diff --git a/.mailmap b/.mailmap
new file mode 100644
index 00000000000..aa646abbd3c
--- /dev/null
+++ b/.mailmap
@@ -0,0 +1,35 @@
+# This makes it easier to find GitHub usernames for History.md.
+#
+# This controls 'git shortlog'. eg, run:
+#   git shortlog -s release/0.6.5.1..HEAD
+# to get a sorted list of all committers to revisions in HEAD but not
+# in 0.6.5.1.
+#
+# For any emails that show up in the shortlog that aren't in one of
+# these lists, figure out their GitHub username and add them.
+
+GITHUB: ansman <nicklas@ansman.se>
+GITHUB: awwx <andrew.wilcox@gmail.com>
+GITHUB: codeinthehole <david.winterbottom@gmail.com>
+GITHUB: jacott <geoffjacobsen@gmail.com>
+GITHUB: Maxhodges <Max@whiterabbitpress.com>
+GITHUB: meawoppl <meawoppl@gmail.com>
+GITHUB: mitar <mitar.git@tnode.com>
+GITHUB: mizzao <mizzao@gmail.com>
+GITHUB: mquandalle <maxime.quandalle@gmail.com>
+GITHUB: nathan-muir <ndmuir@gmail.com>
+GITHUB: RobertLowe <robert@iblargz.com>
+GITHUB: ryw <ry@rywalker.com>
+GITHUB: sdarnell <stephen@darnell.plus.com>
+GITHUB: timhaines <tmhaines@gmail.com>
+
+METEOR: avital <avital@thewe.net>
+METEOR: debergalis <matt@meteor.com>
+METEOR: dgreensp <dgreenspan@alum.mit.edu>
+METEOR: estark37 <emily@meteor.com>
+METEOR: estark37 <estark37@gmail.com>
+METEOR: glasser <glasser@meteor.com>
+METEOR: gschmidt <geoff@geoffschmidt.com>
+METEOR: n1mmy <nim@meteor.com>
+METEOR: sixolet <naomi@meteor.com>
+METEOR: Slava <slava@meteor.com>
diff --git a/History.md b/History.md
index 3db302fed6b..eb777bb6242 100644
--- a/History.md
+++ b/History.md
@@ -1,22 +1,185 @@
 ## vNEXT
 
-* Better error when passing a string to {{#each}}. #722
+* Fail explicitly when publishing non-cursors.
 
-* Write dates to Mongo as ISODate rather than Integer; existing data can be
-  converted by passing it through `new Date()`. #1228
+* Implement `$each`, `$sort`, and `$slice` options for minimongo's `$push`
+  modifier.
 
-* Login token deletion: Expire login tokens periodically. Add
-  Meteor._logoutAllOthers() for logging out other connections logged in as the
-  current user. Log out and close connections for deleted users and tokens.
+* Upgraded dependencies:
+  * SockJS server from 0.3.7 to 0.3.8
+
+
+## v0.6.6.1
+
+* Fix file watching on OSX. Work around Node issue #6251 by not using
+  fs.watch. #1483
+
+## v0.6.6
+
+
+#### Security
+
+* Add `browser-policy` package for configuring and sending
+  Content-Security-Policy and X-Frame-Options HTTP headers.
+  [See the docs](http://docs.meteor.com/#browserpolicy) for more.
+
+* Use cryptographically strong pseudorandom number generators when available.
+
+#### MongoDB
+
+* Add upsert support. `Collection.update` now supports the `{upsert:
+  true}` option. Additionally, add a `Collection.upsert` method which
+  returns the newly inserted object id if applicable.
+
+* `update` and `remove` now return the number of documents affected.  #1046
+
+* `$near` operator for `2d` and `2dsphere` indices.
+
+* The `fields` option to the collection methods `find` and `findOne` now works
+  on the client as well.  (Operators such as `$elemMatch` and `$` are not yet
+  supported in `fields` projections.) #1287
+
+* Pass an index and the cursor itself to the callbacks in `cursor.forEach` and
+  `cursor.map`, just like the corresponding `Array` methods.  #63
+
+* Support `c.find(query, {limit: N}).count()` on the client.  #654
+
+* Improve behavior of `$ne`, `$nin`, and `$not` selectors with objects containing
+  arrays.  #1451
+
+* Fix various bugs if you had two documents with the same _id field in
+  String and ObjectID form.
+
+#### Accounts
+
+* [Behavior Change] Expire login tokens periodically. Defaults to 90
+  days. Use `Accounts.config({loginExpirationInDays: null})` to disable
+  token expiration.
+
+* [Behavior Change] Write dates generated by Meteor Accounts to Mongo as
+  Date instead of number; existing data can be converted by passing it
+  through `new Date()`. #1228
+
+* Log out and close connections for users if they are deleted from the
+  database.
+
+* Add Meteor.logoutOtherClients() for logging out other connections
+  logged in as the current user.
+
+* `restrictCreationByEmailDomain` option in `Accounts.config` to restrict new
+  users to emails of specific domain (eg. only users with @meteor.com emails) or
+  a custom validator. #1332
+
+* Support OAuth1 services that require request token secrets as well as
+  authentication token secrets.  #1253
+
+* Warn if `Accounts.config` is only called on the client.  #828
+
+* Fix bug where callbacks to login functions could be called multiple
+  times when the client reconnects.
+
+#### DDP
+
+* Fix infinite loop if a client disconnects while a long yielding method is
+  running.
+
+* Unfinished code to support DDP session resumption has been removed. Meteor
+  servers now stop processing messages from clients and reclaim memory
+  associated with them as soon as they are disconnected instead of a few minutes
+  later.
+
+#### Tools
 
 * The pre-0.6.5 `Package.register_extension` API has been removed. Use
   `Package._transitional_registerBuildPlugin` instead, which was introduced in
   0.6.5. (A bug prevented the 0.6.5 reimplementation of `register_extension`
   from working properly anyway.)
 
+* Support using an HTTP proxy in the `meteor` command line tool. This
+  allows the `update`, `deploy`, `logs`, and `mongo` commands to work
+  behind a proxy. Use the standard `http_proxy` environment variable to
+  specify your proxy endpoint.  #429, #689, #1338
+
 * Build Linux binaries on an older Linux machine. Meteor now supports
   running on Linux machines with glibc 2.9 or newer (Ubuntu 10.04+, RHEL
-  and CentOS 6+, Fedora 10+, Debian 6+).
+  and CentOS 6+, Fedora 10+, Debian 6+). Improve error message when running
+  on Linux with unsupported glibc, and include Mongo stderr if it fails
+  to start.
+
+* Install NPM modules with `--force` to avoid corrupted local caches.
+
+* Rebuild NPM modules in packages when upgrading to a version of Meteor that
+  uses a different version of Node.
+
+* Disable the Mongo http interface. This lets you run meteor on two ports
+  differing by 1000 at the same time.
+
+#### Misc
+
+* [Known issue] Breaks support for pre-release OSX 10.9 'Mavericks'.
+  Will be addressed shortly. See issues:
+  https://github.com/joyent/node/issues/6251
+  https://github.com/joyent/node/issues/6296
+
+* `EJSON.stringify` now takes options:
+  - `canonical` causes objects keys to be stringified in sorted order
+  - `indent` allows formatting control over the EJSON stringification
+
+* EJSON now supports `Infinity`, `-Infinity` and `NaN`.
+
+* Check that the argument to `EJSON.parse` is a string.  #1401
+
+* Better error from functions that use `Meteor._wrapAsync` (eg collection write
+  methods and `HTTP` methods) and in DDP server message processing.  #1387
+
+* Support `appcache` on Chrome for iOS.
+
+* Support literate CoffeeScript files with the extension `.coffee.md` (in
+  addition to the already-supported `.litcoffee` extension). #1407
+
+* Make `madewith` package work again (broken in 0.6.5).  #1448
+
+* Better error when passing a string to `{{#each}}`. #722
+
+* Add support for JSESSIONID cookies for sticky sessions. Set the
+  `USE_JSESSIONID` environment variable to enable placing a JSESSIONID
+  cookie on sockjs requests.
+
+* Simplify the static analysis used to detect package-scope variables.
+
+* Upgraded dependencies:
+  * Node from 0.8.24 to 0.10.20
+  * MongoDB from 2.4.4 to 2.4.6
+  * MongoDB driver from 1.3.17 to 1.3.19
+  * http-proxy from 0.10.1 to a pre-release of 1.0.0
+  * stylus from 0.30.1 to 0.37.0
+  * nib from 0.8.2 to 1.0.0
+  * optimist from 0.3.5 to 0.6.0
+  * semver from 1.1.0 to 2.1.0
+  * request from 2.12.0 to 2.27.0
+  * keypress from 0.1.0 to 0.2.1
+  * underscore from 1.5.1 to 1.5.2
+  * fstream from 0.1.21 to 0.1.24
+  * tar from 0.1.14 to 0.1.18
+  * source-map from 0.1.26 to 0.1.30
+  * source-map-support from a fork of 0.1.8 to 0.2.3
+  * escope from a fork of 0.0.15 to 1.0.0
+  * estraverse from 1.1.2-1 to 1.3.1
+  * simplesmtp from 0.1.25 to 0.3.10
+  * stream-buffers from 0.2.3 to 0.2.5
+  * websocket from 1.0.7 to 1.0.8
+  * cli-color from 0.2.2 to 0.2.3
+  * clean-css from 1.0.11 to 1.1.2
+  * UglifyJS2 from a fork of 2.3.6 to a different fork of 2.4.0
+  * connect from 2.7.10 to 2.9.0
+  * send from 0.1.0 to 0.1.4
+  * useragent from 2.0.1 to 2.0.7
+  * replaced byline with eachline 2.3.3
+
+Patches contributed by GitHub users ansman, awwx, codeinthehole, jacott,
+Maxhodges, meawoppl, mitar, mizzao, mquandalle, nathan-muir, RobertLowe, ryw,
+sdarnell, and timhaines.
+
 
 ## v0.6.5.1
 
diff --git a/LICENSE.txt b/LICENSE.txt
index 319a50a9637..8facf5235db 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -90,6 +90,7 @@ github-url-from-git: https://github.com/visionmedia/node-github-url-from-git
 pause: https://github.com/visionmedia/node-pause
 range-parser: https://github.com/visionmedia/node-range-parser
 send: https://github.com/visionmedia/send
+methods: https://github.com/visionmedia/node-methods
 ----------
 
 Copyright (c) 2010 TJ Holowaychuk <tj@vision-media.ca>
@@ -191,13 +192,6 @@ rbytes: https://github.com/akdubya/rbytes
 Copyright (c) 2010 Aleksander Williams
 
 
-----------
-formidable: https://github.com/felixge/node-formidable
-----------
-
-By Felix Geisendörfer and Tim Koschuetzki, Debuggable, Ltd.
-
-
 ----------
 colors: https://github.com/Marak/colors.js
 ----------
@@ -245,9 +239,11 @@ Copyright (c) 2012 Nathan Rajlich <nathan@tootallnate.net>
 
 ----------
 faye-websocket: https://github.com/faye/faye-websocket-node
+websocket-driver: https://github.com/faye/websocket-driver-node
 ----------
 
-Copyright (c) 2009-2012 James Coglan
+Copyright (c) 2009-2013 James Coglan
+Copyright (c) 2010-2013 James Coglan
 
 
 ----------
@@ -291,6 +287,7 @@ archy: https://github.com/substack/node-archy
 shell-quote: https://github.com/substack/node-shell-quote
 deep-equal: https://github.com/substack/node-deep-equal
 editor: https://github.com/substack/node-editor
+minimist: https://github.com/substack/node-minimist
 ----------
 
 Copyright 2010, 2011, 2012, 2013 James Halliday (mail@substack.net)
@@ -328,6 +325,7 @@ Felix Geisendörfer (felix@debuggable.com)
 
 ----------
 form-data: https://github.com/felixge/node-form-data
+multiparty: https://github.com/superjoe30/node-multiparty
 ----------
 
 Copyright (c) 2012 Felix Geisendörfer (felix@debuggable.com) and contributors
@@ -377,13 +375,6 @@ buffer-crc32: https://github.com/brianloveswords/buffer-crc32
 Copyright (c) 2013 Brian J. Brennan
 
 
-----------
-byline: https://github.com/jahewson/node-byline
-----------
-
-node-byline (C) 2011-2013 John Hewson
-
-
 ----------
 child-process-close: https://github.com/piscisaureus/child-process-close
 ----------
@@ -475,6 +466,8 @@ Copyright (c) 2011 SDA Software Associates Inc.
 
 ----------
 sha: https://github.com/ForbesLindesay/sha
+type-of: https://github.com/ForbesLindesay/type-of
+uglify-to-browserify: https://github.com/ForbesLindesay/uglify-to-browserify
 ----------
 
 Copyright (c) 2013 Forbes Lindesay
@@ -516,6 +509,38 @@ Copyright 2011, Robert Mustacchi. All rights reserved.
 Copyright 2011, Joyent, Inc. All rights reserved.
 
 
+----------
+eachline: https://github.com/williamwicks/node-eachline
+----------
+
+Copyright (c) 2013 William Wicks
+
+
+----------
+eventemitter2: https://github.com/hij1nx/EventEmitter2
+----------
+
+Copyright (c) 2011 hij1nx http://www.twitter.com/hij1nx
+
+
+----------
+stream-counter: https://github.com/superjoe30/node-stream-counter
+----------
+
+Copyright (c) 2013 Andrew Kelley
+
+----------
+uid2: https://github.com/coreh/uid2
+----------
+
+Copyright (c) 2013 Marco Aurelio
+
+----------
+geojson-utils: https://github.com/maxogden/geojson-js-utils
+----------
+
+Copyright (c) 2010 Max Ogden
+
 ==============
 Apache License
 ==============
@@ -531,7 +556,8 @@ Unless required by applicable law or agreed to in writing, software distributed
 """
 
 ----------
-mongo-drivers: https://github.com/mongodb/node-mongodb-native
+mongodb: (Node driver) https://github.com/mongodb/node-mongodb-native
+kerberos: https://github.com/christkv/kerberos
 ----------
 
 Copyright 2009 - 2010 Christian Amor Kvalheim.
@@ -1309,7 +1335,7 @@ Other
 =====
 
 ----------
-mimelib: https://github.com/andris9/mimelib
+mimelib-noiconv: https://github.com/andris9/mimelib
 mailcomposer: https://github.com/andris9/mailcomposer
 simplesmtp: https://github.com/andris9/simplesmtp
 rai: https://github.com/andris9/rai
@@ -1407,7 +1433,7 @@ For more information, please refer to <http://unlicense.org/>
 
 
 ----------
-mongodb: http://www.mongodb.org/
+MongoDB: http://www.mongodb.org/
 ----------
 
 LICENSE
@@ -1711,6 +1737,7 @@ The externally maintained libraries used by libuv are:
 
 ----------
 nodejs: http://nodejs.org/
+readable-stream: https://github.com/isaacs/readable-stream/
 ----------
 
 
diff --git a/README.md b/README.md
index 9545721dba8..f128f12057b 100644
--- a/README.md
+++ b/README.md
@@ -56,8 +56,8 @@ From your checkout, you can read the docs locally. The `/docs` directory is a
 meteor application, so simply change into the `/docs` directory and launch
 the app:
 
-	cd docs/
-	meteor
+    cd docs/
+    ../meteor
 
 You'll then be able to read the docs locally in your browser at
 `http://localhost:3000/`
diff --git a/docs/.meteor/release b/docs/.meteor/release
index 3f50c3b8052..62a4661cc6e 100644
--- a/docs/.meteor/release
+++ b/docs/.meteor/release
@@ -1 +1 @@
-galaxy-appconfig-2
+galaxy-follower-5
diff --git a/docs/client/api.html b/docs/client/api.html
index 3aa992a512e..1d6a2be2629 100644
--- a/docs/client/api.html
+++ b/docs/client/api.html
@@ -62,9 +62,9 @@ <h2 id="publishandsubscribe"><span>Publish and subscribe</span></h2>
 
 Publish functions can return a
 [`Collection.Cursor`](#meteor_collection_cursor), in which case Meteor
-will publish that cursor's documents. You can also return an array of
-`Collection.Cursor`s, in which case Meteor will publish all of the
-cursors.
+will publish that cursor's documents to each subscribed client. You can
+also return an array of `Collection.Cursor`s, in which case Meteor will
+publish all of the cursors.
 
 {{#warning}}
 If you return multiple cursors in an array, they currently must all be from
@@ -92,16 +92,15 @@ <h2 id="publishandsubscribe"><span>Publish and subscribe</span></h2>
       ];
     });
 
-Otherwise, the publish function should call the functions
-[`added`](#publish_added) (when a new document is added to the published record
-set), [`changed`](#publish_changed) (when some fields on a document in the
-record set are changed or cleared), and [`removed`](#publish_removed) (when
-documents are removed from the published record set) to inform subscribers about
-documents.  These methods are provided by `this` in your publish function.
-
-
-
-<!-- TODO discuss ready -->
+Alternatively, a publish function can directly control its published
+record set by calling the functions [`added`](#publish_added) (to add a
+new document to the published record set), [`changed`](#publish_changed)
+(to change or clear some fields on a document already in the published
+record set), and [`removed`](#publish_removed) (to remove documents from
+the published record set).  Publish functions that use these functions
+should also call [`ready`](#publish_ready) once the initial record set
+is complete.  These methods are provided by `this` in your publish
+function.
 
 Example:
 
@@ -634,7 +633,7 @@ <h2 id="collections"><span>Collections</span></h2>
 of selectors.
 * `$` to denote the matched array position is not
 supported in modifier.
-* `findAndModify`, upsert, aggregate functions, and
+* `findAndModify`, aggregate functions, and
 map/reduce aren't supported.
 
 All of these will be addressed in a future release. For full
@@ -723,24 +722,27 @@ <h2 id="collections"><span>Collections</span></h2>
   `multi` to true, and can use an arbitrary [Mongo
   selector](#selectors) to find the documents to modify. It bypasses
   any access control rules set up by [`allow`](#allow) and
-  [`deny`](#deny).
+  [`deny`](#deny). The number of affected documents will be returned
+  from the `update` call if you don't pass a callback.
 
 - Untrusted code can only modify a single document at once, specified
   by its `_id`. The modification is allowed only after checking any
-  applicable [`allow`](#allow) and [`deny`](#deny) rules.
+  applicable [`allow`](#allow) and [`deny`](#deny) rules. The number
+  of affected documents will be returned to the callback. Untrusted
+  code cannot perform upserts, except in insecure mode.
 
 On the server, if you don't provide a callback, then `update` blocks
 until the database acknowledges the write, or throws an exception if
 something went wrong.  If you do provide a callback, `update` returns
 immediately.  Once the update completes, the callback is called with a
-single error argument in the case of failure, or no arguments if the
-update was successful.
+single error argument in the case of failure, or a second argument
+indicating the number of affected documents if the update was successful.
 
 On the client, `update` never blocks.  If you do not provide a callback
 and the update fails on the server, then Meteor will log a warning to
 the console.  If you provide a callback, Meteor will call that function
-with an error argument if there was an error, or no arguments if the
-update was successful.
+with an error argument if there was an error, or a second argument
+indicating the number of affected documents if the update was successful.
 
 Client example:
 
@@ -766,9 +768,18 @@ <h2 id="collections"><span>Collections</span></h2>
       }
     });
 
-{{#warning}}
-The Mongo `upsert` feature is not implemented.
-{{/warning}}
+You can use `update` to perform a Mongo upsert by setting the `upsert`
+option to true. You can also use the [`upsert`](#upsert) method to perform an
+upsert that returns the _id of the document that was inserted (if there was one)
+in addition to the number of affected documents.
+
+{{> api_box upsert}}
+
+Modify documents that match `selector` according to `modifier`, or insert
+a document if no documents were modified. `upsert` is the same as calling
+`update` with the `upsert` option set to true, except that the return
+value of `upsert` is an object that contain the keys `numberAffected`
+and `insertedId`. (`update` returns only the number of affected documents.)
 
 {{> api_box remove}}
 
@@ -784,7 +795,8 @@ <h2 id="collections"><span>Collections</span></h2>
   find the documents to remove, and can remove more than one document
   at once by passing a selector that matches multiple documents. It
   bypasses any access control rules set up by [`allow`](#allow) and
-  [`deny`](#deny).
+  [`deny`](#deny). The number of removed documents will be returned
+  from `remove` if you don't pass a callback.
 
   As a safety measure, if `selector` is omitted (or is `undefined`),
   no documents will be removed. Set `selector` to `{}` if you really
@@ -792,20 +804,22 @@ <h2 id="collections"><span>Collections</span></h2>
 
 - Untrusted code can only remove a single document at a time,
   specified by its `_id`. The document is removed only after checking
-  any applicable [`allow`](#allow) and [`deny`](#deny) rules.
+  any applicable [`allow`](#allow) and [`deny`](#deny) rules. The
+  number of removed documents will be returned to the callback.
 
 On the server, if you don't provide a callback, then `remove` blocks
-until the database acknowledges the write, or throws an exception if
+until the database acknowledges the write and then returns the number
+of removed documents, or throws an exception if
 something went wrong.  If you do provide a callback, `remove` returns
 immediately.  Once the remove completes, the callback is called with a
-single error argument in the case of failure, or no arguments if the
-remove was successful.
+single error argument in the case of failure, or a second argument
+indicating the number of removed documents if the remove was successful.
 
 On the client, `remove` never blocks.  If you do not provide a callback
-and the remove fails on the server, then Meteor will log a warning to
-the console.  If you provide a callback, Meteor will call that function
-with an error argument if there was an error, or no arguments if the
-remove was successful.
+and the remove fails on the server, then Meteor will log a warning to the
+console.  If you provide a callback, Meteor will call that function with an
+error argument if there was an error, or a second argument indicating the number
+of removed documents if the remove was successful.
 
 Client example:
 
@@ -966,6 +980,8 @@ <h2 id="meteor_collection_cursor"><span>Cursors</span></h2>
 
 {{> api_box cursor_foreach}}
 
+This interface is compatible with [Array.forEach](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/forEach).
+
 When called from a reactive computation, `forEach` registers dependencies on
 the matching documents.
 
@@ -981,6 +997,8 @@ <h2 id="meteor_collection_cursor"><span>Cursors</span></h2>
 
 {{> api_box cursor_map}}
 
+This interface is compatible with [Array.map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/map).
+
 When called from a reactive computation, `map` registers dependencies on
 the matching documents.
 
@@ -1258,12 +1276,13 @@ <h2 id="meteor_collection_cursor"><span>Cursors</span></h2>
     // Users.find({}, {fields: {password: 0, hash: 0}})
 
 To return an object that only includes the specified field, use `1` as
-the value.  The `_id` field is still included in the result.
+the value. The `_id` field is still included in the result.
 
     // Users.find({}, {fields: {firstname: 1, lastname: 1}})
 
-It is not possible to mix inclusion and exclusion styles (exception for `_id`).
-Field operators such as `$` and `$elemMatch` are not available on client side yet.
+It is not possible to mix inclusion and exclusion styles (except for the cases
+when `_id` is included by default or explicitly excluded). Field operators such
+as `$` and `$elemMatch` are not available on the client side yet.
 
 More advanced example:
 
@@ -1275,7 +1294,8 @@ <h2 id="meteor_collection_cursor"><span>Cursors</span></h2>
 
     // returns { alterEgos: [{ name: "Kira" }, { name: "L" }] }
 
-Notice the nested field rule and array behavior, learn more in MongoDB docs.
+See <a href="http://docs.mongodb.org/manual/tutorial/project-fields-from-query-results/#projection">
+the MongoDB docs</a> for details of the nested field rules and array behavior.
 
 {{/api_box_inline}}
 
@@ -1495,6 +1515,12 @@ <h2 id="accounts_api"><span>Accounts</span></h2>
 
 {{> api_box logout}}
 
+{{> api_box logoutOtherClients}}
+
+For example, when called in a user's browser, connections in that browser
+remain logged in, but any other browsers or DDP clients logged in as that user
+will be logged out.
+
 {{> api_box loginWithPassword}}
 
 This function is provided by the `accounts-password` package. See the
diff --git a/docs/client/api.js b/docs/client/api.js
index 1ca9cbce0fe..d7e9cfa033f 100644
--- a/docs/client/api.js
+++ b/docs/client/api.js
@@ -73,8 +73,7 @@ Template.api.release = {
   descr: ["`Meteor.release` is a string containing the name of the " +
           "[release](#meteorupdate) with which the project was built (for " +
           "example, `\"" +
-          // Put the current release in the docs as the example)
-          (Meteor.release ? Meteor.release : '0.6.0') +
+          Meteor.release +
           "\"`). It is `undefined` if the project was built using a git " +
           "checkout of Meteor."]
 };
@@ -89,9 +88,17 @@ Template.api.ejsonParse = {
 
 Template.api.ejsonStringify = {
   id: "ejson_stringify",
-  name: "EJSON.stringify(val)",
+  name: "EJSON.stringify(val, [options])",
   locus: "Anywhere",
   args: [ {name: "val", type: "EJSON-compatible value", descr: "A value to stringify."} ],
+  options: [
+    {name: "indent",
+     type: "Boolean, Integer, or String",
+     descr: "Indents objects and arrays for easy readability.  When `true`, indents by 2 spaces; when an integer, indents by that number of spaces; and when a string, uses the string as the indentation pattern."},
+    {name: "canonical",
+     type: "Boolean",
+     descr: "When `true`, stringifies keys in an object in sorted order."}
+  ],
   descr: ["Serialize a value to a string.\n\nFor EJSON values, the serialization " +
           "fully represents the value. For non-EJSON values, serializes the " +
           "same way as `JSON.stringify`."]
@@ -116,10 +123,15 @@ Template.api.ejsonToJSONValue = {
 
 Template.api.ejsonEquals = {
   id: "ejson_equals",
-  name: "EJSON.equals(a, b)", //doc options?
+  name: "EJSON.equals(a, b, [options])",
   locus: "Anywhere",
   args: [ {name: "a", type: "EJSON-compatible object"},
           {name: "b", type: "EJSON-compatible object"} ],
+  options: [
+    {name: "keyOrderSensitive",
+     type: "Boolean",
+     descr: "Compare in key sensitive order, if supported by the JavaScript implementation.  For example, `{a: 1, b: 2}` is equal to `{b: 2, a: 1}` only when `keyOrderSensitive` is `false`.  The default is `false`."}
+  ],
   descr: ["Return true if `a` and `b` are equal to each other.  Return false otherwise." +
           "  Uses the `equals` method on `a` if present, otherwise performs a deep comparison."]
 },
@@ -482,7 +494,7 @@ Template.api.meteor_collection = {
   options: [
     {name: "connection",
      type: "Object",
-     descr: "The Meteor connection that will manage this collection. Uses the default connection if not specified. Pass `null` to specify no connection. Unmanaged (`name` is null) collections cannot specify a connection."
+     descr: "The server connection that will manage this collection. Uses the default connection if not specified.  Pass the return value of calling [`DDP.connect`](#ddp_connect) to specify a different server. Pass `null` to specify no connection. Unmanaged (`name` is null) collections cannot specify a connection."
     },
     {name: "idGeneration",
      type: "String",
@@ -585,7 +597,7 @@ Template.api.update = {
   id: "update",
   name: "<em>collection</em>.update(selector, modifier, [options], [callback])",
   locus: "Anywhere",
-  descr: ["Modify one or more documents in the collection"],
+  descr: ["Modify one or more documents in the collection. Returns the number of affected documents."],
   args: [
     {name: "selector",
      type: "Mongo selector, or object id",
@@ -597,7 +609,37 @@ Template.api.update = {
      descr: "Specifies how to modify the documents"},
     {name: "callback",
      type: "Function",
-     descr: "Optional.  If present, called with an error object as its argument."}
+     descr: "Optional.  If present, called with an error object as the first argument and, if no error, the number of affected documents as the second."}
+  ],
+  options: [
+    {name: "multi",
+     type: "Boolean",
+     descr: "True to modify all matching documents; false to only modify one of the matching documents (the default)."},
+    {name: "upsert",
+     type: "Boolean",
+     descr: "True to insert a document if no matching documents are found."}
+  ]
+};
+
+Template.api.upsert = {
+  id: "upsert",
+  name: "<em>collection</em>.upsert(selector, modifier, [options], [callback])",
+  locus: "Anywhere",
+  descr: ["Modify one or more documents in the collection, or insert one if no matching documents were found. " +
+          "Returns an object with keys `numberAffected` (the number of documents modified) " +
+          " and `insertedId` (the unique _id of the document that was inserted, if any)."],
+  args: [
+    {name: "selector",
+     type: "Mongo selector, or object id",
+     type_link: "selectors",
+     descr: "Specifies which documents to modify"},
+    {name: "modifier",
+     type: "Mongo modifier",
+     type_link: "modifiers",
+     descr: "Specifies how to modify the documents"},
+    {name: "callback",
+     type: "Function",
+     descr: "Optional.  If present, called with an error object as the first argument and, if no error, the number of affected documents as the second."}
   ],
   options: [
     {name: "multi",
@@ -606,6 +648,7 @@ Template.api.update = {
   ]
 };
 
+
 Template.api.remove = {
   id: "remove",
   name: "<em>collection</em>.remove(selector, [callback])",
@@ -675,25 +718,31 @@ Template.api.cursor_fetch = {
 
 Template.api.cursor_foreach = {
   id: "foreach",
-  name: "<em>cursor</em>.forEach(callback)",
+  name: "<em>cursor</em>.forEach(callback, [thisArg])",
   locus: "Anywhere",
   descr: ["Call `callback` once for each matching document, sequentially and synchronously."],
   args: [
     {name: "callback",
      type: "Function",
-     descr: "Function to call."}
+     descr: "Function to call. It will be called with three arguments: the document, a 0-based index, and <em>cursor</em> itself."},
+    {name: "thisArg",
+     type: "Any",
+     descr: "An object which will be the value of `this` inside `callback`."}
   ]
 };
 
 Template.api.cursor_map = {
   id: "map",
-  name: "<em>cursor</em>.map(callback)",
+  name: "<em>cursor</em>.map(callback, [thisArg])",
   locus: "Anywhere",
   descr: ["Map callback over all matching documents.  Returns an Array."],
   args: [
     {name: "callback",
      type: "Function",
-     descr: "Function to call."}
+     descr: "Function to call. It will be called with three arguments: the document, a 0-based index, and <em>cursor</em> itself."},
+    {name: "thisArg",
+     type: "Any",
+     descr: "An object which will be the value of `this` inside `callback`."}
   ]
 };
 
@@ -1026,6 +1075,20 @@ Template.api.logout = {
   ]
 };
 
+Template.api.logoutOtherClients = {
+  id: "meteor_logoutotherclients",
+  name: "Meteor.logoutOtherClients([callback])",
+  locus: "Client",
+  descr: ["Log out other clients logged in as the current user, but does not log out the client that calls this function."],
+  args: [
+    {
+      name: "callback",
+      type: "Function",
+      descr: "Optional callback. Called with no arguments on success, or with a single `Error` argument on failure."
+    }
+  ]
+};
+
 
 Template.api.loginWithPassword = {
   id: "meteor_loginwithpassword",
@@ -1100,6 +1163,16 @@ Template.api.accounts_config = {
       name: "forbidClientAccountCreation",
       type: "Boolean",
       descr: "Calls to [`createUser`](#accounts_createuser) from the client will be rejected. In addition, if you are using [accounts-ui](#accountsui), the \"Create account\" link will not be available."
+    },
+    {
+      name: "restrictCreationByEmailDomain",
+      type: "String Or Function",
+      descr: "If set, only allow new users with an email in the specified domain or if the predicate function returns true. Works with password-based sign-in and external services that expose email addresses (Google, Facebook, GitHub). All existing users still can log in after enabling this option. Example: `Accounts.config({ restrictCreationByEmailDomain: 'school.edu' })`."
+    },
+    {
+      name: "loginExpirationInDays",
+      type: "Number",
+      descr: "The number of days from when a user logs in until their token expires and they are logged out. Defaults to 90. Set to `null` to disable login expiration."
     }
   ]
 };
diff --git a/docs/client/concepts.html b/docs/client/concepts.html
index 61d47d7c18e..375bf90e9c7 100644
--- a/docs/client/concepts.html
+++ b/docs/client/concepts.html
@@ -824,9 +824,9 @@ <h3 class="nosection">Running on your own infrastructure</h3>
     $ meteor bundle myapp.tgz
 
 This command will generate a fully-contained Node.js application in the form of
-a tarball.  To run this application, you need to provide Node.js 0.8 and a
+a tarball.  To run this application, you need to provide Node.js 0.10 and a
 MongoDB server.  (The current release of Meteor has been tested with Node
-0.8.24.) You can then run the application by invoking node, specifying the HTTP
+0.10.20.) You can then run the application by invoking node, specifying the HTTP
 port for the application to listen on, and the MongoDB endpoint.  If you don't
 already have a MongoDB server, we can recommend our friends at
 [MongoHQ](http://mongohq.com).
diff --git a/docs/client/docs.js b/docs/client/docs.js
index c057ef71bd1..f32972da78a 100644
--- a/docs/client/docs.js
+++ b/docs/client/docs.js
@@ -1,8 +1,5 @@
 Template.headline.release = function () {
-  // XXX This is commented out because for now galaxy apps have to be on a
-  // different Meteor release that has a bug fix.
-  return "0.6.5.1";
-  //  return Meteor.release || "(checkout)";
+  return Meteor.release || "(checkout)";
 };
 
 
@@ -155,6 +152,7 @@ var toc = [
         {instance: "collection", name: "findOne"},
         {instance: "collection", name: "insert"},
         {instance: "collection", name: "update"},
+        {instance: "collection", name: "upsert"},
         {instance: "collection", name: "remove"},
         {instance: "collection", name: "allow"},
         {instance: "collection", name: "deny"}
@@ -191,6 +189,7 @@ var toc = [
       "Meteor.users",
       "Meteor.loggingIn",
       "Meteor.logout",
+      "Meteor.logoutOtherClients",
       "Meteor.loginWithPassword",
       {name: "Meteor.loginWithFacebook", id: "meteor_loginwithexternalservice"},
       {name: "Meteor.loginWithGithub", id: "meteor_loginwithexternalservice"},
@@ -335,6 +334,7 @@ var toc = [
     "audit-argument-checks",
     "backbone",
     "bootstrap",
+    "browser-policy",
     "coffeescript",
     "d3",
     "force-ssl",
diff --git a/docs/client/packages.html b/docs/client/packages.html
index 0ee701bbe8f..077e4f1cd19 100644
--- a/docs/client/packages.html
+++ b/docs/client/packages.html
@@ -22,6 +22,7 @@ <h1 id="packages">Packages</h1>
 {{> pkg_audit_argument_checks}}
 {{> pkg_backbone}}
 {{> pkg_bootstrap}}
+{{> pkg_browser_policy}}
 {{> pkg_coffeescript}}
 {{> pkg_d3}}
 {{> pkg_force_ssl}}
diff --git a/docs/client/packages/browser-policy.html b/docs/client/packages/browser-policy.html
new file mode 100644
index 00000000000..d89437e46e7
--- /dev/null
+++ b/docs/client/packages/browser-policy.html
@@ -0,0 +1,165 @@
+<template name="pkg_browser_policy">
+{{#better_markdown}}
+## `browser-policy`
+
+The `browser-policy` package lets you set security-related policies that will be
+enforced by newer browsers. These policies help you prevent and mitigate common
+attacks like cross-site scripting and clickjacking.
+
+When you add `browser-policy` to your app, you get default configurations for
+the HTTP headers X-Frame-Options and Content-Security-Policy. X-Frame-Options
+tells the browser which websites are allowed to frame your app. You should only
+let trusted websites frame your app, because malicious sites could harm your
+users with <a href="https://www.owasp.org/index.php/Clickjacking">clickjacking
+attacks</a>.
+<a href="https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy">Content-Security-Policy</a>
+tells the browser where your app can load content from, which encourages safe
+practices and mitigates the damage of a cross-site-scripting attack.
+`browser-policy` also provides functions for you to configure these policies if
+the defaults are not suitable.
+
+If you only want to use Content-Security-Policy or X-Frame-Options but not both,
+you can add the individual packages `browser-policy-content` or
+`browser-policy-framing` instead of `browser-policy`.
+
+For most apps, we recommend that you take the following steps:
+
+* Add `browser-policy` to your app to enable a starter policy. With this starter
+policy, your app's client code will be able to load content (images, scripts,
+fonts, etc.) only from its own origin, except that XMLHttpRequests and WebSocket
+connections can go to any origin. Further, your app's client code will not be
+able to use functions such as `eval()` that convert strings to code. Users'
+browsers will only let your app be framed by web pages on the same origin as
+your app.
+* You can use the functions described below to customize the policies. If your
+app does not need any inline Javascript such as inline `<script>` tags, we
+recommend that you modify the policy by calling
+`BrowserPolicy.content.disallowInlineScripts()` in server code. This will result
+in one extra round trip when your app is loaded, but will help prevent
+cross-site scripting attacks by disabling all scripts except those loaded from a
+`script src` attribute.
+
+Meteor determines the browser policy when the server starts up, so you should
+call `BrowserPolicy` functions in top-level application code or in
+`Meteor.startup`.
+
+#### Frame options
+
+By default, if you add `browser-policy` or `browser-policy-framing`, only web
+pages on the same origin as your app are allowed to frame your app. You can use
+the following functions to modify this policy.
+<dl class="callbacks">
+{{#dtdd "BrowserPolicy.framing.disallow()"}}
+Your app will never render inside a frame or iframe.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.framing.restrictToOrigin(origin)"}}
+Your app will only render inside frames loaded by `origin`. You can only call
+this function once with a single origin, and cannot use wildcards or specify
+multiple origins that are allowed to frame your app. (This is a limitation of
+the X-Frame-Options header.) Example values of `origin` include
+"http://example.com" and "https://foo.example.com".
+{{#warning}}
+This value of the X-Frame-Options header is not yet supported in Chrome or
+Safari and will be ignored in those browsers.
+{{/warning}}
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.framing.allowAll()"}}
+This unsets the X-Frame-Options header, so that your app can be framed by
+any webpage.
+{{/dtdd}}
+</dl>
+
+#### Content options
+
+You can use the functions in this section to control how different types of
+content can be loaded on your site.
+
+You can use the following functions to adjust policies on where Javascript and
+CSS can be run:
+
+<dl class="callbacks">
+{{#dtdd "BrowserPolicy.content.allowInlineScripts()"}}
+Allows inline `<script>` tags, `javascript:` URLs, and inline event handlers.
+The default policy already allows inline scripts.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.disallowInlineScripts()"}}
+Disallows inline Javascript. Calling this function results in an extra
+round-trip on page load to retrieve Meteor runtime configuration that is usually
+part of an inline script tag.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.allowEval()"}}
+Allows the creation of Javascript code from strings using function such as `eval()`.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.disallowEval()"}}
+Disallows eval and related functions. The default policy already disallows eval.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.allowInlineStyles()"}}
+Allows inline style tags and style attributes. The default policy already allows
+inline styles.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.disallowInlineStyles()"}}
+Disallows inline CSS.
+{{/dtdd}}
+</dl>
+
+Finally, you can configure a whitelist of allowed requests that various types of
+content can make. The following functions are defined for the content types
+script, object, image, media, font, and connect.
+
+<dl class="callbacks">
+{{#dtdd "BrowserPolicy.content.allow&lt;ContentType&gt;Origin(origin)"}}
+Allows this type of content to be loaded from the given origin. `origin` is a
+string and can include an optional scheme (such as `http` or `https`), an
+optional wildcard at the beginning, and an optional port which can be a
+wildcard. Examples include `example.com`, `https://*.example.com`, and
+`example.com:*`. You can call these functions multiple times with different
+origins to specify a whitelist of allowed origins.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.allow&lt;ContentType&gt;DataUrl()"}}
+Allows this type of content to be loaded from a `data:` URL.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.allow&lt;ContentType&gt;SameOrigin()"}}
+Allows this type of content to be loaded from the same origin as your app.
+{{/dtdd}}
+
+{{#dtdd "BrowserPolicy.content.disallow&lt;ContentType&gt;()"}}
+Disallows this type of content on your app.
+{{/dtdd}}
+</dl>
+
+You can also set policies for all these types of content at once, using these
+functions:
+
+* `BrowserPolicy.content.allowSameOriginForAll()`,
+* `BrowserPolicy.content.allowDataUrlForAll()`,
+* `BrowserPolicy.content.allowOriginForAll(origin)`
+* `BrowserPolicy.content.disallowAll()`
+
+For example, if you want to allow the
+origin `https://foo.com` for all types of content but you want to disable
+`<object>` tags, you can call
+`BrowserPolicy.content.allowOriginForAll("https://foo.com")` followed by
+`BrowserPolicy.content.disallowObject()`.
+
+Other examples of using the `BrowserPolicy.content` API:
+
+* `BrowserPolicy.content.disallowFont()` causes the browser to disallow all
+`<font>` tags.
+* `BrowserPolicy.content.allowImageOrigin("https://example.com")`
+allows images to have their `src` attributes point to images served from
+`https://example.com`.
+* `BrowserPolicy.content.allowConnectOrigin("https://example.com")` allows XMLHttpRequest
+and WebSocket connections to `https://example.com`.
+
+
+{{/better_markdown}}
+</template>
diff --git a/docs/client/packages/random.html b/docs/client/packages/random.html
index 8f0490613d1..72c7ce9f51b 100644
--- a/docs/client/packages/random.html
+++ b/docs/client/packages/random.html
@@ -3,8 +3,11 @@
 ## `random`
 
 The `random` package provides several functions for generating random
-numbers. It uses a Meteor-provided random number generator that does not depend
-on the browser's facilities.
+numbers. It uses a cryptographically strong pseudorandom number generator when
+possible, but falls back to a weaker random number generator when
+cryptographically strong randomness is not available (on older browsers or on
+servers that don't have enough entropy to seed the cryptographically strong
+generator).
 
 <dl class="callbacks">
 {{#dtdd "Random.id()"}}
@@ -25,10 +28,5 @@
 {{/dtdd}}
 </dl>
 
-{{#note}}
-In the current implementation, random values do not come from a
-cryptographically strong pseudorandom number generator. Future releases will
-improve this, particularly on the server.
-{{/note}}
 {{/better_markdown}}
 </template>
diff --git a/docs/lib/release-override.js b/docs/lib/release-override.js
new file mode 100644
index 00000000000..153af4fdb2a
--- /dev/null
+++ b/docs/lib/release-override.js
@@ -0,0 +1,5 @@
+// While galaxy apps are on their own special meteor releases, override
+// Meteor.release here.
+if (Meteor.isClient) {
+  Meteor.release = Meteor.release ? "0.6.6.1" : undefined;
+}
diff --git a/examples/leaderboard/.meteor/packages b/examples/leaderboard/.meteor/packages
index a5eb137152e..240f0484208 100644
--- a/examples/leaderboard/.meteor/packages
+++ b/examples/leaderboard/.meteor/packages
@@ -7,4 +7,3 @@ standard-app-packages
 autopublish
 insecure
 preserve-inputs
-random
diff --git a/examples/leaderboard/.meteor/release b/examples/leaderboard/.meteor/release
index dd8bfff626e..f6895d22a5e 100644
--- a/examples/leaderboard/.meteor/release
+++ b/examples/leaderboard/.meteor/release
@@ -1 +1 @@
-0.6.5.1
+0.6.6.1
diff --git a/examples/parties/.meteor/release b/examples/parties/.meteor/release
index dd8bfff626e..f6895d22a5e 100644
--- a/examples/parties/.meteor/release
+++ b/examples/parties/.meteor/release
@@ -1 +1 @@
-0.6.5.1
+0.6.6.1
diff --git a/examples/parties/client/client.js b/examples/parties/client/client.js
index cbd3a65aa8e..972b5538d43 100644
--- a/examples/parties/client/client.js
+++ b/examples/parties/client/client.js
@@ -3,13 +3,16 @@
 Meteor.subscribe("directory");
 Meteor.subscribe("parties");
 
-// If no party selected, select one.
+// If no party selected, or if the selected party was deleted, select one.
 Meteor.startup(function () {
   Deps.autorun(function () {
-    if (! Session.get("selected")) {
+    var selected = Session.get("selected");
+    if (! selected || ! Parties.findOne(selected)) {
       var party = Parties.findOne();
       if (party)
         Session.set("selected", party._id);
+      else
+        Session.set("selected", null);
     }
   });
 });
@@ -213,19 +216,17 @@ Template.createDialog.events({
     var coords = Session.get("createCoords");
 
     if (title.length && description.length) {
-      Meteor.call('createParty', {
+      var id = createParty({
         title: title,
         description: description,
         x: coords.x,
         y: coords.y,
         public: public
-      }, function (error, party) {
-        if (! error) {
-          Session.set("selected", party);
-          if (! public && Meteor.users.find().count() > 1)
-            openInviteDialog();
-        }
       });
+
+      Session.set("selected", id);
+      if (! public && Meteor.users.find().count() > 1)
+        openInviteDialog();
       Session.set("showCreateDialog", false);
     } else {
       Session.set("createError",
diff --git a/examples/parties/model.js b/examples/parties/model.js
index 6eb086aae60..14fe2f79458 100644
--- a/examples/parties/model.js
+++ b/examples/parties/model.js
@@ -52,6 +52,12 @@ var Coordinate = Match.Where(function (x) {
   return x >= 0 && x <= 1;
 });
 
+createParty = function (options) {
+  var id = Random.id();
+  Meteor.call('createParty', _.extend({ _id: id }, options));
+  return id;
+};
+
 Meteor.methods({
   // options should include: title, description, x, y, public
   createParty: function (options) {
@@ -60,7 +66,8 @@ Meteor.methods({
       description: NonEmptyString,
       x: Coordinate,
       y: Coordinate,
-      public: Match.Optional(Boolean)
+      public: Match.Optional(Boolean),
+      _id: Match.Optional(NonEmptyString)
     });
 
     if (options.title.length > 100)
@@ -70,7 +77,9 @@ Meteor.methods({
     if (! this.userId)
       throw new Meteor.Error(403, "You must be logged in");
 
-    return Parties.insert({
+    var id = options._id || Random.id();
+    Parties.insert({
+      _id: id,
       owner: this.userId,
       x: options.x,
       y: options.y,
@@ -80,6 +89,7 @@ Meteor.methods({
       invited: [],
       rsvps: []
     });
+    return id;
   },
 
   invite: function (partyId, userId) {
diff --git a/examples/todos/.meteor/release b/examples/todos/.meteor/release
index dd8bfff626e..f6895d22a5e 100644
--- a/examples/todos/.meteor/release
+++ b/examples/todos/.meteor/release
@@ -1 +1 @@
-0.6.5.1
+0.6.6.1
diff --git a/examples/wordplay/.meteor/packages b/examples/wordplay/.meteor/packages
index 1c4346821c7..e695b93a6fd 100644
--- a/examples/wordplay/.meteor/packages
+++ b/examples/wordplay/.meteor/packages
@@ -7,4 +7,3 @@ standard-app-packages
 insecure
 jquery
 preserve-inputs
-random
diff --git a/examples/wordplay/.meteor/release b/examples/wordplay/.meteor/release
index dd8bfff626e..f6895d22a5e 100644
--- a/examples/wordplay/.meteor/release
+++ b/examples/wordplay/.meteor/release
@@ -1 +1 @@
-0.6.5.1
+0.6.6.1
diff --git a/examples/wordplay/client/wordplay.js b/examples/wordplay/client/wordplay.js
index f49212923b0..acff55aaeb3 100644
--- a/examples/wordplay/client/wordplay.js
+++ b/examples/wordplay/client/wordplay.js
@@ -132,9 +132,8 @@ Template.scratchpad.events({
   'click button, keyup input': function (evt) {
     var textbox = $('#scratchpad input');
     // if we clicked the button or hit enter
-    if (evt.type === "click" ||
-        (evt.type === "keyup" && evt.which === 13)) {
-
+    if ((evt.type === "click" || (evt.type === "keyup" && evt.which === 13))
+        && textbox.val()) {
       var word_id = Words.insert({player_id: Session.get('player_id'),
                                   game_id: game() && game()._id,
                                   word: textbox.val().toUpperCase(),
diff --git a/examples/wordplay/model.js b/examples/wordplay/model.js
index 3851c2639fa..416c4db1224 100644
--- a/examples/wordplay/model.js
+++ b/examples/wordplay/model.js
@@ -102,9 +102,12 @@ Meteor.methods({
     var word = Words.findOne(word_id);
     var game = Games.findOne(word.game_id);
 
-    // client and server can both check: must be at least three chars
-    // long, not already used, and possible to make on the board.
-    if (word.length < 3
+    // client and server can both check that the game has time remaining, and
+    // that the word is at least three chars, isn't already used, and is
+    // possible to make on the board.
+    if (game.clock === 0
+        || !word.word
+        || word.word.length < 3
         || Words.find({game_id: word.game_id, word: word.word}).count() > 1
         || paths_for_word(game.board, word.word).length === 0) {
       Words.update(word._id, {$set: {score: 0, state: 'bad'}});
@@ -127,8 +130,8 @@ Meteor.methods({
 if (Meteor.isServer) {
   DICTIONARY = {};
   _.each(Assets.getText("enable2k.txt").split("\n"), function (line) {
-    // Skip comment lines
-    if (line.indexOf("//") !== 0) {
+    // Skip blanks and comment lines
+    if (line && line.indexOf("//") !== 0) {
       DICTIONARY[line] = true;
     }
   });
diff --git a/meteor b/meteor
index 5584e6c2a42..1ac2d57ed49 100755
--- a/meteor
+++ b/meteor
@@ -1,6 +1,8 @@
 #!/bin/bash
 
-BUNDLE_VERSION=0.3.15
+BUNDLE_VERSION=0.3.19 # 0.3.20 is already built but was not used. next
+# time you bump this version number, go to 0.3.21 and remove this
+# comment.
 
 # OS Check. Put here because here is where we download the precompiled
 # bundles that are arch specific.
diff --git a/packages/accounts-base/accounts_client.js b/packages/accounts-base/accounts_client.js
index 9aef4bdc97b..579ec34474c 100644
--- a/packages/accounts-base/accounts_client.js
+++ b/packages/accounts-base/accounts_client.js
@@ -70,6 +70,8 @@ Accounts.callLoginMethod = function (options) {
     if (!options[f])
       options[f] = function () {};
   });
+  // make sure we only call the user's callback once.
+  var onceUserCallback = _.once(options.userCallback);
 
   var reconnected = false;
 
@@ -116,7 +118,10 @@ Accounts.callLoginMethod = function (options) {
               if (error) {
                 makeClientLoggedOut();
               }
-              options.userCallback(error);
+              // Possibly a weird callback to call, but better than nothing if
+              // there is a reconnect between "login result received" and "data
+              // ready".
+              onceUserCallback(error);
             }});
         }
       };
@@ -142,19 +147,19 @@ Accounts.callLoginMethod = function (options) {
     if (error || !result) {
       error = error || new Error(
         "No result from call to " + options.methodName);
-      options.userCallback(error);
+      onceUserCallback(error);
       return;
     }
     try {
       options.validateResult(result);
     } catch (e) {
-      options.userCallback(e);
+      onceUserCallback(e);
       return;
     }
 
     // Make the client logged in. (The user data should already be loaded!)
     makeClientLoggedIn(result.id, result.token, result.tokenExpires);
-    options.userCallback();
+    onceUserCallback();
   };
 
   if (!options._suppressLoggingIn)
@@ -188,7 +193,7 @@ Meteor.logout = function (callback) {
   });
 };
 
-Meteor._logoutAllOthers = function (callback) {
+Meteor.logoutOtherClients = function (callback) {
   // Our connection is going to be closed, but we don't want to call the
   // onReconnect handler until the result comes back for this method, because
   // the token will have been deleted on the server. Instead, wait until we get
@@ -198,7 +203,7 @@ Meteor._logoutAllOthers = function (callback) {
   var origOnReconnect = Meteor.connection.onReconnect;
   var userId = Meteor.userId();
   Meteor.connection.onReconnect = null;
-  Meteor.apply('_logoutAllOthers', [], { wait: true },
+  Meteor.apply('logoutOtherClients', [], { wait: true },
                function (error, result) {
                  Meteor.connection.onReconnect = origOnReconnect;
                  if (! error)
diff --git a/packages/accounts-base/accounts_common.js b/packages/accounts-base/accounts_common.js
index 1de58f1b2d8..9c2a8816929 100644
--- a/packages/accounts-base/accounts_common.js
+++ b/packages/accounts-base/accounts_common.js
@@ -4,6 +4,18 @@ Accounts = {};
 // and accounts-ui-unstyled.
 Accounts._options = {};
 
+// how long (in days) until a login token expires
+var DEFAULT_LOGIN_EXPIRATION_DAYS = 90;
+// Clients don't try to auto-login with a token that is going to expire within
+// .1 * DEFAULT_LOGIN_EXPIRATION_DAYS, capped at MIN_TOKEN_LIFETIME_CAP_SECS.
+// Tries to avoid abrupt disconnects from expiring tokens.
+var MIN_TOKEN_LIFETIME_CAP_SECS = 3600; // one hour
+// how often (in milliseconds) we check for expired tokens
+EXPIRE_TOKENS_INTERVAL_MS = 600 * 1000; // 10 minutes
+// how long we wait before logging out clients when Meteor.logoutOtherClients is
+// called
+CONNECTION_CLOSE_DELAY_MS = 10 * 1000;
+
 // Set up config for the accounts system. Call this on both the client
 // and the server.
 //
@@ -19,23 +31,31 @@ Accounts._options = {};
 //     client signups.
 // - forbidClientAccountCreation {Boolean}
 //     Do not allow clients to create accounts directly.
-// - _tokenLifetimeSecs {Number}
-//     Seconds until a login token expires.
-// - _tokenExpirationIntervalSecs {Number}
-//     How often (in seconds) to check for expired tokens
-// - _minTokenLifetimeSecs {Number}
-//     The minimum number of seconds until a token expires in order for the
-//     client to be willing to connect with that token.
-// - _connectionCloseDelaySecs {Number}
-//     The number of seconds to wait before closing connections that when a user
-//     is logged out by the server. Defaults to 10, to allow clients to store a
-//     fresh token in localStorage when calling _logoutAllOthers.
+// - restrictCreationByEmailDomain {Function or String}
+//     Require created users to have an email matching the function or
+//     having the string as domain.
+// - loginExpirationInDays {Number}
+//     Number of days since login until a user is logged out (login token
+//     expires).
 //
 Accounts.config = function(options) {
+  // We don't want users to accidentally only call Accounts.config on the
+  // client, where some of the options will have partial effects (eg removing
+  // the "create account" button from accounts-ui if forbidClientAccountCreation
+  // is set, or redirecting Google login to a specific-domain page) without
+  // having their full effects.
+  if (Meteor.isServer) {
+    __meteor_runtime_config__.accountsConfigCalled = true;
+  } else if (!__meteor_runtime_config__.accountsConfigCalled) {
+    // XXX would be nice to "crash" the client and replace the UI with an error
+    // message, but there's no trivial way to do this.
+    Meteor._debug("Accounts.config was called on the client but not on the " +
+                  "server; some configuration options may not take effect.");
+  }
+
   // validate option keys
   var VALID_KEYS = ["sendVerificationEmail", "forbidClientAccountCreation",
-                    "_tokenLifetimeSecs", "_tokenExpirationIntervalSecs",
-                    "_minTokenLifetimeSecs", "_connectionCloseDelaySecs"];
+                    "restrictCreationByEmailDomain", "loginExpirationInDays"];
   _.each(_.keys(options), function (key) {
     if (!_.contains(VALID_KEYS, key)) {
       throw new Error("Accounts.config: Invalid key: " + key);
@@ -49,11 +69,14 @@ Accounts.config = function(options) {
         throw new Error("Can't set `" + key + "` more than once");
       } else {
         Accounts._options[key] = options[key];
-        if (key === "_tokenExpirationInterval" && Meteor.isServer)
-          initExpireTokenInterval();
       }
     }
   });
+
+  // If the user set loginExpirationInDays to null, then we need to clear the
+  // timer that periodically expires tokens.
+  if (Meteor.isServer)
+    maybeStopExpireTokensInterval();
 };
 
 // Users table. Don't use the normal autopublish, since we want to hide
@@ -81,20 +104,21 @@ Accounts.LoginCancelledError.numericError = 0x8acdc2f;
 Accounts.LoginCancelledError.prototype = new Error();
 Accounts.LoginCancelledError.prototype.name = 'Accounts.LoginCancelledError';
 
-// how long (in seconds) until a login token expires
-DEFAULT_TOKEN_LIFETIME_SECS = 604800; // one week
-// We don't try to auto-login with a token that is going to expire within
-// MIN_TOKEN_LIFETIME seconds, to avoid abrupt disconnects from expiring tokens.
-var DEFAULT_MIN_TOKEN_LIFETIME_SECS = 3600; // one hour
+getTokenLifetimeMs = function () {
+  return (Accounts._options.loginExpirationInDays ||
+          DEFAULT_LOGIN_EXPIRATION_DAYS) * 24 * 60 * 60 * 1000;
+};
 
 Accounts._tokenExpiration = function (when) {
-  var tokenLifetimeSecs = Accounts._options._tokenLifetimeSecs ||
-        DEFAULT_TOKEN_LIFETIME_SECS;
-  return new Date(when.getTime() + tokenLifetimeSecs * 1000);
+  // We pass when through the Date constructor for backwards compatibility;
+  // `when` used to be a number.
+  return new Date((new Date(when)).getTime() + getTokenLifetimeMs());
 };
 
 Accounts._tokenExpiresSoon = function (when) {
-  var minLifetimeSecs = Accounts._options._minTokenLifetimeSecs ||
-        DEFAULT_MIN_TOKEN_LIFETIME_SECS;
-  return new Date() > (new Date(when) - minLifetimeSecs * 1000);
+  var minLifetimeMs = .1 * getTokenLifetimeMs();
+  var minLifetimeCapMs = MIN_TOKEN_LIFETIME_CAP_SECS * 1000;
+  if (minLifetimeMs > minLifetimeCapMs)
+    minLifetimeMs = minLifetimeCapMs;
+  return new Date() > (new Date(when) - minLifetimeMs);
 };
diff --git a/packages/accounts-base/accounts_server.js b/packages/accounts-base/accounts_server.js
index c97f0e17abd..1c6ba48ce22 100644
--- a/packages/accounts-base/accounts_server.js
+++ b/packages/accounts-base/accounts_server.js
@@ -91,10 +91,13 @@ Meteor.methods({
     this.setUserId(null);
   },
 
-  // Nuke everything: delete all the current user's tokens and close all open
-  // connections logged in as this user. Returns a fresh new login token that
-  // this client can use.
-  _logoutAllOthers: function () {
+  // Delete all the current user's tokens and close all open connections logged
+  // in as this user. Returns a fresh new login token that this client can
+  // use. Tests set Accounts._noConnectionCloseDelayForTest to delete tokens
+  // immediately instead of using a delay.
+  //
+  // @returns {Object} Object with token and tokenExpires keys.
+  logoutOtherClients: function () {
     var self = this;
     var user = Meteor.users.findOne(self.userId, {
       fields: {
@@ -102,13 +105,27 @@ Meteor.methods({
       }
     });
     if (user) {
+      // Save the current tokens in the database to be deleted in
+      // CONNECTION_CLOSE_DELAY_MS ms. This gives other connections in the
+      // caller's browser time to find the fresh token in localStorage. We save
+      // the tokens in the database in case we crash before actually deleting
+      // them.
       var tokens = user.services.resume.loginTokens;
       var newToken = Accounts._generateStampedLoginToken();
+      var userId = self.userId;
       Meteor.users.update(self.userId, {
         $set: {
-          "services.resume.loginTokens": [newToken]
-        }
+          "services.resume.loginTokensToDelete": tokens,
+          "services.resume.haveLoginTokensToDelete": true
+        },
+        $push: { "services.resume.loginTokens": newToken }
       });
+      Meteor.setTimeout(function () {
+        // The observe on Meteor.users will take care of closing the connections
+        // associated with `tokens`.
+        deleteSavedTokens(userId, tokens);
+      }, Accounts._noConnectionCloseDelayForTest ? 0 :
+                        CONNECTION_CLOSE_DELAY_MS);
       // We do not set the login token on this connection, but instead the
       // observe closes the connection and the client will reconnect with the
       // new token.
@@ -127,9 +144,6 @@ Meteor.methods({
 ///
 /// support reconnecting using a meteor login token
 
-// how often (in seconds) we check for expired tokens
-var DEFAULT_EXPIRE_TOKENS_INTERVAL_SECS = 600; // 10 minutes
-
 // Login handler for resume tokens.
 Accounts.registerLoginHandler(function(options) {
   if (!options.resume)
@@ -183,19 +197,39 @@ var removeLoginToken = function (userId, loginToken) {
 var expireTokenInterval;
 
 // Deletes expired tokens from the database and closes all open connections
-// associated with these tokens. Exported for tests.
-var expireTokens = Accounts._expireTokens = function (oldestValidDate) {
-  var tokenLifetimeSecs = Accounts._options._tokenLifetimeSecs ||
-        DEFAULT_TOKEN_LIFETIME_SECS;
-  oldestValidDate = oldestValidDate ||
-    (new Date(new Date() - tokenLifetimeSecs * 1000));
+// associated with these tokens.
+//
+// Exported for tests. Also, the arguments are only used by
+// tests. oldestValidDate is simulate expiring tokens without waiting
+// for them to actually expire. userId is used by tests to only expire
+// tokens for the test user.
+var expireTokens = Accounts._expireTokens = function (oldestValidDate, userId) {
+  var tokenLifetimeMs = getTokenLifetimeMs();
+
+  // when calling from a test with extra arguments, you must specify both!
+  if ((oldestValidDate && !userId) || (!oldestValidDate && userId)) {
+    throw new Error("Bad test. Must specify both oldestValidDate and userId.");
+  }
 
-  Meteor.users.update({
-    "services.resume.loginTokens.when": { $lt: oldestValidDate }
-  }, {
+  oldestValidDate = oldestValidDate ||
+    (new Date(new Date() - tokenLifetimeMs));
+  var userFilter = userId ? {_id: userId} : {};
+
+
+  // Backwards compatible with older versions of meteor that stored login token
+  // timestamps as numbers.
+  Meteor.users.update(_.extend(userFilter, {
+    $or: [
+      { "services.resume.loginTokens.when": { $lt: oldestValidDate } },
+      { "services.resume.loginTokens.when": { $lt: +oldestValidDate } }
+    ]
+  }), {
     $pull: {
       "services.resume.loginTokens": {
-        when: { $lt: oldestValidDate }
+        $or: [
+          { when: { $lt: oldestValidDate } },
+          { when: { $lt: +oldestValidDate } }
+        ]
       }
     }
   }, { multi: true });
@@ -203,16 +237,17 @@ var expireTokens = Accounts._expireTokens = function (oldestValidDate) {
   // expired tokens.
 };
 
-Meteor.users._ensureIndex("services.resume.loginTokens.when", { sparse: true });
-
-initExpireTokenInterval = function () {
-  if (expireTokenInterval)
+maybeStopExpireTokensInterval = function () {
+  if (_.has(Accounts._options, "loginExpirationInDays") &&
+      Accounts._options.loginExpirationInDays === null &&
+      expireTokenInterval) {
     Meteor.clearInterval(expireTokenInterval);
-  var expirePeriodSecs = Accounts._options._tokenExpirationIntervalSecs ||
-        DEFAULT_EXPIRE_TOKENS_INTERVAL_SECS;
-  expireTokenInterval = Meteor.setInterval(expireTokens, expirePeriodSecs * 1000);
+    expireTokenInterval = null;
+  }
 };
-initExpireTokenInterval();
+
+expireTokenInterval = Meteor.setInterval(expireTokens,
+                                         EXPIRE_TOKENS_INTERVAL_MS);
 
 ///
 /// CREATE USER HOOKS
@@ -304,6 +339,49 @@ Accounts.validateNewUser = function (func) {
   validateNewUserHooks.push(func);
 };
 
+// XXX Find a better place for this utility function
+// Like Perl's quotemeta: quotes all regexp metacharacters. See
+//   https://github.com/substack/quotemeta/blob/master/index.js
+var quotemeta = function (str) {
+    return String(str).replace(/(\W)/g, '\\$1');
+};
+
+// Helper function: returns false if email does not match company domain from
+// the configuration.
+var testEmailDomain = function (email) {
+  var domain = Accounts._options.restrictCreationByEmailDomain;
+  return !domain ||
+    (_.isFunction(domain) && domain(email)) ||
+    (_.isString(domain) &&
+      (new RegExp('@' + quotemeta(domain) + '$', 'i')).test(email));
+};
+
+// Validate new user's email or Google/Facebook/GitHub account's email
+Accounts.validateNewUser(function (user) {
+  var domain = Accounts._options.restrictCreationByEmailDomain;
+  if (!domain)
+    return true;
+
+  var emailIsGood = false;
+  if (!_.isEmpty(user.emails)) {
+    emailIsGood = _.any(user.emails, function (email) {
+      return testEmailDomain(email.address);
+    });
+  } else if (!_.isEmpty(user.services)) {
+    // Find any email of any service and check it
+    emailIsGood = _.any(user.services, function (service) {
+      return service.email && testEmailDomain(service.email);
+    });
+  }
+
+  if (emailIsGood)
+    return true;
+
+  if (_.isString(domain))
+    throw new Meteor.Error(403, "@" + domain + " email required");
+  else
+    throw new Meteor.Error(403, "Email doesn't match the criteria.");
+});
 
 ///
 /// MANAGING USER OBJECTS
@@ -521,28 +599,59 @@ Meteor.users._ensureIndex('username', {unique: 1, sparse: 1});
 Meteor.users._ensureIndex('emails.address', {unique: 1, sparse: 1});
 Meteor.users._ensureIndex('services.resume.loginTokens.token',
                           {unique: 1, sparse: 1});
+// For taking care of logoutOtherClients calls that crashed before the tokens
+// were deleted.
+Meteor.users._ensureIndex('services.resume.haveLoginTokensToDelete',
+                          { sparse: 1 });
+// For expiring login tokens
+Meteor.users._ensureIndex("services.resume.loginTokens.when", { sparse: 1 });
 
 ///
-/// LOGGING OUT DELETED USERS
+/// CLEAN UP FOR `logoutOtherClients`
 ///
 
-var DEFAULT_CONNECTION_CLOSE_DELAY_SECS = 10;
+var deleteSavedTokens = function (userId, tokensToDelete) {
+  if (tokensToDelete) {
+    Meteor.users.update(userId, {
+      $unset: {
+        "services.resume.haveLoginTokensToDelete": 1,
+        "services.resume.loginTokensToDelete": 1
+      },
+      $pullAll: {
+        "services.resume.loginTokens": tokensToDelete
+      }
+    });
+  }
+};
+
+Meteor.startup(function () {
+  // If we find users who have saved tokens to delete on startup, delete them
+  // now. It's possible that the server could have crashed and come back up
+  // before new tokens are found in localStorage, but this shouldn't happen very
+  // often. We shouldn't put a delay here because that would give a lot of power
+  // to an attacker with a stolen login token and the ability to crash the
+  // server.
+  var users = Meteor.users.find({
+    "services.resume.haveLoginTokensToDelete": true
+  }, {
+    "services.resume.loginTokensToDelete": 1
+  });
+  users.forEach(function (user) {
+    deleteSavedTokens(user._id, user.services.resume.loginTokensToDelete);
+  });
+});
+
+///
+/// LOGGING OUT DELETED USERS
+///
 
-// By default, connections are closed with a 10 second delay, to give other
-// clients a chance to find a new token in localStorage before
-// reconnecting. Delay can be configured with Accounts.config.
 var closeTokensForUser = function (userTokens) {
-  var delaySecs = DEFAULT_CONNECTION_CLOSE_DELAY_SECS;
-  if (_.has(Accounts._options, "_connectionCloseDelaySecs"))
-    delaySecs = Accounts._options._connectionCloseDelaySecs;
-  Meteor.setTimeout(function () {
-    Meteor.server._closeAllForTokens(_.map(userTokens, function (token) {
-      return token.token;
-    }));
-  }, delaySecs * 1000);
+  Meteor.server._closeAllForTokens(_.map(userTokens, function (token) {
+    return token.token;
+  }));
 };
 
-Meteor.users.find().observe({
+Meteor.users.find({}, { fields: { "services.resume": 1 }}).observe({
   changed: function (newUser, oldUser) {
     var removedTokens = [];
     if (newUser.services && newUser.services.resume &&
diff --git a/packages/accounts-base/accounts_tests.js b/packages/accounts-base/accounts_tests.js
index 82cf135fa18..5326704e43b 100644
--- a/packages/accounts-base/accounts_tests.js
+++ b/packages/accounts-base/accounts_tests.js
@@ -178,3 +178,33 @@ Tinytest.add('accounts - insertUserDoc email', function (test) {
   Meteor.users.remove(result.id);
   Meteor.users.remove(result3.id);
 });
+
+// More token expiration tests are in accounts-password
+Tinytest.addAsync('accounts - expire numeric token', function (test, onComplete) {
+  var userIn = { username: Random.id() };
+  var result = Accounts.insertUserDoc({ profile: {
+    name: 'Foo Bar'
+  } }, userIn);
+  var date = new Date(new Date() - 5000);
+  Meteor.users.update(result.id, {
+    $set: {
+      "services.resume.loginTokens": [{
+        token: Random.id(),
+        when: date
+      }, {
+        token: Random.id(),
+        when: +date
+      }]
+    }
+  });
+  var observe = Meteor.users.find(result.id).observe({
+    changed: function (newUser) {
+      if (newUser.services && newUser.services.resume &&
+          _.isEmpty(newUser.services.resume.loginTokens)) {
+        observe.stop();
+        onComplete();
+      }
+    }
+  });
+  Accounts._expireTokens(new Date(), result.id);
+});
diff --git a/packages/accounts-password/package.js b/packages/accounts-password/package.js
index 676ac1c91f4..f53f8c2d10f 100644
--- a/packages/accounts-password/package.js
+++ b/packages/accounts-password/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: "Password support for accounts."
+  summary: "Password support for accounts"
 });
 
 Package.on_use(function(api) {
diff --git a/packages/accounts-password/password_server.js b/packages/accounts-password/password_server.js
index 1771cb1e919..f85676c8130 100644
--- a/packages/accounts-password/password_server.js
+++ b/packages/accounts-password/password_server.js
@@ -316,20 +316,35 @@ Meteor.methods({resetPassword: function (token, newVerifier) {
 
   var stampedLoginToken = Accounts._generateStampedLoginToken();
 
-  // Update the user record by:
-  // - Changing the password verifier to the new one
-  // - Replacing all valid login tokens with new ones (changing
-  //   password should invalidate existing sessions).
-  // - Forgetting about the reset token that was just used
-  // - Verifying their email, since they got the password reset via email.
-  Meteor.users.update({_id: user._id, 'emails.address': email}, {
-    $set: {'services.password.srp': newVerifier,
-           'services.resume.loginTokens': [stampedLoginToken],
-           'emails.$.verified': true},
-    $unset: {'services.password.reset': 1}
-  });
+  // NOTE: We're about to invalidate tokens on the user, who we might be
+  // logged in as. Make sure to avoid logging ourselves out if this
+  // happens. But also make sure not to leave the connection in a state
+  // of having a bad token set if things fail.
+  var oldToken = this._getLoginToken();
+  this._setLoginToken(null);
+
+  try {
+    // Update the user record by:
+    // - Changing the password verifier to the new one
+    // - Replacing all valid login tokens with new ones (changing
+    //   password should invalidate existing sessions).
+    // - Forgetting about the reset token that was just used
+    // - Verifying their email, since they got the password reset via email.
+    Meteor.users.update({_id: user._id, 'emails.address': email}, {
+      $set: {'services.password.srp': newVerifier,
+             'services.resume.loginTokens': [stampedLoginToken],
+             'emails.$.verified': true},
+      $unset: {'services.password.reset': 1}
+    });
+  } catch (err) {
+    // update failed somehow. reset to old token.
+    this._setLoginToken(oldToken);
+    throw err;
+  }
 
+  this._setLoginToken(stampedLoginToken.token);
   this.setUserId(user._id);
+
   return {
     token: stampedLoginToken.token,
     tokenExpires: Accounts._tokenExpiration(stampedLoginToken.when),
@@ -421,6 +436,7 @@ Meteor.methods({verifyEmail: function (token) {
      $push: {'services.resume.loginTokens': stampedLoginToken}});
 
   this.setUserId(user._id);
+  this._setLoginToken(stampedLoginToken.token);
   return {
     token: stampedLoginToken.token,
     tokenExpires: Accounts._tokenExpiration(stampedLoginToken.when),
@@ -499,6 +515,7 @@ Meteor.methods({createUser: function (options) {
 
   // client gets logged in as the new user afterwards.
   this.setUserId(result.id);
+  this._setLoginToken(result.token);
   return result;
 }});
 
@@ -533,5 +550,5 @@ Accounts.createUser = function (options, callback) {
 ///
 Meteor.users._ensureIndex('emails.validationTokens.token',
                           {unique: 1, sparse: 1});
-Meteor.users._ensureIndex('emails.password.reset.token',
+Meteor.users._ensureIndex('services.password.reset.token',
                           {unique: 1, sparse: 1});
diff --git a/packages/accounts-password/password_tests.js b/packages/accounts-password/password_tests.js
index 00b525f9664..b8d0417221c 100644
--- a/packages/accounts-password/password_tests.js
+++ b/packages/accounts-password/password_tests.js
@@ -1,6 +1,4 @@
-Accounts.config({
-  _connectionCloseDelaySecs: 0
-});
+Accounts._noConnectionCloseDelayForTest = true;
 
 if (Meteor.isClient) (function () {
 
@@ -21,40 +19,30 @@ if (Meteor.isClient) (function () {
       test.equal(Meteor.user().username, someUsername);
     });
   };
+  var waitForLoggedOutStep = function (test, expect) {
+    pollUntil(expect, function () {
+      return Meteor.userId() === null;
+    }, 10 * 1000, 100);
+  };
 
-  // declare variable outside the testAsyncMulti, so we can refer to
-  // them from multiple tests, but initialize them to new values inside
-  // the test so when we use the 'debug' link in the tests, they get new
-  // values and the tests don't fail.
-  var username, username2, username3;
-  var userId1, userId3;
-  var email;
-  var password, password2, password3;
-
-  testAsyncMulti("passwords - long series", [
-    function (test, expect) {
-      username = Random.id();
-      username2 = Random.id();
-      username3 = Random.id();
-      // use -intercept so that we don't print to the console
-      email = Random.id() + '-intercept@example.com';
-      password = 'password';
-      password2 = 'password2';
-      password3 = 'password3';
-    },
+  testAsyncMulti("passwords - basic login with password", [
     function (test, expect) {
+      // setup
+      this.username = Random.id();
+      this.email = Random.id() + '-intercept@example.com';
+      this.password = 'password';
+
       Accounts.createUser(
-        {username: username, email: email, password: password},
-        loggedInAs(username, test, expect));
+        {username: this.username, email: this.email, password: this.password},
+        loggedInAs(this.username, test, expect));
     },
     function (test, expect) {
-      userId1 = Meteor.userId();
-      test.notEqual(userId1, null);
+      test.notEqual(Meteor.userId(), null);
     },
     logoutStep,
     function (test, expect) {
-      Meteor.loginWithPassword(username, password,
-                               loggedInAs(username, test, expect));
+      Meteor.loginWithPassword(this.username, this.password,
+                               loggedInAs(this.username, test, expect));
     },
     logoutStep,
     // This next step tests reactive contexts which are reactive on
@@ -69,7 +57,7 @@ if (Meteor.isClient) (function () {
       });
       // At the beginning, we're not logged in.
       test.isFalse(loaded);
-      Meteor.loginWithPassword(username, password, expect(function (error) {
+      Meteor.loginWithPassword(this.username, this.password, expect(function (error) {
         test.equal(error, undefined);
         test.notEqual(Meteor.userId(), null);
         // By the time of the login callback, the user should be loaded.
@@ -82,18 +70,43 @@ if (Meteor.isClient) (function () {
     },
     logoutStep,
     function (test, expect) {
-      Meteor.loginWithPassword({username: username}, password,
-                               loggedInAs(username, test, expect));
+      Meteor.loginWithPassword({username: this.username}, this.password,
+                               loggedInAs(this.username, test, expect));
     },
     logoutStep,
     function (test, expect) {
-      Meteor.loginWithPassword(email, password,
-                               loggedInAs(username, test, expect));
+      Meteor.loginWithPassword(this.email, this.password,
+                               loggedInAs(this.username, test, expect));
     },
     logoutStep,
     function (test, expect) {
-      Meteor.loginWithPassword({email: email}, password,
-                               loggedInAs(username, test, expect));
+      Meteor.loginWithPassword({email: this.email}, this.password,
+                               loggedInAs(this.username, test, expect));
+    },
+    logoutStep
+  ]);
+
+
+  testAsyncMulti("passwords - plain text passwords", [
+    function (test, expect) {
+      // setup
+      this.username = Random.id();
+      this.email = Random.id() + '-intercept@example.com';
+      this.password = 'password';
+
+      // create user with raw password (no API, need to invoke callLoginMethod
+      // directly)
+      Accounts.callLoginMethod({
+        methodName: 'createUser',
+        methodArguments: [{username: this.username, password: this.password}],
+        userCallback: loggedInAs(this.username, test, expect)
+      });
+    },
+    logoutStep,
+    // check can login normally with this password.
+    function(test, expect) {
+      Meteor.loginWithPassword({username: this.username}, this.password,
+                               loggedInAs(this.username, test, expect));
     },
     logoutStep,
     // plain text password. no API for this, have to invoke callLoginMethod
@@ -101,7 +114,7 @@ if (Meteor.isClient) (function () {
     function (test, expect) {
       Accounts.callLoginMethod({
         // wrong password
-        methodArguments: [{user: {email: email}, password: password2}],
+        methodArguments: [{user: {username: this.username}, password: 'wrong'}],
         userCallback: expect(function (error) {
           test.isTrue(error);
           test.isFalse(Meteor.user());
@@ -110,105 +123,179 @@ if (Meteor.isClient) (function () {
     function (test, expect) {
       Accounts.callLoginMethod({
         // right password
-        methodArguments: [{user: {email: email}, password: password}],
-        userCallback: loggedInAs(username, test, expect)
+        methodArguments: [{user: {username: this.username},
+                           password: this.password}],
+        userCallback: loggedInAs(this.username, test, expect)
       });
     },
+    logoutStep
+  ]);
+
+
+  testAsyncMulti("passwords - changing passwords", [
+    function (test, expect) {
+      // setup
+      this.username = Random.id();
+      this.email = Random.id() + '-intercept@example.com';
+      this.password = 'password';
+      this.password2 = 'password2';
+
+      Accounts.createUser(
+        {username: this.username, email: this.email, password: this.password},
+        loggedInAs(this.username, test, expect));
+    },
     // change password with bad old password. we stay logged in.
     function (test, expect) {
-      Accounts.changePassword(password2, password2, expect(function (error) {
+      var self = this;
+      Accounts.changePassword('wrong', 'doesntmatter', expect(function (error) {
         test.isTrue(error);
-        test.equal(Meteor.user().username, username);
+        test.equal(Meteor.user().username, self.username);
       }));
     },
     // change password with good old password.
     function (test, expect) {
-      Accounts.changePassword(password, password2,
-                              loggedInAs(username, test, expect));
+      Accounts.changePassword(this.password, this.password2,
+                              loggedInAs(this.username, test, expect));
     },
     logoutStep,
     // old password, failed login
     function (test, expect) {
-      Meteor.loginWithPassword(email, password, expect(function (error) {
+      Meteor.loginWithPassword(this.email, this.password, expect(function (error) {
         test.isTrue(error);
         test.isFalse(Meteor.user());
       }));
     },
     // new password, success
     function (test, expect) {
-      Meteor.loginWithPassword(email, password2,
-                               loggedInAs(username, test, expect));
+      Meteor.loginWithPassword(this.email, this.password2,
+                               loggedInAs(this.username, test, expect));
     },
-    logoutStep,
-    // create user with raw password (no API, need to invoke callLoginMethod
-    // directly)
+    logoutStep
+  ]);
+
+
+  testAsyncMulti("passwords - new user hooks", [
     function (test, expect) {
-      Accounts.callLoginMethod({
-        methodName: 'createUser',
-        methodArguments: [{username: username2, password: password2}],
-        userCallback: loggedInAs(username2, test, expect)
-      });
+      // setup
+      this.username = Random.id();
+      this.email = Random.id() + '-intercept@example.com';
+      this.password = 'password';
     },
-    logoutStep,
-    function(test, expect) {
-      Meteor.loginWithPassword({username: username2}, password2,
-                               loggedInAs(username2, test, expect));
-    },
-    logoutStep,
     // test Accounts.validateNewUser
     function(test, expect) {
-      Accounts.createUser({username: username3, password: password3,
-                           // should fail the new user validators
-                           profile: {invalid: true}},
-                          expect(function (error) {
-                            test.equal(error.error, 403);
-                            test.equal(
-                              error.reason,
-                              "User validation failed");
-                          }));
+      Accounts.createUser(
+        {username: this.username, password: this.password,
+         // should fail the new user validators
+         profile: {invalid: true}},
+        expect(function (error) {
+          test.equal(error.error, 403);
+          test.equal(error.reason, "User validation failed");
+        }));
     },
     logoutStep,
     function(test, expect) {
-      Accounts.createUser({username: username3, password: password3,
-                           // should fail the new user validator with a special
-                           // exception
-                           profile: {invalidAndThrowException: true}},
-                        expect(function (error) {
-                          test.equal(
-                            error.reason,
-                            "An exception thrown within Accounts.validateNewUser");
-                        }));
+      Accounts.createUser(
+        {username: this.username, password: this.password,
+         // should fail the new user validator with a special
+         // exception
+         profile: {invalidAndThrowException: true}},
+        expect(function (error) {
+          test.equal(
+            error.reason,
+            "An exception thrown within Accounts.validateNewUser");
+        }));
     },
     // test Accounts.onCreateUser
     function(test, expect) {
       Accounts.createUser(
-        {username: username3, password: password3,
+        {username: this.username, password: this.password,
          testOnCreateUserHook: true},
-        loggedInAs(username3, test, expect));
+        loggedInAs(this.username, test, expect));
     },
     function(test, expect) {
       test.equal(Meteor.user().profile.touchedByOnCreateUser, true);
     },
+    logoutStep
+  ]);
+
+
+  testAsyncMulti("passwords - Meteor.user()", [
+    function (test, expect) {
+      // setup
+      this.username = Random.id();
+      this.password = 'password';
+
+      Accounts.createUser(
+        {username: this.username, password: this.password,
+         testOnCreateUserHook: true},
+        loggedInAs(this.username, test, expect));
+    },
     // test Meteor.user(). This test properly belongs in
     // accounts-base/accounts_tests.js, but this is where the tests that
     // actually log in are.
     function(test, expect) {
+      var self = this;
       var clientUser = Meteor.user();
       Meteor.call('testMeteorUser', expect(function (err, result) {
         test.equal(result._id, clientUser._id);
+        test.equal(result.username, clientUser.username);
+        test.equal(result.username, self.username);
         test.equal(result.profile.touchedByOnCreateUser, true);
         test.equal(err, undefined);
       }));
     },
+    function(test, expect) {
+      // Test that even with no published fields, we still have a document.
+      Meteor.call('clearUsernameAndProfile', expect(function() {
+        test.isTrue(Meteor.userId());
+        var user = Meteor.user();
+        test.equal(user, {_id: Meteor.userId()});
+      }));
+    },
+    logoutStep,
+    function(test, expect) {
+      var clientUser = Meteor.user();
+      test.equal(clientUser, null);
+      test.equal(Meteor.userId(), null);
+      Meteor.call('testMeteorUser', expect(function (err, result) {
+        test.equal(err, undefined);
+        test.equal(result, null);
+      }));
+    }
+  ]);
+
+  testAsyncMulti("passwords - allow rules", [
+    // create a second user to have an id for in a later test
+    function (test, expect) {
+      this.otherUsername = Random.id();
+      Accounts.createUser(
+        {username: this.otherUsername, password: 'dontcare',
+         testOnCreateUserHook: true},
+        loggedInAs(this.otherUsername, test, expect));
+    },
+    function (test, expect) {
+      this.otherUserId = Meteor.userId();
+    },
+    function (test, expect) {
+      // real setup
+      this.username = Random.id();
+      this.password = 'password';
+
+      Accounts.createUser(
+        {username: this.username, password: this.password,
+         testOnCreateUserHook: true},
+        loggedInAs(this.username, test, expect));
+    },
     // test the default Meteor.users allow rule. This test properly belongs in
     // accounts-base/accounts_tests.js, but this is where the tests that
     // actually log in are.
     function(test, expect) {
-      userId3 = Meteor.userId();
-      test.notEqual(userId3, null);
+      this.userId = Meteor.userId();
+      test.notEqual(this.userId, null);
+      test.notEqual(this.userId, this.otherUserId);
       // Can't update fields other than profile.
       Meteor.users.update(
-        userId3, {$set: {disallowed: true, 'profile.updated': 42}},
+        this.userId, {$set: {disallowed: true, 'profile.updated': 42}},
         expect(function (err) {
           test.isTrue(err);
           test.equal(err.error, 403);
@@ -219,7 +306,7 @@ if (Meteor.isClient) (function () {
     function(test, expect) {
       // Can't update another user.
       Meteor.users.update(
-        userId1, {$set: {'profile.updated': 42}},
+        this.otherUserId, {$set: {'profile.updated': 42}},
         expect(function (err) {
           test.isTrue(err);
           test.equal(err.error, 403);
@@ -229,155 +316,166 @@ if (Meteor.isClient) (function () {
       // Can't update using a non-ID selector. (This one is thrown client-side.)
       test.throws(function () {
         Meteor.users.update(
-          {username: username3}, {$set: {'profile.updated': 42}});
+          {username: this.username}, {$set: {'profile.updated': 42}});
       });
       test.isFalse(_.has(Meteor.user().profile, 'updated'));
     },
     function(test, expect) {
       // Can update own profile using ID.
       Meteor.users.update(
-        userId3, {$set: {'profile.updated': 42}},
+        this.userId, {$set: {'profile.updated': 42}},
         expect(function (err) {
           test.isFalse(err);
           test.equal(42, Meteor.user().profile.updated);
         }));
     },
-    function(test, expect) {
-      // Test that even with no published fields, we still have a document.
-      Meteor.call('clearUsernameAndProfile', expect(function() {
-        test.isTrue(Meteor.userId());
-        var user = Meteor.user();
-        test.equal(user, {_id: Meteor.userId()});
-      }));
-    },
-    logoutStep,
-    function(test, expect) {
-      var clientUser = Meteor.user();
-      test.equal(clientUser, null);
-      Meteor.call('testMeteorUser', expect(function (err, result) {
-        test.equal(err, undefined);
-        test.equal(result, null);
-      }));
+    logoutStep
+  ]);
+
+
+  testAsyncMulti("passwords - tokens", [
+    function (test, expect) {
+      // setup
+      this.username = Random.id();
+      this.password = 'password';
+
+      Accounts.createUser(
+        {username: this.username, password: this.password},
+        loggedInAs(this.username, test, expect));
     },
-    logoutStep,
+
     function(test, expect) {
+      // test logging out invalidates our token
       var expectLoginError = expect(function (err) {
         test.isTrue(err);
       });
-      Meteor.loginWithPassword(username, password2, function (error) {
-        test.equal(error, undefined);
-        test.equal(Meteor.user().username, username);
-        var token = Accounts._storedLoginToken();
-        Meteor.logout(function () {
-          Meteor.loginWithToken(token, expectLoginError);
-        });
+      var token = Accounts._storedLoginToken();
+      test.isTrue(token);
+      Meteor.logout(function () {
+        Meteor.loginWithToken(token, expectLoginError);
       });
     },
-    logoutStep,
+
     function(test, expect) {
+      var self = this;
       // Test that login tokens get expired. We should get logged out when a
       // token expires, and not be able to log in again with the same token.
       var expectNoError = expect(function (err) {
         test.isFalse(err);
       });
-      var expectLoginError = expect(function (err) {
-        test.isTrue(err);
-      });
-      var firstLoginCallback = true;
-
-      Meteor.loginWithPassword(username, password2, function (error) {
-        var token = Accounts._storedLoginToken();
-        if (firstLoginCallback) {
-          test.isTrue(token);
-          expectNoError(error);
-          Meteor.call("expireTokens", new Date());
-        } else {
-          test.isFalse(token);
-          expectLoginError(error);
-        }
-        firstLoginCallback = false;
+
+      Meteor.loginWithPassword(this.username, this.password, function (error) {
+        self.token = Accounts._storedLoginToken();
+        test.isTrue(self.token);
+        expectNoError(error);
+        Meteor.call("expireTokens");
       });
     },
-    logoutStep,
+    waitForLoggedOutStep,
     function (test, expect) {
+      var token = Accounts._storedLoginToken();
+      test.isFalse(token);
+    },
+    function (test, expect) {
+      // Test that once expireTokens is finished, we can't login again with our
+      // previous token.
+      Meteor.loginWithToken(this.token, expect(function (err, result) {
+        test.isTrue(err);
+        test.equal(Meteor.userId(), null);
+      }));
+    },
+    function (test, expect) {
+      var self = this;
+
       // copied from livedata/client_convenience.js
       var ddpUrl = '/';
       if (typeof __meteor_runtime_config__ !== "undefined") {
         if (__meteor_runtime_config__.DDP_DEFAULT_CONNECTION_URL)
           ddpUrl = __meteor_runtime_config__.DDP_DEFAULT_CONNECTION_URL;
       }
+      // XXX can we get the url from the existing connection somehow
+      // instead?
 
-      // Test that Meteor._logoutAllOthers logs out a second authenticated
+      // Test that Meteor.logoutOtherClients logs out a second authenticated
       // connection while leaving Meteor.connection logged in.
       var token;
-      var secondConn = DDP.connect(ddpUrl);
-      var firstLoginCallback = true;
       var userId;
+      self.secondConn = DDP.connect(ddpUrl);
 
-      var expectNoError = expect(function (err) {
-        test.isFalse(err);
-      });
       var expectLoginError = expect(function (err) {
         test.isTrue(err);
       });
-      var expectLoggedIn = expect(function () {
-        test.equal(userId, Meteor.userId());
+      var expectValidToken = expect(function (err, result) {
+        test.isFalse(err);
+        test.isTrue(result);
+        self.tokenFromLogoutOthers = result.token;
       });
       var expectSecondConnLoggedIn = expect(function (err, result) {
         test.equal(result.token, token);
         test.isFalse(err);
-        secondConn.onReconnect = function () {
-          secondConn.call("login", { resume: token }, expectLoginError);
+        // This test will fail if an unrelated reconnect triggers before the
+        // connection is logged out. In general our tests aren't resilient to
+        // mid-test reconnects.
+        self.secondConn.onReconnect = function () {
+          self.secondConn.call("login", { resume: token }, expectLoginError);
         };
-        Meteor.call("_logoutAllOthers", expectLoggedIn);
+        Meteor.call("logoutOtherClients", expectValidToken);
       });
 
-      Meteor.loginWithPassword(username, password2, function (err) {
-        if (firstLoginCallback) {
-          expectNoError(err);
-          token = Accounts._storedLoginToken();
-          test.isTrue(token);
-          userId = Meteor.userId();
-          secondConn.call("login", { resume: token }, expectSecondConnLoggedIn);
-        }
-        firstLoginCallback = false;
-      });
+      Meteor.loginWithPassword(this.username, this.password, expect(function (err) {
+        test.isFalse(err);
+        token = Accounts._storedLoginToken();
+        self.beforeLogoutOthersToken = token;
+        test.isTrue(token);
+        userId = Meteor.userId();
+        self.secondConn.call("login", { resume: token },
+                             expectSecondConnLoggedIn);
+      }));
+    },
+    // Test that logoutOtherClients logged out Meteor.connection and that the
+    // previous token is no longer valid.
+    waitForLoggedOutStep,
+    function (test, expect) {
+      var self = this;
+      var token = Accounts._storedLoginToken();
+      test.isFalse(token);
+      this.secondConn.close();
+      Meteor.loginWithToken(
+        self.beforeLogoutOthersToken,
+        expect(function (err) {
+          test.isTrue(err);
+          test.isFalse(Meteor.userId());
+        })
+      );
+    },
+    // Test that logoutOtherClients returned a new token that we can use to
+    // log in.
+    function (test, expect) {
+      var self = this;
+      Meteor.loginWithToken(
+        self.tokenFromLogoutOthers,
+        expect(function (err) {
+          test.isFalse(err);
+          test.isTrue(Meteor.userId());
+        })
+      );
     },
     logoutStep,
     function (test, expect) {
+      var self = this;
       // Test that deleting a user logs out that user's connections.
-      var expectLoginError = expect(function (err) {
-        test.isTrue(err);
-      });
-      var firstLoginCallback = true;
-      Meteor.loginWithPassword(username, password2, function (err) {
-        if (firstLoginCallback) {
-          test.isFalse(err);
-          Meteor.call("removeUser", username);
-          // When the user is deleted, our connection will be closed, triggering
-          // a reconnect, which will trigger a login attempt.
-        } else {
-          expectLoginError(err);
-        }
-        firstLoginCallback = false;
+      Meteor.loginWithPassword(this.username, this.password, function (err) {
+        test.isFalse(err);
+        Meteor.call("removeUser", self.username);
       });
-    }
+    },
+    waitForLoggedOutStep
   ]);
-
 }) ();
 
 
 if (Meteor.isServer) (function () {
 
-  Meteor.methods({
-    expireTokens: function (oldestValidDate) {
-      Accounts._expireTokens(oldestValidDate);
-    },
-    removeUser: function (username) {
-      Meteor.users.remove({ "username": username });
-    }
-  });
-
   Tinytest.add(
     'passwords - setup more than one onCreateUserHook',
     function (test) {
diff --git a/packages/accounts-password/password_tests_setup.js b/packages/accounts-password/password_tests_setup.js
index e1142de7428..666819f226b 100644
--- a/packages/accounts-password/password_tests_setup.js
+++ b/packages/accounts-password/password_tests_setup.js
@@ -32,8 +32,6 @@ Accounts.config({
 });
 
 
-// This test properly belongs in accounts-base/accounts_tests.js, but
-// this is where the tests that actually log in are.
 Meteor.methods({
   testMeteorUser: function () { return Meteor.user(); },
   clearUsernameAndProfile: function () {
@@ -41,5 +39,12 @@ Meteor.methods({
       throw new Error("Not logged in!");
     Meteor.users.update(this.userId,
                         {$unset: {profile: 1, username: 1}});
+  },
+
+  expireTokens: function () {
+    Accounts._expireTokens(new Date(), this.userId);
+  },
+  removeUser: function (username) {
+    Meteor.users.remove({ "username": username });
   }
 });
diff --git a/packages/accounts-ui/package.js b/packages/accounts-ui/package.js
index 97d6ec4e26c..14560f5e9ef 100644
--- a/packages/accounts-ui/package.js
+++ b/packages/accounts-ui/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: "Simple templates to add login widgets to an app."
+  summary: "Simple templates to add login widgets to an app"
 });
 
 Package.on_use(function (api) {
diff --git a/packages/appcache/package.js b/packages/appcache/package.js
index 27700a35ec6..9edc1c5bb8e 100644
--- a/packages/appcache/package.js
+++ b/packages/appcache/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: "enable the application cache in the browser"
+  summary: "Enable the application cache in the browser"
 });
 
 Package.on_use(function (api) {
diff --git a/packages/browser-policy-common/.gitignore b/packages/browser-policy-common/.gitignore
new file mode 100644
index 00000000000..677a6fc2637
--- /dev/null
+++ b/packages/browser-policy-common/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/browser-policy-common/browser-policy-common.js b/packages/browser-policy-common/browser-policy-common.js
new file mode 100644
index 00000000000..9dd18f8556a
--- /dev/null
+++ b/packages/browser-policy-common/browser-policy-common.js
@@ -0,0 +1,27 @@
+BrowserPolicy = {};
+
+var inTest = false;
+
+BrowserPolicy._runningTest = function () {
+  return inTest;
+};
+
+BrowserPolicy._setRunningTest = function () {
+  inTest = true;
+};
+
+WebApp.connectHandlers.use(function (req, res, next) {
+  // Never set headers inside tests because they could break other tests.
+  if (BrowserPolicy._runningTest())
+    return next();
+
+  var xFrameOptions = BrowserPolicy.framing &&
+        BrowserPolicy.framing._constructXFrameOptions();
+  var csp = BrowserPolicy.content &&
+        BrowserPolicy.content._constructCsp();
+  if (xFrameOptions)
+    res.setHeader("X-Frame-Options", xFrameOptions);
+  if (csp)
+    res.setHeader("Content-Security-Policy", csp);
+  next();
+});
diff --git a/packages/browser-policy-common/package.js b/packages/browser-policy-common/package.js
new file mode 100644
index 00000000000..b4ae9276039
--- /dev/null
+++ b/packages/browser-policy-common/package.js
@@ -0,0 +1,10 @@
+Package.describe({
+  summary: "Common code for browser-policy packages",
+  internal: true
+});
+
+Package.on_use(function (api) {
+  api.use('webapp', 'server');
+  api.add_files('browser-policy-common.js', 'server');
+  api.export('BrowserPolicy', 'server');
+});
diff --git a/packages/browser-policy-content/.gitignore b/packages/browser-policy-content/.gitignore
new file mode 100644
index 00000000000..677a6fc2637
--- /dev/null
+++ b/packages/browser-policy-content/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/browser-policy-content/browser-policy-content.js b/packages/browser-policy-content/browser-policy-content.js
new file mode 100644
index 00000000000..b9ef18c27b9
--- /dev/null
+++ b/packages/browser-policy-content/browser-policy-content.js
@@ -0,0 +1,238 @@
+// By adding this package, you get the following default policy:
+// No eval or other string-to-code, and content can only be loaded from the
+// same origin as the app (except for XHRs and websocket connections, which can
+// go to any origin).
+//
+// Apps should call BrowserPolicy.content.disallowInlineScripts() if they are
+// not using any inline script tags and are willing to accept an extra round
+// trip on page load.
+//
+// BrowserPolicy.content functions for tweaking CSP:
+// allowInlineScripts()
+// disallowInlineScripts(): adds extra round-trip to page load time
+// allowInlineStyles()
+// disallowInlineStyles()
+// allowEval()
+// disallowEval()
+//
+// For each type of content (script, object, image, media, font, connect,
+// style), there are the following functions:
+// allow<content type>Origin(origin): allows the type of content to be loaded
+// from the given origin
+// allow<content type>DataUrl(): allows the content to be loaded from data: URLs
+// allow<content type>SameOrigin(): allows the content to be loaded from the
+// same origin
+// disallow<content type>(): disallows this type of content all together (can't
+// be called for script)
+//
+// The following functions allow you to set rules for all types of content at
+// once:
+// allowAllContentOrigin(origin)
+// allowAllContentDataUrl()
+// allowAllContentSameOrigin()
+// disallowAllContent()
+//
+
+var cspSrcs;
+var cachedCsp; // Avoid constructing the header out of cspSrcs when possible.
+
+// CSP keywords have to be single-quoted.
+var unsafeInline = "'unsafe-inline'";
+var unsafeEval = "'unsafe-eval'";
+var selfKeyword = "'self'";
+var noneKeyword = "'none'";
+
+BrowserPolicy.content = {};
+
+var parseCsp = function (csp) {
+  var policies = csp.split("; ");
+  cspSrcs = {};
+  _.each(policies, function (policy) {
+    if (policy[policy.length - 1] === ";")
+      policy = policy.substring(0, policy.length - 1);
+    var srcs = policy.split(" ");
+    var directive = srcs[0];
+    if (_.indexOf(srcs, noneKeyword) !== -1)
+      cspSrcs[directive] = null;
+    else
+      cspSrcs[directive] = srcs.slice(1);
+  });
+
+  if (cspSrcs["default-src"] === undefined)
+    throw new Error("Content Security Policies used with " +
+                    "browser-policy must specify a default-src.");
+
+  // Copy default-src sources to other directives.
+  _.each(cspSrcs, function (sources, directive) {
+    cspSrcs[directive] = _.union(sources || [], cspSrcs["default-src"] || []);
+  });
+};
+
+var removeCspSrc = function (directive, src) {
+  cspSrcs[directive] = _.without(cspSrcs[directive] || [], src);
+};
+
+// Prepare for a change to cspSrcs. Ensure that we have a key in the dictionary
+// and clear any cached CSP.
+var prepareForCspDirective = function (directive) {
+  cspSrcs = cspSrcs || {};
+  cachedCsp = null;
+  if (! _.has(cspSrcs, directive))
+    cspSrcs[directive] = _.clone(cspSrcs["default-src"]);
+};
+
+var setDefaultPolicy = function () {
+  // By default, unsafe inline scripts and styles are allowed, since we expect
+  // many apps will use them for analytics, etc. Unsafe eval is disallowed, and
+  // the only allowable content source is the same origin or data, except for
+  // connect which allows anything (since meteor.com apps make websocket
+  // connections to a lot of different origins).
+  BrowserPolicy.content.setPolicy("default-src 'self'; " +
+                                  "script-src 'self' 'unsafe-inline'; " +
+                                  "connect-src *; " +
+                                  "img-src data: 'self'; " +
+                                  "style-src 'self' 'unsafe-inline';");
+};
+
+var setWebAppInlineScripts = function (value) {
+  if (! BrowserPolicy._runningTest())
+    WebAppInternals.setInlineScriptsAllowed(value);
+};
+
+_.extend(BrowserPolicy.content, {
+  // Exported for tests and browser-policy-common.
+  _constructCsp: function () {
+    if (! cspSrcs || _.isEmpty(cspSrcs))
+      return null;
+
+    if (cachedCsp)
+      return cachedCsp;
+
+    var header = _.map(cspSrcs, function (srcs, directive) {
+      srcs = srcs || [];
+      if (_.isEmpty(srcs))
+        srcs = [noneKeyword];
+      var directiveCsp = _.uniq(srcs).join(" ");
+      return directive + " " + directiveCsp + ";";
+    });
+
+    header = header.join(" ");
+    cachedCsp = header;
+    return header;
+  },
+  _reset: function () {
+    cachedCsp = null;
+    setDefaultPolicy();
+  },
+
+  setPolicy: function (csp) {
+    cachedCsp = null;
+    parseCsp(csp);
+    setWebAppInlineScripts(
+      BrowserPolicy.content._keywordAllowed("script-src", unsafeInline)
+    );
+  },
+
+  _keywordAllowed: function (directive, keyword) {
+    return (cspSrcs[directive] &&
+            _.indexOf(cspSrcs[directive], keyword) !== -1);
+  },
+
+  // Helpers for creating content security policies
+
+  allowInlineScripts: function () {
+    prepareForCspDirective("script-src");
+    cspSrcs["script-src"].push(unsafeInline);
+    setWebAppInlineScripts(true);
+  },
+  disallowInlineScripts: function () {
+    prepareForCspDirective("script-src");
+    removeCspSrc("script-src", unsafeInline);
+    setWebAppInlineScripts(false);
+  },
+  allowEval: function () {
+    prepareForCspDirective("script-src");
+    cspSrcs["script-src"].push(unsafeEval);
+  },
+  disallowEval: function () {
+    prepareForCspDirective("script-src");
+    removeCspSrc("script-src", unsafeEval);
+  },
+  allowInlineStyles: function () {
+    prepareForCspDirective("style-src");
+    cspSrcs["style-src"].push(unsafeInline);
+  },
+  disallowInlineStyles: function () {
+    prepareForCspDirective("style-src");
+    removeCspSrc("style-src", unsafeInline);
+  },
+
+  // Functions for setting defaults
+  allowSameOriginForAll: function () {
+    BrowserPolicy.content.allowOriginForAll(selfKeyword);
+  },
+  allowDataUrlForAll: function () {
+    BrowserPolicy.content.allowOriginForAll("data:");
+  },
+  allowOriginForAll: function (origin) {
+    prepareForCspDirective("default-src");
+    _.each(_.keys(cspSrcs), function (directive) {
+      cspSrcs[directive].push(origin);
+    });
+  },
+  disallowAll: function () {
+    cachedCsp = null;
+    cspSrcs = {
+      "default-src": []
+    };
+    setWebAppInlineScripts(false);
+  }
+});
+
+// allow<Resource>Origin, allow<Resource>Data, allow<Resource>self, and
+// disallow<Resource> methods for each type of resource.
+_.each(["script", "object", "img", "media",
+        "font", "connect", "style"],
+       function (resource) {
+         var directive = resource + "-src";
+         var methodResource;
+         if (resource !== "img") {
+           methodResource = resource.charAt(0).toUpperCase() +
+             resource.slice(1);
+         } else {
+           methodResource = "Image";
+         }
+         var allowMethodName = "allow" + methodResource + "Origin";
+         var disallowMethodName = "disallow" + methodResource;
+         var allowDataMethodName = "allow" + methodResource + "DataUrl";
+         var allowSelfMethodName = "allow" + methodResource + "SameOrigin";
+
+         var disallow = function () {
+           cachedCsp = null;
+           cspSrcs[directive] = [];
+         };
+
+         BrowserPolicy.content[allowMethodName] = function (src) {
+           prepareForCspDirective(directive);
+           cspSrcs[directive].push(src);
+         };
+         if (resource === "script") {
+           BrowserPolicy.content[disallowMethodName] = function () {
+             disallow();
+             setWebAppInlineScripts(false);
+           };
+         } else {
+           BrowserPolicy.content[disallowMethodName] = disallow;
+         }
+         BrowserPolicy.content[allowDataMethodName] = function () {
+           prepareForCspDirective(directive);
+           cspSrcs[directive].push("data:");
+         };
+         BrowserPolicy.content[allowSelfMethodName] = function () {
+           prepareForCspDirective(directive);
+           cspSrcs[directive].push(selfKeyword);
+         };
+       });
+
+
+setDefaultPolicy();
diff --git a/packages/browser-policy-content/package.js b/packages/browser-policy-content/package.js
new file mode 100644
index 00000000000..49d29a7a17a
--- /dev/null
+++ b/packages/browser-policy-content/package.js
@@ -0,0 +1,9 @@
+Package.describe({
+  summary: "Configure content security policies"
+});
+
+Package.on_use(function (api) {
+  api.imply(["browser-policy-common"], "server");
+  api.add_files("browser-policy-content.js", "server");
+  api.use(["underscore", "browser-policy-common", "webapp"], "server");
+});
diff --git a/packages/browser-policy-framing/.gitignore b/packages/browser-policy-framing/.gitignore
new file mode 100644
index 00000000000..677a6fc2637
--- /dev/null
+++ b/packages/browser-policy-framing/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/browser-policy-framing/browser-policy-framing.js b/packages/browser-policy-framing/browser-policy-framing.js
new file mode 100644
index 00000000000..6b7439c3755
--- /dev/null
+++ b/packages/browser-policy-framing/browser-policy-framing.js
@@ -0,0 +1,39 @@
+// By adding this package, you get a default policy where only web pages on the
+// same origin as your app can frame your app.
+//
+// For controlling which origins can frame this app,
+// BrowserPolicy.framing.disallow()
+// BrowserPolicy.framing.restrictToOrigin(origin)
+// BrowserPolicy.framing.allowByAnyOrigin()
+
+var defaultXFrameOptions = "SAMEORIGIN";
+var xFrameOptions = defaultXFrameOptions;
+
+BrowserPolicy.framing = {};
+
+_.extend(BrowserPolicy.framing, {
+  // Exported for tests and browser-policy-common.
+  _constructXFrameOptions: function () {
+    return xFrameOptions;
+  },
+  _reset: function () {
+    xFrameOptions = defaultXFrameOptions;
+  },
+
+  disallow: function () {
+    xFrameOptions = "DENY";
+  },
+  // ALLOW-FROM not supported in Chrome or Safari.
+  restrictToOrigin: function (origin) {
+    // Trying to specify two allow-from throws to prevent users from
+    // accidentally overwriting an allow-from origin when they think they are
+    // adding multiple origins.
+    if (xFrameOptions && xFrameOptions.indexOf("ALLOW-FROM") === 0)
+      throw new Error("You can only specify one origin that is allowed to" +
+                      " frame this app.");
+    xFrameOptions = "ALLOW-FROM " + origin;
+  },
+  allowAll: function () {
+    xFrameOptions = null;
+  }
+});
diff --git a/packages/browser-policy-framing/package.js b/packages/browser-policy-framing/package.js
new file mode 100644
index 00000000000..e21a0ad8f86
--- /dev/null
+++ b/packages/browser-policy-framing/package.js
@@ -0,0 +1,9 @@
+Package.describe({
+  summary: "Restrict which websites can frame your app"
+});
+
+Package.on_use(function (api) {
+  api.imply(["browser-policy-common"], "server");
+  api.use(["underscore", "browser-policy-common"], "server");
+  api.add_files("browser-policy-framing.js", "server");
+});
diff --git a/packages/browser-policy/.gitignore b/packages/browser-policy/.gitignore
new file mode 100644
index 00000000000..677a6fc2637
--- /dev/null
+++ b/packages/browser-policy/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/browser-policy/browser-policy-test.js b/packages/browser-policy/browser-policy-test.js
new file mode 100644
index 00000000000..e8b00b20a18
--- /dev/null
+++ b/packages/browser-policy/browser-policy-test.js
@@ -0,0 +1,129 @@
+BrowserPolicy._setRunningTest();
+
+var cspsEqual = function (csp1, csp2) {
+  var cspToObj = function (csp) {
+    csp = csp.substring(0, csp.length - 1);
+    var parts = _.map(csp.split("; "), function (part) {
+      return part.split(" ");
+    });
+    var keys = _.map(parts, _.first);
+    var values = _.map(parts, _.rest);
+    _.each(values, function (value) {
+      value.sort();
+    });
+    return _.object(keys, values);
+  };
+
+  return EJSON.equals(cspToObj(csp1), cspToObj(csp2));
+};
+
+// It's important to call _reset() at the beginnning of these tests; otherwise
+// the headers left over at the end of the last test run will be used.
+
+Tinytest.add("browser-policy - csp", function (test) {
+  var defaultCsp = "default-src 'self'; script-src 'self' 'unsafe-inline'; " +
+        "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"
+
+  BrowserPolicy.content._reset();
+  // Default policy
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(), defaultCsp));
+  test.isTrue(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+
+  // Redundant whitelisting (inline scripts already allowed in default policy)
+  BrowserPolicy.content.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(), defaultCsp));
+
+  // Disallow inline scripts
+  BrowserPolicy.content.disallowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self'; script-src 'self'; " +
+                        "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"));
+  test.isFalse(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+
+  // Allow eval
+  BrowserPolicy.content.allowEval();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(), "default-src 'self'; script-src 'self' 'unsafe-eval'; " +
+                        "connect-src * 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline';"));
+
+  // Disallow inline styles
+  BrowserPolicy.content.disallowInlineStyles();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(), "default-src 'self'; script-src 'self' 'unsafe-eval'; " +
+                        "connect-src * 'self'; img-src data: 'self'; style-src 'self';"));
+
+  // Allow data: urls everywhere
+  BrowserPolicy.content.allowDataUrlForAll();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self' data:; script-src 'self' 'unsafe-eval' data:; " +
+                        "connect-src * data: 'self'; img-src data: 'self'; style-src 'self' data:;"));
+
+  // Disallow everything
+  BrowserPolicy.content.disallowAll();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(), "default-src 'none';"));
+  test.isFalse(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+
+  // Put inline scripts back in
+  BrowserPolicy.content.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'none'; script-src 'unsafe-inline';"));
+  test.isTrue(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+
+  // Add 'self' to all content types
+  BrowserPolicy.content.allowSameOriginForAll();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self'; script-src 'self' 'unsafe-inline';"));
+  test.isTrue(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+
+  // Disallow all content except same-origin scripts
+  BrowserPolicy.content.disallowAll();
+  BrowserPolicy.content.allowScriptSameOrigin();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'none'; script-src 'self';"));
+  test.isFalse(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+
+  // Starting with all content same origin, disallowScript() and then allow
+  // inline scripts. Result should be that that only inline scripts can execute,
+  // not same-origin scripts.
+  BrowserPolicy.content.disallowAll();
+  BrowserPolicy.content.allowSameOriginForAll();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(), "default-src 'self';"));
+  BrowserPolicy.content.disallowScript();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self'; script-src 'none';"));
+  test.isFalse(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+  BrowserPolicy.content.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self'; script-src 'unsafe-inline';"));
+  test.isTrue(BrowserPolicy.content._keywordAllowed("script-src", "'unsafe-inline'"));
+
+  // Starting with all content same origin, allow inline scripts. (Should result
+  // in both same origin and inline scripts allowed.)
+  BrowserPolicy.content.disallowAll();
+  BrowserPolicy.content.allowSameOriginForAll();
+  BrowserPolicy.content.allowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self'; script-src 'self' 'unsafe-inline';"));
+  BrowserPolicy.content.disallowInlineScripts();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self'; script-src 'self';"));
+
+  // Allow same origin for all content, then disallow object entirely.
+  BrowserPolicy.content.disallowAll();
+  BrowserPolicy.content.allowSameOriginForAll();
+  BrowserPolicy.content.disallowObject();
+  test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
+                        "default-src 'self'; object-src 'none';"));
+});
+
+Tinytest.add("browser-policy - x-frame-options", function (test) {
+  BrowserPolicy.framing._reset();
+  test.equal(BrowserPolicy.framing._constructXFrameOptions(), "SAMEORIGIN");
+  BrowserPolicy.framing.disallow();
+  test.equal(BrowserPolicy.framing._constructXFrameOptions(), "DENY");
+  BrowserPolicy.framing.allowAll();
+  test.equal(BrowserPolicy.framing._constructXFrameOptions(), null);
+  BrowserPolicy.framing.restrictToOrigin("foo.com");
+  test.equal(BrowserPolicy.framing._constructXFrameOptions(), "ALLOW-FROM foo.com");
+  test.throws(function () {
+    BrowserPolicy.framing.restrictToOrigin("bar.com");
+  });
+});
diff --git a/packages/browser-policy/package.js b/packages/browser-policy/package.js
new file mode 100644
index 00000000000..0addf3d458f
--- /dev/null
+++ b/packages/browser-policy/package.js
@@ -0,0 +1,13 @@
+Package.describe({
+  summary: "Configure security policies enforced by the browser"
+});
+
+Package.on_use(function (api) {
+  api.use(['browser-policy-content', 'browser-policy-framing'], 'server');
+  api.imply(['browser-policy-common'], 'server');
+});
+
+Package.on_test(function (api) {
+  api.use(["tinytest", "browser-policy", "ejson"], "server");
+  api.add_files("browser-policy-test.js", "server");
+});
diff --git a/packages/ctl-helper/.npm/package/npm-shrinkwrap.json b/packages/ctl-helper/.npm/package/npm-shrinkwrap.json
index 2608d0fcd04..18e7c137adc 100644
--- a/packages/ctl-helper/.npm/package/npm-shrinkwrap.json
+++ b/packages/ctl-helper/.npm/package/npm-shrinkwrap.json
@@ -1,10 +1,13 @@
 {
   "dependencies": {
     "optimist": {
-      "version": "0.4.0",
+      "version": "0.6.0",
       "dependencies": {
         "wordwrap": {
           "version": "0.0.2"
+        },
+        "minimist": {
+          "version": "0.0.5"
         }
       }
     }
diff --git a/packages/ctl-helper/package.js b/packages/ctl-helper/package.js
index 52a53942379..d72a7f51800 100644
--- a/packages/ctl-helper/package.js
+++ b/packages/ctl-helper/package.js
@@ -1,8 +1,9 @@
 Package.describe({
-  summary: "Helpers for control programs"
+  summary: "Helpers for control programs",
+  internal: true
 });
 
-Npm.depends({optimist: '0.4.0'});
+Npm.depends({optimist: '0.6.0'});
 
 Package.on_use(function (api) {
   api.use(['underscore', 'livedata', 'mongo-livedata'], 'server');
diff --git a/packages/ctl/package.js b/packages/ctl/package.js
index a8966c19ccf..200c4a14083 100644
--- a/packages/ctl/package.js
+++ b/packages/ctl/package.js
@@ -1,5 +1,6 @@
 Package.describe({
-  summary: "Default control program for an application"
+  summary: "Default control program for an application",
+  internal: true
 });
 
 Package.on_use(function (api) {
diff --git a/packages/d3/package.js b/packages/d3/package.js
index eac342c7e38..c03f6d656ad 100644
--- a/packages/d3/package.js
+++ b/packages/d3/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: "Library for manipulating documents based on data."
+  summary: "Library for manipulating documents based on data"
 });
 
 Package.on_use(function (api) {
diff --git a/packages/ejson/ejson.js b/packages/ejson/ejson.js
index 222a289e50c..7bb28ef20ba 100644
--- a/packages/ejson/ejson.js
+++ b/packages/ejson/ejson.js
@@ -18,6 +18,10 @@ EJSON.addType = function (name, factory) {
   customTypes[name] = factory;
 };
 
+var isInfOrNan = function (obj) {
+  return _.isNaN(obj) || obj === Infinity || obj === -Infinity;
+};
+
 var builtinConverters = [
   { // Date
     matchJSONValue: function (obj) {
@@ -33,6 +37,26 @@ var builtinConverters = [
       return new Date(obj.$date);
     }
   },
+  { // NaN, Inf, -Inf. (These are the only objects with typeof !== 'object'
+    // which we match.)
+    matchJSONValue: function (obj) {
+      return _.has(obj, '$InfNaN') && _.size(obj) === 1;
+    },
+    matchObject: isInfOrNan,
+    toJSONValue: function (obj) {
+      var sign;
+      if (_.isNaN(obj))
+        sign = 0;
+      else if (obj === Infinity)
+        sign = 1;
+      else
+        sign = -1;
+      return {$InfNaN: sign};
+    },
+    fromJSONValue: function (obj) {
+      return obj.$InfNaN/0;
+    }
+  },
   { // Binary
     matchJSONValue: function (obj) {
       return _.has(obj, '$binary') && _.size(obj) === 1;
@@ -104,14 +128,23 @@ EJSON._isCustomType = function (obj) {
 // for both arrays and objects, in-place modification.
 var adjustTypesToJSONValue =
 EJSON._adjustTypesToJSONValue = function (obj) {
+  // Is it an atom that we need to adjust?
   if (obj === null)
     return null;
   var maybeChanged = toJSONValueHelper(obj);
   if (maybeChanged !== undefined)
     return maybeChanged;
+
+  // Other atoms are unchanged.
+  if (typeof obj !== 'object')
+    return obj;
+
+  // Iterate over array or object structure.
   _.each(obj, function (value, key) {
-    if (typeof value !== 'object' && value !== undefined)
+    if (typeof value !== 'object' && value !== undefined &&
+        !isInfOrNan(value))
       return; // continue
+
     var changed = toJSONValueHelper(value);
     if (changed) {
       obj[key] = changed;
@@ -158,6 +191,11 @@ EJSON._adjustTypesFromJSONValue = function (obj) {
   var maybeChanged = fromJSONValueHelper(obj);
   if (maybeChanged !== obj)
     return maybeChanged;
+
+  // Other atoms are unchanged.
+  if (typeof obj !== 'object')
+    return obj;
+
   _.each(obj, function (value, key) {
     if (typeof value === 'object') {
       var changed = fromJSONValueHelper(value);
@@ -206,8 +244,13 @@ EJSON.fromJSONValue = function (item) {
   }
 };
 
-EJSON.stringify = function (item) {
-  return JSON.stringify(EJSON.toJSONValue(item));
+EJSON.stringify = function (item, options) {
+  var json = EJSON.toJSONValue(item);
+  if (options && (options.canonical || options.indent)) {
+    return EJSON._canonicalStringify(json, options);
+  } else {
+    return JSON.stringify(json);
+  }
 };
 
 EJSON.parse = function (item) {
@@ -226,6 +269,9 @@ EJSON.equals = function (a, b, options) {
   var keyOrderSensitive = !!(options && options.keyOrderSensitive);
   if (a === b)
     return true;
+  if (_.isNaN(a) && _.isNaN(b))
+    return true; // This differs from the IEEE spec for NaN equality, b/c we don't want
+                 // anything ever with a NaN to be poisoned from becoming equal to anything.
   if (!a || !b) // if either one is falsy, they'd have to be === to be equal
     return false;
   if (!(typeof a === 'object' && typeof b === 'object'))
@@ -307,6 +353,7 @@ EJSON.clone = function (v) {
     }
     return ret;
   }
+  // XXX: Use something better than underscore's isArray
   if (_.isArray(v) || _.isArguments(v)) {
     // For some reason, _.map doesn't work in this context on Opera (weird test
     // failures).
diff --git a/packages/ejson/ejson_test.js b/packages/ejson/ejson_test.js
index 27c39d60856..a87c17cb17f 100644
--- a/packages/ejson/ejson_test.js
+++ b/packages/ejson/ejson_test.js
@@ -52,6 +52,31 @@ Tinytest.add("ejson - equality and falsiness", function (test) {
   test.isFalse(EJSON.equals({foo: "foo"}, undefined));
 });
 
+Tinytest.add("ejson - NaN and Inf", function (test) {
+  test.equal(EJSON.parse("{\"$InfNaN\": 1}"), Infinity);
+  test.equal(EJSON.parse("{\"$InfNaN\": -1}"), -Infinity);
+  test.isTrue(_.isNaN(EJSON.parse("{\"$InfNaN\": 0}")));
+  test.equal(EJSON.parse(EJSON.stringify(Infinity)), Infinity);
+  test.equal(EJSON.parse(EJSON.stringify(-Infinity)), -Infinity);
+  test.isTrue(_.isNaN(EJSON.parse(EJSON.stringify(NaN))));
+  test.isTrue(EJSON.equals(NaN, NaN));
+  test.isTrue(EJSON.equals(Infinity, Infinity));
+  test.isTrue(EJSON.equals(-Infinity, -Infinity));
+  test.isFalse(EJSON.equals(Infinity, -Infinity));
+  test.isFalse(EJSON.equals(Infinity, NaN));
+  test.isFalse(EJSON.equals(Infinity, 0));
+  test.isFalse(EJSON.equals(NaN, 0));
+
+  test.isTrue(EJSON.equals(
+    EJSON.parse("{\"a\": {\"$InfNaN\": 1}}"),
+    {a: Infinity}
+  ));
+  test.isTrue(EJSON.equals(
+    EJSON.parse("{\"a\": {\"$InfNaN\": 0}}"),
+    {a: NaN}
+  ));
+});
+
 Tinytest.add("ejson - clone", function (test) {
   var cloneTest = function (x, identical) {
     var y = EJSON.clone(x);
@@ -73,6 +98,85 @@ Tinytest.add("ejson - clone", function (test) {
   testCloneArgs(1, 2, "foo", [4]);
 });
 
+Tinytest.add("ejson - stringify", function (test) {
+  test.equal(EJSON.stringify(null), "null");
+  test.equal(EJSON.stringify(true), "true");
+  test.equal(EJSON.stringify(false), "false");
+  test.equal(EJSON.stringify(123), "123");
+  test.equal(EJSON.stringify("abc"), "\"abc\"");
+
+  test.equal(EJSON.stringify([1, 2, 3]),
+     "[1,2,3]"
+  );
+  test.equal(EJSON.stringify([1, 2, 3], {indent: true}),
+    "[\n  1,\n  2,\n  3\n]"
+  );
+  test.equal(EJSON.stringify([1, 2, 3], {canonical: false}),
+    "[1,2,3]"
+  );
+  test.equal(EJSON.stringify([1, 2, 3], {indent: true, canonical: false}),
+    "[\n  1,\n  2,\n  3\n]"
+  );
+
+  test.equal(EJSON.stringify([1, 2, 3], {indent: 4}),
+    "[\n    1,\n    2,\n    3\n]"
+  );
+  test.equal(EJSON.stringify([1, 2, 3], {indent: '--'}),
+    "[\n--1,\n--2,\n--3\n]"
+  );
+
+  test.equal(
+    EJSON.stringify(
+      {b: [2, {d: 4, c: 3}], a: 1},
+      {canonical: true}
+    ),
+    "{\"a\":1,\"b\":[2,{\"c\":3,\"d\":4}]}"
+  );
+  test.equal(
+    EJSON.stringify(
+      {b: [2, {d: 4, c: 3}], a: 1},
+      {
+        indent: true,
+        canonical: true
+      }
+    ),
+    "{\n" +
+    "  \"a\": 1,\n" +
+    "  \"b\": [\n" +
+    "    2,\n" +
+    "    {\n" +
+    "      \"c\": 3,\n" +
+    "      \"d\": 4\n" +
+    "    }\n" +
+    "  ]\n" +
+    "}"
+  );
+  test.equal(
+    EJSON.stringify(
+      {b: [2, {d: 4, c: 3}], a: 1},
+      {canonical: false}
+    ),
+    "{\"b\":[2,{\"d\":4,\"c\":3}],\"a\":1}"
+  );
+  test.equal(
+    EJSON.stringify(
+      {b: [2, {d: 4, c: 3}], a: 1},
+      {indent: true, canonical: false}
+    ),
+    "{\n" +
+    "  \"b\": [\n" +
+    "    2,\n" +
+    "    {\n" +
+    "      \"d\": 4,\n" +
+    "      \"c\": 3\n" +
+    "    }\n" +
+    "  ],\n" +
+    "  \"a\": 1\n" +
+    "}"
+
+  );
+});
+
 Tinytest.add("ejson - parse", function (test) {
   test.equal(EJSON.parse("[1,2,3]"), [1,2,3]);
   test.throws(
diff --git a/packages/ejson/package.js b/packages/ejson/package.js
index f3b93dbc2b1..226c233bafb 100644
--- a/packages/ejson/package.js
+++ b/packages/ejson/package.js
@@ -8,6 +8,7 @@ Package.on_use(function (api) {
   api.export('EJSON');
   api.export('EJSONTest', {testOnly: true});
   api.add_files('ejson.js', ['client', 'server']);
+  api.add_files('stringify.js', ['client', 'server']);
   api.add_files('base64.js', ['client', 'server']);
 });
 
diff --git a/packages/ejson/stringify.js b/packages/ejson/stringify.js
new file mode 100644
index 00000000000..1ce9ad6baf1
--- /dev/null
+++ b/packages/ejson/stringify.js
@@ -0,0 +1,118 @@
+// Based on json2.js from https://github.com/douglascrockford/JSON-js
+//
+//    json2.js
+//    2012-10-08
+//
+//    Public Domain.
+//
+//    NO WARRANTY EXPRESSED OR IMPLIED. USE AT YOUR OWN RISK.
+
+function quote(string) {
+  return JSON.stringify(string);
+}
+
+var str = function (key, holder, singleIndent, outerIndent, canonical) {
+
+  // Produce a string from holder[key].
+
+  var i;          // The loop counter.
+  var k;          // The member key.
+  var v;          // The member value.
+  var length;
+  var innerIndent = outerIndent;
+  var partial;
+  var value = holder[key];
+
+  // What happens next depends on the value's type.
+
+  switch (typeof value) {
+  case 'string':
+    return quote(value);
+  case 'number':
+    // JSON numbers must be finite. Encode non-finite numbers as null.
+    return isFinite(value) ? String(value) : 'null';
+  case 'boolean':
+    return String(value);
+  // If the type is 'object', we might be dealing with an object or an array or
+  // null.
+  case 'object':
+    // Due to a specification blunder in ECMAScript, typeof null is 'object',
+    // so watch out for that case.
+    if (!value) {
+      return 'null';
+    }
+    // Make an array to hold the partial results of stringifying this object value.
+    innerIndent = outerIndent + singleIndent;
+    partial = [];
+
+    // Is the value an array?
+    if (_.isArray(value) || _.isArguments(value)) {
+
+      // The value is an array. Stringify every element. Use null as a placeholder
+      // for non-JSON values.
+
+      length = value.length;
+      for (i = 0; i < length; i += 1) {
+        partial[i] = str(i, value, singleIndent, innerIndent, canonical) || 'null';
+      }
+
+      // Join all of the elements together, separated with commas, and wrap them in
+      // brackets.
+
+      if (partial.length === 0) {
+        v = '[]';
+      } else if (innerIndent) {
+        v = '[\n' + innerIndent + partial.join(',\n' + innerIndent) + '\n' + outerIndent + ']';
+      } else {
+        v = '[' + partial.join(',') + ']';
+      }
+      return v;
+    }
+
+
+    // Iterate through all of the keys in the object.
+    var keys = _.keys(value);
+    if (canonical)
+      keys = keys.sort();
+    _.each(keys, function (k) {
+      v = str(k, value, singleIndent, innerIndent, canonical);
+      if (v) {
+        partial.push(quote(k) + (innerIndent ? ': ' : ':') + v);
+      }
+    });
+
+
+    // Join all of the member texts together, separated with commas,
+    // and wrap them in braces.
+
+    if (partial.length === 0) {
+      v = '{}';
+    } else if (innerIndent) {
+      v = '{\n' + innerIndent + partial.join(',\n' + innerIndent) + '\n' + outerIndent + '}';
+    } else {
+      v = '{' + partial.join(',') + '}';
+    }
+    return v;
+  }
+}
+
+// If the JSON object does not yet have a stringify method, give it one.
+
+EJSON._canonicalStringify = function (value, options) {
+  // Make a fake root object containing our value under the key of ''.
+  // Return the result of stringifying the value.
+  options = _.extend({
+    indent: "",
+    canonical: false
+  }, options);
+  if (options.indent === true) {
+    options.indent = "  ";
+  } else if (typeof options.indent === 'number') {
+    var newIndent = "";
+    for (var i = 0; i < options.indent; i++) {
+      newIndent += ' ';
+    }
+    options.indent = newIndent;
+  }
+  return str('', {'': value}, options.indent, "", options.canonical);
+};
diff --git a/packages/email/.npm/package/npm-shrinkwrap.json b/packages/email/.npm/package/npm-shrinkwrap.json
index e5d3a7cb308..3d84231100b 100644
--- a/packages/email/.npm/package/npm-shrinkwrap.json
+++ b/packages/email/.npm/package/npm-shrinkwrap.json
@@ -9,7 +9,7 @@
       }
     },
     "simplesmtp": {
-      "version": "0.1.25",
+      "version": "0.3.10",
       "dependencies": {
         "rai": {
           "version": "0.1.7"
@@ -20,7 +20,7 @@
       }
     },
     "stream-buffers": {
-      "version": "0.2.3"
+      "version": "0.2.5"
     }
   }
 }
diff --git a/packages/email/package.js b/packages/email/package.js
index 89982dfce3e..d88a91f7e0a 100644
--- a/packages/email/package.js
+++ b/packages/email/package.js
@@ -2,9 +2,12 @@ Package.describe({
   summary: "Send email messages"
 });
 
-// Pinned at older version. 0.1.16+ uses mimelib, not mimelib-noiconv
-// which is much bigger. We need a better solution.
-Npm.depends({mailcomposer: "0.1.15", simplesmtp: "0.1.25", "stream-buffers": "0.2.3"});
+Npm.depends({
+  // Pinned at older version. 0.1.16+ uses mimelib, not mimelib-noiconv which is
+  // much bigger. We need a better solution.
+  mailcomposer: "0.1.15",
+  simplesmtp: "0.3.10",
+  "stream-buffers": "0.2.5"});
 
 Package.on_use(function (api) {
   api.use('underscore', 'server');
diff --git a/packages/geojson-utils/.gitignore b/packages/geojson-utils/.gitignore
new file mode 100644
index 00000000000..677a6fc2637
--- /dev/null
+++ b/packages/geojson-utils/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/geojson-utils/geojson-utils.js b/packages/geojson-utils/geojson-utils.js
new file mode 100644
index 00000000000..82d8068263f
--- /dev/null
+++ b/packages/geojson-utils/geojson-utils.js
@@ -0,0 +1,380 @@
+(function () {
+  var gju = {};
+
+  // Export the geojson object for **CommonJS**
+  if (typeof module !== 'undefined' && module.exports) {
+    module.exports = gju;
+  }
+
+  // adapted from http://www.kevlindev.com/gui/math/intersection/Intersection.js
+  gju.lineStringsIntersect = function (l1, l2) {
+    var intersects = [];
+    for (var i = 0; i <= l1.coordinates.length - 2; ++i) {
+      for (var j = 0; j <= l2.coordinates.length - 2; ++j) {
+        var a1 = {
+          x: l1.coordinates[i][1],
+          y: l1.coordinates[i][0]
+        },
+          a2 = {
+            x: l1.coordinates[i + 1][1],
+            y: l1.coordinates[i + 1][0]
+          },
+          b1 = {
+            x: l2.coordinates[j][1],
+            y: l2.coordinates[j][0]
+          },
+          b2 = {
+            x: l2.coordinates[j + 1][1],
+            y: l2.coordinates[j + 1][0]
+          },
+          ua_t = (b2.x - b1.x) * (a1.y - b1.y) - (b2.y - b1.y) * (a1.x - b1.x),
+          ub_t = (a2.x - a1.x) * (a1.y - b1.y) - (a2.y - a1.y) * (a1.x - b1.x),
+          u_b = (b2.y - b1.y) * (a2.x - a1.x) - (b2.x - b1.x) * (a2.y - a1.y);
+        if (u_b != 0) {
+          var ua = ua_t / u_b,
+            ub = ub_t / u_b;
+          if (0 <= ua && ua <= 1 && 0 <= ub && ub <= 1) {
+            intersects.push({
+              'type': 'Point',
+              'coordinates': [a1.x + ua * (a2.x - a1.x), a1.y + ua * (a2.y - a1.y)]
+            });
+          }
+        }
+      }
+    }
+    if (intersects.length == 0) intersects = false;
+    return intersects;
+  }
+
+  // Bounding Box
+
+  function boundingBoxAroundPolyCoords (coords) {
+    var xAll = [], yAll = []
+
+    for (var i = 0; i < coords[0].length; i++) {
+      xAll.push(coords[0][i][1])
+      yAll.push(coords[0][i][0])
+    }
+
+    xAll = xAll.sort(function (a,b) { return a - b })
+    yAll = yAll.sort(function (a,b) { return a - b })
+
+    return [ [xAll[0], yAll[0]], [xAll[xAll.length - 1], yAll[yAll.length - 1]] ]
+  }
+
+  gju.pointInBoundingBox = function (point, bounds) {
+    return !(point.coordinates[1] < bounds[0][0] || point.coordinates[1] > bounds[1][0] || point.coordinates[0] < bounds[0][1] || point.coordinates[0] > bounds[1][1]) 
+  }
+
+  // Point in Polygon
+  // http://www.ecse.rpi.edu/Homepages/wrf/Research/Short_Notes/pnpoly.html#Listing the Vertices
+
+  function pnpoly (x,y,coords) {
+    var vert = [ [0,0] ]
+
+    for (var i = 0; i < coords.length; i++) {
+      for (var j = 0; j < coords[i].length; j++) {
+        vert.push(coords[i][j])
+      }
+      vert.push([0,0])
+    }
+
+    var inside = false
+    for (var i = 0, j = vert.length - 1; i < vert.length; j = i++) {
+      if (((vert[i][0] > y) != (vert[j][0] > y)) && (x < (vert[j][1] - vert[i][1]) * (y - vert[i][0]) / (vert[j][0] - vert[i][0]) + vert[i][1])) inside = !inside
+    }
+
+    return inside
+  }
+
+  gju.pointInPolygon = function (p, poly) {
+    var coords = (poly.type == "Polygon") ? [ poly.coordinates ] : poly.coordinates
+
+    var insideBox = false
+    for (var i = 0; i < coords.length; i++) {
+      if (gju.pointInBoundingBox(p, boundingBoxAroundPolyCoords(coords[i]))) insideBox = true
+    }
+    if (!insideBox) return false
+
+    var insidePoly = false
+    for (var i = 0; i < coords.length; i++) {
+      if (pnpoly(p.coordinates[1], p.coordinates[0], coords[i])) insidePoly = true
+    }
+
+    return insidePoly
+  }
+
+  gju.numberToRadius = function (number) {
+    return number * Math.PI / 180;
+  }
+
+  gju.numberToDegree = function (number) {
+    return number * 180 / Math.PI;
+  }
+
+  // written with help from @tautologe
+  gju.drawCircle = function (radiusInMeters, centerPoint, steps) {
+    var center = [centerPoint.coordinates[1], centerPoint.coordinates[0]],
+      dist = (radiusInMeters / 1000) / 6371,
+      // convert meters to radiant
+      radCenter = [gju.numberToRadius(center[0]), gju.numberToRadius(center[1])],
+      steps = steps || 15,
+      // 15 sided circle
+      poly = [[center[0], center[1]]];
+    for (var i = 0; i < steps; i++) {
+      var brng = 2 * Math.PI * i / steps;
+      var lat = Math.asin(Math.sin(radCenter[0]) * Math.cos(dist)
+              + Math.cos(radCenter[0]) * Math.sin(dist) * Math.cos(brng));
+      var lng = radCenter[1] + Math.atan2(Math.sin(brng) * Math.sin(dist) * Math.cos(radCenter[0]),
+                                          Math.cos(dist) - Math.sin(radCenter[0]) * Math.sin(lat));
+      poly[i] = [];
+      poly[i][1] = gju.numberToDegree(lat);
+      poly[i][0] = gju.numberToDegree(lng);
+    }
+    return {
+      "type": "Polygon",
+      "coordinates": [poly]
+    };
+  }
+
+  // assumes rectangle starts at lower left point
+  gju.rectangleCentroid = function (rectangle) {
+    var bbox = rectangle.coordinates[0];
+    var xmin = bbox[0][0],
+      ymin = bbox[0][1],
+      xmax = bbox[2][0],
+      ymax = bbox[2][1];
+    var xwidth = xmax - xmin;
+    var ywidth = ymax - ymin;
+    return {
+      'type': 'Point',
+      'coordinates': [xmin + xwidth / 2, ymin + ywidth / 2]
+    };
+  }
+
+  // from http://www.movable-type.co.uk/scripts/latlong.html
+  gju.pointDistance = function (pt1, pt2) {
+    var lon1 = pt1.coordinates[0],
+      lat1 = pt1.coordinates[1],
+      lon2 = pt2.coordinates[0],
+      lat2 = pt2.coordinates[1],
+      dLat = gju.numberToRadius(lat2 - lat1),
+      dLon = gju.numberToRadius(lon2 - lon1),
+      a = Math.pow(Math.sin(dLat / 2), 2) + Math.cos(gju.numberToRadius(lat1))
+        * Math.cos(gju.numberToRadius(lat2)) * Math.pow(Math.sin(dLon / 2), 2),
+      c = 2 * Math.atan2(Math.sqrt(a), Math.sqrt(1 - a));
+    // Earth radius is 6371 km
+    return (6371 * c) * 1000; // returns meters
+  },
+
+  // checks if geometry lies entirely within a circle
+  // works with Point, LineString, Polygon
+  gju.geometryWithinRadius = function (geometry, center, radius) {
+    if (geometry.type == 'Point') {
+      return gju.pointDistance(geometry, center) <= radius;
+    } else if (geometry.type == 'LineString' || geometry.type == 'Polygon') {
+      var point = {};
+      var coordinates;
+      if (geometry.type == 'Polygon') {
+        // it's enough to check the exterior ring of the Polygon
+        coordinates = geometry.coordinates[0];
+      } else {
+        coordinates = geometry.coordinates;
+      }
+      for (var i in coordinates) {
+        point.coordinates = coordinates[i];
+        if (gju.pointDistance(point, center) > radius) {
+          return false;
+        }
+      }
+    }
+    return true;
+  }
+
+  // adapted from http://paulbourke.net/geometry/polyarea/javascript.txt
+  gju.area = function (polygon) {
+    var area = 0;
+    // TODO: polygon holes at coordinates[1]
+    var points = polygon.coordinates[0];
+    var j = points.length - 1;
+    var p1, p2;
+
+    for (var i = 0; i < points.length; j = i++) {
+      var p1 = {
+        x: points[i][1],
+        y: points[i][0]
+      };
+      var p2 = {
+        x: points[j][1],
+        y: points[j][0]
+      };
+      area += p1.x * p2.y;
+      area -= p1.y * p2.x;
+    }
+
+    area /= 2;
+    return area;
+  },
+
+  // adapted from http://paulbourke.net/geometry/polyarea/javascript.txt
+  gju.centroid = function (polygon) {
+    var f, x = 0,
+      y = 0;
+    // TODO: polygon holes at coordinates[1]
+    var points = polygon.coordinates[0];
+    var j = points.length - 1;
+    var p1, p2;
+
+    for (var i = 0; i < points.length; j = i++) {
+      var p1 = {
+        x: points[i][1],
+        y: points[i][0]
+      };
+      var p2 = {
+        x: points[j][1],
+        y: points[j][0]
+      };
+      f = p1.x * p2.y - p2.x * p1.y;
+      x += (p1.x + p2.x) * f;
+      y += (p1.y + p2.y) * f;
+    }
+
+    f = gju.area(polygon) * 6;
+    return {
+      'type': 'Point',
+      'coordinates': [y / f, x / f]
+    };
+  },
+
+  gju.simplify = function (source, kink) { /* source[] array of geojson points */
+    /* kink	in metres, kinks above this depth kept  */
+    /* kink depth is the height of the triangle abc where a-b and b-c are two consecutive line segments */
+    kink = kink || 20;
+    source = source.map(function (o) {
+      return {
+        lng: o.coordinates[0],
+        lat: o.coordinates[1]
+      }
+    });
+
+    var n_source, n_stack, n_dest, start, end, i, sig;
+    var dev_sqr, max_dev_sqr, band_sqr;
+    var x12, y12, d12, x13, y13, d13, x23, y23, d23;
+    var F = (Math.PI / 180.0) * 0.5;
+    var index = new Array(); /* aray of indexes of source points to include in the reduced line */
+    var sig_start = new Array(); /* indices of start & end of working section */
+    var sig_end = new Array();
+
+    /* check for simple cases */
+
+    if (source.length < 3) return (source); /* one or two points */
+
+    /* more complex case. initialize stack */
+
+    n_source = source.length;
+    band_sqr = kink * 360.0 / (2.0 * Math.PI * 6378137.0); /* Now in degrees */
+    band_sqr *= band_sqr;
+    n_dest = 0;
+    sig_start[0] = 0;
+    sig_end[0] = n_source - 1;
+    n_stack = 1;
+
+    /* while the stack is not empty  ... */
+    while (n_stack > 0) {
+
+      /* ... pop the top-most entries off the stacks */
+
+      start = sig_start[n_stack - 1];
+      end = sig_end[n_stack - 1];
+      n_stack--;
+
+      if ((end - start) > 1) { /* any intermediate points ? */
+
+        /* ... yes, so find most deviant intermediate point to
+        either side of line joining start & end points */
+
+        x12 = (source[end].lng() - source[start].lng());
+        y12 = (source[end].lat() - source[start].lat());
+        if (Math.abs(x12) > 180.0) x12 = 360.0 - Math.abs(x12);
+        x12 *= Math.cos(F * (source[end].lat() + source[start].lat())); /* use avg lat to reduce lng */
+        d12 = (x12 * x12) + (y12 * y12);
+
+        for (i = start + 1, sig = start, max_dev_sqr = -1.0; i < end; i++) {
+
+          x13 = source[i].lng() - source[start].lng();
+          y13 = source[i].lat() - source[start].lat();
+          if (Math.abs(x13) > 180.0) x13 = 360.0 - Math.abs(x13);
+          x13 *= Math.cos(F * (source[i].lat() + source[start].lat()));
+          d13 = (x13 * x13) + (y13 * y13);
+
+          x23 = source[i].lng() - source[end].lng();
+          y23 = source[i].lat() - source[end].lat();
+          if (Math.abs(x23) > 180.0) x23 = 360.0 - Math.abs(x23);
+          x23 *= Math.cos(F * (source[i].lat() + source[end].lat()));
+          d23 = (x23 * x23) + (y23 * y23);
+
+          if (d13 >= (d12 + d23)) dev_sqr = d23;
+          else if (d23 >= (d12 + d13)) dev_sqr = d13;
+          else dev_sqr = (x13 * y12 - y13 * x12) * (x13 * y12 - y13 * x12) / d12; // solve triangle
+          if (dev_sqr > max_dev_sqr) {
+            sig = i;
+            max_dev_sqr = dev_sqr;
+          }
+        }
+
+        if (max_dev_sqr < band_sqr) { /* is there a sig. intermediate point ? */
+          /* ... no, so transfer current start point */
+          index[n_dest] = start;
+          n_dest++;
+        } else { /* ... yes, so push two sub-sections on stack for further processing */
+          n_stack++;
+          sig_start[n_stack - 1] = sig;
+          sig_end[n_stack - 1] = end;
+          n_stack++;
+          sig_start[n_stack - 1] = start;
+          sig_end[n_stack - 1] = sig;
+        }
+      } else { /* ... no intermediate points, so transfer current start point */
+        index[n_dest] = start;
+        n_dest++;
+      }
+    }
+
+    /* transfer last point */
+    index[n_dest] = n_source - 1;
+    n_dest++;
+
+    /* make return array */
+    var r = new Array();
+    for (var i = 0; i < n_dest; i++)
+      r.push(source[index[i]]);
+
+    return r.map(function (o) {
+      return {
+        type: "Point",
+        coordinates: [o.lng, o.lat]
+      }
+    });
+  }
+
+  // http://www.movable-type.co.uk/scripts/latlong.html#destPoint
+  gju.destinationPoint = function (pt, brng, dist) {
+    dist = dist/6371;  // convert dist to angular distance in radians
+    brng = gju.numberToRadius(brng);
+
+    var lat1 = gju.numberToRadius(pt.coordinates[0]);
+    var lon1 = gju.numberToRadius(pt.coordinates[1]);
+
+    var lat2 = Math.asin( Math.sin(lat1)*Math.cos(dist) +
+                          Math.cos(lat1)*Math.sin(dist)*Math.cos(brng) );
+    var lon2 = lon1 + Math.atan2(Math.sin(brng)*Math.sin(dist)*Math.cos(lat1),
+                                 Math.cos(dist)-Math.sin(lat1)*Math.sin(lat2));
+    lon2 = (lon2+3*Math.PI) % (2*Math.PI) - Math.PI;  // normalise to -180..+180º
+
+    return {
+      'type': 'Point',
+      'coordinates': [gju.numberToDegree(lat2), gju.numberToDegree(lon2)]
+    };
+  };
+
+})();
diff --git a/packages/geojson-utils/geojson-utils.tests.js b/packages/geojson-utils/geojson-utils.tests.js
new file mode 100644
index 00000000000..73cc5d15540
--- /dev/null
+++ b/packages/geojson-utils/geojson-utils.tests.js
@@ -0,0 +1,102 @@
+var gju = GeoJSON;
+
+Tinytest.add("geojson-utils - line intersects", function (test) {
+  var diagonalUp = { "type": "LineString","coordinates": [
+    [0, 0], [10, 10]
+  ]}
+  var diagonalDown = { "type": "LineString","coordinates": [
+    [10, 0], [0, 10]
+  ]}
+  var farAway = { "type": "LineString","coordinates": [
+    [100, 100], [110, 110]
+  ]}
+
+  test.isTrue(gju.lineStringsIntersect(diagonalUp, diagonalDown));
+  test.isFalse(gju.lineStringsIntersect(diagonalUp, farAway));
+});
+
+// Used by two tests
+var box = {
+  "type": "Polygon",
+  "coordinates": [
+    [ [0, 0], [10, 0], [10, 10], [0, 10] ]
+  ]
+};
+
+Tinytest.add("geojson-utils - inside/outside of the box", function (test) {
+
+  var inBox = {"type": "Point", "coordinates": [5, 5]}
+  var outBox = {"type": "Point", "coordinates": [15, 15]}
+
+  test.isTrue(gju.pointInPolygon(inBox, box));
+  test.isFalse(gju.pointInPolygon(outBox, box));
+});
+
+Tinytest.add("geojson-utils - drawCircle", function (test) {
+  test.length(gju.drawCircle(10, {"type": "Point", "coordinates": [0, 0]}).
+               coordinates[0], 15);
+  test.length(gju.drawCircle(10, {"type": "Point", "coordinates": [0, 0]}, 50).
+              coordinates[0], 50);
+});
+
+Tinytest.add("geojson-utils - centroid", function (test) {
+  var centroid = gju.rectangleCentroid(box)
+  test.equal(centroid.coordinates[0], 5);
+  test.equal(centroid.coordinates[1], 5);
+});
+
+Tinytest.add("geojson-utils - point distance", function (test) {
+  var fairyLand = {"type": "Point",
+    "coordinates": [-122.260000705719, 37.80919060818706]}
+  var navalBase = {"type": "Point",
+    "coordinates": [-122.32083320617676, 37.78774223089045]}
+  test.equal(Math.floor(gju.pointDistance(fairyLand, navalBase)), 5852);
+});
+
+Tinytest.add("geojson-utils - points distance generated tests", function (test) {
+  var floatEqual = function (a, b) {
+    test.isTrue(Math.abs(a - b) < 0.000001);
+  };
+
+  // Pairs of points we will be looking a distance between
+  var tests = [[[-19.416501816827804,-13.442164216190577], [8.694866622798145,-8.511979941977188]],
+    [[151.2841189110186,-56.14564002258703], [167.77983197313733,0.05544793023727834]],
+    [[100.28413630579598,-88.02313695591874], [36.48786173714325,53.44207073468715]],
+    [[-70.34899035631679,76.51596869179048], [154.91605914011598,-73.60970971290953]],
+    [[96.28682994353585,58.77288202662021], [-118.33936230326071,72.07877089688554]],
+    [[140.35530551429838,10.507104953983799], [-67.73368513956666,38.075836981181055]],
+    [[69.55582775664516,86.25450283149257], [-18.446230484172702,6.116170521359891]],
+    [[163.83647522330284,-65.7211532376241], [-159.2198902608361,-78.42975475382991]],
+    [[-178.9383797585033,-54.87420454365201], [-175.35227065649815,-84.04084282391705]],
+    [[-48.63219943456352,11.284161149058491], [-179.12627786491066,-51.95622375886887]],
+    [[140.29684206470847,-67.20720696030185], [-109.37452355003916,36.03131077555008]],
+    [[-154.6698773431126,58.322094617411494], [61.18583445576951,-4.3424885796848685]],
+    [[122.5562841903884,10.43972848681733], [-11.756078708684072,-43.86124441982247]],
+    [[-67.91648306301795,-86.38826347864233], [163.577536230674,12.987319261068478]],
+    [[91.65140007715672,17.595150742679834], [135.80393003183417,22.307532118167728]],
+    [[-112.70280818711035,34.45729674655013], [-127.42168210959062,-25.51327457977459]],
+    [[-161.55807900894433,-77.40711871231906], [-92.66313794790767,-89.12077954714186]],
+    [[39.966264681424946,9.890176948625594], [-159.88646019320004,40.60383598925546]],
+    [[-57.48232689569704,86.64061016729102], [59.53941993578337,-75.73194969259202]],
+    [[-142.0938081513159,80.76813141163439], [14.891517050098628,64.56322408467531]]];
+
+  // correct distance between two points
+  var answers = [3115066.2536578891, 6423493.2321747802, 15848950.0402601473,
+    18714226.5425080135, 5223022.7731127860, 13874476.3135112207,
+    9314403.3309389465, 1831929.5917785936, 3244710.9344544266,
+    13691492.4666933995, 14525055.6462231465, 13261602.4336371962,
+    14275427.5511620939, 11699799.3615680672, 4628773.1129429890,
+    6846704.0253010122, 1368055.9401701286, 14041503.0409814864,
+    18560499.7346975356, 3793112.6186894816];
+
+  _.each(tests, function (pair, testN) {
+    var distance = GeoJSON.pointDistance.apply(this, _.map(pair, toGeoJSONPoint));
+    test.isTrue(Math.abs(distance - answers[testN]) < 0.00000001,
+      "Wrong distance between points " + JSON.stringify(pair) + ": " + distance);
+  });
+
+  function toGeoJSONPoint (coordinates) {
+    return { type: "Point", coordinates: coordinates };
+  }
+});
+
diff --git a/packages/geojson-utils/package.js b/packages/geojson-utils/package.js
new file mode 100644
index 00000000000..a82fb5e62df
--- /dev/null
+++ b/packages/geojson-utils/package.js
@@ -0,0 +1,16 @@
+Package.describe({
+  summary: 'GeoJSON utility functions (from https://github.com/maxogden/geojson-js-utils)',
+  internal: true
+});
+
+Package.on_use(function (api) {
+  api.export('GeoJSON');
+  api.add_files(['pre.js', 'geojson-utils.js', 'post.js']);
+});
+
+Package.on_test(function (api) {
+  api.use('tinytest');
+  api.use('geojson-utils');
+  api.add_files(['geojson-utils.tests.js'], 'client');
+});
+
diff --git a/packages/geojson-utils/post.js b/packages/geojson-utils/post.js
new file mode 100644
index 00000000000..7ac8bff75eb
--- /dev/null
+++ b/packages/geojson-utils/post.js
@@ -0,0 +1,4 @@
+// This exports object was created in pre.js.  Now copy the `exports` object
+// from it into the package-scope variable `GeoJSON`, which will get exported.
+GeoJSON = module.exports;
+
diff --git a/packages/geojson-utils/pre.js b/packages/geojson-utils/pre.js
new file mode 100644
index 00000000000..99ad3ca65d8
--- /dev/null
+++ b/packages/geojson-utils/pre.js
@@ -0,0 +1,4 @@
+// Define an object named exports. This will cause geojson-utils.js to put `gju`
+// as a field on it, instead of in the global namespace.  See also post.js.
+module = {exports:{}};
+
diff --git a/packages/google/google_client.js b/packages/google/google_client.js
index 4f8c29c1a3e..50e65c65dbe 100644
--- a/packages/google/google_client.js
+++ b/packages/google/google_client.js
@@ -44,6 +44,15 @@ Google.requestCredential = function (options, credentialRequestCompleteCallback)
         '&access_type=' + accessType +
         '&approval_prompt=' + approvalPrompt;
 
+  // Use Google's domain-specific login page if we want to restrict creation to
+  // a particular email domain. (Don't use it if restrictCreationByEmailDomain
+  // is a function.) Note that all this does is change Google's UI ---
+  // accounts-base/accounts_server.js still checks server-side that the server
+  // has the proper email address after the OAuth conversation.
+  if (typeof Accounts._options.restrictCreationByEmailDomain === 'string') {
+    loginUrl += '&hd=' + encodeURIComponent(Accounts._options.restrictCreationByEmailDomain);
+  }
+
   Oauth.initiateLogin(credentialToken,
                       loginUrl,
                       credentialRequestCompleteCallback,
diff --git a/packages/http/httpcall_tests.js b/packages/http/httpcall_tests.js
index ed6a14985ad..c05ad924825 100644
--- a/packages/http/httpcall_tests.js
+++ b/packages/http/httpcall_tests.js
@@ -249,11 +249,16 @@ testAsyncMulti("httpcall - methods", [
           test.equal(result.statusCode, 200);
           var data = result.data;
           test.equal(data.url, "/foo");
+
           // IE <= 8 turns seems to turn POSTs with no body into
           // GETs, inexplicably.
-          if (Meteor.isClient && $.browser.msie && $.browser.version <= 8
-              && meth === "POST")
-            meth = "GET";
+          //
+          // XXX Except now it doesn't!? Not sure what changed, but
+          // these lines now break the test...
+          // if (Meteor.isClient && $.browser.msie && $.browser.version <= 8
+          //     && meth === "POST")
+          //   meth = "GET";
+
           test.equal(data.method, meth);
         }));
     };
diff --git a/packages/js-analyze-tests/js_analyze_tests.js b/packages/js-analyze-tests/js_analyze_tests.js
index 416f9e1fe26..ea1add3533e 100644
--- a/packages/js-analyze-tests/js_analyze_tests.js
+++ b/packages/js-analyze-tests/js_analyze_tests.js
@@ -1,42 +1,3 @@
-Tinytest.add("js-analyze - findGlobalDottedRefs", function (test) {
-
-  var R = JSAnalyze.READ;
-  var W = JSAnalyze.WRITE;
-  var run = function (source) {
-    return JSAnalyze.findGlobalDottedRefs(source);
-  };
-
-  test.equal(run('x'), {x: R});
-  test.equal(run('x + y'), {x: R, y: R});
-  test.equal(run('x = y'), {x: W, y: R});
-  test.equal(run('var x; x = y'), {y: R});
-  test.equal(run('var y; x = y'), {x: W});
-  test.equal(run('var x,y; x = y'), {});
-  test.equal(run('for (x in y);'), {x: W, y: R});
-  test.equal(run('for (var x in y);'), {y: R});
-  test.equal(run('x++'), {x: W});
-  test.equal(run('var x = y'), {y: R});
-  test.equal(run('a.b[c.d]'), {'a.b': R, 'c.d': R});
-  test.equal(run('foo.bar[baz][c.d].z = 3'), {'foo.bar': W, baz: R, 'c.d': R});
-  test.equal(run('foo.bar(baz)[c.d].z = 3'), {'foo.bar': R, baz: R, 'c.d': R});
-  test.equal(run('var x = y.z; x.a = y; z.b;'), {'y.z': R, 'z.b': R, 'y': R});
-  test.equal(run('Foo.Bar'), {'Foo.Bar': R});
-  test.equal(run('Foo.Bar = 3'), {'Foo.Bar': W});
-  test.equal(run(
-    '(function (a, d) { var b = a, c; return f(a.z, b.z, c.z, d.z, e.z); })()'),
-             { 'f': R, 'e.z': R });
-  test.equal(run('try { Foo } catch (e) { e }'), {'Foo': R});
-  test.equal(run('try { Foo } catch (e) { Foo }'), {'Foo': R});
-  test.equal(run('try { Foo } catch (Foo) { Foo }'), {'Foo': R});
-  test.equal(run('try { e } catch (Foo) { Foo }'), {'e': R});
-  test.equal(run('var x = function y () { return String(y); }'), {'String': R});
-  test.equal(run('a[b=c] = d'), {a: W, b: W, c: R, d: R});
-  test.equal(run('a.a.a[b.b.b=c.c.c] = d.d.d'),
-             {'a.a.a': W, 'b.b.b': W, 'c.c.c': R, 'd.d.d': R});
-  // Without ignoreEval, this thinks J is global.
-  test.equal(run('function x(){var J;J=3;eval("foo");}'), {eval: R});
-});
-
 Tinytest.add("js-analyze - findAssignedGlobals", function (test) {
 
   var run = function (source, expected) {
diff --git a/packages/js-analyze-tests/package.js b/packages/js-analyze-tests/package.js
index a56fdb21d62..01b5b1952bd 100644
--- a/packages/js-analyze-tests/package.js
+++ b/packages/js-analyze-tests/package.js
@@ -1,5 +1,6 @@
 Package.describe({
-  summary: "Tests for JavaScript code analysis for Meteor"
+  summary: "Tests for JavaScript code analysis for Meteor",
+  internal: true
 });
 
 // The tests are in a separate package so that it is possible to compile
diff --git a/packages/js-analyze/.npm/package/npm-shrinkwrap.json b/packages/js-analyze/.npm/package/npm-shrinkwrap.json
index 52f22630197..29842c42b13 100644
--- a/packages/js-analyze/.npm/package/npm-shrinkwrap.json
+++ b/packages/js-analyze/.npm/package/npm-shrinkwrap.json
@@ -3,11 +3,13 @@
     "esprima": {
       "from": "https://github.com/ariya/esprima/tarball/2a41dbf0ddadade0b09a9a7cc9a0c8df9c434018"
     },
-    "estraverse": {
-      "version": "1.1.2-1"
-    },
     "escope": {
-      "from": "https://github.com/meteor/escope/tarball/fef31f03797be5718080f811f9ca6e5297c90d2a"
+      "version": "1.0.0",
+      "dependencies": {
+        "estraverse": {
+          "version": "1.3.1"
+        }
+      }
     }
   }
 }
diff --git a/packages/js-analyze/js_analyze.js b/packages/js-analyze/js_analyze.js
index 5e612b25f0f..ce4a2c34067 100644
--- a/packages/js-analyze/js_analyze.js
+++ b/packages/js-analyze/js_analyze.js
@@ -1,14 +1,8 @@
 var esprima = Npm.require('esprima');
 var escope = Npm.require('escope');
-var estraverse = Npm.require('estraverse');
-
-var Syntax = estraverse.Syntax;
 
 JSAnalyze = {};
 
-JSAnalyze.READ = 1;
-JSAnalyze.WRITE = 2;
-
 // Like esprima.parse, but annotates any thrown error with $ParseError = true.
 var esprimaParse = function (source) {
   try {
@@ -22,111 +16,6 @@ var esprimaParse = function (source) {
   }
 };
 
-// Analyze the JavaScript source code `source` and return a dictionary
-// of all the global dotted references.
-//
-// A global dotted reference is an expression of the form `Foo` or
-// `Foo.Bar.Baz`, where `Foo` is an access to a global variable not defined
-// in `source`.
-//
-// The value in the dictionary is either `JSAnalyze.READ`, if the reference
-// is only ever read and not written, or `JSAnalyze.WRITE` if the reference
-// is written (only or in addition).  A dotted reference is mapped to WRITE
-// if it is every assigned to, or if it is part of a larger
-// expression that is assigned to which consists of a series of dotted
-// or bracketed member access expressions.  For example, in
-// `Foo.Bar[baz].blah = 3`, the dotted reference `Foo.Bar` is reported
-// as WRITE.
-JSAnalyze.findGlobalDottedRefs = function (source) {
-  // escope's analyzer treats vars in the top-level "Program" node as globals.
-  // The newline is necessary in case source ends with a comment.
-  source = '(function () {' + source + '\n})';
-
-  var parseTree = esprimaParse(source);
-  var scoper = escope.analyze(parseTree, {ignoreEval: true});
-
-  var currentScope = null;
-  var dottedExpressionStack = [];
-
-  var globalsFound = {};
-
-  // Add _parent pointers to the tree
-  estraverse.traverse(parseTree, {
-    enter: function (node, parent) {
-      node._parent = parent;
-    }
-  });
-
-  estraverse.traverse(parseTree, {
-    enter: function (node, parent) {
-      currentScope = scoper.acquire(node) || currentScope;
-
-      if (node.type === Syntax.Identifier) {
-        var ref = null;
-        // Find an `escope.Reference` in the current Scope whose
-        // identifier node is `===` to `node`.  If found, this
-        // means escope determined this site to be a reference
-        // rather than some other identifier (like the `x` in
-        // `var x` or `a.x`).
-        for (var i = 0; i < currentScope.references.length; i++) {
-          if (currentScope.references[i].identifier === node) {
-            ref = currentScope.references[i];
-            break;
-          }
-        }
-        if (ref && ! ref.resolved) {
-          // global; not resolved to a local
-          var name = node.name;
-          var expr = node;
-          // find outer expression with dots, e.g. Foo.Bar.Baz
-          while (expr._parent &&
-                 expr._parent.type === Syntax.MemberExpression &&
-                 expr._parent.object === expr &&
-                 ! expr._parent.computed) {
-            expr = expr._parent;
-            name += '.' + expr.property.name;
-          }
-          // now expand expression to include bracketed access,
-          // e.g. Foo.Bar.Baz[3].blah
-          while (expr._parent &&
-                 expr._parent.type === Syntax.MemberExpression &&
-                 expr._parent.object === expr) {
-            expr = expr._parent;
-          }
-          var accessType;
-          // position of `expr`, aka `outer`, now determines whether this
-          // access is a READ or WRITE (which encompasses read/write)
-          var outer = expr;
-          var outerParent = expr._parent;
-          switch (outerParent.type) {
-          case Syntax.AssignmentExpression:
-            accessType = ((outerParent.left === outer) ? JSAnalyze.WRITE
-                          : JSAnalyze.READ);
-            break;
-          case Syntax.UpdateExpression: // prefix or postfix `++` or `--`
-            accessType = JSAnalyze.WRITE;
-            break;
-          case Syntax.ForInStatement:
-            accessType = (outerParent.left === outer ?
-                          JSAnalyze.WRITE : JSAnalyze.READ);
-            break;
-          default:
-            accessType = JSAnalyze.READ;
-            break;
-          }
-          globalsFound[name] = Math.max(globalsFound[name] || 0, accessType);
-        }
-      }
-    },
-    leave: function (node, parent) {
-      currentScope = scoper.release(node) || currentScope;
-    }
-  });
-
-  return globalsFound;
-};
-
-
 // Analyze the JavaScript source code `source` and return a dictionary of all
 // globals which are assigned to in the package. The values in the dictionary
 // are all `true`.
@@ -158,80 +47,12 @@ JSAnalyze.findAssignedGlobals = function (source) {
   // But it can't pull references outward, so for our purposes it is safe to
   // ignore.
   var scoper = escope.analyze(parseTree, {ignoreEval: true});
+  var globalScope = scoper.scopes[0];
 
-  var currentScope = null;
   var assignedGlobals = {};
-
-  // XXX This whole traversal is somewhat overkill. escope actually already
-  // calculates the implicit global variables. The following code ALMOST works,
-  // and doesn't even require ignoreEval:
-  //
-  //  var globalScope = scoper.acquire(parseTree);
-  //  if (globalScope.type !== 'global')
-  //    throw new Error("Unexpected scope type " + globalScope.type);
-  //
-  //  // can't use underscore because we want to have no dependencies
-  //  for (var i = 0; i < globalScope.variables.length; ++i) {
-  //    var variable = globalScope.variables[i];
-  //    // Because this is the global scope, and we wrap source in a function,
-  //    // the only variables in it should have a single implicit definition.
-  //    if (variable.defs.length !== 1)
-  //      throw new Error("Unexpected def length", variable.defs.length);
-  //    if (variable.defs[0].type !== escope.Variable.ImplicitGlobalVariable)
-  //      throw new Error("Unexpected def type", variable.defs[0].type);
-  //    assignedGlobals[variable.name] = true;
-  //  }
-  //
-  // Unfortunately, escope's ImplicitGlobalVariable search has several bugs.
-  //   https://github.com/Constellation/escope/issues/17
-
-
-  // Traverse the tree looking for assignments to unreferenced variables.
-  estraverse.traverse(parseTree, {
-    enter: function (node, parent) {
-      currentScope = scoper.acquire(node) || currentScope;
-
-      // We only care about identifiers.
-      if (node.type !== Syntax.Identifier)
-        return;
-      // We already know this one is an assigned global.
-      // (Avoid using _.has here so that we have no Meteor package
-      // dependencies.)
-      if (assignedGlobals.hasOwnProperty(node.name))
-        return;
-
-      var ref = null;
-      // Find an `escope.Reference` in the current Scope whose identifier node
-      // is `===` to `node`.  If found, this means escope determined this site
-      // to be a reference rather than some other identifier (like the `x` in
-      // `var x` or `a.x`).
-      for (var i = 0; i < currentScope.references.length; i++) {
-        if (currentScope.references[i].identifier === node) {
-          ref = currentScope.references[i];
-          break;
-        }
-      }
-      // If this isn't a reference at all, or it's been resolved to a local, do
-      // nothing.
-      if (!ref || ref.resolved)
-        return;
-
-      // OK, it's a global. But is it being assigned to? The situations where a
-      // global is assigned to are:
-      //    - left-hand side of an '=' assignment
-      //    - the `x` in `for (x in y)` (without a `var`)
-      // (You might think that ++, --, and the += family of operators also
-      // write to globals, but they can't in and of themselves conjure up
-      // a reference where none existed before.)
-      if ((parent.type === Syntax.AssignmentExpression && parent.left === node
-           && parent.operator === '=')
-          || (parent.type === Syntax.ForInStatement && parent.left === node)) {
-        assignedGlobals[node.name] = true;
-      }
-    },
-    leave: function (node, parent) {
-      currentScope = scoper.release(node) || currentScope;
-    }
+  // Underscore is not available in this package.
+  globalScope.implicit.variables.forEach(function (variable) {
+    assignedGlobals[variable.name] = true;
   });
 
   return assignedGlobals;
diff --git a/packages/js-analyze/package.js b/packages/js-analyze/package.js
index 8bc4b460b60..ca2bdd40efa 100644
--- a/packages/js-analyze/package.js
+++ b/packages/js-analyze/package.js
@@ -14,10 +14,7 @@ Npm.depends({
   // This code was originally written against the unreleased 1.1 branch. We can
   // probably switch to a built NPM version when it gets released.
   esprima: "https://github.com/ariya/esprima/tarball/2a41dbf0ddadade0b09a9a7cc9a0c8df9c434018",
-  estraverse: "1.1.2-1",
-  // Fork to add ignoreEval option.
-  // https://github.com/Constellation/escope/pull/18
-  escope: "https://github.com/meteor/escope/tarball/fef31f03797be5718080f811f9ca6e5297c90d2a"
+  escope: "1.0.0"
 });
 
 // This package may not depend on ANY other Meteor packages, even in the test
diff --git a/packages/less/package.js b/packages/less/package.js
index a6c8d7fe62f..afe116d38b4 100644
--- a/packages/less/package.js
+++ b/packages/less/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: "The dynamic stylesheet language."
+  summary: "The dynamic stylesheet language"
 });
 
 Package._transitional_registerBuildPlugin({
diff --git a/packages/livedata/.npm/package/npm-shrinkwrap.json b/packages/livedata/.npm/package/npm-shrinkwrap.json
index d7e6d5434dc..ffe3f903e9f 100644
--- a/packages/livedata/.npm/package/npm-shrinkwrap.json
+++ b/packages/livedata/.npm/package/npm-shrinkwrap.json
@@ -1,18 +1,23 @@
 {
   "dependencies": {
     "sockjs": {
-      "version": "0.3.7",
+      "version": "0.3.8",
       "dependencies": {
         "node-uuid": {
           "version": "1.3.3"
         },
         "faye-websocket": {
-          "version": "0.4.4"
+          "version": "0.7.0",
+          "dependencies": {
+            "websocket-driver": {
+              "version": "0.3.0"
+            }
+          }
         }
       }
     },
     "websocket": {
-      "version": "1.0.7"
+      "version": "1.0.8"
     }
   }
 }
diff --git a/packages/livedata/livedata_server.js b/packages/livedata/livedata_server.js
index 11bd6752a5f..d43c2c46fab 100644
--- a/packages/livedata/livedata_server.js
+++ b/packages/livedata/livedata_server.js
@@ -583,6 +583,12 @@ _.extend(Session.prototype, {
     });
   },
 
+  // XXX This mixes accounts concerns (login tokens) into livedata, which is not
+  // ideal. Eventually we'll have an API that allows accounts to keep track of
+  // which connections are associated with tokens and close them when necessary,
+  // rather than the current state of things where accounts tells livedata which
+  // connections are associated with which tokens, and when to close connections
+  // associated with a given token.
   _setLoginToken: function (newToken) {
     var self = this;
     var oldToken = self.sessionData.loginToken;
@@ -652,13 +658,6 @@ _.extend(Session.prototype, {
         self._pendingReady = [];
       }
     });
-
-
-    // XXX figure out the login token that was just used, and set up an observe
-    // on the user doc so that deleting the user or the login token disconnects
-    // the session. For now, if you want to make sure that your deleted users
-    // don't have any continuing sessions, you can restart the server, but we
-    // should make it automatic.
   },
 
   _startSubscription: function (handler, subId, params, name) {
@@ -834,6 +833,12 @@ _.extend(Subscription.prototype, {
         cur._publishCursor(self);
       });
       self.ready();
+    } else if (res) {
+      // truthy values other than cursors or arrays are probably a
+      // user mistake (possible returning a Mongo document via, say,
+      // `coll.findOne()`).
+      self.error(new Error("Publish function can only return a Cursor or "
+                           + "an array of Cursors"));
     }
   },
 
@@ -969,6 +974,12 @@ Server = function () {
   // Keeps track of the open connections associated with particular login
   // tokens. Used for logging out all a user's open connections, expiring login
   // tokens, etc.
+  // XXX This mixes accounts concerns (login tokens) into livedata, which is not
+  // ideal. Eventually we'll have an API that allows accounts to keep track of
+  // which connections are associated with tokens and close them when necessary,
+  // rather than the current state of things where accounts tells livedata which
+  // connections are associated with which tokens, and when to close connections
+  // associated with a given token.
   self.sessionsByLoginToken = {};
 
 
@@ -1018,7 +1029,7 @@ Server = function () {
       } catch (e) {
         // XXX print stack nicely
         Meteor._debug("Internal exception while processing message", msg,
-                      e.stack);
+                      e.message, e.stack);
       }
     });
 
@@ -1264,9 +1275,11 @@ _.extend(Server.prototype, {
       if (_.isEmpty(self.sessionsByLoginToken[oldToken]))
         delete self.sessionsByLoginToken[oldToken];
     }
-    if (! _.has(self.sessionsByLoginToken, newToken))
-      self.sessionsByLoginToken[newToken] = [];
-    self.sessionsByLoginToken[newToken].push(session.id);
+    if (newToken) {
+      if (! _.has(self.sessionsByLoginToken, newToken))
+        self.sessionsByLoginToken[newToken] = [];
+      self.sessionsByLoginToken[newToken].push(session.id);
+    }
   },
 
   // Close all open sessions associated with any of the tokens in
diff --git a/packages/livedata/livedata_tests.js b/packages/livedata/livedata_tests.js
index 3fd1cd0c87b..0118e4d7e12 100644
--- a/packages/livedata/livedata_tests.js
+++ b/packages/livedata/livedata_tests.js
@@ -124,6 +124,8 @@ testAsyncMulti("livedata - basic method invocation", [
   echoTest({$date: 30}), // literal
   echoTest({$literal: {$date: 30}}),
   echoTest(12),
+  echoTest(Infinity),
+  echoTest(-Infinity),
 
   function (test, expect) {
     if (Meteor.isServer)
diff --git a/packages/livedata/package.js b/packages/livedata/package.js
index 709ee84e395..adace407936 100644
--- a/packages/livedata/package.js
+++ b/packages/livedata/package.js
@@ -3,8 +3,7 @@ Package.describe({
   internal: true
 });
 
-Npm.depends({sockjs: "0.3.7",
-             websocket: "1.0.7"});
+Npm.depends({sockjs: "0.3.8", websocket: "1.0.8"});
 
 Package.on_use(function (api) {
   api.use(['check', 'random', 'ejson', 'json', 'underscore', 'deps', 'logging'],
diff --git a/packages/livedata/sockjs-0.3.4.js b/packages/livedata/sockjs-0.3.4.js
index a3a2f687ebf..60dd5aef3a6 100644
--- a/packages/livedata/sockjs-0.3.4.js
+++ b/packages/livedata/sockjs-0.3.4.js
@@ -1211,7 +1211,7 @@ SockJS.prototype._applyInfo = function(info, rtt, protocols_whitelist) {
     // Servers can override base_url, eg to provide a randomized domain name and
     // avoid browser per-domain connection limits.
     if (info.base_url)
-      that._base_url = info.base_url;
+      that._base_url = utils.amendUrl(info.base_url);
     var probed = utils.probeProtocols();
     that._protocols = utils.detectProtocols(probed, protocols_whitelist, info);
 // <METEOR>
diff --git a/packages/livedata/stream_server.js b/packages/livedata/stream_server.js
index e00a42ada95..a0f10ecb0f0 100644
--- a/packages/livedata/stream_server.js
+++ b/packages/livedata/stream_server.js
@@ -38,7 +38,10 @@ StreamServer = function () {
     // combining CPU-heavy processing with SockJS termination (eg a proxy which
     // converts to Unix sockets) but for now, raise the delay.
     disconnect_delay: 60 * 1000,
-    jsessionid: false
+    // Set the USE_JSESSIONID environment variable to enable setting the
+    // JSESSIONID cookie. This is useful for setting up proxies with
+    // session affinity.
+    jsessionid: !!process.env.USE_JSESSIONID
   };
 
   // If you know your server environment (eg, proxies) will prevent websockets
diff --git a/packages/logging/.npm/package/npm-shrinkwrap.json b/packages/logging/.npm/package/npm-shrinkwrap.json
index f0eafa1381d..7bbbfcf6bb0 100644
--- a/packages/logging/.npm/package/npm-shrinkwrap.json
+++ b/packages/logging/.npm/package/npm-shrinkwrap.json
@@ -1,7 +1,7 @@
 {
   "dependencies": {
     "cli-color": {
-      "version": "0.2.2",
+      "version": "0.2.3",
       "dependencies": {
         "es5-ext": {
           "version": "0.9.2"
diff --git a/packages/logging/package.js b/packages/logging/package.js
index f3883e7b985..6e9f172e93c 100644
--- a/packages/logging/package.js
+++ b/packages/logging/package.js
@@ -4,7 +4,7 @@ Package.describe({
 });
 
 Npm.depends({
-  "cli-color": "0.2.2"
+  "cli-color": "0.2.3"
 });
 
 Package.on_use(function (api) {
diff --git a/packages/madewith/package.js b/packages/madewith/package.js
index b67b92bf800..79cb20411a2 100644
--- a/packages/madewith/package.js
+++ b/packages/madewith/package.js
@@ -3,7 +3,7 @@ Package.describe({
 });
 
 Package.on_use(function (api) {
-  api.use(['livedata', 'underscore', 'spark', 'templating'], 'client');
+  api.use(['livedata', 'mongo-livedata', 'underscore', 'spark', 'templating'], 'client');
 
   api.add_files([
     'madewith.css',
diff --git a/packages/minifiers/.npm/package/npm-shrinkwrap.json b/packages/minifiers/.npm/package/npm-shrinkwrap.json
index b8040d824d1..b23b2cea61f 100644
--- a/packages/minifiers/.npm/package/npm-shrinkwrap.json
+++ b/packages/minifiers/.npm/package/npm-shrinkwrap.json
@@ -1,29 +1,24 @@
 {
   "dependencies": {
     "clean-css": {
-      "version": "1.0.11",
+      "version": "1.1.2",
       "dependencies": {
         "commander": {
-          "version": "1.2.0",
-          "dependencies": {
-            "keypress": {
-              "version": "0.1.0"
-            }
-          }
+          "version": "2.0.0"
         }
       }
     },
     "uglify-js": {
-      "from": "https://github.com/mishoo/UglifyJS2/tarball/b1febde3e9be32b9d88918ed733efc3796e3f143",
+      "from": "https://github.com/meteor/UglifyJS2/tarball/bb0a762d12d2ecd058b9d7b57f16b4c289378d9c",
       "dependencies": {
         "async": {
           "version": "0.2.9"
         },
         "source-map": {
-          "version": "0.1.26",
+          "version": "0.1.30",
           "dependencies": {
             "amdefine": {
-              "version": "0.0.5"
+              "version": "0.0.8"
             }
           }
         },
@@ -34,6 +29,9 @@
               "version": "0.0.2"
             }
           }
+        },
+        "uglify-to-browserify": {
+          "version": "1.0.1"
         }
       }
     }
diff --git a/packages/minifiers/package.js b/packages/minifiers/package.js
index 91f474d7988..6a3eb50d594 100644
--- a/packages/minifiers/package.js
+++ b/packages/minifiers/package.js
@@ -4,9 +4,9 @@ Package.describe({
 });
 
 Npm.depends({
-  "clean-css": "1.0.11",
-  // We depend on this commit, which has not been released yet.
-  "uglify-js": "https://github.com/mishoo/UglifyJS2/tarball/b1febde3e9be32b9d88918ed733efc3796e3f143"
+  "clean-css": "1.1.2",
+  // Fork of 2.4.0 fixing https://github.com/mishoo/UglifyJS2/pull/308
+  "uglify-js": "https://github.com/meteor/UglifyJS2/tarball/bb0a762d12d2ecd058b9d7b57f16b4c289378d9c"
 });
 
 Package.on_use(function (api) {
diff --git a/packages/minimongo/NOTES b/packages/minimongo/NOTES
index 017aeda6897..e2db1fb0e2e 100644
--- a/packages/minimongo/NOTES
+++ b/packages/minimongo/NOTES
@@ -46,7 +46,7 @@ It just hasn't been looked at/thought about yet.
 upsert combined with $-operators might work, but hasn't actually been
 looked at or tested.
 
-In general, the API needs tests, espectially update. (On the other
+In general, the API needs tests, especially update. (On the other
 hand, the underlying selector and mutator code is quite well tested.)
 
 ## OTHER STUFF ##
diff --git a/packages/minimongo/minimongo.js b/packages/minimongo/minimongo.js
index 7fb03f7810d..2ddb61b84d7 100644
--- a/packages/minimongo/minimongo.js
+++ b/packages/minimongo/minimongo.js
@@ -87,12 +87,18 @@ LocalCollection.Cursor = function (collection, selector, options) {
   if (LocalCollection._selectorIsId(selector)) {
     // stash for fast path
     self.selector_id = LocalCollection._idStringify(selector);
-    self.selector_f = LocalCollection._compileSelector(selector);
+    self.selector_f = LocalCollection._compileSelector(selector, self);
     self.sort_f = undefined;
   } else {
+    // MongoDB throws different errors on different branching operators
+    // containing $near
+    if (isGeoQuerySpecial(selector))
+      throw new Error("$near can't be inside $or/$and/$nor/$not");
+
     self.selector_id = undefined;
-    self.selector_f = LocalCollection._compileSelector(selector);
-    self.sort_f = options.sort ? LocalCollection._compileSort(options.sort) : null;
+    self.selector_f = LocalCollection._compileSelector(selector, self);
+    self.sort_f = (isGeoQuery(selector) || options.sort) ?
+      LocalCollection._compileSort(options.sort || [], self) : null;
   }
   self.skip = options.skip;
   self.limit = options.limit;
@@ -140,9 +146,8 @@ LocalCollection.prototype.findOne = function (selector, options) {
   return this.find(selector, options).fetch()[0];
 };
 
-LocalCollection.Cursor.prototype.forEach = function (callback) {
+LocalCollection.Cursor.prototype.forEach = function (callback, thisArg) {
   var self = this;
-  var doc;
 
   if (self.db_objects === null)
     self.db_objects = self._getRawObjects(true);
@@ -155,12 +160,13 @@ LocalCollection.Cursor.prototype.forEach = function (callback) {
       movedBefore: true});
 
   while (self.cursor_pos < self.db_objects.length) {
-    var elt = EJSON.clone(self.db_objects[self.cursor_pos++]);
+    var elt = EJSON.clone(self.db_objects[self.cursor_pos]);
     if (self.projection_f)
       elt = self.projection_f(elt);
     if (self._transform)
       elt = self._transform(elt);
-    callback(elt);
+    callback.call(thisArg, elt, self.cursor_pos, self);
+    ++self.cursor_pos;
   }
 };
 
@@ -169,11 +175,11 @@ LocalCollection.Cursor.prototype.getTransform = function () {
   return self._transform;
 };
 
-LocalCollection.Cursor.prototype.map = function (callback) {
+LocalCollection.Cursor.prototype.map = function (callback, thisArg) {
   var self = this;
   var res = [];
-  self.forEach(function (doc) {
-    res.push(callback(doc));
+  self.forEach(function (doc, index) {
+    res.push(callback.call(thisArg, doc, index, self));
   });
   return res;
 };
@@ -473,9 +479,13 @@ LocalCollection.prototype.insert = function (doc, callback) {
       LocalCollection._recomputeResults(self.queries[qid]);
   });
   self._observeQueue.drain();
-  // Defer in case the callback returns on a future; gives the caller time to
-  // wait on the future.
-  if (callback) Meteor.defer(function () { callback(null, doc._id); });
+
+  // Defer because the caller likely doesn't expect the callback to be run
+  // immediately.
+  if (callback)
+    Meteor.defer(function () {
+      callback(null, doc._id);
+    });
   return doc._id;
 };
 
@@ -484,7 +494,7 @@ LocalCollection.prototype.remove = function (selector, callback) {
   var remove = [];
 
   var queriesToRecompute = [];
-  var selector_f = LocalCollection._compileSelector(selector);
+  var selector_f = LocalCollection._compileSelector(selector, self);
 
   // Avoid O(n) for "remove a single doc by ID".
   var specificIds = LocalCollection._idsMatchedBySelector(selector);
@@ -533,9 +543,12 @@ LocalCollection.prototype.remove = function (selector, callback) {
       LocalCollection._recomputeResults(query);
   });
   self._observeQueue.drain();
-  // Defer in case the callback returns on a future; gives the caller time to
-  // wait on the future.
-  if (callback) Meteor.defer(callback);
+  var result = remove.length;
+  if (callback)
+    Meteor.defer(function () {
+      callback(null, result);
+    });
+  return result;
 };
 
 // XXX atomicity: if multi is true, and one modification fails, do
@@ -548,10 +561,7 @@ LocalCollection.prototype.update = function (selector, mod, options, callback) {
   }
   if (!options) options = {};
 
-  if (options.upsert)
-    throw new Error("upsert not yet implemented");
-
-  var selector_f = LocalCollection._compileSelector(selector);
+  var selector_f = LocalCollection._compileSelector(selector, self);
 
   // Save the original results of any query that we might need to
   // _recomputeResults on, because _modifyAndNotify will mutate the objects in
@@ -565,12 +575,15 @@ LocalCollection.prototype.update = function (selector, mod, options, callback) {
   });
   var recomputeQids = {};
 
+  var updateCount = 0;
+
   for (var id in self.docs) {
     var doc = self.docs[id];
     if (selector_f(doc)) {
       // XXX Should we save the original even if mod ends up being a no-op?
       self._saveOriginal(id, doc);
       self._modifyAndNotify(doc, mod, recomputeQids);
+      ++updateCount;
       if (!options.multi)
         break;
     }
@@ -583,9 +596,54 @@ LocalCollection.prototype.update = function (selector, mod, options, callback) {
                                         qidToOriginalResults[qid]);
   });
   self._observeQueue.drain();
-  // Defer in case the callback returns on a future; gives the caller time to
-  // wait on the future.
-  if (callback) Meteor.defer(callback);
+
+  // If we are doing an upsert, and we didn't modify any documents yet, then
+  // it's time to do an insert. Figure out what document we are inserting, and
+  // generate an id for it.
+  var insertedId;
+  if (updateCount === 0 && options.upsert) {
+    var newDoc = LocalCollection._removeDollarOperators(selector);
+    LocalCollection._modify(newDoc, mod, true);
+    if (! newDoc._id && options.insertedId)
+      newDoc._id = options.insertedId;
+    insertedId = self.insert(newDoc);
+    updateCount = 1;
+  }
+
+  // Return the number of affected documents, or in the upsert case, an object
+  // containing the number of affected docs and the id of the doc that was
+  // inserted, if any.
+  var result;
+  if (options._returnObject) {
+    result = {
+      numberAffected: updateCount
+    };
+    if (insertedId !== undefined)
+      result.insertedId = insertedId;
+  } else {
+    result = updateCount;
+  }
+
+  if (callback)
+    Meteor.defer(function () {
+      callback(null, result);
+    });
+  return result;
+};
+
+// A convenience wrapper on update. LocalCollection.upsert(sel, mod) is
+// equivalent to LocalCollection.update(sel, mod, { upsert: true, _returnObject:
+// true }).
+LocalCollection.prototype.upsert = function (selector, mod, options, callback) {
+  var self = this;
+  if (! callback && typeof options === "function") {
+    callback = options;
+    options = {};
+  }
+  return self.update(selector, mod, _.extend({}, options, {
+    upsert: true,
+    _returnObject: true
+  }), callback);
 };
 
 LocalCollection.prototype._modifyAndNotify = function (
@@ -1123,3 +1181,23 @@ LocalCollection._compileProjection = function (fields) {
     return res;
   };
 };
+
+// Searches $near operator in the selector recursively
+// (including all $or/$and/$nor/$not branches)
+var isGeoQuery = function (selector) {
+  return _.any(selector, function (val, key) {
+    // Note: _.isObject matches objects and arrays
+    return key === "$near" || (_.isObject(val) && isGeoQuery(val));
+  });
+};
+
+// Checks if $near appears under some $or/$and/$nor/$not branch
+var isGeoQuerySpecial = function (selector) {
+  return _.any(selector, function (val, key) {
+    if (_.contains(['$or', '$and', '$nor', '$not'], key))
+      return isGeoQuery(val);
+    // Note: _.isObject matches objects and arrays
+    return _.isObject(val) && isGeoQuerySpecial(val);
+  });
+};
+
diff --git a/packages/minimongo/minimongo_tests.js b/packages/minimongo/minimongo_tests.js
index 07475e5c941..3a2d2260eb4 100644
--- a/packages/minimongo/minimongo_tests.js
+++ b/packages/minimongo/minimongo_tests.js
@@ -66,7 +66,8 @@ var log_callbacks = function (operations) {
 // XXX test shared structure in all MM entrypoints
 Tinytest.add("minimongo - basics", function (test) {
   var c = new LocalCollection(),
-      fluffyKitten_id;
+      fluffyKitten_id,
+      count;
 
   fluffyKitten_id = c.insert({type: "kitten", name: "fluffy"});
   c.insert({type: "kitten", name: "snookums"});
@@ -87,7 +88,8 @@ Tinytest.add("minimongo - basics", function (test) {
   test.length(c.find({type: "kitten"}).fetch(), 2);
   test.length(c.find({type: "cryptographer"}).fetch(), 2);
 
-  c.update({name: "snookums"}, {$set: {type: "cryptographer"}});
+  count = c.update({name: "snookums"}, {$set: {type: "cryptographer"}});
+  test.equal(count, 1);
   test.equal(c.find().count(), 4);
   test.equal(c.find({type: "kitten"}).count(), 1);
   test.equal(c.find({type: "cryptographer"}).count(), 3);
@@ -102,10 +104,12 @@ Tinytest.add("minimongo - basics", function (test) {
   c.remove({_id: null});
   c.remove({_id: false});
   c.remove({_id: undefined});
-  c.remove();
+  count = c.remove();
+  test.equal(count, 0);
   test.equal(c.find().count(), 4);
 
-  c.remove({});
+  count = c.remove({});
+  test.equal(count, 4);
   test.equal(c.find().count(), 0);
 
   c.insert({_id: 1, name: "strawberry", tags: ["fruit", "red", "squishy"]});
@@ -180,16 +184,25 @@ Tinytest.add("minimongo - cursors", function (test) {
 
   // forEach
   var count = 0;
-  q.forEach(function (obj) {
+  var context = {};
+  q.forEach(function (obj, i, cursor) {
     test.equal(obj.i, count++);
-  });
+    test.equal(obj.i, i);
+    test.isTrue(context === this);
+    test.isTrue(cursor === q);
+  }, context);
   test.equal(count, 20);
   // everything empty
   test.length(q.fetch(), 0);
   q.rewind();
 
   // map
-  res = q.map(function (obj) { return obj.i * 2; });
+  res = q.map(function (obj, i, cursor) {
+    test.equal(obj.i, i);
+    test.isTrue(context === this);
+    test.isTrue(cursor === q);
+    return obj.i * 2;
+  }, context);
   test.length(res, 20);
   for (var i = 0; i < 20; i++)
     test.equal(res[i], i * 2);
@@ -427,6 +440,9 @@ Tinytest.add("minimongo - selector_compiler", function (test) {
   nomatch({a: {$ne: 1}}, {a: [1, 2]});
   nomatch({a: {$ne: 2}}, {a: [1, 2]});
   match({a: {$ne: 3}}, {a: [1, 2]});
+  nomatch({'a.b': {$ne: 1}}, {a: [{b: 1}, {b: 2}]});
+  nomatch({'a.b': {$ne: 2}}, {a: [{b: 1}, {b: 2}]});
+  match({'a.b': {$ne: 3}}, {a: [{b: 1}, {b: 2}]});
 
   nomatch({a: {$ne: {x: 1}}}, {a: {x: 1}});
   match({a: {$ne: {x: 1}}}, {a: {x: 2}});
@@ -456,7 +472,9 @@ Tinytest.add("minimongo - selector_compiler", function (test) {
   nomatch({a: {$nin: [1, 2, 3]}}, {a: [2]}); // tested against mongodb
   nomatch({a: {$nin: [{x: 1}, {x: 2}, {x: 3}]}}, {a: [{x: 2}]});
   nomatch({a: {$nin: [1, 2, 3]}}, {a: [4, 2]});
+  nomatch({'a.b': {$nin: [1, 2, 3]}}, {a: [{b:4}, {b:2}]});
   match({a: {$nin: [1, 2, 3]}}, {a: [4]});
+  match({'a.b': {$nin: [1, 2, 3]}}, {a: [{b:4}]});
 
   // $size
   match({a: {$size: 0}}, {a: []});
@@ -564,7 +582,9 @@ Tinytest.add("minimongo - selector_compiler", function (test) {
   match({x: {$not: {$lt: 10, $gt: 7}}}, {x: 6});
 
   match({x: {$not: {$gt: 7}}}, {x: [2, 3, 4]});
+  match({'x.y': {$not: {$gt: 7}}}, {x: [{y:2}, {y:3}, {y:4}]});
   nomatch({x: {$not: {$gt: 7}}}, {x: [2, 3, 4, 10]});
+  nomatch({'x.y': {$not: {$gt: 7}}}, {x: [{y:2}, {y:3}, {y:4}, {y:10}]});
 
   match({x: {$not: /a/}}, {x: "dog"});
   nomatch({x: {$not: /a/}}, {x: "cat"});
@@ -1557,6 +1577,28 @@ Tinytest.add("minimongo - modify", function (test) {
   modify({a: [1]}, {$push: {a: [2]}}, {a: [1, [2]]});
   modify({a: []}, {$push: {'a.1': 99}}, {a: [null, [99]]}); // tested
   modify({a: {}}, {$push: {'a.x': 99}}, {a: {x: [99]}});
+  modify({}, {$push: {a: {$each: [1, 2, 3]}}},
+         {a: [1, 2, 3]});
+  modify({a: []}, {$push: {a: {$each: [1, 2, 3]}}},
+         {a: [1, 2, 3]});
+  modify({a: [true]}, {$push: {a: {$each: [1, 2, 3]}}},
+         {a: [true, 1, 2, 3]});
+  // No positive numbers for $slice
+  exception({}, {$push: {a: {$each: [], $slice: 5}}});
+  modify({a: [true]}, {$push: {a: {$each: [1, 2, 3], $slice: -2}}},
+         {a: [2, 3]});
+  modify({a: [false, true]}, {$push: {a: {$each: [1], $slice: -2}}},
+         {a: [true, 1]});
+  modify(
+    {a: [{x: 3}, {x: 1}]},
+    {$push: {a: {
+      $each: [{x: 4}, {x: 2}],
+      $slice: -2,
+      $sort: {x: 1}
+    }}},
+    {a: [{x: 3}, {x: 4}]});
+  modify({}, {$push: {a: {$each: [1, 2, 3], $slice: 0}}}, {a: []});
+  modify({a: [1, 2]}, {$push: {a: {$each: [1, 2, 3], $slice: 0}}}, {a: []});
 
   // $pushAll
   modify({}, {$pushAll: {a: [1]}}, {a: [1]});
@@ -1658,11 +1700,8 @@ Tinytest.add("minimongo - modify", function (test) {
   modify({a: {b: 12}}, {$rename: {'a.b': 'x'}}, {a: {}, x: 12}); // tested
   modify({a: {b: 12}}, {$rename: {'a.b': 'q.r'}}, {a: {}, q: {r: 12}});
   modify({a: {b: 12}}, {$rename: {'a.b': 'q.2.r'}}, {a: {}, q: {2: {r: 12}}});
-  // Opera weirdly reorders the output. But what it does tends to be close
-  // enough.
   modify({a: {b: 12}, q: {}}, {$rename: {'a.b': 'q.2.r'}},
-         (typeof opera === 'undefined' ? {a: {}, q: {2: {r: 12}}}
-                                       : {q: {2: {r: 12}}, a: {}}));
+         {a: {}, q: {2: {r: 12}}});
   exception({a: {b: 12}, q: []}, {$rename: {'a.b': 'q.2'}}); // tested
   exception({a: {b: 12}, q: []}, {$rename: {'a.b': 'q.2.r'}}); // tested
   test.expect_fail();
@@ -1996,7 +2035,8 @@ Tinytest.add("minimongo - diff", function (test) {
 
 Tinytest.add("minimongo - saveOriginals", function (test) {
   // set up some data
-  var c = new LocalCollection();
+  var c = new LocalCollection(),
+      count;
   c.insert({_id: 'foo', x: 'untouched'});
   c.insert({_id: 'bar', x: 'updateme'});
   c.insert({_id: 'baz', x: 'updateme'});
@@ -2007,9 +2047,12 @@ Tinytest.add("minimongo - saveOriginals", function (test) {
   c.saveOriginals();
   c.insert({_id: "hooray", z: 'insertme'});
   c.remove({y: 'removeme'});
-  c.update({x: 'updateme'}, {$set: {z: 5}}, {multi: true});
+  count = c.update({x: 'updateme'}, {$set: {z: 5}}, {multi: true});
   c.update('bar', {$set: {k: 7}});  // update same doc twice
 
+  // Verify returned count is correct
+  test.equal(count, 2);
+
   // Verify the originals.
   var originals = c.retrieveOriginals();
   var affected = ['bar', 'baz', 'quux', 'whoa', 'hooray'];
@@ -2242,3 +2285,98 @@ Tinytest.add("minimongo - count on cursor with limit", function(test){
   c.stop();
 
 });
+
+Tinytest.add("minimongo - $near operator tests", function (test) {
+  var coll = new LocalCollection();
+  coll.insert({ rest: { loc: [2, 3] } });
+  coll.insert({ rest: { loc: [-3, 3] } });
+  coll.insert({ rest: { loc: [5, 5] } });
+
+  test.equal(coll.find({ 'rest.loc': { $near: [0, 0], $maxDistance: 30 } }).count(), 3);
+  test.equal(coll.find({ 'rest.loc': { $near: [0, 0], $maxDistance: 4 } }).count(), 1);
+  var points = coll.find({ 'rest.loc': { $near: [0, 0], $maxDistance: 6 } }).fetch();
+  _.each(points, function (point, i, points) {
+    test.isTrue(!i || distance([0, 0], point.rest.loc) >= distance([0, 0], points[i - 1].rest.loc));
+  });
+
+  function distance(a, b) {
+    var x = a[0] - b[0];
+    var y = a[1] - b[1];
+    return Math.sqrt(x * x + y * y);
+  }
+
+  // GeoJSON tests
+  coll = new LocalCollection();
+  var data = [{ "category" : "BURGLARY", "descript" : "BURGLARY OF STORE, FORCIBLE ENTRY", "address" : "100 Block of 10TH ST", "location" : { "type" : "Point", "coordinates" : [  -122.415449723856,  37.7749518087273 ] } },
+    { "category" : "WEAPON LAWS", "descript" : "POSS OF PROHIBITED WEAPON", "address" : "900 Block of MINNA ST", "location" : { "type" : "Point", "coordinates" : [  -122.415386041221,  37.7747879744156 ] } },
+    { "category" : "LARCENY/THEFT", "descript" : "GRAND THEFT OF PROPERTY", "address" : "900 Block of MINNA ST", "location" : { "type" : "Point", "coordinates" : [  -122.41538270191,  37.774683628213 ] } },
+    { "category" : "LARCENY/THEFT", "descript" : "PETTY THEFT FROM LOCKED AUTO", "address" : "900 Block of MINNA ST", "location" : { "type" : "Point", "coordinates" : [  -122.415396041221,  37.7747879744156 ] } },
+    { "category" : "OTHER OFFENSES", "descript" : "POSSESSION OF BURGLARY TOOLS", "address" : "900 Block of MINNA ST", "location" : { "type" : "Point", "coordinates" : [  -122.415386041221,  37.7747879734156 ] } }
+  ];
+
+  _.each(data, function (x, i) { coll.insert(_.extend(x, { x: i })); });
+
+  var close15 = coll.find({ location: { $near: {
+    $geometry: { type: "Point",
+                 coordinates: [-122.4154282, 37.7746115] },
+    $maxDistance: 15 } } }).fetch();
+  test.length(close15, 1);
+  test.equal(close15[0].descript, "GRAND THEFT OF PROPERTY");
+
+  var close20 = coll.find({ location: { $near: {
+    $geometry: { type: "Point",
+                 coordinates: [-122.4154282, 37.7746115] },
+    $maxDistance: 20 } } }).fetch();
+  test.length(close20, 4);
+  test.equal(close20[0].descript, "GRAND THEFT OF PROPERTY");
+  test.equal(close20[1].descript, "PETTY THEFT FROM LOCKED AUTO");
+  test.equal(close20[2].descript, "POSSESSION OF BURGLARY TOOLS");
+  test.equal(close20[3].descript, "POSS OF PROHIBITED WEAPON");
+
+  // Any combinations of $near with $or/$and/$nor/$not should throw an error
+  test.throws(function () {
+    coll.find({ location: {
+      $not: {
+        $near: {
+          $geometry: {
+            type: "Point",
+            coordinates: [-122.4154282, 37.7746115]
+          }, $maxDistance: 20 } } } });
+  });
+  test.throws(function () {
+    coll.find({
+      $and: [ { location: { $near: { $geometry: { type: "Point", coordinates: [-122.4154282, 37.7746115] }, $maxDistance: 20 }}},
+              { x: 0 }]
+    });
+  });
+  test.throws(function () {
+    coll.find({
+      $or: [ { location: { $near: { $geometry: { type: "Point", coordinates: [-122.4154282, 37.7746115] }, $maxDistance: 20 }}},
+             { x: 0 }]
+    });
+  });
+  test.throws(function () {
+    coll.find({
+      $nor: [ { location: { $near: { $geometry: { type: "Point", coordinates: [-122.4154282, 37.7746115] }, $maxDistance: 1 }}},
+              { x: 0 }]
+    });
+  });
+  test.throws(function () {
+    coll.find({
+      $and: [{
+        $and: [{
+          location: {
+            $near: {
+              $geometry: {
+                type: "Point",
+                coordinates: [-122.4154282, 37.7746115]
+              },
+              $maxDistance: 1
+            }
+          }
+        }]
+      }]
+    });
+  });
+});
+
diff --git a/packages/minimongo/modify.js b/packages/minimongo/modify.js
index e699a262ffb..e13c21e6661 100644
--- a/packages/minimongo/modify.js
+++ b/packages/minimongo/modify.js
@@ -5,7 +5,11 @@
 //
 // XXX atomicity: if one modification fails, do we roll back the whole
 // change?
-LocalCollection._modify = function (doc, mod) {
+//
+// isInsert is set when _modify is being called to compute the document to
+// insert as part of an upsert operation. We use this primarily to figure out
+// when to set the fields in $setOnInsert, if present.
+LocalCollection._modify = function (doc, mod, isInsert) {
   var is_modifier = false;
   for (var k in mod) {
     // IE7 doesn't support indexing into strings (eg, k[0]), so use substr.
@@ -35,6 +39,9 @@ LocalCollection._modify = function (doc, mod) {
 
     for (var op in mod) {
       var mod_func = LocalCollection._modifiers[op];
+      // Treat $setOnInsert as $set if this is an insert.
+      if (isInsert && op === '$setOnInsert')
+        mod_func = LocalCollection._modifiers['$set'];
       if (!mod_func)
         throw Error("Invalid modifier specified " + op);
       for (var keypath in mod[op]) {
@@ -60,7 +67,11 @@ LocalCollection._modify = function (doc, mod) {
     // Note: this used to be for (var k in doc) however, this does not
     // work right in Opera. Deleting from a doc while iterating over it
     // would sometimes cause opera to skip some keys.
-    if (k !== '_id')
+
+    // isInsert: if we're constructing a document to insert (via upsert)
+    // and we're in replacement mode, not modify mode, DON'T take the
+    // _id from the query.  This matches mongo's behavior.
+    if (k !== '_id' || isInsert)
       delete doc[k];
   });
   for (var k in new_doc) {
@@ -145,6 +156,9 @@ LocalCollection._modifiers = {
 
     target[field] = EJSON.clone(arg);
   },
+  $setOnInsert: function (target, field, arg) {
+    // converted to `$set` in `_modify`
+  },
   $unset: function (target, field, arg) {
     if (target !== undefined) {
       if (target instanceof Array) {
@@ -155,13 +169,65 @@ LocalCollection._modifiers = {
     }
   },
   $push: function (target, field, arg) {
-    var x = target[field];
-    if (x === undefined)
-      target[field] = [arg];
-    else if (!(x instanceof Array))
+    if (target[field] === undefined)
+      target[field] = [];
+    if (!(target[field] instanceof Array))
       throw Error("Cannot apply $push modifier to non-array");
-    else
-      x.push(EJSON.clone(arg));
+
+    if (!(arg && arg.$each)) {
+      // Simple mode: not $each
+      target[field].push(EJSON.clone(arg));
+      return;
+    }
+
+    // Fancy mode: $each (and maybe $slice and $sort)
+    var toPush = arg.$each;
+    if (!(toPush instanceof Array))
+      throw Error("$each must be an array");
+
+    // Parse $slice.
+    var slice = undefined;
+    if ('$slice' in arg) {
+      if (typeof arg.$slice !== "number")
+        throw Error("$slice must be a numeric value");
+      // XXX should check to make sure integer
+      if (arg.$slice > 0)
+        throw Error("$slice in $push must be zero or negative");
+      slice = arg.$slice;
+    }
+
+    // Parse $sort.
+    var sortFunction = undefined;
+    if (arg.$sort) {
+      if (slice === undefined)
+        throw Error("$sort requires $slice to be present");
+      // XXX this allows us to use a $sort whose value is an array, but that's
+      // actually an extension of the Node driver, so it won't work
+      // server-side. Could be confusing!
+      sortFunction = LocalCollection._compileSort(arg.$sort);
+      for (var i = 0; i < toPush.length; i++) {
+        if (LocalCollection._f._type(toPush[i]) !== 3) {
+          throw Error("$push like modifiers using $sort " +
+                      "require all elements to be objects");
+        }
+      }
+    }
+
+    // Actually push.
+    for (var j = 0; j < toPush.length; j++)
+      target[field].push(EJSON.clone(toPush[j]));
+
+    // Actually sort.
+    if (sortFunction)
+      target[field].sort(sortFunction);
+
+    // Actually slice.
+    if (slice !== undefined) {
+      if (slice === 0)
+        target[field] = [];  // differs from Array.slice!
+      else
+        target[field] = target[field].slice(slice);
+    }
   },
   $pushAll: function (target, field, arg) {
     if (!(typeof arg === "object" && arg instanceof Array))
@@ -196,7 +262,7 @@ LocalCollection._modifiers = {
         for (var i = 0; i < x.length; i++)
           if (LocalCollection._f._equal(value, x[i]))
             return;
-        x.push(value);
+        x.push(EJSON.clone(value));
       });
     }
   },
@@ -299,3 +365,11 @@ LocalCollection._modifiers = {
     throw Error("$bit is not supported");
   }
 };
+
+LocalCollection._removeDollarOperators = function (selector) {
+  var selectorDoc = {};
+  for (var k in selector)
+    if (k.substr(0, 1) !== '$')
+      selectorDoc[k] = selector[k];
+  return selectorDoc;
+};
diff --git a/packages/minimongo/package.js b/packages/minimongo/package.js
index 7502f33d08f..dec89d47884 100644
--- a/packages/minimongo/package.js
+++ b/packages/minimongo/package.js
@@ -7,6 +7,8 @@ Package.on_use(function (api) {
   api.export('LocalCollection');
   api.use(['underscore', 'json', 'ejson', 'ordered-dict', 'deps',
            'random', 'ordered-dict']);
+  // This package is used for geo-location queries such as $near
+  api.use('geojson-utils');
   api.add_files([
     'minimongo.js',
     'selector.js',
@@ -17,6 +19,7 @@ Package.on_use(function (api) {
 });
 
 Package.on_test(function (api) {
+  api.use('geojson-utils', 'client');
   api.use('minimongo', 'client');
   api.use('test-helpers', 'client');
   api.use(['tinytest', 'underscore', 'ejson', 'ordered-dict',
diff --git a/packages/minimongo/selector.js b/packages/minimongo/selector.js
index 7cf8fa0a5d0..3a1e5394a8f 100644
--- a/packages/minimongo/selector.js
+++ b/packages/minimongo/selector.js
@@ -29,7 +29,7 @@ var hasOperators = function(valueSelector) {
   return !!theseAreOperators;  // {} has no operators
 };
 
-var compileValueSelector = function (valueSelector) {
+var compileValueSelector = function (valueSelector, selector, cursor) {
   if (valueSelector == null) {  // undefined or null
     return function (value) {
       return _anyIfArray(value, function (x) {
@@ -74,12 +74,13 @@ var compileValueSelector = function (valueSelector) {
     _.each(valueSelector, function (operand, operator) {
       if (!_.has(VALUE_OPERATORS, operator))
         throw new Error("Unrecognized operator: " + operator);
+      // Special case for location operators
       operatorFunctions.push(VALUE_OPERATORS[operator](
-        operand, valueSelector.$options));
+        operand, valueSelector, cursor));
     });
-    return function (value) {
+    return function (value, doc) {
       return _.all(operatorFunctions, function (f) {
-        return f(value);
+        return f(value, doc);
       });
     };
   }
@@ -95,38 +96,38 @@ var compileValueSelector = function (valueSelector) {
 
 // XXX can factor out common logic below
 var LOGICAL_OPERATORS = {
-  "$and": function(subSelector) {
+  "$and": function(subSelector, operators, cursor) {
     if (!isArray(subSelector) || _.isEmpty(subSelector))
       throw Error("$and/$or/$nor must be nonempty array");
-    var subSelectorFunctions = _.map(
-      subSelector, compileDocumentSelector);
-    return function (doc) {
+    var subSelectorFunctions = _.map(subSelector, function (selector) {
+      return compileDocumentSelector(selector, cursor); });
+    return function (doc, wholeDoc) {
       return _.all(subSelectorFunctions, function (f) {
-        return f(doc);
+        return f(doc, wholeDoc);
       });
     };
   },
 
-  "$or": function(subSelector) {
+  "$or": function(subSelector, operators, cursor) {
     if (!isArray(subSelector) || _.isEmpty(subSelector))
       throw Error("$and/$or/$nor must be nonempty array");
-    var subSelectorFunctions = _.map(
-      subSelector, compileDocumentSelector);
-    return function (doc) {
+    var subSelectorFunctions = _.map(subSelector, function (selector) {
+      return compileDocumentSelector(selector, cursor); });
+    return function (doc, wholeDoc) {
       return _.any(subSelectorFunctions, function (f) {
-        return f(doc);
+        return f(doc, wholeDoc);
       });
     };
   },
 
-  "$nor": function(subSelector) {
+  "$nor": function(subSelector, operators, cursor) {
     if (!isArray(subSelector) || _.isEmpty(subSelector))
       throw Error("$and/$or/$nor must be nonempty array");
-    var subSelectorFunctions = _.map(
-      subSelector, compileDocumentSelector);
-    return function (doc) {
+    var subSelectorFunctions = _.map(subSelector, function (selector) {
+      return compileDocumentSelector(selector, cursor); });
+    return function (doc, wholeDoc) {
       return _.all(subSelectorFunctions, function (f) {
-        return !f(doc);
+        return !f(doc, wholeDoc);
       });
     };
   },
@@ -141,6 +142,13 @@ var LOGICAL_OPERATORS = {
   }
 };
 
+// Each value operator is a function with args:
+//  - operand - Anything
+//  - operators - Object - operators on the same level (neighbours)
+//  - cursor - Object - original cursor
+// returns a function with args:
+//  - value - a value the operator is tested against
+//  - doc - the whole document tested in this query
 var VALUE_OPERATORS = {
   "$in": function (operand) {
     if (!isArray(operand))
@@ -212,11 +220,11 @@ var VALUE_OPERATORS = {
     if (!isArray(operand))
       throw new Error("Argument to $nin must be array");
     var inFunction = VALUE_OPERATORS.$in(operand);
-    return function (value) {
+    return function (value, doc) {
       // Field doesn't exist, so it's not-in operand
       if (value === undefined)
         return true;
-      return !inFunction(value);
+      return !inFunction(value, doc);
     };
   },
 
@@ -255,7 +263,8 @@ var VALUE_OPERATORS = {
     };
   },
 
-  "$regex": function (operand, options) {
+  "$regex": function (operand, operators) {
+    var options = operators.$options;
     if (options !== undefined) {
       // Options passed in $options (even the empty string) always overrides
       // options in the RegExp object itself. (See also
@@ -287,22 +296,80 @@ var VALUE_OPERATORS = {
     return function (value) { return true; };
   },
 
-  "$elemMatch": function (operand) {
-    var matcher = compileDocumentSelector(operand);
-    return function (value) {
+  "$elemMatch": function (operand, selector, cursor) {
+    var matcher = compileDocumentSelector(operand, cursor);
+    return function (value, doc) {
       if (!isArray(value))
         return false;
       return _.any(value, function (x) {
-        return matcher(x);
+        return matcher(x, doc);
       });
     };
   },
 
-  "$not": function (operand) {
-    var matcher = compileValueSelector(operand);
-    return function (value) {
-      return !matcher(value);
+  "$not": function (operand, operators, cursor) {
+    var matcher = compileValueSelector(operand, operators, cursor);
+    return function (value, doc) {
+      return !matcher(value, doc);
     };
+  },
+
+  "$near": function (operand, operators, cursor) {
+    function distanceCoordinatePairs (a, b) {
+      a = pointToArray(a);
+      b = pointToArray(b);
+      var x = a[0] - b[0];
+      var y = a[1] - b[1];
+      if (_.isNaN(x) || _.isNaN(y))
+        return null;
+      return Math.sqrt(x * x + y * y);
+    }
+    // Makes sure we get 2 elements array and assume the first one to be x and
+    // the second one to y no matter what user passes.
+    // In case user passes { lon: x, lat: y } returns [x, y]
+    function pointToArray (point) {
+      return _.map(point, _.identity);
+    }
+    // GeoJSON query is marked as $geometry property
+    var mode = _.isObject(operand) && _.has(operand, '$geometry') ? "2dsphere" : "2d";
+    var maxDistance = mode === "2d" ? operators.$maxDistance : operand.$maxDistance;
+    var point = mode === "2d" ? operand : operand.$geometry;
+    return function (value, doc) {
+      var dist = null;
+      switch (mode) {
+        case "2d":
+          dist = distanceCoordinatePairs(point, value);
+          break;
+        case "2dsphere":
+          // XXX: for now, we don't calculate the actual distance between, say,
+          // polygon and circle. If people care about this use-case it will get
+          // a priority.
+          if (value.type === "Point")
+            dist = GeoJSON.pointDistance(point, value);
+          else
+            dist = GeoJSON.geometryWithinRadius(value, point, maxDistance) ?
+                     0 : maxDistance + 1;
+          break;
+      }
+      // Used later in sorting by distance, since $near queries are sorted by
+      // distance from closest to farthest.
+      if (cursor) {
+        if (!cursor._distance)
+          cursor._distance = {};
+        cursor._distance[doc._id] = dist;
+      }
+
+      // Distance couldn't parse a geometry object
+      if (dist === null)
+        return false;
+
+      return maxDistance === undefined ? true : dist <= maxDistance;
+    };
+  },
+
+  "$maxDistance": function () {
+    // evaluation happens in the $near operator
+    return function () { return true; }
   }
 };
 
@@ -536,7 +603,7 @@ LocalCollection._makeLookupFunction = function (key) {
 };
 
 // The main compilation function for a given selector.
-var compileDocumentSelector = function (docSelector) {
+var compileDocumentSelector = function (docSelector, cursor) {
   var perKeySelectors = [];
   _.each(docSelector, function (subSelector, key) {
     if (key.substr(0, 1) === '$') {
@@ -544,24 +611,47 @@ var compileDocumentSelector = function (docSelector) {
       // this function), or $where.
       if (!_.has(LOGICAL_OPERATORS, key))
         throw new Error("Unrecognized logical operator: " + key);
-      perKeySelectors.push(LOGICAL_OPERATORS[key](subSelector));
+      perKeySelectors.push(
+        LOGICAL_OPERATORS[key](subSelector, docSelector, cursor));
     } else {
       var lookUpByIndex = LocalCollection._makeLookupFunction(key);
-      var valueSelectorFunc = compileValueSelector(subSelector);
-      perKeySelectors.push(function (doc) {
+      var valueSelectorFunc =
+        compileValueSelector(subSelector, docSelector, cursor);
+      perKeySelectors.push(function (doc, wholeDoc) {
         var branchValues = lookUpByIndex(doc);
         // We apply the selector to each "branched" value and return true if any
-        // match. This isn't 100% consistent with MongoDB; eg, see:
-        // https://jira.mongodb.org/browse/SERVER-8585
-        return _.any(branchValues, valueSelectorFunc);
+        // match. However, for "negative" selectors like $ne or $not we actually
+        // require *all* elements to match.
+        //
+        // This is because {'x.tag': {$ne: "foo"}} applied to {x: [{tag: 'foo'},
+        // {tag: 'bar'}]} should NOT match even though there is a branch that
+        // matches. (This matches the fact that $ne uses a negated
+        // _anyIfArrayPlus, for when the last level of the key is the array,
+        // which deMorgans into an 'all'.)
+        //
+        // XXX This isn't 100% consistent with MongoDB in 'null' cases:
+        //     https://jira.mongodb.org/browse/SERVER-8585
+        // XXX this still isn't right.  consider {a: {$ne: 5, $gt: 6}}. the
+        //     $ne needs to use the "all" logic and the $gt needs the "any"
+        //     logic
+        var combiner = (subSelector &&
+                        (subSelector.$not || subSelector.$ne ||
+                         subSelector.$nin))
+              ? _.all : _.any;
+        return combiner(branchValues, function (val) {
+          return valueSelectorFunc(val, wholeDoc);
+        });
       });
     }
   });
 
 
-  return function (doc) {
+  return function (doc, wholeDoc) {
+    // If called w/o wholeDoc, doc is considered the original by default
+    if (wholeDoc === undefined)
+      wholeDoc = doc;
     return _.all(perKeySelectors, function (f) {
-      return f(doc);
+      return f(doc, wholeDoc);
     });
   };
 };
@@ -569,7 +659,7 @@ var compileDocumentSelector = function (docSelector) {
 // Given a selector, return a function that takes one argument, a
 // document, and returns true if the document matches the selector,
 // else false.
-LocalCollection._compileSelector = function (selector) {
+LocalCollection._compileSelector = function (selector, cursor) {
   // you can pass a literal function instead of a selector
   if (selector instanceof Function)
     return function (doc) {return selector.call(doc);};
@@ -592,7 +682,7 @@ LocalCollection._compileSelector = function (selector) {
       EJSON.isBinary(selector))
     throw new Error("Invalid selector: " + selector);
 
-  return compileDocumentSelector(selector);
+  return compileDocumentSelector(selector, cursor);
 };
 
 // Give a sort spec, which can be in any of these forms:
@@ -608,7 +698,7 @@ LocalCollection._compileSelector = function (selector) {
 // first object comes first in order, 1 if the second object comes
 // first, or 0 if neither object comes before the other.
 
-LocalCollection._compileSort = function (spec) {
+LocalCollection._compileSort = function (spec, cursor) {
   var sortSpecParts = [];
 
   if (spec instanceof Array) {
@@ -636,8 +726,14 @@ LocalCollection._compileSort = function (spec) {
     throw Error("Bad sort specification: ", JSON.stringify(spec));
   }
 
+  // If there are no sorting rules specified, try to sort on _distance hidden
+  // fields on cursor we may acquire if query involved $near operator.
   if (sortSpecParts.length === 0)
-    return function () {return 0;};
+    return function (a, b) {
+      if (!cursor || !cursor._distance)
+        return 0;
+      return cursor._distance[a._id] - cursor._distance[b._id];
+    };
 
   // reduceValue takes in all the possible values for the sort key along various
   // branches, and returns the min or max value (according to the bool
@@ -689,3 +785,4 @@ LocalCollection._compileSort = function (spec) {
     return 0;
   };
 };
+
diff --git a/packages/mongo-livedata/.npm/package/npm-shrinkwrap.json b/packages/mongo-livedata/.npm/package/npm-shrinkwrap.json
index 8670dc1fece..fbddd059bb4 100644
--- a/packages/mongo-livedata/.npm/package/npm-shrinkwrap.json
+++ b/packages/mongo-livedata/.npm/package/npm-shrinkwrap.json
@@ -1,7 +1,7 @@
 {
   "dependencies": {
     "mongodb": {
-      "version": "1.3.17",
+      "version": "1.3.19",
       "dependencies": {
         "bson": {
           "version": "0.2.2"
diff --git a/packages/mongo-livedata/allow_tests.js b/packages/mongo-livedata/allow_tests.js
index b9c50f97b11..bc1bd941f39 100644
--- a/packages/mongo-livedata/allow_tests.js
+++ b/packages/mongo-livedata/allow_tests.js
@@ -431,6 +431,18 @@ if (Meteor.isClient) {
               test.equal(collection.find({updated: true}).count(), 2);
             }));
         },
+        // upsert not allowed, and has nice error.
+        function (test, expect) {
+          collection.update(
+            {_id: id2},
+            {$set: { upserted: true }},
+            { upsert: true },
+            expect(function (err, res) {
+              test.equal(err.error, 403);
+              test.matches(err.reason, /in a restricted/);
+              test.equal(collection.find({ upserted: true }).count(), 0);
+            }));
+        },
         // update with rename operator not allowed, and has nice error.
         function (test, expect) {
           collection.update(
@@ -778,4 +790,3 @@ if (Meteor.isServer) {
       delete Package.insecure;
   });
 }
-
diff --git a/packages/mongo-livedata/collection.js b/packages/mongo-livedata/collection.js
index a89b88411f0..3ce91b36c85 100644
--- a/packages/mongo-livedata/collection.js
+++ b/packages/mongo-livedata/collection.js
@@ -313,16 +313,21 @@ var throwIfSelectorIsNotId = function (selector, methodName) {
   }
 };
 
-// 'insert' immediately returns the inserted document's new _id.  The
-// others return nothing.
+// 'insert' immediately returns the inserted document's new _id.
+// The others return values immediately if you are in a stub, an in-memory
+// unmanaged collection, or a mongo-backed collection and you don't pass a
+// callback. 'update' and 'remove' return the number of affected
+// documents. 'upsert' returns an object with keys 'numberAffected' and, if an
+// insert happened, 'insertedId'.
 //
 // Otherwise, the semantics are exactly like other methods: they take
 // a callback as an optional last argument; if no callback is
 // provided, they block until the operation is complete, and throw an
 // exception if it fails; if a callback is provided, then they don't
-// necessarily block, and they call the callback when they finish with
-// error and result arguments.  (The insert method provides the
-// document ID as its result; update and remove don't provide a result.)
+// necessarily block, and they call the callback when they finish with error and
+// result arguments.  (The insert method provides the document ID as its result;
+// update and remove provide the number of affected docs as the result; upsert
+// provides an object with numberAffected and maybe insertedId.)
 //
 // On the client, blocking is impossible, so if a callback
 // isn't provided, they just return immediately and any error
@@ -342,44 +347,60 @@ _.each(["insert", "update", "remove"], function (name) {
     var self = this;
     var args = _.toArray(arguments);
     var callback;
+    var insertId;
     var ret;
 
     if (args.length && args[args.length - 1] instanceof Function)
       callback = args.pop();
 
-    if (Meteor.isClient && !callback) {
-      // Client can't block, so it can't report errors by exception,
-      // only by callback. If they forget the callback, give them a
-      // default one that logs the error, so they aren't totally
-      // baffled if their writes don't work because their database is
-      // down.
-      callback = function (err) {
-        if (err)
-          Meteor._debug(name + " failed: " + (err.reason || err.stack));
-      };
-    }
-
     if (name === "insert") {
       if (!args.length)
         throw new Error("insert requires an argument");
       // shallow-copy the document and generate an ID
       args[0] = _.extend({}, args[0]);
       if ('_id' in args[0]) {
-        ret = args[0]._id;
-        if (!ret || !(typeof ret === 'string'
-              || ret instanceof Meteor.Collection.ObjectID))
+        insertId = args[0]._id;
+        if (!insertId || !(typeof insertId === 'string'
+              || insertId instanceof Meteor.Collection.ObjectID))
           throw new Error("Meteor requires document _id fields to be non-empty strings or ObjectIDs");
       } else {
-        ret = args[0]._id = self._makeNewID();
+        insertId = args[0]._id = self._makeNewID();
       }
     } else {
       args[0] = Meteor.Collection._rewriteSelector(args[0]);
+
+      if (name === "update") {
+        // Mutate args but copy the original options object. We need to add
+        // insertedId to options, but don't want to mutate the caller's options
+        // object. We need to mutate `args` because we pass `args` into the
+        // driver below.
+        var options = args[2] = _.clone(args[2]) || {};
+        if (options && typeof options !== "function" && options.upsert) {
+          // set `insertedId` if absent.  `insertedId` is a Meteor extension.
+          if (options.insertedId) {
+            if (!(typeof options.insertedId === 'string'
+                  || options.insertedId instanceof Meteor.Collection.ObjectID))
+              throw new Error("insertedId must be string or ObjectID");
+          } else {
+            options.insertedId = self._makeNewID();
+          }
+        }
+      }
     }
 
+    // On inserts, always return the id that we generated; on all other
+    // operations, just return the result from the collection.
+    var chooseReturnValueFromCollectionResult = function (result) {
+      if (name === "insert")
+        return insertId;
+      else
+        return result;
+    };
+
     var wrappedCallback;
     if (callback) {
       wrappedCallback = function (error, result) {
-        callback(error, !error && ret);
+        callback(error, ! error && chooseReturnValueFromCollectionResult(result));
       };
     }
 
@@ -389,6 +410,22 @@ _.each(["insert", "update", "remove"], function (name) {
 
       var enclosing = DDP._CurrentInvocation.get();
       var alreadyInSimulation = enclosing && enclosing.isSimulation;
+
+      if (Meteor.isClient && !wrappedCallback && ! alreadyInSimulation) {
+        // Client can't block, so it can't report errors by exception,
+        // only by callback. If they forget the callback, give them a
+        // default one that logs the error, so they aren't totally
+        // baffled if their writes don't work because their database is
+        // down.
+        // Don't give a default callback in simulation, because inside stubs we
+        // want to return the results from the local collection immediately and
+        // not force a callback.
+        wrappedCallback = function (err) {
+          if (err)
+            Meteor._debug(name + " failed: " + (err.reason || err.stack));
+        };
+      }
+
       if (!alreadyInSimulation && name !== "insert") {
         // If we're about to actually send an RPC, we should throw an error if
         // this is a non-ID selector, because the mutation methods only allow
@@ -396,14 +433,20 @@ _.each(["insert", "update", "remove"], function (name) {
         throwIfSelectorIsNotId(args[0], name);
       }
 
-      self._connection.apply(self._prefix + name, args, wrappedCallback);
+      ret = chooseReturnValueFromCollectionResult(
+        self._connection.apply(self._prefix + name, args, wrappedCallback)
+      );
 
     } else {
       // it's my collection.  descend into the collection object
       // and propagate any exception.
       args.push(wrappedCallback);
       try {
-        self._collection[name].apply(self._collection, args);
+        // If the user provided a callback and the collection implements this
+        // operation asynchronously, then queryRet will be undefined, and the
+        // result will be returned through the callback instead.
+        var queryRet = self._collection[name].apply(self._collection, args);
+        ret = chooseReturnValueFromCollectionResult(queryRet);
       } catch (e) {
         if (callback) {
           callback(e);
@@ -414,11 +457,24 @@ _.each(["insert", "update", "remove"], function (name) {
     }
 
     // both sync and async, unless we threw an exception, return ret
-    // (new document ID for insert, undefined otherwise).
+    // (new document ID for insert, num affected for update/remove, object with
+    // numberAffected and maybe insertedId for upsert).
     return ret;
   };
 });
 
+Meteor.Collection.prototype.upsert = function (selector, modifier,
+                                               options, callback) {
+  var self = this;
+  if (! callback && typeof options === "function") {
+    callback = options;
+    options = {};
+  }
+  return self.update(selector, modifier,
+              _.extend({}, options, { _returnObject: true, upsert: true }),
+              callback);
+};
+
 // We'll actually design an index API later. For now, we just pass through to
 // Mongo's, but make it synchronous.
 Meteor.Collection.prototype._ensureIndex = function (index, options) {
@@ -538,6 +594,7 @@ Meteor.Collection.prototype._defineMutationMethods = function() {
     insert: {allow: [], deny: []},
     update: {allow: [], deny: []},
     remove: {allow: [], deny: []},
+    upsert: {allow: [], deny: []}, // dummy arrays; can't set these!
     fetch: [],
     fetchAllFields: false
   };
@@ -562,13 +619,13 @@ Meteor.Collection.prototype._defineMutationMethods = function() {
 
             // In a client simulation, you can do any mutation (even with a
             // complex selector).
-            self._collection[method].apply(
+            return self._collection[method].apply(
               self._collection, _.toArray(arguments));
-            return;
           }
 
-          // This is the server receiving a method call from the client. We
-          // don't allow arbitrary selectors in mutations from the client: only
+          // This is the server receiving a method call from the client.
+
+          // We don't allow arbitrary selectors in mutations from the client: only
           // single-ID selectors.
           if (method !== 'insert')
             throwIfSelectorIsNotId(arguments[0], method);
@@ -584,11 +641,11 @@ Meteor.Collection.prototype._defineMutationMethods = function() {
             var validatedMethodName =
                   '_validated' + method.charAt(0).toUpperCase() + method.slice(1);
             var argsWithUserId = [this.userId].concat(_.toArray(arguments));
-            self[validatedMethodName].apply(self, argsWithUserId);
+            return self[validatedMethodName].apply(self, argsWithUserId);
           } else if (self._isInsecure()) {
             // In insecure mode, allow any mutation (with a simple selector).
-            self._collection[method].apply(self._collection,
-                                           _.toArray(arguments));
+            return self._collection[method].apply(self._collection,
+                                                  _.toArray(arguments));
           } else {
             // In secure mode, if we haven't called allow or deny, then nothing
             // is permitted.
@@ -674,9 +731,17 @@ Meteor.Collection.prototype._validatedUpdate = function(
     userId, selector, mutator, options) {
   var self = this;
 
+  options = options || {};
+
   if (!LocalCollection._selectorIsIdPerhapsAsObject(selector))
     throw new Error("validated update should be of a single ID");
 
+  // We don't support upserts because they don't fit nicely into allow/deny
+  // rules.
+  if (options.upsert)
+    throw new Meteor.Error(403, "Access denied. Upserts not " +
+                           "allowed in a restricted collection.");
+
   // compute modified fields
   var fields = [];
   _.each(mutator, function (params, op) {
diff --git a/packages/mongo-livedata/mongo_driver.js b/packages/mongo-livedata/mongo_driver.js
index deda9b9d482..1f7e999542b 100644
--- a/packages/mongo-livedata/mongo_driver.js
+++ b/packages/mongo-livedata/mongo_driver.js
@@ -196,7 +196,7 @@ MongoConnection.prototype._maybeBeginWrite = function () {
 // observer "has been notified" if its callback has returned.
 
 var writeCallback = function (write, refresh, callback) {
-  return Meteor.bindEnvironment(function (err, result) {
+  return function (err, result) {
     if (! err) {
       // XXX We don't have to run this on error, right?
       refresh();
@@ -206,7 +206,11 @@ var writeCallback = function (write, refresh, callback) {
       callback(err, result);
     else if (err)
       throw err;
-  }, function (err) {
+  };
+};
+
+var bindEnvironmentForWrite = function (callback) {
+  return Meteor.bindEnvironment(callback, function (err) {
     Meteor._debug("Error in Mongo write:", err.stack);
   });
 };
@@ -227,7 +231,7 @@ MongoConnection.prototype._insert = function (collection_name, document,
   var refresh = function () {
     Meteor.refresh({ collection: collection_name, id: document._id });
   };
-  callback = writeCallback(write, refresh, callback);
+  callback = bindEnvironmentForWrite(writeCallback(write, refresh, callback));
   try {
     var collection = self._getCollection(collection_name);
     collection.insert(replaceTypes(document, replaceMeteorAtomWithMongo),
@@ -274,7 +278,7 @@ MongoConnection.prototype._remove = function (collection_name, selector,
   var refresh = function () {
     self._refresh(collection_name, selector);
   };
-  callback = writeCallback(write, refresh, callback);
+  callback = bindEnvironmentForWrite(writeCallback(write, refresh, callback));
 
   try {
     var collection = self._getCollection(collection_name);
@@ -325,15 +329,162 @@ MongoConnection.prototype._update = function (collection_name, selector, mod,
     // explictly enumerate options that minimongo supports
     if (options.upsert) mongoOpts.upsert = true;
     if (options.multi) mongoOpts.multi = true;
-    collection.update(replaceTypes(selector, replaceMeteorAtomWithMongo),
-                      replaceTypes(mod, replaceMeteorAtomWithMongo),
-                      mongoOpts, callback);
+
+    var mongoSelector = replaceTypes(selector, replaceMeteorAtomWithMongo);
+    var mongoMod = replaceTypes(mod, replaceMeteorAtomWithMongo);
+
+    var isModify = isModificationMod(mongoMod);
+    var knownId = (isModify ? selector._id : mod._id);
+
+    if (options.upsert && (! knownId) && options.insertedId) {
+      // XXX In future we could do a real upsert for the mongo id generation
+      // case, if the the node mongo driver gives us back the id of the upserted
+      // doc (which our current version does not).
+      simulateUpsertWithInsertedId(
+        collection, mongoSelector, mongoMod,
+        isModify, options,
+        // This callback does not need to be bindEnvironment'ed because
+        // simulateUpsertWithInsertedId() wraps it and then passes it through
+        // bindEnvironmentForWrite.
+        function (err, result) {
+          // If we got here via a upsert() call, then options._returnObject will
+          // be set and we should return the whole object. Otherwise, we should
+          // just return the number of affected docs to match the mongo API.
+          if (result && ! options._returnObject)
+            callback(err, result.numberAffected);
+          else
+            callback(err, result);
+        }
+      );
+    } else {
+      collection.update(
+        mongoSelector, mongoMod, mongoOpts,
+        bindEnvironmentForWrite(function (err, result, extra) {
+          if (! err) {
+            if (result && options._returnObject) {
+              result = { numberAffected: result };
+              // If this was an upsert() call, and we ended up
+              // inserting a new doc and we know its id, then
+              // return that id as well.
+              if (options.upsert && knownId &&
+                  ! extra.updatedExisting)
+                result.insertedId = knownId;
+            }
+          }
+          callback(err, result);
+        }));
+    }
   } catch (e) {
     write.committed();
     throw e;
   }
 };
 
+var isModificationMod = function (mod) {
+  for (var k in mod)
+    if (k.substr(0, 1) === '$')
+      return true;
+  return false;
+};
+
+var NUM_OPTIMISTIC_TRIES = 3;
+
+// exposed for testing
+MongoConnection._isCannotChangeIdError = function (err) {
+  // either of these checks should work, but just to be safe...
+  return (err.code === 13596 ||
+          err.err.indexOf("cannot change _id of a document") === 0);
+};
+
+var simulateUpsertWithInsertedId = function (collection, selector, mod,
+                                             isModify, options, callback) {
+  // STRATEGY:  First try doing a plain update.  If it affected 0 documents,
+  // then without affecting the database, we know we should probably do an
+  // insert.  We then do a *conditional* insert that will fail in the case
+  // of a race condition.  This conditional insert is actually an
+  // upsert-replace with an _id, which will never successfully update an
+  // existing document.  If this upsert fails with an error saying it
+  // couldn't change an existing _id, then we know an intervening write has
+  // caused the query to match something.  We go back to step one and repeat.
+  // Like all "optimistic write" schemes, we rely on the fact that it's
+  // unlikely our writes will continue to be interfered with under normal
+  // circumstances (though sufficiently heavy contention with writers
+  // disagreeing on the existence of an object will cause writes to fail
+  // in theory).
+
+  var newDoc;
+  // Run this code up front so that it fails fast if someone uses
+  // a Mongo update operator we don't support.
+  if (isModify) {
+    // We've already run replaceTypes/replaceMeteorAtomWithMongo on
+    // selector and mod.  We assume it doesn't matter, as far as
+    // the behavior of modifiers is concerned, whether `_modify`
+    // is run on EJSON or on mongo-converted EJSON.
+    var selectorDoc = LocalCollection._removeDollarOperators(selector);
+    LocalCollection._modify(selectorDoc, mod, true);
+    newDoc = selectorDoc;
+  } else {
+    newDoc = mod;
+  }
+
+  var insertedId = options.insertedId; // must exist
+  var mongoOptsForUpdate = {
+    safe: true,
+    multi: options.multi
+  };
+  var mongoOptsForInsert = {
+    safe: true,
+    upsert: true
+  };
+
+  var tries = NUM_OPTIMISTIC_TRIES;
+
+  var doUpdate = function () {
+    tries--;
+    if (! tries) {
+      callback(new Error("Upsert failed after " + NUM_OPTIMISTIC_TRIES + " tries."));
+    } else {
+      collection.update(selector, mod, mongoOptsForUpdate,
+                        bindEnvironmentForWrite(function (err, result) {
+                          if (err)
+                            callback(err);
+                          else if (result)
+                            callback(null, {
+                              numberAffected: result
+                            });
+                          else
+                            doConditionalInsert();
+                        }));
+    }
+  };
+
+  var doConditionalInsert = function () {
+    var replacementWithId = _.extend(
+      replaceTypes({_id: insertedId}, replaceMeteorAtomWithMongo),
+      newDoc);
+    collection.update(selector, replacementWithId, mongoOptsForInsert,
+                      bindEnvironmentForWrite(function (err, result) {
+                        if (err) {
+                          // figure out if this is a
+                          // "cannot change _id of document" error, and
+                          // if so, try doUpdate() again, up to 3 times.
+                          if (MongoConnection._isCannotChangeIdError(err)) {
+                            doUpdate();
+                          } else {
+                            callback(err);
+                          }
+                        } else {
+                          callback(null, {
+                            numberAffected: result,
+                            insertedId: insertedId
+                          });
+                        }
+                      }));
+  };
+
+  doUpdate();
+};
+
 _.each(["insert", "update", "remove"], function (method) {
   MongoConnection.prototype[method] = function (/* arguments */) {
     var self = this;
@@ -341,6 +492,24 @@ _.each(["insert", "update", "remove"], function (method) {
   };
 });
 
+// XXX MongoConnection.upsert() does not return the id of the inserted document
+// unless you set it explicitly in the selector or modifier (as a replacement
+// doc).
+MongoConnection.prototype.upsert = function (collectionName, selector, mod,
+                                             options, callback) {
+  var self = this;
+  if (typeof options === "function" && ! callback) {
+    callback = options;
+    options = {};
+  }
+
+  return self.update(collectionName, selector, mod,
+                     _.extend({}, options, {
+                       upsert: true,
+                       _returnObject: true
+                     }), callback);
+};
+
 MongoConnection.prototype.find = function (collectionName, selector, options) {
   var self = this;
 
@@ -437,9 +606,15 @@ _.each(['forEach', 'map', 'rewind', 'fetch', 'count'], function (method) {
     if (self._cursorDescription.options.tailable)
       throw new Error("Cannot call " + method + " on a tailable cursor");
 
-    if (!self._synchronousCursor)
+    if (!self._synchronousCursor) {
       self._synchronousCursor = self._mongo._createSynchronousCursor(
-        self._cursorDescription, true);
+        self._cursorDescription, {
+          // Make sure that the "self" argument to forEach/map callbacks is the
+          // Cursor, not the SynchronousCursor.
+          selfForIteration: self,
+          useTransform: true
+        });
+    }
 
     return self._synchronousCursor[method].apply(
       self._synchronousCursor, arguments);
@@ -481,20 +656,21 @@ Cursor.prototype.observeChanges = function (callbacks) {
     self._cursorDescription, ordered, callbacks);
 };
 
-MongoConnection.prototype._createSynchronousCursor = function(cursorDescription,
-                                                              useTransform) {
+MongoConnection.prototype._createSynchronousCursor = function(
+    cursorDescription, options) {
   var self = this;
+  options = _.pick(options || {}, 'selfForIteration', 'useTransform');
 
   var collection = self._getCollection(cursorDescription.collectionName);
-  var options = cursorDescription.options;
+  var cursorOptions = cursorDescription.options;
   var mongoOptions = {
-    sort: options.sort,
-    limit: options.limit,
-    skip: options.skip
+    sort: cursorOptions.sort,
+    limit: cursorOptions.limit,
+    skip: cursorOptions.skip
   };
 
   // Do we want a tailable cursor (which only works on capped collections)?
-  if (options.tailable) {
+  if (cursorOptions.tailable) {
     // We want a tailable cursor...
     mongoOptions.tailable = true;
     // ... and for the server to wait a bit if any getMore has no data (rather
@@ -507,16 +683,21 @@ MongoConnection.prototype._createSynchronousCursor = function(cursorDescription,
 
   var dbCursor = collection.find(
     replaceTypes(cursorDescription.selector, replaceMeteorAtomWithMongo),
-    options.fields, mongoOptions);
+    cursorOptions.fields, mongoOptions);
 
-  return new SynchronousCursor(dbCursor, cursorDescription, useTransform);
+  return new SynchronousCursor(dbCursor, cursorDescription, options);
 };
 
-var SynchronousCursor = function (dbCursor, cursorDescription, useTransform) {
+var SynchronousCursor = function (dbCursor, cursorDescription, options) {
   var self = this;
+  options = _.pick(options || {}, 'selfForIteration', 'useTransform');
+
   self._dbCursor = dbCursor;
   self._cursorDescription = cursorDescription;
-  if (useTransform && cursorDescription.options.transform) {
+  // The "self" argument passed to forEach/map callbacks. If we're wrapped
+  // inside a user-visible Cursor, we want to provide the outer cursor!
+  self._selfForIteration = options.selfForIteration || self;
+  if (options.useTransform && cursorDescription.options.transform) {
     self._transform = Deps._makeNonreactive(
       cursorDescription.options.transform
     );
@@ -558,29 +739,26 @@ _.extend(SynchronousCursor.prototype, {
     }
   },
 
-  // XXX Make more like ECMA forEach:
-  //     https://github.com/meteor/meteor/pull/63#issuecomment-5320050
-  forEach: function (callback) {
+  forEach: function (callback, thisArg) {
     var self = this;
 
     // We implement the loop ourself instead of using self._dbCursor.each,
     // because "each" will call its callback outside of a fiber which makes it
     // much more complex to make this function synchronous.
+    var index = 0;
     while (true) {
       var doc = self._nextObject();
       if (!doc) return;
-      callback(doc);
+      callback.call(thisArg, doc, index++, self._selfForIteration);
     }
   },
 
-  // XXX Make more like ECMA map:
-  //     https://github.com/meteor/meteor/pull/63#issuecomment-5320050
   // XXX Allow overlapping callback executions if callback yields.
-  map: function (callback) {
+  map: function (callback, thisArg) {
     var self = this;
     var res = [];
-    self.forEach(function (doc) {
-      res.push(callback(doc));
+    self.forEach(function (doc, index) {
+      res.push(callback.call(thisArg, doc, index, self._selfForIteration));
     });
     return res;
   },
@@ -892,7 +1070,7 @@ _.extend(LiveResultsSet.prototype, {
       self._synchronousCursor.rewind();
     } else {
       self._synchronousCursor = self._mongoHandle._createSynchronousCursor(
-        self._cursorDescription, false /* !useTransform */);
+        self._cursorDescription);
     }
     var newResults = self._synchronousCursor.getRawObjects(self._ordered);
     var oldResults = self._results;
@@ -1020,8 +1198,7 @@ MongoConnection.prototype._observeChangesTailable = function (
                     + " tailable cursor without a "
                     + (ordered ? "addedBefore" : "added") + " callback");
   }
-  var cursor = self._createSynchronousCursor(cursorDescription,
-                                            false /* useTransform */);
+  var cursor = self._createSynchronousCursor(cursorDescription);
 
   var stopped = false;
   var lastTS = undefined;
@@ -1063,7 +1240,7 @@ MongoConnection.prototype._observeChangesTailable = function (
         cursor = self._createSynchronousCursor(new CursorDescription(
           cursorDescription.collectionName,
           newSelector,
-          cursorDescription.options), false /* useTransform */);
+          cursorDescription.options));
       }
     }
   });
diff --git a/packages/mongo-livedata/mongo_livedata_tests.js b/packages/mongo-livedata/mongo_livedata_tests.js
index 64a23991eec..33877d62188 100644
--- a/packages/mongo-livedata/mongo_livedata_tests.js
+++ b/packages/mongo-livedata/mongo_livedata_tests.js
@@ -23,6 +23,108 @@ if (Meteor.isServer) {
   });
 }
 
+
+// Helpers for upsert tests
+
+var stripId = function (obj) {
+  delete obj._id;
+};
+
+var compareResults = function (test, skipIds, actual, expected) {
+  if (skipIds) {
+    _.map(actual, stripId);
+    _.map(expected, stripId);
+  }
+  // (technically should ignore order in comparison)
+  test.equal(actual, expected);
+};
+
+var upsert = function (coll, useUpdate, query, mod, options, callback) {
+  if (! callback && typeof options === "function") {
+    callback = options;
+    options = {};
+  }
+
+  if (useUpdate) {
+    if (callback)
+      return coll.update(query, mod,
+                         _.extend({ upsert: true }, options),
+                         function (err, result) {
+                           callback(err, ! err && {
+                             numberAffected: result
+                           });
+                         });
+    return {
+      numberAffected: coll.update(query, mod,
+                                  _.extend({ upsert: true }, options))
+    };
+  } else {
+    return coll.upsert(query, mod, options, callback);
+  }
+};
+
+var upsertTestMethod = "livedata_upsert_test_method";
+var upsertTestMethodColl;
+
+// This is the implementation of the upsert test method on both the client and
+// the server. On the client, we get a test object. On the server, we just throw
+// errors if something doesn't go according to plan, and when the client
+// receives those errors it will cause the test to fail.
+//
+// Client-side exceptions in here will NOT cause the test to fail! Because it's
+// a stub, those exceptions will get caught and logged.
+var upsertTestMethodImpl = function (coll, useUpdate, test) {
+  coll.remove({});
+  var result1 = upsert(coll, useUpdate, { foo: "bar" }, { foo: "bar" });
+
+  if (! test) {
+    test = {
+      equal: function (a, b) {
+        if (! EJSON.equals(a, b))
+          throw new Error("Not equal: " +
+                          JSON.stringify(a) + ", " + JSON.stringify(b));
+      },
+      isTrue: function (a) {
+        if (! a)
+          throw new Error("Not truthy: " + JSON.stringify(a));
+      },
+      isFalse: function (a) {
+        if (a)
+          throw new Error("Not falsey: " + JSON.stringify(a));
+      }
+    };
+  }
+
+  // if we don't test this, then testing result1.numberAffected will throw,
+  // which will get caught and logged and the whole test will pass!
+  test.isTrue(result1);
+
+  test.equal(result1.numberAffected, 1);
+  if (! useUpdate)
+    test.isTrue(result1.insertedId);
+  var fooId = result1.insertedId;
+  var obj = coll.findOne({ foo: "bar" });
+  test.isTrue(obj);
+  if (! useUpdate)
+    test.equal(obj._id, result1.insertedId);
+  var result2 = upsert(coll, useUpdate, { _id: fooId },
+                       { $set: { foo: "baz " } });
+  test.isTrue(result2);
+  test.equal(result2.numberAffected, 1);
+  test.isFalse(result2.insertedId);
+};
+
+if (Meteor.isServer) {
+  var m = {};
+  m[upsertTestMethod] = function (run, useUpdate, options) {
+    check(run, String);
+    check(useUpdate, Boolean);
+    upsertTestMethodColl = new Meteor.Collection(upsertTestMethod + "_collection_" + run, options);
+    upsertTestMethodImpl(upsertTestMethodColl, useUpdate);
+  };
+  Meteor.methods(m);
+}
+
 Meteor._FailureTestCollection =
   new Meteor.Collection("___meteor_failure_test_collection");
 
@@ -50,7 +152,6 @@ EJSON.addType("dog", function (o) { return new Dog(o.name, o.color, o.actions);}
 // Parameterize tests.
 _.each( ['STRING', 'MONGO'], function(idGeneration) {
 
-
 var collectionOptions = { idGeneration: idGeneration};
 
 testAsyncMulti("mongo-livedata - database error reporting. " + idGeneration, [
@@ -176,7 +277,12 @@ Tinytest.addAsync("mongo-livedata - basics, " + idGeneration, function (test, on
 
   var cur = coll.find({run: run}, {sort: ["x"]});
   var total = 0;
-  cur.forEach(function (doc) {
+  var index = 0;
+  var context = {};
+  cur.forEach(function (doc, i, cursor) {
+    test.equal(i, index++);
+    test.isTrue(cursor === cur);
+    test.isTrue(context === this);
     total *= 10;
     if (Meteor.isServer) {
       // Verify that the callbacks from forEach run sequentially and that
@@ -190,19 +296,31 @@ Tinytest.addAsync("mongo-livedata - basics, " + idGeneration, function (test, on
     total += doc.x;
     // verify the meteor environment is set up here
     coll2.insert({total:total});
-  });
+  }, context);
   test.equal(total, 14);
 
   cur.rewind();
-  test.equal(cur.map(function (doc) {
+  index = 0;
+  test.equal(cur.map(function (doc, i, cursor) {
+    // XXX we could theoretically make map run its iterations in parallel or
+    // something which would make this fail
+    test.equal(i, index++);
+    test.isTrue(cursor === cur);
+    test.isTrue(context === this);
     return doc.x * 2;
-  }), [2, 8]);
+  }, context), [2, 8]);
 
   test.equal(_.pluck(coll.find({run: run}, {sort: {x: -1}}).fetch(), "x"),
              [4, 1]);
 
+  expectObserve('', function () {
+    var count = coll.update({run: run, x: -1}, {$inc: {x: 2}}, {multi: true});
+    test.equal(count, 0);
+  });
+
   expectObserve('c(3,0,1)c(6,1,4)', function () {
-    coll.update({run: run}, {$inc: {x: 2}}, {multi: true});
+    var count = coll.update({run: run}, {$inc: {x: 2}}, {multi: true});
+    test.equal(count, 2);
     test.equal(_.pluck(coll.find({run: run}, {sort: {x: -1}}).fetch(), "x"),
                [6, 3]);
   });
@@ -215,7 +333,8 @@ Tinytest.addAsync("mongo-livedata - basics, " + idGeneration, function (test, on
   });
 
   expectObserve('r(13,1)', function () {
-    coll.remove({run: run, x: {$gt: 10}});
+    var count = coll.remove({run: run, x: {$gt: 10}});
+    test.equal(count, 1);
     test.equal(coll.find({run: run}).count(), 1);
   });
 
@@ -224,6 +343,12 @@ Tinytest.addAsync("mongo-livedata - basics, " + idGeneration, function (test, on
     test.equal(coll.find({run: run}).count(), 0);
   });
 
+  expectObserve('', function () {
+    var count = coll.remove({run: run});
+    test.equal(count, 0);
+    test.equal(coll.find({run: run}).count(), 0);
+  });
+
   obs.stop();
   onComplete();
 });
@@ -606,6 +731,7 @@ if (Meteor.isServer) {
     var id = coll.insert(doc);
     coll.update(id, { $set: { foo: "baz" } }, function (err, result) {
       test.equal(err, null);
+      test.equal(result, 1);
       test.equal(x, 1);
       onComplete();
     });
@@ -801,6 +927,38 @@ testAsyncMulti('mongo-livedata - document with a custom type, ' + idGeneration,
 ]);
 
 if (Meteor.isServer) {
+  Tinytest.addAsync("mongo-livedata - update return values, " + idGeneration, function (test, onComplete) {
+    var run = test.runId();
+    var coll = new Meteor.Collection("livedata_update_result_"+run, collectionOptions);
+
+    coll.insert({ foo: "bar" });
+    coll.insert({ foo: "baz" });
+    test.equal(coll.update({}, { $set: { foo: "qux" } }, { multi: true }),
+               2);
+    coll.update({}, { $set: { foo: "quux" } }, { multi: true }, function (err, result) {
+      test.isFalse(err);
+      test.equal(result, 2);
+      onComplete();
+    });
+  });
+
+  Tinytest.addAsync("mongo-livedata - remove return values, " + idGeneration, function (test, onComplete) {
+    var run = test.runId();
+    var coll = new Meteor.Collection("livedata_update_result_"+run, collectionOptions);
+
+    coll.insert({ foo: "bar" });
+    coll.insert({ foo: "baz" });
+    test.equal(coll.remove({}), 2);
+    coll.insert({ foo: "bar" });
+    coll.insert({ foo: "baz" });
+    coll.remove({}, function (err, result) {
+      test.isFalse(err);
+      test.equal(result, 2);
+      onComplete();
+    });
+  });
+
+
   Tinytest.addAsync("mongo-livedata - id-based invalidation, " + idGeneration, function (test, onComplete) {
     var run = test.runId();
     var coll = new Meteor.Collection("livedata_invalidation_collection_"+run, collectionOptions);
@@ -868,8 +1026,503 @@ if (Meteor.isServer) {
     _.each(handlesToStop, function (h) {h.stop();});
     onComplete();
   });
+
+  Tinytest.add("mongo-livedata - upsert error parse, " + idGeneration, function (test) {
+    var run = test.runId();
+    var coll = new Meteor.Collection("livedata_upsert_errorparse_collection_"+run, collectionOptions);
+
+    coll.insert({_id: 'foobar'});
+    var err;
+    try {
+      coll.update({_id: 'foobar'}, {_id: 'cowbar'});
+    } catch (e) {
+      err = e;
+    }
+    test.isTrue(err);
+    test.isTrue(MongoInternals.Connection._isCannotChangeIdError(err));
+
+    try {
+      coll.insert({_id: 'foobar'});
+    } catch (e) {
+      err = e;
+    }
+    test.isTrue(err);
+    // duplicate id error is not same as change id error
+    test.isFalse(MongoInternals.Connection._isCannotChangeIdError(err));
+  });
+
+} // end Meteor.isServer
+
+// This test is duplicated below (with some changes) for async upserts that go
+// over the network.
+_.each(Meteor.isServer ? [true, false] : [true], function (minimongo) {
+  _.each([true, false], function (useUpdate) {
+    _.each([true, false], function (useDirectCollection) {
+      Tinytest.add("mongo-livedata - " + (useUpdate ? "update " : "") + "upsert" + (minimongo ? " minimongo" : "") + (useDirectCollection ? " direct collection " : "") + ", " + idGeneration, function (test) {
+        var run = test.runId();
+        var options = collectionOptions;
+        // We don't get ids back when we use update() to upsert, or when we are
+        // directly calling MongoConnection.upsert().
+        var skipIds = useUpdate || (! minimongo && useDirectCollection);
+        if (minimongo)
+          options = _.extend({}, collectionOptions, { connection: null });
+        var coll = new Meteor.Collection(
+          "livedata_upsert_collection_"+run+
+            (useUpdate ? "_update_" : "") +
+            (minimongo ? "_minimongo_" : "") +
+            (useDirectCollection ? "_direct_" : "") + "",
+          options
+        );
+        if (useDirectCollection)
+          coll = coll._collection;
+
+        var result1 = upsert(coll, useUpdate, {foo: 'bar'}, {foo: 'bar'});
+        test.equal(result1.numberAffected, 1);
+        if (! skipIds)
+          test.isTrue(result1.insertedId);
+        compareResults(test, skipIds, coll.find().fetch(), [{foo: 'bar', _id: result1.insertedId}]);
+
+        var result2 = upsert(coll, useUpdate, {foo: 'bar'}, {foo: 'baz'});
+        test.equal(result2.numberAffected, 1);
+        if (! skipIds)
+          test.isFalse(result2.insertedId);
+        compareResults(test, skipIds, coll.find().fetch(), [{foo: 'baz', _id: result1.insertedId}]);
+
+        coll.remove({});
+
+        // Test values that require transformation to go into Mongo:
+
+        var t1 = new Meteor.Collection.ObjectID();
+        var t2 = new Meteor.Collection.ObjectID();
+        var result3 = upsert(coll, useUpdate, {foo: t1}, {foo: t1});
+        test.equal(result3.numberAffected, 1);
+        if (! skipIds)
+          test.isTrue(result3.insertedId);
+        compareResults(test, skipIds, coll.find().fetch(), [{foo: t1, _id: result3.insertedId}]);
+
+        var result4 = upsert(coll, useUpdate, {foo: t1}, {foo: t2});
+        test.equal(result2.numberAffected, 1);
+        if (! skipIds)
+          test.isFalse(result2.insertedId);
+        compareResults(test, skipIds, coll.find().fetch(), [{foo: t2, _id: result3.insertedId}]);
+
+        coll.remove({});
+
+        // Test modification by upsert
+
+        var result5 = upsert(coll, useUpdate, {name: 'David'}, {$set: {foo: 1}});
+        test.equal(result5.numberAffected, 1);
+        if (! skipIds)
+          test.isTrue(result5.insertedId);
+        var davidId = result5.insertedId;
+        compareResults(test, skipIds, coll.find().fetch(), [{name: 'David', foo: 1, _id: davidId}]);
+
+        test.throws(function () {
+          // test that bad modifier fails fast
+          upsert(coll, useUpdate, {name: 'David'}, {$blah: {foo: 2}});
+        });
+
+
+        var result6 = upsert(coll, useUpdate, {name: 'David'}, {$set: {foo: 2}});
+        test.equal(result6.numberAffected, 1);
+        if (! skipIds)
+          test.isFalse(result6.insertedId);
+        compareResults(test, skipIds, coll.find().fetch(), [{name: 'David', foo: 2,
+                                                               _id: result5.insertedId}]);
+
+        var emilyId = coll.insert({name: 'Emily', foo: 2});
+        compareResults(test, skipIds, coll.find().fetch(), [{name: 'David', foo: 2, _id: davidId},
+                                                              {name: 'Emily', foo: 2, _id: emilyId}]);
+
+        // multi update by upsert
+        var result7 = upsert(coll, useUpdate, {foo: 2},
+                             {$set: {bar: 7},
+                              $setOnInsert: {name: 'Fred', foo: 2}},
+                             {multi: true});
+        test.equal(result7.numberAffected, 2);
+        if (! skipIds)
+          test.isFalse(result7.insertedId);
+        compareResults(test, skipIds, coll.find().fetch(), [{name: 'David', foo: 2, bar: 7, _id: davidId},
+                                                              {name: 'Emily', foo: 2, bar: 7, _id: emilyId}]);
+
+        // insert by multi upsert
+        var result8 = upsert(coll, useUpdate, {foo: 3},
+                             {$set: {bar: 7},
+                              $setOnInsert: {name: 'Fred', foo: 2}},
+                             {multi: true});
+        test.equal(result8.numberAffected, 1);
+        if (! skipIds)
+          test.isTrue(result8.insertedId);
+        var fredId = result8.insertedId;
+        compareResults(test, skipIds, coll.find().fetch(),
+                       [{name: 'David', foo: 2, bar: 7, _id: davidId},
+                        {name: 'Emily', foo: 2, bar: 7, _id: emilyId},
+                        {name: 'Fred', foo: 2, bar: 7, _id: fredId}]);
+
+        // test `insertedId` option
+        var result9 = upsert(coll, useUpdate, {name: 'Steve'},
+                             {name: 'Steve'},
+                             {insertedId: 'steve'});
+        test.equal(result9.numberAffected, 1);
+        if (! skipIds)
+          test.equal(result9.insertedId, 'steve');
+        compareResults(test, skipIds, coll.find().fetch(),
+                       [{name: 'David', foo: 2, bar: 7, _id: davidId},
+                        {name: 'Emily', foo: 2, bar: 7, _id: emilyId},
+                        {name: 'Fred', foo: 2, bar: 7, _id: fredId},
+                        {name: 'Steve', _id: 'steve'}]);
+        test.isTrue(coll.findOne('steve'));
+        test.isFalse(coll.findOne('fred'));
+
+        // Test $ operator in selectors.
+
+        var result10 = upsert(coll, useUpdate,
+                              {$or: [{name: 'David'}, {name: 'Emily'}]},
+                              {$set: {foo: 3}}, {multi: true});
+        test.equal(result10.numberAffected, 2);
+        if (! skipIds)
+          test.isFalse(result10.insertedId);
+        compareResults(test, skipIds,
+                       [coll.findOne({name: 'David'}), coll.findOne({name: 'Emily'})],
+                       [{name: 'David', foo: 3, bar: 7, _id: davidId},
+                        {name: 'Emily', foo: 3, bar: 7, _id: emilyId}]
+                      );
+
+        var result11 = upsert(
+          coll, useUpdate,
+          {
+            name: 'Charlie',
+            $or: [{ foo: 2}, { bar: 7 }]
+          },
+          { $set: { foo: 3 } }
+        );
+        test.equal(result11.numberAffected, 1);
+        if (! skipIds)
+          test.isTrue(result11.insertedId);
+        var charlieId = result11.insertedId;
+        compareResults(test, skipIds,
+                       coll.find({ name: 'Charlie' }).fetch(),
+                       [{name: 'Charlie', foo: 3, _id: charlieId}]);
+      });
+    });
+  });
+});
+
+var asyncUpsertTestName = function (useNetwork, useDirectCollection,
+                                    useUpdate, idGeneration) {
+  return "mongo-livedata - async " +
+    (useUpdate ? "update " : "") +
+    "upsert " +
+    (useNetwork ? "over network " : "") +
+    (useDirectCollection ? ", direct collection " : "") +
+    idGeneration;
+};
+
+// This is a duplicate of the test above, with some changes to make it work for
+// callback style. On the client, we test server-backed and in-memory
+// collections, and run the tests for both the Meteor.Collection and the
+// LocalCollection. On the server, we test mongo-backed collections, for both
+// the Meteor.Collection and the MongoConnection.
+_.each(Meteor.isServer ? [false] : [true, false], function (useNetwork) {
+  _.each(useNetwork ? [false] : [true, false], function (useDirectCollection) {
+    _.each([true, false], function (useUpdate) {
+      Tinytest.addAsync(asyncUpsertTestName(useNetwork, useDirectCollection, useUpdate, idGeneration), function (test, onComplete) {
+        var coll;
+        var run = test.runId();
+        var collName = "livedata_upsert_collection_"+run+
+              (useUpdate ? "_update_" : "") +
+              (useNetwork ? "_network_" : "") +
+              (useDirectCollection ? "_direct_" : "");
+        if (useNetwork) {
+          Meteor.call("createInsecureCollection", collName, collectionOptions);
+          coll = new Meteor.Collection(collName, collectionOptions);
+          Meteor.subscribe("c-" + collName);
+        } else {
+          var opts = _.clone(collectionOptions);
+          if (Meteor.isClient)
+            opts.connection = null;
+          coll = new Meteor.Collection(collName, opts);
+          if (useDirectCollection)
+            coll = coll._collection;
+        }
+
+        var result1;
+        var next1 = function (err, result) {
+          result1 = result;
+          test.equal(result1.numberAffected, 1);
+          if (! useUpdate) {
+            test.isTrue(result1.insertedId);
+            test.equal(result1.insertedId, 'foo');
+          }
+          compareResults(test, useUpdate, coll.find().fetch(), [{foo: 'bar', _id: 'foo'}]);
+          upsert(coll, useUpdate, {_id: 'foo'}, {foo: 'baz'}, next2);
+        };
+
+        // Test starts here.
+        upsert(coll, useUpdate, {_id: 'foo'}, {_id: 'foo', foo: 'bar'}, next1);
+
+        var t1, t2, result2;
+        var next2 = function (err, result) {
+          result2 = result;
+          test.equal(result2.numberAffected, 1);
+          if (! useUpdate)
+            test.isFalse(result2.insertedId);
+          compareResults(test, useUpdate, coll.find().fetch(), [{foo: 'baz', _id: result1.insertedId}]);
+          coll.remove({_id: 'foo'});
+          compareResults(test, useUpdate, coll.find().fetch(), []);
+
+          // Test values that require transformation to go into Mongo:
+
+          t1 = new Meteor.Collection.ObjectID();
+          t2 = new Meteor.Collection.ObjectID();
+          upsert(coll, useUpdate, {_id: t1}, {_id: t1, foo: 'bar'}, next3);
+        };
+
+        var result3;
+        var next3 = function (err, result) {
+          result3 = result;
+          test.equal(result3.numberAffected, 1);
+          if (! useUpdate) {
+            test.isTrue(result3.insertedId);
+            test.equal(t1, result3.insertedId);
+          }
+          compareResults(test, useUpdate, coll.find().fetch(), [{_id: t1, foo: 'bar'}]);
+
+          upsert(coll, useUpdate, {_id: t1}, {foo: t2}, next4);
+        };
+
+        var next4 = function (err, result4) {
+          test.equal(result2.numberAffected, 1);
+          if (! useUpdate)
+            test.isFalse(result2.insertedId);
+          compareResults(test, useUpdate, coll.find().fetch(), [{foo: t2, _id: result3.insertedId}]);
+
+          coll.remove({_id: t1});
+
+          // Test modification by upsert
+          upsert(coll, useUpdate, {_id: 'David'}, {$set: {foo: 1}}, next5);
+        };
+
+        var result5;
+        var next5 = function (err, result) {
+          result5 = result;
+          test.equal(result5.numberAffected, 1);
+          if (! useUpdate) {
+            test.isTrue(result5.insertedId);
+            test.equal(result5.insertedId, 'David');
+          }
+          var davidId = result5.insertedId;
+          compareResults(test, useUpdate, coll.find().fetch(), [{foo: 1, _id: davidId}]);
+
+          if (! Meteor.isClient && useDirectCollection) {
+            // test that bad modifier fails
+            // The stub throws an exception about the invalid modifier, which
+            // livedata logs (so we suppress it).
+            Meteor._suppress_log(1);
+            upsert(coll, useUpdate, {_id: 'David'}, {$blah: {foo: 2}}, function (err) {
+              if (! (Meteor.isClient && useDirectCollection))
+                test.isTrue(err);
+              upsert(coll, useUpdate, {_id: 'David'}, {$set: {foo: 2}}, next6);
+            });
+          } else {
+            // XXX skip this test for now for LocalCollection; the fact that
+            // we're in a nested sequence of callbacks means we're inside a
+            // Meteor.defer, which means the exception just gets
+            // logged. Something should be done about this at some point?  Maybe
+            // LocalCollection callbacks don't really have to be deferred.
+            upsert(coll, useUpdate, {_id: 'David'}, {$set: {foo: 2}}, next6);
+          }
+        };
+
+        var result6;
+        var next6 = function (err, result) {
+          result6 = result;
+          test.equal(result6.numberAffected, 1);
+          if (! useUpdate)
+            test.isFalse(result6.insertedId);
+          compareResults(test, useUpdate, coll.find().fetch(), [{_id: 'David', foo: 2}]);
+
+          var emilyId = coll.insert({_id: 'Emily', foo: 2});
+          compareResults(test, useUpdate, coll.find().fetch(), [{_id: 'David', foo: 2},
+                                                                {_id: 'Emily', foo: 2}]);
+
+          // multi update by upsert.
+          // We can't actually update multiple documents since we have to do it by
+          // id, but at least make sure the multi flag doesn't mess anything up.
+          upsert(coll, useUpdate, {_id: 'Emily'},
+                 {$set: {bar: 7},
+                  $setOnInsert: {name: 'Fred', foo: 2}},
+                 {multi: true}, next7);
+        };
+
+        var result7;
+        var next7 = function (err, result) {
+          result7 = result;
+          test.equal(result7.numberAffected, 1);
+          if (! useUpdate)
+            test.isFalse(result7.insertedId);
+          compareResults(test, useUpdate, coll.find().fetch(), [{_id: 'David', foo: 2},
+                                                                {_id: 'Emily', foo: 2, bar: 7}]);
+
+          // insert by multi upsert
+          upsert(coll, useUpdate, {_id: 'Fred'},
+                 {$set: {bar: 7},
+                  $setOnInsert: {name: 'Fred', foo: 2}},
+                 {multi: true}, next8);
+
+        };
+
+        var result8;
+        var next8 = function (err, result) {
+          result8 = result;
+
+          test.equal(result8.numberAffected, 1);
+          if (! useUpdate) {
+            test.isTrue(result8.insertedId);
+            test.equal(result8.insertedId, 'Fred');
+          }
+          var fredId = result8.insertedId;
+          compareResults(test, useUpdate,  coll.find().fetch(),
+                         [{_id: 'David', foo: 2},
+                          {_id: 'Emily', foo: 2, bar: 7},
+                          {name: 'Fred', foo: 2, bar: 7, _id: fredId}]);
+          onComplete();
+        };
+      });
+    });
+  });
+});
+
+if (Meteor.isClient) {
+  Tinytest.addAsync("mongo-livedata - async update/remove return values over network " + idGeneration, function (test, onComplete) {
+    var coll;
+    var run = test.runId();
+    var collName = "livedata_upsert_collection_"+run;
+    Meteor.call("createInsecureCollection", collName, collectionOptions);
+    coll = new Meteor.Collection(collName, collectionOptions);
+    Meteor.subscribe("c-" + collName);
+
+    coll.insert({ _id: "foo" });
+    coll.insert({ _id: "bar" });
+    coll.update({ _id: "foo" }, { $set: { foo: 1 } }, { multi: true }, function (err, result) {
+      test.isFalse(err);
+      test.equal(result, 1);
+      coll.update({ _id: "foo" }, { _id: "foo", foo: 2 }, function (err, result) {
+        test.isFalse(err);
+        test.equal(result, 1);
+        coll.update({ _id: "baz" }, { $set: { foo: 1 } }, function (err, result) {
+          test.isFalse(err);
+          test.equal(result, 0);
+          coll.remove({ _id: "foo" }, function (err, result) {
+            test.equal(result, 1);
+            coll.remove({ _id: "baz" }, function (err, result) {
+              test.equal(result, 0);
+              onComplete();
+            });
+          });
+        });
+      });
+    });
+  });
 }
 
+// Runs a method and its stub which do some upserts. The method throws an error
+// if we don't get the right return values.
+if (Meteor.isClient) {
+  _.each([true, false], function (useUpdate) {
+    Tinytest.addAsync("mongo-livedata - " + (useUpdate ? "update " : "") + "upsert in method, " + idGeneration, function (test, onComplete) {
+      var run = test.runId();
+      upsertTestMethodColl = new Meteor.Collection(upsertTestMethod + "_collection_" + run, collectionOptions);
+      var m = {};
+      delete Meteor.connection._methodHandlers[upsertTestMethod];
+      m[upsertTestMethod] = function (run, useUpdate, options) {
+        upsertTestMethodImpl(upsertTestMethodColl, useUpdate, test);
+      };
+      Meteor.methods(m);
+      Meteor.call(upsertTestMethod, run, useUpdate, collectionOptions, function (err, result) {
+        test.isFalse(err);
+        onComplete();
+      });
+    });
+  });
+}
+
+_.each(Meteor.isServer ? [true, false] : [true], function (minimongo) {
+  _.each([true, false], function (useUpdate) {
+    Tinytest.add("mongo-livedata - " + (useUpdate ? "update " : "") + "upsert by id" + (minimongo ? " minimongo" : "") + ", " + idGeneration, function (test) {
+      var run = test.runId();
+      var options = collectionOptions;
+      if (minimongo)
+        options = _.extend({}, collectionOptions, { connection: null });
+      var coll = new Meteor.Collection("livedata_upsert_by_id_collection_"+run, options);
+
+      var ret;
+      ret = upsert(coll, useUpdate, {_id: 'foo'}, {$set: {x: 1}});
+      test.equal(ret.numberAffected, 1);
+      if (! useUpdate)
+        test.equal(ret.insertedId, 'foo');
+      compareResults(test, useUpdate, coll.find().fetch(),
+                     [{_id: 'foo', x: 1}]);
+
+      ret = upsert(coll, useUpdate, {_id: 'foo'}, {$set: {x: 2}});
+      test.equal(ret.numberAffected, 1);
+      if (! useUpdate)
+        test.isFalse(ret.insertedId);
+      compareResults(test, useUpdate, coll.find().fetch(),
+                     [{_id: 'foo', x: 2}]);
+
+      ret = upsert(coll, useUpdate, {_id: 'bar'}, {$set: {x: 1}});
+      test.equal(ret.numberAffected, 1);
+      if (! useUpdate)
+        test.equal(ret.insertedId, 'bar');
+      compareResults(test, useUpdate, coll.find().fetch(),
+                     [{_id: 'foo', x: 2},
+                      {_id: 'bar', x: 1}]);
+
+      coll.remove({});
+
+      ret = upsert(coll, useUpdate, {_id: 'traz'}, {x: 1});
+      test.equal(ret.numberAffected, 1);
+      var myId = ret.insertedId;
+      if (! useUpdate) {
+        test.isTrue(myId);
+        // upsert with entire document does NOT take _id from
+        // the query.
+        test.notEqual(myId, 'traz');
+      } else {
+        myId = coll.findOne()._id;
+      }
+      compareResults(test, useUpdate, coll.find().fetch(),
+                     [{x: 1, _id: myId}]);
+
+      // this time, insert as _id 'traz'
+      ret = upsert(coll, useUpdate, {_id: 'traz'}, {_id: 'traz', x: 2});
+      test.equal(ret.numberAffected, 1);
+      if (! useUpdate)
+        test.equal(ret.insertedId, 'traz');
+      compareResults(test, useUpdate, coll.find().fetch(),
+                     [{x: 1, _id: myId},
+                      {x: 2, _id: 'traz'}]);
+
+      // now update _id 'traz'
+      ret = upsert(coll, useUpdate, {_id: 'traz'}, {x: 3});
+      test.equal(ret.numberAffected, 1);
+      test.isFalse(ret.insertedId);
+      compareResults(test, useUpdate, coll.find().fetch(),
+                     [{x: 1, _id: myId},
+                      {x: 3, _id: 'traz'}]);
+
+      // now update, passing _id (which is ok as long as it's the same)
+      ret = upsert(coll, useUpdate, {_id: 'traz'}, {_id: 'traz', x: 4});
+      test.equal(ret.numberAffected, 1);
+      test.isFalse(ret.insertedId);
+      compareResults(test, useUpdate, coll.find().fetch(),
+                     [{x: 1, _id: myId},
+                      {x: 4, _id: 'traz'}]);
+
+    });
+  });
+});
 
 });  // end idGeneration parametrization
 
diff --git a/packages/mongo-livedata/package.js b/packages/mongo-livedata/package.js
index ad0c0732753..ce94ac1c373 100644
--- a/packages/mongo-livedata/package.js
+++ b/packages/mongo-livedata/package.js
@@ -12,7 +12,7 @@ Package.describe({
   internal: true
 });
 
-Npm.depends({mongodb: "1.3.17"});
+Npm.depends({mongodb: "1.3.19"});
 
 Package.on_use(function (api) {
   api.use(['random', 'ejson', 'json', 'underscore', 'minimongo', 'logging',
diff --git a/packages/mongo-livedata/remote_collection_driver.js b/packages/mongo-livedata/remote_collection_driver.js
index 9c155ca6989..41502c17eb4 100644
--- a/packages/mongo-livedata/remote_collection_driver.js
+++ b/packages/mongo-livedata/remote_collection_driver.js
@@ -8,8 +8,8 @@ _.extend(MongoInternals.RemoteCollectionDriver.prototype, {
     var self = this;
     var ret = {};
     _.each(
-      ['find', 'findOne', 'insert', 'update', 'remove', '_ensureIndex',
-       '_dropIndex', '_createCappedCollection'],
+      ['find', 'findOne', 'insert', 'update', , 'upsert',
+       'remove', '_ensureIndex', '_dropIndex', '_createCappedCollection'],
       function (m) {
         ret[m] = _.bind(self.mongo[m], self.mongo, name);
       });
diff --git a/packages/oauth1/oauth1_binding.js b/packages/oauth1/oauth1_binding.js
index 8047f387c66..bf9b88140d6 100644
--- a/packages/oauth1/oauth1_binding.js
+++ b/packages/oauth1/oauth1_binding.js
@@ -4,16 +4,16 @@ var querystring = Npm.require("querystring");
 // An OAuth1 wrapper around http calls which helps get tokens and
 // takes care of HTTP headers
 //
-// @param consumerKey {String} As supplied by the OAuth1 provider
-// @param consumerSecret {String} As supplied by the OAuth1 provider
+// @param config {Object} 
+//   - consumerKey (String): oauth consumer key
+//   - secret (String): oauth consumer secret
 // @param urls {Object}
 //   - requestToken (String): url
 //   - authorize (String): url
 //   - accessToken (String): url
 //   - authenticate (String): url
-OAuth1Binding = function(consumerKey, consumerSecret, urls) {
-  this._consumerKey = consumerKey;
-  this._secret = consumerSecret;
+OAuth1Binding = function(config, urls) {
+  this._config = config;
   this._urls = urls;
 };
 
@@ -27,15 +27,26 @@ OAuth1Binding.prototype.prepareRequestToken = function(callbackUrl) {
   var response = self._call('POST', self._urls.requestToken, headers);
   var tokens = querystring.parse(response.content);
 
-  // XXX should we also store oauth_token_secret here?
   if (!tokens.oauth_callback_confirmed)
-    throw new Error("oauth_callback_confirmed false when requesting oauth1 token", tokens);
+    throw new Error(
+      "oauth_callback_confirmed false when requesting oauth1 token", tokens);
+
   self.requestToken = tokens.oauth_token;
+  self.requestTokenSecret = tokens.oauth_token_secret;
 };
 
-OAuth1Binding.prototype.prepareAccessToken = function(query) {
+OAuth1Binding.prototype.prepareAccessToken = function(query, requestTokenSecret) {
   var self = this;
 
+  // support implementations that use request token secrets. This is
+  // read by self._call.
+  //
+  // XXX make it a param to call, not something stashed on self? It's
+  // kinda confusing right now, everything except this is passed as
+  // arguments, but this is stored.
+  if (requestTokenSecret)
+    self.accessTokenSecret = requestTokenSecret;
+
   var headers = self._buildHeader({
     oauth_token: query.oauth_token
   });
@@ -76,7 +87,7 @@ OAuth1Binding.prototype.post = function(url, params, callback) {
 OAuth1Binding.prototype._buildHeader = function(headers) {
   var self = this;
   return _.extend({
-    oauth_consumer_key: self._consumerKey,
+    oauth_consumer_key: self._config.consumerKey,
     oauth_nonce: Random.id().replace(/\W/g, ''),
     oauth_signature_method: 'HMAC-SHA1',
     oauth_timestamp: (new Date().valueOf()/1000).toFixed().toString(),
@@ -98,7 +109,7 @@ OAuth1Binding.prototype._getSignature = function(method, url, rawHeaders, access
     self._encodeString(parameters)
   ].join('&');
 
-  var signingKey = self._encodeString(self._secret) + '&';
+  var signingKey = self._encodeString(self._config.secret) + '&';
   if (accessTokenSecret)
     signingKey += self._encodeString(accessTokenSecret);
 
@@ -108,8 +119,14 @@ OAuth1Binding.prototype._getSignature = function(method, url, rawHeaders, access
 OAuth1Binding.prototype._call = function(method, url, headers, params, callback) {
   var self = this;
 
+  // all URLs to be functions to support parameters/customization
+  if(typeof url === "function") {
+    url = url(self);
+  }
+
   // Get the signature
-  headers.oauth_signature = self._getSignature(method, url, headers, self.accessTokenSecret, params);
+  headers.oauth_signature =
+    self._getSignature(method, url, headers, self.accessTokenSecret, params);
 
   // Make a authorization string according to oauth1 spec
   var authString = self._getAuthHeaderString(headers);
diff --git a/packages/oauth1/oauth1_server.js b/packages/oauth1/oauth1_server.js
index 2e2a530020f..6a61fbd6c71 100644
--- a/packages/oauth1/oauth1_server.js
+++ b/packages/oauth1/oauth1_server.js
@@ -12,8 +12,7 @@ Oauth._requestHandlers['1'] = function (service, query, res) {
   }
 
   var urls = service.urls;
-  var oauthBinding = new OAuth1Binding(
-    config.consumerKey, config.secret, urls);
+  var oauthBinding = new OAuth1Binding(config, urls);
 
   if (query.requestTokenAndRedirect) {
     // step 1 - get and store a request token
@@ -22,10 +21,20 @@ Oauth._requestHandlers['1'] = function (service, query, res) {
     oauthBinding.prepareRequestToken(query.requestTokenAndRedirect);
 
     // Keep track of request token so we can verify it on the next step
-    requestTokens[query.state] = oauthBinding.requestToken;
+    requestTokens[query.state] = {
+      requestToken: oauthBinding.requestToken, 
+      requestTokenSecret: oauthBinding.requestTokenSecret
+    };
+
+    // support for scope/name parameters
+    var redirectUrl = undefined;
+    if(typeof urls.authenticate === "function") {
+      redirectUrl = urls.authenticate(oauthBinding);
+    } else {
+      redirectUrl = urls.authenticate + '?oauth_token=' + oauthBinding.requestToken;
+    }
 
     // redirect to provider login, which will redirect back to "step 2" below
-    var redirectUrl = urls.authenticate + '?oauth_token=' + oauthBinding.requestToken;
     res.writeHead(302, {'Location': redirectUrl});
     res.end();
   } else {
@@ -34,7 +43,8 @@ Oauth._requestHandlers['1'] = function (service, query, res) {
     // token and access token secret and log in as user
 
     // Get the user's request token so we can verify it and clear it
-    var requestToken = requestTokens[query.state];
+    var requestToken = requestTokens[query.state].requestToken;
+    var requestTokenSecret = requestTokens[query.state].requestTokenSecret;
     delete requestTokens[query.state];
 
     // Verify user authorized access and the oauth_token matches
@@ -45,17 +55,17 @@ Oauth._requestHandlers['1'] = function (service, query, res) {
       // subsequent call to the `login` method will be immediate.
 
       // Get the access token for signing requests
-      oauthBinding.prepareAccessToken(query);
+      oauthBinding.prepareAccessToken(query, requestTokenSecret);
 
       // Run service-specific handler.
       var oauthResult = service.handleOauthRequest(oauthBinding);
 
       // Add the login result to the result map
       Oauth._loginResultForCredentialToken[query.state] = {
-          serviceName: service.serviceName,
-          serviceData: oauthResult.serviceData,
-          options: oauthResult.options
-        };
+        serviceName: service.serviceName,
+        serviceData: oauthResult.serviceData,
+        options: oauthResult.options
+      };
     }
 
     // Either close the window, redirect, or render nothing
diff --git a/packages/oauth1/oauth1_tests.js b/packages/oauth1/oauth1_tests.js
index d7eb0e19797..272e0cb123e 100644
--- a/packages/oauth1/oauth1_tests.js
+++ b/packages/oauth1/oauth1_tests.js
@@ -40,7 +40,9 @@ Tinytest.add("oauth1 - loginResultForCredentialToken is stored", function (test)
     });
 
     // simulate logging in using twitterfoo
-    OAuth1Test.requestTokens[credentialToken] = twitterfooAccessToken;
+    OAuth1Test.requestTokens[credentialToken] = {
+      requestToken: twitterfooAccessToken
+    };
 
     var req = {
       method: "POST",
diff --git a/packages/random/random.js b/packages/random/random.js
index 5faddb9d4c5..59e94683e83 100644
--- a/packages/random/random.js
+++ b/packages/random/random.js
@@ -1,3 +1,15 @@
+// We use cryptographically strong PRNGs (crypto.getRandomBytes() on the server,
+// window.crypto.getRandomValues() in the browser) when available. If these
+// PRNGs fail, we fall back to the Alea PRNG, which is not cryptographically
+// strong, and we seed it with various sources such as the date, Math.random,
+// and window size on the client.  When using crypto.getRandomValues(), our
+// primitive is hexString(), from which we construct fraction(). When using
+// window.crypto.getRandomValues() or alea, the primitive is fraction and we use
+// that to construct hex string.
+
+if (Meteor.isServer)
+  var nodeCrypto = Npm.require('crypto');
+
 // see http://baagoe.org/en/wiki/Better_random_numbers_for_javascript
 // for a full discussion and Alea implementation.
 var Alea = function () {
@@ -75,52 +87,79 @@ var Alea = function () {
 
 var UNMISTAKABLE_CHARS = "23456789ABCDEFGHJKLMNPQRSTWXYZabcdefghijkmnopqrstuvwxyz";
 
-var create = function (/* arguments */) {
-
-  var random = Alea.apply(null, arguments);
-
-  var self = {};
-
-  var bind = function (fn) {
-    return _.bind(fn, self);
-  };
-
-  return _.extend(self, {
-    _Alea: Alea,
-
-    create: create,
+// If seeds are provided, then the alea PRNG will be used, since cryptographic
+// PRNGs (Node crypto and window.crypto.getRandomValues) don't allow us to
+// specify seeds. The caller is responsible for making sure to provide a seed
+// for alea if a csprng is not available.
+var RandomGenerator = function (seedArray) {
+  var self = this;
+  if (seedArray !== undefined)
+    self.alea = Alea.apply(null, seedArray);
+  self._Alea = Alea;
+};
 
-    fraction: random,
+RandomGenerator.prototype.fraction = function () {
+  var self = this;
+  if (self.alea) {
+    return self.alea();
+  } else if (nodeCrypto) {
+    var numerator = parseInt(self.hexString(8), 16);
+    return numerator * 2.3283064365386963e-10; // 2^-32
+  } else if (typeof window !== "undefined" && window.crypto &&
+             window.crypto.getRandomValues) {
+    var array = new Uint32Array(1);
+    window.crypto.getRandomValues(array);
+    return array[0] * 2.3283064365386963e-10; // 2^-32
+  }
+};
 
-    choice: bind(function (arrayOrString) {
-      var index = Math.floor(this.fraction() * arrayOrString.length);
-      if (typeof arrayOrString === "string")
-        return arrayOrString.substr(index, 1);
-      else
-        return arrayOrString[index];
-    }),
+RandomGenerator.prototype.hexString = function (digits) {
+  var self = this;
+  if (nodeCrypto && ! self.alea) {
+    var numBytes = Math.ceil(digits / 2);
+    var bytes;
+    // Try to get cryptographically strong randomness. Fall back to
+    // non-cryptographically strong if not available.
+    try {
+      bytes = nodeCrypto.randomBytes(numBytes);
+    } catch (e) {
+      // XXX should re-throw any error except insufficient entropy
+      bytes = nodeCrypto.pseudoRandomBytes(numBytes);
+    }
+    var result = bytes.toString("hex");
+    // If the number of digits is odd, we'll have generated an extra 4 bits
+    // of randomness, so we need to trim the last digit.
+    return result.substring(0, digits);
+  } else {
+    var hexDigits = [];
+    for (var i = 0; i < digits; ++i) {
+      hexDigits.push(self.choice("0123456789abcdef"));
+    }
+    return hexDigits.join('');
+  }
+};
 
-    id: bind(function() {
-      var digits = [];
-      // Length of 17 preserves around 96 bits of entropy, which is the
-      // amount of state in our PRNG
-      for (var i = 0; i < 17; i++) {
-        digits[i] = this.choice(UNMISTAKABLE_CHARS);
-      }
-      return digits.join("");
-    }),
+RandomGenerator.prototype.id = function () {
+  var digits = [];
+  var self = this;
+  // Length of 17 preserves around 96 bits of entropy, which is the
+  // amount of state in the Alea PRNG.
+  for (var i = 0; i < 17; i++) {
+    digits[i] = self.choice(UNMISTAKABLE_CHARS);
+  }
+  return digits.join("");
+};
 
-    hexString: bind(function (digits) {
-      var hexDigits = [];
-      for (var i = 0; i < digits; ++i) {
-        hexDigits.push(this.choice("0123456789abcdef"));
-      }
-      return hexDigits.join('');
-    })
-  });
+RandomGenerator.prototype.choice = function (arrayOrString) {
+  var index = Math.floor(this.fraction() * arrayOrString.length);
+  if (typeof arrayOrString === "string")
+    return arrayOrString.substr(index, 1);
+  else
+    return arrayOrString[index];
 };
 
-// instantiate RNG.  Heuristically collect entropy from various sources
+// instantiate RNG.  Heuristically collect entropy from various sources when a
+// cryptographic PRNG isn't available.
 
 // client sources
 var height = (typeof window !== 'undefined' && window.innerHeight) ||
@@ -143,12 +182,13 @@ var width = (typeof window !== 'undefined' && window.innerWidth) ||
 
 var agent = (typeof navigator !== 'undefined' && navigator.userAgent) || "";
 
-// server sources
-var pid = (typeof process !== 'undefined' && process.pid) || 1;
+if (nodeCrypto ||
+    (typeof window !== "undefined" &&
+     window.crypto && window.crypto.getRandomValues))
+  Random = new RandomGenerator();
+else
+  Random = new RandomGenerator([new Date(), height, width, agent, Math.random()]);
 
-// XXX On the server, use the crypto module (OpenSSL) instead of this PRNG.
-//     (Make Random.fraction be generated from Random.hexString instead of the
-//     other way around, and generate Random.hexString from crypto.randomBytes.)
-Random = create([
-  new Date(), height, width, agent, pid, Math.random()
-]);
+Random.create = function () {
+  return new RandomGenerator(arguments);
+};
diff --git a/packages/random/random_tests.js b/packages/random/random_tests.js
index 52e5b852e53..940afbb6402 100644
--- a/packages/random/random_tests.js
+++ b/packages/random/random_tests.js
@@ -13,3 +13,17 @@ Tinytest.add('random', function (test) {
   test.equal(random.id(), "shxDnjWWmnKPEoLhM");
   test.equal(random.id(), "6QTjB8C5SEqhmz4ni");
 });
+
+// node crypto and window.crypto.getRandomValues() don't let us specify a seed,
+// but at least test that the output is in the right format.
+Tinytest.add('random - format', function (test) {
+  var idLen = 17;
+  test.equal(Random.id().length, idLen);
+  var numDigits = 9;
+  var hexStr = Random.hexString(numDigits);
+  test.equal(hexStr.length, numDigits);
+  parseInt(hexStr, 16); // should not throw
+  var frac = Random.fraction();
+  test.isTrue(frac < 1.0);
+  test.isTrue(frac >= 0.0);
+});
diff --git a/packages/reload/reload.js b/packages/reload/reload.js
index 2c2f412e7e5..6aae7f191b9 100644
--- a/packages/reload/reload.js
+++ b/packages/reload/reload.js
@@ -26,6 +26,11 @@
  * the client's session to render properly.
  */
 
+// XXX when making this API public, also expose a flag for the app
+// developer to know whether a hot code push is happening. This is
+// useful for apps using `window.onbeforeunload`. See
+// https://github.com/meteor/meteor/pull/657
+
 var KEY_NAME = 'Meteor_Reload';
 // after how long should we consider this no longer an automatic
 // reload, but a fresh restart. This only happens if a reload is
diff --git a/packages/spark/spark_tests.js b/packages/spark/spark_tests.js
index cab0f7ea945..e543ade932a 100644
--- a/packages/spark/spark_tests.js
+++ b/packages/spark/spark_tests.js
@@ -1876,7 +1876,7 @@ Tinytest.add("spark - leaderboard, " + idGeneration, function(test) {
   }));
   var idGen;
   if (idGeneration === 'STRING')
-    idGen = Random.id;
+    idGen = _.bind(Random.id, Random);
   else
     idGen = function () { return new LocalCollection._ObjectID(); };
 
diff --git a/packages/spiderable/package.js b/packages/spiderable/package.js
index 431cc5c77e7..6189ea02898 100644
--- a/packages/spiderable/package.js
+++ b/packages/spiderable/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: "Makes the application crawlable to web spiders."
+  summary: "Makes the application crawlable to web spiders"
 });
 
 Package.on_use(function (api) {
diff --git a/packages/star-translate/package.js b/packages/star-translate/package.js
index 35f71360dc5..d13db65e60a 100644
--- a/packages/star-translate/package.js
+++ b/packages/star-translate/package.js
@@ -1,5 +1,6 @@
 Package.describe({
-  summary: "A package for translating old bundles into stars"
+  summary: "A package for translating old bundles into stars",
+  internal: true
 });
 
 Package.on_use(function (api) {
diff --git a/packages/stylus/package.js b/packages/stylus/package.js
index 1638e266a02..442639ce94a 100644
--- a/packages/stylus/package.js
+++ b/packages/stylus/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: 'Expressive, dynamic, robust CSS.'
+  summary: 'Expressive, dynamic, robust CSS'
 });
 
 Package._transitional_registerBuildPlugin({
diff --git a/packages/test-helpers/seeded_random.js b/packages/test-helpers/seeded_random.js
index 0094a202584..171a9704868 100644
--- a/packages/test-helpers/seeded_random.js
+++ b/packages/test-helpers/seeded_random.js
@@ -3,7 +3,7 @@ SeededRandom = function(seed) { // seed may be a string or any type
     return new SeededRandom(seed);
 
   seed = seed || "seed";
-  this.gen = new Random._Alea(seed); // from random.js
+  this.gen = Random.create(seed)._Alea; // from random.js
 };
 SeededRandom.prototype.next = function() {
   return this.gen();
diff --git a/packages/underscore/underscore.js b/packages/underscore/underscore.js
index 7d4ee27c7d8..b50115df5c1 100644
--- a/packages/underscore/underscore.js
+++ b/packages/underscore/underscore.js
@@ -1,4 +1,4 @@
-//     Underscore.js 1.5.1
+//     Underscore.js 1.5.2
 //     http://underscorejs.org
 //     (c) 2009-2013 Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
 //     Underscore may be freely distributed under the MIT license.
@@ -8,7 +8,7 @@
   // Baseline setup
   // --------------
 
-  // Establish the root object, `window` in the browser, or `global` on the server.
+  // Establish the root object, `window` in the browser, or `exports` on the server.
   var root = this;
 
   // Save the previous value of the `_` variable.
@@ -65,7 +65,7 @@
   }
 
   // Current version.
-  _.VERSION = '1.5.1';
+  _.VERSION = '1.5.2';
 
   // Collection Functions
   // --------------------
@@ -78,14 +78,13 @@
     if (nativeForEach && obj.forEach === nativeForEach) {
       obj.forEach(iterator, context);
     } else if (obj.length === +obj.length) {
-      for (var i = 0, l = obj.length; i < l; i++) {
+      for (var i = 0, length = obj.length; i < length; i++) {
         if (iterator.call(context, obj[i], i, obj) === breaker) return;
       }
     } else {
-      for (var key in obj) {
-        if (_.has(obj, key)) {
-          if (iterator.call(context, obj[key], key, obj) === breaker) return;
-        }
+      var keys = _.keys(obj);
+      for (var i = 0, length = keys.length; i < length; i++) {
+        if (iterator.call(context, obj[keys[i]], keys[i], obj) === breaker) return;
       }
     }
   };
@@ -284,7 +283,8 @@
     return result.value;
   };
 
-  // Shuffle an array.
+  // Shuffle an array, using the modern version of the 
+  // [Fisher-Yates shuffle](http://en.wikipedia.org/wiki/Fisher–Yates_shuffle).
   _.shuffle = function(obj) {
     var rand;
     var index = 0;
@@ -297,6 +297,16 @@
     return shuffled;
   };
 
+  // Sample **n** random values from an array.
+  // If **n** is not specified, returns a single random element from the array.
+  // The internal `guard` argument allows it to work with `map`.
+  _.sample = function(obj, n, guard) {
+    if (arguments.length < 2 || guard) {
+      return obj[_.random(obj.length - 1)];
+    }
+    return _.shuffle(obj).slice(0, Math.max(0, n));
+  };
+
   // An internal function to generate lookup iterators.
   var lookupIterator = function(value) {
     return _.isFunction(value) ? value : function(obj){ return obj[value]; };
@@ -307,9 +317,9 @@
     var iterator = lookupIterator(value);
     return _.pluck(_.map(obj, function(value, index, list) {
       return {
-        value : value,
-        index : index,
-        criteria : iterator.call(context, value, index, list)
+        value: value,
+        index: index,
+        criteria: iterator.call(context, value, index, list)
       };
     }).sort(function(left, right) {
       var a = left.criteria;
@@ -318,38 +328,41 @@
         if (a > b || a === void 0) return 1;
         if (a < b || b === void 0) return -1;
       }
-      return left.index < right.index ? -1 : 1;
+      return left.index - right.index;
     }), 'value');
   };
 
   // An internal function used for aggregate "group by" operations.
-  var group = function(obj, value, context, behavior) {
-    var result = {};
-    var iterator = lookupIterator(value == null ? _.identity : value);
-    each(obj, function(value, index) {
-      var key = iterator.call(context, value, index, obj);
-      behavior(result, key, value);
-    });
-    return result;
+  var group = function(behavior) {
+    return function(obj, value, context) {
+      var result = {};
+      var iterator = value == null ? _.identity : lookupIterator(value);
+      each(obj, function(value, index) {
+        var key = iterator.call(context, value, index, obj);
+        behavior(result, key, value);
+      });
+      return result;
+    };
   };
 
   // Groups the object's values by a criterion. Pass either a string attribute
   // to group by, or a function that returns the criterion.
-  _.groupBy = function(obj, value, context) {
-    return group(obj, value, context, function(result, key, value) {
-      (_.has(result, key) ? result[key] : (result[key] = [])).push(value);
-    });
-  };
+  _.groupBy = group(function(result, key, value) {
+    (_.has(result, key) ? result[key] : (result[key] = [])).push(value);
+  });
+
+  // Indexes the object's values by a criterion, similar to `groupBy`, but for
+  // when you know that your index values will be unique.
+  _.indexBy = group(function(result, key, value) {
+    result[key] = value;
+  });
 
   // Counts instances of an object that group by a certain criterion. Pass
   // either a string attribute to count by, or a function that returns the
   // criterion.
-  _.countBy = function(obj, value, context) {
-    return group(obj, value, context, function(result, key) {
-      if (!_.has(result, key)) result[key] = 0;
-      result[key]++;
-    });
-  };
+  _.countBy = group(function(result, key) {
+    _.has(result, key) ? result[key]++ : result[key] = 1;
+  });
 
   // Use a comparator function to figure out the smallest index at which
   // an object should be inserted so as to maintain order. Uses binary search.
@@ -386,7 +399,7 @@
   // allows it to work with `_.map`.
   _.first = _.head = _.take = function(array, n, guard) {
     if (array == null) return void 0;
-    return (n != null) && !guard ? slice.call(array, 0, n) : array[0];
+    return (n == null) || guard ? array[0] : slice.call(array, 0, n);
   };
 
   // Returns everything but the last entry of the array. Especially useful on
@@ -401,10 +414,10 @@
   // values in the array. The **guard** check allows it to work with `_.map`.
   _.last = function(array, n, guard) {
     if (array == null) return void 0;
-    if ((n != null) && !guard) {
-      return slice.call(array, Math.max(array.length - n, 0));
-    } else {
+    if ((n == null) || guard) {
       return array[array.length - 1];
+    } else {
+      return slice.call(array, Math.max(array.length - n, 0));
     }
   };
 
@@ -436,7 +449,7 @@
     return output;
   };
 
-  // Return a completely flattened version of an array.
+  // Flatten out an array, either recursively (by default), or just one level.
   _.flatten = function(array, shallow) {
     return flatten(array, shallow, []);
   };
@@ -508,7 +521,7 @@
   _.object = function(list, values) {
     if (list == null) return {};
     var result = {};
-    for (var i = 0, l = list.length; i < l; i++) {
+    for (var i = 0, length = list.length; i < length; i++) {
       if (values) {
         result[list[i]] = values[i];
       } else {
@@ -526,17 +539,17 @@
   // for **isSorted** to use binary search.
   _.indexOf = function(array, item, isSorted) {
     if (array == null) return -1;
-    var i = 0, l = array.length;
+    var i = 0, length = array.length;
     if (isSorted) {
       if (typeof isSorted == 'number') {
-        i = (isSorted < 0 ? Math.max(0, l + isSorted) : isSorted);
+        i = (isSorted < 0 ? Math.max(0, length + isSorted) : isSorted);
       } else {
         i = _.sortedIndex(array, item);
         return array[i] === item ? i : -1;
       }
     }
     if (nativeIndexOf && array.indexOf === nativeIndexOf) return array.indexOf(item, isSorted);
-    for (; i < l; i++) if (array[i] === item) return i;
+    for (; i < length; i++) if (array[i] === item) return i;
     return -1;
   };
 
@@ -562,11 +575,11 @@
     }
     step = arguments[2] || 1;
 
-    var len = Math.max(Math.ceil((stop - start) / step), 0);
+    var length = Math.max(Math.ceil((stop - start) / step), 0);
     var idx = 0;
-    var range = new Array(len);
+    var range = new Array(length);
 
-    while(idx < len) {
+    while(idx < length) {
       range[idx++] = start;
       start += step;
     }
@@ -678,17 +691,24 @@
   // N milliseconds. If `immediate` is passed, trigger the function on the
   // leading edge, instead of the trailing.
   _.debounce = function(func, wait, immediate) {
-    var result;
-    var timeout = null;
+    var timeout, args, context, timestamp, result;
     return function() {
-      var context = this, args = arguments;
+      context = this;
+      args = arguments;
+      timestamp = new Date();
       var later = function() {
-        timeout = null;
-        if (!immediate) result = func.apply(context, args);
+        var last = (new Date()) - timestamp;
+        if (last < wait) {
+          timeout = setTimeout(later, wait - last);
+        } else {
+          timeout = null;
+          if (!immediate) result = func.apply(context, args);
+        }
       };
       var callNow = immediate && !timeout;
-      clearTimeout(timeout);
-      timeout = setTimeout(later, wait);
+      if (!timeout) {
+        timeout = setTimeout(later, wait);
+      }
       if (callNow) result = func.apply(context, args);
       return result;
     };
@@ -754,22 +774,33 @@
 
   // Retrieve the values of an object's properties.
   _.values = function(obj) {
-    var values = [];
-    for (var key in obj) if (_.has(obj, key)) values.push(obj[key]);
+    var keys = _.keys(obj);
+    var length = keys.length;
+    var values = new Array(length);
+    for (var i = 0; i < length; i++) {
+      values[i] = obj[keys[i]];
+    }
     return values;
   };
 
   // Convert an object into a list of `[key, value]` pairs.
   _.pairs = function(obj) {
-    var pairs = [];
-    for (var key in obj) if (_.has(obj, key)) pairs.push([key, obj[key]]);
+    var keys = _.keys(obj);
+    var length = keys.length;
+    var pairs = new Array(length);
+    for (var i = 0; i < length; i++) {
+      pairs[i] = [keys[i], obj[keys[i]]];
+    }
     return pairs;
   };
 
   // Invert the keys and values of an object. The values must be serializable.
   _.invert = function(obj) {
     var result = {};
-    for (var key in obj) if (_.has(obj, key)) result[obj[key]] = key;
+    var keys = _.keys(obj);
+    for (var i = 0, length = keys.length; i < length; i++) {
+      result[obj[keys[i]]] = keys[i];
+    }
     return result;
   };
 
@@ -1053,8 +1084,7 @@
       '<': '&lt;',
       '>': '&gt;',
       '"': '&quot;',
-      "'": '&#x27;',
-      '/': '&#x2F;'
+      "'": '&#x27;'
     }
   };
   entityMap.unescape = _.invert(entityMap.escape);
@@ -1085,7 +1115,7 @@
 
   // Add your own custom functions to the Underscore object.
   _.mixin = function(obj) {
-    each(_.functions(obj), function(name){
+    each(_.functions(obj), function(name) {
       var func = _[name] = obj[name];
       _.prototype[name] = function() {
         var args = [this._wrapped];
diff --git a/packages/webapp/.npm/package/npm-shrinkwrap.json b/packages/webapp/.npm/package/npm-shrinkwrap.json
index 0283b4caca2..1cd8fc28afb 100644
--- a/packages/webapp/.npm/package/npm-shrinkwrap.json
+++ b/packages/webapp/.npm/package/npm-shrinkwrap.json
@@ -1,14 +1,11 @@
 {
   "dependencies": {
     "connect": {
-      "version": "2.7.10",
+      "version": "2.9.0",
       "dependencies": {
         "qs": {
           "version": "0.6.5"
         },
-        "formidable": {
-          "version": "1.0.14"
-        },
         "cookie-signature": {
           "version": "1.0.1"
         },
@@ -16,33 +13,61 @@
           "version": "0.2.1"
         },
         "cookie": {
-          "version": "0.0.5"
+          "version": "0.1.0"
+        },
+        "send": {
+          "version": "0.1.4",
+          "dependencies": {
+            "mime": {
+              "version": "1.2.11"
+            },
+            "range-parser": {
+              "version": "0.0.4"
+            }
+          }
         },
         "bytes": {
           "version": "0.2.0"
         },
         "fresh": {
-          "version": "0.1.0"
+          "version": "0.2.0"
         },
         "pause": {
           "version": "0.0.1"
         },
+        "uid2": {
+          "version": "0.0.2"
+        },
         "debug": {
           "version": "0.7.2"
+        },
+        "methods": {
+          "version": "0.0.1"
+        },
+        "multiparty": {
+          "version": "2.1.8",
+          "dependencies": {
+            "readable-stream": {
+              "version": "1.0.17"
+            },
+            "stream-counter": {
+              "version": "0.1.0"
+            }
+          }
         }
       }
     },
     "send": {
-      "version": "0.1.0",
+      "version": "0.1.4",
       "dependencies": {
         "debug": {
           "version": "0.7.2"
         },
         "mime": {
-          "version": "1.2.6"
+          "version": "1.2.11"
         },
         "fresh": {
-          "version": "0.1.0"
+          "version": "0.2.0"
         },
         "range-parser": {
           "version": "0.0.4"
@@ -50,7 +75,12 @@
       }
     },
     "useragent": {
-      "version": "2.0.1"
+      "version": "2.0.7",
+      "dependencies": {
+        "lru-cache": {
+          "version": "2.2.4"
+        }
+      }
     }
   }
 }
diff --git a/packages/webapp/package.js b/packages/webapp/package.js
index 0f89553822c..64df6f0886a 100644
--- a/packages/webapp/package.js
+++ b/packages/webapp/package.js
@@ -3,15 +3,20 @@ Package.describe({
   internal: true
 });
 
-Npm.depends({connect: "2.7.10",
-             send: "0.1.0",
-             useragent: "2.0.1"});
+Npm.depends({connect: "2.9.0",
+             send: "0.1.4",
+             useragent: "2.0.7"});
 
 Package.on_use(function (api) {
   api.use(['logging', 'underscore', 'routepolicy'], 'server');
   api.use(['application-configuration'], {
     unordered: true
   });
+  // At response serving time, webapp uses browser-policy if it is loaded. If
+  // browser-policy is loaded, then it must be loaded after webapp
+  // (browser-policy depends on webapp). So we don't explicitly depend in any
+  // way on browser-policy here, but we use it when it is loaded, and it can be
+  // loaded after webapp.
   api.export(['WebApp', 'main', 'WebAppInternals'], 'server');
   api.add_files('webapp_server.js', 'server');
 });
diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index af716d5d3a6..2e72e366ed0 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -147,7 +147,6 @@ var appUrl = function (url) {
   return true;
 };
 
-
 var runWebAppServer = function () {
   // read the control for the client we'll be serving up
   var clientJsonPath = path.join(__meteor_bootstrap__.serverDir,
@@ -231,6 +230,16 @@ var runWebAppServer = function () {
       next();
       return;
     }
+
+    if (pathname === "/meteor_runtime_config.js" &&
+        ! WebAppInternals.inlineScriptsAllowed()) {
+      res.writeHead(200, { 'Content-type': 'application/javascript' });
+      res.write("__meteor_runtime_config__ = " +
+                JSON.stringify(__meteor_runtime_config__) + ";");
+      res.end();
+      return;
+    }
+
     if (!_.has(staticFiles, pathname)) {
       next();
       return;
@@ -387,15 +396,24 @@ var runWebAppServer = function () {
     argv = optimist(argv).boolean('keepalive').argv;
 
     var boilerplateHtmlPath = path.join(clientDir, clientJson.page);
-    boilerplateHtml =
-      fs.readFileSync(boilerplateHtmlPath, 'utf8')
-      .replace(
-        "// ##RUNTIME_CONFIG##",
-        "__meteor_runtime_config__ = " +
-          JSON.stringify(__meteor_runtime_config__) + ";")
-      .replace(
-          /##ROOT_URL_PATH_PREFIX##/g,
-        __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || "");
+    boilerplateHtml = fs.readFileSync(boilerplateHtmlPath, 'utf8');
+
+    // Include __meteor_runtime_config__ in the app html, as an inline script if
+    // it's not forbidden by CSP.
+    if (WebAppInternals.inlineScriptsAllowed()) {
+      boilerplateHtml = boilerplateHtml.replace(
+          /##RUNTIME_CONFIG##/,
+        "<script type='text/javascript'>__meteor_runtime_config__ = " +
+          JSON.stringify(__meteor_runtime_config__) + ";</script>");
+    } else {
+      boilerplateHtml = boilerplateHtml.replace(
+        /##RUNTIME_CONFIG##/,
+        "<script type='text/javascript' src='##ROOT_URL_PATH_PREFIX##/meteor_runtime_config.js'></script>"
+      );
+    }
+    boilerplateHtml = boilerplateHtml.replace(
+        /##ROOT_URL_PATH_PREFIX##/g,
+      __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || "");
 
     // only start listening after all the startup code has run.
     var localPort = parseInt(process.env.PORT) || 0;
@@ -548,3 +566,14 @@ WebAppInternals.bindToProxy = function (proxyConfig) {
 };
 
 runWebAppServer();
+
+
+var inlineScriptsAllowed = true;
+
+WebAppInternals.inlineScriptsAllowed = function () {
+  return inlineScriptsAllowed;
+};
+
+WebAppInternals.setInlineScriptsAllowed = function (value) {
+  inlineScriptsAllowed = value;
+};
diff --git a/scripts/admin/banner.txt b/scripts/admin/banner.txt
index 3f4a24094b0..d80bda39c54 100644
--- a/scripts/admin/banner.txt
+++ b/scripts/admin/banner.txt
@@ -1,5 +1,4 @@
-=> Meteor 0.6.5.1: a few bugfixes, including fixes for lines ending with
-   backslashes, filenames with spaces, and tab characters in d3.
+=> Meteor 0.6.6.1: Fix file watching on OSX (work around Node issue #6251)
 
    This is being downloaded in the background. Update your project
-   to Meteor 0.6.5.1 by running 'meteor update'.
+   to Meteor 0.6.6.1 by running 'meteor update'.
diff --git a/scripts/admin/bless-release.js b/scripts/admin/bless-release.js
index f6f1e1d0239..9fdc16e5573 100644
--- a/scripts/admin/bless-release.js
+++ b/scripts/admin/bless-release.js
@@ -25,6 +25,7 @@ var Future = require('fibers/future');
 var _ = require('underscore');
 
 var files = require('../../tools/files.js');
+var httpHelpers = require('../../tools/http-helpers.js');
 var warehouse = require('../../tools/warehouse.js');
 
 var PLATFORMS = [
@@ -56,8 +57,8 @@ var execFileSync = function (binary, args) {
 };
 
 var getWarehouseFile = function (path, json) {
-  return files.getUrl({
-    url: "https://s3.amazonaws.com/com.meteor.warehouse/" + path,
+  return httpHelpers.getUrl({
+    url: "https://s3.amazonaws.com/meteor-warehouse/" + path,
     json: json
   });
 };
@@ -172,12 +173,12 @@ var writeGlobalManifest = function (blessedReleaseName, banner) {
 var writeBigRedButton = function (blessedReleaseName, gitTagSourceSha, gitTag) {
   var s3Files = _.map(PLATFORMS, function (platform) {
     return [bootstrapTarballFilename(platform),
-            'com.meteor.warehouse/bootstrap/' + blessedReleaseName];
+            'meteor-warehouse/bootstrap/' + blessedReleaseName];
   });
   s3Files.push([blessedReleaseName + '.notices.json',
-                'com.meteor.warehouse/releases']);
+                'meteor-warehouse/releases']);
   s3Files.push([blessedReleaseName + '.release.json',
-                'com.meteor.warehouse/releases']);
+                'meteor-warehouse/releases']);
   s3Files.push(['manifest.json', 'com.meteor.static/update']);
   var scriptText =
         "#!/bin/bash\n" +
diff --git a/scripts/admin/notices.json b/scripts/admin/notices.json
index 176e5eb6060..a575ed522e0 100644
--- a/scripts/admin/notices.json
+++ b/scripts/admin/notices.json
@@ -54,6 +54,12 @@
   {
     "release": "0.6.5.1"
   },
+  {
+    "release": "0.6.6"
+  },
+  {
+    "release": "0.6.6.1"
+  },
   {
     "release": "NEXT"
   }
diff --git a/scripts/admin/publish-release/server/publish-release.js b/scripts/admin/publish-release/server/publish-release.js
index d4db8cbdfaa..19b8c8abf50 100644
--- a/scripts/admin/publish-release/server/publish-release.js
+++ b/scripts/admin/publish-release/server/publish-release.js
@@ -4,6 +4,8 @@ var Fiber = Npm.require("fibers");
 var Future = Npm.require("fibers/future");
 var child_process = Npm.require("child_process");
 
+var WAREHOUSE_BUCKET = "meteor-warehouse";
+
 var die = function (msg) {
   console.error(msg);
   process.exit(1);
@@ -73,7 +75,7 @@ var getManifest = function(s3, gitSha) {
     s3, ["unpublished", gitSha, "release.json-"].join("/"));
   var manifests = _.map(manifestMetas, function (meta) {
     return s3.GetObject({
-      BucketName: "com.meteor.warehouse",
+      BucketName: WAREHOUSE_BUCKET,
       ObjectName: meta.Key
     }).Body;
   });
@@ -89,7 +91,7 @@ var getManifest = function(s3, gitSha) {
 // are there any files with this prefix?
 var anyWithPrefix = function(s3, prefix) {
   var files = s3.ListObjects({
-    BucketName: "com.meteor.warehouse",
+    BucketName: WAREHOUSE_BUCKET,
     Prefix: prefix
   });
   return !_.isEmpty(files.Body.ListBucketResult.Contents);
@@ -97,7 +99,7 @@ var anyWithPrefix = function(s3, prefix) {
 
 var list3FilesWithPrefix = function (s3, prefix) {
   var artifacts = s3.ListObjects({
-    BucketName: "com.meteor.warehouse",
+    BucketName: WAREHOUSE_BUCKET,
     Prefix: prefix
   }).Body.ListBucketResult.Contents;
 
@@ -117,9 +119,9 @@ var copy3FilesWithPrefix = function (s3, prefix, destDir) {
     var destKey = [destDir, filename].join("/");
 
     var opts = {
-      BucketName: "com.meteor.warehouse",
+      BucketName: WAREHOUSE_BUCKET,
       ObjectName: destKey,
-      SourceBucket: "com.meteor.warehouse",
+      SourceBucket: WAREHOUSE_BUCKET,
       SourceObject: sourceKey,
       Acl: "public-read"
     };
@@ -128,8 +130,8 @@ var copy3FilesWithPrefix = function (s3, prefix, destDir) {
 };
 
 // publish a given tools, copying multiple files from
-// s3://com.meteor.warehouse/unpublished/GITSHA/ to
-// s3://com.meteor.warehouse/tools/VERSION/
+// s3://meteor-warehouse/unpublished/GITSHA/ to
+// s3://meteor-warehouse/tools/VERSION/
 var publishTools = function(s3, gitSha, version) {
   var destDir = ["tools", version].join("/");
 
@@ -147,8 +149,8 @@ var publishTools = function(s3, gitSha, version) {
 };
 
 // publish a given package, copying from
-// s3://com.meteor.warehouse/unpublished/GITSHA/NAME-VERSION-{PLATFORM}.tar.gz to
-// s3://com.meteor.warehouse/packages/NAME-VERSION-{PLATFORM}.tar.gz
+// s3://meteor-warehouse/unpublished/GITSHA/NAME-VERSION-{PLATFORM}.tar.gz to
+// s3://meteor-warehouse/packages/NAME-VERSION-{PLATFORM}.tar.gz
 var publishPackage = function(s3, gitSha, name, version) {
   var destDir = ["packages", name, version].join("/");
   var sourcePrefix = ["unpublished", gitSha,
@@ -166,7 +168,7 @@ var publishPackage = function(s3, gitSha, name, version) {
 };
 
 // publish the release manifest at
-// s3://com.meteor.warehouse/releases/RELEASE.release.json
+// s3://meteor-warehouse/releases/RELEASE.release.json
 var publishManifest = function(s3, manifestText, release) {
   var destKey = ["releases", release + ".release.json"].join("/");
 
@@ -180,7 +182,7 @@ var publishManifest = function(s3, manifestText, release) {
   }
 
   var opts = {
-    BucketName: "com.meteor.warehouse",
+    BucketName: WAREHOUSE_BUCKET,
     ObjectName: destKey,
     ContentLength: manifestText.length,
     Body: manifestText,
diff --git a/scripts/cli-test.sh b/scripts/cli-test.sh
index 9ca96016fb7..ee8ed9af060 100755
--- a/scripts/cli-test.sh
+++ b/scripts/cli-test.sh
@@ -124,7 +124,7 @@ tar tvzf foo.tar.gz >>$OUTPUT
 cd .. # we're now back to $DIR
 echo "... run"
 
-MONGOMARK='--bind_ip 127.0.0.1 --smallfiles --port 9102'
+MONGOMARK='--bind_ip 127.0.0.1 --smallfiles --nohttpinterface --port 9102'
 # kill any old test meteor
 # there is probably a better way to do this, but it is at least portable across macos and linux
 # (the || true is needed on linux, whose xargs will invoke kill even with no args)
diff --git a/scripts/generate-dev-bundle.sh b/scripts/generate-dev-bundle.sh
index 0091c5a388a..85b33fdff30 100755
--- a/scripts/generate-dev-bundle.sh
+++ b/scripts/generate-dev-bundle.sh
@@ -74,9 +74,9 @@ cd build
 git clone git://github.com/joyent/node.git
 cd node
 # When upgrading node versions, also update the values of MIN_NODE_VERSION at
-# the top of tools/meteor.js and tools/server/server.js, and the text in
+# the top of tools/meteor.js and tools/server/boot.js, and the text in
 # docs/client/concepts.html and the README in tools/bundler.js.
-git checkout v0.8.24
+git checkout v0.10.20
 
 ./configure --prefix="$DIR"
 make -j4
@@ -97,30 +97,29 @@ which npm
 # you update version numbers.
 
 cd "$DIR/lib/node_modules"
-npm install optimist@0.3.5
-npm install semver@1.1.0
+npm install optimist@0.6.0
+npm install semver@2.1.0
 npm install handlebars@1.0.7
-npm install request@2.12.0
-npm install keypress@0.1.0
-npm install http-proxy@0.10.1  # not 0.10.2, which contains a sketchy websocket change
-npm install underscore@1.5.1
-npm install fstream@0.1.21
-npm install tar@0.1.14
+npm install request@2.27.0
+npm install keypress@0.2.1
+npm install underscore@1.5.2
+npm install fstream@0.1.24
+npm install tar@0.1.18
 npm install kexec@0.1.1
 npm install shell-quote@0.0.1   # now at 1.3.3, which adds plenty of options to parse but doesn't change quote
-npm install byline@2.0.3  # v3 requires node 0.10
-npm install source-map@0.1.26
+npm install eachline@2.3.3
+npm install source-map@0.1.30
+npm install source-map-support@0.2.3
+
+# Using the unreleased "caronte" branch rewrite of http-proxy (which will become
+# 1.0.0), plus this PR:
+#   https://github.com/nodejitsu/node-http-proxy/pull/495
+npm install https://github.com/meteor/node-http-proxy/tarball/f17186f781c6f00b359d25df424ad74922cd1977
 
 # Using the unreleased 1.1 branch. We can probably switch to a built NPM version
 # when it gets released.
 npm install https://github.com/ariya/esprima/tarball/5044b87f94fb802d9609f1426c838874ec2007b3
 
-# Fork of node-source-map-support which allows us to specify our own
-# retrieveSourceMap function, and uses source-map 0.1.26.
-#   https://github.com/evanw/node-source-map-support/pull/18
-#   https://github.com/evanw/node-source-map-support/pull/17
-npm install https://github.com/meteor/node-source-map-support/tarball/980e444c8346bbe29992fd3086bab0456b8d8667
-
 # If you update the version of fibers in the dev bundle, also update the "npm
 # install" command in docs/client/concepts.html and in the README in
 # tools/bundler.js.
@@ -171,16 +170,15 @@ git checkout ssl-r$MONGO_VERSION
 
 # Compile
 
-MONGO_FLAGS="--ssl --release "
+MONGO_FLAGS="--ssl --release -j4 "
 MONGO_FLAGS+="--cpppath $DIR/build/openssl-out/include --libpath $DIR/build/openssl-out/lib "
 
 if [ "$MONGO_OS" == "osx" ]; then
     # NOTE: '--64' option breaks the compilation, even it is on by default on x64 mac: https://jira.mongodb.org/browse/SERVER-5575
-    MONGO_FLAGS+="-j4 "
     MONGO_FLAGS+="--openssl $DIR/build/openssl-out/lib "
     /usr/local/bin/scons $MONGO_FLAGS mongo mongod
 elif [ "$MONGO_OS" == "linux" ]; then
-    MONGO_FLAGS+="-j2 --no-glibc-check --prefix=./ "
+    MONGO_FLAGS+="--no-glibc-check --prefix=./ "
     if [ "$ARCH" == "x86_64" ]; then
       MONGO_FLAGS+="--64"
     fi
diff --git a/tools/app.html.in b/tools/app.html.in
index bf821f6054f..e2bc250d0f3 100644
--- a/tools/app.html.in
+++ b/tools/app.html.in
@@ -4,9 +4,7 @@
 {{#each stylesheets}}  <link rel="stylesheet" href="##ROOT_URL_PATH_PREFIX##{{this}}">
 {{/each}}
 
-<script type="text/javascript">
-// ##RUNTIME_CONFIG##
-</script>
+##RUNTIME_CONFIG##
 
 {{#each scripts}}  <script type="text/javascript" src="##ROOT_URL_PATH_PREFIX##{{this}}"></script>
 {{/each}}
diff --git a/tools/bundler.js b/tools/bundler.js
index 3216ef8c2b7..30b0459d5bc 100644
--- a/tools/bundler.js
+++ b/tools/bundler.js
@@ -1442,8 +1442,8 @@ var writeSiteArchive = function (targets, outputPath, options) {
 
       builder.write('README', { data: new Buffer(
 "This is a Meteor application bundle. It has only one dependency:\n" +
-"Node.js 0.8 (with the 'fibers' package). The current release of Meteor\n" +
-"has been tested with Node 0.8.24. To run the application:\n" +
+"Node.js 0.10 (with the 'fibers' package). The current release of Meteor\n" +
+"has been tested with Node 0.10.20. To run the application:\n" +
 "\n" +
 "  $ npm install fibers@1.0.1\n" +
 "  $ export MONGO_URL='mongodb://user:password@host:port/databasename'\n" +
diff --git a/tools/deploy-galaxy.js b/tools/deploy-galaxy.js
index 12efda1bb21..228fd616ece 100644
--- a/tools/deploy-galaxy.js
+++ b/tools/deploy-galaxy.js
@@ -5,7 +5,7 @@ var fs = require('fs');
 var unipackage = require('./unipackage.js');
 var fiberHelpers = require('./fiber-helpers.js');
 var Fiber = require('fibers');
-var request = require('request');
+var httpHelpers = require('./http-helpers.js');
 var _ = require('underscore');
 
 // a bit of a hack
@@ -90,7 +90,7 @@ exports.discoverGalaxy = function (app) {
 
   // At some point we may want to send a version in the request so that galaxy
   // can respond differently to different versions of meteor.
-  request({
+  httpHelpers.request({
     url: url,
     json: true,
     strictSSL: true,
@@ -210,7 +210,8 @@ exports.deploy = function (options) {
   var fileSize = fs.statSync(starball).size;
   var fileStream = fs.createReadStream(starball);
   var future = new Future;
-  var req = request.put({
+  var req = httpHelpers.request({
+    method: "PUT",
     url: info.put,
     headers: { 'content-length': fileSize,
                'content-type': 'application/octet-stream' },
diff --git a/tools/deploy.js b/tools/deploy.js
index 90e00d08114..ee2ff43a527 100644
--- a/tools/deploy.js
+++ b/tools/deploy.js
@@ -7,6 +7,7 @@
 var qs = require('querystring');
 var path = require('path');
 var files = require('./files.js');
+var httpHelpers = require('./http-helpers.js');
 var warehouse = require('./warehouse.js');
 var buildmessage = require('./buildmessage.js');
 var _ = require('underscore');
@@ -43,15 +44,16 @@ var meteor_rpc = function (rpc_name, method, site, query_params, callback) {
     url += '?' + qs.stringify(query_params);
   }
 
-  var request = require('request');
-  var r = request({method: method, url: url}, function (error, response, body) {
-    if (error || ((response.statusCode !== 200)
-                  && (response.statusCode !== 201)))
-      // pass some non-falsy error back to callback
-      callback(error || response.statusCode, body);
-    else
-      callback(null, body);
-  });
+  var r = httpHelpers.request(
+    {method: method, url: url},
+    function (error, response, body) {
+      if (error || ((response.statusCode !== 200)
+                    && (response.statusCode !== 201)))
+        // pass some non-falsy error back to callback
+        callback(error || response.statusCode, body);
+      else
+        callback(null, body);
+    });
 
   return r;
 };
@@ -291,7 +293,7 @@ var read_password = function (callback) {
   var keypress = require('keypress');
   keypress(process.stdin);
   process.stdin.on('keypress', inFiber(function(c, key){
-    if (key && 'enter' === key.name) {
+    if (key && (key.name === 'enter' || key.name === 'return')) {
       console.log();
       process.stdin.pause();
       process.stdin.removeAllListeners('keypress');
@@ -345,8 +347,7 @@ var with_password = function (site, callback) {
   // Future.throw. Basically, what Future.wrap does.
   callback = inFiber(callback);
 
-  var request = require('request');
-  request(check_url, function (error, response, body) {
+  httpHelpers.request(check_url, function (error, response, body) {
     if (error || response.statusCode !== 200) {
       callback();
 
diff --git a/tools/files.js b/tools/files.js
index 935051ad60e..e14b9a311c2 100644
--- a/tools/files.js
+++ b/tools/files.js
@@ -436,59 +436,6 @@ _.extend(exports, {
     future.wait();
   },
 
-  // A synchronous wrapper around request(...) that returns the response "body"
-  // or throws.
-  getUrl: function (urlOrOptions, callback) {
-    var future = new Future;
-    // can't just use Future.wrap, because we want to return "body", not
-    // "response".
-
-    urlOrOptions = _.clone(urlOrOptions); // we are going to change it
-    var appVersion;
-    try {
-      appVersion = getToolsVersion();
-    } catch(e) {
-      appVersion = 'checkout';
-    }
-
-    // meteorReleaseContext - an option with information about app directory
-    // release versions, etc, is used to get exact Meteor version used.
-    if (urlOrOptions.hasOwnProperty('meteorReleaseContext')) {
-      // Get meteor app release version: if specified in command line args, take
-      // releaseVersion, if not specified, try global meteor version
-      var meteorReleaseContext = urlOrOptions.meteorReleaseContext;
-      appVersion = meteorReleaseContext.releaseVersion;
-
-      if (appVersion === 'none')
-        appVersion = meteorReleaseContext.appReleaseVersion;
-      if (appVersion === 'none')
-        appVersion = 'checkout';
-
-      delete urlOrOptions.meteorReleaseContext;
-    }
-
-    // Get some kind of User Agent: environment information.
-    var ua = util.format('Meteor/%s OS/%s (%s; %s; %s;)',
-              appVersion, os.platform(), os.type(), os.release(), os.arch());
-
-    var headers = {'User-Agent': ua };
-
-    if (_.isObject(urlOrOptions))
-      urlOrOptions.headers = _.extend(headers, urlOrOptions.headers);
-    else
-      urlOrOptions = { url: urlOrOptions, headers: headers };
-
-    var request = require('request');
-    request(urlOrOptions, function (error, response, body) {
-      if (error)
-        future.throw(new files.OfflineError(error));
-      else if (response.statusCode >= 400 && response.statusCode < 600)
-        future.throw(response);
-      else
-        future.return(body);
-    });
-    return future.wait();
-  },
 
   // Use this if you'd like to replace a directory with another directory as
   // close to atomically as possible. It's better than recursively deleting the
diff --git a/tools/http-helpers.js b/tools/http-helpers.js
new file mode 100644
index 00000000000..68e8279a566
--- /dev/null
+++ b/tools/http-helpers.js
@@ -0,0 +1,95 @@
+///
+/// utility functions for dealing with urls and http
+///
+
+var os = require('os');
+var util = require('util');
+
+var _ = require('underscore');
+var request = require('request');
+var Future = require('fibers/future');
+
+var files = require('./files.js');
+
+
+var httpHelpers = exports;
+_.extend(exports, {
+
+  // A wrapper around request that sets http proxy.
+  request: function (urlOrOptions, callback) {
+
+    if (!_.isObject(urlOrOptions))
+      urlOrOptions = { url: urlOrOptions };
+
+    var url = urlOrOptions.url;
+
+    // try to get proxy from environment
+    var proxy = process.env.HTTP_PROXY || process.env.http_proxy || null;
+    // if we're going to an https url, try the https_proxy env variable first.
+    if (/^https/i.test(url)) {
+      proxy = process.env.HTTPS_PROXY || process.env.https_proxy || proxy;
+    }
+    if (proxy && !urlOrOptions.proxy) {
+      urlOrOptions.proxy = proxy;
+    }
+
+    return request(urlOrOptions, callback);
+  },
+
+
+
+  // A synchronous wrapper around request(...) that returns the response "body"
+  // or throws.
+  getUrl: function (urlOrOptions, callback) {
+    var future = new Future;
+    // can't just use Future.wrap, because we want to return "body", not
+    // "response".
+
+    urlOrOptions = _.clone(urlOrOptions); // we are going to change it
+    var appVersion;
+    try {
+      appVersion = files.getToolsVersion();
+    } catch(e) {
+      appVersion = 'checkout';
+    }
+
+    // meteorReleaseContext - an option with information about app directory
+    // release versions, etc, is used to get exact Meteor version used.
+    if (urlOrOptions.hasOwnProperty('meteorReleaseContext')) {
+      // Get meteor app release version: if specified in command line args, take
+      // releaseVersion, if not specified, try global meteor version
+      var meteorReleaseContext = urlOrOptions.meteorReleaseContext;
+      appVersion = meteorReleaseContext.releaseVersion;
+
+      if (appVersion === 'none')
+        appVersion = meteorReleaseContext.appReleaseVersion;
+      if (appVersion === 'none')
+        appVersion = 'checkout';
+
+      delete urlOrOptions.meteorReleaseContext;
+    }
+
+    // Get some kind of User Agent: environment information.
+    var ua = util.format('Meteor/%s OS/%s (%s; %s; %s;)',
+              appVersion, os.platform(), os.type(), os.release(), os.arch());
+
+    var headers = {'User-Agent': ua };
+
+    if (_.isObject(urlOrOptions))
+      urlOrOptions.headers = _.extend(headers, urlOrOptions.headers);
+    else
+      urlOrOptions = { url: urlOrOptions, headers: headers };
+
+    httpHelpers.request(urlOrOptions, function (error, response, body) {
+      if (error)
+        future.throw(new files.OfflineError(error));
+      else if (response.statusCode >= 400 && response.statusCode < 600)
+        future.throw(response);
+      else
+        future.return(body);
+    });
+    return future.wait();
+  }
+
+
+});
diff --git a/tools/meteor.js b/tools/meteor.js
index 290729f6b75..7b24fb41673 100644
--- a/tools/meteor.js
+++ b/tools/meteor.js
@@ -24,7 +24,7 @@ Fiber(function () {
 
   var Future = require('fibers/future');
   // This code is duplicated in app/server/server.js.
-  var MIN_NODE_VERSION = 'v0.8.24';
+  var MIN_NODE_VERSION = 'v0.10.20';
   if (require('semver').lt(process.version, MIN_NODE_VERSION)) {
     process.stderr.write(
       'Meteor requires Node ' + MIN_NODE_VERSION + ' or later.\n');
diff --git a/tools/meteor_npm.js b/tools/meteor_npm.js
index cf07689d95d..b70a6c3ca22 100644
--- a/tools/meteor_npm.js
+++ b/tools/meteor_npm.js
@@ -10,6 +10,7 @@ var path = require('path');
 var fs = require('fs');
 var cleanup = require(path.join(__dirname, 'cleanup.js'));
 var files = require(path.join(__dirname, 'files.js'));
+var httpHelpers = require('./http-helpers.js');
 var buildmessage = require('./buildmessage.js');
 var _ = require('underscore');
 
@@ -186,6 +187,26 @@ _.extend(exports, {
       throw new Error(
         "Corrupted .npm directory -- can't find npm-shrinkwrap.json in " + packageNpmDir);
 
+    // We need to rebuild all node modules when the Node version changes, in
+    // case there are some binary ones. Technically this is racey, but it
+    // shouldn't fail very often.
+    if (fs.existsSync(path.join(packageNpmDir, 'node_modules'))) {
+      var oldNodeVersion;
+      try {
+        oldNodeVersion = fs.readFileSync(
+          path.join(packageNpmDir, 'node_modules', '.node_version'), 'utf8');
+      } catch (e) {
+        if (e.code !== 'ENOENT')
+          throw e;
+        // Use the Node version from the last release where we didn't drop this
+        // file.
+        oldNodeVersion = 'v0.8.24';
+      }
+
+      if (oldNodeVersion !== process.version)
+        files.rm_recursive(path.join(packageNpmDir, 'node_modules'));
+    }
+
     var installedDependencies = self._installedDependencies(packageNpmDir);
 
     // If we already have the right things installed, life is good.
@@ -276,6 +297,7 @@ _.extend(exports, {
     fs.unlinkSync(path.join(newPackageNpmDir, 'package.json'));
 
     self._createReadme(newPackageNpmDir);
+    self._createNodeVersion(newPackageNpmDir);
     files.renameDirAlmostAtomically(newPackageNpmDir, packageNpmDir);
   },
 
@@ -292,6 +314,12 @@ _.extend(exports, {
     );
   },
 
+  _createNodeVersion: function(newPackageNpmDir) {
+    fs.writeFileSync(
+      path.join(newPackageNpmDir, 'node_modules', '.node_version'),
+      process.version);
+  },
+
   // Returns object with keys 'stdout', 'stderr', and 'success' (true
   // for clean exit with exit code 0, else false)
   _execFileSync: function(file, args, opts) {
@@ -407,9 +435,18 @@ _.extend(exports, {
     // We don't use npm.commands.install since we couldn't
     // figure out how to silence all output (specifically the
     // installed tree which is printed out with `console.log`)
+    //
+    // We use --force, because the NPM cache is broken! See
+    // https://github.com/isaacs/npm/issues/3265 Basically, switching back and
+    // forth between a tarball fork of version X and the real version X can
+    // confuse NPM. But the main reason to use tarball URLs is to get a fork of
+    // the latest version with some fix, so it's easy to trigger this! So
+    // instead, always use --force. (Even with --force, we still WRITE to the
+    // cache, so we can corrupt the cache for other invocations of npm... ah
+    // well.)
     var result =
       this._execFileSync(path.join(files.get_dev_bundle(), "bin", "npm"),
-                         ["install", installArg],
+                         ["install", "--force", installArg],
                          {cwd: dir});
 
     if (! result.success) {
@@ -436,10 +473,11 @@ _.extend(exports, {
 
     this._ensureConnected();
 
-    // `npm install`, which reads npm-shrinkwrap.json
+    // `npm install`, which reads npm-shrinkwrap.json.  See above for why
+    // --force.
     var result =
       this._execFileSync(path.join(files.get_dev_bundle(), "bin", "npm"),
-                         ["install"], {cwd: dir});
+                         ["install", "--force"], {cwd: dir});
 
 
     if (! result.success) {
@@ -454,7 +492,7 @@ _.extend(exports, {
   // dependencies. `npm install` times out after more than a minute.
   _ensureConnected: function () {
     try {
-      files.getUrl("http://registry.npmjs.org");
+      httpHelpers.getUrl("http://registry.npmjs.org");
     } catch (e) {
       buildmessage.error("Can't install npm dependencies. " +
                          "Are you connected to the internet?");
diff --git a/tools/mongo_runner.js b/tools/mongo_runner.js
index f40a4384338..10745d91410 100644
--- a/tools/mongo_runner.js
+++ b/tools/mongo_runner.js
@@ -161,18 +161,29 @@ exports.launch_mongo = function (app_dir, port, launch_callback, on_exit_callbac
     var proc = child_process.spawn(mongod_path, [
       '--bind_ip', '127.0.0.1',
       '--smallfiles',
+      '--nohttpinterface',
       '--port', port,
       '--dbpath', data_path
     ]);
+    var callOnExit = function (code, signal) {
+      on_exit_callback(code, signal, stderrOutput);
+    };
     handle.stop = function (callback) {
       var tries = 0;
       var exited = false;
-      proc.removeListener('exit', on_exit_callback);
+      proc.removeListener('exit', callOnExit);
       proc.kill('SIGINT');
       callback && callback(err);
     };
 
-    proc.on('exit', on_exit_callback);
+    var stderrOutput = '';
+
+    proc.stderr.setEncoding('utf8');
+    proc.stderr.on('data', function (data) {
+      stderrOutput += data;
+    });
+
+    proc.on('exit', callOnExit);
 
     proc.stdout.setEncoding('utf8');
     proc.stdout.on('data', function (data) {
diff --git a/tools/packages.js b/tools/packages.js
index 41832c04fd0..2645a27ef7a 100644
--- a/tools/packages.js
+++ b/tools/packages.js
@@ -26,7 +26,7 @@ var sourcemap = require('source-map');
 // end up as watched dependencies. (At least for now, packages only used in
 // target creation (eg minifiers and dev-bundle-fetcher) don't require you to
 // update BUILT_BY, though you will need to quit and rerun "meteor run".)
-exports.BUILT_BY = 'meteor/8';
+exports.BUILT_BY = 'meteor/10';
 
 // Like Perl's quotemeta: quotes all regexp metacharacters. See
 //   https://github.com/substack/quotemeta/blob/master/index.js
diff --git a/tools/run.js b/tools/run.js
index 8ddc3dc2eda..fff230daa61 100644
--- a/tools/run.js
+++ b/tools/run.js
@@ -108,8 +108,17 @@ var requestQueue = [];
 var startProxy = function (outerPort, innerPort, callback) {
   callback = callback || function () {};
 
+  var http = require('http');
+  // Note: this uses the pre-release 1.0.0 API.
   var httpProxy = require('http-proxy');
-  var p = httpProxy.createServer(function (req, res, proxy) {
+
+  var proxy = httpProxy.createProxyServer({
+    // agent is required to handle keep-alive, and http-proxy 1.0 is a little
+    // buggy without it: https://github.com/nodejitsu/node-http-proxy/pull/488
+    agent: new http.Agent({maxSockets: 100})
+  });
+
+  var server = http.createServer(function (req, res) {
     if (Status.crashing) {
       // sad face. send error logs.
       // XXX formatting! text/plain is bad
@@ -126,43 +135,35 @@ var startProxy = function (outerPort, innerPort, callback) {
       });
 
       res.end();
-    } else if (Status.listening) {
+      return;
+    }
+    var proxyIt = function () {
+      proxy.web(req, res, {target: 'http://127.0.0.1:' + innerPort});
+    };
+    if (Status.listening) {
       // server is listening. things are hunky dory!
-      proxy.proxyRequest(req, res, {
-        host: '127.0.0.1', port: innerPort
-      });
+      proxyIt();
     } else {
-      // Not listening yet. Queue up request.
-      var buffer = httpProxy.buffer(req);
-      requestQueue.push(function () {
-        proxy.proxyRequest(req, res, {
-          host: '127.0.0.1', port: innerPort,
-          buffer: buffer
-        });
-      });
+      requestQueue.push(proxyIt);
     }
   });
 
-  // Proxy websocket requests using same buffering logic as for regular HTTP requests
-  p.on('upgrade', function(req, socket, head) {
+  // Proxy websocket requests using same buffering logic as for regular HTTP
+  // requests
+  server.on('upgrade', function(req, socket, head) {
+    var proxyIt = function () {
+      proxy.ws(req, socket, head, { target: 'http://127.0.0.1:' + innerPort});
+    };
     if (Status.listening) {
       // server is listening. things are hunky dory!
-      p.proxy.proxyWebSocketRequest(req, socket, head, {
-        host: '127.0.0.1', port: innerPort
-      });
+      proxyIt();
     } else {
       // Not listening yet. Queue up request.
-      var buffer = httpProxy.buffer(req);
-      requestQueue.push(function () {
-        p.proxy.proxyWebSocketRequest(req, socket, head, {
-          host: '127.0.0.1', port: innerPort,
-          buffer: buffer
-        });
-      });
+      requestQueue.push(proxyIt);
     }
   });
 
-  p.on('error', function (err) {
+  server.on('error', function (err) {
     if (err.code == 'EADDRINUSE') {
       process.stderr.write("Can't listen on port " + outerPort
                            + ". Perhaps another Meteor is running?\n");
@@ -177,17 +178,20 @@ var startProxy = function (outerPort, innerPort, callback) {
     process.exit(1);
   });
 
-  // don't spin forever if the app doesn't respond. instead return an
-  // error immediately. This shouldn't happen much since we try to not
-  // send requests if the app is down.
-  p.proxy.on('proxyError', function (err, req, res) {
+  // don't crash if the app doesn't respond. instead return an error
+  // immediately. This shouldn't happen much since we try to not send requests
+  // if the app is down.
+  proxy.ee.on('http-proxy:outgoing:web:error', function (err, req, res) {
     res.writeHead(503, {
       'Content-Type': 'text/plain'
     });
     res.end('Unexpected error.');
   });
+  proxy.ee.on('http-proxy:outgoing:ws:error', function (err, req, socket) {
+    socket.end();
+  });
 
-  p.listen(outerPort, callback);
+  server.listen(outerPort, callback);
 };
 
 var saveLog = function (msg) {
@@ -290,10 +294,8 @@ var startServer = function (options) {
   // print directly in the same format as log messages from other apps
   Log.outputFormat = 'colored-text';
 
-  proc.stdout.setEncoding('utf8');
-  // The byline module ensures that each 'data' call will receive one
-  // line.
-  require('byline')(proc.stdout).on('data', function (line) {
+  var eachline = require('eachline');
+  eachline(proc.stdout, 'utf8', function (line) {
     if (!line) return;
     // string must match server.js
     if (line.match(/^LISTENING\s*$/)) {
@@ -306,8 +308,7 @@ var startServer = function (options) {
     saveLog({stdout: Log.format(obj)});
   });
 
-  proc.stderr.setEncoding('utf8');
-  require('byline')(proc.stderr).on('data', function (line) {
+  eachline(proc.stderr, 'utf8', function (line) {
     if (!line) return;
     var obj = Log.objFromText(line, { level: 'warn', stderr: true });
     console.log(Log.format(obj, { color: true }));
@@ -402,29 +403,6 @@ exports.run = function (context, options) {
         ("mongodb://127.0.0.1:" + mongoPort + "/meteor");
   var firstRun = true;
 
-  // node-http-proxy doesn't properly handle errors if it has a problem writing
-  // to the proxy target. While we try to not proxy requests when we don't think
-  // the target is listening, there are race conditions here, and in any case
-  // those attempts don't take effect for pre-existing websocket connections.
-  // Error handling in node-http-proxy is really convoluted and will change with
-  // their ongoing Node 0.10.x compatible rewrite, so rather than trying to
-  // debug and send pull request now, we'll wait for them to finish their
-  // rewrite. In the meantime, ignore two common exceptions that we sometimes
-  // see instead of crashing.
-  //
-  // See https://github.com/meteor/meteor/issues/513
-  //
-  // That bug is about "meteor deploy"s use of http-proxy, but it also affects
-  // our use here; see
-  // https://groups.google.com/d/msg/meteor-core/JgbnfKEa5lA/FJHZtJftfSsJ
-  //
-  // XXX remove this once we've upgraded and fixed http-proxy
-  process.on('uncaughtException', function (e) {
-    if (e && (e.errno === 'EPIPE' || e.message === "This socket is closed."))
-      return;
-    throw e;
-  });
-
   var serverHandle;
   var watcher;
 
@@ -628,11 +606,15 @@ exports.run = function (context, options) {
         }
         restartServer();
       },
-      function (code, signal) { // On Mongo dead
+      function (code, signal, stderr) { // On Mongo dead
         if (Status.shuttingDown) {
           return;
         }
-        console.log("Unexpected mongo exit code " + code + ". Restarting.");
+
+        // Print only last 20 lines of stderr.
+        stderr = stderr.split('\n').slice(-20).join('\n');
+
+        console.log(stderr + "Unexpected mongo exit code " + code + ". Restarting.\n");
 
         // if mongo dies 3 times with less than 5 seconds between each,
         // declare it failed and die.
@@ -645,6 +627,11 @@ exports.run = function (context, options) {
           if (explanation === mongoExitCodes.EXIT_NET_ERROR)
             console.log("\nCheck for other processes listening on port " + mongoPort +
                         "\nor other meteors running in the same project.");
+          if (!explanation && /GLIBC/i.test(stderr))
+            console.log("\nLooks like you are trying to run Meteor on an old Linux " +
+                        "distribution. Meteor on Linux only supports Linux with glibc " +
+                        "version 2.9 and above. Try upgrading your distribution " +
+                        "to the latest version.");
           process.exit(1);
         }
         if (mongoErrorTimer)
diff --git a/tools/server/boot.js b/tools/server/boot.js
index 0a2fa308a2e..32859e084b7 100644
--- a/tools/server/boot.js
+++ b/tools/server/boot.js
@@ -6,7 +6,7 @@ var _ = require('underscore');
 var sourcemap_support = require('source-map-support');
 
 // This code is duplicated in tools/server/server.js.
-var MIN_NODE_VERSION = 'v0.8.24';
+var MIN_NODE_VERSION = 'v0.10.20';
 if (require('semver').lt(process.version, MIN_NODE_VERSION)) {
   process.stderr.write(
     'Meteor requires Node ' + MIN_NODE_VERSION + ' or later.\n');
diff --git a/tools/tests/test_bundler_assets.js b/tools/tests/test_bundler_assets.js
index e3771bf089d..e841b15568f 100644
--- a/tools/tests/test_bundler_assets.js
+++ b/tools/tests/test_bundler_assets.js
@@ -91,7 +91,8 @@ assert.doesNotThrow(function () {
   var cp = require('child_process');
   var meteor = path.join(__dirname, "..", "..", "meteor"); // XXX is this allowed?
   var fut = new Future();
-  var proc = cp.spawn(meteor, ["--once"], {
+  // use a non-default port so we don't fail if someone is running an app now
+  var proc = cp.spawn(meteor, ["--once", "--port", "4123"], {
     cwd: path.join(__dirname, "app-with-private"),
     stdio: 'inherit'
   });
diff --git a/tools/tests/test_bundler_npm.js b/tools/tests/test_bundler_npm.js
index 82fe94c1dca..e4e1509bc05 100644
--- a/tools/tests/test_bundler_npm.js
+++ b/tools/tests/test_bundler_npm.js
@@ -172,12 +172,12 @@ assert.doesNotThrow(function () {
 
   // while bundling, verify that we don't call `npm install
   // name@version unnecessarily` -- calling `npm install` is enough,
-  // and installing each package separately coul unintentionally bump
+  // and installing each package separately could unintentionally bump
   // subdependency versions. (to intentionally bump subdependencies,
   // just remove all of the .npm directory)
   var bareExecFileSync = meteorNpm._execFileSync;
   meteorNpm._execFileSync = function(file, args, opts) {
-    if (args[0] === 'install' && args[1])
+    if (args.length > 2 && args[0] === 'install' && args[1] === '--force')
       assert.fail("shouldn't be installing specific npm packages: " + args[1]);
     return bareExecFileSync(file, args, opts);
   };
diff --git a/tools/updater.js b/tools/updater.js
index 0369ba5ee98..368c95452ce 100644
--- a/tools/updater.js
+++ b/tools/updater.js
@@ -6,6 +6,7 @@ var testingUpdater = false;
 var inFiber = require('./fiber-helpers.js').inFiber;
 var files = require('./files.js');
 var warehouse = require('./warehouse.js');
+var httpHelpers = require('./http-helpers.js');
 
 var manifestUrl = testingUpdater
       ? 'https://s3.amazonaws.com/com.meteor.static/test/update/manifest.json'
@@ -21,7 +22,7 @@ exports.getManifest = function (context) {
   if (context)
     options.meteorReleaseContext = context;
 
-  return files.getUrl(options);
+  return httpHelpers.getUrl(options);
 };
 
 exports.startUpdateChecks = function (context) {
diff --git a/tools/warehouse.js b/tools/warehouse.js
index 91e47b33113..d2ea01838e1 100644
--- a/tools/warehouse.js
+++ b/tools/warehouse.js
@@ -28,6 +28,7 @@ var _ = require("underscore");
 
 var files = require('./files.js');
 var updater = require('./updater.js');
+var httpHelpers = require('./http-helpers.js');
 var fiberHelpers = require('./fiber-helpers.js');
 var logging = require('./logging.js');
 
@@ -235,7 +236,7 @@ _.extend(warehouse, {
     // after we're done writing packages
     if (!releaseAlreadyExists) {
       try {
-        releaseManifestText = files.getUrl(
+        releaseManifestText = httpHelpers.getUrl(
           WAREHOUSE_URLBASE + "/releases/" + releaseVersion + ".release.json");
       } catch (e) {
         // just throw, if we're in the background anyway, or if this is the
@@ -303,7 +304,7 @@ _.extend(warehouse, {
       // try getting the releases's notices. only blessed releases have one, so
       // if we can't find it just proceed.
       try {
-        var notices = files.getUrl(
+        var notices = httpHelpers.getUrl(
           WAREHOUSE_URLBASE + "/releases/" + releaseVersion + ".notices.json");
 
         // Real notices are valid JSON.
@@ -347,7 +348,7 @@ _.extend(warehouse, {
           "meteor-tools-" + toolsVersion + "-" + platform + ".tar.gz";
     var toolsTarballPath = "/tools/" + toolsVersion + "/"
           + toolsTarballFilename;
-    var toolsTarball = files.getUrl({
+    var toolsTarball = httpHelpers.getUrl({
       url: WAREHOUSE_URLBASE + toolsTarballPath,
       encoding: null
     });
@@ -430,7 +431,7 @@ _.extend(warehouse, {
               "/" + version +
               "/" + name + '-' + version + "-" + platform + ".tar.gz";
 
-        var tarball = files.getUrl({url: packageUrl, encoding: null});
+        var tarball = httpHelpers.getUrl({url: packageUrl, encoding: null});
         files.extractTarGz(tarball, packageDir);
         if (!dontWriteFreshFile)
           fs.writeFileSync(warehouse.getPackageFreshFile(name, version), '');
diff --git a/tools/watch.js b/tools/watch.js
index ea685773cbe..c2007c1f3d1 100644
--- a/tools/watch.js
+++ b/tools/watch.js
@@ -1,6 +1,8 @@
 var fs = require("fs");
 var path = require("path");
 var _ = require('underscore');
+var Future = require('fibers/future');
+var fiberHelpers = require('./fiber-helpers.js');
 
 // Watch for changes to a set of files, and the first time that any of
 // the files change, call a user-provided callback. (If you want a
@@ -53,8 +55,6 @@ var _ = require('underscore');
 // nonexistent if they point to something nonexist, etc). Not sure if this is
 // correct.
 
-
-
 var WatchSet = function () {
   var self = this;
 
@@ -209,9 +209,10 @@ WatchSet.fromJSON = function (json) {
 };
 
 var readDirectory = function (options) {
+  var yielding = !!options._yielding;
   // Read the directory.
   try {
-    var contents = fs.readdirSync(options.absPath);
+    var contents = readdirSyncOrYield(options.absPath, yielding);
   } catch (e) {
     // If the path is not a directory, return null; let other errors through.
     if (e && (e.code === 'ENOENT' || e.code === 'ENOTDIR'))
@@ -226,7 +227,7 @@ var readDirectory = function (options) {
       // We do stat instead of lstat here, so that we treat symlinks to
       // directories just like directories themselves.
       // XXX Does the treatment of symlinks make sense?
-      var stats = fs.statSync(path.join(options.absPath, entry));
+      var stats = statSyncOrYield(path.join(options.absPath, entry), yielding);
     } catch (e) {
       if (e && (e.code === 'ENOENT')) {
         // Disappeared after the readdirSync (or a dangling symlink)? Eh,
@@ -274,7 +275,7 @@ var Watcher = function (options) {
   self.justCheckOnce = !!options._justCheckOnce;
 
   self.fileWatches = []; // array of paths
-  self.directoryWatches = []; // array of watch object
+  self.directoryWatches = []; // array of interval handles
 
   // We track all of the currently active timers so that we can cancel
   // them at stop() time. This stops the process from hanging at
@@ -334,7 +335,7 @@ _.extend(Watcher.prototype, {
     return true;
   },
 
-  _fireIfDirectoryChanged: function (info, isDoubleCheck) {
+  _fireIfDirectoryChanged: function (info, yielding) {
     var self = this;
 
     if (self.stopped)
@@ -343,7 +344,8 @@ _.extend(Watcher.prototype, {
     var newContents = exports.readDirectory({
       absPath: info.absPath,
       include: info.include,
-      exclude: info.exclude
+      exclude: info.exclude,
+      _yielding: yielding
     });
 
     // If the directory has changed (including being deleted or created).
@@ -352,20 +354,6 @@ _.extend(Watcher.prototype, {
       return true;
     }
 
-    if (!isDoubleCheck && !self.justCheckOnce) {
-      // Whenever a directory changes, scan it soon as we notice,
-      // but then scan it again one secord later just to make sure
-      // that we haven't missed any changes. See commentary at
-      // #WorkAroundLowPrecisionMtimes
-      // XXX not sure why this uses a different strategy than files
-      var timerId = self.nextTimerId++;
-      self.timers[timerId] = setTimeout(function () {
-        delete self.timers[timerId];
-        if (! self.stopped)
-          self._fireIfDirectoryChanged(info, true);
-      }, 1000);
-    }
-
     return false;
   },
 
@@ -418,7 +406,19 @@ _.extend(Watcher.prototype, {
   _startDirectoryWatches: function () {
     var self = this;
 
-    // Set up a watch for each directory
+    // fs.watchFile doesn't work for directories (as tested on ubuntu)
+    // and fs.watch has serious issues on MacOS (at least in node 0.10)
+    // https://github.com/meteor/meteor/issues/1483
+    // https://groups.google.com/forum/#!topic/meteor-talk/Zy1XxEcxe8o
+    // https://github.com/joyent/node/issues/5463
+    // https://github.com/joyent/libuv/commit/38df93cf
+    //
+    // Instead, just use setInterval. _fireIfDirectoryChanged already
+    // does checking to see if anything really changed. When node has a
+    // stable directory watching API that is more efficient than just
+    // polling, look at the history for this file around release 0.6.5
+    // for a version that uses fs.watch.
+
     _.each(self.watchSet.directories, function (info) {
       if (self.stopped)
         return;
@@ -431,24 +431,12 @@ _.extend(Watcher.prototype, {
       if (self.stopped || self.justCheckOnce)
         return;
 
-      // fs.watchFile doesn't work for directories (as tested on ubuntu)
       // Notice that we poll very frequently (500 ms)
-      try {
-        self.directoryWatches.push(
-          fs.watch(info.absPath, {interval: 500}, function () {
-            self._fireIfDirectoryChanged(info);
-          })
-        );
-      } catch (e) {
-        // Can happen if the directory doesn't exist, in which case we should
-        // fire if it should be there.
-        if (e && e.code === "ENOENT") {
-          if (info.contents !== null)
-            self._fire();
-          return;
-        }
-        throw e;
-      }
+      self.directoryWatches.push(
+        setInterval(fiberHelpers.inFiber(function () {
+          self._fireIfDirectoryChanged(info, true);
+        }), 500)
+      );
     });
   },
 
@@ -480,7 +468,7 @@ _.extend(Watcher.prototype, {
 
     // Clean up directory watches
     _.each(self.directoryWatches, function (watch) {
-      watch.close();
+      clearInterval(watch);
     });
     self.directoryWatches = [];
   }
@@ -536,6 +524,25 @@ var sha1 = function (contents) {
   return hash.digest('hex');
 };
 
+// XXX We should eventually rewrite the whole meteor tools to use yielding fs
+// calls instead of sync (so that meteor is responsive to C-c during bundling,
+// so that the proxy accepts connections, etc) but we don't want to do this in
+// the point release in which we are adding these functions.
+var readdirSyncOrYield = function (path, yielding) {
+  if (yielding) {
+    return Future.wrap(fs.readdir)(path).wait();
+  } else {
+    return fs.readdirSync(path);
+  }
+};
+var statSyncOrYield = function (path, yielding) {
+  if (yielding) {
+    return Future.wrap(fs.stat)(path).wait();
+  } else {
+    return fs.statSync(path);
+  }
+};
+
 _.extend(exports, {
   WatchSet: WatchSet,
   Watcher: Watcher,