gui, man, authors: Update docs, translations, and contributors

### Purpose

Fix #9241 by expanding tildes in version paths.

When creating the versioner file system, first try to expand any leading
tildes to the user's home directory before handling relative paths. This
makes a version path `"~/p"` expand to `"$HOME/p"` instead of
`"/folder/~/p"`.

### Testing

Added a test to lib/versioner that exercises this code path. Also
manually tested with local syncthing instances.

.github/workflows/build-infra-dockers.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - infrastructure
+      - infra-*
 
 env:
   GO_VERSION: "~1.21.5"
@@ -14,6 +15,7 @@ env:
 jobs:
   docker-syncthing:
     name: Build and push Docker images
+    if: github.repository == 'syncthing/syncthing'
     runs-on: ubuntu-latest
     environment: docker
     strategy:
@@ -49,6 +51,17 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Set Docker tags (all branches)
+        run: |
+          tags=syncthing/${{ matrix.pkg }}:${{ github.sha }}
+          echo "TAGS=$tags" >> $GITHUB_ENV
+
+      - name: Set Docker tags (latest)
+        if: github.ref == 'refs/heads/infrastructure'
+        run: |
+          tags=syncthing/${{ matrix.pkg }}:latest,${{ env.TAGS }}
+          echo "TAGS=$tags" >> $GITHUB_ENV
+
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
@@ -56,6 +69,6 @@ jobs:
           file: ./Dockerfile.${{ matrix.pkg }}
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: syncthing/${{ matrix.pkg }}:latest,syncthing/${{ matrix.pkg }}:${{ github.sha }}
+          tags: ${{ env.TAGS }}
           labels: |
             org.opencontainers.image.revision=${{ github.sha }}

.github/workflows/build-syncthing.yaml

@@ -190,7 +190,7 @@ jobs:
           CODESIGN_TIMESTAMP_SERVER: ${{ secrets.CODESIGN_TIMESTAMP_SERVER }}
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packages-windows
           path: syncthing-windows-*.zip
@@ -235,7 +235,7 @@ jobs:
           CGO_ENABLED: "0"
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packages-linux
           path: syncthing-linux-*.tar.gz
@@ -334,7 +334,7 @@ jobs:
           zip -r "../$universal.zip" "$universal"
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packages-macos
           path: syncthing-*.zip
@@ -349,7 +349,7 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: packages-macos
 
@@ -431,7 +431,7 @@ jobs:
           CGO_ENABLED: "0"
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packages-other
           path: syncthing-*.tar.gz
@@ -471,7 +471,7 @@ jobs:
           mv "syncthing-source-$version.tar.gz" syncthing
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packages-source
           path: syncthing-source-*.tar.gz
@@ -504,7 +504,7 @@ jobs:
           fetch-depth: 0
 
       - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
 
       - name: Install signing tool
         run: |
@@ -543,7 +543,7 @@ jobs:
           GNUPG_SIGNING_KEY_BASE64: ${{ secrets.GNUPG_SIGNING_KEY_BASE64 }}
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: packages-signed
           path: packages/*
@@ -595,7 +595,7 @@ jobs:
           BUILD_USER: debian
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: debian-packages
           path: "*.deb"
@@ -620,7 +620,7 @@ jobs:
           fetch-depth: 0
 
       - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: packages-signed
           path: packages
@@ -662,13 +662,13 @@ jobs:
           fetch-depth: 0
 
       - name: Download signed packages
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: packages-signed
           path: packages
 
       - name: Download debian packages
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: debian-packages
           path: packages

AUTHORS

@@ -93,6 +93,7 @@ Daniel Barczyk <46358936+DanielBarczyk@users.noreply.github.com>
 Daniel Bergmann (brgmnn) <dan.arne.bergmann@gmail.com> <brgmnn@users.noreply.github.com>
 Daniel Harte (norgeous) <daniel@harte.me> <daniel@danielharte.co.uk> <norgeous@users.noreply.github.com>
 Daniel Martí (mvdan) <mvdan@mvdan.cc>
+Daniel Padrta <64928366+danpadcz@users.noreply.github.com>
 Darshil Chanpura (dtchanpura) <dtchanpura@gmail.com> <dcprime314@gmail.com>
 David Rimmer (dinosore) <dinosore@dbrsoftware.co.uk>
 deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
@@ -105,6 +106,7 @@ derekriemer <derek.riemer@colorado.edu>
 DerRockWolf <50499906+DerRockWolf@users.noreply.github.com>
 desbma <desbma@users.noreply.github.com>
 Devon G. Redekopp <devon@redekopp.com>
+diemade <spamkill@posteo.ch>
 digital <didev@dinid.net>
 Dimitri Papadopoulos Orfanos <3234522+DimitriPapadopoulos@users.noreply.github.com>
 Dmitry Saveliev (dsaveliev) <d.e.saveliev@gmail.com>
@@ -179,6 +181,7 @@ Jonathan Cross <jcross@gmail.com>
 Jonta <359397+Jonta@users.noreply.github.com>
 Jose Manuel Delicado (jmdaweb) <jmdaweb@hotmail.com> <jmdaweb@users.noreply.github.com>
 jtagcat <git-514635f7@jtag.cat> <git-12dbd862@jtag.cat>
+Julian Lehrhuber <jul13579@users.noreply.github.com>
 Jörg Thalheim <Mic92@users.noreply.github.com>
 Jędrzej Kula <kula.jedrek@gmail.com>
 K.B.Dharun Krishna <kbdharunkrishna@gmail.com>
@@ -241,6 +244,7 @@ Mingxuan Lin <gdlmx@users.noreply.github.com>
 mv1005 <49659413+mv1005@users.noreply.github.com>
 Nate Morrison (nrm21) <natemorrison@gmail.com>
 Naveen <172697+naveensrinivasan@users.noreply.github.com>
+nf <nf@wh3rd.net>
 Nicholas Rishel (PrototypeNM1) <rishel.nick@gmail.com> <PrototypeNM1@users.noreply.github.com>
 Nick Busey <NickBusey@users.noreply.github.com>
 Nico Stapelbroek <3368018+nstapelbroek@users.noreply.github.com>
@@ -300,6 +304,7 @@ Stefan Kuntz (Stefan-Code) <stefan.github@gmail.com> <Stefan.github@gmail.com>
 Stefan Tatschner (rumpelsepp) <stefan@sevenbyte.org> <rumpelsepp@sevenbyte.org> <stefan@rumpelsepp.org>
 Steven Eckhoff <steven.eckhoff.opensource@gmail.com>
 Suhas Gundimeda (snugghash) <suhas.gundimeda@gmail.com> <snugghash@gmail.com>
+Sven Bachmann <dev@mcbachmann.de>
 Syncthing Automation <automation@syncthing.net>
 Syncthing Release Automation <release@syncthing.net>
 Taylor Khan (nelsonkhan) <nelsonkhan@gmail.com>

README.md

@@ -89,7 +89,7 @@ build process.
 ## Signed Releases
 
 As of v0.10.15 and onwards, release binaries are GPG signed with the key
-D26E6ED000654A3E, available from https://syncthing.net/security.html and
+D26E6ED000654A3E, available from https://syncthing.net/security/ and
 most key servers.
 
 There is also a built-in automatic upgrade mechanism (disabled in some

cmd/syncthing/main.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/alecthomas/kong"
 	"github.com/thejerf/suture/v4"
+	"github.com/willabides/kongplete"
 
 	"github.com/syncthing/syncthing/cmd/syncthing/cli"
 	"github.com/syncthing/syncthing/cmd/syncthing/cmdutil"
@@ -133,10 +134,11 @@ var (
 // commands and options here are top level commands to syncthing.
 // Cli is just a placeholder for the help text (see main).
 var entrypoint struct {
-	Serve    serveOptions `cmd:"" help:"Run Syncthing"`
-	Generate generate.CLI `cmd:"" help:"Generate key and config, then exit"`
-	Decrypt  decrypt.CLI  `cmd:"" help:"Decrypt or verify an encrypted folder"`
-	Cli      cli.CLI      `cmd:"" help:"Command line interface for Syncthing"`
+	Serve              serveOptions                 `cmd:"" help:"Run Syncthing"`
+	Generate           generate.CLI                 `cmd:"" help:"Generate key and config, then exit"`
+	Decrypt            decrypt.CLI                  `cmd:"" help:"Decrypt or verify an encrypted folder"`
+	Cli                cli.CLI                      `cmd:"" help:"Command line interface for Syncthing"`
+	InstallCompletions kongplete.InstallCompletions `cmd:"" help:"Print commands to install shell completions"`
 }
 
 // serveOptions are the options for the `syncthing serve` command.
@@ -247,6 +249,7 @@ func main() {
 		log.Fatal(err)
 	}
 
+	kongplete.Complete(parser)
 	ctx, err := parser.Parse(args)
 	parser.FatalIfErrorf(err)
 	ctx.BindTo(l, (*logger.Logger)(nil)) // main logger available to subcommands
@@ -862,6 +865,7 @@ func cleanConfigDirectory() {
 		"backup-of-v0.8":     30 * 24 * time.Hour, // these neither
 		"tmp-index-sorter.*": time.Minute,         // these should never exist on startup
 		"support-bundle-*":   30 * 24 * time.Hour, // keep old support bundle zip or folder for a month
+		"csrftokens.txt":     0,                   // deprecated, remove immediately
 	}
 
 	for pat, dur := range patterns {

go.mod

@@ -8,36 +8,27 @@ require (
 	github.com/calmh/incontainer v0.0.0-20221224152218-b3e71b103d7a
 	github.com/calmh/xdr v1.1.0
 	github.com/ccding/go-stun v0.1.4
-	github.com/certifi/gocertifi v0.0.0-20210507211836-431795d63e8d // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chmduquesne/rollinghash v4.0.0+incompatible
-	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/d4l3k/messagediff v1.2.1
 	github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568
 	github.com/getsentry/raven-go v0.2.0
-	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.6
 	github.com/gobwas/glob v0.2.3
 	github.com/gogo/protobuf v1.3.2
-	github.com/golang/snappy v0.0.4 // indirect
 	github.com/greatroar/blobloom v0.7.2
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/jackpal/gateway v1.0.10
 	github.com/jackpal/go-nat-pmp v1.0.2
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/lib/pq v1.10.9
 	github.com/maruel/panicparse/v2 v2.3.1
-	github.com/maxbrunsfeld/counterfeiter/v6 v6.5.0
+	github.com/maxbrunsfeld/counterfeiter/v6 v6.7.0
 	github.com/minio/sha256-simd v1.0.1
 	github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75
 	github.com/oschwald/geoip2-golang v1.9.0
-	github.com/pierrec/lz4/v4 v4.1.18
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.17.0
-	github.com/prometheus/common v0.45.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.19
+	github.com/prometheus/client_golang v1.18.0
 	github.com/quic-go/quic-go v0.40.1
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
 	github.com/shirou/gopsutil/v3 v3.23.11
@@ -46,33 +37,54 @@ require (
 	github.com/thejerf/suture/v4 v4.0.2
 	github.com/urfave/cli v1.22.14
 	github.com/vitrun/qart v0.0.0-20160531060029-bf64b92db6b0
-	golang.org/x/crypto v0.16.0
-	golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
-	golang.org/x/mod v0.14.0 // indirect
+	github.com/willabides/kongplete v0.3.0
+	golang.org/x/crypto v0.17.0
+	golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc
 	golang.org/x/net v0.19.0
 	golang.org/x/sys v0.15.0
 	golang.org/x/text v0.14.0
 	golang.org/x/time v0.5.0
 	golang.org/x/tools v0.16.1
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/protobuf v1.32.0
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/alecthomas/assert/v2 v2.4.1 // indirect
+	github.com/alecthomas/repr v0.3.0 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/certifi/gocertifi v0.0.0-20210507211836-431795d63e8d // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/google/pprof v0.0.0-20231212022811-ec68065c825e // indirect
-	github.com/google/uuid v1.4.0 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/pprof v0.0.0-20231229205709-960ae82b1e42 // indirect
+	github.com/google/uuid v1.5.0 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-multierror v1.0.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/nxadm/tail v1.4.11 // indirect
 	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
+	github.com/onsi/gomega v1.30.0 // indirect
 	github.com/oschwald/maxminddb-golang v1.12.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/posener/complete v1.2.3 // indirect
 	github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.4.1 // indirect
+	github.com/riywo/loginshell v0.0.0-20200815045211-7d26008be1ab // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
-	go.uber.org/mock v0.3.0 // indirect
+	go.uber.org/mock v0.4.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
 )
 
 // https://github.com/gobwas/glob/pull/55

go.sum

@@ -3,12 +3,15 @@ github.com/AudriusButkevicius/recli v0.0.7-0.20220911121932-d000ce8fbf0f/go.mod
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/alecthomas/assert/v2 v2.1.0 h1:tbredtNcQnoSd3QBhQWI7QZ3XHOVkw1Moklp2ojoH/0=
+github.com/alecthomas/assert/v2 v2.4.1 h1:mwPZod/d35nlaCppr6sFP0rbCL05WH9fIo7lvsf47zo=
+github.com/alecthomas/assert/v2 v2.4.1/go.mod h1:fw5suVxB+wfYJ3291t0hRTqtGzFYdSwstnRQdaQx2DM=
 github.com/alecthomas/kong v0.8.1 h1:acZdn3m4lLRobeh3Zi2S2EpnXTd1mOL6U7xVml+vfkY=
 github.com/alecthomas/kong v0.8.1/go.mod h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqro/2132U=
-github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE=
-github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alecthomas/repr v0.3.0 h1:NeYzUPfjjlqHY4KtzgKJiWd6sVq2eNUPTi34PiFGjY8=
+github.com/alecthomas/repr v0.3.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/calmh/glob v0.0.0-20220615080505-1d823af5017b h1:Fjm4GuJ+TGMgqfGHN42IQArJb77CfD/mAwLbDUoJe6g=
@@ -40,15 +43,18 @@ github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BMXYYRWT
 github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:rZfgFAXFS/z/lEd6LJmf9HVZ1LkgYiHx5pHhV5DR16M=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
 github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
@@ -79,13 +85,17 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20231212022811-ec68065c825e h1:bwOy7hAFd0C91URzMIEBfr6BAz29yk7Qj0cy6S7DJlU=
-github.com/google/pprof v0.0.0-20231212022811-ec68065c825e/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
+github.com/google/pprof v0.0.0-20231229205709-960ae82b1e42 h1:dHLYa5D8/Ta0aLR2XcPsrkpAgGeFs6thhMcQK0oQ0n8=
+github.com/google/pprof v0.0.0-20231229205709-960ae82b1e42/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
-github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/greatroar/blobloom v0.7.2 h1:F30MGLHOcb4zr0pwCPTcKdlTM70rEgkf+LzdUPc5ss8=
 github.com/greatroar/blobloom v0.7.2/go.mod h1:mjMJ1hh1wjGVfr93QIHJ6FfDNVrA0IELv8OvMHJxHKs=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -112,16 +122,17 @@ github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
-github.com/maxbrunsfeld/counterfeiter/v6 v6.5.0 h1:rBhB9Rls+yb8kA4x5a/cWxOufWfXt24E+kq4YlbGj3g=
-github.com/maxbrunsfeld/counterfeiter/v6 v6.5.0/go.mod h1:fJ0UAZc1fx3xZhU4eSHQDJ1ApFmTVhp5VTpV9tm2ogg=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.7.0 h1:z0CfPybq3CxaJvrrpf7Gme1psZTqHhJxf83q6apkSpI=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.7.0/go.mod h1:RVP6/F85JyxTrbJxWIdKU2vlSvK48iCMnMXRkSz7xtg=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
 github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8=
 github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75 h1:cUVxyR+UfmdEAZGJ8IiKld1O0dbGotEnkMolG5hfMSY=
 github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75/go.mod h1:pBbZyGwC5i16IBkjVKoy/sznA8jPD/K9iedwe1ESE6w=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
+github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
@@ -134,23 +145,26 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
-github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
+github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
+github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/oschwald/geoip2-golang v1.9.0 h1:uvD3O6fXAXs+usU+UGExshpdP13GAqp4GBrzN7IgKZc=
 github.com/oschwald/geoip2-golang v1.9.0/go.mod h1:BHK6TvDyATVQhKNbQBdrj9eAvuwOMi2zSFXizL3K81Y=
 github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
-github.com/pierrec/lz4/v4 v4.1.18 h1:xaKrnTkyoqfh1YItXl56+6KJNVYWlEEPuAQW9xsplYQ=
-github.com/pierrec/lz4/v4 v4.1.18/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pierrec/lz4/v4 v4.1.19 h1:tYLzDnjDXh9qIxSTKHwXwOYmm9d887Y7Y1ZkyXYHAN4=
+github.com/pierrec/lz4/v4 v4.1.19/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo=
+github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b h1:0LFwY6Q3gMACTjAbMZBjXAqTOzOwFaj2Ld6cjeQ7Rig=
 github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
-github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
+github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
 github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
@@ -163,6 +177,8 @@ github.com/quic-go/quic-go v0.40.1 h1:X3AGzUNFs0jVuO3esAGnTfvdgvL4fq655WaOi1snv1
 github.com/quic-go/quic-go v0.40.1/go.mod h1:PeN7kuVJ4xZbxSv/4OX6S1USOX8MJvydwpTx31vx60c=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/riywo/loginshell v0.0.0-20200815045211-7d26008be1ab h1:ZjX6I48eZSFetPb41dHudEyVr5v953N15TsNZXlkcWY=
+github.com/riywo/loginshell v0.0.0-20200815045211-7d26008be1ab/go.mod h1:/PfPXh0EntGc3QAAyUaviy4S9tzy4Zp0e2ilq4voC6E=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sclevine/spec v1.4.0 h1:z/Q9idDcay5m5irkZ28M7PtQM4aOISzOpj4bUPkDee8=
@@ -173,6 +189,7 @@ github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnj
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -193,22 +210,24 @@ github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
 github.com/vitrun/qart v0.0.0-20160531060029-bf64b92db6b0 h1:okhMind4q9H1OxF44gNegWkiP4H/gsTFLalHFa4OOUI=
 github.com/vitrun/qart v0.0.0-20160531060029-bf64b92db6b0/go.mod h1:TTbGUfE+cXXceWtbTHq6lqcTvYPBKLNejBEbnUsQJtU=
+github.com/willabides/kongplete v0.3.0 h1:8dJZ0r2a2YnSdYCQk9TjQDKzLrj1zUvIOPIG3bOV75c=
+github.com/willabides/kongplete v0.3.0/go.mod h1:VPdrG6LY+tP0LMkSBuTgIQ8c6+P8wvIDHVJzDdDh9Fw=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
 github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
-go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
+go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
+go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8=
-golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc h1:ao2WRsKSzW6KuUY9IWPwWahcHCgR0s52IfwutMfEbdM=
+golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -260,6 +279,7 @@ golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -305,8 +325,8 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
+google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=

gui/default/assets/lang/lang-ar.json

@@ -11,7 +11,7 @@
     "Add Device": "إضافة جهاز",
     "Add Folder": "إضافة مجلد",
     "Add Remote Device": "إضافة جهاز بعيد",
-    "Add devices from the introducer to our device list, for mutually shared folders.": "اضف أجهزة من المعرف/المقدم إلى قائمة الأجهزة الخاصة بنا، للمجلدات المشتركة بشكل متبادل.",
+    "Add devices from the introducer to our device list, for mutually shared folders.": "أضف أجهزة من الوسيط إلى قائمة الأجهزة الخاصة بنا، للمجلدات المشتركة بشكل متبادل.",
     "Add filter entry": "إضافة عامل التصفية",
     "Add ignore patterns": "أضف أنماط التجاهل",
     "Add new folder?": "إضافة مجلد جديد؟",
@@ -34,7 +34,7 @@
     "Apply": "تقدم",
     "Are you sure you want to override all remote changes?": "هل أنت متأكد أنك تريد تجاوز كافة التغييرات عن بُعد؟",
     "Are you sure you want to permanently delete all these files?": "هل أنت متأكد أنك تريد حذف كل هذه الملفات بشكل دائم؟",
-    "Are you sure you want to remove device {%name%}?": " هل انت متاكد من حذف الجهاز {{name}}? ",
+    "Are you sure you want to remove device {%name%}?": "هل أنت متيقِّن من حذف هذا الجهاز {{name}}؟",
     "Are you sure you want to remove folder {%label%}?": "هل انت متاكد من حذف المجلد {{label}}؟",
     "Are you sure you want to restore {%count%} files?": "هل انت متاكد من استعادة {{count}} ملف؟",
     "Are you sure you want to revert all local changes?": "هل أنت متأكد أنك تريد التراجع عن كافة التغييرات المحلية؟",
@@ -45,8 +45,8 @@
     "Automatic Crash Reporting": "التبليغ التلقائي للاخطاء",
     "Automatic upgrade now offers the choice between stable releases and release candidates.": "توفر الترقية التلقائية الاختيار بين النسخ الثابتة أو النسخ المرشحة.",
     "Automatic upgrades": "تحديث تلقائي",
-    "Automatic upgrades are always enabled for candidate releases.": "الترقية التلقائية مفعلة دائمًا للنسخ المرشحة. ",
-    "Automatically create or share folders that this device advertises at the default path.": "تلقائيا أنشئ وشارك المجلدات الموجودة في المسار الافتراضي.",
+    "Automatic upgrades are always enabled for candidate releases.": "الترقية التلقائية مفعلة دائمًا للنسخ المرشحة.",
+    "Automatically create or share folders that this device advertises at the default path.": "أنشئ وشارك المجلدات الموجودة في المسار الافتراضي تلقائيا.",
     "Available debug logging facilities:": "خدمات سجلات تدقيق البرمجيات المتوفرة:",
     "Be careful!": "احذر!",
     "Body:": "جسم:",
@@ -70,10 +70,10 @@
     "Connection Type": "نوع الاتصال",
     "Connections": "اتصالات",
     "Connections via relays might be rate limited by the relay": "قد يكون معدل التوصيلات عبر المرحلات محدودًا بواسطة المرحل",
-    "Continuously watching for changes is now available within Syncthing. This will detect changes on disk and issue a scan on only the modified paths. The benefits are that changes are propagated quicker and that less full scans are required.": "مراقبة الملفات بشكل مستمر متوفر في Syncthing. يتم فحص الملفات التي تم تغييرها في المسار فقط. هذا يساعد على تجنب فحص كامل المسار لأداء اسرع. ",
+    "Continuously watching for changes is now available within Syncthing. This will detect changes on disk and issue a scan on only the modified paths. The benefits are that changes are propagated quicker and that less full scans are required.": "مراقبة الملفات بشكل مستمر متوفر في Syncthing. يتم فحص الملفات التي تم تغييرها في المسار فقط. هذا يساعد على تجنب فحص كامل المسار لأداء اسرع.",
     "Copied from elsewhere": "منسوخ من مكان أخر",
     "Copied from original": "منسوخ من الأصل",
-    "Copied!": "تم النسخ",
+    "Copied!": "تم النسخ!",
     "Copy": "نسخ",
     "Copy failed! Try to select and copy manually.": "فشل النسخ! حاول التحديد والنسخ يدويًا.",
     "Currently Shared With Devices": "حاليًا تم مشاركته مع الأجهزة",
@@ -94,15 +94,15 @@
     "Deselect devices to stop sharing this folder with.": "قم بإلغاء تحديد الأجهزة لإيقاف مشاركة هذا المجلد معها.",
     "Deselect folders to stop sharing with this device.": "قم بإلغاء تحديد المجلدات لإيقاف المشاركة مع هذا الجهاز.",
     "Device": "جهاز",
-    "Device \"{%name%}\" ({%device%} at {%address%}) wants to connect. Add new device?": "الجهاز \"{{الاسم}}\" ({{الجهاز}} في {{العنوان}}) يرغب في الاتصال، إضافة جهاز جديد؟",
+    "Device \"{%name%}\" ({%device%} at {%address%}) wants to connect. Add new device?": "الجهاز \"{{name}}\" ({{device}} في {{address}}) يرغب في الاتصال، إضافة جهاز جديد؟",
     "Device Certificate": "شهادة الجهاز",
-    "Device ID": "هوية الجهاز",
-    "Device Identification": "هوية الجهاز",
-    "Device Name": "أسم الجهاز",
+    "Device ID": "معرف الجهاز",
+    "Device Identification": "معرف الجهاز",
+    "Device Name": "اسم الجهاز",
     "Device Status": "حالة الجهاز",
     "Device is untrusted, enter encryption password": "الجهاز غير موثوق به، أدخل كلمة مرور التشفير",
     "Device rate limits": "حدود معدل نقل البيانات",
-    "Device that last modified the item": "اخر جهاز جهاز عدل على العنصر",
+    "Device that last modified the item": "آخر من عدل على العنصر",
     "Devices": "الأجهزة",
     "Disable Crash Reporting": "تعطيل ميزة التبليغ عن الأخطاء",
     "Disabled": "معطل",
@@ -163,10 +163,10 @@
     "Files are protected from changes made on other devices, but changes made on this device will be sent to the rest of the cluster.": "الملفات محمية من التغييرات التي تم إجراؤها على الأجهزة الأخرى ، ولكن سيتم إرسال التغييرات التي تم إجراؤها على هذا الجهاز إلى بقية الأجهزة.",
     "Files are synchronized from the cluster, but any changes made locally will not be sent to other devices.": "تُزامَنُ الملفات من العنقود، لكن التغيرات المحلية على هذا الجهاز لاتُطَبَّقُ على غيره من الأجهزة.",
     "Filesystem Watcher Errors": "أخطاء مراقب نظام الملفات",
-    "Filter by date": "فلتره بالتاريخ ",
+    "Filter by date": "فلترة بالتاريخ",
     "Filter by name": "فلتر باستخدام الاسم",
     "Folder": "مجلد",
-    "Folder ID": "هوية المجلد",
+    "Folder ID": "مُعرِّف المجلد",
     "Folder Label": "تسمية المجلد",
     "Folder Path": "مسار المجلد",
     "Folder Status": "حالة المجلد",
@@ -176,25 +176,25 @@
     "Folders": "المجلدات",
     "For the following folders an error occurred while starting to watch for changes. It will be retried every minute, so the errors might go away soon. If they persist, try to fix the underlying issue and ask for help if you can't.": "للمجلدات التالية، حدث خطأ قبل بدء مشاهدة التغييرات. ستتم إعادة المحاولة كل دقيقة، نظرًا لذلك قد تختفي الأخطاء قريبًا. لكن إذا استمرت، فحاول حل المشكلة واطلب المساعدة إذا لم تستطع حل المشكلة.",
     "Forever": "للأبد",
-    "Full Rescan Interval (s)": "مدة أعاده الفحص الكامل (ثانية)",
+    "Full Rescan Interval (s)": "مدة إعادة الفحص الكامل (ثانية)",
     "GUI": "واجهة المستخدم الرسومية",
     "GUI / API HTTPS Certificate": "الواجهة / API وثيقة HTTPS",
     "GUI Authentication Password": "كلمة السر لتوثيق الواجهة",
-    "GUI Authentication User": "أسم المستخدم لدخول واجهة الرسومية",
+    "GUI Authentication User": "اسم المستخدم لدخول واجهة الرسومية",
     "GUI Authentication: Set User and Password": "توثيق الواجهة: أنشئ كلمة مرور للمستخدم",
     "GUI Listen Address": "واجهة الرسومية الاستماع الى العنوان",
     "GUI Override Directory": "مجلد إحلال الواجهة",
-    "GUI Theme": "شكل الواجه",
+    "GUI Theme": "شكل الواجهة",
     "General": "عام",
     "Generate": "توليد",
     "Global Discovery": "الاكتشاف العالمي",
     "Global Discovery Servers": "الاكتشاف العالمي",
-    "Global State": "الحالة العامة ",
+    "Global State": "الحالة العامة",
     "Help": "مساعدة",
     "Hint: only deny-rules detected while the default is deny. Consider adding \"permit any\" as last rule.": "ملحوظة: إذا كان الإعداد الافتراضي هو الرفض، وحدها قواعد الرفض تُرصد. جرب إضافة \"السماح للكل\" كخيار أخير.",
     "Home page": "الصفحة الرئيسية",
     "However, your current settings indicate you might not want it enabled. We have disabled automatic crash reporting for you.": "ومع ذلك، تشير إعداداتك الحالية إلى أنك قد لا ترغب في تمكينه. لذلك تم تعطيل الإبلاغ التلقائي عن الأعطال.",
-    "Identification": "التعرف",
+    "Identification": "المُعرِّف",
     "If untrusted, enter encryption password": "في حالة الرِّيبة، أدخل كلمة سر التشفير",
     "If you want to prevent other users on this computer from accessing Syncthing and through it your files, consider setting up authentication.": "إذا أردت منع المستخدمين الآخرين على هذا الحاسب من الوصول لملفاتك من خلال Syncthing، يُنصَح بإعداد وثائق الملكية.",
     "Ignore": "تجاهل",
@@ -206,11 +206,11 @@
     "Ignored at": "تجاهل عند",
     "Included Software": "البرامج المُضمَّنة",
     "Incoming Rate Limit (KiB/s)": "الحد الأقصى البيانات الواردة (KiB/s)",
-    "Incorrect configuration may damage your folder contents and render Syncthing inoperable.": "الإعدادات الغير صحيحه قد تدمر بيانات المجلد وتجعل المزامنة غير صالحه للعمل",
+    "Incorrect configuration may damage your folder contents and render Syncthing inoperable.": "الإعدادات الغير صحيحة قد تدمر بيانات المجلد وتُفْشِلُ المزامنة.",
     "Incorrect user name or password.": "رُصِدَ خطأ في اسم المستخدم أو كلمة المرور.",
     "Internally used paths:": "المسار المستخدم محليّا:",
     "Introduced By": "عرف بواسطة",
-    "Introducer": "المعرف",
+    "Introducer": "الوسيط",
     "Introduction": "تقديم",
     "Inversion of the given condition (i.e. do not exclude)": "عكس الحالة المذكورة (مثلا: لا تستثنِ)",
     "Keep Versions": "احتفظ بالاصدارات",
@@ -219,10 +219,10 @@
     "Last 30 Days": "الثلاثون يومًا السابقة",
     "Last 7 Days": "الأيام السبعة السابقة",
     "Last Month": "الشهر الماضي",
-    "Last Scan": "اخر فحص",
+    "Last Scan": "آخر فحص",
     "Last seen": "اخر ظهور",
     "Latest Change": "اخر التغييرات",
-    "Learn more": "اعرف اكثر ",
+    "Learn more": "اعرف أكثر",
     "Learn more at {%url%}": "اطلع على المزيد في {{url}}",
     "Limit": "الحد",
     "Listener Failures": "فشل المستمع",
@@ -264,7 +264,7 @@
     "Newest First": "الأحدث أولا",
     "No": "لا",
     "No File Versioning": "لا تقسيم لإصدارات الملفات",
-    "No files will be deleted as a result of this operation.": "لن يتم حذف اي ملفات بسبب هذا العملية",
+    "No files will be deleted as a result of this operation.": "لن يتم حذف أي ملفات بسبب هذا العملية.",
     "No rules set": "لم تحدد قواعد",
     "No upgrades": "لا يوجد ترقيات",
     "Not shared": "لم يُشارَك",
@@ -273,7 +273,7 @@
     "OK": "موافق",
     "Off": "اطفئ",
     "Oldest First": "الأقدم أولا",
-    "Optional descriptive label for the folder. Can be different on each device.": "تسمية وصفية اختيارية للمجلد . يمكن أن تكون مختلفة على كل جهاز. ",
+    "Optional descriptive label for the folder. Can be different on each device.": "تسمية وصفية اختيارية للمجلد. يمكن أن تكون مختلفة على كل جهاز.",
     "Options": "خيارات",
     "Out of Sync": "خارج التزامن",
     "Out of Sync Items": "عناصر خارج التزامن",
@@ -287,13 +287,13 @@
     "Path where versions should be stored (leave empty for the default .stversions directory in the shared folder).": "المسار حيث تخزن الإصدارات (يترك فارغًا لدليل .vversions الافتراضي في المجلد المشترك).",
     "Paths": "المسارات",
     "Pause": "إيقاف",
-    "Pause All": "أيقاف الكل ",
+    "Pause All": "إيقاف الكل",
     "Paused": "توقف",
     "Paused (Unused)": "متوقف (مهمل)",
     "Pending changes": "التغييرات المعلقة",
-    "Periodic scanning at given interval and disabled watching for changes": "المسح الدوري خلال فترة زمنية معينة وتعطيل مشاهدة التغييرات.",
-    "Periodic scanning at given interval and enabled watching for changes": "المسح الدوري خلال فترة زمنية معينة وتفعيل مشاهدة التغييرات.",
-    "Periodic scanning at given interval and failed setting up watching for changes, retrying every 1m:": "المسح الدوري خلال فترة زمنية معينة وفشل اعداد مشاهدة التغييرات، اعادة المحاولة كل 1 دقيقة.",
+    "Periodic scanning at given interval and disabled watching for changes": "الفحص الدوري خلال فترة زمنية معينة وتعطيل تَرقُّب التغييرات",
+    "Periodic scanning at given interval and enabled watching for changes": "المسح الدوري خلال فترة زمنية معينة وتفعيل تَرقُّب التغييرات",
+    "Periodic scanning at given interval and failed setting up watching for changes, retrying every 1m:": "المسح الدوري خلال فترة زمنية معينة وفشل إعداد تَرقُّب التغييرات، إعادة المحاولة كل 1 دقيقة:",
     "Permanently add it to the ignore list, suppressing further notifications.": "أدرجها أبداً على قائمة التجاهل، اكتم الإشعارات مستقبلا.",
     "Please consult the release notes before performing a major upgrade.": "يرجى العودة إلى ملاحظات الإصدار قبل تنفيذ ترقية رئيسية.",
     "Please set a GUI Authentication User and Password in the Settings dialog.": "تفضل بإنشاء مستخدما موثقا للواجهة وكلمة مرور من خلال قائمة الإعدادات.",
@@ -306,13 +306,13 @@
     "QR code": "الصورة المشفرة (QR)",
     "QUIC LAN": "اتصال QUIC للشبكة المحلية (LAN)",
     "QUIC WAN": "QUIC الشبكة العامة",
-    "Quick guide to supported patterns": "الدليل مختصر للأنماط المدعومة ",
+    "Quick guide to supported patterns": "دليل مختصر للأنماط المدعومة",
     "Random": "عشوائي",
     "Receive Encrypted": "استلام المشفَّر",
     "Receive Only": "استقبال فقط",
     "Received data is already encrypted": "البيانات المستوردة مشفرة بالفعل",
     "Recent Changes": "اخر التغييرات",
-    "Reduced by ignore patterns": "تقليص بواسطة تجاهل الأنماط. ",
+    "Reduced by ignore patterns": "تقليص بواسطة تجاهل الأنماط",
     "Relay LAN": "ترحيل الشبكة المحلية (LAN)",
     "Relay WAN": "ترحيل الشبكة العامة (WAN)",
     "Release Notes": "ملاحظات الإصدار",
@@ -322,32 +322,32 @@
     "Remove": "إزالة",
     "Remove Device": "حذف جهاز",
     "Remove Folder": "حذف مجلد",
-    "Required identifier for the folder. Must be the same on all cluster devices.": "يتطلب معرفًا للمجلد. يجب أن يستخدم نفس المعرف لبقية الأجهزة. ",
+    "Required identifier for the folder. Must be the same on all cluster devices.": "يتطلب معرفًا للمجلد. يجب أن يستخدم نفس المعرف لبقية الأجهزة.",
     "Rescan": "إعادة فحص",
-    "Rescan All": "أعادة فحص الكل",
+    "Rescan All": "إعادة فحص الكل",
     "Rescans": "يعيد الفحص",
     "Restart": "إعادة تشغيل",
     "Restart Needed": "مطلوب أعادة تشغيل",
     "Restarting": "يتم إعادة التشغيل",
     "Restore": "استعادة",
-    "Restore Versions": "استعادة أصدارات ",
+    "Restore Versions": "استعادة إصدارات",
     "Resume": "استرد",
-    "Resume All": "استعادة الكل ",
-    "Reused": "إعادة الاستخدام",
+    "Resume All": "استئناف الجميع",
+    "Reused": "مُعادة الاستخدام",
     "Revert": "الرجوع عن التغيير",
     "Revert Local Changes": "التراجع عن التغييرات",
     "Save": "حفظ",
     "Saving changes": "تُحفَظ التعديلات",
     "Scan Time Remaining": "فحص الوقت المتبقي",
     "Scanning": "يتم الفحص",
-    "See external versioning help for supported templated command line parameters.": "راجع تعليمات الإصدارات الخارجية لمعرفة القيم المدعومة في سطر الأوامر. ",
+    "See external versioning help for supported templated command line parameters.": "راجع تعليمات الإصدارات الخارجية لمعرفة القيم المدعومة في سطر الأوامر.",
     "Select All": "تحديد الكل",
-    "Select a version": "اختار أصدار ",
+    "Select a version": "اختر إصداراً",
     "Select additional devices to share this folder with.": "اختيار المزيد من الأجهزة التي ترغب في مشاركة هذا المجلد معها.",
     "Select additional folders to share with this device.": "اختيار المزيد من المجلدات لمشاركتها مع هذا الجهاز.",
-    "Select latest version": "اختار اخر أصدار ",
+    "Select latest version": "اختر آخر إصدار",
     "Select oldest version": "اختيار أقدم إصدار",
-    "Send & Receive": "إرسال واستقبال ",
+    "Send & Receive": "إرسال واستقبال",
     "Send Extended Attributes": "أرسل البيانات الثانوية",
     "Send Only": "إرسال فقط",
     "Send Ownership": "أرسل الملكية",
@@ -361,13 +361,13 @@
     "Shared Folders": "المجلدات المُشارَكة",
     "Shared With": "مشاركة مع",
     "Sharing": "مشاركه",
-    "Show ID": "عرض الهوية",
+    "Show ID": "عرض المُعرِّف",
     "Show QR": "اظهار QR",
     "Show detailed discovery status": "اعرض حالة الاكتشاف تفصيليا",
     "Show detailed listener status": "اعرض حالة الاستماع تفصيليا",
-    "Show diff with previous version": "اظهر الفرق مع النسخة السابقة ",
-    "Shown instead of Device ID in the cluster status. Will be advertised to other devices as an optional default name.": "يُعرَض بدلا من الهوية في حالة العنقود. سيُروَّج للأجهزة الأخرى على انه اسم اساسي محتمل.",
-    "Shown instead of Device ID in the cluster status. Will be updated to the name the device advertises if left empty.": "يُعرَض بدلا من الهوية في حالة العنقود. إذا تُرك فارغا، سيُحدَّث إلى الاسم المختار من قِبَل الجهاز.",
+    "Show diff with previous version": "أظهر الفرق مقارنةً بالنسخة السابقة",
+    "Shown instead of Device ID in the cluster status. Will be advertised to other devices as an optional default name.": "يُعرَض بدلا من المُعرِّف ضمن العناقيد. سيُروَّج للأجهزة الأخرى على أنه اسم أساسي محتمل.",
+    "Shown instead of Device ID in the cluster status. Will be updated to the name the device advertises if left empty.": "يُعرَض بدلا من المُعرِّف ضمن العناقيد. إذا تُرك فارغا، سيُحدَّث إلى الاسم المختار من قِبَل الجهاز.",
     "Shutdown": "إغلاق",
     "Shutdown Complete": "تم الإغلاق",
     "Simple": "بسيط",
@@ -379,13 +379,14 @@
     "Some items could not be restored:": "بعض العناصر لا يمكن استرجاعها:",
     "Some listening addresses could not be enabled to accept connections:": "بعض عناوين الاستماع لا يمكن تفعيلها لقبول الاتصالات:",
     "Source Code": "مصدر الشفرة",
-    "Stable releases and release candidates": "الإصدارات المستقرة والإصدارات المرشحة.",
+    "Stable releases and release candidates": "الإصدارات المستقرة والإصدارات المرشحة",
     "Stable releases are delayed by about two weeks. During this time they go through testing as release candidates.": "الإصدارات المستقرة تأخرت بنحو أسبوعين. خلال هذه الفترة يتم إجراء الاختبارات كإصدارات مرشحة.",
     "Stable releases only": "الإصدارات المستقرة فقط",
     "Staggered": "مترنِّح",
     "Staggered File Versioning": "تقسمات إصدارات الملف مهترئة",
     "Start Browser": "تشغيل المتصفح",
     "Statistics": "إحصائيات",
+    "Stay logged in": "ابقِ مُسجل الدخول",
     "Stopped": "متوقف",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "يُزامن ويخزن البيانات المشفرة فقط. يجب أن تكون المجلدات على جميع الأجهزة مُجهزَّة بكلمة المرور نفسها، أو أن تكون من نوع \"{{receiveEncrypted}}\".",
     "Subject:": "الموضوع:",
@@ -396,7 +397,7 @@
     "Sync Protocol Listen Addresses": "عناوين بروتوكول استقبال المزامنة",
     "Sync Status": "وضع المزامنة",
     "Syncing": "يتم التزامن",
-    "Syncthing device ID for \"{%devicename%}\"": "هوية Syncthing الجهاز لـ {{devicename}}",
+    "Syncthing device ID for \"{%devicename%}\"": "مُعرِّف Syncthing للجهاز {{devicename}}",
     "Syncthing has been shut down.": "تم إيقاف Syncthing.",
     "Syncthing includes the following software or portions thereof:": "المزامنة تتضمن البرامج التالية أو أجزائها:",
     "Syncthing is Free and Open Source Software licensed as MPL v2.0.": "Syncthing هو برنامج حر مفتوح المصدر تحت ترخيص MPL v2.0 (ترخيص موزيلا العام النسخة الثانية).",
@@ -418,18 +419,18 @@
     "The aggregated statistics are publicly available at the URL below.": "الإحصاءات المجمعة متاحة للجميع على العنوان التالي.",
     "The cleanup interval cannot be blank.": "المدة بين عمليات التنظيف لا يمكن تركها فارغة.",
     "The configuration has been saved but not activated. Syncthing must restart to activate the new configuration.": "تم حفظ الإعدادات ولكن لم يتم تفعيلها بعد. يجب أعادة تشغيل Syncthing حتى تم تفعيل الإعدادات.",
-    "The device ID cannot be blank.": "هوية الجهاز لا يمكن أن تكون فارغة.",
-    "The device ID to enter here can be found in the \"Actions > Show ID\" dialog on the other device. Spaces and dashes are optional (ignored).": "يمكنك أن تجد هوية الجهاز الذي ينبغي استخدامه هنا في قائمة \"الإجراءات > عرض الهوية\" على الجهاز الآخر. المسافات والخطوط الاعتراضية تُتجاهَل.",
+    "The device ID cannot be blank.": "مُعرِّف الجهاز لا يمكن أن يكون فارغاً.",
+    "The device ID to enter here can be found in the \"Actions > Show ID\" dialog on the other device. Spaces and dashes are optional (ignored).": "يمكنك أن تجد مُعرِّف الجهاز الذي ينبغي استخدامه هنا في قائمة \"الإجراءات > عرض المُعرِّف\" على الجهاز الآخر. المسافات والخطوط الاعتراضية تُتجاهَل.",
     "The encrypted usage report is sent daily. It is used to track common platforms, folder sizes, and app versions. If the reported data set is changed you will be prompted with this dialog again.": "تقارير الاستخدام المشفرة ترسل يوميا. تُستخدم هذه التقارير لتتبع المنصات الشائعة، أحجام المجلدات، إصدارات التطبيق. إذا تغيرت بنود هذا التقرير، ستواجَهُ بهذه النافذة مرة أخرى.",
-    "The entered device ID does not look valid. It should be a 52 or 56 character string consisting of letters and numbers, with spaces and dashes being optional.": "الهوية المُقَدَّمَة ناقصة على ما يبدو. الهوية مكوَّنة من 52 أو 56 رمزا بين حروف وأرقام، مع تجاهل المسافات الفارغة وخطوط الاعتراض.",
-    "The folder ID cannot be blank.": "هوية المجلد لا يمكن أن تكون فارغة.",
-    "The folder ID must be unique.": "يجب أن يكون عنوان المجلد فريد ",
+    "The entered device ID does not look valid. It should be a 52 or 56 character string consisting of letters and numbers, with spaces and dashes being optional.": "المُعرِّف المُقَدَّم ناقص على ما يبدو. المُعرِّف مكوَّن من 52 أو 56 رمزاً بين حروف وأرقام، مع تجاهل المسافات الفارغة والخطوط الفاصلة.",
+    "The folder ID cannot be blank.": "معرف المجلد لا يمكن أن يكون فارغاً.",
+    "The folder ID must be unique.": "يجب أن يكون عنوان المجلد فريداً.",
     "The folder content on other devices will be overwritten to become identical with this device. Files not present here will be deleted on other devices.": "ستحل محتويات هذا المجلد محل محتويات مجلدات الأجهزة الأخرى. الملفات التي ليس لها وجود هنا ستحذف عن الأجهزة الأخرى.",
     "The folder content on this device will be overwritten to become identical with other devices. Files newly added here will be deleted.": "ستحل البيانات في الأجهزة الأخرى محل البيانات في هذا المجلد. ستحذف الملفات التي ستُنشأ هنا.",
-    "The folder path cannot be blank.": "مسار المجلد لا يمكن أن يكون فارغ",
+    "The folder path cannot be blank.": "مسار المجلد لا يمكن أن يكون فارغاً.",
     "The following intervals are used: for the first hour a version is kept every 30 seconds, for the first day a version is kept every hour, for the first 30 days a version is kept every day, until the maximum age a version is kept every week.": "المُدَد التالية مُستخدَمة: تُحفظ نسخة كل 30 ثانية في الساعة الأولى، ونسخة كل ساعة لبقية اليوم الأول، ونسخة يومية لأول ثلاثين يوما، ونسخة أسبوعية للأمد.",
-    "The following items could not be synchronized.": "فشل مزامنة العناصر التالية",
-    "The following items were changed locally.": "تم تغيير العناصر التالية محليا",
+    "The following items could not be synchronized.": "فشلت مزامنة العناصر التالية.",
+    "The following items were changed locally.": "غُيِّرت العناصر التالية محليا.",
     "The following methods are used to discover other devices on the network and announce this device to be found by others:": "الطرق التالية مستخدمة للإعلان عن هذا الجهاز، وإيجاد الأجهزة الأخرى أيضا:",
     "The following text will automatically be inserted into a new message.": "النص التالي سيُضمَّن تلقائيا في رسالة جديدة.",
     "The following unexpected items were found.": "عُثِر على المحتوى غير المتوقع التالي.",
@@ -440,7 +441,7 @@
     "The number of connections must be a non-negative number.": "عدد الاتصالات يجب ألا يكون سالبا.",
     "The number of days must be a number and cannot be blank.": "حقل عدد الأيام يجب أن يكون رقم ولا يمكن تركه فارغ.",
     "The number of days to keep files in the trash can. Zero means forever.": "عدد أيام حفظ الملفات في سلة المهملات. الصفر يعني إلى الأبد.",
-    "The number of old versions to keep, per file.": "عدد النسخ القديمة المحفوظة، لكل ملف. ",
+    "The number of old versions to keep, per file.": "عدد النسخ القديمة المحفوظة، لكل ملف.",
     "The number of versions must be a number and cannot be blank.": "حقل عدد النسخ يجب أن يكون رقم ولا يمكن أن تركة فارغا.",
     "The path cannot be blank.": "المسار لا يمكن أن يكون فارغ.",
     "The rate limit is applied to the accumulated traffic of all connections to this device.": "السرعة القصوى المختارة لنقل البيانات المتراكمة من جميع الاتصالات على هذا الجهاز.",
@@ -456,7 +457,7 @@
     "This Month": "هذا الشهر",
     "This can easily give hackers access to read and change any files on your computer.": "هذا قد يسبب في اختراق جهازك.",
     "This device cannot automatically discover other devices or announce its own address to be found by others.  Only devices with statically configured addresses can connect.": "لا يمكن لهذا الجهاز أن يرصد الأجهزة الأخرى تلقائيا، ولا أن يعلن عنوانه ليمكن الأجهزة الأخرى من إيجاده. الأجهزة ثابتة العناوين فقط يمكن أن تتصل.",
-    "This is a major version upgrade.": "ترقية أساسية ",
+    "This is a major version upgrade.": "ترقية أساسية.",
     "This setting controls the free space required on the home (i.e., index database) disk.": "هذا الخيار يتحكم في المساحة الفارغة المطلوبة من القرص الرئيسي.",
     "Time": "الوقت",
     "Time the item was last modified": "توقيت اخر تعديل للعنصر",
@@ -478,16 +479,16 @@
     "Unshared Devices": "الأجهزة غير المُشَارَكة",
     "Unshared Folders": "المجلدات غير المُشارَكة",
     "Untrusted": "غير موثوق",
-    "Up to Date": "اخز أصدار ",
+    "Up to Date": "مُزَامَن",
     "Updated {%file%}": "مُحَدَّث {{file}}",
     "Upgrade": "ترقية",
-    "Upgrade To {%version%}": "ترقية الى {{version}} ",
+    "Upgrade To {%version%}": "ترقية إلى النسخة {{version}}",
     "Upgrading": "جاري الترقية",
     "Upload Rate": "معدل الرفع",
     "Uptime": "وقت التشغيل",
     "Usage reporting is always enabled for candidate releases.": "تقارير الاستخدام مفعلة دائمًا للنسخ المرشحة.",
-    "Use HTTPS for GUI": "استخدام HTTPS مع الواجه الرسومية ",
-    "Use notifications from the filesystem to detect changed items.": "استخدم أشغارات نظام الملفات لمعرفة الملفات المتغيرة",
+    "Use HTTPS for GUI": "استخدم HTTPS لتأمين واجهة المستخدم",
+    "Use notifications from the filesystem to detect changed items.": "استخدم إشعارات نظام الملفات لمعرفة الملفات المتغيرة.",
     "User": "مستخدِم",
     "User Home": "منزل المستخدم",
     "Username/Password has not been set for the GUI authentication. Please consider setting it up.": "اسم المستخدم/كلمة المرور لم يُنشَآ لتوثيق الواجهة. يُرجى إنشاؤهما من فضلك.",
@@ -511,19 +512,19 @@
     "Watch for Changes": "راقب التغييرات",
     "Watching for Changes": "جاري مراقبة التغيرات",
     "Watching for changes discovers most changes without periodic scanning.": "مراقبة التغييرات تكشف معظم التغييرات دون إجراء المسح الدوري.",
-    "When adding a new device, keep in mind that this device must be added on the other side too.": "يجب أضافه الأجهزة الجديدة في الطرفين",
+    "When adding a new device, keep in mind that this device must be added on the other side too.": "يجب إضافة الأجهزة الجديدة في الطرفين.",
     "When adding a new folder, keep in mind that the Folder ID is used to tie folders together between devices. They are case sensitive and must match exactly between all devices.": "عند إضافة مجلد جديد ، ضع في الاعتبار أن معرف المجلد يُستخدم لربط المجلدات معًا بين الأجهزة المختلفة. وهي حساسة لحالة الأحرف لذا يجب أن تتطابق تمامًا بين جميع الأجهزة.",
     "When set to more than one on both devices, Syncthing will attempt to establish multiple concurrent connections. If the values differ, the highest will be used. Set to zero to let Syncthing decide.": "إذا عُرفَّ Syncthing بأنه أكثر من واحد على كلا الجهازين، فإنه سيحاول إقامة عدة اتصالات متوازية. إذا اختلفت القِيَم، أعلاها ستُستخدَم. صَفِّرها لتترك القرار لـ Syncthing.",
     "Yes": "نعم",
     "Yesterday": "أمس",
     "You can also copy and paste the text into a new message manually.": "يكنك نسخ النص لتدرجه في رسالة جديدة بنفسك.",
-    "You can also select one of these nearby devices:": "يمكنك أيضا اختيار واحد من الأجهزة القريبة ",
+    "You can also select one of these nearby devices:": "يمكنك أيضا اختيار واحدة من الأجهزة القريبة:",
     "You can change your choice at any time in the Settings dialog.": "يمكنك تغيير اختيارك في أي وقت بواسطة الاعدادات.",
     "You can read more about the two release channels at the link below.": "يمكنك قراءة المزيد عن إصداريّ القناتين عبر الرابط بالأسفل.",
-    "You have no ignored devices.": "لا يوجد أجهزة في قائمة التجاهل ",
-    "You have no ignored folders.": "لا يوجد مجلدات في قائمه التجاهل ",
-    "You have unsaved changes. Do you really want to discard them?": "الإعدادات لم تحفظ. هل انت متأكد من الإلغاء؟ ",
-    "You must keep at least one version.": "يجب الاحتفاظ بنسخة واحده على الاقل",
+    "You have no ignored devices.": "لا أجهزة مُتجاهَلَةٌ.",
+    "You have no ignored folders.": "لا مجلدات مُتجاهَلَةٌ.",
+    "You have unsaved changes. Do you really want to discard them?": "الإعدادات لم تُحفظ. هل أنت متأكد من الإلغاء؟",
+    "You must keep at least one version.": "يجب الاحتفاظ بنسخة واحدة على الأقل.",
     "You should never add or change anything locally in a \"{%receiveEncrypted%}\" folder.": "ينبغي ألا تغير شيئا في المجلد المحلي في حالة كان \"{{receiveEncrypted}}\".",
     "Your SMS app should open to let you choose the recipient and send it from your own number.": "ينبغي أن يسمح تطبيق SMS لديك بأن تختار مستلما ويرسلها من رقمك.",
     "Your email app should open to let you choose the recipient and send it from your own address.": "ينبغي أن يسمح تطبيق البريد الإلكتروني الخاص بك باختيار مستلم و أن يرسلها من عنوانك.",
@@ -544,11 +545,11 @@
             "black": "أسوَد",
             "dark": "داكن",
             "default": "افتراضي",
-            "light": "خفيف"
+            "light": "أبيض"
         }
     },
     "unknown device": "جهاز مجهول",
-    "{%device%} wants to share folder \"{%folder%}\".": "{{device}} يريد مشاركة مجلد \"{{folder}}\". ",
-    "{%device%} wants to share folder \"{%folderlabel%}\" ({%folder%}).": "{{device}} يريد مشاركة مجلد \"{{folderlabel}}\" ({{folder}}). ",
+    "{%device%} wants to share folder \"{%folder%}\".": "{{device}} يريد مشاركة هذا المجلد \"{{folder}}\".",
+    "{%device%} wants to share folder \"{%folderlabel%}\" ({%folder%}).": "{{device}} يريد مشاركة هذا المجلد \"{{folderlabel}}\" ({{folder}}).",
     "{%reintroducer%} might reintroduce this device.": "{{reintroducer}} يمكن أن يعيد تقديم هذا الجهاز."
 }

gui/default/assets/lang/lang-cs.json

@@ -282,7 +282,7 @@
     "Pending changes": "Čekající změny",
     "Periodic scanning at given interval and disabled watching for changes": "Periodické skenování podle zadaného intervalu; sledování změn vypnuto",
     "Periodic scanning at given interval and enabled watching for changes": "Periodické skenování podle zadaného intervalu; sledování změn zapnuto",
-    "Periodic scanning at given interval and failed setting up watching for changes, retrying every 1m:": "Periodické skenování podle zadaného intervalu; nastavení sledování změn se nezdařilo, opětovný pokus každou 1 min: ",
+    "Periodic scanning at given interval and failed setting up watching for changes, retrying every 1m:": "Periodické skenování podle zadaného intervalu; nastavení sledování změn se nezdařilo, opětovný pokus každou 1 min:",
     "Permanently add it to the ignore list, suppressing further notifications.": "Natrvalo ignorovat, takže oznámení již nebudou přicházet.",
     "Please consult the release notes before performing a major upgrade.": "Před přechodem na novější hlavní verzi si nejdříve přečtěte poznámky k vydání nové verze.",
     "Please set a GUI Authentication User and Password in the Settings dialog.": "V dialogu Nastavení zadejte uživatelské jméno a heslo pro ověření se v GUI.",

gui/default/assets/lang/lang-de.json

@@ -99,6 +99,7 @@
     "Device ID": "Gerätekennung",
     "Device Identification": "Geräteidentifikation",
     "Device Name": "Gerätename",
+    "Device Status": "Gerätestatus",
     "Device is untrusted, enter encryption password": "Gerät wird nicht vertraut, Verschlüsselungspasswort eingeben",
     "Device rate limits": "Datenratenbegrenzungen fürs Gerät",
     "Device that last modified the item": "Gerät, das das Element zuletzt geändert hat",
@@ -168,6 +169,7 @@
     "Folder ID": "Ordnerkennung",
     "Folder Label": "Ordnerbezeichnung",
     "Folder Path": "Ordnerpfad",
+    "Folder Status": "Ordnerstatus",
     "Folder Type": "Ordnertyp",
     "Folder type \"{%receiveEncrypted%}\" can only be set when adding a new folder.": "Ordnertyp „{{receiveEncrypted}}“ kann nur beim Hinzufügen eines neuen Ordners festgelegt werden.",
     "Folder type \"{%receiveEncrypted%}\" cannot be changed after adding the folder. You need to remove the folder, delete or decrypt the data on disk, and add the folder again.": "Der Ordnertyp „{{receiveEncrypted}}“ kann nach dem Hinzufügen nicht geändert werden. Sie müssen den Ordner entfernen, die Daten auf dem Speichermedium löschen oder entschlüsseln und anschließend den Ordner wieder neu hinzufügen.",
@@ -384,6 +386,7 @@
     "Staggered File Versioning": "Stufenweise Dateiversionierung",
     "Start Browser": "Browser starten",
     "Statistics": "Statistiken",
+    "Stay logged in": "Angemeldet bleiben",
     "Stopped": "Gestoppt",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "Speichert und synchronisiert nur verschlüsselte Daten. Ordner auf allen verbundenen Geräten müssen mit dem selben Passwort eingerichtet werden oder vom Typ „{{receiveEncrypted}}“ sein.",
     "Subject:": "Betreff:",

gui/default/assets/lang/lang-en.json

@@ -386,6 +386,7 @@
     "Staggered File Versioning": "Staggered File Versioning",
     "Start Browser": "Start Browser",
     "Statistics": "Statistics",
+    "Stay logged in": "Stay logged in",
     "Stopped": "Stopped",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{{receiveEncrypted}}\" too.",
     "Subject:": "Subject:",

gui/default/assets/lang/lang-eo.json

@@ -192,7 +192,7 @@
     "Options": "Opcioj",
     "Out of Sync": "Elsinkronigita",
     "Out of Sync Items": "Elsinkronigitaj Eroj",
-    "Outgoing Rate Limit (KiB/s)": " Eliranta Rapideco Limo (KiB/s)",
+    "Outgoing Rate Limit (KiB/s)": "Eliranta Rapideco Limo (KiB/s)",
     "Override Changes": "Transpasi Ŝanĝojn",
     "Path": "Vojo",
     "Path to the folder on the local computer. Will be created if it does not exist. The tilde character (~) can be used as a shortcut for": "Vojo de la dosierujo en la loka komputilo. Kreiĝos se ne ekzistas. La tilda signo (~) povas esti uzata kiel mallongigilo por",

gui/default/assets/lang/lang-es.json

@@ -386,6 +386,7 @@
     "Staggered File Versioning": "Versionado escalonado de fichero",
     "Start Browser": "Iniciar el navegador",
     "Statistics": "Estadísticas",
+    "Stay logged in": "Permanecer conectado",
     "Stopped": "Detenido",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "Almacena y sincroniza sólo los datos cifrados. Las carpetas de todos los dispositivos conectados deben estar configuradas con la misma contraseña o ser también del tipo \"{{receiveEncrypted}}\".",
     "Subject:": "Asunto:",

gui/default/assets/lang/lang-eu.json

@@ -289,7 +289,7 @@
     "See external versioning help for supported templated command line parameters.": "Ikusi kanpoko bertsioen kudeatzailearen laguntza txantiloi bat erabiltzen duten komandoen lerro-parametroetarako.",
     "Select All": "Hautatu guztia",
     "Select a version": "Bertsio bat aukeratu",
-    "Select additional devices to share this folder with.": " Tresna gehigarriak hauta itzazu partekatze honekin sinkronizatzeko ",
+    "Select additional devices to share this folder with.": "Tresna gehigarriak hauta itzazu partekatze honekin sinkronizatzeko",
     "Select additional folders to share with this device.": "Aukeratu karpeta osagarriak gailu honekin partekatzeko.",
     "Select latest version": "Aukeratu azken bertsioa",
     "Select oldest version": "Aukeratu bertsio zaharrena",
@@ -316,7 +316,7 @@
     "Size": "Tamaina",
     "Smallest First": "Ttipienak lehenik",
     "Some discovery methods could not be established for finding other devices or announcing this device:": "Aurkikuntza-metodo batzuk ezin izan dira ezarri beste gailu batzuk aurkitzeko edo gailu honen berri emateko:",
-    "Some items could not be restored:": "Zenbat fitxategi ezin izan dira berreskuratu",
+    "Some items could not be restored:": "Zenbat fitxategi ezin izan dira berreskuratu:",
     "Some listening addresses could not be enabled to accept connections:": "Entzuteko helbide batzuek ezin dituzte konexioak onartu:",
     "Source Code": "Iturri kodea",
     "Stable releases and release candidates": "iraunkor eta aintzin-bertsioak",

gui/default/assets/lang/lang-fr-CA.json

@@ -23,7 +23,7 @@
     "Automatic upgrades": "Mises à jour automatiques",
     "Be careful!": "Faites attention !",
     "Changelog": "Historique des versions",
-    "Clean out after": "Purger après :",
+    "Clean out after": "Purger après",
     "Close": "Fermer",
     "Command": "Commande",
     "Comment, when used at the start of a line": "Commentaire lorsque utilisé en début de ligne",

gui/default/assets/lang/lang-fy.json

@@ -82,7 +82,7 @@
     "Default Ignore Patterns": "Standert Negearpatroanen",
     "Defaults": "Standertwearden",
     "Delete": "Fuortsmite",
-    "Delete Unexpected Items": " Unferwachte items wiskje",
+    "Delete Unexpected Items": "Unferwachte items wiskje",
     "Deleted {%file%}": "{{file}} is fuortsmiten",
     "Deselect All": "Alles Deselektearje",
     "Deselect devices to stop sharing this folder with.": "Kies de apparaten om dizze map net langer mei te dielen.",
@@ -170,7 +170,7 @@
     "However, your current settings indicate you might not want it enabled. We have disabled automatic crash reporting for you.": "Lykwols, jo aktuele ynstellings litte sjen dat jo it miskien net oan sette wol. Wy hawwe automatysk rapportearjen fan fêstrinnen foar jo útsetten.",
     "Identification": "Identifikaasje",
     "If untrusted, enter encryption password": "As net fertroud, fier dan fersiferingswachtwurd yn",
-    "If you want to prevent other users on this computer from accessing Syncthing and through it your files, consider setting up authentication.": "As jo ​​wolle foarkomme dat oare brûkers op dizze kompjûter tagong krije ta Syncthing en dêrtroch jo bestannen, oerweeg dan it ynstellen fan ferifikaasje.",
+    "If you want to prevent other users on this computer from accessing Syncthing and through it your files, consider setting up authentication.": "As jo wolle foarkomme dat oare brûkers op dizze kompjûter tagong krije ta Syncthing en dêrtroch jo bestannen, oerweeg dan it ynstellen fan ferifikaasje.",
     "Ignore": "Negearje",
     "Ignore Patterns": "Negear-patroanen",
     "Ignore Permissions": "Negear-rjochten",
@@ -305,7 +305,7 @@
     "Single level wildcard (matches within a directory only)": "Inkel-nivo jokerteken (wildcard) (fergeliket allinnich binnen in map)",
     "Size": "Grutte",
     "Smallest First": "Lytste earst",
-    "Some items could not be restored:": "Guon uûnderdielen koenen net tebeksetten wurde.",
+    "Some items could not be restored:": "Guon uûnderdielen koenen net tebeksetten wurde:",
     "Source Code": "Boarnekoade",
     "Stable releases and release candidates": "Stabyle ferzjes en ferzje kanditaten",
     "Stable releases are delayed by about two weeks. During this time they go through testing as release candidates.": "Stabyle ferzjes wurde likernôch twa wiken útstelt. Yn die tiid wurde se testen as ferzje kandidaten.",

gui/default/assets/lang/lang-hu.json

@@ -193,7 +193,7 @@
     "Ignore patterns can only be added after the folder is created. If checked, an input field to enter ignore patterns will be presented after saving.": "Mellőzési minták csak a mappa létrehozása után adhatók hozzá. Bejelölve egy beviteli mező fog megjelenni mentés után a mellőzési minták számára.",
     "Ignored Devices": "Mellőzött eszközök",
     "Ignored Folders": "Mellőzött mappák",
-    "Ignored at": "Mellőzve:",
+    "Ignored at": "Mellőzve",
     "Included Software": "Felhasznált szoftver",
     "Incoming Rate Limit (KiB/s)": "Bejövő sebességkorlát (KiB/s)",
     "Incorrect configuration may damage your folder contents and render Syncthing inoperable.": "Helytelen konfiguráció esetén károsodhat a mappák tartalma és működésképtelenné válhat a Syncthing.",

gui/default/assets/lang/lang-it.json

@@ -99,6 +99,7 @@
     "Device ID": "ID Dispositivo",
     "Device Identification": "Identificazione Dispositivo",
     "Device Name": "Nome Dispositivo",
+    "Device Status": "Stato Dispositivo",
     "Device is untrusted, enter encryption password": "Il dispositivo non è attendibile, inserisci la password di crittografia",
     "Device rate limits": "Limiti di velocità del dispositivo",
     "Device that last modified the item": "Dispositivo che ha modificato l'elemento per ultimo",
@@ -168,6 +169,7 @@
     "Folder ID": "ID Cartella",
     "Folder Label": "Etichetta per la Cartella",
     "Folder Path": "Percorso Cartella",
+    "Folder Status": "Stato Cartella",
     "Folder Type": "Tipo di Cartella",
     "Folder type \"{%receiveEncrypted%}\" can only be set when adding a new folder.": "Il tipo di cartella \"{{receiveEncrypted}}\" può essere impostata solo quando si aggiunge una nuova cartella.",
     "Folder type \"{%receiveEncrypted%}\" cannot be changed after adding the folder. You need to remove the folder, delete or decrypt the data on disk, and add the folder again.": "Il tipo di cartella \"{{receiveEncrypted}}\" non può essere modificato dopo aver aggiunto la cartella. È necessario rimuovere la cartella, eliminare o decrittografare i dati sul disco e aggiungere nuovamente la cartella.",
@@ -236,6 +238,7 @@
     "Log": "Log",
     "Log File": "File Log",
     "Log In": "Login",
+    "Log Out": "Disconnetti",
     "Log in to see paths information.": "Accedere per visualizzare le informazioni sui percorsi.",
     "Log in to see version information.": "Accedere per visualizzare le informazioni sulla versione.",
     "Log tailing paused. Scroll to the bottom to continue.": "Visualizzazione log in pausa. Scorri fino in fondo per continuare.",
@@ -544,6 +547,7 @@
             "light": "Chiaro"
         }
     },
+    "unknown device": "dispositivo sconosciuto",
     "{%device%} wants to share folder \"{%folder%}\".": "{{device}} vuole condividere la cartella \"{{folder}}\".",
     "{%device%} wants to share folder \"{%folderlabel%}\" ({%folder%}).": "{{device}} vuole condividere la cartella \"{{folderlabel}}\" ({{folder}}).",
     "{%reintroducer%} might reintroduce this device.": "{{reintroducer}} potrebbe reintrodurre questo dispositivo."

gui/default/assets/lang/lang-pl.json

@@ -386,6 +386,7 @@
     "Staggered File Versioning": "Rozbudowane wersjonowanie plików",
     "Start Browser": "Uruchom przeglądarkę",
     "Statistics": "Statystyki",
+    "Stay logged in": "Pozostań zalogowany",
     "Stopped": "Zatrzymany",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "Przechowuje i synchronizuje tylko zaszyfrowane dane. Foldery na wszystkich połączonych urządzeniach muszą używać tego samego hasła bądź też być rodzaju \"{{receiveEncrypted}}\".",
     "Subject:": "Tytuł:",

gui/default/assets/lang/lang-ru.json

@@ -15,7 +15,7 @@
     "Add filter entry": "Добавить правило фильтрации",
     "Add ignore patterns": "Добавить шаблоны для игнорирования",
     "Add new folder?": "Добавить новую папку?",
-    "Additionally the full rescan interval will be increased (times 60, i.e. new default of 1h). You can also configure it manually for every folder later after choosing No.": "Также будет увеличен интервал полного сканирования (в 60 раз, т. е. новое значение — 1 час). Вы можете вручную настроить интервал для каждой папки, выбрав \"Нет\".",
+    "Additionally the full rescan interval will be increased (times 60, i.e. new default of 1h). You can also configure it manually for every folder later after choosing No.": "Также будет увеличен интервал полного сканирования (в 60 раз, т. е. новое значение — 1 час). Вы можете вручную настроить интервал для каждой папки, выбрав «Нет».",
     "Address": "Адрес",
     "Addresses": "Адреса",
     "Advanced": "Дополнительно",
@@ -38,7 +38,7 @@
     "Are you sure you want to remove folder {%label%}?": "Уверены, что хотите удалить папку {{label}}?",
     "Are you sure you want to restore {%count%} files?": "Уверены, что хотите восстановить {{count}} файлов?",
     "Are you sure you want to revert all local changes?": "Уверены, что хотите отменить все локальные изменения?",
-    "Are you sure you want to upgrade?": "Уверены, что хотите обновить?",
+    "Are you sure you want to upgrade?": "Уверены, что хотите обновить версию приложения?",
     "Authentication Required": "Требуется Аутентификация",
     "Authors": "Авторы",
     "Auto Accept": "Автопринятие",
@@ -81,14 +81,14 @@
     "Danger!": "Опасно!",
     "Database Location": "Расположение базы данных",
     "Debugging Facilities": "Средства отладки",
-    "Default": "По-умолчанию",
+    "Default": "По умолчанию",
     "Default Configuration": "Настройки по умолчанию",
-    "Default Device": "Стандартное Устройство",
+    "Default Device": "Стандартное устройство",
     "Default Folder": "Стандартная папка",
     "Default Ignore Patterns": "Шаблон игнорирования по умолчанию",
     "Defaults": "Стандартные параметры",
     "Delete": "Удалить",
-    "Delete Unexpected Items": "Удалить неожиданные элементы",
+    "Delete Unexpected Items": "Удалить неожиданные объекты",
     "Deleted {%file%}": "{{file}} удалён",
     "Deselect All": "Снять выделение",
     "Deselect devices to stop sharing this folder with.": "Отмените выбор устройств, чтобы прекратить совместное использование этой папки.",
@@ -99,6 +99,7 @@
     "Device ID": "ID устройства",
     "Device Identification": "Идентификация устройства",
     "Device Name": "Имя устройства",
+    "Device Status": "Статус устройства",
     "Device is untrusted, enter encryption password": "Устройство ненадёжно, укажите пароль шифрования",
     "Device rate limits": "Ограничения скорости для устройства",
     "Device that last modified the item": "Устройство, последним изменившее объект",
@@ -107,7 +108,7 @@
     "Disabled": "Отключено",
     "Disabled periodic scanning and disabled watching for changes": "Периодическое сканирование и отслеживание изменений отключено",
     "Disabled periodic scanning and enabled watching for changes": "Периодическое сканирование и отслеживание изменений отключено",
-    "Disabled periodic scanning and failed setting up watching for changes, retrying every 1m:": "Периодическое сканирование отключено, не удалось включить отслеживание изменений, повторная попытка каждую минуту.",
+    "Disabled periodic scanning and failed setting up watching for changes, retrying every 1m:": "Периодическое сканирование отключено, не удалось включить отслеживание изменений, повторная попытка каждую минуту:",
     "Disables comparing and syncing file permissions. Useful on systems with nonexistent or custom permissions (e.g. FAT, exFAT, Synology, Android).": "Отключает сравнение и синхронизацию разрешений файлов. Полезно для систем с несуществующими или настраиваемыми разрешениями (например, FAT, exFAT, Synology, Android).",
     "Discard": "Отменить",
     "Disconnected": "Нет соединения",
@@ -133,8 +134,8 @@
     "Edit Folder Defaults": "Изменить умолчания папки",
     "Editing {%path%}.": "Правка {{path}}.",
     "Enable Crash Reporting": "Включить отчёты о сбоях",
-    "Enable NAT traversal": "Включить NAT traversal",
-    "Enable Relaying": "Включить релеи",
+    "Enable NAT traversal": "Использовать обход NAT",
+    "Enable Relaying": "Использовать ретрансляторы",
     "Enabled": "Включено",
     "Enables sending extended attributes to other devices, and applying incoming extended attributes. May require running with elevated privileges.": "Включает отправку расширенных атрибутов на другие устройства и применение расширенных атрибутов локально. Может потребовать запуска с повышенными правами.",
     "Enables sending extended attributes to other devices, but not applying incoming extended attributes. This can have a significant performance impact. Always enabled when \"Sync Extended Attributes\" is enabled.": "Включает отправку расширенных атрибутов на другие устройства, но не применение расширенных атрибутов с других устройств. Это может значительно повлиять на производительность. Всегда активно, если включено «Синхронизировать расширенные атрибуты».",
@@ -150,15 +151,15 @@
     "Extended Attributes Filter": "Фильтр расширенных атрибутов",
     "External": "Внешний",
     "External File Versioning": "Внешний контроль версий файлов",
-    "Failed Items": "Сбои",
+    "Failed Items": "Сбойные объекты",
     "Failed to load file versions.": "Не удалось загрузить версии файлов.",
     "Failed to load ignore patterns.": "Не удалось загрузить шаблоны игнорирования.",
     "Failed to setup, retrying": "Не удалось настроить, пробуем ещё",
     "Failure to connect to IPv6 servers is expected if there is no IPv6 connectivity.": "Если нет IPv6-соединений, при подключении к IPv6-серверам произойдёт ошибка.",
     "File Pull Order": "Порядок получения файлов",
     "File Versioning": "Управление версиями",
-    "Files are moved to .stversions directory when replaced or deleted by Syncthing.": "Когда Syncthing изменяет или удаляет файлы, они помещаются в папку .stversions",
-    "Files are moved to date stamped versions in a .stversions directory when replaced or deleted by Syncthing.": "Когда Syncthing изменяет или удаляет файлы, их версии с отметками времени помещаются в папку .stversions",
+    "Files are moved to .stversions directory when replaced or deleted by Syncthing.": "Когда Syncthing изменяет или удаляет файлы, они помещаются в папку .stversions.",
+    "Files are moved to date stamped versions in a .stversions directory when replaced or deleted by Syncthing.": "Когда Syncthing изменяет или удаляет файлы, их версии с отметками времени помещаются в папку .stversions.",
     "Files are protected from changes made on other devices, but changes made on this device will be sent to the rest of the cluster.": "Файлы защищены от изменений сделанных на других устройствах, но изменения сделанные на этом устройстве будут отправлены всему кластеру.",
     "Files are synchronized from the cluster, but any changes made locally will not be sent to other devices.": "Файлы синхронизируются из группы, но изменения, сделанные на этом устройстве, не будут отправлены на другие устройства группы.",
     "Filesystem Watcher Errors": "Ошибки отслеживания файловой системы",
@@ -168,6 +169,7 @@
     "Folder ID": "ID папки",
     "Folder Label": "Ярлык папки",
     "Folder Path": "Путь к папке",
+    "Folder Status": "Статус папки",
     "Folder Type": "Тип папки",
     "Folder type \"{%receiveEncrypted%}\" can only be set when adding a new folder.": "Тип папки «{{receiveEncrypted}}» может быть указан только при создании новой папки.",
     "Folder type \"{%receiveEncrypted%}\" cannot be changed after adding the folder. You need to remove the folder, delete or decrypt the data on disk, and add the folder again.": "Тип папки «{{receiveEncrypted}}» не может быть изменён после добавления. Вам необходимо убрать папку, удалить или дешифровать данные на диске, а затем снова добавить папку.",
@@ -226,8 +228,8 @@
     "Listener Failures": "Ошибки прослушивателя",
     "Listener Status": "Статус прослушивателя",
     "Listeners": "Прослушиватель",
-    "Loading data...": "Загрузка данных...",
-    "Loading...": "Загрузка...",
+    "Loading data...": "Загрузка данных…",
+    "Loading...": "Загрузка…",
     "Local Additions": "Локальные дополнения",
     "Local Discovery": "Локальное обнаружение",
     "Local State": "Локальное состояние",
@@ -240,7 +242,7 @@
     "Log in to see paths information.": "Войдите, чтобы увидеть информацию о путях.",
     "Log in to see version information.": "Войдите, чтобы просмотреть информацию о версии.",
     "Log tailing paused. Scroll to the bottom to continue.": "Вывод журнала приостановлен. Прокрутите вниз, чтобы продолжить.",
-    "Login failed, see Syncthing logs for details.": "Не удалось войти в систему. Посмотреть подробности можно в журнале Syncthing",
+    "Login failed, see Syncthing logs for details.": "Не удалось войти в систему. Посмотреть подробности можно в журнале Syncthing.",
     "Logs": "Журналы",
     "Major Upgrade": "Обновление основной версии",
     "Mass actions": "Массовые действия",
@@ -262,10 +264,10 @@
     "Newest First": "Сначала новые",
     "No": "Нет",
     "No File Versioning": "Без управления версиями файлов",
-    "No files will be deleted as a result of this operation.": "В результате этой операции никакие файлы не будут удалены",
+    "No files will be deleted as a result of this operation.": "В результате этой операции никакие файлы не будут удалены.",
     "No rules set": "Правила не заданы",
     "No upgrades": "Нет обновлений",
-    "Not shared": "Не зашаренный",
+    "Not shared": "Нет общего доступа",
     "Notice": "Внимание",
     "Number of Connections": "Количество подключений",
     "OK": "ОК",
@@ -291,10 +293,10 @@
     "Pending changes": "Несохранённые изменения",
     "Periodic scanning at given interval and disabled watching for changes": "Периодическое сканирование с заданным интервалом, отслеживание изменений отключено",
     "Periodic scanning at given interval and enabled watching for changes": "Периодическое сканирование с заданным интервалом и включено отслеживание изменений",
-    "Periodic scanning at given interval and failed setting up watching for changes, retrying every 1m:": "Периодическое сканирование с заданным интервалом, неудачная настройка отслеживания изменений, повторная попытка каждую минуту.",
+    "Periodic scanning at given interval and failed setting up watching for changes, retrying every 1m:": "Периодическое сканирование с заданным интервалом, неудачная настройка отслеживания изменений, повторная попытка каждую минуту:",
     "Permanently add it to the ignore list, suppressing further notifications.": "Добавление в список игнорирования навсегда с подавлением будущих уведомлений.",
-    "Please consult the release notes before performing a major upgrade.": "Перед проведением обновления основной версии ознакомьтесь, пожалуйста, с замечаниями к версии",
-    "Please set a GUI Authentication User and Password in the Settings dialog.": "Установите имя пользователя и пароль для интерфейса в настройках",
+    "Please consult the release notes before performing a major upgrade.": "Перед проведением обновления основной версии ознакомьтесь, пожалуйста, с замечаниями к версии.",
+    "Please set a GUI Authentication User and Password in the Settings dialog.": "Установите имя пользователя и пароль для интерфейса в настройках.",
     "Please wait": "Пожалуйста, подождите",
     "Prefix indicating that the file can be deleted if preventing directory removal": "Префикс, указывающий что файл может быть удалён, если он мешает удалить папку",
     "Prefix indicating that the pattern should be matched without case sensitivity": "Префикс, указывающий что шаблон должен сопоставляться без учёта регистра",
@@ -338,7 +340,7 @@
     "Saving changes": "Изменения сохраняются",
     "Scan Time Remaining": "Оставшееся время сканирования",
     "Scanning": "Сканирование",
-    "See external versioning help for supported templated command line parameters.": "Поддерживаемые шаблонные параметры командной строки см. в документации сторонней программы контроля версий",
+    "See external versioning help for supported templated command line parameters.": "Поддерживаемые шаблонные параметры командной строки см. в документации сторонней программы контроля версий.",
     "Select All": "Выбрать все",
     "Select a version": "Выберите версию",
     "Select additional devices to share this folder with.": "Выберите дополнительные устройства, для которых будет доступна эта папка.",
@@ -384,6 +386,7 @@
     "Staggered File Versioning": "Ступенчатое управление версиями файлов",
     "Start Browser": "Запускать браузер",
     "Statistics": "Статистика",
+    "Stay logged in": "Оставаться в системе",
     "Stopped": "Остановлено",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "Хранит и синхронизирует только зашифрованные данные. Папки на всех подключённых устройствах должны быть настроены под один и тот же пароль или иметь тип «{{receiveEncrypted}}».",
     "Subject:": "Субьект:",
@@ -405,7 +408,7 @@
     "Syncthing is saving changes.": "Синхронизация это сохранение изменений.",
     "Syncthing is upgrading.": "Обновление Syncthing.",
     "Syncthing now supports automatically reporting crashes to the developers. This feature is enabled by default.": "Syncthing теперь поддерживает автоматическую отправку отчетов о сбоях разработчикам. Эта функция включена по умолчанию.",
-    "Syncthing seems to be down, or there is a problem with your Internet connection. Retrying…": "Кажется, Syncthing не запущен или есть проблемы с подключением к Интернету. Переподключаюсь...",
+    "Syncthing seems to be down, or there is a problem with your Internet connection. Retrying…": "Кажется, Syncthing не запущен или есть проблемы с подключением к Интернету. Переподключаюсь…",
     "Syncthing seems to be experiencing a problem processing your request. Please refresh the page or restart Syncthing if the problem persists.": "Syncthing столкнулся с проблемой при обработке Вашего запроса. Пожалуйста, обновите страницу или перезапустите Syncthing если проблема повторится.",
     "TCP LAN": "TCP LAN",
     "TCP WAN": "TCP WAN",
@@ -425,24 +428,24 @@
     "The folder content on other devices will be overwritten to become identical with this device. Files not present here will be deleted on other devices.": "Содержание папки на других устройствах будет перезаписано и станет идентично этому устройству. Файлы, отсутствующие здесь, будут удалены на других устройствах.",
     "The folder content on this device will be overwritten to become identical with other devices. Files newly added here will be deleted.": "Содержание папки на этом устройстве будет перезаписано и станет идентично другим устройствам. Новые файлы на этом устройстве будут удалены.",
     "The folder path cannot be blank.": "Путь к папке не должен быть пустым.",
-    "The following intervals are used: for the first hour a version is kept every 30 seconds, for the first day a version is kept every hour, for the first 30 days a version is kept every day, until the maximum age a version is kept every week.": "Используются следующие интервалы: в первый час версия меняется каждые 30 секунд, в первый день - каждый час, первые 30 дней - каждый день, после, до максимального срока - каждую неделю.",
-    "The following items could not be synchronized.": "Невозможно синхронизировать следующие объекты",
-    "The following items were changed locally.": "Следующие объекты были изменены локально",
+    "The following intervals are used: for the first hour a version is kept every 30 seconds, for the first day a version is kept every hour, for the first 30 days a version is kept every day, until the maximum age a version is kept every week.": "Используются следующие интервалы: в первый час версия меняется каждые 30 секунд, в первый день — каждый час, первые 30 дней — каждый день, после, до максимального срока — каждую неделю.",
+    "The following items could not be synchronized.": "Невозможно синхронизировать следующие объекты.",
+    "The following items were changed locally.": "Следующие объекты были изменены локально.",
     "The following methods are used to discover other devices on the network and announce this device to be found by others:": "Для обнаружения других устройств в сети и анонсирования этого устройства используются следующие методы:",
     "The following text will automatically be inserted into a new message.": "Следующий текст будет автоматически вставлен в новое сообщение.",
     "The following unexpected items were found.": "Были найдены следующие объекты.",
     "The interval must be a positive number of seconds.": "Интервал секунд должен быть положительным.",
     "The interval, in seconds, for running cleanup in the versions directory. Zero to disable periodic cleaning.": "Интервал в секундах для запуска очистки в каталоге версий. Ноль, чтобы отключить периодическую очистку.",
     "The maximum age must be a number and cannot be blank.": "Максимальный срок должен быть числом и не может быть пустым.",
-    "The maximum time to keep a version (in days, set to 0 to keep versions forever).": "Максимальный срок хранения версии (в днях, 0 значит вечное хранение).",
+    "The maximum time to keep a version (in days, set to 0 to keep versions forever).": "Максимальный срок хранения версии в днях (0 — бесконечно).",
     "The number of connections must be a non-negative number.": "Количество соединений должно быть неотрицательным.",
     "The number of days must be a number and cannot be blank.": "Количество дней должно быть числом и не может быть пустым.",
-    "The number of days to keep files in the trash can. Zero means forever.": "Количество дней хранения файлов в корзине. Ноль значит навсегда.",
+    "The number of days to keep files in the trash can. Zero means forever.": "Количество дней хранения файлов в корзине (0 — бесконечно).",
     "The number of old versions to keep, per file.": "Количество хранимых версий файла.",
     "The number of versions must be a number and cannot be blank.": "Количество версий должно быть числом и не может быть пустым.",
     "The path cannot be blank.": "Путь не может быть пустым.",
     "The rate limit is applied to the accumulated traffic of all connections to this device.": "Ограничение скорости применяется к накопленному трафику всех подключений к этому устройству.",
-    "The rate limit must be a non-negative number (0: no limit)": "Скорость должна быть неотрицательным числом (0: нет ограничения)",
+    "The rate limit must be a non-negative number (0: no limit)": "Скорость должна быть неотрицательным числом (0 — без ограничений)",
     "The remote device has not accepted sharing this folder.": "Удаленное устройство не разрешило общий доступ к этой папке.",
     "The remote device has paused this folder.": "Удаленное устройство приостановило эту папку.",
     "The rescan interval must be a non-negative number of seconds.": "Интервал пересканирования должен быть неотрицательным количеством секунд.",
@@ -468,8 +471,8 @@
     "Unavailable": "Недоступно",
     "Unavailable/Disabled by administrator or maintainer": "Недоступно или отключено администратором",
     "Undecided (will prompt)": "Не определено (запрашивать каждый раз)",
-    "Unexpected Items": "Неожиданные элементы",
-    "Unexpected items have been found in this folder.": "В папке найдены неожиданные элементы.",
+    "Unexpected Items": "Неожиданные объекты",
+    "Unexpected items have been found in this folder.": "В папке найдены неожиданные объекты.",
     "Unignore": "Не игнорировать",
     "Unknown": "Неизвестно",
     "Unshared": "Не общедоступно",
@@ -489,10 +492,10 @@
     "User": "Пользователь",
     "User Home": "Папка пользователя",
     "Username/Password has not been set for the GUI authentication. Please consider setting it up.": "Имя пользователя/пароль не был установлен для GUI-аутентификации. Настройте его.",
-    "Using a QUIC connection over LAN": "Использование QUIC-соединения по локальной сети",
-    "Using a QUIC connection over WAN": "Использование QUIC-соединения по всеобщей сети",
-    "Using a direct TCP connection over LAN": "Использование прямого TCP-соединения через LAN",
-    "Using a direct TCP connection over WAN": "Использование прямого TCP-соединения через WAN",
+    "Using a QUIC connection over LAN": "Использовать QUIC-соединения в LAN",
+    "Using a QUIC connection over WAN": "Использовать QUIC-соединения в WAN",
+    "Using a direct TCP connection over LAN": "Использовать прямые TCP-соединения в LAN",
+    "Using a direct TCP connection over WAN": "Использовать прямые TCP-соединения в WAN",
     "Version": "Версия",
     "Versions": "Версии",
     "Versions Path": "Путь к версиям",
@@ -533,7 +536,7 @@
     "files": "файлов",
     "folder": "папка",
     "full documentation": "полная документация",
-    "items": "элементы",
+    "items": "объекты",
     "modified": "изменено",
     "permit": "разрешить",
     "seconds": "сек.",

gui/default/assets/lang/lang-sv.json

@@ -386,6 +386,7 @@
     "Staggered File Versioning": "Filversionshantering i intervall",
     "Start Browser": "Starta webbläsaren",
     "Statistics": "Statistik",
+    "Stay logged in": "Förbli inloggad",
     "Stopped": "Stoppad",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "Lagrar och synkroniserar endast krypterade data. Mappar på alla anslutna enheter måste ställas in med samma lösenord eller också vara av typen \"{{receiveEncrypted}}\".",
     "Subject:": "Ämne:",

gui/default/assets/lang/lang-tr.json

@@ -386,6 +386,7 @@
     "Staggered File Versioning": "Aşamalı Dosya Sürümlendirme",
     "Start Browser": "Tarayıcıyı başlat",
     "Statistics": "İstatistikler",
+    "Stay logged in": "Oturum açık kal",
     "Stopped": "Durduruldu",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "Yalnızca şifrelenmiş verileri depolar ve eşitler. Tüm bağlı cihazlardaki klasörlerin de aynı parola ile ayarlanması veya \"{{receiveEncrypted}}\" türünde olması gerekir.",
     "Subject:": "Konu:",

gui/default/assets/lang/lang-zh-CN.json

@@ -386,6 +386,7 @@
     "Staggered File Versioning": "阶段版本控制",
     "Start Browser": "启动浏览器",
     "Statistics": "统计",
+    "Stay logged in": "保持登录",
     "Stopped": "已停止",
     "Stores and syncs only encrypted data. Folders on all connected devices need to be set up with the same password or be of type \"{%receiveEncrypted%}\" too.": "仅存储和同步加密的数据。所有连接的设备上的文件夹也需要使用相同的密码设置，或者也必须设置为“ {{receiveEncrypted}}”类型。",
     "Subject:": "主题：",

gui/default/assets/lang/lang-zh-TW.json

@@ -177,6 +177,7 @@
     "Ignore": "忽略",
     "Ignore Patterns": "忽略樣式",
     "Ignore Permissions": "忽略權限",
+    "Ignore patterns can only be added after the folder is created. If checked, an input field to enter ignore patterns will be presented after saving.": "忽略模式只能在建立資料夾之後新增。如果選取這個項目，會在儲存後顯示一個設定忽略模式的欄位。",
     "Ignored Devices": "已忽略的裝置",
     "Ignored Folders": "已忽略的資料夾",
     "Ignored at": "忽略時間",

gui/default/index.html

@@ -359,6 +359,12 @@
             <input id="password" class="form-control" type="password" name="password" ng-model="login.password" ng-trim="false" autocomplete="current-password" />
           </div>
 
+          <div class="form-group">
+            <label>
+              <input type="checkbox" ng-model="login.stayLoggedIn" >&nbsp;<span translate>Stay logged in</span>
+            </label>
+          </div>
+
           <div class="row">
             <div class="col-md-9 login-form-messages">
               <p ng-if="login.errors.badLogin" class="text-danger" translate>
@@ -910,7 +916,7 @@
                       </tr>
                       <tr ng-if="deviceCfg.introducedBy">
                         <th><span class="far fa-fw fa-handshake-o"></span>&nbsp;<span translate>Introduced By</span></th>
-                        <td class="text-right">{{ deviceName(devices[deviceCfg.introducedBy]) || deviceCfg.introducedBy.substring(0, 5) }}</td>
+                        <td class="text-right">{{ deviceName(devices[deviceCfg.introducedBy]) || deviceShortID(deviceCfg.introducedBy) }}</td>
                       </tr>
                       <tr ng-if="deviceCfg.autoAcceptFolders">
                         <th><span class="fa fa-fw fa-level-down"></span>&nbsp;<span translate>Auto Accept</span></th>

gui/default/syncthing/app.js

@@ -18,6 +18,9 @@ var syncthing = angular.module('syncthing', [
 var urlbase = 'rest';
 var authUrlbase = urlbase + '/noauth/auth';
 
+// keep consistent with ShortIDStringLength in lib/protocol/deviceid.go
+var shortIDStringLength = 7;
+
 syncthing.config(function ($httpProvider, $translateProvider, LocaleServiceProvider) {
     // language and localisation
 

gui/default/syncthing/core/aboutModalView.html

@@ -30,7 +30,7 @@
         <h4 class="text-center" translate>The Syncthing Authors</h4>
         <div class="row">
           <div class="col-md-12" id="contributor-list">
-Jakob Borg, Audrius Butkevicius, Jesse Lucas, Simon Frei, Tomasz Wilczyński, Alexander Graf, Alexandre Viau, Anderson Mesquita, André Colomb, Antony Male, Ben Schulz, Caleb Callaway, Daniel Harte, Eric P, Evgeny Kuznetsov, Lars K.W. Gohlke, Lode Hoste, Michael Ploujnikov, Nate Morrison, Philippe Schommers, Ryan Sullivan, Sergey Mishin, Stefan Tatschner, Wulf Weich, bt90, greatroar, Aaron Bieber, Adam Piggott, Adel Qalieh, Alan Pope, Alberto Donato, Aleksey Vasenev, Alessandro G., Alex Lindeman, Alex Xu, Alexander Seiler, Alexandre Alves, Aman Gupta, Anatoli Babenia, Andreas Sommer, Andrew Dunham, Andrew Meyer, Andrew Rabert, Andrey D, Anjan Momi, Anthony Goeckner, Antoine Lamielle, Anur, Aranjedeath, Arkadiusz Tymiński, Aroun, Arthur Axel fREW Schmidt, Artur Zubilewicz, Aurélien Rainone, BAHADIR YILMAZ, Bart De Vries, Ben Curthoys, Ben Shepherd, Ben Sidhom, Benedikt Heine, Benedikt Morbach, Benjamin Nater, Benno Fünfstück, Benny Ng, Boqin Qin, Boris Rybalkin, Brandon Philips, Brendan Long, Brian R. Becker, Carsten Hagemann, Catfriend1, Cathryne Linenweaver, Cedric Staniewski, Chih-Hsuan Yen, Choongkyu, Chris Howie, Chris Joel, Chris Tonkinson, Christian Kujau, Christian Prescott, Colin Kennedy, Cromefire_, Cyprien Devillez, Dale Visser, Dan, Daniel Barczyk, Daniel Bergmann, Daniel Martí, Darshil Chanpura, David Rimmer, DeflateAwning, Denis A., Dennis Wilson, DerRockWolf, Devon G. Redekopp, Dimitri Papadopoulos Orfanos, Dmitry Saveliev, Domenic Horner, Dominik Heidler, Elias Jarlebring, Elliot Huffman, Emil Hessman, Emil Lundberg, Eng Zer Jun, Eric Lesiuta, Erik Meitner, Evan Spensley, Federico Castagnini, Felix, Felix Ableitner, Felix Lampe, Felix Unterpaintner, Francois-Xavier Gsell, Frank Isemann, Gahl Saraf, Gilli Sigurdsson, Gleb Sinyavskiy, Graham Miln, Greg, Han Boetes, HansK-p, Harrison Jones, Heiko Zuerker, Hugo Locurcio, Iain Barnett, Ian Johnson, Ikko Ashimine, Ilya Brin, Iskander Sharipov, Jaakko Hannikainen, Jacek Szafarkiewicz, Jack Croft, Jacob, Jake Peterson, James O'Beirne, James Patterson, Jaroslav Lichtblau, Jaroslav Malec, Jauder Ho, Jaya Chithra, Jaya Kumar, Jeffery To, Jens Diemer, Jerry Jacobs, Jochen Voss, Johan Andersson, Johan Vromans, John Rinehart, Jonas Thelemann, Jonathan, Jonathan Cross, Jonta, Jose Manuel Delicado, Jörg Thalheim, Jędrzej Kula, K.B.Dharun Krishna, Kalle Laine, Karol Różycki, Kebin Liu, Keith Harrison, Keith Turner, Kelong Cong, Ken'ichi Kamada, Kevin Allen, Kevin Bushiri, Kevin White, Jr., Kurt Fitzner, LSmithx2, Lars Lehtonen, Laurent Arnoud, Laurent Etiemble, Leo Arias, Liu Siyuan, Lord Landon Agahnim, Lukas Lihotzki, Majed Abdulaziz, Marc Laporte, Marc Pujol, Marcin Dziadus, Marcus Legendre, Mario Majila, Mark Pulford, Martchus, Martin Polehla, Mateusz Naściszewski, Mateusz Ż, Matic Potočnik, Matt Burke, Matt Robenolt, Matteo Ruina, Maurizio Tomasi, Max, Max Schulze, MaximAL, Maxime Thirouin, Maximilian, MichaIng, Michael Jephcote, Michael Rienstra, Michael Tilli, Migelo, Mike Boone, MikeLund, MikolajTwarog, Mingxuan Lin, Naveen, Nicholas Rishel, Nick Busey, Nico Stapelbroek, Nicolas Braud-Santoni, Nicolas Perraut, Niels Peter Roest, Nils Jakobi, NinoM4ster, Nitroretro, NoLooseEnds, Oliver Freyermuth, Otiel, Oyebanji Jacob Mayowa, Pablo, Pascal Jungblut, Paul Brit, Pawel Palenica, Paweł Rozlach, Peter Badida, Peter Dave Hello, Peter Hoeg, Peter Marquardt, Phani Rithvij, Phil Davis, Phill Luby, Pier Paolo Ramon, Piotr Bejda, Pramodh KP, Quentin Hibon, Rahmi Pruitt, Richard Hartmann, Robert Carosi, Roberto Santalla, Robin Schoonover, Roman Zaynetdinov, Ross Smith II, Ruslan Yevdokymov, Ryan Qian, Sacheendra Talluri, Scott Klupfel, Sertonix, Shaarad Dalvi, Simon Mwepu, Sly_tom_cat, Stefan Kuntz, Steven Eckhoff, Suhas Gundimeda, Taylor Khan, Thomas Hipp, Tim Abell, Tim Howes, Tobias Klauser, Tobias Nygren, Tobias Tom, Tom Jakubowski, Tommy Thorn, Tully Robinson, Tyler Brazier, Tyler Kropp, Unrud, Veeti Paananen, Victor Buinsky, Vik, Vil Brekin, Vladimir Rusinov, Will Rouesnel, William A. Kennington III, Xavier O., Yannic A., andresvia, andyleap, boomsquared, chenrui, chucic, cjc7373, cui fliter, d-volution, derekriemer, desbma, digital, entity0xfe, georgespatton, ghjklw, guangwu, gudvinr, ignacy123, janost, jaseg, jelle van der Waa, jtagcat, klemens, luzpaz, marco-m, mclang, mv1005, orangekame3, otbutz, overkill, perewa, red_led, rubenbe, sec65, vapatel2, villekalliomaki, wangguoliang, wouter bolsterlee, xarx00, xjtdy888, 佛跳墙, 落心
+Jakob Borg, Audrius Butkevicius, Jesse Lucas, Simon Frei, Tomasz Wilczyński, Alexander Graf, Alexandre Viau, Anderson Mesquita, André Colomb, Antony Male, Ben Schulz, Caleb Callaway, Daniel Harte, Eric P, Evgeny Kuznetsov, Lars K.W. Gohlke, Lode Hoste, Michael Ploujnikov, Nate Morrison, Philippe Schommers, Ryan Sullivan, Sergey Mishin, Stefan Tatschner, Wulf Weich, bt90, greatroar, Aaron Bieber, Adam Piggott, Adel Qalieh, Alan Pope, Alberto Donato, Aleksey Vasenev, Alessandro G., Alex Lindeman, Alex Xu, Alexander Seiler, Alexandre Alves, Aman Gupta, Anatoli Babenia, Andreas Sommer, Andrew Dunham, Andrew Meyer, Andrew Rabert, Andrey D, Anjan Momi, Anthony Goeckner, Antoine Lamielle, Anur, Aranjedeath, Arkadiusz Tymiński, Aroun, Arthur Axel fREW Schmidt, Artur Zubilewicz, Aurélien Rainone, BAHADIR YILMAZ, Bart De Vries, Ben Curthoys, Ben Shepherd, Ben Sidhom, Benedikt Heine, Benedikt Morbach, Benjamin Nater, Benno Fünfstück, Benny Ng, Boqin Qin, Boris Rybalkin, Brandon Philips, Brendan Long, Brian R. Becker, Carsten Hagemann, Catfriend1, Cathryne Linenweaver, Cedric Staniewski, Chih-Hsuan Yen, Choongkyu, Chris Howie, Chris Joel, Chris Tonkinson, Christian Kujau, Christian Prescott, Colin Kennedy, Cromefire_, Cyprien Devillez, Dale Visser, Dan, Daniel Barczyk, Daniel Bergmann, Daniel Martí, Daniel Padrta, Darshil Chanpura, David Rimmer, DeflateAwning, Denis A., Dennis Wilson, DerRockWolf, Devon G. Redekopp, Dimitri Papadopoulos Orfanos, Dmitry Saveliev, Domenic Horner, Dominik Heidler, Elias Jarlebring, Elliot Huffman, Emil Hessman, Emil Lundberg, Eng Zer Jun, Eric Lesiuta, Erik Meitner, Evan Spensley, Federico Castagnini, Felix, Felix Ableitner, Felix Lampe, Felix Unterpaintner, Francois-Xavier Gsell, Frank Isemann, Gahl Saraf, Gilli Sigurdsson, Gleb Sinyavskiy, Graham Miln, Greg, Han Boetes, HansK-p, Harrison Jones, Heiko Zuerker, Hugo Locurcio, Iain Barnett, Ian Johnson, Ikko Ashimine, Ilya Brin, Iskander Sharipov, Jaakko Hannikainen, Jacek Szafarkiewicz, Jack Croft, Jacob, Jake Peterson, James O'Beirne, James Patterson, Jaroslav Lichtblau, Jaroslav Malec, Jauder Ho, Jaya Chithra, Jaya Kumar, Jeffery To, Jens Diemer, Jerry Jacobs, Jochen Voss, Johan Andersson, Johan Vromans, John Rinehart, Jonas Thelemann, Jonathan, Jonathan Cross, Jonta, Jose Manuel Delicado, Julian Lehrhuber, Jörg Thalheim, Jędrzej Kula, K.B.Dharun Krishna, Kalle Laine, Karol Różycki, Kebin Liu, Keith Harrison, Keith Turner, Kelong Cong, Ken'ichi Kamada, Kevin Allen, Kevin Bushiri, Kevin White, Jr., Kurt Fitzner, LSmithx2, Lars Lehtonen, Laurent Arnoud, Laurent Etiemble, Leo Arias, Liu Siyuan, Lord Landon Agahnim, Lukas Lihotzki, Majed Abdulaziz, Marc Laporte, Marc Pujol, Marcin Dziadus, Marcus Legendre, Mario Majila, Mark Pulford, Martchus, Martin Polehla, Mateusz Naściszewski, Mateusz Ż, Matic Potočnik, Matt Burke, Matt Robenolt, Matteo Ruina, Maurizio Tomasi, Max, Max Schulze, MaximAL, Maxime Thirouin, Maximilian, MichaIng, Michael Jephcote, Michael Rienstra, Michael Tilli, Migelo, Mike Boone, MikeLund, MikolajTwarog, Mingxuan Lin, Naveen, Nicholas Rishel, Nick Busey, Nico Stapelbroek, Nicolas Braud-Santoni, Nicolas Perraut, Niels Peter Roest, Nils Jakobi, NinoM4ster, Nitroretro, NoLooseEnds, Oliver Freyermuth, Otiel, Oyebanji Jacob Mayowa, Pablo, Pascal Jungblut, Paul Brit, Pawel Palenica, Paweł Rozlach, Peter Badida, Peter Dave Hello, Peter Hoeg, Peter Marquardt, Phani Rithvij, Phil Davis, Phill Luby, Pier Paolo Ramon, Piotr Bejda, Pramodh KP, Quentin Hibon, Rahmi Pruitt, Richard Hartmann, Robert Carosi, Roberto Santalla, Robin Schoonover, Roman Zaynetdinov, Ross Smith II, Ruslan Yevdokymov, Ryan Qian, Sacheendra Talluri, Scott Klupfel, Sertonix, Shaarad Dalvi, Simon Mwepu, Sly_tom_cat, Stefan Kuntz, Steven Eckhoff, Suhas Gundimeda, Sven Bachmann, Taylor Khan, Thomas Hipp, Tim Abell, Tim Howes, Tobias Klauser, Tobias Nygren, Tobias Tom, Tom Jakubowski, Tommy Thorn, Tully Robinson, Tyler Brazier, Tyler Kropp, Unrud, Veeti Paananen, Victor Buinsky, Vik, Vil Brekin, Vladimir Rusinov, Will Rouesnel, William A. Kennington III, Xavier O., Yannic A., andresvia, andyleap, boomsquared, chenrui, chucic, cjc7373, cui fliter, d-volution, derekriemer, desbma, diemade, digital, entity0xfe, georgespatton, ghjklw, guangwu, gudvinr, ignacy123, janost, jaseg, jelle van der Waa, jtagcat, klemens, luzpaz, marco-m, mclang, mv1005, nf, orangekame3, otbutz, overkill, perewa, red_led, rubenbe, sec65, vapatel2, villekalliomaki, wangguoliang, wouter bolsterlee, xarx00, xjtdy888, 佛跳墙, 落心
           </div>
         </div>
       </div>

gui/default/syncthing/core/syncthingController.js

@@ -103,6 +103,7 @@ angular.module('syncthing.core')
             $http.post(authUrlbase + '/password', {
               username: $scope.login.username,
               password: $scope.login.password,
+              stayLoggedIn: $scope.login.stayLoggedIn,
             }).then(function () {
                 location.reload();
             }).catch(function (response) {
@@ -1039,18 +1040,29 @@ angular.module('syncthing.core')
                 // Do the same thing in case we only have zero byte files to sync.
                 return 95;
             }
-            var pct = 100 * $scope.model[folder].inSyncBytes / $scope.model[folder].globalBytes;
-            return Math.floor(pct);
+            return progressIntegerPercentage($scope.model[folder].inSyncBytes, $scope.model[folder].globalBytes);
         };
 
         $scope.scanPercentage = function (folder) {
             if (!$scope.scanProgress[folder]) {
                 return undefined;
             }
-            var pct = 100 * $scope.scanProgress[folder].current / $scope.scanProgress[folder].total;
-            return Math.floor(pct);
+            return progressIntegerPercentage($scope.scanProgress[folder].current, $scope.scanProgress[folder].total);
         };
 
+        function progressIntegerPercentage(current, total) {
+            // Even after whatever is being tracked (e.g. hashed or synced
+            // bytes) is completed, there's likely some more work to be done to
+            // fully finish the process (db updates, ...). Users apparently
+            // don't like seeing 100%, so give them 99% to indicate "about to be
+            // finished".
+            if (current === total) {
+                return 99;
+            }
+            var pct = 100 * current / total;
+            return Math.floor(pct);
+        }
+
         $scope.scanRate = function (folder) {
             if (!$scope.scanProgress[folder]) {
                 return 0;
@@ -1449,7 +1461,7 @@ angular.module('syncthing.core')
 
         $scope.friendlyNameFromShort = function (shortID) {
             var matches = Object.keys($scope.devices).filter(function (id) {
-                return id.substr(0, 7) === shortID;
+                return id.substr(0, shortIDStringLength) === shortID;
             });
             if (matches.length !== 1) {
                 return shortID;
@@ -1462,7 +1474,7 @@ angular.module('syncthing.core')
             if (match) {
                 return $scope.deviceName(match);
             }
-            return deviceID.substr(0, 6);
+            return deviceID.substr(0, shortIDStringLength);
         };
 
         $scope.deviceName = function (deviceCfg) {
@@ -1479,7 +1491,7 @@ angular.module('syncthing.core')
             if (typeof deviceID === 'undefined') {
                 return "";
             }
-            return deviceID.substr(0, 6);
+            return deviceID.substr(0, shortIDStringLength);
         };
 
         $scope.thisDeviceName = function () {
@@ -1490,7 +1502,7 @@ angular.module('syncthing.core')
             if (device.name) {
                 return device.name;
             }
-            return device.deviceID.substr(0, 6);
+            return device.deviceID.substr(0, shortIDStringLength);
         };
 
         $scope.showDeviceIdentification = function (deviceCfg) {
@@ -3591,7 +3603,7 @@ angular.module('syncthing.core')
                 return n.match !== "";
             });
         };
-        
+
         // The showModal and hideModal functions are a bandaid for a Bootstrap
         // bug (see https://github.com/twbs/bootstrap/issues/3902) that causes
         // multiple consecutively shown or hidden modals to overlap which leads

gui/default/syncthing/folder/restoreVersionsModalView.html

@@ -1,5 +1,11 @@
 <modal id="restoreVersions" status="default" icon="fas fa-undo" heading="{{'Restore Versions' | translate}} ({{folderLabel(restoreVersions.folder)}})" large="yes" closeable="yes">
   <div class="modal-body">
+    <!--
+    Inform the user about loading data even before the tree is initialised
+    to avoid confusion where nothing is displayed on the screen for a while.
+    Ref: https://forum.syncthing.net/t/reversed-date-in-search-filter/21369/3
+    -->
+    <div ng-if="!restoreVersions.versions" translate>Loading data...</div>
     <div ng-if="restoreVersions.versions && !restoreVersions.errors">
       <div id="restoreTree-container">
         <table id="restoreTree">

lib/api/api.go

@@ -91,6 +91,7 @@ type service struct {
 	startupErr           error
 	listenerAddr         net.Addr
 	exitChan             chan *svcutil.FatalErr
+	miscDB               *db.NamespacedKV
 
 	guiErrors logger.Recorder
 	systemLog logger.Recorder
@@ -104,7 +105,7 @@ type Service interface {
 	WaitForStart() error
 }
 
-func New(id protocol.DeviceID, cfg config.Wrapper, assetDir, tlsDefaultCommonName string, m model.Model, defaultSub, diskSub events.BufferedSubscription, evLogger events.Logger, discoverer discover.Manager, connectionsService connections.Service, urService *ur.Service, fss model.FolderSummaryService, errors, systemLog logger.Recorder, noUpgrade bool) Service {
+func New(id protocol.DeviceID, cfg config.Wrapper, assetDir, tlsDefaultCommonName string, m model.Model, defaultSub, diskSub events.BufferedSubscription, evLogger events.Logger, discoverer discover.Manager, connectionsService connections.Service, urService *ur.Service, fss model.FolderSummaryService, errors, systemLog logger.Recorder, noUpgrade bool, miscDB *db.NamespacedKV) Service {
 	return &service{
 		id:      id,
 		cfg:     cfg,
@@ -127,6 +128,7 @@ func New(id protocol.DeviceID, cfg config.Wrapper, assetDir, tlsDefaultCommonNam
 		configChanged:        make(chan struct{}),
 		startedOnce:          make(chan struct{}),
 		exitChan:             make(chan *svcutil.FatalErr, 1),
+		miscDB:               miscDB,
 	}
 }
 
@@ -364,7 +366,7 @@ func (s *service) Serve(ctx context.Context) error {
 
 	// Wrap everything in CSRF protection. The /rest prefix should be
 	// protected, other requests will grant cookies.
-	var handler http.Handler = newCsrfManager(s.id.Short().String(), "/rest", guiCfg, mux, locations.Get(locations.CsrfTokens))
+	var handler http.Handler = newCsrfManager(s.id.Short().String(), "/rest", guiCfg, mux, s.miscDB)
 
 	// Add our version and ID as a header to responses
 	handler = withDetailsMiddleware(s.id, handler)
@@ -372,12 +374,13 @@ func (s *service) Serve(ctx context.Context) error {
 	// Wrap everything in basic auth, if user/password is set.
 	if guiCfg.IsAuthEnabled() {
 		sessionCookieName := "sessionid-" + s.id.Short().String()
-		handler = basicAuthAndSessionMiddleware(sessionCookieName, s.id.Short().String(), guiCfg, s.cfg.LDAP(), handler, s.evLogger)
-		handlePasswordAuth := passwordAuthHandler(sessionCookieName, guiCfg, s.cfg.LDAP(), s.evLogger)
-		restMux.Handler(http.MethodPost, "/rest/noauth/auth/password", handlePasswordAuth)
+		authMW := newBasicAuthAndSessionMiddleware(sessionCookieName, s.id.Short().String(), guiCfg, s.cfg.LDAP(), handler, s.evLogger, s.miscDB)
+		handler = authMW
+
+		restMux.Handler(http.MethodPost, "/rest/noauth/auth/password", http.HandlerFunc(authMW.passwordAuthHandler))
 
 		// Logout is a no-op without a valid session cookie, so /noauth/ is fine here
-		restMux.Handler(http.MethodPost, "/rest/noauth/auth/logout", handleLogout(sessionCookieName))
+		restMux.Handler(http.MethodPost, "/rest/noauth/auth/logout", http.HandlerFunc(authMW.handleLogout))
 	}
 
 	// Redirect to HTTPS if we are supposed to

lib/api/api_auth.go

@@ -16,15 +16,16 @@ import (
 
 	ldap "github.com/go-ldap/ldap/v3"
 	"github.com/syncthing/syncthing/lib/config"
+	"github.com/syncthing/syncthing/lib/db"
 	"github.com/syncthing/syncthing/lib/events"
 	"github.com/syncthing/syncthing/lib/rand"
-	"github.com/syncthing/syncthing/lib/sync"
 	"golang.org/x/exp/slices"
 )
 
-var (
-	sessions    = make(map[string]bool)
-	sessionsMut = sync.NewMutex()
+const (
+	maxSessionLifetime = 7 * 24 * time.Hour
+	maxActiveSessions  = 25
+	randomTokenLength  = 64
 )
 
 func emitLoginAttempt(success bool, username, address string, evLogger events.Logger) {
@@ -78,75 +79,91 @@ func isNoAuthPath(path string) bool {
 		})
 }
 
-func basicAuthAndSessionMiddleware(cookieName, shortID string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, next http.Handler, evLogger events.Logger) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if hasValidAPIKeyHeader(r, guiCfg) {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		for _, cookie := range r.Cookies() {
-			// We iterate here since there may, historically, be multiple
-			// cookies with the same name but different path. Any "old" ones
-			// won't match an existing session and will be ignored, then
-			// later removed on logout or when timing out.
-			if cookie.Name == cookieName {
-				sessionsMut.Lock()
-				_, ok := sessions[cookie.Value]
-				sessionsMut.Unlock()
-				if ok {
-					next.ServeHTTP(w, r)
-					return
-				}
-			}
-		}
-
-		// Fall back to Basic auth if provided
-		if username, ok := attemptBasicAuth(r, guiCfg, ldapCfg, evLogger); ok {
-			createSession(cookieName, username, guiCfg, evLogger, w, r)
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		// Exception for static assets and REST calls that don't require authentication.
-		if isNoAuthPath(r.URL.Path) {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		// Some browsers don't send the Authorization request header unless prompted by a 401 response.
-		// This enables https://user:pass@localhost style URLs to keep working.
-		if guiCfg.SendBasicAuthPrompt {
-			unauthorized(w, shortID)
-			return
-		}
-
-		forbidden(w)
-	})
+type basicAuthAndSessionMiddleware struct {
+	cookieName string
+	shortID    string
+	guiCfg     config.GUIConfiguration
+	ldapCfg    config.LDAPConfiguration
+	next       http.Handler
+	evLogger   events.Logger
+	tokens     *tokenManager
 }
 
-func passwordAuthHandler(cookieName string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, evLogger events.Logger) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var req struct {
-			Username string
-			Password string
-		}
-		if err := unmarshalTo(r.Body, &req); err != nil {
-			l.Debugln("Failed to parse username and password:", err)
-			http.Error(w, "Failed to parse username and password.", http.StatusBadRequest)
-			return
-		}
+func newBasicAuthAndSessionMiddleware(cookieName, shortID string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, next http.Handler, evLogger events.Logger, miscDB *db.NamespacedKV) *basicAuthAndSessionMiddleware {
+	return &basicAuthAndSessionMiddleware{
+		cookieName: cookieName,
+		shortID:    shortID,
+		guiCfg:     guiCfg,
+		ldapCfg:    ldapCfg,
+		next:       next,
+		evLogger:   evLogger,
+		tokens:     newTokenManager("sessions", miscDB, maxSessionLifetime, maxActiveSessions),
+	}
+}
 
-		if auth(req.Username, req.Password, guiCfg, ldapCfg) {
-			createSession(cookieName, req.Username, guiCfg, evLogger, w, r)
-			w.WriteHeader(http.StatusNoContent)
-			return
-		}
+func (m *basicAuthAndSessionMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if hasValidAPIKeyHeader(r, m.guiCfg) {
+		m.next.ServeHTTP(w, r)
+		return
+	}
 
-		emitLoginAttempt(false, req.Username, r.RemoteAddr, evLogger)
-		antiBruteForceSleep()
-		forbidden(w)
-	})
+	for _, cookie := range r.Cookies() {
+		// We iterate here since there may, historically, be multiple
+		// cookies with the same name but different path. Any "old" ones
+		// won't match an existing session and will be ignored, then
+		// later removed on logout or when timing out.
+		if cookie.Name == m.cookieName {
+			if m.tokens.Check(cookie.Value) {
+				m.next.ServeHTTP(w, r)
+				return
+			}
+		}
+	}
+
+	// Fall back to Basic auth if provided
+	if username, ok := attemptBasicAuth(r, m.guiCfg, m.ldapCfg, m.evLogger); ok {
+		m.createSession(username, false, w, r)
+		m.next.ServeHTTP(w, r)
+		return
+	}
+
+	// Exception for static assets and REST calls that don't require authentication.
+	if isNoAuthPath(r.URL.Path) {
+		m.next.ServeHTTP(w, r)
+		return
+	}
+
+	// Some browsers don't send the Authorization request header unless prompted by a 401 response.
+	// This enables https://user:pass@localhost style URLs to keep working.
+	if m.guiCfg.SendBasicAuthPrompt {
+		unauthorized(w, m.shortID)
+		return
+	}
+
+	forbidden(w)
+}
+
+func (m *basicAuthAndSessionMiddleware) passwordAuthHandler(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		Username     string
+		Password     string
+		StayLoggedIn bool
+	}
+	if err := unmarshalTo(r.Body, &req); err != nil {
+		l.Debugln("Failed to parse username and password:", err)
+		http.Error(w, "Failed to parse username and password.", http.StatusBadRequest)
+		return
+	}
+
+	if auth(req.Username, req.Password, m.guiCfg, m.ldapCfg) {
+		m.createSession(req.Username, req.StayLoggedIn, w, r)
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	emitLoginAttempt(false, req.Username, r.RemoteAddr, m.evLogger)
+	antiBruteForceSleep()
+	forbidden(w)
 }
 
 func attemptBasicAuth(r *http.Request, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, evLogger events.Logger) (string, bool) {
@@ -172,11 +189,8 @@ func attemptBasicAuth(r *http.Request, guiCfg config.GUIConfiguration, ldapCfg c
 	return "", false
 }
 
-func createSession(cookieName string, username string, guiCfg config.GUIConfiguration, evLogger events.Logger, w http.ResponseWriter, r *http.Request) {
-	sessionid := rand.String(32)
-	sessionsMut.Lock()
-	sessions[sessionid] = true
-	sessionsMut.Unlock()
+func (m *basicAuthAndSessionMiddleware) createSession(username string, persistent bool, w http.ResponseWriter, r *http.Request) {
+	sessionid := m.tokens.New()
 
 	// Best effort detection of whether the connection is HTTPS --
 	// either directly to us, or as used by the client towards a reverse
@@ -186,45 +200,45 @@ func createSession(cookieName string, username string, guiCfg config.GUIConfigur
 		strings.Contains(strings.ToLower(r.Header.Get("forwarded")), "proto=https")
 	// If the connection is HTTPS, or *should* be HTTPS, set the Secure
 	// bit in cookies.
-	useSecureCookie := connectionIsHTTPS || guiCfg.UseTLS()
+	useSecureCookie := connectionIsHTTPS || m.guiCfg.UseTLS()
 
+	maxAge := 0
+	if persistent {
+		maxAge = int(maxSessionLifetime.Seconds())
+	}
 	http.SetCookie(w, &http.Cookie{
-		Name:  cookieName,
+		Name:  m.cookieName,
 		Value: sessionid,
 		// In HTTP spec Max-Age <= 0 means delete immediately,
 		// but in http.Cookie MaxAge = 0 means unspecified (session) and MaxAge < 0 means delete immediately
-		MaxAge: 0,
+		MaxAge: maxAge,
 		Secure: useSecureCookie,
 		Path:   "/",
 	})
 
-	emitLoginAttempt(true, username, r.RemoteAddr, evLogger)
+	emitLoginAttempt(true, username, r.RemoteAddr, m.evLogger)
 }
 
-func handleLogout(cookieName string) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		for _, cookie := range r.Cookies() {
-			// We iterate here since there may, historically, be multiple
-			// cookies with the same name but different path. We drop them
-			// all.
-			if cookie.Name == cookieName {
-				sessionsMut.Lock()
-				delete(sessions, cookie.Value)
-				sessionsMut.Unlock()
+func (m *basicAuthAndSessionMiddleware) handleLogout(w http.ResponseWriter, r *http.Request) {
+	for _, cookie := range r.Cookies() {
+		// We iterate here since there may, historically, be multiple
+		// cookies with the same name but different path. We drop them
+		// all.
+		if cookie.Name == m.cookieName {
+			m.tokens.Delete(cookie.Value)
 
-				// Delete the cookie
-				http.SetCookie(w, &http.Cookie{
-					Name:   cookieName,
-					Value:  "",
-					MaxAge: -1,
-					Secure: cookie.Secure,
-					Path:   cookie.Path,
-				})
-			}
+			// Delete the cookie
+			http.SetCookie(w, &http.Cookie{
+				Name:   m.cookieName,
+				Value:  "",
+				MaxAge: -1,
+				Secure: cookie.Secure,
+				Path:   cookie.Path,
+			})
 		}
+	}
 
-		w.WriteHeader(http.StatusNoContent)
-	})
+	w.WriteHeader(http.StatusNoContent)
 }
 
 func auth(username string, password string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration) bool {

lib/api/api_auth_test.go

@@ -8,8 +8,12 @@ package api
 
 import (
 	"testing"
+	"time"
 
 	"github.com/syncthing/syncthing/lib/config"
+	"github.com/syncthing/syncthing/lib/db"
+	"github.com/syncthing/syncthing/lib/db/backend"
+	"github.com/syncthing/syncthing/lib/events"
 )
 
 var guiCfg config.GUIConfiguration
@@ -110,3 +114,76 @@ func TestEscapeForLDAPDN(t *testing.T) {
 		}
 	}
 }
+
+type mockClock struct {
+	now time.Time
+}
+
+func (c *mockClock) Now() time.Time {
+	c.now = c.now.Add(1) // time always ticks by at least 1 ns
+	return c.now
+}
+
+func (c *mockClock) wind(t time.Duration) {
+	c.now = c.now.Add(t)
+}
+
+func TestTokenManager(t *testing.T) {
+	t.Parallel()
+
+	mdb, _ := db.NewLowlevel(backend.OpenMemory(), events.NoopLogger)
+	kdb := db.NewNamespacedKV(mdb, "test")
+	clock := &mockClock{now: time.Now()}
+
+	// Token manager keeps up to three tokens with a validity time of 24 hours.
+	tm := newTokenManager("testTokens", kdb, 24*time.Hour, 3)
+	tm.timeNow = clock.Now
+
+	// Create three tokens
+	t0 := tm.New()
+	t1 := tm.New()
+	t2 := tm.New()
+
+	// Check that the tokens are valid
+	if !tm.Check(t0) {
+		t.Errorf("token %q should be valid", t0)
+	}
+	if !tm.Check(t1) {
+		t.Errorf("token %q should be valid", t1)
+	}
+	if !tm.Check(t2) {
+		t.Errorf("token %q should be valid", t2)
+	}
+
+	// Create a fourth token
+	t3 := tm.New()
+	// It should be valid
+	if !tm.Check(t3) {
+		t.Errorf("token %q should be valid", t3)
+	}
+	// But the first token should have been removed
+	if tm.Check(t0) {
+		t.Errorf("token %q should be invalid", t0)
+	}
+
+	// Wind the clock by 12 hours
+	clock.wind(12 * time.Hour)
+	// The second token should still be valid (and checking it will give it more life)
+	if !tm.Check(t1) {
+		t.Errorf("token %q should be valid", t1)
+	}
+
+	// Wind the clock by 12 hours
+	clock.wind(12 * time.Hour)
+	// The second token should still be valid
+	if !tm.Check(t1) {
+		t.Errorf("token %q should be valid", t1)
+	}
+	// But the third and fourth tokens should have expired
+	if tm.Check(t2) {
+		t.Errorf("token %q should be invalid", t2)
+	}
+	if tm.Check(t3) {
+		t.Errorf("token %q should be invalid", t3)
+	}
+}

lib/api/api_csrf.go

@@ -7,33 +7,24 @@
 package api
 
 import (
-	"bufio"
-	"fmt"
 	"net/http"
-	"os"
 	"strings"
+	"time"
 
-	"github.com/syncthing/syncthing/lib/osutil"
-	"github.com/syncthing/syncthing/lib/rand"
-	"github.com/syncthing/syncthing/lib/sync"
+	"github.com/syncthing/syncthing/lib/db"
 )
 
-const maxCsrfTokens = 25
+const (
+	maxCSRFTokenLifetime = time.Hour
+	maxActiveCSRFTokens  = 25
+)
 
 type csrfManager struct {
-	// tokens is a list of valid tokens. It is sorted so that the most
-	// recently used token is first in the list. New tokens are added to the front
-	// of the list (as it is the most recently used at that time). The list is
-	// pruned to a maximum of maxCsrfTokens, throwing away the least recently used
-	// tokens.
-	tokens    []string
-	tokensMut sync.Mutex
-
 	unique          string
 	prefix          string
 	apiKeyValidator apiKeyValidator
 	next            http.Handler
-	saveLocation    string
+	tokens          *tokenManager
 }
 
 type apiKeyValidator interface {
@@ -43,17 +34,14 @@ type apiKeyValidator interface {
 // Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
 // the request with 403. For / and /index.html, set a new CSRF cookie if none
 // is currently set.
-func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidator, next http.Handler, saveLocation string) *csrfManager {
+func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidator, next http.Handler, miscDB *db.NamespacedKV) *csrfManager {
 	m := &csrfManager{
-		tokensMut:       sync.NewMutex(),
-		tokens:          make([]string, 0, maxCsrfTokens),
 		unique:          unique,
 		prefix:          prefix,
 		apiKeyValidator: apiKeyValidator,
 		next:            next,
-		saveLocation:    saveLocation,
+		tokens:          newTokenManager("csrfTokens", miscDB, maxCSRFTokenLifetime, maxActiveCSRFTokens),
 	}
-	m.load()
 	return m
 }
 
@@ -78,11 +66,11 @@ func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// and set a CSRF cookie if there isn't already a valid one.
 	if !strings.HasPrefix(r.URL.Path, m.prefix) {
 		cookie, err := r.Cookie("CSRF-Token-" + m.unique)
-		if err != nil || !m.validToken(cookie.Value) {
+		if err != nil || !m.tokens.Check(cookie.Value) {
 			l.Debugln("new CSRF cookie in response to request for", r.URL)
 			cookie = &http.Cookie{
 				Name:  "CSRF-Token-" + m.unique,
-				Value: m.newToken(),
+				Value: m.tokens.New(),
 			}
 			http.SetCookie(w, cookie)
 		}
@@ -99,7 +87,7 @@ func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	// Verify the CSRF token
 	token := r.Header.Get("X-CSRF-Token-" + m.unique)
-	if !m.validToken(token) {
+	if !m.tokens.Check(token) {
 		http.Error(w, "CSRF Error", http.StatusForbidden)
 		return
 	}
@@ -107,78 +95,6 @@ func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	m.next.ServeHTTP(w, r)
 }
 
-func (m *csrfManager) validToken(token string) bool {
-	m.tokensMut.Lock()
-	defer m.tokensMut.Unlock()
-	for i, t := range m.tokens {
-		if t == token {
-			if i > 0 {
-				// Move this token to the head of the list. Copy the tokens at
-				// the front one step to the right and then replace the token
-				// at the head.
-				copy(m.tokens[1:], m.tokens[:i])
-				m.tokens[0] = token
-			}
-			return true
-		}
-	}
-	return false
-}
-
-func (m *csrfManager) newToken() string {
-	token := rand.String(32)
-
-	m.tokensMut.Lock()
-	defer m.tokensMut.Unlock()
-
-	if len(m.tokens) < maxCsrfTokens {
-		m.tokens = append(m.tokens, "")
-	}
-	copy(m.tokens[1:], m.tokens)
-	m.tokens[0] = token
-
-	m.save()
-
-	return token
-}
-
-func (m *csrfManager) save() {
-	// We're ignoring errors in here. It's not super critical and there's
-	// nothing relevant we can do about them anyway...
-
-	if m.saveLocation == "" {
-		return
-	}
-
-	f, err := osutil.CreateAtomic(m.saveLocation)
-	if err != nil {
-		return
-	}
-
-	for _, t := range m.tokens {
-		fmt.Fprintln(f, t)
-	}
-
-	f.Close()
-}
-
-func (m *csrfManager) load() {
-	if m.saveLocation == "" {
-		return
-	}
-
-	f, err := os.Open(m.saveLocation)
-	if err != nil {
-		return
-	}
-	defer f.Close()
-
-	s := bufio.NewScanner(f)
-	for s.Scan() {
-		m.tokens = append(m.tokens, s.Text())
-	}
-}
-
 func hasValidAPIKeyHeader(r *http.Request, validator apiKeyValidator) bool {
 	if key := r.Header.Get("X-API-Key"); validator.IsValidAPIKey(key) {
 		return true

lib/api/api_test.go

@@ -18,7 +18,6 @@ import (
 	"net/http/httptest"
 	"os"
 	"path/filepath"
-	"reflect"
 	"strconv"
 	"strings"
 	"testing"
@@ -29,6 +28,8 @@ import (
 	"github.com/syncthing/syncthing/lib/build"
 	"github.com/syncthing/syncthing/lib/config"
 	connmocks "github.com/syncthing/syncthing/lib/connections/mocks"
+	"github.com/syncthing/syncthing/lib/db"
+	"github.com/syncthing/syncthing/lib/db/backend"
 	discovermocks "github.com/syncthing/syncthing/lib/discover/mocks"
 	"github.com/syncthing/syncthing/lib/events"
 	eventmocks "github.com/syncthing/syncthing/lib/events/mocks"
@@ -72,71 +73,6 @@ func TestMain(m *testing.M) {
 	os.Exit(exitCode)
 }
 
-func TestCSRFToken(t *testing.T) {
-	t.Parallel()
-
-	max := 10 * maxCsrfTokens
-	int := 5
-	if testing.Short() {
-		max = 1 + maxCsrfTokens
-		int = 2
-	}
-
-	m := newCsrfManager("unique", "prefix", config.GUIConfiguration{}, nil, "")
-
-	t1 := m.newToken()
-	t2 := m.newToken()
-
-	t3 := m.newToken()
-	if !m.validToken(t3) {
-		t.Fatal("t3 should be valid")
-	}
-
-	valid := make(map[string]struct{}, maxCsrfTokens)
-	for _, token := range m.tokens {
-		valid[token] = struct{}{}
-	}
-
-	for i := 0; i < max; i++ {
-		if i%int == 0 {
-			// t1 and t2 should remain valid by virtue of us checking them now
-			// and then.
-			if !m.validToken(t1) {
-				t.Fatal("t1 should be valid at iteration", i)
-			}
-			if !m.validToken(t2) {
-				t.Fatal("t2 should be valid at iteration", i)
-			}
-		}
-
-		if len(m.tokens) == maxCsrfTokens {
-			// We're about to add a token, which will remove the last token
-			// from m.tokens.
-			delete(valid, m.tokens[len(m.tokens)-1])
-		}
-
-		// The newly generated token is always valid
-		t4 := m.newToken()
-		if !m.validToken(t4) {
-			t.Fatal("t4 should be valid at iteration", i)
-		}
-		valid[t4] = struct{}{}
-
-		v := make(map[string]struct{}, maxCsrfTokens)
-		for _, token := range m.tokens {
-			v[token] = struct{}{}
-		}
-
-		if !reflect.DeepEqual(v, valid) {
-			t.Fatalf("want valid tokens %v, got %v", valid, v)
-		}
-	}
-
-	if m.validToken(t3) {
-		t.Fatal("t3 should have expired by now")
-	}
-}
-
 func TestStopAfterBrokenConfig(t *testing.T) {
 	t.Parallel()
 
@@ -148,7 +84,9 @@ func TestStopAfterBrokenConfig(t *testing.T) {
 	}
 	w := config.Wrap("/dev/null", cfg, protocol.LocalDeviceID, events.NoopLogger)
 
-	srv := New(protocol.LocalDeviceID, w, "", "syncthing", nil, nil, nil, events.NoopLogger, nil, nil, nil, nil, nil, nil, false).(*service)
+	mdb, _ := db.NewLowlevel(backend.OpenMemory(), events.NoopLogger)
+	kdb := db.NewMiscDataNamespace(mdb)
+	srv := New(protocol.LocalDeviceID, w, "", "syncthing", nil, nil, nil, events.NoopLogger, nil, nil, nil, nil, nil, nil, false, kdb).(*service)
 	defer os.Remove(token)
 
 	srv.started = make(chan string)
@@ -926,7 +864,9 @@ func startHTTP(cfg config.Wrapper) (string, context.CancelFunc, error) {
 
 	// Instantiate the API service
 	urService := ur.New(cfg, m, connections, false)
-	svc := New(protocol.LocalDeviceID, cfg, assetDir, "syncthing", m, eventSub, diskEventSub, events.NoopLogger, discoverer, connections, urService, mockedSummary, errorLog, systemLog, false).(*service)
+	mdb, _ := db.NewLowlevel(backend.OpenMemory(), events.NoopLogger)
+	kdb := db.NewMiscDataNamespace(mdb)
+	svc := New(protocol.LocalDeviceID, cfg, assetDir, "syncthing", m, eventSub, diskEventSub, events.NoopLogger, discoverer, connections, urService, mockedSummary, errorLog, systemLog, false, kdb).(*service)
 	defer os.Remove(token)
 	svc.started = addrChan
 
@@ -1467,7 +1407,9 @@ func TestEventMasks(t *testing.T) {
 	cfg := newMockedConfig()
 	defSub := new(eventmocks.BufferedSubscription)
 	diskSub := new(eventmocks.BufferedSubscription)
-	svc := New(protocol.LocalDeviceID, cfg, "", "syncthing", nil, defSub, diskSub, events.NoopLogger, nil, nil, nil, nil, nil, nil, false).(*service)
+	mdb, _ := db.NewLowlevel(backend.OpenMemory(), events.NoopLogger)
+	kdb := db.NewMiscDataNamespace(mdb)
+	svc := New(protocol.LocalDeviceID, cfg, "", "syncthing", nil, defSub, diskSub, events.NoopLogger, nil, nil, nil, nil, nil, nil, false, kdb).(*service)
 	defer os.Remove(token)
 
 	if mask := svc.getEventMask(""); mask != DefaultEventMask {

lib/api/tokenmanager.go

@@ -0,0 +1,137 @@
+// Copyright (C) 2024 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package api
+
+import (
+	"time"
+
+	"github.com/syncthing/syncthing/lib/db"
+	"github.com/syncthing/syncthing/lib/rand"
+	"github.com/syncthing/syncthing/lib/sync"
+	"golang.org/x/exp/slices"
+)
+
+type tokenManager struct {
+	key      string
+	miscDB   *db.NamespacedKV
+	lifetime time.Duration
+	maxItems int
+
+	timeNow func() time.Time // can be overridden for testing
+
+	mut       sync.Mutex
+	tokens    *TokenSet
+	saveTimer *time.Timer
+}
+
+func newTokenManager(key string, miscDB *db.NamespacedKV, lifetime time.Duration, maxItems int) *tokenManager {
+	tokens := &TokenSet{
+		Tokens: make(map[string]int64),
+	}
+	if bs, ok, _ := miscDB.Bytes(key); ok {
+		_ = tokens.Unmarshal(bs) // best effort
+	}
+	return &tokenManager{
+		key:      key,
+		miscDB:   miscDB,
+		lifetime: lifetime,
+		maxItems: maxItems,
+		timeNow:  time.Now,
+		mut:      sync.NewMutex(),
+		tokens:   tokens,
+	}
+}
+
+// Check returns true if the token is valid, and updates the token's expiry
+// time. The token is removed if it is expired.
+func (m *tokenManager) Check(token string) bool {
+	m.mut.Lock()
+	defer m.mut.Unlock()
+
+	expires, ok := m.tokens.Tokens[token]
+	if ok {
+		if expires < m.timeNow().UnixNano() {
+			// The token is expired.
+			m.saveLocked() // removes expired tokens
+			return false
+		}
+
+		// Give the token further life.
+		m.tokens.Tokens[token] = m.timeNow().Add(m.lifetime).UnixNano()
+		m.saveLocked()
+	}
+	return ok
+}
+
+// New creates a new token and returns it.
+func (m *tokenManager) New() string {
+	token := rand.String(randomTokenLength)
+
+	m.mut.Lock()
+	defer m.mut.Unlock()
+
+	m.tokens.Tokens[token] = m.timeNow().Add(m.lifetime).UnixNano()
+	m.saveLocked()
+
+	return token
+}
+
+// Delete removes a token.
+func (m *tokenManager) Delete(token string) {
+	m.mut.Lock()
+	defer m.mut.Unlock()
+
+	delete(m.tokens.Tokens, token)
+	m.saveLocked()
+}
+
+func (m *tokenManager) saveLocked() {
+	// Remove expired tokens.
+	now := m.timeNow().UnixNano()
+	for token, expiry := range m.tokens.Tokens {
+		if expiry < now {
+			delete(m.tokens.Tokens, token)
+		}
+	}
+
+	// If we have a limit on the number of tokens, remove the oldest ones.
+	if m.maxItems > 0 && len(m.tokens.Tokens) > m.maxItems {
+		// Sort the tokens by expiry time, oldest first.
+		type tokenExpiry struct {
+			token  string
+			expiry int64
+		}
+		var tokens []tokenExpiry
+		for token, expiry := range m.tokens.Tokens {
+			tokens = append(tokens, tokenExpiry{token, expiry})
+		}
+		slices.SortFunc(tokens, func(i, j tokenExpiry) int {
+			return int(i.expiry - j.expiry)
+		})
+		// Remove the oldest tokens.
+		for _, token := range tokens[:len(tokens)-m.maxItems] {
+			delete(m.tokens.Tokens, token.token)
+		}
+	}
+
+	// Postpone saving until one second of inactivity.
+	if m.saveTimer == nil {
+		m.saveTimer = time.AfterFunc(time.Second, m.scheduledSave)
+	} else {
+		m.saveTimer.Reset(time.Second)
+	}
+}
+
+func (m *tokenManager) scheduledSave() {
+	m.mut.Lock()
+	defer m.mut.Unlock()
+
+	m.saveTimer = nil
+
+	bs, _ := m.tokens.Marshal()      // can't fail
+	_ = m.miscDB.PutBytes(m.key, bs) // can fail, but what are we going to do?
+}

lib/api/tokenset.pb.go

@@ -0,0 +1,411 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: lib/api/tokenset.proto
+
+package api
+
+import (
+	fmt "fmt"
+	proto "github.com/gogo/protobuf/proto"
+	io "io"
+	math "math"
+	math_bits "math/bits"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+
+type TokenSet struct {
+	// token -> expiry time (epoch nanoseconds)
+	Tokens map[string]int64 `protobuf:"bytes,1,rep,name=tokens,proto3" json:"tokens" xml:"token" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"`
+}
+
+func (m *TokenSet) Reset()         { *m = TokenSet{} }
+func (m *TokenSet) String() string { return proto.CompactTextString(m) }
+func (*TokenSet) ProtoMessage()    {}
+func (*TokenSet) Descriptor() ([]byte, []int) {
+	return fileDescriptor_9ea8707737c33b38, []int{0}
+}
+func (m *TokenSet) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *TokenSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_TokenSet.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *TokenSet) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_TokenSet.Merge(m, src)
+}
+func (m *TokenSet) XXX_Size() int {
+	return m.ProtoSize()
+}
+func (m *TokenSet) XXX_DiscardUnknown() {
+	xxx_messageInfo_TokenSet.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_TokenSet proto.InternalMessageInfo
+
+func init() {
+	proto.RegisterType((*TokenSet)(nil), "api.TokenSet")
+	proto.RegisterMapType((map[string]int64)(nil), "api.TokenSet.TokensEntry")
+}
+
+func init() { proto.RegisterFile("lib/api/tokenset.proto", fileDescriptor_9ea8707737c33b38) }
+
+var fileDescriptor_9ea8707737c33b38 = []byte{
+	// 260 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x12, 0xcb, 0xc9, 0x4c, 0xd2,
+	0x4f, 0x2c, 0xc8, 0xd4, 0x2f, 0xc9, 0xcf, 0x4e, 0xcd, 0x2b, 0x4e, 0x2d, 0xd1, 0x2b, 0x28, 0xca,
+	0x2f, 0xc9, 0x17, 0x62, 0x4e, 0x2c, 0xc8, 0x54, 0x3a, 0xce, 0xc8, 0xc5, 0x11, 0x02, 0x12, 0x0f,
+	0x4e, 0x2d, 0x11, 0x0a, 0xe0, 0x62, 0x83, 0xa8, 0x91, 0x60, 0x54, 0x60, 0xd6, 0xe0, 0x36, 0x92,
+	0xd4, 0x4b, 0x2c, 0xc8, 0xd4, 0x83, 0x49, 0x43, 0x18, 0xc5, 0xae, 0x79, 0x25, 0x45, 0x95, 0x4e,
+	0xb2, 0x27, 0xee, 0xc9, 0x33, 0xbc, 0xba, 0x27, 0x0f, 0xd5, 0xf0, 0xe9, 0x9e, 0x3c, 0x77, 0x45,
+	0x6e, 0x8e, 0x95, 0x12, 0x98, 0xab, 0x14, 0x04, 0x15, 0x96, 0xca, 0xe4, 0xe2, 0x46, 0xd2, 0x25,
+	0xa4, 0xc6, 0xc5, 0x9c, 0x9d, 0x5a, 0x29, 0xc1, 0xa8, 0xc0, 0xa8, 0xc1, 0xe9, 0x24, 0xf2, 0xea,
+	0x9e, 0x3c, 0x88, 0xfb, 0xe9, 0x9e, 0x3c, 0x27, 0x58, 0x6f, 0x76, 0x6a, 0xa5, 0x52, 0x10, 0x48,
+	0x44, 0x48, 0x8f, 0x8b, 0xb5, 0x2c, 0x31, 0xa7, 0x34, 0x55, 0x82, 0x49, 0x81, 0x51, 0x83, 0xd9,
+	0x49, 0xe2, 0xd5, 0x3d, 0x79, 0x88, 0x00, 0xdc, 0x1e, 0x30, 0x4f, 0x29, 0x08, 0x22, 0x6a, 0xc5,
+	0x64, 0xc1, 0xe8, 0xe4, 0x71, 0xe2, 0xa1, 0x1c, 0xc3, 0x85, 0x87, 0x72, 0x0c, 0x27, 0x1e, 0xc9,
+	0x31, 0x5e, 0x78, 0x24, 0xc7, 0x38, 0xe1, 0xb1, 0x1c, 0xc3, 0x82, 0xc7, 0x72, 0x8c, 0x17, 0x1e,
+	0xcb, 0x31, 0xdc, 0x78, 0x2c, 0xc7, 0x10, 0xa5, 0x96, 0x9e, 0x59, 0x92, 0x51, 0x9a, 0xa4, 0x97,
+	0x9c, 0x9f, 0xab, 0x5f, 0x5c, 0x99, 0x97, 0x5c, 0x92, 0x91, 0x99, 0x97, 0x8e, 0xc4, 0x82, 0x86,
+	0x53, 0x12, 0x1b, 0x38, 0x7c, 0x8c, 0x01, 0x01, 0x00, 0x00, 0xff, 0xff, 0xfe, 0x25, 0x31, 0x49,
+	0x39, 0x01, 0x00, 0x00,
+}
+
+func (m *TokenSet) Marshal() (dAtA []byte, err error) {
+	size := m.ProtoSize()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TokenSet) MarshalTo(dAtA []byte) (int, error) {
+	size := m.ProtoSize()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *TokenSet) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Tokens) > 0 {
+		for k := range m.Tokens {
+			v := m.Tokens[k]
+			baseI := i
+			i = encodeVarintTokenset(dAtA, i, uint64(v))
+			i--
+			dAtA[i] = 0x10
+			i -= len(k)
+			copy(dAtA[i:], k)
+			i = encodeVarintTokenset(dAtA, i, uint64(len(k)))
+			i--
+			dAtA[i] = 0xa
+			i = encodeVarintTokenset(dAtA, i, uint64(baseI-i))
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
+func encodeVarintTokenset(dAtA []byte, offset int, v uint64) int {
+	offset -= sovTokenset(v)
+	base := offset
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return base
+}
+func (m *TokenSet) ProtoSize() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.Tokens) > 0 {
+		for k, v := range m.Tokens {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovTokenset(uint64(len(k))) + 1 + sovTokenset(uint64(v))
+			n += mapEntrySize + 1 + sovTokenset(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovTokenset(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozTokenset(x uint64) (n int) {
+	return sovTokenset(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *TokenSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowTokenset
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TokenSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TokenSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tokens", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTokenset
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthTokenset
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthTokenset
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Tokens == nil {
+				m.Tokens = make(map[string]int64)
+			}
+			var mapkey string
+			var mapvalue int64
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowTokenset
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= uint64(b&0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowTokenset
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= uint64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthTokenset
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey < 0 {
+						return ErrInvalidLengthTokenset
+					}
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowTokenset
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapvalue |= int64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipTokenset(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if (skippy < 0) || (iNdEx+skippy) < 0 {
+						return ErrInvalidLengthTokenset
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Tokens[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipTokenset(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthTokenset
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipTokenset(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	depth := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowTokenset
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowTokenset
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+		case 1:
+			iNdEx += 8
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowTokenset
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if length < 0 {
+				return 0, ErrInvalidLengthTokenset
+			}
+			iNdEx += length
+		case 3:
+			depth++
+		case 4:
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupTokenset
+			}
+			depth--
+		case 5:
+			iNdEx += 4
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthTokenset
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
+	}
+	return 0, io.ErrUnexpectedEOF
+}
+
+var (
+	ErrInvalidLengthTokenset        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowTokenset          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupTokenset = fmt.Errorf("proto: unexpected end of group")
+)

lib/build/build.go

@@ -36,7 +36,7 @@ var (
 	LongVersion string
 	Extra       string
 
-	allowedVersionExp = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[a-z0-9]+)*(\.\d+)*(\+\d+-g[0-9a-f]+)?(-[^\s]+)?$`)
+	allowedVersionExp = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[a-z0-9]+)*(\.\d+)*(\+\d+-g[0-9a-f]+|\+[0-9a-z]+)?(-[^\s]+)?$`)
 
 	envTags = []string{
 		"STGUIASSETS",

lib/build/build_test.go

@@ -27,6 +27,11 @@ func TestAllowedVersions(t *testing.T) {
 		{"v0.13.0-some-weird-but-allowed-tag", true},
 		{"v0.13.0-allowed.to.do.this", true},
 		{"v0.13.0+not.allowed.to.do.this", false},
+		{"v1.27.0+xyz", true},
+		{"v1.27.0-abc.1+xyz", true},
+		{"v1.0.0+45", true},
+		{"v1.0.0-noupgrade", true},
+		{"v1.0.0+noupgrade", true},
 	}
 
 	for i, c := range testcases {

lib/fs/basicfs_watch.go

@@ -43,7 +43,7 @@ func (f *BasicFilesystem) Watch(name string, ignore Matcher, ctx context.Context
 			if err != nil {
 				return true
 			}
-			return ignore.ShouldIgnore(rel)
+			return ignore.Match(rel).IsIgnored()
 		}
 		err = notify.WatchWithFilter(watchPath, backendChan, absShouldIgnore, eventMask)
 	} else {
@@ -94,7 +94,7 @@ func (f *BasicFilesystem) watchLoop(ctx context.Context, name string, roots []st
 				return
 			}
 
-			if ignore.ShouldIgnore(relPath) {
+			if ignore.Match(relPath).IsIgnored() {
 				l.Debugln(f.Type(), f.URI(), "Watch: Ignoring", relPath)
 				continue
 			}

lib/fs/basicfs_watch_test.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/syncthing/notify"
 	"github.com/syncthing/syncthing/lib/build"
+	"github.com/syncthing/syncthing/lib/ignore/ignoreresult"
 )
 
 func TestMain(m *testing.M) {
@@ -99,7 +100,7 @@ func TestWatchInclude(t *testing.T) {
 
 	file := "file"
 	ignored := "ignored"
-	testFs.MkdirAll(filepath.Join(name, ignored), 0777)
+	testFs.MkdirAll(filepath.Join(name, ignored), 0o777)
 	included := filepath.Join(ignored, "included")
 
 	testCase := func() {
@@ -317,12 +318,12 @@ func TestWatchErrorLinuxInterpretation(t *testing.T) {
 		t.Skip("testing of linux specific error codes")
 	}
 
-	var errTooManyFiles = &os.PathError{
+	errTooManyFiles := &os.PathError{
 		Op:   "error while traversing",
 		Path: "foo",
 		Err:  syscall.Errno(24),
 	}
-	var errNoSpace = &os.PathError{
+	errNoSpace := &os.PathError{
 		Op:   "error while traversing",
 		Path: "bar",
 		Err:  syscall.Errno(28),
@@ -346,13 +347,13 @@ func TestWatchSymlinkedRoot(t *testing.T) {
 	}
 
 	name := "symlinkedRoot"
-	if err := testFs.MkdirAll(name, 0755); err != nil {
+	if err := testFs.MkdirAll(name, 0o755); err != nil {
 		panic(fmt.Sprintf("Failed to create directory %s: %s", name, err))
 	}
 	defer testFs.RemoveAll(name)
 
 	root := filepath.Join(name, "root")
-	if err := testFs.MkdirAll(root, 0777); err != nil {
+	if err := testFs.MkdirAll(root, 0o777); err != nil {
 		panic(err)
 	}
 	link := filepath.Join(name, "link")
@@ -369,7 +370,7 @@ func TestWatchSymlinkedRoot(t *testing.T) {
 		panic(err)
 	}
 
-	if err := linkedFs.MkdirAll("foo", 0777); err != nil {
+	if err := linkedFs.MkdirAll("foo", 0o777); err != nil {
 		panic(err)
 	}
 
@@ -507,7 +508,7 @@ func TestTruncateFileOnly(t *testing.T) {
 // path relative to folder root, also creates parent dirs if necessary
 func createTestFile(name string, file string) string {
 	joined := filepath.Join(name, file)
-	if err := testFs.MkdirAll(filepath.Dir(joined), 0755); err != nil {
+	if err := testFs.MkdirAll(filepath.Dir(joined), 0o755); err != nil {
 		panic(fmt.Sprintf("Failed to create parent directory for %s: %s", joined, err))
 	}
 	handle, err := testFs.Create(joined)
@@ -529,7 +530,7 @@ func renameTestFile(name string, old string, new string) {
 func modifyTestFile(name string, file string, content string) {
 	joined := filepath.Join(testDirAbs, name, file)
 
-	err := os.WriteFile(joined, []byte(content), 0755)
+	err := os.WriteFile(joined, []byte(content), 0o755)
 	if err != nil {
 		panic(fmt.Sprintf("Failed to modify test file %s: %s", joined, err))
 	}
@@ -540,7 +541,7 @@ func sleepMs(ms int) {
 }
 
 func testScenario(t *testing.T, name string, testCase func(), expectedEvents, allowedEvents []Event, fm fakeMatcher, ignorePerms bool) {
-	if err := testFs.MkdirAll(name, 0755); err != nil {
+	if err := testFs.MkdirAll(name, 0o755); err != nil {
 		panic(fmt.Sprintf("Failed to create directory %s: %s", name, err))
 	}
 	defer testFs.RemoveAll(name)
@@ -567,7 +568,7 @@ func testScenario(t *testing.T, name string, testCase func(), expectedEvents, al
 }
 
 func testWatchOutput(t *testing.T, name string, in <-chan Event, expectedEvents, allowedEvents []Event, ctx context.Context, cancel context.CancelFunc) {
-	var expected = make(map[Event]struct{})
+	expected := make(map[Event]struct{})
 	for _, ev := range expectedEvents {
 		ev.Name = filepath.Join(name, ev.Name)
 		expected[ev] = struct{}{}
@@ -613,8 +614,11 @@ type fakeMatcher struct {
 	skipIgnoredDirs bool
 }
 
-func (fm fakeMatcher) ShouldIgnore(name string) bool {
-	return name != fm.include && name == fm.ignore
+func (fm fakeMatcher) Match(name string) ignoreresult.R {
+	if name != fm.include && name == fm.ignore {
+		return ignoreresult.Ignored
+	}
+	return ignoreresult.NotIgnored
 }
 
 func (fm fakeMatcher) SkipIgnoredDirs() bool {

lib/fs/filesystem.go

@@ -16,6 +16,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/syncthing/syncthing/lib/ignore/ignoreresult"
 	"github.com/syncthing/syncthing/lib/protocol"
 )
 
@@ -127,14 +128,10 @@ type Usage struct {
 }
 
 type Matcher interface {
-	ShouldIgnore(name string) bool
+	Match(name string) ignoreresult.R
 	SkipIgnoredDirs() bool
 }
 
-type MatchResult interface {
-	IsIgnored() bool
-}
-
 type Event struct {
 	Name string
 	Type EventType

lib/ignore/cache.go

@@ -6,7 +6,11 @@
 
 package ignore
 
-import "time"
+import (
+	"time"
+
+	"github.com/syncthing/syncthing/lib/ignore/ignoreresult"
+)
 
 type nower interface {
 	Now() time.Time
@@ -20,7 +24,7 @@ type cache struct {
 }
 
 type cacheEntry struct {
-	result Result
+	result ignoreresult.R
 	access int64 // Unix nanosecond count. Sufficient until the year 2262.
 }
 
@@ -39,7 +43,7 @@ func (c *cache) clean(d time.Duration) {
 	}
 }
 
-func (c *cache) get(key string) (Result, bool) {
+func (c *cache) get(key string) (ignoreresult.R, bool) {
 	entry, ok := c.entries[key]
 	if ok {
 		entry.access = clock.Now().UnixNano()
@@ -48,7 +52,7 @@ func (c *cache) get(key string) (Result, bool) {
 	return entry.result, ok
 }
 
-func (c *cache) set(key string, result Result) {
+func (c *cache) set(key string, result ignoreresult.R) {
 	c.entries[key] = cacheEntry{result, time.Now().UnixNano()}
 }
 

lib/ignore/cache_test.go

@@ -9,6 +9,8 @@ package ignore
 import (
 	"testing"
 	"time"
+
+	"github.com/syncthing/syncthing/lib/ignore/ignoreresult"
 )
 
 func TestCache(t *testing.T) {
@@ -28,7 +30,7 @@ func TestCache(t *testing.T) {
 
 	// Set and check some items
 
-	c.set("true", resultInclude|resultDeletable)
+	c.set("true", ignoreresult.IgnoredDeletable)
 	c.set("false", 0)
 
 	res, ok = c.get("true")

lib/ignore/ignore.go

@@ -18,28 +18,13 @@ import (
 
 	"github.com/gobwas/glob"
 
-	"github.com/syncthing/syncthing/lib/build"
 	"github.com/syncthing/syncthing/lib/fs"
+	"github.com/syncthing/syncthing/lib/ignore/ignoreresult"
 	"github.com/syncthing/syncthing/lib/osutil"
 	"github.com/syncthing/syncthing/lib/sha256"
 	"github.com/syncthing/syncthing/lib/sync"
 )
 
-const (
-	resultNotMatched Result = 0
-	resultInclude    Result = 1 << iota
-	resultDeletable         = 1 << iota
-	resultFoldCase          = 1 << iota
-)
-
-var defaultResult Result = resultInclude
-
-func init() {
-	if build.IsDarwin || build.IsWindows {
-		defaultResult |= resultFoldCase
-	}
-}
-
 // A ParseError signifies an error with contents of an ignore file,
 // including I/O errors on included files. An I/O error on the root level
 // ignore file is not a ParseError.
@@ -70,18 +55,18 @@ func parseError(err error) error {
 type Pattern struct {
 	pattern string
 	match   glob.Glob
-	result  Result
+	result  ignoreresult.R
 }
 
 func (p Pattern) String() string {
 	ret := p.pattern
-	if p.result&resultInclude != resultInclude {
+	if !p.result.IsIgnored() {
 		ret = "!" + ret
 	}
-	if p.result&resultFoldCase == resultFoldCase {
+	if p.result.IsCaseFolded() {
 		ret = "(?i)" + ret
 	}
-	if p.result&resultDeletable == resultDeletable {
+	if p.result.IsDeletable() {
 		ret = "(?d)" + ret
 	}
 	return ret
@@ -101,20 +86,6 @@ func (p Pattern) allowsSkippingIgnoredDirs() bool {
 	return !strings.Contains(strings.TrimSuffix(p.pattern, "**"), "**")
 }
 
-type Result uint8
-
-func (r Result) IsIgnored() bool {
-	return r&resultInclude == resultInclude
-}
-
-func (r Result) IsDeletable() bool {
-	return r.IsIgnored() && r&resultDeletable == resultDeletable
-}
-
-func (r Result) IsCaseFolded() bool {
-	return r&resultFoldCase == resultFoldCase
-}
-
 // The ChangeDetector is responsible for determining if files have changed
 // on disk. It gets told to Remember() files (name and modtime) and will
 // then get asked if a file has been Seen() (i.e., Remember() has been
@@ -253,16 +224,24 @@ func (m *Matcher) parseLocked(r io.Reader, file string) error {
 	return err
 }
 
-func (m *Matcher) Match(file string) (result Result) {
-	if file == "." {
-		return resultNotMatched
+// Match matches the patterns plus temporary and internal files.
+func (m *Matcher) Match(file string) (result ignoreresult.R) {
+	switch {
+	case fs.IsTemporary(file):
+		return ignoreresult.Ignored
+
+	case fs.IsInternal(file):
+		return ignoreresult.Ignored
+
+	case file == ".":
+		return ignoreresult.NotIgnored
 	}
 
 	m.mut.Lock()
 	defer m.mut.Unlock()
 
 	if len(m.patterns) == 0 {
-		return resultNotMatched
+		return ignoreresult.NotIgnored
 	}
 
 	if m.matches != nil {
@@ -295,7 +274,7 @@ func (m *Matcher) Match(file string) (result Result) {
 	}
 
 	// Default to not matching.
-	return resultNotMatched
+	return ignoreresult.NotIgnored
 }
 
 // Lines return a list of the unprocessed lines in .stignore at last load
@@ -348,22 +327,6 @@ func (m *Matcher) clean(d time.Duration) {
 	}
 }
 
-// ShouldIgnore returns true when a file is temporary, internal or ignored
-func (m *Matcher) ShouldIgnore(filename string) bool {
-	switch {
-	case fs.IsTemporary(filename):
-		return true
-
-	case fs.IsInternal(filename):
-		return true
-
-	case m.Match(filename).IsIgnored():
-		return true
-	}
-
-	return false
-}
-
 func (m *Matcher) SkipIgnoredDirs() bool {
 	m.mut.Lock()
 	defer m.mut.Unlock()
@@ -414,7 +377,7 @@ func loadParseIncludeFile(filesystem fs.Filesystem, file string, cd ChangeDetect
 		// isNotExist is considered "ok" in a sense of that a folder doesn't have to act
 		// upon it. This is because it is allowed for .stignore to not exist. However,
 		// included ignore files are not allowed to be missing and these errors should be
-		// acted upon on. So we don't perserve the error chain here and manually set an
+		// acted upon on. So we don't preserve the error chain here and manually set an
 		// error instead, if the file is missing.
 		if fs.IsNotExist(err) {
 			err = errors.New("file not found")
@@ -431,7 +394,7 @@ func loadParseIncludeFile(filesystem fs.Filesystem, file string, cd ChangeDetect
 
 func parseLine(line string) ([]Pattern, error) {
 	pattern := Pattern{
-		result: defaultResult,
+		result: ignoreresult.Ignored,
 	}
 
 	// Allow prefixes to be specified in any order, but only once.
@@ -441,14 +404,14 @@ func parseLine(line string) ([]Pattern, error) {
 		if strings.HasPrefix(line, "!") && !seenPrefix[0] {
 			seenPrefix[0] = true
 			line = line[1:]
-			pattern.result ^= resultInclude
+			pattern.result = pattern.result.ToggleIgnored()
 		} else if strings.HasPrefix(line, "(?i)") && !seenPrefix[1] {
 			seenPrefix[1] = true
-			pattern.result |= resultFoldCase
+			pattern.result = pattern.result.WithFoldCase()
 			line = line[4:]
 		} else if strings.HasPrefix(line, "(?d)") && !seenPrefix[2] {
 			seenPrefix[2] = true
-			pattern.result |= resultDeletable
+			pattern.result = pattern.result.WithDeletable()
 			line = line[4:]
 		} else {
 			break

lib/ignore/ignore_test.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/syncthing/syncthing/lib/build"
 	"github.com/syncthing/syncthing/lib/fs"
+	"github.com/syncthing/syncthing/lib/ignore/ignoreresult"
 	"github.com/syncthing/syncthing/lib/osutil"
 	"github.com/syncthing/syncthing/lib/rand"
 )
@@ -415,7 +416,7 @@ func TestCommentsAndBlankLines(t *testing.T) {
 	}
 }
 
-var result Result
+var result ignoreresult.R
 
 func BenchmarkMatch(b *testing.B) {
 	testFs := newTestFS()

lib/ignore/ignoreresult/ignoreresult.go

@@ -0,0 +1,75 @@
+// Copyright (C) 2024 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package result provides the result type for ignore matching. This is a
+// separate package in order to break import cycles.
+package ignoreresult
+
+const (
+	NotIgnored R = 0
+	// `Ignored` is defined in platform specific files
+	IgnoredDeletable = Ignored | deletableBit
+)
+
+const (
+	// Private definitions of the bits that make up the result value
+	ignoreBit R = 1 << iota
+	deletableBit
+	foldCaseBit
+)
+
+type R uint8
+
+// IsIgnored returns true if the result is ignored.
+func (r R) IsIgnored() bool {
+	return r&ignoreBit != 0
+}
+
+// IsDeletable returns true if the result is ignored and deletable.
+func (r R) IsDeletable() bool {
+	return r.IsIgnored() && r&deletableBit != 0
+}
+
+// IsCaseFolded returns true if the result was a case-insensitive match.
+func (r R) IsCaseFolded() bool {
+	return r&foldCaseBit != 0
+}
+
+// ToggleIgnored returns a copy of the result with the ignored bit toggled.
+func (r R) ToggleIgnored() R {
+	return r ^ ignoreBit
+}
+
+// WithDeletable returns a copy of the result with the deletable bit set.
+func (r R) WithDeletable() R {
+	return r | deletableBit
+}
+
+// WithFoldCase returns a copy of the result with the fold case bit set.
+func (r R) WithFoldCase() R {
+	return r | foldCaseBit
+}
+
+// String returns a human readable representation of the result flags.
+func (r R) String() string {
+	var s string
+	if r&ignoreBit != 0 {
+		s += "i"
+	} else {
+		s += "-"
+	}
+	if r&deletableBit != 0 {
+		s += "d"
+	} else {
+		s += "-"
+	}
+	if r&foldCaseBit != 0 {
+		s += "f"
+	} else {
+		s += "-"
+	}
+	return s
+}

lib/ignore/ignoreresult/ignoreresult_foldcase.go

@@ -0,0 +1,11 @@
+// Copyright (C) 2024 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//go:build windows || darwin
+
+package ignoreresult
+
+const Ignored = ignoreBit | foldCaseBit

lib/ignore/ignoreresult/ignoreresult_nofoldcase.go

@@ -0,0 +1,11 @@
+// Copyright (C) 2024 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//go:build !windows && !darwin
+
+package ignoreresult
+
+const Ignored = ignoreBit

lib/locations/locations.go

@@ -29,7 +29,6 @@ const (
 	HTTPSKeyFile  LocationEnum = "httpsKeyFile"
 	Database      LocationEnum = "database"
 	LogFile       LocationEnum = "logFile"
-	CsrfTokens    LocationEnum = "csrfTokens"
 	PanicLog      LocationEnum = "panicLog"
 	AuditLog      LocationEnum = "auditLog"
 	GUIAssets     LocationEnum = "guiAssets"
@@ -121,7 +120,6 @@ var locationTemplates = map[LocationEnum]string{
 	HTTPSKeyFile:  "${config}/https-key.pem",
 	Database:      "${data}/" + LevelDBDir,
 	LogFile:       "${data}/syncthing.log", // --logfile on Windows
-	CsrfTokens:    "${data}/csrftokens.txt",
 	PanicLog:      "${data}/panic-%{timestamp}.log",
 	AuditLog:      "${data}/audit-%{timestamp}.log",
 	GUIAssets:     "${config}/gui",
@@ -170,7 +168,6 @@ func PrettyPaths() string {
 	fmt.Fprintf(&b, "Database location:\n\t%s\n\n", Get(Database))
 	fmt.Fprintf(&b, "Log file:\n\t%s\n\n", Get(LogFile))
 	fmt.Fprintf(&b, "GUI override directory:\n\t%s\n\n", Get(GUIAssets))
-	fmt.Fprintf(&b, "CSRF tokens file:\n\t%s\n\n", Get(CsrfTokens))
 	fmt.Fprintf(&b, "Default sync folder directory:\n\t%s\n\n", Get(DefFolder))
 	return b.String()
 }

lib/model/folder_recvonly_test.go

@@ -480,6 +480,74 @@ func TestRecvOnlyRevertOwnID(t *testing.T) {
 	}
 }
 
+func TestRecvOnlyLocalChangeDoesNotCauseConflict(t *testing.T) {
+	// Get us a model up and running
+
+	m, f, wcfgCancel := setupROFolder(t)
+	defer wcfgCancel()
+	ffs := f.Filesystem(nil)
+	defer cleanupModel(m)
+	conn := addFakeConn(m, device1, f.ID)
+
+	// Create some test data
+
+	must(t, ffs.MkdirAll(".stfolder", 0o755))
+	oldData := []byte("hello\n")
+	knownFiles := setupKnownFiles(t, ffs, oldData)
+
+	// Send an index update for the known stuff
+
+	must(t, m.Index(conn, "ro", knownFiles))
+	f.updateLocalsFromScanning(knownFiles)
+
+	// Scan the folder.
+
+	must(t, m.ScanFolder("ro"))
+
+	// Everything should be in sync.
+
+	size := globalSize(t, m, "ro")
+	if size.Files != 1 || size.Directories != 1 {
+		t.Fatalf("Global: expected 1 file and 1 directory: %+v", size)
+	}
+	size = localSize(t, m, "ro")
+	if size.Files != 1 || size.Directories != 1 {
+		t.Fatalf("Local: expected 1 file and 1 directory: %+v", size)
+	}
+	size = needSizeLocal(t, m, "ro")
+	if size.Files+size.Directories > 0 {
+		t.Fatalf("Need: expected nothing: %+v", size)
+	}
+	size = receiveOnlyChangedSize(t, m, "ro")
+	if size.Files+size.Directories > 0 {
+		t.Fatalf("ROChanged: expected nothing: %+v", size)
+	}
+
+	// Modify the file
+
+	writeFilePerm(t, ffs, "knownDir/knownFile", []byte("change1\n"), 0o644)
+
+	must(t, m.ScanFolder("ro"))
+
+	size = receiveOnlyChangedSize(t, m, "ro")
+	if size.Files != 1 {
+		t.Fatalf("Receive only: expected 1 file: %+v", size)
+	}
+
+	// Perform another modification. This should not cause the file to be needed.
+	// This is a regression test: Previously on scan the file version was changed to conflict with the global
+	// version, thus being needed and creating a conflict copy on next pull.
+
+	writeFilePerm(t, ffs, "knownDir/knownFile", []byte("change2\n"), 0o644)
+
+	must(t, m.ScanFolder("ro"))
+
+	size = needSizeLocal(t, m, "ro")
+	if size.Files != 0 {
+		t.Fatalf("Need: expected nothing: %+v", size)
+	}
+}
+
 func setupKnownFiles(t *testing.T, ffs fs.Filesystem, data []byte) []protocol.FileInfo {
 	t.Helper()
 

lib/model/folder_sendonly.go

@@ -53,7 +53,7 @@ func (f *sendOnlyFolder) pull() (bool, error) {
 
 		file := intf.(protocol.FileInfo)
 
-		if f.ignores.ShouldIgnore(intf.FileName()) {
+		if f.ignores.Match(intf.FileName()).IsIgnored() {
 			file.SetIgnored()
 			batch.Append(file)
 			l.Debugln(f, "Handling ignored file", file)

lib/model/folder_sendrecv.go

@@ -343,7 +343,7 @@ func (f *sendReceiveFolder) processNeeded(snap *db.Snapshot, dbUpdateChan chan<-
 		file := intf.(protocol.FileInfo)
 
 		switch {
-		case f.ignores.ShouldIgnore(file.Name):
+		case f.ignores.Match(file.Name).IsIgnored():
 			file.SetIgnored()
 			l.Debugln(f, "Handling ignored file", file)
 			dbUpdateChan <- dbUpdateJob{file, dbUpdateInvalidate}

lib/protocol/bep_extensions.go

@@ -568,7 +568,9 @@ func unixOwnershipEqual(a, b *UnixData) bool {
 	if a == nil || b == nil {
 		return false
 	}
-	return a.UID == b.UID && a.GID == b.GID && a.OwnerName == b.OwnerName && a.GroupName == b.GroupName
+	ownerEqual := a.OwnerName == "" || b.OwnerName == "" || a.OwnerName == b.OwnerName
+	groupEqual := a.GroupName == "" || b.GroupName == "" || a.GroupName == b.GroupName
+	return a.UID == b.UID && a.GID == b.GID && ownerEqual && groupEqual
 }
 
 func windowsOwnershipEqual(a, b *WindowsData) bool {

lib/protocol/deviceid.go

@@ -14,7 +14,8 @@ import (
 )
 
 const (
-	DeviceIDLength      = 32
+	DeviceIDLength = 32
+	// keep consistent with shortIDStringLength in gui/default/syncthing/app.js
 	ShortIDStringLength = 7
 )
 

lib/protocol/deviceid_test.go

@@ -84,6 +84,7 @@ func TestShortIDString(t *testing.T) {
 	id, _ := DeviceIDFromString(formatted)
 
 	sid := id.Short().String()
+	// keep consistent with ShortIDStringLength in lib/protocol/deviceid.go
 	if len(sid) != 7 {
 		t.Errorf("Wrong length for short ID: got %d, want 7", len(sid))
 	}

lib/scanner/walk.go

@@ -160,6 +160,11 @@ func (w *walker) walk(ctx context.Context) chan ScanResult {
 			total += file.Size
 		}
 
+		if len(filesToHash) == 0 {
+			close(finishedChan)
+			return
+		}
+
 		realToHashChan := make(chan protocol.FileInfo)
 		done := make(chan struct{})
 		progress := newByteCounter()
@@ -171,22 +176,27 @@ func (w *walker) walk(ctx context.Context) chan ScanResult {
 		go func() {
 			defer progress.Close()
 
+			emitProgressEvent := func() {
+				current := progress.Total()
+				rate := progress.Rate()
+				l.Debugf("%v: Walk %s %s current progress %d/%d at %.01f MiB/s (%d%%)", w, w.Folder, w.Subs, current, total, rate/1024/1024, current*100/total)
+				w.EventLogger.Log(events.FolderScanProgress, map[string]interface{}{
+					"folder":  w.Folder,
+					"current": current,
+					"total":   total,
+					"rate":    rate, // bytes per second
+				})
+			}
+
 			for {
 				select {
 				case <-done:
+					emitProgressEvent()
 					l.Debugln(w, "Walk progress done", w.Folder, w.Subs, w.Matcher)
 					ticker.Stop()
 					return
 				case <-ticker.C:
-					current := progress.Total()
-					rate := progress.Rate()
-					l.Debugf("%v: Walk %s %s current progress %d/%d at %.01f MiB/s (%d%%)", w, w.Folder, w.Subs, current, total, rate/1024/1024, current*100/total)
-					w.EventLogger.Log(events.FolderScanProgress, map[string]interface{}{
-						"folder":  w.Folder,
-						"current": current,
-						"total":   total,
-						"rate":    rate, // bytes per second
-					})
+					emitProgressEvent()
 				case <-ctx.Done():
 					ticker.Stop()
 					return
@@ -416,12 +426,14 @@ func (w *walker) walkRegular(ctx context.Context, relPath string, info fs.FileIn
 			l.Debugln(w, "unchanged:", curFile)
 			return nil
 		}
-		if curFile.ShouldConflict() {
+		if curFile.ShouldConflict() && !f.ShouldConflict() {
 			// The old file was invalid for whatever reason and probably not
 			// up to date with what was out there in the cluster. Drop all
 			// others from the version vector to indicate that we haven't
 			// taken their version into account, and possibly cause a
-			// conflict.
+			// conflict. However, only do this if the new file is not also
+			// invalid. This would indicate that the new file is not part
+			// of the cluster, but e.g. a local change.
 			f.Version = f.Version.DropOthers(w.ShortID)
 		}
 		l.Debugln(w, "rescan:", curFile)
@@ -461,12 +473,14 @@ func (w *walker) walkDir(ctx context.Context, relPath string, info fs.FileInfo,
 			l.Debugln(w, "unchanged:", curFile)
 			return nil
 		}
-		if curFile.ShouldConflict() {
+		if curFile.ShouldConflict() && !f.ShouldConflict() {
 			// The old file was invalid for whatever reason and probably not
 			// up to date with what was out there in the cluster. Drop all
 			// others from the version vector to indicate that we haven't
 			// taken their version into account, and possibly cause a
-			// conflict.
+			// conflict. However, only do this if the new file is not also
+			// invalid. This would indicate that the new file is not part
+			// of the cluster, but e.g. a local change.
 			f.Version = f.Version.DropOthers(w.ShortID)
 		}
 		l.Debugln(w, "rescan:", curFile)
@@ -514,12 +528,14 @@ func (w *walker) walkSymlink(ctx context.Context, relPath string, info fs.FileIn
 			l.Debugln(w, "unchanged:", curFile, info.ModTime().Unix(), info.Mode()&fs.ModePerm)
 			return nil
 		}
-		if curFile.ShouldConflict() {
+		if curFile.ShouldConflict() && !f.ShouldConflict() {
 			// The old file was invalid for whatever reason and probably not
 			// up to date with what was out there in the cluster. Drop all
 			// others from the version vector to indicate that we haven't
 			// taken their version into account, and possibly cause a
-			// conflict.
+			// conflict. However, only do this if the new file is not also
+			// invalid. This would indicate that the new file is not part
+			// of the cluster, but e.g. a local change.
 			f.Version = f.Version.DropOthers(w.ShortID)
 		}
 		l.Debugln(w, "rescan:", curFile)

lib/syncthing/syncthing.go

@@ -305,7 +305,7 @@ func (a *App) startup() error {
 
 	// GUI
 
-	if err := a.setupGUI(m, defaultSub, diskSub, discoveryManager, connectionsService, usageReportingSvc, errors, systemLog); err != nil {
+	if err := a.setupGUI(m, defaultSub, diskSub, discoveryManager, connectionsService, usageReportingSvc, errors, systemLog, miscDB); err != nil {
 		l.Warnln("Failed starting API:", err)
 		return err
 	}
@@ -407,7 +407,7 @@ func (a *App) stopWithErr(stopReason svcutil.ExitStatus, err error) svcutil.Exit
 	return a.exitStatus
 }
 
-func (a *App) setupGUI(m model.Model, defaultSub, diskSub events.BufferedSubscription, discoverer discover.Manager, connectionsService connections.Service, urService *ur.Service, errors, systemLog logger.Recorder) error {
+func (a *App) setupGUI(m model.Model, defaultSub, diskSub events.BufferedSubscription, discoverer discover.Manager, connectionsService connections.Service, urService *ur.Service, errors, systemLog logger.Recorder, miscDB *db.NamespacedKV) error {
 	guiCfg := a.cfg.GUI()
 
 	if !guiCfg.Enabled {
@@ -421,7 +421,7 @@ func (a *App) setupGUI(m model.Model, defaultSub, diskSub events.BufferedSubscri
 	summaryService := model.NewFolderSummaryService(a.cfg, m, a.myID, a.evLogger)
 	a.mainService.Add(summaryService)
 
-	apiSvc := api.New(a.myID, a.cfg, locations.Get(locations.GUIAssets), tlsDefaultCommonName, m, defaultSub, diskSub, a.evLogger, discoverer, connectionsService, urService, summaryService, errors, systemLog, a.opts.NoUpgrade)
+	apiSvc := api.New(a.myID, a.cfg, locations.Get(locations.GUIAssets), tlsDefaultCommonName, m, defaultSub, diskSub, a.evLogger, discoverer, connectionsService, urService, summaryService, errors, systemLog, a.opts.NoUpgrade, miscDB)
 	a.mainService.Add(apiSvc)
 
 	if err := apiSvc.WaitForStart(); err != nil {

lib/versioner/simple_test.go

@@ -8,7 +8,9 @@ package versioner
 
 import (
 	"math"
+	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
@@ -93,3 +95,67 @@ func TestSimpleVersioningVersionCount(t *testing.T) {
 		time.Sleep(time.Second)
 	}
 }
+
+func TestPathTildes(t *testing.T) {
+	// Test that folder and version paths with leading tildes are expanded
+	// to the user's home directory. (issue #9241)
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+	if vn := filepath.VolumeName(home); vn != "" {
+		// Legacy Windows home stuff
+		t.Setenv("HomeDrive", vn)
+		t.Setenv("HomePath", strings.TrimPrefix(home, vn))
+	}
+	os.Mkdir(filepath.Join(home, "folder"), 0o755)
+
+	cfg := config.FolderConfiguration{
+		FilesystemType: fs.FilesystemTypeBasic,
+		Path:           "~/folder",
+		Versioning: config.VersioningConfiguration{
+			FSPath: "~/versions",
+			FSType: fs.FilesystemTypeBasic,
+			Params: map[string]string{
+				"keep": "2",
+			},
+		},
+	}
+	fs := cfg.Filesystem(nil)
+	v := newSimple(cfg)
+
+	const testPath = "test"
+
+	f, err := fs.Create(testPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+	if err := v.Archive(testPath); err != nil {
+		t.Fatal(err)
+	}
+
+	// Check that there are no entries in the folder directory; this is
+	// specifically to check that there is no directory named "~" there.
+	names, err := fs.DirNames(".")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(names) != 0 {
+		t.Fatalf("found %d files in folder dir, want 0", len(names))
+	}
+
+	// Check that the versions directory contains one file that begins with
+	// our test path.
+	des, err := os.ReadDir(filepath.Join(home, "versions"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, de := range des {
+		names = append(names, de.Name())
+	}
+	if len(names) != 1 {
+		t.Fatalf("found %d files in versions dir, want 1", len(names))
+	}
+	if got := names[0]; !strings.HasPrefix(got, testPath) {
+		t.Fatalf("found versioned file %q, want one that begins with %q", got, testPath)
+	}
+}

lib/versioner/util.go

@@ -262,10 +262,20 @@ func versionerFsFromFolderCfg(cfg config.FolderConfiguration) (versionsFs fs.Fil
 	folderFs := cfg.Filesystem(nil)
 	if cfg.Versioning.FSPath == "" {
 		versionsFs = fs.NewFilesystem(folderFs.Type(), filepath.Join(folderFs.URI(), DefaultPath))
-	} else if cfg.Versioning.FSType == fs.FilesystemTypeBasic && !filepath.IsAbs(cfg.Versioning.FSPath) {
-		// We only know how to deal with relative folders for basic filesystems, as that's the only one we know
+	} else if cfg.Versioning.FSType == fs.FilesystemTypeBasic {
+		// Expand any leading tildes for basic filesystems,
+		// before checking for absolute paths.
+		path, err := fs.ExpandTilde(cfg.Versioning.FSPath)
+		if err != nil {
+			path = cfg.Versioning.FSPath
+		}
+		// We only know how to deal with relative folders for
+		// basic filesystems, as that's the only one we know
 		// how to check if it's absolute or relative.
-		versionsFs = fs.NewFilesystem(cfg.Versioning.FSType, filepath.Join(folderFs.URI(), cfg.Versioning.FSPath))
+		if !filepath.IsAbs(path) {
+			path = filepath.Join(folderFs.URI(), path)
+		}
+		versionsFs = fs.NewFilesystem(cfg.Versioning.FSType, path)
 	} else {
 		versionsFs = fs.NewFilesystem(cfg.Versioning.FSType, cfg.Versioning.FSPath)
 	}

man/stdiscosrv.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "STDISCOSRV" "1" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "STDISCOSRV" "1" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 stdiscosrv \- Syncthing Discovery Server
 .SH SYNOPSIS

man/strelaysrv.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "STRELAYSRV" "1" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "STRELAYSRV" "1" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 strelaysrv \- Syncthing Relay Server
 .SH SYNOPSIS

man/syncthing-bep.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-BEP" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-BEP" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-bep \- Block Exchange Protocol v1
 .SH INTRODUCTION AND DEFINITIONS

man/syncthing-config.5

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-CONFIG" "5" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-CONFIG" "5" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-config \- Syncthing Configuration
 .SH SYNOPSIS
@@ -68,7 +68,7 @@ The location defaults to \fB$XDG_STATE_HOME/syncthing\fP or
 \fB$HOME/.local/state/syncthing\fP (Unix\-like), \fB$HOME/Library/Application
 Support/Syncthing\fP (Mac), or \fB%LOCALAPPDATA%\eSyncthing\fP (Windows). It can
 be changed at runtime using the \fB\-\-config\fP or \fB\-\-home\fP flags or the
-corresponding environment varibles (\fB$STCONFDIR\fP or \fBSTHOMEDIR\fP). The
+corresponding environment variables (\fB$STCONFDIR\fP or \fBSTHOMEDIR\fP). The
 following files are located in this directory:
 .INDENT 0.0
 .TP

man/syncthing-device-ids.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-DEVICE-IDS" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-DEVICE-IDS" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-device-ids \- Understanding Device IDs
 .sp

man/syncthing-event-api.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-EVENT-API" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-EVENT-API" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-event-api \- Event API
 .SH DESCRIPTION

man/syncthing-faq.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-FAQ" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-FAQ" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-faq \- Frequently Asked Questions
 .INDENT 0.0

man/syncthing-globaldisco.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-GLOBALDISCO" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-GLOBALDISCO" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-globaldisco \- Global Discovery Protocol v3
 .SH ANNOUNCEMENTS

man/syncthing-localdisco.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-LOCALDISCO" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-LOCALDISCO" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-localdisco \- Local Discovery Protocol v4
 .SH MODE OF OPERATION

man/syncthing-networking.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-NETWORKING" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-NETWORKING" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-networking \- Firewall Setup
 .SH ROUTER SETUP

man/syncthing-relay.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-RELAY" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-RELAY" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-relay \- Relay Protocol v1
 .SH WHAT IS A RELAY?

man/syncthing-rest-api.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-REST-API" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-REST-API" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-rest-api \- REST API
 .sp
@@ -1825,9 +1825,10 @@ long some events might be missed. This can be detected by noting a discontinuity
 in the event IDs.
 .sp
 If no new events are produced since \fB<lastSeenID>\fP, the HTTP call blocks and
-waits for new events to happen before returning. By default it times out after
-60 seconds returning an empty array. The time out duration can be customized
-with the optional parameter \fBtimeout=<seconds>\fP\&.
+waits for new events to happen before returning. If \fB<lastSeenID>\fP is a
+future ID, the HTTP call blocks until such ID is reached or timeouts. By
+default it times out after 60 seconds returning an empty array. The time out
+duration can be customized with the optional parameter \fBtimeout=<seconds>\fP\&.
 .sp
 To receive only a limited number of events, add the \fBlimit=<n>\fP parameter with a
 suitable value for \fBn\fP and only the \fIlast\fP \fBn\fP events will be returned. This

man/syncthing-security.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-SECURITY" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-SECURITY" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-security \- Security Principles
 .sp

man/syncthing-stignore.5

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-STIGNORE" "5" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-STIGNORE" "5" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-stignore \- Prevent files from being synchronized to other nodes
 .SH SYNOPSIS

man/syncthing-versioning.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-VERSIONING" "7" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING-VERSIONING" "7" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing-versioning \- Keep automatic backups of deleted files by other nodes
 .sp

man/syncthing.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING" "1" "Dec 21, 2023" "v1.27.0" "Syncthing"
+.TH "SYNCTHING" "1" "Jan 04, 2024" "v1.27.2" "Syncthing"
 .SH NAME
 syncthing \- Syncthing
 .SH SYNOPSIS

next-gen-gui/src/app/api-utils.ts

@@ -1,6 +1,7 @@
 import { environment } from '../environments/environment'
 
 export const deviceID = (): String => {
+    // keep consistent with ShortIDStringLength in lib/protocol/deviceid.go
     return environment.production ? globalThis.metadata['deviceIDShort'] : '1234567';
 }
 

proto/generate.go

@@ -26,7 +26,7 @@ import (
 
 // Inception, go generate calls the script itself that then deals with generation.
 // This is only done because go:generate does not support wildcards in paths.
-//go:generate go run generate.go lib/protocol lib/config lib/fs lib/db lib/discover
+//go:generate go run generate.go lib/protocol lib/config lib/fs lib/db lib/discover lib/api
 
 func main() {
 	for _, path := range os.Args[1:] {

proto/lib/api/tokenset.proto

@@ -0,0 +1,8 @@
+syntax = "proto3";
+
+package api;
+
+message TokenSet {
+    // token -> expiry time (epoch nanoseconds)
+    map<string, int64> tokens = 1;
+}