matrix-synapse: route stream-backed client endpoints explicitly and add device_lists stream writer support

Some client API endpoints (e.g. keys/upload) are backed by Synapse stream writers and
should not rely on broad worker regexes or route-order fallthrough for correctness.

When explicit per-stream routing is missing, requests may be captured by generic, room, or client_reader workers, instead of:
- going to the configured stream writer
- or to `main` when that stream writer is not enabled

This refactors synapse-reverse-proxy-companion's routing so that web-facing stream-backed endpoint families
are handled explicitly and early, with deterministic writer-or-main fallback.

Add first-class support for the missing `device_lists` stream writer,
generalize the same routing model to `push_rules`,
and remove stale broad-route ownership for device-list-sensitive endpoints.

roles/custom/matrix-synapse/vars/main.yml

@@ -31,7 +31,7 @@ matrix_synapse_workers_sync_worker_client_server_endpoints:
 
 # Client reader workers handle generic client-server endpoints that don't contain a roomid or sync
 matrix_synapse_workers_client_reader_client_server_endpoints:
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/(room_keys/|keys/(query|changes|claim|upload/|room_keys/)|login|register(/available|/m.login.registration_token/validity|)|password_policy|profile|rooms/.*/(joined_members|context/.*|members|state|hierarchy|relations/|event/|aliases|timestamp_to_event|redact|send|state/|(join|invite|leave|ban|unban|kick))|createRoom|publicRooms|account/(3pid|whoami|devices)|versions|voip/turnServer|joined_rooms|search|user/.*/filter(/|$)|directory/room/.*|capabilities)
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/(room_keys/|keys/(query|changes|claim|room_keys/)|login|register(/available|/m.login.registration_token/validity|)|password_policy|profile|rooms/.*/(joined_members|context/.*|members|state|hierarchy|relations/|event/|aliases|timestamp_to_event|redact|send|state/|(join|invite|leave|ban|unban|kick))|createRoom|publicRooms|account/(3pid|whoami|devices)|versions|voip/turnServer|joined_rooms|search|user/.*/filter(/|$)|directory/room/.*|capabilities)
 
 # Federation reader workers handle generic federation endpoints that don't contain a roomid
 matrix_synapse_workers_federation_reader_federation_endpoints:
@@ -93,6 +93,20 @@ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoi
 matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints:
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/
 
+# matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints contains the endpoints serviced by the `push_rules` stream writer.
+# See: https://matrix-org.github.io/synapse/latest/workers.html#the-push_rules-stream
+matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/
+
+# matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints contains the endpoints serviced by the `device_lists` stream writer.
+# See: https://matrix-org.github.io/synapse/latest/workers.html#the-device_lists-stream
+matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/(r0|v3)/delete_devices$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$)
+  - ^/_matrix/client/(r0|v3|unstable)/keys/upload(/|$)
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+
 # matrix_synapse_workers_user_dir_worker_client_server_endpoints contains the endpoints serviced by the `type = user_dir` (`app = generic_worker`) worker.
 # See: https://matrix-org.github.io/synapse/latest/workers.html#updating-the-user-directory
 matrix_synapse_workers_user_dir_worker_client_server_endpoints:
@@ -101,11 +115,11 @@ matrix_synapse_workers_user_dir_worker_client_server_endpoints:
 # matrix_synapse_workers_known_stream_writer_stream_types contains the list of stream writer stream types that the playbook recognizes.
 # This is used for validation purposes. If adding support for a new type, besides adding it to this list,
 # don't forget to actually configure it where appropriate (see worker.yaml.j2`, the nginx proxy configuration, etc).
-matrix_synapse_workers_known_stream_writer_stream_types: ['events', 'typing', 'to_device', 'account_data', 'receipts', 'presence']
+matrix_synapse_workers_known_stream_writer_stream_types: ['events', 'typing', 'to_device', 'account_data', 'receipts', 'presence', 'push_rules', 'device_lists']
 
 # matrix_synapse_workers_webserving_stream_writer_types contains a list of stream writer types that serve web (client) requests.
 # Not all stream writers serve web requests. Some just perform background tasks.
-matrix_synapse_workers_webserving_stream_writer_types: ['typing', 'to_device', 'account_data', 'receipts', 'presence']
+matrix_synapse_workers_webserving_stream_writer_types: ['typing', 'to_device', 'account_data', 'receipts', 'presence', 'push_rules', 'device_lists']
 
 # matrix_synapse_workers_systemd_services_list contains a list of systemd services (one for each worker systemd service which serves web requests).
 # This list is built during runtime.
@@ -190,7 +204,6 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
   - ^/_matrix/client/(r0|v3|unstable)/account/3pid$
   - ^/_matrix/client/(r0|v3|unstable)/account/whoami$
-  - ^/_matrix/client/(r0|v3|unstable)/devices$
   - ^/_matrix/client/versions$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/
@@ -208,9 +221,6 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(r0|v3|unstable)/keys/changes$
   - ^/_matrix/client/(r0|v3|unstable)/keys/claim$
   - ^/_matrix/client/(r0|v3|unstable)/room_keys/
-  - ^/_matrix/client/(r0|v3|unstable)/keys/upload$
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
 
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
@@ -236,11 +246,14 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # Start of intentionally-ignored-endpoints
   #
-  # We ignore these below, because they're better sent to dedicated workers (various stream writers).
-  # If a stream writer is enabled, the endpoint should be routed to the stream writer, not to a generic worker.
-  # If a stream writer of a given type is not enabled, then a generic worker may process it.
-  # Because it's difficult to handle these individually based on which stream writer is enabled and which isn't,
-  # we just disable them here.
+  # We ignore these below, because they are now supposed to be owned by explicit
+  # early stream-backed routing in the reverse proxy.
+  #
+  # The intended behavior is:
+  # - if a stream writer is enabled, route to that stream writer
+  # - otherwise, route to Synapse `main`
+  #
+  # Broad generic-worker routing must not decide fallback behavior for these.
   #
   # # Account data requests
   # - ^/_matrix/client/(r0|v3|unstable)/.*/tags
@@ -253,6 +266,16 @@ matrix_synapse_workers_generic_worker_endpoints:
   # # Presence requests
   # - ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/
   #
+  # # Push rules requests
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/
+  #
+  # # Device lists requests
+  # - ^/_matrix/client/(r0|v3)/delete_devices$
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$)
+  # - ^/_matrix/client/(r0|v3|unstable)/keys/upload(/|$)
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+  #
   # # User directory search requests
   # - ^/_matrix/client/(r0|v3|unstable)/user_directory/search$
   # End of intentionally-ignored-endpoints