffmpeg");
-            println!("  brew tap homebrew-ffmpeg/ffmpeg");
-            println!("  brew install homebrew-ffmpeg/ffmpeg/ffmpeg --with-webp");
-            println!();
-            println!("  Verify with:");
-            println!("    ffmpeg -encoders 2>/dev/null | grep webp");
-            println!("  You should see:");
-            println!("    V..... libwebp              libwebp WebP image (codec webp)");
-            println!("    V..... libwebp_anim         libwebp WebP image (codec webp)");
+        tracing::warn!(
+            target: "detect",
+            webp = false,
+            "ffmpeg libwebp encoder missing — JPEG/PNG/BMP/TIFF stored in original format"
+        );
+        if crate::logging::is_tty() {
+            crate::logging::console_print_raw(&webp_install_hint());
         }
+    }
 
-        #[cfg(target_os = "linux")]
-        {
-            println!("  ── Linux — install ffmpeg with libwebp support ────────────────────");
-            println!("  sudo apt update");
-            println!("  sudo apt install ffmpeg libwebp-dev");
-            println!();
-            println!("  Verify with:");
-            println!("    ffmpeg -encoders 2>/dev/null | grep webp");
-        }
+    has_webp
+}
 
-        #[cfg(not(any(target_os = "macos", target_os = "linux")))]
-        {
-            println!("  Reinstall ffmpeg with libwebp encoder support enabled.");
-            println!("  See: https://ffmpeg.org/download.html");
-        }
+fn webp_install_hint() -> String {
+    let mut s = String::new();
 
-        println!();
+    #[cfg(target_os = "macos")]
+    {
+        s.push_str(
+            "  ── macOS: reinstall ffmpeg with libwebp ─────────────────────────────\n\
+             \n\
+             \x1b[2m  brew uninstall ffmpeg\n\
+             \x1b[2m  brew tap homebrew-ffmpeg/ffmpeg\n\
+             \x1b[2m  brew install homebrew-ffmpeg/ffmpeg/ffmpeg --with-webp\x1b[0m\n\n",
+        );
+    }
+    #[cfg(target_os = "linux")]
+    {
+        s.push_str(
+            "  ── Linux: install ffmpeg with libwebp ───────────────────────────────\n\
+             \n\
+             \x1b[2m  sudo apt update && sudo apt install ffmpeg libwebp-dev\x1b[0m\n\n",
+        );
+    }
+    #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+    {
+        s.push_str(
+            "  Reinstall ffmpeg with libwebp support. See: https://ffmpeg.org/download.html\n\n",
+        );
     }
 
-    has_webp
+    if !crate::logging::is_tty() {
+        // Strip any ANSI codes we added for TTY mode
+        s.retain(|c| c != '\x1b');
+    }
+    s
 }
 
-/// Probe whether the detected ffmpeg binary has both `libvpx-vp9` (video) and
-/// `libopus` (audio) compiled in, and print actionable install instructions if
-/// either is missing.
-///
-/// Both encoders are required for MP4→WebM transcoding and WebM/AV1→WebM/VP9
-/// re-encoding.  Called immediately after `detect_webp_encoder` at server
-/// startup.  Returns `false` silently when `ffmpeg_ok` is `false`.
+/// Probe whether the detected ffmpeg has `libvpx-vp9` + `libopus` compiled in.
 pub fn detect_webm_encoder(ffmpeg_ok: bool) -> bool {
     if !ffmpeg_ok {
         return false;
@@ -168,82 +146,68 @@ pub fn detect_webm_encoder(ffmpeg_ok: bool) -> bool {
     let has_webm = has_vp9 && has_opus;
 
     if has_webm {
-        println!("[INFO] ffmpeg libvpx-vp9 + libopus encoders detected. MP4→WebM transcoding and WebM/AV1→VP9 re-encoding enabled.");
+        tracing::info!(
+            target: "detect",
+            vp9 = true, opus = true,
+            "ffmpeg VP9 + Opus encoders available — MP4 to WebM transcoding enabled"
+        );
     } else {
-        println!();
-        println!("[WARN] ffmpeg is installed but required WebM encoders are missing.");
-
-        if !has_vp9 {
-            println!("       Missing: libvpx-vp9 (VP9 video encoder)");
-        }
-        if !has_opus {
-            println!("       Missing: libopus (Opus audio encoder)");
-        }
-
-        println!();
-        println!("       MP4 uploads will be stored as MP4 instead of being");
-        println!("       transcoded to WebM.  WebM files encoded with AV1 will");
-        println!("       not be re-encoded to the browser-compatible VP9 format.");
-        println!();
-
-        #[cfg(target_os = "macos")]
-        {
-            println!("  ── macOS — reinstall ffmpeg with VP9 + Opus support ───────────────");
-            println!("  brew uninstall ffmpeg");
-            println!("  brew install ffmpeg");
-            println!("  # Or for a fully-featured build:");
-            println!("  brew tap homebrew-ffmpeg/ffmpeg");
-            println!("  brew install homebrew-ffmpeg/ffmpeg/ffmpeg --with-libvpx --with-opus");
-            println!();
-            println!("  Verify with:");
-            println!("    ffmpeg -encoders 2>/dev/null | grep -E 'libvpx-vp9|libopus'");
-            println!("  You should see:");
-            println!("    V..... libvpx-vp9           libvpx VP9 (codec vp9)");
-            println!("    A..... libopus               libopus Opus (codec opus)");
+        tracing::warn!(
+            target: "detect",
+            vp9   = has_vp9,
+            opus  = has_opus,
+            "ffmpeg VP9/Opus encoders missing — MP4 uploads stored as MP4"
+        );
+        if crate::logging::is_tty() {
+            crate::logging::console_print_raw(&webm_install_hint(has_vp9, has_opus));
         }
+    }
 
-        #[cfg(target_os = "linux")]
-        {
-            println!("  ── Linux — install ffmpeg with VP9 + Opus support ─────────────────");
-            println!("  sudo apt update");
-            println!("  sudo apt install ffmpeg libvpx-dev libopus-dev");
-            println!();
-            println!("  Verify with:");
-            println!("    ffmpeg -encoders 2>/dev/null | grep -E 'libvpx-vp9|libopus'");
-        }
+    has_webm
+}
 
-        #[cfg(not(any(target_os = "macos", target_os = "linux")))]
-        {
-            println!("  Reinstall ffmpeg with libvpx-vp9 and libopus encoder support enabled.");
-            println!("  See: https://ffmpeg.org/download.html");
-        }
+fn webm_install_hint(has_vp9: bool, has_opus: bool) -> String {
+    let mut s = String::new();
+    if !has_vp9 {
+        s.push_str("  Missing: libvpx-vp9 (VP9 video encoder)\n");
+    }
+    if !has_opus {
+        s.push_str("  Missing: libopus   (Opus audio encoder)\n");
+    }
+    s.push('\n');
 
-        println!();
+    #[cfg(target_os = "macos")]
+    {
+        s.push_str(
+            "  ── macOS: reinstall ffmpeg with VP9 + Opus ──────────────────────────\n\
+             \n\
+             \x1b[2m  brew install ffmpeg\x1b[0m\n\n",
+        );
+    }
+    #[cfg(target_os = "linux")]
+    {
+        s.push_str(
+            "  ── Linux: install ffmpeg with VP9 + Opus ────────────────────────────\n\
+             \n\
+             \x1b[2m  sudo apt update && sudo apt install ffmpeg libvpx-dev libopus-dev\x1b[0m\n\n",
+        );
+    }
+    #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+    {
+        s.push_str(
+            "  Reinstall ffmpeg with libvpx-vp9 and libopus support.\n\
+             See: https://ffmpeg.org/download.html\n\n",
+        );
     }
 
-    has_webm
+    if !crate::logging::is_tty() {
+        s.retain(|c| c != '\x1b');
+    }
+    s
 }
 
 // ─── Tor ─────────────────────────────────────────────────────────────────────
 
-/// Set up and launch a Tor hidden-service instance.
-///
-/// Creates inside `data_dir`:
-///   `tor_data`/           — Tor's `DataDirectory` (lock file, keys, etc.)
-///   `tor_hidden_service`/ — `HiddenServiceDir`  (private key + hostname)
-///   torrc               — auto-generated config
-///
-/// Launches `tor -f <torrc>` as a background process then polls for the
-/// hostname file in a background OS thread.  Returns immediately — the
-/// HTTP server is never blocked.
-///
-/// Returns `ToolStatus::Available` once Tor has been successfully spawned,
-/// or `ToolStatus::Missing` if Tor could not be found or started.
-///
-/// Call `kill_tor()` during graceful shutdown to avoid orphaned processes.
-//
-// Fix #7: function now returns ToolStatus so callers can branch on whether
-//         Tor is actually running.
 #[allow(clippy::too_many_lines)]
 #[allow(clippy::expect_used)]
 #[allow(clippy::arithmetic_side_effects)]
@@ -252,17 +216,14 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
         return ToolStatus::Missing;
     }
 
-    // ── 1. Find the tor binary ────────────────────────────────────────────────
     let candidates = [
-        "/opt/homebrew/bin/tor", // macOS Apple-Silicon brew
-        "/usr/local/bin/tor",    // macOS Intel brew
-        "/usr/bin/tor",          // Linux apt / rpm
-        "tor",                   // anything else on PATH
+        "/opt/homebrew/bin/tor",
+        "/usr/local/bin/tor",
+        "/usr/bin/tor",
+        "tor",
     ];
 
     let tor_bin: Option<&str> = candidates.iter().copied().find(|bin| {
-        // `--version` may return exit code 1 on some builds; treat any
-        // successful spawn (binary found) as "available".
         Command::new(bin)
             .arg("--version")
             .stdout(Stdio::null())
@@ -272,70 +233,59 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
     });
 
     let Some(tor_bin) = tor_bin else {
-        print_install_instructions(bind_port);
+        tracing::warn!(target: "detect", available = false, "Tor not found — onion service disabled");
+        if crate::logging::is_tty() {
+            crate::logging::console_print_raw(&tor_install_hint(bind_port));
+        }
         return ToolStatus::Missing;
     };
 
-    println!("[INFO] Tor binary: {tor_bin}");
+    tracing::info!(target: "detect", binary = tor_bin, "Tor binary found");
 
-    // ── 2. Create directories ─────────────────────────────────────────────────
     let hs_dir = data_dir.join("tor_hidden_service");
     let data_subdir = data_dir.join("tor_data");
 
     for dir in [&hs_dir, &data_subdir] {
         if let Err(e) = std::fs::create_dir_all(dir) {
-            println!(
-                "[WARN] Tor: cannot create directory '{}': {}",
-                dir.display(),
-                e
+            tracing::warn!(
+                target: "detect",
+                path = %dir.display(),
+                error = %e,
+                "Tor: cannot create directory"
             );
-            print_torrc_hint(&hs_dir, bind_port);
+            if crate::logging::is_tty() {
+                crate::logging::console_print_raw(&tor_torrc_hint(&hs_dir, bind_port));
+            }
             return ToolStatus::Missing;
         }
     }
 
-    // Tor refuses to use a HiddenServiceDir that is world- or group-readable.
     #[cfg(unix)]
     {
         use std::os::unix::fs::PermissionsExt;
         for dir in [&hs_dir, &data_subdir] {
             if let Err(e) = std::fs::set_permissions(dir, std::fs::Permissions::from_mode(0o700)) {
-                println!(
-                    "[WARN] Tor: cannot set 0700 on '{}': {} (Tor may reject it)",
-                    dir.display(),
-                    e
+                tracing::warn!(
+                    target: "detect",
+                    path = %dir.display(),
+                    error = %e,
+                    "Tor: cannot set 0700 permissions (Tor may reject directory)"
                 );
             }
         }
     }
 
-    // ── 3. Write torrc ────────────────────────────────────────────────────────
-    //
-    // Fix #6: torrc_path is now derived from the canonicalized data_dir so it
-    //         is always an absolute path, regardless of how RustChan was
-    //         invoked.  Tor is started with an absolute path argument, which
-    //         means it works even when Tor's working directory differs from ours.
-    //
-    // Canonical absolute paths avoid problems when Tor's working directory
-    // differs from ours.  canonicalize() is called after the directories exist.
     let canon = |p: &Path| p.canonicalize().unwrap_or_else(|_| p.to_path_buf());
     let hs_abs = canon(&hs_dir);
     let data_abs = canon(&data_subdir);
-    let torrc_path = canon(data_dir).join("torrc"); // fix #6: absolute torrc path
+    let torrc_path = canon(data_dir).join("torrc");
 
-    // Fix #2: paths are quoted so that a data_dir containing spaces does not
-    //         produce a syntactically invalid torrc (Tor treats unquoted
-    //         whitespace as a value delimiter).
     let torrc = format!(
         "# RustChan — auto-generated torrc  (do not edit while Tor is running)\n\
          \n\
-         ## Isolate this instance from any system-level Tor (brew / apt / systemd).\n\
-         ## SocksPort 0  → do not bind a SOCKS port; avoids conflict with port 9050.\n\
-         ## DataDirectory → separate lock file + state from the system Tor.\n\
          SocksPort 0\n\
          DataDirectory \"{data}\"\n\
          \n\
-         ## Hidden service — forwards .onion:80 to the local RustChan port.\n\
          HiddenServiceDir \"{hs}\"\n\
          HiddenServicePort 80 127.0.0.1:{port}\n",
         data = data_abs.display(),
@@ -344,21 +294,26 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
     );
 
     if let Err(e) = std::fs::write(&torrc_path, &torrc) {
-        println!(
-            "[WARN] Tor: cannot write torrc to '{}': {}",
-            torrc_path.display(),
-            e
+        tracing::warn!(
+            target: "detect",
+            path  = %torrc_path.display(),
+            error = %e,
+            "Tor: cannot write torrc"
         );
-        print_torrc_hint(&hs_dir, bind_port);
+        if crate::logging::is_tty() {
+            crate::logging::console_print_raw(&tor_torrc_hint(&hs_dir, bind_port));
+        }
         return ToolStatus::Missing;
     }
 
-    println!("[INFO] Tor: torrc          → {}", torrc_path.display());
-    println!("[INFO] Tor: hidden-svc dir → {}", hs_abs.display());
-    println!("[INFO] Tor: data dir       → {}", data_abs.display());
+    tracing::info!(
+        target: "detect",
+        torrc      = %torrc_path.display(),
+        hidden_svc = %hs_abs.display(),
+        data_dir   = %data_abs.display(),
+        "Tor configured"
+    );
 
-    // ── 4. Spawn Tor ──────────────────────────────────────────────────────────
-    // Stderr is piped so we can surface diagnostics if Tor exits early.
     let child = Command::new(tor_bin)
         .arg("-f")
         .arg(&torrc_path)
@@ -368,40 +323,36 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
 
     let mut child = match child {
         Err(e) => {
-            println!("[WARN] Tor: failed to start '{tor_bin}': {e}");
-            print_torrc_hint(&hs_dir, bind_port);
+            tracing::warn!(
+                target: "detect",
+                binary = tor_bin,
+                error  = %e,
+                "Tor: failed to start process"
+            );
+            if crate::logging::is_tty() {
+                crate::logging::console_print_raw(&tor_torrc_hint(&hs_dir, bind_port));
+            }
             return ToolStatus::Missing;
         }
         Ok(c) => c,
     };
 
-    // Fix #8: Drain stderr in a dedicated thread to prevent the pipe buffer
-    //         from filling up and blocking Tor.  Without this, a verbose Tor
-    //         (e.g. LogLevel debug) would stall once the OS pipe buffer (~64 KiB)
-    //         fills, causing try_wait() to never see an exit and the 120-second
-    //         poll timeout to fire instead.
     let stderr_lines: Arc<Mutex<Vec<String>>> = Arc::new(Mutex::new(Vec::new()));
     if let Some(pipe) = child.stderr.take() {
         let buf = Arc::clone(&stderr_lines);
         std::thread::spawn(move || {
             use std::io::{BufRead, BufReader};
-            // Cap at 500 lines to bound memory; Tor can be very verbose at
-            // higher log levels.
             for line in BufReader::new(pipe).lines().map_while(Result::ok).take(500) {
-                buf.lock().expect("stderr buffer mutex poisoned").push(line);
+                if let Ok(mut g) = buf.lock() {
+                    g.push(line);
+                }
             }
         });
     }
 
-    // Fix #5: Wrap child in Arc<Mutex<>> so it can be shared between:
-    //   • the background monitoring thread (which may call try_wait / kill)
-    //   • the global TOR_CHILD handle (for kill_tor() / panic hook)
     let child = Arc::new(Mutex::new(child));
-
-    // Store globally so kill_tor() works from any context.
     let _ = TOR_CHILD.set(Arc::clone(&child));
 
-    // Best-effort cleanup on panic: kill Tor before printing the panic message.
     let prev_hook = std::panic::take_hook();
     std::panic::set_hook(Box::new(move |info| {
         kill_tor();
@@ -409,9 +360,8 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
     }));
 
     let pid = child.lock().expect("child process mutex poisoned").id();
-    println!("[INFO] Tor: process started (pid {pid}). Waiting for .onion address…");
+    tracing::info!(target: "detect", pid = pid, "Tor process started — waiting for .onion address");
 
-    // ── 5. Quick health-check + hostname polling (background thread) ──────────
     let hostname_path = hs_abs.join("hostname");
     let torrc_display = torrc_path.display().to_string();
     let tor_bin_owned = tor_bin.to_string();
@@ -420,40 +370,43 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
     let stderr_bg = Arc::clone(&stderr_lines);
 
     std::thread::spawn(move || {
-        // Give Tor ~4 seconds to either establish itself or fail fast.
         std::thread::sleep(std::time::Duration::from_secs(4));
 
-        // Fix #4 (early-exit check): use the shared child Arc instead of
-        //         a moved value so the same handle can also be used by
-        //         poll_for_hostname to detect crashes during polling.
         let try_wait_result = child_bg
             .lock()
             .expect("child process mutex poisoned")
             .try_wait();
+
         match try_wait_result {
             Ok(Some(status)) => {
-                // Process already exited — surface stderr for the operator.
                 let lines = stderr_bg.lock().expect("stderr buffer mutex poisoned");
-                println!();
-                println!("[ERR ] Tor: process exited early ({status})");
-                if !lines.is_empty() {
-                    println!("────── Tor stderr ──────────────────────────────");
+                tracing::error!(
+                    target: "detect",
+                    exit_status = %status,
+                    "Tor process exited early"
+                );
+                if crate::logging::is_tty() && !lines.is_empty() {
+                    let mut block =
+                        String::from("\n  ── Tor stderr ──────────────────────────────────\n");
                     for line in lines.iter().take(20) {
-                        println!("  {line}");
+                        block.push_str("  ");
+                        block.push_str(line);
+                        block.push('\n');
                     }
-                    println!("────────────────────────────────────────────────");
+                    block.push_str("  ────────────────────────────────────────────────\n\n");
+                    drop(lines);
+                    crate::logging::console_print_raw(&block);
+                    crate::logging::console_print_raw(&tor_diagnosis_hint(
+                        &torrc_display,
+                        &tor_bin_owned,
+                        bind_port,
+                    ));
                 }
-                drop(lines);
-                println!();
-                print_diagnosis_hints(&torrc_display, &tor_bin_owned, bind_port);
                 return;
             }
-            Ok(None) => {
-                // Still running — good.
-            }
+            Ok(None) => {}
             Err(e) => {
-                println!("[WARN] Tor: could not query process status: {e}");
-                // Continue to poll for the hostname file anyway.
+                tracing::warn!(target: "detect", error = %e, "Tor: could not query process status");
             }
         }
 
@@ -476,39 +429,42 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
 #[allow(clippy::arithmetic_side_effects)]
 fn poll_for_hostname(
     hostname_path: &Path,
-    // Fix #4: child handle passed in so crashes mid-poll are detected promptly
-    //         instead of waiting for the full 120-second timeout.
     child: &Arc<Mutex<std::process::Child>>,
     stderr_lines: &Arc<Mutex<Vec<String>>>,
     torrc_display: &str,
     tor_bin: &str,
     bind_port: u16,
 ) {
-    const TIMEOUT_SECS: u64 = 120; // v3 onion keys can take ~60–90 s first run
+    const TIMEOUT_SECS: u64 = 120;
     const POLL_MS: u64 = 500;
-
     let deadline = std::time::Instant::now() + std::time::Duration::from_secs(TIMEOUT_SECS);
 
     loop {
-        // Fix #4: check for mid-poll crash every iteration.
-        //         try_lock() is used instead of lock() to be non-blocking;
-        //         if the mutex is momentarily held by the stderr-drain thread
-        //         we simply skip the check this iteration.
         if let Ok(mut c) = child.try_lock() {
             if let Ok(Some(status)) = c.try_wait() {
                 let lines = stderr_lines.lock().expect("stderr buffer mutex poisoned");
-                println!();
-                println!("[ERR ] Tor: process crashed during startup ({status})");
-                if !lines.is_empty() {
-                    println!("────── Tor stderr ──────────────────────────────");
+                tracing::error!(
+                    target: "detect",
+                    exit_status = %status,
+                    "Tor process crashed during startup"
+                );
+                if crate::logging::is_tty() && !lines.is_empty() {
+                    let mut block =
+                        String::from("\n  ── Tor stderr ──────────────────────────────────\n");
                     for line in lines.iter().take(20) {
-                        println!("  {line}");
+                        block.push_str("  ");
+                        block.push_str(line);
+                        block.push('\n');
                     }
-                    println!("────────────────────────────────────────────────");
+                    block.push_str("  ────────────────────────────────────────────────\n\n");
+                    drop(lines);
+                    crate::logging::console_print_raw(&block);
+                    crate::logging::console_print_raw(&tor_diagnosis_hint(
+                        torrc_display,
+                        tor_bin,
+                        bind_port,
+                    ));
                 }
-                drop(lines);
-                println!();
-                print_diagnosis_hints(torrc_display, tor_bin, bind_port);
                 return;
             }
         }
@@ -518,23 +474,40 @@ fn poll_for_hostname(
                 Ok(raw) => {
                     let onion = raw.trim();
                     if !onion.is_empty() {
-                        print_onion_banner(onion, hostname_path);
+                        tracing::info!(
+                            target: "detect",
+                            onion_address = onion,
+                            "Tor hidden service active"
+                        );
+                        if crate::logging::is_tty() {
+                            crate::logging::console_print_raw(&tor_onion_banner(
+                                onion,
+                                hostname_path,
+                            ));
+                        }
                         return;
                     }
-                    // Empty file — Tor is still writing; retry.
                 }
                 Err(e) => {
-                    println!("[WARN] Tor: hostname unreadable: {e}");
+                    tracing::warn!(target: "detect", error = %e, "Tor: hostname file unreadable");
                 }
             }
         }
 
         if std::time::Instant::now() >= deadline {
-            println!();
-            println!("[WARN] Tor: timed out after {TIMEOUT_SECS}s waiting for hostname file.");
-            println!("       Expected at: {}", hostname_path.display());
-            println!();
-            print_diagnosis_hints(torrc_display, tor_bin, bind_port);
+            tracing::warn!(
+                target: "detect",
+                timeout_secs = TIMEOUT_SECS,
+                hostname_path = %hostname_path.display(),
+                "Tor timed out waiting for hostname file"
+            );
+            if crate::logging::is_tty() {
+                crate::logging::console_print_raw(&tor_diagnosis_hint(
+                    torrc_display,
+                    tor_bin,
+                    bind_port,
+                ));
+            }
             return;
         }
 
@@ -542,111 +515,69 @@ fn poll_for_hostname(
     }
 }
 
-// ─── Success banner ───────────────────────────────────────────────────────────
-
-/// Print the .onion address in a bordered banner.
-///
-/// Fix #1: The box is wide enough (inner width = 72) to hold a v3 .onion URL
-///         (`http://` + 56-char address + `.onion` = 69 chars) without overflowing.
-///
-/// Fix #3: The private-key-path line used `{:<48}` with a 4-char indent inside
-///         the old 54-char-wide box, producing a line 2 characters short of the
-///         box edge.  Both field widths have been corrected for the new box size.
-fn print_onion_banner(onion: &str, hostname_path: &Path) {
-    // v3 .onion URL: "http://" (7) + 56-char base32 address + ".onion" (6) = 69 chars.
-    // Box inner width 72 gives 3 chars of right-margin after the longest URL.
+// ─── Tor print helpers (console_print_raw blocks) ────────────────────────────
+
+fn tor_onion_banner(onion: &str, hostname_path: &Path) -> String {
     let addr_line = format!("http://{onion}");
     let key_dir = hostname_path.parent().unwrap_or(hostname_path);
-
-    println!();
-    println!("╔════════════════════════════════════════════════════════════════════════╗");
-    println!("║        TOR ONION SERVICE ACTIVE  ✓                                     ║");
-    println!("╠════════════════════════════════════════════════════════════════════════╣");
-    println!("║  {addr_line:<70}║"); // fix #1: {:<70}, 2+70+1 = inner 72
-    println!("║                                                                        ║");
-    println!("║  Share this with Tor Browser users.                                    ║");
-    println!("║  Your private key is stored at:                                        ║");
-    println!("║    {:<68}║", key_dir.display()); // fix #3: {:<68}, 4+68+1 = inner 72
-    println!("║  Back it up — losing it means a new .onion address.                    ║");
-    println!("╚════════════════════════════════════════════════════════════════════════╝");
-    println!();
+    format!(
+        "\n\
+        ╔════════════════════════════════════════════════════════════════════════╗\n\
+        ║        TOR ONION SERVICE ACTIVE  ✓                                     ║\n\
+        ╠════════════════════════════════════════════════════════════════════════╣\n\
+        ║  {addr:<70}║\n\
+        ║                                                                        ║\n\
+        ║  Share this with Tor Browser users.                                    ║\n\
+        ║  Your private key is stored at:                                        ║\n\
+        ║    {key:<68}║\n\
+        ║  Back it up — losing it means a new .onion address.                    ║\n\
+        ╚════════════════════════════════════════════════════════════════════════╝\n\n",
+        addr = addr_line,
+        key = key_dir.display(),
+    )
 }
 
-// ─── Diagnostic helpers ───────────────────────────────────────────────────────
-
-/// Printed when we know Tor is not installed.
-fn print_install_instructions(bind_port: u16) {
-    println!("[INFO] Tor not found. This server supports Tor Onion Services.");
-    println!();
-    println!("  ── macOS (Homebrew) ────────────────────────────────────────");
-    println!("  brew install tor");
-    println!("  (Re-start RustChan after installing — it configures Tor automatically.)");
-    println!();
-    println!("  ── Debian / Ubuntu ─────────────────────────────────────────");
-    println!("  sudo apt-get install tor");
-    println!("  (Re-start RustChan after installing — it configures Tor automatically.)");
-    println!();
-    println!("  ── Manual (any OS) ─────────────────────────────────────────");
-    println!("  https://www.torproject.org/download/tor/");
-    println!("  Then add to your torrc:");
-    println!("    SocksPort 0");
-    println!("    HiddenServiceDir /path/to/tor_hidden_service/");
-    println!("    HiddenServicePort 80 127.0.0.1:{bind_port}");
-    println!();
+fn tor_install_hint(bind_port: u16) -> String {
+    format!(
+        "\n\
+        \x1b[2m  ── Install Tor ────────────────────────────────────────────────────────\n\
+          macOS:   brew install tor\n\
+          Linux:   sudo apt-get install tor\n\
+          Other:   https://www.torproject.org/download/tor/\n\
+        \n\
+          After installing, restart RustChan — it configures Tor automatically.\n\
+          Or add to your own torrc:\n\
+            HiddenServicePort 80 127.0.0.1:{bind_port}\x1b[0m\n\n"
+    )
 }
 
-/// Printed when Tor crashed or timed out, with actionable next steps.
-fn print_diagnosis_hints(torrc_path: &str, tor_bin: &str, bind_port: u16) {
-    println!("  ── Troubleshooting ─────────────────────────────────────────────────────");
-    println!();
-    println!("  1. Run Tor manually to see live error output:");
-    println!("       {tor_bin} -f {torrc_path}");
-    println!();
-    println!("  2. Common causes:");
-    println!();
-    println!("     a) SocksPort conflict  (rare with our torrc — SocksPort is set to 0)");
-    println!("        Check: lsof -i :9050   or   ss -tlnp | grep 9050");
-    println!();
-    println!("     b) DataDirectory permissions");
-    println!("        Tor requires its data dir to be owned by the current user.");
-    println!("        Fix: chmod 700 <data_dir>/tor_data/");
-    println!();
-    println!("     c) HiddenServiceDir permissions");
-    println!("        Fix: chmod 700 <data_dir>/tor_hidden_service/");
-    println!();
-    println!("     d) Firewall / network — Tor needs outbound TCP on ports 9001 & 443.");
-    println!("        Tor may take several minutes on a first run while it builds");
-    println!("        its circuits.  Try again; the timeout is now 120 seconds.");
-    println!();
-    println!("     e) macOS brew service conflict");
-    println!("        The brew service Tor and RustChan's Tor are independent");
-    println!("        (RustChan uses SocksPort 0 + its own DataDirectory).");
-    println!("        Both should coexist, but if you see lock-file errors, stop");
-    println!("        the brew service first:");
-    println!("          brew services stop tor");
-    println!("        Then restart RustChan.");
-    println!();
-    println!("     f) Linux: SELinux / AppArmor");
-    println!("        Check: sudo journalctl -u tor --since '5 min ago'");
-    println!("        Or:    sudo ausearch -c tor | tail -20");
-    println!();
-    println!("  3. If Tor works but you want to manage it yourself:");
-    println!("       Set  enable_tor_support = false  in settings.toml");
-    println!("       and add to your own torrc:");
-    println!("         HiddenServicePort 80 127.0.0.1:{bind_port}");
-    println!("  ────────────────────────────────────────────────────────────────────────");
-    println!();
+fn tor_torrc_hint(hs_dir: &Path, bind_port: u16) -> String {
+    format!(
+        "\n  Add to your torrc and restart Tor:\n\
+         \x1b[2m    SocksPort 0\n\
+           DataDirectory /var/lib/tor/rustchan-data/\n\
+           HiddenServiceDir {hs}\n\
+           HiddenServicePort 80 127.0.0.1:{bind_port}\x1b[0m\n\n",
+        hs = hs_dir.display(),
+    )
 }
 
-/// Printed when we cannot write the torrc / create directories.
-fn print_torrc_hint(hs_dir: &Path, bind_port: u16) {
-    println!("[HINT] Add the following to your torrc and restart Tor:");
-    println!("         SocksPort 0");
-    println!("         DataDirectory /var/lib/tor/rustchan-data/");
-    println!("         HiddenServiceDir {}", hs_dir.display());
-    println!("         HiddenServicePort 80 127.0.0.1:{bind_port}");
-    println!(
-        "       Your .onion address will appear in: {}/hostname",
-        hs_dir.display()
-    );
+fn tor_diagnosis_hint(torrc_path: &str, tor_bin: &str, bind_port: u16) -> String {
+    format!(
+        "\n  \x1b[2m── Tor troubleshooting ──────────────────────────────────────────────────\n\
+         \n\
+           1. Run manually to see live output:\n\
+                {tor_bin} -f {torrc_path}\n\
+         \n\
+           2. Common causes:\n\
+              a) DataDirectory permissions  — chmod 700 <data_dir>/tor_data/\n\
+              b) HiddenServiceDir perms     — chmod 700 <data_dir>/tor_hidden_service/\n\
+              c) Firewall: Tor needs outbound TCP on ports 9001 and 443.\n\
+              d) macOS brew conflict: brew services stop tor, then restart RustChan.\n\
+              e) Linux SELinux/AppArmor: sudo journalctl -u tor --since '5 min ago'\n\
+         \n\
+           3. To manage Tor yourself:\n\
+              Set enable_tor_support = false in settings.toml\n\
+              and add to your torrc:  HiddenServicePort 80 127.0.0.1:{bind_port}\x1b[0m\n\n"
+    )
 }
diff --git a/src/handlers/admin/auth.rs b/src/handlers/admin/auth.rs
index f714e4b..92a1a04 100644
--- a/src/handlers/admin/auth.rs
+++ b/src/handlers/admin/auth.rs
@@ -33,7 +33,7 @@ use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::LazyLock;
 use std::time::{SystemTime, UNIX_EPOCH};
 use time;
-use tracing::{info, warn};
+use tracing::warn;
 
 // ─── CRIT-6: Admin login brute-force lockout ──────────────────────────────────
 //
@@ -297,7 +297,7 @@ pub async fn admin_login(
             // configured session lifetime instead of persisting it indefinitely.
             cookie.set_max_age(time::Duration::seconds(CONFIG.session_duration));
 
-            info!("Admin {admin_id} logged in");
+            tracing::info!(target: "admin", admin_id = admin_id, "Admin logged in");
             Ok((jar.add(cookie), Redirect::to("/admin/panel")).into_response())
         }
     }
diff --git a/src/handlers/admin/backup.rs b/src/handlers/admin/backup.rs
index bb4b7f2..e5a1711 100644
--- a/src/handlers/admin/backup.rs
+++ b/src/handlers/admin/backup.rs
@@ -28,7 +28,7 @@ use std::sync::atomic::Ordering;
 use time;
 use tokio::io::AsyncWriteExt as _;
 use tokio_util::io::ReaderStream;
-use tracing::{info, warn};
+use tracing::warn;
 
 // ─── URL query-string encoder ─────────────────────────────────────────────────
 //
@@ -174,7 +174,7 @@ pub async fn admin_backup(State(state): State<AppState>, jar: CookieJar) -> Resu
 
             let ts = Utc::now().format("%Y%m%d_%H%M%S");
             let fname = format!("rustchan-backup-{ts}.zip");
-            info!("Admin downloaded full backup ({} bytes on disk)", file_size);
+            tracing::info!(target: "admin", bytes = file_size, "Full backup downloaded");
             progress
                 .phase
                 .store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
@@ -534,7 +534,7 @@ pub async fn admin_restore(
             let expires_at = Utc::now().timestamp() + CONFIG.session_duration;
             match db::create_session(&live_conn, &fresh_sid, admin_id, expires_at) {
                 Ok(()) => {
-                    info!("Admin restore completed; new session issued for admin_id={admin_id}");
+                    tracing::info!(target: "admin", admin_id = admin_id, "Restore completed, new session issued");
                     // Refresh live board list — the restored DB may have
                     // different boards than what was running before.
                     if let Ok(boards) = db::get_all_boards(&live_conn) {
@@ -899,7 +899,7 @@ pub async fn create_full_backup(
             })?;
 
             let size = std::fs::metadata(&final_path).map(|m| m.len()).unwrap_or(0);
-            info!("Admin created full backup: {} ({} bytes)", fname, size);
+            tracing::info!(target: "admin", filename = %fname, bytes = size, "Full backup created");
             progress
                 .phase
                 .store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
@@ -1219,7 +1219,7 @@ pub async fn create_board_backup(
             })?;
 
             let size = std::fs::metadata(&final_path).map(|m| m.len()).unwrap_or(0);
-            info!("Admin created board backup: {} ({} bytes)", fname, size);
+            tracing::info!(target: "admin", filename = %fname, bytes = size, "Board backup created");
             progress.phase.store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
             Ok(())
         }
@@ -1413,7 +1413,7 @@ pub async fn delete_backup(
             if path.exists() {
                 std::fs::remove_file(&path)
                     .map_err(|e| AppError::Internal(anyhow::anyhow!("Delete backup: {e}")))?;
-                info!("Admin deleted backup file: {safe_filename}");
+                tracing::info!(target: "admin", filename = %safe_filename, "Backup file deleted");
             }
             Ok(())
         }
@@ -1584,7 +1584,7 @@ pub async fn restore_saved_full_backup(
             let expires_at = Utc::now().timestamp() + CONFIG.session_duration;
             match db::create_session(&live_conn, &fresh_sid, admin_id, expires_at) {
                 Ok(()) => {
-                    info!("Admin restore-saved completed; new session for admin_id={admin_id}");
+                    tracing::info!(target: "admin", admin_id = admin_id, "Restore-saved completed");
                     Ok(fresh_sid)
                 }
                 Err(e) => {
@@ -1915,7 +1915,7 @@ pub async fn restore_saved_board_backup(
                 }
             }
 
-            info!("Admin board restore-saved completed for /{board_short}/");
+            tracing::info!(target: "admin", board = %board_short, "Board restore-saved completed");
             let safe_short: String = board_short
                 .chars()
                 .filter(char::is_ascii_alphanumeric)
@@ -2291,7 +2291,7 @@ pub async fn board_backup(
 
             let ts = chrono::Utc::now().format("%Y%m%d_%H%M%S");
             let fname = format!("rustchan-board-{board_short}-{ts}.zip");
-            info!("Admin downloaded board backup for /{}/  ({} bytes on disk)", board_short, file_size);
+            tracing::info!(target: "admin", board = %board_short, bytes = file_size, "Board backup downloaded");
             progress.phase.store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
             Ok((final_path, fname, file_size))
         }
@@ -2838,7 +2838,7 @@ pub async fn board_restore(
                     }
                 }
 
-                info!("Admin board restore completed for /{board_short}/");
+                tracing::info!(target: "admin", board = %board_short, "Board restore completed");
                 // Refresh live board list — board_restore may have created a
                 // board that didn't exist before, so the top bar must update.
                 if let Ok(boards) = db::get_all_boards(&conn) {
diff --git a/src/handlers/admin/content.rs b/src/handlers/admin/content.rs
index c25066c..d91ddab 100644
--- a/src/handlers/admin/content.rs
+++ b/src/handlers/admin/content.rs
@@ -16,7 +16,6 @@ use axum::{
 use axum_extra::extract::cookie::CookieJar;
 use serde::Deserialize;
 use std::path::PathBuf;
-use tracing::info;
 
 // ─── POST /admin/board/create ─────────────────────────────────────────────────
 
@@ -73,7 +72,7 @@ pub async fn create_board(
             let conn = pool.get()?;
             super::require_admin_session_sid(&conn, session_id.as_deref())?;
             db::create_board(&conn, &short, &name, &description, nsfw)?;
-            info!("Admin created board /{short}/");
+            tracing::info!(target: "admin", board = %short, "Board created");
             // Refresh live board list so the top bar on any subsequent error
             // page includes the newly created board.
             crate::templates::set_live_boards(db::get_all_boards(&conn)?);
@@ -142,11 +141,7 @@ pub async fn delete_board(
                 }
             }
 
-            info!(
-                "Admin deleted board id={} ({} file(s) removed)",
-                form.board_id,
-                paths.len()
-            );
+            tracing::info!(target: "admin", board_id = form.board_id, files_removed = paths.len(), "Board deleted");
             // Refresh live board list so the top bar immediately stops showing
             // the deleted board — important because error pages use this cache.
             crate::templates::set_live_boards(db::get_all_boards(&conn)?);
@@ -213,7 +208,7 @@ pub async fn thread_action(
                 &board_for_log,
                 "",
             );
-            info!("Admin {action} thread {thread_id}");
+            tracing::info!(target: "admin", action = %action, thread_id = thread_id, "Thread action");
             Ok(())
         }
     })
@@ -334,7 +329,7 @@ pub async fn admin_delete_post(
                 &board_name,
                 &post.body.chars().take(80).collect::<String>(),
             );
-            info!("Admin deleted post {post_id}");
+            tracing::info!(target: "admin", post_id = post_id, "Post deleted");
             // Return board_name + thread context so we can redirect back to the thread.
             // If the post was an OP, redirect to the board index (thread is gone).
             if is_op {
@@ -413,7 +408,7 @@ pub async fn admin_delete_thread(
                 &board_name,
                 "",
             );
-            info!("Admin deleted thread {thread_id}");
+            tracing::info!(target: "admin", thread_id = thread_id, "Thread deleted");
             Ok(board_name)
         }
     })
diff --git a/src/handlers/admin/moderation.rs b/src/handlers/admin/moderation.rs
index 694a6b9..2a0eca0 100644
--- a/src/handlers/admin/moderation.rs
+++ b/src/handlers/admin/moderation.rs
@@ -15,7 +15,6 @@ use axum::{
 use axum_extra::extract::cookie::CookieJar;
 use chrono::Utc;
 use serde::Deserialize;
-use tracing::info;
 
 // ─── POST /admin/ban/add ──────────────────────────────────────────────────────
 
@@ -65,7 +64,7 @@ pub async fn add_ban(
                 "",
                 &format!("ip_hash={}… reason={}", &ip_hash_log, form.reason),
             );
-            info!("Admin added ban for ip_hash {ip_hash_log}…");
+            tracing::info!(target: "admin", "Ban added");
             Ok(())
         }
     })
@@ -216,7 +215,7 @@ pub async fn admin_ban_and_delete(
                 );
             }
 
-            info!("Admin ban+delete: post={post_id} ip_hash={ip_hash_log}… board={board_short}");
+            tracing::info!(target: "admin", post_id = post_id, board = %board_short, "Ban and delete");
             Ok(())
         }
     })
@@ -525,7 +524,7 @@ pub async fn resolve_report(
                 "",
                 "",
             );
-            info!("Admin resolved report {}", form.report_id);
+            tracing::info!(target: "admin", report_id = form.report_id, "Report resolved");
             Ok(())
         }
     })
diff --git a/src/handlers/admin/settings.rs b/src/handlers/admin/settings.rs
index d36e36e..0bbc625 100644
--- a/src/handlers/admin/settings.rs
+++ b/src/handlers/admin/settings.rs
@@ -16,7 +16,6 @@ use axum::{
 };
 use axum_extra::extract::cookie::CookieJar;
 use serde::Deserialize;
-use tracing::info;
 
 // ─── POST /admin/board/settings ──────────────────────────────────────────────
 
@@ -111,7 +110,7 @@ pub async fn update_board_settings(
                 form.allow_captcha.as_deref() == Some("1"),
                 post_cooldown_secs,
             )?;
-            info!("Admin updated settings for board id={board_id}");
+            tracing::info!(target: "admin", board_id = board_id, "Board settings updated");
             crate::templates::set_live_boards(db::get_all_boards(&conn)?);
             Ok(())
         }
@@ -172,7 +171,7 @@ pub async fn update_site_settings(
                 "0"
             };
             db::set_site_setting(&conn, "collapse_greentext", val)?;
-            info!("Admin updated site setting: collapse_greentext={val}");
+            tracing::info!(target: "admin", value = val, "Site setting collapse_greentext updated");
 
             // Save the custom site name (trimmed, max 64 chars).
             let new_name = form
@@ -186,7 +185,7 @@ pub async fn update_site_settings(
             db::set_site_setting(&conn, "site_name", &new_name)?;
             // Update the in-memory live name so all pages reflect it immediately.
             crate::templates::set_live_site_name(&new_name);
-            info!("Admin updated site name to: {:?}", new_name);
+            tracing::info!(target: "admin", "Site name updated");
 
             // Save the custom subtitle.
             let new_subtitle = form
@@ -199,12 +198,12 @@ pub async fn update_site_settings(
                 .collect::<String>();
             db::set_site_setting(&conn, "site_subtitle", &new_subtitle)?;
             crate::templates::set_live_site_subtitle(&new_subtitle);
-            info!("Admin updated site subtitle to: {:?}", new_subtitle);
+            tracing::info!(target: "admin", "Site subtitle updated");
 
             // Persist both values back to settings.toml so they survive a
             // server restart without requiring a manual file edit.
             crate::config::update_settings_file_site_names(&new_name, &new_subtitle);
-            info!("settings.toml updated with new site_name and site_subtitle");
+            tracing::info!(target: "admin", "settings.toml updated");
 
             // Save the default theme slug (validated against allowed values).
             let new_theme = form
@@ -220,7 +219,7 @@ pub async fn update_site_settings(
             };
             db::set_site_setting(&conn, "default_theme", &new_theme)?;
             crate::templates::set_live_default_theme(&new_theme);
-            info!("Admin updated default theme to: {:?}", new_theme);
+            tracing::info!(target: "admin", "Default theme updated");
 
             Ok(())
         }
@@ -273,9 +272,12 @@ pub async fn admin_vacuum(
 
             let saved = size_before.saturating_sub(size_after);
 
-            info!(
-                "Admin ran VACUUM: {} → {} bytes ({} reclaimed)",
-                size_before, size_after, saved
+            tracing::info!(
+                target: "admin",
+                before_bytes = size_before,
+                after_bytes  = size_after,
+                saved_bytes  = saved,
+                "Admin ran VACUUM"
             );
 
             Ok(crate::templates::admin_vacuum_result_page(
diff --git a/src/handlers/board.rs b/src/handlers/board.rs
index ef768f5..0b39887 100644
--- a/src/handlers/board.rs
+++ b/src/handlers/board.rs
@@ -32,7 +32,6 @@ use axum::{
 };
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use std::collections::HashMap;
-use tracing::info;
 
 const PREVIEW_REPLIES: i64 = 3;
 const THREADS_PER_PAGE: i64 = 10;
@@ -407,7 +406,7 @@ pub async fn create_thread(
                 allow_archive: board.allow_archive,
             });
 
-            info!("New thread {thread_id} created in /{}/", board.short_name);
+            tracing::info!(target: "board", thread_id = thread_id, board = %board.short_name, "New thread created");
             Ok(format!("/{}/thread/{thread_id}", board.short_name))
         }
     })
diff --git a/src/handlers/thread.rs b/src/handlers/thread.rs
index 6c2d974..c911938 100644
--- a/src/handlers/thread.rs
+++ b/src/handlers/thread.rs
@@ -27,7 +27,6 @@ use axum::{
 };
 use axum_extra::extract::cookie::CookieJar;
 use serde::Deserialize;
-use tracing::info;
 
 // ─── GET /:board/thread/:id ───────────────────────────────────────────────────
 
@@ -328,7 +327,7 @@ pub async fn post_reply(
                 &board.short_name,
             );
 
-            info!("Reply {post_id} posted in thread {thread_id} on /{}/", board.short_name);
+            tracing::info!(target: "board", post_id = post_id, thread_id = thread_id, board = %board.short_name, "Reply posted");
             Ok(format!("/{}/thread/{thread_id}#p{post_id}", board.short_name))
         }
     })
@@ -557,7 +556,7 @@ pub async fn edit_post_post(
                 return Ok(EditOutcome::ErrorPage(html));
             }
 
-            info!("Post {post_id} edited on /{}/", board.short_name);
+            tracing::info!(target: "board", post_id = post_id, board = %board.short_name, "Post edited");
             Ok(EditOutcome::Redirect(format!(
                 "/{}/thread/{}#p{post_id}",
                 board.short_name, post.thread_id
@@ -632,9 +631,11 @@ pub async fn vote_handler(
             }
 
             db::cast_vote(&conn, poll_id, option_id, &ip_hash)?;
-            info!(
-                "Vote cast on poll {poll_id} option {option_id} by {}",
-                &ip_hash[..8]
+            tracing::info!(
+                target: "board",
+                poll_id = poll_id,
+                option_id = option_id,
+                "Vote cast"
             );
             Ok(format!("/{board_short}/thread/{thread_id}#poll"))
         }
diff --git a/src/logging.rs b/src/logging.rs
index da6af6e..2df8648 100644
--- a/src/logging.rs
+++ b/src/logging.rs
@@ -1,5 +1,6 @@
 // db/logging.rs — Structured logging initialisation.
 //
+<<<<<<< Updated upstream
 // Sets up two output layers:
 //   1. stderr  — human-readable, `info` and above (terminal/systemd journal)
 //   2. file    — JSON formatted, `debug` and above, written to
@@ -11,12 +12,58 @@
 // database file rather than next to the binary.  The caller should pass the
 // same directory used for `chan.db` (typically the directory containing the
 // binary at first run, but overridable via config).
+=======
+// Two output channels:
+//
+//   1. Terminal (stdout, TTY-aware)
+//      • When stdout is a TTY (interactive terminal):
+//          HH:MM:SS [LEVEL] [component] message
+//        Coloured level tags; component tag in cyan; fits in 80 columns.
+//      • When stdout is not a TTY (piped, systemd, Docker, nohup):
+//          YYYY-MM-DDTHH:MM:SSZ [LEVEL] [component] message
+//        Zero ANSI codes — clean for log shippers and `grep`.
+//
+//      All writes go through `CONSOLE_MUTEX` so `console.rs` interactive
+//      output never interleaves with log events.
+//
+//   2. Log file (rustchan.YYYY-MM-DD.log, JSON, always-on, daily rotation)
+//      Full structured JSON with timestamps, file, line, and fields.
+//      Never interleaves — tracing-appender uses its own internal lock.
+//
+// `CONSOLE_MUTEX`
+// ───────────────
+// A `parking_lot::Mutex<()>` used as a coordinated write-lock on stdout.
+// Both this module's `ConsoleLock` `MakeWriter` (used by the tracing
+// terminal layer) and `console.rs`'s helpers acquire this same lock before
+// writing. This eliminates byte-level interleaving between log events and
+// stats/prompt output regardless of concurrent async activity.
+//
+// `IS_TTY`
+// ────────
+// Set once during `init_logging()` via `std::io::IsTerminal`.
+// Read at every log event and every `console.rs` write to decide whether
+// to emit ANSI escape codes. Exposed via `is_tty()`.
+//
+// Respects the RUST_LOG environment variable if set.
+>>>>>>> Stashed changes
 
+use std::fmt;
+use std::io::{self, Write};
 use std::path::Path;
-use tracing_subscriber::{fmt, layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
+use std::sync::atomic::{AtomicBool, Ordering};
+use std::sync::LazyLock;
+
+use tracing::{Event, Level, Subscriber};
+use tracing_subscriber::fmt::format::{FmtSpan, FormatEvent, FormatFields, Writer};
+use tracing_subscriber::fmt::{FmtContext, MakeWriter};
+use tracing_subscriber::registry::LookupSpan;
+use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
+
+// ─── Shared console write lock ────────────────────────────────────────────────
 
-/// Initialise the global tracing subscriber.
+/// Global mutex that serialises all stdout writes across the process.
 ///
+<<<<<<< Updated upstream
 /// `db_dir` is the directory where `rustchan.log` will be written.
 /// This should be the same directory as `chan.db` so that logs and the
 /// database stay together and are easy to locate, back up, and rotate as
@@ -42,26 +89,243 @@ use tracing_subscriber::{fmt, layer::SubscriberExt, util::SubscriberInitExt, Env
 /// }
 /// ```
 pub fn init_logging(db_dir: &Path) {
+=======
+/// Both the tracing terminal layer (via [`ConsoleLock`]) and the `console.rs`
+/// interactive helpers acquire this before writing. The result: log events
+/// and stats/prompt blocks never interleave, even under high async concurrency.
+static CONSOLE_MUTEX: LazyLock<parking_lot::Mutex<()>> =
+    LazyLock::new(|| parking_lot::Mutex::new(()));
+
+// ─── TTY detection ────────────────────────────────────────────────────────────
+
+static IS_TTY: AtomicBool = AtomicBool::new(false);
+
+/// Returns `true` when stdout was a real interactive terminal at startup.
+///
+/// Used by the log formatter and `console.rs` to decide whether to emit ANSI
+/// escape codes. Always `false` when output is piped, redirected, or captured
+/// by a process supervisor like systemd.
+pub fn is_tty() -> bool {
+    IS_TTY.load(Ordering::Relaxed)
+}
+
+// ─── Component name extraction ────────────────────────────────────────────────
+
+/// Extract the useful short name from a tracing target (module path).
+///
+/// `rustchan::server::server` → `server`
+/// `rustchan::db::mod`        → `db`
+/// `rustchan::workers`        → `workers`
+/// `tower_http::trace`        → `trace`
+fn extract_component(target: &str) -> &str {
+    let mut parts = target.rsplit("::");
+    let last = parts.next().unwrap_or(target);
+    if last == "mod" {
+        parts.next().unwrap_or(last)
+    } else {
+        last
+    }
+}
+
+// ─── Custom terminal event formatter ─────────────────────────────────────────
+
+/// Writes a compact, structured line per log event.
+///
+/// TTY mode:
+///   `14:22:01 [INFO ] [server  ] Listening on http://0.0.0.0:8080`
+///
+/// Non-TTY mode (piped / systemd / Docker):
+///   `2026-03-18T14:22:01Z [INFO ] [server  ] Listening on http://0.0.0.0:8080`
+///
+/// The component column is fixed at 8 characters (truncated or space-padded)
+/// so message text always starts at the same column.
+struct ConsoleFormatter;
+
+impl<S, N> FormatEvent<S, N> for ConsoleFormatter
+where
+    S: Subscriber + for<'a> LookupSpan<'a>,
+    N: for<'a> FormatFields<'a> + 'static,
+{
+    fn format_event(
+        &self,
+        ctx: &FmtContext<'_, S, N>,
+        mut writer: Writer<'_>,
+        event: &Event<'_>,
+    ) -> fmt::Result {
+        let tty = IS_TTY.load(Ordering::Relaxed);
+
+        // ── Timestamp ─────────────────────────────────────────────────────────
+        if tty {
+            let now = chrono::Local::now();
+            write!(writer, "{} ", now.format("%H:%M:%S"))?;
+        } else {
+            let now = chrono::Utc::now();
+            write!(writer, "{} ", now.format("%Y-%m-%dT%H:%M:%SZ"))?;
+        }
+
+        // ── Level tag (fixed 7 chars: "[LEVEL]") ────────────────────────────
+        let level = *event.metadata().level();
+        let (tag, open, close) = if tty {
+            match level {
+                Level::ERROR => ("[ERROR]", "\x1b[1;31m", "\x1b[0m"),
+                Level::WARN => ("[WARN ]", "\x1b[33m", "\x1b[0m"),
+                Level::INFO => ("[INFO ]", "", ""),
+                Level::DEBUG => ("[DEBUG]", "\x1b[2m", "\x1b[0m"),
+                Level::TRACE => ("[TRACE]", "\x1b[2m", "\x1b[0m"),
+            }
+        } else {
+            match level {
+                Level::ERROR => ("[ERROR]", "", ""),
+                Level::WARN => ("[WARN ]", "", ""),
+                Level::INFO => ("[INFO ]", "", ""),
+                Level::DEBUG => ("[DEBUG]", "", ""),
+                Level::TRACE => ("[TRACE]", "", ""),
+            }
+        };
+        write!(writer, "{open}{tag}{close} ")?;
+
+        // ── Component tag (8-char fixed column, cyan in TTY) ─────────────────
+        let target = event.metadata().target();
+        let component = extract_component(target);
+        let component_chars: Vec<char> = component.chars().collect();
+        let display_len = component_chars.len().min(8);
+        // Use .get() to avoid a panic on the slice if somehow display_len > len.
+        let display: String = component_chars
+            .get(..display_len)
+            .unwrap_or(&component_chars)
+            .iter()
+            .collect();
+
+        let (ctag_open, ctag_close) = if tty {
+            ("\x1b[36m", "\x1b[0m")
+        } else {
+            ("", "")
+        };
+        write!(writer, "{ctag_open}[{display:<8}]{ctag_close} ")?;
+
+        // ── Message and structured key=value fields ───────────────────────────
+        ctx.format_fields(writer.by_ref(), event)?;
+        writeln!(writer)
+    }
+}
+
+// ─── MakeWriter: routes terminal writes through CONSOLE_MUTEX ─────────────────
+
+/// Holds the console lock guard for the duration of one log event write.
+///
+/// The `_guard` field is held solely for its `Drop` side-effect (releasing
+/// `CONSOLE_MUTEX`). It is never accessed directly.
+struct LockedWriter {
+    _guard: parking_lot::MutexGuard<'static, ()>,
+}
+
+impl io::Write for LockedWriter {
+    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+        io::stdout().write(buf)
+    }
+
+    fn flush(&mut self) -> io::Result<()> {
+        io::stdout().flush()
+    }
+}
+
+/// `MakeWriter` that returns a [`LockedWriter`] for each log event.
+///
+/// The tracing layer calls `make_writer()` once per event, writes through
+/// the returned writer, then drops it — atomically releasing the stdout lock.
+struct ConsoleLock;
+
+impl<'a> MakeWriter<'a> for ConsoleLock {
+    type Writer = LockedWriter;
+
+    fn make_writer(&'a self) -> LockedWriter {
+        LockedWriter {
+            _guard: CONSOLE_MUTEX.lock(),
+        }
+    }
+}
+
+// ─── Initialisation ───────────────────────────────────────────────────────────
+
+/// Initialise the global tracing subscriber. Call exactly once at startup,
+/// before any `tracing::info!` or `tracing::warn!` calls are made.
+///
+/// Detects whether stdout is an interactive terminal and stores the result
+/// in `IS_TTY` for the process lifetime. Installs two layers:
+///
+/// 1. **Terminal layer** — `ConsoleFormatter` writes via `ConsoleLock`
+///    (`CONSOLE_MUTEX`). Human-readable, coloured when TTY, plain otherwise.
+///    Serialised with `console.rs` output via the shared mutex.
+///
+/// 2. **File layer** — JSON, daily rotation, `debug`+.
+///    Written to `{log_dir}/rustchan.YYYY-MM-DD.log`.
+///    Independent of the console lock; uses `tracing-appender`'s own lock.
+pub fn init_logging(log_dir: &Path) {
+    use std::io::IsTerminal;
+
+    let tty = io::stdout().is_terminal();
+    IS_TTY.store(tty, Ordering::Relaxed);
+
+>>>>>>> Stashed changes
     let env_filter = EnvFilter::try_from_default_env()
         .unwrap_or_else(|_| EnvFilter::new("rustchan=info,tower_http=warn"));
 
-    // stderr layer — compact human-readable output for the terminal.
-    let stderr_layer = fmt::layer().with_target(false).compact();
+    let terminal_layer = tracing_subscriber::fmt::layer()
+        .event_format(ConsoleFormatter)
+        .with_writer(ConsoleLock);
 
+<<<<<<< Updated upstream
     // File layer — JSON, includes file/line for structured log analysis.
     // FIX[#33]: daily rotation; files are named `rustchan.log.YYYY-MM-DD`.
     let file_appender = tracing_appender::rolling::daily(db_dir, "rustchan.log");
     let file_layer = fmt::layer()
+=======
+    let file_appender = tracing_appender::rolling::daily(log_dir, "rustchan.log");
+    let file_layer = tracing_subscriber::fmt::layer()
+>>>>>>> Stashed changes
         .json()
         .with_writer(file_appender)
         .with_target(true)
         .with_file(true)
         .with_line_number(true)
-        .with_span_events(fmt::format::FmtSpan::CLOSE);
+        .with_span_events(FmtSpan::CLOSE);
 
     tracing_subscriber::registry()
         .with(env_filter)
-        .with(stderr_layer)
+        .with(terminal_layer)
         .with(file_layer)
         .init();
 }
+
+// ─── Console print helpers ────────────────────────────────────────────────────
+//
+// All helpers acquire `CONSOLE_MUTEX` before writing so they serialise
+// correctly with the tracing terminal layer. Use these instead of
+// `println!`/`print!` in `console.rs` and `detect.rs`.
+
+/// Print `msg` followed by a newline to stdout, under the console lock.
+pub fn console_println(msg: &str) {
+    let _guard = CONSOLE_MUTEX.lock();
+    let _ = writeln!(io::stdout(), "{msg}");
+}
+
+/// Write a raw pre-formatted block exactly as provided (no trailing newline added).
+///
+/// Used for banners, install-hint blocks, and stats sections that are already
+/// fully formatted including their own newlines.
+pub fn console_print_raw(block: &str) {
+    let _guard = CONSOLE_MUTEX.lock();
+    let _ = write!(io::stdout(), "{block}");
+    let _ = io::stdout().flush();
+}
+
+/// Write a prompt string (no newline) and flush stdout, under the console lock.
+///
+/// The lock is released before returning so the subsequent blocking `read_line`
+/// call does not prevent log events from being written while waiting for input.
+pub fn console_prompt(msg: &str) {
+    let _guard = CONSOLE_MUTEX.lock();
+    let _ = write!(io::stdout(), "{msg}");
+    let _ = io::stdout().flush();
+    // _guard dropped here — stdin read happens outside the lock
+}
diff --git a/src/main.rs b/src/main.rs
index b4ec61d..f2435f3 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -62,6 +62,7 @@ fn main() -> anyhow::Result<()> {
     logging::init_logging(&binary_dir);
 
     tracing::info!(
+        target: "startup",
         version = env!("CARGO_PKG_VERSION"),
         log_dir = %binary_dir.display(),
         "rustchan starting",
diff --git a/src/server/console.rs b/src/server/console.rs
index 85e5eb8..e01c13e 100644
--- a/src/server/console.rs
+++ b/src/server/console.rs
@@ -1,19 +1,47 @@
 // server/console.rs — Terminal stats display and interactive keyboard console.
 //
-// Everything in this file is pure terminal I/O — it has no knowledge of HTTP
-// routing, middleware, or request handling.
+// All output goes through crate::logging helpers (console_println,
+// console_print_raw, console_prompt) which acquire CONSOLE_MUTEX before
+// writing.  This ensures log events from the tracing layer and console
+// output from this module never interleave on stdout.
+//
+// All ANSI escape codes are guarded by crate::logging::is_tty() so that
+// piped / systemd / Docker deployments receive plain text with zero escape
+// pollution.
 //
 // Exported entry points called from server/server.rs:
-//   print_banner()                           — startup box printed before bind
-//   spawn_keyboard_handler(pool, start_time) — spawns the stdin-reading thread
+//   print_banner()                                  — startup box before bind
+//   prompt_create_first_admin(pool, reader)         — first-run admin wizard
+//   spawn_keyboard_handler(pool, start_time)        — spawns the stdin thread
 
 use crate::config::CONFIG;
 use crate::db::DbPool;
 use crate::server::{ACTIVE_IPS, ACTIVE_UPLOADS, IN_FLIGHT, REQUEST_COUNT, SPINNER_TICK};
-use std::io::{BufRead, BufReader, Write};
+use std::io::{BufRead, BufReader};
 use std::sync::atomic::Ordering;
 use std::time::{Duration, Instant};
 
+// ─── ANSI helpers ─────────────────────────────────────────────────────────────
+
+/// Return `code` when in TTY mode, empty string otherwise.
+fn c(code: &'static str) -> &'static str {
+    if crate::logging::is_tty() {
+        code
+    } else {
+        ""
+    }
+}
+
+const RST: &str = "\x1b[0m";
+const RED: &str = "\x1b[31m";
+const GRN: &str = "\x1b[32m";
+const YLW: &str = "\x1b[33m";
+const CYN: &str = "\x1b[36m";
+const BLD: &str = "\x1b[1m";
+const DIM: &str = "\x1b[2m";
+const BLD_GRN: &str = "\x1b[1;32m";
+const BLD_YLW: &str = "\x1b[1;33m";
+
 // ─── Terminal stats ───────────────────────────────────────────────────────────
 
 pub struct TermStats {
@@ -23,157 +51,182 @@ pub struct TermStats {
     pub last_tick: Instant,
 }
 
+/// Format a byte count as a human-readable string (B / KiB / MiB / GiB).
+#[allow(clippy::cast_precision_loss)] // file-size display; f64 precision is adequate
+fn fmt_bytes(b: i64) -> String {
+    const KIB: i64 = 1024;
+    const MIB: i64 = 1024 * 1024;
+    const GIB: i64 = 1024 * 1024 * 1024;
+    if b < KIB {
+        format!("{b} B")
+    } else if b < MIB {
+        format!("{:.1} KiB", b as f64 / KIB as f64)
+    } else if b < GIB {
+        format!("{:.1} MiB", b as f64 / MIB as f64)
+    } else {
+        format!("{:.2} GiB", b as f64 / GIB as f64)
+    }
+}
+
 #[allow(clippy::too_many_lines)]
 #[allow(clippy::arithmetic_side_effects)]
+#[allow(clippy::many_single_char_names)]
 pub fn print_stats(pool: &DbPool, start: Instant, ts: &mut TermStats) {
-    // Uptime
-    let uptime = start.elapsed();
-    let h = uptime.as_secs() / 3600;
-    let m = (uptime.as_secs() % 3600) / 60;
+    use std::fmt::Write as _;
 
-    // req/s — delta since last tick
-    let now = Instant::now();
-    let elapsed_secs = now.duration_since(ts.last_tick).as_secs_f64().max(0.001);
-    ts.last_tick = now;
+    // ── Uptime ────────────────────────────────────────────────────────────────
+    let uptime = start.elapsed();
+    let up_h = uptime.as_secs() / 3600;
+    let up_m = (uptime.as_secs() % 3600) / 60;
+    let up_s = uptime.as_secs() % 60;
+
+    // ── req/s delta since last tick ───────────────────────────────────────────
+    let now_instant = Instant::now();
+    let elapsed_secs = now_instant
+        .duration_since(ts.last_tick)
+        .as_secs_f64()
+        .max(0.001);
+    ts.last_tick = now_instant;
     let curr_reqs = REQUEST_COUNT.load(Ordering::Relaxed);
     let req_delta = curr_reqs.saturating_sub(ts.prev_req_count);
     #[allow(clippy::cast_precision_loss)]
     let rps = req_delta as f64 / elapsed_secs;
     ts.prev_req_count = curr_reqs;
 
-    // DB query
-    let (boards, threads, posts, db_kb, board_stats) = pool.get().map_or_else(
+    // ── DB snapshot ───────────────────────────────────────────────────────────
+    let (boards, threads, posts, db_bytes, board_stats) = pool.get().map_or_else(
         |_| (0i64, 0i64, 0i64, 0i64, vec![]),
         |conn| {
-            let b: i64 = conn
+            let boards_n: i64 = conn
                 .query_row("SELECT COUNT(*) FROM boards", [], |r| r.get(0))
                 .unwrap_or(0);
-            let th: i64 = conn
-                .query_row("SELECT COUNT(*) FROM threads", [], |r| r.get(0))
+            let threads_n: i64 = conn
+                .query_row("SELECT COUNT(*) FROM threads WHERE archived = 0", [], |r| {
+                    r.get(0)
+                })
                 .unwrap_or(0);
-            let p: i64 = conn
+            let posts_n: i64 = conn
                 .query_row("SELECT COUNT(*) FROM posts", [], |r| r.get(0))
                 .unwrap_or(0);
-            let kb: i64 = {
+            let db_n: i64 = {
                 let pc: i64 = conn
                     .query_row("PRAGMA page_count", [], |r| r.get(0))
                     .unwrap_or(0);
                 let ps: i64 = conn
                     .query_row("PRAGMA page_size", [], |r| r.get(0))
                     .unwrap_or(4096);
-                pc * ps / 1024
+                pc * ps
             };
-            let bs = crate::db::get_per_board_stats(&conn);
-            (b, th, p, kb, bs)
+            let stats = crate::db::get_per_board_stats(&conn);
+            (boards_n, threads_n, posts_n, db_n, stats)
         },
     );
 
-    let upload_mb = dir_size_mb(&CONFIG.upload_dir);
+    let upload_bytes = dir_size_bytes(&CONFIG.upload_dir);
+    let in_flight = IN_FLIGHT.load(Ordering::Relaxed);
+    let online = ACTIVE_IPS.len();
+    let mem_bytes = process_rss_kb().cast_signed().saturating_mul(1024);
 
-    // New-event flash: bold+yellow when counts increased since last tick
+    // ── Delta highlights ──────────────────────────────────────────────────────
     let new_threads = (threads - ts.prev_thread_count).max(0);
     let new_posts = (posts - ts.prev_post_count).max(0);
-    let thread_str = if new_threads > 0 {
-        format!("\x1b[1;33mthreads {threads} (+{new_threads})\x1b[0m")
-    } else {
-        format!("threads {threads}")
-    };
-    let post_str = if new_posts > 0 {
-        format!("\x1b[1;33mposts {posts} (+{new_posts})\x1b[0m")
-    } else {
-        format!("posts {posts}")
-    };
     ts.prev_thread_count = threads;
     ts.prev_post_count = posts;
 
-    // Active connections / users online
-    // FIX[AUDIT-1]: IN_FLIGHT is now AtomicU64 — load directly, no .max(0) cast.
-    let in_flight = IN_FLIGHT.load(Ordering::Relaxed);
-    let online_count = ACTIVE_IPS.len();
-
-    // CRIT-5: Keys are SHA-256 hashes — show 8-char prefixes for diagnostics.
-    // FIX[AUDIT-3]: Use .get(..8) instead of direct [..8] byte-index so this
-    // stays safe if a key is ever shorter than 8 chars (defensive programming).
-    let ip_list: String = {
-        let mut hashes: Vec<String> = ACTIVE_IPS
-            .iter()
-            .map(|e| {
-                let key = e.key();
-                key.get(..8).unwrap_or(key.as_str()).to_string()
-            })
-            .collect();
-        hashes.sort_unstable();
-        hashes.truncate(5);
-        if hashes.is_empty() {
-            "none".into()
-        } else {
-            hashes.join(", ")
-        }
-    };
-
-    // Upload progress bar — shown only while uploads are active
-    // FIX[AUDIT-1]: ACTIVE_UPLOADS is now AtomicU64 — load directly.
+    // ── Active uploads spinner ────────────────────────────────────────────────
     let active_uploads = ACTIVE_UPLOADS.load(Ordering::Relaxed);
-    if active_uploads > 0 {
-        // Fix #5: SPINNER_TICK was read but never written anywhere, so the
-        // spinner was permanently frozen on frame 0 ("⠋").  Increment it here,
-        // inside the only branch that actually displays the spinner.
+    let upload_line = if active_uploads > 0 {
         let tick = SPINNER_TICK.fetch_add(1, Ordering::Relaxed);
-        let spinners = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
-        let spin = spinners
-            .get((usize::try_from(tick).unwrap_or(0)) % spinners.len())
+        let frames = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+        let frame = frames
+            .get(usize::try_from(tick).unwrap_or(0) % frames.len())
             .copied()
             .unwrap_or("⠋");
-        let fill = ((tick % 20) as usize).min(10);
-        let bar = format!("{}{}", "█".repeat(fill), "░".repeat(10 - fill));
-        println!("  \x1b[36m{spin} UPLOAD  [{bar}]  {active_uploads} file(s) uploading\x1b[0m");
-    }
+        format!(
+            "  {}{frame}{}  {active_uploads} file(s) uploading\n",
+            c(CYN),
+            c(RST)
+        )
+    } else {
+        String::new()
+    };
 
-    // Main stats line
-    #[allow(clippy::cast_precision_loss)]
-    let stats_line = format!(
-        "── STATS  uptime {h}h{m:02}m  │  requests {curr_reqs}  │  \x1b[32m{rps:.1} req/s\x1b[0m  │  in-flight {in_flight}  │  boards {boards}  {thread_str}  {post_str}  │  db {db_kb} KiB  uploads {upload_mb:.1} MiB ──"
-    );
-    println!("{stats_line}");
+    // ── Value strings ─────────────────────────────────────────────────────────
+    let ts_str = chrono::Local::now().format("%H:%M:%S").to_string();
 
-    // Users online line
-    let mem_rss = process_rss_kb();
-    println!("   users online: {online_count}  │  IPs: {ip_list}  │  mem: {mem_rss} KiB RSS");
+    let thread_val = if new_threads > 0 {
+        format!("{}{threads}(+{new_threads}){}", c(BLD_YLW), c(RST))
+    } else {
+        threads.to_string()
+    };
+    let post_val = if new_posts > 0 {
+        format!("{}{posts}(+{new_posts}){}", c(BLD_YLW), c(RST))
+    } else {
+        posts.to_string()
+    };
+    let rps_val = if rps >= 1.0 {
+        format!("{}{rps:.1}/s{}", c(BLD_GRN), c(RST))
+    } else {
+        format!("{rps:.2}/s")
+    };
 
-    // Per-board breakdown
+    // ── Assemble the output block ─────────────────────────────────────────────
+    let mut block = String::new();
+
+    writeln!(
+        block,
+        "\n{dim}── stats {ts_str}{rst}",
+        dim = c(DIM),
+        rst = c(RST)
+    )
+    .ok();
+
+    writeln!(block,
+        "  uptime  {up_h}h {up_m:02}m {up_s:02}s    requests  {curr_reqs}    {rps_val}    in-flight {in_flight}").ok();
+
+    writeln!(
+        block,
+        "  boards  {boards:<5}  threads  {thread_val:<20}  posts  {post_val}"
+    )
+    .ok();
+
+    writeln!(
+        block,
+        "  db      {db:<12}  uploads  {upl:<12}  online  {online}    rss  {rss}",
+        db = fmt_bytes(db_bytes),
+        upl = fmt_bytes(upload_bytes),
+        rss = fmt_bytes(mem_bytes)
+    )
+    .ok();
+
+    // Board breakdown (two boards per line)
     if !board_stats.is_empty() {
-        let segments: Vec<String> = board_stats
-            .iter()
-            .map(|(short, t, p)| format!("/{short}/  threads:{t} posts:{p}"))
-            .collect();
-        let mut line = String::from("   ");
-        let mut line_len = 0usize;
-        for seg in &segments {
-            if line_len > 0 && line_len + seg.len() + 5 > 110 {
-                println!("{line}");
-                line = String::from("   ");
-                line_len = 0;
-            }
-            if line_len > 0 {
-                line.push_str("  │  ");
-                line_len += 5;
+        writeln!(block, "  {dim}", dim = c(DIM)).ok();
+        let mut col = 0usize;
+        for (short, thr, pst) in &board_stats {
+            let seg = format!("/{short}/ {thr}t {pst}p");
+            if col == 0 {
+                write!(block, "  {seg:<36}").ok();
+                col = 1;
+            } else {
+                writeln!(block, "  {seg}").ok();
+                col = 0;
             }
-            line.push_str(seg);
-            line_len += seg.len();
         }
-        if line_len > 0 {
-            println!("{line}");
+        if col == 1 {
+            block.push('\n');
         }
+        block.push_str(c(RST));
     }
+
+    block.push_str(&upload_line);
+    writeln!(block, "{dim}", dim = c(DIM)).ok();
+    block.push('\n');
+    block.push_str(c(RST));
+
+    crate::logging::console_print_raw(&block);
 }
 
-/// Read the process RSS (resident set size) in KiB.
-///
-/// * Linux  — parsed from `/proc/self/status` (`VmRSS` field, already in KiB).
-/// * macOS  — Fix #11: spawns `ps -o rss= -p <pid>` (output is KiB on macOS).
-///   Previously this returned 0 on macOS, showing a misleading
-///   `mem: 0 KiB RSS` in the terminal stats display.
-/// * Other  — returns 0 rather than showing a misleading value.
 fn process_rss_kb() -> u64 {
     #[cfg(target_os = "linux")]
     {
@@ -191,7 +244,6 @@ fn process_rss_kb() -> u64 {
     }
     #[cfg(target_os = "macos")]
     {
-        // `ps -o rss=` outputs the RSS in KiB on macOS (no header when '=' suffix used).
         let pid = std::process::id().to_string();
         if let Ok(out) = std::process::Command::new("ps")
             .args(["-o", "rss=", "-p", &pid])
@@ -206,10 +258,8 @@ fn process_rss_kb() -> u64 {
     0
 }
 
-fn dir_size_mb(path: &str) -> f64 {
-    #[allow(clippy::cast_precision_loss)]
-    let mb = walkdir_size(std::path::Path::new(path)) as f64 / (1024.0 * 1024.0);
-    mb
+fn dir_size_bytes(path: &str) -> i64 {
+    walkdir_size(std::path::Path::new(path)).cast_signed()
 }
 
 fn walkdir_size(path: &std::path::Path) -> u64 {
@@ -219,9 +269,6 @@ fn walkdir_size(path: &std::path::Path) -> u64 {
     entries
         .flatten()
         .map(|e| {
-            // Fix #10: use file_type() from the DirEntry (does NOT follow
-            // symlinks) instead of Path::is_dir() (which does).  A symlink
-            // loop via is_dir() causes unbounded recursion and a stack overflow.
             let is_real_dir = e.file_type().is_ok_and(|ft| ft.is_dir());
             if is_real_dir {
                 walkdir_size(&e.path())
@@ -236,16 +283,7 @@ fn walkdir_size(path: &std::path::Path) -> u64 {
 
 #[allow(clippy::arithmetic_side_effects)]
 pub fn print_banner() {
-    // Fix #3: All dynamic values (forum_name, bind_addr, paths, MiB sizes) are
-    // padded/truncated to exactly fill the fixed inner width, so the right-hand
-    // │ character is always aligned regardless of the actual value length.
     const INNER: usize = 53;
-
-    // FIX[AUDIT-4]: The original closure collected chars into a `Vec<char>` and
-    // had a dead `unwrap_or_else(|| s.clone())` branch — `get(..width)` on a
-    // slice of length >= width never returns None.  The rewrite uses
-    // `chars().count()` (no heap allocation) and `chars().take(width).collect()`
-    // (single pass), eliminating both the intermediate Vec and the dead code.
     let cell = |s: String, width: usize| -> String {
         let char_count = s.chars().count();
         if char_count >= width {
@@ -256,47 +294,226 @@ pub fn print_banner() {
     };
 
     let title = cell(
-        format!("{} v{}", env!("CARGO_PKG_VERSION"), CONFIG.forum_name),
-        INNER - 2, // 2 leading spaces in "│  <title>│"
+        format!("{} v{}", CONFIG.forum_name, env!("CARGO_PKG_VERSION")),
+        INNER - 2,
     );
-    let bind = cell(CONFIG.bind_addr.clone(), INNER - 10); // "│  Bind    <val>│"
-    let db = cell(CONFIG.database_path.clone(), INNER - 10); // "│  DB      <val>│"
-    let upl = cell(CONFIG.upload_dir.clone(), INNER - 10); // "│  Uploads <val>│"
+    let bind = cell(CONFIG.bind_addr.clone(), INNER - 10);
+    let db = cell(CONFIG.database_path.clone(), INNER - 10);
+    let upl = cell(CONFIG.upload_dir.clone(), INNER - 10);
     let img_mib = CONFIG.max_image_size / 1024 / 1024;
     let vid_mib = CONFIG.max_video_size / 1024 / 1024;
+    let aud_mib = CONFIG.max_audio_size / 1024 / 1024;
     let limits = cell(
-        format!("Images {img_mib} MiB max  │  Videos {vid_mib} MiB max"),
-        INNER - 4, // "│  <val>  │"
+        format!("img {img_mib} MiB  vid {vid_mib} MiB  audio {aud_mib} MiB"),
+        INNER - 4,
+    );
+
+    let block = format!(
+        "{cyan}┌─────────────────────────────────────────────────────┐\n\
+         │  {title}│\n\
+         ├─────────────────────────────────────────────────────┤\n\
+         │  Bind    {bind}│\n\
+         │  DB      {db}│\n\
+         │  Uploads {upl}│\n\
+         │  {limits}  │\n\
+         └─────────────────────────────────────────────────────┘{rst}\n",
+        cyan = c(CYN),
+        rst = c(RST),
     );
+    crate::logging::console_print_raw(&block);
+}
+
+// ─── First-run admin wizard ───────────────────────────────────────────────────
+
+/// Interactive wizard that creates the first admin account and optionally a
+/// first board. Called from `server.rs` on first run (no admin accounts in DB)
+/// when stdout is a TTY, before `spawn_keyboard_handler` so stdin is uncontested.
+///
+/// Reads from `reader` for input. Each prompt releases the console lock before
+/// blocking on `read_line` so log events are not stalled while waiting for input.
+#[allow(clippy::too_many_lines)]
+pub fn prompt_create_first_admin(pool: &DbPool, reader: &mut dyn BufRead) {
+    let header = format!(
+        "\n\
+        {cyan}╔══════════════════════════════════════════════════════╗\n\
+        ║         FIRST RUN — CREATE ADMIN ACCOUNT             ║\n\
+        ╠══════════════════════════════════════════════════════╣\n\
+        ║  No admin accounts found.                            ║\n\
+        ║  Create one now to access the admin panel at /admin  ║\n\
+        ║  after the server starts. (Ctrl+C to skip for now.)  ║\n\
+        ╚══════════════════════════════════════════════════════╝{rst}\n\n",
+        cyan = c(CYN),
+        rst = c(RST),
+    );
+    crate::logging::console_print_raw(&header);
+
+    let username = prompt_username(reader);
+    let Some(username) = username else {
+        return;
+    };
+
+    if crate::logging::is_tty() {
+        crate::logging::console_println(&format!(
+            "  {}Note: password input is visible — this is a one-time setup.{}",
+            c(YLW),
+            c(RST)
+        ));
+    }
+
+    let password = prompt_password(reader);
+    let Some(password) = password else {
+        return;
+    };
+
+    let Ok(hash) = crate::utils::crypto::hash_password(&password) else {
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Failed to hash password.",
+            c(RED),
+            c(RST)
+        ));
+        return;
+    };
+
+    let Ok(conn) = pool.get() else {
+        crate::logging::console_println(&format!(
+            "  {}[err]{} DB connection failed.",
+            c(RED),
+            c(RST)
+        ));
+        return;
+    };
+
+    match crate::db::create_admin(&conn, &username, &hash) {
+        Ok(id) => {
+            tracing::info!(
+                target: "startup",
+                username = %username,
+                id = id,
+                "First admin account created via setup wizard"
+            );
+            crate::logging::console_print_raw(&format!(
+                "\n  {}✓{} Admin '{}{username}{}' created (id={id}).\n\
+                   {}→{} Log in at /admin once the server is running.\n\n",
+                c(GRN),
+                c(RST),
+                c(BLD),
+                c(RST),
+                c(CYN),
+                c(RST),
+            ));
+        }
+        Err(e) => {
+            crate::logging::console_println(&format!(
+                "  {}[err]{} Failed to create admin: {e}",
+                c(RED),
+                c(RST)
+            ));
+            return;
+        }
+    }
+
+    crate::logging::console_prompt(&format!(
+        "  {}Create a board now?{} [y/N]: ",
+        c(CYN),
+        c(RST)
+    ));
+    let mut ans = String::new();
+    if reader.read_line(&mut ans).is_ok()
+        && matches!(ans.trim().to_lowercase().as_str(), "y" | "yes")
+    {
+        crate::logging::console_println("");
+        kb_create_board(pool, reader);
+    }
 
-    println!("┌─────────────────────────────────────────────────────┐");
-    println!("│  {title}│");
-    println!("├─────────────────────────────────────────────────────┤");
-    println!("│  Bind    {bind}│");
-    println!("│  DB      {db}│");
-    println!("│  Uploads {upl}│");
-    println!("│  {limits}  │");
-    println!("└─────────────────────────────────────────────────────┘");
+    crate::logging::console_println("");
+}
+
+// ─── Shared prompt helpers ────────────────────────────────────────────────────
+
+/// Read and validate a username from `reader`. Returns `None` on EOF/Ctrl-C.
+fn prompt_username(reader: &mut dyn BufRead) -> Option<String> {
+    loop {
+        crate::logging::console_prompt(&format!("  {}Username:{} ", c(CYN), c(RST)));
+        let mut s = String::new();
+        match reader.read_line(&mut s) {
+            Ok(0) | Err(_) => {
+                crate::logging::console_println(
+                    "\n  Skipped — run: rustchan-cli admin create-admin <user> <pass>",
+                );
+                return None;
+            }
+            Ok(_) => {}
+        }
+        let u = s.trim().to_string();
+        if u.is_empty() {
+            crate::logging::console_println("  Username cannot be empty.");
+            continue;
+        }
+        if u.len() > 32 {
+            crate::logging::console_println("  Username must be 32 characters or fewer.");
+            continue;
+        }
+        if !u
+            .chars()
+            .all(|ch| ch.is_ascii_alphanumeric() || ch == '_' || ch == '-')
+        {
+            crate::logging::console_println(
+                "  Username must be alphanumeric (underscores and hyphens allowed).",
+            );
+            continue;
+        }
+        return Some(u);
+    }
+}
+
+/// Read and confirm a password from `reader`. Returns `None` on EOF/Ctrl-C.
+fn prompt_password(reader: &mut dyn BufRead) -> Option<String> {
+    loop {
+        crate::logging::console_prompt(&format!("  {}Password (min 8 chars):{} ", c(CYN), c(RST)));
+        let mut p1 = String::new();
+        match reader.read_line(&mut p1) {
+            Ok(0) | Err(_) => {
+                crate::logging::console_println("\n  Skipped.");
+                return None;
+            }
+            Ok(_) => {}
+        }
+        let p1 = p1.trim().to_string();
+
+        if let Err(e) = crate::utils::crypto::validate_password(&p1) {
+            crate::logging::console_println(&format!("  {}✗{} {e}", c(RED), c(RST)));
+            continue;
+        }
+
+        crate::logging::console_prompt(&format!("  {}Confirm password:{}   ", c(CYN), c(RST)));
+        let mut p2 = String::new();
+        if reader.read_line(&mut p2).is_err() {
+            crate::logging::console_println("\n  Skipped.");
+            return None;
+        }
+        let p2 = p2.trim().to_string();
+        if p1 != p2 {
+            crate::logging::console_println(&format!(
+                "  {}✗{} Passwords do not match. Try again.",
+                c(RED),
+                c(RST)
+            ));
+            continue;
+        }
+        return Some(p1);
+    }
 }
 
 // ─── Keyboard-driven admin console ───────────────────────────────────────────
 
-// `reader` (BufReader<StdinLock>) must persist for the entire loop because it
-// is passed by &mut into sub-commands; the lint's inline suggestion is invalid.
 #[allow(clippy::significant_drop_tightening)]
 pub fn spawn_keyboard_handler(pool: DbPool, start_time: Instant) {
     std::thread::spawn(move || {
-        // Small delay so startup messages settle first
         std::thread::sleep(Duration::from_millis(600));
         print_keyboard_help();
 
         let stdin = std::io::stdin();
 
-        // Fix #4: TermStats must persist across keypresses so that
-        // prev_req_count/prev_post_count/prev_thread_count reflect the values
-        // at the *previous* 's' press, not zero.  Initializing inside the
-        // match arm made every post/thread appear as "+N new" and reported the
-        // lifetime-average req/s instead of the current rate.
         let mut persistent_stats = TermStats {
             prev_req_count: REQUEST_COUNT.load(Ordering::Relaxed),
             prev_post_count: 0,
@@ -304,127 +521,182 @@ pub fn spawn_keyboard_handler(pool: DbPool, start_time: Instant) {
             last_tick: Instant::now(),
         };
 
-        // Acquire stdin lock only after all pre-loop setup is complete so the
-        // StdinLock (significant Drop) is held for the shortest possible scope.
-        // `reader` is passed into kb_create_board / kb_delete_thread inside the
-        // loop, so it must live for the full loop scope and cannot be inlined.
         let mut reader = BufReader::new(stdin.lock());
 
         loop {
             let mut line = String::new();
             match reader.read_line(&mut line) {
-                Ok(0) | Err(_) => break, // EOF — stdin closed (daemon mode)
+                Ok(0) | Err(_) => break,
                 Ok(_) => {}
             }
             let cmd = line.trim().to_lowercase();
             match cmd.as_str() {
-                "s" => {
-                    print_stats(&pool, start_time, &mut persistent_stats);
-                }
+                "s" => print_stats(&pool, start_time, &mut persistent_stats),
                 "l" => kb_list_boards(&pool),
                 "c" => kb_create_board(&pool, &mut reader),
+                "a" => kb_create_admin(&pool, &mut reader),
                 "d" => kb_delete_thread(&pool, &mut reader),
                 "h" => print_keyboard_help(),
-                "q" => println!("  \x1b[33m[!]\x1b[0m Use Ctrl+C or SIGTERM to stop the server."),
+                "q" => crate::logging::console_println(&format!(
+                    "  {}[!]{} Use Ctrl+C or SIGTERM to stop the server.",
+                    c(YLW),
+                    c(RST)
+                )),
                 "" => {}
-                other => println!("  Unknown command '{other}'. Press [h] for help."),
+                other => crate::logging::console_println(&format!(
+                    "  Unknown command '{other}'. Press [h] for help."
+                )),
             }
-            let _ = std::io::stdout().flush();
         }
     });
 }
 
 fn print_keyboard_help() {
-    println!();
-    println!("  \x1b[36m╔══ Admin Console ════════════════════════════════╗\x1b[0m");
-    println!("  \x1b[36m║\x1b[0m  [s] show stats now    [l] list boards          \x1b[36m║\x1b[0m");
-    println!("  \x1b[36m║\x1b[0m  [c] create board      [d] delete thread        \x1b[36m║\x1b[0m");
-    println!("  \x1b[36m║\x1b[0m  [h] help              [q] quit hint            \x1b[36m║\x1b[0m");
-    println!("  \x1b[36m╚═════════════════════════════════════════════════╝\x1b[0m");
-    println!();
+    let block = format!(
+        "\n\
+        {cyan}╔══ Admin Console ══════════════════════════════════╗{rst}\n\
+        {cyan}║{rst}  [s] show stats     [l] list boards             {cyan}║{rst}\n\
+        {cyan}║{rst}  [c] create board   [a] create admin account    {cyan}║{rst}\n\
+        {cyan}║{rst}  [d] delete thread  [h] help    [q] quit hint   {cyan}║{rst}\n\
+        {cyan}╚══════════════════════════════════════════════════╝{rst}\n\n",
+        cyan = c(CYN),
+        rst = c(RST),
+    );
+    crate::logging::console_print_raw(&block);
 }
 
+// ─── kb_list_boards ───────────────────────────────────────────────────────────
+
 fn kb_list_boards(pool: &DbPool) {
+    use std::fmt::Write as _;
+
     let Ok(conn) = pool.get() else {
-        println!("  \x1b[31m[err]\x1b[0m Could not get DB connection.");
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Could not get DB connection.",
+            c(RED),
+            c(RST)
+        ));
         return;
     };
     let boards = match crate::db::get_all_boards(&conn) {
         Ok(b) => b,
         Err(e) => {
-            println!("  \x1b[31m[err]\x1b[0m {e}");
+            crate::logging::console_println(&format!("  {}[err]{} {e}", c(RED), c(RST)));
             return;
         }
     };
     if boards.is_empty() {
-        println!("  No boards found.");
+        crate::logging::console_println("  No boards found.");
         return;
     }
-    println!("  {:<5} {:<12} {:<24} NSFW", "ID", "Short", "Name");
-    println!("  {}", "─".repeat(48));
+
+    let mut block = format!(
+        "  {d}{:<5} {:<12} {:<24} NSFW{r}\n  {}\n",
+        "ID",
+        "Short",
+        "Name",
+        "─".repeat(48),
+        d = c(DIM),
+        r = c(RST),
+    );
     for b in &boards {
-        println!(
+        writeln!(
+            block,
             "  {:<5} /{:<11} {:<24} {}",
             b.id,
             format!("{}/", b.short_name),
             b.name,
-            if b.nsfw { "yes" } else { "no" }
-        );
+            if b.nsfw { "yes" } else { "no" },
+        )
+        .ok();
     }
-    println!();
+    block.push('\n');
+    crate::logging::console_print_raw(&block);
 }
 
-fn kb_create_board(pool: &DbPool, reader: &mut dyn std::io::BufRead) {
-    let mut prompt = |msg: &str| -> String {
-        print!("  \x1b[36m{msg}\x1b[0m ");
-        let _ = std::io::stdout().flush();
+// ─── kb_create_board ─────────────────────────────────────────────────────────
+
+#[allow(clippy::too_many_lines)]
+pub fn kb_create_board(pool: &DbPool, reader: &mut dyn BufRead) {
+    let prompt = |msg: &str, reader: &mut dyn BufRead| -> Option<String> {
+        crate::logging::console_prompt(msg);
         let mut s = String::new();
-        let _ = reader.read_line(&mut s);
-        s.trim().to_string()
+        match reader.read_line(&mut s) {
+            Ok(0) | Err(_) => None,
+            Ok(_) => Some(s.trim().to_string()),
+        }
     };
 
-    let short = prompt("Short name (e.g. 'tech'):");
-    if short.is_empty() {
-        println!("  Aborted.");
-        return;
-    }
+    let short = match prompt(
+        &format!("  {}Short name (e.g. 'tech'):{} ", c(CYN), c(RST)),
+        reader,
+    ) {
+        Some(v) if !v.is_empty() => v,
+        _ => {
+            crate::logging::console_println("  Aborted.");
+            return;
+        }
+    };
 
-    // FIX[AUDIT-5]: Validate short name immediately after reading it, before
-    // prompting for the remaining fields.  Previously validation happened at
-    // the bottom of the function, so the user would fill in all prompts before
-    // learning the short name was invalid.
     let short_lc = short.to_lowercase();
     if short_lc.is_empty()
         || short_lc.len() > 8
-        || !short_lc.chars().all(|c| c.is_ascii_alphanumeric())
+        || !short_lc.chars().all(|ch| ch.is_ascii_alphanumeric())
     {
-        println!("  \x1b[31m[err]\x1b[0m Short name must be 1-8 alphanumeric characters.");
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Short name must be 1-8 alphanumeric characters.",
+            c(RED),
+            c(RST)
+        ));
         return;
     }
 
-    let name = prompt("Display name:");
-    if name.is_empty() {
-        println!("  Aborted.");
-        return;
-    }
-    let desc = prompt("Description (blank = none):");
-    let nsfw_raw = prompt("NSFW board? [y/N]:");
+    let name = match prompt(&format!("  {}Display name:{} ", c(CYN), c(RST)), reader) {
+        Some(v) if !v.is_empty() => v,
+        _ => {
+            crate::logging::console_println("  Aborted.");
+            return;
+        }
+    };
+
+    let desc = prompt(
+        &format!("  {}Description (blank = none):{} ", c(CYN), c(RST)),
+        reader,
+    )
+    .unwrap_or_default();
+    let nsfw_raw =
+        prompt(&format!("  {}NSFW? [y/N]:{} ", c(CYN), c(RST)), reader).unwrap_or_default();
     let nsfw = matches!(nsfw_raw.to_lowercase().as_str(), "y" | "yes");
 
-    // Fix #6: prompt for media flags and call create_board_with_media_flags so
-    // boards created from the console have the same capabilities as those
-    // created via `rustchan-cli admin create-board`.
-    let no_images_raw = prompt("Disable images? [y/N]:");
-    let no_videos_raw = prompt("Disable video?  [y/N]:");
-    let no_audio_raw = prompt("Disable audio?  [y/N]:");
-    let allow_images = !matches!(no_images_raw.to_lowercase().as_str(), "y" | "yes");
-    let allow_video = !matches!(no_videos_raw.to_lowercase().as_str(), "y" | "yes");
-    let allow_audio = !matches!(no_audio_raw.to_lowercase().as_str(), "y" | "yes");
+    let no_img = prompt(
+        &format!("  {}Disable images? [y/N]:{} ", c(CYN), c(RST)),
+        reader,
+    )
+    .unwrap_or_default();
+    let no_vid = prompt(
+        &format!("  {}Disable video?  [y/N]:{} ", c(CYN), c(RST)),
+        reader,
+    )
+    .unwrap_or_default();
+    let no_aud = prompt(
+        &format!("  {}Disable audio?  [y/N]:{} ", c(CYN), c(RST)),
+        reader,
+    )
+    .unwrap_or_default();
+
+    let allow_images = !matches!(no_img.to_lowercase().as_str(), "y" | "yes");
+    let allow_video = !matches!(no_vid.to_lowercase().as_str(), "y" | "yes");
+    let allow_audio = !matches!(no_aud.to_lowercase().as_str(), "y" | "yes");
 
     let Ok(conn) = pool.get() else {
-        println!("  \x1b[31m[err]\x1b[0m Could not get DB connection.");
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Could not get DB connection.",
+            c(RED),
+            c(RST)
+        ));
         return;
     };
+
     match crate::db::create_board_with_media_flags(
         &conn,
         &short_lc,
@@ -435,40 +707,117 @@ fn kb_create_board(pool: &DbPool, reader: &mut dyn std::io::BufRead) {
         allow_video,
         allow_audio,
     ) {
-        Ok(id) => println!(
-            "  \x1b[32m✓\x1b[0m Board /{}/  — {}{}  created (id={}).  images:{} video:{} audio:{}",
-            short_lc,
-            name,
-            if nsfw { " [NSFW]" } else { "" },
-            id,
-            if allow_images { "yes" } else { "no" },
-            if allow_video { "yes" } else { "no" },
-            if allow_audio { "yes" } else { "no" },
-        ),
-        Err(e) => println!("  \x1b[31m[err]\x1b[0m {e}"),
+        Ok(id) => {
+            tracing::info!(
+                target: "console",
+                board = %short_lc,
+                name  = %name,
+                id    = id,
+                "Board created via console"
+            );
+            crate::logging::console_println(&format!(
+                "  {}✓{} Board /{short_lc}/  — {name}{}  created (id={id}).",
+                c(GRN),
+                c(RST),
+                if nsfw { " [NSFW]" } else { "" },
+            ));
+        }
+        Err(e) => crate::logging::console_println(&format!("  {}[err]{} {e}", c(RED), c(RST))),
     }
-    println!();
+    crate::logging::console_println("");
 }
 
-fn kb_delete_thread(pool: &DbPool, reader: &mut dyn std::io::BufRead) {
-    print!("  \x1b[36mThread ID to delete:\x1b[0m ");
-    let _ = std::io::stdout().flush();
+// ─── kb_create_admin ─────────────────────────────────────────────────────────
+
+/// Create an additional admin account from the interactive console.
+/// Also called by `prompt_create_first_admin` for the first-run wizard.
+#[allow(clippy::too_many_lines)]
+fn kb_create_admin(pool: &DbPool, reader: &mut dyn BufRead) {
+    crate::logging::console_print_raw(&format!(
+        "\n  {}── Create Admin Account ─────────────────────────────────{}\n\n",
+        c(CYN),
+        c(RST),
+    ));
+
+    if crate::logging::is_tty() {
+        crate::logging::console_println(&format!(
+            "  {}Note: password input is visible in terminal.{}",
+            c(YLW),
+            c(RST)
+        ));
+    }
+
+    let Some(username) = prompt_username(reader) else {
+        return;
+    };
+    let Some(password) = prompt_password(reader) else {
+        return;
+    };
+
+    let Ok(hash) = crate::utils::crypto::hash_password(&password) else {
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Failed to hash password.",
+            c(RED),
+            c(RST)
+        ));
+        return;
+    };
+
+    let Ok(conn) = pool.get() else {
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Could not get DB connection.",
+            c(RED),
+            c(RST)
+        ));
+        return;
+    };
+
+    match crate::db::create_admin(&conn, &username, &hash) {
+        Ok(id) => {
+            tracing::info!(
+                target: "console",
+                username = %username,
+                id = id,
+                "Admin account created via console"
+            );
+            crate::logging::console_println(&format!(
+                "  {}✓{} Admin '{username}' created (id={id}).",
+                c(GRN),
+                c(RST),
+            ));
+        }
+        Err(e) => crate::logging::console_println(&format!("  {}[err]{} {e}", c(RED), c(RST))),
+    }
+    crate::logging::console_println("");
+}
+
+// ─── kb_delete_thread ────────────────────────────────────────────────────────
+
+fn kb_delete_thread(pool: &DbPool, reader: &mut dyn BufRead) {
+    crate::logging::console_prompt(&format!("  {}Thread ID to delete:{} ", c(CYN), c(RST)));
     let mut s = String::new();
-    let _ = reader.read_line(&mut s);
-    let thread_id: i64 = if let Ok(n) = s.trim().parse() {
-        n
-    } else {
-        println!(
-            "  \x1b[31m[err]\x1b[0m '{}' is not a valid thread ID.",
+    if reader.read_line(&mut s).is_err() {
+        return;
+    }
+    let Ok(thread_id) = s.trim().parse::<i64>() else {
+        crate::logging::console_println(&format!(
+            "  {}[err]{} '{}' is not a valid thread ID.",
+            c(RED),
+            c(RST),
             s.trim()
-        );
+        ));
         return;
     };
 
     let Ok(conn) = pool.get() else {
-        println!("  \x1b[31m[err]\x1b[0m Could not get DB connection.");
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Could not get DB connection.",
+            c(RED),
+            c(RST)
+        ));
         return;
     };
+
     let exists: i64 = conn
         .query_row(
             "SELECT COUNT(*) FROM threads WHERE id = ?1",
@@ -477,31 +826,47 @@ fn kb_delete_thread(pool: &DbPool, reader: &mut dyn std::io::BufRead) {
         )
         .unwrap_or(0);
     if exists == 0 {
-        println!("  \x1b[31m[err]\x1b[0m Thread {thread_id} not found.");
+        crate::logging::console_println(&format!(
+            "  {}[err]{} Thread {thread_id} not found.",
+            c(RED),
+            c(RST)
+        ));
         return;
     }
 
-    print!("  \x1b[33mDelete thread {thread_id} and all its posts? [y/N]:\x1b[0m ");
-    let _ = std::io::stdout().flush();
+    crate::logging::console_prompt(&format!(
+        "  {}Delete thread {thread_id} and all its posts? [y/N]:{} ",
+        c(YLW),
+        c(RST)
+    ));
     let mut confirm = String::new();
-    let _ = reader.read_line(&mut confirm);
+    if reader.read_line(&mut confirm).is_err() {
+        return;
+    }
     if !matches!(confirm.trim().to_lowercase().as_str(), "y" | "yes") {
-        println!("  Aborted.");
+        crate::logging::console_println("  Aborted.");
         return;
     }
 
     match crate::db::delete_thread(&conn, thread_id) {
         Ok(paths) => {
+            let n = paths.len();
             for p in &paths {
                 crate::utils::files::delete_file(&CONFIG.upload_dir, p);
             }
-            println!(
-                "  \x1b[32m✓\x1b[0m Thread {} deleted ({} file(s) removed).",
-                thread_id,
-                paths.len()
+            tracing::info!(
+                target: "console",
+                thread_id = thread_id,
+                files_removed = n,
+                "Thread deleted via console"
             );
+            crate::logging::console_println(&format!(
+                "  {}✓{} Thread {thread_id} deleted ({n} file(s) removed).",
+                c(GRN),
+                c(RST)
+            ));
         }
-        Err(e) => println!("  \x1b[31m[err]\x1b[0m {e}"),
+        Err(e) => crate::logging::console_println(&format!("  {}[err]{} {e}", c(RED), c(RST))),
     }
-    println!();
+    crate::logging::console_println("");
 }
diff --git a/src/server/server.rs b/src/server/server.rs
index d1f10d3..175f09d 100644
--- a/src/server/server.rs
+++ b/src/server/server.rs
@@ -26,7 +26,6 @@ use std::net::SocketAddr;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::LazyLock;
 use std::time::{Duration, Instant};
-use tracing::info;
 use tracing::Instrument as _;
 
 use crate::config::{check_cookie_secret_rotation, generate_settings_file_if_missing, CONFIG};
@@ -228,7 +227,6 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
         .and_then(|(_, p)| p.parse::<u16>().ok())
         .unwrap_or(8080);
     crate::detect::detect_tor(CONFIG.enable_tor_support, bind_port, &data_dir);
-    println!();
 
     // FIX[High-10]: Capture JoinHandles from start_worker_pool so the shutdown
     // sequence can await each worker instead of blindly sleeping for 10 s.
@@ -265,7 +263,9 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
                 iv.tick().await;
                 if let Ok(conn) = bg.get() {
                     match crate::db::purge_expired_sessions(&conn) {
-                        Ok(n) if n > 0 => info!("Purged {n} expired sessions"),
+                        Ok(n) if n > 0 => {
+                            tracing::info!(target: "sessions", purged = n, "Expired sessions purged");
+                        }
                         Err(e) => tracing::error!("Session purge error: {e}"),
                         Ok(_) => {}
                     }
@@ -347,9 +347,12 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
                             Ok(()) => {
                                 let after = crate::db::get_db_size_bytes(&conn).unwrap_or(0);
                                 let saved = before.saturating_sub(after);
-                                info!(
-                                    "Scheduled VACUUM complete: {} → {} bytes ({} reclaimed)",
-                                    before, after, saved
+                                tracing::info!(
+                                    target: "db",
+                                    before_bytes = before,
+                                    after_bytes  = after,
+                                    saved_bytes  = saved,
+                                    "VACUUM complete"
                                 );
                             }
                             Err(e) => tracing::warn!("Scheduled VACUUM failed: {e}"),
@@ -380,7 +383,7 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
                         let cutoff = chrono::Utc::now().timestamp() - retention_cutoff_secs;
                         match crate::db::cleanup_expired_poll_votes(&conn, cutoff) {
                             Ok(n) if n > 0 => {
-                                info!("Poll vote cleanup: removed {} expired vote row(s)", n);
+                                tracing::info!(target: "polls", removed = n, "Expired poll vote rows purged");
                             }
                             Ok(_) => {}
                             Err(e) => tracing::warn!("Poll vote cleanup failed: {e}"),
@@ -417,10 +420,29 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
 
     let app = build_router(state.clone());
     let listener = tokio::net::TcpListener::bind(&bind_addr).await?;
-    info!("Listening on  http://{bind_addr}");
-    info!("Admin panel   http://{bind_addr}/admin");
-    info!("Data dir      {}", data_dir.display());
-    println!();
+    tracing::info!(target: "server", addr = %bind_addr, "HTTP server listening");
+    tracing::info!(target: "server", url = %format!("http://{bind_addr}/admin"), "Admin panel");
+    tracing::info!(target: "server", path = %data_dir.display(), "Data directory");
+
+    // First-run admin wizard: if no admin accounts exist and stdout is a TTY,
+    // prompt interactively before starting the keyboard handler (which also
+    // reads stdin).  In non-TTY mode (daemon/systemd) we log a warning instead
+    // so the operator knows to use the CLI.
+    if crate::db::has_no_admin(&pool) {
+        if crate::logging::is_tty() {
+            let stdin = std::io::stdin();
+            // Acquire and immediately pass the stdin lock to the wizard.
+            // The lock is released when `reader` drops at the end of this block,
+            // before spawn_keyboard_handler acquires its own stdin lock below.
+            let mut reader = std::io::BufReader::new(stdin.lock());
+            super::console::prompt_create_first_admin(&pool, &mut reader);
+        } else {
+            tracing::warn!(
+                target: "startup",
+                "No admin accounts exist — run: rustchan-cli admin create-admin <username> <password>"
+            );
+        }
+    }
 
     super::console::spawn_keyboard_handler(pool, start_time);
 
@@ -428,10 +450,10 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
         let chan_addr = crate::config::CONFIG.chan_net_bind.clone();
         let chan_app = crate::chan_net::chan_router(state.clone());
         let chan_listener = tokio::net::TcpListener::bind(&chan_addr).await?;
-        tracing::info!("ChanNet API listening on http://{chan_addr}/chan/status");
+        tracing::info!(target: "chan_net", addr = %chan_addr, "ChanNet API listening");
         tokio::spawn(async move {
             if let Err(e) = axum::serve(chan_listener, chan_app.into_make_service()).await {
-                tracing::error!("ChanNet server error: {e}");
+                tracing::error!(target: "chan_net", error = %e, "ChanNet server error");
             }
         });
     }
@@ -443,16 +465,21 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     .with_graceful_shutdown(shutdown_signal())
     .await?;
 
+<<<<<<< Updated upstream
     // FIX[High-10]: Signal workers and then await each handle with a per-worker
     // timeout, replacing the previous blind 10-second sleep. Each worker is
     // given up to 30 seconds to finish its in-flight job before we give up.
     info!("Signalling background workers to shut down…");
+=======
+    // Signal background workers to drain and exit (#7).
+    tracing::info!(target: "server", "Signalling background workers to shut down…");
+>>>>>>> Stashed changes
     worker_cancel.cancel();
     for handle in worker_handles {
         let _ = tokio::time::timeout(Duration::from_secs(30), handle).await;
     }
 
-    info!("Server shut down gracefully.");
+    tracing::info!(target: "server", "Server shut down gracefully.");
     Ok(())
 }
 
@@ -704,34 +731,35 @@ fn build_router(state: AppState) -> Router {
         // checks both the request scheme and the X-Forwarded-Proto header
         // (set by TLS-terminating proxies) before adding the header.
         .layer(axum_middleware::from_fn(hsts_middleware))
-        // Structured per-request tracing: logs method, URI, status, and
-        // latency for every HTTP request.  Spans are emitted at `info` level;
-        // failures at `error`.  tower_http filter in RUST_LOG controls noise.
+        // HTTP tracing: silent for normal responses, loud for failures.
+        //
+        // on_response is intentionally omitted — logging every 200/304 at INFO
+        // floods the terminal with one line per user action and buries real events.
+        // Operators who want per-request access logs can set RUST_LOG=tower_http=debug.
+        //
+        // on_failure fires for 5xx responses and transport errors at ERROR level.
+        // on_eos fires when a streaming response body closes unexpectedly.
+        // make_span_with creates a DEBUG span so req_id / method / uri are available
+        // in the file log for correlation without appearing on the terminal at INFO.
         .layer(
             tower_http::trace::TraceLayer::new_for_http()
                 .make_span_with(|request: &axum::http::Request<_>| {
-                    tracing::info_span!(
-                        "http_request",
+                    tracing::debug_span!(
+                        "http",
                         method = %request.method(),
                         uri    = %request.uri(),
                     )
                 })
+                // No on_response — 200/304/etc. are completely silent at INFO level.
                 .on_response(
-                    |response: &axum::http::Response<_>,
-                     latency: std::time::Duration,
-                     _span: &tracing::Span| {
-                        tracing::info!(
-                            status = response.status().as_u16(),
-                            latency_ms = latency.as_millis(),
-                            "response sent",
-                        );
-                    },
+                    tower_http::trace::DefaultOnResponse::new().level(tracing::Level::TRACE),
                 )
                 .on_failure(
                     |error: tower_http::classify::ServerErrorsFailureClass,
                      latency: std::time::Duration,
                      _span: &tracing::Span| {
                         tracing::error!(
+                            target: "server",
                             %error,
                             latency_ms = latency.as_millis(),
                             "request failed",
@@ -890,7 +918,7 @@ async fn shutdown_signal() {
     #[cfg(not(unix))]
     let terminate = std::future::pending::<()>();
     tokio::select! {
-        () = ctrl_c => info!("Received Ctrl+C"),
-        () = terminate => info!("Received SIGTERM"),
+        () = ctrl_c =>   tracing::info!(target: "server", signal = "SIGINT",  "Shutdown signal received"),
+        () = terminate => tracing::info!(target: "server", signal = "SIGTERM", "Shutdown signal received"),
     }
 }
diff --git a/src/workers/mod.rs b/src/workers/mod.rs
index f8b4413..deafb21 100644
--- a/src/workers/mod.rs
+++ b/src/workers/mod.rs
@@ -39,7 +39,7 @@ use tokio::process::Command as TokioCommand;
 use tokio::sync::Notify;
 use tokio::time::{sleep, timeout, Duration};
 use tokio_util::sync::CancellationToken;
-use tracing::{debug, error, info, warn};
+use tracing::{debug, error, warn};
 
 // How many times a job may be attempted before being permanently failed.
 #[allow(dead_code)]
@@ -192,7 +192,7 @@ pub fn start_worker_pool(
         .unwrap_or(2)
         .min(4); // cap at 4 to avoid overwhelming SQLite's write lock
 
-    info!("Background worker pool: {} worker(s) online", n);
+    tracing::info!(target: "workers", count = n, "Background worker pool online");
 
     (0..n)
         .map(|idx| {
@@ -581,7 +581,7 @@ fn transcode_video_prepare(
             .ok_or_else(|| anyhow::anyhow!("Source path is non-UTF-8: {}", src.display()))?;
         match crate::media::ffmpeg::probe_video_codec(src_str) {
             Ok(ref codec) if codec == "av1" => {
-                info!("VideoTranscode: WebM/AV1 detected for post {post_id} — re-encoding to VP9");
+                tracing::info!(target: "workers", post_id = post_id, codec = "av1", "VideoTranscode: re-encoding WebM/AV1 to VP9");
             }
             Ok(ref codec) => {
                 debug!(
@@ -606,10 +606,7 @@ fn transcode_video_prepare(
         .ok_or_else(|| anyhow::anyhow!("Malformed filename: {}", src.display()))?
         .to_string();
 
-    info!(
-        "VideoTranscode: transcoding post {} ({})…",
-        post_id, file_path
-    );
+    tracing::info!(target: "workers", post_id = post_id, file = %file_path, "VideoTranscode: starting");
 
     let board_dir = PathBuf::from(upload_dir).join(board_short);
     let webm_name = format!("{stem}.webm");
@@ -713,13 +710,7 @@ fn transcode_video_finalise(
         let _ = std::fs::remove_file(src);
     }
 
-    info!(
-        "VideoTranscode done: post {} {} → {} ({} bytes)",
-        post_id,
-        file_path,
-        webm_rel,
-        webm_bytes.len()
-    );
+    tracing::info!(target: "workers", post_id = post_id, output = %webm_rel, bytes = webm_bytes.len(), "VideoTranscode done");
     Ok(())
 }
 
@@ -881,7 +872,12 @@ fn waveform_finalise(
         "UPDATE file_hashes SET thumb_path = ?1 WHERE sha256 = ?2",
         rusqlite::params![png_rel, audio_sha256],
     );
+<<<<<<< Updated upstream
     info!("AudioWaveform done: post {post_id} → {png_rel}");
+=======
+
+    tracing::info!(target: "workers", post_id = post_id, thumb = %png_rel, "AudioWaveform done");
+>>>>>>> Stashed changes
     Ok(())
 }
 
@@ -905,10 +901,7 @@ async fn prune_threads(
         if do_archive {
             let count = crate::db::archive_old_threads(&conn, board_id, max_threads)?;
             if count > 0 {
-                info!(
-                    "ThreadArchive: moved {} overflow thread(s) to archive in /{}/ (board_id={}, archive_before_prune={})",
-                    count, board_short, board_id, CONFIG.archive_before_prune
-                );
+                tracing::info!(target: "workers", count = count, board = %board_short, board_id = board_id, "ThreadArchive: threads archived");
             }
         } else {
             let paths = crate::db::prune_old_threads(&conn, board_id, max_threads)?;
@@ -917,10 +910,7 @@ async fn prune_threads(
                 crate::utils::files::delete_file(&CONFIG.upload_dir, p);
             }
             if count > 0 {
-                info!(
-                    "ThreadPrune: deleted {} overflow thread(s) from /{}/ (board_id={}), removed {} file(s)",
-                    count, board_short, board_id, paths.len()
-                );
+                tracing::info!(target: "workers", count = count, board = %board_short, board_id = board_id, files_removed = paths.len(), "ThreadPrune: threads deleted");
             }
         }
         Ok(())
@@ -1011,12 +1001,6 @@ pub fn evict_thumb_cache(upload_dir: &str, max_bytes: u64) {
         }
     }
     if deleted > 0 {
-        info!(
-            "evict_thumb_cache: removed {} file(s) ({} KiB), cache now {} KiB / {} KiB limit",
-            deleted,
-            deleted_bytes / 1024,
-            remaining / 1024,
-            max_bytes / 1024,
-        );
+        tracing::info!(target: "workers", files_removed = deleted, freed_kib = deleted_bytes / 1024, remaining_kib = remaining / 1024, limit_kib = max_bytes / 1024, "Thumbnail cache eviction complete");
     }
 }

From 5248ded21f4edf6c755b5a2e85a0861c895ad41c Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Wed, 18 Mar 2026 21:52:32 -0700
Subject: [PATCH 3/8] Rewrite to the terminal interface to make nicer

---
 .gitignore      |   1 +
 src/db/posts.rs | 141 ++++++++++++++++++++++--------------------------
 src/logging.rs  |  69 ++++--------------------
 3 files changed, 73 insertions(+), 138 deletions(-)

diff --git a/.gitignore b/.gitignore
index 69a6807..a86d7d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ target
 
 # These are backup files generated by rustfmt
 **/*.rs.bk
+/clippy_reports
diff --git a/src/db/posts.rs b/src/db/posts.rs
index 79138b8..5d33204 100644
--- a/src/db/posts.rs
+++ b/src/db/posts.rs
@@ -32,7 +32,6 @@
 use crate::models::Post;
 use anyhow::{Context, Result};
 use rusqlite::{params, OptionalExtension};
-use subtle::ConstantTimeEq as _;
 
 // ─── Retry budget constant ────────────────────────────────────────────────────
 
@@ -352,16 +351,8 @@ pub fn verify_deletion_token(
 
 /// Edit a post's body, verified against the deletion token and a per-board edit window.
 ///
-/// `edit_window_secs` semantics (FIX[#25]):
-///   - `> 0`  — use this many seconds as the edit window.
-///   - `== 0` — no time limit; editing is always allowed regardless of post age.
-///     Use this when the board's `edit_window_secs` column is 0.
-///   - `< 0`  — use the built-in default of 300 s.
-///
-/// Previously, both `0` and negative values mapped to 300 s, making it
-/// impossible for a board to configure "no time limit". The caller is
-/// responsible for checking `board.allow_editing` before calling this.
-///
+/// `edit_window_secs` comes from the board (0 means use the default 300s window).
+/// The caller is responsible for checking `board.allow_editing` before calling this.
 /// Returns `Ok(true)` on success, `Ok(false)` if the token is wrong or the
 /// edit window has closed; `Err` for database failures.
 ///
@@ -378,80 +369,85 @@ pub fn verify_deletion_token(
 /// # Errors
 /// Returns an error if the database operation fails.
 pub fn edit_post(
-    conn: &mut rusqlite::Connection,
+    conn: &rusqlite::Connection,
     post_id: i64,
     token: &str,
     new_body: &str,
     new_body_html: &str,
     edit_window_secs: i64,
 ) -> Result<bool> {
-    // FIX[#25]: `0` now means "no time limit". Negative values use the 300 s default.
-    let window_opt: Option<i64> = match edit_window_secs.cmp(&0) {
-        std::cmp::Ordering::Greater => Some(edit_window_secs),
-        std::cmp::Ordering::Equal => None, // no limit — skip the window check entirely
-        std::cmp::Ordering::Less => Some(300), // negative → built-in default
+    let window = if edit_window_secs <= 0 {
+        300
+    } else {
+        edit_window_secs
     };
 
-    // FIX[High-6]: Use rusqlite's typed transaction API instead of raw
-    // execute_batch("BEGIN IMMEDIATE"). Raw execute_batch does not update
-    // rusqlite's internal transaction-tracking state; a subsequent call to
-    // unchecked_transaction() on the same pooled connection would attempt to
-    // start a nested transaction on top of an already-committed one, causing
-    // SQLITE_ERROR: cannot start a transaction within a transaction.
-    let tx = conn
-        .transaction_with_behavior(rusqlite::TransactionBehavior::Immediate)
+    // BEGIN IMMEDIATE acquires the write lock now, preventing any concurrent
+    // writer from modifying the post between our SELECT and UPDATE.
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin IMMEDIATE transaction for edit_post")?;
 
-    // FIX[HIGH-2]: Fetch token and created_at in a single round-trip inside
-    // the IMMEDIATE transaction so no concurrent writer can modify the post
-    // between our SELECT and UPDATE.
-    let row: Option<(String, i64)> = tx
-        .query_row(
-            "SELECT deletion_token, created_at FROM posts WHERE id = ?1",
-            params![post_id],
-            |r| Ok((r.get(0)?, r.get(1)?)),
-        )
-        .optional()
-        .context("Failed to query post for edit")?;
-
-    let Some((stored_token, created_at)) = row else {
-        return Ok(false); // post does not exist
-    };
-
-    if !constant_time_eq(stored_token.as_bytes(), token.as_bytes()) {
-        return Ok(false);
-    }
+    let result: Result<bool> = (|| {
+        // FIX[HIGH-2]: Fetch token and created_at in a single round-trip.
+        let row: Option<(String, i64)> = conn
+            .query_row(
+                "SELECT deletion_token, created_at FROM posts WHERE id = ?1",
+                params![post_id],
+                |r| Ok((r.get(0)?, r.get(1)?)),
+            )
+            .optional()?;
+
+        let Some((stored_token, created_at)) = row else {
+            return Ok(false); // post does not exist
+        };
+
+        if !constant_time_eq(stored_token.as_bytes(), token.as_bytes()) {
+            return Ok(false);
+        }
 
-    let now = chrono::Utc::now().timestamp();
-    if let Some(window) = window_opt {
+        let now = chrono::Utc::now().timestamp();
         if now.saturating_sub(created_at) > window {
             return Ok(false);
         }
-    }
-    // window_opt == None → no time limit, skip the check
 
-    tx.execute(
-        "UPDATE posts SET body = ?1, body_html = ?2, edited_at = ?3 WHERE id = ?4",
-        params![new_body, new_body_html, now, post_id],
-    )
-    .context("Failed to update post body")?;
+        conn.execute(
+            "UPDATE posts SET body = ?1, body_html = ?2, edited_at = ?3 WHERE id = ?4",
+            params![new_body, new_body_html, now, post_id],
+        )?;
 
-    let updated = tx.changes() > 0;
-    tx.commit()
-        .context("Failed to commit edit_post transaction")?;
-    Ok(updated)
+        // Belt-and-suspenders: confirm the row was actually written.
+        Ok(conn.changes() > 0)
+    })();
+
+    match result {
+        Ok(updated) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit edit_post transaction")?;
+            Ok(updated)
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
+    }
 }
 
 /// Constant-time byte slice comparison to prevent timing side-channel attacks.
 ///
-/// FIX[#13]: Replaced hand-rolled implementation with the `subtle` crate's
-/// `ConstantTimeEq`. The previous hand-rolled version was correct, but using an
-/// audited crate is preferable to maintaining our own. Note: `subtle`'s
-/// implementation for `[u8]` short-circuits on a length mismatch (leaking
-/// length), but deletion tokens are always 32-char hex strings so lengths will
-/// never differ in practice.
+/// FIX[MED-7]: The previous implementation returned false immediately when
+/// lengths differed, leaking token length as a timing signal. The comparison
+/// now processes all bytes from the longer slice regardless of length, folding
+/// the length mismatch into the accumulator.
 fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
-    a.ct_eq(b).into()
+    let max_len = a.len().max(b.len());
+    // Non-zero when lengths differ.
+    let mut diff = u8::try_from(a.len() ^ b.len()).unwrap_or(u8::MAX);
+    for i in 0..max_len {
+        let x = a.get(i).copied().unwrap_or(0);
+        let y = b.get(i).copied().unwrap_or(0);
+        diff |= x ^ y;
+    }
+    diff == 0
 }
 
 // ─── LIKE escape helper ───────────────────────────────────────────────────────
@@ -693,17 +689,9 @@ pub fn get_poll_for_thread(
 /// the same INSERT statement via a correlated WHERE EXISTS. A mismatched
 /// (`poll_id`, `option_id`) pair inserts nothing and returns false.
 ///
-/// FIX[#16]: Poll expiry is now re-checked atomically inside the INSERT's
-/// WHERE clause. Previously, expiry was only verified by the handler before
-/// calling this function. A poll expiring between the handler's check and the
-/// INSERT would allow a vote on an expired poll. The `expires_at` guard here
-/// closes that race: the INSERT is a no-op if the poll has expired by the time
-/// `SQLite` evaluates it.
-///
-/// Note (MED-14): This function returns false for three distinct cases:
+/// Note (MED-14): This function returns false for two distinct cases:
 ///   1. The voter has already voted (UNIQUE constraint fires INSERT OR IGNORE)
 ///   2. The `option_id` does not belong to `poll_id` (EXISTS check fails)
-///   3. The poll has expired (`expires_at` guard in EXISTS fails)
 ///
 /// Callers that need to distinguish these cases should call `cast_vote` and, on
 /// false, separately query whether the IP has voted on this poll. A future
@@ -721,11 +709,8 @@ pub fn cast_vote(
         "INSERT OR IGNORE INTO poll_votes (poll_id, option_id, ip_hash)
          SELECT ?1, ?2, ?3
          WHERE EXISTS (
-             SELECT 1 FROM poll_options po
-             JOIN polls p ON p.id = po.poll_id
-             WHERE po.id = ?2
-               AND po.poll_id = ?1
-               AND (p.expires_at IS NULL OR p.expires_at > unixepoch())
+             SELECT 1 FROM poll_options
+             WHERE id = ?2 AND poll_id = ?1
          )",
         params![poll_id, option_id, ip_hash],
     )?;
diff --git a/src/logging.rs b/src/logging.rs
index 2df8648..0646b66 100644
--- a/src/logging.rs
+++ b/src/logging.rs
@@ -1,18 +1,5 @@
-// db/logging.rs — Structured logging initialisation.
+// logging.rs — Structured logging initialisation.
 //
-<<<<<<< Updated upstream
-// Sets up two output layers:
-//   1. stderr  — human-readable, `info` and above (terminal/systemd journal)
-//   2. file    — JSON formatted, `debug` and above, written to
-//               `rustchan.log` inside `db_dir`
-//
-// Respects `RUST_LOG` env var if set.
-//
-// NOTE: this module lives in `db/` so that log files are written alongside the
-// database file rather than next to the binary.  The caller should pass the
-// same directory used for `chan.db` (typically the directory containing the
-// binary at first run, but overridable via config).
-=======
 // Two output channels:
 //
 //   1. Terminal (stdout, TTY-aware)
@@ -45,7 +32,6 @@
 // to emit ANSI escape codes. Exposed via `is_tty()`.
 //
 // Respects the RUST_LOG environment variable if set.
->>>>>>> Stashed changes
 
 use std::fmt;
 use std::io::{self, Write};
@@ -54,7 +40,7 @@ use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::LazyLock;
 
 use tracing::{Event, Level, Subscriber};
-use tracing_subscriber::fmt::format::{FmtSpan, FormatEvent, FormatFields, Writer};
+use tracing_subscriber::fmt::format::{FormatEvent, FormatFields, FmtSpan, Writer};
 use tracing_subscriber::fmt::{FmtContext, MakeWriter};
 use tracing_subscriber::registry::LookupSpan;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
@@ -63,33 +49,6 @@ use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilte
 
 /// Global mutex that serialises all stdout writes across the process.
 ///
-<<<<<<< Updated upstream
-/// `db_dir` is the directory where `rustchan.log` will be written.
-/// This should be the same directory as `chan.db` so that logs and the
-/// database stay together and are easy to locate, back up, and rotate as
-/// a unit.
-///
-/// FIX[#33]: The file appender now uses daily rotation
-/// (`tracing_appender::rolling::daily`) instead of `rolling::never`.  A single
-/// append-only log file grows without bound on a busy instance; if the
-/// filesystem fills, `SQLite`'s WAL checkpoint will fail and can corrupt the
-/// database.  Daily rotation caps each log file to roughly one day of output
-/// and leaves old files on disk with a date suffix so they can be pruned by a
-/// standard `logrotate` rule or a cron job.
-///
-/// Suggested logrotate stanza (`/etc/logrotate.d/rustchan`):
-/// ```text
-/// /path/to/db/rustchan.log.* {
-///     daily
-///     rotate 14
-///     compress
-///     missingok
-///     notifempty
-///     copytruncate
-/// }
-/// ```
-pub fn init_logging(db_dir: &Path) {
-=======
 /// Both the tracing terminal layer (via [`ConsoleLock`]) and the `console.rs`
 /// interactive helpers acquire this before writing. The result: log events
 /// and stats/prompt blocks never interleave, even under high async concurrency.
@@ -168,16 +127,16 @@ where
         let (tag, open, close) = if tty {
             match level {
                 Level::ERROR => ("[ERROR]", "\x1b[1;31m", "\x1b[0m"),
-                Level::WARN => ("[WARN ]", "\x1b[33m", "\x1b[0m"),
-                Level::INFO => ("[INFO ]", "", ""),
-                Level::DEBUG => ("[DEBUG]", "\x1b[2m", "\x1b[0m"),
-                Level::TRACE => ("[TRACE]", "\x1b[2m", "\x1b[0m"),
+                Level::WARN  => ("[WARN ]", "\x1b[33m",   "\x1b[0m"),
+                Level::INFO  => ("[INFO ]", "",            ""),
+                Level::DEBUG => ("[DEBUG]", "\x1b[2m",    "\x1b[0m"),
+                Level::TRACE => ("[TRACE]", "\x1b[2m",    "\x1b[0m"),
             }
         } else {
             match level {
                 Level::ERROR => ("[ERROR]", "", ""),
-                Level::WARN => ("[WARN ]", "", ""),
-                Level::INFO => ("[INFO ]", "", ""),
+                Level::WARN  => ("[WARN ]", "", ""),
+                Level::INFO  => ("[INFO ]", "", ""),
                 Level::DEBUG => ("[DEBUG]", "", ""),
                 Level::TRACE => ("[TRACE]", "", ""),
             }
@@ -239,9 +198,7 @@ impl<'a> MakeWriter<'a> for ConsoleLock {
     type Writer = LockedWriter;
 
     fn make_writer(&'a self) -> LockedWriter {
-        LockedWriter {
-            _guard: CONSOLE_MUTEX.lock(),
-        }
+        LockedWriter { _guard: CONSOLE_MUTEX.lock() }
     }
 }
 
@@ -266,7 +223,6 @@ pub fn init_logging(log_dir: &Path) {
     let tty = io::stdout().is_terminal();
     IS_TTY.store(tty, Ordering::Relaxed);
 
->>>>>>> Stashed changes
     let env_filter = EnvFilter::try_from_default_env()
         .unwrap_or_else(|_| EnvFilter::new("rustchan=info,tower_http=warn"));
 
@@ -274,15 +230,8 @@ pub fn init_logging(log_dir: &Path) {
         .event_format(ConsoleFormatter)
         .with_writer(ConsoleLock);
 
-<<<<<<< Updated upstream
-    // File layer — JSON, includes file/line for structured log analysis.
-    // FIX[#33]: daily rotation; files are named `rustchan.log.YYYY-MM-DD`.
-    let file_appender = tracing_appender::rolling::daily(db_dir, "rustchan.log");
-    let file_layer = fmt::layer()
-=======
     let file_appender = tracing_appender::rolling::daily(log_dir, "rustchan.log");
     let file_layer = tracing_subscriber::fmt::layer()
->>>>>>> Stashed changes
         .json()
         .with_writer(file_appender)
         .with_target(true)

From ea96e837794377509f283346cecff1756430cf73 Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Wed, 18 Mar 2026 22:05:25 -0700
Subject: [PATCH 4/8] broke soemthing on my local git again so im force
 uploading

---
 src/logging.rs       | 22 ++++++++++++++++++++++
 src/server/server.rs |  8 ++++++++
 2 files changed, 30 insertions(+)

diff --git a/src/logging.rs b/src/logging.rs
index 0646b66..0102563 100644
--- a/src/logging.rs
+++ b/src/logging.rs
@@ -40,7 +40,11 @@ use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::LazyLock;
 
 use tracing::{Event, Level, Subscriber};
+<<<<<<< Updated upstream
 use tracing_subscriber::fmt::format::{FormatEvent, FormatFields, FmtSpan, Writer};
+=======
+use tracing_subscriber::fmt::format::{FmtSpan, FormatEvent, FormatFields, Writer};
+>>>>>>> Stashed changes
 use tracing_subscriber::fmt::{FmtContext, MakeWriter};
 use tracing_subscriber::registry::LookupSpan;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
@@ -127,16 +131,28 @@ where
         let (tag, open, close) = if tty {
             match level {
                 Level::ERROR => ("[ERROR]", "\x1b[1;31m", "\x1b[0m"),
+<<<<<<< Updated upstream
                 Level::WARN  => ("[WARN ]", "\x1b[33m",   "\x1b[0m"),
                 Level::INFO  => ("[INFO ]", "",            ""),
                 Level::DEBUG => ("[DEBUG]", "\x1b[2m",    "\x1b[0m"),
                 Level::TRACE => ("[TRACE]", "\x1b[2m",    "\x1b[0m"),
+=======
+                Level::WARN => ("[WARN ]", "\x1b[33m", "\x1b[0m"),
+                Level::INFO => ("[INFO ]", "", ""),
+                Level::DEBUG => ("[DEBUG]", "\x1b[2m", "\x1b[0m"),
+                Level::TRACE => ("[TRACE]", "\x1b[2m", "\x1b[0m"),
+>>>>>>> Stashed changes
             }
         } else {
             match level {
                 Level::ERROR => ("[ERROR]", "", ""),
+<<<<<<< Updated upstream
                 Level::WARN  => ("[WARN ]", "", ""),
                 Level::INFO  => ("[INFO ]", "", ""),
+=======
+                Level::WARN => ("[WARN ]", "", ""),
+                Level::INFO => ("[INFO ]", "", ""),
+>>>>>>> Stashed changes
                 Level::DEBUG => ("[DEBUG]", "", ""),
                 Level::TRACE => ("[TRACE]", "", ""),
             }
@@ -198,7 +214,13 @@ impl<'a> MakeWriter<'a> for ConsoleLock {
     type Writer = LockedWriter;
 
     fn make_writer(&'a self) -> LockedWriter {
+<<<<<<< Updated upstream
         LockedWriter { _guard: CONSOLE_MUTEX.lock() }
+=======
+        LockedWriter {
+            _guard: CONSOLE_MUTEX.lock(),
+        }
+>>>>>>> Stashed changes
     }
 }
 
diff --git a/src/server/server.rs b/src/server/server.rs
index 175f09d..6ef27ac 100644
--- a/src/server/server.rs
+++ b/src/server/server.rs
@@ -227,6 +227,7 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
         .and_then(|(_, p)| p.parse::<u16>().ok())
         .unwrap_or(8080);
     crate::detect::detect_tor(CONFIG.enable_tor_support, bind_port, &data_dir);
+<<<<<<< Updated upstream
 
     // FIX[High-10]: Capture JoinHandles from start_worker_pool so the shutdown
     // sequence can await each worker instead of blindly sleeping for 10 s.
@@ -235,6 +236,8 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     let worker_queue = std::sync::Arc::new(crate::workers::JobQueue::new(pool.clone()));
     let worker_handles =
         crate::workers::start_worker_pool(&worker_queue, ffmpeg_available, ffmpeg_vp9_available);
+=======
+>>>>>>> Stashed changes
 
     let state = AppState {
         db: pool.clone(),
@@ -465,11 +468,16 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     .with_graceful_shutdown(shutdown_signal())
     .await?;
 
+<<<<<<< Updated upstream
 <<<<<<< Updated upstream
     // FIX[High-10]: Signal workers and then await each handle with a per-worker
     // timeout, replacing the previous blind 10-second sleep. Each worker is
     // given up to 30 seconds to finish its in-flight job before we give up.
     info!("Signalling background workers to shut down…");
+=======
+    // Signal background workers to drain and exit (#7).
+    tracing::info!(target: "server", "Signalling background workers to shut down…");
+>>>>>>> Stashed changes
 =======
     // Signal background workers to drain and exit (#7).
     tracing::info!(target: "server", "Signalling background workers to shut down…");

From 8fe31e265564bc8adbc3f8776fa426d946aa8bbb Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Wed, 18 Mar 2026 22:31:20 -0700
Subject: [PATCH 5/8] fixed numerious bugs that impact reliability

---
 src/handlers/thread.rs |   4 +-
 src/logging.rs         |  20 ---
 src/server/server.rs   | 287 +++++++++++++++++++++++++++--------------
 src/workers/mod.rs     |   4 -
 4 files changed, 190 insertions(+), 125 deletions(-)

diff --git a/src/handlers/thread.rs b/src/handlers/thread.rs
index c911938..71179b7 100644
--- a/src/handlers/thread.rs
+++ b/src/handlers/thread.rs
@@ -487,7 +487,7 @@ pub async fn edit_post_post(
         let pool = state.db.clone();
         let csrf_clone = csrf_cookie.clone().unwrap_or_default();
         move || -> Result<EditOutcome> {
-            let mut conn = pool.get()?;
+            let conn = pool.get()?;
 
             let board = db::get_board_by_short(&conn, &board_short)?
                 .ok_or_else(|| AppError::NotFound(format!("Board /{board_short}/ not found")))?;
@@ -520,7 +520,7 @@ pub async fn edit_post_post(
             let body_html = crate::utils::sanitize::render_post_body(&escaped);
 
             let success = db::edit_post(
-                &mut conn,
+                &conn,
                 post_id,
                 &token,
                 &body_text,
diff --git a/src/logging.rs b/src/logging.rs
index 0102563..f2cb4c0 100644
--- a/src/logging.rs
+++ b/src/logging.rs
@@ -40,11 +40,7 @@ use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::LazyLock;
 
 use tracing::{Event, Level, Subscriber};
-<<<<<<< Updated upstream
-use tracing_subscriber::fmt::format::{FormatEvent, FormatFields, FmtSpan, Writer};
-=======
 use tracing_subscriber::fmt::format::{FmtSpan, FormatEvent, FormatFields, Writer};
->>>>>>> Stashed changes
 use tracing_subscriber::fmt::{FmtContext, MakeWriter};
 use tracing_subscriber::registry::LookupSpan;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
@@ -131,28 +127,16 @@ where
         let (tag, open, close) = if tty {
             match level {
                 Level::ERROR => ("[ERROR]", "\x1b[1;31m", "\x1b[0m"),
-<<<<<<< Updated upstream
-                Level::WARN  => ("[WARN ]", "\x1b[33m",   "\x1b[0m"),
-                Level::INFO  => ("[INFO ]", "",            ""),
-                Level::DEBUG => ("[DEBUG]", "\x1b[2m",    "\x1b[0m"),
-                Level::TRACE => ("[TRACE]", "\x1b[2m",    "\x1b[0m"),
-=======
                 Level::WARN => ("[WARN ]", "\x1b[33m", "\x1b[0m"),
                 Level::INFO => ("[INFO ]", "", ""),
                 Level::DEBUG => ("[DEBUG]", "\x1b[2m", "\x1b[0m"),
                 Level::TRACE => ("[TRACE]", "\x1b[2m", "\x1b[0m"),
->>>>>>> Stashed changes
             }
         } else {
             match level {
                 Level::ERROR => ("[ERROR]", "", ""),
-<<<<<<< Updated upstream
-                Level::WARN  => ("[WARN ]", "", ""),
-                Level::INFO  => ("[INFO ]", "", ""),
-=======
                 Level::WARN => ("[WARN ]", "", ""),
                 Level::INFO => ("[INFO ]", "", ""),
->>>>>>> Stashed changes
                 Level::DEBUG => ("[DEBUG]", "", ""),
                 Level::TRACE => ("[TRACE]", "", ""),
             }
@@ -214,13 +198,9 @@ impl<'a> MakeWriter<'a> for ConsoleLock {
     type Writer = LockedWriter;
 
     fn make_writer(&'a self) -> LockedWriter {
-<<<<<<< Updated upstream
-        LockedWriter { _guard: CONSOLE_MUTEX.lock() }
-=======
         LockedWriter {
             _guard: CONSOLE_MUTEX.lock(),
         }
->>>>>>> Stashed changes
     }
 }
 
diff --git a/src/server/server.rs b/src/server/server.rs
index 6ef27ac..883c14e 100644
--- a/src/server/server.rs
+++ b/src/server/server.rs
@@ -227,17 +227,14 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
         .and_then(|(_, p)| p.parse::<u16>().ok())
         .unwrap_or(8080);
     crate::detect::detect_tor(CONFIG.enable_tor_support, bind_port, &data_dir);
-<<<<<<< Updated upstream
 
-    // FIX[High-10]: Capture JoinHandles from start_worker_pool so the shutdown
+    // CRIT-1 FIX: Capture JoinHandles from start_worker_pool so the shutdown
     // sequence can await each worker instead of blindly sleeping for 10 s.
     // Previously the return value was silently discarded, making it impossible
     // to know whether in-flight jobs had finished before the process exited.
     let worker_queue = std::sync::Arc::new(crate::workers::JobQueue::new(pool.clone()));
     let worker_handles =
         crate::workers::start_worker_pool(&worker_queue, ffmpeg_available, ffmpeg_vp9_available);
-=======
->>>>>>> Stashed changes
 
     let state = AppState {
         db: pool.clone(),
@@ -260,17 +257,25 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     // Background: purge expired sessions hourly
     {
         let bg = pool.clone();
+        let cancel_clone = worker_cancel.clone();
         tokio::spawn(async move {
             let mut iv = tokio::time::interval(Duration::from_secs(3600));
             loop {
-                iv.tick().await;
-                if let Ok(conn) = bg.get() {
-                    match crate::db::purge_expired_sessions(&conn) {
-                        Ok(n) if n > 0 => {
-                            tracing::info!(target: "sessions", purged = n, "Expired sessions purged");
+                tokio::select! {
+                    _ = iv.tick() => {
+                        if let Ok(conn) = bg.get() {
+                            match crate::db::purge_expired_sessions(&conn) {
+                                Ok(n) if n > 0 => {
+                                    tracing::info!(target: "sessions", purged = n, "Expired sessions purged");
+                                }
+                                Err(e) => tracing::error!("Session purge error: {e}"),
+                                Ok(_) => {}
+                            }
                         }
-                        Err(e) => tracing::error!("Session purge error: {e}"),
-                        Ok(_) => {}
+                    }
+                    () = cancel_clone.cancelled() => {
+                        tracing::debug!("Session purge task shutting down");
+                        return;
                     }
                 }
             }
@@ -283,87 +288,129 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     if CONFIG.wal_checkpoint_interval > 0 {
         let bg = pool.clone();
         let interval_secs = CONFIG.wal_checkpoint_interval;
+        let cancel_clone = worker_cancel.clone();
         tokio::spawn(async move {
             // Stagger the first run by half the interval so it doesn't fire
             // immediately at startup alongside the session purge.
-            tokio::time::sleep(Duration::from_secs(interval_secs / 2 + 1)).await;
+            tokio::select! {
+                () = tokio::time::sleep(Duration::from_secs(interval_secs / 2 + 1)) => {}
+                () = cancel_clone.cancelled() => { return; }
+            }
             let mut iv = tokio::time::interval(Duration::from_secs(interval_secs));
             loop {
-                iv.tick().await;
-                if let Ok(conn) = bg.get() {
-                    match crate::db::run_wal_checkpoint(&conn) {
-                        Ok((pages, moved, backfill)) => {
-                            tracing::debug!("WAL checkpoint: {pages} pages total, {moved} moved, {backfill} backfilled");
+                tokio::select! {
+                    _ = iv.tick() => {
+                        if let Ok(conn) = bg.get() {
+                            match crate::db::run_wal_checkpoint(&conn) {
+                                Ok((pages, moved, backfill)) => {
+                                    tracing::debug!("WAL checkpoint: {pages} pages total, {moved} moved, {backfill} backfilled");
+                                }
+                                Err(e) => tracing::warn!("WAL checkpoint failed: {e}"),
+                            }
+                            // Fix #7: reuse `conn` instead of calling bg.get() again.
+                            // A second acquire while the first is still alive deadlocks
+                            // with a pool size of 1.
+                            let _ = conn.execute_batch("PRAGMA optimize;");
                         }
-                        Err(e) => tracing::warn!("WAL checkpoint failed: {e}"),
                     }
-                    // Fix #7: reuse `conn` instead of calling bg.get() again.
-                    // A second acquire while the first is still alive deadlocks
-                    // with a pool size of 1.
-                    let _ = conn.execute_batch("PRAGMA optimize;");
+                    () = cancel_clone.cancelled() => {
+                        tracing::debug!("WAL checkpoint task shutting down");
+                        return;
+                    }
                 }
             }
         });
     }
 
     // Background: prune stale IPs from ACTIVE_IPS every 5 min
-    tokio::spawn(async move {
-        let mut iv = tokio::time::interval(Duration::from_secs(300));
-        loop {
-            iv.tick().await;
-            let cutoff = Instant::now()
-                .checked_sub(Duration::from_secs(300))
-                .unwrap_or_else(Instant::now);
-            ACTIVE_IPS.retain(|_, last_seen| *last_seen > cutoff);
-        }
-    });
+    {
+        let cancel_clone = worker_cancel.clone();
+        tokio::spawn(async move {
+            let mut iv = tokio::time::interval(Duration::from_secs(300));
+            loop {
+                tokio::select! {
+                    _ = iv.tick() => {
+                        let cutoff = Instant::now()
+                            .checked_sub(Duration::from_secs(300))
+                            .unwrap_or_else(Instant::now);
+                        ACTIVE_IPS.retain(|_, last_seen| *last_seen > cutoff);
+                    }
+                    () = cancel_clone.cancelled() => {
+                        tracing::debug!("Active IP prune task shutting down");
+                        return;
+                    }
+                }
+            }
+        });
+    }
 
     // Background: prune expired entries from ADMIN_LOGIN_FAILS every 5 min.
     // Prevents unbounded growth under a sustained brute-force attack that
     // never produces a successful login (which would trigger the existing
     // opportunistic prune path inside clear_login_fails).
-    tokio::spawn(async move {
-        let mut iv = tokio::time::interval(Duration::from_secs(300));
-        loop {
-            iv.tick().await;
-            crate::handlers::admin::prune_login_fails();
-        }
-    });
+    {
+        let cancel_clone = worker_cancel.clone();
+        tokio::spawn(async move {
+            let mut iv = tokio::time::interval(Duration::from_secs(300));
+            loop {
+                tokio::select! {
+                    _ = iv.tick() => {
+                        crate::handlers::admin::prune_login_fails();
+                    }
+                    () = cancel_clone.cancelled() => {
+                        tracing::debug!("Login fail prune task shutting down");
+                        return;
+                    }
+                }
+            }
+        });
+    }
 
     // 1.6: Scheduled database VACUUM — reclaim disk space from deleted posts
     // and threads without requiring manual admin intervention.
     if CONFIG.auto_vacuum_interval_hours > 0 {
         let bg = pool.clone();
         let interval_secs = CONFIG.auto_vacuum_interval_hours * 3600;
+        let cancel_clone = worker_cancel.clone();
         tokio::spawn(async move {
             // Stagger the first run by half the interval to avoid hammering the
             // DB immediately at startup alongside WAL checkpoint and session purge.
-            tokio::time::sleep(Duration::from_secs(interval_secs / 2 + 7)).await;
+            tokio::select! {
+                () = tokio::time::sleep(Duration::from_secs(interval_secs / 2 + 7)) => {}
+                () = cancel_clone.cancelled() => { return; }
+            }
             let mut iv = tokio::time::interval(Duration::from_secs(interval_secs));
             loop {
-                iv.tick().await;
-                let bg2 = bg.clone();
-                tokio::task::spawn_blocking(move || {
-                    if let Ok(conn) = bg2.get() {
-                        let before = crate::db::get_db_size_bytes(&conn).unwrap_or(0);
-                        match crate::db::run_vacuum(&conn) {
-                            Ok(()) => {
-                                let after = crate::db::get_db_size_bytes(&conn).unwrap_or(0);
-                                let saved = before.saturating_sub(after);
-                                tracing::info!(
-                                    target: "db",
-                                    before_bytes = before,
-                                    after_bytes  = after,
-                                    saved_bytes  = saved,
-                                    "VACUUM complete"
-                                );
+                tokio::select! {
+                    _ = iv.tick() => {
+                        let bg2 = bg.clone();
+                        tokio::task::spawn_blocking(move || {
+                            if let Ok(conn) = bg2.get() {
+                                let before = crate::db::get_db_size_bytes(&conn).unwrap_or(0);
+                                match crate::db::run_vacuum(&conn) {
+                                    Ok(()) => {
+                                        let after = crate::db::get_db_size_bytes(&conn).unwrap_or(0);
+                                        let saved = before.saturating_sub(after);
+                                        tracing::info!(
+                                            target: "db",
+                                            before_bytes = before,
+                                            after_bytes  = after,
+                                            saved_bytes  = saved,
+                                            "VACUUM complete"
+                                        );
+                                    }
+                                    Err(e) => tracing::warn!("Scheduled VACUUM failed: {e}"),
+                                }
                             }
-                            Err(e) => tracing::warn!("Scheduled VACUUM failed: {e}"),
-                        }
+                        })
+                        .await
+                        .ok();
                     }
-                })
-                .await
-                .ok();
+                    () = cancel_clone.cancelled() => {
+                        tracing::debug!("VACUUM task shutting down");
+                        return;
+                    }
+                }
             }
         });
     }
@@ -374,27 +421,38 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     if CONFIG.poll_cleanup_interval_hours > 0 {
         let bg = pool.clone();
         let interval_secs = CONFIG.poll_cleanup_interval_hours * 3600;
+        let cancel_clone = worker_cancel.clone();
         tokio::spawn(async move {
-            tokio::time::sleep(Duration::from_secs(600)).await; // initial delay
+            tokio::select! {
+                () = tokio::time::sleep(Duration::from_secs(600)) => {} // initial delay
+                () = cancel_clone.cancelled() => { return; }
+            }
             let mut iv = tokio::time::interval(Duration::from_secs(interval_secs));
             loop {
-                iv.tick().await;
-                let bg2 = bg.clone();
-                let retention_cutoff_secs = interval_secs.cast_signed();
-                tokio::task::spawn_blocking(move || {
-                    if let Ok(conn) = bg2.get() {
-                        let cutoff = chrono::Utc::now().timestamp() - retention_cutoff_secs;
-                        match crate::db::cleanup_expired_poll_votes(&conn, cutoff) {
-                            Ok(n) if n > 0 => {
-                                tracing::info!(target: "polls", removed = n, "Expired poll vote rows purged");
+                tokio::select! {
+                    _ = iv.tick() => {
+                        let bg2 = bg.clone();
+                        let retention_cutoff_secs = interval_secs.cast_signed();
+                        tokio::task::spawn_blocking(move || {
+                            if let Ok(conn) = bg2.get() {
+                                let cutoff = chrono::Utc::now().timestamp() - retention_cutoff_secs;
+                                match crate::db::cleanup_expired_poll_votes(&conn, cutoff) {
+                                    Ok(n) if n > 0 => {
+                                        tracing::info!(target: "polls", removed = n, "Expired poll vote rows purged");
+                                    }
+                                    Ok(_) => {}
+                                    Err(e) => tracing::warn!("Poll vote cleanup failed: {e}"),
+                                }
                             }
-                            Ok(_) => {}
-                            Err(e) => tracing::warn!("Poll vote cleanup failed: {e}"),
-                        }
+                        })
+                        .await
+                        .ok();
                     }
-                })
-                .await
-                .ok();
+                    () = cancel_clone.cancelled() => {
+                        tracing::debug!("Poll vote cleanup task shutting down");
+                        return;
+                    }
+                }
             }
         });
     }
@@ -406,17 +464,28 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     // regenerated from the originals.  Uses 1-hour intervals.
     if CONFIG.waveform_cache_max_bytes > 0 {
         let max_bytes = CONFIG.waveform_cache_max_bytes;
+        let cancel_clone = worker_cancel.clone();
         tokio::spawn(async move {
-            tokio::time::sleep(Duration::from_secs(1800)).await; // initial stagger
+            tokio::select! {
+                () = tokio::time::sleep(Duration::from_secs(1800)) => {} // initial stagger
+                () = cancel_clone.cancelled() => { return; }
+            }
             let mut iv = tokio::time::interval(Duration::from_secs(3600));
             loop {
-                iv.tick().await;
-                let upload_dir = CONFIG.upload_dir.clone();
-                tokio::task::spawn_blocking(move || {
-                    crate::workers::evict_thumb_cache(&upload_dir, max_bytes);
-                })
-                .await
-                .ok();
+                tokio::select! {
+                    _ = iv.tick() => {
+                        let upload_dir = CONFIG.upload_dir.clone();
+                        tokio::task::spawn_blocking(move || {
+                            crate::workers::evict_thumb_cache(&upload_dir, max_bytes);
+                        })
+                        .await
+                        .ok();
+                    }
+                    () = cancel_clone.cancelled() => {
+                        tracing::debug!("Waveform cache eviction task shutting down");
+                        return;
+                    }
+                }
             }
         });
     }
@@ -454,8 +523,15 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
         let chan_app = crate::chan_net::chan_router(state.clone());
         let chan_listener = tokio::net::TcpListener::bind(&chan_addr).await?;
         tracing::info!(target: "chan_net", addr = %chan_addr, "ChanNet API listening");
+        // CRIT-2 FIX: Wire the same shutdown signal so in-flight federation
+        // requests are drained before the runtime is dropped. Without this the
+        // ChanNet task was detached and forcibly killed on SIGTERM, potentially
+        // corrupting a streaming snapshot response mid-transfer.
         tokio::spawn(async move {
-            if let Err(e) = axum::serve(chan_listener, chan_app.into_make_service()).await {
+            if let Err(e) = axum::serve(chan_listener, chan_app.into_make_service())
+                .with_graceful_shutdown(shutdown_signal())
+                .await
+            {
                 tracing::error!(target: "chan_net", error = %e, "ChanNet server error");
             }
         });
@@ -468,23 +544,14 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     .with_graceful_shutdown(shutdown_signal())
     .await?;
 
-<<<<<<< Updated upstream
-<<<<<<< Updated upstream
-    // FIX[High-10]: Signal workers and then await each handle with a per-worker
+    // CRIT-1 FIX: Signal workers and then await each handle with a per-worker
     // timeout, replacing the previous blind 10-second sleep. Each worker is
-    // given up to 30 seconds to finish its in-flight job before we give up.
-    info!("Signalling background workers to shut down…");
-=======
-    // Signal background workers to drain and exit (#7).
-    tracing::info!(target: "server", "Signalling background workers to shut down…");
->>>>>>> Stashed changes
-=======
-    // Signal background workers to drain and exit (#7).
+    // given up to (ffmpeg_timeout + 10)s to finish its in-flight job.
     tracing::info!(target: "server", "Signalling background workers to shut down…");
->>>>>>> Stashed changes
     worker_cancel.cancel();
+    let shutdown_timeout = Duration::from_secs(CONFIG.ffmpeg_timeout_secs + 10);
     for handle in worker_handles {
-        let _ = tokio::time::timeout(Duration::from_secs(30), handle).await;
+        let _ = tokio::time::timeout(shutdown_timeout, handle).await;
     }
 
     tracing::info!(target: "server", "Server shut down gracefully.");
@@ -739,6 +806,28 @@ fn build_router(state: AppState) -> Router {
         // checks both the request scheme and the X-Forwarded-Proto header
         // (set by TLS-terminating proxies) before adding the header.
         .layer(axum_middleware::from_fn(hsts_middleware))
+        // MED-4 FIX: Hard per-request timeout to prevent slow-loris style
+        // attacks from holding async tasks indefinitely. Clients that open a
+        // connection but never finish sending the request body will be cut off
+        // after 30 seconds. This covers all routes including file upload
+        // endpoints where the multipart streaming loop could block forever.
+        //
+        // TimeoutLayer injects Box<dyn Error> into the service error type when
+        // a timeout fires. Axum's Router::layer requires all errors to be
+        // Into<Infallible>, so HandleErrorLayer must wrap TimeoutLayer and both
+        // must be bundled inside a ServiceBuilder — applying them as separate
+        // .layer() calls leaves the intermediate error type unresolved and
+        // causes E0277. ServiceBuilder fuses them into a single layer whose
+        // output error type is Infallible.
+        .layer(
+            tower::ServiceBuilder::new()
+                .layer(axum::error_handling::HandleErrorLayer::new(
+                    |_err: tower::BoxError| async {
+                        (axum::http::StatusCode::REQUEST_TIMEOUT, "Request timed out")
+                    },
+                ))
+                .layer(tower::timeout::TimeoutLayer::new(Duration::from_secs(30))),
+        )
         // HTTP tracing: silent for normal responses, loud for failures.
         //
         // on_response is intentionally omitted — logging every 200/304 at INFO
diff --git a/src/workers/mod.rs b/src/workers/mod.rs
index deafb21..f0ea6b0 100644
--- a/src/workers/mod.rs
+++ b/src/workers/mod.rs
@@ -872,12 +872,8 @@ fn waveform_finalise(
         "UPDATE file_hashes SET thumb_path = ?1 WHERE sha256 = ?2",
         rusqlite::params![png_rel, audio_sha256],
     );
-<<<<<<< Updated upstream
-    info!("AudioWaveform done: post {post_id} → {png_rel}");
-=======
 
     tracing::info!(target: "workers", post_id = post_id, thumb = %png_rel, "AudioWaveform done");
->>>>>>> Stashed changes
     Ok(())
 }
 

From 4cb520012957b3226b4ba93121669098d6370f7a Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Thu, 19 Mar 2026 15:43:54 -0700
Subject: [PATCH 6/8] lots of bug fixes, all presentin the changelog

---
 CHANGELOG.md                 |  201 ++-
 src/config.rs                |   52 +-
 src/db/admin.rs              |   47 +-
 src/db/boards.rs             |   91 +-
 src/db/mod.rs                |   11 +-
 src/db/posts.rs              |  151 +-
 src/db/threads.rs            |  219 ++-
 src/detect.rs                |   30 +-
 src/error.rs                 |   14 +-
 src/handlers/admin/backup.rs |    2 +-
 src/handlers/backup.rs       | 2942 ++++++++++++++++++++++++++++++++++
 src/handlers/board.rs        |    8 +-
 src/handlers/thread.rs       |    4 +-
 src/models.rs                |    9 +-
 src/templates/admin.rs       |    2 +-
 src/templates/thread.rs      |    2 +-
 16 files changed, 3545 insertions(+), 240 deletions(-)
 create mode 100644 src/handlers/backup.rs

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff70d2f..c13ed15 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,206 @@
 All notable changes to RustChan will be documented in this file.
 
 ---
-## [1.1.0]
+
+## [1.1.0 alpha 2]
+
+## Reliability & Shutdown Improvements
+
+---
+
+## Multipart Handling & Memory Safety (`src/handlers/mod.rs`)
+
+- Added strict per-field size limits for multipart text inputs:
+  - Post body capped (~100KB)
+  - Name, subject, and other fields capped (~4KB)
+- Replaced unbounded `field.text()` usage with controlled byte-reading logic
+- Prevented large heap allocations from oversized text fields
+- Eliminated OOM risk under concurrent large-form submissions
+
+- Hardened poll duration parsing:
+  - Added validation before multiplication
+  - Prevented intermediate integer overflow prior to clamping
+
+---
+
+## Backup System Reliability (`src/handlers/admin/backup.rs`)
+
+- Replaced fragile `VACUUM INTO` string-based SQL with `rusqlite::backup` API
+- Eliminated dependency on manual SQL escaping and path formatting
+- Improved cross-platform correctness and error transparency
+
+- Implemented guaranteed temporary file cleanup:
+  - Introduced RAII-style cleanup mechanism
+  - Ensures backup artifacts are removed even on:
+    - client disconnects
+    - early termination
+    - runtime drops
+
+- Improved error signaling:
+  - Database pool exhaustion now correctly returns retryable errors (503) instead of 500
+
+---
+
+## Tor Detection & Panic Safety (`src/detect.rs`)
+
+- Removed all `.expect()` usage on shared mutexes
+- Replaced with poison-tolerant locking strategies
+- Prevented cascade crashes caused by mutex poisoning
+
+- Hardened global panic hook:
+  - Eliminated potential for double-panic aborts
+  - Replaced blocking locks with `try_lock()` where required
+  - Ensured panic hook never panics under any condition
+
+- Restored original panic hook after Tor lifecycle completes
+- Reduced global side effects of detection logic
+
+---
+
+## Database Layer Improvements (`src/db/mod.rs`)
+
+- Made database connection pool size configurable via environment/config
+- Removed hardcoded pool limit to improve scalability under load
+
+- Corrected error mapping:
+  - `r2d2::Error` (pool exhaustion) now maps to `503 Service Unavailable`
+  - Prevents misclassification of load-related failures as internal errors
+
+- Removed silent fallback in initialization logic:
+  - Replaced `unwrap_or(0)` with proper error propagation
+  - Prevents incorrect “first-run” detection on DB failure
+
+---
+
+## Transaction Safety & Concurrency (`src/db/threads.rs`, `src/db/posts.rs`, `src/db/admin.rs`, `src/db/boards.rs`)
+
+- Replaced `unchecked_transaction()` (DEFERRED) with explicit `BEGIN IMMEDIATE`
+- Ensured write locks are acquired at transaction start
+- Eliminated mid-transaction lock upgrade failures (`SQLITE_BUSY`)
+- Improved consistency and reliability under concurrent write load
+
+---
+
+## Logging System Stability (`src/logging.rs`)
+
+- Replaced unbounded log file (`rolling::never`) with rotating log strategy
+- Prevented uncontrolled log growth and disk exhaustion
+- Improved long-term operational stability in production environments
+
+---
+
+## HTTP Response Correctness (`src/handlers/thread.rs`, `src/handlers/board.rs`)
+
+- Removed `.unwrap_or_default()` from 304 response builders
+- Replaced with explicit, safe response construction
+- Ensured correct HTTP semantics for cache validation responses
+
+---
+
+## Configuration File Safety (`src/config.rs`)
+
+- Replaced non-atomic file writes with atomic write pattern:
+  - write to temporary file
+  - persist via rename
+- Prevented configuration corruption on crash or partial write
+
+---
+
+## Cross-Cutting Improvements
+
+### Error Handling
+
+- Reduced silent error suppression patterns
+- Improved propagation and visibility of operational failures
+- Increased observability of system state under failure conditions
+
+---
+
+### Database Reliability
+
+- Standardized transaction patterns across modules
+- Improved behavior under high contention scenarios
+- Reduced retry loops and transient DB errors
+
+---
+
+## Summary
+
+These changes collectively improve:
+
+- Memory safety under user input
+- Database correctness under concurrency
+- Crash resilience and panic handling
+- Backup integrity and filesystem safety
+- Logging reliability and disk usage control
+- Accuracy of error reporting and HTTP responses
+
+Resulting in a significantly more robust and production-ready system.
+
+### Worker Lifecycle Management (`src/server/server.rs`, `src/workers/mod.rs`)
+
+- Persisted `JoinHandle`s returned by the worker pool instead of discarding them
+- Implemented proper graceful shutdown by:
+  - Signaling worker cancellation via `CancellationToken`
+  - Awaiting all worker tasks with bounded timeouts
+- Eliminated reliance on fixed sleep-based shutdown timing
+- Prevented corruption of in-progress jobs (e.g., FFmpeg transcodes)
+- Enabled deterministic shutdown behavior for background workers
+
+### Job Recovery
+
+- Added startup recovery logic to reset jobs stuck in `running` state
+- Ensures jobs interrupted during shutdown are retried instead of permanently stalled
+
+---
+
+## ChanNet Server Shutdown (`src/server/server.rs`)
+
+- Added graceful shutdown support to ChanNet server
+- Unified shutdown signal with main HTTP server
+- Prevents abrupt termination of in-flight federation requests
+- Eliminates risk of partial/corrupt response streams during shutdown
+
+---
+
+## Background Task Control (`src/server/server.rs`)
+
+- Integrated cancellation awareness into background tasks
+- Replaced infinite loops with `tokio::select!` to listen for shutdown signals
+- Ensures all periodic tasks (cleanup, pruning, etc.) terminate cleanly
+- Reduces risk of abrupt termination mid-operation
+
+---
+
+## HTTP Reliability (`src/server/server.rs`)
+
+- Added request timeout middleware
+- Protects against slow or stalled clients holding connections indefinitely
+- Improves resilience against slowloris-style behavior
+
+---
+
+## Worker System Stability (`src/workers/mod.rs`)
+
+- Ensured worker pool properly integrates with shutdown lifecycle
+- Improved coordination between job queue and worker threads
+- Reinforced guarantees around job completion and cancellation handling
+
+---
+
+## Summary
+
+These changes significantly improve:
+
+- Graceful shutdown correctness
+- Background task reliability
+- Job processing integrity
+- Resistance to partial writes and corruption
+- Operational stability under restart conditions
+
+---
+
+## [1.1.0 alpha 1]
 
 ## 🌐 New: ChanNet API (Port 7070)
 
diff --git a/src/config.rs b/src/config.rs
index 7defaab..3cc6d75 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -87,6 +87,9 @@ struct SettingsFile {
     /// Defaults to logical CPUs × 4. Increase if DB/render latency is a bottleneck
     /// under load.
     blocking_threads: Option<usize>,
+    /// `SQLite` connection pool size. Default: 8.
+    /// Increase on high-traffic deployments; each connection uses ~32 MiB page cache.
+    db_pool_size: Option<u32>,
     // ── ChanNet / RustWave gateway ────────────────────────────────────────────
     /// Base URL of the connected `RustWave` instance.
     /// Must begin with http:// or https://. Default: <http://localhost:7071>.
@@ -299,6 +302,8 @@ pub struct Config {
     pub waveform_cache_max_bytes: u64,
     /// Number of threads in Tokio's blocking pool. Default: logical CPUs × 4.
     pub blocking_threads: usize,
+    /// `SQLite` `r2d2` connection pool size (default 8).
+    pub db_pool_size: u32,
 
     // ── ChanNet / RustWave gateway (Step 1.2) ────────────────────────────────
     /// Base URL of the connected `RustWave` instance (must begin with http:// or https://).
@@ -476,6 +481,8 @@ impl Config {
                 }
             },
 
+            db_pool_size: env_parse("CHAN_DB_POOL_SIZE", s.db_pool_size.unwrap_or(8)),
+
             // ChanNet fields
             rustwave_url,
             chan_net_bind,
@@ -619,13 +626,44 @@ pub fn update_settings_file_site_names(forum_name: &str, site_subtitle: &str) {
         out.push('\n');
     }
 
-    if let Err(e) = std::fs::write(&path, out) {
-        tracing::warn!(
-            target: "config",
-            path = %path.display(),
-            error = %e,
-            "Could not write updated settings.toml"
-        );
+    // Atomic write: write to a temp file in the same directory, then rename
+    // over the target. This prevents a partial write from corrupting settings.toml
+    // if the process is killed mid-write (rename(2) is atomic on POSIX).
+    let dir = path.parent().unwrap_or_else(|| std::path::Path::new("."));
+    match tempfile::Builder::new()
+        .prefix(".settings_")
+        .suffix(".tmp")
+        .tempfile_in(dir)
+    {
+        Err(e) => {
+            tracing::warn!(
+                target: "config",
+                path = %path.display(),
+                error = %e,
+                "Could not create temp file for settings.toml update"
+            );
+        }
+        Ok(mut tmp) => {
+            use std::io::Write as _;
+            let write_result = tmp
+                .write_all(out.as_bytes())
+                .and_then(|()| tmp.as_file().sync_all());
+            if let Err(e) = write_result {
+                tracing::warn!(
+                    target: "config",
+                    path = %path.display(),
+                    error = %e,
+                    "Could not write settings.toml temp file"
+                );
+            } else if let Err(e) = tmp.persist(&path) {
+                tracing::warn!(
+                    target: "config",
+                    path = %path.display(),
+                    error = %e.error,
+                    "Could not atomically replace settings.toml"
+                );
+            }
+        }
     }
 }
 
diff --git a/src/db/admin.rs b/src/db/admin.rs
index 62f83ed..c8be55c 100644
--- a/src/db/admin.rs
+++ b/src/db/admin.rs
@@ -400,7 +400,7 @@ pub fn get_open_reports(
         };
         let board_short: String = row.get(10)?;
         let body: String = row.get(11)?;
-        let ip_hash: String = row.get(12)?;
+        let ip_hash: Option<String> = row.get(12)?;
         let preview: String = body.chars().take(120).collect();
         Ok(crate::models::ReportWithContext {
             report,
@@ -593,25 +593,36 @@ pub fn dismiss_ban_appeal(conn: &rusqlite::Connection, appeal_id: i64) -> Result
 /// # Errors
 /// Returns an error if the database operation fails.
 pub fn accept_ban_appeal(conn: &rusqlite::Connection, appeal_id: i64, ip_hash: &str) -> Result<()> {
-    // Both updates must succeed together.
-    let tx = conn
-        .unchecked_transaction()
+    // Both updates must succeed atomically; IMMEDIATE prevents write contention.
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin accept-appeal transaction")?;
-    let n = tx
-        .execute(
-            "UPDATE ban_appeals SET status='accepted' WHERE id=?1",
-            params![appeal_id],
-        )
-        .context("Failed to accept ban appeal")?;
-    if n == 0 {
-        tx.rollback().ok();
-        anyhow::bail!("Ban appeal id {appeal_id} not found");
+
+    let result: anyhow::Result<()> = (|| {
+        let n = conn
+            .execute(
+                "UPDATE ban_appeals SET status='accepted' WHERE id=?1",
+                params![appeal_id],
+            )
+            .context("Failed to accept ban appeal")?;
+        if n == 0 {
+            anyhow::bail!("Ban appeal id {appeal_id} not found");
+        }
+        conn.execute("DELETE FROM bans WHERE ip_hash=?1", params![ip_hash])
+            .context("Failed to lift ban during appeal acceptance")?;
+        Ok(())
+    })();
+
+    match result {
+        Ok(()) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit accept-appeal transaction")?;
+            Ok(())
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
     }
-    tx.execute("DELETE FROM bans WHERE ip_hash=?1", params![ip_hash])
-        .context("Failed to lift ban during appeal acceptance")?;
-    tx.commit()
-        .context("Failed to commit accept-appeal transaction")?;
-    Ok(())
 }
 
 /// Count of currently open ban appeals.
diff --git a/src/db/boards.rs b/src/db/boards.rs
index 9aa4d48..4d8d23e 100644
--- a/src/db/boards.rs
+++ b/src/db/boards.rs
@@ -361,53 +361,62 @@ pub fn get_seconds_since_last_post(
 /// # Errors
 /// Returns an error if the database operation fails.
 pub fn delete_board(conn: &rusqlite::Connection, id: i64) -> Result<Vec<String>> {
-    let tx = conn
-        .unchecked_transaction()
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin delete_board transaction")?;
 
-    // Collect every file path that belongs to this board before the CASCADE.
-    // The ON DELETE CASCADE on boards→threads→posts handles DB row removal, but
-    // on-disk files must be cleaned up by the caller.
-    let candidates = {
-        let mut stmt = tx.prepare_cached(
-            "SELECT file_path, thumb_path, audio_file_path
-             FROM posts WHERE board_id = ?1",
-        )?;
-        let rows: Vec<(Option<String>, Option<String>, Option<String>)> = stmt
-            .query_map(params![id], |r| Ok((r.get(0)?, r.get(1)?, r.get(2)?)))?
-            .collect::<rusqlite::Result<_>>()?;
-        let mut v = Vec::new();
-        for (f, t, a) in rows {
-            if let Some(p) = f {
-                v.push(p);
+    let result: anyhow::Result<Vec<String>> = (|| {
+        // Collect every file path that belongs to this board before the CASCADE.
+        // The ON DELETE CASCADE on boards→threads→posts handles DB row removal, but
+        // on-disk files must be cleaned up by the caller.
+        let candidates = {
+            let mut stmt = conn.prepare_cached(
+                "SELECT file_path, thumb_path, audio_file_path
+                 FROM posts WHERE board_id = ?1",
+            )?;
+            let rows: Vec<(Option<String>, Option<String>, Option<String>)> = stmt
+                .query_map(params![id], |r| Ok((r.get(0)?, r.get(1)?, r.get(2)?)))?
+                .collect::<rusqlite::Result<_>>()?;
+            let mut v = Vec::new();
+            for (f, t, a) in rows {
+                if let Some(p) = f {
+                    v.push(p);
+                }
+                if let Some(p) = t {
+                    v.push(p);
+                }
+                if let Some(p) = a {
+                    v.push(p);
+                }
             }
-            if let Some(p) = t {
-                v.push(p);
-            }
-            if let Some(p) = a {
-                v.push(p);
-            }
-        }
-        v
-    };
+            v
+        };
 
-    // Cascade-delete threads, posts, polls, etc. for this board.
-    let n = tx
-        .execute("DELETE FROM boards WHERE id = ?1", params![id])
-        .context("Failed to delete board")?;
-    if n == 0 {
-        tx.rollback().ok();
-        anyhow::bail!("Board id {id} not found");
-    }
+        // Cascade-delete threads, posts, polls, etc. for this board.
+        let n = conn
+            .execute("DELETE FROM boards WHERE id = ?1", params![id])
+            .context("Failed to delete board")?;
+        if n == 0 {
+            anyhow::bail!("Board id {id} not found");
+        }
 
-    // paths_safe_to_delete runs inside the transaction so it sees the post-delete
-    // state: any file exclusively used by this board's posts now has zero
-    // remaining references and is safe to remove.
-    let safe = super::paths_safe_to_delete(&tx, candidates);
+        // paths_safe_to_delete runs inside the transaction so it sees the
+        // post-delete state: any file exclusively used by this board's posts now
+        // has zero remaining references and is safe to remove.
+        let safe = super::paths_safe_to_delete(conn, candidates);
+        Ok(safe)
+    })();
 
-    tx.commit()
-        .context("Failed to commit delete_board transaction")?;
-    Ok(safe)
+    match result {
+        Ok(safe) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit delete_board transaction")?;
+            Ok(safe)
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
+    }
 }
 
 // ─── Per-board stats (terminal display) ──────────────────────────────────────
diff --git a/src/db/mod.rs b/src/db/mod.rs
index 1997bda..6edb0b9 100644
--- a/src/db/mod.rs
+++ b/src/db/mod.rs
@@ -139,9 +139,10 @@ pub fn init_pool() -> Result<DbPool> {
         )
     });
 
-    // FIX[LOW-15]: Pool size comes from config so it can be tuned without
-    // recompiling. Falls back to 8 if not set.
-    let pool_size = 8u32;
+    // Pool size is configurable via CHAN_DB_POOL_SIZE env var or settings.toml.
+    // Falls back to 8 if not set. Each connection holds ~32 MiB of page cache,
+    // so size × 32 MiB sets the upper bound on SQLite memory usage.
+    let pool_size = CONFIG.db_pool_size;
 
     let pool = Pool::builder()
         .max_size(pool_size)
@@ -552,7 +553,7 @@ fn create_schema(conn: &rusqlite::Connection) -> Result<()> {
             [],
             |r| r.get(0),
         )
-        .unwrap_or(0);
+        .context("Failed to read ip_hash nullability from pragma_table_info")?;
 
     if ip_hash_notnull == 1 {
         conn.execute_batch(
@@ -625,7 +626,7 @@ fn create_schema(conn: &rusqlite::Connection) -> Result<()> {
             [],
             |r| r.get(0),
         )
-        .unwrap_or(0);
+        .context("Failed to count posts needing media_type backfill")?;
 
     if needs_backfill > 0 {
         conn.execute_batch(
diff --git a/src/db/posts.rs b/src/db/posts.rs
index 5d33204..8578070 100644
--- a/src/db/posts.rs
+++ b/src/db/posts.rs
@@ -76,7 +76,7 @@ pub(super) fn map_post(row: &rusqlite::Row<'_>) -> rusqlite::Result<Post> {
         subject: row.get(5)?,
         body: row.get(6)?,
         body_html: row.get(7)?,
-        ip_hash: row.get(8)?,
+        ip_hash: row.get::<_, Option<String>>(8)?,
         file_path: row.get(9)?,
         file_name: row.get(10)?,
         file_size: row.get(11)?,
@@ -276,48 +276,58 @@ pub fn get_post_on_board(
 /// # Errors
 /// Returns an error if the database operation fails.
 pub fn delete_post(conn: &rusqlite::Connection, post_id: i64) -> Result<Vec<String>> {
-    let tx = conn
-        .unchecked_transaction()
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin delete_post transaction")?;
 
-    let candidates = {
-        let mut candidates = Vec::new();
-        let mut stmt = tx.prepare_cached(
-            "SELECT file_path, thumb_path, audio_file_path FROM posts WHERE id = ?1",
-        )?;
-        if let Some((f, t, a)) = stmt
-            .query_row(params![post_id], |r| {
-                Ok((
-                    r.get::<_, Option<String>>(0)?,
-                    r.get::<_, Option<String>>(1)?,
-                    r.get::<_, Option<String>>(2)?,
-                ))
-            })
-            .optional()?
-        {
-            if let Some(p) = f {
-                candidates.push(p);
-            }
-            if let Some(p) = t {
-                candidates.push(p);
-            }
-            if let Some(p) = a {
-                candidates.push(p);
+    let result: anyhow::Result<Vec<String>> = (|| {
+        let candidates = {
+            let mut candidates = Vec::new();
+            let mut stmt = conn.prepare_cached(
+                "SELECT file_path, thumb_path, audio_file_path FROM posts WHERE id = ?1",
+            )?;
+            if let Some((f, t, a)) = stmt
+                .query_row(params![post_id], |r| {
+                    Ok((
+                        r.get::<_, Option<String>>(0)?,
+                        r.get::<_, Option<String>>(1)?,
+                        r.get::<_, Option<String>>(2)?,
+                    ))
+                })
+                .optional()?
+            {
+                if let Some(p) = f {
+                    candidates.push(p);
+                }
+                if let Some(p) = t {
+                    candidates.push(p);
+                }
+                if let Some(p) = a {
+                    candidates.push(p);
+                }
             }
-        }
-        candidates
-    };
+            candidates
+        };
 
-    tx.execute("DELETE FROM posts WHERE id = ?1", params![post_id])
-        .context("Failed to delete post")?;
+        conn.execute("DELETE FROM posts WHERE id = ?1", params![post_id])
+            .context("Failed to delete post")?;
 
-    // Check which paths are now safe — runs inside the transaction so it sees
-    // the just-deleted state.
-    let safe = super::paths_safe_to_delete(&tx, candidates);
+        // Check which paths are now safe — runs inside the transaction so it sees
+        // the just-deleted state.
+        let safe = super::paths_safe_to_delete(conn, candidates);
+        Ok(safe)
+    })();
 
-    tx.commit()
-        .context("Failed to commit delete_post transaction")?;
-    Ok(safe)
+    match result {
+        Ok(safe) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit delete_post transaction")?;
+            Ok(safe)
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
+    }
 }
 
 /// Use constant-time byte comparison to prevent timing side-channel attacks on
@@ -570,37 +580,48 @@ pub fn create_poll(
     options: &[String],
     expires_at: i64,
 ) -> Result<i64> {
-    // Wrap poll row + all option rows in one transaction so a crash mid-loop
-    // cannot leave a poll with zero options (which would cause divide-by-zero
-    // in the vote-percentage display).
-    let tx = conn
-        .unchecked_transaction()
+    // Wrap poll row + all option rows in one IMMEDIATE transaction so a crash
+    // mid-loop cannot leave a poll with zero options (divide-by-zero in display),
+    // and so the write lock is held from the start (no DEFERRED upgrade race).
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin poll transaction")?;
 
-    let poll_id: i64 = tx
-        .query_row(
-            "INSERT INTO polls (thread_id, question, expires_at) VALUES (?1, ?2, ?3)
-             RETURNING id",
-            params![thread_id, question, expires_at],
-            |r| r.get(0),
-        )
-        .context("Failed to insert poll")?;
-
-    let mut opt_stmt = tx
-        .prepare_cached("INSERT INTO poll_options (poll_id, text, position) VALUES (?1, ?2, ?3)")?;
-    for (i, text) in options.iter().enumerate() {
-        opt_stmt
-            .execute(params![
-                poll_id,
-                text,
-                i64::try_from(i).context("poll option index overflow")?
-            ])
-            .context("Failed to insert poll option")?;
-    }
-    drop(opt_stmt); // release borrow on tx before commit
+    let result: anyhow::Result<i64> = (|| {
+        let poll_id: i64 = conn
+            .query_row(
+                "INSERT INTO polls (thread_id, question, expires_at) VALUES (?1, ?2, ?3)
+                 RETURNING id",
+                params![thread_id, question, expires_at],
+                |r| r.get(0),
+            )
+            .context("Failed to insert poll")?;
+
+        let mut opt_stmt = conn.prepare_cached(
+            "INSERT INTO poll_options (poll_id, text, position) VALUES (?1, ?2, ?3)",
+        )?;
+        for (i, text) in options.iter().enumerate() {
+            opt_stmt
+                .execute(params![
+                    poll_id,
+                    text,
+                    i64::try_from(i).context("poll option index overflow")?
+                ])
+                .context("Failed to insert poll option")?;
+        }
+        Ok(poll_id)
+    })();
 
-    tx.commit().context("Failed to commit poll transaction")?;
-    Ok(poll_id)
+    match result {
+        Ok(poll_id) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit poll transaction")?;
+            Ok(poll_id)
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
+    }
 }
 
 /// Fetch the full poll for a thread including vote counts and the user's choice.
diff --git a/src/db/threads.rs b/src/db/threads.rs
index fde1096..5427da7 100644
--- a/src/db/threads.rs
+++ b/src/db/threads.rs
@@ -334,25 +334,37 @@ pub fn set_thread_archived(
 /// # Errors
 /// Returns an error if the database operation fails.
 pub fn delete_thread(conn: &rusqlite::Connection, thread_id: i64) -> Result<Vec<String>> {
-    let tx = conn
-        .unchecked_transaction()
+    // BEGIN IMMEDIATE acquires the write lock up-front, preventing SQLITE_BUSY
+    // on the lock upgrade that DEFERRED (unchecked_transaction) suffers under WAL.
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin delete_thread transaction")?;
 
-    // Step 1: collect file paths from all posts in this thread.
-    let candidates = collect_thread_file_paths(&tx, &[thread_id])?;
+    let result: anyhow::Result<Vec<String>> = (|| {
+        // Step 1: collect file paths from all posts in this thread.
+        let candidates = collect_thread_file_paths(conn, &[thread_id])?;
 
-    // Step 2: delete thread (CASCADE removes posts).
-    tx.execute("DELETE FROM threads WHERE id = ?1", params![thread_id])
-        .context("Failed to delete thread")?;
+        // Step 2: delete thread (CASCADE removes posts).
+        conn.execute("DELETE FROM threads WHERE id = ?1", params![thread_id])
+            .context("Failed to delete thread")?;
 
-    // Step 3: determine which paths are now unreferenced.
-    // paths_safe_to_delete sees the post-delete state because we're still inside
-    // the same transaction.
-    let safe = super::paths_safe_to_delete(&tx, candidates);
+        // Step 3: determine which paths are now unreferenced.
+        // paths_safe_to_delete sees the post-delete state because we're still
+        // inside the same transaction.
+        let safe = super::paths_safe_to_delete(conn, candidates);
+        Ok(safe)
+    })();
 
-    tx.commit()
-        .context("Failed to commit delete_thread transaction")?;
-    Ok(safe)
+    match result {
+        Ok(safe) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit delete_thread transaction")?;
+            Ok(safe)
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
+    }
 }
 
 // ─── Archive / prune ──────────────────────────────────────────────────────────
@@ -377,43 +389,63 @@ pub fn delete_thread(conn: &rusqlite::Connection, thread_id: i64) -> Result<Vec<
 /// # Errors
 /// Returns an error if the database operation fails.
 pub fn archive_old_threads(conn: &rusqlite::Connection, board_id: i64, max: i64) -> Result<usize> {
-    let tx = conn
-        .unchecked_transaction()
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin archive_old_threads transaction")?;
 
-    // Collect inside the transaction to prevent races with concurrent bumps.
-    let ids: Vec<i64> = {
-        let mut stmt = tx.prepare_cached(
-            "SELECT id FROM threads
-             WHERE board_id = ?1 AND sticky = 0 AND archived = 0
-             ORDER BY bumped_at DESC LIMIT -1 OFFSET ?2",
-        )?;
-        let x = stmt
-            .query_map(params![board_id, max], |r| r.get(0))?
-            .collect::<rusqlite::Result<Vec<_>>>()?;
-        x
-    };
-
-    let count = ids.len();
-    if count == 0 {
-        tx.rollback().ok();
-        return Ok(0);
-    }
+    let result: anyhow::Result<usize> = (|| {
+        // Collect inside the transaction to prevent races with concurrent bumps.
+        let ids: Vec<i64> = {
+            let mut stmt = conn.prepare_cached(
+                "SELECT id FROM threads
+                 WHERE board_id = ?1 AND sticky = 0 AND archived = 0
+                 ORDER BY bumped_at DESC LIMIT -1 OFFSET ?2",
+            )?;
+            // Bind `collected` explicitly so `stmt` is dropped before the
+            // block ends — the MappedRows iterator borrows `stmt`, and the
+            // compiler requires the borrow to end before the binding goes out
+            // of scope at the closing `}`.
+            let collected = stmt
+                .query_map(params![board_id, max], |r| r.get(0))?
+                .collect::<rusqlite::Result<Vec<_>>>()?;
+            collected
+        };
 
-    // Single bulk UPDATE instead of N individual statements.
-    let placeholders: String = ids
-        .iter()
-        .enumerate()
-        .map(|(i, _)| format!("?{}", i.saturating_add(1)))
-        .collect::<Vec<_>>()
-        .join(", ");
-    let sql = format!("UPDATE threads SET archived = 1, locked = 1 WHERE id IN ({placeholders})");
-    tx.execute(&sql, rusqlite::params_from_iter(&ids))
-        .context("Failed to bulk archive threads")?;
+        let count = ids.len();
+        if count == 0 {
+            return Ok(0);
+        }
+
+        // Single bulk UPDATE instead of N individual statements.
+        let placeholders: String = ids
+            .iter()
+            .enumerate()
+            .map(|(i, _)| format!("?{}", i.saturating_add(1)))
+            .collect::<Vec<_>>()
+            .join(", ");
+        let sql =
+            format!("UPDATE threads SET archived = 1, locked = 1 WHERE id IN ({placeholders})");
+        conn.execute(&sql, rusqlite::params_from_iter(&ids))
+            .context("Failed to bulk archive threads")?;
+
+        Ok(count)
+    })();
 
-    tx.commit()
-        .context("Failed to commit archive_old_threads transaction")?;
-    Ok(count)
+    match result {
+        Ok(0) => {
+            // Nothing to archive — roll back the (empty) transaction cleanly.
+            let _ = conn.execute_batch("ROLLBACK");
+            Ok(0)
+        }
+        Ok(count) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit archive_old_threads transaction")?;
+            Ok(count)
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
+    }
 }
 
 /// Hard-delete oldest non-sticky, non-archived threads that exceed `max_threads`.
@@ -447,51 +479,64 @@ pub fn prune_old_threads(
     board_id: i64,
     max: i64,
 ) -> Result<Vec<String>> {
-    let tx = conn
-        .unchecked_transaction()
+    conn.execute_batch("BEGIN IMMEDIATE")
         .context("Failed to begin prune_old_threads transaction")?;
 
-    // Collect ids inside the transaction to prevent concurrent bumps from
-    // changing the ordering between the SELECT and the DELETE.
-    let ids: Vec<i64> = {
-        let mut stmt = tx.prepare_cached(
-            "SELECT id FROM threads
-             WHERE board_id = ?1 AND sticky = 0 AND archived = 0
-             ORDER BY bumped_at DESC LIMIT -1 OFFSET ?2",
-        )?;
-        let x = stmt
-            .query_map(params![board_id, max], |r| r.get(0))?
-            .collect::<rusqlite::Result<Vec<_>>>()?;
-        x
-    };
-
-    if ids.is_empty() {
-        tx.rollback().ok();
-        return Ok(Vec::new());
-    }
-
-    // Collect all file paths in a single query BEFORE the DELETEs.
-    let candidates = collect_thread_file_paths(&tx, &ids)?;
-
-    // Single bulk DELETE instead of N individual statements.
-    let placeholders: String = ids
-        .iter()
-        .enumerate()
-        .map(|(i, _)| format!("?{}", i.saturating_add(1)))
-        .collect::<Vec<_>>()
-        .join(", ");
-    let sql = format!("DELETE FROM threads WHERE id IN ({placeholders})");
-    tx.execute(&sql, rusqlite::params_from_iter(&ids))
-        .context("Failed to bulk delete pruned threads")?;
+    let result: anyhow::Result<Vec<String>> = (|| {
+        // Collect ids inside the transaction to prevent concurrent bumps from
+        // changing the ordering between the SELECT and the DELETE.
+        let ids: Vec<i64> = {
+            let mut stmt = conn.prepare_cached(
+                "SELECT id FROM threads
+                 WHERE board_id = ?1 AND sticky = 0 AND archived = 0
+                 ORDER BY bumped_at DESC LIMIT -1 OFFSET ?2",
+            )?;
+            let collected = stmt
+                .query_map(params![board_id, max], |r| r.get(0))?
+                .collect::<rusqlite::Result<Vec<_>>>()?;
+            collected
+        };
 
-    // Determine safe paths INSIDE the transaction so the check sees the
-    // post-delete state before any concurrent writer can insert new references.
-    let safe = super::paths_safe_to_delete(&tx, candidates);
+        if ids.is_empty() {
+            return Ok(Vec::new());
+        }
 
-    tx.commit()
-        .context("Failed to commit prune_old_threads transaction")?;
+        // Collect all file paths in a single query BEFORE the DELETEs.
+        let candidates = collect_thread_file_paths(conn, &ids)?;
+
+        // Single bulk DELETE instead of N individual statements.
+        let placeholders: String = ids
+            .iter()
+            .enumerate()
+            .map(|(i, _)| format!("?{}", i.saturating_add(1)))
+            .collect::<Vec<_>>()
+            .join(", ");
+        let sql = format!("DELETE FROM threads WHERE id IN ({placeholders})");
+        conn.execute(&sql, rusqlite::params_from_iter(&ids))
+            .context("Failed to bulk delete pruned threads")?;
+
+        // Determine safe paths INSIDE the transaction so the check sees the
+        // post-delete state before any concurrent writer can insert new references.
+        let safe = super::paths_safe_to_delete(conn, candidates);
+        Ok(safe)
+    })();
 
-    Ok(safe)
+    match result {
+        Ok(ref paths) if paths.is_empty() => {
+            // Nothing pruned — roll back cleanly.
+            let _ = conn.execute_batch("ROLLBACK");
+            Ok(Vec::new())
+        }
+        Ok(safe) => {
+            conn.execute_batch("COMMIT")
+                .context("Failed to commit prune_old_threads transaction")?;
+            Ok(safe)
+        }
+        Err(e) => {
+            let _ = conn.execute_batch("ROLLBACK");
+            Err(e)
+        }
+    }
 }
 
 // ─── Archive listing ──────────────────────────────────────────────────────────
diff --git a/src/detect.rs b/src/detect.rs
index 2d16280..79866fe 100644
--- a/src/detect.rs
+++ b/src/detect.rs
@@ -24,6 +24,7 @@ pub enum ToolStatus {
 
 static TOR_CHILD: OnceLock<Arc<Mutex<std::process::Child>>> = OnceLock::new();
 
+#[allow(dead_code)]
 pub fn kill_tor() {
     if let Some(child) = TOR_CHILD.get() {
         if let Ok(mut c) = child.lock() {
@@ -355,11 +356,26 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
 
     let prev_hook = std::panic::take_hook();
     std::panic::set_hook(Box::new(move |info| {
-        kill_tor();
+        // A panic hook MUST NOT panic — doing so causes an unconditional abort
+        // with no useful diagnostic output.  We therefore use try_lock() so
+        // that a poisoned or already-locked mutex is silently skipped; the OS
+        // will reap the Tor child on process exit regardless.
+        if let Some(child) = TOR_CHILD.get() {
+            if let Ok(mut c) = child.try_lock() {
+                let _ = c.kill();
+                let _ = c.wait();
+            }
+            // If try_lock fails (mutex poisoned or already held during unwind),
+            // skip the kill — do NOT call .lock()/.expect() here.
+        }
         prev_hook(info);
     }));
 
-    let pid = child.lock().expect("child process mutex poisoned").id();
+    // Recover from a poisoned mutex instead of crashing the process.
+    let pid = child
+        .lock()
+        .unwrap_or_else(std::sync::PoisonError::into_inner)
+        .id();
     tracing::info!(target: "detect", pid = pid, "Tor process started — waiting for .onion address");
 
     let hostname_path = hs_abs.join("hostname");
@@ -374,12 +390,14 @@ pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) ->
 
         let try_wait_result = child_bg
             .lock()
-            .expect("child process mutex poisoned")
+            .unwrap_or_else(std::sync::PoisonError::into_inner)
             .try_wait();
 
         match try_wait_result {
             Ok(Some(status)) => {
-                let lines = stderr_bg.lock().expect("stderr buffer mutex poisoned");
+                let lines = stderr_bg
+                    .lock()
+                    .unwrap_or_else(std::sync::PoisonError::into_inner);
                 tracing::error!(
                     target: "detect",
                     exit_status = %status,
@@ -442,7 +460,9 @@ fn poll_for_hostname(
     loop {
         if let Ok(mut c) = child.try_lock() {
             if let Ok(Some(status)) = c.try_wait() {
-                let lines = stderr_lines.lock().expect("stderr buffer mutex poisoned");
+                let lines = stderr_lines
+                    .lock()
+                    .unwrap_or_else(std::sync::PoisonError::into_inner);
                 tracing::error!(
                     target: "detect",
                     exit_status = %status,
diff --git a/src/error.rs b/src/error.rs
index bed7c97..a609674 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -92,10 +92,20 @@ impl From<rusqlite::Error> for AppError {
     }
 }
 
-// Allow ? operator on r2d2::Error
+// Allow ? operator on r2d2::Error.
+// Pool connection timeouts → DbBusy (503) so clients know to retry.
+// Other pool errors (misconfiguration, driver failure) → Internal (500).
 impl From<r2d2::Error> for AppError {
     fn from(e: r2d2::Error) -> Self {
-        Self::Internal(anyhow::Error::new(e))
+        // r2d2 surfaces timeout as "timed out waiting for connection".
+        // Match on the message rather than a private variant so this keeps
+        // working across r2d2 minor versions.
+        let msg = e.to_string();
+        if msg.contains("timed out") || msg.contains("Timeout") {
+            Self::DbBusy
+        } else {
+            Self::Internal(anyhow::Error::new(e))
+        }
     }
 }
 
diff --git a/src/handlers/admin/backup.rs b/src/handlers/admin/backup.rs
index e5a1711..6dbedfb 100644
--- a/src/handlers/admin/backup.rs
+++ b/src/handlers/admin/backup.rs
@@ -2019,7 +2019,7 @@ mod board_backup_types {
         pub subject: Option<String>,
         pub body: String,
         pub body_html: String,
-        pub ip_hash: String,
+        pub ip_hash: Option<String>,
         pub file_path: Option<String>,
         pub file_name: Option<String>,
         pub file_size: Option<i64>,
diff --git a/src/handlers/backup.rs b/src/handlers/backup.rs
new file mode 100644
index 0000000..e43ba12
--- /dev/null
+++ b/src/handlers/backup.rs
@@ -0,0 +1,2942 @@
+// handlers/admin/backup.rs
+//
+// Backup and restore subsystem for the admin panel.
+// Covers full-site backups, board-level backups, streaming downloads,
+// saved-backup restoration, and live board.json restore.
+
+use crate::{
+    config::CONFIG,
+    db,
+    error::{AppError, Result},
+    middleware::AppState,
+    models::BackupInfo,
+    utils::crypto::new_session_id,
+};
+use axum::{
+    extract::{Form, Multipart, State},
+    http::header,
+    response::{IntoResponse, Redirect, Response},
+};
+use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
+use chrono::Utc;
+use rusqlite::{backup::Backup, params};
+use serde::Deserialize;
+use serde_json;
+use std::io::{Seek, Write};
+use std::path::PathBuf;
+use std::sync::atomic::Ordering;
+use time;
+use tokio::io::AsyncWriteExt as _;
+use tokio_util::io::ReaderStream;
+use tracing::warn;
+
+// ─── URL query-string encoder ─────────────────────────────────────────────────
+//
+// FIX[#30]: `encode_q` was previously defined as an inner function inside two
+// separate async handlers, with one implementation slightly less efficient than
+// the other. Extracted here so both call sites share a single definition.
+//
+// Encodes `s` using percent-encoding, with spaces as `+` (form-URL encoding).
+// Used only for error messages in redirect query strings — not for URL paths.
+fn encode_q(s: &str) -> String {
+    const fn nibble(n: u8) -> char {
+        match n {
+            0 => '0',
+            1 => '1',
+            2 => '2',
+            3 => '3',
+            4 => '4',
+            5 => '5',
+            6 => '6',
+            7 => '7',
+            8 => '8',
+            9 => '9',
+            10 => 'A',
+            11 => 'B',
+            12 => 'C',
+            13 => 'D',
+            14 => 'E',
+            _ => 'F',
+        }
+    }
+    let mut out = String::with_capacity(s.len());
+    for b in s.bytes() {
+        match b {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
+                out.push(b as char);
+            }
+            b' ' => out.push('+'),
+            b => {
+                out.push('%');
+                out.push(nibble(b >> 4));
+                out.push(nibble(b & 0xf));
+            }
+        }
+    }
+    out
+}
+
+// FIX[#19]: Module-level constant so it can be referenced inside closures and
+// loops without triggering the "item after statements" clippy lint.
+const SQLITE_HEADER: &[u8; 16] = b"SQLite format 3\0";
+
+// ─── RAII temp-file cleanup guard ─────────────────────────────────────────────
+//
+// Deletes the wrapped path when dropped — even on early return, panic, or
+// client disconnect.  This replaces the previous 10-minute timer approach that
+// leaked temp files on server restart before the timer fired.
+
+struct TempFileGuard(std::path::PathBuf);
+
+impl Drop for TempFileGuard {
+    fn drop(&mut self) {
+        if let Err(e) = std::fs::remove_file(&self.0) {
+            // NotFound is fine — means we already cleaned up explicitly.
+            if e.kind() != std::io::ErrorKind::NotFound {
+                tracing::warn!(
+                    path = %self.0.display(),
+                    error = %e,
+                    "Failed to clean up temp backup file"
+                );
+            }
+        }
+    }
+}
+
+// ─── RAII streaming body wrapper ──────────────────────────────────────────────
+//
+// Holds a `NamedTempFile` alongside the byte stream so the temp file is
+// deleted when the stream is fully consumed OR when the client disconnects
+// early (axum drops the body, which drops this stream, which drops the guard).
+
+struct TempFileStream {
+    inner: ReaderStream<tokio::fs::File>,
+    // Kept for its Drop impl only — deleted when this stream is dropped.
+    _guard: tempfile::NamedTempFile,
+}
+
+// NamedTempFile wraps a File + PathBuf, both Unpin — safe to declare Unpin.
+impl Unpin for TempFileStream {}
+
+impl futures_core::Stream for TempFileStream {
+    type Item = std::io::Result<bytes::Bytes>;
+
+    fn poll_next(
+        mut self: std::pin::Pin<&mut Self>,
+        cx: &mut std::task::Context<'_>,
+    ) -> std::task::Poll<Option<Self::Item>> {
+        // inner is Unpin (ReaderStream<tokio::fs::File>), so Pin::new is safe.
+        std::pin::Pin::new(&mut self.inner).poll_next(cx)
+    }
+}
+
+#[allow(clippy::too_many_lines)]
+pub async fn admin_backup(State(state): State<AppState>, jar: CookieJar) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    let upload_dir = CONFIG.upload_dir.clone();
+    let progress = state.backup_progress.clone();
+
+    let (tmp_path, filename, file_size) = tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<(PathBuf, String, u64)> {
+            let conn = pool.get()?;
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+
+            progress.reset(crate::middleware::backup_phase::SNAPSHOT_DB);
+
+            let temp_dir = std::env::temp_dir();
+            let tmp_id = uuid::Uuid::new_v4().simple().to_string();
+            let temp_db = temp_dir.join(format!("chan_backup_{tmp_id}.db"));
+
+            // RAII guard: temp_db is always removed when this guard drops,
+            // including on early return or error.
+            let _temp_db_guard = TempFileGuard(temp_db.clone());
+
+            // FIX[CRIT-3]: Replace VACUUM INTO with rusqlite's backup API.
+            // VACUUM INTO does not accept bound parameters; using format-string
+            // SQL with path escaping is fragile (backslashes, newlines).
+            // Backup::new(src, dst) copies the live DB into `temp_db` safely,
+            // with no SQL string construction.
+            {
+                let mut dst = rusqlite::Connection::open(&temp_db)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Open temp DB: {e}")))?;
+                let bk = Backup::new(&conn, &mut dst)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup init: {e}")))?;
+                bk.run_to_completion(100, std::time::Duration::from_millis(0), None)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup copy: {e}")))?;
+            }
+            drop(conn);
+
+            // Count files for progress bar before compressing.
+            progress.reset(crate::middleware::backup_phase::COUNT_FILES);
+            let uploads_base = std::path::Path::new(&upload_dir);
+            let file_count = count_files_in_dir(uploads_base);
+            // +1 for chan.db
+            progress
+                .files_total
+                .store(file_count.saturating_add(1), Ordering::Relaxed);
+
+            // MEM-FIX: write zip directly to a NamedTempFile instead of Vec<u8>.
+            let zip_tmp = tempfile::NamedTempFile::new()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("Create temp zip: {e}")))?;
+            {
+                let out_file =
+                    std::io::BufWriter::new(zip_tmp.as_file().try_clone().map_err(|e| {
+                        AppError::Internal(anyhow::anyhow!("Clone temp file handle: {e}"))
+                    })?);
+                let mut zip = zip::ZipWriter::new(out_file);
+                let opts = zip::write::SimpleFileOptions::default()
+                    .compression_method(zip::CompressionMethod::Deflated);
+
+                progress.reset(crate::middleware::backup_phase::COMPRESS);
+                progress
+                    .files_total
+                    .store(file_count.saturating_add(1), Ordering::Relaxed);
+
+                // ── Database snapshot (streamed, not read into RAM) ────────
+                zip.start_file("chan.db", opts)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip DB entry: {e}")))?;
+                let mut db_src = std::fs::File::open(&temp_db)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Open DB snapshot: {e}")))?;
+                let copied = std::io::copy(&mut db_src, &mut zip)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Stream DB to zip: {e}")))?;
+                drop(db_src);
+                // _temp_db_guard will clean up temp_db when the closure returns.
+                progress.files_done.fetch_add(1, Ordering::Relaxed);
+                progress.bytes_done.fetch_add(copied, Ordering::Relaxed);
+
+                // ── Upload files (streamed file-by-file via io::copy) ──────
+                if uploads_base.exists() {
+                    add_dir_to_zip(&mut zip, uploads_base, uploads_base, opts, &progress)?;
+                }
+
+                // Flush the BufWriter explicitly so I/O errors are not
+                // silently swallowed by the implicit Drop-flush.
+                let writer = zip
+                    .finish()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Finalise zip: {e}")))?;
+                writer
+                    .into_inner()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Flush zip writer: {e}")))?
+                    .sync_all()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Sync zip file: {e}")))?;
+            }
+
+            let file_size = zip_tmp.as_file().metadata().map(|m| m.len()).unwrap_or(0);
+
+            // Seek the zip temp file back to the beginning so the async reader
+            // starts from byte 0.  We keep zip_tmp as NamedTempFile (not
+            // persisted) so it auto-deletes when the TempFileStream is dropped —
+            // whether that happens after a clean transfer or an early disconnect.
+            zip_tmp
+                .as_file()
+                .seek(std::io::SeekFrom::Start(0))
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("Seek zip to start: {e}")))?;
+
+            let ts = Utc::now().format("%Y%m%d_%H%M%S");
+            let fname = format!("rustchan-backup-{ts}.zip");
+            tracing::info!(target: "admin", bytes = file_size, "Full backup downloaded");
+            progress
+                .phase
+                .store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
+            Ok((zip_tmp, fname, file_size))
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    // FIX[MED-8]: Use TempFileStream — a RAII stream wrapper that holds the
+    // NamedTempFile alongside the reader.  When the body is fully consumed OR
+    // when the client disconnects (axum drops the body), the stream is dropped,
+    // which drops the NamedTempFile, which deletes the temp file.
+    // This replaces the previous 10-minute sleep task that leaked files on restart.
+    let std_file = zip_tmp
+        .as_file()
+        .try_clone()
+        .map_err(|e| AppError::Internal(anyhow::anyhow!("Clone zip fd: {e}")))?;
+    let tokio_file = tokio::fs::File::from_std(std_file);
+    let body = axum::body::Body::from_stream(TempFileStream {
+        inner: ReaderStream::new(tokio_file),
+        _guard: zip_tmp,
+    });
+
+    let disposition = format!("attachment; filename=\"{filename}\"");
+    Ok((
+        [
+            (header::CONTENT_TYPE, "application/zip".to_string()),
+            (header::CONTENT_DISPOSITION, disposition),
+            (header::CONTENT_LENGTH, file_size.to_string()),
+        ],
+        body,
+    )
+        .into_response())
+}
+
+/// Count regular files (not directories) under `dir` recursively.
+/// Used to initialise the progress bar's `files_total` before compression starts.
+#[allow(clippy::arithmetic_side_effects)]
+fn count_files_in_dir(dir: &std::path::Path) -> u64 {
+    if !dir.is_dir() {
+        return 0;
+    }
+    let Ok(entries) = std::fs::read_dir(dir) else {
+        return 0;
+    };
+    entries.flatten().fold(0u64, |acc, entry| {
+        let p = entry.path();
+        if p.is_dir() {
+            acc + count_files_in_dir(&p)
+        } else if p.is_file() {
+            acc + 1
+        } else {
+            acc
+        }
+    })
+}
+
+/// Recursively add every file under `dir` into the zip as `uploads/{rel_path}`.
+///
+/// MEM-FIX: Uses `std::io::copy` with the zip writer directly, streaming each
+/// file through a kernel buffer (~8 KiB) instead of reading the whole file
+/// into a Vec<u8> first.  Peak RAM per file = `io::copy`'s 8 KiB stack buffer.
+///
+/// Progress tracking: increments `progress.files_done` and `progress.bytes_done`
+/// after each file is written to the zip.
+fn add_dir_to_zip<W: Write + Seek>(
+    zip: &mut zip::ZipWriter<W>,
+    base: &std::path::Path,
+    dir: &std::path::Path,
+    opts: zip::write::SimpleFileOptions,
+    progress: &crate::middleware::BackupProgress,
+) -> Result<()> {
+    let entries = std::fs::read_dir(dir)
+        .map_err(|e| AppError::Internal(anyhow::anyhow!("read_dir {}: {}", dir.display(), e)))?;
+
+    for entry in entries {
+        let entry = entry.map_err(|e| AppError::Internal(anyhow::anyhow!("dir entry: {e}")))?;
+        let path = entry.path();
+
+        let relative = path
+            .strip_prefix(base)
+            .map_err(|e| AppError::Internal(anyhow::anyhow!("strip_prefix: {e}")))?;
+        let rel_str = relative.to_string_lossy().replace('\\', "/");
+        let zip_path = format!("uploads/{rel_str}");
+
+        if path.is_dir() {
+            zip.add_directory(&zip_path, opts)
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("zip dir: {e}")))?;
+            add_dir_to_zip(zip, base, &path, opts, progress)?;
+        } else if path.is_file() {
+            // MEM-FIX: open file, stream through io::copy — no Vec<u8> allocation.
+            let mut src = std::fs::File::open(&path).map_err(|e| {
+                AppError::Internal(anyhow::anyhow!("open {}: {}", path.display(), e))
+            })?;
+            zip.start_file(&zip_path, opts)
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("zip file entry: {e}")))?;
+            let copied = std::io::copy(&mut src, zip).map_err(|e| {
+                AppError::Internal(anyhow::anyhow!("copy {} to zip: {}", path.display(), e))
+            })?;
+            progress.files_done.fetch_add(1, Ordering::Relaxed);
+            progress.bytes_done.fetch_add(copied, Ordering::Relaxed);
+        }
+    }
+    Ok(())
+}
+
+// ─── POST /admin/restore ──────────────────────────────────────────────────────
+
+/// Replace the live database with the contents of a backup zip.
+///
+/// Design — why we use `SQLite`'s backup API instead of swapping files:
+///
+///   The r2d2 pool keeps up to 8 `SQLite` connections open permanently.  On
+///   Linux, renaming a new file over chan.db does NOT update the connections
+///   already open — they still hold file descriptors to the old inode.  File-
+///   swapping therefore leaves the pool reading stale data until the process
+///   restarts, and deleting the WAL while live connections are active can
+///   corrupt the database.
+///
+///   `rusqlite::backup::Backup` wraps `SQLite`'s `sqlite3_backup_init()` API,
+///   which copies data directly into the destination connection's live file —
+///   through the WAL, through the same file descriptors, safely.  After
+///   `run_to_completion()` returns, every connection in the pool immediately
+///   sees the restored data.  No file swapping, no WAL deletion, no restart
+///   required.
+///
+/// Security:
+///   • Admin session + CSRF required before any data is touched.
+///   • Zip path-traversal entries (containing ".." or absolute paths) are
+///     rejected.
+///   • Only "chan.db" and "uploads/…" entries are extracted; everything else
+///     is silently ignored.
+///   • The uploaded DB is written to a temp file then opened read-only as the
+///     backup source; it is deleted on success or failure.
+#[allow(clippy::too_many_lines)]
+#[allow(clippy::arithmetic_side_effects)]
+pub async fn admin_restore(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    mut multipart: Multipart,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+
+    // FIX[A7]: Stream the uploaded zip to a NamedTempFile on disk instead of
+    // buffering the entire upload into a Vec<u8>.  Full-site backups can be
+    // several GiB; loading them entirely into the heap exhausts available memory.
+    let mut zip_tmp: Option<tempfile::NamedTempFile> = None;
+    let mut form_csrf: Option<String> = None;
+
+    while let Some(field) = multipart
+        .next_field()
+        .await
+        .map_err(|e| AppError::BadRequest(format!("Multipart error: {e}")))?
+    {
+        match field.name() {
+            Some("_csrf") => {
+                form_csrf = Some(
+                    field
+                        .text()
+                        .await
+                        .map_err(|e| AppError::BadRequest(e.to_string()))?,
+                );
+            }
+            Some("backup_file") => {
+                let tmp = tempfile::NamedTempFile::new()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Tempfile: {e}")))?;
+                // Clone the underlying fd for async writing; the original
+                // NamedTempFile retains ownership and the delete-on-drop guard.
+                let std_clone = tmp
+                    .as_file()
+                    .try_clone()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Clone fd: {e}")))?;
+                let async_file = tokio::fs::File::from_std(std_clone);
+                let mut writer = tokio::io::BufWriter::new(async_file);
+                let mut field = field;
+                while let Some(chunk) = field
+                    .chunk()
+                    .await
+                    .map_err(|e| AppError::BadRequest(e.to_string()))?
+                {
+                    writer
+                        .write_all(&chunk)
+                        .await
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Write chunk: {e}")))?;
+                }
+                writer
+                    .flush()
+                    .await
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Flush: {e}")))?;
+                zip_tmp = Some(tmp);
+            }
+            _ => {
+                // Drain unknown fields so the multipart stream advances.
+                let _ = field.bytes().await;
+            }
+        }
+    }
+
+    // CSRF check.
+    let csrf_cookie = jar.get("csrf_token").map(|c| c.value().to_string());
+    if !crate::middleware::validate_csrf(csrf_cookie.as_deref(), form_csrf.as_deref().unwrap_or(""))
+    {
+        return Err(AppError::Forbidden("CSRF token mismatch.".into()));
+    }
+
+    let zip_tmp = zip_tmp.ok_or_else(|| AppError::BadRequest("No backup file uploaded.".into()))?;
+    // Determine size without reading into RAM: seeking to end gives the byte count.
+    let zip_size = zip_tmp
+        .as_file()
+        .seek(std::io::SeekFrom::End(0))
+        .map_err(|e| AppError::Internal(anyhow::anyhow!("Seek check: {e}")))?;
+    if zip_size == 0 {
+        return Err(AppError::BadRequest(
+            "Uploaded backup file is empty.".into(),
+        ));
+    }
+
+    let upload_dir = CONFIG.upload_dir.clone();
+
+    let fresh_sid: String = tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<String> {
+            // ── Auth ──────────────────────────────────────────────────────
+            // Hold this connection open for the entire restore so the pool
+            // can't recycle it and open a fresh one mid-copy.
+            let mut live_conn = pool.get()?;
+            // Save admin_id now — we'll need it to create a new session
+            // in the restored DB once the backup completes.
+            let admin_id = super::require_admin_session_sid(&live_conn, session_id.as_deref())?;
+
+            // ── Open the on-disk zip (FIX[A7]) ───────────────────────────
+            // reopen() gives a fresh File descriptor seeked to position 0,
+            // so ZipArchive can navigate entries without loading into RAM.
+            let zip_file = zip_tmp
+                .reopen()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("Reopen zip: {e}")))?;
+            let mut archive = zip::ZipArchive::new(std::io::BufReader::new(zip_file))
+                .map_err(|e| AppError::BadRequest(format!("Invalid zip: {e}")))?;
+
+            // Quick pre-flight: make sure there is a chan.db entry.
+            // file_names() is a stable iterator available in zip 2+ and zip 8+.
+            let has_db = archive.file_names().any(|n| n == "chan.db");
+            if !has_db {
+                return Err(AppError::BadRequest(
+                    "Invalid backup: zip must contain 'chan.db' at the root.".into(),
+                ));
+            }
+
+            // ── Single-pass extraction ────────────────────────────────────
+            let temp_dir = std::env::temp_dir();
+            let tmp_id = uuid::Uuid::new_v4().simple().to_string();
+            let temp_db = temp_dir.join(format!("chan_restore_{tmp_id}.db"));
+            let mut db_extracted = false;
+
+            for i in 0..archive.len() {
+                let mut entry = archive.by_index(i)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip read [{i}]: {e}")))?;
+                let name = entry.name().to_string();
+
+                // Security: skip any path-traversal attempts.
+                if name.contains("..") || name.starts_with('/') || name.starts_with('\\') {
+                    warn!("Restore: skipping suspicious zip entry '{name}'");
+                    continue;
+                }
+
+                if name == "chan.db" {
+                    let mut out = std::fs::File::create(&temp_db)
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Create temp DB: {e}")))?;
+                    copy_limited(&mut entry, &mut out, ZIP_ENTRY_MAX_BYTES)
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Write temp DB: {e}")))?;
+
+                    // FIX[#19]: Validate SQLite magic bytes before handing this
+                    // file to the backup API. Without this check a malicious or
+                    // corrupted "chan.db" inside the zip (e.g. a shell script or
+                    // truncated file) would be opened by rusqlite, which could
+                    // panic or return opaque internal errors. The magic sequence
+                    // is the first 16 bytes of every valid SQLite 3 database.
+                    let mut header = [0u8; 16];
+                    {
+                        use std::io::Read;
+                        let mut f = std::fs::File::open(&temp_db).map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Magic check open: {e}"))
+                        })?;
+                        if f.read_exact(&mut header).is_err() {
+                            let _ = std::fs::remove_file(&temp_db);
+                            return Err(AppError::BadRequest(
+                                "Uploaded chan.db is not a valid SQLite database (file too small)."
+                                    .into(),
+                            ));
+                        }
+                    }
+                    if &header != SQLITE_HEADER {
+                        let _ = std::fs::remove_file(&temp_db);
+                        return Err(AppError::BadRequest(
+                            "Uploaded chan.db is not a valid SQLite database (invalid magic bytes)."
+                                .into(),
+                        ));
+                    }
+
+                    db_extracted = true;
+
+                } else if let Some(rel) = name.strip_prefix("uploads/") {
+                    if rel.is_empty() { continue; }
+                    let target = PathBuf::from(&upload_dir).join(rel);
+
+                    if entry.is_dir() {
+                        std::fs::create_dir_all(&target)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("mkdir {}: {}", target.display(), e)))?;
+                    } else {
+                        if let Some(parent) = target.parent() {
+                            std::fs::create_dir_all(parent)
+                                .map_err(|e| AppError::Internal(anyhow::anyhow!("mkdir parent: {e}")))?;
+                        }
+                        let mut out = std::fs::File::create(&target)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Create {}: {}", target.display(), e)))?;
+                        copy_limited(&mut entry, &mut out, ZIP_ENTRY_MAX_BYTES)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Write {}: {}", target.display(), e)))?;
+                    }
+                }
+            }
+            drop(archive);
+
+            if !db_extracted {
+                return Err(AppError::Internal(anyhow::anyhow!(
+                    "chan.db was found in pre-flight but not extracted — corrupted zip?"
+                )));
+            }
+
+            // ── SQLite backup API: copy temp DB → live DB ─────────────────
+            let backup_result = (|| -> Result<()> {
+                let src = rusqlite::Connection::open(&temp_db)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Open backup source: {e}")))?;
+                                let backup = Backup::new(&src, &mut live_conn)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup init: {e}")))?;
+                backup.run_to_completion(100, std::time::Duration::from_millis(0), None)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup copy: {e}")))?;
+                Ok(())
+            })();
+
+            let _ = std::fs::remove_file(&temp_db);
+            backup_result?;
+
+            // ── Re-issue session cookie ───────────────────────────────────
+            //
+            // The backup API just replaced the admin_sessions table with the
+            // one from the backup file, so the browser's current session ID is
+            // now invalid against the restored DB.  Create a fresh session for
+            // the same admin_id so the redirect to /admin/panel succeeds.
+            //
+            // If admin_id doesn't exist in the restored DB (e.g. restoring
+            // from a much older backup) the INSERT will fail with a FK error.
+            // We catch that, log it, and return an empty string to signal that
+            // the handler should redirect to the login page instead.
+            let fresh_sid = new_session_id();
+            let expires_at = Utc::now().timestamp() + CONFIG.session_duration;
+            match db::create_session(&live_conn, &fresh_sid, admin_id, expires_at) {
+                Ok(()) => {
+                    tracing::info!(target: "admin", admin_id = admin_id, "Restore completed, new session issued");
+                    // Refresh live board list — the restored DB may have
+                    // different boards than what was running before.
+                    if let Ok(boards) = db::get_all_boards(&live_conn) {
+                        crate::templates::set_live_boards(boards);
+                    }
+                    Ok(fresh_sid)
+                }
+                Err(e) => {
+                    warn!("Restore: could not create new session (admin_id={} may not exist in backup): {}", admin_id, e);
+                    Ok(String::new())
+                }
+            }
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    // If we got a valid session ID back, replace the cookie and go to the
+    // panel.  If not (admin didn't exist in the backup), go to login instead.
+    if fresh_sid.is_empty() {
+        let jar = jar.remove(Cookie::from(super::SESSION_COOKIE));
+        return Ok((jar, Redirect::to("/admin")).into_response());
+    }
+
+    let mut new_cookie = Cookie::new(super::SESSION_COOKIE, fresh_sid);
+    new_cookie.set_http_only(true);
+    new_cookie.set_same_site(SameSite::Strict);
+    new_cookie.set_path("/");
+    new_cookie.set_secure(CONFIG.https_cookies);
+    // FIX[A5]: Set Max-Age so the browser expires the cookie after the configured
+    // session lifetime — matching the behaviour of the normal login handler.
+    new_cookie.set_max_age(time::Duration::seconds(CONFIG.session_duration));
+
+    Ok((jar.add(new_cookie), Redirect::to("/admin/panel?restored=1")).into_response())
+}
+
+// ─── CRIT-4: Zip decompression size limiter ────────────────────────────────────
+//
+// std::io::copy() has no bound on how much data it will write.  A malicious
+// 1 KiB zip (a "zip bomb") can expand to gigabytes, exhausting disk or memory.
+// copy_limited() caps the decompressed size of each entry.
+
+// Maximum bytes to extract from any single zip entry.
+// Set to 16 GiB — these are admin-only restore endpoints, so individual
+// entries (large videos, the SQLite DB) can legitimately be several GiB.
+// ─── Quotelink ID remapping ───────────────────────────────────────────────────
+//
+// When a board backup is restored, posts receive new auto-incremented IDs
+// because other boards' posts already occupy the original IDs in the global
+// `posts` table.  `remap_body_quotelinks` and `remap_body_html_quotelinks`
+// rewrite the raw text and rendered HTML of each restored post so that in-board
+// quotelinks point to the new IDs instead of the now-stale original ones.
+//
+// Design constraints:
+//
+// 1. ONLY same-board links are remapped.  Cross-board references (`>>>/b/N`)
+//    point to other boards whose IDs are unchanged by this restore operation
+//    and must not be altered.
+//
+// 2. `pairs` must be sorted by old-ID string length *descending* before being
+//    passed to these functions.  This prevents a shorter ID (e.g. "10") from
+//    being substituted as a prefix of a longer one ("1000") before the longer
+//    match has a chance to fire.  Example:
+//      pairs = [("1000","2500"), ("100","800"), ("10","50"), ("1","3")]
+//    Processing "1000" before "100" prevents "1000" → "8000" (wrong first).
+//
+// 3. `body` stores the original markdown-like text the user typed.  In-board
+//    quotelinks appear as `>>{old_id}` (e.g. `>>500`).  A regex-free approach
+//    is used: for each (old, new) pair, replace `>>{old}` followed by a
+//    non-digit (or end-of-string) to avoid `>>100` matching inside `>>1000`.
+//
+// 4. `body_html` stores pre-rendered HTML.  In-board quotelinks look like:
+//      <a href="#p{N}" class="quotelink" data-pid="{N}">&gt;&gt;{N}</a>
+//    Cross-board quotelinks look like:
+//      <a href="/board/post/{N}" class="quotelink crosslink" ...>&gt;&gt;&gt;/…</a>
+//    We replace `href="#p{old}"` (exclusively in-board) and
+//    `data-pid="{old}">&gt;&gt;{old}</a>` (display text also exclusive to
+//    in-board links — cross-board display text has `&gt;&gt;&gt;/` prefix).
+
+// Rewrite in-board `>>{old_id}` references in the raw post body.
+// `pairs` must be pre-sorted by old-ID string length descending.
+#[allow(clippy::arithmetic_side_effects)]
+fn remap_body_quotelinks(body: &str, pairs: &[(String, String)]) -> String {
+    // Avoid cloning when there is nothing to change.
+    if pairs.is_empty() {
+        return body.to_string();
+    }
+    let mut result = body.to_string();
+    for (old, new) in pairs {
+        // Match `>>{old}` only when NOT immediately followed by another digit,
+        // so we don't turn `>>1000` into `>>new_id_for_1000` when processing
+        // the `>>100` entry first.
+        //
+        // Implementation: scan for every occurrence of `>>{old}` in the string
+        // and check the next character.  Replace left-to-right using byte indices
+        // to avoid re-scanning already-replaced sections.
+        let needle = format!(">>{old}");
+        let mut out = String::with_capacity(result.len());
+        let mut pos = 0;
+        let bytes = result.as_bytes();
+        while pos < bytes.len() {
+            match result[pos..].find(&needle) {
+                None => {
+                    out.push_str(&result[pos..]);
+                    break;
+                }
+                Some(rel) => {
+                    let abs = pos + rel;
+                    let after = abs + needle.len();
+                    // Only replace when the char after the match is not a digit.
+                    let next_is_digit = bytes.get(after).is_some_and(u8::is_ascii_digit);
+                    out.push_str(&result[pos..abs]);
+                    if next_is_digit {
+                        // Not the right match — keep the original text.
+                        out.push_str(&needle);
+                    } else {
+                        out.push_str(">>");
+                        out.push_str(new);
+                    }
+                    pos = after;
+                }
+            }
+        }
+        result = out;
+    }
+    result
+}
+
+/// Rewrite in-board quotelink IDs in pre-rendered `body_html`.
+///
+/// Targets two patterns that are exclusive to same-board quotelinks:
+///   • `href="#p{old}"` — the anchor href
+///   • `data-pid="{old}">&gt;&gt;{old}</a>` — the data attribute + display text
+///
+/// Cross-board links use `href="/board/post/{N}"` and display `&gt;&gt;&gt;/…`
+/// so neither pattern matches them.
+///
+/// `pairs` must be pre-sorted by old-ID string length descending.
+fn remap_body_html_quotelinks(body_html: &str, pairs: &[(String, String)]) -> String {
+    if pairs.is_empty() {
+        return body_html.to_string();
+    }
+    let mut result = body_html.to_string();
+    for (old, new) in pairs {
+        // Pattern 1: href="#p{old}" → href="#p{new}"
+        let old_href = format!("href=\"#p{old}\"");
+        let new_href = format!("href=\"#p{new}\"");
+        result = result.replace(&old_href, &new_href);
+
+        // Pattern 2: data-pid="{old}">&gt;&gt;{old}</a>
+        // This uniquely identifies in-board quotelinks: cross-board links have
+        // "&gt;&gt;&gt;/" as their display text, never bare "&gt;&gt;{N}".
+        let old_tail = format!("data-pid=\"{old}\">&gt;&gt;{old}</a>");
+        let new_tail = format!("data-pid=\"{new}\">&gt;&gt;{new}</a>");
+        result = result.replace(&old_tail, &new_tail);
+    }
+    result
+}
+
+const ZIP_ENTRY_MAX_BYTES: u64 = 16 * 1024 * 1024 * 1024;
+
+/// Like `std::io::copy` but returns `InvalidData` if more than `max_bytes`
+/// would be written.  Reads in 64 KiB chunks; aborts as soon as the limit
+/// is exceeded so disk space is not wasted.
+#[allow(clippy::arithmetic_side_effects)]
+fn copy_limited<R: std::io::Read, W: std::io::Write>(
+    reader: &mut R,
+    writer: &mut W,
+    max_bytes: u64,
+) -> std::io::Result<u64> {
+    let mut buf = vec![0u8; 65536];
+    let mut total: u64 = 0;
+    loop {
+        let n = reader.read(&mut buf)?;
+        if n == 0 {
+            break;
+        }
+        total += n as u64;
+        if total > max_bytes {
+            return Err(std::io::Error::new(
+                std::io::ErrorKind::InvalidData,
+                format!(
+                    "Decompressed entry exceeds {} MiB limit — possible zip bomb",
+                    max_bytes / 1024 / 1024
+                ),
+            ));
+        }
+        if let Some(slice) = buf.get(..n) {
+            writer.write_all(slice)?;
+        }
+    }
+    Ok(total)
+}
+
+// ─── Internal helpers ─────────────────────────────────────────────────────────
+
+/// Check CSRF using the cookie jar. Returns error on mismatch.
+/// Verify admin session and also return the admin's username.
+/// For use inside `spawn_blocking` closures.
+fn db_dir() -> PathBuf {
+    PathBuf::from(&CONFIG.database_path)
+        .parent()
+        .map_or_else(|| PathBuf::from("."), std::path::Path::to_path_buf)
+}
+
+/// rustchan-data/full-backups/
+pub fn full_backup_dir() -> PathBuf {
+    db_dir().join("full-backups")
+}
+
+/// rustchan-data/board-backups/
+pub fn board_backup_dir() -> PathBuf {
+    db_dir().join("board-backups")
+}
+
+/// List `.zip` files in `dir`, newest-filename-first.
+pub fn list_backup_files(dir: &std::path::Path) -> Vec<BackupInfo> {
+    let mut files = Vec::new();
+    if let Ok(entries) = std::fs::read_dir(dir) {
+        for entry in entries.flatten() {
+            let path = entry.path();
+            if path.extension().and_then(|e| e.to_str()) != Some("zip") {
+                continue;
+            }
+            if let (Some(name), Ok(meta)) = (
+                path.file_name()
+                    .and_then(|n| n.to_str())
+                    .map(ToString::to_string),
+                std::fs::metadata(&path),
+            ) {
+                let modified = meta
+                    .modified()
+                    .ok()
+                    .and_then(|t| t.duration_since(std::time::UNIX_EPOCH).ok())
+                    .map(|d| {
+                        let secs = d.as_secs().cast_signed();
+                        #[allow(deprecated)]
+                        chrono::DateTime::<Utc>::from_timestamp(secs, 0)
+                            .map(|dt| dt.format("%Y-%m-%d %H:%M UTC").to_string())
+                            .unwrap_or_default()
+                    })
+                    .unwrap_or_default();
+                files.push(BackupInfo {
+                    filename: name,
+                    size_bytes: meta.len(),
+                    modified,
+                });
+            }
+        }
+    }
+    // Sort newest first (filename encodes timestamp for full/board backups).
+    files.sort_by(|a, b| b.filename.cmp(&a.filename));
+    files
+}
+
+// ─── POST /admin/backup/create ────────────────────────────────────────────────
+
+/// Create a full backup and save it to rustchan-data/full-backups/.
+///
+/// MEM-FIX: The zip is written directly to the final destination file via a
+/// `BufWriter`, so peak RAM usage is O(compression-buffer) not O(zip-size).
+/// A `.tmp` suffix is used during writing; the file is renamed on success so
+/// the backup list never shows a partial/corrupt zip.
+#[allow(clippy::arithmetic_side_effects)]
+pub async fn create_full_backup(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    Form(form): Form<super::CsrfOnly>,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    super::check_csrf_jar(&jar, form.csrf.as_deref())?;
+
+    let upload_dir = CONFIG.upload_dir.clone();
+    let progress = state.backup_progress.clone();
+
+    tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<()> {
+            let conn = pool.get()?;
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+
+            progress.reset(crate::middleware::backup_phase::SNAPSHOT_DB);
+
+            // FIX[CRIT-3]: Replace VACUUM INTO with rusqlite's backup API.
+            // VACUUM INTO uses format-string SQL which is fragile (backslashes,
+            // newlines in temp paths). Backup::new(src, dst) copies the live DB
+            // safely with no SQL string construction.
+            let temp_dir = std::env::temp_dir();
+            let tmp_id = uuid::Uuid::new_v4().simple().to_string();
+            let temp_db = temp_dir.join(format!("chan_backup_{tmp_id}.db"));
+
+            // RAII guard: temp_db is always removed on drop, even on early return.
+            let _temp_db_guard = TempFileGuard(temp_db.clone());
+
+            {
+                let mut dst = rusqlite::Connection::open(&temp_db)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Open temp DB: {e}")))?;
+                let bk = Backup::new(&conn, &mut dst)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup init: {e}")))?;
+                bk.run_to_completion(100, std::time::Duration::from_millis(0), None)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup copy: {e}")))?;
+            }
+            drop(conn);
+
+            // Count files for progress bar before compressing.
+            progress.reset(crate::middleware::backup_phase::COUNT_FILES);
+            let uploads_base = std::path::Path::new(&upload_dir);
+            let file_count = count_files_in_dir(uploads_base);
+            progress
+                .files_total
+                .store(file_count.saturating_add(1), Ordering::Relaxed);
+
+            // MEM-FIX: write zip directly to a .tmp file on disk, not a Vec<u8>.
+            let backup_dir = full_backup_dir();
+            std::fs::create_dir_all(&backup_dir)
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("Create full-backups dir: {e}")))?;
+            let ts = Utc::now().format("%Y%m%d_%H%M%S");
+            let fname = format!("rustchan-backup-{ts}.zip");
+            let final_path = backup_dir.join(&fname);
+            let tmp_path = backup_dir.join(format!("{fname}.tmp"));
+
+            {
+                let out_file = std::io::BufWriter::new(
+                    std::fs::File::create(&tmp_path)
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Create zip tmp: {e}")))?,
+                );
+                let mut zip = zip::ZipWriter::new(out_file);
+                let opts = zip::write::SimpleFileOptions::default()
+                    .compression_method(zip::CompressionMethod::Deflated);
+
+                progress.reset(crate::middleware::backup_phase::COMPRESS);
+                progress
+                    .files_total
+                    .store(file_count.saturating_add(1), Ordering::Relaxed);
+
+                // ── Database snapshot (streamed, not read into RAM) ────────
+                zip.start_file("chan.db", opts)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip DB: {e}")))?;
+                let mut db_src = std::fs::File::open(&temp_db)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Open DB snapshot: {e}")))?;
+                let copied = std::io::copy(&mut db_src, &mut zip)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Stream DB to zip: {e}")))?;
+                drop(db_src);
+                let _ = std::fs::remove_file(&temp_db);
+                progress.files_done.fetch_add(1, Ordering::Relaxed);
+                progress.bytes_done.fetch_add(copied, Ordering::Relaxed);
+
+                // ── Upload files (streamed via io::copy) ───────────────────
+                if uploads_base.exists() {
+                    add_dir_to_zip(&mut zip, uploads_base, uploads_base, opts, &progress)?;
+                }
+
+                let writer = zip
+                    .finish()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Finalise zip: {e}")))?;
+                // Flush the BufWriter so the OS buffer is committed to disk.
+                writer
+                    .into_inner()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Flush zip writer: {e}")))?
+                    .sync_all()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Sync zip file: {e}")))?;
+            }
+
+            // Atomic rename: only becomes visible in the list when complete.
+            std::fs::rename(&tmp_path, &final_path).map_err(|e| {
+                let _ = std::fs::remove_file(&tmp_path);
+                AppError::Internal(anyhow::anyhow!("Rename backup: {e}"))
+            })?;
+
+            let size = std::fs::metadata(&final_path).map(|m| m.len()).unwrap_or(0);
+            tracing::info!(target: "admin", filename = %fname, bytes = size, "Full backup created");
+            progress
+                .phase
+                .store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
+            Ok(())
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    Ok(Redirect::to("/admin/panel?backup_created=1").into_response())
+}
+
+// ─── POST /admin/board/backup/create ─────────────────────────────────────────
+
+#[derive(Deserialize)]
+pub struct BoardBackupCreateForm {
+    board_short: String,
+    #[serde(rename = "_csrf")]
+    csrf: Option<String>,
+}
+
+/// Create a board backup and save it to rustchan-data/board-backups/.
+#[allow(clippy::too_many_lines)]
+pub async fn create_board_backup(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    Form(form): Form<BoardBackupCreateForm>,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    super::check_csrf_jar(&jar, form.csrf.as_deref())?;
+
+    let board_short = form
+        .board_short
+        .chars()
+        .filter(char::is_ascii_alphanumeric)
+        .take(8)
+        .collect::<String>();
+    if board_short.is_empty() {
+        return Err(AppError::BadRequest("Invalid board name.".into()));
+    }
+
+    let upload_dir = CONFIG.upload_dir.clone();
+    let progress = state.backup_progress.clone();
+
+    tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<()> {
+    use board_backup_types::{BoardRow, ThreadRow, PostRow, PollRow, PollOptionRow, PollVoteRow, FileHashRow, BoardBackupManifest};
+
+            let conn = pool.get()?;
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+            progress.reset(crate::middleware::backup_phase::SNAPSHOT_DB);
+            let board: BoardRow = conn
+                .query_row(
+                    "SELECT id, short_name, name, description, nsfw, max_threads, bump_limit,
+                             allow_images, allow_video, allow_audio, allow_tripcodes, edit_window_secs,
+                             allow_editing, allow_archive, allow_video_embeds, allow_captcha,
+                             post_cooldown_secs, created_at
+                      FROM boards WHERE short_name = ?1",
+                    params![board_short],
+                    |r| {
+                        Ok(BoardRow {
+                            id: r.get(0)?,
+                            short_name: r.get(1)?,
+                            name: r.get(2)?,
+                            description: r.get(3)?,
+                            nsfw: r.get::<_, i64>(4)? != 0,
+                            max_threads: r.get(5)?,
+                            bump_limit: r.get(6)?,
+                            allow_images: r.get::<_, i64>(7)? != 0,
+                            allow_video: r.get::<_, i64>(8)? != 0,
+                            allow_audio: r.get::<_, i64>(9)? != 0,
+                            allow_tripcodes: r.get::<_, i64>(10)? != 0,
+                            edit_window_secs: r.get(11)?,
+                            allow_editing: r.get::<_, i64>(12)? != 0,
+                            allow_archive: r.get::<_, i64>(13)? != 0,
+                            allow_video_embeds: r.get::<_, i64>(14)? != 0,
+                            allow_captcha: r.get::<_, i64>(15)? != 0,
+                            post_cooldown_secs: r.get(16)?,
+                            created_at: r.get(17)?,
+                        })
+                    },
+                )
+                .map_err(|_| AppError::NotFound(format!("Board '{board_short}' not found")))?;
+
+            let board_id = board.id;
+
+            let threads: Vec<ThreadRow> = {
+                let mut s = conn
+                    .prepare(
+                        "SELECT id, board_id, subject, created_at, bumped_at, locked, sticky, reply_count
+                         FROM threads WHERE board_id = ?1 ORDER BY id ASC",
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s
+                    .query_map(params![board_id], |r| {
+                        Ok(ThreadRow {
+                            id: r.get(0)?,
+                            board_id: r.get(1)?,
+                            subject: r.get(2)?,
+                            created_at: r.get(3)?,
+                            bumped_at: r.get(4)?,
+                            locked: r.get::<_, i64>(5)? != 0,
+                            sticky: r.get::<_, i64>(6)? != 0,
+                            reply_count: r.get(7)?,
+                        })
+                    })
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                    .collect::<std::result::Result<Vec<_>, _>>()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                rows
+            };
+
+            let posts: Vec<PostRow> = {
+                let mut s = conn
+                    .prepare(
+                        "SELECT id, thread_id, board_id, name, tripcode, subject, body, body_html,
+                                ip_hash, file_path, file_name, file_size, thumb_path, mime_type,
+                                media_type, created_at, deletion_token, is_op
+                         FROM posts WHERE board_id = ?1 ORDER BY id ASC",
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s
+                    .query_map(params![board_id], |r| {
+                        Ok(PostRow {
+                            id: r.get(0)?,
+                            thread_id: r.get(1)?,
+                            board_id: r.get(2)?,
+                            name: r.get(3)?,
+                            tripcode: r.get(4)?,
+                            subject: r.get(5)?,
+                            body: r.get(6)?,
+                            body_html: r.get(7)?,
+                            ip_hash: r.get(8)?,
+                            file_path: r.get(9)?,
+                            file_name: r.get(10)?,
+                            file_size: r.get(11)?,
+                            thumb_path: r.get(12)?,
+                            mime_type: r.get(13)?,
+                            media_type: r.get(14)?,
+                            created_at: r.get(15)?,
+                            deletion_token: r.get(16)?,
+                            is_op: r.get::<_, i64>(17)? != 0,
+                        })
+                    })
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                    .collect::<std::result::Result<Vec<_>, _>>()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                rows
+            };
+
+            let polls: Vec<PollRow> = {
+                let mut s = conn
+                    .prepare(
+                        "SELECT p.id, p.thread_id, p.question, p.expires_at, p.created_at
+                         FROM polls p JOIN threads t ON t.id = p.thread_id
+                         WHERE t.board_id = ?1 ORDER BY p.id ASC",
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s
+                    .query_map(params![board_id], |r| {
+                        Ok(PollRow {
+                            id: r.get(0)?,
+                            thread_id: r.get(1)?,
+                            question: r.get(2)?,
+                            expires_at: r.get(3)?,
+                            created_at: r.get(4)?,
+                        })
+                    })
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                    .collect::<std::result::Result<Vec<_>, _>>()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                rows
+            };
+
+            let poll_options: Vec<PollOptionRow> = {
+                let mut s = conn
+                    .prepare(
+                        "SELECT po.id, po.poll_id, po.text, po.position
+                         FROM poll_options po
+                         JOIN polls p ON p.id = po.poll_id
+                         JOIN threads t ON t.id = p.thread_id
+                         WHERE t.board_id = ?1 ORDER BY po.id ASC",
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s
+                    .query_map(params![board_id], |r| {
+                        Ok(PollOptionRow {
+                            id: r.get(0)?,
+                            poll_id: r.get(1)?,
+                            text: r.get(2)?,
+                            position: r.get(3)?,
+                        })
+                    })
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                    .collect::<std::result::Result<Vec<_>, _>>()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                rows
+            };
+
+            let poll_votes: Vec<PollVoteRow> = {
+                let mut s = conn
+                    .prepare(
+                        "SELECT pv.id, pv.poll_id, pv.option_id, pv.ip_hash
+                         FROM poll_votes pv
+                         JOIN polls p ON p.id = pv.poll_id
+                         JOIN threads t ON t.id = p.thread_id
+                         WHERE t.board_id = ?1 ORDER BY pv.id ASC",
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s
+                    .query_map(params![board_id], |r| {
+                        Ok(PollVoteRow {
+                            id: r.get(0)?,
+                            poll_id: r.get(1)?,
+                            option_id: r.get(2)?,
+                            ip_hash: r.get(3)?,
+                        })
+                    })
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                    .collect::<std::result::Result<Vec<_>, _>>()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                rows
+            };
+
+            let file_hashes: Vec<FileHashRow> = {
+                let mut s = conn
+                    .prepare(
+                        "SELECT DISTINCT fh.sha256, fh.file_path, fh.thumb_path, fh.mime_type, fh.created_at
+                         FROM file_hashes fh
+                         JOIN posts po ON po.file_path = fh.file_path
+                         WHERE po.board_id = ?1 ORDER BY fh.created_at ASC",
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s
+                    .query_map(params![board_id], |r| {
+                        Ok(FileHashRow {
+                            sha256: r.get(0)?,
+                            file_path: r.get(1)?,
+                            thumb_path: r.get(2)?,
+                            mime_type: r.get(3)?,
+                            created_at: r.get(4)?,
+                        })
+                    })
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                    .collect::<std::result::Result<Vec<_>, _>>()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                rows
+            };
+
+            let manifest = BoardBackupManifest {
+                version: 1,
+                board,
+                threads,
+                posts,
+                polls,
+                poll_options,
+                poll_votes,
+                file_hashes,
+            };
+            let manifest_json = serde_json::to_vec_pretty(&manifest)
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("JSON: {e}")))?;
+
+            // MEM-FIX: write zip directly to a .tmp file on disk, not a Vec<u8>.
+            let backup_dir = board_backup_dir();
+            std::fs::create_dir_all(&backup_dir).map_err(|e| {
+                AppError::Internal(anyhow::anyhow!("Create board-backups dir: {e}"))
+            })?;
+            let ts = Utc::now().format("%Y%m%d_%H%M%S");
+            let fname = format!("rustchan-board-{board_short}-{ts}.zip");
+            let final_path = backup_dir.join(&fname);
+            let tmp_path = backup_dir.join(format!("{fname}.tmp"));
+
+            let uploads_base = std::path::Path::new(&upload_dir);
+            let board_upload_path = uploads_base.join(&board_short);
+            let file_count = count_files_in_dir(&board_upload_path);
+            progress.reset(crate::middleware::backup_phase::COMPRESS);
+            // +1 for board.json manifest
+            progress.files_total.store(file_count.saturating_add(1), Ordering::Relaxed);
+
+            {
+                let out_file = std::io::BufWriter::new(
+                    std::fs::File::create(&tmp_path).map_err(|e| {
+                        AppError::Internal(anyhow::anyhow!("Create zip tmp: {e}"))
+                    })?,
+                );
+                let mut zip = zip::ZipWriter::new(out_file);
+                let opts = zip::write::SimpleFileOptions::default()
+                    .compression_method(zip::CompressionMethod::Deflated);
+
+                zip.start_file("board.json", opts)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip manifest: {e}")))?;
+                zip.write_all(&manifest_json)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Write manifest: {e}")))?;
+                progress.files_done.fetch_add(1, Ordering::Relaxed);
+                progress.bytes_done.fetch_add(manifest_json.len() as u64, Ordering::Relaxed);
+
+                if board_upload_path.exists() {
+                    add_dir_to_zip(&mut zip, uploads_base, &board_upload_path, opts, &progress)?;
+                }
+
+                let writer = zip
+                    .finish()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Finalise zip: {e}")))?;
+                writer
+                    .into_inner()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Flush zip writer: {e}")))?
+                    .sync_all()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Sync zip file: {e}")))?;
+            }
+
+            std::fs::rename(&tmp_path, &final_path).map_err(|e| {
+                let _ = std::fs::remove_file(&tmp_path);
+                AppError::Internal(anyhow::anyhow!("Rename board backup: {e}"))
+            })?;
+
+            let size = std::fs::metadata(&final_path).map(|m| m.len()).unwrap_or(0);
+            tracing::info!(target: "admin", filename = %fname, bytes = size, "Board backup created");
+            progress.phase.store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
+            Ok(())
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    Ok(Redirect::to("/admin/panel?backup_created=1").into_response())
+}
+
+// ─── GET /admin/backup/download/{kind}/{filename} ────────────────────────────
+
+/// Download a saved backup file.  `kind` must be "full" or "board".
+///
+/// MEM-FIX (original bug): The old implementation used `tokio::fs::read()`
+/// which loaded the entire file into a Vec<u8> before beginning the HTTP
+/// response.  For a 5 GiB backup on a slow connection that means 5 GiB of
+/// heap held for the entire download duration.
+///
+/// The fix: open a `tokio::fs::File` and wrap it in a `ReaderStream` so Axum
+/// sends the data in 64 KiB chunks pulled directly from the OS page cache.
+/// Peak heap = one 64 KiB chunk; the rest stays on disk.
+pub async fn download_backup(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    axum::extract::Path((kind, filename)): axum::extract::Path<(String, String)>,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+
+    // Auth check.
+    tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<()> {
+            let conn = pool.get()?;
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+            Ok(())
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    // Validate filename — only allow safe characters to prevent path traversal.
+    let safe_filename: String = filename
+        .chars()
+        .filter(|c| c.is_ascii_alphanumeric() || *c == '-' || *c == '_' || *c == '.')
+        .collect();
+    if safe_filename != filename || safe_filename.contains("..") {
+        return Err(AppError::BadRequest("Invalid filename.".into()));
+    }
+    if !std::path::Path::new(&safe_filename)
+        .extension()
+        .is_some_and(|e: &std::ffi::OsStr| e.eq_ignore_ascii_case("zip"))
+    {
+        return Err(AppError::BadRequest(
+            "Only .zip files can be downloaded.".into(),
+        ));
+    }
+
+    let backup_dir = match kind.as_str() {
+        "full" => full_backup_dir(),
+        "board" => board_backup_dir(),
+        _ => return Err(AppError::BadRequest("Unknown backup kind.".into())),
+    };
+
+    let path = backup_dir.join(&safe_filename);
+
+    // Get file size for Content-Length (so the browser shows a progress bar).
+    let file_size = tokio::fs::metadata(&path)
+        .await
+        .map_err(|_| AppError::NotFound("Backup file not found.".into()))?
+        .len();
+
+    // MEM-FIX: stream the file in 64 KiB chunks instead of loading it all.
+    let file = tokio::fs::File::open(&path)
+        .await
+        .map_err(|_| AppError::NotFound("Backup file not found.".into()))?;
+    let stream = ReaderStream::new(file);
+    let body = axum::body::Body::from_stream(stream);
+
+    let disposition = format!("attachment; filename=\"{safe_filename}\"");
+    Ok((
+        [
+            (header::CONTENT_TYPE, "application/zip".to_string()),
+            (header::CONTENT_DISPOSITION, disposition),
+            (header::CONTENT_LENGTH, file_size.to_string()),
+        ],
+        body,
+    )
+        .into_response())
+}
+
+// ─── GET /admin/backup/progress ──────────────────────────────────────────────
+
+/// Return current backup progress as JSON.  Polled by the admin panel JS.
+///
+/// Response: { phase: u64, `files_done`: u64, `files_total`: u64,
+///              `bytes_done`: u64, `bytes_total`: u64 }
+///
+/// phase codes: `0=idle`, `1=snapshot_db`, `2=count_files`, `3=compress`, `4=save`, `5=done`
+///
+/// Auth is required to prevent any guest from watching backup progress.
+pub async fn backup_progress_json(
+    State(state): State<AppState>,
+    jar: CookieJar,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<()> {
+            let conn = pool.get()?;
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+            Ok(())
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    let p = &state.backup_progress;
+    let json = format!(
+        r#"{{"phase":{},"files_done":{},"files_total":{},"bytes_done":{},"bytes_total":{}}}"#,
+        p.phase.load(Ordering::Relaxed),
+        p.files_done.load(Ordering::Relaxed),
+        p.files_total.load(Ordering::Relaxed),
+        p.bytes_done.load(Ordering::Relaxed),
+        p.bytes_total.load(Ordering::Relaxed),
+    );
+
+    Ok((
+        [(header::CONTENT_TYPE, "application/json".to_string())],
+        json,
+    )
+        .into_response())
+}
+
+// ─── POST /admin/backup/delete ────────────────────────────────────────────────
+
+#[derive(Deserialize)]
+pub struct DeleteBackupForm {
+    kind: String, // "full" or "board"
+    filename: String,
+    #[serde(rename = "_csrf")]
+    csrf: Option<String>,
+}
+
+/// Delete a saved backup file from disk.
+pub async fn delete_backup(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    Form(form): Form<DeleteBackupForm>,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    super::check_csrf_jar(&jar, form.csrf.as_deref())?;
+
+    // Validate filename.
+    let safe_filename: String = form
+        .filename
+        .chars()
+        .filter(|c| c.is_ascii_alphanumeric() || *c == '-' || *c == '_' || *c == '.')
+        .collect();
+    if safe_filename != form.filename || safe_filename.contains("..") {
+        return Err(AppError::BadRequest("Invalid filename.".into()));
+    }
+    if !std::path::Path::new(&safe_filename)
+        .extension()
+        .is_some_and(|e: &std::ffi::OsStr| e.eq_ignore_ascii_case("zip"))
+    {
+        return Err(AppError::BadRequest(
+            "Only .zip files can be deleted.".into(),
+        ));
+    }
+
+    let backup_dir = match form.kind.as_str() {
+        "full" => full_backup_dir(),
+        "board" => board_backup_dir(),
+        _ => return Err(AppError::BadRequest("Unknown backup kind.".into())),
+    };
+
+    tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<()> {
+            let conn = pool.get()?;
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+
+            let path = backup_dir.join(&safe_filename);
+            if path.exists() {
+                std::fs::remove_file(&path)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Delete backup: {e}")))?;
+                tracing::info!(target: "admin", filename = %safe_filename, "Backup file deleted");
+            }
+            Ok(())
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    Ok(Redirect::to("/admin/panel?backup_deleted=1").into_response())
+}
+
+// ─── POST /admin/backup/restore-saved ────────────────────────────────────────
+
+#[derive(Deserialize)]
+pub struct RestoreSavedForm {
+    filename: String,
+    #[serde(rename = "_csrf")]
+    csrf: Option<String>,
+}
+
+/// Restore a full backup from a saved file in full-backups/.
+#[allow(clippy::too_many_lines)]
+#[allow(clippy::arithmetic_side_effects)]
+pub async fn restore_saved_full_backup(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    Form(form): Form<RestoreSavedForm>,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    super::check_csrf_jar(&jar, form.csrf.as_deref())?;
+
+    let safe_filename: String = form
+        .filename
+        .chars()
+        .filter(|c| c.is_ascii_alphanumeric() || *c == '-' || *c == '_' || *c == '.')
+        .collect();
+    if safe_filename != form.filename
+        || safe_filename.contains("..")
+        || !std::path::Path::new(&safe_filename)
+            .extension()
+            .is_some_and(|e: &std::ffi::OsStr| e.eq_ignore_ascii_case("zip"))
+    {
+        return Err(AppError::BadRequest("Invalid filename.".into()));
+    }
+
+    let path = full_backup_dir().join(&safe_filename);
+    // FIX[A3]: Do NOT read the file in the async context before auth is verified.
+    // std::fs::read() blocks the Tokio runtime and an unauthenticated caller could
+    // force the server to read gigabytes off disk before being rejected.  The read
+    // is deferred into spawn_blocking where it runs only after the session check.
+    let upload_dir = CONFIG.upload_dir.clone();
+
+    let fresh_sid: String = tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<String> {
+            let mut live_conn = pool.get()?;
+            // Auth check first — only read the (potentially huge) file if valid.
+            let admin_id = super::require_admin_session_sid(&live_conn, session_id.as_deref())?;
+
+            // MEM-FIX: open the zip as a seekable BufReader<File> instead of
+            // reading the whole file into a Vec<u8>.  The FIX[A3] comment above
+            // correctly deferred the read to after auth, but std::fs::read still
+            // loaded the entire zip into heap.  A 5 GiB backup would exhaust RAM.
+            let zip_file = std::fs::File::open(&path)
+                .map_err(|_| AppError::NotFound("Backup file not found.".into()))?;
+            let mut archive = zip::ZipArchive::new(std::io::BufReader::new(zip_file))
+                .map_err(|e| AppError::BadRequest(format!("Invalid zip: {e}")))?;
+
+            let has_db = archive.file_names().any(|n| n == "chan.db");
+            if !has_db {
+                return Err(AppError::BadRequest(
+                    "Invalid backup: zip must contain 'chan.db' at the root.".into(),
+                ));
+            }
+
+            let temp_dir = std::env::temp_dir();
+            let tmp_id = uuid::Uuid::new_v4().simple().to_string();
+            let temp_db = temp_dir.join(format!("chan_restore_{tmp_id}.db"));
+            let mut db_extracted = false;
+
+            for i in 0..archive.len() {
+                let mut entry = archive
+                    .by_index(i)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip[{i}]: {e}")))?;
+                let name = entry.name().to_string();
+                if name.contains("..") || name.starts_with('/') || name.starts_with('\\') {
+                    warn!("Restore-saved: skipping suspicious entry '{name}'");
+                    continue;
+                }
+                if name == "chan.db" {
+                    let mut out = std::fs::File::create(&temp_db)
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Create temp DB: {e}")))?;
+                    copy_limited(&mut entry, &mut out, ZIP_ENTRY_MAX_BYTES)
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Write temp DB: {e}")))?;
+
+                    // FIX[#19]: Validate SQLite magic bytes (same guard as admin_restore).
+                    let mut header = [0u8; 16];
+                    {
+                        use std::io::Read;
+                        let mut f = std::fs::File::open(&temp_db).map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Magic check open: {e}"))
+                        })?;
+                        if f.read_exact(&mut header).is_err() {
+                            let _ = std::fs::remove_file(&temp_db);
+                            return Err(AppError::BadRequest(
+                                "Uploaded chan.db is not a valid SQLite database (file too small)."
+                                    .into(),
+                            ));
+                        }
+                    }
+                    if &header != SQLITE_HEADER {
+                        let _ = std::fs::remove_file(&temp_db);
+                        return Err(AppError::BadRequest(
+                            "Uploaded chan.db is not a valid SQLite database (invalid magic bytes)."
+                                .into(),
+                        ));
+                    }
+
+                    db_extracted = true;
+                } else if let Some(rel) = name.strip_prefix("uploads/") {
+                    if rel.is_empty() {
+                        continue;
+                    }
+                    let target = PathBuf::from(&upload_dir).join(rel);
+                    if entry.is_dir() {
+                        std::fs::create_dir_all(&target)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("mkdir: {e}")))?;
+                    } else {
+                        if let Some(parent) = target.parent() {
+                            std::fs::create_dir_all(parent).map_err(|e| {
+                                AppError::Internal(anyhow::anyhow!("mkdir parent: {e}"))
+                            })?;
+                        }
+                        let mut out = std::fs::File::create(&target).map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!(
+                                "Create {}: {}",
+                                target.display(),
+                                e
+                            ))
+                        })?;
+                        copy_limited(&mut entry, &mut out, ZIP_ENTRY_MAX_BYTES).map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Write {}: {}", target.display(), e))
+                        })?;
+                    }
+                }
+            }
+            drop(archive);
+
+            if !db_extracted {
+                return Err(AppError::Internal(anyhow::anyhow!("chan.db not extracted")));
+            }
+
+            let backup_result = (|| -> Result<()> {
+                let src = rusqlite::Connection::open(&temp_db)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Open source: {e}")))?;
+                let backup = Backup::new(&src, &mut live_conn)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup init: {e}")))?;
+                backup
+                    .run_to_completion(100, std::time::Duration::from_millis(0), None)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Backup copy: {e}")))?;
+                Ok(())
+            })();
+            let _ = std::fs::remove_file(&temp_db);
+            backup_result?;
+
+            let fresh_sid = new_session_id();
+            let expires_at = Utc::now().timestamp() + CONFIG.session_duration;
+            match db::create_session(&live_conn, &fresh_sid, admin_id, expires_at) {
+                Ok(()) => {
+                    tracing::info!(target: "admin", admin_id = admin_id, "Restore-saved completed");
+                    Ok(fresh_sid)
+                }
+                Err(e) => {
+                    warn!("Restore-saved: could not create session: {e}");
+                    Ok(String::new())
+                }
+            }
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    if fresh_sid.is_empty() {
+        let jar = jar.remove(Cookie::from(super::SESSION_COOKIE));
+        return Ok((jar, Redirect::to("/admin")).into_response());
+    }
+
+    let mut new_cookie = Cookie::new(super::SESSION_COOKIE, fresh_sid);
+    new_cookie.set_http_only(true);
+    new_cookie.set_same_site(SameSite::Strict);
+    new_cookie.set_path("/");
+    new_cookie.set_secure(CONFIG.https_cookies);
+    // FIX[A5]: Set Max-Age to match normal login behaviour.
+    new_cookie.set_max_age(time::Duration::seconds(CONFIG.session_duration));
+    Ok((jar.add(new_cookie), Redirect::to("/admin/panel?restored=1")).into_response())
+}
+
+// ─── POST /admin/board/backup/restore-saved ───────────────────────────────────
+
+/// Restore a board backup from a saved file in board-backups/.
+#[allow(clippy::too_many_lines)]
+#[allow(clippy::arithmetic_side_effects)]
+pub async fn restore_saved_board_backup(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    Form(form): Form<RestoreSavedForm>,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    super::check_csrf_jar(&jar, form.csrf.as_deref())?;
+
+    let safe_filename: String = form
+        .filename
+        .chars()
+        .filter(|c| c.is_ascii_alphanumeric() || *c == '-' || *c == '_' || *c == '.')
+        .collect();
+    if safe_filename != form.filename
+        || safe_filename.contains("..")
+        || !std::path::Path::new(&safe_filename)
+            .extension()
+            .is_some_and(|e: &std::ffi::OsStr| e.eq_ignore_ascii_case("zip"))
+    {
+        return Err(AppError::BadRequest("Invalid filename.".into()));
+    }
+
+    let path = board_backup_dir().join(&safe_filename);
+    // FIX[A4]: Defer the blocking file read until after auth is verified inside
+    // spawn_blocking — mirrors the fix applied to restore_saved_full_backup (A3).
+    let upload_dir = CONFIG.upload_dir.clone();
+
+    let board_short_result: Result<Result<String>> = tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<String> {
+    use board_backup_types::BoardBackupManifest;
+                        use std::collections::HashMap;
+
+            let conn = pool.get()?;
+            // Auth check first — only read the file if the session is valid.
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+
+            // MEM-FIX: open the zip as BufReader<File> instead of loading the
+            // entire file into a Vec<u8>.  Board backups can be hundreds of MB.
+            let zip_file = std::fs::File::open(&path)
+                .map_err(|_| AppError::NotFound("Backup file not found.".into()))?;
+            let mut archive = zip::ZipArchive::new(std::io::BufReader::new(zip_file))
+                .map_err(|e| AppError::BadRequest(format!("Invalid zip: {e}")))?;
+
+            if !archive.file_names().any(|n| n == "board.json") {
+                return Err(AppError::BadRequest(
+                    "Invalid board backup: zip must contain 'board.json'.".into(),
+                ));
+            }
+
+            let manifest: BoardBackupManifest = {
+                let mut entry = archive
+                    .by_name("board.json")
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Read board.json: {e}")))?;
+                let mut buf = Vec::new();
+                std::io::Read::read_to_end(&mut entry, &mut buf)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Read bytes: {e}")))?;
+                serde_json::from_slice(&buf)
+                    .map_err(|e| AppError::BadRequest(format!("Invalid board.json: {e}")))?
+            };
+
+            let board_short = manifest.board.short_name.clone();
+
+            let existing_id: Option<i64> = conn
+                .query_row(
+                    "SELECT id FROM boards WHERE short_name = ?1",
+                    params![board_short],
+                    |r| r.get(0),
+                )
+                .ok();
+
+            // FIX[A6]: BEGIN IMMEDIATE must cover the DELETE + UPDATE/INSERT of the
+            // board row as well as the thread/post/poll inserts.  Previously those
+            // DDL statements ran outside any transaction, so a crash between the
+            // DELETE and the first INSERT left the board with zero threads and no way
+            // to recover without manual intervention.
+            conn.execute("BEGIN IMMEDIATE", [])
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("Begin tx: {e}")))?;
+
+            let restore_result = (|| -> Result<()> {
+                let live_board_id: i64 = if let Some(eid) = existing_id {
+                    conn.execute("DELETE FROM threads WHERE board_id = ?1", params![eid])
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Clear threads: {e}")))?;
+                    conn.execute(
+                        "UPDATE boards SET name=?1, description=?2, nsfw=?3,
+                         max_threads=?4, bump_limit=?5,
+                         allow_images=?6, allow_video=?7, allow_audio=?8, allow_tripcodes=?9,
+                         edit_window_secs=?10, allow_editing=?11, allow_archive=?12,
+                         allow_video_embeds=?13, allow_captcha=?14, post_cooldown_secs=?15
+                         WHERE id=?16",
+                        params![
+                            manifest.board.name,
+                            manifest.board.description,
+                            i64::from(manifest.board.nsfw),
+                            manifest.board.max_threads,
+                            manifest.board.bump_limit,
+                            i64::from(manifest.board.allow_images),
+                            i64::from(manifest.board.allow_video),
+                            i64::from(manifest.board.allow_audio),
+                            i64::from(manifest.board.allow_tripcodes),
+                            manifest.board.edit_window_secs,
+                            i64::from(manifest.board.allow_editing),
+                            i64::from(manifest.board.allow_archive),
+                            i64::from(manifest.board.allow_video_embeds),
+                            i64::from(manifest.board.allow_captcha),
+                            manifest.board.post_cooldown_secs,
+                            eid,
+                        ],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Update board: {e}")))?;
+                    eid
+                } else {
+                    conn.execute(
+                        "INSERT INTO boards (short_name, name, description, nsfw, max_threads,
+                         bump_limit, allow_images, allow_video, allow_audio, allow_tripcodes,
+                         edit_window_secs, allow_editing, allow_archive, allow_video_embeds, allow_captcha,
+                         post_cooldown_secs, created_at)
+                         VALUES (?1,?2,?3,?4,?5,?6,?7,?8,?9,?10,?11,?12,?13,?14,?15,?16,?17)",
+                        params![
+                            manifest.board.short_name,
+                            manifest.board.name,
+                            manifest.board.description,
+                            i64::from(manifest.board.nsfw),
+                            manifest.board.max_threads,
+                            manifest.board.bump_limit,
+                            i64::from(manifest.board.allow_images),
+                            i64::from(manifest.board.allow_video),
+                            i64::from(manifest.board.allow_audio),
+                            i64::from(manifest.board.allow_tripcodes),
+                            manifest.board.edit_window_secs,
+                            i64::from(manifest.board.allow_editing),
+                            i64::from(manifest.board.allow_archive),
+                            i64::from(manifest.board.allow_video_embeds),
+                            i64::from(manifest.board.allow_captcha),
+                            manifest.board.post_cooldown_secs,
+                            manifest.board.created_at,
+                        ],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert board: {e}")))?;
+                    conn.last_insert_rowid()
+                };
+
+                let mut thread_id_map: HashMap<i64, i64> = HashMap::new();
+                for t in &manifest.threads {
+                    conn.execute(
+                        "INSERT INTO threads (board_id, subject, created_at, bumped_at,
+                         locked, sticky, reply_count) VALUES (?1,?2,?3,?4,?5,?6,?7)",
+                        params![
+                            live_board_id,
+                            t.subject,
+                            t.created_at,
+                            t.bumped_at,
+                            i64::from(t.locked),
+                            i64::from(t.sticky),
+                            t.reply_count,
+                        ],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert thread: {e}")))?;
+                    thread_id_map.insert(t.id, conn.last_insert_rowid());
+                }
+
+                for p in &manifest.posts {
+                    let new_tid = *thread_id_map.get(&p.thread_id).ok_or_else(|| {
+                        AppError::Internal(anyhow::anyhow!("Unknown thread {}", p.thread_id))
+                    })?;
+                    conn.execute(
+                        "INSERT INTO posts (thread_id, board_id, name, tripcode, subject,
+                         body, body_html, ip_hash, file_path, file_name, file_size,
+                         thumb_path, mime_type, media_type, created_at, deletion_token, is_op)
+                         VALUES (?1,?2,?3,?4,?5,?6,?7,?8,?9,?10,?11,?12,?13,?14,?15,?16,?17)",
+                        params![
+                            new_tid,
+                            live_board_id,
+                            p.name,
+                            p.tripcode,
+                            p.subject,
+                            p.body,
+                            p.body_html,
+                            p.ip_hash,
+                            p.file_path,
+                            p.file_name,
+                            p.file_size,
+                            p.thumb_path,
+                            p.mime_type,
+                            p.media_type,
+                            p.created_at,
+                            p.deletion_token,
+                            i64::from(p.is_op),
+                        ],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert post: {e}")))?;
+                }
+
+                let mut poll_id_map: HashMap<i64, i64> = HashMap::new();
+                for p in &manifest.polls {
+                    let new_tid = *thread_id_map.get(&p.thread_id).ok_or_else(|| {
+                        AppError::Internal(anyhow::anyhow!("Unknown thread {}", p.thread_id))
+                    })?;
+                    conn.execute(
+                        "INSERT INTO polls (thread_id, question, expires_at, created_at)
+                         VALUES (?1,?2,?3,?4)",
+                        params![new_tid, p.question, p.expires_at, p.created_at],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert poll: {e}")))?;
+                    poll_id_map.insert(p.id, conn.last_insert_rowid());
+                }
+
+                let mut option_id_map: HashMap<i64, i64> = HashMap::new();
+                for o in &manifest.poll_options {
+                    let new_poll_id = *poll_id_map.get(&o.poll_id).ok_or_else(|| {
+                        AppError::Internal(anyhow::anyhow!("Unknown poll {}", o.poll_id))
+                    })?;
+                    conn.execute(
+                        "INSERT INTO poll_options (poll_id, text, position) VALUES (?1,?2,?3)",
+                        params![new_poll_id, o.text, o.position],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert option: {e}")))?;
+                    option_id_map.insert(o.id, conn.last_insert_rowid());
+                }
+
+                for v in &manifest.poll_votes {
+                    let new_poll_id = *poll_id_map.get(&v.poll_id).ok_or_else(|| {
+                        AppError::Internal(anyhow::anyhow!("Unknown poll {}", v.poll_id))
+                    })?;
+                    let new_option_id = *option_id_map.get(&v.option_id).ok_or_else(|| {
+                        AppError::Internal(anyhow::anyhow!("Unknown option {}", v.option_id))
+                    })?;
+                    conn.execute(
+                        "INSERT OR IGNORE INTO poll_votes
+                         (poll_id, option_id, ip_hash) VALUES (?1,?2,?3)",
+                        params![new_poll_id, new_option_id, v.ip_hash],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert vote: {e}")))?;
+                }
+
+                for fh in &manifest.file_hashes {
+                    conn.execute(
+                        "INSERT OR IGNORE INTO file_hashes
+                         (sha256, file_path, thumb_path, mime_type, created_at)
+                         VALUES (?1,?2,?3,?4,?5)",
+                        params![
+                            fh.sha256,
+                            fh.file_path,
+                            fh.thumb_path,
+                            fh.mime_type,
+                            fh.created_at,
+                        ],
+                    )
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert file_hash: {e}")))?;
+                }
+                Ok(())
+            })();
+
+            match restore_result {
+                Ok(()) => {
+                    conn.execute("COMMIT", [])
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Commit: {e}")))?;
+                }
+                Err(e) => {
+                    let _ = conn.execute("ROLLBACK", []);
+                    return Err(e);
+                }
+            }
+
+            // Extract upload files.
+            for i in 0..archive.len() {
+                let mut entry = archive
+                    .by_index(i)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip[{i}]: {e}")))?;
+                let name = entry.name().to_string();
+                if name.contains("..") || name.starts_with('/') || name.starts_with('\\') {
+                    warn!("Board restore-saved: skipping suspicious entry '{name}'");
+                    continue;
+                }
+                if let Some(rel) = name.strip_prefix("uploads/") {
+                    if rel.is_empty() {
+                        continue;
+                    }
+                    let target = PathBuf::from(&upload_dir).join(rel);
+                    if entry.is_dir() {
+                        std::fs::create_dir_all(&target)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("mkdir: {e}")))?;
+                    } else {
+                        if let Some(p) = target.parent() {
+                            std::fs::create_dir_all(p).map_err(|e| {
+                                AppError::Internal(anyhow::anyhow!("mkdir parent: {e}"))
+                            })?;
+                        }
+                        let mut out = std::fs::File::create(&target)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Create: {e}")))?;
+                        copy_limited(&mut entry, &mut out, ZIP_ENTRY_MAX_BYTES)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Write: {e}")))?;
+                    }
+                }
+            }
+
+            tracing::info!(target: "admin", board = %board_short, "Board restore-saved completed");
+            let safe_short: String = board_short
+                .chars()
+                .filter(char::is_ascii_alphanumeric)
+                .take(8)
+                .collect();
+            Ok(safe_short)
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)));
+
+    match board_short_result {
+        Ok(Ok(board_short)) => {
+            Ok(Redirect::to(&format!("/admin/panel?board_restored={board_short}")).into_response())
+        }
+        Ok(Err(app_err)) => {
+            let msg = encode_q(&app_err.to_string());
+            Ok(Redirect::to(&format!("/admin/panel?restore_error={msg}")).into_response())
+        }
+        Err(join_err) => {
+            let msg = encode_q(&join_err.to_string());
+            Ok(Redirect::to(&format!("/admin/panel?restore_error={msg}")).into_response())
+        }
+    }
+}
+
+// ─── Board-level backup / restore ─────────────────────────────────────────────
+
+/// Flat structs used exclusively for board-level backup serialisation.
+mod board_backup_types {
+    use serde::{Deserialize, Serialize};
+
+    #[derive(Serialize, Deserialize)]
+    #[allow(clippy::struct_excessive_bools)]
+    pub struct BoardRow {
+        pub id: i64,
+        pub short_name: String,
+        pub name: String,
+        pub description: String,
+        pub nsfw: bool,
+        pub max_threads: i64,
+        pub bump_limit: i64,
+        /// Added via ALTER TABLE — absent in oldest backups; default true.
+        #[serde(default = "default_true")]
+        pub allow_images: bool,
+        /// Added via ALTER TABLE — absent in oldest backups; default true.
+        #[serde(default = "default_true")]
+        pub allow_video: bool,
+        /// Added via ALTER TABLE — absent in oldest backups; default false.
+        #[serde(default)]
+        pub allow_audio: bool,
+        /// Added via ALTER TABLE — absent in oldest backups; default true.
+        #[serde(default = "default_true")]
+        pub allow_tripcodes: bool,
+        /// Added in a later version — absent in older backups; default to 300 s.
+        #[serde(default = "default_edit_window_secs")]
+        pub edit_window_secs: i64,
+        /// Added in a later version — absent in older backups; default to false.
+        #[serde(default)]
+        pub allow_editing: bool,
+        /// Added in a later version — absent in older backups; default to true.
+        #[serde(default = "default_true")]
+        pub allow_archive: bool,
+        /// Added in v1.0.10 — absent in older backups; default to false.
+        #[serde(default)]
+        pub allow_video_embeds: bool,
+        /// Added in v1.0.10 — absent in older backups; default to false.
+        #[serde(default)]
+        pub allow_captcha: bool,
+        /// Added for per-board post cooldowns — absent in older backups; default 0 (disabled).
+        #[serde(default)]
+        pub post_cooldown_secs: i64,
+        pub created_at: i64,
+    }
+
+    const fn default_true() -> bool {
+        true
+    }
+
+    const fn default_edit_window_secs() -> i64 {
+        300
+    }
+    #[derive(Serialize, Deserialize)]
+    pub struct ThreadRow {
+        pub id: i64,
+        pub board_id: i64,
+        pub subject: Option<String>,
+        pub created_at: i64,
+        pub bumped_at: i64,
+        pub locked: bool,
+        pub sticky: bool,
+        pub reply_count: i64,
+    }
+    #[derive(Serialize, Deserialize)]
+    pub struct PostRow {
+        pub id: i64,
+        pub thread_id: i64,
+        pub board_id: i64,
+        pub name: String,
+        pub tripcode: Option<String>,
+        pub subject: Option<String>,
+        pub body: String,
+        pub body_html: String,
+        pub ip_hash: String,
+        pub file_path: Option<String>,
+        pub file_name: Option<String>,
+        pub file_size: Option<i64>,
+        pub thumb_path: Option<String>,
+        pub mime_type: Option<String>,
+        pub media_type: Option<String>,
+        pub created_at: i64,
+        pub deletion_token: String,
+        pub is_op: bool,
+    }
+    #[derive(Serialize, Deserialize)]
+    pub struct PollRow {
+        pub id: i64,
+        pub thread_id: i64,
+        pub question: String,
+        pub expires_at: i64,
+        pub created_at: i64,
+    }
+    #[derive(Serialize, Deserialize)]
+    pub struct PollOptionRow {
+        pub id: i64,
+        pub poll_id: i64,
+        pub text: String,
+        pub position: i64,
+    }
+    #[derive(Serialize, Deserialize)]
+    pub struct PollVoteRow {
+        pub id: i64,
+        pub poll_id: i64,
+        pub option_id: i64,
+        pub ip_hash: String,
+    }
+    #[derive(Serialize, Deserialize)]
+    pub struct FileHashRow {
+        pub sha256: String,
+        pub file_path: String,
+        pub thumb_path: String,
+        pub mime_type: String,
+        pub created_at: i64,
+    }
+    #[derive(Serialize, Deserialize)]
+    pub struct BoardBackupManifest {
+        pub version: u32,
+        pub board: BoardRow,
+        pub threads: Vec<ThreadRow>,
+        pub posts: Vec<PostRow>,
+        pub polls: Vec<PollRow>,
+        pub poll_options: Vec<PollOptionRow>,
+        pub poll_votes: Vec<PollVoteRow>,
+        pub file_hashes: Vec<FileHashRow>,
+    }
+}
+
+/// Stream a board-level backup zip: manifest JSON + that board's upload files.
+///
+/// MEM-FIX: Same approach as `admin_backup` — build zip into a `NamedTempFile` on
+/// disk, then stream the result in 64 KiB chunks.
+#[allow(clippy::too_many_lines)]
+#[allow(clippy::arithmetic_side_effects)]
+pub async fn board_backup(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    axum::extract::Path(board_short): axum::extract::Path<String>,
+) -> Result<Response> {
+    let session_id = jar
+        .get(super::SESSION_COOKIE)
+        .map(|c| c.value().to_string());
+    let upload_dir = CONFIG.upload_dir.clone();
+    let progress = state.backup_progress.clone();
+
+    let (tmp_path, filename, file_size) = tokio::task::spawn_blocking({
+        let pool = state.db.clone();
+        move || -> Result<(PathBuf, String, u64)> {
+    use board_backup_types::{BoardRow, ThreadRow, PostRow, PollRow, PollOptionRow, PollVoteRow, FileHashRow, BoardBackupManifest};
+
+            let conn = pool.get()?;
+            super::require_admin_session_sid(&conn, session_id.as_deref())?;
+
+            progress.reset(crate::middleware::backup_phase::SNAPSHOT_DB);
+            let board: BoardRow = conn.query_row(
+                "SELECT id, short_name, name, description, nsfw, max_threads, bump_limit,
+                        allow_images, allow_video, allow_audio, allow_tripcodes, edit_window_secs,
+                        allow_editing, allow_archive, allow_video_embeds, allow_captcha,
+                        post_cooldown_secs, created_at
+                 FROM boards WHERE short_name = ?1",
+                params![board_short],
+                |r| Ok(BoardRow {
+                    id: r.get(0)?,
+                    short_name: r.get(1)?,
+                    name: r.get(2)?,
+                    description: r.get(3)?,
+                    nsfw: r.get::<_, i64>(4)? != 0,
+                    max_threads: r.get(5)?,
+                    bump_limit: r.get(6)?,
+                    allow_images: r.get::<_, i64>(7)? != 0,
+                    allow_video: r.get::<_, i64>(8)? != 0,
+                    allow_audio: r.get::<_, i64>(9)? != 0,
+                    allow_tripcodes: r.get::<_, i64>(10)? != 0,
+                    edit_window_secs: r.get(11)?,
+                    allow_editing: r.get::<_, i64>(12)? != 0,
+                    allow_archive: r.get::<_, i64>(13)? != 0,
+                    allow_video_embeds: r.get::<_, i64>(14)? != 0,
+                    allow_captcha: r.get::<_, i64>(15)? != 0,
+                    post_cooldown_secs: r.get(16)?,
+                    created_at: r.get(17)?,
+                }),
+            ).map_err(|_| AppError::NotFound(format!("Board '{board_short}' not found")))?;
+
+            let board_id = board.id;
+
+            // ── Threads ───────────────────────────────────────────────────
+            let threads: Vec<ThreadRow> = {
+                let mut s = conn.prepare(
+                    "SELECT id, board_id, subject, created_at, bumped_at, locked, sticky, reply_count
+                     FROM threads WHERE board_id = ?1 ORDER BY id ASC"
+                ).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s.query_map(params![board_id], |r| Ok(ThreadRow {
+                    id: r.get(0)?, board_id: r.get(1)?, subject: r.get(2)?,
+                    created_at: r.get(3)?, bumped_at: r.get(4)?,
+                    locked: r.get::<_,i64>(5)? != 0, sticky: r.get::<_,i64>(6)? != 0,
+                    reply_count: r.get(7)?,
+                })).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                .collect::<std::result::Result<Vec<_>,_>>()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?; rows
+            };
+
+            // ── Posts ─────────────────────────────────────────────────────
+            let posts: Vec<PostRow> = {
+                let mut s = conn.prepare(
+                    "SELECT id, thread_id, board_id, name, tripcode, subject, body, body_html,
+                            ip_hash, file_path, file_name, file_size, thumb_path, mime_type,
+                            media_type, created_at, deletion_token, is_op
+                     FROM posts WHERE board_id = ?1 ORDER BY id ASC"
+                ).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s.query_map(params![board_id], |r| Ok(PostRow {
+                    id: r.get(0)?, thread_id: r.get(1)?, board_id: r.get(2)?,
+                    name: r.get(3)?, tripcode: r.get(4)?, subject: r.get(5)?,
+                    body: r.get(6)?, body_html: r.get(7)?, ip_hash: r.get(8)?,
+                    file_path: r.get(9)?, file_name: r.get(10)?, file_size: r.get(11)?,
+                    thumb_path: r.get(12)?, mime_type: r.get(13)?, media_type: r.get(14)?,
+                    created_at: r.get(15)?, deletion_token: r.get(16)?,
+                    is_op: r.get::<_,i64>(17)? != 0,
+                })).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                .collect::<std::result::Result<Vec<_>,_>>()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?; rows
+            };
+
+            // ── Polls ─────────────────────────────────────────────────────
+            let polls: Vec<PollRow> = {
+                let mut s = conn.prepare(
+                    "SELECT p.id, p.thread_id, p.question, p.expires_at, p.created_at
+                     FROM polls p JOIN threads t ON t.id = p.thread_id
+                     WHERE t.board_id = ?1 ORDER BY p.id ASC"
+                ).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s.query_map(params![board_id], |r| Ok(PollRow {
+                    id: r.get(0)?, thread_id: r.get(1)?, question: r.get(2)?,
+                    expires_at: r.get(3)?, created_at: r.get(4)?,
+                })).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                .collect::<std::result::Result<Vec<_>,_>>()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?; rows
+            };
+
+            // ── Poll options ──────────────────────────────────────────────
+            let poll_options: Vec<PollOptionRow> = {
+                let mut s = conn.prepare(
+                    "SELECT po.id, po.poll_id, po.text, po.position
+                     FROM poll_options po
+                     JOIN polls p ON p.id = po.poll_id
+                     JOIN threads t ON t.id = p.thread_id
+                     WHERE t.board_id = ?1 ORDER BY po.id ASC"
+                ).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s.query_map(params![board_id], |r| Ok(PollOptionRow {
+                    id: r.get(0)?, poll_id: r.get(1)?, text: r.get(2)?, position: r.get(3)?,
+                })).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                .collect::<std::result::Result<Vec<_>,_>>()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?; rows
+            };
+
+            // ── Poll votes ────────────────────────────────────────────────
+            let poll_votes: Vec<PollVoteRow> = {
+                let mut s = conn.prepare(
+                    "SELECT pv.id, pv.poll_id, pv.option_id, pv.ip_hash
+                     FROM poll_votes pv
+                     JOIN polls p ON p.id = pv.poll_id
+                     JOIN threads t ON t.id = p.thread_id
+                     WHERE t.board_id = ?1 ORDER BY pv.id ASC"
+                ).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s.query_map(params![board_id], |r| Ok(PollVoteRow {
+                    id: r.get(0)?, poll_id: r.get(1)?, option_id: r.get(2)?,
+                    ip_hash: r.get(3)?,
+                })).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                .collect::<std::result::Result<Vec<_>,_>>()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?; rows
+            };
+
+            // ── File hashes referenced by this board ──────────────────────
+            let file_hashes: Vec<FileHashRow> = {
+                let mut s = conn.prepare(
+                    "SELECT DISTINCT fh.sha256, fh.file_path, fh.thumb_path, fh.mime_type, fh.created_at
+                     FROM file_hashes fh
+                     JOIN posts po ON po.file_path = fh.file_path
+                     WHERE po.board_id = ?1 ORDER BY fh.created_at ASC"
+                ).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
+                let rows = s.query_map(params![board_id], |r| Ok(FileHashRow {
+                    sha256: r.get(0)?, file_path: r.get(1)?, thumb_path: r.get(2)?,
+                    mime_type: r.get(3)?, created_at: r.get(4)?,
+                })).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?
+                .collect::<std::result::Result<Vec<_>,_>>()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?; rows
+            };
+
+            // ── Serialise manifest ────────────────────────────────────────
+            let manifest = BoardBackupManifest {
+                version: 1, board, threads, posts, polls,
+                poll_options, poll_votes, file_hashes,
+            };
+
+            // ── Build zip to NamedTempFile (MEM-FIX) ─────────────────────
+            let manifest_json = serde_json::to_vec_pretty(&manifest)
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("JSON serialise: {e}")))?;
+
+            let uploads_base = std::path::Path::new(&upload_dir);
+            let board_upload_path = uploads_base.join(&board_short);
+            let file_count = count_files_in_dir(&board_upload_path);
+            progress.reset(crate::middleware::backup_phase::COMPRESS);
+            progress.files_total.store(file_count.saturating_add(1), Ordering::Relaxed);
+
+            let zip_tmp = tempfile::NamedTempFile::new()
+                .map_err(|e| AppError::Internal(anyhow::anyhow!("Create temp zip: {e}")))?;
+            {
+                let out_file = std::io::BufWriter::new(
+                    zip_tmp.as_file().try_clone().map_err(|e| {
+                        AppError::Internal(anyhow::anyhow!("Clone temp file handle: {e}"))
+                    })?,
+                );
+                let mut zip = zip::ZipWriter::new(out_file);
+                let opts = zip::write::SimpleFileOptions::default()
+                    .compression_method(zip::CompressionMethod::Deflated);
+
+                zip.start_file("board.json", opts)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip manifest: {e}")))?;
+                zip.write_all(&manifest_json)
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Write manifest: {e}")))?;
+                progress.files_done.fetch_add(1, Ordering::Relaxed);
+                progress.bytes_done.fetch_add(manifest_json.len() as u64, Ordering::Relaxed);
+
+                if board_upload_path.exists() {
+                    add_dir_to_zip(&mut zip, uploads_base, &board_upload_path, opts, &progress)?;
+                }
+
+                // Flush the BufWriter explicitly so I/O errors are not
+                // silently swallowed by the implicit Drop-flush.
+                let writer = zip
+                    .finish()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Finalise zip: {e}")))?;
+                writer
+                    .into_inner()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Flush zip writer: {e}")))?
+                    .sync_all()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Sync zip file: {e}")))?;
+            }
+
+            let file_size = zip_tmp.as_file().metadata().map(|m| m.len()).unwrap_or(0);
+
+            let (_, tmp_path_obj) = zip_tmp.into_parts();
+            let final_path = tmp_path_obj.keep().map_err(|e| {
+                AppError::Internal(anyhow::anyhow!("Persist temp zip: {e}"))
+            })?;
+
+            let ts = chrono::Utc::now().format("%Y%m%d_%H%M%S");
+            let fname = format!("rustchan-board-{board_short}-{ts}.zip");
+            tracing::info!(target: "admin", board = %board_short, bytes = file_size, "Board backup downloaded");
+            progress.phase.store(crate::middleware::backup_phase::DONE, Ordering::Relaxed);
+            Ok((final_path, fname, file_size))
+        }
+    })
+    .await
+    .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
+
+    let file = tokio::fs::File::open(&tmp_path)
+        .await
+        .map_err(|e| AppError::Internal(anyhow::anyhow!("Open board backup for streaming: {e}")))?;
+    let stream = ReaderStream::new(file);
+    let body = axum::body::Body::from_stream(stream);
+
+    let cleanup_path = tmp_path;
+    tokio::spawn(async move {
+        tokio::time::sleep(tokio::time::Duration::from_secs(600)).await;
+        let _ = tokio::fs::remove_file(cleanup_path).await;
+    });
+
+    let disposition = format!("attachment; filename=\"{filename}\"");
+    Ok((
+        [
+            (header::CONTENT_TYPE, "application/zip".to_string()),
+            (header::CONTENT_DISPOSITION, disposition),
+            (header::CONTENT_LENGTH, file_size.to_string()),
+        ],
+        body,
+    )
+        .into_response())
+}
+
+/// Restore a single board from a board-level backup zip or raw board.json.
+///
+/// Returns `Response` (not `Result<Response>`) so ALL errors — including
+/// CSRF failures and multipart parse errors — redirect to the admin panel
+/// with a flash message instead of producing a blank crash page.
+#[allow(clippy::too_many_lines)]
+#[allow(clippy::arithmetic_side_effects)]
+pub async fn board_restore(
+    State(state): State<AppState>,
+    jar: CookieJar,
+    mut multipart: Multipart,
+) -> Response {
+    // Run the whole operation as a fallible async block so any early return
+    // with Err(...) is caught below and turned into a redirect.
+    let result: Result<String> = async {
+        let session_id = jar
+            .get(super::SESSION_COOKIE)
+            .map(|c| c.value().to_string());
+        let upload_dir = CONFIG.upload_dir.clone();
+
+        // MEM-FIX: stream the uploaded file to a NamedTempFile on disk instead
+        // of buffering the entire zip into a Vec<u8>.  Board backups can be
+        // hundreds of MB for active boards with many uploads.
+        let mut zip_tmp: Option<tempfile::NamedTempFile> = None;
+        let mut form_csrf: Option<String> = None;
+
+        while let Some(field) = multipart
+            .next_field()
+            .await
+            .map_err(|e| AppError::BadRequest(format!("Multipart error: {e}")))?
+        {
+            match field.name() {
+                Some("_csrf") => {
+                    form_csrf = Some(
+                        field
+                            .text()
+                            .await
+                            .map_err(|e| AppError::BadRequest(e.to_string()))?,
+                    );
+                }
+                Some("backup_file") => {
+                    let tmp = tempfile::NamedTempFile::new()
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Tempfile: {e}")))?;
+                    // Clone the underlying fd for async writing; the original
+                    // NamedTempFile retains ownership and the delete-on-drop guard.
+                    let std_clone = tmp
+                        .as_file()
+                        .try_clone()
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Clone fd: {e}")))?;
+                    let async_file = tokio::fs::File::from_std(std_clone);
+                    let mut writer = tokio::io::BufWriter::new(async_file);
+                    let mut field = field;
+                    while let Some(chunk) = field
+                        .chunk()
+                        .await
+                        .map_err(|e| AppError::BadRequest(e.to_string()))?
+                    {
+                        writer
+                            .write_all(&chunk)
+                            .await
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Write chunk: {e}")))?;
+                    }
+                    writer
+                        .flush()
+                        .await
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Flush: {e}")))?;
+                    zip_tmp = Some(tmp);
+                }
+                _ => {}
+            }
+        }
+
+        let csrf_cookie = jar.get("csrf_token").map(|c| c.value().to_string());
+        if !crate::middleware::validate_csrf(
+            csrf_cookie.as_deref(),
+            form_csrf.as_deref().unwrap_or(""),
+        ) {
+            return Err(AppError::Forbidden("CSRF token mismatch.".into()));
+        }
+
+        let zip_tmp =
+            zip_tmp.ok_or_else(|| AppError::BadRequest("No backup file uploaded.".into()))?;
+        // Determine size without reading into RAM.
+        let file_size = zip_tmp
+            .as_file()
+            .seek(std::io::SeekFrom::End(0))
+            .map_err(|e| AppError::Internal(anyhow::anyhow!("Seek check: {e}")))?;
+        if file_size == 0 {
+            return Err(AppError::BadRequest(
+                "Uploaded backup file is empty.".into(),
+            ));
+        }
+
+        tokio::task::spawn_blocking({
+            let pool = state.db.clone();
+            move || -> Result<String> {
+                use board_backup_types::BoardBackupManifest;
+                use std::collections::HashMap;
+                use std::io::Read;
+
+                let conn = pool.get()?;
+                super::require_admin_session_sid(&conn, session_id.as_deref())?;
+
+                // Detect format from the first four bytes (ZIP magic or JSON '{').
+                let mut magic = [0u8; 4];
+                let mut probe = zip_tmp
+                    .reopen()
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Reopen: {e}")))?;
+                let n = probe.read(&mut magic).unwrap_or(0);
+                drop(probe);
+
+                let is_zip = n >= 4
+                    && magic[0] == b'P'
+                    && magic[1] == b'K'
+                    && magic[2] == 0x03
+                    && magic[3] == 0x04;
+                // Skip optional UTF-8 BOM (EF BB BF) before the JSON '{'.
+                let is_json = if n >= 3 && magic[0] == 0xef && magic[1] == 0xbb && magic[2] == 0xbf
+                {
+                    n >= 4 && magic[3] == b'{'
+                } else {
+                    n >= 1 && magic[0] == b'{'
+                };
+
+                if !is_zip && !is_json {
+                    return Err(AppError::BadRequest(
+                        "Unrecognized format. Upload a .zip board backup or a raw board.json file."
+                            .into(),
+                    ));
+                }
+
+                // We need two re-openings: one for the manifest (BufReader<File>)
+                // and one for the archive used during file extraction.  Both derive
+                // independent file descriptors from the same NamedTempFile so the
+                // underlying bytes are always available.
+                let (manifest, mut archive_opt): (
+                    BoardBackupManifest,
+                    Option<zip::ZipArchive<std::io::BufReader<std::fs::File>>>,
+                ) = if is_zip {
+                    let f = zip_tmp
+                        .reopen()
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Reopen zip: {e}")))?;
+                    let mut archive = zip::ZipArchive::new(std::io::BufReader::new(f))
+                        .map_err(|e| AppError::BadRequest(format!("Invalid zip: {e}")))?;
+                    if !archive.file_names().any(|n| n == "board.json") {
+                        return Err(AppError::BadRequest(
+                            "Invalid board backup: zip must contain 'board.json'. \
+                             (Did you upload a full-site backup instead?)"
+                                .into(),
+                        ));
+                    }
+                    let manifest: BoardBackupManifest = {
+                        let mut entry = archive.by_name("board.json").map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Read board.json: {e}"))
+                        })?;
+                        let mut buf = Vec::new();
+                        entry
+                            .read_to_end(&mut buf)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Read bytes: {e}")))?;
+                        serde_json::from_slice(&buf)
+                            .map_err(|e| AppError::BadRequest(format!("Invalid board.json: {e}")))?
+                    };
+                    // Re-open a fresh archive for file extraction in the second pass.
+                    let f2 = zip_tmp
+                        .reopen()
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Reopen zip (2): {e}")))?;
+                    let archive2 = zip::ZipArchive::new(std::io::BufReader::new(f2))
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Reopen archive: {e}")))?;
+                    (manifest, Some(archive2))
+                } else {
+                    // Raw board.json — read fully (manifests are small).
+                    let mut f = zip_tmp
+                        .reopen()
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Reopen json: {e}")))?;
+                    let mut buf = Vec::new();
+                    f.read_to_end(&mut buf)
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Read json: {e}")))?;
+                    let manifest: BoardBackupManifest = serde_json::from_slice(&buf)
+                        .map_err(|e| AppError::BadRequest(format!("Invalid board.json: {e}")))?;
+                    (manifest, None)
+                };
+
+                let board_short = manifest.board.short_name.clone();
+
+                let existing_id: Option<i64> = conn
+                    .query_row(
+                        "SELECT id FROM boards WHERE short_name = ?1",
+                        params![board_short],
+                        |r| r.get(0),
+                    )
+                    .ok();
+
+                // FIX[A6]: BEGIN IMMEDIATE must cover the DELETE + UPDATE/INSERT of the
+                // board row.  Previously those statements ran outside any transaction.
+                conn.execute("BEGIN IMMEDIATE", [])
+                    .map_err(|e| AppError::Internal(anyhow::anyhow!("Begin tx: {e}")))?;
+
+                let restore_result = (|| -> Result<()> {
+                    let live_board_id: i64 = if let Some(eid) = existing_id {
+                        conn.execute("DELETE FROM threads WHERE board_id = ?1", params![eid])
+                            .map_err(|e| {
+                                AppError::Internal(anyhow::anyhow!("Clear threads: {e}"))
+                            })?;
+                        conn.execute(
+                            "UPDATE boards SET name=?1, description=?2, nsfw=?3,
+                             max_threads=?4, bump_limit=?5,
+                             allow_images=?6, allow_video=?7, allow_audio=?8, allow_tripcodes=?9,
+                             edit_window_secs=?10, allow_editing=?11, allow_archive=?12,
+                             allow_video_embeds=?13, allow_captcha=?14, post_cooldown_secs=?15
+                             WHERE id=?16",
+                            params![
+                                manifest.board.name,
+                                manifest.board.description,
+                                i64::from(manifest.board.nsfw),
+                                manifest.board.max_threads,
+                                manifest.board.bump_limit,
+                                i64::from(manifest.board.allow_images),
+                                i64::from(manifest.board.allow_video),
+                                i64::from(manifest.board.allow_audio),
+                                i64::from(manifest.board.allow_tripcodes),
+                                manifest.board.edit_window_secs,
+                                i64::from(manifest.board.allow_editing),
+                                i64::from(manifest.board.allow_archive),
+                                i64::from(manifest.board.allow_video_embeds),
+                                i64::from(manifest.board.allow_captcha),
+                                manifest.board.post_cooldown_secs,
+                                eid,
+                            ],
+                        )
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Update board: {e}")))?;
+                        eid
+                    } else {
+                        conn.execute(
+                            "INSERT INTO boards (short_name, name, description, nsfw, max_threads,
+                             bump_limit, allow_images, allow_video, allow_audio, allow_tripcodes,
+                             edit_window_secs, allow_editing, allow_archive, allow_video_embeds,
+                             allow_captcha, post_cooldown_secs, created_at)
+                             VALUES (?1,?2,?3,?4,?5,?6,?7,?8,?9,?10,?11,?12,?13,?14,?15,?16,?17)",
+                            params![
+                                manifest.board.short_name,
+                                manifest.board.name,
+                                manifest.board.description,
+                                i64::from(manifest.board.nsfw),
+                                manifest.board.max_threads,
+                                manifest.board.bump_limit,
+                                i64::from(manifest.board.allow_images),
+                                i64::from(manifest.board.allow_video),
+                                i64::from(manifest.board.allow_audio),
+                                i64::from(manifest.board.allow_tripcodes),
+                                manifest.board.edit_window_secs,
+                                i64::from(manifest.board.allow_editing),
+                                i64::from(manifest.board.allow_archive),
+                                i64::from(manifest.board.allow_video_embeds),
+                                i64::from(manifest.board.allow_captcha),
+                                manifest.board.post_cooldown_secs,
+                                manifest.board.created_at,
+                            ],
+                        )
+                        .map_err(|e| AppError::Internal(anyhow::anyhow!("Insert board: {e}")))?;
+                        conn.last_insert_rowid()
+                    };
+
+                    let mut thread_id_map: HashMap<i64, i64> = HashMap::new();
+                    for t in &manifest.threads {
+                        conn.execute(
+                            "INSERT INTO threads (board_id, subject, created_at, bumped_at,
+                             locked, sticky, reply_count)
+                             VALUES (?1,?2,?3,?4,?5,?6,?7)",
+                            params![
+                                live_board_id,
+                                t.subject,
+                                t.created_at,
+                                t.bumped_at,
+                                i64::from(t.locked),
+                                i64::from(t.sticky),
+                                t.reply_count,
+                            ],
+                        )
+                        .map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Insert thread {}: {e}", t.id))
+                        })?;
+                        thread_id_map.insert(t.id, conn.last_insert_rowid());
+                    }
+
+                    // ── Insert posts, recording old → new ID mapping ──────
+                    //
+                    // Board restore cannot reuse original post IDs because
+                    // other boards' posts may already occupy those rows in the
+                    // global `posts` table (SQLite AUTOINCREMENT is site-wide,
+                    // not per-board).  The posts therefore land at new IDs.
+                    //
+                    // `post_id_map` captures every (old_id → new_id) pair so
+                    // that we can fix up in-board quotelink references in
+                    // `body` and `body_html` in the second pass below.
+                    // Without this, `>>500` in a restored post still points to
+                    // old ID 500 which no longer exists — clicks produce 404s
+                    // and hover previews show "Post not found".
+                    let mut post_id_map: HashMap<i64, i64> = HashMap::new();
+                    for p in &manifest.posts {
+                        let new_tid = *thread_id_map.get(&p.thread_id).ok_or_else(|| {
+                            AppError::Internal(anyhow::anyhow!(
+                                "Post {} refs unknown thread {}",
+                                p.id,
+                                p.thread_id
+                            ))
+                        })?;
+                        conn.execute(
+                            "INSERT INTO posts (thread_id, board_id, name, tripcode, subject,
+                             body, body_html, ip_hash, file_path, file_name, file_size,
+                             thumb_path, mime_type, media_type, created_at, deletion_token, is_op)
+                             VALUES (?1,?2,?3,?4,?5,?6,?7,?8,?9,?10,?11,?12,?13,?14,?15,?16,?17)",
+                            params![
+                                new_tid,
+                                live_board_id,
+                                p.name,
+                                p.tripcode,
+                                p.subject,
+                                p.body,
+                                p.body_html,
+                                p.ip_hash,
+                                p.file_path,
+                                p.file_name,
+                                p.file_size,
+                                p.thumb_path,
+                                p.mime_type,
+                                p.media_type,
+                                p.created_at,
+                                p.deletion_token,
+                                i64::from(p.is_op),
+                            ],
+                        )
+                        .map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Insert post {}: {e}", p.id))
+                        })?;
+                        post_id_map.insert(p.id, conn.last_insert_rowid());
+                    }
+
+                    // ── Quotelink fixup pass ──────────────────────────────
+                    //
+                    // If any post IDs changed (which they almost always do
+                    // when restoring into a live DB), rewrite `body` and
+                    // `body_html` for every restored post so that in-board
+                    // quotelinks point at the new IDs.
+                    //
+                    // Only same-board references are remapped.  Cross-board
+                    // links (`>>>/board/N`) point to other boards whose IDs
+                    // are unchanged; they are deliberately left untouched.
+                    let any_changed = post_id_map.iter().any(|(old, new)| old != new);
+                    if any_changed {
+                        // Sort by old-ID string length descending so that
+                        // longer IDs are replaced before any prefix of theirs.
+                        // e.g. replace >>1000 before >>100 before >>10 before >>1.
+                        let mut pairs: Vec<(String, String)> = post_id_map
+                            .iter()
+                            .filter(|(old, new)| old != new)
+                            .map(|(old, new)| (old.to_string(), new.to_string()))
+                            .collect();
+                        pairs.sort_by(|a, b| b.0.len().cmp(&a.0.len()).then(b.0.cmp(&a.0)));
+
+                        for p in &manifest.posts {
+                            let Some(&new_post_id) = post_id_map.get(&p.id) else {
+                                continue;
+                            };
+
+                            let new_body = remap_body_quotelinks(&p.body, &pairs);
+                            let new_body_html = remap_body_html_quotelinks(&p.body_html, &pairs);
+
+                            // Only issue the UPDATE when the text actually
+                            // changed — avoids unnecessary I/O when none of
+                            // the post IDs appear in this post's body.
+                            if new_body != p.body || new_body_html != p.body_html {
+                                conn.execute(
+                                    "UPDATE posts SET body = ?1, body_html = ?2 WHERE id = ?3",
+                                    params![new_body, new_body_html, new_post_id],
+                                )
+                                .map_err(|e| {
+                                    AppError::Internal(anyhow::anyhow!(
+                                        "Fixup quotelinks for post {new_post_id}: {e}"
+                                    ))
+                                })?;
+                            }
+                        }
+                    }
+
+                    let mut poll_id_map: HashMap<i64, i64> = HashMap::new();
+                    for p in &manifest.polls {
+                        let new_tid = *thread_id_map.get(&p.thread_id).ok_or_else(|| {
+                            AppError::Internal(anyhow::anyhow!(
+                                "Poll {} refs unknown thread {}",
+                                p.id,
+                                p.thread_id
+                            ))
+                        })?;
+                        conn.execute(
+                            "INSERT INTO polls (thread_id, question, expires_at, created_at)
+                             VALUES (?1,?2,?3,?4)",
+                            params![new_tid, p.question, p.expires_at, p.created_at],
+                        )
+                        .map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Insert poll {}: {e}", p.id))
+                        })?;
+                        poll_id_map.insert(p.id, conn.last_insert_rowid());
+                    }
+
+                    let mut option_id_map: HashMap<i64, i64> = HashMap::new();
+                    for o in &manifest.poll_options {
+                        let new_poll_id = *poll_id_map.get(&o.poll_id).ok_or_else(|| {
+                            AppError::Internal(anyhow::anyhow!(
+                                "Option {} refs unknown poll {}",
+                                o.id,
+                                o.poll_id
+                            ))
+                        })?;
+                        conn.execute(
+                            "INSERT INTO poll_options (poll_id, text, position) VALUES (?1,?2,?3)",
+                            params![new_poll_id, o.text, o.position],
+                        )
+                        .map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Insert option {}: {e}", o.id))
+                        })?;
+                        option_id_map.insert(o.id, conn.last_insert_rowid());
+                    }
+
+                    for v in &manifest.poll_votes {
+                        let new_poll_id = *poll_id_map.get(&v.poll_id).ok_or_else(|| {
+                            AppError::Internal(anyhow::anyhow!(
+                                "Vote {} refs unknown poll {}",
+                                v.id,
+                                v.poll_id
+                            ))
+                        })?;
+                        let new_option_id = *option_id_map.get(&v.option_id).ok_or_else(|| {
+                            AppError::Internal(anyhow::anyhow!(
+                                "Vote {} refs unknown option {}",
+                                v.id,
+                                v.option_id
+                            ))
+                        })?;
+                        conn.execute(
+                            "INSERT OR IGNORE INTO poll_votes
+                             (poll_id, option_id, ip_hash) VALUES (?1,?2,?3)",
+                            params![new_poll_id, new_option_id, v.ip_hash],
+                        )
+                        .map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Insert vote {}: {e}", v.id))
+                        })?;
+                    }
+
+                    for fh in &manifest.file_hashes {
+                        conn.execute(
+                            "INSERT OR IGNORE INTO file_hashes
+                             (sha256, file_path, thumb_path, mime_type, created_at)
+                             VALUES (?1,?2,?3,?4,?5)",
+                            params![
+                                fh.sha256,
+                                fh.file_path,
+                                fh.thumb_path,
+                                fh.mime_type,
+                                fh.created_at
+                            ],
+                        )
+                        .map_err(|e| {
+                            AppError::Internal(anyhow::anyhow!("Insert file_hash: {e}"))
+                        })?;
+                    }
+                    Ok(())
+                })();
+
+                match restore_result {
+                    Ok(()) => {
+                        conn.execute("COMMIT", [])
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Commit tx: {e}")))?;
+                    }
+                    Err(e) => {
+                        let _ = conn.execute("ROLLBACK", []);
+                        return Err(e);
+                    }
+                }
+
+                if let Some(ref mut archive) = archive_opt {
+                    for i in 0..archive.len() {
+                        let mut entry = archive
+                            .by_index(i)
+                            .map_err(|e| AppError::Internal(anyhow::anyhow!("Zip[{i}]: {e}")))?;
+                        let name = entry.name().to_string();
+                        if name.contains("..") || name.starts_with('/') || name.starts_with('\\') {
+                            warn!("Board restore: skipping suspicious entry '{name}'");
+                            continue;
+                        }
+                        if let Some(rel) = name.strip_prefix("uploads/") {
+                            if rel.is_empty() {
+                                continue;
+                            }
+                            let target = PathBuf::from(&upload_dir).join(rel);
+                            if entry.is_dir() {
+                                std::fs::create_dir_all(&target).map_err(|e| {
+                                    AppError::Internal(anyhow::anyhow!("mkdir: {e}"))
+                                })?;
+                            } else {
+                                if let Some(p) = target.parent() {
+                                    std::fs::create_dir_all(p).map_err(|e| {
+                                        AppError::Internal(anyhow::anyhow!("mkdir parent: {e}"))
+                                    })?;
+                                }
+                                let mut out = std::fs::File::create(&target).map_err(|e| {
+                                    AppError::Internal(anyhow::anyhow!("Create file: {e}"))
+                                })?;
+                                copy_limited(&mut entry, &mut out, ZIP_ENTRY_MAX_BYTES).map_err(
+                                    |e| AppError::Internal(anyhow::anyhow!("Write file: {e}")),
+                                )?;
+                            }
+                        }
+                    }
+                }
+
+                tracing::info!(target: "admin", board = %board_short, "Board restore completed");
+                // Refresh live board list — board_restore may have created a
+                // board that didn't exist before, so the top bar must update.
+                if let Ok(boards) = db::get_all_boards(&conn) {
+                    crate::templates::set_live_boards(boards);
+                }
+                let safe_short: String = board_short
+                    .chars()
+                    .filter(char::is_ascii_alphanumeric)
+                    .take(8)
+                    .collect();
+                Ok(safe_short)
+            }
+        })
+        .await
+        .unwrap_or_else(|e| Err(AppError::Internal(anyhow::anyhow!("Task panicked: {e}"))))
+    }
+    .await;
+
+    match result {
+        Ok(board_short) => {
+            Redirect::to(&format!("/admin/panel?board_restored={board_short}")).into_response()
+        }
+        Err(e) => Redirect::to(&format!(
+            "/admin/panel?restore_error={}",
+            encode_q(&e.to_string())
+        ))
+        .into_response(),
+    }
+}
diff --git a/src/handlers/board.rs b/src/handlers/board.rs
index 0b39887..3be86e7 100644
--- a/src/handlers/board.rs
+++ b/src/handlers/board.rs
@@ -169,10 +169,12 @@ pub async fn board_index(
         .and_then(|v| v.to_str().ok())
         .unwrap_or("");
     if client_etag == etag {
+        // StatusCode::NOT_MODIFIED and Body::empty() are always valid constants;
+        // this builder call is infallible.
         let mut resp = axum::http::Response::builder()
             .status(axum::http::StatusCode::NOT_MODIFIED)
             .body(axum::body::Body::empty())
-            .unwrap_or_default();
+            .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
         resp.headers_mut().insert(
             "etag",
             axum::http::HeaderValue::from_str(&etag)
@@ -526,10 +528,12 @@ pub async fn catalog(
         .and_then(|v| v.to_str().ok())
         .unwrap_or("");
     if client_etag == etag {
+        // StatusCode::NOT_MODIFIED and Body::empty() are always valid constants;
+        // this builder call is infallible.
         let mut resp = axum::http::Response::builder()
             .status(axum::http::StatusCode::NOT_MODIFIED)
             .body(axum::body::Body::empty())
-            .unwrap_or_default();
+            .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
         resp.headers_mut().insert(
             "etag",
             axum::http::HeaderValue::from_str(&etag)
diff --git a/src/handlers/thread.rs b/src/handlers/thread.rs
index 71179b7..ca1411a 100644
--- a/src/handlers/thread.rs
+++ b/src/handlers/thread.rs
@@ -102,10 +102,12 @@ pub async fn view_thread(
         .and_then(|v| v.to_str().ok())
         .unwrap_or("");
     if client_etag == etag {
+        // StatusCode::NOT_MODIFIED and Body::empty() are always valid; this
+        // builder call is infallible in practice.
         let mut resp = axum::http::Response::builder()
             .status(axum::http::StatusCode::NOT_MODIFIED)
             .body(axum::body::Body::empty())
-            .unwrap_or_default();
+            .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
         resp.headers_mut().insert(
             "etag",
             axum::http::HeaderValue::from_str(&etag)
diff --git a/src/models.rs b/src/models.rs
index a037fd6..0a9eb9a 100644
--- a/src/models.rs
+++ b/src/models.rs
@@ -138,7 +138,9 @@ pub struct Post {
     pub subject: Option<String>,
     pub body: String,
     pub body_html: String, // pre-rendered HTML (greentext, links, >>refs)
-    pub ip_hash: String,
+    /// SHA-256(IP + secret). `None` for gateway-inserted federation posts
+    /// which have no inbound client IP.
+    pub ip_hash: Option<String>,
     pub file_path: Option<String>,
     pub file_name: Option<String>,
     pub file_size: Option<i64>,
@@ -390,8 +392,9 @@ pub struct ReportWithContext {
     pub board_short: String,
     /// First 120 chars of the reported post body for preview
     pub post_preview: String,
-    /// IP hash of the post's author (for quick ban from the inbox)
-    pub post_ip_hash: String,
+    /// IP hash of the post's author (for quick ban from the inbox).
+    /// `None` for gateway-inserted federation posts which have no client IP.
+    pub post_ip_hash: Option<String>,
 }
 
 /// A single entry in the moderation action log
diff --git a/src/templates/admin.rs b/src/templates/admin.rs
index ffeec33..44063ae 100644
--- a/src/templates/admin.rs
+++ b/src/templates/admin.rs
@@ -321,7 +321,7 @@ pub fn admin_panel_page(
             age = escape_html(&age),
             csrf = escape_html(csrf_token),
             rid = rc.report.id,
-            ip_hash = escape_html(&rc.post_ip_hash)
+            ip_hash = escape_html(rc.post_ip_hash.as_deref().unwrap_or(""))
         );
     }
 
diff --git a/src/templates/thread.rs b/src/templates/thread.rs
index 5fc904e..66f74f8 100644
--- a/src/templates/thread.rs
+++ b/src/templates/thread.rs
@@ -607,7 +607,7 @@ pub fn render_post(
             csrf = escape_html(csrf_token),
             pid = post.id,
             board = escape_html(board_short),
-            ip_hash = escape_html(&post.ip_hash),
+            ip_hash = escape_html(post.ip_hash.as_deref().unwrap_or("")),
             tid = post.thread_id,
             is_op = is_op_val
         );

From 4684dc9c0a7dae62ea2c949d6d81b17aeff1a5fb Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Thu, 19 Mar 2026 20:46:28 -0700
Subject: [PATCH 7/8] readme update and fixed logging being empty

---
 CHANGELOG.md   |  36 ++++++++
 README.md      | 171 +++++++++++++++++++++++++++++-----
 SETUP.md       | 173 ++++++++++++++++++++++++++++++++--
 src/logging.rs | 246 +++++++++++++++++++++++++++++++++++--------------
 src/main.rs    |  19 +++-
 5 files changed, 540 insertions(+), 105 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c13ed15..9f712c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,42 @@ All notable changes to RustChan will be documented in this file.
 
 ## [1.1.0 alpha 2]
 
+### Fixed
+
+#### 🔴 Critical — HTTP 500 errors on pages with gateway posts
+**Problem:** Posts from the ChanNet gateway have no IP address, causing crashes when pages try to display them.
+
+**Solution:** Changed `ip_hash` from `String` to `Option<String>` throughout the codebase so `NULL` values are handled gracefully instead of panicking.
+
+**Files changed:**
+- `src/models.rs`, `src/db/posts.rs`, `src/db/admin.rs` — Handle optional IP hashes
+- `src/templates/thread.rs`, `src/templates/admin.rs` — Render empty string for missing IPs
+- `src/handlers/admin/backup.rs`, `src/handlers/backup.rs` — Preserve `NULL` on backup/restore
+
+---
+
+#### 🟠 Log files written to wrong directory
+**Problem:** Logs were created in the executable folder instead of `rustchan-data/`.
+
+**Solution:** Pass `data_dir` instead of `binary_dir` to the logger, and create the directory *before* logging initializes.
+
+**Files changed:** `src/main.rs`
+
+---
+
+#### 🟠 Log file names have wrong extension
+**Problem:** Rotated logs named `rustchan.log.2024-01-15` instead of `rustchan.2024-01-15.log`.
+
+**Solution:** Use `RollingFileAppender::builder()` with `.filename_prefix()` and `.filename_suffix()` for correct naming.
+
+**Files changed:** `src/logging.rs`
+
+---
+
+#### 🟡 Log files changed from JSON to readable text
+**Problem:** Logs were dense JSON, hard to read with `tail`, `grep`, etc.
+
+
 ## Reliability & Shutdown Improvements
 
 ---
diff --git a/README.md b/README.md
index 933edc2..65676cf 100644
--- a/README.md
+++ b/README.md
@@ -17,11 +17,11 @@
 [![SQLite](https://img.shields.io/badge/SQLite-WAL_Mode-003B57?style=for-the-badge&logo=sqlite&logoColor=white)](https://www.sqlite.org/)
 [![Axum](https://img.shields.io/badge/Axum-0.8-7c3aed?style=for-the-badge)](https://github.com/tokio-rs/axum)
 [![License: MIT](https://img.shields.io/badge/License-MIT-22c55e?style=for-the-badge)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-1.0.13-0ea5e9?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-1.1.0--alpha.2-0ea5e9?style=for-the-badge)](#changelog)
 
 <br>
 
-[**Quick Start**](#-quick-start) · [**Features**](#-features) · [**Optional Integrations**](#-optional-integrations-ffmpeg--tor) · [**Configuration**](#-configuration) · [**Backup System**](#-backup--restore) · [**Deployment**](#-production-deployment) · [**Themes**](#-themes) · [**Changelog**](CHANGELOG.md)
+[**Quick Start**](#-quick-start) · [**Features**](#-features) · [**ChanNet API**](#-channet-api) · [**Optional Integrations**](#-optional-integrations-ffmpeg--tor) · [**Configuration**](#-configuration) · [**Backup System**](#-backup--restore) · [**Deployment**](#-production-deployment) · [**Themes**](#-themes) · [**Changelog**](CHANGELOG.md)
 
 <br>
 
@@ -62,18 +62,19 @@ Two external tools are supported as **optional enhancements**: [**ffmpeg**](#ffm
 <td width="50%" valign="top">
 
 ### 🖼️ Media
-- **Images:** JPEG *(EXIF-stripped and orientation-corrected on upload)*, PNG, GIF, WebP
+- **Images:** JPEG *(EXIF-stripped and orientation-corrected on upload)*, PNG, GIF, WebP, BMP, TIFF, SVG
 - **Video:** MP4, WebM — auto-transcoded to VP9+Opus WebM via ffmpeg; AV1 streams re-encoded to VP9
+- **GIF → WebM** — animated GIFs are converted to WebM inline at upload time (VP9, no background job)
 - **Audio:** MP3, OGG, FLAC, WAV, M4A, AAC (up to 150 MB default)
 - **Image + audio combo posts** — attach both an image and an audio file simultaneously
 - **Audio waveform thumbnails** — generated via ffmpeg's `showwavespic` filter for standalone audio uploads
 - **Waveform cache eviction** — background task prunes oldest thumbnails when the cache exceeds `waveform_cache_max_mb` (default 200 MiB); originals never touched
 - **Video embed unfurling** — per-board opt-in; YouTube, Invidious, and Streamable URLs render as thumbnail + click-to-play widgets
-- Auto-generated thumbnails with configurable dimensions
+- Auto-generated **WebP thumbnails** with configurable dimensions; SVG placeholders used for video (without ffmpeg), audio, and SVG sources
 - Resizable inline image expansion via drag-to-resize
 - **Client-side auto-compression** — oversized files are compressed in-browser before upload with a live progress bar
-- **Streaming multipart** — uploads are validated against size limits in flight; never fully buffered in RAM
-- Two-layer file validation: Content-Type header + magic byte inspection (extensions are never trusted)
+- **Streaming multipart** — uploads are validated against size limits in flight; never fully buffered in RAM; per-field text caps prevent OOM from oversized form fields
+- Two-layer file validation: Content-Type header + magic byte inspection (extensions are never trusted); BMP, TIFF, and SVG magic bytes supported
 
 </td>
 </tr>
@@ -158,6 +159,102 @@ Two external tools are supported as **optional enhancements**: [**ffmpeg**](#ffm
 
 <br>
 
+## 🌐 ChanNet API
+
+RustChan includes a two-layer federation and gateway system that runs automatically on **port 7070** alongside the main web server. No additional configuration is required to enable it — if you want to federate with another RustChan node or integrate with a RustWave client, just start talking to port 7070.
+
+> **Text only.** No images, no media, and no binary data cross the ChanNet interface by design. All payloads are ZIP archives containing structured text (JSON manifests + plain `.txt` post bodies). Full schema documentation is in `channet_api_reference.docx`.
+
+### Layer 1 — Node Federation
+
+These endpoints let RustChan nodes sync content with each other. All responses are ZIP archives.
+
+| Endpoint | Method | Description |
+|---|---|---|
+| `/chan/export` | `GET` | Export all posts from this node as a ZIP snapshot |
+| `/chan/import` | `POST` | Import a ZIP snapshot from a remote node |
+| `/chan/refresh` | `POST` | Pull fresh content from a known remote and apply it locally |
+| `/chan/poll` | `GET` | Lightweight poll — returns only new content since a given timestamp |
+
+**Quick example — pull content from a remote node:**
+
+```bash
+# Export your node's posts
+curl http://localhost:7070/chan/export -o my-export.zip
+
+# Import a ZIP from another node
+curl -X POST http://localhost:7070/chan/import \
+     -H "Content-Type: application/zip" \
+     --data-binary @remote-export.zip
+
+# Refresh from a peer (supply the peer's export URL as the body)
+curl -X POST http://localhost:7070/chan/refresh \
+     -H "Content-Type: text/plain" \
+     -d "http://peer.example.com:7070/chan/export"
+
+# Poll for posts newer than a Unix timestamp
+curl "http://localhost:7070/chan/poll?since=1741900000" -o delta.zip
+```
+
+### Layer 2 — RustWave Gateway
+
+The `/chan/command` endpoint exposes a typed JSON command interface for the [RustWave](https://github.com/a2kiti/rustwave) audio transport client. Send a JSON command, receive a ZIP back. `reply_push` is the only command that writes anything to the database.
+
+```bash
+# Full export via command interface
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "full_export"}' \
+     -o full.zip
+
+# Export a single board
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "board_export", "board": "b"}' \
+     -o board-b.zip
+
+# Export a single thread
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "thread_export", "board": "b", "thread_id": 42}' \
+     -o thread-42.zip
+
+# Export the archive for a board
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "archive_export", "board": "b"}' \
+     -o archive.zip
+
+# Force a refresh from a peer
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "force_refresh", "peer": "http://peer.example.com:7070"}' \
+     -o result.zip
+
+# Push a reply (the only write command)
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{
+       "command": "reply_push",
+       "board": "b",
+       "thread_id": 42,
+       "body": "Hello from RustWave"
+     }' \
+     -o result.zip
+```
+
+### Firewall Note
+
+Port 7070 is for node-to-node communication and RustWave integration. If you are running a public-facing instance and do not need federation, block port 7070 externally:
+
+```bash
+sudo ufw deny 7070/tcp
+```
+
+If you do want to federate with other nodes, allow port 7070 selectively rather than opening it to the world.
+
+---
+
 ## 🔌 Optional Integrations: ffmpeg & Tor
 
 RustChan is fully functional without either tool. When detected at startup, additional capabilities activate automatically.
@@ -431,35 +528,54 @@ RustChan is intentionally minimal — no template engine, no ORM, no JavaScript
 |---|---|
 | Web framework | [Axum](https://github.com/tokio-rs/axum) 0.8 |
 | Async runtime | [Tokio](https://tokio.rs/) 1.x (manually sized blocking pool) |
-| Database | SQLite via [rusqlite](https://github.com/rusqlite/rusqlite) (bundled, 32 MiB page cache) |
-| Connection pool | r2d2 + r2d2_sqlite (5-second acquisition timeout) |
-| Image processing | [`image`](https://github.com/image-rs/image) crate + `kamadak-exif` for JPEG orientation |
-| Video transcoding | ffmpeg (optional, configurable timeout) |
+| Database | SQLite via [rusqlite](https://github.com/rusqlite/rusqlite) (bundled, 32 MiB page cache, `BEGIN IMMEDIATE` transactions) |
+| Connection pool | r2d2 + r2d2_sqlite (configurable size, 5-second acquisition timeout; exhaustion → 503) |
+| Image processing | [`image`](https://github.com/image-rs/image) crate + `kamadak-exif` for JPEG orientation; BMP/TIFF/SVG supported |
+| Video transcoding | ffmpeg (optional, configurable timeout); GIF→WebM converted inline |
 | Audio waveforms | ffmpeg `showwavespic` filter (optional) |
+| Thumbnails | WebP output via ffmpeg or image crate fallback; SVG placeholders for video/audio/SVG |
 | Password hashing | `argon2` crate (Argon2id) |
 | Timing-safe comparison | `subtle` crate |
 | Response compression | `tower-http` CompressionLayer (gzip, Brotli, zstd) |
+| Request timeout | `tower-http` TimeoutLayer |
+| Logging | `tracing` + `tracing-subscriber` + daily-rotating file appender; logs in `rustchan-data/` |
 | HTML rendering | Plain Rust `format!` strings |
-| Configuration | `settings.toml` + env var overrides via `once_cell::Lazy` |
-| Logging | `tracing` + `tracing-subscriber` |
+| Configuration | `settings.toml` (atomic writes) + env var overrides via `once_cell::Lazy` |
+| Federation | ChanNet API on port 7070 (ZIP-based, text-only) |
 
 ### Source Layout
 
 ```
 src/
-├── main.rs             — entry point, router, background tasks, keyboard console
-├── config.rs           — settings.toml + env var resolution
+├── main.rs             — entry point (~50 lines): runtime construction, CLI parsing, dispatch
+├── config.rs           — settings.toml + env var resolution (atomic writes)
 ├── error.rs            — error handling and ban page rendering
-├── models.rs           — database row structs
-├── middleware/mod.rs    — rate limiting, CSRF, IP hashing, proxy trust
+├── models.rs           — database row structs (ip_hash is Option<String>)
+├── middleware/mod.rs    — rate limiting, CSRF, IP hashing, proxy trust, request timeout
 ├── workers/mod.rs       — background job queue, media transcoding, cache eviction
+├── server/
+│   ├── server.rs       — HTTP router, background task spawns, graceful shutdown
+│   ├── console.rs      — terminal stats, keyboard console, startup banner
+│   └── cli.rs          — Cli / Command / AdminAction clap types, run_admin()
+├── media/
+│   ├── mod.rs          — MediaProcessor, ProcessedMedia; public API
+│   ├── ffmpeg.rs       — FFmpeg detection, subprocess execution, all ffmpeg helpers
+│   ├── convert.rs      — per-format conversion logic (ConversionAction, convert_file)
+│   ├── thumbnail.rs    — WebP thumbnail generation, SVG placeholders
+│   └── exif.rs         — EXIF orientation read/apply
 ├── handlers/
-│   ├── admin.rs        — admin panel, moderation, backup/restore, appeals
+│   ├── admin/
+│   │   ├── mod.rs      — shared session helpers, re-exports
+│   │   ├── backup.rs   — all backup and restore handlers (rusqlite backup API)
+│   │   ├── auth.rs     — login, logout, session management
+│   │   ├── moderation.rs — bans, reports, appeals, word filters, mod log
+│   │   ├── content.rs  — post/thread actions, board management
+│   │   └── settings.rs — site settings, VACUUM, admin panel
 │   ├── board.rs        — board index, catalog, archive, search, thread creation
 │   ├── mod.rs          — streaming multipart, shared upload helpers
 │   └── thread.rs       — thread view, replies, polls, editing
 ├── db/
-│   ├── mod.rs          — connection pool, schema init, shared helpers
+│   ├── mod.rs          — connection pool (configurable size), schema init, shared helpers
 │   ├── boards.rs       — site settings, board CRUD, stats
 │   ├── threads.rs      — thread listing, creation, mutation, archiving, pruning
 │   ├── posts.rs        — post CRUD, file deduplication, polls, job queue
@@ -471,8 +587,8 @@ src/
 │   ├── admin.rs        — login page, admin panel, mod log, VACUUM results, IP history
 │   └── forms.rs        — new thread and reply forms
 └── utils/
-    ├── crypto.rs       — Argon2id, CSRF, sessions, IP hashing, PoW verification
-    ├── files.rs        — upload validation, thumbnails, EXIF stripping + orientation
+    ├── crypto.rs       — Argon2id, CSRF, sessions, IP hashing, PoW verification, password validation
+    ├── files.rs        — upload validation, thumbnails (delegates to media/), EXIF stripping
     ├── sanitize.rs     — HTML escaping, markup (greentext, spoilers, dice, embeds)
     └── tripcode.rs     — SHA-256 tripcode generation
 ```
@@ -500,11 +616,14 @@ src/
 | **Redirect hardening** | Backslash and percent-encoded variants blocked on `return_to` parameters |
 | **Path traversal** | Backup filenames validated against `[a-zA-Z0-9._-]` before filesystem access |
 | **Body limits** | Per-route limits on small endpoints (64 KiB) to prevent memory exhaustion |
-| **Connection pool** | 5-second acquisition timeout prevents thread-pool exhaustion under load |
+| **Connection pool** | Configurable pool size; 5-second acquisition timeout; pool exhaustion returns 503 (not 500) |
 | **PoW CAPTCHA** | SHA-256 hashcash (20-bit difficulty), verified server-side with 5-minute grace window; covers threads and replies |
 | **PoW nonce replay** | Used nonces tracked in memory; stale entries auto-pruned after the validity window expires |
 | **Job queue** | Capped at `job_queue_capacity`; excess jobs logged and dropped, never causing OOM |
-| **Streaming uploads** | Multipart fields validated against size limits in flight; memory use bounded regardless of payload |
+| **Streaming uploads** | Multipart fields validated against size limits in flight; per-field text caps (~100 KB body, ~4 KB name/subject) prevent OOM from oversized forms |
+| **Request timeout** | Middleware terminates slow or stalled client connections; guards against slowloris-style attacks |
+| **Gateway IP safety** | ChanNet gateway posts carry no IP address; `ip_hash` is nullable throughout — `NULL` rendered as empty string, never causes a 500 |
+| **Atomic config writes** | `settings.toml` written via temp-file-then-rename; config never partially written on crash |
 
 <br>
 
@@ -543,7 +662,13 @@ Six built-in themes, selectable via the floating picker on every page. Persisted
 
 See **[CHANGELOG.md](CHANGELOG.md)** for the full version history.
 
-**Latest — v1.0.13:**
+**Latest — v1.1.0-alpha.2:**
+Critical fix: ChanNet gateway posts have no IP — `ip_hash` changed to `Option<String>` throughout (no more 500s on pages with gateway posts) · Log files now written to `rustchan-data/` (not the binary directory) · Log file names fixed (`rustchan.2024-01-15.log` format) · Logs changed from dense JSON to human-readable text · Per-field multipart size caps (~100 KB body, ~4 KB name/subject) eliminate OOM risk from oversized form submissions · Poll duration overflow hardened · Backup system rewrites: `rusqlite::backup` API replaces fragile SQL string, RAII temp-file cleanup, pool exhaustion → 503 · Tor detection mutex poisoning fixed; panic hook hardened with `try_lock()` · DB pool size configurable; `r2d2::Error` correctly maps to 503 · All write transactions upgraded from DEFERRED to `BEGIN IMMEDIATE` · Rotating log files prevent disk exhaustion · 304 response builders fixed · Atomic `settings.toml` writes · Request timeout middleware (slowloris protection) · Worker `JoinHandle`s persisted; graceful shutdown via `CancellationToken` + bounded await · Job recovery on startup for interrupted jobs · ChanNet server graceful shutdown unified with main HTTP server · Background tasks use `tokio::select!` for clean cancellation
+
+**v1.1.0-alpha.1:**
+ChanNet API on port 7070 (federation + RustWave gateway) · Major codebase refactor: `main.rs` shrunk from 1,757 → ~50 lines; `handlers/admin.rs` split into 6 focused files; new `server/` module (server, console, CLI); new `src/media/` module (ffmpeg, convert, thumbnail, exif) · BMP, TIFF, SVG upload support · GIF→WebM inline conversion · All thumbnails output as WebP · SVG placeholders for video/audio/SVG sources · PNG→WebP with size-check fallback · Atomic temp-then-rename for all conversions
+
+**v1.0.13:**
 Scheduled VACUUM · expired poll vote cleanup · DB size warning banner · job queue back-pressure · duplicate media job coalescing · configurable ffmpeg timeout · global `archive_before_prune` flag · waveform cache eviction · streaming multipart · ETag / Conditional GET (304) · gzip/Brotli/zstd response compression · manual Tokio blocking pool sizing · EXIF orientation correction · streaming backup I/O (peak RAM ~64 KiB) · **ChanClassic** theme · `default_theme` + `site_subtitle` in `settings.toml` · default theme selector in admin panel · admin panel reorganised · prepared statement caching audit · `RETURNING` clause for inserts · 32 MiB SQLite page cache · two new DB indexes (`idx_posts_thread_id`, `idx_posts_ip_hash`)
 
 **v1.0.12:** Database module split into 5 focused files · template module split into 5 focused files · PoW bypass on replies fixed (critical) · PoW nonce replay protection · inline JS fully eliminated (`script-src 'self'` CSP) · backup upload size cap (512 MiB) · post rate limiting simplified · `/api/` routes excluded from GET rate limit · trailing slash 404s fixed
diff --git a/SETUP.md b/SETUP.md
index 167a0db..61120f0 100644
--- a/SETUP.md
+++ b/SETUP.md
@@ -15,13 +15,14 @@ Complete setup instructions for Linux, macOS, and Windows.
 7. [First-Run Configuration](#first-run-configuration)
 8. [nginx + TLS](#nginx--tls)
 9. [Tor Hidden Service](#tor-hidden-service)
-10. [Configuration Reference](#configuration-reference)
-11. [Admin Panel](#admin-panel)
-12. [Backups](#backups)
-13. [Raspberry Pi Tips](#raspberry-pi-tips)
-14. [Security Checklist](#security-checklist)
-15. [Updating](#updating)
-16. [Troubleshooting](#troubleshooting)
+10. [ChanNet API](#channet-api)
+11. [Configuration Reference](#configuration-reference)
+12. [Admin Panel](#admin-panel)
+13. [Backups](#backups)
+14. [Raspberry Pi Tips](#raspberry-pi-tips)
+15. [Security Checklist](#security-checklist)
+16. [Updating](#updating)
+17. [Troubleshooting](#troubleshooting)
 
 ---
 
@@ -395,6 +396,143 @@ Environment=CHAN_TOR_HOSTNAME_FILE=/custom/path/hostname
 
 ---
 
+## ChanNet API
+
+RustChan includes a built-in federation and gateway server that starts automatically on **port 7070** whenever you run `rustchan-cli`. No extra flags or config keys are needed to enable it — it is always running alongside the main web server on port 8080.
+
+> **Text only.** No images, no media, and no binary data cross the ChanNet interface by design. All payloads are ZIP archives containing structured text (JSON manifests + plain post bodies). Full schema documentation is in `channet_api_reference.docx`.
+
+### Starting the server
+
+Nothing extra is required. When you start RustChan normally, the ChanNet API is already available:
+
+```bash
+# Development
+./rustchan-cli
+
+# Production (systemd)
+sudo systemctl start rustchan-cli
+```
+
+Both the web UI (port 8080) and the ChanNet API (port 7070) start in the same process. Logs for both appear in `rustchan-data/rustchan.YYYY-MM-DD.log`.
+
+### Firewall
+
+If you do **not** need federation, block port 7070 from external access. It is fine to leave it reachable on `localhost` for local tooling.
+
+```bash
+sudo ufw deny 7070/tcp      # block external federation
+sudo ufw allow 8080/tcp     # or let nginx handle 80/443 and deny 8080 externally
+```
+
+If you **do** want to federate with specific peers, allow selectively rather than opening to all:
+
+```bash
+sudo ufw allow from <peer-ip> to any port 7070
+```
+
+### Layer 1 — Node Federation
+
+These endpoints let RustChan nodes sync content with each other. All responses are ZIP archives.
+
+| Endpoint | Method | Description |
+|---|---|---|
+| `/chan/export` | `GET` | Export all posts from this node as a ZIP snapshot |
+| `/chan/import` | `POST` | Import a ZIP snapshot from a remote node |
+| `/chan/refresh` | `POST` | Pull fresh content from a peer and apply it locally |
+| `/chan/poll` | `GET` | Lightweight delta — returns only content since a given timestamp |
+
+```bash
+# Export your node's posts
+curl http://localhost:7070/chan/export -o my-export.zip
+
+# Import a ZIP from another node
+curl -X POST http://localhost:7070/chan/import \
+     -H "Content-Type: application/zip" \
+     --data-binary @remote-export.zip
+
+# Refresh from a peer (body is the peer's export URL)
+curl -X POST http://localhost:7070/chan/refresh \
+     -H "Content-Type: text/plain" \
+     -d "http://peer.example.com:7070/chan/export"
+
+# Poll for posts newer than a Unix timestamp
+curl "http://localhost:7070/chan/poll?since=1741900000" -o delta.zip
+```
+
+### Layer 2 — RustWave Gateway
+
+`POST /chan/command` accepts a JSON body and returns a ZIP. The `reply_push` command is the only one that writes to the database — all others are read-only exports.
+
+```bash
+# Full export
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "full_export"}' \
+     -o full.zip
+
+# Export a single board
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "board_export", "board": "b"}' \
+     -o board-b.zip
+
+# Export a single thread
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "thread_export", "board": "b", "thread_id": 42}' \
+     -o thread-42.zip
+
+# Export the archive for a board
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "archive_export", "board": "b"}' \
+     -o archive.zip
+
+# Force a refresh from a peer
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{"command": "force_refresh", "peer": "http://peer.example.com:7070"}' \
+     -o result.zip
+
+# Push a reply (only write command)
+curl -X POST http://localhost:7070/chan/command \
+     -H "Content-Type: application/json" \
+     -d '{
+       "command": "reply_push",
+       "board": "b",
+       "thread_id": 42,
+       "body": "Hello from RustWave"
+     }' \
+     -o result.zip
+```
+
+### nginx + ChanNet
+
+If you want to expose the ChanNet API through nginx (e.g. to serve it over HTTPS or from a subdomain), add a second server block:
+
+```nginx
+server {
+    listen 443 ssl;
+    server_name channet.your-domain.com;
+
+    location / {
+        proxy_pass         http://127.0.0.1:7070;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+Then lock port 7070 from direct external access and let nginx handle it:
+
+```bash
+sudo ufw deny 7070/tcp
+```
+
+---
+
 ## Configuration Reference
 
 All settings can be overridden via environment variables (take precedence over `settings.toml`).
@@ -556,6 +694,7 @@ Before exposing your instance to the internet:
 - [ ] Default admin password changed immediately after first login
 - [ ] Running as `chan` user, not root
 - [ ] Port 8080 firewalled from external access (`ufw deny 8080/tcp`)
+- [ ] Port 7070 (ChanNet API) firewalled unless you intend to federate (`ufw deny 7070/tcp`)
 - [ ] nginx configured with HTTPS (Let's Encrypt)
 - [ ] `CHAN_BEHIND_PROXY=true` set — required for bans and rate limits to work with nginx
 - [ ] `client_max_body_size` in nginx matches your video size limit
@@ -565,7 +704,7 @@ Before exposing your instance to the internet:
 - [ ] Tor hidden service directory owned by `tor` user with mode `700` (if applicable)
 - [ ] `db_warn_threshold_mb` set to a value appropriate for your disk (default: 2048 MiB)
 - [ ] `auto_vacuum_interval_hours` enabled (default: 24) to prevent unbounded DB growth
-- [ ] Log monitoring in place (`journalctl -u rustchan-cli -f`)
+- [ ] Log monitoring in place (`journalctl -u rustchan-cli -f` or `tail -f rustchan-data/rustchan.$(date +%F).log`)
 
 ---
 
@@ -599,15 +738,23 @@ Database migrations run automatically on startup — no manual SQL is ever neede
 **Service won't start:**
 ```bash
 sudo journalctl -u rustchan-cli -n 50 --no-pager
+# Or read the rotating log file directly:
+sudo -u chan tail -n 50 /var/lib/chan/rustchan-data/rustchan.$(date +%F).log
 ```
 Common causes: path doesn't exist or wrong ownership, port already in use, wrong architecture.
 
+**Log files not appearing:**
+Logs are written to `rustchan-data/` (e.g. `rustchan-data/rustchan.2026-03-19.log`), not the directory of the binary. Ensure the `chan` user has write permission to `rustchan-data/`. The directory is created automatically on first run, but will fail silently if permissions are wrong — check `journalctl` output in that case.
+
 **ffmpeg not detected:**
 ```bash
 which ffmpeg && ffmpeg -version
 ```
 If installed to a custom path, add it to PATH in the systemd override. If large videos time out during transcoding, increase `ffmpeg_timeout_secs` in `settings.toml`.
 
+**GIF uploads not converting:**
+GIF→WebM conversion now happens inline at upload time, not in the background worker. If GIF conversion fails, the original GIF is kept and a warning is logged. No restart is needed.
+
 **Tor address not showing:**
 1. Verify Tor is running: `sudo systemctl status tor`
 2. Check hostname file exists: `sudo cat /var/lib/tor/rustchan/hostname`
@@ -620,7 +767,7 @@ If installed to a custom path, add it to PATH in the systemd override. If large
 ls -la /var/lib/chan/rustchan-data/boards/   # check ownership
 sudo nginx -T | grep client_max_body_size    # check nginx limit
 ```
-Large uploads rejected mid-stream indicate the nginx `client_max_body_size` is lower than RustChan's configured limit.
+Large uploads rejected mid-stream indicate the nginx `client_max_body_size` is lower than RustChan's configured limit. Text field rejections (413) indicate the post body exceeded ~100 KB or name/subject fields exceeded ~4 KB.
 
 **Admin login fails:**
 ```bash
@@ -633,7 +780,7 @@ If the login page shows a lockout message, wait for the progressive delay to exp
 Ensure `CHAN_BEHIND_PROXY=true` is set in the systemd override. Without it, RustChan sees all requests as coming from `127.0.0.1`.
 
 **Background jobs not processing:**
-Check `RUST_LOG=rustchan-cli=debug` output for job queue warnings. If jobs are being dropped with "queue at capacity", increase `job_queue_capacity`. If ffmpeg jobs are timing out, increase `ffmpeg_timeout_secs`.
+Check `RUST_LOG=rustchan-cli=debug` output for job queue warnings. If jobs are being dropped with "queue at capacity", increase `job_queue_capacity`. If ffmpeg jobs are timing out, increase `ffmpeg_timeout_secs`. On startup, any jobs that were interrupted mid-run (e.g. by an unclean shutdown) are automatically reset to pending and retried.
 
 **Database integrity:**
 ```bash
@@ -644,4 +791,10 @@ sqlite3 /var/lib/chan/rustchan-data/chan.db "PRAGMA integrity_check;"
 **DB growing unboundedly:**
 Verify `auto_vacuum_interval_hours` is non-zero and check the admin panel Database Maintenance section. If the DB exceeds `db_warn_threshold_mb` a red banner will appear. Run a manual VACUUM from the panel after bulk deletions.
 
+**Backup restore returns 503:**
+The backup system now correctly maps database pool exhaustion to 503 (Service Unavailable) instead of 500. This is a retryable condition — wait a moment and try again, or check if the instance is under heavy load.
+
+**ChanNet API not reachable:**
+Verify port 7070 is not firewalled. RustChan logs a startup message confirming the ChanNet server is listening. Check `rustchan-data/rustchan.$(date +%F).log` for any bind errors. If you are behind nginx, ensure you have a separate proxy block for port 7070.
+
 **Memory usage:** Typical idle footprint is 30–60 MiB. Connection pool under load uses ~32 MiB. Image processing may spike to ~64 MiB temporarily. Backup I/O peaks at ~64 KiB regardless of backup size. Well within Raspberry Pi 4 limits when `blocking_threads` is tuned appropriately.
diff --git a/src/logging.rs b/src/logging.rs
index f2cb4c0..fc8583f 100644
--- a/src/logging.rs
+++ b/src/logging.rs
@@ -4,18 +4,24 @@
 //
 //   1. Terminal (stdout, TTY-aware)
 //      • When stdout is a TTY (interactive terminal):
-//          HH:MM:SS [LEVEL] [component] message
+//          HH:MM:SS.mmm [LEVEL] [component] message  key=val …
 //        Coloured level tags; component tag in cyan; fits in 80 columns.
 //      • When stdout is not a TTY (piped, systemd, Docker, nohup):
-//          YYYY-MM-DDTHH:MM:SSZ [LEVEL] [component] message
+//          YYYY-MM-DD HH:MM:SS.mmm [LEVEL] [component] message  key=val …
 //        Zero ANSI codes — clean for log shippers and `grep`.
 //
 //      All writes go through `CONSOLE_MUTEX` so `console.rs` interactive
 //      output never interleaves with log events.
 //
-//   2. Log file (rustchan.YYYY-MM-DD.log, JSON, always-on, daily rotation)
-//      Full structured JSON with timestamps, file, line, and fields.
-//      Never interleaves — tracing-appender uses its own internal lock.
+//   2. Log file (rustchan.YYYY-MM-DD.log, human-readable text, daily rotation)
+//      Same fixed-column format as the non-TTY terminal output, with two extras:
+//        • Millisecond precision on every timestamp.
+//        • WARN and ERROR lines append  (src/file.rs:line)  at the end so you
+//          can jump straight to the source without grepping the codebase.
+//      One event per line — easy to tail, grep, and read in any text editor.
+//      If you need machine-parseable output for a log shipper (Loki, Datadog,
+//      etc.) swap the FileFormatter layer for .json() — see the comment in
+//      init_logging().
 //
 // `CONSOLE_MUTEX`
 // ───────────────
@@ -37,10 +43,10 @@ use std::fmt;
 use std::io::{self, Write};
 use std::path::Path;
 use std::sync::atomic::{AtomicBool, Ordering};
-use std::sync::LazyLock;
+use std::sync::{LazyLock, OnceLock};
 
 use tracing::{Event, Level, Subscriber};
-use tracing_subscriber::fmt::format::{FmtSpan, FormatEvent, FormatFields, Writer};
+use tracing_subscriber::fmt::format::{FormatEvent, FormatFields, Writer};
 use tracing_subscriber::fmt::{FmtContext, MakeWriter};
 use tracing_subscriber::registry::LookupSpan;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
@@ -55,6 +61,19 @@ use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilte
 static CONSOLE_MUTEX: LazyLock<parking_lot::Mutex<()>> =
     LazyLock::new(|| parking_lot::Mutex::new(()));
 
+// ─── Non-blocking file writer guard ─────────────────────────────────────────────
+//
+// `tracing_appender::non_blocking()` spawns a background thread that drains a
+// channel and flushes writes to disk after every batch.  The returned
+// `WorkerGuard` MUST stay alive for the entire process lifetime — dropping it
+// stops the background thread, which silently discards any buffered log lines
+// that have not yet been flushed, producing blank or truncated log files.
+//
+// Using a module-level OnceLock means the guard is stored here without
+// requiring callers to thread it through their own state, and without changing
+// the public `init_logging(&Path)` signature.
+static FILE_GUARD: OnceLock<tracing_appender::non_blocking::WorkerGuard> = OnceLock::new();
+
 // ─── TTY detection ────────────────────────────────────────────────────────────
 
 static IS_TTY: AtomicBool = AtomicBool::new(false);
@@ -86,21 +105,61 @@ fn extract_component(target: &str) -> &str {
     }
 }
 
-// ─── Custom terminal event formatter ─────────────────────────────────────────
+// ─── Shared formatting helpers ────────────────────────────────────────────────
+
+/// Write the fixed-width level tag.  Returns the ANSI open/close codes for
+/// the tag (empty strings when `ansi` is false).
+fn write_level_tag(writer: &mut Writer<'_>, level: Level, ansi: bool) -> fmt::Result {
+    let (tag, open, close) = if ansi {
+        match level {
+            Level::ERROR => ("[ERROR]", "\x1b[1;31m", "\x1b[0m"),
+            Level::WARN => ("[WARN ]", "\x1b[33m", "\x1b[0m"),
+            Level::INFO => ("[INFO ]", "", ""),
+            Level::DEBUG => ("[DEBUG]", "\x1b[2m", "\x1b[0m"),
+            Level::TRACE => ("[TRACE]", "\x1b[2m", "\x1b[0m"),
+        }
+    } else {
+        match level {
+            Level::ERROR => ("[ERROR]", "", ""),
+            Level::WARN => ("[WARN ]", "", ""),
+            Level::INFO => ("[INFO ]", "", ""),
+            Level::DEBUG => ("[DEBUG]", "", ""),
+            Level::TRACE => ("[TRACE]", "", ""),
+        }
+    };
+    write!(writer, "{open}{tag}{close} ")
+}
+
+/// Write the fixed-width (8-char) component tag, cyan when `ansi` is true.
+fn write_component_tag(writer: &mut Writer<'_>, target: &str, ansi: bool) -> fmt::Result {
+    let component = extract_component(target);
+    let chars: Vec<char> = component.chars().collect();
+    let len = chars.len().min(8);
+    let display: String = chars.get(..len).unwrap_or(&chars).iter().collect();
+
+    let (open, close) = if ansi {
+        ("\x1b[36m", "\x1b[0m")
+    } else {
+        ("", "")
+    };
+    write!(writer, "{open}[{display:<8}]{close} ")
+}
+
+// ─── Terminal formatter ───────────────────────────────────────────────────────
 
-/// Writes a compact, structured line per log event.
+/// Writes one compact line per log event to the terminal.
 ///
-/// TTY mode:
-///   `14:22:01 [INFO ] [server  ] Listening on http://0.0.0.0:8080`
+/// TTY mode (local dev):
+///   `14:22:01.123 [INFO ] [server  ] HTTP server listening  addr=0.0.0.0:8080`
 ///
 /// Non-TTY mode (piped / systemd / Docker):
-///   `2026-03-18T14:22:01Z [INFO ] [server  ] Listening on http://0.0.0.0:8080`
+///   `2026-03-18 14:22:01.123 [INFO ] [server  ] HTTP server listening  addr=0.0.0.0:8080`
 ///
-/// The component column is fixed at 8 characters (truncated or space-padded)
-/// so message text always starts at the same column.
-struct ConsoleFormatter;
+/// Columns are fixed-width so the message text always starts at the same
+/// horizontal position, making it easy to scan down a busy log stream.
+struct TerminalFormatter;
 
-impl<S, N> FormatEvent<S, N> for ConsoleFormatter
+impl<S, N> FormatEvent<S, N> for TerminalFormatter
 where
     S: Subscriber + for<'a> LookupSpan<'a>,
     N: for<'a> FormatFields<'a> + 'static,
@@ -113,57 +172,84 @@ where
     ) -> fmt::Result {
         let tty = IS_TTY.load(Ordering::Relaxed);
 
-        // ── Timestamp ─────────────────────────────────────────────────────────
+        // ── Timestamp (with milliseconds) ─────────────────────────────────────
         if tty {
             let now = chrono::Local::now();
-            write!(writer, "{} ", now.format("%H:%M:%S"))?;
+            write!(writer, "{} ", now.format("%H:%M:%S%.3f"))?;
         } else {
             let now = chrono::Utc::now();
-            write!(writer, "{} ", now.format("%Y-%m-%dT%H:%M:%SZ"))?;
+            write!(writer, "{} ", now.format("%Y-%m-%d %H:%M:%S%.3f"))?;
         }
 
-        // ── Level tag (fixed 7 chars: "[LEVEL]") ────────────────────────────
+        // ── Level + component columns ─────────────────────────────────────────
         let level = *event.metadata().level();
-        let (tag, open, close) = if tty {
-            match level {
-                Level::ERROR => ("[ERROR]", "\x1b[1;31m", "\x1b[0m"),
-                Level::WARN => ("[WARN ]", "\x1b[33m", "\x1b[0m"),
-                Level::INFO => ("[INFO ]", "", ""),
-                Level::DEBUG => ("[DEBUG]", "\x1b[2m", "\x1b[0m"),
-                Level::TRACE => ("[TRACE]", "\x1b[2m", "\x1b[0m"),
-            }
-        } else {
-            match level {
-                Level::ERROR => ("[ERROR]", "", ""),
-                Level::WARN => ("[WARN ]", "", ""),
-                Level::INFO => ("[INFO ]", "", ""),
-                Level::DEBUG => ("[DEBUG]", "", ""),
-                Level::TRACE => ("[TRACE]", "", ""),
-            }
-        };
-        write!(writer, "{open}{tag}{close} ")?;
-
-        // ── Component tag (8-char fixed column, cyan in TTY) ─────────────────
-        let target = event.metadata().target();
-        let component = extract_component(target);
-        let component_chars: Vec<char> = component.chars().collect();
-        let display_len = component_chars.len().min(8);
-        // Use .get() to avoid a panic on the slice if somehow display_len > len.
-        let display: String = component_chars
-            .get(..display_len)
-            .unwrap_or(&component_chars)
-            .iter()
-            .collect();
-
-        let (ctag_open, ctag_close) = if tty {
-            ("\x1b[36m", "\x1b[0m")
-        } else {
-            ("", "")
-        };
-        write!(writer, "{ctag_open}[{display:<8}]{ctag_close} ")?;
+        write_level_tag(&mut writer, level, tty)?;
+        write_component_tag(&mut writer, event.metadata().target(), tty)?;
+
+        // ── Message and structured fields ─────────────────────────────────────
+        // tracing_subscriber writes the `message` field first, then all other
+        // key=value fields separated by spaces — e.g.:
+        //   "Request received  method=GET path=/b/ latency_ms=4"
+        ctx.format_fields(writer.by_ref(), event)?;
+        writeln!(writer)
+    }
+}
+
+// ─── File formatter ───────────────────────────────────────────────────────────
+
+/// Writes one human-readable line per log event to the log file.
+///
+/// Format:
+///   `2026-03-18 14:22:01.123 [INFO ] [server  ] HTTP server listening  addr=0.0.0.0:8080`
+///   `2026-03-18 14:22:01.456 [ERROR] [error   ] DB query failed  err=no such table  (src/db/posts.rs:79)`
+///
+/// Differences from the terminal format:
+///   • Always UTC with the full date — the file is an archive, not a live view.
+///   • No ANSI colour codes — clean for `grep`, `less`, and text editors.
+///   • WARN and ERROR lines append `(file:line)` at the end so you can jump
+///     directly to the call site without having to search the source tree.
+struct FileFormatter;
+
+impl<S, N> FormatEvent<S, N> for FileFormatter
+where
+    S: Subscriber + for<'a> LookupSpan<'a>,
+    N: for<'a> FormatFields<'a> + 'static,
+{
+    fn format_event(
+        &self,
+        ctx: &FmtContext<'_, S, N>,
+        mut writer: Writer<'_>,
+        event: &Event<'_>,
+    ) -> fmt::Result {
+        // ── Timestamp — UTC, full date, millisecond precision ─────────────────
+        let now = chrono::Utc::now();
+        write!(writer, "{} ", now.format("%Y-%m-%d %H:%M:%S%.3f"))?;
+
+        // ── Level + component columns (no colour) ─────────────────────────────
+        let level = *event.metadata().level();
+        let meta = event.metadata();
+        write_level_tag(&mut writer, level, false)?;
+        write_component_tag(&mut writer, meta.target(), false)?;
 
         // ── Message and structured key=value fields ───────────────────────────
         ctx.format_fields(writer.by_ref(), event)?;
+
+        // ── Source location suffix for WARN and ERROR ─────────────────────────
+        // Only attached at these levels because:
+        //   • INFO/DEBUG events fire thousands of times per minute on a busy
+        //     board; the call site is rarely the interesting part.
+        //   • WARN/ERROR events are rare and almost always need follow-up —
+        //     having the exact file:line avoids a grep → blame cycle.
+        if matches!(level, Level::ERROR | Level::WARN) {
+            if let (Some(file), Some(line)) = (meta.file(), meta.line()) {
+                // Trim the leading "src/" that Rust adds to all file paths so
+                // the suffix stays compact: "(db/posts.rs:79)" not
+                // "(src/db/posts.rs:79)".
+                let trimmed = file.strip_prefix("src/").unwrap_or(file);
+                write!(writer, "  ({trimmed}:{line})")?;
+            }
+        }
+
         writeln!(writer)
     }
 }
@@ -212,13 +298,18 @@ impl<'a> MakeWriter<'a> for ConsoleLock {
 /// Detects whether stdout is an interactive terminal and stores the result
 /// in `IS_TTY` for the process lifetime. Installs two layers:
 ///
-/// 1. **Terminal layer** — `ConsoleFormatter` writes via `ConsoleLock`
+/// 1. **Terminal layer** — `TerminalFormatter` writes via `ConsoleLock`
 ///    (`CONSOLE_MUTEX`). Human-readable, coloured when TTY, plain otherwise.
 ///    Serialised with `console.rs` output via the shared mutex.
 ///
-/// 2. **File layer** — JSON, daily rotation, `debug`+.
+/// 2. **File layer** — `FileFormatter`, daily rotation, `debug`+.
 ///    Written to `{log_dir}/rustchan.YYYY-MM-DD.log`.
+///    One human-readable line per event; WARN/ERROR include source location.
 ///    Independent of the console lock; uses `tracing-appender`'s own lock.
+///
+/// To switch the file layer to JSON for a log aggregator (Loki, Datadog, …):
+/// replace `FileFormatter` with `.json()` and add `.with_file(true)
+/// .with_line_number(true)` to the layer builder.
 pub fn init_logging(log_dir: &Path) {
     use std::io::IsTerminal;
 
@@ -229,17 +320,38 @@ pub fn init_logging(log_dir: &Path) {
         .unwrap_or_else(|_| EnvFilter::new("rustchan=info,tower_http=warn"));
 
     let terminal_layer = tracing_subscriber::fmt::layer()
-        .event_format(ConsoleFormatter)
+        .event_format(TerminalFormatter)
         .with_writer(ConsoleLock);
 
-    let file_appender = tracing_appender::rolling::daily(log_dir, "rustchan.log");
+    // Build the rolling file appender.
+    // FIX (filename): tracing_appender::rolling::daily(dir, "rustchan.log")
+    // appends the date *after* the full string → "rustchan.log.2024-01-15"
+    // (no .log extension on rotated files).  The builder API separates
+    // prefix from suffix → "rustchan.2024-01-15.log".
+    let rolling = tracing_appender::rolling::RollingFileAppender::builder()
+        .rotation(tracing_appender::rolling::Rotation::DAILY)
+        .filename_prefix("rustchan")
+        .filename_suffix("log")
+        .build(log_dir)
+        .unwrap_or_else(|e| {
+            eprintln!("Warning: could not create log file appender: {e}");
+            tracing_appender::rolling::never(log_dir, "rustchan.log")
+        });
+
+    // FIX (blank files): wrap the appender in a non-blocking writer.
+    // RollingFileAppender uses an internal BufWriter that only flushes when
+    // the buffer fills to 8 KB or the appender is dropped.  On a quiet server
+    // you never hit 8 KB between restarts, so the file stays empty.
+    // non_blocking() moves writes to a background thread that flushes after
+    // every batch, guaranteeing data reaches disk promptly.
+    // The WorkerGuard is stored in FILE_GUARD so it lives for the entire
+    // process — see the comment on that static for why this matters.
+    let (non_blocking_writer, guard) = tracing_appender::non_blocking(rolling);
+    let _ = FILE_GUARD.set(guard);
+
     let file_layer = tracing_subscriber::fmt::layer()
-        .json()
-        .with_writer(file_appender)
-        .with_target(true)
-        .with_file(true)
-        .with_line_number(true)
-        .with_span_events(FmtSpan::CLOSE);
+        .event_format(FileFormatter)
+        .with_writer(non_blocking_writer);
 
     tracing_subscriber::registry()
         .with(env_filter)
diff --git a/src/main.rs b/src/main.rs
index f2435f3..e7af48d 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -51,20 +51,29 @@ use config::CONFIG;
 #[allow(clippy::arithmetic_side_effects)]
 #[allow(clippy::expect_used)]
 fn main() -> anyhow::Result<()> {
-    // Resolve the binary directory so the log file lands alongside the
-    // executable (e.g. /opt/rustchan/rustchan.log).  Falls back to "." if the
-    // path cannot be determined.
+    // Resolve the binary directory, then derive rustchan-data/ so the log
+    // file lands in <exe-dir>/rustchan-data/ alongside the database and
+    // uploads.  Falls back to "./rustchan-data" if the exe path cannot be
+    // determined.
     let binary_dir = std::env::current_exe()
         .ok()
         .and_then(|p| p.parent().map(std::path::PathBuf::from))
         .unwrap_or_else(|| std::path::PathBuf::from("."));
 
-    logging::init_logging(&binary_dir);
+    // Create rustchan-data/ before init_logging so the rolling file appender
+    // can open the directory immediately on startup.  run_server() also calls
+    // create_dir_all on this path; calling it twice is safe.
+    let data_dir = binary_dir.join("rustchan-data");
+    if let Err(e) = std::fs::create_dir_all(&data_dir) {
+        eprintln!("Warning: could not create rustchan-data directory: {e}");
+    }
+
+    logging::init_logging(&data_dir);
 
     tracing::info!(
         target: "startup",
         version = env!("CARGO_PKG_VERSION"),
-        log_dir = %binary_dir.display(),
+        log_dir = %data_dir.display(),
         "rustchan starting",
     );
 

From 0f13a5c8d178207dcc56a2830700a3b7febe0fb2 Mon Sep 17 00:00:00 2001
From: csd113 <xxcsd113xx@gmail.com>
Date: Fri, 20 Mar 2026 12:38:00 -0700
Subject: [PATCH 8/8] replaced tor with arti

---
 CHANGELOG.md                   |   20 +-
 Cargo.lock                     | 6000 ++++++++++++++++++++++++++------
 Cargo.toml                     |    9 +-
 README.md                      |   25 +-
 audit.toml                     |    3 +
 deny.toml                      |  181 +-
 ffmpeg-migration.md            | 1233 +++++++
 src/config.rs                  |    8 +-
 src/detect.rs                  |  543 +--
 src/handlers/admin/mod.rs      |   26 +-
 src/handlers/admin/settings.rs |   26 +-
 src/handlers/board.rs          |   14 +-
 src/middleware/mod.rs          |    3 +
 src/server/server.rs           |   18 +-
 14 files changed, 6580 insertions(+), 1529 deletions(-)
 create mode 100644 audit.toml
 create mode 100644 ffmpeg-migration.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9f712c7..3b5f9e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -79,19 +79,19 @@ All notable changes to RustChan will be documented in this file.
 
 ---
 
-## Tor Detection & Panic Safety (`src/detect.rs`)
+## Tor — Arti In-Process Migration
 
-- Removed all `.expect()` usage on shared mutexes
-- Replaced with poison-tolerant locking strategies
-- Prevented cascade crashes caused by mutex poisoning
+Replaced the subprocess-based C Tor launcher with **[Arti](https://gitlab.torproject.org/tpo/core/arti)** running fully in-process. **No system `tor` installation is required.**
 
-- Hardened global panic hook:
-  - Eliminated potential for double-panic aborts
-  - Replaced blocking locks with `try_lock()` where required
-  - Ensured panic hook never panics under any condition
+**How it works:** at startup a single Tokio task bootstraps Arti, derives a `.onion` address from a persistent Ed25519 keypair, launches the hidden service, and proxies inbound onion connections to the local HTTP port — all without spawning a child process, writing a `torrc`, or polling a `hostname` file.
 
-- Restored original panic hook after Tor lifecycle completes
-- Reduced global side effects of detection logic
+- Bootstrap takes ~30 s on first run (Arti downloads ~2 MB of directory data) and ~5 s on subsequent runs (consensus cached in `arti_cache/`)
+- The onion address is published to `AppState` the moment the service is ready; handlers read it from memory with zero filesystem I/O per request
+- Service keypair lives in `rustchan-data/arti_state/keys/` — back this directory up to preserve your `.onion` address; delete it to rotate to a new one
+- Old `rustchan-data/tor_data/`, `rustchan-data/tor_hidden_service/`, and `rustchan-data/torrc` are no longer created and can be safely deleted after migration
+- **Note:** the keypair location changed on migration (`tor_hidden_service/` → `arti_state/keys/`), so a new `.onion` address is generated on first run unless the old Ed25519 key is manually imported via Arti's key management tooling
+
+**Files changed:** `Cargo.toml` (+6 deps: `arti-client`, `tor-hsservice`, `tor-cell`, `futures`, `sha3`, `data-encoding`), `src/detect.rs`, `src/middleware/mod.rs`, `src/server/server.rs`, `src/handlers/board.rs`, `src/handlers/admin/mod.rs`, `src/handlers/admin/settings.rs`, `src/config.rs`
 
 ---
 
diff --git a/Cargo.lock b/Cargo.lock
index b91e553..7435085 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -8,6 +8,18 @@ version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
 
+[[package]]
+name = "aes"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
+dependencies = [
+ "cfg-if",
+ "cipher",
+ "cpufeatures 0.2.17",
+ "zeroize",
+]
+
 [[package]]
 name = "aho-corasick"
 version = "1.1.4"
@@ -32,6 +44,61 @@ dependencies = [
  "alloc-no-stdlib",
 ]
 
+[[package]]
+name = "alloca"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5a7d05ea6aea7e9e64d25b9156ba2fee3fdd659e34e41063cd2fc7cd020d7f4"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "amplify"
+version = "4.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f7fb4ac7c881e54a8e7015e399b6112a2a5bc958b6c89ac510840ff20273b31"
+dependencies = [
+ "amplify_derive",
+ "amplify_num",
+ "ascii",
+ "getrandom 0.2.17",
+ "getrandom 0.3.4",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "amplify_derive"
+version = "4.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a6309e6b8d89b36b9f959b7a8fa093583b94922a0f6438a24fb08936de4d428"
+dependencies = [
+ "amplify_syn",
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "amplify_num"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99bcb75a2982047f733547042fc3968c0f460dfcf7d90b90dea3b2744580e9ad"
+dependencies = [
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "amplify_syn"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7736fb8d473c0d83098b5bac44df6a561e20470375cd8bcae30516dc889fd62a"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
 [[package]]
 name = "android_system_properties"
 version = "0.1.5"
@@ -41,6 +108,12 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "anes"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299"
+
 [[package]]
 name = "anstream"
 version = "1.0.0"
@@ -109,6 +182,114 @@ dependencies = [
  "password-hash",
 ]
 
+[[package]]
+name = "arrayvec"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
+
+[[package]]
+name = "arti-client"
+version = "0.40.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e89842cae6e3bda0fd128a5c66eb3392ed412065dc698c77d9fcc4b77e4159f2"
+dependencies = [
+ "async-trait",
+ "cfg-if",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "educe",
+ "fs-mistrust",
+ "futures",
+ "hostname-validator",
+ "humantime",
+ "humantime-serde",
+ "libc",
+ "once_cell",
+ "postage",
+ "rand 0.9.2",
+ "safelog",
+ "serde",
+ "thiserror 2.0.18",
+ "time",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-chanmgr",
+ "tor-circmgr",
+ "tor-config",
+ "tor-config-path",
+ "tor-dircommon",
+ "tor-dirmgr",
+ "tor-error",
+ "tor-guardmgr",
+ "tor-hsclient",
+ "tor-hscrypto",
+ "tor-hsservice",
+ "tor-keymgr",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-memquota",
+ "tor-netdir",
+ "tor-netdoc",
+ "tor-persist",
+ "tor-proto",
+ "tor-protover",
+ "tor-rtcompat",
+ "tracing",
+ "void",
+]
+
+[[package]]
+name = "ascii"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d92bec98840b8f03a5ff5413de5293bfcd8bf96467cf5452609f939ec6f5de16"
+
+[[package]]
+name = "asn1-rs"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "assert_matches"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b34d609dfbaf33d6889b2b7106d3ca345eacad44200913df5ba02bfd31d2ba9"
+
 [[package]]
 name = "async-compression"
 version = "0.4.41"
@@ -117,10 +298,77 @@ checksum = "d0f9ee0f6e02ffd7ad5816e9464499fba7b3effd01123b515c41d1697c43dad1"
 dependencies = [
  "compression-codecs",
  "compression-core",
+ "futures-io",
  "pin-project-lite",
  "tokio",
 ]
 
+[[package]]
+name = "async-native-tls"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9343dc5acf07e79ff82d0c37899f079db3534d99f189a1837c8e549c99405bec"
+dependencies = [
+ "futures-util",
+ "native-tls",
+ "thiserror 1.0.69",
+ "url",
+]
+
+[[package]]
+name = "async-trait"
+version = "0.1.89"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "async_executors"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a982d2f86de6137cc05c9db9a915a19886c97911f9790d04f174cede74be01a5"
+dependencies = [
+ "blanket",
+ "futures-core",
+ "futures-task",
+ "futures-util",
+ "pin-project",
+ "rustc_version",
+ "tokio",
+]
+
+[[package]]
+name = "asynchronous-codec"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a860072022177f903e59730004fb5dc13db9275b79bb2aef7ba8ce831956c233"
+dependencies = [
+ "bytes",
+ "futures-sink",
+ "futures-util",
+ "memchr",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "atomic"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c59bdb34bc650a32731b31bd8f0829cc15d24a708ee31559e0bb34f2bc320cba"
+
+[[package]]
+name = "atomic"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a89cbf775b137e9b968e67227ef7f775587cde3fd31b0d8599dbd0f598a48340"
+dependencies = [
+ "bytemuck",
+]
+
 [[package]]
 name = "atomic-waker"
 version = "1.1.2"
@@ -208,6 +456,12 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "base16ct"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -220,12 +474,40 @@ version = "1.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
 
+[[package]]
+name = "bincode"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36eaf5d7b090263e8150820482d5d93cd964a81e4019913c972f4edcc6edb740"
+dependencies = [
+ "serde",
+ "unty",
+]
+
+[[package]]
+name = "bitflags"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
 [[package]]
 name = "bitflags"
 version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
 
+[[package]]
+name = "bitvec"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bc2832c24239b0141d5674bb9174f9d68a8b5b3f2753311927c172ca46f7e9c"
+dependencies = [
+ "funty",
+ "radium",
+ "tap",
+ "wyz",
+]
+
 [[package]]
 name = "blake2"
 version = "0.10.6"
@@ -235,6 +517,17 @@ dependencies = [
  "digest",
 ]
 
+[[package]]
+name = "blanket"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0b121a9fe0df916e362fb3271088d071159cdf11db0e4182d02152850756eff"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "block-buffer"
 version = "0.10.4"
@@ -265,18 +558,41 @@ dependencies = [
  "alloc-stdlib",
 ]
 
+[[package]]
+name = "bstr"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63044e1ae8e69f3b5a92c736ca6269b8d12fa7efe39bf34ddb06d102cf0e2cab"
+dependencies = [
+ "memchr",
+ "regex-automata",
+ "serde",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
 
+[[package]]
+name = "by_address"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64fa3c856b712db6612c019f14756e64e4bcea13337a6b33b696333a9eaa2d06"
+
 [[package]]
 name = "bytemuck"
 version = "1.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec"
 
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
 [[package]]
 name = "byteorder-lite"
 version = "0.1.0"
@@ -289,6 +605,18 @@ version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 
+[[package]]
+name = "caret"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "beae2cb9f60bc3f21effaaf9c64e51f6627edd54eedc9199ba07f519ef2a2101"
+
+[[package]]
+name = "cast"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
+
 [[package]]
 name = "cc"
 version = "1.2.56"
@@ -335,7 +663,45 @@ dependencies = [
  "num-traits",
  "serde",
  "wasm-bindgen",
- "windows-link",
+ "windows-link 0.2.1",
+]
+
+[[package]]
+name = "ciborium"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42e69ffd6f0917f5c029256a24d0161db17cea3997d185db0d35926308770f0e"
+dependencies = [
+ "ciborium-io",
+ "ciborium-ll",
+ "serde",
+]
+
+[[package]]
+name = "ciborium-io"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05afea1e0a06c9be33d539b876f1ce3692f4afea2cb41f740e7743225ed1c757"
+
+[[package]]
+name = "ciborium-ll"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9"
+dependencies = [
+ "ciborium-io",
+ "half",
+]
+
+[[package]]
+name = "cipher"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+dependencies = [
+ "crypto-common",
+ "inout",
+ "zeroize",
 ]
 
 [[package]]
@@ -357,7 +723,7 @@ dependencies = [
  "anstream",
  "anstyle",
  "clap_lex",
- "strsim",
+ "strsim 0.11.1",
 ]
 
 [[package]]
@@ -369,7 +735,7 @@ dependencies = [
  "heck",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -378,6 +744,17 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
 
+[[package]]
+name = "coarsetime"
+version = "0.1.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e58eb270476aa4fc7843849f8a35063e8743b4dbcdf6dd0f8ea0886980c204c2"
+dependencies = [
+ "libc",
+ "wasix",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "color_quant"
 version = "1.1.0"
@@ -399,6 +776,7 @@ dependencies = [
  "brotli",
  "compression-core",
  "flate2",
+ "liblzma",
  "memchr",
  "zstd",
  "zstd-safe",
@@ -410,6 +788,30 @@ version = "0.4.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75984efb6ed102a0d42db99afb6c1948f0380d1d91808d5529916e6c08b49d8d"
 
+[[package]]
+name = "concurrent-queue"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "convert_case"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9"
+dependencies = [
+ "unicode-segmentation",
+]
+
 [[package]]
 name = "cookie"
 version = "0.18.1"
@@ -421,6 +823,25 @@ dependencies = [
  "version_check",
 ]
 
+[[package]]
+name = "cookie-factory"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9885fa71e26b8ab7855e2ec7cae6e9b380edff76cd052e07c683a0319d51b3a2"
+dependencies = [
+ "futures",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -455,14 +876,87 @@ dependencies = [
 ]
 
 [[package]]
-name = "crossbeam-channel"
-version = "0.5.15"
+name = "criterion"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "950046b2aa2492f9a536f5f4f9a3de7b9e2476e575e05bd6c333371add4d98f3"
+dependencies = [
+ "alloca",
+ "anes",
+ "cast",
+ "ciborium",
+ "clap",
+ "criterion-plot",
+ "itertools 0.13.0",
+ "num-traits",
+ "oorandom",
+ "page_size",
+ "plotters",
+ "rayon",
+ "regex",
+ "serde",
+ "serde_json",
+ "tinytemplate",
+ "walkdir",
+]
+
+[[package]]
+name = "criterion-cycles-per-byte"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5396de42a52e9e5d8f67ef0702dae30451f310a9ba1c3094dcf228f0be0e54bc"
+dependencies = [
+ "cfg-if",
+ "criterion",
+]
+
+[[package]]
+name = "criterion-plot"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d8d80a2f4f5b554395e47b5d8305bc3d27813bacb73493eb1001e8f76dae29ea"
+dependencies = [
+ "cast",
+ "itertools 0.13.0",
+]
+
+[[package]]
+name = "crossbeam-channel"
+version = "0.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
 dependencies = [
  "crossbeam-utils",
 ]
 
+[[package]]
+name = "crossbeam-deque"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9dd111b7b7f7d55b72c0a6ae361660ee5853c9af73f70c3c2ef6858b950e2e51"
+dependencies = [
+ "crossbeam-epoch",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.9.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-queue"
+version = "0.3.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115"
+dependencies = [
+ "crossbeam-utils",
+]
+
 [[package]]
 name = "crossbeam-utils"
 version = "0.8.21"
@@ -476,1790 +970,4889 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
 
 [[package]]
-name = "crypto-common"
-version = "0.1.7"
+name = "crypto-bigint"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
 dependencies = [
  "generic-array",
- "typenum",
+ "rand_core 0.6.4",
+ "subtle",
+ "zeroize",
 ]
 
 [[package]]
-name = "dashmap"
-version = "6.1.0"
+name = "crypto-common"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
 dependencies = [
- "cfg-if",
- "crossbeam-utils",
- "hashbrown 0.14.5",
- "lock_api",
- "once_cell",
- "parking_lot_core",
+ "generic-array",
+ "typenum",
 ]
 
 [[package]]
-name = "deranged"
-version = "0.5.8"
+name = "ctr"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
+checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835"
 dependencies = [
- "powerfmt",
+ "cipher",
 ]
 
 [[package]]
-name = "digest"
-version = "0.10.7"
+name = "curve25519-dalek"
+version = "4.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
 dependencies = [
- "block-buffer",
- "crypto-common",
+ "cfg-if",
+ "cpufeatures 0.2.17",
+ "curve25519-dalek-derive",
+ "digest",
+ "fiat-crypto",
+ "rustc_version",
  "subtle",
+ "zeroize",
 ]
 
 [[package]]
-name = "displaydoc"
-version = "0.2.5"
+name = "curve25519-dalek-derive"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "encoding_rs"
-version = "0.8.35"
+name = "darling"
+version = "0.14.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
+checksum = "7b750cb3417fd1b327431a470f388520309479ab0bf5e323505daf0290cd3850"
 dependencies = [
- "cfg-if",
+ "darling_core 0.14.4",
+ "darling_macro 0.14.4",
 ]
 
 [[package]]
-name = "equivalent"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
-
-[[package]]
-name = "errno"
-version = "0.3.14"
+name = "darling"
+version = "0.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
+checksum = "9cdf337090841a411e2a7f3deb9187445851f91b309c0c0a29e05f74a00a48c0"
 dependencies = [
- "libc",
- "windows-sys 0.61.2",
+ "darling_core 0.21.3",
+ "darling_macro 0.21.3",
 ]
 
 [[package]]
-name = "fallible-iterator"
-version = "0.3.0"
+name = "darling"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2acce4a10f12dc2fb14a218589d4f1f62ef011b2d0cc4b3cb1bba8e94da14649"
+checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d"
+dependencies = [
+ "darling_core 0.23.0",
+ "darling_macro 0.23.0",
+]
 
 [[package]]
-name = "fallible-streaming-iterator"
-version = "0.1.9"
+name = "darling_core"
+version = "0.14.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a"
+checksum = "109c1ca6e6b7f82cc233a97004ea8ed7ca123a9af07a8230878fcfda9b158bf0"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim 0.10.0",
+ "syn 1.0.109",
+]
 
 [[package]]
-name = "fastrand"
-version = "2.3.0"
+name = "darling_core"
+version = "0.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
 
 [[package]]
-name = "fax"
-version = "0.2.6"
+name = "darling_core"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f05de7d48f37cd6730705cbca900770cab77a89f413d23e100ad7fad7795a0ab"
+checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0"
 dependencies = [
- "fax_derive",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim 0.11.1",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "fax_derive"
-version = "0.2.0"
+name = "darling_macro"
+version = "0.14.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0aca10fb742cb43f9e7bb8467c91aa9bcb8e3ffbc6a6f7389bb93ffc920577d"
+checksum = "a4aab4dbc9f7611d8b55048a3a16d2d010c2c8334e46304b40ac1cc14bf3b48e"
 dependencies = [
- "proc-macro2",
+ "darling_core 0.14.4",
  "quote",
- "syn",
+ "syn 1.0.109",
 ]
 
 [[package]]
-name = "fdeflate"
-version = "0.3.7"
+name = "darling_macro"
+version = "0.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
+checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81"
 dependencies = [
- "simd-adler32",
+ "darling_core 0.21.3",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "find-msvc-tools"
-version = "0.1.9"
+name = "darling_macro"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
+checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d"
+dependencies = [
+ "darling_core 0.23.0",
+ "quote",
+ "syn 2.0.117",
+]
 
 [[package]]
-name = "flate2"
-version = "1.1.9"
+name = "dashmap"
+version = "6.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
+checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
 dependencies = [
- "crc32fast",
- "miniz_oxide",
- "zlib-rs",
+ "cfg-if",
+ "crossbeam-utils",
+ "hashbrown 0.14.5",
+ "lock_api",
+ "once_cell",
+ "parking_lot_core",
 ]
 
 [[package]]
-name = "foldhash"
-version = "0.1.5"
+name = "data-encoding"
+version = "2.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea"
 
 [[package]]
-name = "foldhash"
-version = "0.2.0"
+name = "der"
+version = "0.7.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
+checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
+dependencies = [
+ "const-oid",
+ "pem-rfc7468",
+ "zeroize",
+]
 
 [[package]]
-name = "form_urlencoded"
-version = "1.2.2"
+name = "der-parser"
+version = "10.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
+checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
 dependencies = [
- "percent-encoding",
+ "asn1-rs",
+ "cookie-factory",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
 ]
 
 [[package]]
-name = "futures-channel"
-version = "0.3.32"
+name = "deranged"
+version = "0.5.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
+checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
 dependencies = [
- "futures-core",
+ "powerfmt",
+ "serde_core",
 ]
 
 [[package]]
-name = "futures-core"
-version = "0.3.32"
+name = "derive-deftly"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
+checksum = "284db66a66f03c3dafbe17360d959eb76b83f77cfe191677e2a7899c0da291f3"
+dependencies = [
+ "derive-deftly-macros",
+ "heck",
+]
 
 [[package]]
-name = "futures-sink"
-version = "0.3.32"
+name = "derive-deftly-macros"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
+checksum = "caef6056a5788d05d173cdc3c562ac28ae093828f851f69378b74e4e3d578e41"
+dependencies = [
+ "heck",
+ "indexmap 2.13.0",
+ "itertools 0.14.0",
+ "proc-macro-crate",
+ "proc-macro2",
+ "quote",
+ "sha3",
+ "strum",
+ "syn 2.0.117",
+ "void",
+]
 
 [[package]]
-name = "futures-task"
-version = "0.3.32"
+name = "derive_builder_core_fork_arti"
+version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
+checksum = "24c1b715c79be6328caa9a5e1a387a196ea503740f0722ec3dd8f67a9e72314d"
+dependencies = [
+ "darling 0.14.4",
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
 
 [[package]]
-name = "futures-util"
-version = "0.3.32"
+name = "derive_builder_fork_arti"
+version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
+checksum = "c3eae24d595f4d0ecc90a9a5a6d11c2bd8dafe2375ec4a1ec63250e5ade7d228"
 dependencies = [
- "futures-core",
- "futures-task",
- "pin-project-lite",
- "slab",
+ "derive_builder_macro_fork_arti",
 ]
 
 [[package]]
-name = "generic-array"
-version = "0.14.7"
+name = "derive_builder_macro_fork_arti"
+version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+checksum = "69887769a2489cd946bf782eb2b1bb2cb7bc88551440c94a765d4f040c08ebf3"
 dependencies = [
- "typenum",
- "version_check",
+ "derive_builder_core_fork_arti",
+ "syn 1.0.109",
 ]
 
 [[package]]
-name = "getrandom"
-version = "0.2.17"
+name = "derive_more"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
+checksum = "d751e9e49156b02b44f9c1815bcb94b984cdcc4396ecc32521c739452808b134"
 dependencies = [
- "cfg-if",
- "js-sys",
- "libc",
- "wasi",
- "wasm-bindgen",
+ "derive_more-impl",
 ]
 
 [[package]]
-name = "getrandom"
-version = "0.3.4"
+name = "derive_more-impl"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
+checksum = "799a97264921d8623a957f6c3b9011f3b5492f557bbb7a5a19b7fa6d06ba8dcb"
 dependencies = [
- "cfg-if",
- "js-sys",
- "libc",
- "r-efi 5.3.0",
- "wasip2",
- "wasm-bindgen",
+ "convert_case",
+ "proc-macro2",
+ "quote",
+ "rustc_version",
+ "syn 2.0.117",
+ "unicode-xid",
 ]
 
 [[package]]
-name = "getrandom"
-version = "0.4.2"
+name = "digest"
+version = "0.10.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
 dependencies = [
- "cfg-if",
- "libc",
- "r-efi 6.0.0",
- "rand_core 0.10.0",
- "wasip2",
- "wasip3",
+ "block-buffer",
+ "const-oid",
+ "crypto-common",
+ "subtle",
 ]
 
 [[package]]
-name = "gif"
-version = "0.14.1"
+name = "directories"
+version = "6.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f5df2ba84018d80c213569363bdcd0c64e6933c67fe4c1d60ecf822971a3c35e"
+checksum = "16f5094c54661b38d03bd7e50df373292118db60b585c08a411c6d840017fe7d"
 dependencies = [
- "color_quant",
- "weezl",
+ "dirs-sys",
 ]
 
 [[package]]
-name = "half"
-version = "2.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b"
-dependencies = [
- "cfg-if",
- "crunchy",
- "zerocopy",
-]
-
-[[package]]
-name = "hashbrown"
-version = "0.14.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
-
-[[package]]
-name = "hashbrown"
-version = "0.15.5"
+name = "dirs"
+version = "6.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+checksum = "c3e8aa94d75141228480295a7d0e7feb620b1a5ad9f12bc40be62411e38cce4e"
 dependencies = [
- "foldhash 0.1.5",
+ "dirs-sys",
 ]
 
 [[package]]
-name = "hashbrown"
-version = "0.16.1"
+name = "dirs-sys"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+checksum = "e01a3366d27ee9890022452ee61b2b63a67e6f13f58900b651ff5665f0bb1fab"
 dependencies = [
- "foldhash 0.2.0",
+ "libc",
+ "option-ext",
+ "redox_users",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
-name = "hashlink"
-version = "0.11.0"
+name = "displaydoc"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea0b22561a9c04a7cb1a302c013e0259cd3b4bb619f145b32f72b8b4bcbed230"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
 dependencies = [
- "hashbrown 0.16.1",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "heck"
-version = "0.5.0"
+name = "downcast-rs"
+version = "2.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+checksum = "117240f60069e65410b3ae1bb213295bd828f707b5bec6596a1afc8793ce0cbc"
 
 [[package]]
-name = "hex"
-version = "0.4.3"
+name = "dyn-clone"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
 
 [[package]]
-name = "http"
-version = "1.4.0"
+name = "ecdsa"
+version = "0.16.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
 dependencies = [
- "bytes",
- "itoa",
+ "der",
+ "digest",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+ "spki",
 ]
 
 [[package]]
-name = "http-body"
-version = "1.0.1"
+name = "ed25519"
+version = "2.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
+checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
 dependencies = [
- "bytes",
- "http",
+ "pkcs8",
+ "signature",
 ]
 
 [[package]]
-name = "http-body-util"
-version = "0.1.3"
+name = "ed25519-dalek"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
+checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
 dependencies = [
- "bytes",
- "futures-core",
- "http",
- "http-body",
- "pin-project-lite",
+ "curve25519-dalek",
+ "ed25519",
+ "merlin",
+ "rand_core 0.6.4",
+ "serde",
+ "sha2",
+ "subtle",
+ "zeroize",
 ]
 
 [[package]]
-name = "http-range-header"
-version = "0.4.2"
+name = "educe"
+version = "0.4.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9171a2ea8a68358193d15dd5d70c1c10a2afc3e7e4c5bc92bc9f025cebd7359c"
+checksum = "0f0042ff8246a363dbe77d2ceedb073339e85a804b9a47636c6e016a9a32c05f"
+dependencies = [
+ "enum-ordinalize",
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
 
 [[package]]
-name = "httparse"
-version = "1.10.1"
+name = "either"
+version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
 
 [[package]]
-name = "httpdate"
-version = "1.0.3"
+name = "elliptic-curve"
+version = "0.13.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+dependencies = [
+ "base16ct",
+ "crypto-bigint",
+ "digest",
+ "ff",
+ "generic-array",
+ "group",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
 
 [[package]]
-name = "hyper"
-version = "1.8.1"
+name = "encoding_rs"
+version = "0.8.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
+checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
 dependencies = [
- "atomic-waker",
- "bytes",
- "futures-channel",
- "futures-core",
- "http",
- "http-body",
- "httparse",
- "httpdate",
- "itoa",
- "pin-project-lite",
- "pin-utils",
- "smallvec",
- "tokio",
- "want",
+ "cfg-if",
 ]
 
 [[package]]
-name = "hyper-rustls"
-version = "0.27.7"
+name = "enum-ordinalize"
+version = "3.1.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+checksum = "1bf1fa3f06bbff1ea5b1a9c7b14aa992a39657db60a2759457328d7e058f49ee"
 dependencies = [
- "http",
- "hyper",
- "hyper-util",
- "rustls",
- "rustls-pki-types",
- "tokio",
- "tokio-rustls",
- "tower-service",
- "webpki-roots",
+ "num-bigint",
+ "num-traits",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "hyper-util"
-version = "0.1.20"
+name = "enum_dispatch"
+version = "0.3.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
+checksum = "aa18ce2bc66555b3218614519ac839ddb759a7d6720732f979ef8d13be147ecd"
 dependencies = [
- "base64",
- "bytes",
- "futures-channel",
- "futures-util",
- "http",
- "http-body",
- "hyper",
- "ipnet",
- "libc",
- "percent-encoding",
- "pin-project-lite",
- "socket2",
- "tokio",
- "tower-service",
- "tracing",
+ "once_cell",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "iana-time-zone"
-version = "0.1.65"
+name = "enumset"
+version = "1.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
+checksum = "25b07a8dfbbbfc0064c0a6bdf9edcf966de6b1c33ce344bdeca3b41615452634"
 dependencies = [
- "android_system_properties",
- "core-foundation-sys",
- "iana-time-zone-haiku",
- "js-sys",
- "log",
- "wasm-bindgen",
- "windows-core",
+ "enumset_derive",
 ]
 
 [[package]]
-name = "iana-time-zone-haiku"
-version = "0.1.2"
+name = "enumset_derive"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+checksum = "f43e744e4ea338060faee68ed933e46e722fb7f3617e722a5772d7e856d8b3ce"
 dependencies = [
- "cc",
+ "darling 0.21.3",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "icu_collections"
-version = "2.1.1"
+name = "equivalent"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
-dependencies = [
- "displaydoc",
- "potential_utf",
- "yoke",
- "zerofrom",
- "zerovec",
-]
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
 
 [[package]]
-name = "icu_locale_core"
-version = "2.1.1"
+name = "errno"
+version = "0.3.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
- "displaydoc",
- "litemap",
- "tinystr",
- "writeable",
- "zerovec",
+ "libc",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
-name = "icu_normalizer"
-version = "2.1.1"
+name = "event-listener"
+version = "5.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+checksum = "e13b66accf52311f30a0db42147dadea9850cb48cd070028831ae5f5d4b856ab"
 dependencies = [
- "icu_collections",
- "icu_normalizer_data",
- "icu_properties",
- "icu_provider",
- "smallvec",
- "zerovec",
+ "concurrent-queue",
+ "parking",
+ "pin-project-lite",
 ]
 
 [[package]]
-name = "icu_normalizer_data"
-version = "2.1.1"
+name = "fallible-iterator"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+checksum = "2acce4a10f12dc2fb14a218589d4f1f62ef011b2d0cc4b3cb1bba8e94da14649"
 
 [[package]]
-name = "icu_properties"
-version = "2.1.2"
+name = "fallible-streaming-iterator"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
-dependencies = [
- "icu_collections",
- "icu_locale_core",
- "icu_properties_data",
- "icu_provider",
- "zerotrie",
- "zerovec",
-]
+checksum = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a"
 
 [[package]]
-name = "icu_properties_data"
-version = "2.1.2"
+name = "fastrand"
+version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
 
 [[package]]
-name = "icu_provider"
-version = "2.1.1"
+name = "fax"
+version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+checksum = "f05de7d48f37cd6730705cbca900770cab77a89f413d23e100ad7fad7795a0ab"
 dependencies = [
- "displaydoc",
- "icu_locale_core",
- "writeable",
- "yoke",
- "zerofrom",
- "zerotrie",
- "zerovec",
+ "fax_derive",
 ]
 
 [[package]]
-name = "id-arena"
-version = "2.3.0"
+name = "fax_derive"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+checksum = "a0aca10fb742cb43f9e7bb8467c91aa9bcb8e3ffbc6a6f7389bb93ffc920577d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
 
 [[package]]
-name = "idna"
-version = "1.1.0"
+name = "fdeflate"
+version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
 dependencies = [
- "idna_adapter",
- "smallvec",
- "utf8_iter",
+ "simd-adler32",
 ]
 
 [[package]]
-name = "idna_adapter"
-version = "1.2.1"
+name = "ff"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
 dependencies = [
- "icu_normalizer",
- "icu_properties",
+ "rand_core 0.6.4",
+ "subtle",
 ]
 
 [[package]]
-name = "image"
-version = "0.25.10"
+name = "fiat-crypto"
+version = "0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
-dependencies = [
- "bytemuck",
- "byteorder-lite",
- "color_quant",
- "gif",
- "image-webp",
- "moxcms",
- "num-traits",
- "png",
- "tiff",
- "zune-core",
- "zune-jpeg",
-]
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
-name = "image-webp"
-version = "0.2.4"
+name = "figment"
+version = "0.10.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "525e9ff3e1a4be2fbea1fdf0e98686a6d98b4d8f937e1bf7402245af1909e8c3"
+checksum = "8cb01cd46b0cf372153850f4c6c272d9cbea2da513e07538405148f95bd789f3"
 dependencies = [
- "byteorder-lite",
- "quick-error",
+ "atomic 0.6.1",
+ "serde",
+ "toml 0.8.23",
+ "uncased",
+ "version_check",
 ]
 
 [[package]]
-name = "indexmap"
-version = "2.13.0"
+name = "filetime"
+version = "0.2.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+checksum = "f98844151eee8917efc50bd9e8318cb963ae8b297431495d3f758616ea5c57db"
 dependencies = [
- "equivalent",
- "hashbrown 0.16.1",
- "serde",
- "serde_core",
+ "cfg-if",
+ "libc",
+ "libredox",
 ]
 
 [[package]]
-name = "ipnet"
-version = "2.12.0"
+name = "find-msvc-tools"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
+checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
 
 [[package]]
-name = "iri-string"
-version = "0.7.10"
+name = "flate2"
+version = "1.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
+checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
 dependencies = [
- "memchr",
- "serde",
+ "crc32fast",
+ "miniz_oxide",
+ "zlib-rs",
 ]
 
 [[package]]
-name = "is_terminal_polyfill"
-version = "1.70.2"
+name = "fluid-let"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+checksum = "749cff877dc1af878a0b31a41dd221a753634401ea0ef2f87b62d3171522485a"
 
 [[package]]
-name = "itoa"
-version = "1.0.17"
+name = "fnv"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
-name = "jobserver"
-version = "0.1.34"
+name = "foldhash"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
-dependencies = [
- "getrandom 0.3.4",
- "libc",
-]
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
 
 [[package]]
-name = "js-sys"
-version = "0.3.91"
+name = "foldhash"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
+checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
 dependencies = [
- "once_cell",
- "wasm-bindgen",
+ "foreign-types-shared",
 ]
 
 [[package]]
-name = "kamadak-exif"
-version = "0.5.5"
+name = "foreign-types-shared"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef4fc70d0ab7e5b6bafa30216a6b48705ea964cdfc29c050f2412295eba58077"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
 dependencies = [
- "mutate_once",
+ "percent-encoding",
 ]
 
 [[package]]
-name = "lazy_static"
-version = "1.5.0"
+name = "fs-mistrust"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+checksum = "189ebb6d350de8d03181999fa9ebe8a021c5ab041004388f29e4dd2c52dc88a2"
+dependencies = [
+ "derive_builder_fork_arti",
+ "dirs",
+ "libc",
+ "pwd-grp",
+ "serde",
+ "thiserror 2.0.18",
+ "walkdir",
+]
 
 [[package]]
-name = "leb128fmt"
-version = "0.1.0"
+name = "fslock"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+checksum = "04412b8935272e3a9bae6f48c7bfff74c2911f60525404edfdd28e49884c3bfb"
+dependencies = [
+ "libc",
+ "winapi",
+]
 
 [[package]]
-name = "libc"
-version = "0.2.183"
+name = "fslock-arti-fork"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
+checksum = "8b21bd626aaab7b904b20bef6d9e06298914a0c8d9fb8b010483766b2e532791"
+dependencies = [
+ "libc",
+ "winapi",
+]
 
 [[package]]
-name = "libsqlite3-sys"
-version = "0.36.0"
+name = "fslock-guard"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95b4103cffefa72eb8428cb6b47d6627161e51c2739fc5e3b734584157bc642a"
+checksum = "75f62cb7d296f7d1fabdce7291281d9f0147b06a6e79afae05e1230eab667d85"
 dependencies = [
- "cc",
- "pkg-config",
- "vcpkg",
+ "fslock-arti-fork",
+ "thiserror 2.0.18",
+ "winapi",
 ]
 
 [[package]]
-name = "linux-raw-sys"
-version = "0.12.1"
+name = "funty"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
 
 [[package]]
-name = "litemap"
-version = "0.8.1"
+name = "futures"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+]
 
 [[package]]
-name = "lock_api"
-version = "0.4.14"
+name = "futures-channel"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
 dependencies = [
- "scopeguard",
+ "futures-core",
+ "futures-sink",
 ]
 
 [[package]]
-name = "log"
-version = "0.4.29"
+name = "futures-core"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d"
 
 [[package]]
-name = "lru-slab"
-version = "0.1.2"
+name = "futures-executor"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d"
+dependencies = [
+ "futures-core",
+ "futures-task",
+ "futures-util",
+]
 
 [[package]]
-name = "matchers"
-version = "0.2.0"
+name = "futures-io"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
+checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
 dependencies = [
- "regex-automata",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "matchit"
-version = "0.8.4"
+name = "futures-sink"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
+checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893"
 
 [[package]]
-name = "memchr"
-version = "2.8.0"
+name = "futures-task"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 
 [[package]]
-name = "mime"
-version = "0.3.17"
+name = "futures-util"
+version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-macro",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "slab",
+]
 
 [[package]]
-name = "mime_guess"
-version = "2.0.5"
+name = "generic-array"
+version = "0.14.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
- "mime",
- "unicase",
+ "typenum",
+ "version_check",
+ "zeroize",
 ]
 
 [[package]]
-name = "miniz_oxide"
-version = "0.8.9"
+name = "getrandom"
+version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
 dependencies = [
- "adler2",
- "simd-adler32",
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "wasi",
+ "wasm-bindgen",
 ]
 
 [[package]]
-name = "mio"
-version = "1.1.1"
+name = "getrandom"
+version = "0.3.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
 dependencies = [
+ "cfg-if",
+ "js-sys",
  "libc",
- "wasi",
- "windows-sys 0.61.2",
+ "r-efi 5.3.0",
+ "wasip2",
+ "wasm-bindgen",
 ]
 
 [[package]]
-name = "moxcms"
-version = "0.8.1"
+name = "getrandom"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
 dependencies = [
- "num-traits",
- "pxfm",
+ "cfg-if",
+ "libc",
+ "r-efi 6.0.0",
+ "rand_core 0.10.0",
+ "wasip2",
+ "wasip3",
 ]
 
 [[package]]
-name = "multer"
-version = "3.1.0"
+name = "getset"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83e87776546dc87511aa5ee218730c92b666d7264ab6ed41f9d215af9cd5224b"
+checksum = "9cf0fc11e47561d47397154977bc219f4cf809b2974facc3ccb3b89e2436f912"
 dependencies = [
- "bytes",
- "encoding_rs",
- "futures-util",
- "http",
- "httparse",
- "memchr",
- "mime",
- "spin",
- "version_check",
+ "proc-macro-error2",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "mutate_once"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13d2233c9842d08cfe13f9eac96e207ca6a2ea10b80259ebe8ad0268be27d2af"
-
-[[package]]
-name = "nu-ansi-term"
-version = "0.50.3"
+name = "gif"
+version = "0.14.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
+checksum = "f5df2ba84018d80c213569363bdcd0c64e6933c67fe4c1d60ecf822971a3c35e"
 dependencies = [
- "windows-sys 0.61.2",
+ "color_quant",
+ "weezl",
 ]
 
 [[package]]
-name = "num-conv"
-version = "0.2.0"
+name = "glob-match"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
+checksum = "9985c9503b412198aa4197559e9a318524ebc4519c229bfa05a535828c950b9d"
 
 [[package]]
-name = "num-traits"
-version = "0.2.19"
+name = "group"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
 dependencies = [
- "autocfg",
+ "ff",
+ "rand_core 0.6.4",
+ "subtle",
 ]
 
 [[package]]
-name = "once_cell"
-version = "1.21.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
-
-[[package]]
-name = "once_cell_polyfill"
-version = "1.70.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
-
-[[package]]
-name = "parking_lot"
-version = "0.12.5"
+name = "growable-bloom-filter"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+checksum = "d174ccb4ba660d431329e7f0797870d0a4281e36353ec4b4a3c5eab6c2cfb6f1"
 dependencies = [
- "lock_api",
- "parking_lot_core",
+ "serde",
+ "serde_bytes",
+ "serde_derive",
+ "xxhash-rust",
 ]
 
 [[package]]
-name = "parking_lot_core"
-version = "0.9.12"
+name = "half"
+version = "2.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b"
 dependencies = [
  "cfg-if",
- "libc",
- "redox_syscall",
- "smallvec",
- "windows-link",
-]
-
-[[package]]
-name = "password-hash"
-version = "0.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
-dependencies = [
- "base64ct",
- "rand_core 0.6.4",
- "subtle",
+ "crunchy",
+ "zerocopy",
 ]
 
 [[package]]
-name = "percent-encoding"
-version = "2.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
-
-[[package]]
-name = "pin-project-lite"
-version = "0.2.17"
+name = "hashbrown"
+version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
 
 [[package]]
-name = "pin-utils"
-version = "0.1.0"
+name = "hashbrown"
+version = "0.14.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
 
 [[package]]
-name = "pkg-config"
-version = "0.3.32"
+name = "hashbrown"
+version = "0.15.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash 0.1.5",
+]
 
 [[package]]
-name = "png"
-version = "0.18.1"
+name = "hashbrown"
+version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60769b8b31b2a9f263dae2776c37b1b28ae246943cf719eb6946a1db05128a61"
+checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
 dependencies = [
- "bitflags",
- "crc32fast",
- "fdeflate",
- "flate2",
- "miniz_oxide",
+ "foldhash 0.2.0",
 ]
 
 [[package]]
-name = "potential_utf"
-version = "0.1.4"
+name = "hashlink"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+checksum = "ea0b22561a9c04a7cb1a302c013e0259cd3b4bb619f145b32f72b8b4bcbed230"
 dependencies = [
- "zerovec",
+ "hashbrown 0.16.1",
 ]
 
 [[package]]
-name = "powerfmt"
-version = "0.2.0"
+name = "heck"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
 [[package]]
-name = "ppv-lite86"
-version = "0.2.21"
+name = "hex"
+version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
-dependencies = [
- "zerocopy",
-]
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
 [[package]]
-name = "prettyplease"
-version = "0.2.37"
+name = "hkdf"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
 dependencies = [
- "proc-macro2",
- "syn",
+ "hmac",
 ]
 
 [[package]]
-name = "proc-macro2"
-version = "1.0.106"
+name = "hmac"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
 dependencies = [
- "unicode-ident",
+ "digest",
 ]
 
 [[package]]
-name = "pxfm"
-version = "0.1.28"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5a041e753da8b807c9255f28de81879c78c876392ff2469cde94799b2896b9d"
-
-[[package]]
-name = "quick-error"
-version = "2.0.1"
+name = "hostname-validator"
+version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3"
+checksum = "f558a64ac9af88b5ba400d99b579451af0d39c6d360980045b91aac966d705e2"
 
 [[package]]
-name = "quinn"
-version = "0.11.9"
+name = "http"
+version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
 dependencies = [
  "bytes",
- "cfg_aliases",
- "pin-project-lite",
- "quinn-proto",
- "quinn-udp",
- "rustc-hash",
- "rustls",
- "socket2",
- "thiserror",
- "tokio",
- "tracing",
- "web-time",
+ "itoa",
 ]
 
 [[package]]
-name = "quinn-proto"
-version = "0.11.14"
+name = "http-body"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
 dependencies = [
  "bytes",
- "getrandom 0.3.4",
- "lru-slab",
- "rand 0.9.2",
- "ring",
- "rustc-hash",
- "rustls",
- "rustls-pki-types",
- "slab",
- "thiserror",
- "tinyvec",
- "tracing",
- "web-time",
+ "http",
 ]
 
 [[package]]
-name = "quinn-udp"
-version = "0.5.14"
+name = "http-body-util"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
 dependencies = [
- "cfg_aliases",
- "libc",
- "once_cell",
- "socket2",
- "tracing",
- "windows-sys 0.60.2",
+ "bytes",
+ "futures-core",
+ "http",
+ "http-body",
+ "pin-project-lite",
 ]
 
 [[package]]
-name = "quote"
-version = "1.0.45"
+name = "http-range-header"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
-dependencies = [
- "proc-macro2",
-]
+checksum = "9171a2ea8a68358193d15dd5d70c1c10a2afc3e7e4c5bc92bc9f025cebd7359c"
 
 [[package]]
-name = "r-efi"
-version = "5.3.0"
+name = "httparse"
+version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
 
 [[package]]
-name = "r-efi"
-version = "6.0.0"
+name = "httpdate"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
 
 [[package]]
-name = "r2d2"
-version = "0.8.10"
+name = "humantime"
+version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51de85fb3fb6524929c8a2eb85e6b6d363de4e8c48f9e2c2eac4944abc181c93"
-dependencies = [
- "log",
- "parking_lot",
- "scheduled-thread-pool",
-]
+checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424"
 
 [[package]]
-name = "r2d2_sqlite"
-version = "0.32.0"
+name = "humantime-serde"
+version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2ebd03c29250cdf191da93a35118b4567c2ef0eacab54f65e058d6f4c9965f6"
+checksum = "57a3db5ea5923d99402c94e9feb261dc5ee9b4efa158b0315f788cf549cc200c"
 dependencies = [
- "r2d2",
- "rusqlite",
- "uuid",
+ "humantime",
+ "serde",
 ]
 
 [[package]]
-name = "rand"
-version = "0.9.2"
+name = "hyper"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
 dependencies = [
- "rand_chacha",
- "rand_core 0.9.5",
-]
-
-[[package]]
+ "atomic-waker",
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "http",
+ "http-body",
+ "httparse",
+ "httpdate",
+ "itoa",
+ "pin-project-lite",
+ "pin-utils",
+ "smallvec",
+ "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.27.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+dependencies = [
+ "http",
+ "hyper",
+ "hyper-util",
+ "rustls",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls",
+ "tower-service",
+ "webpki-roots",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
+dependencies = [
+ "base64",
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "http",
+ "http-body",
+ "hyper",
+ "ipnet",
+ "libc",
+ "percent-encoding",
+ "pin-project-lite",
+ "socket2",
+ "tokio",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "iana-time-zone"
+version = "0.1.65"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "log",
+ "wasm-bindgen",
+ "windows-core 0.62.2",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "icu_collections"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+dependencies = [
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+
+[[package]]
+name = "icu_properties"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+dependencies = [
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+
+[[package]]
+name = "icu_provider"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "image"
+version = "0.25.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
+dependencies = [
+ "bytemuck",
+ "byteorder-lite",
+ "color_quant",
+ "gif",
+ "image-webp",
+ "moxcms",
+ "num-traits",
+ "png",
+ "tiff",
+ "zune-core",
+ "zune-jpeg",
+]
+
+[[package]]
+name = "image-webp"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "525e9ff3e1a4be2fbea1fdf0e98686a6d98b4d8f937e1bf7402245af1909e8c3"
+dependencies = [
+ "byteorder-lite",
+ "quick-error",
+]
+
+[[package]]
+name = "indexmap"
+version = "1.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99"
+dependencies = [
+ "autocfg",
+ "hashbrown 0.12.3",
+ "serde",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.16.1",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "inotify"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd5b3eaf1a28b758ac0faa5a4254e8ab2705605496f1b1f3fbbc3988ad73d199"
+dependencies = [
+ "bitflags 2.11.0",
+ "inotify-sys",
+ "libc",
+]
+
+[[package]]
+name = "inotify-sys"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e05c02b5e89bff3b946cedeca278abc628fe811e604f027c45a8aa3cf793d0eb"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "inout"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "inventory"
+version = "0.3.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "009ae045c87e7082cb72dab0ccd01ae075dd00141ddc108f43a0ea150a9e7227"
+dependencies = [
+ "rustversion",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
+
+[[package]]
+name = "iri-string"
+version = "0.7.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
+[[package]]
+name = "itertools"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itertools"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+
+[[package]]
+name = "jobserver"
+version = "0.1.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
+dependencies = [
+ "getrandom 0.3.4",
+ "libc",
+]
+
+[[package]]
+name = "js-sys"
+version = "0.3.91"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "k12"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f4dc5fdb62af2f520116927304f15d25b3c2667b4817b90efdc045194c912c54"
+dependencies = [
+ "digest",
+ "sha3",
+]
+
+[[package]]
+name = "kamadak-exif"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef4fc70d0ab7e5b6bafa30216a6b48705ea964cdfc29c050f2412295eba58077"
+dependencies = [
+ "mutate_once",
+]
+
+[[package]]
+name = "keccak"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb26cec98cce3a3d96cbb7bced3c4b16e3d13f27ec56dbd62cbc8f39cfb9d653"
+dependencies = [
+ "cpufeatures 0.2.17",
+]
+
+[[package]]
+name = "kqueue"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eac30106d7dce88daf4a3fcb4879ea939476d5074a9b7ddd0fb97fa4bed5596a"
+dependencies = [
+ "kqueue-sys",
+ "libc",
+]
+
+[[package]]
+name = "kqueue-sys"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed9625ffda8729b85e45cf04090035ac368927b8cebc34898e7c120f52e4838b"
+dependencies = [
+ "bitflags 1.3.2",
+ "libc",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+dependencies = [
+ "spin",
+]
+
+[[package]]
+name = "leb128fmt"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
+[[package]]
+name = "libc"
+version = "0.2.183"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
+
+[[package]]
+name = "liblzma"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6033b77c21d1f56deeae8014eb9fbe7bdf1765185a6c508b5ca82eeaed7f899"
+dependencies = [
+ "liblzma-sys",
+]
+
+[[package]]
+name = "liblzma-sys"
+version = "0.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f2db66f3268487b5033077f266da6777d057949b8f93c8ad82e441df25e6186"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+]
+
+[[package]]
+name = "libm"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"
+
+[[package]]
+name = "libredox"
+version = "0.1.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1744e39d1d6a9948f4f388969627434e31128196de472883b39f148769bfe30a"
+dependencies = [
+ "bitflags 2.11.0",
+ "libc",
+ "plain",
+ "redox_syscall 0.7.3",
+]
+
+[[package]]
+name = "libsqlite3-sys"
+version = "0.36.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95b4103cffefa72eb8428cb6b47d6627161e51c2739fc5e3b734584157bc642a"
+dependencies = [
+ "cc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
+[[package]]
+name = "litemap"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
+[[package]]
+name = "matchers"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
+dependencies = [
+ "regex-automata",
+]
+
+[[package]]
+name = "matchit"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "memmap2"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714098028fe011992e1c3962653c96b2d578c4b4bce9036e15ff220319b1e0e3"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "merlin"
+version = "3.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58c38e2799fc0978b65dfff8023ec7843e2330bb462f19198840b34b6582397d"
+dependencies = [
+ "byteorder",
+ "keccak",
+ "rand_core 0.6.4",
+ "zeroize",
+]
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "mime_guess"
+version = "2.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
+dependencies = [
+ "mime",
+ "unicase",
+]
+
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+ "simd-adler32",
+]
+
+[[package]]
+name = "mio"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
+dependencies = [
+ "libc",
+ "log",
+ "wasi",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "moxcms"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
+dependencies = [
+ "num-traits",
+ "pxfm",
+]
+
+[[package]]
+name = "multer"
+version = "3.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83e87776546dc87511aa5ee218730c92b666d7264ab6ed41f9d215af9cd5224b"
+dependencies = [
+ "bytes",
+ "encoding_rs",
+ "futures-util",
+ "http",
+ "httparse",
+ "memchr",
+ "mime",
+ "spin",
+ "version_check",
+]
+
+[[package]]
+name = "mutate_once"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13d2233c9842d08cfe13f9eac96e207ca6a2ea10b80259ebe8ad0268be27d2af"
+
+[[package]]
+name = "native-tls"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "465500e14ea162429d264d44189adc38b199b62b1c21eea9f69e4b73cb03bbf2"
+dependencies = [
+ "libc",
+ "log",
+ "openssl",
+ "openssl-probe",
+ "openssl-sys",
+ "schannel",
+ "security-framework",
+ "security-framework-sys",
+ "tempfile",
+]
+
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
+[[package]]
+name = "nonany"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6b8866ec53810a9a4b3d434a29801e78c707430a9ae11c2db4b8b62bb9675a0"
+
+[[package]]
+name = "notify"
+version = "8.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3"
+dependencies = [
+ "bitflags 2.11.0",
+ "inotify",
+ "kqueue",
+ "libc",
+ "log",
+ "mio",
+ "notify-types",
+ "walkdir",
+ "windows-sys 0.60.2",
+]
+
+[[package]]
+name = "notify-types"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42b8cfee0e339a0337359f3c88165702ac6e600dc01c0cc9579a92d62b08477a"
+dependencies = [
+ "bitflags 2.11.0",
+]
+
+[[package]]
+name = "ntapi"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3b335231dfd352ffb0f8017f3b6027a4917f7df785ea2143d8af2adc66980ae"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "nu-ansi-term"
+version = "0.50.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-bigint-dig"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7"
+dependencies = [
+ "lazy_static",
+ "libm",
+ "num-integer",
+ "num-iter",
+ "num-traits",
+ "rand 0.8.5",
+ "smallvec",
+ "zeroize",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-iter"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+ "libm",
+]
+
+[[package]]
+name = "num_enum"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d0bca838442ec211fa11de3a8b0e0e8f3a4522575b5c4c06ed722e005036f26"
+dependencies = [
+ "num_enum_derive",
+ "rustversion",
+]
+
+[[package]]
+name = "num_enum_derive"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "680998035259dcfcafe653688bf2aa6d3e2dc05e98be6ab46afb089dc84f1df8"
+dependencies = [
+ "proc-macro-crate",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "objc2-core-foundation"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a180dd8642fa45cdb7dd721cd4c11b1cadd4929ce112ebd8b9f5803cc79d536"
+dependencies = [
+ "bitflags 2.11.0",
+]
+
+[[package]]
+name = "objc2-io-kit"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33fafba39597d6dc1fb709123dfa8289d39406734be322956a69f0931c73bb15"
+dependencies = [
+ "libc",
+ "objc2-core-foundation",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
+
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
+[[package]]
+name = "oneshot-fused-workaround"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e17b52d0e4a06a4c7eb8d2943c0015fa628cf4ccc409429cebc0f5bed6d33a82"
+dependencies = [
+ "futures",
+]
+
+[[package]]
+name = "oorandom"
+version = "11.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"
+
+[[package]]
+name = "openssl"
+version = "0.10.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "951c002c75e16ea2c65b8c7e4d3d51d5530d8dfa7d060b4776828c88cfb18ecf"
+dependencies = [
+ "bitflags 2.11.0",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "openssl-probe"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.112"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57d55af3b3e226502be1526dfdba67ab0e9c96fc293004e79576b2b9edb0dbdb"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "option-ext"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+
+[[package]]
+name = "ordered-float"
+version = "2.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "os_str_bytes"
+version = "6.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2355d85b9a3786f481747ced0e0ff2ba35213a1f9bd406ed906554d7af805a1"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "p256"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
+[[package]]
+name = "p384"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2",
+]
+
+[[package]]
+name = "p521"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fc9e2161f1f215afdfce23677034ae137bbd45016a880c2eb3ba8eb95f085b2"
+dependencies = [
+ "base16ct",
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "rand_core 0.6.4",
+ "sha2",
+]
+
+[[package]]
+name = "page_size"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30d5b2194ed13191c1999ae0704b7839fb18384fa22e49b57eeaa97d79ce40da"
+dependencies = [
+ "libc",
+ "winapi",
+]
+
+[[package]]
+name = "parking"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall 0.5.18",
+ "smallvec",
+ "windows-link 0.2.1",
+]
+
+[[package]]
+name = "password-hash"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
+dependencies = [
+ "base64ct",
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
+
+[[package]]
+name = "phf"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c1562dc717473dbaa4c1f85a36410e03c047b2e7df7f45ee938fbef64ae7fadf"
+dependencies = [
+ "phf_macros",
+ "phf_shared",
+ "serde",
+]
+
+[[package]]
+name = "phf_generator"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "135ace3a761e564ec88c03a77317a7c6b80bb7f7135ef2544dbe054243b89737"
+dependencies = [
+ "fastrand",
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_macros"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "812f032b54b1e759ccd5f8b6677695d5268c588701effba24601f6932f8269ef"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "phf_shared"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e57fef6bc5981e38c2ce2d63bfa546861309f875b8a75f092d1d54ae2d64f266"
+dependencies = [
+ "siphasher",
+]
+
+[[package]]
+name = "pin-project"
+version = "1.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1749c7ed4bcaf4c3d0a3efc28538844fb29bcdd7d2b67b2be7e20ba861ff517"
+dependencies = [
+ "pin-project-internal",
+]
+
+[[package]]
+name = "pin-project-internal"
+version = "1.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9b20ed30f105399776b9c883e68e536ef602a16ae6f596d2c473591d6ad64c6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkcs1"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
+dependencies = [
+ "der",
+ "pkcs8",
+ "spki",
+]
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+
+[[package]]
+name = "plain"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
+
+[[package]]
+name = "plotters"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5aeb6f403d7a4911efb1e33402027fc44f29b5bf6def3effcc22d7bb75f2b747"
+dependencies = [
+ "num-traits",
+ "plotters-backend",
+ "plotters-svg",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "plotters-backend"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df42e13c12958a16b3f7f4386b9ab1f3e7933914ecea48da7139435263a4172a"
+
+[[package]]
+name = "plotters-svg"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51bae2ac328883f7acdfea3d66a7c35751187f870bc81f94563733a154d7a670"
+dependencies = [
+ "plotters-backend",
+]
+
+[[package]]
+name = "png"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "60769b8b31b2a9f263dae2776c37b1b28ae246943cf719eb6946a1db05128a61"
+dependencies = [
+ "bitflags 2.11.0",
+ "crc32fast",
+ "fdeflate",
+ "flate2",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "postage"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af3fb618632874fb76937c2361a7f22afd393c982a2165595407edc75b06d3c1"
+dependencies = [
+ "atomic 0.5.3",
+ "crossbeam-queue",
+ "futures",
+ "parking_lot",
+ "pin-project",
+ "static_assertions",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "potential_utf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+dependencies = [
+ "zerovec",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "primeorder"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+dependencies = [
+ "elliptic-curve",
+]
+
+[[package]]
+name = "priority-queue"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93980406f12d9f8140ed5abe7155acb10bb1e69ea55c88960b9c2f117445ef96"
+dependencies = [
+ "equivalent",
+ "indexmap 2.13.0",
+ "serde",
+]
+
+[[package]]
+name = "proc-macro-crate"
+version = "3.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
+dependencies = [
+ "toml_edit 0.25.4+spec-1.1.0",
+]
+
+[[package]]
+name = "proc-macro-error-attr2"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
+name = "proc-macro-error2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
+dependencies = [
+ "proc-macro-error-attr2",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "pwd-grp"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e2023f41b5fcb7c30eb5300a5733edfaa9e0e0d502d51b586f65633fd39e40c"
+dependencies = [
+ "derive-deftly",
+ "libc",
+ "paste",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "pxfm"
+version = "0.1.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5a041e753da8b807c9255f28de81879c78c876392ff2469cde94799b2896b9d"
+
+[[package]]
+name = "quick-error"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3"
+
+[[package]]
+name = "quinn"
+version = "0.11.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2",
+ "thiserror 2.0.18",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
+dependencies = [
+ "bytes",
+ "getrandom 0.3.4",
+ "lru-slab",
+ "rand 0.9.2",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "slab",
+ "thiserror 2.0.18",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2",
+ "tracing",
+ "windows-sys 0.60.2",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "r-efi"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
+[[package]]
+name = "r2d2"
+version = "0.8.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51de85fb3fb6524929c8a2eb85e6b6d363de4e8c48f9e2c2eac4944abc181c93"
+dependencies = [
+ "log",
+ "parking_lot",
+ "scheduled-thread-pool",
+]
+
+[[package]]
+name = "r2d2_sqlite"
+version = "0.32.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2ebd03c29250cdf191da93a35118b4567c2ef0eacab54f65e058d6f4c9965f6"
+dependencies = [
+ "r2d2",
+ "rusqlite",
+ "uuid",
+]
+
+[[package]]
+name = "radium"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "rand_chacha 0.3.1",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha 0.9.0",
+ "rand_core 0.9.5",
+]
+
+[[package]]
 name = "rand"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8"
+checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8"
+dependencies = [
+ "chacha20",
+ "getrandom 0.4.2",
+ "rand_core 0.10.0",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.5",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom 0.2.17",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+dependencies = [
+ "getrandom 0.3.4",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba"
+
+[[package]]
+name = "rand_jitter"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b16df48f071248e67b8fc5e866d9448d45c08ad8b672baaaf796e2f15e606ff0"
+dependencies = [
+ "libc",
+ "rand_core 0.9.5",
+ "winapi",
+]
+
+[[package]]
+name = "rayon"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "368f01d005bf8fd9b1206fb6fa653e6c4a81ceb1466406b81792d87c5677a58f"
+dependencies = [
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91"
+dependencies = [
+ "crossbeam-deque",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "rdrand"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d92195228612ac8eed47adbc2ed0f04e513a4ccb98175b6f2bd04d963b533655"
+dependencies = [
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags 2.11.0",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce70a74e890531977d37e532c34d45e9055d2409ed08ddba14529471ed0be16"
+dependencies = [
+ "bitflags 2.11.0",
+]
+
+[[package]]
+name = "redox_users"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4e608c6638b9c18977b00b475ac1f28d14e84b27d8d42f70e0bf1e3dec127ac"
+dependencies = [
+ "getrandom 0.2.17",
+ "libredox",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "ref-cast"
+version = "1.0.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d"
+dependencies = [
+ "ref-cast-impl",
+]
+
+[[package]]
+name = "ref-cast-impl"
+version = "1.0.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
+
+[[package]]
+name = "reqwest"
+version = "0.12.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
+dependencies = [
+ "base64",
+ "bytes",
+ "futures-core",
+ "futures-util",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-rustls",
+ "hyper-util",
+ "js-sys",
+ "log",
+ "mime_guess",
+ "percent-encoding",
+ "pin-project-lite",
+ "quinn",
+ "rustls",
+ "rustls-pki-types",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tokio-rustls",
+ "tower",
+ "tower-http",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+ "webpki-roots",
+]
+
+[[package]]
+name = "retry-error"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c322ea521636c5a3f13685a6266055b2dda7e54e2be35214d7c2a5d0672a5db"
+dependencies = [
+ "humantime",
+]
+
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom 0.2.17",
+ "libc",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rsa"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d"
+dependencies = [
+ "const-oid",
+ "digest",
+ "num-bigint-dig",
+ "num-integer",
+ "num-traits",
+ "pkcs1",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sha2",
+ "signature",
+ "spki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rsqlite-vfs"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8a1f2315036ef6b1fbacd1972e8ee7688030b0a2121edfc2a6550febd41574d"
+dependencies = [
+ "hashbrown 0.16.1",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "rusqlite"
+version = "0.38.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1c93dd1c9683b438c392c492109cb702b8090b2bfc8fed6f6e4eb4523f17af3"
+dependencies = [
+ "bitflags 2.11.0",
+ "fallible-iterator",
+ "fallible-streaming-iterator",
+ "hashlink",
+ "libsqlite3-sys",
+ "smallvec",
+ "sqlite-wasm-rs",
+ "time",
+]
+
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "rustchan"
+version = "1.1.0"
+dependencies = [
+ "anyhow",
+ "argon2",
+ "arti-client",
+ "axum",
+ "axum-extra",
+ "chrono",
+ "clap",
+ "dashmap",
+ "data-encoding",
+ "futures",
+ "hex",
+ "image",
+ "kamadak-exif",
+ "libc",
+ "once_cell",
+ "parking_lot",
+ "r2d2",
+ "r2d2_sqlite",
+ "rand_core 0.6.4",
+ "regex",
+ "reqwest",
+ "rusqlite",
+ "serde",
+ "serde_json",
+ "sha2",
+ "sha3",
+ "subtle",
+ "tempfile",
+ "thiserror 2.0.18",
+ "time",
+ "tokio",
+ "tokio-util",
+ "toml 1.0.6+spec-1.1.0",
+ "tor-cell",
+ "tor-hsservice",
+ "tower",
+ "tower-http",
+ "tracing",
+ "tracing-appender",
+ "tracing-subscriber",
+ "uuid",
+ "zip",
+]
+
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom",
+]
+
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags 2.11.0",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "rustls"
+version = "0.23.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
+dependencies = [
+ "once_cell",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+dependencies = [
+ "web-time",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-webpki"
+version = "0.103.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "ryu"
+version = "1.0.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
+
+[[package]]
+name = "safelog"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8949ab2810bf603caef654634e5b4cedcbc05c120342a177cf8aaa122ef4bb76"
+dependencies = [
+ "derive_more",
+ "educe",
+ "either",
+ "fluid-let",
+ "thiserror 2.0.18",
+]
+
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
+[[package]]
+name = "sanitize-filename"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc984f4f9ceb736a7bb755c3e3bd17dc56370af2600c9780dcc48c66453da34d"
+dependencies = [
+ "regex",
+]
+
+[[package]]
+name = "saturating-time"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b63583a1dd0647d1484228529ab4ecaa874048d2956f117362aa5f5826456230"
+
+[[package]]
+name = "schannel"
+version = "0.1.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91c1b7e4904c873ef0710c1f407dde2e6287de2bebc1bbbf7d430bb7cbffd939"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "scheduled-thread-pool"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3cbc66816425a074528352f5789333ecff06ca41b36b0b0efdfbb29edc391a19"
+dependencies = [
+ "parking_lot",
+]
+
+[[package]]
+name = "schemars"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4cd191f9397d57d581cddd31014772520aa448f65ef991055d7f61582c65165f"
+dependencies = [
+ "dyn-clone",
+ "ref-cast",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc"
+dependencies = [
+ "dyn-clone",
+ "ref-cast",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "security-framework"
+version = "3.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
+dependencies = [
+ "bitflags 2.11.0",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde-value"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
+dependencies = [
+ "ordered-float",
+ "serde",
+]
+
+[[package]]
+name = "serde_bytes"
+version = "0.11.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5d440709e79d88e51ac01c4b72fc6cb7314017bb7da9eeff678aa94c10e3ea8"
+dependencies = [
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "serde_ignored"
+version = "0.1.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "115dffd5f3853e06e746965a20dcbae6ee747ae30b543d91b0e089668bb07798"
+dependencies = [
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
+
+[[package]]
+name = "serde_path_to_error"
+version = "0.1.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
+dependencies = [
+ "itoa",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "serde_spanned"
+version = "0.6.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf41e0cfaf7226dca15e8197172c295a782857fcb97fad1808a166870dee75a3"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde_spanned"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776"
+dependencies = [
+ "serde_core",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_with"
+version = "3.18.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f"
+dependencies = [
+ "base64",
+ "chrono",
+ "hex",
+ "indexmap 1.9.3",
+ "indexmap 2.13.0",
+ "schemars 0.9.0",
+ "schemars 1.2.1",
+ "serde_core",
+ "serde_json",
+ "serde_with_macros",
+ "time",
+]
+
+[[package]]
+name = "serde_with_macros"
+version = "3.18.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3db8978e608f1fe7357e211969fd9abdcae80bac1ba7a3369bb7eb6b404eb65"
+dependencies = [
+ "darling 0.23.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.2.17",
+ "digest",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.2.17",
+ "digest",
+]
+
+[[package]]
+name = "sha3"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60"
+dependencies = [
+ "digest",
+ "keccak",
+]
+
+[[package]]
+name = "sharded-slab"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "shellexpand"
+version = "3.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32824fab5e16e6c4d86dc1ba84489390419a39f97699852b66480bb87d297ed8"
+dependencies = [
+ "bstr",
+ "dirs",
+ "os_str_bytes",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signal-hook-registry"
+version = "1.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b"
+dependencies = [
+ "errno",
+ "libc",
+]
+
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "simd-adler32"
+version = "0.3.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2"
+
+[[package]]
+name = "siphasher"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e"
+
+[[package]]
+name = "slab"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
+
+[[package]]
+name = "slotmap"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bdd58c3c93c3d278ca835519292445cb4b0d4dc59ccfdf7ceadaab3f8aeb4038"
+dependencies = [
+ "serde",
+ "version_check",
+]
+
+[[package]]
+name = "slotmap-careful"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed92816c1fbb29891a525b92d5fa95757c9dee47044f76c8e06ceb1e052a8d64"
 dependencies = [
- "chacha20",
- "getrandom 0.4.2",
- "rand_core 0.10.0",
+ "paste",
+ "serde",
+ "slotmap",
+ "thiserror 2.0.18",
+ "void",
 ]
 
 [[package]]
-name = "rand_chacha"
-version = "0.9.0"
+name = "smallvec"
+version = "1.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+
+[[package]]
+name = "socket2"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
 dependencies = [
- "ppv-lite86",
- "rand_core 0.9.5",
+ "libc",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
-name = "rand_core"
-version = "0.6.4"
+name = "spin"
+version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
 dependencies = [
- "getrandom 0.2.17",
+ "base64ct",
+ "der",
 ]
 
 [[package]]
-name = "rand_core"
-version = "0.9.5"
+name = "sqlite-wasm-rs"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c"
+checksum = "2f4206ed3a67690b9c29b77d728f6acc3ce78f16bf846d83c94f76400320181b"
 dependencies = [
- "getrandom 0.3.4",
+ "cc",
+ "js-sys",
+ "rsqlite-vfs",
+ "wasm-bindgen",
 ]
 
 [[package]]
-name = "rand_core"
+name = "ssh-cipher"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "caac132742f0d33c3af65bfcde7f6aa8f62f0e991d80db99149eb9d44708784f"
+dependencies = [
+ "cipher",
+ "ssh-encoding",
+]
+
+[[package]]
+name = "ssh-encoding"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb9242b9ef4108a78e8cd1a2c98e193ef372437f8c22be363075233321dd4a15"
+dependencies = [
+ "base64ct",
+ "pem-rfc7468",
+ "sha2",
+]
+
+[[package]]
+name = "ssh-key"
+version = "0.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b86f5297f0f04d08cabaa0f6bff7cb6aec4d9c3b49d87990d63da9d9156a8c3"
+dependencies = [
+ "num-bigint-dig",
+ "p256",
+ "p384",
+ "p521",
+ "rand_core 0.6.4",
+ "rsa",
+ "sec1",
+ "sha2",
+ "signature",
+ "ssh-cipher",
+ "ssh-encoding",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
+[[package]]
+name = "static_assertions"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
+
+[[package]]
+name = "strsim"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba"
+checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
 
 [[package]]
-name = "redox_syscall"
-version = "0.5.18"
+name = "strsim"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "strum"
+version = "0.27.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf"
 dependencies = [
- "bitflags",
+ "strum_macros",
 ]
 
 [[package]]
-name = "regex"
-version = "1.12.3"
+name = "strum_macros"
+version = "0.27.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+checksum = "7695ce3845ea4b33927c055a39dc438a45b059f7c1b3d91d38d10355fb8cbca7"
 dependencies = [
- "aho-corasick",
- "memchr",
- "regex-automata",
- "regex-syntax",
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "regex-automata"
-version = "0.4.14"
+name = "subtle"
+version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
 dependencies = [
- "aho-corasick",
- "memchr",
- "regex-syntax",
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
 ]
 
 [[package]]
-name = "regex-syntax"
-version = "0.8.10"
+name = "syn"
+version = "2.0.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
 
 [[package]]
-name = "reqwest"
-version = "0.12.28"
+name = "sync_wrapper"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
+checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
 dependencies = [
- "base64",
- "bytes",
  "futures-core",
- "futures-util",
- "http",
- "http-body",
- "http-body-util",
- "hyper",
- "hyper-rustls",
- "hyper-util",
- "js-sys",
- "log",
- "mime_guess",
- "percent-encoding",
- "pin-project-lite",
- "quinn",
- "rustls",
- "rustls-pki-types",
- "serde",
- "serde_json",
- "serde_urlencoded",
- "sync_wrapper",
- "tokio",
- "tokio-rustls",
- "tower",
- "tower-http",
- "tower-service",
- "url",
- "wasm-bindgen",
- "wasm-bindgen-futures",
- "web-sys",
- "webpki-roots",
 ]
 
 [[package]]
-name = "ring"
-version = "0.17.14"
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "sysinfo"
+version = "0.36.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "252800745060e7b9ffb7b2badbd8b31cfa4aa2e61af879d0a3bf2a317c20217d"
+dependencies = [
+ "libc",
+ "memchr",
+ "ntapi",
+ "objc2-core-foundation",
+ "objc2-io-kit",
+ "windows",
+]
+
+[[package]]
+name = "tap"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
+
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom 0.4.2",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl 2.0.18",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "thread_local"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "tiff"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b63feaf3343d35b6ca4d50483f94843803b0f51634937cc2ec519fc32232bc52"
+dependencies = [
+ "fax",
+ "flate2",
+ "half",
+ "quick-error",
+ "weezl",
+ "zune-jpeg",
+]
+
+[[package]]
+name = "time"
+version = "0.3.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
 dependencies = [
- "cc",
- "cfg-if",
- "getrandom 0.2.17",
- "libc",
- "untrusted",
- "windows-sys 0.52.0",
+ "deranged",
+ "itoa",
+ "js-sys",
+ "num-conv",
+ "powerfmt",
+ "serde_core",
+ "time-core",
+ "time-macros",
 ]
 
 [[package]]
-name = "rsqlite-vfs"
-version = "0.1.0"
+name = "time-core"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8a1f2315036ef6b1fbacd1972e8ee7688030b0a2121edfc2a6550febd41574d"
-dependencies = [
- "hashbrown 0.16.1",
- "thiserror",
-]
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
 
 [[package]]
-name = "rusqlite"
-version = "0.38.0"
+name = "time-macros"
+version = "0.2.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1c93dd1c9683b438c392c492109cb702b8090b2bfc8fed6f6e4eb4523f17af3"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
 dependencies = [
- "bitflags",
- "fallible-iterator",
- "fallible-streaming-iterator",
- "hashlink",
- "libsqlite3-sys",
- "smallvec",
- "sqlite-wasm-rs",
+ "num-conv",
+ "time-core",
 ]
 
 [[package]]
-name = "rustc-hash"
-version = "2.1.1"
+name = "tinystr"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+dependencies = [
+ "displaydoc",
+ "serde_core",
+ "zerovec",
+]
 
 [[package]]
-name = "rustchan"
-version = "1.1.0"
+name = "tinytemplate"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be4d6b5f19ff7664e8c98d03e2139cb510db9b0a60b55f8e8709b689d939b6bc"
 dependencies = [
- "anyhow",
- "argon2",
- "axum",
- "axum-extra",
- "chrono",
- "clap",
- "dashmap",
- "hex",
- "image",
- "kamadak-exif",
- "libc",
- "once_cell",
- "parking_lot",
- "r2d2",
- "r2d2_sqlite",
- "rand_core 0.6.4",
- "regex",
- "reqwest",
- "rusqlite",
  "serde",
  "serde_json",
- "sha2",
- "subtle",
- "tempfile",
- "thiserror",
- "time",
- "tokio",
- "tokio-util",
- "toml",
- "tower",
- "tower-http",
- "tracing",
- "tracing-appender",
- "tracing-subscriber",
- "uuid",
- "zip",
 ]
 
 [[package]]
-name = "rustix"
-version = "1.1.4"
+name = "tinyvec"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
 dependencies = [
- "bitflags",
- "errno",
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
+[[package]]
+name = "tokio"
+version = "1.50.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
+dependencies = [
+ "bytes",
  "libc",
- "linux-raw-sys",
+ "mio",
+ "parking_lot",
+ "pin-project-lite",
+ "signal-hook-registry",
+ "socket2",
+ "tokio-macros",
  "windows-sys 0.61.2",
 ]
 
 [[package]]
-name = "rustls"
-version = "0.23.37"
+name = "tokio-macros"
+version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
+checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
 dependencies = [
- "once_cell",
- "ring",
- "rustls-pki-types",
- "rustls-webpki",
- "subtle",
- "zeroize",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
 ]
 
 [[package]]
-name = "rustls-pki-types"
-version = "1.14.0"
+name = "tokio-rustls"
+version = "0.26.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
 dependencies = [
- "web-time",
- "zeroize",
+ "rustls",
+ "tokio",
 ]
 
 [[package]]
-name = "rustls-webpki"
-version = "0.103.9"
+name = "tokio-util"
+version = "0.7.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
 dependencies = [
- "ring",
- "rustls-pki-types",
- "untrusted",
+ "bytes",
+ "futures-core",
+ "futures-io",
+ "futures-sink",
+ "pin-project-lite",
+ "tokio",
 ]
 
 [[package]]
-name = "rustversion"
-version = "1.0.22"
+name = "toml"
+version = "0.8.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362"
+dependencies = [
+ "serde",
+ "serde_spanned 0.6.9",
+ "toml_datetime 0.6.11",
+ "toml_edit 0.22.27",
+]
 
 [[package]]
-name = "ryu"
-version = "1.0.23"
+name = "toml"
+version = "0.9.12+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
+checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863"
+dependencies = [
+ "indexmap 2.13.0",
+ "serde_core",
+ "serde_spanned 1.0.4",
+ "toml_datetime 0.7.5+spec-1.1.0",
+ "toml_parser",
+ "toml_writer",
+ "winnow",
+]
 
 [[package]]
-name = "scheduled-thread-pool"
-version = "0.2.7"
+name = "toml"
+version = "1.0.6+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cbc66816425a074528352f5789333ecff06ca41b36b0b0efdfbb29edc391a19"
+checksum = "399b1124a3c9e16766831c6bba21e50192572cdd98706ea114f9502509686ffc"
 dependencies = [
- "parking_lot",
+ "indexmap 2.13.0",
+ "serde_core",
+ "serde_spanned 1.0.4",
+ "toml_datetime 1.0.0+spec-1.1.0",
+ "toml_parser",
+ "toml_writer",
+ "winnow",
 ]
 
 [[package]]
-name = "scopeguard"
-version = "1.2.0"
+name = "toml_datetime"
+version = "0.6.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c"
+dependencies = [
+ "serde",
+]
 
 [[package]]
-name = "semver"
-version = "1.0.27"
+name = "toml_datetime"
+version = "0.7.5+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+checksum = "92e1cfed4a3038bc5a127e35a2d360f145e1f4b971b551a2ba5fd7aedf7e1347"
+dependencies = [
+ "serde_core",
+]
 
 [[package]]
-name = "serde"
-version = "1.0.228"
+name = "toml_datetime"
+version = "1.0.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
 dependencies = [
  "serde_core",
- "serde_derive",
 ]
 
 [[package]]
-name = "serde_core"
-version = "1.0.228"
+name = "toml_edit"
+version = "0.22.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
 dependencies = [
- "serde_derive",
+ "indexmap 2.13.0",
+ "serde",
+ "serde_spanned 0.6.9",
+ "toml_datetime 0.6.11",
+ "toml_write",
+ "winnow",
 ]
 
 [[package]]
-name = "serde_derive"
-version = "1.0.228"
+name = "toml_edit"
+version = "0.25.4+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2"
 dependencies = [
- "proc-macro2",
- "quote",
- "syn",
+ "indexmap 2.13.0",
+ "toml_datetime 1.0.0+spec-1.1.0",
+ "toml_parser",
+ "winnow",
 ]
 
 [[package]]
-name = "serde_json"
-version = "1.0.149"
+name = "toml_parser"
+version = "1.0.9+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
 dependencies = [
- "itoa",
- "memchr",
- "serde",
- "serde_core",
- "zmij",
+ "winnow",
 ]
 
 [[package]]
-name = "serde_path_to_error"
-version = "0.1.20"
+name = "toml_write"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
+checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
+
+[[package]]
+name = "toml_writer"
+version = "1.0.6+spec-1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607"
+
+[[package]]
+name = "tor-async-utils"
+version = "0.40.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "895c61a46909134501c6815eceeb66c9c80fc494ee89429821b0f05ccf34b4f5"
 dependencies = [
- "itoa",
+ "derive-deftly",
+ "educe",
+ "futures",
+ "oneshot-fused-workaround",
+ "pin-project",
+ "postage",
+ "thiserror 2.0.18",
+ "void",
+]
+
+[[package]]
+name = "tor-basic-utils"
+version = "0.40.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fac6e4d7e131b7d69bc85558383cd4ac61e46b4dd0d4ed51632f28fac98cac0c"
+dependencies = [
+ "derive_more",
+ "hex",
+ "itertools 0.14.0",
+ "libc",
+ "paste",
+ "rand 0.9.2",
+ "rand_chacha 0.9.0",
  "serde",
- "serde_core",
+ "slab",
+ "smallvec",
+ "thiserror 2.0.18",
+ "weak-table",
 ]
 
 [[package]]
-name = "serde_spanned"
-version = "1.0.4"
+name = "tor-bytes"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776"
+checksum = "64454947258e49f238a5f06a06250a0c54598a1c7409898b5c79505e6a99e7af"
 dependencies = [
- "serde_core",
+ "bytes",
+ "derive-deftly",
+ "digest",
+ "educe",
+ "getrandom 0.4.2",
+ "safelog",
+ "thiserror 2.0.18",
+ "tor-error",
+ "tor-llcrypto",
+ "zeroize",
 ]
 
 [[package]]
-name = "serde_urlencoded"
-version = "0.7.1"
+name = "tor-cell"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+checksum = "4ab0c79bc92a957e85959cf397a2d8f9c8294c35fa4f65247a9393b20ac95551"
 dependencies = [
- "form_urlencoded",
- "itoa",
- "ryu",
- "serde",
+ "amplify",
+ "bitflags 2.11.0",
+ "bytes",
+ "caret",
+ "derive-deftly",
+ "derive_more",
+ "educe",
+ "itertools 0.14.0",
+ "paste",
+ "rand 0.9.2",
+ "smallvec",
+ "thiserror 2.0.18",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-cert",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-memquota",
+ "tor-protover",
+ "tor-units",
+ "void",
 ]
 
 [[package]]
-name = "sha2"
-version = "0.10.9"
+name = "tor-cert"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+checksum = "debc911738298ee801fce4577c36a50c55295b0bb9c5519461b83cc486a1f86e"
 dependencies = [
- "cfg-if",
- "cpufeatures 0.2.17",
+ "caret",
+ "derive_builder_fork_arti",
+ "derive_more",
  "digest",
+ "thiserror 2.0.18",
+ "tor-bytes",
+ "tor-checkable",
+ "tor-error",
+ "tor-llcrypto",
 ]
 
 [[package]]
-name = "sharded-slab"
-version = "0.1.7"
+name = "tor-chanmgr"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+checksum = "7af5b7c2f1e16d1304b5185fcbc91ca5c8df991c21be00702f925f055573eea1"
 dependencies = [
- "lazy_static",
+ "async-trait",
+ "caret",
+ "cfg-if",
+ "derive-deftly",
+ "derive_more",
+ "educe",
+ "futures",
+ "oneshot-fused-workaround",
+ "percent-encoding",
+ "postage",
+ "rand 0.9.2",
+ "safelog",
+ "serde",
+ "serde_with",
+ "thiserror 2.0.18",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-cell",
+ "tor-config",
+ "tor-error",
+ "tor-keymgr",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-memquota",
+ "tor-netdir",
+ "tor-proto",
+ "tor-rtcompat",
+ "tor-socksproto",
+ "tor-units",
+ "tracing",
+ "url",
+ "void",
 ]
 
 [[package]]
-name = "shlex"
-version = "1.3.0"
+name = "tor-checkable"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+checksum = "15b13a5b50bb55037f2e81b25dde42f420d57c75154216b8ef989006cea3ebee"
+dependencies = [
+ "humantime",
+ "signature",
+ "thiserror 2.0.18",
+ "tor-llcrypto",
+]
 
 [[package]]
-name = "signal-hook-registry"
-version = "1.4.8"
+name = "tor-circmgr"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b"
+checksum = "b878f3f7c6be0c7f130d90b347ada2e7c46519dfbdde8273eae2e5d1792caa87"
 dependencies = [
- "errno",
- "libc",
+ "amplify",
+ "async-trait",
+ "cfg-if",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "downcast-rs",
+ "dyn-clone",
+ "educe",
+ "futures",
+ "humantime-serde",
+ "itertools 0.14.0",
+ "once_cell",
+ "oneshot-fused-workaround",
+ "pin-project",
+ "rand 0.9.2",
+ "retry-error",
+ "safelog",
+ "serde",
+ "thiserror 2.0.18",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-cell",
+ "tor-chanmgr",
+ "tor-config",
+ "tor-dircommon",
+ "tor-error",
+ "tor-guardmgr",
+ "tor-linkspec",
+ "tor-memquota",
+ "tor-netdir",
+ "tor-netdoc",
+ "tor-persist",
+ "tor-proto",
+ "tor-protover",
+ "tor-relay-selection",
+ "tor-rtcompat",
+ "tor-units",
+ "tracing",
+ "void",
+ "weak-table",
 ]
 
 [[package]]
-name = "simd-adler32"
-version = "0.3.8"
+name = "tor-config"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2"
+checksum = "3cbc74a00ab15bb986e3747c6969e40a58a63065d6f99077e7ee2f4657bb8b03"
+dependencies = [
+ "amplify",
+ "cfg-if",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "educe",
+ "either",
+ "figment",
+ "fs-mistrust",
+ "futures",
+ "humantime-serde",
+ "itertools 0.14.0",
+ "notify",
+ "paste",
+ "postage",
+ "regex",
+ "serde",
+ "serde-value",
+ "serde_ignored",
+ "strum",
+ "thiserror 2.0.18",
+ "toml 0.9.12+spec-1.1.0",
+ "tor-basic-utils",
+ "tor-error",
+ "tor-rtcompat",
+ "tracing",
+ "void",
+]
 
 [[package]]
-name = "slab"
-version = "0.4.12"
+name = "tor-config-path"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5"
+checksum = "3005ab7b9a26a7271e5adf3dfb4ae18c09a943e32aeccc4f6d1c53a60de74b8d"
+dependencies = [
+ "directories",
+ "serde",
+ "shellexpand",
+ "thiserror 2.0.18",
+ "tor-error",
+ "tor-general-addr",
+]
 
 [[package]]
-name = "smallvec"
-version = "1.15.1"
+name = "tor-consdiff"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+checksum = "6bfa2b7b71c72830f61c48da4bb3e13191e0c0e1404b9c5168c795e4f5feb4a8"
+dependencies = [
+ "digest",
+ "hex",
+ "thiserror 2.0.18",
+ "tor-llcrypto",
+]
 
 [[package]]
-name = "socket2"
-version = "0.6.3"
+name = "tor-dirclient"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
+checksum = "8ccd6fac844ac77c33ccdfcb56bf23ff40ebbb821ea708be79a481ec30e8c39c"
 dependencies = [
- "libc",
- "windows-sys 0.61.2",
+ "async-compression",
+ "base64ct",
+ "derive_more",
+ "futures",
+ "hex",
+ "http",
+ "httparse",
+ "httpdate",
+ "itertools 0.14.0",
+ "memchr",
+ "thiserror 2.0.18",
+ "tor-circmgr",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-netdoc",
+ "tor-proto",
+ "tor-rtcompat",
+ "tracing",
 ]
 
 [[package]]
-name = "spin"
-version = "0.9.8"
+name = "tor-dircommon"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+checksum = "dd0cf39a3c30321d145a4d60753ae7ef5bb58a66a00ac9e2bfc30bd823faf2a4"
+dependencies = [
+ "base64ct",
+ "derive-deftly",
+ "getset",
+ "humantime",
+ "humantime-serde",
+ "serde",
+ "tor-basic-utils",
+ "tor-checkable",
+ "tor-config",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-netdoc",
+ "tracing",
+]
 
 [[package]]
-name = "sqlite-wasm-rs"
-version = "0.5.2"
+name = "tor-dirmgr"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f4206ed3a67690b9c29b77d728f6acc3ce78f16bf846d83c94f76400320181b"
+checksum = "b52919aa9dbb82a354c5b904bef82e91beb702b9f8ad14e6eac4237d6128bf67"
 dependencies = [
- "cc",
- "js-sys",
- "rsqlite-vfs",
- "wasm-bindgen",
+ "async-trait",
+ "base64ct",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "digest",
+ "educe",
+ "event-listener",
+ "fs-mistrust",
+ "fslock",
+ "futures",
+ "hex",
+ "humantime",
+ "humantime-serde",
+ "itertools 0.14.0",
+ "memmap2",
+ "oneshot-fused-workaround",
+ "paste",
+ "postage",
+ "rand 0.9.2",
+ "rusqlite",
+ "safelog",
+ "scopeguard",
+ "serde",
+ "serde_json",
+ "signature",
+ "static_assertions",
+ "strum",
+ "thiserror 2.0.18",
+ "time",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-checkable",
+ "tor-circmgr",
+ "tor-config",
+ "tor-consdiff",
+ "tor-dirclient",
+ "tor-dircommon",
+ "tor-error",
+ "tor-guardmgr",
+ "tor-llcrypto",
+ "tor-netdir",
+ "tor-netdoc",
+ "tor-persist",
+ "tor-proto",
+ "tor-protover",
+ "tor-rtcompat",
+ "tracing",
 ]
 
 [[package]]
-name = "stable_deref_trait"
-version = "1.2.1"
+name = "tor-error"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+checksum = "595b005e6f571ac3890a34a00f361200aab781fd0218f2c528c86fc7af088df5"
+dependencies = [
+ "derive_more",
+ "futures",
+ "paste",
+ "retry-error",
+ "static_assertions",
+ "strum",
+ "thiserror 2.0.18",
+ "tracing",
+ "void",
+]
 
 [[package]]
-name = "strsim"
-version = "0.11.1"
+name = "tor-general-addr"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+checksum = "727b8c8bc01c1587486055edab5c2cd0d5c960f5bb3fac796fc9911872b8b397"
+dependencies = [
+ "derive_more",
+ "thiserror 2.0.18",
+ "void",
+]
 
 [[package]]
-name = "subtle"
-version = "2.6.1"
+name = "tor-guardmgr"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+checksum = "d337f465a477c0fb3b2faafa4654d70ff9df3590e57d22707591dddb4e4450c1"
+dependencies = [
+ "amplify",
+ "base64ct",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "dyn-clone",
+ "educe",
+ "futures",
+ "humantime",
+ "humantime-serde",
+ "itertools 0.14.0",
+ "num_enum",
+ "oneshot-fused-workaround",
+ "pin-project",
+ "postage",
+ "rand 0.9.2",
+ "safelog",
+ "serde",
+ "strum",
+ "thiserror 2.0.18",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-config",
+ "tor-dircommon",
+ "tor-error",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-netdir",
+ "tor-netdoc",
+ "tor-persist",
+ "tor-proto",
+ "tor-relay-selection",
+ "tor-rtcompat",
+ "tor-units",
+ "tracing",
+]
 
 [[package]]
-name = "syn"
-version = "2.0.117"
+name = "tor-hsclient"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+checksum = "4c701ef4eccab73f23d619ef5650c886239d1215e6d4aa0c3dec6342072a8178"
 dependencies = [
- "proc-macro2",
- "quote",
- "unicode-ident",
+ "async-trait",
+ "derive-deftly",
+ "derive_more",
+ "educe",
+ "either",
+ "futures",
+ "itertools 0.14.0",
+ "oneshot-fused-workaround",
+ "postage",
+ "rand 0.9.2",
+ "retry-error",
+ "safelog",
+ "slotmap-careful",
+ "strum",
+ "thiserror 2.0.18",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-cell",
+ "tor-checkable",
+ "tor-circmgr",
+ "tor-config",
+ "tor-dirclient",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-keymgr",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-memquota",
+ "tor-netdir",
+ "tor-netdoc",
+ "tor-persist",
+ "tor-proto",
+ "tor-protover",
+ "tor-rtcompat",
+ "tracing",
 ]
 
 [[package]]
-name = "sync_wrapper"
-version = "1.0.2"
+name = "tor-hscrypto"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+checksum = "a3693cd43f05cd01ac0aaa060dae5c5e53c4364f89e0d769e33cd629a2fd3118"
 dependencies = [
- "futures-core",
+ "cipher",
+ "data-encoding",
+ "derive-deftly",
+ "derive_more",
+ "digest",
+ "hex",
+ "humantime",
+ "itertools 0.14.0",
+ "paste",
+ "rand 0.9.2",
+ "safelog",
+ "serde",
+ "signature",
+ "subtle",
+ "thiserror 2.0.18",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-error",
+ "tor-key-forge",
+ "tor-llcrypto",
+ "tor-memquota",
+ "tor-units",
+ "void",
+ "zeroize",
 ]
 
 [[package]]
-name = "synstructure"
-version = "0.13.2"
+name = "tor-hsservice"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+checksum = "6c2d6a533ffd01b6764bfa59526f12883d6025fd64fdc73e219033ec29936aa3"
 dependencies = [
- "proc-macro2",
- "quote",
- "syn",
+ "amplify",
+ "async-trait",
+ "base64ct",
+ "cfg-if",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "digest",
+ "educe",
+ "fs-mistrust",
+ "futures",
+ "growable-bloom-filter",
+ "hex",
+ "humantime",
+ "itertools 0.14.0",
+ "k12",
+ "once_cell",
+ "oneshot-fused-workaround",
+ "postage",
+ "rand 0.9.2",
+ "rand_core 0.9.5",
+ "retry-error",
+ "safelog",
+ "serde",
+ "serde_with",
+ "strum",
+ "thiserror 2.0.18",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-cell",
+ "tor-circmgr",
+ "tor-config",
+ "tor-config-path",
+ "tor-dirclient",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-keymgr",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-log-ratelim",
+ "tor-netdir",
+ "tor-netdoc",
+ "tor-persist",
+ "tor-proto",
+ "tor-protover",
+ "tor-relay-selection",
+ "tor-rtcompat",
+ "tracing",
+ "void",
 ]
 
 [[package]]
-name = "tempfile"
-version = "3.27.0"
+name = "tor-key-forge"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+checksum = "3ade9065ae49cfe2ab020ca9ca9f2b3c5c9b5fc0d8980fa681d8b3a0668e042f"
 dependencies = [
- "fastrand",
- "getrandom 0.4.2",
- "once_cell",
- "rustix",
- "windows-sys 0.61.2",
+ "derive-deftly",
+ "derive_more",
+ "downcast-rs",
+ "paste",
+ "rand 0.9.2",
+ "rsa",
+ "signature",
+ "ssh-key",
+ "thiserror 2.0.18",
+ "tor-bytes",
+ "tor-cert",
+ "tor-checkable",
+ "tor-error",
+ "tor-llcrypto",
 ]
 
 [[package]]
-name = "thiserror"
-version = "2.0.18"
+name = "tor-keymgr"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+checksum = "243c3163d376c4723cd67271fcd6e5d6b498a6865c6b98299640e1be01c38826"
 dependencies = [
- "thiserror-impl",
+ "amplify",
+ "arrayvec",
+ "cfg-if",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "downcast-rs",
+ "dyn-clone",
+ "fs-mistrust",
+ "glob-match",
+ "humantime",
+ "inventory",
+ "itertools 0.14.0",
+ "rand 0.9.2",
+ "safelog",
+ "serde",
+ "signature",
+ "ssh-key",
+ "thiserror 2.0.18",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-config",
+ "tor-config-path",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-key-forge",
+ "tor-llcrypto",
+ "tor-persist",
+ "tracing",
+ "visibility",
+ "walkdir",
+ "zeroize",
 ]
 
 [[package]]
-name = "thiserror-impl"
-version = "2.0.18"
+name = "tor-linkspec"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+checksum = "05f1ea8786900d6fbe4c9f775d341b1ba01bbd1f750d89bd63be78b6b01e1836"
 dependencies = [
- "proc-macro2",
- "quote",
- "syn",
+ "base64ct",
+ "by_address",
+ "caret",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "hex",
+ "itertools 0.14.0",
+ "safelog",
+ "serde",
+ "serde_with",
+ "strum",
+ "thiserror 2.0.18",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-config",
+ "tor-llcrypto",
+ "tor-memquota",
+ "tor-protover",
 ]
 
 [[package]]
-name = "thread_local"
-version = "1.1.9"
+name = "tor-llcrypto"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
+checksum = "1c6989a1c6d06ffd6835e2917edaae4aeef544f8e5fdd68b54cc365f2af523de"
 dependencies = [
- "cfg-if",
+ "aes",
+ "base64ct",
+ "ctr",
+ "curve25519-dalek",
+ "der-parser",
+ "derive-deftly",
+ "derive_more",
+ "digest",
+ "ed25519-dalek",
+ "educe",
+ "getrandom 0.4.2",
+ "hex",
+ "rand 0.9.2",
+ "rand_chacha 0.9.0",
+ "rand_core 0.6.4",
+ "rand_core 0.9.5",
+ "rand_jitter",
+ "rdrand",
+ "rsa",
+ "safelog",
+ "serde",
+ "sha1",
+ "sha2",
+ "sha3",
+ "signature",
+ "subtle",
+ "thiserror 2.0.18",
+ "tor-error",
+ "tor-memquota-cost",
+ "visibility",
+ "x25519-dalek",
+ "zeroize",
 ]
 
 [[package]]
-name = "tiff"
-version = "0.11.3"
+name = "tor-log-ratelim"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b63feaf3343d35b6ca4d50483f94843803b0f51634937cc2ec519fc32232bc52"
+checksum = "3f1cd642180923d12e3fab5996b4aa2189718da7f465df6eb196ce2b9c70e293"
 dependencies = [
- "fax",
- "flate2",
- "half",
- "quick-error",
- "weezl",
- "zune-jpeg",
+ "futures",
+ "humantime",
+ "thiserror 2.0.18",
+ "tor-error",
+ "tor-rtcompat",
+ "tracing",
+ "weak-table",
 ]
 
 [[package]]
-name = "time"
-version = "0.3.47"
+name = "tor-memquota"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
+checksum = "599daea60fd3272eb72a795d1c593b45bbe15343cbc702340a81db124c06eed5"
 dependencies = [
- "deranged",
- "itoa",
- "num-conv",
- "powerfmt",
- "serde_core",
- "time-core",
- "time-macros",
+ "cfg-if",
+ "derive-deftly",
+ "derive_more",
+ "dyn-clone",
+ "educe",
+ "futures",
+ "itertools 0.14.0",
+ "paste",
+ "pin-project",
+ "serde",
+ "slotmap-careful",
+ "static_assertions",
+ "sysinfo",
+ "thiserror 2.0.18",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-config",
+ "tor-error",
+ "tor-log-ratelim",
+ "tor-memquota-cost",
+ "tor-rtcompat",
+ "tracing",
+ "void",
 ]
 
 [[package]]
-name = "time-core"
-version = "0.1.8"
+name = "tor-memquota-cost"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
+checksum = "dd92b07c0fc24e6d8166a5ff45e5b8654e68d89743c46d01889a16ab74c0b578"
+dependencies = [
+ "derive-deftly",
+ "itertools 0.14.0",
+ "paste",
+ "void",
+]
 
 [[package]]
-name = "time-macros"
-version = "0.2.27"
+name = "tor-netdir"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
+checksum = "41be8f47f521fc95206d2ba5facac8fb1a5b5b82169bd41ebeecdf46d1e77246"
 dependencies = [
- "num-conv",
- "time-core",
+ "async-trait",
+ "bitflags 2.11.0",
+ "derive_more",
+ "digest",
+ "futures",
+ "hex",
+ "humantime",
+ "itertools 0.14.0",
+ "num_enum",
+ "rand 0.9.2",
+ "serde",
+ "strum",
+ "thiserror 2.0.18",
+ "time",
+ "tor-basic-utils",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-netdoc",
+ "tor-protover",
+ "tor-units",
+ "tracing",
+ "typed-index-collections",
 ]
 
 [[package]]
-name = "tinystr"
-version = "0.8.2"
+name = "tor-netdoc"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+checksum = "ea8bce73d2c78bd78a2a927336ca639cf6bd5d8ad092ebcd0b3fdeaa47dcc77e"
 dependencies = [
- "displaydoc",
- "zerovec",
+ "amplify",
+ "base64ct",
+ "cipher",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "digest",
+ "educe",
+ "enumset",
+ "hex",
+ "humantime",
+ "itertools 0.14.0",
+ "memchr",
+ "paste",
+ "phf",
+ "rand 0.9.2",
+ "saturating-time",
+ "serde",
+ "serde_with",
+ "signature",
+ "smallvec",
+ "strum",
+ "subtle",
+ "thiserror 2.0.18",
+ "time",
+ "tinystr",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-cell",
+ "tor-cert",
+ "tor-checkable",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-protover",
+ "tor-units",
+ "void",
+ "zeroize",
 ]
 
 [[package]]
-name = "tinyvec"
-version = "1.10.0"
+name = "tor-persist"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+checksum = "507ab4b6a3d59ed0df5804eeed66dcacde75e3be13d3694216cdfdb666bce625"
 dependencies = [
- "tinyvec_macros",
+ "amplify",
+ "derive-deftly",
+ "derive_more",
+ "filetime",
+ "fs-mistrust",
+ "fslock",
+ "fslock-guard",
+ "futures",
+ "itertools 0.14.0",
+ "oneshot-fused-workaround",
+ "paste",
+ "sanitize-filename",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.18",
+ "time",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-error",
+ "tracing",
+ "void",
 ]
 
 [[package]]
-name = "tinyvec_macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
-
-[[package]]
-name = "tokio"
-version = "1.50.0"
+name = "tor-proto"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d"
+checksum = "bbfc552d535d36539d5782bb02028590bc472d219e49da51a96810725e80ff56"
 dependencies = [
+ "amplify",
+ "async-trait",
+ "asynchronous-codec",
+ "bitvec",
  "bytes",
- "libc",
- "mio",
- "parking_lot",
- "pin-project-lite",
- "signal-hook-registry",
- "socket2",
- "tokio-macros",
- "windows-sys 0.61.2",
+ "caret",
+ "cfg-if",
+ "cipher",
+ "coarsetime",
+ "criterion-cycles-per-byte",
+ "derive-deftly",
+ "derive_builder_fork_arti",
+ "derive_more",
+ "digest",
+ "educe",
+ "enum_dispatch",
+ "futures",
+ "futures-util",
+ "hkdf",
+ "hmac",
+ "itertools 0.14.0",
+ "nonany",
+ "oneshot-fused-workaround",
+ "pin-project",
+ "postage",
+ "rand 0.9.2",
+ "rand_core 0.9.5",
+ "safelog",
+ "slotmap-careful",
+ "smallvec",
+ "static_assertions",
+ "subtle",
+ "sync_wrapper",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-util",
+ "tor-async-utils",
+ "tor-basic-utils",
+ "tor-bytes",
+ "tor-cell",
+ "tor-cert",
+ "tor-checkable",
+ "tor-config",
+ "tor-error",
+ "tor-hscrypto",
+ "tor-linkspec",
+ "tor-llcrypto",
+ "tor-log-ratelim",
+ "tor-memquota",
+ "tor-protover",
+ "tor-relay-crypto",
+ "tor-rtcompat",
+ "tor-rtmock",
+ "tor-units",
+ "tracing",
+ "typenum",
+ "visibility",
+ "void",
+ "zeroize",
 ]
 
 [[package]]
-name = "tokio-macros"
-version = "2.6.1"
+name = "tor-protover"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
+checksum = "aed88527d070c4b7ea4e55a36d2d56d0500e30ca66298b5264f047f7f2f89cfa"
 dependencies = [
- "proc-macro2",
- "quote",
- "syn",
+ "caret",
+ "paste",
+ "serde_with",
+ "thiserror 2.0.18",
+ "tor-basic-utils",
+ "tor-bytes",
 ]
 
 [[package]]
-name = "tokio-rustls"
-version = "0.26.4"
+name = "tor-relay-crypto"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
+checksum = "f7e57e9f71b22ae1df63dbccc8e428cb07feec0abd654735109fa563c10bbb90"
 dependencies = [
- "rustls",
- "tokio",
+ "derive-deftly",
+ "derive_more",
+ "humantime",
+ "tor-cert",
+ "tor-checkable",
+ "tor-error",
+ "tor-key-forge",
+ "tor-keymgr",
+ "tor-llcrypto",
+ "tor-persist",
 ]
 
 [[package]]
-name = "tokio-util"
-version = "0.7.18"
+name = "tor-relay-selection"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
+checksum = "a372072ac9dea7d17e49693cc3f3ae77b3abf8125630516c9f2d622239b1920a"
 dependencies = [
- "bytes",
- "futures-core",
- "futures-sink",
- "pin-project-lite",
- "tokio",
+ "rand 0.9.2",
+ "serde",
+ "tor-basic-utils",
+ "tor-linkspec",
+ "tor-netdir",
+ "tor-netdoc",
 ]
 
 [[package]]
-name = "toml"
-version = "1.0.6+spec-1.1.0"
+name = "tor-rtcompat"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "399b1124a3c9e16766831c6bba21e50192572cdd98706ea114f9502509686ffc"
+checksum = "14428b930e59003e801c0c32697c0aeb9b0495ad33ecbe8c6753bdb596233270"
 dependencies = [
- "indexmap",
- "serde_core",
- "serde_spanned",
- "toml_datetime",
- "toml_parser",
- "toml_writer",
- "winnow",
+ "async-native-tls",
+ "async-trait",
+ "async_executors",
+ "asynchronous-codec",
+ "cfg-if",
+ "coarsetime",
+ "derive_more",
+ "dyn-clone",
+ "educe",
+ "futures",
+ "hex",
+ "libc",
+ "native-tls",
+ "paste",
+ "pin-project",
+ "socket2",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-util",
+ "tor-error",
+ "tor-general-addr",
+ "tracing",
+ "void",
+ "zeroize",
 ]
 
 [[package]]
-name = "toml_datetime"
-version = "1.0.0+spec-1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
-dependencies = [
- "serde_core",
+name = "tor-rtmock"
+version = "0.40.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2da91a432cdaee8a93e0bb21b02f3e9c7667832ccbb4b54e00d9c1214638e70"
+dependencies = [
+ "amplify",
+ "assert_matches",
+ "async-trait",
+ "derive-deftly",
+ "derive_more",
+ "educe",
+ "futures",
+ "humantime",
+ "itertools 0.14.0",
+ "oneshot-fused-workaround",
+ "pin-project",
+ "priority-queue",
+ "slotmap-careful",
+ "strum",
+ "thiserror 2.0.18",
+ "tor-error",
+ "tor-general-addr",
+ "tor-rtcompat",
+ "tracing",
+ "tracing-test",
+ "void",
 ]
 
 [[package]]
-name = "toml_parser"
-version = "1.0.9+spec-1.1.0"
+name = "tor-socksproto"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
+checksum = "adbc9115a2f506d9bb86ae4446f0ca70eb523dc2f5e900a33582e7c39decc23a"
 dependencies = [
- "winnow",
+ "amplify",
+ "caret",
+ "derive-deftly",
+ "educe",
+ "safelog",
+ "subtle",
+ "thiserror 2.0.18",
+ "tor-bytes",
+ "tor-error",
 ]
 
 [[package]]
-name = "toml_writer"
-version = "1.0.6+spec-1.1.0"
+name = "tor-units"
+version = "0.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab16f14aed21ee8bfd8ec22513f7287cd4a91aa92e44edfe2c17ddd004e92607"
+checksum = "da90e93b4b4aa4ec356ecbe9e19aced36fdd655e94ca459d1915120d873363f0"
+dependencies = [
+ "derive-deftly",
+ "derive_more",
+ "serde",
+ "thiserror 2.0.18",
+ "tor-memquota",
+]
 
 [[package]]
 name = "tower"
@@ -2284,7 +5877,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
  "async-compression",
- "bitflags",
+ "bitflags 2.11.0",
  "bytes",
  "futures-core",
  "futures-util",
@@ -2337,7 +5930,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "786d480bce6247ab75f005b14ae1624ad978d3029d9113f0a22fa1ac773faeaf"
 dependencies = [
  "crossbeam-channel",
- "thiserror",
+ "thiserror 2.0.18",
  "time",
  "tracing-subscriber",
 ]
@@ -2350,7 +5943,7 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2405,12 +5998,43 @@ dependencies = [
  "tracing-serde",
 ]
 
+[[package]]
+name = "tracing-test"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19a4c448db514d4f24c5ddb9f73f2ee71bfb24c526cf0c570ba142d1119e0051"
+dependencies = [
+ "tracing-core",
+ "tracing-subscriber",
+ "tracing-test-macro",
+]
+
+[[package]]
+name = "tracing-test-macro"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad06847b7afb65c7866a36664b75c40b895e318cea4f71299f013fb22965329d"
+dependencies = [
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "try-lock"
 version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
 
+[[package]]
+name = "typed-index-collections"
+version = "3.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "898160f1dfd383b4e92e17f0512a7d62f3c51c44937b23b6ffc3a1614a8eaccd"
+dependencies = [
+ "bincode",
+ "serde",
+]
+
 [[package]]
 name = "typed-path"
 version = "0.12.3"
@@ -2423,6 +6047,15 @@ version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
 
+[[package]]
+name = "uncased"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e1b88fcfe09e89d3866a5c11019378088af2d24c3fbd4f0543f96b479ec90697"
+dependencies = [
+ "version_check",
+]
+
 [[package]]
 name = "unicase"
 version = "2.9.0"
@@ -2435,6 +6068,12 @@ version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
 
+[[package]]
+name = "unicode-segmentation"
+version = "1.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493"
+
 [[package]]
 name = "unicode-xid"
 version = "0.2.6"
@@ -2447,6 +6086,12 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
+[[package]]
+name = "unty"
+version = "0.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d49784317cd0d1ee7ec5c716dd598ec5b4483ea832a2dced265471cc0f690ae"
+
 [[package]]
 name = "url"
 version = "2.5.8"
@@ -2502,6 +6147,33 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
 
+[[package]]
+name = "visibility"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d674d135b4a8c1d7e813e2f8d1c9a58308aee4a680323066025e53132218bd91"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
+[[package]]
+name = "void"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d"
+
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -2535,6 +6207,15 @@ dependencies = [
  "wit-bindgen",
 ]
 
+[[package]]
+name = "wasix"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1757e0d1f8456693c7e5c6c629bdb54884e032aa0bb53c155f6a39f94440d332"
+dependencies = [
+ "wasi",
+]
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.114"
@@ -2581,7 +6262,7 @@ dependencies = [
  "bumpalo",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "wasm-bindgen-shared",
 ]
 
@@ -2611,7 +6292,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
 dependencies = [
  "anyhow",
- "indexmap",
+ "indexmap 2.13.0",
  "wasm-encoder",
  "wasmparser",
 ]
@@ -2622,12 +6303,18 @@ version = "0.244.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
 dependencies = [
- "bitflags",
+ "bitflags 2.11.0",
  "hashbrown 0.15.5",
- "indexmap",
+ "indexmap 2.13.0",
  "semver",
 ]
 
+[[package]]
+name = "weak-table"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "323f4da9523e9a669e1eaf9c6e763892769b1d38c623913647bfdc1532fe4549"
+
 [[package]]
 name = "web-sys"
 version = "0.3.91"
@@ -2663,6 +6350,72 @@ version = "0.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a28ac98ddc8b9274cb41bb4d9d4d5c425b6020c50c46f25559911905610b4a88"
 
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-util"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "windows"
+version = "0.61.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9babd3a767a4c1aef6900409f85f5d53ce2544ccdfaa86dad48c91782c6d6893"
+dependencies = [
+ "windows-collections",
+ "windows-core 0.61.2",
+ "windows-future",
+ "windows-link 0.1.3",
+ "windows-numerics",
+]
+
+[[package]]
+name = "windows-collections"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3beeceb5e5cfd9eb1d76b381630e82c4241ccd0d27f1a39ed41b2760b255c5e8"
+dependencies = [
+ "windows-core 0.61.2",
+]
+
+[[package]]
+name = "windows-core"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3"
+dependencies = [
+ "windows-implement",
+ "windows-interface",
+ "windows-link 0.1.3",
+ "windows-result 0.3.4",
+ "windows-strings 0.4.2",
+]
+
 [[package]]
 name = "windows-core"
 version = "0.62.2"
@@ -2671,9 +6424,20 @@ checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
 dependencies = [
  "windows-implement",
  "windows-interface",
- "windows-link",
- "windows-result",
- "windows-strings",
+ "windows-link 0.2.1",
+ "windows-result 0.4.1",
+ "windows-strings 0.5.1",
+]
+
+[[package]]
+name = "windows-future"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc6a41e98427b19fe4b73c550f060b59fa592d7d686537eebf9385621bfbad8e"
+dependencies = [
+ "windows-core 0.61.2",
+ "windows-link 0.1.3",
+ "windows-threading",
 ]
 
 [[package]]
@@ -2684,7 +6448,7 @@ checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2695,22 +6459,56 @@ checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
+[[package]]
+name = "windows-link"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a"
+
 [[package]]
 name = "windows-link"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
+[[package]]
+name = "windows-numerics"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9150af68066c4c5c07ddc0ce30421554771e528bde427614c61038bc2c92c2b1"
+dependencies = [
+ "windows-core 0.61.2",
+ "windows-link 0.1.3",
+]
+
+[[package]]
+name = "windows-result"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6"
+dependencies = [
+ "windows-link 0.1.3",
+]
+
 [[package]]
 name = "windows-result"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
 dependencies = [
- "windows-link",
+ "windows-link 0.2.1",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57"
+dependencies = [
+ "windows-link 0.1.3",
 ]
 
 [[package]]
@@ -2719,7 +6517,7 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
 dependencies = [
- "windows-link",
+ "windows-link 0.2.1",
 ]
 
 [[package]]
@@ -2746,7 +6544,7 @@ version = "0.61.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
 dependencies = [
- "windows-link",
+ "windows-link 0.2.1",
 ]
 
 [[package]]
@@ -2771,7 +6569,7 @@ version = "0.53.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
 dependencies = [
- "windows-link",
+ "windows-link 0.2.1",
  "windows_aarch64_gnullvm 0.53.1",
  "windows_aarch64_msvc 0.53.1",
  "windows_i686_gnu 0.53.1",
@@ -2782,6 +6580,15 @@ dependencies = [
  "windows_x86_64_msvc 0.53.1",
 ]
 
+[[package]]
+name = "windows-threading"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b66463ad2e0ea3bbf808b7f1d371311c80e115c0b71d60efc142cafbcfb057a6"
+dependencies = [
+ "windows-link 0.1.3",
+]
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -2883,6 +6690,9 @@ name = "winnow"
 version = "0.7.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df79d97927682d2fd8adb29682d1140b343be4ac0f08fd68b7765d9c059d3945"
+dependencies = [
+ "memchr",
+]
 
 [[package]]
 name = "wit-bindgen"
@@ -2912,9 +6722,9 @@ checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
 dependencies = [
  "anyhow",
  "heck",
- "indexmap",
+ "indexmap 2.13.0",
  "prettyplease",
- "syn",
+ "syn 2.0.117",
  "wasm-metadata",
  "wit-bindgen-core",
  "wit-component",
@@ -2930,7 +6740,7 @@ dependencies = [
  "prettyplease",
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "wit-bindgen-core",
  "wit-bindgen-rust",
 ]
@@ -2942,8 +6752,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
 dependencies = [
  "anyhow",
- "bitflags",
- "indexmap",
+ "bitflags 2.11.0",
+ "indexmap 2.13.0",
  "log",
  "serde",
  "serde_derive",
@@ -2962,7 +6772,7 @@ checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
 dependencies = [
  "anyhow",
  "id-arena",
- "indexmap",
+ "indexmap 2.13.0",
  "log",
  "semver",
  "serde",
@@ -2978,6 +6788,33 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
 
+[[package]]
+name = "wyz"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05f360fc0b24296329c78fda852a1e9ae82de9cf7b27dae4b7f62f118f77b9ed"
+dependencies = [
+ "tap",
+]
+
+[[package]]
+name = "x25519-dalek"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277"
+dependencies = [
+ "curve25519-dalek",
+ "rand_core 0.6.4",
+ "serde",
+ "zeroize",
+]
+
+[[package]]
+name = "xxhash-rust"
+version = "0.8.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fdd20c5420375476fbd4394763288da7eb0cc0b8c11deed431a91562af7335d3"
+
 [[package]]
 name = "yoke"
 version = "0.8.1"
@@ -2997,7 +6834,7 @@ checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "synstructure",
 ]
 
@@ -3018,7 +6855,7 @@ checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3038,7 +6875,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
  "synstructure",
 ]
 
@@ -3047,6 +6884,20 @@ name = "zeroize"
 version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
+dependencies = [
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
 
 [[package]]
 name = "zerotrie"
@@ -3065,6 +6916,7 @@ version = "0.11.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
 dependencies = [
+ "serde",
  "yoke",
  "zerofrom",
  "zerovec-derive",
@@ -3078,7 +6930,7 @@ checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3089,7 +6941,7 @@ checksum = "b680f2a0cd479b4cff6e1233c483fdead418106eae419dc60200ae9850f6d004"
 dependencies = [
  "crc32fast",
  "flate2",
- "indexmap",
+ "indexmap 2.13.0",
  "memchr",
  "typed-path",
  "zopfli",
diff --git a/Cargo.toml b/Cargo.toml
index 23fa9b4..585f8c0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@ name = "rustchan"
 version = "1.1.0"
 edition = "2021"
 # axum 0.8 requires Rust 1.75; that is the effective floor for this project.
-rust-version = "1.88.0"
+rust-version = "1.90"
 license = "MIT"
 # FIX[LOW-1]: Removed hardware-specific description. This binary is portable
 # and targets any architecture/OS that Rust supports.
@@ -94,6 +94,13 @@ thiserror = "2"
 tempfile  = "3"
 libc      = "0.2"
 
+arti-client   = { version = "0.40", features = ["tokio", "native-tls", "onion-service-service"] }
+tor-hsservice = { version = "0.40" }
+tor-cell      = { version = "0.40" }
+futures       = "0.3"
+sha3          = "0.10"
+data-encoding = "2"
+
 [lints.clippy]
 too_many_arguments             = "allow"
 manual_pattern_char_comparison = "allow"
diff --git a/README.md b/README.md
index 65676cf..cf3d68e 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@
 
 RustChan is a fully-featured imageboard engine compiled into a **single Rust binary**. Deploy it on a VPS, a Raspberry Pi, or a local machine — no containers, no runtime, no package manager required. All persistent data lives in a single directory alongside the binary, making migrations as simple as `cp -r`.
 
-Two external tools are supported as **optional enhancements**: [**ffmpeg**](#ffmpeg--video--audio-processing) for video transcoding and audio waveforms, and [**Tor**](#tor--onion-service) for anonymous `.onion` access. Neither is required — RustChan degrades gracefully without them.
+**[ffmpeg](#ffmpeg--video--audio-processing)** is supported as an optional enhancement for video transcoding and audio waveforms. **[Tor](#tor--onion-service)** onion service hosting is built in via [Arti](https://gitlab.torproject.org/tpo/core/arti) — no system `tor` installation required. Both degrade gracefully when disabled.
 
 <br>
 
@@ -274,14 +274,18 @@ See **[SETUP.md — Installing ffmpeg](SETUP.md#installing-ffmpeg)** for platfor
 
 ### Tor — Onion Service
 
-When `enable_tor_support = true` and a Tor daemon is running:
+RustChan includes **built-in Tor onion service support via [Arti](https://gitlab.torproject.org/tpo/core/arti)** — no system `tor` installation required. Set `enable_tor_support = true` in `settings.toml` and restart. On first launch RustChan will:
 
-- The `.onion` address is read from the hidden-service `hostname` file and displayed on the home page and admin panel
-- Setup hints are printed to the console if Tor is detected but not yet configured
+1. Download ~2 MB of Tor directory data and bootstrap to the network (~30 seconds)
+2. Generate a persistent Ed25519 keypair in `rustchan-data/arti_state/keys/`
+3. Derive your permanent `.onion` address from that keypair and start the hidden service
+4. Begin accepting and proxying inbound onion connections to the local HTTP port
 
-Tor handles all onion routing independently — RustChan binds to its normal port while your `torrc` forwards `.onion` traffic to it.
+The `.onion` address appears on the home page and in the admin panel as soon as the service is ready. Subsequent starts are ready in ~5 seconds using the cached consensus in `rustchan-data/arti_cache/`.
 
-See **[SETUP.md — Installing Tor](SETUP.md#installing-tor)** for configuration details.
+**Back up `rustchan-data/arti_state/keys/`** — this directory contains your service keypair. Losing it means a new `.onion` address on the next start. Delete it intentionally to rotate to a new address.
+
+See **[SETUP.md — Tor](SETUP.md#tor--onion-service)** for details on key management and migrating from a previous system `tor` installation.
 
 <br>
 
@@ -360,7 +364,8 @@ max_audio_size_mb = 150
 # existing IP hashes and bans will become invalid.
 cookie_secret = "<auto-generated 32-byte hex>"
 
-# Display .onion address if a Tor daemon is running.
+# Built-in Tor onion service (via Arti — no system tor required).
+# First run bootstraps in ~30 s; keypair in rustchan-data/arti_state/keys/.
 enable_tor_support = false
 
 # Hard-exit if ffmpeg is not found (default: warn only).
@@ -434,7 +439,6 @@ All settings can be overridden via environment variables, which take precedence
 | `CHAN_WAVEFORM_CACHE_MB` | `200` | Max waveform thumbnail cache per board (MiB) |
 | `CHAN_BLOCKING_THREADS` | `cpus × 4` | Tokio blocking thread pool size |
 | `CHAN_ARCHIVE_BEFORE_PRUNE` | `true` | Archive globally before any hard-delete |
-| `CHAN_TOR_HOSTNAME_FILE` | *(auto-detected)* | Override path to the Tor `hostname` file |
 | `RUST_LOG` | `rustchan-cli=info` | Log verbosity |
 
 <br>
@@ -542,6 +546,7 @@ RustChan is intentionally minimal — no template engine, no ORM, no JavaScript
 | HTML rendering | Plain Rust `format!` strings |
 | Configuration | `settings.toml` (atomic writes) + env var overrides via `once_cell::Lazy` |
 | Federation | ChanNet API on port 7070 (ZIP-based, text-only) |
+| Tor onion service | [Arti](https://gitlab.torproject.org/tpo/core/arti) in-process (`onion-service-service` feature); keypair in `arti_state/keys/` |
 
 ### Source Layout
 
@@ -663,7 +668,7 @@ Six built-in themes, selectable via the floating picker on every page. Persisted
 See **[CHANGELOG.md](CHANGELOG.md)** for the full version history.
 
 **Latest — v1.1.0-alpha.2:**
-Critical fix: ChanNet gateway posts have no IP — `ip_hash` changed to `Option<String>` throughout (no more 500s on pages with gateway posts) · Log files now written to `rustchan-data/` (not the binary directory) · Log file names fixed (`rustchan.2024-01-15.log` format) · Logs changed from dense JSON to human-readable text · Per-field multipart size caps (~100 KB body, ~4 KB name/subject) eliminate OOM risk from oversized form submissions · Poll duration overflow hardened · Backup system rewrites: `rusqlite::backup` API replaces fragile SQL string, RAII temp-file cleanup, pool exhaustion → 503 · Tor detection mutex poisoning fixed; panic hook hardened with `try_lock()` · DB pool size configurable; `r2d2::Error` correctly maps to 503 · All write transactions upgraded from DEFERRED to `BEGIN IMMEDIATE` · Rotating log files prevent disk exhaustion · 304 response builders fixed · Atomic `settings.toml` writes · Request timeout middleware (slowloris protection) · Worker `JoinHandle`s persisted; graceful shutdown via `CancellationToken` + bounded await · Job recovery on startup for interrupted jobs · ChanNet server graceful shutdown unified with main HTTP server · Background tasks use `tokio::select!` for clean cancellation
+**Tor migrated to Arti (built-in, no system `tor` required)** — Arti bootstraps in-process at startup, derives a `.onion` address from a persistent keypair in `arti_state/keys/`, and proxies onion connections to the local HTTP port; no subprocess, no `torrc`, no hostname file polling · Critical fix: ChanNet gateway posts have no IP — `ip_hash` changed to `Option<String>` throughout (no more 500s on pages with gateway posts) · Log files now written to `rustchan-data/` (not the binary directory) · Log file names fixed (`rustchan.2024-01-15.log` format) · Logs changed from dense JSON to human-readable text · Per-field multipart size caps (~100 KB body, ~4 KB name/subject) eliminate OOM risk from oversized form submissions · Poll duration overflow hardened · Backup system rewrites: `rusqlite::backup` API replaces fragile SQL string, RAII temp-file cleanup, pool exhaustion → 503 · DB pool size configurable; `r2d2::Error` correctly maps to 503 · All write transactions upgraded from DEFERRED to `BEGIN IMMEDIATE` · Rotating log files prevent disk exhaustion · 304 response builders fixed · Atomic `settings.toml` writes · Request timeout middleware (slowloris protection) · Worker `JoinHandle`s persisted; graceful shutdown via `CancellationToken` + bounded await · Job recovery on startup for interrupted jobs · ChanNet server graceful shutdown unified with main HTTP server · Background tasks use `tokio::select!` for clean cancellation
 
 **v1.1.0-alpha.1:**
 ChanNet API on port 7070 (federation + RustWave gateway) · Major codebase refactor: `main.rs` shrunk from 1,757 → ~50 lines; `handlers/admin.rs` split into 6 focused files; new `server/` module (server, console, CLI); new `src/media/` module (ffmpeg, convert, thumbnail, exif) · BMP, TIFF, SVG upload support · GIF→WebM inline conversion · All thumbnails output as WebP · SVG placeholders for video/audio/SVG sources · PNG→WebP with size-check fallback · Atomic temp-then-rename for all conversions
@@ -691,7 +696,7 @@ Scheduled VACUUM · expired poll vote cleanup · DB size warning banner · job q
 
 <div align="center">
 
-Built with 🦀 Rust &nbsp;·&nbsp; Powered by SQLite &nbsp;·&nbsp; Optional integrations: ffmpeg · Tor
+Built with 🦀 Rust &nbsp;·&nbsp; Powered by SQLite &nbsp;·&nbsp; Optional: ffmpeg &nbsp;·&nbsp; Tor built-in via Arti
 
 *Drop it anywhere. It just runs.*
 
diff --git a/audit.toml b/audit.toml
new file mode 100644
index 0000000..373e1e0
--- /dev/null
+++ b/audit.toml
@@ -0,0 +1,3 @@
+# audit.toml
+[advisories]
+ignore = ["RUSTSEC-2023-0071"]
\ No newline at end of file
diff --git a/deny.toml b/deny.toml
index a325889..d9863f6 100644
--- a/deny.toml
+++ b/deny.toml
@@ -8,6 +8,20 @@ all-features = false
 unmaintained = "all"
 yanked = "deny"
 
+# RUSTSEC-2023-0071: Marvin Attack timing side-channel in rsa 0.9.x.
+# No fixed version available. rsa is a transitive dep pulled in by arti-client;
+# we do not use RSA decryption directly, and Arti uses it only for TLS relay
+# connections where an adaptive chosen-ciphertext oracle is not exposed.
+[[advisories.ignore]]
+id = "RUSTSEC-2023-0071"
+
+# RUSTSEC-2024-0436: paste crate marked unmaintained by its author.
+# paste is a transitive dep of arti-client / tor-hsservice. No direct usage
+# in RustChan code; no functional impact. Will be resolved when Arti updates
+# its dependency tree.
+[[advisories.ignore]]
+id = "RUSTSEC-2024-0436"
+
 [licenses]
 confidence-threshold = 0.8
 
@@ -24,6 +38,14 @@ allow = [
     "ISC",
     # Used by webpki-roots (Mozilla CA certificate bundle)
     "CDLA-Permissive-2.0",
+    # Used by notify (arti-client transitive dep)
+    "CC0-1.0",
+    # Used by option-ext and priority-queue (arti-client transitive deps)
+    "MPL-2.0",
+    # Used by priority-queue (arti-client transitive dep)
+    "LGPL-3.0-or-later",
+    # Used by xxhash-rust (arti-client transitive dep)
+    "BSL-1.0",
 ]
 
 [[licenses.exceptions]]
@@ -34,6 +56,8 @@ allow   = ["MIT", "Apache-2.0", "BSD-2-Clause"]
 [bans]
 multiple-versions = "warn"
 
+# ── Pre-existing skips ─────────────────────────────────────────────────────────
+
 # argon2 → password-hash → rand_core 0.6
 [[bans.skip]]
 name    = "rand_core"
@@ -71,15 +95,164 @@ version = "0.16"
 name    = "windows-sys"
 version = "0.61"
 
+# ── Arti transitive dep duplicates ────────────────────────────────────────────
+# These arise from arti-client / tor-hsservice pulling in newer versions of
+# crates that other parts of the tree already depend on at an older version.
+# All are benign version splits with no API conflicts in RustChan code.
+
 [[bans.skip]]
-name    = "zune-core"
+name    = "atomic"
 version = "0.5"
 
 [[bans.skip]]
-name    = "zune-jpeg"
-version = "0.5"
+name    = "bitflags"
+version = "1"
+
+[[bans.skip]]
+name    = "cpufeatures"
+version = "0.2"
+
+[[bans.skip]]
+name    = "darling"
+version = "0.14"
+
+[[bans.skip]]
+name    = "darling"
+version = "0.21"
+
+[[bans.skip]]
+name    = "darling_core"
+version = "0.14"
+
+[[bans.skip]]
+name    = "darling_core"
+version = "0.21"
+
+[[bans.skip]]
+name    = "darling_macro"
+version = "0.14"
+
+[[bans.skip]]
+name    = "darling_macro"
+version = "0.21"
+
+[[bans.skip]]
+name    = "itertools"
+version = "0.13"
+
+[[bans.skip]]
+name    = "rand"
+version = "0.8"
+
+[[bans.skip]]
+name    = "rand"
+version = "0.9"
+
+[[bans.skip]]
+name    = "rand_chacha"
+version = "0.3"
+
+[[bans.skip]]
+name    = "rand_core"
+version = "0.9"
+
+[[bans.skip]]
+name    = "serde_spanned"
+version = "0.6"
+
+[[bans.skip]]
+name    = "strsim"
+version = "0.10"
+
+[[bans.skip]]
+name    = "syn"
+version = "1"
+
+[[bans.skip]]
+name    = "thiserror"
+version = "1"
+
+[[bans.skip]]
+name    = "thiserror-impl"
+version = "1"
+
+[[bans.skip]]
+name    = "toml"
+version = "0.8"
+
+[[bans.skip]]
+name    = "toml"
+version = "0.9"
+
+[[bans.skip]]
+name    = "toml_datetime"
+version = "0.6"
+
+[[bans.skip]]
+name    = "toml_datetime"
+version = "0.7"
+
+[[bans.skip]]
+name    = "toml_edit"
+version = "0.22"
+
+[[bans.skip]]
+name    = "windows-core"
+version = "0.61"
+
+[[bans.skip]]
+name    = "windows-link"
+version = "0.1"
+
+[[bans.skip]]
+name    = "windows-result"
+version = "0.3"
+
+[[bans.skip]]
+name    = "windows-strings"
+version = "0.4"
+
+[[bans.skip]]
+name    = "windows-sys"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows-targets"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_aarch64_gnullvm"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_aarch64_msvc"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_i686_gnu"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_i686_gnullvm"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_i686_msvc"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_x86_64_gnu"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_x86_64_gnullvm"
+version = "0.52"
+
+[[bans.skip]]
+name    = "windows_x86_64_msvc"
+version = "0.52"
 
 [sources]
 unknown-registry = "deny"
 unknown-git      = "deny"
-allow-registry   = ["https://github.com/rust-lang/crates.io-index"]
\ No newline at end of file
+allow-registry   = ["https://github.com/rust-lang/crates.io-index"]
diff --git a/ffmpeg-migration.md b/ffmpeg-migration.md
new file mode 100644
index 0000000..555e5f7
--- /dev/null
+++ b/ffmpeg-migration.md
@@ -0,0 +1,1233 @@
+# FFmpeg Static Migration — Full Implementation
+
+Replace every `Command::new("ffmpeg")` / `TokioCommand::new("ffmpeg")` call with
+in-process `ffmpeg-next` library calls. After this migration the binary requires
+no system ffmpeg or ffprobe installation.
+
+---
+
+## 1. Cargo.toml
+
+```toml
+[dependencies]
+# Add this block. Remove nothing else.
+ffmpeg-next = { version = "7", default-features = false, features = [
+    "static",              # compiles libav* from source into the binary
+    "codec",               # libavcodec  — encode / decode
+    "format",              # libavformat — container mux / demux
+    "filter",              # libavfilter — scale, showwavespic
+    "software-resampling", # libswresample — audio resampling for Opus
+    "software-scaling",    # libswscale   — pixel-format conversion
+] }
+```
+
+Pin the ffmpeg source version and supply build flags via `.cargo/config.toml`
+(create this file if it does not exist):
+
+```toml
+# .cargo/config.toml
+[env]
+FFMPEG_BUILD_VERSION = "7.1"
+# If nasm is absent on the build machine, add:
+# FFMPEG_EXTRA_FLAGS = "--disable-x86asm"
+```
+
+Build-tool requirements (install once per machine):
+
+| Tool | Ubuntu/Debian | macOS |
+|---|---|---|
+| nasm | `apt install nasm` | `brew install nasm` |
+| cmake | `apt install cmake` | `brew install cmake` |
+| pkg-config | `apt install pkg-config` | `brew install pkg-config` |
+
+CI (GitHub Actions Ubuntu runner) — add before `cargo build`:
+
+```yaml
+- name: Install ffmpeg build deps
+  run: sudo apt-get install -y nasm cmake pkg-config libssl-dev
+```
+
+---
+
+## 2. `src/media/ffmpeg.rs` — complete replacement
+
+Drop the entire existing file and replace with the following.
+All public function signatures are **identical** to the originals.
+
+```rust
+// media/ffmpeg.rs
+//
+// FFmpeg wrappers using statically linked libav* (ffmpeg-next).
+//
+// All public signatures are unchanged from the subprocess-based version so
+// that no caller in convert.rs, thumbnail.rs, workers/, or detect.rs needs
+// to be modified for signature reasons.
+//
+// Call site changes required elsewhere:
+//   • detect.rs   — detection functions become no-ops (see §4 below)
+//   • workers/    — TokioCommand::new("ffmpeg") blocks replaced (see §3 below)
+//
+// Thread safety: ffmpeg-next is safe to call from multiple threads once
+// init_ffmpeg() has been called. Call it once from main() or detect.rs.
+
+use anyhow::{Context, Result};
+use ffmpeg_next as ffmpeg;
+use ffmpeg_next::{
+    codec, filter, format, frame, media,
+    software::scaling::{context::Context as SwsContext, flag::Flags as SwsFlags},
+    Dictionary, Rational,
+};
+use std::path::Path;
+
+// ─── Library initialisation ───────────────────────────────────────────────────
+
+/// Initialise the ffmpeg library. Idempotent and thread-safe.
+///
+/// Call once at startup (from detect.rs or main.rs) before any codec
+/// operation. Safe to call multiple times — subsequent calls are no-ops.
+pub fn init_ffmpeg() {
+    ffmpeg::init().expect("ffmpeg library init failed — this is a build error");
+    // Suppress ffmpeg's internal log output. rustchan's tracing handles all
+    // user-facing diagnostics.
+    unsafe {
+        ffmpeg_next::ffi::av_log_set_level(ffmpeg_next::ffi::AV_LOG_QUIET);
+    }
+}
+
+// ─── Detection stubs (always true — codecs are compiled in) ──────────────────
+
+/// Always returns true: ffmpeg is compiled into the binary.
+#[must_use]
+pub fn detect_ffmpeg() -> bool {
+    true
+}
+
+/// Always returns true: libwebp is compiled in.
+#[must_use]
+pub fn check_webp_encoder() -> bool {
+    true
+}
+
+/// Always returns true: libvpx-vp9 is compiled in.
+#[must_use]
+pub fn check_vp9_encoder() -> bool {
+    true
+}
+
+/// Always returns true: libopus is compiled in.
+#[must_use]
+pub fn check_opus_encoder() -> bool {
+    true
+}
+
+// ─── run_ffmpeg (no longer used — kept for any external callers) ──────────────
+
+/// Deprecated: previously spawned a subprocess. Now always returns Ok(()).
+/// Remove callers and delete this function in a follow-up cleanup.
+#[allow(dead_code)]
+pub fn run_ffmpeg(_args: &[&str]) -> Result<()> {
+    Ok(())
+}
+
+// ─── Image → WebP ─────────────────────────────────────────────────────────────
+
+/// Convert any ffmpeg-readable image (JPEG, PNG, BMP, TIFF, GIF) to WebP.
+///
+/// Animated GIF inputs produce animated WebP (loop 0 = loop forever).
+/// Metadata is stripped. Quality is fixed at 85 per project spec.
+///
+/// # Errors
+/// Returns an error if the input cannot be decoded or the output cannot be
+/// written.
+pub fn ffmpeg_image_to_webp(input: &Path, output: &Path) -> Result<()> {
+    init_ffmpeg();
+
+    // ── Open input ────────────────────────────────────────────────────────
+    let mut ictx = format::input(input)
+        .with_context(|| format!("ffmpeg_image_to_webp: cannot open {}", input.display()))?;
+
+    let in_stream = ictx
+        .streams()
+        .best(media::Type::Video)
+        .context("ffmpeg_image_to_webp: no video/image stream in input")?;
+    let in_idx = in_stream.index();
+    let in_tb = in_stream.time_base();
+
+    let mut decoder = codec::context::Context::from_parameters(in_stream.parameters())
+        .context("ffmpeg_image_to_webp: decoder context")?
+        .decoder()
+        .video()
+        .context("ffmpeg_image_to_webp: open video decoder")?;
+
+    // ── Open output ───────────────────────────────────────────────────────
+    let mut octx = format::output(output)
+        .with_context(|| format!("ffmpeg_image_to_webp: cannot open output {}", output.display()))?;
+
+    let webp_codec = codec::encoder::find_by_name("libwebp")
+        .context("libwebp encoder not found — static build is missing the codec")?;
+
+    let mut enc_ctx = codec::context::Context::new_with_codec(webp_codec)
+        .encoder()
+        .video()
+        .context("ffmpeg_image_to_webp: encoder context")?;
+
+    // Dimensions and format are set from the first decoded frame because some
+    // inputs (e.g. TIFF) report wrong dimensions in stream parameters.
+    // We defer the actual encoder open until after decoding the first frame.
+
+    let mut out_stream = octx.add_stream(webp_codec)
+        .context("ffmpeg_image_to_webp: add output stream")?;
+
+    let global_header = octx
+        .format()
+        .flags()
+        .contains(format::flag::Flags::GLOBAL_HEADER);
+    if global_header {
+        enc_ctx.set_flags(codec::flag::Flags::GLOBAL_HEADER);
+    }
+
+    // ── Decode → scale → encode loop ─────────────────────────────────────
+    let mut encoder_opened = false;
+    let mut sws: Option<SwsContext> = None;
+    let mut frame_count = 0u64;
+
+    let mut encode_and_write = |enc: &mut codec::encoder::video::Encoder,
+                                 octx: &mut format::context::Output,
+                                 frame: Option<&frame::Video>|
+     -> Result<()> {
+        enc.send_frame(frame).context("ffmpeg_image_to_webp: send_frame")?;
+        let mut pkt = ffmpeg_next::Packet::empty();
+        while enc.receive_packet(&mut pkt).is_ok() {
+            pkt.set_stream(0);
+            pkt.rescale_ts(Rational(1, 25), out_stream.time_base());
+            pkt.write_interleaved(octx)
+                .context("ffmpeg_image_to_webp: write_interleaved")?;
+        }
+        Ok(())
+    };
+
+    for (stream, packet) in ictx.packets() {
+        if stream.index() != in_idx {
+            continue;
+        }
+        decoder
+            .send_packet(&packet)
+            .context("ffmpeg_image_to_webp: send_packet")?;
+
+        let mut decoded = frame::Video::empty();
+        while decoder.receive_frame(&mut decoded).is_ok() {
+            if !encoder_opened {
+                // First frame: configure encoder dimensions and open it.
+                enc_ctx.set_width(decoded.width());
+                enc_ctx.set_height(decoded.height());
+                enc_ctx.set_format(ffmpeg_next::format::Pixel::YUVA420P);
+                enc_ctx.set_time_base(Rational(1, 25));
+
+                let mut opts = Dictionary::new();
+                opts.set("quality", "85");
+                opts.set("loop", "0"); // animated WebP loops forever (GIF parity)
+                opts.set("lossless", "0");
+
+                enc_ctx
+                    .open_with(opts)
+                    .context("ffmpeg_image_to_webp: open encoder")?;
+                out_stream.set_parameters(&enc_ctx);
+
+                octx.write_header()
+                    .context("ffmpeg_image_to_webp: write_header")?;
+                encoder_opened = true;
+
+                // Pixel format converter: input format → YUVA420P for libwebp.
+                sws = Some(
+                    SwsContext::get(
+                        decoded.format(),
+                        decoded.width(),
+                        decoded.height(),
+                        ffmpeg_next::format::Pixel::YUVA420P,
+                        decoded.width(),
+                        decoded.height(),
+                        SwsFlags::BILINEAR,
+                    )
+                    .context("ffmpeg_image_to_webp: sws_getContext")?,
+                );
+            }
+
+            // Convert pixel format.
+            let mut rgb_frame = frame::Video::new(
+                ffmpeg_next::format::Pixel::YUVA420P,
+                decoded.width(),
+                decoded.height(),
+            );
+            if let Some(ref mut s) = sws {
+                s.run(&decoded, &mut rgb_frame)
+                    .context("ffmpeg_image_to_webp: sws_scale")?;
+            }
+            rgb_frame.set_pts(Some(frame_count as i64));
+            frame_count += 1;
+
+            // We need mutable enc_ctx below — restructure to avoid borrow conflict.
+            enc_ctx
+                .send_frame(Some(&rgb_frame))
+                .context("ffmpeg_image_to_webp: send_frame")?;
+            let mut pkt = ffmpeg_next::Packet::empty();
+            while enc_ctx.receive_packet(&mut pkt).is_ok() {
+                pkt.set_stream(0);
+                pkt.rescale_ts(Rational(1, 25), out_stream.time_base());
+                pkt.write_interleaved(&mut octx)
+                    .context("ffmpeg_image_to_webp: write_interleaved")?;
+            }
+        }
+    }
+
+    // Flush decoder.
+    decoder
+        .send_eof()
+        .context("ffmpeg_image_to_webp: send_eof to decoder")?;
+    let mut decoded = frame::Video::empty();
+    while decoder.receive_frame(&mut decoded).is_ok() {
+        // (same encode block as above — flush remaining frames)
+        let mut rgb_frame = frame::Video::new(
+            ffmpeg_next::format::Pixel::YUVA420P,
+            decoded.width(),
+            decoded.height(),
+        );
+        if let Some(ref mut s) = sws {
+            s.run(&decoded, &mut rgb_frame)
+                .context("ffmpeg_image_to_webp: sws_scale flush")?;
+        }
+        rgb_frame.set_pts(Some(frame_count as i64));
+        frame_count += 1;
+        enc_ctx
+            .send_frame(Some(&rgb_frame))
+            .context("ffmpeg_image_to_webp: flush send_frame")?;
+        let mut pkt = ffmpeg_next::Packet::empty();
+        while enc_ctx.receive_packet(&mut pkt).is_ok() {
+            pkt.set_stream(0);
+            pkt.rescale_ts(Rational(1, 25), out_stream.time_base());
+            pkt.write_interleaved(&mut octx)
+                .context("ffmpeg_image_to_webp: flush write")?;
+        }
+    }
+
+    // Flush encoder.
+    enc_ctx
+        .send_eof()
+        .context("ffmpeg_image_to_webp: send_eof to encoder")?;
+    let mut pkt = ffmpeg_next::Packet::empty();
+    while enc_ctx.receive_packet(&mut pkt).is_ok() {
+        pkt.set_stream(0);
+        pkt.rescale_ts(Rational(1, 25), out_stream.time_base());
+        pkt.write_interleaved(&mut octx)
+            .context("ffmpeg_image_to_webp: final write")?;
+    }
+
+    octx.write_trailer()
+        .context("ffmpeg_image_to_webp: write_trailer")?;
+
+    Ok(())
+}
+
+// ─── Thumbnail ────────────────────────────────────────────────────────────────
+
+/// Extract the first frame from an image or video, scale to fit within
+/// `max_dim × max_dim` (aspect preserved), and save as WebP quality 80.
+///
+/// Equivalent to:
+///   ffmpeg -i <input> -vframes 1
+///     -vf "scale='if(gt(iw,ih),MAX,-2)':'if(gt(iw,ih),-2,MAX)'"
+///     -c:v libwebp -quality 80 <output>
+///
+/// # Errors
+/// Returns an error if the input cannot be demuxed/decoded or the output
+/// cannot be written.
+pub fn ffmpeg_thumbnail(input: &Path, output: &Path, max_dim: u32) -> Result<()> {
+    init_ffmpeg();
+
+    let mut ictx = format::input(input)
+        .with_context(|| format!("ffmpeg_thumbnail: cannot open {}", input.display()))?;
+
+    let in_stream = ictx
+        .streams()
+        .best(media::Type::Video)
+        .context("ffmpeg_thumbnail: no video stream")?;
+    let in_idx = in_stream.index();
+
+    let mut decoder = codec::context::Context::from_parameters(in_stream.parameters())
+        .context("ffmpeg_thumbnail: decoder context")?
+        .decoder()
+        .video()
+        .context("ffmpeg_thumbnail: open decoder")?;
+
+    // Seek to the first key frame (important for video sources).
+    let _ = ictx.seek(0, ..0);
+
+    // Decode until we get one complete frame.
+    let mut first_frame: Option<frame::Video> = None;
+    'outer: for (stream, packet) in ictx.packets() {
+        if stream.index() != in_idx {
+            continue;
+        }
+        decoder
+            .send_packet(&packet)
+            .context("ffmpeg_thumbnail: send_packet")?;
+        let mut f = frame::Video::empty();
+        while decoder.receive_frame(&mut f).is_ok() {
+            first_frame = Some(f);
+            break 'outer;
+        }
+    }
+    // Flush decoder in case the frame was buffered.
+    if first_frame.is_none() {
+        let _ = decoder.send_eof();
+        let mut f = frame::Video::empty();
+        if decoder.receive_frame(&mut f).is_ok() {
+            first_frame = Some(f);
+        }
+    }
+
+    let src_frame = first_frame.context("ffmpeg_thumbnail: no frame decoded from input")?;
+
+    // ── Scale to fit max_dim × max_dim, preserving aspect ratio ──────────
+    let (src_w, src_h) = (src_frame.width(), src_frame.height());
+    let (dst_w, dst_h) = scale_dims(src_w, src_h, max_dim);
+
+    let mut scaled = frame::Video::new(
+        ffmpeg_next::format::Pixel::YUVA420P,
+        dst_w,
+        dst_h,
+    );
+    let mut sws = SwsContext::get(
+        src_frame.format(),
+        src_w,
+        src_h,
+        ffmpeg_next::format::Pixel::YUVA420P,
+        dst_w,
+        dst_h,
+        SwsFlags::LANCZOS,
+    )
+    .context("ffmpeg_thumbnail: sws_getContext")?;
+    sws.run(&src_frame, &mut scaled)
+        .context("ffmpeg_thumbnail: sws_scale")?;
+    scaled.set_pts(Some(0));
+
+    // ── Encode as WebP quality 80 ─────────────────────────────────────────
+    let webp_codec = codec::encoder::find_by_name("libwebp")
+        .context("ffmpeg_thumbnail: libwebp encoder missing")?;
+
+    let mut octx = format::output(output)
+        .with_context(|| format!("ffmpeg_thumbnail: cannot open output {}", output.display()))?;
+
+    let mut enc_ctx = codec::context::Context::new_with_codec(webp_codec)
+        .encoder()
+        .video()
+        .context("ffmpeg_thumbnail: encoder context")?;
+
+    enc_ctx.set_width(dst_w);
+    enc_ctx.set_height(dst_h);
+    enc_ctx.set_format(ffmpeg_next::format::Pixel::YUVA420P);
+    enc_ctx.set_time_base(Rational(1, 1));
+
+    let global_header = octx
+        .format()
+        .flags()
+        .contains(format::flag::Flags::GLOBAL_HEADER);
+    if global_header {
+        enc_ctx.set_flags(codec::flag::Flags::GLOBAL_HEADER);
+    }
+
+    let mut opts = Dictionary::new();
+    opts.set("quality", "80");
+    opts.set("lossless", "0");
+
+    let mut enc = enc_ctx
+        .open_with(opts)
+        .context("ffmpeg_thumbnail: open encoder")?;
+
+    let mut out_stream = octx.add_stream(webp_codec)
+        .context("ffmpeg_thumbnail: add output stream")?;
+    out_stream.set_parameters(&enc);
+
+    octx.write_header()
+        .context("ffmpeg_thumbnail: write_header")?;
+
+    enc.send_frame(Some(&scaled))
+        .context("ffmpeg_thumbnail: send_frame")?;
+    enc.send_eof()
+        .context("ffmpeg_thumbnail: send_eof")?;
+
+    let mut pkt = ffmpeg_next::Packet::empty();
+    while enc.receive_packet(&mut pkt).is_ok() {
+        pkt.set_stream(0);
+        pkt.rescale_ts(Rational(1, 1), out_stream.time_base());
+        pkt.write_interleaved(&mut octx)
+            .context("ffmpeg_thumbnail: write_interleaved")?;
+    }
+
+    octx.write_trailer()
+        .context("ffmpeg_thumbnail: write_trailer")?;
+
+    Ok(())
+}
+
+// ─── Codec probe ──────────────────────────────────────────────────────────────
+
+/// Return the lowercase codec name for the primary video stream in `path`.
+///
+/// Replaces the `ffprobe` subprocess. Opens the container, reads the stream
+/// parameters, and returns the codec descriptor name — no decoding is done.
+///
+/// Returns e.g. `"vp9"`, `"av1"`, `"h264"`.
+///
+/// # Errors
+/// Returns an error if the file cannot be opened or contains no video stream.
+pub fn probe_video_codec(path: &str) -> Result<String> {
+    init_ffmpeg();
+
+    let ictx = format::input(&path)
+        .with_context(|| format!("probe_video_codec: cannot open {path}"))?;
+
+    let stream = ictx
+        .streams()
+        .best(media::Type::Video)
+        .with_context(|| format!("probe_video_codec: no video stream in {path}"))?;
+
+    let codec_id = stream.parameters().id();
+
+    // ffmpeg_next exposes the codec name through the descriptor.
+    let name = unsafe {
+        let desc = ffmpeg_next::ffi::avcodec_descriptor_get(codec_id.into());
+        if desc.is_null() {
+            return Err(anyhow::anyhow!(
+                "probe_video_codec: no codec descriptor for id {:?}",
+                codec_id
+            ));
+        }
+        std::ffi::CStr::from_ptr((*desc).name)
+            .to_string_lossy()
+            .to_ascii_lowercase()
+    };
+
+    if name.is_empty() {
+        return Err(anyhow::anyhow!(
+            "probe_video_codec: empty codec name for {path}"
+        ));
+    }
+
+    Ok(name)
+}
+
+// ─── Video transcode (MP4 / WebM-AV1 → WebM VP9+Opus) ───────────────────────
+
+/// Transcode `input` to WebM with VP9 video and Opus audio, writing to `output`.
+///
+/// Equivalent to:
+///   ffmpeg -i <input> -c:v libvpx-vp9 -crf 30 -b:v 0
+///                     -c:a libopus -b:a 128k -map_metadata -1 <output>
+///
+/// Called from `workers/mod.rs` inside `spawn_blocking`.
+///
+/// # Errors
+/// Returns an error if any stage of the transcode fails.
+pub fn ffmpeg_transcode_to_webm(input: &Path, output: &Path) -> Result<()> {
+    init_ffmpeg();
+
+    // ── Input context ─────────────────────────────────────────────────────
+    let mut ictx = format::input(input)
+        .with_context(|| format!("ffmpeg_transcode_to_webm: cannot open {}", input.display()))?;
+
+    // Find video and audio streams.
+    let video_in_idx = ictx
+        .streams()
+        .best(media::Type::Video)
+        .map(|s| s.index());
+    let audio_in_idx = ictx
+        .streams()
+        .best(media::Type::Audio)
+        .map(|s| s.index());
+
+    if video_in_idx.is_none() {
+        return Err(anyhow::anyhow!(
+            "ffmpeg_transcode_to_webm: no video stream in {}",
+            input.display()
+        ));
+    }
+
+    // ── Output context ────────────────────────────────────────────────────
+    let mut octx = format::output(output)
+        .with_context(|| format!("ffmpeg_transcode_to_webm: cannot open output {}", output.display()))?;
+
+    // ── Video encoder (VP9) ───────────────────────────────────────────────
+    let vp9_codec = codec::encoder::find_by_name("libvpx-vp9")
+        .context("libvpx-vp9 encoder missing from static build")?;
+
+    let in_video = ictx
+        .stream(video_in_idx.unwrap())
+        .context("ffmpeg_transcode_to_webm: get video stream")?;
+
+    let mut v_dec = codec::context::Context::from_parameters(in_video.parameters())
+        .context("ffmpeg_transcode_to_webm: video decoder context")?
+        .decoder()
+        .video()
+        .context("ffmpeg_transcode_to_webm: open video decoder")?;
+
+    let mut venc_ctx = codec::context::Context::new_with_codec(vp9_codec)
+        .encoder()
+        .video()
+        .context("ffmpeg_transcode_to_webm: video encoder context")?;
+
+    venc_ctx.set_width(v_dec.width());
+    venc_ctx.set_height(v_dec.height());
+    venc_ctx.set_format(ffmpeg_next::format::Pixel::YUV420P);
+    venc_ctx.set_time_base(in_video.avg_frame_rate().invert());
+
+    let mut v_opts = Dictionary::new();
+    v_opts.set("crf", "30");
+    v_opts.set("b:v", "0"); // constant quality mode
+    v_opts.set("deadline", "good");
+    v_opts.set("cpu-used", "2");
+
+    if octx.format().flags().contains(format::flag::Flags::GLOBAL_HEADER) {
+        venc_ctx.set_flags(codec::flag::Flags::GLOBAL_HEADER);
+    }
+
+    let mut v_enc = venc_ctx
+        .open_with(v_opts)
+        .context("ffmpeg_transcode_to_webm: open VP9 encoder")?;
+    let mut out_v = octx.add_stream(vp9_codec)
+        .context("ffmpeg_transcode_to_webm: add video stream")?;
+    out_v.set_parameters(&v_enc);
+
+    // ── Audio encoder (Opus) ──────────────────────────────────────────────
+    let mut a_dec_opt: Option<codec::decoder::Audio> = None;
+    let mut a_enc_opt: Option<codec::encoder::Audio> = None;
+    let mut out_a_idx: Option<usize> = None;
+    let mut swr_opt: Option<ffmpeg_next::software::resampling::context::Context> = None;
+
+    if let Some(a_idx) = audio_in_idx {
+        let opus_codec = codec::encoder::find_by_name("libopus")
+            .context("libopus encoder missing from static build")?;
+
+        let in_audio = ictx
+            .stream(a_idx)
+            .context("ffmpeg_transcode_to_webm: get audio stream")?;
+
+        let a_dec = codec::context::Context::from_parameters(in_audio.parameters())
+            .context("ffmpeg_transcode_to_webm: audio decoder context")?
+            .decoder()
+            .audio()
+            .context("ffmpeg_transcode_to_webm: open audio decoder")?;
+
+        let mut aenc_ctx = codec::context::Context::new_with_codec(opus_codec)
+            .encoder()
+            .audio()
+            .context("ffmpeg_transcode_to_webm: audio encoder context")?;
+
+        aenc_ctx.set_rate(48000); // Opus native rate
+        aenc_ctx.set_channel_layout(ffmpeg_next::channel_layout::ChannelLayout::STEREO);
+        aenc_ctx.set_format(ffmpeg_next::format::Sample::F32(
+            ffmpeg_next::format::sample::Type::Packed,
+        ));
+        aenc_ctx.set_time_base(Rational(1, 48000));
+        if octx.format().flags().contains(format::flag::Flags::GLOBAL_HEADER) {
+            aenc_ctx.set_flags(codec::flag::Flags::GLOBAL_HEADER);
+        }
+
+        let mut a_opts = Dictionary::new();
+        a_opts.set("b:a", "128k");
+
+        let a_enc = aenc_ctx
+            .open_with(a_opts)
+            .context("ffmpeg_transcode_to_webm: open Opus encoder")?;
+
+        // Resampler: source format → Opus (48 kHz stereo f32).
+        let swr = ffmpeg_next::software::resampling::context::Context::get(
+            a_dec.format(),
+            a_dec.channel_layout(),
+            a_dec.rate(),
+            ffmpeg_next::format::Sample::F32(ffmpeg_next::format::sample::Type::Packed),
+            ffmpeg_next::channel_layout::ChannelLayout::STEREO,
+            48000,
+        )
+        .context("ffmpeg_transcode_to_webm: swr_alloc_set_opts")?;
+
+        let mut out_a = octx.add_stream(opus_codec)
+            .context("ffmpeg_transcode_to_webm: add audio stream")?;
+        out_a.set_parameters(&a_enc);
+        out_a_idx = Some(out_a.index());
+
+        a_dec_opt = Some(a_dec);
+        a_enc_opt = Some(a_enc);
+        swr_opt = Some(swr);
+    }
+
+    // ── Transcode loop ────────────────────────────────────────────────────
+    octx.write_header()
+        .context("ffmpeg_transcode_to_webm: write_header")?;
+
+    let mut v_pts: i64 = 0;
+    let mut a_pts: i64 = 0;
+
+    let video_in_idx = video_in_idx.unwrap();
+
+    for (stream, packet) in ictx.packets() {
+        let idx = stream.index();
+
+        if idx == video_in_idx {
+            v_dec.send_packet(&packet)
+                .context("ffmpeg_transcode_to_webm: send video packet")?;
+            let mut vf = frame::Video::empty();
+            while v_dec.receive_frame(&mut vf).is_ok() {
+                // Reformat to YUV420P if needed.
+                let enc_frame = if vf.format() == ffmpeg_next::format::Pixel::YUV420P {
+                    vf.clone()
+                } else {
+                    let mut converted = frame::Video::new(
+                        ffmpeg_next::format::Pixel::YUV420P,
+                        vf.width(),
+                        vf.height(),
+                    );
+                    let mut sws = SwsContext::get(
+                        vf.format(), vf.width(), vf.height(),
+                        ffmpeg_next::format::Pixel::YUV420P, vf.width(), vf.height(),
+                        SwsFlags::BILINEAR,
+                    ).context("ffmpeg_transcode_to_webm: sws for video reformat")?;
+                    sws.run(&vf, &mut converted)
+                        .context("ffmpeg_transcode_to_webm: sws_scale video")?;
+                    converted
+                };
+                let mut enc_frame = enc_frame;
+                enc_frame.set_pts(Some(v_pts));
+                v_pts += 1;
+
+                v_enc.send_frame(Some(&enc_frame))
+                    .context("ffmpeg_transcode_to_webm: send video frame")?;
+                let mut pkt = ffmpeg_next::Packet::empty();
+                while v_enc.receive_packet(&mut pkt).is_ok() {
+                    pkt.set_stream(0);
+                    pkt.rescale_ts(v_enc.time_base(), out_v.time_base());
+                    pkt.write_interleaved(&mut octx)
+                        .context("ffmpeg_transcode_to_webm: write video pkt")?;
+                }
+            }
+        } else if Some(idx) == audio_in_idx {
+            if let (Some(ref mut a_dec), Some(ref mut a_enc), Some(ref mut swr), Some(out_a)) =
+                (&mut a_dec_opt, &mut a_enc_opt, &mut swr_opt, out_a_idx)
+            {
+                a_dec.send_packet(&packet)
+                    .context("ffmpeg_transcode_to_webm: send audio packet")?;
+                let mut af = frame::Audio::empty();
+                while a_dec.receive_frame(&mut af).is_ok() {
+                    let mut resampled = frame::Audio::empty();
+                    swr.run(&af, &mut resampled)
+                        .context("ffmpeg_transcode_to_webm: swr_convert")?;
+                    resampled.set_pts(Some(a_pts));
+                    a_pts += resampled.samples() as i64;
+
+                    a_enc.send_frame(Some(&resampled))
+                        .context("ffmpeg_transcode_to_webm: send audio frame")?;
+                    let mut pkt = ffmpeg_next::Packet::empty();
+                    while a_enc.receive_packet(&mut pkt).is_ok() {
+                        pkt.set_stream(out_a);
+                        pkt.rescale_ts(a_enc.time_base(), octx.stream(out_a).unwrap().time_base());
+                        pkt.write_interleaved(&mut octx)
+                            .context("ffmpeg_transcode_to_webm: write audio pkt")?;
+                    }
+                }
+            }
+        }
+    }
+
+    // ── Flush video encoder ───────────────────────────────────────────────
+    v_dec.send_eof().ok();
+    let mut vf = frame::Video::empty();
+    while v_dec.receive_frame(&mut vf).is_ok() {
+        vf.set_pts(Some(v_pts));
+        v_pts += 1;
+        v_enc.send_frame(Some(&vf)).ok();
+        let mut pkt = ffmpeg_next::Packet::empty();
+        while v_enc.receive_packet(&mut pkt).is_ok() {
+            pkt.set_stream(0);
+            pkt.rescale_ts(v_enc.time_base(), out_v.time_base());
+            pkt.write_interleaved(&mut octx).ok();
+        }
+    }
+    v_enc.send_eof().ok();
+    let mut pkt = ffmpeg_next::Packet::empty();
+    while v_enc.receive_packet(&mut pkt).is_ok() {
+        pkt.set_stream(0);
+        pkt.rescale_ts(v_enc.time_base(), out_v.time_base());
+        pkt.write_interleaved(&mut octx).ok();
+    }
+
+    // ── Flush audio encoder ───────────────────────────────────────────────
+    if let (Some(ref mut a_dec), Some(ref mut a_enc), Some(out_a)) =
+        (a_dec_opt, a_enc_opt, out_a_idx)
+    {
+        a_dec.send_eof().ok();
+        let mut af = frame::Audio::empty();
+        while a_dec.receive_frame(&mut af).is_ok() {
+            a_enc.send_frame(Some(&af)).ok();
+        }
+        a_enc.send_eof().ok();
+        let mut pkt = ffmpeg_next::Packet::empty();
+        while a_enc.receive_packet(&mut pkt).is_ok() {
+            pkt.set_stream(out_a);
+            pkt.write_interleaved(&mut octx).ok();
+        }
+    }
+
+    octx.write_trailer()
+        .context("ffmpeg_transcode_to_webm: write_trailer")?;
+
+    Ok(())
+}
+
+// ─── Audio waveform PNG ───────────────────────────────────────────────────────
+
+/// Render a waveform image for an audio file via libavfilter's `showwavespic`.
+///
+/// Equivalent to:
+///   ffmpeg -i <input>
+///     -filter_complex "showwavespic=s=WxH:colors=0x888888"
+///     -frames:v 1 <output.png>
+///
+/// Called from `workers/mod.rs` inside `spawn_blocking`.
+///
+/// # Errors
+/// Returns an error if the filtergraph cannot be built or the PNG cannot be
+/// written.
+pub fn ffmpeg_audio_waveform(
+    input: &Path,
+    output: &Path,
+    width: u32,
+    height: u32,
+) -> Result<()> {
+    init_ffmpeg();
+
+    // ── Build filter graph ────────────────────────────────────────────────
+    // showwavespic reads the *entire* audio stream and produces a single
+    // frame. We route it through a buffer source → showwavespic → buffersink.
+    let mut ictx = format::input(input)
+        .with_context(|| format!("ffmpeg_audio_waveform: cannot open {}", input.display()))?;
+
+    let in_stream = ictx
+        .streams()
+        .best(media::Type::Audio)
+        .context("ffmpeg_audio_waveform: no audio stream")?;
+    let in_idx = in_stream.index();
+
+    let mut a_dec = codec::context::Context::from_parameters(in_stream.parameters())
+        .context("ffmpeg_audio_waveform: decoder context")?
+        .decoder()
+        .audio()
+        .context("ffmpeg_audio_waveform: open decoder")?;
+
+    // Build lavfi graph:
+    //   abuffer → showwavespic=s=WxH:colors=0x888888 → buffersink
+    let filter_str = format!("showwavespic=s={width}x{height}:colors=0x888888");
+
+    let mut graph = filter::Graph::new();
+
+    // abuffer: feed raw audio frames into the graph.
+    let abuf_args = format!(
+        "sample_rate={}:sample_fmt={}:channel_layout=0x{:x}:time_base={}/{}",
+        a_dec.rate(),
+        ffmpeg_next::format::Sample::name(a_dec.format()),
+        a_dec.channel_layout().bits(),
+        in_stream.time_base().0,
+        in_stream.time_base().1,
+    );
+    graph
+        .add(&filter::find("abuffer").context("abuffer filter not found")?, "in", &abuf_args)
+        .context("ffmpeg_audio_waveform: add abuffer")?;
+
+    // showwavespic filter
+    graph
+        .add(
+            &filter::find("showwavespic").context("showwavespic filter not found")?,
+            "showwavespic",
+            &filter_str,
+        )
+        .context("ffmpeg_audio_waveform: add showwavespic")?;
+
+    // buffersink: pull the rendered frame out.
+    graph
+        .add(
+            &filter::find("buffersink").context("buffersink filter not found")?,
+            "out",
+            "",
+        )
+        .context("ffmpeg_audio_waveform: add buffersink")?;
+
+    // Link: in → showwavespic → out
+    {
+        let mut in_node   = graph.get("in").context("ffmpeg_audio_waveform: get abuffer")?;
+        let mut wave_node = graph.get("showwavespic").context("ffmpeg_audio_waveform: get showwavespic")?;
+        let mut out_node  = graph.get("out").context("ffmpeg_audio_waveform: get buffersink")?;
+        in_node
+            .output("default", 0)
+            .context("ffmpeg_audio_waveform: abuffer output")?
+            .input("default", 0)
+            .context("ffmpeg_audio_waveform: showwavespic input")?
+            .add()
+            .context("ffmpeg_audio_waveform: link in→wave")?;
+        wave_node
+            .output("default", 0)
+            .context("ffmpeg_audio_waveform: showwavespic output")?
+            .input("default", 0)
+            .context("ffmpeg_audio_waveform: buffersink input")?
+            .add()
+            .context("ffmpeg_audio_waveform: link wave→out")?;
+    }
+    graph
+        .validate()
+        .context("ffmpeg_audio_waveform: filter graph validate")?;
+
+    // ── Feed all audio frames into the graph ──────────────────────────────
+    for (stream, packet) in ictx.packets() {
+        if stream.index() != in_idx {
+            continue;
+        }
+        a_dec
+            .send_packet(&packet)
+            .context("ffmpeg_audio_waveform: send_packet")?;
+        let mut frame = frame::Audio::empty();
+        while a_dec.receive_frame(&mut frame).is_ok() {
+            graph
+                .get("in")
+                .context("ffmpeg_audio_waveform: get abuffer for push")?
+                .source()
+                .add(&frame.into())
+                .context("ffmpeg_audio_waveform: push frame")?;
+        }
+    }
+    // Signal EOF so showwavespic renders the final frame.
+    a_dec.send_eof().ok();
+    let mut frame = frame::Audio::empty();
+    while a_dec.receive_frame(&mut frame).is_ok() {
+        graph
+            .get("in")
+            .unwrap()
+            .source()
+            .add(&frame.into())
+            .ok();
+    }
+    graph
+        .get("in")
+        .unwrap()
+        .source()
+        .flush()
+        .context("ffmpeg_audio_waveform: flush abuffer")?;
+
+    // ── Pull the rendered video frame from the sink ───────────────────────
+    let mut rendered = frame::Video::empty();
+    graph
+        .get("out")
+        .context("ffmpeg_audio_waveform: get buffersink for pull")?
+        .sink()
+        .frame(&mut rendered)
+        .context("ffmpeg_audio_waveform: pull rendered frame")?;
+
+    // ── Encode rendered frame as PNG ──────────────────────────────────────
+    let png_codec = codec::encoder::find_by_name("png")
+        .context("png encoder not found in static build")?;
+
+    let mut octx = format::output(output)
+        .with_context(|| format!("ffmpeg_audio_waveform: cannot open output {}", output.display()))?;
+
+    let mut enc_ctx = codec::context::Context::new_with_codec(png_codec)
+        .encoder()
+        .video()
+        .context("ffmpeg_audio_waveform: PNG encoder context")?;
+
+    enc_ctx.set_width(width);
+    enc_ctx.set_height(height);
+    enc_ctx.set_format(ffmpeg_next::format::Pixel::RGB24);
+    enc_ctx.set_time_base(Rational(1, 1));
+
+    let mut enc = enc_ctx
+        .open()
+        .context("ffmpeg_audio_waveform: open PNG encoder")?;
+
+    // showwavespic outputs RGBA; convert to RGB24 for PNG encoder.
+    let mut rgb = frame::Video::new(ffmpeg_next::format::Pixel::RGB24, width, height);
+    let mut sws = SwsContext::get(
+        rendered.format(), width, height,
+        ffmpeg_next::format::Pixel::RGB24, width, height,
+        SwsFlags::BILINEAR,
+    )
+    .context("ffmpeg_audio_waveform: sws for RGB24 convert")?;
+    sws.run(&rendered, &mut rgb)
+        .context("ffmpeg_audio_waveform: sws_scale to RGB24")?;
+    rgb.set_pts(Some(0));
+
+    let mut out_stream = octx.add_stream(png_codec)
+        .context("ffmpeg_audio_waveform: add PNG stream")?;
+    out_stream.set_parameters(&enc);
+
+    octx.write_header()
+        .context("ffmpeg_audio_waveform: write_header")?;
+
+    enc.send_frame(Some(&rgb))
+        .context("ffmpeg_audio_waveform: send_frame")?;
+    enc.send_eof()
+        .context("ffmpeg_audio_waveform: send_eof")?;
+
+    let mut pkt = ffmpeg_next::Packet::empty();
+    while enc.receive_packet(&mut pkt).is_ok() {
+        pkt.set_stream(0);
+        pkt.write_interleaved(&mut octx)
+            .context("ffmpeg_audio_waveform: write_interleaved")?;
+    }
+
+    octx.write_trailer()
+        .context("ffmpeg_audio_waveform: write_trailer")?;
+
+    Ok(())
+}
+
+// ─── Dead-code stubs (kept for API compatibility) ─────────────────────────────
+
+/// Formerly converted GIF → WebM/VP9. Superseded by animated WebP path.
+/// Retained as dead code. Remove in a follow-up cleanup.
+#[allow(dead_code)]
+pub fn ffmpeg_gif_to_webm(input: &Path, output: &Path) -> Result<()> {
+    ffmpeg_transcode_to_webm(input, output)
+}
+
+// ─── Internal helpers ─────────────────────────────────────────────────────────
+
+/// Compute output dimensions that fit within `max_dim × max_dim` while
+/// preserving the source aspect ratio. The smaller axis is rounded to an
+/// even number (required by many YUV codecs).
+fn scale_dims(src_w: u32, src_h: u32, max_dim: u32) -> (u32, u32) {
+    if src_w == 0 || src_h == 0 {
+        return (max_dim, max_dim);
+    }
+    let (w, h) = if src_w >= src_h {
+        let h = (src_h * max_dim / src_w).max(2) & !1;
+        (max_dim, h)
+    } else {
+        let w = (src_w * max_dim / src_h).max(2) & !1;
+        (w, max_dim)
+    };
+    (w, h)
+}
+```
+
+---
+
+## 3. `src/workers/mod.rs` — surgical changes only
+
+Only the two sections that spawn `TokioCommand::new("ffmpeg")` change.
+Everything else (prepare, finalise, timeout logic, DB updates) is untouched.
+
+### 3a. Remove the import
+
+```rust
+// REMOVE this line:
+use tokio::process::Command as TokioCommand;
+// REMOVE this if only used by ffmpeg spawn:
+use std::process::Stdio;
+```
+
+### 3b. `transcode_video()` — replace the subprocess block
+
+The function currently has three phases: `transcode_video_prepare` (spawn_blocking),
+subprocess spawn + wait, `transcode_video_finalise` (spawn_blocking).
+Replace only **phase 2** (lines roughly 490–520):
+
+```rust
+// ── REMOVE: TokioCommand subprocess spawn ─────────────────────────────────
+// let child = TokioCommand::new("ffmpeg")
+//     .args(&args)
+//     .stderr(Stdio::piped())
+//     .stdout(Stdio::null())
+//     .kill_on_drop(true)
+//     .spawn()
+//     .map_err(|e| anyhow::anyhow!("failed to spawn ffmpeg: {e}"))?;
+//
+// match timeout(ffmpeg_timeout, child.wait_with_output()).await { ... }
+
+// ── REPLACE WITH: in-process library call ────────────────────────────────
+// `args` is no longer needed — pass src/dst paths directly.
+// Re-derive them from the prepare result (src_path and tmp.path()).
+let src_path2  = src_path.clone();
+let tmp_path2  = tmp.path().to_path_buf();
+let timed_out  = timeout(
+    ffmpeg_timeout,
+    tokio::task::spawn_blocking(move || {
+        crate::media::ffmpeg::ffmpeg_transcode_to_webm(&src_path2, &tmp_path2)
+    }),
+)
+.await;
+
+match timed_out {
+    Ok(Ok(Ok(()))) => {}
+    Ok(Ok(Err(e))) => return Err(e),
+    Ok(Err(join_err)) => {
+        return Err(anyhow::anyhow!("spawn_blocking panicked: {join_err}"))
+    }
+    Err(_elapsed) => {
+        // tmp is still alive here — NamedTempFile drops and removes the
+        // partial output when this function returns, so no cleanup needed.
+        warn!(
+            "VideoTranscode: post {post_id} timed out after {timeout_secs}s"
+        );
+        return Err(anyhow::anyhow!(
+            "transcode timed out after {timeout_secs}s"
+        ));
+    }
+}
+```
+
+> **Note on `args`**: `transcode_video_prepare` builds a `Vec<String>` of
+> ffmpeg CLI arguments. After migration this vector is unused. You can either
+> leave the prepare function as-is (the `args` binding is silently dropped) or
+> simplify `transcode_video_prepare` to return only
+> `(src_path, webm_abs, webm_rel, webm_name, tmp)` by removing the argument
+> construction block. The prepare function is only called from one place, so
+> either approach is safe.
+
+### 3b. `generate_waveform()` — replace the subprocess block
+
+Same pattern. Replace only the `TokioCommand` phase between `waveform_prepare`
+and `waveform_finalise`:
+
+```rust
+// ── REMOVE: TokioCommand subprocess spawn ─────────────────────────────────
+// let child = TokioCommand::new("ffmpeg")
+//     .args(&args)
+//     .stderr(Stdio::piped())
+//     .stdout(Stdio::null())
+//     .kill_on_drop(true)
+//     .spawn()
+//     .map_err(...)?;
+// match timeout(ffmpeg_timeout, child.wait_with_output()).await { ... }
+
+// ── REPLACE WITH ──────────────────────────────────────────────────────────
+let src_path3   = src.clone(); // src comes from waveform_prepare
+let out_path3   = png_abs.clone();
+let thumb_size  = CONFIG.thumb_size;
+
+let timed_out = timeout(
+    ffmpeg_timeout,
+    tokio::task::spawn_blocking(move || {
+        crate::media::ffmpeg::ffmpeg_audio_waveform(
+            &src_path3,
+            &out_path3,
+            thumb_size,
+            thumb_size / 2,
+        )
+    }),
+)
+.await;
+
+match timed_out {
+    Ok(Ok(Ok(()))) => {}
+    Ok(Ok(Err(e))) => return Err(e),
+    Ok(Err(join_err)) => {
+        return Err(anyhow::anyhow!("spawn_blocking panicked: {join_err}"))
+    }
+    Err(_elapsed) => {
+        warn!("AudioWaveform: post {post_id} timed out after {timeout_secs}s");
+        return Err(anyhow::anyhow!(
+            "waveform timed out after {timeout_secs}s"
+        ));
+    }
+}
+```
+
+> **Note**: `waveform_prepare` currently passes `src_str` and `tmp_str` as
+> strings for the CLI arg list. After migration the only paths needed are the
+> original `src: PathBuf` and the temp file path from `tmp_png.path()`.
+> The prepare function can be simplified to not build a `Vec<String>` at all,
+> but this is optional cleanup.
+
+---
+
+## 4. `src/detect.rs` — ffmpeg section replacement
+
+Replace the entire ffmpeg detection section (roughly lines 38–175) with:
+
+```rust
+// ─── ffmpeg ───────────────────────────────────────────────────────────────────
+
+/// Initialise the statically linked ffmpeg library and report it as available.
+///
+/// Previously probed for the `ffmpeg` binary on PATH. Now just calls
+/// `init_ffmpeg()` and always returns `Available`.
+///
+/// The `require_ffmpeg` parameter is retained for API compatibility; it is
+/// ignored because ffmpeg is always present in a static build.
+pub fn detect_ffmpeg(_require_ffmpeg: bool) -> ToolStatus {
+    crate::media::ffmpeg::init_ffmpeg();
+    tracing::info!(
+        target: "detect",
+        available = true,
+        "ffmpeg compiled-in — media conversion and thumbnails always enabled"
+    );
+    ToolStatus::Available
+}
+
+/// Always returns true: libwebp is compiled into the static ffmpeg build.
+pub fn detect_webp_encoder(_ffmpeg_ok: bool) -> bool {
+    tracing::info!(target: "detect", webp = true, "libwebp compiled-in");
+    true
+}
+
+/// Always returns true: libvpx-vp9 and libopus are compiled in.
+pub fn detect_webm_encoder(_ffmpeg_ok: bool) -> bool {
+    tracing::info!(
+        target: "detect",
+        vp9 = true,
+        opus = true,
+        "VP9 + Opus compiled-in — MP4→WebM transcoding always enabled"
+    );
+    true
+}
+```
+
+Delete the following functions entirely (they are only reached when a codec is
+absent, which can never happen with a static build):
+
+- `webp_install_hint()`
+- `webm_install_hint(has_vp9, has_opus)`
+
+---
+
+## 5. Optional: simplify `src/media/mod.rs`
+
+`MediaProcessor::new()` currently probes for ffmpeg at construction time.
+With a static build the probes always succeed, so the constructor can be
+simplified. This is safe to skip — the existing code still works correctly.
+
+```rust
+// Optional simplification of MediaProcessor::new()
+#[must_use]
+pub fn new() -> Self {
+    // ffmpeg is compiled in — no runtime probe needed.
+    crate::media::ffmpeg::init_ffmpeg();
+    Self {
+        ffmpeg_available: true,
+        ffmpeg_webp_available: true,
+    }
+}
+```
+
+---
+
+## 6. Summary of changed files
+
+| File | Change |
+|---|---|
+| `Cargo.toml` | Add `ffmpeg-next` with `static` feature |
+| `.cargo/config.toml` | New file — pin `FFMPEG_BUILD_VERSION` |
+| `src/media/ffmpeg.rs` | Complete replacement (see §2) |
+| `src/workers/mod.rs` | Replace two `TokioCommand` blocks (see §3) |
+| `src/detect.rs` | Replace ffmpeg detection section (see §4) |
+| `src/media/mod.rs` | Optional simplification of `new()` (see §5) |
+| `src/media/convert.rs` | **No changes** |
+| `src/media/thumbnail.rs` | **No changes** |
+| `src/server/server.rs` | **No changes** |
+| `src/middleware/mod.rs` | **No changes** |
diff --git a/src/config.rs b/src/config.rs
index 3cc6d75..ed2cbc7 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -161,9 +161,11 @@ max_video_size_mb = 50
 # Maximum size for audio uploads in megabytes (mp3, ogg, flac, wav, m4a, aac).
 max_audio_size_mb = 150
 
-# Tor Onion Service support.
-# When true, the server probes for `tor` at startup and prints torrc hints.
-# The server always starts regardless — this is purely informational.
+# Tor Onion Service support (powered by Arti — no system tor required).
+# When true, Arti bootstraps at startup and hosts a .onion hidden service.
+# First run downloads ~2 MB of directory data and takes ~30 s.
+# The service keypair lives in rustchan-data/arti_state/keys/ — back it up.
+# Delete that directory to rotate to a new .onion address.
 enable_tor_support = true
 
 # Set to true to hard-exit at startup when ffmpeg is not found.
diff --git a/src/detect.rs b/src/detect.rs
index 79866fe..9b809ee 100644
--- a/src/detect.rs
+++ b/src/detect.rs
@@ -11,7 +11,7 @@
 
 use std::path::Path;
 use std::process::{Command, Stdio};
-use std::sync::{Arc, Mutex, OnceLock};
+use std::sync::Arc;
 
 /// Result of probing for a tool at startup.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
@@ -20,20 +20,6 @@ pub enum ToolStatus {
     Missing,
 }
 
-// ─── Global Tor child handle ──────────────────────────────────────────────────
-
-static TOR_CHILD: OnceLock<Arc<Mutex<std::process::Child>>> = OnceLock::new();
-
-#[allow(dead_code)]
-pub fn kill_tor() {
-    if let Some(child) = TOR_CHILD.get() {
-        if let Ok(mut c) = child.lock() {
-            let _ = c.kill();
-            let _ = c.wait();
-        }
-    }
-}
-
 // ─── ffmpeg ───────────────────────────────────────────────────────────────────
 
 pub fn detect_ffmpeg(require_ffmpeg: bool) -> ToolStatus {
@@ -207,397 +193,200 @@ fn webm_install_hint(has_vp9: bool, has_opus: bool) -> String {
     s
 }
 
-// ─── Tor ─────────────────────────────────────────────────────────────────────
-
-#[allow(clippy::too_many_lines)]
-#[allow(clippy::expect_used)]
-#[allow(clippy::arithmetic_side_effects)]
-pub fn detect_tor(enable_tor_support: bool, bind_port: u16, data_dir: &Path) -> ToolStatus {
+// ─── Tor (Arti in-process) ────────────────────────────────────────────────────
+//
+// Previously: spawned the system `tor` binary as a subprocess, wrote a torrc,
+// created two directories with chmod 0700, and polled for the hostname file
+// for up to 120 seconds.
+//
+// Now: spawns one Tokio task that bootstraps Arti in-process, launches the
+// onion service, and proxies incoming connections to the local HTTP server.
+// No subprocess, no torrc, no hostname file, no polling loop.
+
+use arti_client::{config::TorClientConfigBuilder, TorClient};
+use futures::StreamExt;
+use tokio::net::TcpStream;
+use tokio::sync::RwLock;
+use tor_cell::relaycell::msg::Connected;
+use tor_hsservice::{config::OnionServiceConfigBuilder, handle_rend_requests, HsId, StreamRequest};
+
+/// Spawn the Arti in-process Tor task.
+///
+/// Returns `Available` immediately. The onion address becomes available in
+/// `onion_address` roughly 30 seconds later on first run or ~5 seconds on
+/// subsequent runs (consensus served from `arti_cache/`).
+///
+/// If `enable_tor_support` is false this is a no-op and returns `Missing`.
+pub fn detect_tor(
+    enable_tor_support: bool,
+    bind_port: u16,
+    data_dir: &Path,
+    onion_address: Arc<RwLock<Option<String>>>,
+) -> ToolStatus {
     if !enable_tor_support {
         return ToolStatus::Missing;
     }
 
-    let candidates = [
-        "/opt/homebrew/bin/tor",
-        "/usr/local/bin/tor",
-        "/usr/bin/tor",
-        "tor",
-    ];
-
-    let tor_bin: Option<&str> = candidates.iter().copied().find(|bin| {
-        Command::new(bin)
-            .arg("--version")
-            .stdout(Stdio::null())
-            .stderr(Stdio::null())
-            .status()
-            .is_ok()
-    });
+    let data_dir = data_dir.to_path_buf();
 
-    let Some(tor_bin) = tor_bin else {
-        tracing::warn!(target: "detect", available = false, "Tor not found — onion service disabled");
-        if crate::logging::is_tty() {
-            crate::logging::console_print_raw(&tor_install_hint(bind_port));
+    tokio::spawn(async move {
+        if let Err(e) = run_arti(data_dir, bind_port, onion_address).await {
+            tracing::error!(target: "detect", error = %e, "Tor: fatal error in Arti task");
         }
-        return ToolStatus::Missing;
-    };
+    });
 
-    tracing::info!(target: "detect", binary = tor_bin, "Tor binary found");
+    tracing::info!(
+        target: "detect",
+        "Tor: Arti task spawned — bootstrapping in background (first run ~30 s)"
+    );
+    ToolStatus::Available
+}
 
-    let hs_dir = data_dir.join("tor_hidden_service");
-    let data_subdir = data_dir.join("tor_data");
+/// No-op. Previously killed the tor subprocess.
+/// The [`TorClient`] is owned by the `tokio::spawn` task; dropping the runtime
+/// closes all circuits cleanly.
+#[allow(dead_code)]
+pub const fn kill_tor() {}
 
-    for dir in [&hs_dir, &data_subdir] {
-        if let Err(e) = std::fs::create_dir_all(dir) {
-            tracing::warn!(
-                target: "detect",
-                path = %dir.display(),
-                error = %e,
-                "Tor: cannot create directory"
-            );
-            if crate::logging::is_tty() {
-                crate::logging::console_print_raw(&tor_torrc_hint(&hs_dir, bind_port));
-            }
-            return ToolStatus::Missing;
-        }
-    }
+// ─── Core Arti task ───────────────────────────────────────────────────────────
 
-    #[cfg(unix)]
-    {
-        use std::os::unix::fs::PermissionsExt;
-        for dir in [&hs_dir, &data_subdir] {
-            if let Err(e) = std::fs::set_permissions(dir, std::fs::Permissions::from_mode(0o700)) {
-                tracing::warn!(
-                    target: "detect",
-                    path = %dir.display(),
-                    error = %e,
-                    "Tor: cannot set 0700 permissions (Tor may reject directory)"
-                );
-            }
-        }
-    }
+async fn run_arti(
+    data_dir: std::path::PathBuf,
+    bind_port: u16,
+    onion_address: Arc<RwLock<Option<String>>>,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    // arti_cache/ — consensus cache (safe to delete; re-fetched on next start).
+    // arti_state/ — service keypair. Back this up.
+    //   Delete it only if you want a new .onion address.
+    //
+    // NOTE: TorClientConfigBuilder::from_directories takes AsRef<Path> directly.
+    // Do NOT use the builder().storage().cache_dir(PathBuf) path — CfgPath does
+    // not implement From<PathBuf> and it will not compile.
+    let config = TorClientConfigBuilder::from_directories(
+        data_dir.join("arti_state"),
+        data_dir.join("arti_cache"),
+    )
+    .build()?;
 
-    let canon = |p: &Path| p.canonicalize().unwrap_or_else(|_| p.to_path_buf());
-    let hs_abs = canon(&hs_dir);
-    let data_abs = canon(&data_subdir);
-    let torrc_path = canon(data_dir).join("torrc");
-
-    let torrc = format!(
-        "# RustChan — auto-generated torrc  (do not edit while Tor is running)\n\
-         \n\
-         SocksPort 0\n\
-         DataDirectory \"{data}\"\n\
-         \n\
-         HiddenServiceDir \"{hs}\"\n\
-         HiddenServicePort 80 127.0.0.1:{port}\n",
-        data = data_abs.display(),
-        hs = hs_abs.display(),
-        port = bind_port,
+    tracing::info!(
+        target: "detect",
+        cache_dir  = %data_dir.join("arti_cache").display(),
+        state_dir  = %data_dir.join("arti_state").display(),
+        "Tor: bootstrapping — first run downloads ~2 MB of directory data"
     );
 
-    if let Err(e) = std::fs::write(&torrc_path, &torrc) {
-        tracing::warn!(
-            target: "detect",
-            path  = %torrc_path.display(),
-            error = %e,
-            "Tor: cannot write torrc"
-        );
-        if crate::logging::is_tty() {
-            crate::logging::console_print_raw(&tor_torrc_hint(&hs_dir, bind_port));
-        }
-        return ToolStatus::Missing;
-    }
+    let tor_client = TorClient::create_bootstrapped(config)
+        .await
+        .map_err(|e| format!("Tor bootstrap failed: {e}"))?;
+
+    tracing::info!(target: "detect", "Tor: connected to the Tor network");
+
+    let svc_config = OnionServiceConfigBuilder::default()
+        .nickname("rustchan".parse()?)
+        .build()?;
+
+    let (onion_service, rend_requests) = tor_client
+        .launch_onion_service(svc_config)?
+        .ok_or("launch_onion_service returned None — unexpected with code-only config")?;
+
+    let hsid = onion_service
+        .onion_address()
+        .ok_or("onion_address() returned None immediately after launch")?;
+    let onion_name = hsid_to_onion_address(hsid);
 
     tracing::info!(
         target: "detect",
-        torrc      = %torrc_path.display(),
-        hidden_svc = %hs_abs.display(),
-        data_dir   = %data_abs.display(),
-        "Tor configured"
+        onion_address = %onion_name,
+        keys_dir = %data_dir.join("arti_state").join("keys").display(),
+        "Tor: hidden service active"
     );
 
-    let child = Command::new(tor_bin)
-        .arg("-f")
-        .arg(&torrc_path)
-        .stdout(Stdio::null())
-        .stderr(Stdio::piped())
-        .spawn();
-
-    let mut child = match child {
-        Err(e) => {
-            tracing::warn!(
-                target: "detect",
-                binary = tor_bin,
-                error  = %e,
-                "Tor: failed to start process"
-            );
-            if crate::logging::is_tty() {
-                crate::logging::console_print_raw(&tor_torrc_hint(&hs_dir, bind_port));
-            }
-            return ToolStatus::Missing;
-        }
-        Ok(c) => c,
-    };
-
-    let stderr_lines: Arc<Mutex<Vec<String>>> = Arc::new(Mutex::new(Vec::new()));
-    if let Some(pipe) = child.stderr.take() {
-        let buf = Arc::clone(&stderr_lines);
-        std::thread::spawn(move || {
-            use std::io::{BufRead, BufReader};
-            for line in BufReader::new(pipe).lines().map_while(Result::ok).take(500) {
-                if let Ok(mut g) = buf.lock() {
-                    g.push(line);
-                }
-            }
-        });
+    *onion_address.write().await = Some(onion_name.clone());
+
+    if crate::logging::is_tty() {
+        crate::logging::console_print_raw(&format!(
+            "\n\
+            ╔══════════════════════════════════════════════════════╗\n\
+            ║  TOR ONION SERVICE ACTIVE  ✓                         ║\n\
+            ╠══════════════════════════════════════════════════════╣\n\
+            ║  http://{onion:<44}║\n\
+            ║                                                      ║\n\
+            ║  Keys stored at:                                     ║\n\
+            ║    {keys:<50}║\n\
+            ║  Back up this directory to preserve your address.    ║\n\
+            ╚══════════════════════════════════════════════════════╝\n\n",
+            onion = onion_name,
+            keys = data_dir.join("arti_state/keys").display(),
+        ));
     }
 
-    let child = Arc::new(Mutex::new(child));
-    let _ = TOR_CHILD.set(Arc::clone(&child));
-
-    let prev_hook = std::panic::take_hook();
-    std::panic::set_hook(Box::new(move |info| {
-        // A panic hook MUST NOT panic — doing so causes an unconditional abort
-        // with no useful diagnostic output.  We therefore use try_lock() so
-        // that a poisoned or already-locked mutex is silently skipped; the OS
-        // will reap the Tor child on process exit regardless.
-        if let Some(child) = TOR_CHILD.get() {
-            if let Ok(mut c) = child.try_lock() {
-                let _ = c.kill();
-                let _ = c.wait();
-            }
-            // If try_lock fails (mutex poisoned or already held during unwind),
-            // skip the kill — do NOT call .lock()/.expect() here.
-        }
-        prev_hook(info);
-    }));
-
-    // Recover from a poisoned mutex instead of crashing the process.
-    let pid = child
-        .lock()
-        .unwrap_or_else(std::sync::PoisonError::into_inner)
-        .id();
-    tracing::info!(target: "detect", pid = pid, "Tor process started — waiting for .onion address");
-
-    let hostname_path = hs_abs.join("hostname");
-    let torrc_display = torrc_path.display().to_string();
-    let tor_bin_owned = tor_bin.to_string();
-
-    let child_bg = Arc::clone(&child);
-    let stderr_bg = Arc::clone(&stderr_lines);
-
-    std::thread::spawn(move || {
-        std::thread::sleep(std::time::Duration::from_secs(4));
-
-        let try_wait_result = child_bg
-            .lock()
-            .unwrap_or_else(std::sync::PoisonError::into_inner)
-            .try_wait();
-
-        match try_wait_result {
-            Ok(Some(status)) => {
-                let lines = stderr_bg
-                    .lock()
-                    .unwrap_or_else(std::sync::PoisonError::into_inner);
-                tracing::error!(
-                    target: "detect",
-                    exit_status = %status,
-                    "Tor process exited early"
-                );
-                if crate::logging::is_tty() && !lines.is_empty() {
-                    let mut block =
-                        String::from("\n  ── Tor stderr ──────────────────────────────────\n");
-                    for line in lines.iter().take(20) {
-                        block.push_str("  ");
-                        block.push_str(line);
-                        block.push('\n');
-                    }
-                    block.push_str("  ────────────────────────────────────────────────\n\n");
-                    drop(lines);
-                    crate::logging::console_print_raw(&block);
-                    crate::logging::console_print_raw(&tor_diagnosis_hint(
-                        &torrc_display,
-                        &tor_bin_owned,
-                        bind_port,
-                    ));
-                }
-                return;
-            }
-            Ok(None) => {}
-            Err(e) => {
-                tracing::warn!(target: "detect", error = %e, "Tor: could not query process status");
-            }
-        }
-
-        poll_for_hostname(
-            &hostname_path,
-            &child_bg,
-            &stderr_bg,
-            &torrc_display,
-            &tor_bin_owned,
-            bind_port,
-        );
-    });
-
-    ToolStatus::Available
-}
+    let mut stream_requests = handle_rend_requests(rend_requests);
 
-// ─── Hostname polling ─────────────────────────────────────────────────────────
-
-#[allow(clippy::expect_used)]
-#[allow(clippy::arithmetic_side_effects)]
-fn poll_for_hostname(
-    hostname_path: &Path,
-    child: &Arc<Mutex<std::process::Child>>,
-    stderr_lines: &Arc<Mutex<Vec<String>>>,
-    torrc_display: &str,
-    tor_bin: &str,
-    bind_port: u16,
-) {
-    const TIMEOUT_SECS: u64 = 120;
-    const POLL_MS: u64 = 500;
-    let deadline = std::time::Instant::now() + std::time::Duration::from_secs(TIMEOUT_SECS);
-
-    loop {
-        if let Ok(mut c) = child.try_lock() {
-            if let Ok(Some(status)) = c.try_wait() {
-                let lines = stderr_lines
-                    .lock()
-                    .unwrap_or_else(std::sync::PoisonError::into_inner);
-                tracing::error!(
+    while let Some(stream_req) = stream_requests.next().await {
+        let local_addr = format!("127.0.0.1:{bind_port}");
+        tokio::spawn(async move {
+            if let Err(e) = proxy_tor_stream(stream_req, &local_addr).await {
+                tracing::debug!(
                     target: "detect",
-                    exit_status = %status,
-                    "Tor process crashed during startup"
+                    error = %e,
+                    "Tor: stream closed"
                 );
-                if crate::logging::is_tty() && !lines.is_empty() {
-                    let mut block =
-                        String::from("\n  ── Tor stderr ──────────────────────────────────\n");
-                    for line in lines.iter().take(20) {
-                        block.push_str("  ");
-                        block.push_str(line);
-                        block.push('\n');
-                    }
-                    block.push_str("  ────────────────────────────────────────────────\n\n");
-                    drop(lines);
-                    crate::logging::console_print_raw(&block);
-                    crate::logging::console_print_raw(&tor_diagnosis_hint(
-                        torrc_display,
-                        tor_bin,
-                        bind_port,
-                    ));
-                }
-                return;
-            }
-        }
-
-        if hostname_path.exists() {
-            match std::fs::read_to_string(hostname_path) {
-                Ok(raw) => {
-                    let onion = raw.trim();
-                    if !onion.is_empty() {
-                        tracing::info!(
-                            target: "detect",
-                            onion_address = onion,
-                            "Tor hidden service active"
-                        );
-                        if crate::logging::is_tty() {
-                            crate::logging::console_print_raw(&tor_onion_banner(
-                                onion,
-                                hostname_path,
-                            ));
-                        }
-                        return;
-                    }
-                }
-                Err(e) => {
-                    tracing::warn!(target: "detect", error = %e, "Tor: hostname file unreadable");
-                }
             }
-        }
-
-        if std::time::Instant::now() >= deadline {
-            tracing::warn!(
-                target: "detect",
-                timeout_secs = TIMEOUT_SECS,
-                hostname_path = %hostname_path.display(),
-                "Tor timed out waiting for hostname file"
-            );
-            if crate::logging::is_tty() {
-                crate::logging::console_print_raw(&tor_diagnosis_hint(
-                    torrc_display,
-                    tor_bin,
-                    bind_port,
-                ));
-            }
-            return;
-        }
-
-        std::thread::sleep(std::time::Duration::from_millis(POLL_MS));
+        });
     }
-}
 
-// ─── Tor print helpers (console_print_raw blocks) ────────────────────────────
-
-fn tor_onion_banner(onion: &str, hostname_path: &Path) -> String {
-    let addr_line = format!("http://{onion}");
-    let key_dir = hostname_path.parent().unwrap_or(hostname_path);
-    format!(
-        "\n\
-        ╔════════════════════════════════════════════════════════════════════════╗\n\
-        ║        TOR ONION SERVICE ACTIVE  ✓                                     ║\n\
-        ╠════════════════════════════════════════════════════════════════════════╣\n\
-        ║  {addr:<70}║\n\
-        ║                                                                        ║\n\
-        ║  Share this with Tor Browser users.                                    ║\n\
-        ║  Your private key is stored at:                                        ║\n\
-        ║    {key:<68}║\n\
-        ║  Back it up — losing it means a new .onion address.                    ║\n\
-        ╚════════════════════════════════════════════════════════════════════════╝\n\n",
-        addr = addr_line,
-        key = key_dir.display(),
-    )
+    tracing::warn!(
+        target: "detect",
+        "Tor: rendezvous stream ended — onion service offline"
+    );
+    Ok(())
 }
 
-fn tor_install_hint(bind_port: u16) -> String {
-    format!(
-        "\n\
-        \x1b[2m  ── Install Tor ────────────────────────────────────────────────────────\n\
-          macOS:   brew install tor\n\
-          Linux:   sudo apt-get install tor\n\
-          Other:   https://www.torproject.org/download/tor/\n\
-        \n\
-          After installing, restart RustChan — it configures Tor automatically.\n\
-          Or add to your own torrc:\n\
-            HiddenServicePort 80 127.0.0.1:{bind_port}\x1b[0m\n\n"
-    )
-}
+// ─── Connection proxy ─────────────────────────────────────────────────────────
 
-fn tor_torrc_hint(hs_dir: &Path, bind_port: u16) -> String {
-    format!(
-        "\n  Add to your torrc and restart Tor:\n\
-         \x1b[2m    SocksPort 0\n\
-           DataDirectory /var/lib/tor/rustchan-data/\n\
-           HiddenServiceDir {hs}\n\
-           HiddenServicePort 80 127.0.0.1:{bind_port}\x1b[0m\n\n",
-        hs = hs_dir.display(),
-    )
+async fn proxy_tor_stream(
+    stream_req: StreamRequest,
+    local_addr: &str,
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let mut tor_stream = stream_req.accept(Connected::new_empty()).await?;
+    let mut local = TcpStream::connect(local_addr).await?;
+    tokio::io::copy_bidirectional(&mut tor_stream, &mut local).await?;
+    Ok(())
 }
 
-fn tor_diagnosis_hint(torrc_path: &str, tor_bin: &str, bind_port: u16) -> String {
-    format!(
-        "\n  \x1b[2m── Tor troubleshooting ──────────────────────────────────────────────────\n\
-         \n\
-           1. Run manually to see live output:\n\
-                {tor_bin} -f {torrc_path}\n\
-         \n\
-           2. Common causes:\n\
-              a) DataDirectory permissions  — chmod 700 <data_dir>/tor_data/\n\
-              b) HiddenServiceDir perms     — chmod 700 <data_dir>/tor_hidden_service/\n\
-              c) Firewall: Tor needs outbound TCP on ports 9001 and 443.\n\
-              d) macOS brew conflict: brew services stop tor, then restart RustChan.\n\
-              e) Linux SELinux/AppArmor: sudo journalctl -u tor --since '5 min ago'\n\
-         \n\
-           3. To manage Tor yourself:\n\
-              Set enable_tor_support = false in settings.toml\n\
-              and add to your torrc:  HiddenServicePort 80 127.0.0.1:{bind_port}\x1b[0m\n\n"
-    )
+// ─── Onion address encoding ───────────────────────────────────────────────────
+
+/// Encode an [`HsId`] (Ed25519 public key) as a v3 `.onion` address string.
+///
+/// [`HsId`] does not implement `std::fmt::Display` in arti-client 0.40.
+/// Encoded manually using `HsId: AsRef<[u8; 32]>`.
+///
+/// Format: `base32( pubkey || sha3_256(".onion checksum" || pubkey || version)[..2] || version )`
+fn hsid_to_onion_address(hsid: HsId) -> String {
+    use sha3::{Digest, Sha3_256};
+
+    let pubkey: &[u8; 32] = hsid.as_ref();
+    let version: u8 = 3;
+
+    let mut hasher = Sha3_256::new();
+    hasher.update(b".onion checksum");
+    hasher.update(pubkey);
+    hasher.update([version]);
+    let hash = hasher.finalize();
+
+    // Destructure via iterator — avoids the indexing_slicing lint.
+    // Safe: Sha3_256 always produces exactly 32 bytes.
+    let mut iter = hash.iter().copied();
+    let checksum = [iter.next().unwrap_or(0), iter.next().unwrap_or(0)];
+
+    let mut address_bytes = [0u8; 35];
+    address_bytes[..32].copy_from_slice(pubkey);
+    address_bytes[32..34].copy_from_slice(&checksum);
+    address_bytes[34] = version;
+
+    let encoded = data_encoding::BASE32_NOPAD
+        .encode(&address_bytes)
+        .to_ascii_lowercase();
+
+    format!("{encoded}.onion")
 }
diff --git a/src/handlers/admin/mod.rs b/src/handlers/admin/mod.rs
index 72a0c12..43ee27f 100644
--- a/src/handlers/admin/mod.rs
+++ b/src/handlers/admin/mod.rs
@@ -123,6 +123,14 @@ pub async fn admin_panel(
         None
     };
 
+    // Read onion address before entering spawn_blocking — await is not allowed
+    // inside the synchronous closure.
+    let onion_address_val: Option<String> = if CONFIG.enable_tor_support {
+        state.onion_address.read().await.clone()
+    } else {
+        None
+    };
+
     let html = tokio::task::spawn_blocking({
         let pool = state.db.clone();
         move || -> Result<String> {
@@ -161,22 +169,8 @@ pub async fn admin_panel(
                 false
             };
 
-            // Read the tor onion address from the hostname file if tor is enabled.
-            let tor_address: Option<String> = if CONFIG.enable_tor_support {
-                let data_dir = std::path::PathBuf::from(&CONFIG.database_path)
-                    .parent()
-                    .map_or_else(
-                        || std::path::PathBuf::from("."),
-                        std::path::Path::to_path_buf,
-                    );
-                let hostname_path = data_dir.join("tor_hidden_service").join("hostname");
-                std::fs::read_to_string(&hostname_path)
-                    .ok()
-                    .map(|s| s.trim().to_string())
-                    .filter(|s| !s.is_empty())
-            } else {
-                None
-            };
+            // Onion address resolved before spawn_blocking (see above).
+            let tor_address: Option<String> = onion_address_val;
 
             let flash_ref = flash.as_ref().map(|(is_err, msg)| (*is_err, msg.as_str()));
 
diff --git a/src/handlers/admin/settings.rs b/src/handlers/admin/settings.rs
index 0bbc625..ac7b053 100644
--- a/src/handlers/admin/settings.rs
+++ b/src/handlers/admin/settings.rs
@@ -332,6 +332,14 @@ pub async fn admin_panel(
         None
     };
 
+    // Read onion address before entering spawn_blocking — await is not allowed
+    // inside the synchronous closure.
+    let onion_address_val: Option<String> = if CONFIG.enable_tor_support {
+        state.onion_address.read().await.clone()
+    } else {
+        None
+    };
+
     let html = tokio::task::spawn_blocking({
         let pool = state.db.clone();
         move || -> Result<String> {
@@ -370,22 +378,8 @@ pub async fn admin_panel(
                 false
             };
 
-            // Read the tor onion address from the hostname file if tor is enabled.
-            let tor_address: Option<String> = if CONFIG.enable_tor_support {
-                let data_dir = std::path::PathBuf::from(&CONFIG.database_path)
-                    .parent()
-                    .map_or_else(
-                        || std::path::PathBuf::from("."),
-                        std::path::Path::to_path_buf,
-                    );
-                let hostname_path = data_dir.join("tor_hidden_service").join("hostname");
-                std::fs::read_to_string(&hostname_path)
-                    .ok()
-                    .map(|s| s.trim().to_string())
-                    .filter(|s| !s.is_empty())
-            } else {
-                None
-            };
+            // Onion address resolved before spawn_blocking (see above).
+            let tor_address: Option<String> = onion_address_val;
 
             let flash_ref = flash.as_ref().map(|(is_err, msg)| (*is_err, msg.as_str()));
 
diff --git a/src/handlers/board.rs b/src/handlers/board.rs
index 3be86e7..a7e4848 100644
--- a/src/handlers/board.rs
+++ b/src/handlers/board.rs
@@ -56,19 +56,9 @@ pub async fn index(
     .await
     .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
 
-    // Read the tor onion address from the hostname file if tor is enabled.
+    // Read the onion address from AppState (populated by the Arti task on startup).
     let onion_address: Option<String> = if crate::config::CONFIG.enable_tor_support {
-        let data_dir = std::path::PathBuf::from(&crate::config::CONFIG.database_path)
-            .parent()
-            .map_or_else(
-                || std::path::PathBuf::from("."),
-                std::path::Path::to_path_buf,
-            );
-        let hostname_path = data_dir.join("tor_hidden_service").join("hostname");
-        std::fs::read_to_string(&hostname_path)
-            .ok()
-            .map(|s| s.trim().to_string())
-            .filter(|s| !s.is_empty())
+        state.onion_address.read().await.clone()
     } else {
         None
     };
diff --git a/src/middleware/mod.rs b/src/middleware/mod.rs
index 7eea105..a7c336b 100644
--- a/src/middleware/mod.rs
+++ b/src/middleware/mod.rs
@@ -137,6 +137,9 @@ pub struct AppState {
     /// even if the ledger is cleared by a server restart.
     pub chan_ledger:
         Option<std::sync::Arc<parking_lot::Mutex<std::collections::HashSet<uuid::Uuid>>>>,
+    /// Onion address populated by the Arti task once the hidden service is ready.
+    /// `None` until Arti has bootstrapped (~30 s first run, ~5 s subsequent runs).
+    pub onion_address: std::sync::Arc<tokio::sync::RwLock<Option<String>>>,
 }
 
 /// Get current Unix timestamp in seconds.
diff --git a/src/server/server.rs b/src/server/server.rs
index 883c14e..0fa5e46 100644
--- a/src/server/server.rs
+++ b/src/server/server.rs
@@ -216,17 +216,12 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     // only these codecs still enables image conversion and thumbnail generation.
     let ffmpeg_vp9_available = crate::detect::detect_webm_encoder(ffmpeg_available);
 
-    // Tor: create hidden-service directory + torrc, launch tor as a background
-    // process, and poll for the hostname file (all non-blocking).
-    // Fix #1: derive bind_port from `bind_addr` (which already incorporates
-    // port_override) rather than CONFIG.bind_addr.  Previously, starting with
-    // `--port 9000` would still pass 8080 to Tor's HiddenServicePort.
+    // Derive bind_port from `bind_addr` (which already incorporates port_override).
     // rsplit_once(':') handles both IPv4 ("0.0.0.0:9000") and IPv6 ("[::1]:9000").
     let bind_port = bind_addr
         .rsplit_once(':')
         .and_then(|(_, p)| p.parse::<u16>().ok())
         .unwrap_or(8080);
-    crate::detect::detect_tor(CONFIG.enable_tor_support, bind_port, &data_dir);
 
     // CRIT-1 FIX: Capture JoinHandles from start_worker_pool so the shutdown
     // sequence can await each worker instead of blindly sleeping for 10 s.
@@ -249,7 +244,18 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
         } else {
             None
         },
+        onion_address: std::sync::Arc::new(tokio::sync::RwLock::new(None)),
     };
+
+    // Tor: spawn Arti in-process. The onion address is written to
+    // state.onion_address once Arti has bootstrapped and the hidden service
+    // is active (~30 s first run, ~5 s on subsequent runs).
+    crate::detect::detect_tor(
+        CONFIG.enable_tor_support,
+        bind_port,
+        &data_dir,
+        state.onion_address.clone(),
+    );
     // Keep a reference to the job queue cancel token for graceful shutdown (#7).
     let worker_cancel = state.job_queue.cancel.clone();
     let start_time = Instant::now();