docs: Update change notes.

build: This will probably be the November release.
ssb: Try not very successfully to make the welcome line format less awkwardly.
2025-11-25 18:08:01 -05:00 · 2025-11-25 12:51:13 -05:00 · 2025-11-25 12:50:33 -05:00 · 2025-11-23 20:08:51 -05:00 · 2025-11-23 16:37:00 -05:00 · 2025-11-22 09:28:34 -05:00
104 changed files with 8138 additions and 6592 deletions
--- a/.gitmodules
+++ b/.gitmodules
@@ -19,10 +19,6 @@
 [submodule "deps/picohttpparser"]
 	path = deps/picohttpparser
 	url = https://github.com/h2o/picohttpparser.git
-[submodule "deps/openssl_src"]
-	path = deps/openssl_src
-	url = https://github.com/openssl/openssl.git
-	shallow = true
 [submodule "deps/c-ares"]
 	path = deps/c-ares
 	url = https://github.com/c-ares/c-ares.git
--- a/.prettierignore
+++ b/.prettierignore
@@ -3,6 +3,7 @@ src
 deps
 .clang-format
 flake.lock
+apps/trace/speedscope/**

 # Minified files
 **/*.min.css
--- a/1
+++ b/1
@@ -4,7 +4,6 @@ RUN apt-get update && \
 	apt-get install -y --no-install-recommends \
 		gcc \
 		libc6-dev \
-		perl \
 		make

 COPY . /app
--- a/1
+++ b/1
@@ -910,7 +910,6 @@ INPUT                  = README.md \
                         core/app.js \
                         core/client.js \
                         core/core.js \
-                         core/http.js \
                         core/tfrpc.js \
                         docs/ \
                         src/
--- a/159
+++ b/159
@@ -16,15 +16,15 @@ MAKEFLAGS += --no-builtin-rules
 ## LD := Linker.
 ## ANDROID_SDK := Path to the Android SDK.

-VERSION_CODE := 44
-VERSION_CODE_IOS := 18
-VERSION_NUMBER := 0.2025.10-wip
+VERSION_CODE := 48
+VERSION_CODE_IOS := 26
+VERSION_NUMBER := 0.2025.11
 VERSION_NAME := This program kills fascists.

-IPHONEOS_VERSION_MIN=14.0
+IPHONEOS_VERSION_MIN=14.5

-SQLITE_URL := https://www.sqlite.org/2025/sqlite-amalgamation-3500400.zip
-BUNDLETOOL_URL := https://github.com/google/bundletool/releases/download/1.17.0/bundletool-all-1.17.0.jar
+SQLITE_URL := https://www.sqlite.org/2025/sqlite-amalgamation-3510000.zip
+BUNDLETOOL_URL := https://github.com/google/bundletool/releases/download/1.18.2/bundletool-all-1.18.2.jar
 APPIMAGETOOL_URL := https://github.com/AppImage/AppImageKit/releases/download/continuous/appimagetool-x86_64.AppImage
 APPIMAGETOOL_MD5 := e989fadfc4d685fd3d6aeeb9b525d74d  out/appimagetool

@@ -38,7 +38,6 @@ BUNDLETOOL = out/bundletool.jar

 HAVE_WIN :=
 HAVE_CROSS_AARCH64 :=
-USE_SYSTEM_SSL :=

 export SOURCE_DATE_EPOCH=1
 export TZ=UTC
@@ -65,7 +64,6 @@ LDFLAGS += \
 	-lbsd \
 	-lnetwork \
 	-Wno-stringop-overflow
-USE_SYSTEM_SSL := 1
 HAVE_ANDROID = 0
 HAVE_LINUX_IOS = 0
 HAVE_LINUX_MACOS = 0
@@ -80,13 +78,12 @@ LDFLAGS += \
 HAVE_ANDROID :=
 HAVE_LINUX_IOS :=
 HAVE_LINUX_MACOS :=
-USE_SYSTEM_SSL := 1
 else
 $(error Unexpected host platform $(UNAME_S).)
 endif

 # Everything is set above.
-$(info Building Tilde Friends $(VERSION_NUMBER) android=$(if $(HAVE_ANDROID),1,0) win=$(if $(HAVE_WIN),1,0) cross_aarch64=$(if $(HAVE_CROSS_AARCH64),1,0) cross_ios=$(if $(HAVE_LINUX_IOS),1,0) cross_macos=$(if $(HAVE_LINUX_MACOS),1,0) system_ssl=$(if $(USE_SYSTEM_SSL),1,0))
+$(info Building Tilde Friends $(VERSION_NUMBER) android=$(if $(HAVE_ANDROID),1,0) win=$(if $(HAVE_WIN),1,0) cross_aarch64=$(if $(HAVE_CROSS_AARCH64),1,0) cross_ios=$(if $(HAVE_LINUX_IOS),1,0) cross_macos=$(if $(HAVE_LINUX_MACOS),1,0))

 CFLAGS += \
 	-std=gnu11 \
@@ -270,16 +267,12 @@ $(WINDOWS_TARGETS): AS = $(CC)
 $(WINDOWS_TARGETS): CFLAGS += \
 	-D_WIN32_WINNT=0x0A00 \
 	-DWINVER=0x0A00 \
-	-DNTDDI_VERSION=NTDDI_WIN10 \
-	-Iout/openssl/$(UNAME_S)/mingw64/usr/local/include
+	-DNTDDI_VERSION=NTDDI_WIN10
 $(WINDOWS_TARGETS): LDFLAGS += \
 	-static \
-	-lm \
-	-Lout/openssl/$(UNAME_S)/mingw64/usr/local/lib
+	-lm
 $(AARCH64_TARGETS): CC = aarch64-linux-gnu-gcc
 $(AARCH64_TARGETS): AS = $(CC)
-$(AARCH64_TARGETS): CFLAGS += -Iout/openssl/Linux/aarch64/usr/local/include
-$(AARCH64_TARGETS): LDFLAGS += -Lout/openssl/Linux/aarch64/usr/local/lib
 ifeq ($(UNAME_S),Darwin)
 $(HOST_TARGETS): CC = xcrun clang
 $(IOS_TARGETS): IOS_SYSROOT := $(shell xcrun --sdk iphoneos --show-sdk-path)
@@ -304,39 +297,12 @@ $(ANDROID_TARGETS): AS = $(CC)
 $(ANDROID_TARGETS): CFLAGS += \
 	-target $(ANDROID_NDK_TARGET_TRIPLE)$(ANDROID_MIN_SDK_VERSION) \
 	-Wno-unknown-warning-option
-$(ANDROID_ARMV7A_TARGETS): CFLAGS += -Iout/openssl/android/armeabi-v7a/usr/local/include
-$(ANDROID_ARMV7A_TARGETS): LDFLAGS += -Lout/openssl/android/armeabi-v7a/usr/local/lib
-$(ANDROID_ARM64_TARGETS): CFLAGS += -Iout/openssl/android/arm64-v8a/usr/local/include
-$(ANDROID_ARM64_TARGETS): LDFLAGS += -Lout/openssl/android/arm64-v8a/usr/local/lib
-$(ANDROID_X86_TARGETS): CFLAGS += -Iout/openssl/android/x86/usr/local/include
 $(ANDROID_X86_TARGETS): CFLAGS += -Wno-atomic-alignment
-$(ANDROID_X86_TARGETS): LDFLAGS += -Lout/openssl/android/x86/usr/local/lib
-$(ANDROID_X86_64_TARGETS): CFLAGS += -Iout/openssl/android/x86_64/usr/local/include
-$(ANDROID_X86_64_TARGETS): LDFLAGS += -Lout/openssl/android/x86_64/usr/local/lib
 $(NONMACOS_TARGETS): CFLAGS += -Wno-cast-function-type
 $(MACOS_TARGETS): LDFLAGS += -Wl,-dead_strip
 $(NONMACOS_TARGETS): LDFLAGS += -Wl,--gc-sections -Wl,--as-needed
 $(IOS_TARGETS): CFLAGS += -miphoneos-version-min=$(IPHONEOS_VERSION_MIN)
 $(IOS_TARGETS): LDFLAGS += -miphoneos-version-min=$(IPHONEOS_VERSION_MIN)
-ifeq ($(UNAME_S),Darwin)
-$(IOS_TARGETS): CFLAGS += -Iout/openssl/ios/ios64-xcrun/usr/local/include
-$(IOS_TARGETS): LDFLAGS += -Lout/openssl/ios/ios64-xcrun/usr/local/lib
-else
-$(IOS_TARGETS): CFLAGS += -Iout/openssl/$(UNAME_S)/ios64-cross/usr/local/include
-$(IOS_TARGETS): LDFLAGS += -Lout/openssl/$(UNAME_S)/ios64-cross/usr/local/lib
-$(filter $(BUILD_DIR)/macosdebug-x86_64/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-x86_64/usr/local/include
-$(filter $(BUILD_DIR)/macosdebug-arm/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-arm/usr/local/include
-$(filter $(BUILD_DIR)/macosdebug-x86_64/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-x86_64/usr/local/lib
-$(filter $(BUILD_DIR)/macosdebug-arm/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-arm/usr/local/lib
-$(filter $(BUILD_DIR)/macosrelease-x86_64/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-x86_64/usr/local/include
-$(filter $(BUILD_DIR)/macosrelease-arm/%,$(ALL_TARGETS)): CFLAGS += -Iout/openssl/$(UNAME_S)/macos-arm/usr/local/include
-$(filter $(BUILD_DIR)/macosrelease-x86_64/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-x86_64/usr/local/lib
-$(filter $(BUILD_DIR)/macosrelease-arm/%,$(ALL_TARGETS)): LDFLAGS += -Lout/openssl/$(UNAME_S)/macos-arm/usr/local/lib
-endif
-$(IOSSIM_TARGETS): CFLAGS += -Iout/openssl/ios/iossimulator-xcrun/usr/local/include
-$(IOSSIM_TARGETS): LDFLAGS += -Lout/openssl/ios/iossimulator-xcrun/usr/local/lib
-$(HOST_TARGETS): CFLAGS += -Iout/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/include
-$(HOST_TARGETS): LDFLAGS += -Lout/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/lib

 ifeq ($(UNAME_M),x86_64)
 ifeq ($(UNAME_S),Linux)
@@ -824,9 +790,6 @@ $(MINIUNZIP_OBJS): CFLAGS += \
 LDFLAGS += \
 	-pthread \
 	-lm
-$(HOST_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS) $(AARCH64_TARGETS) $(filter-out $(HOST_TARGETS),$(MACOS_TARGETS)): LDFLAGS += \
-	-lssl \
-	-lcrypto
 ifneq ($(UNAME_S),Haiku)
 ifneq ($(UNAME_S),OpenBSD)
 $(HOST_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS): LDFLAGS += \
@@ -834,8 +797,6 @@ $(HOST_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS): LDFLAGS += \
 endif
 endif
 $(WINDOWS_TARGETS): LDFLAGS += \
-	-lssl \
-	-lcrypto \
 	-lcrypt32 \
 	-ldbghelp \
 	-liphlpapi \
@@ -848,15 +809,15 @@ $(WINDOWS_TARGETS): LDFLAGS += \
 $(ANDROID_TARGETS): LDFLAGS += \
 	-target $(ANDROID_NDK_TARGET_TRIPLE)$(ANDROID_MIN_SDK_VERSION) \
 	-ldl \
-	-llog \
-	-lssl \
-	-lcrypto
+	-llog
 $(MACOS_TARGETS) $(IOS_TARGETS) $(IOSSIM_TARGETS): CFLAGS += \
 	-Wno-unknown-warning-option
 $(IOS_TARGETS) $(IOSSIM_TARGETS): LDFLAGS += \
 	-framework Foundation \
 	-framework CoreFoundation \
+	-framework CoreSpotlight \
 	-framework UIKit \
+	-framework UniformTypeIdentifiers \
 	-framework WebKit

 ##
@@ -998,8 +959,7 @@ PACKAGE_DIRS := \
 	core \
 	deps/codemirror \
 	deps/prettier \
-	deps/lit \
-	deps/speedscope
+	deps/lit

 RAW_FILES := $(sort $(filter-out apps/blog% apps/issues% apps/welcome% apps/journal% %.map, $(shell find $(PACKAGE_DIRS) -type f -not -name '.*')))

@@ -1193,6 +1153,7 @@ out/tildefriends-%.ipa: out/tildefriends-ios%.app/tildefriends
 	@echo "[ipa] $@"
 	@rm -rf $@.tmp $@
 	@mkdir -p $@.tmp/Payload/tildefriends.app/
+	@cp src/ios/tildefriends512.png $@.tmp/iTunesArtwork
 	@cp -R $(dir $<)/* $@.tmp/Payload/tildefriends.app/
 	@cd $@.tmp/ && zip -u ../../$@ -q -9 -r ./
 	@rm -rf $@.tmp/
@@ -1220,98 +1181,11 @@ ios%go: out/tildefriends-ios%.app/tildefriends
 	ideviceinstaller -i $(realpath $(dir $<))

 iossimdebuggo: out/tildefriends-iossimdebug.app/tildefriends ## Build, install, and run an iOS debug build.
+	xcrun -sdk iphoneos codesign -f -s 'Apple Distribution' --entitlements src/ios/Entitlements.plist --generate-entitlement-der out/tildefriends-iossimdebug.app
 	xcrun simctl install booted out/tildefriends-iossimdebug.app/
-	xcrun simctl launch booted com.unprompted.tildefriends
+	xcrun simctl launch --console booted com.unprompted.tildefriends
 .PHONY: iossimdebuggo

-ANDROID_DEPS := out/openssl/android/arm64-v8a/usr/local/lib/libssl.a
-$(ANDROID_DEPS):
-	+@export ANDROID_NDK_ROOT=$(ANDROID_NDK)
-	+@export BUILD_PLATFORM=android
-	+@export TOOLCHAIN=$(ANDROID_NDK)/toolchains/llvm/prebuilt/linux-x86_64
-	+@PATH="$$TOOLCHAIN/x86_64-linux-android/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=x86_64 SSL_TARGET=android-x86_64 OPTIONS="-D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local
-	+@PATH="$$TOOLCHAIN/i686-linux-android/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=x86 SSL_TARGET=android-x86 OPTIONS="-D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local
-	+@PATH="$$TOOLCHAIN/arm-linux-androideabi/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=armeabi-v7a SSL_TARGET=android-arm OPTIONS="--target=armv7a-linux-androideabi -Wl,--fix-cortex-a8 -D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local
-	+@PATH="$$TOOLCHAIN/aarch64-linux-android/bin:$$TOOLCHAIN/bin:$$PATH" BUILD_TARGET=arm64-v8a SSL_TARGET=android-arm64 OPTIONS="-D__ANDROID_API__=$(ANDROID_MIN_SDK_VERSION) -Wno-macro-redefined" tools/ssl-local
-$(filter $(BUILD_DIR)/android%,$(APP_OBJS)): | $(ANDROID_DEPS)
-
-ifeq ($(UNAME_S),Linux)
-ifneq ($(USE_SYSTEM_SSL),1)
-LOCAL_DEPS := out/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/lib/libssl.a
-$(LOCAL_DEPS):
-	+@tools/ssl-local
-$(filter $(BUILD_DIR)/debug/%,$(APP_OBJS)) $(filter $(BUILD_DIR)/release/%,$(APP_OBJS)): | $(LOCAL_DEPS)
-endif
-
-ifeq ($(HAVE_CROSS_AARCH64),1)
-LOCAL_DEPS := out/openssl/$(UNAME_S)/aarch64/usr/local/lib/libssl.a
-$(LOCAL_DEPS):
-	+@OPTIONS="--cross-compile-prefix=aarch64-linux-gnu-" BUILD_TARGET=aarch64 SSL_TARGET=linux-aarch64 tools/ssl-local
-$(filter $(BUILD_DIR)/armdebug/%,$(APP_OBJS)) $(filter $(BUILD_DIR)/armrelease/%,$(APP_OBJS)): | $(LOCAL_DEPS)
-endif
-
-ifeq ($(HAVE_LINUX_IOS),1)
-LOCAL_DEPS := out/openssl/$(UNAME_S)/ios64-cross/usr/local/lib/libssl.a
-$(LOCAL_DEPS):
-	+@PATH=deps/ios_toolchain/target/bin:$$PATH \
-		BUILD_TARGET=ios64-cross \
-		SSL_TARGET=ios64-cross \
-		CROSS_COMPILE=../../deps/ios_toolchain/target/bin/arm-apple-darwin11- \
-		CROSS_TOP=../../deps/ios_toolchain/target \
-		CROSS_SDK=iPhoneOS18.2.sdk \
-		CC=clang \
-		OPTIONS=-miphoneos-version-min=$(IPHONEOS_VERSION_MIN) \
-		tools/ssl-local
-$(filter $(BUILD_DIR)/ios%,$(APP_OBJS)): | $(LOCAL_DEPS)
-endif
-
-ifeq ($(HAVE_LINUX_MACOS),1)
-LOCAL_DEPS := out/openssl/$(UNAME_S)/macos-arm/usr/local/lib/libssl.a
-$(LOCAL_DEPS):
-	+@PATH=../../deps/macos_toolchain/bin:$$PATH \
-		BUILD_TARGET=macos-arm \
-		SSL_TARGET=darwin64-arm64 \
-		CC=../../deps/macos_toolchain/bin/oa64-clang \
-		RANLIB=../../deps/macos_toolchain/bin/x86_64-apple-darwin24-ranlib \
-		AR=../../deps/macos_toolchain/bin/arm64-apple-darwin24-ar \
-		tools/ssl-local
-$(filter $(BUILD_DIR)/macosrelease-arm/% $(BUILD_DIR)/macosdebug-arm/%,$(APP_OBJS)): | $(LOCAL_DEPS)
-
-LOCAL_DEPS := out/openssl/$(UNAME_S)/macos-x86_64/usr/local/lib/libssl.a
-$(LOCAL_DEPS):
-	+@PATH=../../deps/macos_toolchain/bin:$$PATH \
-		BUILD_TARGET=macos-x86_64 \
-		SSL_TARGET=darwin64-x86_64 \
-		CC=../../deps/macos_toolchain/bin/o64-clang \
-		RANLIB=../../deps/macos_toolchain/bin/x86_64-apple-darwin24-ranlib \
-		AR=../../deps/macos_toolchain/bin/x86_64-apple-darwin24-ar \
-		tools/ssl-local
-$(filter $(BUILD_DIR)/macosrelease-x86_64/% $(BUILD_DIR)/macosdebug-x86_64/%,$(APP_OBJS)): | $(LOCAL_DEPS)
-endif
-endif
-
-ifeq ($(UNAME_S),Darwin)
-LOCAL_DEPS := out/openssl/$(UNAME_S)/$(UNAME_M)/usr/local/lib/libssl.a
-$(LOCAL_DEPS):
-	+@tools/ssl-local
-$(filter $(BUILD_DIR)/debug/%,$(APP_OBJS)) $(filter $(BUILD_DIR)/release/%,$(APP_OBJS)): | $(LOCAL_DEPS)
-endif
-
-ifeq ($(HAVE_WIN),1)
-WINDOWS_DEPS := out/openssl/$(UNAME_S)/mingw64/usr/local/lib/libssl.a
-$(WINDOWS_DEPS):
-	+@BUILD_TARGET=mingw64 SSL_TARGET=mingw64 OPTIONS="--cross-compile-prefix=x86_64-w64-mingw32-" tools/ssl-local
-$(filter $(BUILD_DIR)/win%,$(APP_OBJS)): | $(WINDOWS_DEPS)
-endif
-
-ifeq ($(UNAME_S),Darwin)
-IOS_DEPS := out/openssl/ios/ios64-xcrun/usr/local/lib/libssl.a
-$(IOS_DEPS):
-	+@BUILD_PLATFORM=ios BUILD_TARGET=ios64-xcrun SSL_TARGET=ios64-xcrun OPTIONS="-fPIC -Wno-macro-redefined -miphoneos-version-min=$(IPHONEOS_VERSION_MIN)" tools/ssl-local
-	+@BUILD_PLATFORM=ios BUILD_TARGET=iossimulator-xcrun SSL_TARGET=iossimulator-xcrun OPTIONS="-fPIC -Wno-macro-redefined" tools/ssl-local
-$(filter $(BUILD_DIR)/ios%,$(APP_OBJS)): | $(IOS_DEPS)
-endif
-
 out/macos%/tildefriends: out/macos%-arm/tildefriends out/macos%-x86_64/tildefriends
 	@echo [lipo] $@
 	@mkdir -p $(@D)
@@ -1385,7 +1259,6 @@ tarball: ## Build an all-inclusive source tarball (.tar.xz).
 		--exclude=deps/libsodium/test \
 		--exclude=deps/libuv/docs \
 		--exclude=deps/libuv/test \
-		--exclude=deps/speedscope/*.map \
 		--exclude=deps/sqlite/shell.c \
 		--exclude=deps/zlib/contrib/vstudio \
 		--exclude=deps/zlib/doc \
--- a/README.md
+++ b/README.md
@@ -38,8 +38,6 @@ dependencies in the right places.

 ### Requirements

-System OpenSSL libraries are assumed to be available on Haiku and OpenBSD.
-
 On MacOS, Xcode's command-line tools are expected to be available.

 ### Build Commands
--- a/apps/api.json
+++ b/apps/api.json
@@ -1,5 +1,5 @@
 {
 	"type": "tildefriends-app",
 	"emoji": "📜",
-	"previous": "&BEf0nraBdHk/+PWqx6tOSu5rheWVaxaL7orAOz3285M=.sha256"
+	"previous": "&sJqeyYjHys6Z8IqqtZ2ij2ZC1E2xieu/FU/u2hE+O1U=.sha256"
 }
--- a/apps/api/app.js
+++ b/apps/api/app.js
@@ -55,6 +55,9 @@ app.setDocument(`<head>
 </head>
 <body style="color:#fff">
 	${markdown(docs.docs.global)}
+	<!--
+	${Object.keys(docs.docs).filter(x => [...treeify('', globalThis)].indexOf(x) == -1).map(x => `<p>STALE: ${x}</p>`).join('')}
+	-->
 	${[...treeify('', globalThis)].map(x => document(x)).join('\n')}
 	<a id="Database"></a>
 	${markdown(docs.docs.database)}
--- a/apps/api/docs.js
+++ b/apps/api/docs.js
@@ -195,51 +195,6 @@ Call a function after some delay.
 * *Number* **timeout** Number of milliseconds to wait before calling the callback function.
 `;

-docs['parseHttpRequest()'] = `
-Parses an HTTP request.
-### Parameters
- * *Uint8Array* **request** The request data.  Maybe be partial or contain extra data.  The return value will
-    indicate when and where it is complete.
- * *Number* **last_length** The length of the data passed on a previous attempt for the same request, or 0 initially.
-### Returns
- * *Integer* **-2** if the request is incomplete.
- * *Integer* **-1** if the request could not be parsed.
- * *Object* An object with **bytes_parsed**, **minor_version**, **path**, and **headers** fields on successful parse.
-`;
-
-docs['parseHttpResponse()'] = `
-Parses an HTTP response.
-### Parameters
- * *Uint8Array* **response** The response data.  Maybe be partial or contain extra data.  The return value will
-    indicate when and where it is complete.
- * *Number* **last_length** The length of the data passed on a previous attempt for the same response, or 0 initially.
-### Returns
- * *Integer* **-2** if the response is incomplete.
- * *Integer* **-1** if the response could not be parsed.
- * *Object* An object with **bytes_parsed**, **minor_version**, **status**, **message**, and **headers** fields on successful parse.
-`;
-
-docs['sha1Digest()'] = `
-Calculates a SHA1 digest.
-
-Completes synchronously.
-### Parameters
- * *String* **value** The value for which to calculate the digest.
-### Returns
-*String* The SHA1 digest of UTF-8 encoded \`value\`.
-`;
-
-docs['maskBytes()'] = `
-Masks bytes for WebSocket communication.
-
-Completes synchronously.
-### Parameters
- * *Uint8Array* **bytes** The byte array of data to mask.
- * *Uint32* **mask** The mask to apply.
-### Returns
-*Uint32Array* The masked bytes.
-`;
-
 docs['exit()'] = `
 Exits the app.  But why would you want to do that?

--- a/apps/ssb.json
+++ b/apps/ssb.json
@@ -1,5 +1,5 @@
 {
 	"type": "tildefriends-app",
 	"emoji": "🦀",
-	"previous": "&01jXxJgs24zTcJk+csXeUWfm/MQ/+94Zy7K0r2OYmWw=.sha256"
+	"previous": "&7dPNAI4sffljUTiwGr3XEUeB8sBD72CFkWMk/o0Z2pw=.sha256"
 }
--- a/apps/ssb/app.js
+++ b/apps/ssb/app.js
@@ -2,6 +2,7 @@ import * as tfrpc from '/tfrpc.js';

 let g_database;
 let g_hash;
+let g_sql_cache = {};

 tfrpc.register(async function localStorageGet(key) {
 	return app.localStorageGet(key);
@@ -51,11 +52,38 @@ tfrpc.register(async function connect(token) {
 tfrpc.register(async function closeConnection(id) {
 	await ssb.closeConnection(id);
 });
-tfrpc.register(async function query(sql, args) {
+tfrpc.register(async function query(sql, args, options) {
+	let start = new Date();
 	let result = [];
-	await ssb.sqlAsync(sql, args, function callback(row) {
-		result.push(row);
-	});
+	let key = options?.cacheable ? JSON.stringify([sql, args]) : undefined;
+	let entry = key ? g_sql_cache[key] : undefined;
+	const k_ideal_count = 64;
+	if (entry) {
+		result = entry.result;
+	} else {
+		await ssb.sqlAsync(sql, args, function callback(row) {
+			result.push(row);
+		});
+		if (key) {
+			g_sql_cache[key] = {
+				result: result,
+				time: new Date().valueOf(),
+			};
+			if (Object.keys(g_sql_cache).length > k_ideal_count * 2) {
+				let aged = Object.entries(g_sql_cache).map(([k, v]) => [v.time, k]);
+				aged.sort();
+				for (let i = 0; i < aged.length / 2; i++) {
+					delete g_sql_cache[aged[i][1]];
+				}
+			}
+		}
+	}
+	let end = new Date();
+	print(
+		(end - start) / 1000,
+		entry ? 'from cache' : 'from db',
+		sql.replaceAll(/\s+/g, ' ').trim()
+	);
 	return result;
 });
 tfrpc.register(async function appendMessage(id, message) {
--- a/apps/ssb/emojis.js
+++ b/apps/ssb/emojis.js
@@ -1,6 +1,6 @@
 import * as tfrpc from '/static/tfrpc.js';
 import {html, render} from './lit-all.min.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 let g_emojis;

@@ -140,6 +140,9 @@ export async function picker(callback, anchor, author, recent) {
 		<style>
 			${styles}
 		</style>
+		<style>
+			${generate_theme()}
+		</style>
 		<div
 			class="w3-modal"
 			style="display: block; box-sizing: border-box; z-index: 10"
--- a/apps/ssb/emojis.json
+++ b/apps/ssb/emojis.json
--- a/apps/ssb/script.js
+++ b/apps/ssb/script.js
@@ -12,12 +12,14 @@ import * as tf_tab_news from './tf-tab-news.js';
 import * as tf_tab_news_feed from './tf-tab-news-feed.js';
 import * as tf_tab_search from './tf-tab-search.js';
 import * as tf_tab_connections from './tf-tab-connections.js';
-import * as tf_tab_query from './tf-tab-query.js';
 import * as tf_tag from './tf-tag.js';
 import * as tf_styles from './tf-styles.js';

 window.addEventListener('load', function () {
 	let style = document.createElement('style');
 	style.innerText = tf_styles.styles;
+	Promise.resolve(tf_styles.generate_theme()).then(function (x) {
+		style.innerText += x;
+	});
 	document.body.appendChild(style);
 });
--- a/apps/ssb/tf-app.js
+++ b/apps/ssb/tf-app.js
@@ -1,6 +1,6 @@
 import {LitElement, html, css, guard, until} from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfElement extends LitElement {
 	static get properties() {
@@ -206,8 +206,6 @@ class TfElement extends LitElement {
 			this.tab = 'search';
 		} else if (this.hash === '#connections') {
 			this.tab = 'connections';
-		} else if (this.hash.startsWith('#sql=')) {
-			this.tab = 'query';
 		} else {
 			this.tab = 'news';
 		}
@@ -405,14 +403,6 @@ class TfElement extends LitElement {
 		return [cache.latest, cache.messages];
 	}

-	async query_timed(sql, args) {
-		let start = new Date();
-		let result = await tfrpc.rpc.query(sql, args);
-		let end = new Date();
-		console.log((end - start) / 1000, sql.replaceAll(/\s+/g, ' ').trim());
-		return result;
-	}
-
 	async group_private_messages(messages) {
 		let groups = {};
 		let result = await this.decrypt(
@@ -454,7 +444,7 @@ class TfElement extends LitElement {
 		];
 		let channels = (
 			await Promise.all([
-				this.query_timed(
+				tfrpc.rpc.query(
 					`
 					SELECT channels.value AS channel, MAX(messages.rowid) AS rowid FROM messages
 					JOIN json_each(?1) AS channels ON messages.content ->> 'channel' = channels.value
@@ -467,7 +457,7 @@ class TfElement extends LitElement {
 				`,
 					k_args
 				),
-				this.query_timed(
+				tfrpc.rpc.query(
 					`
 					SELECT channels.value AS channel, MAX(messages.rowid) AS rowid FROM messages
 					JOIN messages_refs ON messages.id = messages_refs.message
@@ -481,7 +471,7 @@ class TfElement extends LitElement {
 				`,
 					k_args
 				),
-				this.query_timed(
+				tfrpc.rpc.query(
 					`
 					SELECT '' AS channel, MAX(messages.rowid) AS rowid FROM messages
 					JOIN json_each(?2) AS following ON messages.author = following.value
@@ -492,7 +482,7 @@ class TfElement extends LitElement {
 				`,
 					k_args
 				),
-				this.query_timed(
+				tfrpc.rpc.query(
 					`
 					SELECT '@' AS channel, MAX(messages.rowid) AS rowid FROM messages_fts(?3)
 					JOIN messages ON messages.rowid = messages_fts.rowid
@@ -503,7 +493,7 @@ class TfElement extends LitElement {
 				),
 			])
 		).flat();
-		let latest = {};
+		let latest = {'🔐': undefined};
 		for (let row of channels) {
 			if (!latest[row.channel]) {
 				latest[row.channel] = row.rowid;
@@ -516,14 +506,13 @@ class TfElement extends LitElement {
 		let self = this;
 		start_time = new Date();
 		latest_private.then(async function (latest) {
+			let grouped = await self.group_private_messages(latest[1]);
 			self.channels_latest = Object.assign({}, self.channels_latest, {
 				'🔐': latest[0],
 			});
-			console.log('private took', (new Date() - start_time) / 1000.0);
 			self.private_messages = latest[1];
-			self.grouped_private_messages = await self.group_private_messages(
-				latest[1]
-			);
+			self.grouped_private_messages = grouped;
+			console.log('private took', (new Date() - start_time) / 1000.0);
 		});
 	}

@@ -711,7 +700,8 @@ class TfElement extends LitElement {
 					@closeprivatechat=${this.close_private_chat}
 					.connections=${this.connections}
 					.private_messages=${this.private_messages}
-					.grouped_private_messages=${this.visible_private()}
+					.visible_private_messages=${this.visible_private()}
+					.grouped_private_messages=${this.grouped_private_messages}
 					.recent_reactions=${this.recent_reactions}
 					?is_administrator=${this.is_administrator}
 					?stay_connected=${this.stay_connected}
@@ -736,17 +726,6 @@ class TfElement extends LitElement {
 						: null}
 				></tf-tab-search>
 			`;
-		} else if (this.tab === 'query') {
-			return html`
-				<tf-tab-query
-					.following=${this.following}
-					whoami=${this.whoami}
-					.users=${this.users}
-					query=${this.hash?.startsWith('#sql=')
-						? this.hash.substring(5)
-						: null}
-				></tf-tab-query>
-			`;
 		}
 	}

@@ -757,8 +736,6 @@ class TfElement extends LitElement {
 			await tfrpc.rpc.setHash('#');
 		} else if (tab === 'connections') {
 			await tfrpc.rpc.setHash('#connections');
-		} else if (tab === 'query') {
-			await tfrpc.rpc.setHash('#sql=');
 		}
 	}

@@ -778,6 +755,17 @@ class TfElement extends LitElement {
 		}
 	}

+	async pick_color() {
+		let input = document.createElement('input');
+		input.type = 'color';
+		input.value = (await tfrpc.rpc.localStorageGet('color')) ?? '#ff0000';
+		input.addEventListener('change', async function () {
+			await tfrpc.rpc.localStorageSet('color', input.value);
+			window.location.reload();
+		});
+		input.click();
+	}
+
 	render() {
 		let self = this;

@@ -792,7 +780,6 @@ class TfElement extends LitElement {
 			'📰': 'news',
 			'📡': 'connections',
 			'🔍': 'search',
-			'👩‍💻': 'query',
 		};

 		let tabs = html`
@@ -835,6 +822,12 @@ class TfElement extends LitElement {
 						</button>
 					`
 				)}
+				<button
+					class="w3-bar-item w3-button w3-right"
+					@click=${this.pick_color}
+				>
+					🎨<span class="w3-hide-small">Color</span>
+				</button>
 			</div>
 		`;
 		let contents = this.guest
@@ -870,6 +863,9 @@ class TfElement extends LitElement {
 					`
 				: undefined;
 		return html`
+			<style>
+				${generate_theme()}
+			</style>
 			<div
 				style="width: 100vw; min-height: 100vh; height: 100vh; display: flex; flex-direction: column"
 				class="w3-theme-dark"
--- a/apps/ssb/tf-compose.js
+++ b/apps/ssb/tf-compose.js
@@ -1,7 +1,7 @@
 import {LitElement, html, unsafeHTML, live} from './lit-all.min.js';
 import * as tfutils from './tf-utils.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';
 import Tribute from './tribute.esm.js';

 class TfComposeElement extends LitElement {
@@ -603,6 +603,9 @@ class TfComposeElement extends LitElement {
 						🔐 Encrypt
 					</button>`;
 		let result = html`
+			<style>
+				${generate_theme()}
+			</style>
 			<style>
 				.w3-input:empty::before {
 					content: attr(placeholder);
--- a/apps/ssb/tf-message.js
+++ b/apps/ssb/tf-message.js
@@ -4,12 +4,14 @@ import {
 	html,
 	repeat,
 	render,
+	unsafeCSS,
 	unsafeHTML,
+	until,
 } from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
 import * as tfutils from './tf-utils.js';
 import * as emojis from './emojis.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfMessageElement extends LitElement {
 	static get properties() {
@@ -24,6 +26,7 @@ class TfMessageElement extends LitElement {
 			channel: {type: String},
 			channel_unread: {type: Number},
 			recent_reactions: {type: Array},
+			depth: {type: Number},
 		};
 	}

@@ -40,6 +43,7 @@ class TfMessageElement extends LitElement {
 		this.expanded = {};
 		this.channel_unread = -1;
 		this.recent_reactions = [];
+		this.depth = 0;
 	}

 	connectedCallback() {
@@ -324,7 +328,9 @@ class TfMessageElement extends LitElement {
 	}

 	expanded_key() {
-		return this.message?.id || this.messages?.map((x) => x.id).join(':');
+		return (
+			this.message?.id || this.message?.messages?.map((x) => x.id).join(':')
+		);
 	}

 	set_expanded(expanded, tag) {
@@ -362,12 +368,13 @@ class TfMessageElement extends LitElement {
 					</button>
 				`;
 			} else {
-				return html` <div class="w3-container w3-margin-bottom">
-						${repeat(
-							this.message.child_messages || [],
-							(x) => x.id,
-							(x) =>
-								html`<tf-message
+				return html` <ul class="w3-container w3-margin-bottom w3-ul w3-card-4">
+					${repeat(
+						this.message.child_messages || [],
+						(x) => x.id,
+						(x) =>
+							html`<li style="padding: 0">
+								<tf-message
 									.message=${x}
 									whoami=${this.whoami}
 									.users=${this.users}
@@ -376,16 +383,20 @@ class TfMessageElement extends LitElement {
 									channel=${this.channel}
 									channel_unread=${this.channel_unread}
 									.recent_reactions=${this.recent_reactions}
-								></tf-message>`
-						)}
-					</div>
-					<button
-						class="w3-button w3-theme-d1 w3-block w3-bar"
-						style="box-sizing: border-box"
-						@click=${() => self.set_expanded(false)}
-					>
-						Collapse
-					</button>`;
+									depth=${this.depth + 1}
+								></tf-message>
+							</li>`
+					)}
+					<li style="padding: 0" class="w3-margin-bottom">
+						<button
+							class="w3-button w3-theme-d1 w3-block w3-bar"
+							style="box-sizing: border-box"
+							@click=${() => self.set_expanded(false)}
+						>
+							Collapse
+						</button>
+					</li>
+				</ul>`;
 			}
 		} else {
 			return undefined;
@@ -549,7 +560,10 @@ class TfMessageElement extends LitElement {
 				}
 			</style>
 			<div
-				class="w3-card-4 ${this.class_background()} w3-border-theme w3-margin-top"
+				class="w3-card-4 ${this.class_background()} w3-border-theme ${this
+					.depth == 0
+					? 'w3-margin-top'
+					: ''}"
 				style="overflow-wrap: anywhere; display: block; max-width: 100%"
 			>
 				${inner}
@@ -576,6 +590,7 @@ class TfMessageElement extends LitElement {
 						channel=${self.channel}
 						channel_unread=${self.channel_unread}
 						.recent_reactions=${self.recent_reactions}
+						depth=${self.depth + 1}
 					></tf-message>
 				`
 			)}
@@ -611,15 +626,17 @@ class TfMessageElement extends LitElement {
 		let sorted = this.message.messages
 			.map((x) => [
 				x.author,
-				x.content.blocking !== undefined
-					? x.content.blocking
-						? 'is blocking'
-						: 'is no longer blocking'
-					: x.content.following !== undefined
-						? x.content.following
-							? 'is following'
-							: 'is no longer following'
-						: '',
+				x.content.following && x.content.blocking
+					? 'is following and blocking'
+					: x.content.following
+						? 'is following'
+						: x.content.blocking
+							? 'is blocking'
+							: x.content.blocking !== undefined
+								? 'is no longer blocking'
+								: x.content.following !== undefined
+									? 'is no longer following'
+									: '',
 				x.content.contact,
 				x,
 			])
@@ -686,7 +703,7 @@ class TfMessageElement extends LitElement {
 			: undefined;
 	}

-	render() {
+	_render() {
 		let content = this.message?.content;
 		if (this.message?.decrypted?.type == 'post') {
 			content = this.message.decrypted;
@@ -707,6 +724,7 @@ class TfMessageElement extends LitElement {
 									.expanded=${this.expanded}
 									channel=${this.channel}
 									channel_unread=${this.channel_unread}
+									depth=${this.depth + 1}
 								></tf-message>`
 						)}
 					</div>
@@ -762,6 +780,7 @@ class TfMessageElement extends LitElement {
 									.expanded=${this.expanded}
 									channel=${this.channel}
 									channel_unread=${this.channel_unread}
+									depth=${this.depth + 1}
 								></tf-message>`
 						)}
 					</div>
@@ -842,6 +861,7 @@ class TfMessageElement extends LitElement {
 								.expanded=${this.expanded}
 								channel=${this.channel}
 								channel_unread=${this.channel_unread}
+								depth=${this.depth + 1}
 							></tf-message>
 						`
 					)}
@@ -1077,6 +1097,15 @@ class TfMessageElement extends LitElement {
 			return this.render_small_frame(this.render_raw());
 		}
 	}
+
+	render() {
+		return html`
+			<style>
+				${generate_theme()}
+			</style>
+			${this._render()}
+		`;
+	}
 }

 customElements.define('tf-message', TfMessageElement);
--- a/apps/ssb/tf-news.js
+++ b/apps/ssb/tf-news.js
@@ -1,6 +1,6 @@
 import {LitElement, html, unsafeHTML, repeat, until} from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfNewsElement extends LitElement {
 	static get properties() {
@@ -231,6 +231,9 @@ class TfNewsElement extends LitElement {
 			}
 		}
 		return html`
+			<style>
+				${generate_theme()}
+			</style>
 			<div>
 				${repeat(
 					final_messages,
--- a/apps/ssb/tf-profile.js
+++ b/apps/ssb/tf-profile.js
@@ -1,7 +1,7 @@
 import {LitElement, html, until, unsafeHTML} from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
 import * as tfutils from './tf-utils.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfProfileElement extends LitElement {
 	static get properties() {
@@ -37,16 +37,22 @@ class TfProfileElement extends LitElement {
 			this.following = undefined;
 			this.blocking = undefined;

+			let latest = (
+				await tfrpc.rpc.query('SELECT MAX(rowid) AS latest FROM messages')
+			)[0].latest;
+
 			let result = await tfrpc.rpc.query(
 				`
 				SELECT json_extract(content, '$.following') AS following
 				FROM messages WHERE author = ? AND
 				json_extract(content, '$.type') = 'contact' AND
 				json_extract(content, '$.contact') = ? AND
-				following IS NOT NULL
+				following IS NOT NULL AND
+				messages.rowid <= ?
 				ORDER BY sequence DESC LIMIT 1
 			`,
-				[this.whoami, this.id]
+				[this.whoami, this.id, latest],
+				{cacheable: true}
 			);
 			this.following = result?.[0]?.following ?? false;
 			result = await tfrpc.rpc.query(
@@ -55,10 +61,12 @@ class TfProfileElement extends LitElement {
 				FROM messages WHERE author = ? AND
 				json_extract(content, '$.type') = 'contact' AND
 				json_extract(content, '$.contact') = ? AND
-				blocking IS NOT NULL
+				blocking IS NOT NULL AND
+				messages.rowid <= ?
 				ORDER BY sequence DESC LIMIT 1
 			`,
-				[this.whoami, this.id]
+				[this.whoami, this.id, latest],
+				{cacheable: true}
 			);
 			this.blocking = result?.[0]?.blocking ?? false;
 		}
@@ -238,7 +246,7 @@ class TfProfileElement extends LitElement {
 		let profile = this.users[this.id] || {};
 		tfrpc.rpc
 			.query(
-				`SELECT SUM(LENGTH(content)) AS size, MAX(sequence) AS sequence FROM messages WHERE author = ?`,
+				`SELECT size AS size, max_sequence AS sequence FROM messages_stats WHERE author = ?`,
 				[this.id]
 			)
 			.then(function (result) {
@@ -316,7 +324,9 @@ class TfProfileElement extends LitElement {
 		}
 		image = this.editing?.image ?? image;
 		let description = this.editing?.description ?? profile.description;
-		return html`<div class="w3-card-4 w3-container w3-theme-d3" style="box-sizing: border-box">
+		return html`
+			<style>${generate_theme()}</style>
+			<div class="w3-card-4 w3-container w3-theme-d3" style="box-sizing: border-box">
 			<header class="w3-container">
 				<p><tf-user id=${this.id} .users=${this.users}></tf-user> (${tfutils.human_readable_size(this.size)} in ${this.sequence} messages)</p>
 			</header>
--- a/apps/ssb/tf-reactions-modal.js
+++ b/apps/ssb/tf-reactions-modal.js
@@ -1,5 +1,5 @@
 import {LitElement, html, unsafeHTML} from './lit-all.min.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfReactionsModalElement extends LitElement {
 	static get properties() {
@@ -24,50 +24,57 @@ class TfReactionsModalElement extends LitElement {
 	render() {
 		let self = this;
 		return this.votes?.length
-			? html` <div
-					class="w3-modal w3-animate-opacity"
-					style="display: block; box-sizing: border-box; z-index: 10"
-					@click=${this.clear}
-				>
+			? html` <style>
+						${generate_theme()}
+					</style>
 					<div
-						class="w3-modal-content w3-card-4 w3-theme-d1"
-						onclick="event.stopPropagation()"
+						class="w3-modal w3-animate-opacity"
+						style="display: block; box-sizing: border-box; z-index: 10"
+						@click=${this.clear}
 					>
-						<div class="w3-container w3-padding">
-							<header class="w3-container">
-								<h2>Reactions</h2>
-								<span class="w3-button w3-display-topright" @click=${this.clear}
-									>&times;</span
-								>
-							</header>
-							<ul class="w3-theme-dark w3-container w3-ul">
-								${this.votes
-									.sort((x, y) => y.timestamp - x.timestamp)
-									.map(
-										(x) => html`
-											<li style="display: flex; flex-direction: row; gap: 4px">
-												<span style="flex-basis: 3em"
-													>${x?.content?.vote?.expression}</span
+						<div
+							class="w3-modal-content w3-card-4 w3-theme-d1"
+							onclick="event.stopPropagation()"
+						>
+							<div class="w3-container w3-padding">
+								<header class="w3-container">
+									<h2>Reactions</h2>
+									<span
+										class="w3-button w3-display-topright"
+										@click=${this.clear}
+										>&times;</span
+									>
+								</header>
+								<ul class="w3-theme-dark w3-container w3-ul">
+									${this.votes
+										.sort((x, y) => y.timestamp - x.timestamp)
+										.map(
+											(x) => html`
+												<li
+													style="display: flex; flex-direction: row; gap: 4px"
 												>
-												<tf-user
-													style="flex: 1 1"
-													id=${x.author}
-													.users=${this.users}
-												></tf-user>
-												<span
-													style="flex-shrink: 1; white-space: nowrap; overflow: hidden; text-overflow: ellipsis"
-													>${new Date(x?.timestamp).toLocaleString()}</span
-												>
-											</li>
-										`
-									)}
-							</ul>
-							<footer class="w3-container w3-padding">
-								<button class="w3-button" @click=${this.clear}>Close</button>
-							</footer>
+													<span style="flex-basis: 3em"
+														>${x?.content?.vote?.expression}</span
+													>
+													<tf-user
+														style="flex: 1 1; overflow: hidden"
+														id=${x.author}
+														.users=${this.users}
+													></tf-user>
+													<span
+														style="flex-shrink: 1; white-space: nowrap; overflow: hidden; text-overflow: ellipsis"
+														>${new Date(x?.timestamp).toLocaleString()}</span
+													>
+												</li>
+											`
+										)}
+								</ul>
+								<footer class="w3-container w3-padding">
+									<button class="w3-button" @click=${this.clear}>Close</button>
+								</footer>
+							</div>
 						</div>
-					</div>
-				</div>`
+					</div>`
 			: undefined;
 	}
 }
--- a/apps/ssb/tf-styles.js
+++ b/apps/ssb/tf-styles.js
@@ -1,4 +1,5 @@
-import {css, unsafeCSS} from './lit-all.min.js';
+import {css, unsafeCSS, until} from './lit-all.min.js';
+import * as tfrpc from '/static/tfrpc.js';

 const tf = css`
 	img {
@@ -408,16 +409,8 @@ function is_dark(hex, value) {
 	return (r * 299 + g * 587 + b * 114) / 1000 < value;
 }

-function generated() {
-	let now = new Date();
-	let k_color = rgb_to_hex([
-		(now.getDay() * 128) / 6,
-		(now.getHours() * 128) / 23,
-		(now.getSeconds() * 128) / 59,
-	]);
-	//let k_color = '#034f84';
-	//let k_color = rgb_to_hex([Math.random() * 256, Math.random() * 256, Math.random() * 256]);
-	let [r, g, b] = hex_to_rgb(k_color);
+export function generate(color) {
+	let [r, g, b] = hex_to_rgb(color);
 	let [h, s, l] = rgb_to_hsl(r, g, b);

 	let theme1 = {
@@ -461,4 +454,28 @@ function generated() {
 	return unsafeCSS(result);
 }

-export let styles = [tf, w3, generated()];
+let g_theme;
+export function generate_theme() {
+	return g_theme
+		? g_theme
+		: until(
+				tfrpc.rpc.localStorageGet('color').then(function (value) {
+					g_theme = generate(value ?? '#034f84');
+					return g_theme;
+				}),
+				generated_now()
+			);
+}
+
+function generated_now() {
+	let now = new Date();
+	return generate(
+		rgb_to_hex([
+			(now.getDay() * 128) / 6,
+			(now.getHours() * 128) / 23,
+			(now.getSeconds() * 128) / 59,
+		])
+	);
+}
+
+export let styles = [tf, w3];
--- a/apps/ssb/tf-tab-connections.js
+++ b/apps/ssb/tf-tab-connections.js
@@ -1,6 +1,6 @@
 import {LitElement, html} from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfTabConnectionsElement extends LitElement {
 	static get properties() {
@@ -15,6 +15,7 @@ class TfTabConnectionsElement extends LitElement {
 			connect_attempt: {type: Object},
 			connect_message: {type: String},
 			connect_success: {type: Boolean},
+			peer_exchange: {type: Boolean},
 		};
 	}

@@ -47,6 +48,20 @@ class TfTabConnectionsElement extends LitElement {
 		tfrpc.rpc.getServerIdentity().then(function (identity) {
 			self.server_identity = identity;
 		});
+		this.check_peer_exchange();
+	}
+
+	async check_peer_exchange() {
+		if (await tfrpc.rpc.isAdministrator()) {
+			this.peer_exchange = await tfrpc.rpc.globalSettingsGet('peer_exchange');
+		} else {
+			this.peer_exchange = undefined;
+		}
+	}
+
+	async enable_peer_exchange() {
+		await tfrpc.rpc.globalSettingsSet('peer_exchange', true);
+		await this.check_peer_exchange();
 	}

 	render_connection_summary(connection) {
@@ -251,7 +266,26 @@ class TfTabConnectionsElement extends LitElement {
 	render() {
 		let self = this;
 		return html`
+			<style>
+				${generate_theme()}
+			</style>
 			<div class="w3-container" style="box-sizing: border-box">
+				<div
+					class=${'w3-panel w3-padding w3-theme-l3' +
+					(this.peer_exchange !== false ? ' w3-hide' : '')}
+				>
+					<p>
+						Looking for connections? Enabling this option will include publicly
+						advertised rooms and pubs among the list of discovered connections
+						to help you replicate.
+					</p>
+					<button
+						class="w3-button w3-theme-d1"
+						@click=${this.enable_peer_exchange}
+					>
+						🔍🌐 Use publicly advertised peers
+					</button>
+				</div>
 				<h2>New Connection</h2>
 				<textarea class="w3-input w3-theme-d1" id="code"></textarea>
 				${this.render_message(this.renderRoot.getElementById('code')?.value)}
--- a/apps/ssb/tf-tab-news-feed.js
+++ b/apps/ssb/tf-tab-news-feed.js
@@ -1,6 +1,6 @@
 import {LitElement, cache, html, unsafeHTML, until} from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfTabNewsFeedElement extends LitElement {
 	static get properties() {
@@ -175,7 +175,6 @@ class TfTabNewsFeedElement extends LitElement {
 				[this.hash.substring(1)]
 			);
 		} else if (this.hash.startsWith('##')) {
-			let t0 = new Date();
 			let initial_messages = await tfrpc.rpc.query(
 				`
 					WITH
@@ -203,12 +202,7 @@ class TfTabNewsFeedElement extends LitElement {
 					k_max_results,
 				]
 			);
-			let t1 = new Date();
 			result = await this._fetch_related_messages(initial_messages);
-			let t2 = new Date();
-			console.log(
-				`load of ${result.length} rows took ${(t2 - t0) / 1000} (${(t1 - t0) / 1000} to find ${initial_messages.length} initial messages, ${(t2 - t1) / 1000} to find ${result.length} total messages) following=${this.following.length} st=${start_time} et=${end_time}`
-			);
 		} else if (this.hash.startsWith('#🔐')) {
 			let ids =
 				this.hash == '#🔐' ? [] : this.hash.substring('#🔐'.length).split(',');
@@ -253,24 +247,32 @@ class TfTabNewsFeedElement extends LitElement {
 				[JSON.stringify(this.following), start_time, end_time, k_max_results]
 			);
 		} else {
-			let t0 = new Date();
 			let initial_messages = await tfrpc.rpc.query(
 				`
+					WITH
+						channels AS (SELECT '#' || value AS value FROM json_each(?5))
 					SELECT TRUE AS is_primary, messages.rowid, messages.id, messages.previous, messages.author, messages.sequence, messages.timestamp, messages.hash, json(messages.content) AS content, messages.signature
-					FROM messages
-					JOIN json_each(?) AS following ON messages.author = following.value
-					WHERE messages.timestamp < ?3 AND (?2 IS NULL OR messages.timestamp >= ?2) AND
-						messages.content ->> 'type' != 'vote'
+							FROM messages
+							JOIN json_each(?1) AS following ON messages.author = following.value
+							WHERE messages.timestamp < ?3 AND (?2 IS NULL OR messages.timestamp >= ?2) AND
+								messages.content ->> 'type' != 'vote' AND
+								(messages.content ->> 'root' IS NULL OR (
+									NOT EXISTS (SELECT * FROM messages root JOIN channels ON ('#' || (root.content ->> 'channel')) = channels.value WHERE root.id = messages.content ->> 'root') AND
+									NOT EXISTS (SELECT * FROM messages root JOIN messages_refs ON root.id = messages.content ->> 'root' JOIN channels ON messages_refs.message = root.id AND messages_refs.ref = channels.value)
+								)) AND
+								(messages.content ->> 'channel' IS NULL OR ('#' || (messages.content ->> 'channel')) NOT IN (SELECT * FROM channels)) AND
+								NOT EXISTS (SELECT * FROM messages_refs JOIN channels ON messages_refs.message = messages.id AND messages_refs.ref = channels.value)
 					ORDER BY timestamp DESC LIMIT ?4
 				`,
-				[JSON.stringify(this.following), start_time, end_time, k_max_results]
+				[
+					JSON.stringify(this.following),
+					start_time,
+					end_time,
+					k_max_results,
+					JSON.stringify(Object.keys(this.channels_latest)),
+				]
 			);
-			let t1 = new Date();
 			result = await this._fetch_related_messages(initial_messages);
-			let t2 = new Date();
-			console.log(
-				`load of ${result.length} rows took ${(t2 - t0) / 1000} (${(t1 - t0) / 1000} to find ${initial_messages.length} initial messages, ${(t2 - t1) / 1000} to find ${result.length} total messages) following=${this.following.length} st=${start_time} et=${end_time}`
-			);
 		}
 		this.time_loading = undefined;
 		return result;
@@ -393,9 +395,13 @@ class TfTabNewsFeedElement extends LitElement {
 				this._messages_hash = this.hash;
 			}
 			this._messages_following = JSON.stringify(this.following);
-			this._private_messages =
-				JSON.stringify(this.private_messages) +
-				JSON.stringify(this.grouped_private_messages);
+			this._private_messages = JSON.stringify([
+				this.private_messages,
+				this.grouped_private_messages,
+			]);
+			this._channels_latest = JSON.stringify(
+				Object.keys(this.channels_latest ?? {})
+			);
 			let now = new Date().valueOf();
 			let start_time = now - 24 * 60 * 60 * 1000;
 			this.start_time = start_time;
@@ -470,11 +476,15 @@ class TfTabNewsFeedElement extends LitElement {
 			this._messages_hash !== this.hash ||
 			this._messages_following !== JSON.stringify(this.following) ||
 			this._private_messages !==
-				JSON.stringify(this.private_messages) +
-					JSON.stringify(this.grouped_private_messages)
+				JSON.stringify([
+					this.private_messages,
+					this.grouped_private_messages,
+				]) ||
+			this._channels_latest !==
+				JSON.stringify(Object.keys(this.channels_latest))
 		) {
 			console.log(
-				`loading messages for ${this.whoami} (following ${this.following.length})`
+				`loading messages for ${this.whoami} (messages=${!this.messages},${this._messages_hash != this.hash} following=${this._messages_following !== JSON.stringify(this.following)}, channels=${this._channels_latest !== JSON.stringify(Object.keys(this.channels_latest))}, private=${this._private_messages !== JSON.stringify([this.private_messages, this.grouped_private_messages])},${this.private_messages?.length},${Object.keys(this.grouped_private_messages ?? {}).length})`
 			);
 			this.load_messages();
 		}
@@ -523,6 +533,9 @@ class TfTabNewsFeedElement extends LitElement {
 			`;
 		}
 		return cache(html`
+			<style>
+				${generate_theme()}
+			</style>
 			${this.unread_allowed()
 				? html`<button
 						class="w3-button w3-theme-d1"
--- a/apps/ssb/tf-tab-news.js
+++ b/apps/ssb/tf-tab-news.js
@@ -7,7 +7,7 @@ import {
 	until,
 } from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfTabNewsElement extends LitElement {
 	static get properties() {
@@ -25,6 +25,7 @@ class TfTabNewsElement extends LitElement {
 			connections: {type: Array},
 			private_messages: {type: Array},
 			grouped_private_messages: {type: Object},
+			visible_private_messages: {type: Object},
 			recent_reactions: {type: Array},
 			peer_exchange: {type: Boolean},
 			is_administrator: {type: Boolean},
@@ -211,35 +212,6 @@ class TfTabNewsElement extends LitElement {
 				>
 					&times;
 				</div>
-				${this.is_administrator
-					? html`
-							<button
-								class="w3-bar-item w3-button"
-								@click=${() =>
-									this.dispatchEvent(
-										new Event('refresh', {bubbles: true, composed: true})
-									)}
-							>
-								<span style="display: inline-block; width: 1.8em">↻</span>
-								Sync now
-							</button>
-							<button
-								class="w3-bar-item w3-button w3-ripple"
-								@click=${() =>
-									this.dispatchEvent(
-										new Event('toggle_stay_connected', {
-											bubbles: true,
-											composed: true,
-										})
-									)}
-							>
-								<span style="display: inline-block; width: 1.8em"
-									>${this.stay_connected ? '🔗' : '⛓️‍💥'}</span
-								>
-								${this.stay_connected ? 'Online mode' : 'Passive mode'}
-							</button>
-						`
-					: undefined}
 				${this.hash.startsWith('##') &&
 				this.channels.indexOf(this.hash.substring(2)) == -1
 					? html`
@@ -248,7 +220,7 @@ class TfTabNewsElement extends LitElement {
 								href="#"
 								class="w3-bar-item w3-button"
 								style="font-weight: bold"
-								>${this.hash.substring(2)}</a
+								>${this.hash.substring(1)}</a
 							>
 						`
 					: undefined}
@@ -271,7 +243,7 @@ class TfTabNewsElement extends LitElement {
 					style=${this.hash == '#👍' ? 'font-weight: bold' : undefined}
 					>${this.unread_status('👍')}👍votes</a
 				>
-				${Object.keys(this?.grouped_private_messages ?? [])
+				${Object.keys(this?.visible_private_messages ?? [])
 					?.sort()
 					?.map(
 						(key) => html`
@@ -335,11 +307,26 @@ class TfTabNewsElement extends LitElement {
 								↻ Sync now
 							</button>
 							<button
-								class=${'w3-bar-item w3-button' +
+								class="w3-bar-item w3-button w3-ripple"
+								@click=${() =>
+									this.dispatchEvent(
+										new Event('toggle_stay_connected', {
+											bubbles: true,
+											composed: true,
+										})
+									)}
+							>
+								<span style="display: inline-block; width: 1.8em"
+									>${this.stay_connected ? '🔗' : '⛓️‍💥'}</span
+								>
+								${this.stay_connected ? 'Online mode' : 'Passive mode'}
+							</button>
+							<button
+								class=${'w3-bar-item w3-button w3-border w3-leftbar w3-rightbar' +
 								(this.peer_exchange !== false ? ' w3-hide' : '')}
 								@click=${this.enable_peer_exchange}
 							>
-								Enable peer exchange
+								🔍🌐 Use publicly advertised peers
 							</button>
 						`
 					: undefined}
@@ -409,6 +396,9 @@ class TfTabNewsElement extends LitElement {
 			</div>`;
 		}
 		return cache(html`
+			<style>
+				${generate_theme()}
+			</style>
 			${this.render_sidebar()}
 			<div
 				style="margin-left: 2in; padding: 0px; top: 0; height: 100vh; max-height: 100%; overflow: auto; contain: layout"
@@ -438,7 +428,12 @@ class TfTabNewsElement extends LitElement {
 						>
 							${this.unread_status()}&#9776;
 						</div>
-						Welcome, <tf-user id=${this.whoami} .users=${this.users}></tf-user>!
+						<span
+							style="display: inline-block; width: 100%; max-width: 100%; white-space: nowrap; overflow: hidden"
+						>
+							Welcome,
+							<tf-user id=${this.whoami} .users=${this.users}></tf-user>!
+						</span>
 						${edit_profile}
 					</div>
 					<div>
--- a/apps/ssb/tf-tab-query.js
+++ b/apps/ssb/tf-tab-query.js
@@ -1,136 +0,0 @@
-import {LitElement, html, unsafeHTML} from './lit-all.min.js';
-import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
-
-class TfTabQueryElement extends LitElement {
-	static get properties() {
-		return {
-			whoami: {type: String},
-			users: {type: Object},
-			following: {type: Array},
-			query: {type: String},
-			expanded: {type: Object},
-			results: {type: Array},
-			error: {type: Object},
-			duration: {type: Number},
-		};
-	}
-
-	static styles = styles;
-
-	constructor() {
-		super();
-		let self = this;
-		this.whoami = null;
-		this.users = {};
-		this.following = [];
-		this.expanded = {};
-		this.duration = undefined;
-	}
-
-	async search(query) {
-		console.log('Searching...', this.whoami, query);
-		this.results = [];
-		this.error = undefined;
-		this.duration = undefined;
-		let search = this.renderRoot.getElementById('search');
-		if (search) {
-			search.value = query;
-			search.focus();
-		}
-		await tfrpc.rpc.setHash('#sql=' + encodeURIComponent(query));
-		let start_time = new Date();
-		try {
-			this.results = await tfrpc.rpc.query(query, []);
-		} catch (error) {
-			this.error = error;
-		}
-		let end_time = new Date();
-		this.duration = (end_time - start_time).valueOf();
-		console.log('Done.');
-		search = this.renderRoot.getElementById('search');
-		if (search) {
-			search.value = query;
-			search.focus();
-		}
-	}
-
-	search_keydown(event) {
-		if (event.keyCode == 13 && event.ctrlKey) {
-			this.query = this.renderRoot.getElementById('search').value;
-			event.preventDefault();
-		}
-	}
-
-	on_expand(event) {
-		if (event.detail.expanded) {
-			let expand = {};
-			expand[event.detail.id] = true;
-			this.expanded = Object.assign({}, this.expanded, expand);
-		} else {
-			delete this.expanded[event.detail.id];
-			this.expanded = Object.assign({}, this.expanded);
-		}
-	}
-
-	render_results() {
-		if (!this.results?.length) {
-			return html`<div>No results.</div>`;
-		} else {
-			let keys = Object.keys(this.results[0]).sort();
-			return html`<table style="width: 100%; max-width: 100%">
-				<tr>
-					${keys.map((key) => html`<th>${key}</th>`)}
-				</tr>
-				${this.results.map(
-					(row) =>
-						html`<tr>
-							${keys.map((key) => html`<td>${row[key]}</td>`)}
-						</tr>`
-				)}
-			</table>`;
-		}
-	}
-
-	render_error() {
-		if (this.error) {
-			return html`<h2 style="color: red">${this.error.message}</h2>
-				<pre style="color: red">${this.error.stack}</pre>`;
-		}
-	}
-
-	render() {
-		if (this.query !== this.last_query) {
-			this.last_query = this.query;
-			this.search(this.query);
-		}
-		let self = this;
-		return html`
-			<div style="display: flex; flex-direction: row; gap: 4px">
-				<textarea
-					id="search"
-					rows="8"
-					class="w3-input w3-theme-d1"
-					style="flex: 1; resize: vertical"
-					@keydown=${this.search_keydown}
-				>
-${this.query}</textarea
-				>
-				<button
-					class="w3-button w3-theme-d1"
-					@click=${(event) =>
-						self.search(self.renderRoot.getElementById('search').value)}
-				>
-					Execute
-				</button>
-			</div>
-			<div ?hidden=${this.duration === undefined}>
-				Took ${this.duration / 1000.0} seconds.
-			</div>
-			<div ?hidden=${this.duration !== undefined}>Executing...</div>
-			${this.render_error()} ${this.render_results()}
-		`;
-	}
-}
-
-customElements.define('tf-tab-query', TfTabQueryElement);
--- a/apps/ssb/tf-tab-search.js
+++ b/apps/ssb/tf-tab-search.js
@@ -1,6 +1,6 @@
 import {LitElement, html, unsafeHTML} from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfTabSearchElement extends LitElement {
 	static get properties() {
@@ -11,6 +11,9 @@ class TfTabSearchElement extends LitElement {
 			following: {type: Array},
 			query: {type: String},
 			expanded: {type: Object},
+			messages: {type: Array},
+			results: {type: Array},
+			error: {type: Object},
 		};
 	}

@@ -38,24 +41,40 @@ class TfTabSearchElement extends LitElement {
 			search.select();
 		}
 		await tfrpc.rpc.setHash('#q=' + encodeURIComponent(query));
-		let results = await tfrpc.rpc.query(
-			`
-				SELECT messages.id, messages.previous, messages.author, messages.sequence, messages.timestamp, messages.hash, json(messages.content) AS content, messages.signature
-				FROM messages_fts(?)
-				JOIN messages ON messages.rowid = messages_fts.rowid
-				JOIN json_each(?) AS following ON messages.author = following.value
-				ORDER BY timestamp DESC limit 100
-			`,
-			['"' + query.replace('"', '""') + '"', JSON.stringify(this.following)]
-		);
-		console.log('Done.');
-		search = this.renderRoot.getElementById('search');
-		if (search) {
-			search.value = query;
-			search.focus();
-			search.select();
+		this.error = undefined;
+		this.results = [];
+		this.messages = [];
+		if (query.startsWith('sql:')) {
+			this.messages = [];
+			try {
+				this.results = await tfrpc.rpc.query(
+					query.substring('sql:'.length),
+					[]
+				);
+			} catch (e) {
+				this.results = [];
+				this.error = e;
+			}
+		} else {
+			let results = await tfrpc.rpc.query(
+				`
+					SELECT messages.id, messages.previous, messages.author, messages.sequence, messages.timestamp, messages.hash, json(messages.content) AS content, messages.signature
+					FROM messages_fts(?)
+					JOIN messages ON messages.rowid = messages_fts.rowid
+					JOIN json_each(?) AS following ON messages.author = following.value
+					ORDER BY timestamp DESC limit 100
+				`,
+				['"' + query.replace('"', '""') + '"', JSON.stringify(this.following)]
+			);
+			console.log('Done.');
+			search = this.renderRoot.getElementById('search');
+			if (search) {
+				search.value = query;
+				search.focus();
+				search.select();
+			}
+			this.messages = results;
 		}
-		this.renderRoot.getElementById('news').messages = results;
 	}

 	search_keydown(event) {
@@ -87,6 +106,39 @@ class TfTabSearchElement extends LitElement {
 		tfrpc.rpc.localStorageSet('drafts', JSON.stringify(this.drafts));
 	}

+	render_results() {
+		if (this.error) {
+			return html`<h2 style="color: red">${this.error.message}</h2>
+				<pre style="color: red">${this.error.stack}</pre>`;
+		} else if (this.messages?.length) {
+			return html`<tf-news
+				id="news"
+				whoami=${this.whoami}
+				.messages=${this.messages}
+				.users=${this.users}
+				.expanded=${this.expanded}
+				.drafts=${this.drafts}
+				@tf-expand=${this.on_expand}
+				@tf-draft=${this.draft}
+			></tf-news>`;
+		} else if (this.results?.length) {
+			let keys = Object.keys(this.results[0]).sort();
+			return html`<table style="width: 100%; max-width: 100%">
+				<tr>
+					${keys.map((key) => html`<th>${key}</th>`)}
+				</tr>
+				${this.results.map(
+					(row) =>
+						html`<tr>
+							${keys.map((key) => html`<td>${row[key]}</td>`)}
+						</tr>`
+				)}
+			</table>`;
+		} else {
+			return html`<div>No results.</div>`;
+		}
+	}
+
 	render() {
 		if (this.query !== this.last_query) {
 			this.last_query = this.query;
@@ -94,11 +146,14 @@ class TfTabSearchElement extends LitElement {
 		}
 		let self = this;
 		return html`
-			<div style="display: flex; flex-direction: row; gap: 4px">
-				<input type="text" class="w3-input w3-theme-d1" id="search" value=${this.query} style="flex: 1" @keydown=${this.search_keydown}></input>
-				<button class="w3-button w3-theme-d1" @click=${(event) => self.search(self.renderRoot.getElementById('search').value)}>Search</button>
+			<style>${generate_theme()}</style>
+			<div class="w3-padding">
+				<div style="display: flex; flex-direction: row; gap: 4px">
+					<input type="text" class="w3-input w3-theme-d1" id="search" value=${this.query} style="flex: 1" @keydown=${this.search_keydown}></input>
+					<button class="w3-button w3-theme-d1" @click=${(event) => self.search(self.renderRoot.getElementById('search').value)}>Search</button>
+				</div>
+				${this.render_results()}
 			</div>
-			<tf-news id="news" whoami=${this.whoami} .messages=${this.messages} .users=${this.users} .expanded=${this.expanded} .drafts=${this.drafts} @tf-expand=${this.on_expand} @tf-draft=${this.draft}></tf-news>
 		`;
 	}
 }
--- a/apps/ssb/tf-tag.js
+++ b/apps/ssb/tf-tag.js
@@ -1,5 +1,5 @@
 import {LitElement, html, unsafeHTML} from './lit-all.min.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfTagElement extends LitElement {
 	static get properties() {
@@ -17,11 +17,15 @@ class TfTagElement extends LitElement {

 	render() {
 		let number = this.count ? html` (${this.count})` : undefined;
-		return html`<a
-			href=${'#' + encodeURIComponent(this.tag)}
-			class="w3-tag w3-theme-d1 w3-round-4 w3-button"
-			>${this.tag}${number}</a
-		> `;
+		return html`
+			<style>
+				${generate_theme()}</style
+			><a
+				href=${'#' + encodeURIComponent(this.tag)}
+				class="w3-tag w3-theme-d1 w3-round-4 w3-button"
+				>${this.tag}${number}</a
+			>
+		`;
 	}
 }

--- a/apps/ssb/tf-user.js
+++ b/apps/ssb/tf-user.js
@@ -1,6 +1,6 @@
 import {LitElement, html} from './lit-all.min.js';
 import * as tfrpc from '/static/tfrpc.js';
-import {styles} from './tf-styles.js';
+import {styles, generate_theme} from './tf-styles.js';

 class TfUserElement extends LitElement {
 	static get properties() {
@@ -58,12 +58,15 @@ class TfUserElement extends LitElement {
 				/>`;
 			}
 		}
-		return html` <div
-			style=${'display: inline-block; vertical-align: middle; text-wrap: nowrap; max-width: 100%; overflow: hidden; text-overflow: ellipsis' +
-			(this.nolink ? '' : '; font-weight: bold')}
-		>
-			${image} ${name}
-		</div>`;
+		return html` <style>
+				${generate_theme()}
+			</style>
+			<div
+				style=${'display: inline-block; vertical-align: middle; text-wrap: nowrap; max-width: 100%; overflow: hidden; text-overflow: ellipsis' +
+				(this.nolink ? '' : '; font-weight: bold')}
+			>
+				${image} ${name}
+			</div>`;
 	}
 }

--- a/apps/trace.json
+++ b/apps/trace.json
@@ -0,0 +1,5 @@
+{
+	"type": "tildefriends-app",
+	"emoji": "📦",
+	"previous": "&mhBOscDHiJ4VNnod27NOdRVC+4cXYZXIdYjsQBfmTYg=.sha256"
+}
--- a/apps/trace/app.js
+++ b/apps/trace/app.js
@@ -0,0 +1,27 @@
+async function main() {
+	let speedscope_js = await utf8Decode(
+		getFile('speedscope/speedscope-432XE7GS.js')
+	);
+	speedscope_js = speedscope_js.replace(/alert\(`Cannot load.*?return/, '');
+	app.setDocument(`
+		<!DOCTYPE html>
+		<html>
+			<head>
+				<meta charset="UTF-8">
+				<meta name="viewport" content="width=device-width, initial-scale=1.0">
+				<meta http-equiv="X-UA-Compatible" content="ie=edge">
+				<title>speedscope</title>
+				<link rel="stylesheet" href="speedscope/speedscope-GHPHNKXC.css">
+			</head>
+			<body>
+				<script>
+					delete window.localStorage;
+					window.location.hash = '#profileURL=${core.url}../../trace';
+				</script>
+				<script>${speedscope_js}</script>
+			</body>
+		</html>
+	`);
+}
+
+main();
--- a/apps/trace/speedscope/LICENSE
+++ b/apps/trace/speedscope/LICENSE
--- a/apps/trace/speedscope/README
+++ b/apps/trace/speedscope/README
--- a/apps/trace/speedscope/SourceCodePro-Regular.ttf-ILST5JV6.woff2
+++ b/apps/trace/speedscope/SourceCodePro-Regular.ttf-ILST5JV6.woff2
--- a/apps/trace/speedscope/favicon-16x16-V2DMIAZS.js
+++ b/apps/trace/speedscope/favicon-16x16-V2DMIAZS.js
--- a/apps/trace/speedscope/favicon-16x16-VSI62OPJ.png
+++ b/apps/trace/speedscope/favicon-16x16-VSI62OPJ.png
--- a/apps/trace/speedscope/favicon-32x32-3EB2YCUY.png
+++ b/apps/trace/speedscope/favicon-32x32-3EB2YCUY.png
--- a/apps/trace/speedscope/favicon-32x32-THY3JDJL.js
+++ b/apps/trace/speedscope/favicon-32x32-THY3JDJL.js
--- a/apps/trace/speedscope/favicon-FOKUP5Y5.ico
+++ b/apps/trace/speedscope/favicon-FOKUP5Y5.ico
--- a/apps/trace/speedscope/favicon-M34RF7BI.js
+++ b/apps/trace/speedscope/favicon-M34RF7BI.js
--- a/apps/trace/speedscope/file-format-schema.json
+++ b/apps/trace/speedscope/file-format-schema.json
--- a/apps/trace/speedscope/index.html
+++ b/apps/trace/speedscope/index.html
@@ -11,7 +11,7 @@
    <link rel="icon" type="image/x-icon" href="favicon-FOKUP5Y5.ico">
  </head>
  <body>
-    <script src="speedscope-HCR63FMT.js"></script>
+    <script src="speedscope-432XE7GS.js"></script>
    
    
    
--- a/apps/trace/speedscope/perf-vertx-stacks-01-collapsed-all-ZNUIGAJL.txt
+++ b/apps/trace/speedscope/perf-vertx-stacks-01-collapsed-all-ZNUIGAJL.txt
--- a/apps/trace/speedscope/release.txt
+++ b/apps/trace/speedscope/release.txt
@@ -0,0 +1,3 @@
+speedscope@1.24.0
+Mon Oct 20 18:11:29 PDT 2025
+fc76932551754a442cd5c4f0afdba28032d14d8a
--- a/apps/trace/speedscope/source-code-pro.LICENSE.md
+++ b/apps/trace/speedscope/source-code-pro.LICENSE.md
--- a/apps/trace/speedscope/speedscope-432XE7GS.js
+++ b/apps/trace/speedscope/speedscope-432XE7GS.js
--- a/apps/trace/speedscope/speedscope-GHPHNKXC.css
+++ b/apps/trace/speedscope/speedscope-GHPHNKXC.css
--- a/apps/welcome.json
+++ b/apps/welcome.json
@@ -1,5 +1,5 @@
 {
 	"type": "tildefriends-app",
 	"emoji": "👋",
-	"previous": "&ijyL/pyTwguBd9njagU7Vpc/1EyRermZuzrlq1mnzbY=.sha256"
+	"previous": "&n1QkPkB5JoduFSx8UKOY3IlZqS2GwLiTUZv4ZrEOthQ=.sha256"
 }
--- a/apps/welcome/index.html
+++ b/apps/welcome/index.html
@@ -340,10 +340,6 @@
 					<i class="fa fa-lock w3-text-purple w3-jumbo"></i>
 					<p>libsodium</p>
 				</a>
-				<a href="https://github.com/openssl/openssl/releases" class="w3-col s3">
-					<i class="fa fa-shield-halved w3-text-green w3-jumbo"></i>
-					<p>OpenSSL</p>
-				</a>
 				<a
 					href="https://github.com/ianlancetaylor/libbacktrace"
 					class="w3-col s3"
@@ -351,13 +347,13 @@
 					<i class="fa fa-burst w3-text-pink w3-jumbo"></i>
 					<p>libbacktrace</p>
 				</a>
-			</div>
-
-			<div class="w3-row" style="margin-top: 64px">
 				<a href="https://codemirror.net/docs/changelog/" class="w3-col s3">
 					<i class="fa fa-keyboard w3-text-indigo w3-jumbo"></i>
 					<p>CodeMirror</p>
 				</a>
+			</div>
+
+			<div class="w3-row" style="margin-top: 64px">
 				<a href="https://github.com/jlfwong/speedscope/" class="w3-col s3">
 					<i class="fa fa-microscope w3-text-orange w3-jumbo"></i>
 					<p>Speedscope</p>
@@ -370,9 +366,6 @@
 					<i class="fa fa-book-atlas w3-text-purple w3-jumbo"></i>
 					<p>c-ares</p>
 				</a>
-			</div>
-
-			<div class="w3-row" style="margin-top: 64px">
 				<a href="https://www.gnu.org/software/make/" class="w3-col s3">
 					<i class="fa fa-hammer w3-text-teal w3-jumbo"></i>
 					<p>GNU Make</p>
--- a/core/app.js
+++ b/core/app.js
@@ -149,7 +149,7 @@ exports.app_socket = async function socket(request, response) {
 								parentApp: parentApp,
 								id: blobId,
 							},
-							await ssb.getIdentityInfo(
+							await ssb_internal.getIdentityInfo(
 								credentials?.session?.name,
 								packageOwner,
 								packageName
--- a/core/auth.html
+++ b/core/auth.html
@@ -75,6 +75,10 @@
 								margin-bottom: 1em;
 								padding: 1em;
 							}
+							#code_of_conduct:has(>textarea:empty) {
+								display: none;
+								width: 100%;
+							}
 						</style>
 						<div style="display: flex; flex-direction: column; max-width: 1280px; margin: auto">
 							<h1 ?hidden=${this.name}>Welcome.</h1>
@@ -126,8 +130,10 @@
 								There is currently no administrator.  You will be made administrator.
 							</div>

-							<h2>Code of Conduct</h2>
-							<textarea readonly rows="20" cols="80" style="resize: none">${this.code_of_conduct}</textarea>
+							<div id="code_of_conduct">
+								<h2>Code of Conduct</h2>
+								<textarea readonly rows="20" style="resize: none; width: 100%">${this.code_of_conduct}</textarea>
+							</div>
 						</div>
 					`;
 				}
--- a/core/client.js
+++ b/core/client.js
@@ -9,18 +9,17 @@
 import {LitElement, html, css, svg} from '/lit/lit-all.min.js';

 let cm6;
-let gSocket;

-let gCurrentFile;
-let gFiles = {};
-let gApp = {files: {}, emoji: '📦'};
-let gEditor;
-let gOriginalInput;
-let gUnloading;
+let g_socket;
+let g_current_file;
+let g_files = {};
+let g_app = {files: {}, emoji: '📦'};
+let g_editor;
+let g_unloading;

-let kErrorColor = '#dc322f';
-let kDisconnectColor = '#f00';
-let kStatusColor = '#fff';
+let k_color_error = '#dc322f';
+let k_color_disconnect = '#f00';
+let k_color_status = '#fff';
 /** \endcond */

 /** Functions that server-side app code can call through the app object. */
@@ -30,7 +29,10 @@ const k_api = {
 	error: {args: ['error'], func: api_error},
 	localStorageSet: {args: ['key', 'value'], func: api_localStorageSet},
 	localStorageGet: {args: ['key'], func: api_localStorageGet},
-	requestPermission: {args: ['permission', 'id'], func: api_requestPermission},
+	requestPermission: {
+		args: ['permission', 'id', 'description'],
+		func: api_requestPermission,
+	},
 	print: {args: ['...'], func: api_print},
 	setHash: {args: ['hash'], func: api_setHash},
 };
@@ -370,16 +372,15 @@ class TfNavigationElement extends LitElement {
 					>${this.version?.number}</span
 				>
 				<a
-					class="w3-bar-item"
+					class="w3-bar-item w3-button w3-text-white"
 					accesskey="h"
 					@mouseover=${set_access_key_title}
 					data-tip="Open home app."
 					href="/"
-					style="color: #fff; white-space: nowrap"
 					>TF</a
 				>
 				<a
-					class="w3-bar-item"
+					class="w3-bar-item w3-button w3-text-light-gray"
 					accesskey="a"
 					@mouseover=${set_access_key_title}
 					data-tip="Open apps list."
@@ -387,7 +388,7 @@ class TfNavigationElement extends LitElement {
 					>apps</a
 				>
 				<a
-					class="w3-bar-item"
+					class="w3-bar-item w3-button w3-text-light-gray"
 					accesskey="e"
 					@mouseover=${set_access_key_title}
 					data-tip="Toggle the app editor."
@@ -396,7 +397,7 @@ class TfNavigationElement extends LitElement {
 					>edit</a
 				>
 				<a
-					class="w3-bar-item"
+					class="w3-bar-item w3-button"
 					accesskey="p"
 					@mouseover=${set_access_key_title}
 					data-tip="View and change permissions."
@@ -410,7 +411,7 @@ class TfNavigationElement extends LitElement {
 							<link type="text/css" rel="stylesheet" href="/static/w3.css" />
 							<div
 								class="w3-bar-item"
-								style="color: ${this.status.color ?? kStatusColor}"
+								style="color: ${this.status.color ?? k_color_status}"
 							>
 								${this.status.message}
 							</div>
@@ -429,7 +430,7 @@ class TfNavigationElement extends LitElement {
 					<div class="w3-model w3-animate-top" style="position: absolute; left: 50%; transform: translate(-50%); z-index: 1">
 						<dijv class="w3-modal-content w3-card-4" style="display: block; padding: 1em">
 							<span id="close_error" @click=${self.clear_error} class="w3-button w3-display-topright">&times;</span>
-							<div style="color: ${this.status.color ?? kErrorColor}"><b>ERROR:</b><p id="error" style="white-space: pre">${this.status.message}</p></div>
+							<div style="color: ${this.status.color ?? k_color_error}"><b>ERROR:</b><p id="error" style="white-space: pre">${this.status.message}</p></div>
 						</div>
 					</div>
 					`
@@ -521,7 +522,7 @@ class TfFilesElement extends LitElement {
 		for (let file of event.dataTransfer.files) {
 			let buffer = await file.arrayBuffer();
 			let text = new TextDecoder('latin1').decode(buffer);
-			gFiles[file.name] = {
+			g_files[file.name] = {
 				doc: cm6.EditorState.create({
 					doc: text,
 					extensions: cm6.extensions,
@@ -529,9 +530,9 @@ class TfFilesElement extends LitElement {
 				buffer: buffer,
 				isNew: true,
 			};
-			gCurrentFile = file.name;
+			g_current_file = file.name;
 		}
-		openFile(gCurrentFile);
+		openFile(g_current_file);
 		updateFiles();
 	}

@@ -895,11 +896,11 @@ async function edit() {
 		: 'flex';

 	try {
-		if (!gEditor) {
+		if (!g_editor) {
 			cm6 = await import('/codemirror/cm6.js');
-			gEditor = cm6.TildeFriendsEditorView(document.getElementById('editor'));
+			g_editor = cm6.TildeFriendsEditorView(document.getElementById('editor'));
 		}
-		gEditor.onDocChange = updateFiles;
+		g_editor.onDocChange = updateFiles;
 		await load();
 	} catch (error) {
 		alert(`${error.message}\n\n${error.stack}`);
@@ -911,7 +912,7 @@ async function edit() {
 * Open a performance trace.
 */
 function trace() {
-	window.open(`/speedscope/#profileURL=${encodeURIComponent('/trace')}`);
+	window.open(`/~core/trace/`);
 }

 /**
@@ -932,13 +933,13 @@ function loadFile(name, id) {
 			return response.text();
 		})
 		.then(function (text) {
-			gFiles[name].doc = cm6.EditorState.create({
+			g_files[name].doc = cm6.EditorState.create({
 				doc: text,
 				extensions: cm6.extensions,
 			});
-			gFiles[name].original = gFiles[name].doc.doc.toString();
-			if (!Object.values(gFiles).some((x) => !x.doc)) {
-				openFile(Object.keys(gFiles).sort()[0]);
+			g_files[name].original = g_files[name].doc.doc.toString();
+			if (!Object.values(g_files).some((x) => !x.doc)) {
+				openFile(Object.keys(g_files).sort()[0]);
 			}
 		});
 }
@@ -956,31 +957,31 @@ async function load(path) {
 	} else if (response.status != 404) {
 		throw new Error(response.status + ' ' + response.statusText);
 	}
-	gFiles = {};
+	g_files = {};
 	let isApp = false;
 	let promises = [];

 	if (json && json['type'] == 'tildefriends-app') {
 		isApp = true;
 		Object.keys(json['files']).forEach(function (name) {
-			gFiles[name] = {};
+			g_files[name] = {};
 			promises.push(loadFile(name, json['files'][name]));
 		});
 		if (Object.keys(json['files']).length == 0) {
 			document.getElementById('editPane').style.display = 'flex';
 		}
-		gApp = json;
-		gApp.emoji = gApp.emoji || '📦';
-		document.getElementById('icon').innerHTML = gApp.emoji;
+		g_app = json;
+		g_app.emoji = g_app.emoji || '📦';
+		document.getElementById('icon').innerHTML = g_app.emoji;
 	}
 	if (!isApp) {
 		document.getElementById('editPane').style.display = 'flex';
 		let text = '// New script.\n';
-		gCurrentFile = 'app.js';
-		gFiles[gCurrentFile] = {
+		g_current_file = 'app.js';
+		g_files[g_current_file] = {
 			doc: cm6.EditorState.create({doc: text, extensions: cm6.extensions}),
 		};
-		openFile(gCurrentFile);
+		openFile(g_current_file);
 	}
 	return Promise.all(promises);
 }
@@ -1001,13 +1002,14 @@ function closeEditor() {
 */
 function save(save_to) {
 	document.getElementById('save').disabled = true;
-	if (gCurrentFile) {
-		gFiles[gCurrentFile].doc = gEditor.state;
+	if (g_current_file) {
+		g_files[g_current_file].doc = g_editor.state;
 		if (
-			!gFiles[gCurrentFile].isNew &&
-			!gFiles[gCurrentFile].doc.doc.toString() == gFiles[gCurrentFile].original
+			!g_files[g_current_file].isNew &&
+			!g_files[g_current_file].doc.doc.toString() ==
+				g_files[g_current_file].original
 		) {
-			delete gFiles[gCurrentFile].buffer;
+			delete g_files[g_current_file].buffer;
 		}
 	}

@@ -1022,8 +1024,8 @@ function save(save_to) {
 	}

 	let promises = [];
-	for (let name of Object.keys(gFiles)) {
-		let file = gFiles[name];
+	for (let name of Object.keys(g_files)) {
+		let file = g_files[name];
 		if (!file.isNew && file.doc.doc.toString() == file.original) {
 			continue;
 		}
@@ -1065,14 +1067,14 @@ function save(save_to) {
 			let app = {
 				type: 'tildefriends-app',
 				files: Object.fromEntries(
-					Object.keys(gFiles).map((x) => [x, gFiles[x].id || gApp.files[x]])
+					Object.keys(g_files).map((x) => [x, g_files[x].id || g_app.files[x]])
 				),
-				emoji: gApp.emoji || '📦',
+				emoji: g_app.emoji || '📦',
 			};
-			Object.values(gFiles).forEach(function (file) {
+			Object.values(g_files).forEach(function (file) {
 				delete file.id;
 			});
-			gApp = JSON.parse(JSON.stringify(app));
+			g_app = JSON.parse(JSON.stringify(app));

 			return fetch(save_path + 'save', {
 				method: 'POST',
@@ -1087,7 +1089,7 @@ function save(save_to) {

 				if (save_path != window.location.pathname) {
 					alert('Saved to ' + save_path + '.');
-				} else if (!gFiles['app.js']) {
+				} else if (!g_files['app.js']) {
 					window.location.reload();
 				} else {
 					reconnect(save_path);
@@ -1099,7 +1101,7 @@ function save(save_to) {
 		})
 		.finally(function () {
 			document.getElementById('save').disabled = false;
-			Object.values(gFiles).forEach(function (file) {
+			Object.values(g_files).forEach(function (file) {
 				file.original = file.doc.doc.toString();
 			});
 			updateFiles();
@@ -1112,8 +1114,8 @@ function save(save_to) {
 function changeIcon() {
 	let value = prompt('Enter a new app icon emoji:');
 	if (value !== undefined) {
-		gApp.emoji = value || '📦';
-		document.getElementById('icon').innerHTML = gApp.emoji;
+		g_app.emoji = value || '📦';
+		document.getElementById('icon').innerHTML = g_app.emoji;
 	}
 }

@@ -1190,9 +1192,12 @@ function api_postMessage(message) {
 function api_error(error) {
 	if (error) {
 		if (typeof error == 'string') {
-			setStatusMessage('⚠️ ' + error, kErrorColor);
+			setStatusMessage('⚠️ ' + error, k_color_error);
 		} else {
-			setStatusMessage('⚠️ ' + error.message + '\n' + error.stack, kErrorColor);
+			setStatusMessage(
+				'⚠️ ' + error.message + '\n' + error.stack,
+				k_color_error
+			);
 		}
 	}
 	console.log('error', error);
@@ -1219,10 +1224,10 @@ function api_localStorageGet(key) {
 /**
 * Request a permission
 * @param permission The permission to request.
- * @param id The id requeesting the permission.
+ * @param description An optional human-readable description of the action for which the permission is being requested.
 * @return A promise fulfilled if the permission was granted.
 */
-function api_requestPermission(permission, id) {
+function api_requestPermission(permission, description) {
 	let outer = document.createElement('div');
 	outer.classList.add('permissions');

@@ -1239,6 +1244,18 @@ function api_requestPermission(permission, id) {
 	div.appendChild(span);
 	container.appendChild(div);

+	if (description) {
+		container.appendChild(document.createTextNode('for the action:'));
+		let description_div = document.createElement('div');
+		description_div.classList.add('w3-border');
+		description_div.classList.add('w3-padding');
+		description_div.style.backgroundColor = '#666';
+		description_div.style.maxHeight = '3em';
+		description_div.style.overflow = 'auto';
+		description_div.appendChild(document.createTextNode(description));
+		container.appendChild(description_div);
+	}
+
 	div = document.createElement('div');
 	div.style = 'padding: 1em';
 	let check = document.createElement('input');
@@ -1309,7 +1326,7 @@ function api_setHash(hash) {
 */
 function _receive_websocket_message(message) {
 	if (message && message.action == 'session') {
-		setStatusMessage('🟢 Executing...', kStatusColor);
+		setStatusMessage('🟢 Executing...', k_color_status);
 		let navigation = document.getElementsByTagName('tf-navigation')[0];
 		navigation.credentials = message.credentials;
 		navigation.identities = message.identities;
@@ -1409,7 +1426,7 @@ function setStatusMessage(message, color) {
 	document.getElementsByTagName('tf-navigation')[0].status = {
 		message: message,
 		color: color,
-		is_error: color == kErrorColor,
+		is_error: color == k_color_error,
 	};
 }

@@ -1419,11 +1436,11 @@ function setStatusMessage(message, color) {
 */
 function send(value) {
 	try {
-		if (gSocket && gSocket.readyState == gSocket.OPEN) {
-			gSocket.send(JSON.stringify(value));
+		if (g_socket && g_socket.readyState == g_socket.OPEN) {
+			g_socket.send(JSON.stringify(value));
 		}
 	} catch (error) {
-		setStatusMessage('🤷 Send failed: ' + error.toString(), kErrorColor);
+		setStatusMessage('🤷 Send failed: ' + error.toString(), k_color_error);
 	}
 }

@@ -1438,7 +1455,7 @@ function hashChange() {
 * Make sure the app is connected on window focus, and notify the app.
 */
 function focus() {
-	if (gSocket && gSocket.readyState == gSocket.CLOSED) {
+	if (g_socket && g_socket.readyState == g_socket.CLOSED) {
 		connectSocket();
 	} else {
 		send({event: 'focus'});
@@ -1449,9 +1466,7 @@ function focus() {
 * Notify the app of lost focus.
 */
 function blur() {
-	if (gSocket && gSocket.readyState == gSocket.OPEN) {
-		send({event: 'blur'});
-	}
+	send({event: 'blur'});
 }

 /**
@@ -1508,8 +1523,8 @@ function message(event) {
 * @param path The path to which the WebSocket should be connected.
 */
 function reconnect(path) {
-	let oldSocket = gSocket;
-	gSocket = null;
+	let oldSocket = g_socket;
+	g_socket = null;
 	if (oldSocket) {
 		oldSocket.onopen = null;
 		oldSocket.onclose = null;
@@ -1524,24 +1539,24 @@ function reconnect(path) {
 * @param path The path to which to connect.
 */
 function connectSocket(path) {
-	if (!gSocket || gSocket.readyState != gSocket.OPEN) {
-		if (gSocket) {
-			gSocket.onopen = null;
-			gSocket.onclose = null;
-			gSocket.onmessage = null;
-			gSocket.close();
+	if (!g_socket || g_socket.readyState != g_socket.OPEN) {
+		if (g_socket) {
+			g_socket.onopen = null;
+			g_socket.onclose = null;
+			g_socket.onmessage = null;
+			g_socket.close();
 		}
-		setStatusMessage('⚪ Connecting...', kStatusColor);
-		gSocket = new WebSocket(
+		setStatusMessage('⚪ Connecting...', k_color_status);
+		g_socket = new WebSocket(
 			(window.location.protocol == 'https:' ? 'wss://' : 'ws://') +
 				window.location.hostname +
 				(window.location.port.length ? ':' + window.location.port : '') +
 				'/app/socket'
 		);
-		gSocket.onopen = function () {
-			setStatusMessage('🟡 Authenticating...', kStatusColor);
+		g_socket.onopen = function () {
+			setStatusMessage('🟡 Authenticating...', k_color_status);
 			let connect_path = path ?? window.location.pathname;
-			gSocket.send(
+			g_socket.send(
 				JSON.stringify({
 					action: 'hello',
 					path: connect_path,
@@ -1553,12 +1568,12 @@ function connectSocket(path) {
 				})
 			);
 		};
-		gSocket.onmessage = function (event) {
+		g_socket.onmessage = function (event) {
 			_receive_websocket_message(JSON.parse(event.data));
 		};
-		gSocket.onclose = function (event) {
-			if (gUnloading) {
-				setStatusMessage('⚪ Closing...', kStatusColor);
+		g_socket.onclose = function (event) {
+			if (g_unloading) {
+				setStatusMessage('⚪ Closing...', k_color_status);
 			} else {
 				const k_codes = {
 					1000: 'Normal closure',
@@ -1579,7 +1594,7 @@ function connectSocket(path) {
 				};
 				setStatusMessage(
 					'🔴 Closed: ' + (k_codes[event.code] || event.code),
-					kDisconnectColor
+					k_color_disconnect
 				);
 			}
 		};
@@ -1592,24 +1607,24 @@ function connectSocket(path) {
 */
 function openFile(name) {
 	let newDoc =
-		name && gFiles[name]
-			? gFiles[name].doc
+		name && g_files[name]
+			? g_files[name].doc
 			: cm6.EditorState.create({doc: '', extensions: cm6.extensions});
-	let oldDoc = gEditor.state;
-	gEditor.setState(newDoc);
+	let oldDoc = g_editor.state;
+	g_editor.setState(newDoc);

-	if (gFiles[gCurrentFile]) {
-		gFiles[gCurrentFile].doc = oldDoc;
+	if (g_files[g_current_file]) {
+		g_files[g_current_file].doc = oldDoc;
 		if (
-			!gFiles[gCurrentFile].isNew &&
-			gFiles[gCurrentFile].doc.doc.toString() == oldDoc.doc.toString()
+			!g_files[g_current_file].isNew &&
+			g_files[g_current_file].doc.doc.toString() == oldDoc.doc.toString()
 		) {
-			delete gFiles[gCurrentFile].buffer;
+			delete g_files[g_current_file].buffer;
 		}
 	}
-	gCurrentFile = name;
+	g_current_file = name;
 	updateFiles();
-	gEditor.focus();
+	g_editor.focus();
 }

 /**
@@ -1619,19 +1634,19 @@ function updateFiles() {
 	let files = document.getElementsByTagName('tf-files-pane')[0];
 	if (files) {
 		files.files = Object.fromEntries(
-			Object.keys(gFiles).map((file) => [
+			Object.keys(g_files).map((file) => [
 				file,
 				{
 					clean:
-						(file == gCurrentFile
-							? gEditor.state.doc.toString()
-							: gFiles[file].doc.doc.toString()) == gFiles[file].original,
+						(file == g_current_file
+							? g_editor.state.doc.toString()
+							: g_files[file].doc.doc.toString()) == g_files[file].original,
 				},
 			])
 		);
-		files.current = gCurrentFile;
+		files.current = g_current_file;
 	}
-	gEditor.focus();
+	g_editor.focus();
 }

 /**
@@ -1639,7 +1654,7 @@ function updateFiles() {
 * @param name The file's name.
 */
 function makeNewFile(name) {
-	gFiles[name] = {
+	g_files[name] = {
 		doc: cm6.EditorState.create({extensions: cm6.extensions}),
 	};
 	openFile(name);
@@ -1650,7 +1665,7 @@ function makeNewFile(name) {
 */
 function newFile() {
 	let name = prompt('Name of new file:', 'file.js');
-	if (name && !gFiles[name]) {
+	if (name && !g_files[name]) {
 		makeNewFile(name);
 	}
 }
@@ -1659,9 +1674,9 @@ function newFile() {
 * Prompt to remove a file.
 */
 function removeFile() {
-	if (confirm('Remove ' + gCurrentFile + '?')) {
-		delete gFiles[gCurrentFile];
-		openFile(Object.keys(gFiles)[0]);
+	if (confirm('Remove ' + g_current_file + '?')) {
+		delete g_files[g_current_file];
+		openFile(Object.keys(g_files)[0]);
 	}
 }

@@ -1677,13 +1692,13 @@ async function appExport() {
 		`${name}.json`,
 		JSON.stringify({
 			type: 'tildefriends-app',
-			emoji: gApp.emoji || '📦',
+			emoji: g_app.emoji || '📦',
 		})
 	);
-	for (let file of Object.keys(gFiles)) {
+	for (let file of Object.keys(g_files)) {
 		zip.file(
 			`${name}/${file}`,
-			gFiles[file].buffer ?? gFiles[file].doc.doc.toString()
+			g_files[file].buffer ?? g_files[file].doc.doc.toString()
 		);
 	}
 	let content = await zip.generateAsync({
@@ -1802,9 +1817,9 @@ async function sourcePretty() {
 	let babel = (await import('/prettier/babel.mjs')).default;
 	let estree = (await import('/prettier/estree.mjs')).default;
 	let prettier_html = (await import('/prettier/html.mjs')).default;
-	let source = gEditor.state.doc.toString();
+	let source = g_editor.state.doc.toString();
 	let formatted = await prettier.format(source, {
-		parser: gCurrentFile?.toLowerCase()?.endsWith('.html') ? 'html' : 'babel',
+		parser: g_current_file?.toLowerCase()?.endsWith('.html') ? 'html' : 'babel',
 		plugins: [babel, estree, prettier_html],
 		trailingComma: 'es5',
 		useTabs: true,
@@ -1813,10 +1828,10 @@ async function sourcePretty() {
 		bracketSpacing: false,
 	});
 	if (source !== formatted) {
-		gEditor.dispatch({
+		g_editor.dispatch({
 			changes: {
 				from: 0,
-				to: gEditor.state.doc.length,
+				to: g_editor.state.doc.length,
 				insert: formatted,
 			},
 		});
@@ -1861,7 +1876,7 @@ window.addEventListener('load', function () {
 	window.addEventListener('message', message, false);
 	window.addEventListener('online', connectSocket);
 	window.addEventListener('beforeunload', function () {
-		gUnloading = true;
+		g_unloading = true;
 	});
 	document.getElementById('name').value = window.location.pathname;
 	document
--- a/core/core.js
+++ b/core/core.js
@@ -7,7 +7,6 @@

 /** \cond */
 import * as app from './app.js';
-import * as http from './http.js';

 export {invoke, getProcessBlob};
 /** \endcond */
@@ -18,6 +17,8 @@ let gProcesses = {};
 let gStatsTimer = false;
 /** Effectively a process ID. */
 let g_handler_index = 0;
+/** Whether updating accounts information is currently scheduled. */
+let g_update_accounts_scheduled;
 /** Time between pings, in milliseconds. */
 const k_ping_interval = 60 * 1000;

@@ -179,6 +180,7 @@ async function getProcessBlob(blobId, key, options) {
 			process.task = new Task();
 			process.packageOwner = options.packageOwner;
 			process.packageName = options.packageName;
+			process.url = options?.url;
 			process.eventHandlers = {};
 			if (!options?.script || options?.script === 'app.js') {
 				process.app = new app.App();
@@ -192,7 +194,6 @@ async function getProcessBlob(blobId, key, options) {
 			});
 			gProcesses[key] = process;
 			process.task.onExit = function (exitCode, terminationSignal) {
-				broadcastEvent('onSessionEnd', [getUser(process, process)]);
 				process.task = null;
 				delete gProcesses[key];
 			};
@@ -200,29 +201,6 @@ async function getProcessBlob(blobId, key, options) {
 				core: {
 					broadcast: broadcast.bind(process),
 					user: getUser(process, process),
-					users: async function () {
-						try {
-							return JSON.parse(await new Database('auth').get('users'));
-						} catch {
-							return [];
-						}
-					},
-					permissionsGranted: async function () {
-						let user = process?.credentials?.session?.name;
-						let settings = await loadSettings();
-						if (
-							user &&
-							options?.packageOwner &&
-							options?.packageName &&
-							settings.userPermissions &&
-							settings.userPermissions[user] &&
-							settings.userPermissions[user][options.packageOwner]
-						) {
-							return settings.userPermissions[user][options.packageOwner][
-								options.packageName
-							];
-						}
-					},
 					allPermissionsGranted: async function () {
 						let user = process?.credentials?.session?.name;
 						let settings = await loadSettings();
@@ -236,12 +214,7 @@ async function getProcessBlob(blobId, key, options) {
 							return settings.userPermissions[user];
 						}
 					},
-					permissionsForUser: async function (user) {
-						let settings = await loadSettings();
-						return settings?.permissions?.[user] ?? [];
-					},
-					getSockets: getSockets,
-					permissionTest: async function (permission) {
+					permissionTest: async function (permission, description) {
 						let user = process?.credentials?.session?.name;
 						let settings = await loadSettings();
 						if (!user || !options?.packageOwner || !options?.packageName) {
@@ -268,7 +241,7 @@ async function getProcessBlob(blobId, key, options) {
 							}
 						} else if (process.app) {
 							return process.app
-								.makeFunction(['requestPermission'])(permission)
+								.makeFunction(['requestPermission'])(permission, description)
 								.then(async function (value) {
 									if (value == 'allow') {
 										await ssb.setUserPermission(
@@ -301,26 +274,26 @@ async function getProcessBlob(blobId, key, options) {
 							throw Error(`Permission denied: ${permission}.`);
 						}
 					},
-					app: {
-						owner: options?.packageOwner,
-						name: options?.packageName,
-					},
-					url: options?.url,
 				},
 			};
 			process.sendIdentities = async function () {
-				process.app.send(
-					Object.assign(
-						{
-							action: 'identities',
-						},
-						await ssb.getIdentityInfo(
-							process?.credentials?.session?.name,
-							options?.packageOwner,
-							options?.packageName
-						)
-					)
+				let identities = await ssb_internal.getIdentityInfo(
+					process?.credentials?.session?.name,
+					options?.packageOwner,
+					options?.packageName
 				);
+				let json = JSON.stringify(identities);
+				if (process._last_sent_identities !== json) {
+					process.app.send(
+						Object.assign(
+							{
+								action: 'identities',
+							},
+							identities
+						)
+					);
+					process._last_sent_identities = json;
+				}
 			};
 			process.setActiveIdentity = async function (identity) {
 				if (
@@ -357,7 +330,7 @@ async function getProcessBlob(blobId, key, options) {
 						options.packageName,
 						'setActiveIdentity',
 						[
-							await ssb.getActiveIdentity(
+							await imports.ssb.getActiveIdentity(
 								process.credentials?.session?.name,
 								options.packageOwner,
 								options.packageName
@@ -370,21 +343,11 @@ async function getProcessBlob(blobId, key, options) {
 				}
 			};
 			if (process.credentials?.permissions?.administration) {
-				imports.core.globalSettingsDescriptions = async function () {
-					let settings = Object.assign({}, defaultGlobalSettings());
-					for (let [key, value] of Object.entries(await loadSettings())) {
-						if (settings[key]) {
-							settings[key].value = value;
-						}
-					}
-					return settings;
-				};
-				imports.core.globalSettingsGet = async function (key) {
-					let settings = await loadSettings();
-					return settings?.[key];
-				};
 				imports.core.globalSettingsSet = async function (key, value) {
-					await imports.core.permissionTest('set_global_setting');
+					await imports.core.permissionTest(
+						'set_global_setting',
+						`Set ${JSON.stringify(key)} to ${JSON.stringify(value)}.`
+					);
 					print('Setting', key, value);
 					let settings = await loadSettings();
 					settings[key] = value;
@@ -464,26 +427,6 @@ async function getProcessBlob(blobId, key, options) {
 				}
 			};
 			imports.ssb.setActiveIdentity = (id) => process.setActiveIdentity(id);
-			imports.ssb.getActiveIdentity = () =>
-				ssb.getActiveIdentity(
-					process.credentials?.session?.name,
-					options.packageOwner,
-					options.packageName
-				);
-			imports.ssb.getOwnerIdentities = function () {
-				if (options.packageOwner) {
-					return ssb.getIdentities(options.packageOwner);
-				}
-			};
-			imports.ssb.getIdentities = function () {
-				if (
-					process.credentials &&
-					process.credentials.session &&
-					process.credentials.session.name
-				) {
-					return ssb.getIdentities(process.credentials.session.name);
-				}
-			};
 			imports.ssb.getPrivateKey = function (id) {
 				if (
 					process.credentials &&
@@ -503,8 +446,18 @@ async function getProcessBlob(blobId, key, options) {
 					process.credentials.session &&
 					process.credentials.session.name
 				) {
+					let action;
+					try {
+						if (message?.type === 'vote' && message?.vote?.expression) {
+							action = `React with ${message?.vote?.expression}.`;
+						} else if (typeof message === 'string') {
+							action = `Post a private message.`;
+						} else {
+							action = `Publish ${'aeiou'.indexOf(message?.type?.toLowerCase()?.substring(0, 1)) != -1 ? 'an' : 'a'} "${message?.type}" message.`;
+						}
+					} catch {}
 					return Promise.resolve(
-						imports.core.permissionTest('ssb_append')
+						imports.core.permissionTest('ssb_append', action)
 					).then(function () {
 						return ssb.appendMessageWithIdentity(
 							process.credentials.session.name,
@@ -553,13 +506,6 @@ async function getProcessBlob(blobId, key, options) {
 					);
 				}
 			};
-			imports.ssb.addEventListener = undefined;
-			imports.ssb.removeEventListener = undefined;
-			imports.ssb.getIdentityInfo = undefined;
-			imports.fetch = async function (url, options) {
-				let settings = await loadSettings();
-				return http.fetch(url, options, settings?.fetch_hosts);
-			};

 			if (
 				process.credentials &&
@@ -663,7 +609,6 @@ async function getProcessBlob(blobId, key, options) {
 			} catch (e) {
 				printError(e);
 			}
-			broadcastEvent('onSessionBegin', [getUser(process, process)]);
 			if (process.app) {
 				process.app.send({action: 'ready', version: version()});
 				await process.sendPermissions();
@@ -686,22 +631,39 @@ async function getProcessBlob(blobId, key, options) {
 	return process;
 }

+/**
+ * Send any changed account information.
+ */
+function updateAccounts() {
+	g_update_accounts_scheduled = false;
+	let promises = [];
+	for (let process of Object.values(gProcesses)) {
+		promises.push(process.sendIdentities());
+	}
+	return Promise.all(promises);
+}
+
 /**
 * SSB message added callback.
 */
-ssb.addEventListener('message', function () {
+ssb_internal.addEventListener('message', function () {
 	broadcastEvent('onMessage', [...arguments]);
+
+	if (!g_update_accounts_scheduled) {
+		setTimeout(updateAccounts, 1000);
+		g_update_accounts_scheduled = true;
+	}
 });

-ssb.addEventListener('blob', function () {
+ssb_internal.addEventListener('blob', function () {
 	broadcastEvent('onBlob', [...arguments]);
 });

-ssb.addEventListener('broadcasts', function () {
+ssb_internal.addEventListener('broadcasts', function () {
 	broadcastEvent('onBroadcastsChanged', []);
 });

-ssb.addEventListener('connections', function () {
+ssb_internal.addEventListener('connections', function () {
 	broadcastEvent('onConnectionsChanged', []);
 });

--- a/core/eula.html
+++ b/core/eula.html
@@ -0,0 +1,67 @@
+<!doctype html>
+<html>
+	<head>
+		<title>Tilde Friends Usage Agreement</title>
+		<link type="text/css" rel="stylesheet" href="/static/w3.css" />
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+	</head>
+	<body class="w3-container">
+		<h1>Tilde Friends Usage Agreement</h1>
+		<p>
+			Tilde Friends is an app that enables communication with other users
+			through the
+			<a href="https://ssbc.github.io/scuttlebutt-protocol-guide/"
+				>Secure Scuttlebutt</a
+			>
+			protocol.
+		</p>
+		<h2>Your actions are your responsibility</h2>
+		<p>
+			Apple tolerates no objectionable content or abusive users on their
+			platforms.
+		</p>
+		<p>
+			You are responsible for your own actions within this app. You are
+			responsible for complying with all applicable rules and laws.
+		</p>
+		<h2>You choose what you see</h2>
+		<p>
+			You are in full control of the content you see in Tilde Friends. The peers
+			to which you choose to connect and the users you choose to follow directly
+			determine the content presented to you. Initially you will be following no
+			one with no connections and as a result see no user-generated content.
+		</p>
+		<p>
+			If you encounter objectionable content, you can filter it from your view
+			by blocking the user who posted it. This also makes it so that users
+			following you will not see it as a consequence of following you.
+		</p>
+		<p>
+			The <code>admin</code> app contains a variety of settings that control the
+			types of connections Tilde Friends will make or accept, including whether
+			the app will even accept or make connections at all.
+		</p>
+		<h2>This app is not a service</h2>
+		<p>
+			Tilde Friends is an app. It relies on no servers. The author of this app
+			has no more ability to see or filter what you post or read than any other
+			user of the network.
+		</p>
+		<p>
+			If you believe objectionable content obtained from a service that is
+			running as part of the Secure Scuttlebutt network should be flagged,
+			report it to the operator of the service, generally by contacting the
+			email address listed when visiting the server address in a web browser.
+		</p>
+		<h2>Agreement</h2>
+		<p>
+			If you do not accept these terms, do not use this app. You may close and
+			delete it now.
+		</p>
+		<div class="w3-center w3-margin">
+			<a class="w3-button w3-blue w3-round-large" href="/eula/accept"
+				>Accept Agreement</a
+			>
+		</div>
+	</body>
+</html>
--- a/core/http.js
+++ b/core/http.js
@@ -1,121 +0,0 @@
-/**
- * \file
- * \defgroup tfhttp Tilde Friends HTTP Client JS
- * Tilde Friends server-side HTTP client.
- * @{
- */
-
-/**
- * Parse a URL into protocol, host, path, and port parts.
- * @param url
- * @return An object of the URL parts.
- */
-function parseUrl(url) {
-	// XXX: Hack.
-	let match = url.match(new RegExp('(\\w+)://([^/:]+)(?::(\\d+))?(.*)'));
-	return {
-		protocol: match[1],
-		host: match[2],
-		path: match[4],
-		port: match[3] ? parseInt(match[3]) : match[1] == 'http' ? 80 : 443,
-	};
-}
-
-/**
- * Parse an HTTP response into headers and body content.
- * @param data The response data, headers and body included.
- * @return headers and body data.
- */
-function parseResponse(data) {
-	let firstLine;
-	let headers = {};
-	while (true) {
-		let endLine = data.indexOf('\r\n');
-		let line = data.substring(0, endLine);
-		data = data.substring(endLine + 2);
-		if (!line.length) {
-			break;
-		} else if (!firstLine) {
-			firstLine = line;
-		} else {
-			let colon = line.indexOf(':');
-			headers[line.substring(colon)] = line.substring(colon + 1);
-		}
-	}
-	return {headers: headers, body: data};
-}
-
-/**
- * Make an HTTP request.
- * @param url The URL.
- * @param options Request options.
- * @param allowed_hosts List of allowed hosts.
- * @return A promise resolved with the response headers and body.
- */
-export function fetch(url, options, allowed_hosts) {
-	let parsed = parseUrl(url);
-	return new Promise(function (resolve, reject) {
-		if ((allowed_hosts ?? []).indexOf(parsed.host) == -1) {
-			throw new Error(`fetch() request to host ${parsed.host} is not allowed.`);
-		}
-		let socket = new Socket();
-		let buffer = new Uint8Array(0);
-
-		return socket
-			.connect(parsed.host, parsed.port)
-			.then(function () {
-				socket.read(function (data) {
-					if (data && data.length) {
-						let newBuffer = new Uint8Array(buffer.length + data.length);
-						newBuffer.set(buffer, 0);
-						newBuffer.set(data, buffer.length);
-						buffer = newBuffer;
-					} else {
-						let result = parseHttpResponse(buffer);
-						if (!result) {
-							reject(new Exception('Parse failed.'));
-						}
-						if (typeof result == 'number') {
-							if (result == -2) {
-								reject('Incomplete request.');
-							} else {
-								reject('Bad request.');
-							}
-						} else if (typeof result == 'object') {
-							resolve({
-								body: buffer.slice(result.bytes_parsed),
-								status: result.status,
-								message: result.message,
-								headers: result.headers,
-							});
-						} else {
-							reject(new Exception('Unexpected parse result.'));
-						}
-						resolve(parseResponse(utf8Decode(buffer)));
-					}
-				});
-
-				if (parsed.port == 443) {
-					return socket.startTls();
-				}
-			})
-			.then(function () {
-				let body =
-					typeof options?.body == 'string'
-						? utf8Encode(options.body)
-						: options.body || new Uint8Array(0);
-				let headers = utf8Encode(
-					`${options?.method ?? 'GET'} ${parsed.path} HTTP/1.0\r\nHost: ${parsed.host}\r\nConnection: close\r\nContent-Length: ${body.length}\r\n\r\n`
-				);
-				let fullRequest = new Uint8Array(headers.length + body.length);
-				fullRequest.set(headers, 0);
-				fullRequest.set(body, headers.length);
-				socket.write(fullRequest);
-			})
-			.catch(function (error) {
-				reject(error);
-			});
-	});
-}
-
-/** @} */
--- a/core/index.html
+++ b/core/index.html
@@ -5,7 +5,10 @@
 		<link type="text/css" rel="stylesheet" href="/static/style.css" />
 		<link type="text/css" rel="stylesheet" href="/static/w3.css" />
 		<link type="image/svg+xml" rel="icon" href="/static/tildefriends.svg" />
-		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		<meta
+			name="viewport"
+			content="width=device-width, initial-scale=1, maximum-scale=1"
+		/>
 		<meta
 			name="title"
 			content="Tilde Friends - Make friends and apps from your web browser."
--- a/core/style.css
+++ b/core/style.css
@@ -152,4 +152,5 @@ body {
 	border-bottom: 4px solid #fff;
 	padding: 1em;
 	margin: 0 auto;
+	max-width: 80%;
 }
--- a/deps/codemirror/cm6.js
+++ b/deps/codemirror/cm6.js
--- a/deps/codemirror_src/package-lock.json
+++ b/deps/codemirror_src/package-lock.json
@@ -19,9 +19,9 @@
      }
    },
    "node_modules/@codemirror/autocomplete": {
-      "version": "6.18.7",
-      "resolved": "https://registry.npmjs.org/@codemirror/autocomplete/-/autocomplete-6.18.7.tgz",
-      "integrity": "sha512-8EzdeIoWPJDsMBwz3zdzwXnUpCzMiCyz5/A3FIPpriaclFCGDkAzK13sMcnsu5rowqiyeQN2Vs2TsOcoDPZirQ==",
+      "version": "6.20.0",
+      "resolved": "https://registry.npmjs.org/@codemirror/autocomplete/-/autocomplete-6.20.0.tgz",
+      "integrity": "sha512-bOwvTOIJcG5FVo5gUUupiwYh8MioPLQ4UcqbcRf7UQ98X90tCa9E1kZ3Z7tqwpZxYyOvh1YTYbmZE9RTfTp5hg==",
      "license": "MIT",
      "dependencies": {
        "@codemirror/language": "^6.0.0",
@@ -31,9 +31,9 @@
      }
    },
    "node_modules/@codemirror/commands": {
-      "version": "6.8.1",
-      "resolved": "https://registry.npmjs.org/@codemirror/commands/-/commands-6.8.1.tgz",
-      "integrity": "sha512-KlGVYufHMQzxbdQONiLyGQDUW0itrLZwq3CcY7xpv9ZLRHqzkBSoteocBHtMCoY7/Ci4xhzSrToIeLg7FxHuaw==",
+      "version": "6.10.0",
+      "resolved": "https://registry.npmjs.org/@codemirror/commands/-/commands-6.10.0.tgz",
+      "integrity": "sha512-2xUIc5mHXQzT16JnyOFkh8PvfeXuIut3pslWGfsGOhxP/lpgRm9HOl/mpzLErgt5mXDovqA0d11P21gofRLb9w==",
      "license": "MIT",
      "dependencies": {
        "@codemirror/language": "^6.0.0",
@@ -56,9 +56,9 @@
      }
    },
    "node_modules/@codemirror/lang-html": {
-      "version": "6.4.10",
-      "resolved": "https://registry.npmjs.org/@codemirror/lang-html/-/lang-html-6.4.10.tgz",
-      "integrity": "sha512-h/SceTVsN5r+WE+TVP2g3KDvNoSzbSrtZXCKo4vkKdbfT5t4otuVgngGdFukOO/rwRD2++pCxoh6xD4TEVMkQA==",
+      "version": "6.4.11",
+      "resolved": "https://registry.npmjs.org/@codemirror/lang-html/-/lang-html-6.4.11.tgz",
+      "integrity": "sha512-9NsXp7Nwp891pQchI7gPdTwBuSuT3K65NGTHWHNJ55HjYcHLllr0rbIZNdOzas9ztc1EUVBlHou85FFZS4BNnw==",
      "license": "MIT",
      "dependencies": {
        "@codemirror/autocomplete": "^6.0.0",
@@ -69,7 +69,7 @@
        "@codemirror/view": "^6.17.0",
        "@lezer/common": "^1.0.0",
        "@lezer/css": "^1.1.0",
-        "@lezer/html": "^1.3.0"
+        "@lezer/html": "^1.3.12"
      }
    },
    "node_modules/@codemirror/lang-javascript": {
@@ -112,9 +112,9 @@
      }
    },
    "node_modules/@codemirror/lint": {
-      "version": "6.8.5",
-      "resolved": "https://registry.npmjs.org/@codemirror/lint/-/lint-6.8.5.tgz",
-      "integrity": "sha512-s3n3KisH7dx3vsoeGMxsbRAgKe4O1vbrnKBClm99PU0fWxmxsx5rR2PfqQgIt+2MMJBHbiJ5rfIdLYfB9NNvsA==",
+      "version": "6.9.2",
+      "resolved": "https://registry.npmjs.org/@codemirror/lint/-/lint-6.9.2.tgz",
+      "integrity": "sha512-sv3DylBiIyi+xKwRCJAAsBZZZWo82shJ/RTMymLabAdtbkV5cSKwWDeCgtUq3v8flTaXS2y1kKkICuRYtUswyQ==",
      "license": "MIT",
      "dependencies": {
        "@codemirror/state": "^6.0.0",
@@ -155,9 +155,9 @@
      }
    },
    "node_modules/@codemirror/view": {
-      "version": "6.38.3",
-      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.38.3.tgz",
-      "integrity": "sha512-x2t87+oqwB1mduiQZ6huIghjMt4uZKFEdj66IcXw7+a5iBEvv9lh7EWDRHI7crnD4BMGpnyq/RzmCGbiEZLcvQ==",
+      "version": "6.38.8",
+      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.38.8.tgz",
+      "integrity": "sha512-XcE9fcnkHCbWkjeKyi0lllwXmBLtyYb5dt89dJyx23I9+LSh5vZDIuk7OLG4VM1lgrXZQcY6cxyZyk5WVPRv/A==",
      "license": "MIT",
      "dependencies": {
        "@codemirror/state": "^6.5.0",
@@ -217,9 +217,9 @@
      }
    },
    "node_modules/@lezer/common": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/@lezer/common/-/common-1.2.3.tgz",
-      "integrity": "sha512-w7ojc8ejBqr2REPsWxJjrMFsA/ysDCFICn8zEOR9mrqzOu2amhITYuLD8ag6XZf0CFXDrhKqw7+tW8cX66NaDA==",
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@lezer/common/-/common-1.3.0.tgz",
+      "integrity": "sha512-L9X8uHCYU310o99L3/MpJKYxPzXPOS7S0NmBaM7UO/x2Kb2WbmMLSkfvdr1KxRIFYOpbY0Jhn7CfLSUDzL8arQ==",
      "license": "MIT"
    },
    "node_modules/@lezer/css": {
@@ -234,18 +234,18 @@
      }
    },
    "node_modules/@lezer/highlight": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/@lezer/highlight/-/highlight-1.2.1.tgz",
-      "integrity": "sha512-Z5duk4RN/3zuVO7Jq0pGLJ3qynpxUVsh7IbUbGj88+uV2ApSAn6kWg2au3iJb+0Zi7kKtqffIESgNcRXWZWmSA==",
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@lezer/highlight/-/highlight-1.2.3.tgz",
+      "integrity": "sha512-qXdH7UqTvGfdVBINrgKhDsVTJTxactNNxLk7+UMwZhU13lMHaOBlJe9Vqp907ya56Y3+ed2tlqzys7jDkTmW0g==",
      "license": "MIT",
      "dependencies": {
-        "@lezer/common": "^1.0.0"
+        "@lezer/common": "^1.3.0"
      }
    },
    "node_modules/@lezer/html": {
-      "version": "1.3.10",
-      "resolved": "https://registry.npmjs.org/@lezer/html/-/html-1.3.10.tgz",
-      "integrity": "sha512-dqpT8nISx/p9Do3AchvYGV3qYc4/rKr3IBZxlHmpIKam56P47RSHkSF5f13Vu9hebS1jM0HmtJIwLbWz1VIY6w==",
+      "version": "1.3.12",
+      "resolved": "https://registry.npmjs.org/@lezer/html/-/html-1.3.12.tgz",
+      "integrity": "sha512-RJ7eRWdaJe3bsiiLLHjCFT1JMk8m1YP9kaUbvu2rMLEoOnke9mcTVDyfOslsln0LtujdWespjJ39w6zo+RsQYw==",
      "license": "MIT",
      "dependencies": {
        "@lezer/common": "^1.2.0",
@@ -276,9 +276,9 @@
      }
    },
    "node_modules/@lezer/lr": {
-      "version": "1.4.2",
-      "resolved": "https://registry.npmjs.org/@lezer/lr/-/lr-1.4.2.tgz",
-      "integrity": "sha512-pu0K1jCIdnQ12aWNaAVU5bzi7Bd1w54J3ECgANPmYLtQKP0HBj2cE/5coBD66MT10xbtIuUr7tg0Shbsvk0mDA==",
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/@lezer/lr/-/lr-1.4.3.tgz",
+      "integrity": "sha512-yenN5SqAxAPv/qMnpWW0AT7l+SxVrgG+u0tNsRQWqbrz66HIl8DnEbBObvy21J5K7+I1v7gsAnlE2VQ5yYVSeA==",
      "license": "MIT",
      "dependencies": {
        "@lezer/common": "^1.0.0"
@@ -360,9 +360,9 @@
      }
    },
    "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.52.2.tgz",
-      "integrity": "sha512-o3pcKzJgSGt4d74lSZ+OCnHwkKBeAbFDmbEm5gg70eA8VkyCuC/zV9TwBnmw6VjDlRdF4Pshfb+WE9E6XY1PoQ==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.53.3.tgz",
+      "integrity": "sha512-mRSi+4cBjrRLoaal2PnqH82Wqyb+d3HsPUN/W+WslCXsZsyHa9ZeQQX/pQsZaVIWDkPcpV6jJ+3KLbTbgnwv8w==",
      "cpu": [
        "arm"
      ],
@@ -373,9 +373,9 @@
      ]
    },
    "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.52.2.tgz",
-      "integrity": "sha512-cqFSWO5tX2vhC9hJTK8WAiPIm4Q8q/cU8j2HQA0L3E1uXvBYbOZMhE2oFL8n2pKB5sOCHY6bBuHaRwG7TkfJyw==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.53.3.tgz",
+      "integrity": "sha512-CbDGaMpdE9sh7sCmTrTUyllhrg65t6SwhjlMJsLr+J8YjFuPmCEjbBSx4Z/e4SmDyH3aB5hGaJUP2ltV/vcs4w==",
      "cpu": [
        "arm64"
      ],
@@ -386,9 +386,9 @@
      ]
    },
    "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.52.2.tgz",
-      "integrity": "sha512-vngduywkkv8Fkh3wIZf5nFPXzWsNsVu1kvtLETWxTFf/5opZmflgVSeLgdHR56RQh71xhPhWoOkEBvbehwTlVA==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.53.3.tgz",
+      "integrity": "sha512-Nr7SlQeqIBpOV6BHHGZgYBuSdanCXuw09hon14MGOLGmXAFYjx1wNvquVPmpZnl0tLjg25dEdr4IQ6GgyToCUA==",
      "cpu": [
        "arm64"
      ],
@@ -399,9 +399,9 @@
      ]
    },
    "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.52.2.tgz",
-      "integrity": "sha512-h11KikYrUCYTrDj6h939hhMNlqU2fo/X4NB0OZcys3fya49o1hmFaczAiJWVAFgrM1NCP6RrO7lQKeVYSKBPSQ==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.53.3.tgz",
+      "integrity": "sha512-DZ8N4CSNfl965CmPktJ8oBnfYr3F8dTTNBQkRlffnUarJ2ohudQD17sZBa097J8xhQ26AwhHJ5mvUyQW8ddTsQ==",
      "cpu": [
        "x64"
      ],
@@ -412,9 +412,9 @@
      ]
    },
    "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.52.2.tgz",
-      "integrity": "sha512-/eg4CI61ZUkLXxMHyVlmlGrSQZ34xqWlZNW43IAU4RmdzWEx0mQJ2mN/Cx4IHLVZFL6UBGAh+/GXhgvGb+nVxw==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.53.3.tgz",
+      "integrity": "sha512-yMTrCrK92aGyi7GuDNtGn2sNW+Gdb4vErx4t3Gv/Tr+1zRb8ax4z8GWVRfr3Jw8zJWvpGHNpss3vVlbF58DZ4w==",
      "cpu": [
        "arm64"
      ],
@@ -425,9 +425,9 @@
      ]
    },
    "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.52.2.tgz",
-      "integrity": "sha512-QOWgFH5X9+p+S1NAfOqc0z8qEpJIoUHf7OWjNUGOeW18Mx22lAUOiA9b6r2/vpzLdfxi/f+VWsYjUOMCcYh0Ng==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.53.3.tgz",
+      "integrity": "sha512-lMfF8X7QhdQzseM6XaX0vbno2m3hlyZFhwcndRMw8fbAGUGL3WFMBdK0hbUBIUYcEcMhVLr1SIamDeuLBnXS+Q==",
      "cpu": [
        "x64"
      ],
@@ -438,9 +438,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.52.2.tgz",
-      "integrity": "sha512-kDWSPafToDd8LcBYd1t5jw7bD5Ojcu12S3uT372e5HKPzQt532vW+rGFFOaiR0opxePyUkHrwz8iWYEyH1IIQA==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.53.3.tgz",
+      "integrity": "sha512-k9oD15soC/Ln6d2Wv/JOFPzZXIAIFLp6B+i14KhxAfnq76ajt0EhYc5YPeX6W1xJkAdItcVT+JhKl1QZh44/qw==",
      "cpu": [
        "arm"
      ],
@@ -451,9 +451,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.52.2.tgz",
-      "integrity": "sha512-gKm7Mk9wCv6/rkzwCiUC4KnevYhlf8ztBrDRT9g/u//1fZLapSRc+eDZj2Eu2wpJ+0RzUKgtNijnVIB4ZxyL+w==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.53.3.tgz",
+      "integrity": "sha512-vTNlKq+N6CK/8UktsrFuc+/7NlEYVxgaEgRXVUVK258Z5ymho29skzW1sutgYjqNnquGwVUObAaxae8rZ6YMhg==",
      "cpu": [
        "arm"
      ],
@@ -464,9 +464,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.52.2.tgz",
-      "integrity": "sha512-66lA8vnj5mB/rtDNwPgrrKUOtCLVQypkyDa2gMfOefXK6rcZAxKLO9Fy3GkW8VkPnENv9hBkNOFfGLf6rNKGUg==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.53.3.tgz",
+      "integrity": "sha512-RGrFLWgMhSxRs/EWJMIFM1O5Mzuz3Xy3/mnxJp/5cVhZ2XoCAxJnmNsEyeMJtpK+wu0FJFWz+QF4mjCA7AUQ3w==",
      "cpu": [
        "arm64"
      ],
@@ -477,9 +477,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.52.2.tgz",
-      "integrity": "sha512-s+OPucLNdJHvuZHuIz2WwncJ+SfWHFEmlC5nKMUgAelUeBUnlB4wt7rXWiyG4Zn07uY2Dd+SGyVa9oyLkVGOjA==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.53.3.tgz",
+      "integrity": "sha512-kASyvfBEWYPEwe0Qv4nfu6pNkITLTb32p4yTgzFCocHnJLAHs+9LjUu9ONIhvfT/5lv4YS5muBHyuV84epBo/A==",
      "cpu": [
        "arm64"
      ],
@@ -490,9 +490,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.52.2.tgz",
-      "integrity": "sha512-8wTRM3+gVMDLLDdaT6tKmOE3lJyRy9NpJUS/ZRWmLCmOPIJhVyXwjBo+XbrrwtV33Em1/eCTd5TuGJm4+DmYjw==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.53.3.tgz",
+      "integrity": "sha512-JiuKcp2teLJwQ7vkJ95EwESWkNRFJD7TQgYmCnrPtlu50b4XvT5MOmurWNrCj3IFdyjBQ5p9vnrX4JM6I8OE7g==",
      "cpu": [
        "loong64"
      ],
@@ -503,9 +503,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.52.2.tgz",
-      "integrity": "sha512-6yqEfgJ1anIeuP2P/zhtfBlDpXUb80t8DpbYwXQ3bQd95JMvUaqiX+fKqYqUwZXqdJDd8xdilNtsHM2N0cFm6A==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.53.3.tgz",
+      "integrity": "sha512-EoGSa8nd6d3T7zLuqdojxC20oBfNT8nexBbB/rkxgKj5T5vhpAQKKnD+h3UkoMuTyXkP5jTjK/ccNRmQrPNDuw==",
      "cpu": [
        "ppc64"
      ],
@@ -516,9 +516,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.52.2.tgz",
-      "integrity": "sha512-sshYUiYVSEI2B6dp4jMncwxbrUqRdNApF2c3bhtLAU0qA8Lrri0p0NauOsTWh3yCCCDyBOjESHMExonp7Nzc0w==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.53.3.tgz",
+      "integrity": "sha512-4s+Wped2IHXHPnAEbIB0YWBv7SDohqxobiiPA1FIWZpX+w9o2i4LezzH/NkFUl8LRci/8udci6cLq+jJQlh+0g==",
      "cpu": [
        "riscv64"
      ],
@@ -529,9 +529,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.52.2.tgz",
-      "integrity": "sha512-duBLgd+3pqC4MMwBrKkFxaZerUxZcYApQVC5SdbF5/e/589GwVvlRUnyqMFbM8iUSb1BaoX/3fRL7hB9m2Pj8Q==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.53.3.tgz",
+      "integrity": "sha512-68k2g7+0vs2u9CxDt5ktXTngsxOQkSEV/xBbwlqYcUrAVh6P9EgMZvFsnHy4SEiUl46Xf0IObWVbMvPrr2gw8A==",
      "cpu": [
        "riscv64"
      ],
@@ -542,9 +542,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.52.2.tgz",
-      "integrity": "sha512-tzhYJJidDUVGMgVyE+PmxENPHlvvqm1KILjjZhB8/xHYqAGeizh3GBGf9u6WdJpZrz1aCpIIHG0LgJgH9rVjHQ==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.53.3.tgz",
+      "integrity": "sha512-VYsFMpULAz87ZW6BVYw3I6sWesGpsP9OPcyKe8ofdg9LHxSbRMd7zrVrr5xi/3kMZtpWL/wC+UIJWJYVX5uTKg==",
      "cpu": [
        "s390x"
      ],
@@ -555,9 +555,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.52.2.tgz",
-      "integrity": "sha512-opH8GSUuVcCSSyHHcl5hELrmnk4waZoVpgn/4FDao9iyE4WpQhyWJ5ryl5M3ocp4qkRuHfyXnGqg8M9oKCEKRA==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.53.3.tgz",
+      "integrity": "sha512-3EhFi1FU6YL8HTUJZ51imGJWEX//ajQPfqWLI3BQq4TlvHy4X0MOr5q3D2Zof/ka0d5FNdPwZXm3Yyib/UEd+w==",
      "cpu": [
        "x64"
      ],
@@ -568,9 +568,9 @@
      ]
    },
    "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.52.2.tgz",
-      "integrity": "sha512-LSeBHnGli1pPKVJ79ZVJgeZWWZXkEe/5o8kcn23M8eMKCUANejchJbF/JqzM4RRjOJfNRhKJk8FuqL1GKjF5oQ==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.53.3.tgz",
+      "integrity": "sha512-eoROhjcc6HbZCJr+tvVT8X4fW3/5g/WkGvvmwz/88sDtSJzO7r/blvoBDgISDiCjDRZmHpwud7h+6Q9JxFwq1Q==",
      "cpu": [
        "x64"
      ],
@@ -581,9 +581,9 @@
      ]
    },
    "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.52.2.tgz",
-      "integrity": "sha512-uPj7MQ6/s+/GOpolavm6BPo+6CbhbKYyZHUDvZ/SmJM7pfDBgdGisFX3bY/CBDMg2ZO4utfhlApkSfZ92yXw7Q==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.53.3.tgz",
+      "integrity": "sha512-OueLAWgrNSPGAdUdIjSWXw+u/02BRTcnfw9PN41D2vq/JSEPnJnVuBgw18VkN8wcd4fjUs+jFHVM4t9+kBSNLw==",
      "cpu": [
        "arm64"
      ],
@@ -594,9 +594,9 @@
      ]
    },
    "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.52.2.tgz",
-      "integrity": "sha512-Z9MUCrSgIaUeeHAiNkm3cQyst2UhzjPraR3gYYfOjAuZI7tcFRTOD+4cHLPoS/3qinchth+V56vtqz1Tv+6KPA==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.53.3.tgz",
+      "integrity": "sha512-GOFuKpsxR/whszbF/bzydebLiXIHSgsEUp6M0JI8dWvi+fFa1TD6YQa4aSZHtpmh2/uAlj/Dy+nmby3TJ3pkTw==",
      "cpu": [
        "arm64"
      ],
@@ -607,9 +607,9 @@
      ]
    },
    "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.52.2.tgz",
-      "integrity": "sha512-+GnYBmpjldD3XQd+HMejo+0gJGwYIOfFeoBQv32xF/RUIvccUz20/V6Otdv+57NE70D5pa8W/jVGDoGq0oON4A==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.53.3.tgz",
+      "integrity": "sha512-iah+THLcBJdpfZ1TstDFbKNznlzoxa8fmnFYK4V67HvmuNYkVdAywJSoteUszvBQ9/HqN2+9AZghbajMsFT+oA==",
      "cpu": [
        "ia32"
      ],
@@ -620,9 +620,9 @@
      ]
    },
    "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.52.2.tgz",
-      "integrity": "sha512-ApXFKluSB6kDQkAqZOKXBjiaqdF1BlKi+/eqnYe9Ee7U2K3pUDKsIyr8EYm/QDHTJIM+4X+lI0gJc3TTRhd+dA==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.53.3.tgz",
+      "integrity": "sha512-J9QDiOIZlZLdcot5NXEepDkstocktoVjkaKUtqzgzpt2yWjGlbYiKyp05rWwk4nypbYUNoFAztEgixoLaSETkg==",
      "cpu": [
        "x64"
      ],
@@ -633,9 +633,9 @@
      ]
    },
    "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.52.2.tgz",
-      "integrity": "sha512-ARz+Bs8kY6FtitYM96PqPEVvPXqEZmPZsSkXvyX19YzDqkCaIlhCieLLMI5hxO9SRZ2XtCtm8wxhy0iJ2jxNfw==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.53.3.tgz",
+      "integrity": "sha512-UhTd8u31dXadv0MopwGgNOBpUVROFKWVQgAg5N1ESyCz8AuBcMqm4AuTjrwgQKGDfoFuz02EuMRHQIw/frmYKQ==",
      "cpu": [
        "x64"
      ],
@@ -805,12 +805,12 @@
      }
    },
    "node_modules/resolve": {
-      "version": "1.22.10",
-      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz",
-      "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==",
+      "version": "1.22.11",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz",
+      "integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==",
      "license": "MIT",
      "dependencies": {
-        "is-core-module": "^2.16.0",
+        "is-core-module": "^2.16.1",
        "path-parse": "^1.0.7",
        "supports-preserve-symlinks-flag": "^1.0.0"
      },
@@ -825,9 +825,9 @@
      }
    },
    "node_modules/rollup": {
-      "version": "4.52.2",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.52.2.tgz",
-      "integrity": "sha512-I25/2QgoROE1vYV+NQ1En9T9UFB9Cmfm2CJ83zZOlaDpvz29wGQSZXWKw7MiNXau7wYgB/T9fVIdIuEQ+KbiiA==",
+      "version": "4.53.3",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.53.3.tgz",
+      "integrity": "sha512-w8GmOxZfBmKknvdXU1sdM9NHcoQejwF/4mNgj2JuEEdRaHwwF12K7e9eXn1nLZ07ad+du76mkVsyeb2rKGllsA==",
      "license": "MIT",
      "dependencies": {
        "@types/estree": "1.0.8"
@@ -840,28 +840,28 @@
        "npm": ">=8.0.0"
      },
      "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.52.2",
-        "@rollup/rollup-android-arm64": "4.52.2",
-        "@rollup/rollup-darwin-arm64": "4.52.2",
-        "@rollup/rollup-darwin-x64": "4.52.2",
-        "@rollup/rollup-freebsd-arm64": "4.52.2",
-        "@rollup/rollup-freebsd-x64": "4.52.2",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.52.2",
-        "@rollup/rollup-linux-arm-musleabihf": "4.52.2",
-        "@rollup/rollup-linux-arm64-gnu": "4.52.2",
-        "@rollup/rollup-linux-arm64-musl": "4.52.2",
-        "@rollup/rollup-linux-loong64-gnu": "4.52.2",
-        "@rollup/rollup-linux-ppc64-gnu": "4.52.2",
-        "@rollup/rollup-linux-riscv64-gnu": "4.52.2",
-        "@rollup/rollup-linux-riscv64-musl": "4.52.2",
-        "@rollup/rollup-linux-s390x-gnu": "4.52.2",
-        "@rollup/rollup-linux-x64-gnu": "4.52.2",
-        "@rollup/rollup-linux-x64-musl": "4.52.2",
-        "@rollup/rollup-openharmony-arm64": "4.52.2",
-        "@rollup/rollup-win32-arm64-msvc": "4.52.2",
-        "@rollup/rollup-win32-ia32-msvc": "4.52.2",
-        "@rollup/rollup-win32-x64-gnu": "4.52.2",
-        "@rollup/rollup-win32-x64-msvc": "4.52.2",
+        "@rollup/rollup-android-arm-eabi": "4.53.3",
+        "@rollup/rollup-android-arm64": "4.53.3",
+        "@rollup/rollup-darwin-arm64": "4.53.3",
+        "@rollup/rollup-darwin-x64": "4.53.3",
+        "@rollup/rollup-freebsd-arm64": "4.53.3",
+        "@rollup/rollup-freebsd-x64": "4.53.3",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.53.3",
+        "@rollup/rollup-linux-arm-musleabihf": "4.53.3",
+        "@rollup/rollup-linux-arm64-gnu": "4.53.3",
+        "@rollup/rollup-linux-arm64-musl": "4.53.3",
+        "@rollup/rollup-linux-loong64-gnu": "4.53.3",
+        "@rollup/rollup-linux-ppc64-gnu": "4.53.3",
+        "@rollup/rollup-linux-riscv64-gnu": "4.53.3",
+        "@rollup/rollup-linux-riscv64-musl": "4.53.3",
+        "@rollup/rollup-linux-s390x-gnu": "4.53.3",
+        "@rollup/rollup-linux-x64-gnu": "4.53.3",
+        "@rollup/rollup-linux-x64-musl": "4.53.3",
+        "@rollup/rollup-openharmony-arm64": "4.53.3",
+        "@rollup/rollup-win32-arm64-msvc": "4.53.3",
+        "@rollup/rollup-win32-ia32-msvc": "4.53.3",
+        "@rollup/rollup-win32-x64-gnu": "4.53.3",
+        "@rollup/rollup-win32-x64-msvc": "4.53.3",
        "fsevents": "~2.3.2"
      }
    },
@@ -925,9 +925,9 @@
      }
    },
    "node_modules/style-mod": {
-      "version": "4.1.2",
-      "resolved": "https://registry.npmjs.org/style-mod/-/style-mod-4.1.2.tgz",
-      "integrity": "sha512-wnD1HyVqpJUI2+eKZ+eo1UwghftP6yuFheBqqe+bWCotBjC2K1YnteJILRMs3SM4V/0dLEW1SC27MWP5y+mwmw==",
+      "version": "4.1.3",
+      "resolved": "https://registry.npmjs.org/style-mod/-/style-mod-4.1.3.tgz",
+      "integrity": "sha512-i/n8VsZydrugj3Iuzll8+x/00GH2vnYsk1eomD8QiRrSAeW6ItbCQDtfXCeJHd0iwiNagqjQkvpvREEPtW3IoQ==",
      "license": "MIT"
    },
    "node_modules/supports-preserve-symlinks-flag": {
@@ -943,9 +943,9 @@
      }
    },
    "node_modules/terser": {
-      "version": "5.44.0",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.44.0.tgz",
-      "integrity": "sha512-nIVck8DK+GM/0Frwd+nIhZ84pR/BX7rmXMfYwyg+Sri5oGVE99/E3KvXqpC2xHFxyqXyGHTKBSioxxplrO4I4w==",
+      "version": "5.44.1",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.44.1.tgz",
+      "integrity": "sha512-t/R3R/n0MSwnnazuPpPNVO60LX0SKL45pyl9YlvxIdkH0Of7D5qM2EVe+yASRIlY5pZ73nclYJfNANGWPwFDZw==",
      "dev": true,
      "license": "BSD-2-Clause",
      "dependencies": {
--- a/deps/libbacktrace
+++ b/deps/libbacktrace
--- a/deps/openssl_src
+++ b/deps/openssl_src
--- a/deps/speedscope/release.txt
+++ b/deps/speedscope/release.txt
@@ -1,3 +0,0 @@
-speedscope@1.23.1
-Mon Aug 11 11:43:09 PDT 2025
-0cec0f82c334aed6cf19d43cabeadcda0d95e0fc
--- a/deps/sqlite/shell.c
+++ b/deps/sqlite/shell.c
--- a/deps/sqlite/sqlite3.c
+++ b/deps/sqlite/sqlite3.c
--- a/deps/sqlite/sqlite3.h
+++ b/deps/sqlite/sqlite3.h
@@ -146,9 +146,12 @@ extern "C" {
 ** [sqlite3_libversion_number()], [sqlite3_sourceid()],
 ** [sqlite_version()] and [sqlite_source_id()].
 */
-#define SQLITE_VERSION        "3.50.4"
-#define SQLITE_VERSION_NUMBER 3050004
-#define SQLITE_SOURCE_ID      "2025-07-30 19:33:53 4d8adfb30e03f9cf27f800a2c1ba3c48fb4ca1b08b0f5ed59a4d5ecbf45e20a3"
+#define SQLITE_VERSION        "3.51.0"
+#define SQLITE_VERSION_NUMBER 3051000
+#define SQLITE_SOURCE_ID      "2025-11-04 19:38:17 fb2c931ae597f8d00a37574ff67aeed3eced4e5547f9120744ae4bfa8e74527b"
+#define SQLITE_SCM_BRANCH     "trunk"
+#define SQLITE_SCM_TAGS       "release major-release version-3.51.0"
+#define SQLITE_SCM_DATETIME   "2025-11-04T19:38:17.314Z"

 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -168,9 +171,9 @@ extern "C" {
 ** assert( strcmp(sqlite3_libversion(),SQLITE_VERSION)==0 );
 ** </pre></blockquote>)^
 **
-** ^The sqlite3_version[] string constant contains the text of [SQLITE_VERSION]
-** macro.  ^The sqlite3_libversion() function returns a pointer to the
-** to the sqlite3_version[] string constant.  The sqlite3_libversion()
+** ^The sqlite3_version[] string constant contains the text of the
+** [SQLITE_VERSION] macro.  ^The sqlite3_libversion() function returns a
+** pointer to the sqlite3_version[] string constant.  The sqlite3_libversion()
 ** function is provided for use in DLLs since DLL users usually do not have
 ** direct access to string constants within the DLL.  ^The
 ** sqlite3_libversion_number() function returns an integer equal to
@@ -370,7 +373,7 @@ typedef int (*sqlite3_callback)(void*,int,char**, char**);
 ** without having to use a lot of C code.
 **
 ** ^The sqlite3_exec() interface runs zero or more UTF-8 encoded,
-** semicolon-separate SQL statements passed into its 2nd argument,
+** semicolon-separated SQL statements passed into its 2nd argument,
 ** in the context of the [database connection] passed in as its 1st
 ** argument.  ^If the callback function of the 3rd argument to
 ** sqlite3_exec() is not NULL, then it is invoked for each result row
@@ -403,7 +406,7 @@ typedef int (*sqlite3_callback)(void*,int,char**, char**);
 ** result row is NULL then the corresponding string pointer for the
 ** sqlite3_exec() callback is a NULL pointer.  ^The 4th argument to the
 ** sqlite3_exec() callback is an array of pointers to strings where each
-** entry represents the name of corresponding result column as obtained
+** entry represents the name of a corresponding result column as obtained
 ** from [sqlite3_column_name()].
 **
 ** ^If the 2nd parameter to sqlite3_exec() is a NULL pointer, a pointer
@@ -497,6 +500,9 @@ SQLITE_API int sqlite3_exec(
 #define SQLITE_ERROR_MISSING_COLLSEQ   (SQLITE_ERROR | (1<<8))
 #define SQLITE_ERROR_RETRY             (SQLITE_ERROR | (2<<8))
 #define SQLITE_ERROR_SNAPSHOT          (SQLITE_ERROR | (3<<8))
+#define SQLITE_ERROR_RESERVESIZE       (SQLITE_ERROR | (4<<8))
+#define SQLITE_ERROR_KEY               (SQLITE_ERROR | (5<<8))
+#define SQLITE_ERROR_UNABLE            (SQLITE_ERROR | (6<<8))
 #define SQLITE_IOERR_READ              (SQLITE_IOERR | (1<<8))
 #define SQLITE_IOERR_SHORT_READ        (SQLITE_IOERR | (2<<8))
 #define SQLITE_IOERR_WRITE             (SQLITE_IOERR | (3<<8))
@@ -531,6 +537,8 @@ SQLITE_API int sqlite3_exec(
 #define SQLITE_IOERR_DATA              (SQLITE_IOERR | (32<<8))
 #define SQLITE_IOERR_CORRUPTFS         (SQLITE_IOERR | (33<<8))
 #define SQLITE_IOERR_IN_PAGE           (SQLITE_IOERR | (34<<8))
+#define SQLITE_IOERR_BADKEY            (SQLITE_IOERR | (35<<8))
+#define SQLITE_IOERR_CODEC             (SQLITE_IOERR | (36<<8))
 #define SQLITE_LOCKED_SHAREDCACHE      (SQLITE_LOCKED |  (1<<8))
 #define SQLITE_LOCKED_VTAB             (SQLITE_LOCKED |  (2<<8))
 #define SQLITE_BUSY_RECOVERY           (SQLITE_BUSY   |  (1<<8))
@@ -589,7 +597,7 @@ SQLITE_API int sqlite3_exec(
 ** Note in particular that passing the SQLITE_OPEN_EXCLUSIVE flag into
 ** [sqlite3_open_v2()] does *not* cause the underlying database file
 ** to be opened using O_EXCL.  Passing SQLITE_OPEN_EXCLUSIVE into
-** [sqlite3_open_v2()] has historically be a no-op and might become an
+** [sqlite3_open_v2()] has historically been a no-op and might become an
 ** error in future versions of SQLite.
 */
 #define SQLITE_OPEN_READONLY         0x00000001  /* Ok for sqlite3_open_v2() */
@@ -683,7 +691,7 @@ SQLITE_API int sqlite3_exec(
 ** SQLite uses one of these integer values as the second
 ** argument to calls it makes to the xLock() and xUnlock() methods
 ** of an [sqlite3_io_methods] object.  These values are ordered from
-** lest restrictive to most restrictive.
+** least restrictive to most restrictive.
 **
 ** The argument to xLock() is always SHARED or higher.  The argument to
 ** xUnlock is either SHARED or NONE.
@@ -924,7 +932,7 @@ struct sqlite3_io_methods {
 ** connection.  See also [SQLITE_FCNTL_FILE_POINTER].
 **
 ** <li>[[SQLITE_FCNTL_SYNC_OMITTED]]
-** No longer in use.
+** The SQLITE_FCNTL_SYNC_OMITTED file-control is no longer used.
 **
 ** <li>[[SQLITE_FCNTL_SYNC]]
 ** The [SQLITE_FCNTL_SYNC] opcode is generated internally by SQLite and
@@ -999,7 +1007,7 @@ struct sqlite3_io_methods {
 **
 ** <li>[[SQLITE_FCNTL_VFSNAME]]
 ** ^The [SQLITE_FCNTL_VFSNAME] opcode can be used to obtain the names of
-** all [VFSes] in the VFS stack.  The names are of all VFS shims and the
+** all [VFSes] in the VFS stack.  The names of all VFS shims and the
 ** final bottom-level VFS are written into memory obtained from
 ** [sqlite3_malloc()] and the result is stored in the char* variable
 ** that the fourth parameter of [sqlite3_file_control()] points to.
@@ -1013,7 +1021,7 @@ struct sqlite3_io_methods {
 ** ^The [SQLITE_FCNTL_VFS_POINTER] opcode finds a pointer to the top-level
 ** [VFSes] currently in use.  ^(The argument X in
 ** sqlite3_file_control(db,SQLITE_FCNTL_VFS_POINTER,X) must be
-** of type "[sqlite3_vfs] **".  This opcodes will set *X
+** of type "[sqlite3_vfs] **".  This opcode will set *X
 ** to a pointer to the top-level VFS.)^
 ** ^When there are multiple VFS shims in the stack, this opcode finds the
 ** upper-most shim only.
@@ -1203,7 +1211,7 @@ struct sqlite3_io_methods {
 ** <li>[[SQLITE_FCNTL_EXTERNAL_READER]]
 ** The EXPERIMENTAL [SQLITE_FCNTL_EXTERNAL_READER] opcode is used to detect
 ** whether or not there is a database client in another process with a wal-mode
-** transaction open on the database or not. It is only available on unix.The
+** transaction open on the database or not. It is only available on unix. The
 ** (void*) argument passed with this file-control should be a pointer to a
 ** value of type (int). The integer value is set to 1 if the database is a wal
 ** mode database and there exists at least one client in another process that
@@ -1221,6 +1229,15 @@ struct sqlite3_io_methods {
 ** database is not a temp db, then the [SQLITE_FCNTL_RESET_CACHE] file-control
 ** purges the contents of the in-memory page cache. If there is an open
 ** transaction, or if the db is a temp-db, this opcode is a no-op, not an error.
+**
+** <li>[[SQLITE_FCNTL_FILESTAT]]
+** The [SQLITE_FCNTL_FILESTAT] opcode returns low-level diagnostic information
+** about the [sqlite3_file] objects used access the database and journal files
+** for the given schema.  The fourth parameter to [sqlite3_file_control()]
+** should be an initialized [sqlite3_str] pointer.  JSON text describing
+** various aspects of the sqlite3_file object is appended to the sqlite3_str.
+** The SQLITE_FCNTL_FILESTAT opcode is usually a no-op, unless compile-time
+** options are used to enable it.
 ** </ul>
 */
 #define SQLITE_FCNTL_LOCKSTATE               1
@@ -1266,6 +1283,7 @@ struct sqlite3_io_methods {
 #define SQLITE_FCNTL_RESET_CACHE            42
 #define SQLITE_FCNTL_NULL_IO                43
 #define SQLITE_FCNTL_BLOCK_ON_CONNECT       44
+#define SQLITE_FCNTL_FILESTAT               45

 /* deprecated names */
 #define SQLITE_GET_LOCKPROXYFILE      SQLITE_FCNTL_GET_LOCKPROXYFILE
@@ -1628,7 +1646,7 @@ struct sqlite3_vfs {
 ** SQLite interfaces so that an application usually does not need to
 ** invoke sqlite3_initialize() directly.  For example, [sqlite3_open()]
 ** calls sqlite3_initialize() so the SQLite library will be automatically
-** initialized when [sqlite3_open()] is called if it has not be initialized
+** initialized when [sqlite3_open()] is called if it has not been initialized
 ** already.  ^However, if SQLite is compiled with the [SQLITE_OMIT_AUTOINIT]
 ** compile-time option, then the automatic calls to sqlite3_initialize()
 ** are omitted and the application must call sqlite3_initialize() directly
@@ -1885,21 +1903,21 @@ struct sqlite3_mem_methods {
 ** The [sqlite3_mem_methods]
 ** structure is filled with the currently defined memory allocation routines.)^
 ** This option can be used to overload the default memory allocation
-** routines with a wrapper that simulations memory allocation failure or
+** routines with a wrapper that simulates memory allocation failure or
 ** tracks memory usage, for example. </dd>
 **
 ** [[SQLITE_CONFIG_SMALL_MALLOC]] <dt>SQLITE_CONFIG_SMALL_MALLOC</dt>
-** <dd> ^The SQLITE_CONFIG_SMALL_MALLOC option takes single argument of
+** <dd> ^The SQLITE_CONFIG_SMALL_MALLOC option takes a single argument of
 ** type int, interpreted as a boolean, which if true provides a hint to
 ** SQLite that it should avoid large memory allocations if possible.
 ** SQLite will run faster if it is free to make large memory allocations,
-** but some application might prefer to run slower in exchange for
+** but some applications might prefer to run slower in exchange for
 ** guarantees about memory fragmentation that are possible if large
 ** allocations are avoided.  This hint is normally off.
 ** </dd>
 **
 ** [[SQLITE_CONFIG_MEMSTATUS]] <dt>SQLITE_CONFIG_MEMSTATUS</dt>
-** <dd> ^The SQLITE_CONFIG_MEMSTATUS option takes single argument of type int,
+** <dd> ^The SQLITE_CONFIG_MEMSTATUS option takes a single argument of type int,
 ** interpreted as a boolean, which enables or disables the collection of
 ** memory allocation statistics. ^(When memory allocation statistics are
 ** disabled, the following SQLite interfaces become non-operational:
@@ -1944,7 +1962,7 @@ struct sqlite3_mem_methods {
 ** ^If pMem is NULL and N is non-zero, then each database connection
 ** does an initial bulk allocation for page cache memory
 ** from [sqlite3_malloc()] sufficient for N cache lines if N is positive or
-** of -1024*N bytes if N is negative, . ^If additional
+** of -1024*N bytes if N is negative. ^If additional
 ** page cache memory is needed beyond what is provided by the initial
 ** allocation, then SQLite goes to [sqlite3_malloc()] separately for each
 ** additional cache line. </dd>
@@ -1973,7 +1991,7 @@ struct sqlite3_mem_methods {
 ** <dd> ^(The SQLITE_CONFIG_MUTEX option takes a single argument which is a
 ** pointer to an instance of the [sqlite3_mutex_methods] structure.
 ** The argument specifies alternative low-level mutex routines to be used
-** in place the mutex routines built into SQLite.)^  ^SQLite makes a copy of
+** in place of the mutex routines built into SQLite.)^  ^SQLite makes a copy of
 ** the content of the [sqlite3_mutex_methods] structure before the call to
 ** [sqlite3_config()] returns. ^If SQLite is compiled with
 ** the [SQLITE_THREADSAFE | SQLITE_THREADSAFE=0] compile-time option then
@@ -2015,7 +2033,7 @@ struct sqlite3_mem_methods {
 **
 ** [[SQLITE_CONFIG_GETPCACHE2]] <dt>SQLITE_CONFIG_GETPCACHE2</dt>
 ** <dd> ^(The SQLITE_CONFIG_GETPCACHE2 option takes a single argument which
-** is a pointer to an [sqlite3_pcache_methods2] object.  SQLite copies of
+** is a pointer to an [sqlite3_pcache_methods2] object.  SQLite copies off
 ** the current page cache implementation into that object.)^ </dd>
 **
 ** [[SQLITE_CONFIG_LOG]] <dt>SQLITE_CONFIG_LOG</dt>
@@ -2032,7 +2050,7 @@ struct sqlite3_mem_methods {
 ** the logger function is a copy of the first parameter to the corresponding
 ** [sqlite3_log()] call and is intended to be a [result code] or an
 ** [extended result code].  ^The third parameter passed to the logger is
-** log message after formatting via [sqlite3_snprintf()].
+** a log message after formatting via [sqlite3_snprintf()].
 ** The SQLite logging interface is not reentrant; the logger function
 ** supplied by the application must not invoke any SQLite interface.
 ** In a multi-threaded application, the application-defined logger
@@ -2223,7 +2241,7 @@ struct sqlite3_mem_methods {
 ** These constants are the available integer configuration options that
 ** can be passed as the second parameter to the [sqlite3_db_config()] interface.
 **
-** The [sqlite3_db_config()] interface is a var-args functions.  It takes a
+** The [sqlite3_db_config()] interface is a var-args function.  It takes a
 ** variable number of parameters, though always at least two.  The number of
 ** parameters passed into sqlite3_db_config() depends on which of these
 ** constants is given as the second parameter.  This documentation page
@@ -2335,17 +2353,20 @@ struct sqlite3_mem_methods {
 **
 ** [[SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER]]
 ** <dt>SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER</dt>
-** <dd> ^This option is used to enable or disable the
-** [fts3_tokenizer()] function which is part of the
-** [FTS3] full-text search engine extension.
-** There must be two additional arguments.
-** The first argument is an integer which is 0 to disable fts3_tokenizer() or
-** positive to enable fts3_tokenizer() or negative to leave the setting
-** unchanged.
-** The second parameter is a pointer to an integer into which
-** is written 0 or 1 to indicate whether fts3_tokenizer is disabled or enabled
-** following this call.  The second parameter may be a NULL pointer, in
-** which case the new setting is not reported back. </dd>
+** <dd> ^This option is used to enable or disable using the
+** [fts3_tokenizer()] function - part of the [FTS3] full-text search engine
+** extension - without using bound parameters as the parameters. Doing so
+** is disabled by default. There must be two additional arguments. The first
+** argument is an integer. If it is passed 0, then using fts3_tokenizer()
+** without bound parameters is disabled. If it is passed a positive value,
+** then calling fts3_tokenizer without bound parameters is enabled. If it
+** is passed a negative value, this setting is not modified - this can be
+** used to query for the current setting. The second parameter is a pointer
+** to an integer into which is written 0 or 1 to indicate the current value
+** of this setting (after it is modified, if applicable).  The second
+** parameter may be a NULL pointer, in which case the value of the setting
+** is not reported back. Refer to [FTS3] documentation for further details.
+** </dd>
 **
 ** [[SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION]]
 ** <dt>SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION</dt>
@@ -2357,8 +2378,8 @@ struct sqlite3_mem_methods {
 ** When the first argument to this interface is 1, then only the C-API is
 ** enabled and the SQL function remains disabled.  If the first argument to
 ** this interface is 0, then both the C-API and the SQL function are disabled.
-** If the first argument is -1, then no changes are made to state of either the
-** C-API or the SQL function.
+** If the first argument is -1, then no changes are made to the state of either
+** the C-API or the SQL function.
 ** The second parameter is a pointer to an integer into which
 ** is written 0 or 1 to indicate whether [sqlite3_load_extension()] interface
 ** is disabled or enabled following this call.  The second parameter may
@@ -2476,7 +2497,7 @@ struct sqlite3_mem_methods {
 ** [[SQLITE_DBCONFIG_LEGACY_ALTER_TABLE]]
 ** <dt>SQLITE_DBCONFIG_LEGACY_ALTER_TABLE</dt>
 ** <dd>The SQLITE_DBCONFIG_LEGACY_ALTER_TABLE option activates or deactivates
-** the legacy behavior of the [ALTER TABLE RENAME] command such it
+** the legacy behavior of the [ALTER TABLE RENAME] command such that it
 ** behaves as it did prior to [version 3.24.0] (2018-06-04).  See the
 ** "Compatibility Notice" on the [ALTER TABLE RENAME documentation] for
 ** additional information. This feature can also be turned on and off
@@ -2525,7 +2546,7 @@ struct sqlite3_mem_methods {
 ** <dt>SQLITE_DBCONFIG_LEGACY_FILE_FORMAT</dt>
 ** <dd>The SQLITE_DBCONFIG_LEGACY_FILE_FORMAT option activates or deactivates
 ** the legacy file format flag.  When activated, this flag causes all newly
-** created database file to have a schema format version number (the 4-byte
+** created database files to have a schema format version number (the 4-byte
 ** integer found at offset 44 into the database header) of 1.  This in turn
 ** means that the resulting database file will be readable and writable by
 ** any SQLite version back to 3.0.0 ([dateof:3.0.0]).  Without this setting,
@@ -2552,7 +2573,7 @@ struct sqlite3_mem_methods {
 ** the database handle both when the SQL statement is prepared and when it
 ** is stepped. The flag is set (collection of statistics is enabled)
 ** by default. <p>This option takes two arguments: an integer and a pointer to
-** an integer..  The first argument is 1, 0, or -1 to enable, disable, or
+** an integer.  The first argument is 1, 0, or -1 to enable, disable, or
 ** leave unchanged the statement scanstatus option.  If the second argument
 ** is not NULL, then the value of the statement scanstatus setting after
 ** processing the first argument is written into the integer that the second
@@ -2595,8 +2616,8 @@ struct sqlite3_mem_methods {
 ** <dd>The SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE option enables or disables the
 ** ability of the [ATTACH DATABASE] SQL command to open a database for writing.
 ** This capability is enabled by default.  Applications can disable or
-** reenable this capability using the current DBCONFIG option.  If the
-** the this capability is disabled, the [ATTACH] command will still work,
+** reenable this capability using the current DBCONFIG option.  If
+** this capability is disabled, the [ATTACH] command will still work,
 ** but the database will be opened read-only.  If this option is disabled,
 ** then the ability to create a new database using [ATTACH] is also disabled,
 ** regardless of the value of the [SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE]
@@ -2630,7 +2651,7 @@ struct sqlite3_mem_methods {
 **
 ** <p>Most of the SQLITE_DBCONFIG options take two arguments, so that the
 ** overall call to [sqlite3_db_config()] has a total of four parameters.
-** The first argument (the third parameter to sqlite3_db_config()) is a integer.
+** The first argument (the third parameter to sqlite3_db_config()) is an integer.
 ** The second argument is a pointer to an integer.  If the first argument is 1,
 ** then the option becomes enabled.  If the first integer argument is 0, then the
 ** option is disabled.  If the first argument is -1, then the option setting
@@ -2920,7 +2941,7 @@ SQLITE_API int sqlite3_is_interrupted(sqlite3*);
 ** ^These routines return 0 if the statement is incomplete.  ^If a
 ** memory allocation fails, then SQLITE_NOMEM is returned.
 **
-** ^These routines do not parse the SQL statements thus
+** ^These routines do not parse the SQL statements and thus
 ** will not detect syntactically incorrect SQL.
 **
 ** ^(If SQLite has not been initialized using [sqlite3_initialize()] prior
@@ -3037,7 +3058,7 @@ SQLITE_API int sqlite3_busy_timeout(sqlite3*, int ms);
 ** indefinitely if possible. The results of passing any other negative value
 ** are undefined.
 **
-** Internally, each SQLite database handle store two timeout values - the
+** Internally, each SQLite database handle stores two timeout values - the
 ** busy-timeout (used for rollback mode databases, or if the VFS does not
 ** support blocking locks) and the setlk-timeout (used for blocking locks
 ** on wal-mode databases). The sqlite3_busy_timeout() method sets both
@@ -3067,7 +3088,7 @@ SQLITE_API int sqlite3_setlk_timeout(sqlite3*, int ms, int flags);
 ** This is a legacy interface that is preserved for backwards compatibility.
 ** Use of this interface is not recommended.
 **
-** Definition: A <b>result table</b> is memory data structure created by the
+** Definition: A <b>result table</b> is a memory data structure created by the
 ** [sqlite3_get_table()] interface.  A result table records the
 ** complete query results from one or more queries.
 **
@@ -3210,7 +3231,7 @@ SQLITE_API char *sqlite3_vsnprintf(int,char*,const char*, va_list);
 ** ^Calling sqlite3_free() with a pointer previously returned
 ** by sqlite3_malloc() or sqlite3_realloc() releases that memory so
 ** that it might be reused.  ^The sqlite3_free() routine is
-** a no-op if is called with a NULL pointer.  Passing a NULL pointer
+** a no-op if it is called with a NULL pointer.  Passing a NULL pointer
 ** to sqlite3_free() is harmless.  After being freed, memory
 ** should neither be read nor written.  Even reading previously freed
 ** memory might result in a segmentation fault or other severe error.
@@ -3228,13 +3249,13 @@ SQLITE_API char *sqlite3_vsnprintf(int,char*,const char*, va_list);
 ** sqlite3_free(X).
 ** ^sqlite3_realloc(X,N) returns a pointer to a memory allocation
 ** of at least N bytes in size or NULL if insufficient memory is available.
-** ^If M is the size of the prior allocation, then min(N,M) bytes
-** of the prior allocation are copied into the beginning of buffer returned
+** ^If M is the size of the prior allocation, then min(N,M) bytes of the
+** prior allocation are copied into the beginning of the buffer returned
 ** by sqlite3_realloc(X,N) and the prior allocation is freed.
 ** ^If sqlite3_realloc(X,N) returns NULL and N is positive, then the
 ** prior allocation is not freed.
 **
-** ^The sqlite3_realloc64(X,N) interfaces works the same as
+** ^The sqlite3_realloc64(X,N) interface works the same as
 ** sqlite3_realloc(X,N) except that N is a 64-bit unsigned integer instead
 ** of a 32-bit signed integer.
 **
@@ -3284,7 +3305,7 @@ SQLITE_API sqlite3_uint64 sqlite3_msize(void*);
 ** was last reset.  ^The values returned by [sqlite3_memory_used()] and
 ** [sqlite3_memory_highwater()] include any overhead
 ** added by SQLite in its implementation of [sqlite3_malloc()],
-** but not overhead added by the any underlying system library
+** but not overhead added by any underlying system library
 ** routines that [sqlite3_malloc()] may call.
 **
 ** ^The memory high-water mark is reset to the current value of
@@ -3736,7 +3757,7 @@ SQLITE_API void sqlite3_progress_handler(sqlite3*, int, int(*)(void*), void*);
 ** there is no harm in trying.)
 **
 ** ^(<dt>[SQLITE_OPEN_SHAREDCACHE]</dt>
-** <dd>The database is opened [shared cache] enabled, overriding
+** <dd>The database is opened with [shared cache] enabled, overriding
 ** the default shared cache setting provided by
 ** [sqlite3_enable_shared_cache()].)^
 ** The [use of shared cache mode is discouraged] and hence shared cache
@@ -3744,7 +3765,7 @@ SQLITE_API void sqlite3_progress_handler(sqlite3*, int, int(*)(void*), void*);
 ** this option is a no-op.
 **
 ** ^(<dt>[SQLITE_OPEN_PRIVATECACHE]</dt>
-** <dd>The database is opened [shared cache] disabled, overriding
+** <dd>The database is opened with [shared cache] disabled, overriding
 ** the default shared cache setting provided by
 ** [sqlite3_enable_shared_cache()].)^
 **
@@ -4162,7 +4183,7 @@ SQLITE_API void sqlite3_free_filename(sqlite3_filename);
 ** subsequent calls to other SQLite interface functions.)^
 **
 ** ^The sqlite3_errstr(E) interface returns the English-language text
-** that describes the [result code] E, as UTF-8, or NULL if E is not an
+** that describes the [result code] E, as UTF-8, or NULL if E is not a
 ** result code for which a text error message is available.
 ** ^(Memory to hold the error message string is managed internally
 ** and must not be freed by the application)^.
@@ -4170,7 +4191,7 @@ SQLITE_API void sqlite3_free_filename(sqlite3_filename);
 ** ^If the most recent error references a specific token in the input
 ** SQL, the sqlite3_error_offset() interface returns the byte offset
 ** of the start of that token.  ^The byte offset returned by
-** sqlite3_error_offset() assumes that the input SQL is UTF8.
+** sqlite3_error_offset() assumes that the input SQL is UTF-8.
 ** ^If the most recent error does not reference a specific token in the input
 ** SQL, then the sqlite3_error_offset() function returns -1.
 **
@@ -4195,6 +4216,34 @@ SQLITE_API const void *sqlite3_errmsg16(sqlite3*);
 SQLITE_API const char *sqlite3_errstr(int);
 SQLITE_API int sqlite3_error_offset(sqlite3 *db);

+/*
+** CAPI3REF: Set Error Codes And Message
+** METHOD: sqlite3
+**
+** Set the error code of the database handle passed as the first argument
+** to errcode, and the error message to a copy of nul-terminated string
+** zErrMsg. If zErrMsg is passed NULL, then the error message is set to
+** the default message associated with the supplied error code.  Subsequent
+** calls to [sqlite3_errcode()] and [sqlite3_errmsg()] and similar will
+** return the values set by this routine in place of what was previously
+** set by SQLite itself.
+**
+** This function returns SQLITE_OK if the error code and error message are
+** successfully set, SQLITE_NOMEM if an OOM occurs, and SQLITE_MISUSE if
+** the database handle is NULL or invalid.
+**
+** The error code and message set by this routine remains in effect until
+** they are changed, either by another call to this routine or until they are
+** changed to by SQLite itself to reflect the result of some subsquent
+** API call.
+**
+** This function is intended for use by SQLite extensions or wrappers.  The
+** idea is that an extension or wrapper can use this routine to set error
+** messages and error codes and thus behave more like a core SQLite
+** feature from the point of view of an application.
+*/
+SQLITE_API int sqlite3_set_errmsg(sqlite3 *db, int errcode, const char *zErrMsg);
+
 /*
 ** CAPI3REF: Prepared Statement Object
 ** KEYWORDS: {prepared statement} {prepared statements}
@@ -4269,8 +4318,8 @@ SQLITE_API int sqlite3_limit(sqlite3*, int id, int newVal);
 **
 ** These constants define various performance limits
 ** that can be lowered at run-time using [sqlite3_limit()].
-** The synopsis of the meanings of the various limits is shown below.
-** Additional information is available at [limits | Limits in SQLite].
+** A concise description of these limits follows, and additional information
+** is available at [limits | Limits in SQLite].
 **
 ** <dl>
 ** [[SQLITE_LIMIT_LENGTH]] ^(<dt>SQLITE_LIMIT_LENGTH</dt>
@@ -4335,7 +4384,7 @@ SQLITE_API int sqlite3_limit(sqlite3*, int id, int newVal);
 /*
 ** CAPI3REF: Prepare Flags
 **
-** These constants define various flags that can be passed into
+** These constants define various flags that can be passed into the
 ** "prepFlags" parameter of the [sqlite3_prepare_v3()] and
 ** [sqlite3_prepare16_v3()] interfaces.
 **
@@ -4422,7 +4471,7 @@ SQLITE_API int sqlite3_limit(sqlite3*, int id, int newVal);
 ** there is a small performance advantage to passing an nByte parameter that
 ** is the number of bytes in the input string <i>including</i>
 ** the nul-terminator.
-** Note that nByte measure the length of the input in bytes, not
+** Note that nByte measures the length of the input in bytes, not
 ** characters, even for the UTF-16 interfaces.
 **
 ** ^If pzTail is not NULL then *pzTail is made to point to the first byte
@@ -4556,7 +4605,7 @@ SQLITE_API int sqlite3_prepare16_v3(
 **
 ** ^The sqlite3_expanded_sql() interface returns NULL if insufficient memory
 ** is available to hold the result, or if the result would exceed the
-** the maximum string length determined by the [SQLITE_LIMIT_LENGTH].
+** maximum string length determined by the [SQLITE_LIMIT_LENGTH].
 **
 ** ^The [SQLITE_TRACE_SIZE_LIMIT] compile-time option limits the size of
 ** bound parameter expansions.  ^The [SQLITE_OMIT_TRACE] compile-time
@@ -4744,7 +4793,7 @@ typedef struct sqlite3_value sqlite3_value;
 **
 ** The context in which an SQL function executes is stored in an
 ** sqlite3_context object.  ^A pointer to an sqlite3_context object
-** is always first parameter to [application-defined SQL functions].
+** is always the first parameter to [application-defined SQL functions].
 ** The application-defined SQL function implementation will pass this
 ** pointer through into calls to [sqlite3_result_int | sqlite3_result()],
 ** [sqlite3_aggregate_context()], [sqlite3_user_data()],
@@ -4868,9 +4917,11 @@ typedef struct sqlite3_context sqlite3_context;
 ** associated with the pointer P of type T.  ^D is either a NULL pointer or
 ** a pointer to a destructor function for P. ^SQLite will invoke the
 ** destructor D with a single argument of P when it is finished using
-** P.  The T parameter should be a static string, preferably a string
-** literal. The sqlite3_bind_pointer() routine is part of the
-** [pointer passing interface] added for SQLite 3.20.0.
+** P, even if the call to sqlite3_bind_pointer() fails.  Due to a
+** historical design quirk, results are undefined if D is
+** SQLITE_TRANSIENT. The T parameter should be a static string,
+** preferably a string literal. The sqlite3_bind_pointer() routine is
+** part of the [pointer passing interface] added for SQLite 3.20.0.
 **
 ** ^If any of the sqlite3_bind_*() routines are called with a NULL pointer
 ** for the [prepared statement] or with a prepared statement for which
@@ -5481,7 +5532,7 @@ SQLITE_API int sqlite3_column_type(sqlite3_stmt*, int iCol);
 **
 ** ^The sqlite3_finalize() function is called to delete a [prepared statement].
 ** ^If the most recent evaluation of the statement encountered no errors
-** or if the statement is never been evaluated, then sqlite3_finalize() returns
+** or if the statement has never been evaluated, then sqlite3_finalize() returns
 ** SQLITE_OK.  ^If the most recent evaluation of statement S failed, then
 ** sqlite3_finalize(S) returns the appropriate [error code] or
 ** [extended error code].
@@ -5713,7 +5764,7 @@ SQLITE_API int sqlite3_create_window_function(
 /*
 ** CAPI3REF: Text Encodings
 **
-** These constant define integer codes that represent the various
+** These constants define integer codes that represent the various
 ** text encodings supported by SQLite.
 */
 #define SQLITE_UTF8           1    /* IMP: R-37514-35566 */
@@ -5805,7 +5856,7 @@ SQLITE_API int sqlite3_create_window_function(
 ** result.
 ** Every function that invokes [sqlite3_result_subtype()] should have this
 ** property.  If it does not, then the call to [sqlite3_result_subtype()]
-** might become a no-op if the function is used as term in an
+** might become a no-op if the function is used as a term in an
 ** [expression index].  On the other hand, SQL functions that never invoke
 ** [sqlite3_result_subtype()] should avoid setting this property, as the
 ** purpose of this property is to disable certain optimizations that are
@@ -5932,7 +5983,7 @@ SQLITE_API SQLITE_DEPRECATED int sqlite3_memory_alarm(void(*)(void*,sqlite3_int6
 ** sqlite3_value_nochange(X) interface returns true if and only if
 ** the column corresponding to X is unchanged by the UPDATE operation
 ** that the xUpdate method call was invoked to implement and if
-** and the prior [xColumn] method call that was invoked to extracted
+** the prior [xColumn] method call that was invoked to extract
 ** the value for that column returned without setting a result (probably
 ** because it queried [sqlite3_vtab_nochange()] and found that the column
 ** was unchanging).  ^Within an [xUpdate] method, any value for which
@@ -6205,6 +6256,7 @@ SQLITE_API void sqlite3_set_auxdata(sqlite3_context*, int N, void*, void (*)(voi
 ** or a NULL pointer if there were no prior calls to
 ** sqlite3_set_clientdata() with the same values of D and N.
 ** Names are compared using strcmp() and are thus case sensitive.
+** It returns 0 on success and SQLITE_NOMEM on allocation failure.
 **
 ** If P and X are both non-NULL, then the destructor X is invoked with
 ** argument P on the first of the following occurrences:
@@ -8881,9 +8933,18 @@ SQLITE_API int sqlite3_status64(
 ** ^The sqlite3_db_status() routine returns SQLITE_OK on success and a
 ** non-zero [error code] on failure.
 **
+** ^The sqlite3_db_status64(D,O,C,H,R) routine works exactly the same
+** way as sqlite3_db_status(D,O,C,H,R) routine except that the C and H
+** parameters are pointer to 64-bit integers (type: sqlite3_int64) instead
+** of pointers to 32-bit integers, which allows larger status values
+** to be returned.  If a status value exceeds 2,147,483,647 then
+** sqlite3_db_status() will truncate the value whereas sqlite3_db_status64()
+** will return the full value.
+**
 ** See also: [sqlite3_status()] and [sqlite3_stmt_status()].
 */
 SQLITE_API int sqlite3_db_status(sqlite3*, int op, int *pCur, int *pHiwtr, int resetFlg);
+SQLITE_API int sqlite3_db_status64(sqlite3*,int,sqlite3_int64*,sqlite3_int64*,int);

 /*
 ** CAPI3REF: Status Parameters for database connections
@@ -8980,6 +9041,10 @@ SQLITE_API int sqlite3_db_status(sqlite3*, int op, int *pCur, int *pHiwtr, int r
 ** If an IO or other error occurs while writing a page to disk, the effect
 ** on subsequent SQLITE_DBSTATUS_CACHE_WRITE requests is undefined.)^ ^The
 ** highwater mark associated with SQLITE_DBSTATUS_CACHE_WRITE is always 0.
+** <p>
+** ^(There is overlap between the quantities measured by this parameter
+** (SQLITE_DBSTATUS_CACHE_WRITE) and SQLITE_DBSTATUS_TEMPBUF_SPILL.
+** Resetting one will reduce the other.)^
 ** </dd>
 **
 ** [[SQLITE_DBSTATUS_CACHE_SPILL]] ^(<dt>SQLITE_DBSTATUS_CACHE_SPILL</dt>
@@ -8995,6 +9060,18 @@ SQLITE_API int sqlite3_db_status(sqlite3*, int op, int *pCur, int *pHiwtr, int r
 ** <dd>This parameter returns zero for the current value if and only if
 ** all foreign key constraints (deferred or immediate) have been
 ** resolved.)^  ^The highwater mark is always 0.
+**
+** [[SQLITE_DBSTATUS_TEMPBUF_SPILL] ^(<dt>SQLITE_DBSTATUS_TEMPBUF_SPILL</dt>
+** <dd>^(This parameter returns the number of bytes written to temporary
+** files on disk that could have been kept in memory had sufficient memory
+** been available.  This value includes writes to intermediate tables that
+** are part of complex queries, external sorts that spill to disk, and
+** writes to TEMP tables.)^
+** ^The highwater mark is always 0.
+** <p>
+** ^(There is overlap between the quantities measured by this parameter
+** (SQLITE_DBSTATUS_TEMPBUF_SPILL) and SQLITE_DBSTATUS_CACHE_WRITE.
+** Resetting one will reduce the other.)^
 ** </dd>
 ** </dl>
 */
@@ -9011,7 +9088,8 @@ SQLITE_API int sqlite3_db_status(sqlite3*, int op, int *pCur, int *pHiwtr, int r
 #define SQLITE_DBSTATUS_DEFERRED_FKS        10
 #define SQLITE_DBSTATUS_CACHE_USED_SHARED   11
 #define SQLITE_DBSTATUS_CACHE_SPILL         12
-#define SQLITE_DBSTATUS_MAX                 12   /* Largest defined DBSTATUS */
+#define SQLITE_DBSTATUS_TEMPBUF_SPILL       13
+#define SQLITE_DBSTATUS_MAX                 13   /* Largest defined DBSTATUS */


 /*
@@ -9776,7 +9854,7 @@ SQLITE_API void sqlite3_log(int iErrCode, const char *zFormat, ...);
 ** is the number of pages currently in the write-ahead log file,
 ** including those that were just committed.
 **
-** The callback function should normally return [SQLITE_OK].  ^If an error
+** ^The callback function should normally return [SQLITE_OK].  ^If an error
 ** code is returned, that error will propagate back up through the
 ** SQLite code base to cause the statement that provoked the callback
 ** to report an error, though the commit will have still occurred. If the
@@ -9784,13 +9862,26 @@ SQLITE_API void sqlite3_log(int iErrCode, const char *zFormat, ...);
 ** that does not correspond to any valid SQLite error code, the results
 ** are undefined.
 **
-** A single database handle may have at most a single write-ahead log callback
-** registered at one time. ^Calling [sqlite3_wal_hook()] replaces any
-** previously registered write-ahead log callback. ^The return value is
-** a copy of the third parameter from the previous call, if any, or 0.
-** ^Note that the [sqlite3_wal_autocheckpoint()] interface and the
-** [wal_autocheckpoint pragma] both invoke [sqlite3_wal_hook()] and will
-** overwrite any prior [sqlite3_wal_hook()] settings.
+** ^A single database handle may have at most a single write-ahead log
+** callback registered at one time. ^Calling [sqlite3_wal_hook()]
+** replaces the default behavior or previously registered write-ahead
+** log callback.
+**
+** ^The return value is a copy of the third parameter from the
+** previous call, if any, or 0.
+**
+** ^The [sqlite3_wal_autocheckpoint()] interface and the
+** [wal_autocheckpoint pragma] both invoke [sqlite3_wal_hook()] and
+** will overwrite any prior [sqlite3_wal_hook()] settings.
+**
+** ^If a write-ahead log callback is set using this function then
+** [sqlite3_wal_checkpoint_v2()] or [PRAGMA wal_checkpoint]
+** should be invoked periodically to keep the write-ahead log file
+** from growing without bound.
+**
+** ^Passing a NULL pointer for the callback disables automatic
+** checkpointing entirely. To re-enable the default behavior, call
+** sqlite3_wal_autocheckpoint(db,1000) or use [PRAGMA wal_checkpoint].
 */
 SQLITE_API void *sqlite3_wal_hook(
  sqlite3*,
@@ -9807,7 +9898,7 @@ SQLITE_API void *sqlite3_wal_hook(
 ** to automatically [checkpoint]
 ** after committing a transaction if there are N or
 ** more frames in the [write-ahead log] file.  ^Passing zero or
-** a negative value as the nFrame parameter disables automatic
+** a negative value as the N parameter disables automatic
 ** checkpoints entirely.
 **
 ** ^The callback registered by this function replaces any existing callback
@@ -9823,9 +9914,10 @@ SQLITE_API void *sqlite3_wal_hook(
 **
 ** ^Every new [database connection] defaults to having the auto-checkpoint
 ** enabled with a threshold of 1000 or [SQLITE_DEFAULT_WAL_AUTOCHECKPOINT]
-** pages.  The use of this interface
-** is only necessary if the default setting is found to be suboptimal
-** for a particular application.
+** pages.
+**
+** ^The use of this interface is only necessary if the default setting
+** is found to be suboptimal for a particular application.
 */
 SQLITE_API int sqlite3_wal_autocheckpoint(sqlite3 *db, int N);

@@ -9890,6 +9982,11 @@ SQLITE_API int sqlite3_wal_checkpoint(sqlite3 *db, const char *zDb);
 **   ^This mode works the same way as SQLITE_CHECKPOINT_RESTART with the
 **   addition that it also truncates the log file to zero bytes just prior
 **   to a successful return.
+**
+** <dt>SQLITE_CHECKPOINT_NOOP<dd>
+**   ^This mode always checkpoints zero frames. The only reason to invoke
+**   a NOOP checkpoint is to access the values returned by
+**   sqlite3_wal_checkpoint_v2() via output parameters *pnLog and *pnCkpt.
 ** </dl>
 **
 ** ^If pnLog is not NULL, then *pnLog is set to the total number of frames in
@@ -9960,6 +10057,7 @@ SQLITE_API int sqlite3_wal_checkpoint_v2(
 ** See the [sqlite3_wal_checkpoint_v2()] documentation for details on the
 ** meaning of each of these checkpoint modes.
 */
+#define SQLITE_CHECKPOINT_NOOP    -1  /* Do no work at all */
 #define SQLITE_CHECKPOINT_PASSIVE  0  /* Do as much as possible w/o blocking */
 #define SQLITE_CHECKPOINT_FULL     1  /* Wait for writers, then checkpoint */
 #define SQLITE_CHECKPOINT_RESTART  2  /* Like FULL but wait for readers */
@@ -10787,7 +10885,7 @@ typedef struct sqlite3_snapshot {
 ** The [sqlite3_snapshot_get()] interface is only available when the
 ** [SQLITE_ENABLE_SNAPSHOT] compile-time option is used.
 */
-SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_snapshot_get(
+SQLITE_API int sqlite3_snapshot_get(
  sqlite3 *db,
  const char *zSchema,
  sqlite3_snapshot **ppSnapshot
@@ -10836,7 +10934,7 @@ SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_snapshot_get(
 ** The [sqlite3_snapshot_open()] interface is only available when the
 ** [SQLITE_ENABLE_SNAPSHOT] compile-time option is used.
 */
-SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_snapshot_open(
+SQLITE_API int sqlite3_snapshot_open(
  sqlite3 *db,
  const char *zSchema,
  sqlite3_snapshot *pSnapshot
@@ -10853,7 +10951,7 @@ SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_snapshot_open(
 ** The [sqlite3_snapshot_free()] interface is only available when the
 ** [SQLITE_ENABLE_SNAPSHOT] compile-time option is used.
 */
-SQLITE_API SQLITE_EXPERIMENTAL void sqlite3_snapshot_free(sqlite3_snapshot*);
+SQLITE_API void sqlite3_snapshot_free(sqlite3_snapshot*);

 /*
 ** CAPI3REF: Compare the ages of two snapshot handles.
@@ -10880,7 +10978,7 @@ SQLITE_API SQLITE_EXPERIMENTAL void sqlite3_snapshot_free(sqlite3_snapshot*);
 ** This interface is only available if SQLite is compiled with the
 ** [SQLITE_ENABLE_SNAPSHOT] option.
 */
-SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_snapshot_cmp(
+SQLITE_API int sqlite3_snapshot_cmp(
  sqlite3_snapshot *p1,
  sqlite3_snapshot *p2
 );
@@ -10908,7 +11006,7 @@ SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_snapshot_cmp(
 ** This interface is only available if SQLite is compiled with the
 ** [SQLITE_ENABLE_SNAPSHOT] option.
 */
-SQLITE_API SQLITE_EXPERIMENTAL int sqlite3_snapshot_recover(sqlite3 *db, const char *zDb);
+SQLITE_API int sqlite3_snapshot_recover(sqlite3 *db, const char *zDb);

 /*
 ** CAPI3REF: Serialize a database
@@ -10982,12 +11080,13 @@ SQLITE_API unsigned char *sqlite3_serialize(
 **
 ** The sqlite3_deserialize(D,S,P,N,M,F) interface causes the
 ** [database connection] D to disconnect from database S and then
-** reopen S as an in-memory database based on the serialization contained
-** in P.  The serialized database P is N bytes in size.  M is the size of
-** the buffer P, which might be larger than N.  If M is larger than N, and
-** the SQLITE_DESERIALIZE_READONLY bit is not set in F, then SQLite is
-** permitted to add content to the in-memory database as long as the total
-** size does not exceed M bytes.
+** reopen S as an in-memory database based on the serialization
+** contained in P.  If S is a NULL pointer, the main database is
+** used. The serialized database P is N bytes in size.  M is the size
+** of the buffer P, which might be larger than N.  If M is larger than
+** N, and the SQLITE_DESERIALIZE_READONLY bit is not set in F, then
+** SQLite is permitted to add content to the in-memory database as
+** long as the total size does not exceed M bytes.
 **
 ** If the SQLITE_DESERIALIZE_FREEONCLOSE bit is set in F, then SQLite will
 ** invoke sqlite3_free() on the serialization buffer when the database
@@ -11054,6 +11153,54 @@ SQLITE_API int sqlite3_deserialize(
 #define SQLITE_DESERIALIZE_RESIZEABLE  2 /* Resize using sqlite3_realloc64() */
 #define SQLITE_DESERIALIZE_READONLY    4 /* Database is read-only */

+/*
+** CAPI3REF: Bind array values to the CARRAY table-valued function
+**
+** The sqlite3_carray_bind(S,I,P,N,F,X) interface binds an array value to
+** one of the first argument of the [carray() table-valued function].  The
+** S parameter is a pointer to the [prepared statement] that uses the carray()
+** functions.  I is the parameter index to be bound.  P is a pointer to the
+** array to be bound, and N is the number of eements in the array.  The
+** F argument is one of constants [SQLITE_CARRAY_INT32], [SQLITE_CARRAY_INT64],
+** [SQLITE_CARRAY_DOUBLE], [SQLITE_CARRAY_TEXT], or [SQLITE_CARRAY_BLOB] to
+** indicate the datatype of the array being bound.  The X argument is not a
+** NULL pointer, then SQLite will invoke the function X on the P parameter
+** after it has finished using P, even if the call to
+** sqlite3_carray_bind() fails. The special-case finalizer
+** SQLITE_TRANSIENT has no effect here.
+*/
+SQLITE_API int sqlite3_carray_bind(
+  sqlite3_stmt *pStmt,        /* Statement to be bound */
+  int i,                      /* Parameter index */
+  void *aData,                /* Pointer to array data */
+  int nData,                  /* Number of data elements */
+  int mFlags,                 /* CARRAY flags */
+  void (*xDel)(void*)         /* Destructor for aData */
+);
+
+/*
+** CAPI3REF: Datatypes for the CARRAY table-valued function
+**
+** The fifth argument to the [sqlite3_carray_bind()] interface musts be
+** one of the following constants, to specify the datatype of the array
+** that is being bound into the [carray table-valued function].
+*/
+#define SQLITE_CARRAY_INT32     0    /* Data is 32-bit signed integers */
+#define SQLITE_CARRAY_INT64     1    /* Data is 64-bit signed integers */
+#define SQLITE_CARRAY_DOUBLE    2    /* Data is doubles */
+#define SQLITE_CARRAY_TEXT      3    /* Data is char* */
+#define SQLITE_CARRAY_BLOB      4    /* Data is struct iovec */
+
+/*
+** Versions of the above #defines that omit the initial SQLITE_, for
+** legacy compatibility.
+*/
+#define CARRAY_INT32     0    /* Data is 32-bit signed integers */
+#define CARRAY_INT64     1    /* Data is 64-bit signed integers */
+#define CARRAY_DOUBLE    2    /* Data is doubles */
+#define CARRAY_TEXT      3    /* Data is char* */
+#define CARRAY_BLOB      4    /* Data is struct iovec */
+
 /*
 ** Undo the hack that converts floating point types to integer for
 ** builds on processors without floating point support.
@@ -12313,14 +12460,32 @@ SQLITE_API void sqlite3changegroup_delete(sqlite3_changegroup*);
 ** update the "main" database attached to handle db with the changes found in
 ** the changeset passed via the second and third arguments.
 **
+** All changes made by these functions are enclosed in a savepoint transaction.
+** If any other error (aside from a constraint failure when attempting to
+** write to the target database) occurs, then the savepoint transaction is
+** rolled back, restoring the target database to its original state, and an
+** SQLite error code returned. Additionally, starting with version 3.51.0,
+** an error code and error message that may be accessed using the
+** [sqlite3_errcode()] and [sqlite3_errmsg()] APIs are left in the database
+** handle.
+**
 ** The fourth argument (xFilter) passed to these functions is the "filter
-** callback". If it is not NULL, then for each table affected by at least one
-** change in the changeset, the filter callback is invoked with
-** the table name as the second argument, and a copy of the context pointer
-** passed as the sixth argument as the first. If the "filter callback"
-** returns zero, then no attempt is made to apply any changes to the table.
-** Otherwise, if the return value is non-zero or the xFilter argument to
-** is NULL, all changes related to the table are attempted.
+** callback". This may be passed NULL, in which case all changes in the
+** changeset are applied to the database. For sqlite3changeset_apply() and
+** sqlite3_changeset_apply_v2(), if it is not NULL, then it is invoked once
+** for each table affected by at least one change in the changeset. In this
+** case the table name is passed as the second argument, and a copy of
+** the context pointer passed as the sixth argument to apply() or apply_v2()
+** as the first. If the "filter callback" returns zero, then no attempt is
+** made to apply any changes to the table. Otherwise, if the return value is
+** non-zero, all changes related to the table are attempted.
+**
+** For sqlite3_changeset_apply_v3(), the xFilter callback is invoked once
+** per change. The second argument in this case is an sqlite3_changeset_iter
+** that may be queried using the usual APIs for the details of the current
+** change. If the "filter callback" returns zero in this case, then no attempt
+** is made to apply the current change. If it returns non-zero, the change
+** is applied.
 **
 ** For each table that is not excluded by the filter callback, this function
 ** tests that the target database contains a compatible table. A table is
@@ -12341,11 +12506,11 @@ SQLITE_API void sqlite3changegroup_delete(sqlite3_changegroup*);
 ** one such warning is issued for each table in the changeset.
 **
 ** For each change for which there is a compatible table, an attempt is made
-** to modify the table contents according to the UPDATE, INSERT or DELETE
-** change. If a change cannot be applied cleanly, the conflict handler
-** function passed as the fifth argument to sqlite3changeset_apply() may be
-** invoked. A description of exactly when the conflict handler is invoked for
-** each type of change is below.
+** to modify the table contents according to each UPDATE, INSERT or DELETE
+** change that is not excluded by a filter callback. If a change cannot be
+** applied cleanly, the conflict handler function passed as the fifth argument
+** to sqlite3changeset_apply() may be invoked. A description of exactly when
+** the conflict handler is invoked for each type of change is below.
 **
 ** Unlike the xFilter argument, xConflict may not be passed NULL. The results
 ** of passing anything other than a valid function pointer as the xConflict
@@ -12441,12 +12606,6 @@ SQLITE_API void sqlite3changegroup_delete(sqlite3_changegroup*);
 ** This can be used to further customize the application's conflict
 ** resolution strategy.
 **
-** All changes made by these functions are enclosed in a savepoint transaction.
-** If any other error (aside from a constraint failure when attempting to
-** write to the target database) occurs, then the savepoint transaction is
-** rolled back, restoring the target database to its original state, and an
-** SQLite error code returned.
-**
 ** If the output parameters (ppRebase) and (pnRebase) are non-NULL and
 ** the input is a changeset (not a patchset), then sqlite3changeset_apply_v2()
 ** may set (*ppRebase) to point to a "rebase" that may be used with the
@@ -12496,6 +12655,23 @@ SQLITE_API int sqlite3changeset_apply_v2(
  void **ppRebase, int *pnRebase, /* OUT: Rebase data */
  int flags                       /* SESSION_CHANGESETAPPLY_* flags */
 );
+SQLITE_API int sqlite3changeset_apply_v3(
+  sqlite3 *db,                    /* Apply change to "main" db of this handle */
+  int nChangeset,                 /* Size of changeset in bytes */
+  void *pChangeset,               /* Changeset blob */
+  int(*xFilter)(
+    void *pCtx,                   /* Copy of sixth arg to _apply() */
+    sqlite3_changeset_iter *p     /* Handle describing change */
+  ),
+  int(*xConflict)(
+    void *pCtx,                   /* Copy of sixth arg to _apply() */
+    int eConflict,                /* DATA, MISSING, CONFLICT, CONSTRAINT */
+    sqlite3_changeset_iter *p     /* Handle describing change and conflict */
+  ),
+  void *pCtx,                     /* First argument passed to xConflict */
+  void **ppRebase, int *pnRebase, /* OUT: Rebase data */
+  int flags                       /* SESSION_CHANGESETAPPLY_* flags */
+);

 /*
 ** CAPI3REF: Flags for sqlite3changeset_apply_v2
@@ -12915,6 +13091,23 @@ SQLITE_API int sqlite3changeset_apply_v2_strm(
  void **ppRebase, int *pnRebase,
  int flags
 );
+SQLITE_API int sqlite3changeset_apply_v3_strm(
+  sqlite3 *db,                    /* Apply change to "main" db of this handle */
+  int (*xInput)(void *pIn, void *pData, int *pnData), /* Input function */
+  void *pIn,                                          /* First arg for xInput */
+  int(*xFilter)(
+    void *pCtx,                   /* Copy of sixth arg to _apply() */
+    sqlite3_changeset_iter *p
+  ),
+  int(*xConflict)(
+    void *pCtx,                   /* Copy of sixth arg to _apply() */
+    int eConflict,                /* DATA, MISSING, CONFLICT, CONSTRAINT */
+    sqlite3_changeset_iter *p     /* Handle describing change and conflict */
+  ),
+  void *pCtx,                     /* First argument passed to xConflict */
+  void **ppRebase, int *pnRebase,
+  int flags
+);
 SQLITE_API int sqlite3changeset_concat_strm(
  int (*xInputA)(void *pIn, void *pData, int *pnData),
  void *pInA,
--- a/deps/sqlite/sqlite3ext.h
+++ b/deps/sqlite/sqlite3ext.h
@@ -368,6 +368,10 @@ struct sqlite3_api_routines {
  int (*set_clientdata)(sqlite3*, const char*, void*, void(*)(void*));
  /* Version 3.50.0 and later */
  int (*setlk_timeout)(sqlite3*,int,int);
+  /* Version 3.51.0 and later */
+  int (*set_errmsg)(sqlite3*,int,const char*);
+  int (*db_status64)(sqlite3*,int,sqlite3_int64*,sqlite3_int64*,int);
+  
 };

 /*
@@ -703,6 +707,9 @@ typedef int (*sqlite3_loadext_entry)(
 #define sqlite3_set_clientdata         sqlite3_api->set_clientdata
 /* Version 3.50.0 and later */
 #define sqlite3_setlk_timeout          sqlite3_api->setlk_timeout
+/* Version 3.51.0 and later */
+#define sqlite3_set_errmsg             sqlite3_api->set_errmsg
+#define sqlite3_db_status64            sqlite3_api->db_status64
 #endif /* !defined(SQLITE_CORE) && !defined(SQLITE_OMIT_LOAD_EXTENSION) */

 #if !defined(SQLITE_CORE) && !defined(SQLITE_OMIT_LOAD_EXTENSION)
--- a/docs/model.md
+++ b/docs/model.md
@@ -0,0 +1,32 @@
+# Model
+
+A reasonable mental model of Tilde Friends is as a virtual computer. User
+interace is through a web browser. Communication with the outside world is
+through the Secure Scuttlebutt (SSB) network protocol. Persistence is through
+an SSB store and an additional key-value store in an sqlite database.
+
+The schema for the sqlite database is primarily a `messages` table and a
+`blobs` table, which are what one would expect from the SSB specifications.
+
+```dot
+digraph {
+    web_browser -> tilde_friends_web_interface [dir=both];
+    web_browser [shape=rect,label="Web Browser"];
+    subgraph cluster_tilde_friends {
+        label = "Tilde Friends";
+        tilde_friends_web_interface -> example_app [dir=both];
+        subgraph cluster_sandbox {
+            label = "app sandbox";
+            example_app;
+        }
+        example_app -> tilde_friends_core;
+        tilde_friends_core -> example_app;
+        tilde_friends_web_interface -> tilde_friends_core;
+        tilde_friends_core -> "db.sqlite";
+        tilde_friends_core -> ssb;
+        "db.sqlite" [shape=cylinder];
+    }
+    ssb -> other_ssb_clients [label="Secure Handshake",dir=both];
+    other_ssb_clients [shape=rect,label="SSB Peers"];
+}
+```
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -41,11 +41,9 @@ options:
                                 ssb_port (default: 8008): Port on which to listen for SSB secure handshake connections.
                                 http_local_only (default: false): Whether to bind http(s) to the loopback address.  Otherwise any.
                                 http_port (default: 12345): Port on which to listen for HTTP connections.
-                                 https_port (default: 0): Port on which to listen for secure HTTP connections.
                                 out_http_port_file (default: ""): File to which to write bound HTTP port.
                                 blob_fetch_age_seconds (default: -1): Only blobs mentioned more recently than this age will be automatically fetched.
                                 blob_expire_age_seconds (default: -1): Blobs older than this will be automatically deleted.
-                                 fetch_hosts (default: ""): Comma-separated list of host names to which HTTP fetch requests are allowed.  None if empty.
                                 http_redirect (default: ""): If connecting by HTTP and HTTPS is configured, Location header prefix (ie, "http://example.com")
                                 index (default: "/~core/intro/"): Default path.
                                 index_map (default: ""): Mappings from hostname to redirect path, one per line, as in: "www.tildefriends.net=/~core/index/"
@@ -62,6 +60,7 @@ options:
                                 broadcast (default: true): Send network discovery broadcasts.
                                 discovery (default: true): Receive network discovery broadcasts.
                                 stay_connected (default: false): Whether to attempt to keep several peer connections open.
+                                 accepted_eula_version (default: 0): The version of the last accepted EULA.
  -o, --one-proc             Run everything in one process (unsafely!).
  -z, --zip path             Zip archive from which to load files.
  -v, --verbose              Log raw messages.
--- a/metadata/en-US/changelogs/44.txt
+++ b/metadata/en-US/changelogs/44.txt
@@ -0,0 +1,10 @@
+* Faster load times.
+* Private message fixes.
+* Fix contact groups expanding/collapsing.
+* Manual SSB theme color picker.
+* Give channel subscribe/unsubscribe similar grouping treatment to follows/blocks.
+* Slightly improved following/blocking message display.
+* Remove the query tab in favor of searching for "sql:SELECT ...".
+* Exclude messages for subscribed channels from the general feed.
+* Remove OpenSSL.
+* Updates: CodeMirror, libbacktrace, and speedscope 1.24.0.
--- a/metadata/en-US/changelogs/48.txt
+++ b/metadata/en-US/changelogs/48.txt
@@ -0,0 +1,9 @@
+* Fixed disagreement in identity information.
+* Show more context when prompting for permissions.
+* Reduce redundant queries to improve load times.
+* Improved profile load times.
+* Don't show an empty code of conduct.
+* Resolve ambiguity when a user is both followed and blocked (they're blocked).
+* Move perf tracing viewer into a trace app.
+* Minor UI improvements.
+* Updates: CodeMirror, emojis, libbacktrace, sqlite 3.51.0.
--- a/src/android/AndroidManifest.xml
+++ b/src/android/AndroidManifest.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
 	package="com.unprompted.tildefriends"
-	android:versionCode="44"
-	android:versionName="0.2025.10-wip">
+	android:versionCode="48"
+	android:versionName="0.2025.11">
 	<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
 	<uses-permission android:name="android.permission.INTERNET"/>
 	<application
--- a/src/android/com/unprompted/tildefriends/TildeFriendsActivity.java
+++ b/src/android/com/unprompted/tildefriends/TildeFriendsActivity.java
@@ -292,7 +292,7 @@ public class TildeFriendsActivity extends Activity {
 		StrictMode.setThreadPolicy(
 			new StrictMode.ThreadPolicy.Builder()
 				.detectAll()
-				.penaltyDialog()
+				//.penaltyDialog()
 				.penaltyLog()
 				.build());
 		StrictMode.setVmPolicy(
--- a/src/api.js.c
+++ b/src/api.js.c
@@ -74,7 +74,7 @@ static void _tf_api_core_apps_after_work(tf_ssb_t* ssb, int status, void* user_d
 	JSValue result = JS_NewObject(context);
 	for (int i = 0; i < work->count; i++)
 	{
-		JS_SetPropertyStr(context, result, work->apps[i].app, JS_NewString(context, work->apps[i].path));
+		JS_SetPropertyStr(context, result, work->apps[i].app, JS_NewString(context, work->apps[i].path ? work->apps[i].path : ""));
 	}
 	JSValue error = JS_Call(context, work->promise[0], JS_UNDEFINED, 1, &result);
 	tf_util_report_error(context, error);
@@ -147,6 +147,55 @@ static JSValue _tf_api_core_apps(JSContext* context, JSValueConst this_val, int
 	return result;
 }

+typedef struct _users_t
+{
+	const char* users;
+	JSContext* context;
+	JSValue promise[2];
+} users_t;
+
+static void _tf_api_core_users_work(tf_ssb_t* ssb, void* user_data)
+{
+	users_t* work = user_data;
+	work->users = tf_ssb_db_get_property(ssb, "auth", "users");
+}
+
+static void _tf_api_core_users_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	users_t* work = user_data;
+	JSContext* context = work->context;
+	JSValue result = JS_UNDEFINED;
+	if (work->users)
+	{
+		result = JS_ParseJSON(context, work->users, strlen(work->users), NULL);
+		tf_free((void*)work->users);
+	}
+	if (JS_IsUndefined(result))
+	{
+		result = JS_NewArray(context);
+	}
+	JSValue error = JS_Call(context, JS_IsArray(context, result) ? work->promise[0] : work->promise[1], JS_UNDEFINED, 1, &result);
+	tf_util_report_error(context, error);
+	JS_FreeValue(context, error);
+	JS_FreeValue(context, result);
+	JS_FreeValue(context, work->promise[0]);
+	JS_FreeValue(context, work->promise[1]);
+	tf_free(work);
+}
+
+static JSValue _tf_api_core_users(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv, int magic, JSValue* data)
+{
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	users_t* work = tf_malloc(sizeof(users_t));
+	*work = (users_t) {
+		.context = context,
+	};
+	JSValue result = JS_NewPromiseCapability(context, work->promise);
+	tf_ssb_run_work(ssb, _tf_api_core_users_work, _tf_api_core_users_after_work, work);
+	return result;
+}
+
 static JSValue _tf_api_core_register(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv, int magic, JSValue* data)
 {
 	JSValue event_name = argv[0];
@@ -210,6 +259,543 @@ static JSValue _tf_api_core_unregister(JSContext* context, JSValueConst this_val
 	return JS_UNDEFINED;
 }

+typedef struct _permissions_for_user_t
+{
+	const char* user;
+	const char* settings;
+	JSContext* context;
+	JSValue promise[2];
+} permissions_for_user_t;
+
+static void _tf_api_core_permissions_for_user_work(tf_ssb_t* ssb, void* user_data)
+{
+	permissions_for_user_t* work = user_data;
+	work->settings = tf_ssb_db_get_property(ssb, "core", "settings");
+}
+
+static void _tf_api_core_permissions_for_user_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	permissions_for_user_t* work = user_data;
+	JSContext* context = work->context;
+	JSValue result = JS_UNDEFINED;
+	if (work->settings)
+	{
+		JSValue json = JS_ParseJSON(context, work->settings, strlen(work->settings), NULL);
+		if (JS_IsObject(json))
+		{
+			JSValue permissions = JS_GetPropertyStr(context, json, "permissions");
+			if (JS_IsObject(permissions))
+			{
+				result = JS_GetPropertyStr(context, permissions, work->user);
+			}
+			JS_FreeValue(context, permissions);
+		}
+		JS_FreeValue(context, json);
+		tf_free((void*)work->settings);
+	}
+	if (JS_IsUndefined(result))
+	{
+		result = JS_NewArray(context);
+	}
+	JSValue error = JS_Call(context, JS_IsArray(context, result) ? work->promise[0] : work->promise[1], JS_UNDEFINED, 1, &result);
+	tf_util_report_error(context, error);
+	JS_FreeValue(context, error);
+	JS_FreeValue(context, result);
+	JS_FreeValue(context, work->promise[0]);
+	JS_FreeValue(context, work->promise[1]);
+	JS_FreeCString(context, work->user);
+	tf_free(work);
+}
+
+static JSValue _tf_api_core_permissionsForUser(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv, int magic, JSValue* data)
+{
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	permissions_for_user_t* work = tf_malloc(sizeof(permissions_for_user_t));
+	*work = (permissions_for_user_t) {
+		.context = context,
+		.user = JS_ToCString(context, argv[0]),
+	};
+	JSValue result = JS_NewPromiseCapability(context, work->promise);
+	tf_ssb_run_work(ssb, _tf_api_core_permissions_for_user_work, _tf_api_core_permissions_for_user_after_work, work);
+	return result;
+}
+
+typedef struct _permissions_granted_t
+{
+	JSContext* context;
+	const char* user;
+	const char* package_owner;
+	const char* package_name;
+	const char* settings;
+	JSValue promise[2];
+} permissions_granted_t;
+
+static void _tf_api_core_permissions_granted_work(tf_ssb_t* ssb, void* user_data)
+{
+	permissions_granted_t* work = user_data;
+	work->settings = tf_ssb_db_get_property(ssb, "core", "settings");
+}
+
+static void _tf_api_core_permissions_granted_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	permissions_granted_t* work = user_data;
+	JSContext* context = work->context;
+	JSValue result = JS_UNDEFINED;
+	if (work->settings)
+	{
+		JSValue json = JS_ParseJSON(context, work->settings, strlen(work->settings), NULL);
+		if (JS_IsObject(json) && work->user && work->package_owner && work->package_name)
+		{
+			JSValue user_permissions = JS_GetPropertyStr(context, json, "userPermissions");
+			if (JS_IsObject(user_permissions))
+			{
+				JSValue user = JS_GetPropertyStr(context, user_permissions, work->user);
+				if (JS_IsObject(user))
+				{
+					JSValue package_owner = JS_GetPropertyStr(context, user, work->package_owner);
+					if (JS_IsObject(package_owner))
+					{
+						result = JS_GetPropertyStr(context, package_owner, work->package_name);
+					}
+					JS_FreeValue(context, package_owner);
+				}
+				JS_FreeValue(context, user);
+			}
+			JS_FreeValue(context, user_permissions);
+		}
+		JS_FreeValue(context, json);
+		tf_free((void*)work->settings);
+	}
+
+	JSValue error = JS_Call(context, work->promise[0], JS_UNDEFINED, 1, &result);
+	tf_util_report_error(context, error);
+	JS_FreeValue(context, error);
+	JS_FreeValue(context, result);
+	JS_FreeValue(context, work->promise[0]);
+	JS_FreeValue(context, work->promise[1]);
+	tf_free((void*)work->user);
+	tf_free((void*)work->package_owner);
+	tf_free((void*)work->package_name);
+	tf_free(work);
+}
+
+static const char* _tf_ssb_get_process_credentials_session_name(JSContext* context, JSValue process)
+{
+	JSValue credentials = JS_IsObject(process) ? JS_GetPropertyStr(context, process, "credentials") : JS_UNDEFINED;
+	JSValue session = JS_IsObject(credentials) ? JS_GetPropertyStr(context, credentials, "session") : JS_UNDEFINED;
+	JSValue name_value = JS_IsObject(session) ? JS_GetPropertyStr(context, session, "name") : JS_UNDEFINED;
+	const char* name = JS_IsString(name_value) ? JS_ToCString(context, name_value) : NULL;
+	const char* result = tf_strdup(name);
+	JS_FreeCString(context, name);
+	JS_FreeValue(context, name_value);
+	JS_FreeValue(context, session);
+	JS_FreeValue(context, credentials);
+	return result;
+}
+
+static JSValue _tf_api_core_permissionsGranted(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv, int magic, JSValue* data)
+{
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	JSValue process = data[0];
+	JSValue package_owner_value = JS_GetPropertyStr(context, process, "packageOwner");
+	JSValue package_name_value = JS_GetPropertyStr(context, process, "packageName");
+	const char* package_owner = JS_ToCString(context, package_owner_value);
+	const char* package_name = JS_ToCString(context, package_name_value);
+	permissions_granted_t* work = tf_malloc(sizeof(permissions_granted_t));
+	*work = (permissions_granted_t) {
+		.context = context,
+		.user = _tf_ssb_get_process_credentials_session_name(context, process),
+		.package_owner = tf_strdup(package_owner),
+		.package_name = tf_strdup(package_name),
+	};
+	JS_FreeCString(context, package_owner);
+	JS_FreeCString(context, package_name);
+	JS_FreeValue(context, package_owner_value);
+	JS_FreeValue(context, package_name_value);
+	JSValue result = JS_NewPromiseCapability(context, work->promise);
+	tf_ssb_run_work(ssb, _tf_api_core_permissions_granted_work, _tf_api_core_permissions_granted_after_work, work);
+	return result;
+}
+
+typedef struct _active_identity_work_t
+{
+	JSContext* context;
+	const char* name;
+	const char* package_owner;
+	const char* package_name;
+	char identity[k_id_base64_len];
+	int result;
+	JSValue promise[2];
+} active_identity_work_t;
+
+static void _tf_ssb_getActiveIdentity_visit(const char* identity, void* user_data)
+{
+	active_identity_work_t* request = user_data;
+	if (!*request->identity)
+	{
+		snprintf(request->identity, sizeof(request->identity), "@%s", identity);
+	}
+}
+
+static void _tf_ssb_getActiveIdentity_work(tf_ssb_t* ssb, void* user_data)
+{
+	active_identity_work_t* request = user_data;
+	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+	tf_ssb_db_identity_get_active(db, request->name, request->package_owner, request->package_name, request->identity, sizeof(request->identity));
+	tf_ssb_release_db_reader(ssb, db);
+
+	if (!*request->identity && tf_ssb_db_user_has_permission(ssb, NULL, request->name, "administration"))
+	{
+		tf_ssb_whoami(ssb, request->identity, sizeof(request->identity));
+	}
+
+	if (!*request->identity)
+	{
+		tf_ssb_db_identity_visit(ssb, request->name, _tf_ssb_getActiveIdentity_visit, request);
+	}
+}
+
+static void _tf_ssb_getActiveIdentity_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	active_identity_work_t* request = user_data;
+	JSContext* context = request->context;
+	if (request->result == 0)
+	{
+		JSValue identity = JS_NewString(context, request->identity);
+		JSValue error = JS_Call(context, request->promise[0], JS_UNDEFINED, 1, &identity);
+		JS_FreeValue(context, identity);
+		tf_util_report_error(context, error);
+		JS_FreeValue(context, error);
+	}
+	else
+	{
+		JSValue error = JS_Call(context, request->promise[1], JS_UNDEFINED, 0, NULL);
+		tf_util_report_error(context, error);
+		JS_FreeValue(context, error);
+	}
+	JS_FreeValue(context, request->promise[0]);
+	JS_FreeValue(context, request->promise[1]);
+	tf_free((void*)request->name);
+	tf_free((void*)request->package_owner);
+	tf_free((void*)request->package_name);
+	tf_free(request);
+}
+
+static JSValue _tf_ssb_getActiveIdentity(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv, int magic, JSValue* data)
+{
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	JSValue process = data[0];
+	JSValue package_owner_value = JS_GetPropertyStr(context, process, "packageOwner");
+	JSValue package_name_value = JS_GetPropertyStr(context, process, "packageName");
+
+	const char* name = _tf_ssb_get_process_credentials_session_name(context, process);
+	const char* package_owner = JS_ToCString(context, package_owner_value);
+	const char* package_name = JS_ToCString(context, package_name_value);
+	active_identity_work_t* work = tf_malloc(sizeof(active_identity_work_t));
+	*work = (active_identity_work_t) {
+		.context = context,
+		.name = tf_strdup(name),
+		.package_owner = tf_strdup(package_owner),
+		.package_name = tf_strdup(package_name),
+	};
+	JSValue result = JS_NewPromiseCapability(context, work->promise);
+	tf_free((void*)name);
+	JS_FreeCString(context, package_owner);
+	JS_FreeCString(context, package_name);
+
+	JS_FreeValue(context, package_owner_value);
+	JS_FreeValue(context, package_name_value);
+	tf_ssb_run_work(ssb, _tf_ssb_getActiveIdentity_work, _tf_ssb_getActiveIdentity_after_work, work);
+	return result;
+}
+
+typedef struct _identities_visit_t
+{
+	JSContext* context;
+	JSValue promise[2];
+	const char** identities;
+	int count;
+	char user[];
+} identities_visit_t;
+
+static void _tf_ssb_getIdentities_visit(const char* identity, void* user_data)
+{
+	identities_visit_t* work = user_data;
+	work->identities = tf_resize_vec(work->identities, (work->count + 1) * sizeof(const char*));
+	char id[k_id_base64_len];
+	snprintf(id, sizeof(id), "@%s", identity);
+	work->identities[work->count++] = tf_strdup(id);
+}
+
+static void _tf_ssb_get_all_identities_work(tf_ssb_t* ssb, void* user_data)
+{
+	tf_ssb_db_identity_visit_all(ssb, _tf_ssb_getIdentities_visit, user_data);
+}
+
+static void _tf_ssb_get_identities_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	identities_visit_t* work = user_data;
+	JSContext* context = tf_ssb_get_context(ssb);
+	JSValue result = JS_NewArray(context);
+	for (int i = 0; i < work->count; i++)
+	{
+		JS_SetPropertyUint32(context, result, i, JS_NewString(context, work->identities[i]));
+		tf_free((void*)work->identities[i]);
+	}
+	tf_free(work->identities);
+
+	JSValue error = JS_Call(context, work->promise[0], JS_UNDEFINED, 1, &result);
+	JS_FreeValue(context, result);
+	tf_util_report_error(context, error);
+	JS_FreeValue(context, error);
+	JS_FreeValue(context, work->promise[0]);
+	JS_FreeValue(context, work->promise[1]);
+	tf_free(work);
+}
+
+static JSValue _tf_ssb_getAllIdentities(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
+{
+	JSValue result = JS_UNDEFINED;
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	if (ssb)
+	{
+		identities_visit_t* work = tf_malloc(sizeof(identities_visit_t));
+		*work = (identities_visit_t) {
+			.context = context,
+		};
+
+		result = JS_NewPromiseCapability(context, work->promise);
+		tf_ssb_run_work(ssb, _tf_ssb_get_all_identities_work, _tf_ssb_get_identities_after_work, work);
+	}
+	return result;
+}
+
+static void _tf_ssb_get_identities_work(tf_ssb_t* ssb, void* user_data)
+{
+	identities_visit_t* work = user_data;
+	if (tf_ssb_db_user_has_permission(ssb, NULL, work->user, "administration"))
+	{
+		char id[k_id_base64_len] = "";
+		if (tf_ssb_whoami(ssb, id, sizeof(id)))
+		{
+			_tf_ssb_getIdentities_visit(*id == '@' ? id + 1 : id, work);
+		}
+	}
+	tf_ssb_db_identity_visit(ssb, work->user, _tf_ssb_getIdentities_visit, user_data);
+}
+
+static JSValue _tf_ssb_getIdentities(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv, int magic, JSValue* data)
+{
+	JSValue result = JS_UNDEFINED;
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	JSValue process = data[0];
+	if (ssb)
+	{
+		const char* user = _tf_ssb_get_process_credentials_session_name(context, process);
+		if (user)
+		{
+			size_t user_length = user ? strlen(user) : 0;
+			identities_visit_t* work = tf_malloc(sizeof(identities_visit_t) + user_length + 1);
+			*work = (identities_visit_t) {
+				.context = context,
+			};
+			memcpy(work->user, user, user_length + 1);
+			tf_free((void*)user);
+
+			result = JS_NewPromiseCapability(context, work->promise);
+			tf_ssb_run_work(ssb, _tf_ssb_get_identities_work, _tf_ssb_get_identities_after_work, work);
+		}
+	}
+	return result;
+}
+
+static JSValue _tf_ssb_getOwnerIdentities(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv, int magic, JSValue* data)
+{
+	JSValue result = JS_UNDEFINED;
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	JSValue process = data[0];
+	if (ssb)
+	{
+		JSValue value = JS_GetPropertyStr(context, process, "packageOwner");
+		const char* user = JS_ToCString(context, value);
+		size_t user_length = user ? strlen(user) : 0;
+		identities_visit_t* work = tf_malloc(sizeof(identities_visit_t) + user_length + 1);
+		*work = (identities_visit_t) {
+			.context = context,
+		};
+		memcpy(work->user, user, user_length + 1);
+		JS_FreeCString(context, user);
+		JS_FreeValue(context, value);
+
+		result = JS_NewPromiseCapability(context, work->promise);
+		tf_ssb_run_work(ssb, _tf_ssb_get_identities_work, _tf_ssb_get_identities_after_work, work);
+	}
+	return result;
+}
+
+typedef struct _settings_descriptions_get_t
+{
+	const char* settings;
+	JSContext* context;
+	JSValue promise[2];
+} settings_descriptions_get_t;
+
+static void _tf_ssb_get_settings_descriptions_work(tf_ssb_t* ssb, void* user_data)
+{
+	settings_descriptions_get_t* work = user_data;
+	work->settings = tf_ssb_db_get_property(ssb, "core", "settings");
+}
+
+static void _tf_ssb_get_settings_descriptions_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	settings_descriptions_get_t* work = user_data;
+	JSContext* context = work->context;
+	JSValue result = JS_NewObject(context);
+	JSValue settings = JS_ParseJSON(context, work->settings ? work->settings : "", work->settings ? strlen(work->settings) : 0, NULL);
+	const char* name;
+	const char* type;
+	tf_setting_kind_t kind;
+	const char* description;
+	for (int i = 0; tf_util_get_global_setting_by_index(i, &name, &type, &kind, &description); i++)
+	{
+		JSValue entry = JS_NewObject(context);
+		JS_SetPropertyStr(context, entry, "type", JS_NewString(context, type));
+		JS_SetPropertyStr(context, entry, "description", JS_NewString(context, description));
+		switch (kind)
+		{
+		case k_kind_unknown:
+			break;
+		case k_kind_bool:
+			JS_SetPropertyStr(context, entry, "default_value", JS_NewBool(context, tf_util_get_default_global_setting_bool(name)));
+			break;
+		case k_kind_int:
+			JS_SetPropertyStr(context, entry, "default_value", JS_NewInt32(context, tf_util_get_default_global_setting_int(name)));
+			break;
+		case k_kind_string:
+			JS_SetPropertyStr(context, entry, "default_value", JS_NewString(context, tf_util_get_default_global_setting_string(name)));
+			break;
+		}
+		if (JS_IsObject(settings))
+		{
+			JS_SetPropertyStr(context, entry, "value", JS_GetPropertyStr(context, settings, name));
+		}
+		JS_SetPropertyStr(context, result, name, entry);
+	}
+	JS_FreeValue(context, settings);
+	JSValue error = JS_Call(context, work->promise[0], JS_UNDEFINED, 1, &result);
+	tf_util_report_error(context, error);
+	JS_FreeValue(context, error);
+	JS_FreeValue(context, result);
+	JS_FreeValue(context, work->promise[0]);
+	JS_FreeValue(context, work->promise[1]);
+	tf_free((void*)work->settings);
+	tf_free(work);
+}
+
+static JSValue _tf_ssb_globalSettingsDescriptions(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
+{
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	settings_descriptions_get_t* work = tf_malloc(sizeof(settings_descriptions_get_t));
+	*work = (settings_descriptions_get_t) { .context = context };
+	JSValue result = JS_NewPromiseCapability(context, work->promise);
+	tf_ssb_run_work(ssb, _tf_ssb_get_settings_descriptions_work, _tf_ssb_get_settings_descriptions_after_work, work);
+	return result;
+}
+
+typedef struct _settings_get_t
+{
+	const char* key;
+	tf_setting_kind_t kind;
+	void* value;
+	JSContext* context;
+	JSValue promise[2];
+} settings_get_t;
+
+static void _tf_ssb_settings_get_work(tf_ssb_t* ssb, void* user_data)
+{
+	settings_get_t* work = user_data;
+	work->kind = tf_util_get_global_setting_kind(work->key);
+	switch (work->kind)
+	{
+	case k_kind_unknown:
+		break;
+	case k_kind_bool:
+		{
+			sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+			bool value = false;
+			tf_ssb_db_get_global_setting_bool(db, work->key, &value);
+			work->value = (void*)(intptr_t)value;
+			tf_ssb_release_db_reader(ssb, db);
+		}
+		break;
+	case k_kind_int:
+		{
+			sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+			int64_t value = 0;
+			tf_ssb_db_get_global_setting_int64(db, work->key, &value);
+			work->value = (void*)(intptr_t)value;
+			tf_ssb_release_db_reader(ssb, db);
+		}
+		break;
+	case k_kind_string:
+		{
+			sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+			work->value = (void*)tf_ssb_db_get_global_setting_string_alloc(db, work->key);
+			tf_ssb_release_db_reader(ssb, db);
+		}
+		break;
+	}
+}
+
+static void _tf_ssb_settings_get_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	settings_get_t* work = user_data;
+	JSContext* context = tf_ssb_get_context(ssb);
+	JSValue result = JS_UNDEFINED;
+	switch (work->kind)
+	{
+	case k_kind_unknown:
+		break;
+	case k_kind_bool:
+		result = work->value ? JS_TRUE : JS_FALSE;
+		break;
+	case k_kind_int:
+		result = JS_NewInt64(context, (int64_t)(intptr_t)work->value);
+		break;
+	case k_kind_string:
+		result = JS_NewString(context, (const char*)work->value);
+		tf_free(work->value);
+		break;
+	}
+
+	JSValue error = JS_Call(context, work->promise[0], JS_UNDEFINED, 1, &result);
+	tf_util_report_error(context, error);
+	JS_FreeValue(context, error);
+	JS_FreeValue(context, result);
+	JS_FreeValue(context, work->promise[0]);
+	JS_FreeValue(context, work->promise[1]);
+	JS_FreeCString(context, work->key);
+	tf_free(work);
+}
+
+static JSValue _tf_ssb_globalSettingsGet(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
+{
+	tf_task_t* task = tf_task_get(context);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	settings_get_t* work = tf_malloc(sizeof(settings_get_t));
+	*work = (settings_get_t) { .context = context, .key = JS_ToCString(context, argv[0]) };
+	JSValue result = JS_NewPromiseCapability(context, work->promise);
+	tf_ssb_run_work(ssb, _tf_ssb_settings_get_work, _tf_ssb_settings_get_after_work, work);
+	return result;
+}
+
 static JSValue _tf_api_register_imports(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
 {
 	JSValue imports = argv[0];
@@ -218,6 +804,38 @@ static JSValue _tf_api_register_imports(JSContext* context, JSValueConst this_va
 	JS_SetPropertyStr(context, core, "apps", JS_NewCFunctionData(context, _tf_api_core_apps, 1, 0, 1, &process));
 	JS_SetPropertyStr(context, core, "register", JS_NewCFunctionData(context, _tf_api_core_register, 2, 0, 1, &process));
 	JS_SetPropertyStr(context, core, "unregister", JS_NewCFunctionData(context, _tf_api_core_unregister, 2, 0, 1, &process));
+
+	JS_SetPropertyStr(context, core, "users", JS_NewCFunctionData(context, _tf_api_core_users, 0, 0, 1, &process));
+
+	JS_SetPropertyStr(context, core, "permissionsForUser", JS_NewCFunctionData(context, _tf_api_core_permissionsForUser, 1, 0, 1, &process));
+	JS_SetPropertyStr(context, core, "permissionsGranted", JS_NewCFunctionData(context, _tf_api_core_permissionsGranted, 0, 0, 1, &process));
+
+	JSValue app = JS_NewObject(context);
+	JS_SetPropertyStr(context, app, "owner", JS_GetPropertyStr(context, process, "packageOwner"));
+	JS_SetPropertyStr(context, app, "name", JS_GetPropertyStr(context, process, "packageName"));
+	JS_SetPropertyStr(context, core, "app", app);
+
+	JS_SetPropertyStr(context, core, "url", JS_GetPropertyStr(context, process, "url"));
+
+	JSValue ssb = JS_GetPropertyStr(context, imports, "ssb");
+	JS_SetPropertyStr(context, ssb, "getAllIdentities", JS_NewCFunction(context, _tf_ssb_getAllIdentities, "getAllIdentities", 0));
+	JS_SetPropertyStr(context, ssb, "getActiveIdentity", JS_NewCFunctionData(context, _tf_ssb_getActiveIdentity, 0, 0, 1, &process));
+	JS_SetPropertyStr(context, ssb, "getIdentities", JS_NewCFunctionData(context, _tf_ssb_getIdentities, 0, 0, 1, &process));
+	JS_SetPropertyStr(context, ssb, "getOwnerIdentities", JS_NewCFunctionData(context, _tf_ssb_getOwnerIdentities, 0, 0, 1, &process));
+	JS_FreeValue(context, ssb);
+
+	JSValue credentials = JS_GetPropertyStr(context, process, "credentials");
+	JSValue permissions = JS_IsObject(credentials) ? JS_GetPropertyStr(context, credentials, "permissions") : JS_UNDEFINED;
+	JSValue administration = JS_IsObject(permissions) ? JS_GetPropertyStr(context, permissions, "administration") : JS_UNDEFINED;
+	if (JS_ToBool(context, administration) > 0)
+	{
+		JS_SetPropertyStr(context, core, "globalSettingsDescriptions", JS_NewCFunction(context, _tf_ssb_globalSettingsDescriptions, "globalSettingsDescriptions", 0));
+		JS_SetPropertyStr(context, core, "globalSettingsGet", JS_NewCFunction(context, _tf_ssb_globalSettingsGet, "globalSettingsGet", 1));
+	}
+	JS_FreeValue(context, administration);
+	JS_FreeValue(context, permissions);
+	JS_FreeValue(context, credentials);
+
 	JS_FreeValue(context, core);
 	return JS_UNDEFINED;
 }
--- a/src/http.c
+++ b/src/http.c
@@ -2,7 +2,6 @@

 #include "log.h"
 #include "mem.h"
-#include "tls.h"
 #include "trace.h"
 #include "util.js.h"

@@ -20,10 +19,12 @@

 static const int k_timeout_ms = 60000;

+static tf_http_t** s_http_instances;
+int s_http_instance_count;
+
 typedef struct _tf_http_connection_t
 {
 	tf_http_t* http;
-	tf_tls_session_t* tls;
 	uv_tcp_t tcp;
 	uv_shutdown_t shutdown;
 	uv_timer_t timeout;
@@ -75,7 +76,6 @@ typedef struct _tf_http_handler_t
 typedef struct _tf_http_listener_t
 {
 	tf_http_t* http;
-	tf_tls_context_t* tls;
 	uv_tcp_t tcp;
 	tf_http_cleanup_t* cleanup;
 	void* user_data;
@@ -106,7 +106,6 @@ typedef struct _tf_http_t
 static const char* _http_connection_get_header(const tf_http_connection_t* connection, const char* name);
 static void _http_connection_destroy(tf_http_connection_t* connection, const char* reason);
 static void _http_timer_reset(tf_http_connection_t* connection);
-static void _http_tls_update(tf_http_connection_t* connection);
 static void _http_builtin_404_handler(tf_http_request_t* request);

 tf_http_t* tf_http_create(uv_loop_t* loop)
@@ -115,6 +114,8 @@ tf_http_t* tf_http_create(uv_loop_t* loop)
 	*http = (tf_http_t) {
 		.loop = loop,
 	};
+	s_http_instances = tf_resize_vec(s_http_instances, sizeof(tf_http_t*) * (s_http_instance_count + 1));
+	s_http_instances[s_http_instance_count++] = http;
 	return http;
 }

@@ -255,11 +256,6 @@ static void _http_connection_destroy(tf_http_connection_t* connection, const cha
 	{
 		uv_close((uv_handle_t*)&connection->timeout, _http_connection_on_close);
 	}
-	if (connection->tls)
-	{
-		tf_tls_session_destroy(connection->tls);
-		connection->tls = NULL;
-	}

 	if (connection->ref_count == 0 && !connection->tcp.data && !connection->shutdown.data && !connection->timeout.data)
 	{
@@ -441,7 +437,6 @@ static void _http_add_body_bytes(tf_http_connection_t* connection, const void* d
 			*request = (tf_http_request_t) {
 				.http = connection->http,
 				.connection = connection,
-				.is_tls = connection->tls != NULL,
 				.method = connection->method,
 				.path = connection->path,
 				.query = connection->query,
@@ -582,21 +577,7 @@ static void _http_on_read(uv_stream_t* stream, ssize_t read_size, const uv_buf_t
 	_http_timer_reset(connection);
 	if (read_size > 0)
 	{
-		if (connection->tls)
-		{
-			if (tf_tls_session_write_encrypted(connection->tls, buffer->base, read_size) < 0)
-			{
-				_http_connection_destroy(connection, "tf_tls_session_write_encrypted");
-			}
-			else
-			{
-				_http_tls_update(connection);
-			}
-		}
-		else
-		{
-			_http_on_read_plain(connection, buffer->base, read_size);
-		}
+		_http_on_read_plain(connection, buffer->base, read_size);
 	}
 	else if (read_size < 0)
 	{
@@ -638,17 +619,6 @@ static void _http_on_connection(uv_stream_t* stream, int status)

 	tf_http_connection_t* connection = tf_malloc(sizeof(tf_http_connection_t));
 	*connection = (tf_http_connection_t) { .http = http, .tcp = { .data = connection }, .is_receiving_headers = true };
-	if (listener->tls)
-	{
-		connection->tls = tf_tls_context_create_session(listener->tls);
-		if (!connection->tls)
-		{
-			_http_connection_destroy(connection, "tf_tls_context_create_session");
-			return;
-		}
-		tf_tls_session_start_accept(connection->tls);
-		connection->is_handshaking = true;
-	}
 	int r = uv_tcp_init(connection->http->loop, &connection->tcp);
 	if (r)
 	{
@@ -689,21 +659,15 @@ static void _http_on_connection(uv_stream_t* stream, int status)
 		return;
 	}

-	if (connection->tls)
-	{
-		_http_tls_update(connection);
-	}
-
 	http->connections = tf_resize_vec(http->connections, sizeof(tf_http_connection_t*) * (http->connections_count + 1));
 	http->connections[http->connections_count++] = connection;
 }

-int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_tls_context_t* tls, tf_http_cleanup_t* cleanup, void* user_data)
+int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_http_cleanup_t* cleanup, void* user_data)
 {
 	tf_http_listener_t* listener = tf_malloc(sizeof(tf_http_listener_t));
 	*listener = (tf_http_listener_t) {
 		.http = http,
-		.tls = tls,
 		.tcp = { .data = listener },
 		.cleanup = cleanup,
 		.user_data = user_data,
@@ -872,6 +836,21 @@ void tf_http_destroy(tf_http_t* http)
 		http->handlers_count = 0;

 		tf_free(http);
+
+		for (int i = 0; i < s_http_instance_count; i++)
+		{
+			if (s_http_instances[i] == http)
+			{
+				s_http_instances[i] = s_http_instances[--s_http_instance_count];
+				break;
+			}
+		}
+		if (s_http_instance_count == 0)
+		{
+			tf_free(s_http_instances);
+			s_http_instances = NULL;
+		}
+		tf_printf("http %p destroyed\n", http);
 	}
 	else
 	{
@@ -928,71 +907,10 @@ static void _http_write_internal(tf_http_connection_t* connection, const void* d
 	}
 }

-static void _http_tls_update(tf_http_connection_t* connection)
-{
-	bool again = true;
-	while (again)
-	{
-		again = false;
-
-		if (connection->is_handshaking && connection->tls)
-		{
-			switch (tf_tls_session_handshake(connection->tls))
-			{
-			case k_tls_handshake_done:
-				connection->is_handshaking = false;
-				break;
-			case k_tls_handshake_more:
-				break;
-			case k_tls_handshake_failed:
-				_http_connection_destroy(connection, "tf_tls_session_handshake");
-				return;
-			}
-		}
-
-		/* Maybe we became disconnected and cleaned up our TLS session. */
-		if (connection->tls)
-		{
-			char buffer[8192];
-			int r = tf_tls_session_read_encrypted(connection->tls, buffer, sizeof(buffer));
-			if (r > 0)
-			{
-				_http_write_internal(connection, buffer, r);
-				again = true;
-			}
-		}
-
-		if (connection->tls)
-		{
-			char buffer[8192];
-			int r = tf_tls_session_read_plain(connection->tls, buffer, sizeof(buffer));
-			if (r > 0)
-			{
-				_http_on_read_plain(connection, buffer, r);
-				again = true;
-			}
-		}
-	}
-}
-
 static void _http_write(tf_http_connection_t* connection, const void* data, size_t size)
 {
 	_http_timer_reset(connection);
-	if (connection->tls)
-	{
-		int r = tf_tls_session_write_plain(connection->tls, data, size);
-		if (r < (ssize_t)size)
-		{
-			char buffer[8192];
-			tf_tls_session_get_error(connection->tls, buffer, sizeof(buffer));
-			tf_printf("tf_tls_session_write_plain: %s\n", buffer);
-		}
-		_http_tls_update(connection);
-	}
-	else
-	{
-		_http_write_internal(connection, data, size);
-	}
+	_http_write_internal(connection, data, size);
 }

 void tf_http_request_websocket_send(tf_http_request_t* request, int op_code, const void* data, size_t size)
@@ -1215,3 +1133,19 @@ const char* tf_http_get_cookie(const char* cookie_header, const char* name)
 	}
 	return NULL;
 }
+
+void tf_http_debug_destroy()
+{
+	for (int i = 0; i < s_http_instance_count; i++)
+	{
+		tf_http_t* http = s_http_instances[i];
+		tf_printf("http %p[%d]\n", http, i);
+		tf_printf("  connections = %d\n", http->connections_count);
+		for (int j = 0; j < http->connections_count; j++)
+		{
+			tf_http_connection_t* connection = http->connections[j];
+			tf_printf("    connection %p[%d] %s tcp=%p timeout=%p shutdown=%p rc=%d\n", connection, j, connection->trace_name, connection->tcp.data, connection->timeout.data,
+				connection->shutdown.data, connection->ref_count);
+		}
+	}
+}
--- a/src/http.h
+++ b/src/http.h
@@ -23,9 +23,6 @@ typedef struct _tf_http_request_t tf_http_request_t;
 /** An HTTP instance. */
 typedef struct _tf_http_t tf_http_t;

-/** A TLS context. */
-typedef struct _tf_tls_context_t tf_tls_context_t;
-
 /** A trace instance. */
 typedef struct _tf_trace_t tf_trace_t;

@@ -68,8 +65,6 @@ typedef struct _tf_http_request_t
 	tf_http_t* http;
 	/** The HTTP connection associated with this request. */
 	tf_http_connection_t* connection;
-	/** True if this is an HTTPS session. */
-	bool is_tls;
 	/** The HTTP method of the request (GET/POST/...). */
 	const char* method;
 	/** The HTTP request path. */
@@ -117,12 +112,11 @@ void tf_http_set_trace(tf_http_t* http, tf_trace_t* trace);
 ** @param http The HTTP instance.
 ** @param port The port on which to listen, or 0 to assign a free port.
 ** @param local_only Only access connections on localhost, otherwise any address.
-** @param tls An optional TLS context to use for HTTPS requests.
 ** @param cleanup A function called when the HTTP instance is being cleaned up.
 ** @param user_data User data passed to the cleanup callback.
 ** @return The port number on which the HTTP instance is now listening.
 */
-int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_tls_context_t* tls, tf_http_cleanup_t* cleanup, void* user_data);
+int tf_http_listen(tf_http_t* http, int port, bool local_only, tf_http_cleanup_t* cleanup, void* user_data);

 /**
 ** Add an HTTP request handler.
@@ -238,4 +232,9 @@ const char* tf_http_status_text(int status);
 */
 bool tf_http_pattern_matches(const char* pattern, const char* path);

+/**
+** Log debug information to diagnose shutdown problems.
+*/
+void tf_http_debug_destroy();
+
 /** @} */
--- a/src/httpd.js.c
+++ b/src/httpd.js.c
@@ -7,7 +7,6 @@
 #include "sha1.h"
 #include "ssb.db.h"
 #include "task.h"
-#include "tls.h"
 #include "trace.h"
 #include "util.js.h"
 #include "version.h"
@@ -15,11 +14,17 @@
 #include "sodium/crypto_sign.h"
 #include "sodium/utils.h"

+#if defined(__APPLE__)
+#include <TargetConditionals.h>
+#endif
+
 #define CYAN "\e[1;36m"
 #define MAGENTA "\e[1;35m"
 #define YELLOW "\e[1;33m"
 #define RESET "\e[0m"

+static const int k_eula_version = 1;
+
 static JSClassID _httpd_request_class_id;

 typedef struct _http_user_data_t
@@ -257,11 +262,6 @@ JSValue tf_httpd_make_response_object(JSContext* context, tf_http_request_t* req

 bool tf_httpd_redirect(tf_http_request_t* request)
 {
-	if (request->is_tls)
-	{
-		return false;
-	}
-
 	http_user_data_t* user_data = tf_http_get_user_data(request->http);
 	if (!user_data || !*user_data->redirect)
 	{
@@ -276,16 +276,12 @@ bool tf_httpd_redirect(tf_http_request_t* request)

 typedef struct _httpd_listener_t
 {
-	tf_tls_context_t* tls;
+	int padding;
 } httpd_listener_t;

 static void _httpd_listener_cleanup(void* user_data)
 {
 	httpd_listener_t* listener = user_data;
-	if (listener->tls)
-	{
-		tf_tls_context_destroy(listener->tls);
-	}
 	tf_free(listener);
 }

@@ -574,7 +570,7 @@ static void _httpd_endpoint_add_slash(tf_http_request_t* request)
 		host = tf_http_request_get_header(request, "host");
 	}
 	char url[1024];
-	snprintf(url, sizeof(url), "%s%s%s/", request->is_tls ? "https://" : "http://", host, request->path);
+	snprintf(url, sizeof(url), "%s%s%s/", "http://", host, request->path);
 	const char* headers[] = {
 		"Location",
 		url,
@@ -626,28 +622,97 @@ tf_httpd_user_app_t* tf_httpd_parse_user_app_from_path(const char* path, const c
 	return result;
 }

-static void _httpd_endpoint_root_callback(const char* path, void* user_data)
+typedef struct _root_t
 {
-	tf_http_request_t* request = user_data;
-	const char* headers[] = {
-		"Location",
-		path ? path : "/~core/apps/",
-	};
-	tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
-	tf_http_request_unref(request);
-}
+	tf_http_request_t* request;
+	const char* path;
+} root_t;

-static void _httpd_endpoint_root(tf_http_request_t* request)
+static void _httpd_root_work(tf_ssb_t* ssb, void* user_data)
 {
+	root_t* root = user_data;
+	tf_http_request_t* request = root->request;
 	const char* host = tf_http_request_get_header(request, "x-forwarded-host");
 	if (!host)
 	{
 		host = tf_http_request_get_header(request, "host");
 	}
+
+	bool require_eula =
+#if TARGET_OS_IPHONE
+		true;
+#else
+		false;
+#endif
+
+	int64_t accepted_eula_version = 0;
+
+	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+	tf_ssb_db_get_global_setting_int64(db, "accepted_eula_version", &accepted_eula_version);
+	if (require_eula && accepted_eula_version != k_eula_version)
+	{
+		root->path = tf_strdup("/static/eula.html");
+	}
+	else
+	{
+		root->path = tf_ssb_db_resolve_index(db, host);
+	}
+	tf_ssb_release_db_reader(ssb, db);
+}
+
+static void _httpd_root_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	root_t* root = user_data;
+	tf_http_request_t* request = root->request;
+	const char* headers[] = {
+		"Location",
+		root->path ? root->path : "/~core/apps/",
+	};
+	tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
+	tf_http_request_unref(request);
+	tf_free((void*)root->path);
+	tf_free(root);
+}
+
+static void _httpd_endpoint_root(tf_http_request_t* request)
+{
+	root_t* root = tf_malloc(sizeof(root_t));
+	*root = (root_t) {
+		.request = request,
+	};
+	tf_http_request_ref(request);
 	tf_task_t* task = request->user_data;
 	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	tf_ssb_run_work(ssb, _httpd_root_work, _httpd_root_after_work, root);
+}
+
+static void _httpd_accept_eula_work(tf_ssb_t* ssb, void* user_data)
+{
+	char buffer[64];
+	snprintf(buffer, sizeof(buffer), "%d", k_eula_version);
+
+	sqlite3* db = tf_ssb_acquire_db_writer(ssb);
+	tf_ssb_db_set_global_setting_from_string(db, "accepted_eula_version", buffer);
+	tf_ssb_release_db_writer(ssb, db);
+}
+
+static void _httpd_accept_eula_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	tf_http_request_t* request = user_data;
+	const char* headers[] = {
+		"Location",
+		"/",
+	};
+	tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
+	tf_http_request_unref(request);
+}
+
+static void _httpd_endpoint_accept_eula(tf_http_request_t* request)
+{
 	tf_http_request_ref(request);
-	tf_ssb_db_resolve_index_async(ssb, host, _httpd_endpoint_root_callback, request);
+	tf_task_t* task = request->user_data;
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	tf_ssb_run_work(ssb, _httpd_accept_eula_work, _httpd_accept_eula_after_work, request);
 }

 static void _httpd_endpoint_robots_txt(tf_http_request_t* request)
@@ -860,31 +925,6 @@ bool tf_httpd_is_name_valid(const char* name)
 	return true;
 }

-static void _httpd_free_user_data(void* user_data)
-{
-	tf_free(user_data);
-}
-
-static const char* _httpd_read_file(tf_task_t* task, const char* path)
-{
-	const char* actual = tf_task_get_path_with_root(task, path);
-	const size_t k_max_read = 8 * 1024 * 1024;
-	char* result = NULL;
-	char* buffer = tf_malloc(k_max_read);
-	FILE* file = fopen(actual, "rb");
-	if (file)
-	{
-		size_t size = fread(buffer, 1, k_max_read, file);
-		result = tf_malloc(size + 1);
-		memcpy(result, buffer, size);
-		result[size] = '\0';
-		fclose(file);
-	}
-	tf_free(buffer);
-	tf_free((char*)actual);
-	return result;
-}
-
 void tf_httpd_register(JSContext* context)
 {
 	JS_NewClassID(&_httpd_request_class_id);
@@ -913,41 +953,18 @@ tf_http_t* tf_httpd_create(JSContext* context)
 	tf_http_set_trace(http, tf_task_get_trace(task));

 	int64_t http_port = 0;
-	int64_t https_port = 0;
 	char out_http_port_file[512] = "";
 	bool local_only = false;
 	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
 	tf_ssb_db_get_global_setting_int64(db, "http_port", &http_port);
-	tf_ssb_db_get_global_setting_int64(db, "https_port", &https_port);
 	tf_ssb_db_get_global_setting_string(db, "out_http_port_file", out_http_port_file, sizeof(out_http_port_file));
 	tf_ssb_db_get_global_setting_bool(db, "http_local_only", &local_only);
 	tf_ssb_release_db_reader(ssb, db);

-	if (https_port)
-	{
-		http_user_data_t* user_data = tf_http_get_user_data(http);
-		if (!user_data)
-		{
-			user_data = tf_malloc(sizeof(http_user_data_t));
-			memset(user_data, 0, sizeof(http_user_data_t));
-			tf_http_set_user_data(http, user_data, _httpd_free_user_data);
-		}
-		sqlite3* db = tf_ssb_acquire_db_reader(ssb);
-		tf_ssb_db_get_global_setting_string(db, "http_redirect", user_data->redirect, sizeof(user_data->redirect));
-		tf_ssb_release_db_reader(ssb, db);
-
-		/* Workaround. */
-		if (strcmp(user_data->redirect, "0") == 0)
-		{
-			*user_data->redirect = '\0';
-		}
-	}
-
 	tf_http_add_handler(http, "/", _httpd_endpoint_root, NULL, task);
 	tf_http_add_handler(http, "/codemirror/*", tf_httpd_endpoint_static, NULL, task);
 	tf_http_add_handler(http, "/lit/*", tf_httpd_endpoint_static, NULL, task);
 	tf_http_add_handler(http, "/prettier/*", tf_httpd_endpoint_static, NULL, task);
-	tf_http_add_handler(http, "/speedscope/*", tf_httpd_endpoint_static, NULL, task);
 	tf_http_add_handler(http, "/static/*", tf_httpd_endpoint_static, NULL, task);
 	tf_http_add_handler(http, "/.well-known/*", tf_httpd_endpoint_static, NULL, task);
 	tf_http_add_handler(http, "/&*.sha256", _httpd_endpoint_add_slash, NULL, task);
@@ -970,6 +987,7 @@ tf_http_t* tf_httpd_create(JSContext* context)
 	tf_http_add_handler(http, "/login/logout", tf_httpd_endpoint_logout, NULL, task);
 	tf_http_add_handler(http, "/login/auto", tf_httpd_endpoint_login_auto, NULL, task);
 	tf_http_add_handler(http, "/login", tf_httpd_endpoint_login, NULL, task);
+	tf_http_add_handler(http, "/eula/accept", _httpd_endpoint_accept_eula, NULL, task);

 	tf_http_add_handler(http, "/app/socket", tf_httpd_endpoint_app_socket, NULL, task);

@@ -977,7 +995,7 @@ tf_http_t* tf_httpd_create(JSContext* context)
 	{
 		httpd_listener_t* listener = tf_malloc(sizeof(httpd_listener_t));
 		*listener = (httpd_listener_t) { 0 };
-		int assigned_port = tf_http_listen(http, http_port, local_only, NULL, _httpd_listener_cleanup, listener);
+		int assigned_port = tf_http_listen(http, http_port, local_only, _httpd_listener_cleanup, listener);
 		tf_printf(CYAN "~😎 Tilde Friends" RESET " " YELLOW VERSION_NUMBER RESET " is now up at " MAGENTA "http://127.0.0.1:%d/" RESET ".\n", assigned_port);

 		if (*out_http_port_file)
@@ -996,26 +1014,6 @@ tf_http_t* tf_httpd_create(JSContext* context)
 			}
 			tf_free((char*)actual_http_port_file);
 		}
-
-		if (https_port)
-		{
-			const char* k_certificate = "data/httpd/certificate.pem";
-			const char* k_private_key = "data/httpd/privatekey.pem";
-			const char* certificate = _httpd_read_file(task, k_certificate);
-			const char* private_key = _httpd_read_file(task, k_private_key);
-			if (certificate && private_key)
-			{
-				tf_tls_context_t* tls = tf_tls_context_create();
-				tf_tls_context_set_certificate(tls, certificate);
-				tf_tls_context_set_private_key(tls, private_key);
-				httpd_listener_t* listener = tf_malloc(sizeof(httpd_listener_t));
-				*listener = (httpd_listener_t) { .tls = tls };
-				int assigned_port = tf_http_listen(http, https_port, local_only, tls, _httpd_listener_cleanup, listener);
-				tf_printf(CYAN "~😎 Tilde Friends" RESET " " YELLOW VERSION_NUMBER RESET " is now up at " MAGENTA "https://127.0.0.1:%d/" RESET ".\n", assigned_port);
-			}
-			tf_free((char*)certificate);
-			tf_free((char*)private_key);
-		}
 	}
 	return http;
 }
--- a/src/httpd.login.c
+++ b/src/httpd.login.c
@@ -37,11 +37,11 @@ typedef struct _login_request_t
 const char* tf_httpd_make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie)
 {
 	const char* k_pattern = "session=%s; path=/; Max-Age=%" PRId64 "; %sSameSite=Strict; HttpOnly";
-	int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : "") : 0;
+	int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_httpd_auth_refresh_interval, "") : 0;
 	char* cookie = length ? tf_malloc(length + 1) : NULL;
 	if (cookie)
 	{
-		snprintf(cookie, length + 1, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : "");
+		snprintf(cookie, length + 1, k_pattern, session_cookie, k_httpd_auth_refresh_interval, "");
 	}
 	return cookie;
 }
@@ -226,7 +226,7 @@ static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data)
 		}
 		else
 		{
-			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
+			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", "http://", tf_http_request_get_header(request, "host"));
 		}
 		goto done;
 	}
@@ -332,7 +332,7 @@ static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data)
 		}
 		else
 		{
-			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
+			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", "http://", tf_http_request_get_header(request, "host"));
 		}
 		login->set_cookie_header = tf_httpd_make_set_session_cookie_header(request, send_session);
 		tf_free((void*)send_session);
@@ -352,7 +352,7 @@ static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data)
 		{
 			JSValue settings_value = JS_ParseJSON(context, login->settings, strlen(login->settings), NULL);
 			JSValue code_of_conduct_value = JS_GetPropertyStr(context, settings_value, "code_of_conduct");
-			const char* code_of_conduct = JS_ToCString(context, code_of_conduct_value);
+			const char* code_of_conduct = JS_IsString(code_of_conduct_value) ? JS_ToCString(context, code_of_conduct_value) : NULL;
 			const char* result = tf_strdup(code_of_conduct);
 			JS_FreeCString(context, code_of_conduct);
 			JS_FreeValue(context, code_of_conduct_value);
@@ -416,8 +416,7 @@ void tf_httpd_endpoint_login(tf_http_request_t* request)

 void tf_httpd_endpoint_logout(tf_http_request_t* request)
 {
-	const char* k_set_cookie = request->is_tls ? "session=; path=/; Secure; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"
-											   : "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly";
+	const char* k_set_cookie = "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly";
 	const char* k_location_format = "/login%s%s";
 	int length = snprintf(NULL, 0, k_location_format, request->query ? "?" : "", request->query);
 	char* location = alloca(length + 1);
--- a/src/httpd.static.c
+++ b/src/httpd.static.c
@@ -124,6 +124,7 @@ void tf_httpd_endpoint_static(tf_http_request_t* request)

 	const char* k_static_files[] = {
 		"index.html",
+		"eula.html",
 		"client.js",
 		"tildefriends.svg",
 		"jszip.min.js",
@@ -137,7 +138,6 @@ void tf_httpd_endpoint_static(tf_http_request_t* request)
 		{ "/lit/", "deps/lit/" },
 		{ "/codemirror/", "deps/codemirror/" },
 		{ "/prettier/", "deps/prettier/" },
-		{ "/speedscope/", "deps/speedscope/" },
 		{ "/.well-known/", "data/global/.well-known/" },
 	};

--- a/src/ios.m
+++ b/src/ios.m
@@ -1,19 +1,28 @@
+#import <CoreSpotlight/CSSearchableIndex.h>
+#import <CoreSpotlight/CSSearchableItem.h>
+#import <CoreSpotlight/CSSearchableItemAttributeSet.h>
 #import <UIKit/UIKit.h>
+#import <WebKit/WKDownload.h>
+#import <WebKit/WKDownloadDelegate.h>
+#import <WebKit/WKNavigationAction.h>
 #import <WebKit/WKNavigationDelegate.h>
+#import <WebKit/WKNavigationResponse.h>
 #import <WebKit/WKUIDelegate.h>
 #import <WebKit/WKWebView.h>
 #import <WebKit/WKWebViewConfiguration.h>

 #include "log.h"
+#include "util.js.h"

 #include <libgen.h>
 #include <string.h>

 void tf_run_thread_start(const char* zip_path);

-@interface ViewController : UINavigationController <WKUIDelegate, WKNavigationDelegate>
+@interface ViewController : UINavigationController <WKUIDelegate, WKNavigationDelegate, WKDownloadDelegate, UIDocumentPickerDelegate>
@property (strong, nonatomic) WKWebView* web_view;
@property bool initial_load_complete;
+@property (retain) NSURL* download_url;
@end

 static void _start_initial_load(WKWebView* web_view)
@@ -26,20 +35,17 @@ static void _start_initial_load(WKWebView* web_view)
 {
 	[super viewDidLoad];

-	[self setToolbarHidden:false animated:false];
-	self.toolbar.items = @[
-		[[UIBarButtonItem alloc] initWithTitle:@"Back" style:UIBarButtonItemStylePlain target:self action:@selector(goBack)],
-		[[UIBarButtonItem alloc] initWithTitle:@"Forward" style:UIBarButtonItemStylePlain target:self action:@selector(goForward)],
-		[[UIBarButtonItem alloc] initWithTitle:@"Refresh" style:UIBarButtonItemStylePlain target:self action:@selector(reload)]
-	];
-
 	WKWebViewConfiguration* configuration = [[WKWebViewConfiguration alloc] init];
 	self.web_view = [[WKWebView alloc] initWithFrame:self.view.frame configuration:configuration];
 	self.web_view.UIDelegate = self;
 	self.web_view.navigationDelegate = self;
 	self.web_view.autoresizingMask = UIViewAutoresizingFlexibleHeight | UIViewAutoresizingFlexibleWidth;
 	self.web_view.translatesAutoresizingMaskIntoConstraints = false;
+	self.web_view.allowsBackForwardNavigationGestures = true;
 	[self.view addSubview:self.web_view];
+	UIRefreshControl* refresh = [[UIRefreshControl alloc] init];
+	[refresh addTarget:self action:@selector(handleRefresh:) forControlEvents:UIControlEventValueChanged];
+	self.web_view.scrollView.refreshControl = refresh;

 	[self.view addConstraint:[NSLayoutConstraint constraintWithItem:self.web_view attribute:NSLayoutAttributeTop relatedBy:NSLayoutRelationEqual toItem:self.view
 														  attribute:NSLayoutAttributeTop
@@ -61,30 +67,21 @@ static void _start_initial_load(WKWebView* web_view)
 	_start_initial_load(self.web_view);
 }

- (void)goBack
-{
-	if (self.web_view.canGoBack)
-	{
-		[self.web_view goBack];
-	}
-}
-
- (void)goForward
-{
-	if (self.web_view.canGoForward)
-	{
-		[self.web_view goForward];
-	}
-}
-
- (void)reload
+- (void)handleRefresh:(id)sender
 {
+	tf_printf("refresh\n");
 	[self.web_view reload];
 }

 - (void)webView:(WKWebView*)webView didFinishNavigation:(WKNavigation*)navigation
 {
-	self.initial_load_complete = true;
+	if (!self.initial_load_complete)
+	{
+		tf_printf("initial load complete\n");
+		self.initial_load_complete = true;
+	}
+	self.navigationController.interactivePopGestureRecognizer.enabled = self.web_view.canGoBack;
+	[self.web_view.scrollView.refreshControl endRefreshing];
 }

 - (void)webView:(WKWebView*)webView didFailProvisionalNavigation:(WKNavigation*)navigation withError:(NSError*)error
@@ -133,6 +130,59 @@ static void _start_initial_load(WKWebView* web_view)
 	[alertController addAction:[UIAlertAction actionWithTitle:@"Cancel" style:UIAlertActionStyleCancel handler:^(UIAlertAction* action) { completionHandler(nil); }]];
 	[self presentViewController:alertController animated:YES completion:^ {}];
 }
+
+- (void)webView:(WKWebView*)webView decidePolicyForNavigationAction:(WKNavigationAction*)navigationAction decisionHandler:(void (^)(enum WKNavigationActionPolicy))decisionHandler
+{
+	decisionHandler(navigationAction.shouldPerformDownload ? WKNavigationActionPolicyDownload : WKNavigationActionPolicyAllow);
+}
+
+- (void)webView:(WKWebView*)webView
+	decidePolicyForNavigationResponse:(WKNavigationResponse*)navigationResponse
+					  decisionHandler:(void (^)(enum WKNavigationResponsePolicy))decisionHandler
+{
+	decisionHandler(navigationResponse.canShowMIMEType ? WKNavigationResponsePolicyAllow : WKNavigationResponsePolicyDownload);
+}
+
+- (void)webView:(WKWebView*)webView navigationAction:(WKNavigationAction*)navigationAction didBecomeDownload:(WKDownload*)download
+{
+	download.delegate = self;
+}
+
+- (void)webView:(WKWebView*)webView navigationResponse:(WKNavigationResponse*)navigationResponse didBecomeDownload:(WKDownload*)download
+{
+	download.delegate = self;
+}
+
+- (void)download:(WKDownload*)download
+	decideDestinationUsingResponse:(NSURLResponse*)response
+				 suggestedFilename:(NSString*)suggestedFilename
+				 completionHandler:(void (^)(NSURL*))completionHandler
+{
+	self.download_url = [[NSURL fileURLWithPath:NSTemporaryDirectory()] URLByAppendingPathComponent:suggestedFilename];
+	completionHandler(self.download_url);
+}
+
+- (void)downloadDidFinish:(WKDownload*)download
+{
+	UIDocumentPickerViewController* picker = [[UIDocumentPickerViewController alloc] initForExportingURLs:@[ self.download_url ]];
+	picker.delegate = self;
+	[self presentViewController:picker animated:YES completion:nil];
+}
+
+- (void)download:(WKDownload*)download didFailWithError:(NSError*)error resumeData:(NSData*)resumeData
+{
+	tf_printf("download didFailWithError:%s\n", [error.localizedDescription UTF8String]);
+}
+
+- (void)documentPicker:(UIDocumentPickerViewController*)controller didPickDocumentAtURLs:(NSArray<NSURL*>*)urls
+{
+	[[NSFileManager defaultManager] removeItemAtURL:self.download_url error:nil];
+}
+
+- (void)documentPickerWasCancelled:(UIDocumentPickerViewController*)controller
+{
+	[[NSFileManager defaultManager] removeItemAtURL:self.download_url error:nil];
+}
@end

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@@ -148,8 +198,50 @@ static void _start_initial_load(WKWebView* web_view)
 	[self.window makeKeyAndVisible];
 	return YES;
 }
+
+- (BOOL)application:(UIApplication*)application
+	continueUserActivity:(NSUserActivity*)activity
+	  restorationHandler:(void (^)(NSArray<id<UIUserActivityRestoring>>*))restorationHandler
+{
+	if ([activity.activityType isEqual:CSSearchableItemActionType])
+	{
+		const char* identifier = [[activity.userInfo valueForKey:CSSearchableItemActivityIdentifier] UTF8String];
+		tf_printf("Jumping to search result: %s.\n", identifier);
+
+		char url[1024];
+		snprintf(url, sizeof(url), "http://localhost:12345/~core/ssb/#%s", identifier);
+		tf_printf("Navigating to %s.", url);
+		ViewController* view_controller = (ViewController*)self.window.rootViewController;
+		[view_controller.web_view loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithUTF8String:url]]]];
+	}
+	else
+	{
+		tf_printf("no search\n");
+	}
+	return NO;
+}
@end

+void tf_notify_message_added_ios(const char* identifier, const char* title, const char* content)
+{
+	tf_printf("indexing: identifier=%s title=%s content=%s\n", identifier, title, content);
+	CSSearchableItemAttributeSet* attribute_set = [[CSSearchableItemAttributeSet alloc] initWithContentType:UTTypeText];
+	attribute_set.title = [NSString stringWithUTF8String:content];
+	attribute_set.contentDescription = [NSString stringWithUTF8String:title];
+	CSSearchableItem* item = [[CSSearchableItem alloc] initWithUniqueIdentifier:[NSString stringWithUTF8String:identifier] domainIdentifier:@"com.unprompted.tildefriends.messages"
+																   attributeSet:attribute_set];
+	[[CSSearchableIndex defaultSearchableIndex] indexSearchableItems:@[ item ] completionHandler:^(NSError* _Nullable error) {
+		if (error)
+		{
+			tf_printf("indexing error: %s.\n", [error.localizedDescription UTF8String]);
+		}
+		else
+		{
+			tf_printf("indexed successfully.\n");
+		}
+	}];
+}
+
 int main(int argc, char* argv[])
 {
 	NSFileManager* file_manager = [NSFileManager defaultManager];
--- a/src/ios/Info.plist
+++ b/src/ios/Info.plist
@@ -13,19 +13,19 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.2025.10</string>
+	<string>0.2025.11</string>
 	<key>CFBundleSupportedPlatforms</key>
 	<array>
 		<string>iPhoneOS</string>
 	</array>
 	<key>CFBundleVersion</key>
-	<string>18</string>
+	<string>26</string>
 	<key>DTPlatformName</key>
 	<string>iphoneos</string>
 	<key>LSRequiresIPhoneOS</key>
 	<true/>
 	<key>MinimumOSVersion</key>
-	<string>14.0</string>
+	<string>14.5</string>
 	<key>UIDeviceFamily</key>
 	<array>
 		<integer>1</integer>
@@ -83,5 +83,13 @@
 	</dict>
 	<key>ITSAppUsesNonExemptEncryption</key>
 	<false/>
+	<key>NSCameraUsageDescription</key>
+	<string>Camera access is used to take pictures to add to posts.</string>
+	<key>NSMicrophoneUsageDescription</key>
+	<string>Microphone access is used to capture audio to add to posts.</string>
+	<key>NSPhotoLibraryUsageDescription</key>
+	<string>Photo library access is used to select images to add to posts.</string>
+	<key>NSDownlodasFolderUsageDescription</key>
+	<string>Downloads folder access is used to export and import apps.</string>
 </dict>
 </plist>
--- a/src/ios/tildefriends512.png
+++ b/src/ios/tildefriends512.png
--- a/src/log.h
+++ b/src/log.h
@@ -17,12 +17,15 @@
 #include <TargetConditionals.h>
 #if TARGET_OS_IPHONE
 #include <os/log.h>
+#include <stdio.h>
 #define tf_printf(...) \
 	do \
 	{ \
 		char buffer##__LINE__[2048]; \
 		snprintf(buffer##__LINE__, sizeof(buffer##__LINE__), __VA_ARGS__); \
 		os_log(OS_LOG_DEFAULT, "%{public}s", buffer##__LINE__); \
+		fputs(buffer##__LINE__, stdout); \
+		fflush(stdout); \
 	} while (0)
 #else
 #include <stdio.h>
--- a/src/main.c
+++ b/src/main.c
@@ -1502,13 +1502,11 @@ static int _tf_run_task(const tf_run_args_t* args, int index)
 	tf_ssb_t* ssb = tf_task_get_ssb(task);
 	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
 	int64_t http_port = 0;
-	int64_t https_port = 0;
 	char out_http_port_file[512] = "";
 	tf_ssb_db_get_global_setting_int64(db, "http_port", &http_port);
-	tf_ssb_db_get_global_setting_int64(db, "https_port", &https_port);
 	tf_ssb_db_get_global_setting_string(db, "out_http_port_file", out_http_port_file, sizeof(out_http_port_file));
 	tf_ssb_release_db_reader(ssb, db);
-	if (http_port || https_port || *out_http_port_file)
+	if (http_port || *out_http_port_file)
 	{
 		if (args->zip)
 		{
@@ -1869,7 +1867,6 @@ static void _startup(int argc, char* argv[])
 	prctl(PR_SET_PDEATHSIG, SIGKILL);
 #endif
 	tf_mem_replace_uv_allocator();
-	tf_mem_replace_tls_allocator();
 	tf_mem_replace_sqlite_allocator();
 	uv_setup_args(argc, argv);
 	tf_taskstub_startup();
--- a/src/mem.c
+++ b/src/mem.c
@@ -7,8 +7,6 @@
 #include "sqlite3.h"
 #include "uv.h"

-#include <openssl/crypto.h>
-
 #include <stdbool.h>
 #include <string.h>

@@ -19,7 +17,6 @@ static bool s_mem_tracking;
 static tf_mem_node_t* s_mem_tracked;
 static int64_t s_tf_malloc_size;
 static int64_t s_uv_malloc_size;
-static int64_t s_tls_malloc_size;
 static int64_t s_js_malloc_size;
 static int64_t s_sqlite_malloc_size;

@@ -387,31 +384,6 @@ size_t tf_mem_get_uv_malloc_size()
 	return s_uv_malloc_size;
 }

-static void* _tf_tls_alloc(size_t size, const char* file, int line)
-{
-	return _tf_alloc(&s_tls_malloc_size, size);
-}
-
-static void* _tf_tls_realloc(void* ptr, size_t size, const char* file, int line)
-{
-	return _tf_realloc(&s_tls_malloc_size, ptr, size);
-}
-
-static void _tf_tls_free(void* ptr, const char* file, int line)
-{
-	_tf_free(&s_tls_malloc_size, ptr);
-}
-
-void tf_mem_replace_tls_allocator()
-{
-	CRYPTO_set_mem_functions(_tf_tls_alloc, _tf_tls_realloc, _tf_tls_free);
-}
-
-size_t tf_mem_get_tls_malloc_size()
-{
-	return s_tls_malloc_size;
-}
-
 void* tf_malloc(size_t size)
 {
 	return _tf_alloc(&s_tf_malloc_size, size);
--- a/src/mem.h
+++ b/src/mem.h
@@ -3,7 +3,7 @@
 /**
 ** \defgroup mem Memory management
 ** tf_malloc() and friends use malloc() behind the scenes but optionally
-** track memory per system (OpenSSL, sqlite, libuv, ...) and store callstacks
+** track memory per system (sqlite, libuv, ...) and store callstacks
 ** to help debug leaks.
 ** @{
 */
@@ -38,17 +38,6 @@ void tf_mem_replace_uv_allocator();
 */
 size_t tf_mem_get_uv_malloc_size();

-/**
-** Register a custom allocator with OpenSSL.
-*/
-void tf_mem_replace_tls_allocator();
-
-/**
-** Get the number of bytes currently allocated by OpenSSL.
-** @return The allocated size in bytes.
-*/
-size_t tf_mem_get_tls_malloc_size();
-
 /**
 ** Register a custom allocator with SQLite.
 */
--- a/src/socket.js.c
+++ b/src/socket.js.c
--- a/src/socket.js.h
+++ b/src/socket.js.h
@@ -1,30 +0,0 @@
-#pragma once
-
-/**
-** \defgroup socket_js Socket Interface
-** Exposes network sockets to script.
-** @{
-*/
-
-#include "quickjs.h"
-
-/**
-** Register the socket script interface.
-** @param context The JS context.
-** @return The Socket constructor.
-*/
-JSValue tf_socket_register(JSContext* context);
-
-/**
-** Get the number of active socket objects.
-** @return The count.
-*/
-int tf_socket_get_count();
-
-/**
-** Get the number of connected socket objects.
-** @return the count.
-*/
-int tf_socket_get_open_count();
-
-/** @} */
--- a/src/ssb.c
+++ b/src/ssb.c
@@ -1,5 +1,6 @@
 #include "ssb.h"

+#include "http.h"
 #include "log.h"
 #include "mem.h"
 #include "ssb.connections.h"
@@ -2711,6 +2712,7 @@ void tf_ssb_destroy(tf_ssb_t* ssb)
 			tf_printf("--\n");
 			uv_print_all_handles(ssb->loop, stdout);
 		}
+		tf_http_debug_destroy();
 		uv_run(ssb->loop, UV_RUN_ONCE);
 	}

--- a/src/ssb.db.c
+++ b/src/ssb.db.c
@@ -623,6 +623,12 @@ static char* _tf_ssb_db_get_message_blob_wants(sqlite3* db, int64_t rowid)
 	return result;
 }

+typedef enum _message_type_t
+{
+	k_message_type_other,
+	k_message_type_post,
+} message_type_t;
+
 typedef struct _message_store_t
 {
 	char id[k_id_base64_len];
@@ -635,6 +641,7 @@ typedef struct _message_store_t
 	const char* content;
 	size_t length;

+	message_type_t type;
 	bool out_stored;
 	char* out_blob_wants;

@@ -716,6 +723,28 @@ static void _tf_ssb_db_store_message_after_work(tf_ssb_t* ssb, int status, void*
 			tf_trace_end(trace);
 		}

+#if TARGET_OS_IPHONE
+		if (store->type == k_message_type_post)
+		{
+			JSContext* context = tf_ssb_get_context(ssb);
+			JSValue content = JS_ParseJSON(context, store->content, strlen(store->content), NULL);
+			if (JS_IsObject(content))
+			{
+				JSValue type_value = JS_GetPropertyStr(context, content, "type");
+				const char* type = JS_ToCString(context, type_value);
+				JSValue text_value = JS_GetPropertyStr(context, content, "text");
+				const char* text = JS_ToCString(context, text_value);
+				void tf_notify_message_added_ios(const char* identifier, const char* title, const char* content);
+				tf_notify_message_added_ios(store->id, type, text);
+				JS_FreeCString(context, text);
+				JS_FreeValue(context, text_value);
+				JS_FreeCString(context, type);
+				JS_FreeValue(context, type_value);
+			}
+			JS_FreeValue(context, content);
+		}
+#endif
+
 		if (store->callback)
 		{
 			store->callback(store->id, store->out_stored, store->user_data);
@@ -777,6 +806,16 @@ void tf_ssb_db_store_message(
 	JS_FreeValue(context, timestampval);

 	JSValue contentval = JS_GetPropertyStr(context, val, "content");
+	JSValue typeval = JS_IsObject(contentval) ? JS_GetPropertyStr(context, contentval, "type") : JS_UNDEFINED;
+	const char* type = JS_IsString(typeval) ? JS_ToCString(context, typeval) : NULL;
+	message_type_t message_type = k_message_type_other;
+	if (type)
+	{
+		message_type = strcmp(type, "post") == 0 ? k_message_type_post : k_message_type_other;
+	}
+	JS_FreeCString(context, type);
+	JS_FreeValue(context, typeval);
+
 	JSValue content = JS_JSONStringify(context, contentval, JS_NULL, JS_NULL);
 	size_t content_len;
 	const char* contentstr = JS_ToCStringLen(context, &content_len, content);
@@ -788,6 +827,7 @@ void tf_ssb_db_store_message(
 		.sequence = sequence,
 		.timestamp = timestamp,
 		.content = contentstr,
+		.type = message_type,
 		.length = content_len,
 		.flags = flags,

@@ -1557,8 +1597,10 @@ typedef struct _following_t
 	int depth;
 	following_t** following;
 	following_t** blocking;
+	following_t** both;
 	int following_count;
 	int blocking_count;
+	int both_count;
 	int ref_count;
 	int block_ref_count;
 } following_t;
@@ -1675,14 +1717,27 @@ static void _populate_follows_and_blocks(
 					{
 						if (_add_following_entry(&entry->following, &entry->following_count, next))
 						{
-							next->ref_count++;
+							if (next->ref_count++ == 0 && next->block_ref_count)
+							{
+								if (_remove_following_entry(&entry->blocking, &entry->blocking_count, next))
+								{
+									_remove_following_entry(&entry->following, &entry->following_count, next);
+									_add_following_entry(&entry->both, &entry->both_count, next);
+								}
+							}
 						}
 					}
 					else
 					{
 						if (_remove_following_entry(&entry->following, &entry->following_count, next))
 						{
-							next->ref_count--;
+							if (next->ref_count-- == 1 && next->block_ref_count)
+							{
+								if (_remove_following_entry(&entry->both, &entry->both_count, next))
+								{
+									_add_following_entry(&entry->blocking, &entry->blocking_count, next);
+								}
+							}
 						}
 					}
 				}
@@ -1697,14 +1752,29 @@ static void _populate_follows_and_blocks(
 					{
 						if (_add_following_entry(&entry->blocking, &entry->blocking_count, next))
 						{
-							next->block_ref_count++;
+							if (next->block_ref_count++ == 0 && next->ref_count)
+							{
+								if (_remove_following_entry(&entry->following, &entry->following_count, next))
+								{
+									next->ref_count--;
+									_remove_following_entry(&entry->blocking, &entry->blocking_count, next);
+									_add_following_entry(&entry->both, &entry->both_count, next);
+								}
+							}
 						}
 					}
 					else
 					{
 						if (_remove_following_entry(&entry->blocking, &entry->blocking_count, next))
 						{
-							next->block_ref_count--;
+							if (next->block_ref_count-- == 1)
+							{
+								if (_remove_following_entry(&entry->both, &entry->both_count, next))
+								{
+									next->ref_count++;
+									_add_following_entry(&entry->following, &entry->following_count, next);
+								}
+							}
 						}
 					}
 				}
@@ -1801,6 +1871,7 @@ tf_ssb_following_t* tf_ssb_db_following_deep(tf_ssb_t* ssb, const char** ids, in
 	{
 		tf_free(following[i]->following);
 		tf_free(following[i]->blocking);
+		tf_free(following[i]->both);
 		tf_free(following[i]);
 	}
 	tf_free(following);
@@ -1852,6 +1923,7 @@ const char** tf_ssb_db_following_deep_ids(tf_ssb_t* ssb, const char** ids, int c
 	{
 		tf_free(following[i]->following);
 		tf_free(following[i]->blocking);
+		tf_free(following[i]->both);
 		tf_free(following[i]);
 	}
 	tf_free(following);
@@ -2186,56 +2258,40 @@ bool tf_ssb_db_identity_get_active(sqlite3* db, const char* user, const char* pa
 	return found;
 }

-typedef struct _resolve_index_t
+const char* tf_ssb_db_resolve_index(sqlite3* db, const char* host)
 {
-	const char* host;
-	const char* path;
-	void (*callback)(const char* path, void* user_data);
-	void* user_data;
-} resolve_index_t;
+	const char* result = NULL;

-static void _tf_ssb_db_resolve_index_work(tf_ssb_t* ssb, void* user_data)
-{
-	resolve_index_t* request = user_data;
-
-	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
-	sqlite3_stmt* statement;
-	if (sqlite3_prepare_v2(db, "SELECT json_extract(value, '$.index_map') FROM properties WHERE id = 'core' AND key = 'settings'", -1, &statement, NULL) == SQLITE_OK)
+	if (!result)
 	{
-		if (sqlite3_step(statement) == SQLITE_ROW)
-		{
-			const char* index_map = (const char*)sqlite3_column_text(statement, 0);
-			const char* start = index_map;
-			while (start)
-			{
-				const char* end = strchr(start, '\n');
-				const char* equals = strchr(start, '=');
-				if (equals && strncasecmp(request->host, start, equals - start) == 0)
-				{
-					size_t value_length = end && equals < end ? (size_t)(end - (equals + 1)) : strlen(equals + 1);
-					char* path = tf_malloc(value_length + 1);
-					memcpy(path, equals + 1, value_length);
-					path[value_length] = '\0';
-					request->path = path;
-					break;
-				}
-				start = end ? end + 1 : NULL;
-			}
-		}
-		sqlite3_finalize(statement);
-	}
-	else
-	{
-		tf_printf("prepare failed: %s\n", sqlite3_errmsg(db));
+		/* Maybe we need to force the EULA first. */
 	}

-	if (!request->path)
+	if (!result)
 	{
-		if (sqlite3_prepare_v2(db, "SELECT json_extract(value, '$.index') FROM properties WHERE id = 'core' AND key = 'settings'", -1, &statement, NULL) == SQLITE_OK)
+		/* Use the index_map setting. */
+		sqlite3_stmt* statement;
+		if (sqlite3_prepare_v2(db, "SELECT json_extract(value, '$.index_map') FROM properties WHERE id = 'core' AND key = 'settings'", -1, &statement, NULL) == SQLITE_OK)
 		{
 			if (sqlite3_step(statement) == SQLITE_ROW)
 			{
-				request->path = tf_strdup((const char*)sqlite3_column_text(statement, 0));
+				const char* index_map = (const char*)sqlite3_column_text(statement, 0);
+				const char* start = index_map;
+				while (start)
+				{
+					const char* end = strchr(start, '\n');
+					const char* equals = strchr(start, '=');
+					if (equals && strncasecmp(host, start, equals - start) == 0)
+					{
+						size_t value_length = end && equals < end ? (size_t)(end - (equals + 1)) : strlen(equals + 1);
+						char* path = tf_malloc(value_length + 1);
+						memcpy(path, equals + 1, value_length);
+						path[value_length] = '\0';
+						result = path;
+						break;
+					}
+					start = end ? end + 1 : NULL;
+				}
 			}
 			sqlite3_finalize(statement);
 		}
@@ -2244,32 +2300,32 @@ static void _tf_ssb_db_resolve_index_work(tf_ssb_t* ssb, void* user_data)
 			tf_printf("prepare failed: %s\n", sqlite3_errmsg(db));
 		}
 	}
-	tf_ssb_release_db_reader(ssb, db);

-	if (!request->path)
+	if (!result)
 	{
-		request->path = tf_strdup(tf_util_get_default_global_setting_string("index"));
+		/* Use the index setting. */
+		sqlite3_stmt* statement;
+		if (sqlite3_prepare_v2(db, "SELECT json_extract(value, '$.index') FROM properties WHERE id = 'core' AND key = 'settings'", -1, &statement, NULL) == SQLITE_OK)
+		{
+			if (sqlite3_step(statement) == SQLITE_ROW)
+			{
+				result = tf_strdup((const char*)sqlite3_column_text(statement, 0));
+			}
+			sqlite3_finalize(statement);
+		}
+		else
+		{
+			tf_printf("prepare failed: %s\n", sqlite3_errmsg(db));
+		}
 	}
-}

-static void _tf_ssb_db_resolve_index_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	resolve_index_t* request = user_data;
-	request->callback(request->path, request->user_data);
-	tf_free((void*)request->host);
-	tf_free((void*)request->path);
-	tf_free(request);
-}
+	if (!result)
+	{
+		/* Use the default index. */
+		result = tf_strdup(tf_util_get_default_global_setting_string("index"));
+	}

-void tf_ssb_db_resolve_index_async(tf_ssb_t* ssb, const char* host, void (*callback)(const char* path, void* user_data), void* user_data)
-{
-	resolve_index_t* request = tf_malloc(sizeof(resolve_index_t));
-	*request = (resolve_index_t) {
-		.host = tf_strdup(host),
-		.callback = callback,
-		.user_data = user_data,
-	};
-	tf_ssb_run_work(ssb, _tf_ssb_db_resolve_index_work, _tf_ssb_db_resolve_index_after_work, request);
+	return result;
 }

 static void _tf_ssb_db_set_flags(tf_ssb_t* ssb, const char* message_id, int flags)
@@ -2465,6 +2521,32 @@ bool tf_ssb_db_get_global_setting_string(sqlite3* db, const char* name, char* ou
 	return result;
 }

+const char* tf_ssb_db_get_global_setting_string_alloc(sqlite3* db, const char* name)
+{
+	const char* result = NULL;
+	sqlite3_stmt* statement;
+	if (sqlite3_prepare_v2(db, "SELECT json_extract(value, '$.' || ?) FROM properties WHERE id = 'core' AND key = 'settings'", -1, &statement, NULL) == SQLITE_OK)
+	{
+		if (sqlite3_bind_text(statement, 1, name, -1, NULL) == SQLITE_OK)
+		{
+			if (sqlite3_step(statement) == SQLITE_ROW && sqlite3_column_type(statement, 0) != SQLITE_NULL)
+			{
+				result = tf_strdup((const char*)sqlite3_column_text(statement, 0));
+			}
+		}
+		sqlite3_finalize(statement);
+	}
+	else
+	{
+		tf_printf("prepare failed: %s\n", sqlite3_errmsg(db));
+	}
+	if (!result)
+	{
+		result = tf_strdup(tf_util_get_default_global_setting_string(name));
+	}
+	return result;
+}
+
 bool tf_ssb_db_set_global_setting_from_string(sqlite3* db, const char* name, char* value)
 {
 	tf_setting_kind_t kind = tf_util_get_global_setting_kind(name);
@@ -2488,7 +2570,7 @@ bool tf_ssb_db_set_global_setting_from_string(sqlite3* db, const char* name, cha
 				bound = sqlite3_bind_int(statement, 2, value && (strcmp(value, "true") == 0 || atoi(value))) == SQLITE_OK;
 				break;
 			case k_kind_int:
-				bound = sqlite3_bind_int(statement, 2, atoi(value)) == SQLITE_OK;
+				bound = sqlite3_bind_int64(statement, 2, atoll(value)) == SQLITE_OK;
 				break;
 			case k_kind_string:
 				bound = sqlite3_bind_text(statement, 2, value, -1, NULL) == SQLITE_OK;
--- a/src/ssb.db.h
+++ b/src/ssb.db.h
@@ -445,12 +445,11 @@ bool tf_ssb_db_add_value_to_array_property(tf_ssb_t* ssb, const char* id, const

 /**
 ** Resolve a hostname to its index path by global settings.
-** @param ssb The SSB instance.
+** @param db The database.
 ** @param host The hostname.
-** @param callback The callback.
-** @param user_data The callback user data.
+** @return The resolved index.  Free with tf_free().
 */
-void tf_ssb_db_resolve_index_async(tf_ssb_t* ssb, const char* host, void (*callback)(const char* path, void* user_data), void* user_data);
+const char* tf_ssb_db_resolve_index(sqlite3* db, const char* host);

 /**
 ** Verify an author's feed.
@@ -500,6 +499,14 @@ bool tf_ssb_db_get_global_setting_int64(sqlite3* db, const char* name, int64_t*
 */
 bool tf_ssb_db_get_global_setting_string(sqlite3* db, const char* name, char* out_value, size_t size);

+/**
+** Get a string global setting value.
+** @param db The database.
+** @param name The setting name.
+** @return The setting if found.
+*/
+const char* tf_ssb_db_get_global_setting_string_alloc(sqlite3* db, const char* name);
+
 /**
 ** Set a global setting from a string representation of its value.
 ** @param db The database.
--- a/src/ssb.import.c
+++ b/src/ssb.import.c
@@ -151,6 +151,14 @@ static void _tf_ssb_import_recursive_add_files(tf_ssb_t* ssb, uv_loop_t* loop, J
 				tf_free(blob);
 				tf_free(full_path);
 			}
+			else if (ent.type == UV_DIRENT_DIR)
+			{
+				size_t len = strlen(path) + strlen(ent.name) + 2;
+				char* full_path = tf_malloc(len);
+				snprintf(full_path, len, "%s/%s", path, ent.name);
+				_tf_ssb_import_recursive_add_files(ssb, loop, context, files, root, full_path);
+				tf_free(full_path);
+			}
 		}
 	}
 	else
--- a/src/ssb.js.c
+++ b/src/ssb.js.c
@@ -363,85 +363,6 @@ static JSValue _tf_ssb_swap_with_server_identity(JSContext* context, JSValueCons
 	return result;
 }

-typedef struct _identities_visit_t
-{
-	JSContext* context;
-	JSValue promise[2];
-	const char** identities;
-	int count;
-	char user[];
-} identities_visit_t;
-
-static void _tf_ssb_getIdentities_visit(const char* identity, void* user_data)
-{
-	identities_visit_t* work = user_data;
-	work->identities = tf_resize_vec(work->identities, (work->count + 1) * sizeof(const char*));
-	char id[k_id_base64_len];
-	snprintf(id, sizeof(id), "@%s", identity);
-	work->identities[work->count++] = tf_strdup(id);
-}
-
-static void _tf_ssb_get_identities_work(tf_ssb_t* ssb, void* user_data)
-{
-	identities_visit_t* work = user_data;
-	if (tf_ssb_db_user_has_permission(ssb, NULL, work->user, "administration"))
-	{
-		char id[k_id_base64_len] = "";
-		if (tf_ssb_whoami(ssb, id, sizeof(id)))
-		{
-			_tf_ssb_getIdentities_visit(*id == '@' ? id + 1 : id, work);
-		}
-	}
-	tf_ssb_db_identity_visit(ssb, work->user, _tf_ssb_getIdentities_visit, user_data);
-}
-
-static void _tf_ssb_get_all_identities_work(tf_ssb_t* ssb, void* user_data)
-{
-	tf_ssb_db_identity_visit_all(ssb, _tf_ssb_getIdentities_visit, user_data);
-}
-
-static void _tf_ssb_get_identities_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	identities_visit_t* work = user_data;
-	JSContext* context = tf_ssb_get_context(ssb);
-	JSValue result = JS_NewArray(context);
-	for (int i = 0; i < work->count; i++)
-	{
-		JS_SetPropertyUint32(context, result, i, JS_NewString(context, work->identities[i]));
-		tf_free((void*)work->identities[i]);
-	}
-	tf_free(work->identities);
-
-	JSValue error = JS_Call(context, work->promise[0], JS_UNDEFINED, 1, &result);
-	JS_FreeValue(context, result);
-	tf_util_report_error(context, error);
-	JS_FreeValue(context, error);
-	JS_FreeValue(context, work->promise[0]);
-	JS_FreeValue(context, work->promise[1]);
-	tf_free(work);
-}
-
-static JSValue _tf_ssb_getIdentities(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	JSValue result = JS_UNDEFINED;
-	tf_ssb_t* ssb = JS_GetOpaque(this_val, _tf_ssb_classId);
-	if (ssb)
-	{
-		size_t user_length = 0;
-		const char* user = JS_ToCStringLen(context, &user_length, argv[0]);
-		identities_visit_t* work = tf_malloc(sizeof(identities_visit_t) + user_length + 1);
-		*work = (identities_visit_t) {
-			.context = context,
-		};
-		memcpy(work->user, user, user_length + 1);
-		JS_FreeCString(context, user);
-
-		result = JS_NewPromiseCapability(context, work->promise);
-		tf_ssb_run_work(ssb, _tf_ssb_get_identities_work, _tf_ssb_get_identities_after_work, work);
-	}
-	return result;
-}
-
 typedef struct _get_private_key_t
 {
 	JSContext* context;
@@ -513,109 +434,6 @@ static JSValue _tf_ssb_getServerIdentity(JSContext* context, JSValueConst this_v
 	return result;
 }

-static JSValue _tf_ssb_getAllIdentities(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	JSValue result = JS_UNDEFINED;
-	tf_ssb_t* ssb = JS_GetOpaque(this_val, _tf_ssb_classId);
-	if (ssb)
-	{
-		identities_visit_t* work = tf_malloc(sizeof(identities_visit_t));
-		*work = (identities_visit_t) {
-			.context = context,
-		};
-
-		result = JS_NewPromiseCapability(context, work->promise);
-		tf_ssb_run_work(ssb, _tf_ssb_get_all_identities_work, _tf_ssb_get_identities_after_work, work);
-	}
-	return result;
-}
-
-typedef struct _active_identity_work_t
-{
-	JSContext* context;
-	const char* name;
-	const char* package_owner;
-	const char* package_name;
-	char identity[k_id_base64_len];
-	int result;
-	JSValue promise[2];
-} active_identity_work_t;
-
-static void _tf_ssb_getActiveIdentity_visit(const char* identity, void* user_data)
-{
-	active_identity_work_t* request = user_data;
-	if (!*request->identity)
-	{
-		snprintf(request->identity, sizeof(request->identity), "@%s", identity);
-	}
-}
-
-static void _tf_ssb_getActiveIdentity_work(tf_ssb_t* ssb, void* user_data)
-{
-	active_identity_work_t* request = user_data;
-	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
-	tf_ssb_db_identity_get_active(db, request->name, request->package_owner, request->package_name, request->identity, sizeof(request->identity));
-	tf_ssb_release_db_reader(ssb, db);
-
-	if (!*request->identity)
-	{
-		tf_ssb_db_identity_visit(ssb, request->name, _tf_ssb_getActiveIdentity_visit, request);
-	}
-
-	if (!*request->identity && tf_ssb_db_user_has_permission(ssb, NULL, request->name, "administration"))
-	{
-		tf_ssb_whoami(ssb, request->identity, sizeof(request->identity));
-	}
-}
-
-static void _tf_ssb_getActiveIdentity_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	active_identity_work_t* request = user_data;
-	JSContext* context = request->context;
-	if (request->result == 0)
-	{
-		JSValue identity = JS_NewString(context, request->identity);
-		JSValue error = JS_Call(context, request->promise[0], JS_UNDEFINED, 1, &identity);
-		JS_FreeValue(context, identity);
-		tf_util_report_error(context, error);
-		JS_FreeValue(context, error);
-	}
-	else
-	{
-		JSValue error = JS_Call(context, request->promise[1], JS_UNDEFINED, 0, NULL);
-		tf_util_report_error(context, error);
-		JS_FreeValue(context, error);
-	}
-	JS_FreeValue(context, request->promise[0]);
-	JS_FreeValue(context, request->promise[1]);
-	tf_free((void*)request->name);
-	tf_free((void*)request->package_owner);
-	tf_free((void*)request->package_name);
-	tf_free(request);
-}
-
-static JSValue _tf_ssb_getActiveIdentity(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	tf_ssb_t* ssb = JS_GetOpaque(this_val, _tf_ssb_classId);
-	const char* name = JS_ToCString(context, argv[0]);
-	const char* package_owner = JS_ToCString(context, argv[1]);
-	const char* package_name = JS_ToCString(context, argv[2]);
-	active_identity_work_t* work = tf_malloc(sizeof(active_identity_work_t));
-	*work = (active_identity_work_t) {
-		.context = context,
-		.name = tf_strdup(name),
-		.package_owner = tf_strdup(package_owner),
-		.package_name = tf_strdup(package_name),
-	};
-	JSValue result = JS_NewPromiseCapability(context, work->promise);
-	JS_FreeCString(context, name);
-	JS_FreeCString(context, package_owner);
-	JS_FreeCString(context, package_name);
-
-	tf_ssb_run_work(ssb, _tf_ssb_getActiveIdentity_work, _tf_ssb_getActiveIdentity_after_work, work);
-	return result;
-}
-
 typedef struct _identity_info_work_t
 {
 	JSContext* context;
@@ -2370,12 +2188,15 @@ void tf_ssb_register(JSContext* context, tf_ssb_t* ssb)
 	JS_SetPropertyStr(context, global, "ssb", object);
 	JS_SetOpaque(object, ssb);

+	JSValue object_internal = JS_NewObjectClass(context, _tf_ssb_classId);
+	JS_SetPropertyStr(context, global, "ssb_internal", object_internal);
+	JS_SetOpaque(object_internal, ssb);
+
 	/* Requires an identity. */
 	JS_SetPropertyStr(context, object, "createIdentity", JS_NewCFunction(context, _tf_ssb_createIdentity, "createIdentity", 1));
 	JS_SetPropertyStr(context, object, "addIdentity", JS_NewCFunction(context, _tf_ssb_addIdentity, "addIdentity", 2));
 	JS_SetPropertyStr(context, object, "deleteIdentity", JS_NewCFunction(context, _tf_ssb_deleteIdentity, "deleteIdentity", 2));
 	JS_SetPropertyStr(context, object, "swapWithServerIdentity", JS_NewCFunction(context, _tf_ssb_swap_with_server_identity, "swapWithServerIdentity", 2));
-	JS_SetPropertyStr(context, object, "getIdentities", JS_NewCFunction(context, _tf_ssb_getIdentities, "getIdentities", 1));
 	JS_SetPropertyStr(context, object, "getPrivateKey", JS_NewCFunction(context, _tf_ssb_getPrivateKey, "getPrivateKey", 2));
 	JS_SetPropertyStr(context, object, "privateMessageEncrypt", JS_NewCFunction(context, _tf_ssb_private_message_encrypt, "privateMessageEncrypt", 4));
 	JS_SetPropertyStr(context, object, "privateMessageDecrypt", JS_NewCFunction(context, _tf_ssb_private_message_decrypt, "privateMessageDecrypt", 3));
@@ -2385,9 +2206,6 @@ void tf_ssb_register(JSContext* context, tf_ssb_t* ssb)

 	/* Does not require an identity. */
 	JS_SetPropertyStr(context, object, "getServerIdentity", JS_NewCFunction(context, _tf_ssb_getServerIdentity, "getServerIdentity", 0));
-	JS_SetPropertyStr(context, object, "getAllIdentities", JS_NewCFunction(context, _tf_ssb_getAllIdentities, "getAllIdentities", 0));
-	JS_SetPropertyStr(context, object, "getActiveIdentity", JS_NewCFunction(context, _tf_ssb_getActiveIdentity, "getActiveIdentity", 3));
-	JS_SetPropertyStr(context, object, "getIdentityInfo", JS_NewCFunction(context, _tf_ssb_getIdentityInfo, "getIdentityInfo", 3));
 	JS_SetPropertyStr(context, object, "blobGet", JS_NewCFunction(context, _tf_ssb_blobGet, "blobGet", 1));
 	JS_SetPropertyStr(context, object, "connections", JS_NewCFunction(context, _tf_ssb_connections, "connections", 0));
 	JS_SetPropertyStr(context, object, "storedConnections", JS_NewCFunction(context, _tf_ssb_storedConnections, "storedConnections", 0));
@@ -2406,8 +2224,9 @@ void tf_ssb_register(JSContext* context, tf_ssb_t* ssb)
 	JS_SetPropertyStr(context, object, "blobStore", JS_NewCFunction(context, _tf_ssb_blobStore, "blobStore", 1));

 	/* Trusted only. */
-	JS_SetPropertyStr(context, object, "addEventListener", JS_NewCFunction(context, _tf_ssb_add_event_listener, "addEventListener", 2));
-	JS_SetPropertyStr(context, object, "removeEventListener", JS_NewCFunction(context, _tf_ssb_remove_event_listener, "removeEventListener", 2));
+	JS_SetPropertyStr(context, object_internal, "getIdentityInfo", JS_NewCFunction(context, _tf_ssb_getIdentityInfo, "getIdentityInfo", 3));
+	JS_SetPropertyStr(context, object_internal, "addEventListener", JS_NewCFunction(context, _tf_ssb_add_event_listener, "addEventListener", 2));
+	JS_SetPropertyStr(context, object_internal, "removeEventListener", JS_NewCFunction(context, _tf_ssb_remove_event_listener, "removeEventListener", 2));

 	JS_FreeValue(context, global);
 }
--- a/src/ssb.tests.c
+++ b/src/ssb.tests.c
@@ -639,8 +639,14 @@ void tf_ssb_test_following(const tf_test_options_t* options)
 	message = JS_NewObject(context); \
 	JS_SetPropertyStr(context, message, "type", JS_NewString(context, "contact")); \
 	JS_SetPropertyStr(context, message, "contact", JS_NewString(context, contact)); \
-	JS_SetPropertyStr(context, message, "following", follow ? JS_TRUE : JS_FALSE); \
-	JS_SetPropertyStr(context, message, "blocking", block ? JS_TRUE : JS_FALSE); \
+	if (follow) \
+	{ \
+		JS_SetPropertyStr(context, message, "following", JS_TRUE); \
+	} \
+	if (block) \
+	{ \
+		JS_SetPropertyStr(context, message, "blocking", JS_TRUE); \
+	} \
 	signed_message = tf_ssb_sign_message(ssb0, id, priv, message, NULL, 0); \
 	stored = false; \
 	tf_ssb_verify_strip_and_store_message(ssb0, signed_message, _message_stored, &stored); \
@@ -660,6 +666,11 @@ void tf_ssb_test_following(const tf_test_options_t* options)
 	_assert_visible(ssb0, id0, id1, true);
 	_assert_visible(ssb0, id0, id2, true);
 	_assert_visible(ssb0, id0, id3, false);
+	FOLLOW_BLOCK(id0, priv0, id1, false, true);
+	_assert_visible(ssb0, id0, id0, true);
+	_assert_visible(ssb0, id0, id1, false);
+	_assert_visible(ssb0, id0, id2, false);
+	_assert_visible(ssb0, id0, id3, false);

 #undef FOLLOW_BLOCK

@@ -923,7 +934,7 @@ static void _write_file(const char* path, const char* contents)
 	fclose(file);
 }

-#define TEST_ARGS " --args=ssb_port=0,http_port=0,https_port=0"
+#define TEST_ARGS " --args=ssb_port=0,http_port=0"

 void tf_ssb_test_encrypt(const tf_test_options_t* options)
 {
@@ -1220,7 +1231,181 @@ void tf_ssb_test_replicate(const tf_test_options_t* options)
 	tf_printf("done\n");

 	tf_printf("Waiting for blob.\n");
-	while (!tf_ssb_db_blob_get(ssb0, blob_id, NULL, NULL))
+	while (!tf_ssb_db_blob_get(ssb1, blob_id, NULL, NULL))
+	{
+		tf_ssb_set_main_thread(ssb1, true);
+		uv_run(&loop, UV_RUN_ONCE);
+		tf_ssb_set_main_thread(ssb1, false);
+	}
+	tf_printf("done\n");
+
+	tf_ssb_send_close(ssb1);
+
+	uv_close((uv_handle_t*)&idle0, NULL);
+	uv_close((uv_handle_t*)&idle1, NULL);
+
+	tf_printf("final run\n");
+	tf_ssb_set_main_thread(ssb0, true);
+	tf_ssb_set_main_thread(ssb1, true);
+	uv_run(&loop, UV_RUN_DEFAULT);
+	tf_ssb_set_main_thread(ssb0, false);
+	tf_ssb_set_main_thread(ssb1, false);
+	tf_printf("done\n");
+
+	tf_printf("destroy 0\n");
+	tf_ssb_destroy(ssb0);
+	tf_printf("destroy 1\n");
+	tf_ssb_destroy(ssb1);
+
+	tf_printf("close\n");
+	uv_loop_close(&loop);
+}
+
+void tf_ssb_test_replicate_blob(const tf_test_options_t* options)
+{
+	tf_printf("Testing blob replication.\n");
+
+	uv_loop_t loop = { 0 };
+	uv_loop_init(&loop);
+
+	unlink("out/test_db0.sqlite");
+	tf_ssb_t* ssb0 = tf_ssb_create(&loop, NULL, "file:out/test_db0.sqlite", NULL);
+	tf_ssb_register(tf_ssb_get_context(ssb0), ssb0);
+	unlink("out/test_db1.sqlite");
+	tf_ssb_t* ssb1 = tf_ssb_create(&loop, NULL, "file:out/test_db1.sqlite", NULL);
+	tf_ssb_register(tf_ssb_get_context(ssb1), ssb1);
+
+	uv_idle_t idle0 = { .data = ssb0 };
+	uv_idle_init(&loop, &idle0);
+	uv_idle_start(&idle0, _ssb_test_idle);
+
+	uv_idle_t idle1 = { .data = ssb1 };
+	uv_idle_init(&loop, &idle1);
+	uv_idle_start(&idle1, _ssb_test_idle);
+
+	test_t test = {
+		.ssb0 = ssb0,
+		.ssb1 = ssb1,
+	};
+
+	tf_ssb_add_connections_changed_callback(ssb0, _ssb_test_connections_changed, NULL, &test);
+	tf_ssb_add_connections_changed_callback(ssb1, _ssb_test_connections_changed, NULL, &test);
+
+	tf_ssb_generate_keys(ssb0);
+	tf_ssb_generate_keys(ssb1);
+
+	uint8_t priv0[crypto_sign_SECRETKEYBYTES] = { 0 };
+	uint8_t priv1[crypto_sign_SECRETKEYBYTES] = { 0 };
+	tf_ssb_get_private_key(ssb0, priv0, sizeof(priv0));
+	tf_ssb_get_private_key(ssb1, priv1, sizeof(priv1));
+
+	char id0[k_id_base64_len] = { 0 };
+	char id1[k_id_base64_len] = { 0 };
+	bool b = tf_ssb_whoami(ssb0, id0, sizeof(id0));
+	(void)b;
+	assert(b);
+	b = tf_ssb_whoami(ssb1, id1, sizeof(id1));
+	assert(b);
+	tf_printf("ID %s and %s\n", id0, id1);
+
+	char priv0_str[512] = { 0 };
+	char priv1_str[512] = { 0 };
+	tf_base64_encode(priv0, sizeof(priv0), priv0_str, sizeof(priv0_str));
+	tf_base64_encode(priv1, sizeof(priv0), priv1_str, sizeof(priv1_str));
+	tf_ssb_db_identity_add(ssb0, "test", id0 + 1, priv0_str);
+	tf_ssb_db_identity_add(ssb1, "test", id1 + 1, priv1_str);
+
+	static const int k_key_count = 5;
+	char public[k_key_count][k_id_base64_len - 1];
+	char private[k_key_count][512];
+	for (int i = 0; i < k_key_count; i++)
+	{
+		tf_ssb_generate_keys_buffer(public[i], sizeof(public[i]), private[i], sizeof(private[i]));
+		bool added = tf_ssb_db_identity_add(ssb0, "test", public[i], private[i]);
+		tf_printf("%s user %d = %s private=%s\n", added ? "added" : "failed", i, public[i], private[i]);
+	}
+
+	tf_printf("ssb0\n");
+	tf_ssb_db_identity_visit_all(ssb0, _test_print_identity, ssb0);
+	tf_printf("ssb1\n");
+	tf_ssb_db_identity_visit_all(ssb1, _test_print_identity, ssb1);
+
+	tf_ssb_server_open(ssb0, 12347);
+
+	uint8_t id0bin[k_id_bin_len];
+	tf_ssb_id_str_to_bin(id0bin, id0);
+	tf_ssb_connect(ssb1, "127.0.0.1", 12347, id0bin, 0, NULL, NULL);
+
+	tf_printf("Waiting for connection.\n");
+	while (test.connection_count0 != 1 || test.connection_count1 != 1)
+	{
+		tf_ssb_set_main_thread(ssb0, true);
+		tf_ssb_set_main_thread(ssb1, true);
+		uv_run(&loop, UV_RUN_ONCE);
+		tf_ssb_set_main_thread(ssb0, false);
+		tf_ssb_set_main_thread(ssb1, false);
+	}
+	tf_ssb_server_close(ssb0);
+
+	char blob_id[k_id_base64_len] = { 0 };
+	const char* k_blob = "Hello, new blob!";
+	b = tf_ssb_db_blob_store(ssb0, (const uint8_t*)k_blob, strlen(k_blob), blob_id, sizeof(blob_id), NULL);
+	assert(b);
+
+	JSContext* context0 = tf_ssb_get_context(ssb0);
+	for (int i = 0; i < k_key_count - 1; i++)
+	{
+		JSValue obj = JS_NewObject(context0);
+		JS_SetPropertyStr(context0, obj, "type", JS_NewString(context0, "contact"));
+		char self[k_id_base64_len];
+		snprintf(self, sizeof(self), "@%s", public[i]);
+		char contact[k_id_base64_len];
+		snprintf(contact, sizeof(contact), "@%s", public[i + 1]);
+		JS_SetPropertyStr(context0, obj, "contact", JS_NewString(context0, contact));
+		JS_SetPropertyStr(context0, obj, "following", JS_TRUE);
+		bool stored = false;
+		uint8_t private_bin[512] = { 0 };
+		tf_base64_decode(private[i], strlen(private[i]) - strlen(".ed25519"), private_bin, sizeof(private_bin));
+		tf_printf("ssb0 %s following %s\n", self, contact);
+		JSValue signed_message = tf_ssb_sign_message(ssb0, self, private_bin, obj, NULL, 0);
+		tf_ssb_verify_strip_and_store_message(ssb0, signed_message, _message_stored, &stored);
+		JS_FreeValue(context0, signed_message);
+		_wait_stored(ssb0, &stored);
+		JS_FreeValue(context0, obj);
+
+		obj = JS_NewObject(context0);
+		JS_SetPropertyStr(context0, obj, "type", JS_NewString(context0, "post"));
+		JS_SetPropertyStr(context0, obj, "text", JS_NewString(context0, "Hello, world!"));
+		JS_SetPropertyStr(context0, obj, "arbitrary_reference", JS_NewString(context0, blob_id));
+		stored = false;
+		signed_message = tf_ssb_sign_message(ssb0, self, private_bin, obj, NULL, 0);
+		tf_ssb_verify_strip_and_store_message(ssb0, signed_message, _message_stored, &stored);
+		JS_FreeValue(context0, signed_message);
+		_wait_stored(ssb0, &stored);
+		JS_FreeValue(context0, obj);
+	}
+
+	JSContext* context1 = tf_ssb_get_context(ssb1);
+	{
+		JSValue obj = JS_NewObject(context1);
+		JS_SetPropertyStr(context1, obj, "type", JS_NewString(context1, "contact"));
+		char self[k_id_base64_len];
+		tf_string_set(self, sizeof(self), id1);
+		char contact[k_id_base64_len];
+		snprintf(contact, sizeof(contact), "@%s", public[0]);
+		JS_SetPropertyStr(context1, obj, "contact", JS_NewString(context1, contact));
+		JS_SetPropertyStr(context1, obj, "following", JS_TRUE);
+		bool stored = false;
+		tf_printf("ssb1 %s following %s\n", self, contact);
+		JSValue signed_message = tf_ssb_sign_message(ssb1, self, priv1, obj, NULL, 0);
+		tf_ssb_verify_strip_and_store_message(ssb1, signed_message, _message_stored, &stored);
+		JS_FreeValue(context1, signed_message);
+		_wait_stored(ssb1, &stored);
+		JS_FreeValue(context1, obj);
+	}
+
+	tf_printf("Waiting for blob.\n");
+	while (!tf_ssb_db_blob_get(ssb1, blob_id, NULL, NULL))
 	{
 		tf_ssb_set_main_thread(ssb1, true);
 		uv_run(&loop, UV_RUN_ONCE);
@@ -1379,12 +1564,6 @@ void tf_ssb_test_invite(const tf_test_options_t* options)
 	tf_ssb_release_db_writer(ssb0, writer);
 	tf_printf("invite: %s\n", invite);

-	int count0 = 0;
-	int count1 = 0;
-
-	tf_ssb_add_message_added_callback(ssb0, _message_added, NULL, &count0);
-	tf_ssb_add_message_added_callback(ssb1, _message_added, NULL, &count1);
-
 	tf_ssb_connect_str(ssb1, invite, 0, NULL, NULL);

 	tf_printf("Waiting for connection.\n");
@@ -1400,11 +1579,19 @@ void tf_ssb_test_invite(const tf_test_options_t* options)
 	tf_printf("waiting for messages\n");
 	tf_ssb_set_main_thread(ssb0, true);
 	tf_ssb_set_main_thread(ssb1, true);
-	while (count0 != 3 || count1 != 3)
+
+	int32_t sequence0 = 0;
+	int32_t sequence1 = 0;
+	while (sequence0 != 1 || sequence1 != 2)
 	{
 		uv_run(&loop, UV_RUN_ONCE);
-
-		tf_printf("count0=%d count1=%d\n", count0, count1);
+		tf_ssb_set_main_thread(ssb0, false);
+		tf_ssb_set_main_thread(ssb1, false);
+		tf_ssb_db_get_latest_message_by_author(ssb0, id0, &sequence0, NULL, 0);
+		tf_ssb_db_get_latest_message_by_author(ssb1, id1, &sequence1, NULL, 0);
+		tf_ssb_set_main_thread(ssb0, true);
+		tf_ssb_set_main_thread(ssb1, true);
+		tf_printf("sequence0=%d sequence1=%d\n", sequence0, sequence1);
 	}
 	tf_ssb_set_main_thread(ssb0, false);
 	tf_ssb_set_main_thread(ssb1, false);
--- a/src/ssb.tests.h
+++ b/src/ssb.tests.h
@@ -66,13 +66,19 @@ void tf_ssb_test_peer_exchange(const tf_test_options_t* options);
 void tf_ssb_test_publish(const tf_test_options_t* options);

 /**
-** Test connecting by string.
+** Test message and replication.
 ** @param options The test options.
 */
 void tf_ssb_test_replicate(const tf_test_options_t* options);

 /**
-** Test invites.
+** Test blob replication for a message received while already connected.
+** @param options The test options.
+*/
+void tf_ssb_test_replicate_blob(const tf_test_options_t* options);
+
+/**
+** Test connecting by string.
 ** @param options The test options.
 */
 void tf_ssb_test_connect_str(const tf_test_options_t* options);
--- a/src/task.c
+++ b/src/task.c
@@ -3,17 +3,16 @@
 #include "api.js.h"
 #include "database.js.h"
 #include "file.js.h"
+#include "http.h"
 #include "httpd.js.h"
 #include "log.h"
 #include "mem.h"
 #include "packetstream.h"
 #include "serialize.h"
-#include "socket.js.h"
 #include "ssb.db.h"
 #include "ssb.h"
 #include "ssb.js.h"
 #include "taskstub.js.h"
-#include "tlscontext.js.h"
 #include "trace.h"
 #include "util.js.h"
 #include "version.h"
@@ -27,8 +26,6 @@
 #include "uv.h"
 #include "zlib.h"

-#include <openssl/crypto.h>
-
 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
@@ -708,11 +705,6 @@ static JSValue _tf_task_version(JSContext* context, JSValueConst this_val, int a
 	JS_SetPropertyStr(context, version, "name", JS_NewString(context, VERSION_NAME));
 	JS_SetPropertyStr(context, version, "libuv", JS_NewString(context, uv_version_string()));
 	JS_SetPropertyStr(context, version, "sqlite", JS_NewString(context, sqlite3_libversion()));
-#if defined(OPENSSL_VERSION_STRING)
-	JS_SetPropertyStr(context, version, "openssl", JS_NewString(context, OpenSSL_version(OPENSSL_VERSION_STRING)));
-#else
-	JS_SetPropertyStr(context, version, "openssl", JS_NewString(context, OpenSSL_version(OPENSSL_VERSION)));
-#endif
 	const char* sodium_version_string();
 	JS_SetPropertyStr(context, version, "c-ares", JS_NewString(context, ares_version(NULL)));
 	JS_SetPropertyStr(context, version, "libsodium", JS_NewString(context, sodium_version_string()));
@@ -823,12 +815,8 @@ static JSValue _tf_task_getStats(JSContext* context, JSValueConst this_val, int
 	JS_SetPropertyStr(context, result, "sqlite3_memory_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_sqlite_malloc_size() / total_memory));
 	JS_SetPropertyStr(context, result, "js_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_js_malloc_size() / total_memory));
 	JS_SetPropertyStr(context, result, "uv_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_uv_malloc_size() / total_memory));
-	JS_SetPropertyStr(context, result, "tls_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_tls_malloc_size() / total_memory));
 	JS_SetPropertyStr(context, result, "tf_malloc_percent", JS_NewFloat64(context, 100.0 * tf_mem_get_tf_malloc_size() / total_memory));

-	JS_SetPropertyStr(context, result, "socket_count", JS_NewInt32(context, tf_socket_get_count()));
-	JS_SetPropertyStr(context, result, "socket_open_count", JS_NewInt32(context, tf_socket_get_open_count()));
-
 	if (task->_ssb)
 	{
 		tf_ssb_stats_t ssb_stats = { 0 };
@@ -1665,8 +1653,6 @@ void tf_task_activate(tf_task_t* task)
 		sqlite3_open(task->_db_path, &task->_db);

 		JS_SetPropertyStr(context, global, "Task", tf_taskstub_register(context));
-		JS_SetPropertyStr(context, global, "Socket", tf_socket_register(context));
-		JS_SetPropertyStr(context, global, "TlsContext", tf_tls_context_register(context));
 		tf_file_register(context);
 		tf_database_register(context);

@@ -1882,6 +1868,7 @@ void tf_task_destroy(tf_task_t* task)
 			tf_printf("--\n");
 			uv_print_all_handles(&task->_loop, stdout);
 		}
+		tf_http_debug_destroy();
 		uv_run(&task->_loop, UV_RUN_ONCE);
 	}
 	if (task->_trace)
--- a/src/tests.c
+++ b/src/tests.c
@@ -32,7 +32,7 @@
 #include <TargetConditionals.h>
 #endif

-#define TEST_ARGS " --args=ssb_port=0,http_port=0,https_port=0"
+#define TEST_ARGS " --args=ssb_port=0,http_port=0"

 #if !TARGET_OS_IPHONE
 static void _write_file(const char* path, const char* contents)
@@ -549,93 +549,6 @@ static void _test_float(const tf_test_options_t* options)
 	unlink("out/child.js");
 }

-static void _test_socket(const tf_test_options_t* options)
-{
-	_write_file("out/test.js",
-		"'use strict';\n"
-		"\n"
-		"var s = new Socket();\n"
-		"print('connecting');\n"
-		"print('before connect', s.isConnected);\n"
-		"s.onError(function(e) {\n"
-		"	print(e);\n"
-		"});\n"
-		"print('noDelay', s.noDelay);\n"
-		"s.noDelay = true;\n"
-		"s.connect('www.unprompted.com', 80).then(function() {\n"
-		"	print('connected', 'www.unprompted.com', 80, s.isConnected);\n"
-		"	print(s.peerName);\n"
-		"	s.read(function(data) {\n"
-		"		print('read', data ? data.length : null);\n"
-		"	});\n"
-		"	s.write('GET / HTTP/1.0\\r\\n\\r\\n');\n"
-		"}).then(function(e) {\n"
-		"	print('closed 1');\n"
-		"});\n"
-		"\n"
-		"var s2 = new Socket();\n"
-		"print('connecting');\n"
-		"print('before connect', s2.isConnected);\n"
-		"s2.onError(function(e) {\n"
-		"	print('error');\n"
-		"	print(e);\n"
-		"});\n"
-		"print('noDelay', s2.noDelay);\n"
-		"s2.noDelay = true;\n"
-		"s2.connect('www.unprompted.com', 443).then(function() {\n"
-		"	print('connected', 'www.unprompted.com', 443);\n"
-		"	s2.read(function(data) {\n"
-		"		print('read', data ? data.length : null);\n"
-		"	});\n"
-		"	return s2.startTls();\n"
-		"}).then(function() {\n"
-		"	print('ready');\n"
-		"	print(s2.peerName);\n"
-		"	s2.write('GET / HTTP/1.0\\r\\nConnection: close\\r\\n\\r\\n').then(function() {\n"
-		"		s2.shutdown();\n"
-		"	});\n"
-		"}).catch(function(e) {\n"
-		"	print('caught');\n"
-		"	print(e);\n"
-		"});\n"
-		"var s3 = new Socket();\n"
-		"print('connecting s3');\n"
-		"print('before connect', s3.isConnected);\n"
-		"s3.onError(function(e) {\n"
-		"	print('error');\n"
-		"	print(e);\n"
-		"});\n"
-		"print('noDelay', s3.noDelay);\n"
-		"s3.noDelay = true;\n"
-		"s3.connect('0.0.0.0', 443).then(function() {\n"
-		"	print('connected', '0.0.0.0', 443);\n"
-		"	s3.read(function(data) {\n"
-		"		print('read', data ? data.length : null);\n"
-		"	});\n"
-		"	return s3.startTls();\n"
-		"}).then(function() {\n"
-		"	print('ready');\n"
-		"	print(s3.peerName);\n"
-		"	s3.write('GET / HTTP/1.0\\r\\nConnection: close\\r\\n\\r\\n').then(function() {\n"
-		"		s3.shutdown();\n"
-		"	});\n"
-		"}).catch(function(e) {\n"
-		"	print('caught');\n"
-		"	print(e);\n"
-		"});\n");
-
-	char command[256];
-	unlink("out/test_db0.sqlite");
-	snprintf(command, sizeof(command), "%s run --db-path=out/test_db0.sqlite -s out/test.js" TEST_ARGS, options->exe_path);
-	tf_printf("%s\n", command);
-	int result = system(command);
-	tf_printf("returned %d\n", WEXITSTATUS(result));
-	assert(WIFEXITED(result));
-	assert(WEXITSTATUS(result) == 0);
-
-	unlink("out/test.js");
-}
-
 static void _test_file(const tf_test_options_t* options)
 {
 	_write_file("out/test.js",
@@ -781,7 +694,7 @@ static void _test_http(const tf_test_options_t* options)
 	tf_http_t* http = tf_http_create(&loop);
 	tf_http_add_handler(http, "/hello", _test_http_handler, NULL, NULL);
 	tf_http_add_handler(http, "/post", _test_http_handler_post, NULL, NULL);
-	tf_http_listen(http, 23456, true, NULL, NULL, NULL);
+	tf_http_listen(http, 23456, true, NULL, NULL);

 	test_http_t test = { .loop = &loop };
 	uv_async_init(&loop, &test.async, _test_http_async);
@@ -873,7 +786,7 @@ static void _test_httpd(const tf_test_options_t* options)
 	uv_spawn(&loop, &process,
 		&(uv_process_options_t) {
 			.file = options->exe_path,
-			.args = (char*[]) { (char*)options->exe_path, "run", "--db-path=out/test_db0.sqlite", "--args=ssb_port=0,http_port=8080,https_port=0", NULL },
+			.args = (char*[]) { (char*)options->exe_path, "run", "--db-path=out/test_db0.sqlite", "--args=ssb_port=0,http_port=8080", NULL },
 			.stdio_count = sizeof(stdio) / sizeof(*stdio),
 			.stdio = stdio,
 		});
@@ -1065,7 +978,6 @@ void tf_tests(const tf_test_options_t* options)
 	_tf_test_run(options, "icu", _test_icu, false);
 	_tf_test_run(options, "uint8array", _test_uint8array, false);
 	_tf_test_run(options, "float", _test_float, false);
-	_tf_test_run(options, "socket", _test_socket, false);
 	_tf_test_run(options, "file", _test_file, false);
 	_tf_test_run(options, "b64", _test_b64, false);
 	_tf_test_run(options, "rooms", tf_ssb_test_rooms, false);
@@ -1076,6 +988,7 @@ void tf_tests(const tf_test_options_t* options)
 	_tf_test_run(options, "peer_exchange", tf_ssb_test_peer_exchange, false);
 	_tf_test_run(options, "publish", tf_ssb_test_publish, false);
 	_tf_test_run(options, "replicate", tf_ssb_test_replicate, false);
+	_tf_test_run(options, "replicate_blob", tf_ssb_test_replicate_blob, false);
 	_tf_test_run(options, "connect_str", tf_ssb_test_connect_str, false);
 	_tf_test_run(options, "invite", tf_ssb_test_invite, false);
 	_tf_test_run(options, "triggers", tf_ssb_test_triggers, false);
--- a/src/tls.c
+++ b/src/tls.c
@@ -1,384 +0,0 @@
-#include "tls.h"
-
-#include "mem.h"
-
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/pem.h>
-#include <openssl/ssl.h>
-#include <openssl/x509v3.h>
-
-typedef enum _direction_t
-{
-	k_direction_undetermined,
-	k_direction_accept,
-	k_direction_connect,
-} direction_t;
-
-typedef struct _tf_tls_context_t
-{
-	SSL_CTX* context;
-} tf_tls_context_t;
-
-typedef struct _tf_tls_session_t
-{
-	tf_tls_context_t* context;
-	BIO* bio_in;
-	BIO* bio_out;
-	SSL* ssl;
-	const char* hostname;
-	direction_t direction;
-} tf_tls_session_t;
-
-tf_tls_context_t* tf_tls_context_create()
-{
-	tf_tls_context_t* context = tf_malloc(sizeof(tf_tls_context_t));
-	memset(context, 0, sizeof(*context));
-	OPENSSL_init_ssl(0, NULL);
-	context->context = SSL_CTX_new(SSLv23_method());
-	SSL_CTX_set_default_verify_paths(context->context);
-	return context;
-}
-
-bool tf_tls_context_set_certificate(tf_tls_context_t* context, const char* certificate)
-{
-	int result = 0;
-	BIO* bio = BIO_new(BIO_s_mem());
-	BIO_puts(bio, certificate);
-	X509* x509 = PEM_read_bio_X509(bio, 0, 0, 0);
-	result = SSL_CTX_use_certificate(context->context, x509);
-	X509_free(x509);
-	while (true)
-	{
-		x509 = PEM_read_bio_X509(bio, 0, 0, 0);
-		if (x509)
-		{
-			SSL_CTX_add_extra_chain_cert(context->context, x509);
-			/* Docs say don't x509_free: https://www.openssl.org/docs/man3.2/man3/SSL_CTX_add_extra_chain_cert.html. */
-		}
-		else
-		{
-			break;
-		}
-	}
-	BIO_free(bio);
-	return result == 1;
-}
-
-bool tf_tls_context_set_private_key(tf_tls_context_t* context, const char* private_key)
-{
-	int result = 0;
-	BIO* bio = BIO_new(BIO_s_mem());
-	BIO_puts(bio, private_key);
-	EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, 0, 0, 0);
-	result = SSL_CTX_use_PrivateKey(context->context, key);
-	EVP_PKEY_free(key);
-	BIO_free(bio);
-	return result == 1;
-}
-
-bool tf_tls_context_add_trusted_certificate(tf_tls_context_t* context, const char* certificate)
-{
-	bool result = false;
-	BIO* bio = BIO_new_mem_buf(certificate, -1);
-	X509* x509 = PEM_read_bio_X509(bio, 0, 0, 0);
-	BIO_free(bio);
-
-	if (x509)
-	{
-		X509_STORE* store = SSL_CTX_get_cert_store(context->context);
-		if (store && X509_STORE_add_cert(store, x509) == 1)
-		{
-			result = true;
-		}
-		X509_free(x509);
-	}
-
-	return result;
-}
-
-tf_tls_session_t* tf_tls_context_create_session(tf_tls_context_t* context)
-{
-	tf_tls_session_t* session = tf_malloc(sizeof(tf_tls_session_t));
-	memset(session, 0, sizeof(*session));
-	session->context = context;
-	session->bio_in = BIO_new(BIO_s_mem());
-	session->bio_out = BIO_new(BIO_s_mem());
-	return session;
-}
-
-void tf_tls_context_destroy(tf_tls_context_t* context)
-{
-	SSL_CTX_free(context->context);
-	OPENSSL_cleanup();
-	tf_free(context);
-}
-
-void tf_tls_session_destroy(tf_tls_session_t* session)
-{
-	if (session->ssl)
-	{
-		SSL_free(session->ssl);
-	}
-	if (session->hostname)
-	{
-		tf_free((void*)session->hostname);
-	}
-	tf_free(session);
-}
-
-void tf_tls_session_set_hostname(tf_tls_session_t* session, const char* hostname)
-{
-	if (session->hostname)
-	{
-		tf_free((void*)session->hostname);
-		session->hostname = NULL;
-	}
-	if (hostname)
-	{
-		session->hostname = tf_strdup(hostname);
-	}
-}
-
-void tf_tls_session_start_accept(tf_tls_session_t* session)
-{
-	session->direction = k_direction_accept;
-	session->ssl = SSL_new(session->context->context);
-	SSL_set_bio(session->ssl, session->bio_in, session->bio_out);
-	SSL_accept(session->ssl);
-	tf_tls_session_handshake(session);
-}
-
-void tf_tls_session_start_connect(tf_tls_session_t* session)
-{
-	session->direction = k_direction_connect;
-	session->ssl = SSL_new(session->context->context);
-	X509_VERIFY_PARAM* param = SSL_get0_param(session->ssl);
-	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-	X509_VERIFY_PARAM_set1_host(param, session->hostname, 0);
-	SSL_set_tlsext_host_name(session->ssl, session->hostname);
-	SSL_set_bio(session->ssl, session->bio_in, session->bio_out);
-	SSL_connect(session->ssl);
-	tf_tls_session_handshake(session);
-}
-
-void tf_tls_session_shutdown(tf_tls_session_t* session)
-{
-	SSL_shutdown(session->ssl);
-}
-
-int tf_tls_session_get_peer_certificate(tf_tls_session_t* session, char* buffer, size_t bytes)
-{
-	int result = -1;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-	X509* certificate = SSL_get_peer_certificate(session->ssl);
-#else
-	X509* certificate = SSL_get1_peer_certificate(session->ssl);
-#endif
-	BIO* bio = BIO_new(BIO_s_mem());
-	PEM_write_bio_X509(bio, certificate);
-	X509_free(certificate);
-	BUF_MEM* mem;
-	BIO_get_mem_ptr(bio, &mem);
-	if (mem->length <= bytes)
-	{
-		memcpy(buffer, mem->data, mem->length);
-		result = mem->length;
-	}
-	BIO_free(bio);
-	return result;
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-static bool _tls_session_wildcard_match(const char* pattern, size_t pattern_length, const char* name)
-{
-	const char* it = pattern;
-	while (it - pattern < pattern_length && *name)
-	{
-		if (*it == '*')
-		{
-			for (const char* p = name; *p; ++p)
-			{
-				if (_tls_session_wildcard_match(it + 1, pattern_length - 1, p))
-				{
-					return true;
-				}
-			}
-			return false;
-		}
-		else if (tolower(*it) == tolower(*name))
-		{
-			++it;
-			++name;
-		}
-		else
-		{
-			break;
-		}
-	}
-	return it - pattern <= pattern_length && *name == 0;
-}
-
-static bool _tls_session_verify_hostname(X509* certificate, const char* hostname)
-{
-	bool verified = false;
-	void* names = X509_get_ext_d2i(certificate, NID_subject_alt_name, 0, 0);
-	if (names)
-	{
-		int count = sk_GENERAL_NAME_num(names);
-		for (int i = 0; i < count; ++i)
-		{
-			const GENERAL_NAME* check = sk_GENERAL_NAME_value(names, i);
-			if (!verified)
-			{
-#if OPENSSL_VERSION_NUMBER <= 0x1000211fL
-				const unsigned char* name = ASN1_STRING_data(check->d.ia5);
-#else
-				const char* name = ASN1_STRING_get0_data(check->d.ia5);
-#endif
-				size_t length = ASN1_STRING_length(check->d.ia5);
-				if (_tls_session_wildcard_match((const char*)name, length, hostname))
-				{
-					verified = true;
-				}
-			}
-		}
-		sk_GENERAL_NAMES_free(names);
-	}
-
-	if (!verified)
-	{
-		int index = X509_NAME_get_index_by_NID(X509_get_subject_name(certificate), NID_commonName, -1);
-		if (index >= 0)
-		{
-			X509_NAME_ENTRY* entry = X509_NAME_get_entry(X509_get_subject_name(certificate), index);
-			if (entry)
-			{
-				ASN1_STRING* asn1 = X509_NAME_ENTRY_get_data(entry);
-				if (asn1)
-				{
-#if OPENSSL_VERSION_NUMBER <= 0x1000211fL
-					const unsigned char* commonName = ASN1_STRING_data(asn1);
-#else
-					const char* commonName = ASN1_STRING_get0_data(asn1);
-#endif
-					if ((size_t)(ASN1_STRING_length(asn1)) == strlen((const char*)commonName))
-					{
-						verified = _tls_session_wildcard_match((const char*)commonName, ASN1_STRING_length(asn1), hostname);
-					}
-				}
-			}
-		}
-	}
-
-	return verified;
-}
-#endif
-
-static bool _tls_session_verify_peer_certificate(tf_tls_session_t* session)
-{
-	bool verified = false;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-	X509* certificate = SSL_get_peer_certificate(session->ssl);
-#else
-	X509* certificate = SSL_get1_peer_certificate(session->ssl);
-#endif
-	if (certificate)
-	{
-		if (SSL_get_verify_result(session->ssl) == X509_V_OK)
-		{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-			if (_tls_session_verify_hostname(certificate, session->hostname))
-			{
-				verified = true;
-			}
-#else
-			verified = true;
-#endif
-		}
-		X509_free(certificate);
-	}
-	return verified;
-}
-
-tf_tls_handshake_t tf_tls_session_handshake(tf_tls_session_t* session)
-{
-	tf_tls_handshake_t result = k_tls_handshake_done;
-	if (!SSL_is_init_finished(session->ssl))
-	{
-		int value = SSL_do_handshake(session->ssl);
-		if (value <= 0)
-		{
-			int error = SSL_get_error(session->ssl, value);
-			if (error != SSL_ERROR_WANT_READ && error != SSL_ERROR_WANT_WRITE)
-			{
-				result = k_tls_handshake_failed;
-			}
-			else
-			{
-				result = k_tls_handshake_more;
-			}
-		}
-	}
-	if (result == k_tls_handshake_done && session->direction == k_direction_connect && !_tls_session_verify_peer_certificate(session))
-	{
-		result = k_tls_handshake_failed;
-	}
-	return result;
-}
-
-int tf_tls_session_read_plain(tf_tls_session_t* session, char* buffer, size_t bytes)
-{
-	int result = SSL_read(session->ssl, buffer, bytes);
-	if (result <= 0)
-	{
-		int error = SSL_get_error(session->ssl, result);
-		if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE)
-		{
-			result = 0;
-		}
-		else if (error == SSL_ERROR_ZERO_RETURN)
-		{
-			if ((SSL_get_shutdown(session->ssl) & SSL_RECEIVED_SHUTDOWN) != 0)
-			{
-				result = k_tls_read_zero;
-			}
-			else
-			{
-				result = 0;
-			}
-		}
-		else
-		{
-			result = k_tls_read_failed;
-		}
-	}
-	return result;
-}
-
-int tf_tls_session_write_plain(tf_tls_session_t* session, const char* buffer, size_t bytes)
-{
-	return SSL_write(session->ssl, buffer, bytes);
-}
-
-int tf_tls_session_read_encrypted(tf_tls_session_t* session, char* buffer, size_t bytes)
-{
-	return BIO_read(session->bio_out, buffer, bytes);
-}
-
-int tf_tls_session_write_encrypted(tf_tls_session_t* session, const char* buffer, size_t bytes)
-{
-	return BIO_write(session->bio_in, buffer, bytes);
-}
-
-bool tf_tls_session_get_error(tf_tls_session_t* session, char* buffer, size_t bytes)
-{
-	unsigned long error = ERR_get_error();
-	if (error != 0)
-	{
-		ERR_error_string_n(error, buffer, bytes);
-	}
-	return error != 0;
-}
--- a/src/tls.h
+++ b/src/tls.h
@@ -1,177 +0,0 @@
-#pragma once
-
-/**
-** \defgroup tls TLS
-** A minimal wrapper around OpenSSL.
-** @{
-*/
-
-#include <stdbool.h>
-#include <stddef.h>
-
-/**
-** A TLS context.  May have many tf_tls_session_t instances.
-*/
-typedef struct _tf_tls_context_t tf_tls_context_t;
-
-/**
-** A TLS session.  Belongs to one tf_tls_context_t and represents a single connection.
-*/
-typedef struct _tf_tls_session_t tf_tls_session_t;
-
-/**
-** The state of a TLS handshake.
-*/
-typedef enum _tf_tls_handshake_t
-{
-	k_tls_handshake_done,
-	k_tls_handshake_more,
-	k_tls_handshake_failed,
-} tf_tls_handshake_t;
-
-/**
-** Possible error statuses from tf_tls_session_read_plain.
-*/
-typedef enum _tf_tls_read_t
-{
-	k_tls_read_zero = -1,
-	k_tls_read_failed = -2,
-} tf_tls_read_t;
-
-/**
-** Create a TLS context.  Clean up with tf_tls_context_destroy().
-** @return A new TLS context.
-*/
-tf_tls_context_t* tf_tls_context_create();
-
-/**
-** Set the TLS context's server certificate.
-** @param context The TLS context.
-** @param certificate The certificate in PEM format.
-** @return true if set successfully.
-*/
-bool tf_tls_context_set_certificate(tf_tls_context_t* context, const char* certificate);
-
-/**
-** Set the TLS context's server certificate's private key.
-** @param context The TLS context.
-** @param private_key The private key in PEM format.
-** @return true if set successfully.
-*/
-bool tf_tls_context_set_private_key(tf_tls_context_t* context, const char* private_key);
-
-/**
-** Add a trusted certificate.
-** @param context The TLS context.
-** @param certificate The certificate in PEM format.
-** @return true if the certificate was added to the trusted list successfully.
-*/
-bool tf_tls_context_add_trusted_certificate(tf_tls_context_t* context, const char* certificate);
-
-/**
-** Create a TLS session from a context.  Once created, call
-** tf_tls_session_handshake() until it returns k_tls_handshake_done.  Call
-** tf_tls_session_[read/write]_[plain/encrypted]() as data is available.
-** @param context The TLS context.  Clean up with tf_tls_session_destroy().
-** @return A new TLS session.
-*/
-tf_tls_session_t* tf_tls_context_create_session(tf_tls_context_t* context);
-
-/**
-** Destroy a TLS context.
-** @param context The TLS contextx created by tf_tls_context_create().
-*/
-void tf_tls_context_destroy(tf_tls_context_t* context);
-
-/**
-** Destroy a TLS session.
-** @param session A TLS sesssion created by tf_tls_context_create_session().
-*/
-void tf_tls_session_destroy(tf_tls_session_t* session);
-
-/**
-** Set the remote hostname for a session.
-** @param session The TLS session.
-** @param hostname The hostname.
-*/
-void tf_tls_session_set_hostname(tf_tls_session_t* session, const char* hostname);
-
-/**
-** Begin an outgoing TLS session.
-** @param session The TLS session.
-*/
-void tf_tls_session_start_accept(tf_tls_session_t* session);
-
-/**
-** Begin an incoming TLS session.
-** @param session The TLS session.
-*/
-void tf_tls_session_start_connect(tf_tls_session_t* session);
-
-/**
-** Begin the clean shutdown process for a TLS session.
-** @param session The TLS session.
-*/
-void tf_tls_session_shutdown(tf_tls_session_t* session);
-
-/**
-** Get the certificate from the remote end of a TLS session if available.
-** @param session The TLS session.
-** @param buffer A buffer to receive the certificate.
-** @param bytes The size of the buffer.
-** @return The size of the returned certificate, or -1 on failure.
-*/
-int tf_tls_session_get_peer_certificate(tf_tls_session_t* session, char* buffer, size_t bytes);
-
-/**
-** Update the TLS handshake.  Call repeatedly as new data is available until it returns done.
-** @param session The TLS session.
-** @return The current state of the handshake process.
-*/
-tf_tls_handshake_t tf_tls_session_handshake(tf_tls_session_t* session);
-
-/**
-** Read decrypted data from the TLS session.
-** @param session The TLS session.
-** @param buffer A buffer to receive the data.
-** @param bytes The size of the buffer.
-** @return The number of bytes returned.
-*/
-int tf_tls_session_read_plain(tf_tls_session_t* session, char* buffer, size_t bytes);
-
-/**
-** Write unencrypted data to the TLS session.
-** @param session The TLS session.
-** @param buffer The data to encrypt.
-** @param bytes The size of the data.
-** @return 1 on success, 0 on failure.
-*/
-int tf_tls_session_write_plain(tf_tls_session_t* session, const char* buffer, size_t bytes);
-
-/**
-** Read encrypted data from the TLS session that needs to be sent.
-** @param session The TLS session.
-** @param buffer A buffer to receive the data.
-** @param bytes The size of the buffer.
-** @return The number of bytes returned.
-*/
-int tf_tls_session_read_encrypted(tf_tls_session_t* session, char* buffer, size_t bytes);
-
-/**
-** Write encrypted data to the TLS session.
-** @param session The TLS session.
-** @param buffer The encrypted data.
-** @param bytes The number of bytes written.
-*/
-int tf_tls_session_write_encrypted(tf_tls_session_t* session, const char* buffer, size_t bytes);
-
-/**
-** Retrieve the last error from a TLS session.
-** @param session The TLS session.
-** @param buffer A buffer to receive the error text.
-** @param bytes The size of the buffer.
-** @return true if an error was retrieved.
-*/
-bool tf_tls_session_get_error(tf_tls_session_t* session, char* buffer, size_t bytes);
-
-/** @} */
--- a/src/tlscontext.js.c
+++ b/src/tlscontext.js.c
@@ -1,105 +0,0 @@
-#include "tlscontext.js.h"
-
-#include "log.h"
-#include "mem.h"
-#include "task.h"
-#include "tls.h"
-
-#include <stdlib.h>
-#include <string.h>
-
-static JSClassID _classId;
-static int _count;
-
-typedef struct _tf_tls_context_t
-{
-	tf_tls_context_t* context;
-	tf_task_t* task;
-	JSValue object;
-} tf_tls_context_t;
-
-static JSValue _tls_context_create(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv);
-static void _tls_context_finalizer(JSRuntime* runtime, JSValue value);
-
-static JSValue _tls_context_set_certificate(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	tf_tls_context_t* tls = JS_GetOpaque(this_val, _classId);
-	const char* value = JS_ToCString(context, argv[0]);
-	tf_tls_context_set_certificate(tls->context, value);
-	JS_FreeCString(context, value);
-	return JS_UNDEFINED;
-}
-
-static JSValue _tls_context_set_private_key(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	tf_tls_context_t* tls = JS_GetOpaque(this_val, _classId);
-	const char* value = JS_ToCString(context, argv[0]);
-	tf_tls_context_set_private_key(tls->context, value);
-	JS_FreeCString(context, value);
-	return JS_UNDEFINED;
-}
-
-static JSValue _tls_context_add_trusted_certificate(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	tf_tls_context_t* tls = JS_GetOpaque(this_val, _classId);
-	const char* value = JS_ToCString(context, argv[0]);
-	tf_tls_context_add_trusted_certificate(tls->context, value);
-	JS_FreeCString(context, value);
-	return JS_UNDEFINED;
-}
-
-JSValue tf_tls_context_register(JSContext* context)
-{
-	JS_NewClassID(&_classId);
-	JSClassDef def = {
-		.class_name = "TlsContext",
-		.finalizer = _tls_context_finalizer,
-	};
-	if (JS_NewClass(JS_GetRuntime(context), _classId, &def) != 0)
-	{
-		fprintf(stderr, "Failed to register TlsContext.\n");
-	}
-	return JS_NewCFunction2(context, _tls_context_create, "TlsContext", 0, JS_CFUNC_constructor, 0);
-}
-
-tf_tls_context_t* tf_tls_context_get(JSValue value)
-{
-	tf_tls_context_t* tls = JS_GetOpaque(value, _classId);
-	return tls ? tls->context : NULL;
-}
-
-int tf_tls_context_get_count()
-{
-	return _count;
-}
-
-static JSValue _tls_context_create(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	tf_tls_context_t* tls = tf_malloc(sizeof(tf_tls_context_t));
-	memset(tls, 0, sizeof(*tls));
-
-	++_count;
-	tls->object = JS_NewObjectClass(context, _classId);
-	JS_SetOpaque(tls->object, tls);
-
-	JS_SetPropertyStr(context, tls->object, "setCertificate", JS_NewCFunction(context, _tls_context_set_certificate, "setCertificate", 1));
-	JS_SetPropertyStr(context, tls->object, "setPrivateKey", JS_NewCFunction(context, _tls_context_set_private_key, "setPrivateKey", 1));
-	JS_SetPropertyStr(context, tls->object, "addTrustedCertificate", JS_NewCFunction(context, _tls_context_add_trusted_certificate, "addTrustedCertificate", 1));
-
-	tls->context = tf_tls_context_create();
-	tls->task = tf_task_get(context);
-
-	return tls->object;
-}
-
-static void _tls_context_finalizer(JSRuntime* runtime, JSValue value)
-{
-	tf_tls_context_t* tls = JS_GetOpaque(value, _classId);
-	if (tls->context)
-	{
-		tf_tls_context_destroy(tls->context);
-		tls->context = NULL;
-	}
-	--_count;
-	tf_free(tls);
-}
--- a/src/tlscontext.js.h
+++ b/src/tlscontext.js.h
@@ -1,37 +0,0 @@
-#pragma once
-
-/**
-** \defgroup tls_js TLS Interface
-** Exposes \ref tls to JS.
-** @{
-*/
-
-#include "quickjs.h"
-
-/**
-** A TLS context instance.
-*/
-typedef struct _tf_tls_context_t tf_tls_context_t;
-
-/**
-** Register TLS script interface.
-** @param context The TLS context.
-** @return the TlsContext constructor.
-*/
-JSValue tf_tls_context_register(JSContext* context);
-
-/**
-** Get a TLS context instance from its JS object.
-** @param value A TlsContext JS object.
-** @return The corresponding instance.
-*/
-tf_tls_context_t* tf_tls_context_get(JSValue value);
-
-/**
-** Get the number of active TLS context instances.
-** @return The number of TlsContext objects created that have not been
-** finalized.
-*/
-int tf_tls_context_get_count();
-
-/** @} */
--- a/src/util.js.c
+++ b/src/util.js.c
@@ -253,66 +253,6 @@ bool tf_util_report_error(JSContext* context, JSValue value)
 	return is_error;
 }

-static JSValue _util_parseHttpResponse(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
-{
-	JSValue result = JS_UNDEFINED;
-	int status = 0;
-	int minor_version = 0;
-	const char* message = NULL;
-	size_t message_length = 0;
-	struct phr_header headers[100];
-	size_t header_count = sizeof(headers) / sizeof(*headers);
-	int previous_length = 0;
-	JS_ToInt32(context, &previous_length, argv[1]);
-
-	JSValue buffer = JS_UNDEFINED;
-	size_t length;
-	uint8_t* array = tf_util_try_get_array_buffer(context, &length, argv[0]);
-	if (!array)
-	{
-		size_t offset;
-		size_t element_size;
-		buffer = tf_util_try_get_typed_array_buffer(context, argv[0], &offset, &length, &element_size);
-		if (!JS_IsException(buffer))
-		{
-			array = tf_util_try_get_array_buffer(context, &length, buffer);
-		}
-	}
-
-	if (array)
-	{
-		int parse_result = phr_parse_response((const char*)array, length, &minor_version, &status, &message, &message_length, headers, &header_count, previous_length);
-		if (parse_result > 0)
-		{
-			result = JS_NewObject(context);
-			JS_SetPropertyStr(context, result, "bytes_parsed", JS_NewInt32(context, parse_result));
-			JS_SetPropertyStr(context, result, "minor_version", JS_NewInt32(context, minor_version));
-			JS_SetPropertyStr(context, result, "status", JS_NewInt32(context, status));
-			JS_SetPropertyStr(context, result, "message", JS_NewStringLen(context, message, message_length));
-			JSValue header_object = JS_NewObject(context);
-			for (int i = 0; i < (int)header_count; i++)
-			{
-				char name[256];
-				snprintf(name, sizeof(name), "%.*s", (int)headers[i].name_len, headers[i].name);
-				JS_SetPropertyStr(context, header_object, name, JS_NewStringLen(context, headers[i].value, headers[i].value_len));
-			}
-			JS_SetPropertyStr(context, result, "headers", header_object);
-		}
-		else
-		{
-			result = JS_NewInt32(context, parse_result);
-		}
-	}
-	else
-	{
-		result = JS_ThrowTypeError(context, "Could not convert argument to array.");
-	}
-
-	JS_FreeValue(context, buffer);
-
-	return result;
-}
-
 static const char* k_kind_name[] = {
 	[k_kind_bool] = "bool",
 	[k_kind_int] = "int",
@@ -349,7 +289,6 @@ static const setting_t k_settings[] = {
 		.description = "Whether to bind http(s) to the loopback address.  Otherwise any.",
 		.default_value = { .kind = k_kind_bool, .bool_value = TF_IS_MOBILE ? true : false } },
 	{ .name = "http_port", .type = "integer", .description = "Port on which to listen for HTTP connections.", .default_value = { .kind = k_kind_int, .int_value = 12345 } },
-	{ .name = "https_port", .type = "integer", .description = "Port on which to listen for secure HTTP connections.", .default_value = { .kind = k_kind_int, .int_value = 0 } },
 	{ .name = "out_http_port_file", .type = "hidden", .description = "File to which to write bound HTTP port.", .default_value = { .kind = k_kind_string, .string_value = NULL } },
 	{ .name = "blob_fetch_age_seconds",
 		.type = "integer",
@@ -359,10 +298,6 @@ static const setting_t k_settings[] = {
 		.type = "integer",
 		.description = "Blobs older than this will be automatically deleted.",
 		.default_value = { .kind = k_kind_int, .int_value = TF_IS_MOBILE ? (int)(1.0f * 365 * 24 * 60 * 60) : -1 } },
-	{ .name = "fetch_hosts",
-		.type = "string",
-		.description = "Comma-separated list of host names to which HTTP fetch requests are allowed.  None if empty.",
-		.default_value = { .kind = k_kind_string, .string_value = NULL } },
 	{ .name = "http_redirect",
 		.type = "string",
 		.description = "If connecting by HTTP and HTTPS is configured, Location header prefix (ie, \"http://example.com\")",
@@ -403,6 +338,7 @@ static const setting_t k_settings[] = {
 		.type = "boolean",
 		.description = "Whether to attempt to keep several peer connections open.",
 		.default_value = { .kind = k_kind_bool, .bool_value = false } },
+	{ .name = "accepted_eula_version", .type = "hidden", .description = "The version of the last accepted EULA.", .default_value = { .kind = k_kind_int, .int_value = 0 } },
 };

 static const setting_t* _util_get_setting(const char* name, tf_setting_kind_t kind)
@@ -445,6 +381,31 @@ const char* tf_util_get_default_global_setting_string(const char* name)
 	return setting && setting->default_value.string_value ? setting->default_value.string_value : "";
 }

+bool tf_util_get_global_setting_by_index(int index, const char** out_name, const char** out_type, tf_setting_kind_t* out_kind, const char** out_description)
+{
+	if (index >= 0 && index < tf_countof(k_settings))
+	{
+		if (out_name)
+		{
+			*out_name = k_settings[index].name;
+		}
+		if (out_type)
+		{
+			*out_type = k_settings[index].type;
+		}
+		if (out_kind)
+		{
+			*out_kind = k_settings[index].default_value.kind;
+		}
+		if (out_description)
+		{
+			*out_description = k_settings[index].description;
+		}
+		return true;
+	}
+	return false;
+}
+
 static JSValue _util_defaultGlobalSettings(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
 {
 	JSValue settings = JS_NewObject(context);
@@ -523,7 +484,6 @@ void tf_util_register(JSContext* context)
 	JS_SetPropertyStr(context, global, "bip39Words", JS_NewCFunction(context, _util_bip39_words, "bip39Words", 1));
 	JS_SetPropertyStr(context, global, "bip39Bytes", JS_NewCFunction(context, _util_bip39_bytes, "bip39Bytes", 1));
 	JS_SetPropertyStr(context, global, "print", JS_NewCFunction(context, _util_print, "print", 1));
-	JS_SetPropertyStr(context, global, "parseHttpResponse", JS_NewCFunction(context, _util_parseHttpResponse, "parseHttpResponse", 2));
 	JS_SetPropertyStr(context, global, "defaultGlobalSettings", JS_NewCFunction(context, _util_defaultGlobalSettings, "defaultGlobalSettings", 2));
 	JS_FreeValue(context, global);
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Cory McWilliams	ba8253fa30	docs: Update change notes. All checks were successful Build Tilde Friends / Build-All (push) Successful in 8m50s Details	2025-11-25 18:08:01 -05:00
Cory McWilliams	f5bd389183	build: This will probably be the November release. All checks were successful Build Tilde Friends / Build-All (push) Successful in 20m28s Details	2025-11-25 12:51:13 -05:00
Cory McWilliams	0c34a38e15	ssb: Try not very successfully to make the welcome line format less awkwardly.	2025-11-25 12:50:33 -05:00
Cory McWilliams	7c7857a6cd	core: Move speedscope into a trace app. Isolate all the things. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m11s Details	2025-11-23 20:08:51 -05:00
Cory McWilliams	716bce2bb0	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m10s Details	2025-11-23 16:37:00 -05:00
Cory McWilliams	33fb96b120	core: Fix a disagreement determining the active identity. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m34s Details	2025-11-22 09:28:34 -05:00
Cory McWilliams	28a4accabf	build: Bump ios => 25. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m35s Details	2025-11-21 19:42:53 -05:00
Cory McWilliams	31c7394c17	core: Make the navigation bar feel slightly less web-y. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m8s Details	2025-11-20 12:35:40 -05:00
Cory McWilliams	e2974d34e2	update: bundletool 1.18.2. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m2s Details	2025-11-19 20:32:50 -05:00
Cory McWilliams	4a06c84511	docs: Prepare some release notes. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m17s Details	2025-11-19 19:56:14 -05:00
Cory McWilliams	4960a1d9d6	build: Bump iOS. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m1s Details	2025-11-19 19:20:51 -05:00
Cory McWilliams	75dd8889e9	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 8m49s Details	2025-11-19 19:08:55 -05:00
Cory McWilliams	111a6c3c6e	ssb: Follow + block = block. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m4s Details	2025-11-19 18:49:08 -05:00
Cory McWilliams	775fdafa63	core: Fix updating identity info muliple times. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m16s Details	2025-11-19 18:19:19 -05:00
Cory McWilliams	dae38bbd83	login: Don't show an empty / undefined code of conduct. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m26s Details	2025-11-19 12:39:06 -05:00
Cory McWilliams	35f374047a	ssb: Faster loads around the profile page. An experiment with caching SQL queries, and make one query just plain faster. All checks were successful Build Tilde Friends / Build-All (push) Successful in 8m53s Details	2025-11-16 14:20:26 -05:00
Cory McWilliams	aea4a14a62	ssb: Emoji 17.0. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m8s Details	2025-11-16 13:53:46 -05:00
Cory McWilliams	98f7504a4c	core: Refresh identity info so that you see your name at the top right when editing your profile in ssb. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m34s Details	2025-11-16 13:40:50 -05:00
Cory McWilliams	bb52cdd7c2	ssb: Reduce redundant queries. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m1s Details	2025-11-16 12:36:12 -05:00
Cory McWilliams	07b660a0d6	core: Explain what global setting we're setting when we ask permission. All checks were successful Build Tilde Friends / Build-All (push) Successful in 10m35s Details	2025-11-16 12:01:35 -05:00
Cory McWilliams	2b9d712d48	ssb: Remove now-duplicate logs. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-16 12:01:23 -05:00
Cory McWilliams	3c1f60b62d	ssb: Log all the query timing. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-16 11:59:18 -05:00
Cory McWilliams	bb75edfd42	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m13s Details	2025-11-15 18:45:06 -05:00
Cory McWilliams	c2b61cec2c	ios: Bump. All checks were successful Build Tilde Friends / Build-All (push) Successful in 9m2s Details	2025-11-15 07:32:11 -05:00
Cory McWilliams	05c3107b27	prettier All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m40s Details	2025-11-13 12:42:28 -05:00
Cory McWilliams	bb67df7846	core: Fix some grammar and style issues with the permission prompt. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-13 12:30:42 -05:00
Cory McWilliams	89ec523ea2	format All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m24s Details	2025-11-12 20:09:10 -05:00
Cory McWilliams	f30458d953	ios: Bump. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-12 20:01:07 -05:00
Cory McWilliams	42df0d830e	ios: Replace the browser navigation buttons with gestures, disable pinch to zoom, and round a button to make it feel more like a native app. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m30s Details	2025-11-12 19:31:33 -05:00
Cory McWilliams	50b2c0c7f4	ios: Expose post text to Core Spotlight search. All checks were successful Build Tilde Friends / Build-All (push) Successful in 17m54s Details	2025-11-11 21:40:17 -05:00
Cory McWilliams	0edb76b678	build: Still trying to do an ios thing as 0.2025.10. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m53s Details	2025-11-11 18:16:13 -05:00
Cory McWilliams	2d71af3243	ssb: Shore more context when presenting a request for permissions to post a message. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m38s Details	2025-11-10 12:50:05 -05:00
Cory McWilliams	b571cd213b	update: libbacktrace. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m38s Details	2025-11-09 19:25:12 -05:00
Cory McWilliams	b52c79ac4e	build: Oops, correct the year. All checks were successful Build Tilde Friends / Build-All (push) Successful in 17m46s Details	2025-11-09 12:16:19 -05:00
Cory McWilliams	63c6a5ab07	format: I don't know hot to configure clang-format to make Objective-C look remotely OK. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-09 12:00:54 -05:00
Cory McWilliams	4447ea63e2	ios: Fix exporting/downloading to file. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-09 11:54:37 -05:00
Cory McWilliams	61200c4a7d	ios: Declare reasons we might use some permissions to avoid crashes. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m57s Details	2025-11-08 17:10:02 -05:00
Cory McWilliams	62dc9d6cc0	docs: Add a little diagram of how I think about Tilde Friends. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m50s Details	2025-11-05 20:00:20 -05:00
Cory McWilliams	a28d41e1ee	docs: Usage. All checks were successful Build Tilde Friends / Build-All (push) Successful in 16m54s Details	2025-11-05 18:54:48 -05:00
Cory McWilliams	6a05e3770b	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m48s Details	2025-11-05 12:27:00 -05:00
Cory McWilliams	53a93e510c	update: sqlite 3.51.0. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-05 12:25:07 -05:00
Cory McWilliams	1cb3ecf1ea	ios: Just kidding, iOS doesn't allow four number versions. All checks were successful Build Tilde Friends / Build-All (push) Successful in 17m53s Details	2025-11-02 20:32:17 -05:00
Cory McWilliams	687665cd6b	ios: Revise the iOS agreement somewhat. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-11-02 20:30:17 -05:00
Cory McWilliams	7879ab1d50	ios: Add a EULA to try to appease Apple's Guideline 1.2 - Safety - User-Generated Content. All checks were successful Build Tilde Friends / Build-All (push) Successful in 22m0s Details	2025-11-02 14:30:25 -05:00
Cory McWilliams	24f0cdb398	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m35s Details	2025-10-30 12:43:05 -04:00
Cory McWilliams	6d5555e596	build: Let's start building 0.2025.11. All checks were successful Build Tilde Friends / Build-All (push) Successful in 17m45s Details	2025-10-29 20:26:56 -04:00
Cory McWilliams	4052e3235f	format All checks were successful Build Tilde Friends / Build-All (push) Successful in 17m35s Details	2025-10-29 18:37:17 -04:00
Cory McWilliams	13302ad1c7	build: Let's build v0.2025.10. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m14s Details	2025-10-29 12:43:50 -04:00
Cory McWilliams	0f8687e473	ssb: Improve peer exchange wording. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-29 12:40:51 -04:00
Cory McWilliams	9399ccd684	ssb: Restore missing # when viewing an unsubscribed channel. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m54s Details	2025-10-28 12:41:59 -04:00
Cory McWilliams	b3604039fa	ssb: Try harder to not show off-channel messages in the general feed. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m35s Details	2025-10-27 12:56:04 -04:00
Cory McWilliams	732089da2c	ssb: Fix an issue where private messages weren't showing up after marked read. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m26s Details	2025-10-26 12:46:06 -04:00
Cory McWilliams	b3e7e4b196	ssb: Fix names extending off the reactions list dialog. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m6s Details	2025-10-26 12:19:58 -04:00
Cory McWilliams	09a0cfd349	core: core.permissionsGranted() JS => C. All checks were successful Build Tilde Friends / Build-All (push) Successful in 17m47s Details	2025-10-26 09:09:52 -04:00
Cory McWilliams	5bf7346321	android: Disable strict mode dialogs. They're apparently problematic on some devices. #135 All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m23s Details	2025-10-26 08:24:12 -04:00
Cory McWilliams	dd558c57e0	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m59s Details	2025-10-23 12:33:52 -04:00
Cory McWilliams	5647196924	ssb: Add a manual theme color picker. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m1s Details	2025-10-22 19:39:20 -04:00
Cory McWilliams	49b1834bc6	docs: Prep release notes. All checks were successful Build Tilde Friends / Build-All (push) Successful in 19m14s Details	2025-10-22 18:40:29 -04:00
Cory McWilliams	d111647ea8	ssb: Merge the query tab into the search tab. Search for something starting with sql: to search for arbitrary SQL. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-22 18:21:22 -04:00
Cory McWilliams	d7580dab9b	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 19m29s Details	2025-10-22 12:22:09 -04:00
Cory McWilliams	28db8a8d5f	update: speedscope 1.24.0. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-22 12:20:35 -04:00
Cory McWilliams	e64d5617e7	ssb: Fix contact groups expanding/collapsing together. All checks were successful Build Tilde Friends / Build-All (push) Successful in 19m23s Details	2025-10-19 08:39:46 -04:00
Cory McWilliams	acd114650a	ssb: Slightly improved following/blocking messages. following=true blocking=false is a common situation that should be described as following. All checks were successful Build Tilde Friends / Build-All (push) Successful in 18m46s Details	2025-10-16 12:48:49 -04:00
Cory McWilliams	7a47ffaa61	welcome: -OpenSSL. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-15 20:19:03 -04:00
Cory McWilliams	42f7f66f35	cleanup: Some OpenSSL cruft. All checks were successful Build Tilde Friends / Build-All (push) Successful in 19m37s Details	2025-10-15 20:10:15 -04:00
Cory McWilliams	b2b4ffeeae	cleanup: Remove OpenSSL and consequently https support. Run behind a reverse proxy if you need https. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-15 20:02:59 -04:00
Cory McWilliams	26de1f7daa	update: CodeMirror. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-15 19:22:57 -04:00
Cory McWilliams	07605933dc	core: core.globalSettingsDescriptions JS => C. All checks were successful Build Tilde Friends / Build-All (push) Successful in 31m48s Details	2025-10-15 19:09:41 -04:00
Cory McWilliams	4bdc7ec616	core: core.globalSettingsGet JS => C.	2025-10-15 18:24:38 -04:00
Cory McWilliams	8ca64550e5	test: Messages added callbacks are not a reliable way to count messages. Fix -t=invite sometimes stalling. All checks were successful Build Tilde Friends / Build-All (push) Successful in 32m38s Details	2025-10-09 12:50:25 -04:00
Cory McWilliams	25dbac804c	core: Minor cleanup and style.	2025-10-09 12:45:38 -04:00
Cory McWilliams	6ab3fd168b	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 32m43s Details	2025-10-08 19:17:08 -04:00
Cory McWilliams	94858e2371	core: ssb.getIdentities() + ssb.getOwnerIdentities() JS => C. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-08 19:13:54 -04:00
Cory McWilliams	6d13502e94	core: ssb.getActiveIdentity JS => C.	2025-10-08 18:30:38 -04:00
Cory McWilliams	77001e595c	ssb: Faster queries through lots of trial and error. All checks were successful Build Tilde Friends / Build-All (push) Successful in 33m5s Details	2025-10-07 21:15:09 -04:00
Cory McWilliams	6fad20ffa3	ssb: Recover some of the load time lost in filtering out subscribed channels. All checks were successful Build Tilde Friends / Build-All (push) Successful in 33m20s Details	2025-10-06 12:45:40 -04:00
Cory McWilliams	00fb6c9839	update: CoreMirror.	2025-10-06 06:56:08 -04:00
Cory McWilliams	97fcf72d63	core: Move some simple properties JS => C.	2025-10-06 06:53:41 -04:00
Cory McWilliams	5d8d02515d	ssb: This query is slightly faster but not fast enough. All checks were successful Build Tilde Friends / Build-All (push) Successful in 31m48s Details	2025-10-02 12:47:57 -04:00
Cory McWilliams	859fe1feb0	ssb: Exclude followed mentions from the general channel, too. All checks were successful Build Tilde Friends / Build-All (push) Successful in 33m18s Details	2025-10-01 20:02:37 -04:00
Cory McWilliams	8f61d83f41	ssb: Exclude subscribed channels from general posts.	2025-10-01 19:52:02 -04:00
Cory McWilliams	6423b3e479	ssb: Consolidate the connection sidebar options. Three copies on-screen is too many. All checks were successful Build Tilde Friends / Build-All (push) Successful in 32m47s Details	2025-10-01 19:12:31 -04:00
Cory McWilliams	2bc8cec8a2	core: Move users()+permissionsForUser() from JS to C.	2025-10-01 18:36:50 -04:00
Cory McWilliams	b49a6cd685	ssb: Place the message collapse better with the messages it collapses. All checks were successful Build Tilde Friends / Build-All (push) Successful in 33m8s Details	2025-10-01 18:06:45 -04:00
Cory McWilliams	2885380f40	core: Remove some unused events. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-10-01 17:55:32 -04:00
Cory McWilliams	2ec3b6a249	http: Add some logging to try to diagnose an intermittent shutdown issue.	2025-10-01 17:48:23 -04:00
Cory McWilliams	3ef795452d	ssb: Condense child messages a bit. All checks were successful Build Tilde Friends / Build-All (push) Successful in 32m55s Details	2025-10-01 12:27:04 -04:00
Cory McWilliams	479d87c8b8	update: OpenSSL 3.6.0.	2025-10-01 12:10:07 -04:00
Cory McWilliams	a56077dcc7	update: libbacktrace. All checks were successful Build Tilde Friends / Build-All (push) Successful in 34m24s Details	2025-09-30 12:56:51 -04:00
Cory McWilliams	d3f4587c3b	update: OpenSSL 3.5.4.	2025-09-30 12:52:22 -04:00
Cory McWilliams	623705b7a1	core: Fix a crash in the apps app. All checks were successful Build Tilde Friends / Build-All (push) Successful in 30m36s Details	2025-09-28 21:15:28 -04:00
Cory McWilliams	8f87f4751d	ios: Add iTunesArtwork icon. All checks were successful Build Tilde Friends / Build-All (push) Successful in 31m19s Details	2025-09-28 17:55:36 -04:00
Cory McWilliams	2ac6dfde9d	test: Make the testing replicating a blob check the correct client, and add another test that does it while already connected. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-09-28 17:35:54 -04:00
Cory McWilliams	81ade7a400	core: Make the internal ssb.* API more explicitly not exposed to apps. Some checks failed Build Tilde Friends / Build-All (push) Has been cancelled Details	2025-09-28 17:19:58 -04:00
Cory McWilliams	63f7ff9f27	update: CodeMirror. All checks were successful Build Tilde Friends / Build-All (push) Successful in 31m20s Details	2025-09-28 16:01:02 -04:00
Cory McWilliams	8a0fa17a79	build: Remove stale include. Fix clean builds. All checks were successful Build Tilde Friends / Build-All (push) Successful in 30m56s Details	2025-09-28 15:23:44 -04:00
Cory McWilliams	0ead5ed967	cleanup: Remove server-side JS socket and HTTP request support. Not used/useful enough to justify keeping all this code around. Some checks failed Build Tilde Friends / Build-All (push) Failing after 5m6s Details	2025-09-28 13:43:28 -04:00
Cory McWilliams	53261a6fbc	docs: Remove some stale docs from the api app.	2025-09-28 13:27:37 -04:00