From dc9a11d59b09091238f0eeb4834a1889158eee1d Mon Sep 17 00:00:00 2001
From: aecsocket <aecsocket@tutanota.com>
Date: Tue, 3 Feb 2026 16:50:55 +0000
Subject: [PATCH 1/6] Add /_internal/globals route

---
 apps/labrinth/src/routes/internal/globals.rs | 39 ++++++++++++++++++++
 apps/labrinth/src/routes/internal/mod.rs     |  6 +++
 2 files changed, 45 insertions(+)
 create mode 100644 apps/labrinth/src/routes/internal/globals.rs

diff --git a/apps/labrinth/src/routes/internal/globals.rs b/apps/labrinth/src/routes/internal/globals.rs
new file mode 100644
index 0000000000..092af9ecc2
--- /dev/null
+++ b/apps/labrinth/src/routes/internal/globals.rs
@@ -0,0 +1,39 @@
+use std::{collections::HashMap, sync::LazyLock};
+
+use actix_web::{get, web};
+use serde::{Deserialize, Serialize};
+
+pub fn config(cfg: &mut utoipa_actix_web::service_config::ServiceConfig) {
+    cfg.service(get_globals);
+}
+
+/// See [`get`].
+#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
+pub struct Globals {
+    /// Map of years to how much a creator can withdraw in that year, in USD,
+    /// before they must fill in a tax compliance form.
+    ///
+    /// If the current year is not contained in this map:
+    /// - if the year is before the first year in the map, the threshold is the first year's.
+    /// - if the year is after the last year in the map, the threshold is the last year's threshold.
+    pub tax_compliance_thresholds: HashMap<u16, u64>,
+    /// If this backend instance has a Captcha enabled for password login.
+    ///
+    /// In production, this will always be true. On local testing builds, this
+    /// will always be false.
+    pub captcha_enabled: bool,
+}
+
+static GLOBALS: LazyLock<Globals> = LazyLock::new(|| Globals {
+    tax_compliance_thresholds: [(2025, 600), (2026, 2000)]
+        .into_iter()
+        .collect(),
+    captcha_enabled: dotenvy::var("HCAPTCHA_SECRET").is_ok_and(|x| x != "none"),
+});
+
+/// Gets configured global non-secret variables for this backend instance.
+#[utoipa::path]
+#[get("")]
+pub async fn get_globals() -> web::Json<Globals> {
+    web::Json(GLOBALS.clone())
+}
diff --git a/apps/labrinth/src/routes/internal/mod.rs b/apps/labrinth/src/routes/internal/mod.rs
index 13db90924a..e213bbf611 100644
--- a/apps/labrinth/src/routes/internal/mod.rs
+++ b/apps/labrinth/src/routes/internal/mod.rs
@@ -5,6 +5,7 @@ pub mod delphi;
 pub mod external_notifications;
 pub mod flows;
 pub mod gdpr;
+pub mod globals;
 pub mod gotenberg;
 pub mod medal;
 pub mod moderation;
@@ -55,5 +56,10 @@ pub fn utoipa_config(
         utoipa_actix_web::scope("/_internal/search-management")
             .wrap(default_cors())
             .configure(search::config),
+    )
+    .service(
+        utoipa_actix_web::scope("/_internal/globals")
+            .wrap(default_cors())
+            .configure(globals::config),
     );
 }

From b3d21bb5b7eeaddeeb8ba8d3399f9cc50d11fcc9 Mon Sep 17 00:00:00 2001
From: aecsocket <aecsocket@tutanota.com>
Date: Tue, 3 Feb 2026 16:58:35 +0000
Subject: [PATCH 2/6] Don't show login captcha if backend claims it's disabled

---
 apps/frontend/src/pages/auth/reset-password.vue | 12 ++++++++++--
 apps/frontend/src/pages/auth/sign-in.vue        |  8 ++++++--
 apps/frontend/src/pages/auth/sign-up.vue        |  8 ++++++--
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/apps/frontend/src/pages/auth/reset-password.vue b/apps/frontend/src/pages/auth/reset-password.vue
index 2318d88d55..df89fe579e 100644
--- a/apps/frontend/src/pages/auth/reset-password.vue
+++ b/apps/frontend/src/pages/auth/reset-password.vue
@@ -22,9 +22,13 @@
 					/>
 				</div>
 
-				<HCaptcha ref="captcha" v-model="token" />
+				<HCaptcha v-if="globals?.captcha_enabled" ref="captcha" v-model="token" />
 
-				<button class="btn btn-primary centered-btn" :disabled="!token" @click="recovery">
+				<button
+					class="btn btn-primary centered-btn"
+					:disabled="globals?.captcha_enabled ? !token : false"
+					@click="recovery"
+				>
 					<SendIcon /> {{ formatMessage(methodChoiceMessages.action) }}
 				</button>
 			</template>
@@ -158,6 +162,10 @@ if (route.query.flow) {
 
 const captcha = ref()
 
+const { data: globals } = await useAsyncData('auth-globals', () =>
+	useBaseFetch('globals', { internal: true }),
+)
+
 const email = ref('')
 const token = ref('')
 
diff --git a/apps/frontend/src/pages/auth/sign-in.vue b/apps/frontend/src/pages/auth/sign-in.vue
index 6bdc2002db..454aeca3d3 100644
--- a/apps/frontend/src/pages/auth/sign-in.vue
+++ b/apps/frontend/src/pages/auth/sign-in.vue
@@ -89,11 +89,11 @@
 					/>
 				</div>
 
-				<HCaptcha ref="captcha" v-model="token" />
+				<HCaptcha v-if="globals?.captcha_enabled" ref="captcha" v-model="token" />
 
 				<button
 					class="btn btn-primary continue-btn centered-btn"
-					:disabled="!token"
+					:disabled="globals?.captcha_enabled ? !token : false"
 					@click="beginPasswordSignIn()"
 				>
 					{{ formatMessage(commonMessages.signInButton) }} <RightArrowIcon />
@@ -210,6 +210,10 @@ if (auth.value.user) {
 
 const captcha = ref()
 
+const { data: globals } = await useAsyncData('auth-globals', () =>
+	useBaseFetch('globals', { internal: true }),
+)
+
 const email = ref('')
 const password = ref('')
 const token = ref('')
diff --git a/apps/frontend/src/pages/auth/sign-up.vue b/apps/frontend/src/pages/auth/sign-up.vue
index df26b42297..4c910c2576 100644
--- a/apps/frontend/src/pages/auth/sign-up.vue
+++ b/apps/frontend/src/pages/auth/sign-up.vue
@@ -108,11 +108,11 @@
 				</IntlFormatted>
 			</p>
 
-			<HCaptcha ref="captcha" v-model="token" />
+			<HCaptcha v-if="globals?.captcha_enabled" ref="captcha" v-model="token" />
 
 			<button
 				class="btn btn-primary continue-btn centered-btn"
-				:disabled="!token"
+				:disabled="globals?.captcha_enabled ? !token : false"
 				@click="createAccount"
 			>
 				{{ formatMessage(messages.createAccountButton) }} <RightArrowIcon />
@@ -209,6 +209,10 @@ if (auth.value.user) {
 
 const captcha = ref()
 
+const { data: globals } = await useAsyncData('auth-globals', () =>
+	useBaseFetch('globals', { internal: true }),
+)
+
 const email = ref('')
 const username = ref('')
 const password = ref('')

From 38a935825e5f4cff488a274f6c71e97780c3c307 Mon Sep 17 00:00:00 2001
From: aecsocket <aecsocket@tutanota.com>
Date: Tue, 3 Feb 2026 17:12:49 +0000
Subject: [PATCH 3/6] try to re-add tombi

---
 .github/workflows/check-generic.yml | 20 +++++++++++---------
 Cargo.toml                          |  2 +-
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/check-generic.yml b/.github/workflows/check-generic.yml
index 35e99c1328..51899771e1 100644
--- a/.github/workflows/check-generic.yml
+++ b/.github/workflows/check-generic.yml
@@ -13,13 +13,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: crate-ci/typos@master
+      - uses: crate-ci/typos@1.43.1
 
-  # broken: <https://github.com/SchemaStore/schemastore/issues/5108>
-  # tombi:
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #     - uses: tombi-toml/setup-tombi@v1
-  #     - run: tombi lint
-  #     - run: tombi fmt --check
+  # see <https://github.com/influxdata/datafusion-udf-wasm/pull/275>
+  tombi:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: taiki-e/install-action@v2
+        with:
+          tool: tombi
+      - run: tombi lint
+      - run: tombi fmt --check
diff --git a/Cargo.toml b/Cargo.toml
index 3b1e5553e1..d5d9ba9131 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -60,7 +60,7 @@ const_format = "0.2.34"
 daedalus = { path = "packages/daedalus" }
 dashmap = "6.1.0"
 data-url = "0.3.2"
-deadpool-redis = { version = "0.22.1", git = "https://github.com/modrinth/deadpool", rev = "db5fb00b036ecc8fe5f18853c559b745ffe47bde" }
+deadpool-redis = { git = "https://github.com/modrinth/deadpool", rev = "db5fb00b036ecc8fe5f18853c559b745ffe47bde", version = "0.22.1" }
 derive_more = "2.0.1"
 directories = "6.0.0"
 dirs = "6.0.0"

From c37988af7d2a38ae9f3bcb9d5af5b4a21916da86 Mon Sep 17 00:00:00 2001
From: aecsocket <aecsocket@tutanota.com>
Date: Tue, 3 Feb 2026 17:50:34 +0000
Subject: [PATCH 4/6] typos

---
 .github/workflows/check-generic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-generic.yml b/.github/workflows/check-generic.yml
index 51899771e1..03e3dc649a 100644
--- a/.github/workflows/check-generic.yml
+++ b/.github/workflows/check-generic.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: crate-ci/typos@1.43.1
+      - uses: crate-ci/typos@v1.43.1
 
   # see <https://github.com/influxdata/datafusion-udf-wasm/pull/275>
   tombi:

From 7a458f6b51ffa5c30b2190f9aff02dcb092e6950 Mon Sep 17 00:00:00 2001
From: aecsocket <aecsocket@tutanota.com>
Date: Wed, 4 Feb 2026 14:00:09 +0000
Subject: [PATCH 5/6] Assume captcha enabled if globals route is unreachable

---
 apps/frontend/src/pages/auth/reset-password.vue | 10 +++++++---
 apps/frontend/src/pages/auth/sign-in.vue        | 10 +++++++---
 apps/frontend/src/pages/auth/sign-up.vue        | 10 +++++++---
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/apps/frontend/src/pages/auth/reset-password.vue b/apps/frontend/src/pages/auth/reset-password.vue
index df89fe579e..8cb2927f3c 100644
--- a/apps/frontend/src/pages/auth/reset-password.vue
+++ b/apps/frontend/src/pages/auth/reset-password.vue
@@ -162,9 +162,13 @@ if (route.query.flow) {
 
 const captcha = ref()
 
-const { data: globals } = await useAsyncData('auth-globals', () =>
-	useBaseFetch('globals', { internal: true }),
-)
+const { data: globals } = await useAsyncData('auth-globals', async () => {
+	try {
+		return await useBaseFetch('globals', { internal: true })
+	} catch (err) {
+		return { captcha_enabled: true }
+	}
+})
 
 const email = ref('')
 const token = ref('')
diff --git a/apps/frontend/src/pages/auth/sign-in.vue b/apps/frontend/src/pages/auth/sign-in.vue
index 454aeca3d3..5f61eed409 100644
--- a/apps/frontend/src/pages/auth/sign-in.vue
+++ b/apps/frontend/src/pages/auth/sign-in.vue
@@ -210,9 +210,13 @@ if (auth.value.user) {
 
 const captcha = ref()
 
-const { data: globals } = await useAsyncData('auth-globals', () =>
-	useBaseFetch('globals', { internal: true }),
-)
+const { data: globals } = await useAsyncData('auth-globals', async () => {
+	try {
+		return await useBaseFetch('globals', { internal: true })
+	} catch (err) {
+		return { captcha_enabled: true }
+	}
+})
 
 const email = ref('')
 const password = ref('')
diff --git a/apps/frontend/src/pages/auth/sign-up.vue b/apps/frontend/src/pages/auth/sign-up.vue
index 4c910c2576..f288c799f9 100644
--- a/apps/frontend/src/pages/auth/sign-up.vue
+++ b/apps/frontend/src/pages/auth/sign-up.vue
@@ -209,9 +209,13 @@ if (auth.value.user) {
 
 const captcha = ref()
 
-const { data: globals } = await useAsyncData('auth-globals', () =>
-	useBaseFetch('globals', { internal: true }),
-)
+const { data: globals } = await useAsyncData('auth-globals', async () => {
+	try {
+		return await useBaseFetch('globals', { internal: true })
+	} catch (err) {
+		return { captcha_enabled: true }
+	}
+})
 
 const email = ref('')
 const username = ref('')

From 1472b9f85930e6f258a902221cecee95baa3f3c0 Mon Sep 17 00:00:00 2001
From: aecsocket <aecsocket@tutanota.com>
Date: Wed, 4 Feb 2026 17:53:27 +0000
Subject: [PATCH 6/6] Prepare frontend fixes

---
 apps/frontend/src/pages/auth/reset-password.vue | 1 +
 apps/frontend/src/pages/auth/sign-in.vue        | 1 +
 apps/frontend/src/pages/auth/sign-up.vue        | 1 +
 3 files changed, 3 insertions(+)

diff --git a/apps/frontend/src/pages/auth/reset-password.vue b/apps/frontend/src/pages/auth/reset-password.vue
index 8cb2927f3c..2a94afda99 100644
--- a/apps/frontend/src/pages/auth/reset-password.vue
+++ b/apps/frontend/src/pages/auth/reset-password.vue
@@ -166,6 +166,7 @@ const { data: globals } = await useAsyncData('auth-globals', async () => {
 	try {
 		return await useBaseFetch('globals', { internal: true })
 	} catch (err) {
+		console.error('Error fetching globals:', err)
 		return { captcha_enabled: true }
 	}
 })
diff --git a/apps/frontend/src/pages/auth/sign-in.vue b/apps/frontend/src/pages/auth/sign-in.vue
index 5f61eed409..927eba7448 100644
--- a/apps/frontend/src/pages/auth/sign-in.vue
+++ b/apps/frontend/src/pages/auth/sign-in.vue
@@ -214,6 +214,7 @@ const { data: globals } = await useAsyncData('auth-globals', async () => {
 	try {
 		return await useBaseFetch('globals', { internal: true })
 	} catch (err) {
+		console.error('Error fetching globals:', err)
 		return { captcha_enabled: true }
 	}
 })
diff --git a/apps/frontend/src/pages/auth/sign-up.vue b/apps/frontend/src/pages/auth/sign-up.vue
index f288c799f9..c1b566c870 100644
--- a/apps/frontend/src/pages/auth/sign-up.vue
+++ b/apps/frontend/src/pages/auth/sign-up.vue
@@ -213,6 +213,7 @@ const { data: globals } = await useAsyncData('auth-globals', async () => {
 	try {
 		return await useBaseFetch('globals', { internal: true })
 	} catch (err) {
+		console.error('Error fetching globals:', err)
 		return { captcha_enabled: true }
 	}
 })