From af33e4053977ef19148e4d1b0bdeb0dbff246d7a Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Wed, 30 Jul 2025 19:19:32 +0100
Subject: [PATCH 01/18] feat: Force leave remote rooms admin command

---
 src/admin/user/commands.rs         | 30 ++++++++++++++++++++++++++++--
 src/admin/user/mod.rs              |  6 ++++++
 src/api/client/membership/leave.rs |  2 +-
 src/api/client/membership/mod.rs   |  2 +-
 4 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/src/admin/user/commands.rs b/src/admin/user/commands.rs
index 56864a32..37ab030c 100644
--- a/src/admin/user/commands.rs
+++ b/src/admin/user/commands.rs
@@ -1,8 +1,8 @@
 use std::{collections::BTreeMap, fmt::Write as _};
 
 use api::client::{
-	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, update_avatar_url,
-	update_displayname,
+	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room,
+	update_avatar_url, update_displayname,
 };
 use conduwuit::{
 	Err, Result, debug, debug_warn, error, info, is_equal_to,
@@ -926,3 +926,29 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 	))
 	.await
 }
+
+#[admin_command]
+pub(super) async fn force_leave_remote_room(
+	&self,
+	user_id: String,
+	room_id: OwnedRoomOrAliasId,
+) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+	let (room_id, _) = self
+		.services
+		.rooms
+		.alias
+		.resolve_with_servers(&room_id, None)
+		.await?;
+
+	assert!(
+		self.services.globals.user_is_local(&user_id),
+		"Parsed user_id must be a local user"
+	);
+	remote_leave_room(self.services, &user_id, &room_id, None)
+		.boxed()
+		.await?;
+
+	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
+		.await
+}
diff --git a/src/admin/user/mod.rs b/src/admin/user/mod.rs
index 656cacaf..366f7dd5 100644
--- a/src/admin/user/mod.rs
+++ b/src/admin/user/mod.rs
@@ -103,6 +103,12 @@ pub enum UserCommand {
 		room_id: OwnedRoomOrAliasId,
 	},
 
+	/// - Manually leave a remote room for a local user.
+	ForceLeaveRemoteRoom {
+		user_id: String,
+		room_id: OwnedRoomOrAliasId,
+	},
+
 	/// - Forces the specified user to drop their power levels to the room
 	///   default, if their permissions allow and the auth check permits
 	ForceDemote {
diff --git a/src/api/client/membership/leave.rs b/src/api/client/membership/leave.rs
index f4f1666b..0aadd833 100644
--- a/src/api/client/membership/leave.rs
+++ b/src/api/client/membership/leave.rs
@@ -215,7 +215,7 @@ pub async fn leave_room(
 	Ok(())
 }
 
-async fn remote_leave_room(
+pub async fn remote_leave_room(
 	services: &Services,
 	user_id: &UserId,
 	room_id: &RoomId,
diff --git a/src/api/client/membership/mod.rs b/src/api/client/membership/mod.rs
index 7a6f19ad..691419f6 100644
--- a/src/api/client/membership/mod.rs
+++ b/src/api/client/membership/mod.rs
@@ -29,7 +29,7 @@ pub(crate) use self::{
 };
 pub use self::{
 	join::join_room_by_id_helper,
-	leave::{leave_all_rooms, leave_room},
+	leave::{leave_all_rooms, leave_room, remote_leave_room},
 };
 use crate::{Ruma, client::full_user_deactivate};
 

From 5f35ebbce0ecd12c7ea7312bf5567a4fbe2b00d4 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Wed, 30 Jul 2025 19:29:33 +0100
Subject: [PATCH 02/18] fix: Make remote leave helper a public fn

---
 src/api/client/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api/client/mod.rs b/src/api/client/mod.rs
index e4be20b7..be335cba 100644
--- a/src/api/client/mod.rs
+++ b/src/api/client/mod.rs
@@ -55,7 +55,7 @@ pub(super) use keys::*;
 pub(super) use media::*;
 pub(super) use media_legacy::*;
 pub(super) use membership::*;
-pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room};
+pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room};
 pub(super) use message::*;
 pub(super) use openid::*;
 pub(super) use presence::*;

From e903390b980397a2af28a9ea0044693f25214402 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Thu, 31 Jul 2025 17:48:30 +0100
Subject: [PATCH 03/18] feat: Only inject vias when manual ones aren't provided
 during join

---
 src/api/client/membership/join.rs | 49 ++++++++++++++++---------------
 1 file changed, 26 insertions(+), 23 deletions(-)

diff --git a/src/api/client/membership/join.rs b/src/api/client/membership/join.rs
index dc170cbf..f3434bf5 100644
--- a/src/api/client/membership/join.rs
+++ b/src/api/client/membership/join.rs
@@ -156,31 +156,34 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 			.await?;
 
 			let mut servers = body.via.clone();
-			servers.extend(
-				services
-					.rooms
-					.state_cache
-					.servers_invite_via(&room_id)
-					.map(ToOwned::to_owned)
-					.collect::<Vec<_>>()
-					.await,
-			);
+			if servers.is_empty() {
+				debug!("No via servers provided for join, injecting some.");
+				servers.extend(
+					services
+						.rooms
+						.state_cache
+						.servers_invite_via(&room_id)
+						.map(ToOwned::to_owned)
+						.collect::<Vec<_>>()
+						.await,
+				);
 
-			servers.extend(
-				services
-					.rooms
-					.state_cache
-					.invite_state(sender_user, &room_id)
-					.await
-					.unwrap_or_default()
-					.iter()
-					.filter_map(|event| event.get_field("sender").ok().flatten())
-					.filter_map(|sender: &str| UserId::parse(sender).ok())
-					.map(|user| user.server_name().to_owned()),
-			);
+				servers.extend(
+					services
+						.rooms
+						.state_cache
+						.invite_state(sender_user, &room_id)
+						.await
+						.unwrap_or_default()
+						.iter()
+						.filter_map(|event| event.get_field("sender").ok().flatten())
+						.filter_map(|sender: &str| UserId::parse(sender).ok())
+						.map(|user| user.server_name().to_owned()),
+				);
 
-			if let Some(server) = room_id.server_name() {
-				servers.push(server.to_owned());
+				if let Some(server) = room_id.server_name() {
+					servers.push(server.to_owned());
+				}
 			}
 
 			servers.sort_unstable();

From 83e3de55a493eb0508a57c9a1a3f8fe700eb81b6 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sat, 30 Aug 2025 16:00:46 +0100
Subject: [PATCH 04/18] fix(sync/v2): Room leaves being omitted incorrectly

Partially borrowed from https://github.com/matrix-construct/tuwunel/commit/85a84f93c7ef7184a8eee1bb17116e5f0f0faf5a
---
 src/api/client/sync/v3.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api/client/sync/v3.rs b/src/api/client/sync/v3.rs
index 01428c08..298a6e4b 100644
--- a/src/api/client/sync/v3.rs
+++ b/src/api/client/sync/v3.rs
@@ -430,7 +430,7 @@ async fn handle_left_room(
 		.ok();
 
 	// Left before last sync
-	if Some(since) >= left_count {
+	if (Some(since) >= left_count && !include_leave) || Some(next_batch) < left_count {
 		return Ok(None);
 	}
 

From 15d3e2c47639fbd0b3822c0b9507c1b6df20b7d1 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sat, 30 Aug 2025 21:31:23 +0100
Subject: [PATCH 05/18] chore(PR956): Update admin docs

---
 docs/admin_reference.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docs/admin_reference.md b/docs/admin_reference.md
index 18e039e4..1c9d4fb0 100644
--- a/docs/admin_reference.md
+++ b/docs/admin_reference.md
@@ -21,6 +21,7 @@ This document contains the help content for the `admin` command-line program.
 * [`admin users list-joined-rooms`↴](#admin-users-list-joined-rooms)
 * [`admin users force-join-room`↴](#admin-users-force-join-room)
 * [`admin users force-leave-room`↴](#admin-users-force-leave-room)
+* [`admin users force-leave-remote-room`↴](#admin-users-force-leave-remote-room)
 * [`admin users force-demote`↴](#admin-users-force-demote)
 * [`admin users make-user-admin`↴](#admin-users-make-user-admin)
 * [`admin users put-room-tag`↴](#admin-users-put-room-tag)
@@ -295,6 +296,7 @@ You can find the ID using the `list-appservices` command.
 * `list-joined-rooms` — - Lists all the rooms (local and remote) that the specified user is joined in
 * `force-join-room` — - Manually join a local user to a room
 * `force-leave-room` — - Manually leave a local user from a room
+* `force-leave-remote-room` — - Manually leave a remote room for a local user
 * `force-demote` — - Forces the specified user to drop their power levels to the room default, if their permissions allow and the auth check permits
 * `make-user-admin` — - Grant server-admin privileges to a user
 * `put-room-tag` — - Puts a room tag for the specified user and room ID
@@ -449,6 +451,19 @@ Reverses the effects of the `suspend` command, allowing the user to send message
 
 
 
+## `admin users force-leave-remote-room`
+
+- Manually leave a remote room for a local user
+
+**Usage:** `admin users force-leave-remote-room <USER_ID> <ROOM_ID>`
+
+###### **Arguments:**
+
+* `<USER_ID>`
+* `<ROOM_ID>`
+
+
+
 ## `admin users force-demote`
 
 - Forces the specified user to drop their power levels to the room default, if their permissions allow and the auth check permits

From b934898f51a2d3fa80ece879ef5fc2774a7f5881 Mon Sep 17 00:00:00 2001
From: Jade Ellis <jade@ellis.link>
Date: Sun, 31 Aug 2025 00:25:41 +0100
Subject: [PATCH 06/18] chore: Update renovate config, limit cargo updates

---
 .editorconfig |   4 ++
 renovate.json | 115 ++++++++++++++++++++++++--------------------------
 2 files changed, 60 insertions(+), 59 deletions(-)

diff --git a/.editorconfig b/.editorconfig
index 3e7fd1b8..95843e73 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -26,3 +26,7 @@ max_line_length = 98
 [*.yml]
 indent_size = 2
 indent_style = space
+
+[*.json]
+indent_size = 4
+indent_style = space
diff --git a/renovate.json b/renovate.json
index deb428af..68d21b9d 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,62 +1,59 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ],
-  "lockFileMaintenance": {
-    "enabled": true,
-    "schedule": [
-      "at any time"
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": ["config:recommended"],
+    "lockFileMaintenance": {
+        "enabled": true,
+        "schedule": ["at any time"]
+    },
+    "nix": {
+        "enabled": true
+    },
+    "labels": ["Dependencies", "Dependencies/Renovate"],
+    "ignoreDeps": [
+        "tikv-jemallocator",
+        "tikv-jemalloc-sys",
+        "tikv-jemalloc-ctl",
+        "opentelemetry",
+        "opentelemetry_sdk",
+        "opentelemetry-jaeger",
+        "tracing-opentelemetry"
+    ],
+    "github-actions": {
+        "enabled": true,
+        "managerFilePatterns": [
+            "/(^|/)\\.forgejo/workflows/[^/]+\\.ya?ml$/",
+            "/(^|/)\\.forgejo/actions/[^/]+/action\\.ya?ml$/",
+            "/(^|/)\\.github/workflows/[^/]+\\.ya?ml$/",
+            "/(^|/)\\.github/actions/[^/]+/action\\.ya?ml$/"
+        ]
+    },
+    "packageRules": [
+        {
+            "description": "Batch minor and patch GitHub Actions updates",
+            "matchManagers": ["github-actions"],
+            "matchUpdateTypes": ["minor", "patch"],
+            "groupName": "github-actions-non-major"
+        },
+        {
+            "description": "Group Rust toolchain updates into a single PR",
+            "matchManagers": ["custom.regex"],
+            "matchPackageNames": ["rust", "rustc", "cargo"],
+            "groupName": "rust-toolchain"
+        },
+        {
+            "description": "Group lockfile updates into a single PR",
+            "matchUpdateTypes": ["lockFileMaintenance"],
+            "groupName": "lockfile-maintenance"
+        },
+        {
+            "description": "Batch patch-level Rust dependency updates",
+            "matchManagers": ["cargo"],
+            "matchUpdateTypes": ["patch"],
+            "groupName": "rust-patch-updates"
+        },
+        {
+            "matchManagers": ["cargo"],
+            "prConcurrentLimit": 5
+        }
     ]
-  },
-  "nix": {
-    "enabled": true
-  },
-  "labels": [
-    "Dependencies",
-    "Dependencies/Renovate"
-  ],
-  "ignoreDeps": [
-    "tikv-jemallocator",
-    "tikv-jemalloc-sys",
-    "tikv-jemalloc-ctl",
-    "opentelemetry",
-    "opentelemetry_sdk",
-    "opentelemetry-jaeger",
-    "tracing-opentelemetry"
-  ],
-  "github-actions": {
-    "enabled": true,
-    "fileMatch": [
-      "(^|/)\\.forgejo/workflows/[^/]+\\.ya?ml$",
-      "(^|/)\\.forgejo/actions/[^/]+/action\\.ya?ml$",
-      "(^|/)\\.github/workflows/[^/]+\\.ya?ml$",
-      "(^|/)\\.github/actions/[^/]+/action\\.ya?ml$"
-    ]
-  },
-  "packageRules": [
-    {
-      "description": "Batch minor and patch GitHub Actions updates",
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "github-actions-non-major"
-    },
-    {
-      "description": "Group Rust toolchain updates into a single PR",
-      "matchManagers": ["regex"],
-      "matchPackageNames": ["rust", "rustc", "cargo"],
-      "groupName": "rust-toolchain"
-    },
-    {
-      "description": "Group lockfile updates into a single PR",
-      "matchUpdateTypes": ["lockFileMaintenance"],
-      "groupName": "lockfile-maintenance"
-    },
-    {
-      "description": "Batch patch-level Rust dependency updates",
-      "matchManagers": ["cargo"],
-      "matchUpdateTypes": ["patch"],
-      "groupName": "rust-patch-updates"
-    }
-  ]
 }

From e87c461b8d1d03d9e7b7b727f9a2fe8456c7338e Mon Sep 17 00:00:00 2001
From: Jade Ellis <jade@ellis.link>
Date: Sun, 31 Aug 2025 00:38:47 +0100
Subject: [PATCH 07/18] feat: Cache renovate data, RO GitHub token

---
 .forgejo/workflows/renovate.yml | 69 ++++++++++++++++++++++++++++-----
 1 file changed, 59 insertions(+), 10 deletions(-)

diff --git a/.forgejo/workflows/renovate.yml b/.forgejo/workflows/renovate.yml
index e8522bec..0152b387 100644
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@@ -39,24 +39,73 @@ jobs:
   renovate:
     name: Renovate
     runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/renovatebot/renovate:41
+      options: --tmpfs /tmp:exec
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          show-progress: false
+
+      - name: print node heap
+        run: /usr/local/renovate/node -e 'console.log(`node heap limit = ${require("v8").getHeapStatistics().heap_size_limit / (1024 * 1024)} Mb`)'
+
+      - name: Restore renovate repo cache
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: |
+            /tmp/renovate/cache/renovate/repository
+          key: repo-cache-${{ github.run_id }}
+          restore-keys: |
+            repo-cache-
+
+      - name: Restore renovate package cache
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: |
+            /tmp/renovate/cache/renovate/renovate-cache-sqlite
+          key: package-cache-${{ github.run_id }}
+          restore-keys: |
+            package-cache-
 
       - name: Self-hosted Renovate
-        uses: https://github.com/renovatebot/github-action@v40.1.0
+        uses: https://github.com/renovatebot/github-action@v43.0.9
         env:
           LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
-          RENOVATE_AUTODISCOVER: 'false'
-          RENOVATE_BINARY_SOURCE: 'install'
           RENOVATE_DRY_RUN: ${{ inputs.dryRun || 'false' }}
-          RENOVATE_ENDPOINT: ${{ github.server_url }}/api/v1
-          RENOVATE_GIT_TIMEOUT: 60000
-          RENOVATE_GIT_URL: 'endpoint'
-          RENOVATE_GITHUB_TOKEN_WARN: 'false'
-          RENOVATE_ONBOARDING: 'false'
-          RENOVATE_PLATFORM: 'forgejo'
-          RENOVATE_PR_COMMITS_PER_RUN_LIMIT: 3
+
+          RENOVATE_PLATFORM: forgejo
+          RENOVATE_ENDPOINT: ${{ github.server_url }}
+          RENOVATE_AUTODISCOVER: 'false'
           RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+
+          RENOVATE_GIT_TIMEOUT: 60000
+
           RENOVATE_REQUIRE_CONFIG: 'required'
+          RENOVATE_ONBOARDING: 'false'
+
+          RENOVATE_PR_COMMITS_PER_RUN_LIMIT: 3
+
+          RENOVATE_GITHUB_TOKEN_WARN: 'false'
           RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          GITHUB_COM_TOKEN: ${{ secrets.GH_PUBLIC_RO }}
+
+          RENOVATE_REPOSITORY_CACHE: 'enabled'
+          RENOVATE_X_SQLITE_PACKAGE_CACHE: true
+
+      - name: Save renovate repo cache
+        if: always() && env.RENOVATE_DRY_RUN != 'full'
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: |
+            /tmp/renovate/cache/renovate/repository
+          key: repo-cache-${{ github.run_id }}
+
+      - name: Save renovate package cache
+        if: always() && env.RENOVATE_DRY_RUN != 'full'
+        uses: https://github.com/actions/cache@v4
+        with:
+          path: |
+            /tmp/renovate/cache/renovate/renovate-cache-sqlite
+          key: package-cache-${{ github.run_id }}

From 5cce02484146e62b34e7228f603cb42559c76eff Mon Sep 17 00:00:00 2001
From: Renovate Bot <renovate@mail.ellis.link>
Date: Sun, 31 Aug 2025 00:44:28 +0000
Subject: [PATCH 08/18] chore(deps): update
 https://github.com/reproducible-containers/buildkit-cache-dance action to
 v3.3.0

---
 .forgejo/workflows/release-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/release-image.yml b/.forgejo/workflows/release-image.yml
index 04fc9de9..58d6cab2 100644
--- a/.forgejo/workflows/release-image.yml
+++ b/.forgejo/workflows/release-image.yml
@@ -161,7 +161,7 @@ jobs:
             var-lib-apt-${{ matrix.slug }}
           key: var-lib-apt-${{ matrix.slug }}
       - name: inject cache into docker
-        uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.1.0
+        uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.0
         with:
           cache-map: |
             {

From fedd22998750159f9cd11e62309ced1e6dc0550f Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sun, 31 Aug 2025 16:55:47 +0100
Subject: [PATCH 09/18] feat(MSC4323): Implement agnostic suspension endpoint

---
 Cargo.lock                      | 22 +++++-----
 Cargo.toml                      |  2 +-
 src/api/client/admin/mod.rs     |  3 ++
 src/api/client/admin/suspend.rs | 77 +++++++++++++++++++++++++++++++++
 src/api/client/mod.rs           |  2 +
 src/api/router.rs               |  2 +
 6 files changed, 96 insertions(+), 12 deletions(-)
 create mode 100644 src/api/client/admin/mod.rs
 create mode 100644 src/api/client/admin/suspend.rs

diff --git a/Cargo.lock b/Cargo.lock
index 2b044a1f..a3962c31 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4058,7 +4058,7 @@ checksum = "88f8660c1ff60292143c98d08fc6e2f654d722db50410e3f3797d40baaf9d8f3"
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "assign",
  "js_int",
@@ -4078,7 +4078,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4090,7 +4090,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "as_variant",
  "assign",
@@ -4113,7 +4113,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "as_variant",
  "base64 0.22.1",
@@ -4145,7 +4145,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "as_variant",
  "indexmap 2.10.0",
@@ -4170,7 +4170,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "bytes",
  "headers",
@@ -4192,7 +4192,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "thiserror 2.0.12",
@@ -4201,7 +4201,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4211,7 +4211,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "cfg-if",
  "proc-macro-crate",
@@ -4226,7 +4226,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4238,7 +4238,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "base64 0.22.1",
  "ed25519-dalek",
diff --git a/Cargo.toml b/Cargo.toml
index 9452066c..e2af2d94 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -352,7 +352,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "b753738047d1f443aca870896ef27ecaacf027da"
+rev = "8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 features = [
     "compat",
     "rand",
diff --git a/src/api/client/admin/mod.rs b/src/api/client/admin/mod.rs
new file mode 100644
index 00000000..8355a600
--- /dev/null
+++ b/src/api/client/admin/mod.rs
@@ -0,0 +1,3 @@
+mod suspend;
+
+pub(crate) use self::suspend::*;
diff --git a/src/api/client/admin/suspend.rs b/src/api/client/admin/suspend.rs
new file mode 100644
index 00000000..29682694
--- /dev/null
+++ b/src/api/client/admin/suspend.rs
@@ -0,0 +1,77 @@
+use axum::extract::State;
+use conduwuit::{Err, Result};
+use ruma::api::client::admin::{get_suspended, set_suspended};
+
+use crate::Ruma;
+
+/// # `GET /_matrix/client/v1/admin/suspend/{userId}`
+///
+/// Check the suspension status of a target user
+pub(crate) async fn get_suspended_status(
+	State(services): State<crate::State>,
+	body: Ruma<get_suspended::v1::Request>,
+) -> Result<get_suspended::v1::Response> {
+	let sender_user = body.sender_user();
+	if !services.users.is_admin(sender_user).await {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	};
+	if !services.globals.user_is_local(&body.user_id) {
+		return Err!(Request(InvalidParam("Can only check the suspended status of local users")));
+	};
+	if !services.users.is_active(&body.user_id).await {
+		return Err!(Request(NotFound("Unknown user")));
+	}
+	Ok(get_suspended::v1::Response::new(
+		services.users.is_suspended(&body.user_id).await?,
+	))
+}
+
+/// # `PUT /_matrix/client/v1/admin/suspend/{userId}`
+///
+/// Set the suspension status of a target user
+pub(crate) async fn put_suspended_status(
+	State(services): State<crate::State>,
+	body: Ruma<set_suspended::v1::Request>,
+) -> Result<set_suspended::v1::Response> {
+	let sender_user = body.sender_user();
+	if !services.users.is_admin(sender_user).await {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	};
+	if !services.globals.user_is_local(&body.user_id) {
+		return Err!(Request(InvalidParam("Can only set the suspended status of local users")));
+	};
+	if !services.users.is_active(&body.user_id).await {
+		return Err!(Request(NotFound("Unknown user")));
+	}
+	if body.user_id == *sender_user {
+		return Err!(Request(Forbidden("You cannot suspend yourself")));
+	}
+	if services.users.is_admin(&body.user_id).await {
+		return Err!(Request(Forbidden("You cannot suspend another admin")));
+	}
+	if services.users.is_suspended(&body.user_id).await? == body.suspended {
+		// No change
+		return Ok(set_suspended::v1::Response::new(body.suspended));
+	}
+
+	let action = if body.suspended {
+		services
+			.users
+			.suspend_account(&body.user_id, sender_user)
+			.await;
+		"suspended"
+	} else {
+		services.users.unsuspend_account(&body.user_id).await;
+		"unsuspended"
+	};
+
+	if services.config.admin_room_notices {
+		// Notify the admin room that an account has been un/suspended
+		services
+			.admin
+			.send_text(&format!("{} has been {} by {}.", body.user_id, action, sender_user))
+			.await;
+	}
+
+	Ok(set_suspended::v1::Response::new(body.suspended))
+}
diff --git a/src/api/client/mod.rs b/src/api/client/mod.rs
index be335cba..c8ca7757 100644
--- a/src/api/client/mod.rs
+++ b/src/api/client/mod.rs
@@ -1,5 +1,6 @@
 pub(super) mod account;
 pub(super) mod account_data;
+pub(super) mod admin;
 pub(super) mod alias;
 pub(super) mod appservice;
 pub(super) mod backup;
@@ -43,6 +44,7 @@ pub(super) mod well_known;
 pub use account::full_user_deactivate;
 pub(super) use account::*;
 pub(super) use account_data::*;
+pub(super) use admin::*;
 pub(super) use alias::*;
 pub(super) use appservice::*;
 pub(super) use backup::*;
diff --git a/src/api/router.rs b/src/api/router.rs
index 8072fa5b..42934f70 100644
--- a/src/api/router.rs
+++ b/src/api/router.rs
@@ -184,6 +184,8 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 			"/_matrix/client/unstable/im.nheko.summary/rooms/:room_id_or_alias/summary",
 			get(client::get_room_summary_legacy)
 		)
+		.ruma_route(&client::get_suspended_status)
+		.ruma_route(&client::put_suspended_status)
 		.ruma_route(&client::well_known_support)
 		.ruma_route(&client::well_known_client)
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))

From ab1ca2764aed088cf3351ba6a4bc9133144a2f68 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sun, 31 Aug 2025 17:07:19 +0100
Subject: [PATCH 10/18] feat(MSC4323): Advertise suspension support in
 capabilities

---
 src/api/client/capabilities.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/api/client/capabilities.rs b/src/api/client/capabilities.rs
index c42c6dfd..2f9d6299 100644
--- a/src/api/client/capabilities.rs
+++ b/src/api/client/capabilities.rs
@@ -23,6 +23,11 @@ pub(crate) async fn get_capabilities_route(
 ) -> Result<get_capabilities::v3::Response> {
 	let available: BTreeMap<RoomVersionId, RoomVersionStability> =
 		Server::available_room_versions().collect();
+	let authenticated = _body.sender_user.as_ref().is_some()
+		&& services
+			.users
+			.is_active_local(_body.sender_user.as_ref().unwrap())
+			.await;
 
 	let mut capabilities = Capabilities::default();
 	capabilities.room_versions = RoomVersionsCapability {
@@ -45,5 +50,15 @@ pub(crate) async fn get_capabilities_route(
 		json!({"enabled": services.config.forget_forced_upon_leave}),
 	)?;
 
+	if authenticated
+		&& services
+			.users
+			.is_admin(_body.sender_user.as_ref().unwrap())
+			.await
+	{
+		// Advertise suspension API
+		capabilities.set("uk.timedout.msc4323", json!({"suspend":true, "lock": false}))?;
+	}
+
 	Ok(get_capabilities::v3::Response { capabilities })
 }

From 6402a0e58fd55b070ed35fb95db6efe9e96e8edc Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Wed, 30 Jul 2025 19:19:32 +0100
Subject: [PATCH 11/18] feat: Force leave remote rooms admin command

---
 src/admin/user/commands.rs         | 30 ++++++++++++++++++++++++++++--
 src/admin/user/mod.rs              |  6 ++++++
 src/api/client/membership/leave.rs |  2 +-
 src/api/client/membership/mod.rs   |  2 +-
 4 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/src/admin/user/commands.rs b/src/admin/user/commands.rs
index 56864a32..37ab030c 100644
--- a/src/admin/user/commands.rs
+++ b/src/admin/user/commands.rs
@@ -1,8 +1,8 @@
 use std::{collections::BTreeMap, fmt::Write as _};
 
 use api::client::{
-	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, update_avatar_url,
-	update_displayname,
+	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room,
+	update_avatar_url, update_displayname,
 };
 use conduwuit::{
 	Err, Result, debug, debug_warn, error, info, is_equal_to,
@@ -926,3 +926,29 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 	))
 	.await
 }
+
+#[admin_command]
+pub(super) async fn force_leave_remote_room(
+	&self,
+	user_id: String,
+	room_id: OwnedRoomOrAliasId,
+) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+	let (room_id, _) = self
+		.services
+		.rooms
+		.alias
+		.resolve_with_servers(&room_id, None)
+		.await?;
+
+	assert!(
+		self.services.globals.user_is_local(&user_id),
+		"Parsed user_id must be a local user"
+	);
+	remote_leave_room(self.services, &user_id, &room_id, None)
+		.boxed()
+		.await?;
+
+	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
+		.await
+}
diff --git a/src/admin/user/mod.rs b/src/admin/user/mod.rs
index 656cacaf..366f7dd5 100644
--- a/src/admin/user/mod.rs
+++ b/src/admin/user/mod.rs
@@ -103,6 +103,12 @@ pub enum UserCommand {
 		room_id: OwnedRoomOrAliasId,
 	},
 
+	/// - Manually leave a remote room for a local user.
+	ForceLeaveRemoteRoom {
+		user_id: String,
+		room_id: OwnedRoomOrAliasId,
+	},
+
 	/// - Forces the specified user to drop their power levels to the room
 	///   default, if their permissions allow and the auth check permits
 	ForceDemote {
diff --git a/src/api/client/membership/leave.rs b/src/api/client/membership/leave.rs
index f4f1666b..0aadd833 100644
--- a/src/api/client/membership/leave.rs
+++ b/src/api/client/membership/leave.rs
@@ -215,7 +215,7 @@ pub async fn leave_room(
 	Ok(())
 }
 
-async fn remote_leave_room(
+pub async fn remote_leave_room(
 	services: &Services,
 	user_id: &UserId,
 	room_id: &RoomId,
diff --git a/src/api/client/membership/mod.rs b/src/api/client/membership/mod.rs
index 7a6f19ad..691419f6 100644
--- a/src/api/client/membership/mod.rs
+++ b/src/api/client/membership/mod.rs
@@ -29,7 +29,7 @@ pub(crate) use self::{
 };
 pub use self::{
 	join::join_room_by_id_helper,
-	leave::{leave_all_rooms, leave_room},
+	leave::{leave_all_rooms, leave_room, remote_leave_room},
 };
 use crate::{Ruma, client::full_user_deactivate};
 

From 3b6a0ec48a9bb140de110e6372fc339418a2ad3e Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Wed, 30 Jul 2025 19:29:33 +0100
Subject: [PATCH 12/18] fix: Make remote leave helper a public fn

---
 src/api/client/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api/client/mod.rs b/src/api/client/mod.rs
index e4be20b7..be335cba 100644
--- a/src/api/client/mod.rs
+++ b/src/api/client/mod.rs
@@ -55,7 +55,7 @@ pub(super) use keys::*;
 pub(super) use media::*;
 pub(super) use media_legacy::*;
 pub(super) use membership::*;
-pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room};
+pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room};
 pub(super) use message::*;
 pub(super) use openid::*;
 pub(super) use presence::*;

From a32aba6989a80b78df31de7cbdf5dbe2c4aa52ea Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Thu, 31 Jul 2025 17:48:30 +0100
Subject: [PATCH 13/18] feat: Only inject vias when manual ones aren't provided
 during join

---
 src/api/client/membership/join.rs | 49 ++++++++++++++++---------------
 1 file changed, 26 insertions(+), 23 deletions(-)

diff --git a/src/api/client/membership/join.rs b/src/api/client/membership/join.rs
index dc170cbf..f3434bf5 100644
--- a/src/api/client/membership/join.rs
+++ b/src/api/client/membership/join.rs
@@ -156,31 +156,34 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 			.await?;
 
 			let mut servers = body.via.clone();
-			servers.extend(
-				services
-					.rooms
-					.state_cache
-					.servers_invite_via(&room_id)
-					.map(ToOwned::to_owned)
-					.collect::<Vec<_>>()
-					.await,
-			);
+			if servers.is_empty() {
+				debug!("No via servers provided for join, injecting some.");
+				servers.extend(
+					services
+						.rooms
+						.state_cache
+						.servers_invite_via(&room_id)
+						.map(ToOwned::to_owned)
+						.collect::<Vec<_>>()
+						.await,
+				);
 
-			servers.extend(
-				services
-					.rooms
-					.state_cache
-					.invite_state(sender_user, &room_id)
-					.await
-					.unwrap_or_default()
-					.iter()
-					.filter_map(|event| event.get_field("sender").ok().flatten())
-					.filter_map(|sender: &str| UserId::parse(sender).ok())
-					.map(|user| user.server_name().to_owned()),
-			);
+				servers.extend(
+					services
+						.rooms
+						.state_cache
+						.invite_state(sender_user, &room_id)
+						.await
+						.unwrap_or_default()
+						.iter()
+						.filter_map(|event| event.get_field("sender").ok().flatten())
+						.filter_map(|sender: &str| UserId::parse(sender).ok())
+						.map(|user| user.server_name().to_owned()),
+				);
 
-			if let Some(server) = room_id.server_name() {
-				servers.push(server.to_owned());
+				if let Some(server) = room_id.server_name() {
+					servers.push(server.to_owned());
+				}
 			}
 
 			servers.sort_unstable();

From 143d39e371f7ec9857d06b64a20e25498dc4e5b4 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sat, 30 Aug 2025 21:31:23 +0100
Subject: [PATCH 14/18] chore(PR956): Update admin docs

---
 docs/admin_reference.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docs/admin_reference.md b/docs/admin_reference.md
index 18e039e4..1c9d4fb0 100644
--- a/docs/admin_reference.md
+++ b/docs/admin_reference.md
@@ -21,6 +21,7 @@ This document contains the help content for the `admin` command-line program.
 * [`admin users list-joined-rooms`↴](#admin-users-list-joined-rooms)
 * [`admin users force-join-room`↴](#admin-users-force-join-room)
 * [`admin users force-leave-room`↴](#admin-users-force-leave-room)
+* [`admin users force-leave-remote-room`↴](#admin-users-force-leave-remote-room)
 * [`admin users force-demote`↴](#admin-users-force-demote)
 * [`admin users make-user-admin`↴](#admin-users-make-user-admin)
 * [`admin users put-room-tag`↴](#admin-users-put-room-tag)
@@ -295,6 +296,7 @@ You can find the ID using the `list-appservices` command.
 * `list-joined-rooms` — - Lists all the rooms (local and remote) that the specified user is joined in
 * `force-join-room` — - Manually join a local user to a room
 * `force-leave-room` — - Manually leave a local user from a room
+* `force-leave-remote-room` — - Manually leave a remote room for a local user
 * `force-demote` — - Forces the specified user to drop their power levels to the room default, if their permissions allow and the auth check permits
 * `make-user-admin` — - Grant server-admin privileges to a user
 * `put-room-tag` — - Puts a room tag for the specified user and room ID
@@ -449,6 +451,19 @@ Reverses the effects of the `suspend` command, allowing the user to send message
 
 
 
+## `admin users force-leave-remote-room`
+
+- Manually leave a remote room for a local user
+
+**Usage:** `admin users force-leave-remote-room <USER_ID> <ROOM_ID>`
+
+###### **Arguments:**
+
+* `<USER_ID>`
+* `<ROOM_ID>`
+
+
+
 ## `admin users force-demote`
 
 - Forces the specified user to drop their power levels to the room default, if their permissions allow and the auth check permits

From 6068db1345b9538c42fedb13b25e9e5d11971616 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sun, 31 Aug 2025 16:55:47 +0100
Subject: [PATCH 15/18] feat(MSC4323): Implement agnostic suspension endpoint

---
 Cargo.lock                      | 22 +++++-----
 Cargo.toml                      |  2 +-
 src/api/client/admin/mod.rs     |  3 ++
 src/api/client/admin/suspend.rs | 77 +++++++++++++++++++++++++++++++++
 src/api/client/mod.rs           |  2 +
 src/api/router.rs               |  2 +
 6 files changed, 96 insertions(+), 12 deletions(-)
 create mode 100644 src/api/client/admin/mod.rs
 create mode 100644 src/api/client/admin/suspend.rs

diff --git a/Cargo.lock b/Cargo.lock
index 2b044a1f..a3962c31 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4058,7 +4058,7 @@ checksum = "88f8660c1ff60292143c98d08fc6e2f654d722db50410e3f3797d40baaf9d8f3"
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "assign",
  "js_int",
@@ -4078,7 +4078,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4090,7 +4090,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "as_variant",
  "assign",
@@ -4113,7 +4113,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "as_variant",
  "base64 0.22.1",
@@ -4145,7 +4145,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "as_variant",
  "indexmap 2.10.0",
@@ -4170,7 +4170,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "bytes",
  "headers",
@@ -4192,7 +4192,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "thiserror 2.0.12",
@@ -4201,7 +4201,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4211,7 +4211,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "cfg-if",
  "proc-macro-crate",
@@ -4226,7 +4226,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "js_int",
  "ruma-common",
@@ -4238,7 +4238,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=b753738047d1f443aca870896ef27ecaacf027da#b753738047d1f443aca870896ef27ecaacf027da"
+source = "git+https://forgejo.ellis.link/continuwuation/ruwuma?rev=8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd#8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 dependencies = [
  "base64 0.22.1",
  "ed25519-dalek",
diff --git a/Cargo.toml b/Cargo.toml
index 9452066c..e2af2d94 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -352,7 +352,7 @@ version = "0.1.2"
 [workspace.dependencies.ruma]
 git = "https://forgejo.ellis.link/continuwuation/ruwuma"
 #branch = "conduwuit-changes"
-rev = "b753738047d1f443aca870896ef27ecaacf027da"
+rev = "8fb268fa2771dfc3a1c8075ef1246e7c9a0a53fd"
 features = [
     "compat",
     "rand",
diff --git a/src/api/client/admin/mod.rs b/src/api/client/admin/mod.rs
new file mode 100644
index 00000000..8355a600
--- /dev/null
+++ b/src/api/client/admin/mod.rs
@@ -0,0 +1,3 @@
+mod suspend;
+
+pub(crate) use self::suspend::*;
diff --git a/src/api/client/admin/suspend.rs b/src/api/client/admin/suspend.rs
new file mode 100644
index 00000000..29682694
--- /dev/null
+++ b/src/api/client/admin/suspend.rs
@@ -0,0 +1,77 @@
+use axum::extract::State;
+use conduwuit::{Err, Result};
+use ruma::api::client::admin::{get_suspended, set_suspended};
+
+use crate::Ruma;
+
+/// # `GET /_matrix/client/v1/admin/suspend/{userId}`
+///
+/// Check the suspension status of a target user
+pub(crate) async fn get_suspended_status(
+	State(services): State<crate::State>,
+	body: Ruma<get_suspended::v1::Request>,
+) -> Result<get_suspended::v1::Response> {
+	let sender_user = body.sender_user();
+	if !services.users.is_admin(sender_user).await {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	};
+	if !services.globals.user_is_local(&body.user_id) {
+		return Err!(Request(InvalidParam("Can only check the suspended status of local users")));
+	};
+	if !services.users.is_active(&body.user_id).await {
+		return Err!(Request(NotFound("Unknown user")));
+	}
+	Ok(get_suspended::v1::Response::new(
+		services.users.is_suspended(&body.user_id).await?,
+	))
+}
+
+/// # `PUT /_matrix/client/v1/admin/suspend/{userId}`
+///
+/// Set the suspension status of a target user
+pub(crate) async fn put_suspended_status(
+	State(services): State<crate::State>,
+	body: Ruma<set_suspended::v1::Request>,
+) -> Result<set_suspended::v1::Response> {
+	let sender_user = body.sender_user();
+	if !services.users.is_admin(sender_user).await {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	};
+	if !services.globals.user_is_local(&body.user_id) {
+		return Err!(Request(InvalidParam("Can only set the suspended status of local users")));
+	};
+	if !services.users.is_active(&body.user_id).await {
+		return Err!(Request(NotFound("Unknown user")));
+	}
+	if body.user_id == *sender_user {
+		return Err!(Request(Forbidden("You cannot suspend yourself")));
+	}
+	if services.users.is_admin(&body.user_id).await {
+		return Err!(Request(Forbidden("You cannot suspend another admin")));
+	}
+	if services.users.is_suspended(&body.user_id).await? == body.suspended {
+		// No change
+		return Ok(set_suspended::v1::Response::new(body.suspended));
+	}
+
+	let action = if body.suspended {
+		services
+			.users
+			.suspend_account(&body.user_id, sender_user)
+			.await;
+		"suspended"
+	} else {
+		services.users.unsuspend_account(&body.user_id).await;
+		"unsuspended"
+	};
+
+	if services.config.admin_room_notices {
+		// Notify the admin room that an account has been un/suspended
+		services
+			.admin
+			.send_text(&format!("{} has been {} by {}.", body.user_id, action, sender_user))
+			.await;
+	}
+
+	Ok(set_suspended::v1::Response::new(body.suspended))
+}
diff --git a/src/api/client/mod.rs b/src/api/client/mod.rs
index be335cba..c8ca7757 100644
--- a/src/api/client/mod.rs
+++ b/src/api/client/mod.rs
@@ -1,5 +1,6 @@
 pub(super) mod account;
 pub(super) mod account_data;
+pub(super) mod admin;
 pub(super) mod alias;
 pub(super) mod appservice;
 pub(super) mod backup;
@@ -43,6 +44,7 @@ pub(super) mod well_known;
 pub use account::full_user_deactivate;
 pub(super) use account::*;
 pub(super) use account_data::*;
+pub(super) use admin::*;
 pub(super) use alias::*;
 pub(super) use appservice::*;
 pub(super) use backup::*;
diff --git a/src/api/router.rs b/src/api/router.rs
index 8072fa5b..42934f70 100644
--- a/src/api/router.rs
+++ b/src/api/router.rs
@@ -184,6 +184,8 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 			"/_matrix/client/unstable/im.nheko.summary/rooms/:room_id_or_alias/summary",
 			get(client::get_room_summary_legacy)
 		)
+		.ruma_route(&client::get_suspended_status)
+		.ruma_route(&client::put_suspended_status)
 		.ruma_route(&client::well_known_support)
 		.ruma_route(&client::well_known_client)
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))

From f29a881b236fa770484c9a43e09b48314b2908db Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sun, 31 Aug 2025 17:07:19 +0100
Subject: [PATCH 16/18] feat(MSC4323): Advertise suspension support in
 capabilities

---
 src/api/client/capabilities.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/api/client/capabilities.rs b/src/api/client/capabilities.rs
index c42c6dfd..2f9d6299 100644
--- a/src/api/client/capabilities.rs
+++ b/src/api/client/capabilities.rs
@@ -23,6 +23,11 @@ pub(crate) async fn get_capabilities_route(
 ) -> Result<get_capabilities::v3::Response> {
 	let available: BTreeMap<RoomVersionId, RoomVersionStability> =
 		Server::available_room_versions().collect();
+	let authenticated = _body.sender_user.as_ref().is_some()
+		&& services
+			.users
+			.is_active_local(_body.sender_user.as_ref().unwrap())
+			.await;
 
 	let mut capabilities = Capabilities::default();
 	capabilities.room_versions = RoomVersionsCapability {
@@ -45,5 +50,15 @@ pub(crate) async fn get_capabilities_route(
 		json!({"enabled": services.config.forget_forced_upon_leave}),
 	)?;
 
+	if authenticated
+		&& services
+			.users
+			.is_admin(_body.sender_user.as_ref().unwrap())
+			.await
+	{
+		// Advertise suspension API
+		capabilities.set("uk.timedout.msc4323", json!({"suspend":true, "lock": false}))?;
+	}
+
 	Ok(get_capabilities::v3::Response { capabilities })
 }

From d21f07a3ccb0dee0ad20a830838dfc5d66d3febe Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sun, 31 Aug 2025 17:10:56 +0100
Subject: [PATCH 17/18] style(MSC4323): Satisfy our linting overlords

---
 src/api/client/admin/suspend.rs | 8 ++++----
 src/api/client/capabilities.rs  | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/api/client/admin/suspend.rs b/src/api/client/admin/suspend.rs
index 29682694..0d3493f6 100644
--- a/src/api/client/admin/suspend.rs
+++ b/src/api/client/admin/suspend.rs
@@ -14,10 +14,10 @@ pub(crate) async fn get_suspended_status(
 	let sender_user = body.sender_user();
 	if !services.users.is_admin(sender_user).await {
 		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
-	};
+	}
 	if !services.globals.user_is_local(&body.user_id) {
 		return Err!(Request(InvalidParam("Can only check the suspended status of local users")));
-	};
+	}
 	if !services.users.is_active(&body.user_id).await {
 		return Err!(Request(NotFound("Unknown user")));
 	}
@@ -36,10 +36,10 @@ pub(crate) async fn put_suspended_status(
 	let sender_user = body.sender_user();
 	if !services.users.is_admin(sender_user).await {
 		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
-	};
+	}
 	if !services.globals.user_is_local(&body.user_id) {
 		return Err!(Request(InvalidParam("Can only set the suspended status of local users")));
-	};
+	}
 	if !services.users.is_active(&body.user_id).await {
 		return Err!(Request(NotFound("Unknown user")));
 	}
diff --git a/src/api/client/capabilities.rs b/src/api/client/capabilities.rs
index 2f9d6299..1fcb073f 100644
--- a/src/api/client/capabilities.rs
+++ b/src/api/client/capabilities.rs
@@ -19,14 +19,14 @@ use crate::Ruma;
 /// of this server.
 pub(crate) async fn get_capabilities_route(
 	State(services): State<crate::State>,
-	_body: Ruma<get_capabilities::v3::Request>,
+	body: Ruma<get_capabilities::v3::Request>,
 ) -> Result<get_capabilities::v3::Response> {
 	let available: BTreeMap<RoomVersionId, RoomVersionStability> =
 		Server::available_room_versions().collect();
-	let authenticated = _body.sender_user.as_ref().is_some()
+	let authenticated = body.sender_user.as_ref().is_some()
 		&& services
 			.users
-			.is_active_local(_body.sender_user.as_ref().unwrap())
+			.is_active_local(body.sender_user.as_ref().unwrap())
 			.await;
 
 	let mut capabilities = Capabilities::default();
@@ -53,7 +53,7 @@ pub(crate) async fn get_capabilities_route(
 	if authenticated
 		&& services
 			.users
-			.is_admin(_body.sender_user.as_ref().unwrap())
+			.is_admin(body.sender_user.as_ref().unwrap())
 			.await
 	{
 		// Advertise suspension API

From 338f1a4c4f18589133f52c72d2fc5ade239fdfd7 Mon Sep 17 00:00:00 2001
From: nexy7574 <git@nexy7574.co.uk>
Date: Sun, 31 Aug 2025 17:44:32 +0100
Subject: [PATCH 18/18] feat(MSC4323): Add versions flag

---
 src/api/client/unversioned.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/api/client/unversioned.rs b/src/api/client/unversioned.rs
index a4136d1a..7f19bc94 100644
--- a/src/api/client/unversioned.rs
+++ b/src/api/client/unversioned.rs
@@ -58,6 +58,7 @@ pub(crate) async fn get_supported_versions_route(
 			("uk.tcpip.msc4133".to_owned(), true), /* Extending User Profile API with Key:Value Pairs (https://github.com/matrix-org/matrix-spec-proposals/pull/4133) */
 			("us.cloke.msc4175".to_owned(), true), /* Profile field for user time zone (https://github.com/matrix-org/matrix-spec-proposals/pull/4175) */
 			("org.matrix.simplified_msc3575".to_owned(), true), /* Simplified Sliding sync (https://github.com/matrix-org/matrix-spec-proposals/pull/4186) */
+			("uk.timedout.msc4323".to_owned(), true), /* agnostic suspend (https://github.com/matrix-org/matrix-spec-proposals/pull/4323) */
 		]),
 	};