diff --git a/src/aphront/requeststream/AphrontRequestStream.php b/src/aphront/requeststream/AphrontRequestStream.php
index 6bd27712ed..009451c3ad 100644
--- a/src/aphront/requeststream/AphrontRequestStream.php
+++ b/src/aphront/requeststream/AphrontRequestStream.php
@@ -1,112 +1,113 @@
 <?php
 
 final class AphrontRequestStream extends Phobject {
 
   private $encoding;
   private $stream;
   private $closed;
   private $iterator;
 
   public function setEncoding($encoding) {
     $this->encoding = $encoding;
     return $this;
   }
 
   public function getEncoding() {
     return $this->encoding;
   }
 
   public function getIterator() {
     if (!$this->iterator) {
       $this->iterator = new PhutilStreamIterator($this->getStream());
     }
     return $this->iterator;
   }
 
   public function readData() {
     if (!$this->iterator) {
       $iterator = $this->getIterator();
       $iterator->rewind();
     } else {
       $iterator = $this->getIterator();
     }
 
     if (!$iterator->valid()) {
       return null;
     }
 
     $data = $iterator->current();
     $iterator->next();
 
     return $data;
   }
 
   private function getStream() {
     if (!$this->stream) {
       $this->stream = $this->newStream();
     }
 
     return $this->stream;
   }
 
   private function newStream() {
     $stream = fopen('php://input', 'rb');
     if (!$stream) {
       throw new Exception(
         pht(
           'Failed to open stream "%s" for reading.',
           'php://input'));
     }
 
     $encoding = $this->getEncoding();
     if ($encoding === 'gzip') {
       // This parameter is magic. Values 0-15 express a time/memory tradeoff,
       // but the largest value (15) corresponds to only 32KB of memory and
       // data encoded with a smaller window size than the one we pass can not
       // be decompressed. Always pass the maximum window size.
 
       // Additionally, you can add 16 (to enable gzip) or 32 (to enable both
       // gzip and zlib). Add 32 to support both.
       $zlib_window = 15 + 32;
 
       $ok = stream_filter_append(
         $stream,
         'zlib.inflate',
         STREAM_FILTER_READ,
         array(
           'window' => $zlib_window,
         ));
       if (!$ok) {
         throw new Exception(
           pht(
             'Failed to append filter "%s" to input stream while processing '.
             'a request with "%s" encoding.',
             'zlib.inflate',
             $encoding));
       }
     }
 
     return $stream;
   }
 
   public static function supportsGzip() {
     if (!function_exists('gzencode') || !function_exists('gzdecode')) {
       return false;
     }
 
     $has_zlib = false;
 
     // NOTE: At least locally, this returns "zlib.*", which is not terribly
     // reassuring. We care about "zlib.inflate".
 
     $filters = stream_get_filters();
     foreach ($filters as $filter) {
-      if (preg_match('/^zlib\\./', $filter)) {
+      if (!strncasecmp($filter, 'zlib.', strlen('zlib.'))) {
         $has_zlib = true;
+        break;
       }
     }
 
     return $has_zlib;
   }
 
 }
diff --git a/src/aphront/response/AphrontJSONResponse.php b/src/aphront/response/AphrontJSONResponse.php
index 3d1c429d41..228a1a1721 100644
--- a/src/aphront/response/AphrontJSONResponse.php
+++ b/src/aphront/response/AphrontJSONResponse.php
@@ -1,41 +1,41 @@
 <?php
 
 final class AphrontJSONResponse extends AphrontResponse {
 
   private $content;
   private $addJSONShield;
 
   public function setContent($content) {
     $this->content = $content;
     return $this;
   }
 
   public function setAddJSONShield($should_add) {
     $this->addJSONShield = $should_add;
     return $this;
   }
 
   public function shouldAddJSONShield() {
     if ($this->addJSONShield === null) {
       return true;
     }
     return (bool)$this->addJSONShield;
   }
 
   public function buildResponseString() {
     $response = $this->encodeJSONForHTTPResponse($this->content);
     if ($this->shouldAddJSONShield()) {
       $response = $this->addJSONShield($response);
     }
     return $response;
   }
 
   public function getHeaders() {
-    $headers = array(
-      array('Content-Type', 'application/json'),
-    );
-    $headers = array_merge(parent::getHeaders(), $headers);
+    $headers = parent::getHeaders();
+
+    $headers[] = array('Content-Type', 'application/json');
+
     return $headers;
   }
 
 }
diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
index 8a94adf38d..5dae168c73 100644
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -1,440 +1,449 @@
 <?php
 
 abstract class AphrontResponse extends Phobject {
 
   private $request;
   private $cacheable = false;
   private $canCDN;
   private $responseCode = 200;
   private $lastModified = null;
   private $contentSecurityPolicyURIs;
   private $disableContentSecurityPolicy;
   protected $frameable;
-
+  private $headers = array();
 
   public function setRequest($request) {
     $this->request = $request;
     return $this;
   }
 
   public function getRequest() {
     return $this->request;
   }
 
   final public function addContentSecurityPolicyURI($kind, $uri) {
     if ($this->contentSecurityPolicyURIs === null) {
       $this->contentSecurityPolicyURIs = array(
          'script-src' => array(),
          'connect-src' => array(),
          'frame-src' => array(),
          'form-action' => array(),
          'object-src' => array(),
        );
     }
 
     if (!isset($this->contentSecurityPolicyURIs[$kind])) {
       throw new Exception(
         pht(
           'Unknown Content-Security-Policy URI kind "%s".',
           $kind));
     }
 
     $this->contentSecurityPolicyURIs[$kind][] = (string)$uri;
 
     return $this;
   }
 
   final public function setDisableContentSecurityPolicy($disable) {
     $this->disableContentSecurityPolicy = $disable;
     return $this;
   }
 
+  final public function addHeader($key, $value) {
+    $this->headers[] = array($key, $value);
+    return $this;
+  }
+
 
 /* -(  Content  )------------------------------------------------------------ */
 
 
   public function getContentIterator() {
     // By default, make sure responses are truly returning a string, not some
     // kind of object that behaves like a string.
 
     // We're going to remove the execution time limit before dumping the
     // response into the sink, and want any rendering that's going to occur
     // to happen BEFORE we release the limit.
 
     return array(
       (string)$this->buildResponseString(),
     );
   }
 
   public function buildResponseString() {
     throw new PhutilMethodNotImplementedException();
   }
 
 
 /* -(  Metadata  )----------------------------------------------------------- */
 
 
   public function getHeaders() {
     $headers = array();
     if (!$this->frameable) {
       $headers[] = array('X-Frame-Options', 'Deny');
     }
 
     if ($this->getRequest() && $this->getRequest()->isHTTPS()) {
       $hsts_key = 'security.strict-transport-security';
       $use_hsts = PhabricatorEnv::getEnvConfig($hsts_key);
       if ($use_hsts) {
         $duration = phutil_units('365 days in seconds');
       } else {
         // If HSTS has been disabled, tell browsers to turn it off. This may
         // not be effective because we can only disable it over a valid HTTPS
         // connection, but it best represents the configured intent.
         $duration = 0;
       }
 
       $headers[] = array(
         'Strict-Transport-Security',
         "max-age={$duration}; includeSubdomains; preload",
       );
     }
 
     $csp = $this->newContentSecurityPolicyHeader();
     if ($csp !== null) {
       $headers[] = array('Content-Security-Policy', $csp);
     }
 
     $headers[] = array('Referrer-Policy', 'no-referrer');
 
+    foreach ($this->headers as $header) {
+      $headers[] = $header;
+    }
+
     return $headers;
   }
 
   private function newContentSecurityPolicyHeader() {
     if ($this->disableContentSecurityPolicy) {
       return null;
     }
 
     // NOTE: We may return a response during preflight checks (for example,
     // if a user has a bad version of PHP).
 
     // In this case, setup isn't complete yet and we can't access environmental
     // configuration. If we aren't able to read the environment, just decline
     // to emit a Content-Security-Policy header.
 
     try {
       $cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
       $base_uri = PhabricatorEnv::getURI('/');
     } catch (Exception $ex) {
       return null;
     }
 
     $csp = array();
     if ($cdn) {
       $default = $this->newContentSecurityPolicySource($cdn);
     } else {
       // If an alternate file domain is not configured and the user is viewing
       // a Phame blog on a custom domain or some other custom site, we'll still
       // serve resources from the main site. Include the main site explicitly.
       $base_uri = $this->newContentSecurityPolicySource($base_uri);
 
       $default = "'self' {$base_uri}";
     }
 
     $csp[] = "default-src {$default}";
 
     // We use "data:" URIs to inline small images into CSS. This policy allows
     // "data:" URIs to be used anywhere, but there doesn't appear to be a way
     // to say that "data:" URIs are okay in CSS files but not in the document.
     $csp[] = "img-src {$default} data:";
 
     // We use inline style="..." attributes in various places, many of which
     // are legitimate. We also currently use a <style> tag to implement the
     // "Monospaced Font Preference" setting.
     $csp[] = "style-src {$default} 'unsafe-inline'";
 
     // On a small number of pages, including the Stripe workflow and the
     // ReCAPTCHA challenge, we embed external Javascript directly.
     $csp[] = $this->newContentSecurityPolicy('script-src', $default);
 
     // We need to specify that we can connect to ourself in order for AJAX
     // requests to work.
     $csp[] = $this->newContentSecurityPolicy('connect-src', "'self'");
 
     // DarkConsole and PHPAST both use frames to render some content.
     $csp[] = $this->newContentSecurityPolicy('frame-src', "'self'");
 
     // This is a more modern flavor of of "X-Frame-Options" and prevents
     // clickjacking attacks where the page is included in a tiny iframe and
     // the user is convinced to click a element on the page, which really
     // clicks a dangerous button hidden under a picture of a cat.
     if ($this->frameable) {
       $csp[] = "frame-ancestors 'self'";
     } else {
       $csp[] = "frame-ancestors 'none'";
     }
 
     // Block relics of the old world: Flash, Java applets, and so on. Note
     // that Chrome prevents the user from viewing PDF documents if they are
     // served with a policy which excludes the domain they are served from.
     $csp[] = $this->newContentSecurityPolicy('object-src', "'none'");
 
     // Don't allow forms to submit offsite.
 
     // This can result in some trickiness with file downloads if applications
     // try to start downloads by submitting a dialog. Redirect to the file's
     // download URI instead of submitting a form to it.
     $csp[] = $this->newContentSecurityPolicy('form-action', "'self'");
 
     // Block use of "<base>" to change the origin of relative URIs on the page.
     $csp[] = "base-uri 'none'";
 
     $csp = implode('; ', $csp);
 
     return $csp;
   }
 
   private function newContentSecurityPolicy($type, $defaults) {
     if ($defaults === null) {
       $sources = array();
     } else {
       $sources = (array)$defaults;
     }
 
     $uris = $this->contentSecurityPolicyURIs;
     if (isset($uris[$type])) {
       foreach ($uris[$type] as $uri) {
         $sources[] = $this->newContentSecurityPolicySource($uri);
       }
     }
     $sources = array_unique($sources);
 
     return $type.' '.implode(' ', $sources);
   }
 
   private function newContentSecurityPolicySource($uri) {
     // Some CSP URIs are ultimately user controlled (like notification server
     // URIs and CDN URIs) so attempt to stop an attacker from injecting an
     // unsafe source (like 'unsafe-eval') into the CSP header.
 
     $uri = id(new PhutilURI($uri))
       ->setPath(null)
       ->setFragment(null)
       ->removeAllQueryParams();
 
     $uri = (string)$uri;
     if (preg_match('/[ ;\']/', $uri)) {
       throw new Exception(
         pht(
           'Attempting to emit a response with an unsafe source ("%s") in the '.
           'Content-Security-Policy header.',
           $uri));
     }
 
     return $uri;
   }
 
   public function setCacheDurationInSeconds($duration) {
     $this->cacheable = $duration;
     return $this;
   }
 
   public function setCanCDN($can_cdn) {
     $this->canCDN = $can_cdn;
     return $this;
   }
 
   public function setLastModified($epoch_timestamp) {
     $this->lastModified = $epoch_timestamp;
     return $this;
   }
 
   public function setHTTPResponseCode($code) {
     $this->responseCode = $code;
     return $this;
   }
 
   public function getHTTPResponseCode() {
     return $this->responseCode;
   }
 
   public function getHTTPResponseMessage() {
     switch ($this->getHTTPResponseCode()) {
       case 100: return 'Continue';
       case 101: return 'Switching Protocols';
       case 200: return 'OK';
       case 201: return 'Created';
       case 202: return 'Accepted';
       case 203: return 'Non-Authoritative Information';
       case 204: return 'No Content';
       case 205: return 'Reset Content';
       case 206: return 'Partial Content';
       case 300: return 'Multiple Choices';
       case 301: return 'Moved Permanently';
       case 302: return 'Found';
       case 303: return 'See Other';
       case 304: return 'Not Modified';
       case 305: return 'Use Proxy';
       case 306: return 'Switch Proxy';
       case 307: return 'Temporary Redirect';
       case 400: return 'Bad Request';
       case 401: return 'Unauthorized';
       case 402: return 'Payment Required';
       case 403: return 'Forbidden';
       case 404: return 'Not Found';
       case 405: return 'Method Not Allowed';
       case 406: return 'Not Acceptable';
       case 407: return 'Proxy Authentication Required';
       case 408: return 'Request Timeout';
       case 409: return 'Conflict';
       case 410: return 'Gone';
       case 411: return 'Length Required';
       case 412: return 'Precondition Failed';
       case 413: return 'Request Entity Too Large';
       case 414: return 'Request-URI Too Long';
       case 415: return 'Unsupported Media Type';
       case 416: return 'Requested Range Not Satisfiable';
       case 417: return 'Expectation Failed';
       case 418: return "I'm a teapot";
       case 426: return 'Upgrade Required';
       case 500: return 'Internal Server Error';
       case 501: return 'Not Implemented';
       case 502: return 'Bad Gateway';
       case 503: return 'Service Unavailable';
       case 504: return 'Gateway Timeout';
       case 505: return 'HTTP Version Not Supported';
       default:  return '';
     }
   }
 
   public function setFrameable($frameable) {
     $this->frameable = $frameable;
     return $this;
   }
 
   public static function processValueForJSONEncoding(&$value, $key) {
     if ($value instanceof PhutilSafeHTMLProducerInterface) {
       // This renders the producer down to PhutilSafeHTML, which will then
       // be simplified into a string below.
       $value = hsprintf('%s', $value);
     }
 
     if ($value instanceof PhutilSafeHTML) {
       // TODO: Javelin supports implicity conversion of '__html' objects to
       // JX.HTML, but only for Ajax responses, not behaviors. Just leave things
       // as they are for now (where behaviors treat responses as HTML or plain
       // text at their discretion).
       $value = $value->getHTMLContent();
     }
   }
 
   public static function encodeJSONForHTTPResponse(array $object) {
 
     array_walk_recursive(
       $object,
       array(__CLASS__, 'processValueForJSONEncoding'));
 
     $response = phutil_json_encode($object);
 
     // Prevent content sniffing attacks by encoding "<" and ">", so browsers
     // won't try to execute the document as HTML even if they ignore
     // Content-Type and X-Content-Type-Options. See T865.
     $response = str_replace(
       array('<', '>'),
       array('\u003c', '\u003e'),
       $response);
 
     return $response;
   }
 
   protected function addJSONShield($json_response) {
     // Add a shield to prevent "JSON Hijacking" attacks where an attacker
     // requests a JSON response using a normal <script /> tag and then uses
     // Object.prototype.__defineSetter__() or similar to read response data.
     // This header causes the browser to loop infinitely instead of handing over
     // sensitive data.
 
     $shield = 'for (;;);';
 
     $response = $shield.$json_response;
 
     return $response;
   }
 
   public function getCacheHeaders() {
     $headers = array();
     if ($this->cacheable) {
       $cache_control = array();
       $cache_control[] = sprintf('max-age=%d', $this->cacheable);
 
       if ($this->canCDN) {
         $cache_control[] = 'public';
       } else {
         $cache_control[] = 'private';
       }
 
       $headers[] = array(
         'Cache-Control',
         implode(', ', $cache_control),
       );
 
       $headers[] = array(
         'Expires',
         $this->formatEpochTimestampForHTTPHeader(time() + $this->cacheable),
       );
     } else {
       $headers[] = array(
         'Cache-Control',
         'no-store',
       );
       $headers[] = array(
         'Expires',
         'Sat, 01 Jan 2000 00:00:00 GMT',
       );
     }
 
     if ($this->lastModified) {
       $headers[] = array(
         'Last-Modified',
         $this->formatEpochTimestampForHTTPHeader($this->lastModified),
       );
     }
 
     // IE has a feature where it may override an explicit Content-Type
     // declaration by inferring a content type. This can be a security risk
     // and we always explicitly transmit the correct Content-Type header, so
     // prevent IE from using inferred content types. This only offers protection
     // on recent versions of IE; IE6/7 and Opera currently ignore this header.
     $headers[] = array('X-Content-Type-Options', 'nosniff');
 
     return $headers;
   }
 
   private function formatEpochTimestampForHTTPHeader($epoch_timestamp) {
     return gmdate('D, d M Y H:i:s', $epoch_timestamp).' GMT';
   }
 
   protected function shouldCompressResponse() {
     return true;
   }
 
   public function willBeginWrite() {
     // If we've already sent headers, these "ini_set()" calls will warn that
     // they have no effect. Today, this always happens because we're inside
     // a unit test, so just skip adjusting the setting.
 
     if (!headers_sent()) {
       if ($this->shouldCompressResponse()) {
         // Enable automatic compression here. Webservers sometimes do this for
         // us, but we now detect the absence of compression and warn users about
         // it so try to cover our bases more thoroughly.
         ini_set('zlib.output_compression', 1);
       } else {
         ini_set('zlib.output_compression', 0);
       }
     }
   }
 
   public function didCompleteWrite($aborted) {
     return;
   }
 
 }
diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
index d34189125a..3b3e6ee423 100644
--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -1,720 +1,737 @@
 <?php
 
 final class PhabricatorConduitAPIController
   extends PhabricatorConduitController {
 
   public function shouldRequireLogin() {
     return false;
   }
 
   public function handleRequest(AphrontRequest $request) {
     $method = $request->getURIData('method');
     $time_start = microtime(true);
 
     $api_request = null;
     $method_implementation = null;
 
     $log = new PhabricatorConduitMethodCallLog();
     $log->setMethod($method);
     $metadata = array();
 
     $multimeter = MultimeterControl::getInstance();
     if ($multimeter) {
       $multimeter->setEventContext('api.'.$method);
     }
 
     try {
 
       list($metadata, $params, $strictly_typed) = $this->decodeConduitParams(
         $request,
         $method);
 
       $call = new ConduitCall($method, $params, $strictly_typed);
       $method_implementation = $call->getMethodImplementation();
 
       $result = null;
 
       // TODO: The relationship between ConduitAPIRequest and ConduitCall is a
       // little odd here and could probably be improved. Specifically, the
       // APIRequest is a sub-object of the Call, which does not parallel the
       // role of AphrontRequest (which is an indepenent object).
       // In particular, the setUser() and getUser() existing independently on
       // the Call and APIRequest is very awkward.
 
       $api_request = $call->getAPIRequest();
 
       $allow_unguarded_writes = false;
       $auth_error = null;
       $conduit_username = '-';
       if ($call->shouldRequireAuthentication()) {
         $auth_error = $this->authenticateUser($api_request, $metadata, $method);
         // If we've explicitly authenticated the user here and either done
         // CSRF validation or are using a non-web authentication mechanism.
         $allow_unguarded_writes = true;
 
         if ($auth_error === null) {
           $conduit_user = $api_request->getUser();
           if ($conduit_user && $conduit_user->getPHID()) {
             $conduit_username = $conduit_user->getUsername();
           }
           $call->setUser($api_request->getUser());
         }
       }
 
       $access_log = PhabricatorAccessLog::getLog();
       if ($access_log) {
         $access_log->setData(
           array(
             'u' => $conduit_username,
             'm' => $method,
           ));
       }
 
       if ($call->shouldAllowUnguardedWrites()) {
         $allow_unguarded_writes = true;
       }
 
       if ($auth_error === null) {
         if ($allow_unguarded_writes) {
           $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
         }
 
         try {
           $result = $call->execute();
           $error_code = null;
           $error_info = null;
         } catch (ConduitException $ex) {
           $result = null;
           $error_code = $ex->getMessage();
           if ($ex->getErrorDescription()) {
             $error_info = $ex->getErrorDescription();
           } else {
             $error_info = $call->getErrorDescription($error_code);
           }
         }
         if ($allow_unguarded_writes) {
           unset($unguarded);
         }
       } else {
         list($error_code, $error_info) = $auth_error;
       }
     } catch (Exception $ex) {
       $result = null;
       $error_code = ($ex instanceof ConduitException
         ? 'ERR-CONDUIT-CALL'
         : 'ERR-CONDUIT-CORE');
       $error_info = $ex->getMessage();
     }
 
     $log
       ->setCallerPHID(
         isset($conduit_user)
           ? $conduit_user->getPHID()
           : null)
       ->setError((string)$error_code)
       ->setDuration(phutil_microseconds_since($time_start));
 
     if (!PhabricatorEnv::isReadOnly()) {
       $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
       $log->save();
       unset($unguarded);
     }
 
     $response = id(new ConduitAPIResponse())
       ->setResult($result)
       ->setErrorCode($error_code)
       ->setErrorInfo($error_info);
 
     switch ($request->getStr('output')) {
       case 'human':
         return $this->buildHumanReadableResponse(
           $method,
           $api_request,
           $response->toDictionary(),
           $method_implementation);
       case 'json':
       default:
-        return id(new AphrontJSONResponse())
+        $response = id(new AphrontJSONResponse())
           ->setAddJSONShield(false)
           ->setContent($response->toDictionary());
+
+        $capabilities = $this->getConduitCapabilities();
+        if ($capabilities) {
+          $capabilities = implode(' ', $capabilities);
+          $response->addHeader('X-Conduit-Capabilities', $capabilities);
+        }
+
+        return $response;
     }
   }
 
   /**
    * Authenticate the client making the request to a Phabricator user account.
    *
    * @param   ConduitAPIRequest Request being executed.
    * @param   dict              Request metadata.
    * @return  null|pair         Null to indicate successful authentication, or
    *                            an error code and error message pair.
    */
   private function authenticateUser(
     ConduitAPIRequest $api_request,
     array $metadata,
     $method) {
 
     $request = $this->getRequest();
 
     if ($request->getUser()->getPHID()) {
       $request->validateCSRF();
       return $this->validateAuthenticatedUser(
         $api_request,
         $request->getUser());
     }
 
     $auth_type = idx($metadata, 'auth.type');
     if ($auth_type === ConduitClient::AUTH_ASYMMETRIC) {
       $host = idx($metadata, 'auth.host');
       if (!$host) {
         return array(
           'ERR-INVALID-AUTH',
           pht(
             'Request is missing required "%s" parameter.',
             'auth.host'),
         );
       }
 
       // TODO: Validate that we are the host!
 
       $raw_key = idx($metadata, 'auth.key');
       $public_key = PhabricatorAuthSSHPublicKey::newFromRawKey($raw_key);
       $ssl_public_key = $public_key->toPKCS8();
 
       // First, verify the signature.
       try {
         $protocol_data = $metadata;
         ConduitClient::verifySignature(
           $method,
           $api_request->getAllParameters(),
           $protocol_data,
           $ssl_public_key);
       } catch (Exception $ex) {
         return array(
           'ERR-INVALID-AUTH',
           pht(
             'Signature verification failure. %s',
             $ex->getMessage()),
         );
       }
 
       // If the signature is valid, find the user or device which is
       // associated with this public key.
 
       $stored_key = id(new PhabricatorAuthSSHKeyQuery())
         ->setViewer(PhabricatorUser::getOmnipotentUser())
         ->withKeys(array($public_key))
         ->withIsActive(true)
         ->executeOne();
       if (!$stored_key) {
         $key_summary = id(new PhutilUTF8StringTruncator())
           ->setMaximumBytes(64)
           ->truncateString($raw_key);
         return array(
           'ERR-INVALID-AUTH',
           pht(
             'No user or device is associated with the public key "%s".',
             $key_summary),
         );
       }
 
       $object = $stored_key->getObject();
 
       if ($object instanceof PhabricatorUser) {
         $user = $object;
       } else {
         if (!$stored_key->getIsTrusted()) {
           return array(
             'ERR-INVALID-AUTH',
             pht(
               'The key which signed this request is not trusted. Only '.
               'trusted keys can be used to sign API calls.'),
           );
         }
 
         if (!PhabricatorEnv::isClusterRemoteAddress()) {
           return array(
             'ERR-INVALID-AUTH',
             pht(
               'This request originates from outside of the Phabricator '.
               'cluster address range. Requests signed with trusted '.
               'device keys must originate from within the cluster.'),
           );
         }
 
         $user = PhabricatorUser::getOmnipotentUser();
 
         // Flag this as an intracluster request.
         $api_request->setIsClusterRequest(true);
       }
 
       return $this->validateAuthenticatedUser(
         $api_request,
         $user);
     } else if ($auth_type === null) {
       // No specified authentication type, continue with other authentication
       // methods below.
     } else {
       return array(
         'ERR-INVALID-AUTH',
         pht(
           'Provided "%s" ("%s") is not recognized.',
           'auth.type',
           $auth_type),
       );
     }
 
     $token_string = idx($metadata, 'token');
     if (strlen($token_string)) {
 
       if (strlen($token_string) != 32) {
         return array(
           'ERR-INVALID-AUTH',
           pht(
             'API token "%s" has the wrong length. API tokens should be '.
             '32 characters long.',
             $token_string),
         );
       }
 
       $type = head(explode('-', $token_string));
       $valid_types = PhabricatorConduitToken::getAllTokenTypes();
       $valid_types = array_fuse($valid_types);
       if (empty($valid_types[$type])) {
         return array(
           'ERR-INVALID-AUTH',
           pht(
             'API token "%s" has the wrong format. API tokens should be '.
             '32 characters long and begin with one of these prefixes: %s.',
             $token_string,
             implode(', ', $valid_types)),
           );
       }
 
       $token = id(new PhabricatorConduitTokenQuery())
         ->setViewer(PhabricatorUser::getOmnipotentUser())
         ->withTokens(array($token_string))
         ->withExpired(false)
         ->executeOne();
       if (!$token) {
         $token = id(new PhabricatorConduitTokenQuery())
           ->setViewer(PhabricatorUser::getOmnipotentUser())
           ->withTokens(array($token_string))
           ->withExpired(true)
           ->executeOne();
         if ($token) {
           return array(
             'ERR-INVALID-AUTH',
             pht(
               'API token "%s" was previously valid, but has expired.',
               $token_string),
           );
         } else {
           return array(
             'ERR-INVALID-AUTH',
             pht(
               'API token "%s" is not valid.',
               $token_string),
           );
         }
       }
 
       // If this is a "cli-" token, it expires shortly after it is generated
       // by default. Once it is actually used, we extend its lifetime and make
       // it permanent. This allows stray tokens to get cleaned up automatically
       // if they aren't being used.
       if ($token->getTokenType() == PhabricatorConduitToken::TYPE_COMMANDLINE) {
         if ($token->getExpires()) {
           $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
             $token->setExpires(null);
             $token->save();
           unset($unguarded);
         }
       }
 
       // If this is a "clr-" token, Phabricator must be configured in cluster
       // mode and the remote address must be a cluster node.
       if ($token->getTokenType() == PhabricatorConduitToken::TYPE_CLUSTER) {
         if (!PhabricatorEnv::isClusterRemoteAddress()) {
           return array(
             'ERR-INVALID-AUTH',
             pht(
               'This request originates from outside of the Phabricator '.
               'cluster address range. Requests signed with cluster API '.
               'tokens must originate from within the cluster.'),
           );
         }
 
         // Flag this as an intracluster request.
         $api_request->setIsClusterRequest(true);
       }
 
       $user = $token->getObject();
       if (!($user instanceof PhabricatorUser)) {
         return array(
           'ERR-INVALID-AUTH',
           pht('API token is not associated with a valid user.'),
         );
       }
 
       return $this->validateAuthenticatedUser(
         $api_request,
         $user);
     }
 
     $access_token = idx($metadata, 'access_token');
     if ($access_token) {
       $token = id(new PhabricatorOAuthServerAccessToken())
         ->loadOneWhere('token = %s', $access_token);
       if (!$token) {
         return array(
           'ERR-INVALID-AUTH',
           pht('Access token does not exist.'),
         );
       }
 
       $oauth_server = new PhabricatorOAuthServer();
       $authorization = $oauth_server->authorizeToken($token);
       if (!$authorization) {
         return array(
           'ERR-INVALID-AUTH',
           pht('Access token is invalid or expired.'),
         );
       }
 
       $user = id(new PhabricatorPeopleQuery())
         ->setViewer(PhabricatorUser::getOmnipotentUser())
         ->withPHIDs(array($token->getUserPHID()))
         ->executeOne();
       if (!$user) {
         return array(
           'ERR-INVALID-AUTH',
           pht('Access token is for invalid user.'),
         );
       }
 
       $ok = $this->authorizeOAuthMethodAccess($authorization, $method);
       if (!$ok) {
         return array(
           'ERR-OAUTH-ACCESS',
           pht('You do not have authorization to call this method.'),
         );
       }
 
       $api_request->setOAuthToken($token);
 
       return $this->validateAuthenticatedUser(
         $api_request,
         $user);
     }
 
 
     // For intracluster requests, use a public user if no authentication
     // information is provided. We could do this safely for any request,
     // but making the API fully public means there's no way to disable badly
     // behaved clients.
     if (PhabricatorEnv::isClusterRemoteAddress()) {
       if (PhabricatorEnv::getEnvConfig('policy.allow-public')) {
         $api_request->setIsClusterRequest(true);
 
         $user = new PhabricatorUser();
         return $this->validateAuthenticatedUser(
           $api_request,
           $user);
       }
     }
 
 
     // Handle sessionless auth.
     // TODO: This is super messy.
     // TODO: Remove this in favor of token-based auth.
 
     if (isset($metadata['authUser'])) {
       $user = id(new PhabricatorUser())->loadOneWhere(
         'userName = %s',
         $metadata['authUser']);
       if (!$user) {
         return array(
           'ERR-INVALID-AUTH',
           pht('Authentication is invalid.'),
         );
       }
       $token = idx($metadata, 'authToken');
       $signature = idx($metadata, 'authSignature');
       $certificate = $user->getConduitCertificate();
       $hash = sha1($token.$certificate);
       if (!phutil_hashes_are_identical($hash, $signature)) {
         return array(
           'ERR-INVALID-AUTH',
           pht('Authentication is invalid.'),
         );
       }
       return $this->validateAuthenticatedUser(
         $api_request,
         $user);
     }
 
     // Handle session-based auth.
     // TODO: Remove this in favor of token-based auth.
 
     $session_key = idx($metadata, 'sessionKey');
     if (!$session_key) {
       return array(
         'ERR-INVALID-SESSION',
         pht('Session key is not present.'),
       );
     }
 
     $user = id(new PhabricatorAuthSessionEngine())
       ->loadUserForSession(PhabricatorAuthSession::TYPE_CONDUIT, $session_key);
 
     if (!$user) {
       return array(
         'ERR-INVALID-SESSION',
         pht('Session key is invalid.'),
       );
     }
 
     return $this->validateAuthenticatedUser(
       $api_request,
       $user);
   }
 
   private function validateAuthenticatedUser(
     ConduitAPIRequest $request,
     PhabricatorUser $user) {
 
     if (!$user->canEstablishAPISessions()) {
       return array(
         'ERR-INVALID-AUTH',
         pht('User account is not permitted to use the API.'),
       );
     }
 
     $request->setUser($user);
 
     id(new PhabricatorAuthSessionEngine())
       ->willServeRequestForUser($user);
 
     return null;
   }
 
   private function buildHumanReadableResponse(
     $method,
     ConduitAPIRequest $request = null,
     $result = null,
     ConduitAPIMethod $method_implementation = null) {
 
     $param_rows = array();
     $param_rows[] = array('Method', $this->renderAPIValue($method));
     if ($request) {
       foreach ($request->getAllParameters() as $key => $value) {
         $param_rows[] = array(
           $key,
           $this->renderAPIValue($value),
         );
       }
     }
 
     $param_table = new AphrontTableView($param_rows);
     $param_table->setColumnClasses(
       array(
         'header',
         'wide',
       ));
 
     $result_rows = array();
     foreach ($result as $key => $value) {
       $result_rows[] = array(
         $key,
         $this->renderAPIValue($value),
       );
     }
 
     $result_table = new AphrontTableView($result_rows);
     $result_table->setColumnClasses(
       array(
         'header',
         'wide',
       ));
 
     $param_panel = id(new PHUIObjectBoxView())
       ->setHeaderText(pht('Method Parameters'))
       ->setBackground(PHUIObjectBoxView::BLUE_PROPERTY)
       ->setTable($param_table);
 
     $result_panel = id(new PHUIObjectBoxView())
       ->setHeaderText(pht('Method Result'))
       ->setBackground(PHUIObjectBoxView::BLUE_PROPERTY)
       ->setTable($result_table);
 
     $method_uri = $this->getApplicationURI('method/'.$method.'/');
 
     $crumbs = $this->buildApplicationCrumbs()
       ->addTextCrumb($method, $method_uri)
       ->addTextCrumb(pht('Call'))
       ->setBorder(true);
 
     $example_panel = null;
     if ($request && $method_implementation) {
       $params = $request->getAllParameters();
       $example_panel = $this->renderExampleBox(
         $method_implementation,
         $params);
     }
 
     $title = pht('Method Call Result');
     $header = id(new PHUIHeaderView())
       ->setHeader($title)
       ->setHeaderIcon('fa-exchange');
 
     $view = id(new PHUITwoColumnView())
       ->setHeader($header)
       ->setFooter(array(
         $param_panel,
         $result_panel,
         $example_panel,
       ));
 
     $title = pht('Method Call Result');
 
     return $this->newPage()
       ->setTitle($title)
       ->setCrumbs($crumbs)
       ->appendChild($view);
 
   }
 
   private function renderAPIValue($value) {
     $json = new PhutilJSON();
     if (is_array($value)) {
       $value = $json->encodeFormatted($value);
     }
 
     $value = phutil_tag(
       'pre',
       array('style' => 'white-space: pre-wrap;'),
       $value);
 
     return $value;
   }
 
   private function decodeConduitParams(
     AphrontRequest $request,
     $method) {
 
     $content_type = $request->getHTTPHeader('Content-Type');
 
     if ($content_type == 'application/json') {
       throw new Exception(
         pht('Use form-encoded data to submit parameters to Conduit endpoints. '.
             'Sending a JSON-encoded body and setting \'Content-Type\': '.
             '\'application/json\' is not currently supported.'));
     }
 
     // Look for parameters from the Conduit API Console, which are encoded
     // as HTTP POST parameters in an array, e.g.:
     //
     //   params[name]=value&params[name2]=value2
     //
     // The fields are individually JSON encoded, since we require users to
     // enter JSON so that we avoid type ambiguity.
 
     $params = $request->getArr('params', null);
     if ($params !== null) {
       foreach ($params as $key => $value) {
         if ($value == '') {
           // Interpret empty string null (e.g., the user didn't type anything
           // into the box).
           $value = 'null';
         }
         $decoded_value = json_decode($value, true);
         if ($decoded_value === null && strtolower($value) != 'null') {
           // When json_decode() fails, it returns null. This almost certainly
           // indicates that a user was using the web UI and didn't put quotes
           // around a string value. We can either do what we think they meant
           // (treat it as a string) or fail. For now, err on the side of
           // caution and fail. In the future, if we make the Conduit API
           // actually do type checking, it might be reasonable to treat it as
           // a string if the parameter type is string.
           throw new Exception(
             pht(
               "The value for parameter '%s' is not valid JSON. All ".
               "parameters must be encoded as JSON values, including strings ".
               "(which means you need to surround them in double quotes). ".
               "Check your syntax. Value was: %s.",
               $key,
               $value));
         }
         $params[$key] = $decoded_value;
       }
 
       $metadata = idx($params, '__conduit__', array());
       unset($params['__conduit__']);
 
       return array($metadata, $params, true);
     }
 
     // Otherwise, look for a single parameter called 'params' which has the
     // entire param dictionary JSON encoded.
     $params_json = $request->getStr('params');
     if (strlen($params_json)) {
       $params = null;
       try {
         $params = phutil_json_decode($params_json);
       } catch (PhutilJSONParserException $ex) {
         throw new PhutilProxyException(
           pht(
             "Invalid parameter information was passed to method '%s'.",
             $method),
           $ex);
       }
 
       $metadata = idx($params, '__conduit__', array());
       unset($params['__conduit__']);
 
       return array($metadata, $params, true);
     }
 
     // If we do not have `params`, assume this is a simple HTTP request with
     // HTTP key-value pairs.
     $params = array();
     $metadata = array();
     foreach ($request->getPassthroughRequestData() as $key => $value) {
       $meta_key = ConduitAPIMethod::getParameterMetadataKey($key);
       if ($meta_key !== null) {
         $metadata[$meta_key] = $value;
       } else {
         $params[$key] = $value;
       }
     }
 
     return array($metadata, $params, false);
   }
 
   private function authorizeOAuthMethodAccess(
     PhabricatorOAuthClientAuthorization $authorization,
     $method_name) {
 
     $method = ConduitAPIMethod::getConduitMethod($method_name);
     if (!$method) {
       return false;
     }
 
     $required_scope = $method->getRequiredScope();
     switch ($required_scope) {
       case ConduitAPIMethod::SCOPE_ALWAYS:
         return true;
       case ConduitAPIMethod::SCOPE_NEVER:
         return false;
     }
 
     $authorization_scope = $authorization->getScope();
     if (!empty($authorization_scope[$required_scope])) {
       return true;
     }
 
     return false;
   }
 
+  private function getConduitCapabilities() {
+    $capabilities = array();
+
+    if (AphrontRequestStream::supportsGzip()) {
+      $capabilities[] = 'gzip';
+    }
+
+    return $capabilities;
+  }
 
 }