@dwk/activitypub 0.1.0-beta.0

package/dist/config.js

@@ -0,0 +1,142 @@
+/**
+ * Configuration, the declared Cloudflare `Env` fragment, and config resolution
+ * for `@dwk/activitypub`.
+ *
+ * Per the composition contract the package never reads the global environment
+ * directly: the actor profile, key material, and delivery policy are all passed
+ * into {@link createActivityPub}, so an actor can be instantiated multiple times
+ * and unit-tested in isolation. The only runtime coupling is the per-actor
+ * Durable Object namespace, and a missing binding fails loudly at startup.
+ */
+import { noopLogger, noopMetrics } from "@dwk/log";
+/**
+ * Internal headers the trusted front door uses to hand verified facts and the
+ * config subset the DO needs (including signing key material, which never leaves
+ * Cloudflare's network) to the Durable Object.
+ */
+export const INTERNAL_HEADERS = {
+    /** The verified actor IRI that signed an inbound `POST /inbox` (absent ⇒ unverified). */
+    signedActor: "x-ap-signed-actor",
+    /** JSON config subset the DO needs (IRIs, delivery policy, signing key). */
+    config: "x-ap-config",
+    /** Marks an owner-authorized publish request (`POST <actor>/outbox`). */
+    publish: "x-ap-publish",
+};
+const DEFAULT_PAGE_SIZE = 50;
+const DEFAULT_MAX_ATTEMPTS = 8;
+const DEFAULT_BASE_DELAY_MS = 60_000;
+const DEFAULT_CLOCK_SKEW_SECONDS = 300;
+const DEFAULT_SOFTWARE = {
+    name: "dwk-activitypub",
+    version: "0.0.0",
+};
+/** Strip a trailing slash so path joins are unambiguous. */
+function normalizeBaseUrl(baseUrl) {
+    return baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
+}
+/** Derive the actor + collection IRIs from a base URL and username. */
+export function deriveIris(baseUrl, username) {
+    const id = `${baseUrl}/users/${encodeURIComponent(username)}`;
+    return {
+        id,
+        inbox: `${id}/inbox`,
+        outbox: `${id}/outbox`,
+        followers: `${id}/followers`,
+        following: `${id}/following`,
+        keyId: `${id}#main-key`,
+    };
+}
+/**
+ * The default key resolver: fetch the `keyId` (an actor or fragment IRI) as AS2
+ * and read its embedded `publicKey`. Returns `null` when the document cannot be
+ * fetched or carries no usable key, which the verifier maps to a rejection.
+ */
+function defaultKeyResolver(fetchImpl) {
+    return async (keyId) => {
+        // The key IRI is the actor (or key) document URL with its fragment
+        // stripped. Parse it as a URL so the fragment is removed per the URL spec
+        // (rather than by string surgery) and an unparseable `keyId` is rejected
+        // before it reaches `fetch`.
+        let actorUrl;
+        try {
+            const url = new URL(keyId);
+            // Only ever dereference a remote actor/key document over HTTP(S); reject
+            // other schemes (`file:`, `data:`, …) outright so a crafted `keyId`
+            // cannot redirect the fetch at a non-network resource.
+            if (url.protocol !== "http:" && url.protocol !== "https:")
+                return null;
+            url.hash = "";
+            actorUrl = url.href;
+        }
+        catch {
+            return null;
+        }
+        let response;
+        try {
+            response = await fetchImpl(actorUrl, {
+                headers: { accept: "application/activity+json" },
+                // Bound key resolution so a slow remote cannot stall inbox verification.
+                signal: AbortSignal.timeout(10_000),
+            });
+        }
+        catch {
+            return null;
+        }
+        if (!response.ok)
+            return null;
+        let doc;
+        try {
+            doc = await response.json();
+        }
+        catch {
+            return null;
+        }
+        if (!doc || typeof doc !== "object")
+            return null;
+        const publicKey = doc.publicKey;
+        if (!publicKey || typeof publicKey !== "object")
+            return null;
+        const pem = publicKey.publicKeyPem;
+        const owner = publicKey.owner ??
+            doc.id;
+        if (typeof pem !== "string" || typeof owner !== "string")
+            return null;
+        return { owner, publicKeyPem: pem };
+    };
+}
+/** Apply defaults and derive IRIs from raw {@link ActivityPubConfig}. */
+export function resolveConfig(config) {
+    if (!config.baseUrl) {
+        throw new Error("@dwk/activitypub: `baseUrl` is required");
+    }
+    if (!config.actor || !config.actor.username) {
+        throw new Error("@dwk/activitypub: `actor.username` is required");
+    }
+    if (!config.publicKeyPem) {
+        throw new Error("@dwk/activitypub: `publicKeyPem` is required");
+    }
+    const baseUrl = normalizeBaseUrl(config.baseUrl);
+    const fetchImpl = config.fetch ?? fetch;
+    const sharedInbox = (config.sharedInbox ?? true) ? `${baseUrl}/inbox` : undefined;
+    return {
+        baseUrl,
+        actor: config.actor,
+        iris: deriveIris(baseUrl, config.actor.username),
+        sharedInbox,
+        publicKeyPem: config.publicKeyPem,
+        privateKeyPem: config.privateKeyPem,
+        publishToken: config.publishToken,
+        pageSize: config.pageSize ?? DEFAULT_PAGE_SIZE,
+        deliveryMaxAttempts: config.deliveryMaxAttempts ?? DEFAULT_MAX_ATTEMPTS,
+        deliveryBaseDelayMs: config.deliveryBaseDelayMs ?? DEFAULT_BASE_DELAY_MS,
+        clockSkewSeconds: config.clockSkewSeconds ?? DEFAULT_CLOCK_SKEW_SECONDS,
+        software: config.software ?? DEFAULT_SOFTWARE,
+        keyResolver: config.keyResolver ?? defaultKeyResolver(fetchImpl),
+        verifyInboxSignature: config.verifyInboxSignature,
+        fetch: fetchImpl,
+        now: config.now ?? (() => Date.now()),
+        logger: config.logger ?? noopLogger,
+        metrics: config.metrics ?? noopMetrics,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAA6B,MAAM,UAAU,CAAC;AAsI9E;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,yFAAyF;IACzF,WAAW,EAAE,mBAAmB;IAChC,4EAA4E;IAC5E,MAAM,EAAE,aAAa;IACrB,yEAAyE;IACzE,OAAO,EAAE,cAAc;CACf,CAAC;AAiBX,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,oBAAoB,GAAG,CAAC,CAAC;AAC/B,MAAM,qBAAqB,GAAG,MAAM,CAAC;AACrC,MAAM,0BAA0B,GAAG,GAAG,CAAC;AAEvC,MAAM,gBAAgB,GAAiB;IACrC,IAAI,EAAE,iBAAiB;IACvB,OAAO,EAAE,OAAO;CACjB,CAAC;AAEF,4DAA4D;AAC5D,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;AAChE,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,QAAgB;IAC1D,MAAM,EAAE,GAAG,GAAG,OAAO,UAAU,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC9D,OAAO;QACL,EAAE;QACF,KAAK,EAAE,GAAG,EAAE,QAAQ;QACpB,MAAM,EAAE,GAAG,EAAE,SAAS;QACtB,SAAS,EAAE,GAAG,EAAE,YAAY;QAC5B,SAAS,EAAE,GAAG,EAAE,YAAY;QAC5B,KAAK,EAAE,GAAG,EAAE,WAAW;KACxB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,SAAuB;IACjD,OAAO,KAAK,EAAE,KAAa,EAA+B,EAAE;QAC1D,mEAAmE;QACnE,0EAA0E;QAC1E,yEAAyE;QACzE,6BAA6B;QAC7B,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;YAC3B,yEAAyE;YACzE,oEAAoE;YACpE,uDAAuD;YACvD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACvE,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;YACd,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE;gBACnC,OAAO,EAAE,EAAE,MAAM,EAAE,2BAA2B,EAAE;gBAChD,yEAAyE;gBACzE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;aACpC,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAC9B,IAAI,GAAY,CAAC;QACjB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACjD,MAAM,SAAS,GAAI,GAA+B,CAAC,SAAS,CAAC;QAC7D,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC7D,MAAM,GAAG,GAAI,SAAqC,CAAC,YAAY,CAAC;QAChE,MAAM,KAAK,GACR,SAAqC,CAAC,KAAK;YAC3C,GAA+B,CAAC,EAAE,CAAC;QACtC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACtE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;IACtC,CAAC,CAAC;AACJ,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,aAAa,CAAC,MAAyB;IACrD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC;IACxC,MAAM,WAAW,GACf,CAAC,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhE,OAAO;QACL,OAAO;QACP,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,IAAI,EAAE,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC;QAChD,WAAW;QACX,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,iBAAiB;QAC9C,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,oBAAoB;QACvE,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,qBAAqB;QACxE,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,0BAA0B;QACvE,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,gBAAgB;QAC7C,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,kBAAkB,CAAC,SAAS,CAAC;QAChE,oBAAoB,EAAE,MAAM,CAAC,oBAAoB;QACjD,KAAK,EAAE,SAAS;QAChB,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QACrC,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,UAAU;QACnC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,WAAW;KACvC,CAAC;AACJ,CAAC"}

package/dist/delivery.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Outbound delivery for `@dwk/activitypub`: sign an activity and `POST` it to a
+ * remote inbox.
+ *
+ * Delivery targets are attacker-influenced URLs (a follower's advertised inbox),
+ * so every target passes a syntactic SSRF guard before any request leaves —
+ * rejecting non-HTTPS schemes and private / loopback / link-local hosts so a
+ * malicious actor cannot point a delivery at the Worker's own network. (DNS
+ * rebinding is out of scope: the Workers runtime does not expose name
+ * resolution to user code; see `@dwk/webmention`'s safe-fetch for the same
+ * limitation.) The forthcoming `@dwk/http-signatures` package owns the signing
+ * primitive; this module wires it to the network.
+ */
+import { type SignerKey } from "./signature";
+/** Machine-readable cause of a blocked delivery target. */
+export type BlockedReason = "invalid_url" | "disallowed_scheme" | "blocked_host";
+/** Raised when a delivery target is refused on SSRF grounds. */
+export declare class DeliveryBlockedError extends Error {
+    readonly reason: BlockedReason;
+    constructor(reason: BlockedReason);
+}
+/**
+ * Validate a delivery target URL: HTTPS only, and a public host. Throws a
+ * {@link DeliveryBlockedError} on any failure so the caller logs it and drops
+ * the row rather than retrying a target that can never be reached.
+ */
+export declare function assertPublicHttpsTarget(url: string): URL;
+/** The outcome of a single delivery attempt. */
+export type DeliveryResult = {
+    readonly ok: true;
+    readonly status: number;
+} | {
+    readonly ok: false;
+    readonly status: number;
+    readonly retryable: boolean;
+};
+/**
+ * Sign and `POST` one activity to a remote inbox. A `2xx` is success; `4xx`
+ * (except `408`/`429`) is a permanent failure (drop) since the peer rejected the
+ * request; `5xx`, `408`, `429`, and network errors are retryable.
+ */
+export declare function deliverActivity(inboxUrl: string, activityJson: string, signer: SignerKey, fetchImpl: typeof fetch, now?: () => number, timeoutMs?: number): Promise<DeliveryResult>;
+//# sourceMappingURL=delivery.d.ts.map

package/dist/delivery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delivery.d.ts","sourceRoot":"","sources":["../src/delivery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAe,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAE1D,2DAA2D;AAC3D,MAAM,MAAM,aAAa,GACrB,aAAa,GACb,mBAAmB,GACnB,cAAc,CAAC;AAEnB,gEAAgE;AAChE,qBAAa,oBAAqB,SAAQ,KAAK;IAC7C,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;gBACnB,MAAM,EAAE,aAAa;CAKlC;AAuCD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CA6BxD;AAED,gDAAgD;AAChD,MAAM,MAAM,cAAc,GACtB;IAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC9C;IACE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;CAC7B,CAAC;AAEN;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,SAAS,EACjB,SAAS,EAAE,OAAO,KAAK,EACvB,GAAG,GAAE,MAAM,MAAyB,EACpC,SAAS,SAAS,GACjB,OAAO,CAAC,cAAc,CAAC,CA4BzB"}

package/dist/delivery.js

@@ -0,0 +1,131 @@
+/**
+ * Outbound delivery for `@dwk/activitypub`: sign an activity and `POST` it to a
+ * remote inbox.
+ *
+ * Delivery targets are attacker-influenced URLs (a follower's advertised inbox),
+ * so every target passes a syntactic SSRF guard before any request leaves —
+ * rejecting non-HTTPS schemes and private / loopback / link-local hosts so a
+ * malicious actor cannot point a delivery at the Worker's own network. (DNS
+ * rebinding is out of scope: the Workers runtime does not expose name
+ * resolution to user code; see `@dwk/webmention`'s safe-fetch for the same
+ * limitation.) The forthcoming `@dwk/http-signatures` package owns the signing
+ * primitive; this module wires it to the network.
+ */
+import { signRequest } from "./signature";
+/** Raised when a delivery target is refused on SSRF grounds. */
+export class DeliveryBlockedError extends Error {
+    reason;
+    constructor(reason) {
+        super(`delivery target blocked: ${reason}`);
+        this.name = "DeliveryBlockedError";
+        this.reason = reason;
+    }
+}
+/** Parse a canonical dotted-decimal IPv4 host into its four octets. */
+function parseIPv4(host) {
+    const match = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
+    if (!match)
+        return null;
+    const octets = [];
+    for (let i = 1; i <= 4; i++) {
+        const value = Number(match[i]);
+        if (value > 255)
+            return null;
+        octets.push(value);
+    }
+    return octets;
+}
+/** Whether an IPv4 address falls in a private, loopback, or link-local range. */
+function isPrivateIPv4(octets) {
+    const [a, b] = octets;
+    if (a === 10)
+        return true; // 10.0.0.0/8
+    if (a === 127)
+        return true; // loopback
+    if (a === 0)
+        return true; // "this network"
+    if (a === 169 && b === 254)
+        return true; // link-local (incl. cloud metadata)
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // 172.16.0.0/12
+    if (a === 192 && b === 168)
+        return true; // 192.168.0.0/16
+    if (a >= 224)
+        return true; // multicast / reserved
+    return false;
+}
+/** A host name that names the local host or an internal/reserved suffix. */
+function isBlockedHostName(host) {
+    const lower = host.toLowerCase();
+    if (lower === "localhost")
+        return true;
+    return (lower.endsWith(".localhost") ||
+        lower.endsWith(".internal") ||
+        lower.endsWith(".local"));
+}
+/**
+ * Validate a delivery target URL: HTTPS only, and a public host. Throws a
+ * {@link DeliveryBlockedError} on any failure so the caller logs it and drops
+ * the row rather than retrying a target that can never be reached.
+ */
+export function assertPublicHttpsTarget(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new DeliveryBlockedError("invalid_url");
+    }
+    if (parsed.protocol !== "https:") {
+        throw new DeliveryBlockedError("disallowed_scheme");
+    }
+    const host = parsed.hostname;
+    const ipv4 = parseIPv4(host);
+    if (ipv4 && isPrivateIPv4(ipv4)) {
+        throw new DeliveryBlockedError("blocked_host");
+    }
+    // IPv6 loopback / unique-local / link-local, and bracketed forms.
+    const v6 = host.replace(/^\[|\]$/g, "").toLowerCase();
+    if (v6 === "::1" ||
+        v6.startsWith("fe80:") ||
+        v6.startsWith("fc") ||
+        v6.startsWith("fd")) {
+        throw new DeliveryBlockedError("blocked_host");
+    }
+    if (isBlockedHostName(host)) {
+        throw new DeliveryBlockedError("blocked_host");
+    }
+    return parsed;
+}
+/**
+ * Sign and `POST` one activity to a remote inbox. A `2xx` is success; `4xx`
+ * (except `408`/`429`) is a permanent failure (drop) since the peer rejected the
+ * request; `5xx`, `408`, `429`, and network errors are retryable.
+ */
+export async function deliverActivity(inboxUrl, activityJson, signer, fetchImpl, now = () => Date.now(), timeoutMs = 10_000) {
+    // Throws DeliveryBlockedError for an unsafe target — the caller drops the row.
+    assertPublicHttpsTarget(inboxUrl);
+    const body = new TextEncoder().encode(activityJson);
+    const signed = await signRequest(inboxUrl, body, signer, { now });
+    let response;
+    try {
+        response = await fetchImpl(inboxUrl, {
+            method: "POST",
+            headers: signed.headers,
+            body: signed.body,
+            // A hung peer must not pin the delivery worker; a timeout is retryable.
+            signal: AbortSignal.timeout(timeoutMs),
+        });
+    }
+    catch {
+        return { ok: false, status: 0, retryable: true };
+    }
+    if (response.status >= 200 && response.status < 300) {
+        return { ok: true, status: response.status };
+    }
+    const retryable = response.status >= 500 ||
+        response.status === 408 ||
+        response.status === 429;
+    return { ok: false, status: response.status, retryable };
+}
+//# sourceMappingURL=delivery.js.map

package/dist/delivery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delivery.js","sourceRoot":"","sources":["../src/delivery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,aAAa,CAAC;AAQ1D,gEAAgE;AAChE,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IACpC,MAAM,CAAgB;IAC/B,YAAY,MAAqB;QAC/B,KAAK,CAAC,4BAA4B,MAAM,EAAE,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;QACnC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED,uEAAuE;AACvE,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,KAAK,GAAG,8CAA8C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,IAAI,KAAK,GAAG,GAAG;YAAE,OAAO,IAAI,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,MAA0C,CAAC;AACpD,CAAC;AAED,iFAAiF;AACjF,SAAS,aAAa,CAAC,MAAwC;IAC7D,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC;IACtB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC,CAAC,aAAa;IACxC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC,CAAC,WAAW;IACvC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,iBAAiB;IAC3C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC,CAAC,oCAAoC;IAC7E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC,CAAC,gBAAgB;IAClE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC,CAAC,iBAAiB;IAC1D,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC,CAAC,uBAAuB;IAClD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4EAA4E;AAC5E,SAAS,iBAAiB,CAAC,IAAY;IACrC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,KAAK,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,CACL,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC5B,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC3B,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,oBAAoB,CAAC,aAAa,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,oBAAoB,CAAC,mBAAmB,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7B,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC7B,IAAI,IAAI,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,oBAAoB,CAAC,cAAc,CAAC,CAAC;IACjD,CAAC;IACD,kEAAkE;IAClE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACtD,IACE,EAAE,KAAK,KAAK;QACZ,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QACtB,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QACnB,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EACnB,CAAC;QACD,MAAM,IAAI,oBAAoB,CAAC,cAAc,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,oBAAoB,CAAC,cAAc,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAWD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,YAAoB,EACpB,MAAiB,EACjB,SAAuB,EACvB,MAAoB,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EACpC,SAAS,GAAG,MAAM;IAElB,+EAA+E;IAC/E,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAElC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IAElE,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE;YACnC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAoB;YACjC,wEAAwE;YACxE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC;SACvC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACpD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;IAC/C,CAAC;IACD,MAAM,SAAS,GACb,QAAQ,CAAC,MAAM,IAAI,GAAG;QACtB,QAAQ,CAAC,MAAM,KAAK,GAAG;QACvB,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC;IAC1B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC;AAC3D,CAAC"}

package/dist/handler.d.ts

@@ -0,0 +1,21 @@
+/**
+ * The stateless ActivityPub front door.
+ *
+ * It serves the static actor document and the NodeInfo discovery documents
+ * directly, verifies inbound `POST /inbox` HTTP signatures at the edge, and
+ * routes everything that touches authoritative state — collection reads, the
+ * inbox, the owner publish endpoint — to the per-actor Durable Object, which
+ * owns dedup, the follower/outbox collections, and the signed delivery queue.
+ * The handler routes purely on the request URL, so it is mountable under any
+ * path prefix (include the prefix in `baseUrl`).
+ */
+import { type ActivityPubConfig, type ActivityPubEnv } from "./config";
+/** A `fetch`-compatible Worker handler. */
+export type ActivityPubHandler = (request: Request, env: ActivityPubEnv, ctx: ExecutionContext) => Promise<Response>;
+/**
+ * Create the stateless ActivityPub front-door handler. The actor document and
+ * NodeInfo are served here; all authoritative state lives in the
+ * {@link ActivityPubObject} the request is routed to.
+ */
+export declare function createActivityPub(config: ActivityPubConfig): ActivityPubHandler;
+//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAYH,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,cAAc,EAGpB,MAAM,UAAU,CAAC;AASlB,2CAA2C;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAC/B,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,cAAc,EACnB,GAAG,EAAE,gBAAgB,KAClB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAiIvB;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,iBAAiB,GACxB,kBAAkB,CAyIpB"}

package/dist/handler.js

@@ -0,0 +1,293 @@
+/**
+ * The stateless ActivityPub front door.
+ *
+ * It serves the static actor document and the NodeInfo discovery documents
+ * directly, verifies inbound `POST /inbox` HTTP signatures at the edge, and
+ * routes everything that touches authoritative state — collection reads, the
+ * inbox, the owner publish endpoint — to the per-actor Durable Object, which
+ * owns dedup, the follower/outbox collections, and the signed delivery queue.
+ * The handler routes purely on the request URL, so it is mountable under any
+ * path prefix (include the prefix in `baseUrl`).
+ */
+import { inboxLinkHeader } from "@dwk/ldn/discovery";
+import { hostFromUrl } from "@dwk/log";
+import { as2ContentType, buildActorDocument } from "./as2";
+import { buildNodeInfo20, buildNodeInfo21, buildNodeInfoDiscovery, } from "./nodeinfo";
+import { INTERNAL_HEADERS, resolveConfig, } from "./config";
+import { ActivityPubLogEvent, ApOutcome, OUTCOME_ACTIVITY_HEADER, OUTCOME_HEADER, } from "./log";
+import { verifyInboxSignature } from "./signature";
+const JSON_CONTENT_TYPE = "application/json; charset=utf-8";
+/** Fail loudly if a required Cloudflare binding is missing. */
+function assertBindings(env) {
+    if (!env.ACTOR) {
+        throw new Error("@dwk/activitypub: missing required Durable Object binding `ACTOR`");
+    }
+}
+/** The path portion of an IRI, for route matching. */
+function pathOf(iri) {
+    return new URL(iri).pathname;
+}
+function jsonResponse(body, contentType, status = 200) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { "content-type": contentType },
+    });
+}
+function text(status, body) {
+    return new Response(body, {
+        status,
+        headers: { "content-type": "text/plain; charset=utf-8" },
+    });
+}
+/** Build the config subset the DO needs (including signing key material). */
+function forwardedConfig(config) {
+    return {
+        iris: config.iris,
+        actorName: config.actor.name ?? config.actor.username,
+        manuallyApprovesFollowers: config.actor.manuallyApprovesFollowers ?? false,
+        pageSize: config.pageSize,
+        deliveryMaxAttempts: config.deliveryMaxAttempts,
+        deliveryBaseDelayMs: config.deliveryBaseDelayMs,
+        keyId: config.iris.keyId,
+        sharedInbox: config.sharedInbox,
+        ...(config.privateKeyPem ? { privateKeyPem: config.privateKeyPem } : {}),
+    };
+}
+/** Emit a structured event on both the logger and the metrics seam. */
+function emit(config, level, event, fields) {
+    config.logger[level](event, fields);
+    config.metrics.count(event, fields);
+}
+/** Reach the per-actor Durable Object (one per actor IRI; no sharding). */
+function actorStub(config, env) {
+    const id = env.ACTOR.idFromName(config.iris.id);
+    return env.ACTOR.get(id);
+}
+/** Forward a request to the DO with the internal config (and optional) headers. */
+function forwardToDo(config, env, url, init) {
+    const headers = new Headers();
+    headers.set(INTERNAL_HEADERS.config, JSON.stringify(forwardedConfig(config)));
+    const accept = init.extra?.accept;
+    if (accept)
+        headers.set("accept", accept);
+    for (const [k, v] of Object.entries(init.extra ?? {})) {
+        if (k !== "accept")
+            headers.set(k, v);
+    }
+    const request = new Request(url, {
+        method: init.method,
+        headers,
+        ...(init.body !== undefined ? { body: init.body } : {}),
+    });
+    return actorStub(config, env).fetch(request);
+}
+/**
+ * Translate the DO's internal inbound-outcome header into the matching log
+ * event, then strip it before the response reaches the peer.
+ */
+function logInboxOutcome(config, response) {
+    const outcome = response.headers.get(OUTCOME_HEADER);
+    if (!outcome)
+        return response;
+    if (outcome === ApOutcome.InboxAccepted) {
+        emit(config, "info", ActivityPubLogEvent.InboxAccepted, {
+            activity: response.headers.get(OUTCOME_ACTIVITY_HEADER) ?? undefined,
+        });
+    }
+    else if (outcome === ApOutcome.InboxDuplicate) {
+        emit(config, "info", ActivityPubLogEvent.InboxDuplicate);
+    }
+    const headers = new Headers(response.headers);
+    headers.delete(OUTCOME_HEADER);
+    headers.delete(OUTCOME_ACTIVITY_HEADER);
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
+/** Verify an inbound `POST /inbox` signature, via the override or the built-in. */
+async function verifySignature(config, inbox) {
+    if (config.verifyInboxSignature) {
+        return config.verifyInboxSignature(inbox);
+    }
+    return verifyInboxSignature(inbox, config.keyResolver, {
+        clockSkewSeconds: config.clockSkewSeconds,
+        now: config.now,
+    });
+}
+/**
+ * Create the stateless ActivityPub front-door handler. The actor document and
+ * NodeInfo are served here; all authoritative state lives in the
+ * {@link ActivityPubObject} the request is routed to.
+ */
+export function createActivityPub(config) {
+    const resolved = resolveConfig(config);
+    const iris = resolved.iris;
+    const actorPath = pathOf(iris.id);
+    const inboxPath = pathOf(iris.inbox);
+    const outboxPath = pathOf(iris.outbox);
+    const followersPath = pathOf(iris.followers);
+    const followingPath = pathOf(iris.following);
+    const sharedInboxPath = resolved.sharedInbox
+        ? pathOf(resolved.sharedInbox)
+        : undefined;
+    const nodeInfo20Path = new URL(`${resolved.baseUrl}/nodeinfo/2.0`).pathname;
+    const nodeInfo21Path = new URL(`${resolved.baseUrl}/nodeinfo/2.1`).pathname;
+    return async (request, env, _ctx) => {
+        assertBindings(env);
+        const url = new URL(request.url);
+        const path = url.pathname;
+        const method = request.method.toUpperCase();
+        // --- NodeInfo (static discovery + mostly-static 2.1 doc) ---------------
+        if (path === "/.well-known/nodeinfo" && method === "GET") {
+            return jsonResponse(buildNodeInfoDiscovery(resolved.baseUrl), JSON_CONTENT_TYPE);
+        }
+        if ((path === nodeInfo20Path || path === nodeInfo21Path) &&
+            method === "GET") {
+            const usage = await nodeInfoUsage(resolved, env);
+            const build = path === nodeInfo20Path ? buildNodeInfo20 : buildNodeInfo21;
+            return jsonResponse(build(resolved.software, usage), JSON_CONTENT_TYPE);
+        }
+        // --- Actor document (static, served at the edge) ------------------------
+        if (path === actorPath) {
+            if (method !== "GET" && method !== "HEAD") {
+                return text(405, "Method Not Allowed");
+            }
+            // Serve AS2 to federation peers; an HTML profile page is out of scope.
+            // A strict client may still content-negotiate for the JSON-LD profile
+            // variant (§3.2), so the response Content-Type honors `Accept`.
+            const body = JSON.stringify(buildActorDocument(iris, resolved.actor, resolved.publicKeyPem, {
+                sharedInbox: resolved.sharedInbox,
+            }));
+            return new Response(method === "HEAD" ? null : body, {
+                status: 200,
+                headers: {
+                    "content-type": as2ContentType(request.headers.get("accept")),
+                    // Advertise the actor's inbox via LDN discovery too, so a plain
+                    // Linked Data Notifications sender (not just an ActivityPub peer) can
+                    // find it from the `Link` header without parsing the AS2 body.
+                    link: inboxLinkHeader(iris.inbox),
+                },
+            });
+        }
+        // --- Inbox(es): verify signature at the edge, then route to the DO ------
+        // Both the actor's personal inbox and the optional instance-level shared
+        // inbox (§7.1.3) are handled identically: the single actor is the only
+        // recipient, so a batched delivery to the shared inbox is processed for it.
+        const isPersonalInbox = path === inboxPath;
+        const isSharedInbox = sharedInboxPath !== undefined && path === sharedInboxPath;
+        if (isPersonalInbox || isSharedInbox) {
+            if (method !== "POST") {
+                // The personal inbox lets the DO answer 405; the shared inbox is
+                // write-only with no DO collection behind it, so answer here.
+                if (isSharedInbox)
+                    return text(405, "Method Not Allowed");
+                return forwardToDo(resolved, env, request.url, { method });
+            }
+            const bodyBytes = new Uint8Array(await request.arrayBuffer());
+            const inbox = {
+                method,
+                path: `${url.pathname}${url.search}`,
+                headers: request.headers,
+                body: bodyBytes,
+            };
+            const result = await verifySignature(resolved, inbox);
+            if (!result.ok) {
+                emit(resolved, "warn", ActivityPubLogEvent.SignatureRejected, {
+                    reason: result.reason,
+                });
+                return text(401, `invalid_signature: ${result.reason}`);
+            }
+            emit(resolved, "info", ActivityPubLogEvent.SignatureAccepted, {
+                actorHost: hostFromUrl(result.actor),
+            });
+            const response = await forwardToDo(resolved, env, request.url, {
+                method,
+                body: bodyBytes,
+                extra: { [INTERNAL_HEADERS.signedActor]: result.actor },
+            });
+            return logInboxOutcome(resolved, response);
+        }
+        // --- Owner publish endpoint (the micropub → Create fan-out seam) --------
+        if (path === outboxPath && method === "POST") {
+            if (!resolved.publishToken) {
+                emit(resolved, "warn", ActivityPubLogEvent.PublishRejected, {
+                    reason: "disabled",
+                });
+                return text(404, "Not Found");
+            }
+            if (!(await authorizedPublish(request, resolved.publishToken))) {
+                emit(resolved, "warn", ActivityPubLogEvent.PublishRejected, {
+                    reason: "unauthorized",
+                });
+                return text(401, "Unauthorized");
+            }
+            const body = new Uint8Array(await request.arrayBuffer());
+            return forwardToDo(resolved, env, request.url, {
+                method,
+                body: body,
+                extra: { [INTERNAL_HEADERS.publish]: "1" },
+            });
+        }
+        // --- Collection reads (authoritative; routed to the DO) -----------------
+        if (method === "GET" &&
+            (path === outboxPath || path === followersPath || path === followingPath)) {
+            return forwardToDo(resolved, env, request.url, { method });
+        }
+        if (path === inboxPath || path === outboxPath) {
+            // Non-GET/POST on a collection: let the DO answer 405.
+            return forwardToDo(resolved, env, request.url, { method });
+        }
+        return text(404, "Not Found");
+    };
+}
+/** Whether a publish request carries the configured bearer token. */
+async function authorizedPublish(request, token) {
+    const header = request.headers.get("authorization");
+    if (!header)
+        return false;
+    const match = /^Bearer\s+(.+)$/i.exec(header);
+    if (match === null)
+        return false;
+    return constantTimeEqual(match[1], token);
+}
+/**
+ * Constant-time string comparison that leaks neither the content **nor the
+ * length** of the secret. Both inputs are hashed to fixed-length SHA-256
+ * digests (via WebCrypto, so the package needs no `node:crypto` /
+ * `nodejs_compat`) and the digests are compared without an early return.
+ */
+async function constantTimeEqual(a, b) {
+    const enc = new TextEncoder();
+    const [ha, hb] = await Promise.all([
+        crypto.subtle.digest("SHA-256", enc.encode(a)),
+        crypto.subtle.digest("SHA-256", enc.encode(b)),
+    ]);
+    const va = new Uint8Array(ha);
+    const vb = new Uint8Array(hb);
+    let diff = 0;
+    for (let i = 0; i < va.length; i++)
+        diff |= va[i] ^ vb[i];
+    return diff === 0;
+}
+/** Fetch live usage counts from the DO for the NodeInfo document. */
+async function nodeInfoUsage(config, env) {
+    try {
+        const statsUrl = `${config.iris.id}/__stats`;
+        const response = await forwardToDo(config, env, statsUrl, {
+            method: "GET",
+        });
+        if (!response.ok)
+            return {};
+        const stats = (await response.json());
+        return {
+            users: typeof stats.users === "number" ? stats.users : 1,
+            localPosts: typeof stats.localPosts === "number" ? stats.localPosts : 0,
+        };
+    }
+    catch {
+        return {};
+    }
+}
+//# sourceMappingURL=handler.js.map