element-hq · sandhose · Jul 17, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -215,7 +215,7 @@ jobs:
         uses: actions/[email protected]
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@1.86.0
+        uses: dtolnay/rust-toolchain@1.87.0
         with:
           components: clippy
 

diff --git a/Dockerfile b/Dockerfile
@@ -12,7 +12,7 @@
 # The Debian version and version name must be in sync
 ARG DEBIAN_VERSION=12
 ARG DEBIAN_VERSION_NAME=bookworm
-ARG RUSTC_VERSION=1.86.0
+ARG RUSTC_VERSION=1.87.0
 ARG NODEJS_VERSION=20.15.0
 ARG OPA_VERSION=1.1.0
 ARG CARGO_AUDITABLE_VERSION=0.6.6

diff --git a/crates/cli/src/commands/config.rs b/crates/cli/src/commands/config.rs
@@ -72,7 +72,7 @@ impl Options {
             SC::Dump { output } => {
                 let _span = info_span!("cli.config.dump").entered();
 
-                let config = RootConfig::extract(figment)?;
+                let config = RootConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
                 let config = serde_yaml::to_string(&config)?;
 
                 if let Some(output) = output {
@@ -88,7 +88,7 @@ impl Options {
             SC::Check => {
                 let _span = info_span!("cli.config.check").entered();
 
-                let _config = RootConfig::extract(figment)?;
+                let _config = RootConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
                 info!("Configuration file looks good");
             }
 
@@ -105,7 +105,8 @@ impl Options {
 
                 if !synapse_config.is_empty() {
                     info!("Adjusting MAS config to match Synapse config from {synapse_config:?}");
-                    let synapse_config = syn2mas::synapse_config::Config::load(&synapse_config)?;
+                    let synapse_config = syn2mas::synapse_config::Config::load(&synapse_config)
+                        .map_err(anyhow::Error::from_boxed)?;
                     config = synapse_config.adjust_mas_config(config, &mut rng, clock.now());
                 }
 
@@ -121,7 +122,7 @@ impl Options {
             }
 
             SC::Sync { prune, dry_run } => {
-                let config = SyncConfig::extract(figment)?;
+                let config = SyncConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
                 let clock = SystemClock::default();
                 let encrypter = config.secrets.encrypter().await?;
 

diff --git a/crates/cli/src/commands/database.rs b/crates/cli/src/commands/database.rs
@@ -30,7 +30,8 @@ enum Subcommand {
 impl Options {
     pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
         let _span = info_span!("cli.database.migrate").entered();
-        let config = DatabaseConfig::extract_or_default(figment)?;
+        let config =
+            DatabaseConfig::extract_or_default(figment).map_err(anyhow::Error::from_boxed)?;
         let mut conn = database_connection_from_config(&config).await?;
 
         // Run pending migrations

diff --git a/crates/cli/src/commands/debug.rs b/crates/cli/src/commands/debug.rs
@@ -41,13 +41,16 @@ impl Options {
         match self.subcommand {
             SC::Policy { with_dynamic_data } => {
                 let _span = info_span!("cli.debug.policy").entered();
-                let config = PolicyConfig::extract_or_default(figment)?;
-                let matrix_config = MatrixConfig::extract(figment)?;
+                let config =
+                    PolicyConfig::extract_or_default(figment).map_err(anyhow::Error::from_boxed)?;
+                let matrix_config =
+                    MatrixConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
                 info!("Loading and compiling the policy module");
                 let policy_factory = policy_factory_from_config(&config, &matrix_config).await?;
 
                 if with_dynamic_data {
-                    let database_config = DatabaseConfig::extract(figment)?;
+                    let database_config =
+                        DatabaseConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
                     let pool = database_pool_from_config(&database_config).await?;
                     let repository_factory = PgRepositoryFactory::new(pool.clone());
                     load_policy_factory_dynamic_data(&policy_factory, &repository_factory).await?;

diff --git a/crates/cli/src/commands/doctor.rs b/crates/cli/src/commands/doctor.rs
@@ -33,7 +33,7 @@ impl Options {
             "💡 Running diagnostics, make sure that both MAS and Synapse are running, and that MAS is using the same configuration files as this tool."
         );
 
-        let config = RootConfig::extract(figment)?;
+        let config = RootConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
 
         // We'll need an HTTP client
         let http_client = mas_http::reqwest_client();

diff --git a/crates/cli/src/commands/manage.rs b/crates/cli/src/commands/manage.rs
@@ -223,8 +223,10 @@ impl Options {
                 let _span =
                     info_span!("cli.manage.set_password", user.username = %username).entered();
 
-                let database_config = DatabaseConfig::extract_or_default(figment)?;
-                let passwords_config = PasswordsConfig::extract_or_default(figment)?;
+                let database_config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let passwords_config = PasswordsConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
 
                 let mut conn = database_connection_from_config(&database_config).await?;
                 let password_manager = password_manager_from_config(&passwords_config).await?;
@@ -264,7 +266,8 @@ impl Options {
                 )
                 .entered();
 
-                let database_config = DatabaseConfig::extract_or_default(figment)?;
+                let database_config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
                 let mut conn = database_connection_from_config(&database_config).await?;
                 let txn = conn.begin().await?;
                 let mut repo = PgRepository::from_conn(txn);
@@ -318,7 +321,8 @@ impl Options {
                 admin,
                 device_id,
             } => {
-                let database_config = DatabaseConfig::extract_or_default(figment)?;
+                let database_config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
                 let mut conn = database_connection_from_config(&database_config).await?;
                 let txn = conn.begin().await?;
                 let mut repo = PgRepository::from_conn(txn);
@@ -376,7 +380,8 @@ impl Options {
                     (Some(_), true) => unreachable!(), // This should be handled by the clap group
                 };
 
-                let database_config = DatabaseConfig::extract_or_default(figment)?;
+                let database_config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
                 let mut conn = database_connection_from_config(&database_config).await?;
                 let txn = conn.begin().await?;
                 let mut repo = PgRepository::from_conn(txn);
@@ -403,7 +408,8 @@ impl Options {
 
             SC::ProvisionAllUsers => {
                 let _span = info_span!("cli.manage.provision_all_users").entered();
-                let database_config = DatabaseConfig::extract_or_default(figment)?;
+                let database_config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
                 let mut conn = database_connection_from_config(&database_config).await?;
                 let mut txn = conn.begin().await?;
 
@@ -429,7 +435,8 @@ impl Options {
             SC::KillSessions { username, dry_run } => {
                 let _span =
                     info_span!("cli.manage.kill_sessions", user.username = username).entered();
-                let database_config = DatabaseConfig::extract_or_default(figment)?;
+                let database_config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
                 let mut conn = database_connection_from_config(&database_config).await?;
                 let txn = conn.begin().await?;
                 let mut repo = PgRepository::from_conn(txn);
@@ -501,7 +508,8 @@ impl Options {
                 deactivate,
             } => {
                 let _span = info_span!("cli.manage.lock_user", user.username = username).entered();
-                let config = DatabaseConfig::extract_or_default(figment)?;
+                let config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
                 let mut conn = database_connection_from_config(&config).await?;
                 let txn = conn.begin().await?;
                 let mut repo = PgRepository::from_conn(txn);
@@ -537,7 +545,8 @@ impl Options {
             } => {
                 let _span =
                     info_span!("cli.manage.unlock_user", user.username = username).entered();
-                let config = DatabaseConfig::extract_or_default(figment)?;
+                let config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
                 let mut conn = database_connection_from_config(&config).await?;
                 let txn = conn.begin().await?;
                 let mut repo = PgRepository::from_conn(txn);
@@ -574,9 +583,12 @@ impl Options {
                 ignore_password_complexity,
             } => {
                 let http_client = mas_http::reqwest_client();
-                let password_config = PasswordsConfig::extract_or_default(figment)?;
-                let database_config = DatabaseConfig::extract_or_default(figment)?;
-                let matrix_config = MatrixConfig::extract(figment)?;
+                let password_config = PasswordsConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let database_config = DatabaseConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let matrix_config =
+                    MatrixConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
 
                 let password_manager = password_manager_from_config(&password_config).await?;
                 let homeserver = homeserver_connection_from_config(&matrix_config, http_client);

diff --git a/crates/cli/src/commands/server.rs b/crates/cli/src/commands/server.rs
@@ -59,7 +59,7 @@ impl Options {
     pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
         let span = info_span!("cli.run.init").entered();
         let mut shutdown = LifecycleManager::new()?;
-        let config = AppConfig::extract(figment)?;
+        let config = AppConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
 
         info!(version = crate::VERSION, "Starting up");
 
@@ -101,8 +101,10 @@ impl Options {
         } else {
             // Sync the configuration with the database
             let mut conn = pool.acquire().await?;
-            let clients_config = ClientsConfig::extract_or_default(figment)?;
-            let upstream_oauth2_config = UpstreamOAuth2Config::extract_or_default(figment)?;
+            let clients_config =
+                ClientsConfig::extract_or_default(figment).map_err(anyhow::Error::from_boxed)?;
+            let upstream_oauth2_config = UpstreamOAuth2Config::extract_or_default(figment)
+                .map_err(anyhow::Error::from_boxed)?;
 
             crate::sync::config_sync(
                 upstream_oauth2_config,

diff --git a/crates/cli/src/commands/syn2mas.rs b/crates/cli/src/commands/syn2mas.rs
@@ -96,6 +96,7 @@ impl Options {
         }
 
         let synapse_config = synapse_config::Config::load(&self.synapse_configuration_files)
+            .map_err(anyhow::Error::from_boxed)
             .context("Failed to load Synapse configuration")?;
 
         // Establish a connection to Synapse's Postgres database
@@ -111,7 +112,8 @@ impl Options {
             .await
             .context("could not connect to Synapse Postgres database")?;
 
-        let config = DatabaseConfig::extract_or_default(figment)?;
+        let config =
+            DatabaseConfig::extract_or_default(figment).map_err(anyhow::Error::from_boxed)?;
 
         let mut mas_connection = database_connection_from_config_with_options(
             &config,
@@ -131,7 +133,7 @@ impl Options {
             // First perform a config sync
             // This is crucial to ensure we register upstream OAuth providers
             // in the MAS database
-            let config = SyncConfig::extract(figment)?;
+            let config = SyncConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
             let clock = SystemClock::default();
             let encrypter = config.secrets.encrypter().await?;
 
@@ -213,7 +215,8 @@ impl Options {
 
             Subcommand::Migrate { dry_run } => {
                 let provider_id_mappings: HashMap<String, Uuid> = {
-                    let mas_oauth2 = UpstreamOAuth2Config::extract_or_default(figment)?;
+                    let mas_oauth2 = UpstreamOAuth2Config::extract_or_default(figment)
+                        .map_err(anyhow::Error::from_boxed)?;
 
                     mas_oauth2
                         .providers
@@ -252,7 +255,8 @@ impl Options {
                 let occasional_progress_logger_task =
                     tokio::spawn(occasional_progress_logger(progress.clone()));
 
-                let mas_matrix = MatrixConfig::extract(figment)?;
+                let mas_matrix =
+                    MatrixConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
                 syn2mas::migrate(
                     reader,
                     writer,

diff --git a/crates/cli/src/commands/templates.rs b/crates/cli/src/commands/templates.rs
@@ -37,13 +37,20 @@ impl Options {
             SC::Check => {
                 let _span = info_span!("cli.templates.check").entered();
 
-                let template_config = TemplatesConfig::extract_or_default(figment)?;
-                let branding_config = BrandingConfig::extract_or_default(figment)?;
-                let matrix_config = MatrixConfig::extract(figment)?;
-                let experimental_config = ExperimentalConfig::extract_or_default(figment)?;
-                let password_config = PasswordsConfig::extract_or_default(figment)?;
-                let account_config = AccountConfig::extract_or_default(figment)?;
-                let captcha_config = CaptchaConfig::extract_or_default(figment)?;
+                let template_config = TemplatesConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let branding_config = BrandingConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let matrix_config =
+                    MatrixConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
+                let experimental_config = ExperimentalConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let password_config = PasswordsConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let account_config = AccountConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
+                let captcha_config = CaptchaConfig::extract_or_default(figment)
+                    .map_err(anyhow::Error::from_boxed)?;
 
                 let clock = SystemClock::default();
                 // XXX: we should disallow SeedableRng::from_entropy

diff --git a/crates/cli/src/commands/worker.rs b/crates/cli/src/commands/worker.rs
@@ -29,7 +29,7 @@ impl Options {
     pub async fn run(self, figment: &Figment) -> anyhow::Result<ExitCode> {
         let shutdown = LifecycleManager::new()?;
         let span = info_span!("cli.worker.init").entered();
-        let config = AppConfig::extract(figment)?;
+        let config = AppConfig::extract(figment).map_err(anyhow::Error::from_boxed)?;
 
         // Connect to the database
         info!("Connecting to the database");

diff --git a/crates/cli/src/main.rs b/crates/cli/src/main.rs
@@ -115,8 +115,9 @@ async fn try_main() -> anyhow::Result<ExitCode> {
     // Load the base configuration files
     let figment = opts.figment();
 
-    let telemetry_config =
-        TelemetryConfig::extract_or_default(&figment).context("Failed to load telemetry config")?;
+    let telemetry_config = TelemetryConfig::extract_or_default(&figment)
+        .map_err(anyhow::Error::from_boxed)
+        .context("Failed to load telemetry config")?;
 
     // Setup Sentry
     let sentry = sentry::init((

diff --git a/crates/config/src/sections/captcha.rs b/crates/config/src/sections/captcha.rs
@@ -51,7 +51,10 @@ impl CaptchaConfig {
 impl ConfigurationSection for CaptchaConfig {
     const PATH: Option<&'static str> = Some("captcha");
 
-    fn validate(&self, figment: &figment::Figment) -> Result<(), figment::Error> {
+    fn validate(
+        &self,
+        figment: &figment::Figment,
+    ) -> Result<(), Box<dyn std::error::Error + Send + Sync + 'static>> {
         let metadata = figment.find_metadata(Self::PATH.unwrap());
 
         let error_on_field = |mut error: figment::error::Error, field: &'static str| {
@@ -67,11 +70,11 @@ impl ConfigurationSection for CaptchaConfig {
 
         if let Some(CaptchaServiceKind::RecaptchaV2) = self.service {
             if self.site_key.is_none() {
-                return Err(missing_field("site_key"));
+                return Err(missing_field("site_key").into());
             }
 
             if self.secret_key.is_none() {
-                return Err(missing_field("secret_key"));
+                return Err(missing_field("secret_key").into());
             }
         }