@fedify/fedify 2.3.0-dev.1189 → 2.3.0-dev.1190

package/dist/{builder-Dc6s3gPe.mjs → builder-BzgNpXoY.mjs}

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-BomxIkHS.mjs";
+import { n as version, t as name } from "./deno-CoAwVm1I.mjs";
 import { t as ActivityListenerSet } from "./activity-listener-tztVvlNb.mjs";
 import { getLogger } from "@logtape/logtape";
 import { Router, RouterError, assertPath } from "@fedify/uri-template";
@@ -73,7 +73,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl } = await import("./middleware-sgx08IEk.mjs");
+		const { FederationImpl } = await import("./middleware-hWs3qtrr.mjs");
 		const f = new FederationImpl(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();

package/dist/circuit-breaker-CSWsyoef.mjs

@@ -0,0 +1,337 @@
+import { Temporal } from "@js-temporal/polyfill";
+import "urlpattern-polyfill";
+globalThis.addEventListener = () => {};
+import { getLogger } from "@logtape/logtape";
+//#region src/federation/circuit-breaker.ts
+const MAX_CUSTOM_FAILURE_HISTORY = 100;
+/**
+* Tracks reachability state for remote outbox delivery hosts.
+* @since 2.3.0
+*/
+var CircuitBreaker = class {
+	#kv;
+	#prefix;
+	#options;
+	#now;
+	#stateChangeObserver;
+	constructor(options) {
+		this.#kv = options.kv;
+		this.#prefix = options.prefix;
+		this.#options = normalizeCircuitBreakerOptions(options.options ?? {});
+		this.#now = options.now ?? (() => Temporal.Now.instant());
+		this.#stateChangeObserver = options.stateChangeObserver;
+	}
+	get options() {
+		return this.#options;
+	}
+	capHeldDelay(heldSince, delay) {
+		const now = this.#now();
+		return now.until(this.#capHeldRetryAt(now, heldSince, now.add(delay)));
+	}
+	async beforeSend(remoteHost, message) {
+		const heldSince = parseHeldSince(message.circuitHeldSince);
+		const now = this.#now();
+		if (heldSince != null && Temporal.Instant.compare(heldSince.add(this.#options.heldActivityTtl), now) <= 0) return {
+			type: "drop",
+			heldSince
+		};
+		let lastConflictingState;
+		for (let attempt = 0; attempt < 10; attempt++) {
+			const oldState = await this.#get(remoteHost);
+			if (oldState == null || oldState.state === "closed") return {
+				type: "send",
+				probe: false
+			};
+			if (oldState.state === "half-open") {
+				const halfOpened = oldState.halfOpened == null ? void 0 : Temporal.Instant.from(oldState.halfOpened);
+				if (halfOpened != null) {
+					const staleAt = halfOpened.add(this.#options.recoveryDelay);
+					if (Temporal.Instant.compare(now, staleAt) < 0) {
+						const releaseAt = now.add(this.#options.releaseInterval);
+						const retryAt = Temporal.Instant.compare(releaseAt, staleAt) < 0 ? releaseAt : staleAt;
+						const cappedRetryAt = this.#capHeldRetryAt(now, heldSince, retryAt);
+						return {
+							type: "hold",
+							state: "half-open",
+							delay: now.until(cappedRetryAt),
+							heldSince: heldSince ?? now
+						};
+					}
+				}
+				const newState = {
+					...oldState,
+					state: "half-open",
+					halfOpened: now.toString()
+				};
+				if (await this.#replace(remoteHost, oldState, newState)) return {
+					type: "send",
+					probe: true
+				};
+				lastConflictingState = "half-open";
+				continue;
+			}
+			const probeAt = (oldState.opened == null ? now : Temporal.Instant.from(oldState.opened)).add(this.#options.recoveryDelay);
+			if (Temporal.Instant.compare(now, probeAt) < 0) {
+				const retryAt = this.#capHeldRetryAt(now, heldSince, probeAt);
+				return {
+					type: "hold",
+					state: "open",
+					delay: now.until(retryAt),
+					heldSince: heldSince ?? now
+				};
+			}
+			const newState = {
+				...oldState,
+				state: "half-open",
+				halfOpened: now.toString()
+			};
+			if (await this.#replace(remoteHost, oldState, newState)) {
+				await this.#notifyStateChange(remoteHost, "open", "half-open");
+				return {
+					type: "send",
+					probe: true,
+					stateChange: {
+						previousState: "open",
+						newState: "half-open"
+					}
+				};
+			}
+			lastConflictingState = "open";
+		}
+		if (lastConflictingState != null) {
+			const retryAt = this.#capHeldRetryAt(now, heldSince, now.add(this.#options.releaseInterval));
+			return {
+				type: "hold",
+				state: lastConflictingState,
+				delay: now.until(retryAt),
+				heldSince: heldSince ?? now
+			};
+		}
+		throw new Error(`Failed to update circuit breaker state for ${remoteHost}`);
+	}
+	async recordSuccess(remoteHost) {
+		for (let attempt = 0; attempt < 10; attempt++) {
+			const oldState = await this.#get(remoteHost);
+			if (oldState == null) return void 0;
+			if (await this.#replace(remoteHost, oldState, void 0)) {
+				if (oldState.state !== "closed") {
+					await this.#notifyStateChange(remoteHost, oldState.state, "closed");
+					return {
+						previousState: oldState.state,
+						newState: "closed"
+					};
+				}
+				return;
+			}
+		}
+		throw new Error(`Failed to update circuit breaker state for ${remoteHost}`);
+	}
+	async recordReachableFailure(remoteHost) {
+		return await this.recordSuccess(remoteHost);
+	}
+	async recordFailure(remoteHost) {
+		const now = this.#now();
+		for (let attempt = 0; attempt < 10; attempt++) {
+			const oldState = await this.#get(remoteHost);
+			if (oldState?.state === "open") return void 0;
+			const oldFailures = oldState?.failures.map(Temporal.Instant.from) ?? [];
+			const failures = this.#options.pruneFailures([...oldFailures, now], now);
+			let newState;
+			let transition;
+			if (oldState?.state === "half-open" || this.#options.failure(failures)) {
+				newState = {
+					state: "open",
+					failures: failures.map((t) => t.toString()),
+					opened: now.toString()
+				};
+				transition = [oldState?.state ?? "closed", "open"];
+			} else newState = {
+				state: "closed",
+				failures: failures.map((t) => t.toString())
+			};
+			if (await this.#replace(remoteHost, oldState, newState)) {
+				if (transition != null) {
+					await this.#notifyStateChange(remoteHost, transition[0], transition[1]);
+					return {
+						previousState: transition[0],
+						newState: transition[1]
+					};
+				}
+				return;
+			}
+		}
+		throw new Error(`Failed to update circuit breaker state for ${remoteHost}`);
+	}
+	async dropActivity(remoteHost, details) {
+		try {
+			await this.#options.onActivityDrop?.(remoteHost, details);
+		} catch (error) {
+			getLogger([
+				"fedify",
+				"federation",
+				"circuit"
+			]).error("An unexpected error occurred in circuit breaker activity drop handler:\n{error}", {
+				remoteHost,
+				error
+			});
+		}
+	}
+	async getState(remoteHost) {
+		return await this.#get(remoteHost);
+	}
+	#key(remoteHost) {
+		return [...this.#prefix, remoteHost];
+	}
+	#capHeldRetryAt(now, heldSince, retryAt) {
+		const expiresAt = (heldSince ?? now).add(this.#options.heldActivityTtl);
+		return Temporal.Instant.compare(expiresAt, retryAt) < 0 ? expiresAt : retryAt;
+	}
+	async #get(remoteHost) {
+		return parseCircuitBreakerKvState(await this.#kv.get(this.#key(remoteHost)));
+	}
+	async #replace(remoteHost, oldState, newState) {
+		const key = this.#key(remoteHost);
+		if (this.#kv.cas == null) {
+			if (newState == null) await this.#kv.delete(key);
+			else await this.#kv.set(key, newState);
+			return true;
+		}
+		return await this.#kv.cas(key, oldState, newState);
+	}
+	async #notifyStateChange(remoteHost, previousState, newState) {
+		try {
+			await this.#options.onStateChange?.(remoteHost, previousState, newState);
+		} catch (error) {
+			getLogger([
+				"fedify",
+				"federation",
+				"circuit"
+			]).error("An unexpected error occurred in circuit breaker state change handler:\n{error}", {
+				remoteHost,
+				previousState,
+				newState,
+				error
+			});
+		}
+		try {
+			await this.#stateChangeObserver?.(remoteHost, previousState, newState);
+		} catch (error) {
+			getLogger([
+				"fedify",
+				"federation",
+				"circuit"
+			]).error("An unexpected error occurred in circuit breaker state change observer:\n{error}", {
+				remoteHost,
+				previousState,
+				newState,
+				error
+			});
+		}
+	}
+};
+/**
+* Normalizes user-provided circuit breaker options into the internal policy
+* shape used while processing queued outbox deliveries.
+*
+* @param options The public circuit breaker options supplied to Fedify.
+* @returns The normalized failure predicate, failure pruning function,
+* duration values, and optional callbacks with defaults applied.
+* @throws {RangeError} If any configured duration is not positive.
+* @throws {TypeError} If `failureThreshold` is not a positive integer.
+*/
+function normalizeCircuitBreakerOptions(options) {
+	const recoveryDelay = toInstantDuration(options.recoveryDelay ?? { minutes: 30 });
+	const heldActivityTtl = toInstantDuration(options.heldActivityTtl ?? { hours: 168 });
+	const releaseInterval = toInstantDuration(options.releaseInterval ?? { seconds: 1 });
+	assertPositiveDuration(recoveryDelay, "recoveryDelay");
+	assertPositiveDuration(heldActivityTtl, "heldActivityTtl");
+	assertPositiveDuration(releaseInterval, "releaseInterval");
+	let failure;
+	let pruneFailures;
+	if (options.failure == null) {
+		const failureThreshold = options.failureThreshold ?? 5;
+		if (!Number.isInteger(failureThreshold) || failureThreshold <= 0) throw new TypeError("failureThreshold must be a positive integer.");
+		const failureWindow = toInstantDuration(options.failureWindow ?? { minutes: 10 });
+		assertPositiveDuration(failureWindow, "failureWindow");
+		pruneFailures = (timestamps, now) => {
+			const earliest = now.subtract(failureWindow);
+			return timestamps.filter((timestamp) => Temporal.Instant.compare(timestamp, earliest) >= 0).slice(-failureThreshold);
+		};
+		failure = (timestamps) => {
+			if (timestamps.length < failureThreshold) return false;
+			const first = timestamps[timestamps.length - failureThreshold];
+			const last = timestamps[timestamps.length - 1];
+			return Temporal.Duration.compare(first.until(last), failureWindow) <= 0;
+		};
+	} else {
+		failure = options.failure;
+		pruneFailures = (timestamps) => timestamps.slice(-MAX_CUSTOM_FAILURE_HISTORY);
+	}
+	return {
+		failure,
+		pruneFailures,
+		recoveryDelay,
+		heldActivityTtl,
+		releaseInterval,
+		onStateChange: options.onStateChange,
+		onActivityDrop: options.onActivityDrop
+	};
+}
+function toInstantDuration(duration) {
+	const parsed = Temporal.Duration.from(duration);
+	return Temporal.Duration.from({ milliseconds: Math.trunc(parsed.total({
+		unit: "millisecond",
+		relativeTo: Temporal.PlainDateTime.from("2026-01-01T00:00:00")
+	})) });
+}
+function assertPositiveDuration(duration, name) {
+	if (Temporal.Duration.compare(duration, { seconds: 0 }) <= 0) throw new RangeError(`${name} must be a positive duration.`);
+}
+function parseHeldSince(value) {
+	if (value == null) return void 0;
+	try {
+		return Temporal.Instant.from(value);
+	} catch (error) {
+		getLogger([
+			"fedify",
+			"federation",
+			"circuit"
+		]).warn("Invalid circuitHeldSince value in queued outbox message: {value}", {
+			value,
+			error
+		});
+		return;
+	}
+}
+/**
+* Parses a value loaded from the circuit breaker KV store.
+*
+* @param value The raw KV value to validate.
+* @returns A circuit breaker state when `value` has a recognized state and
+* valid instant strings, or `undefined` when the stored value is malformed.
+*/
+function parseCircuitBreakerKvState(value) {
+	const isInstantString = (v) => {
+		if (typeof v !== "string") return false;
+		try {
+			Temporal.Instant.from(v);
+			return true;
+		} catch {
+			return false;
+		}
+	};
+	if (typeof value !== "object" || value == null) return void 0;
+	const record = value;
+	if (record.state !== "closed" && record.state !== "open" && record.state !== "half-open") return;
+	if (!Array.isArray(record.failures) || !record.failures.every((failure) => isInstantString(failure))) return;
+	if (record.opened != null && !isInstantString(record.opened)) return;
+	if (record.halfOpened != null && !isInstantString(record.halfOpened)) return;
+	return {
+		state: record.state,
+		failures: record.failures,
+		...record.opened == null ? {} : { opened: record.opened },
+		...record.halfOpened == null ? {} : { halfOpened: record.halfOpened }
+	};
+}
+//#endregion
+export { normalizeCircuitBreakerOptions as n, parseCircuitBreakerKvState as r, CircuitBreaker as t };

package/dist/compat/mod.d.cts

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { n as Context, vt as ActivityTransformer } from "../context-CRXCkTM6.cjs";
+import { At as ActivityTransformer, n as Context } from "../context-DMHK7jqX.cjs";
 import { Activity } from "@fedify/vocab";
 
 //#region src/compat/transformers.d.ts

package/dist/compat/mod.d.ts

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { n as Context, vt as ActivityTransformer } from "../context-MgCh7YGu.js";
+import { At as ActivityTransformer, n as Context } from "../context-K9cg8oGx.js";
 import { Activity } from "@fedify/vocab";
 
 //#region src/compat/transformers.d.ts

package/dist/compat/transformers.test.mjs

@@ -5,7 +5,7 @@ import { t as assertEquals } from "../assert_equals-C-ZRDbaf.mjs";
 import { t as assertInstanceOf } from "../assert_instance_of-DBC5X09g.mjs";
 import { t as assert } from "../assert-OguE97r2.mjs";
 import { t as MemoryKvStore } from "../kv-x2IvBUyq.mjs";
-import { n as FederationImpl, v as actorDehydrator, y as autoIdAssigner } from "../middleware-DK0thDHX.mjs";
+import { n as FederationImpl, v as actorDehydrator, y as autoIdAssigner } from "../middleware-BUGT2LmO.mjs";
 import { Follow, Person } from "@fedify/vocab";
 import { test } from "@fedify/fixture";
 //#region src/compat/transformers.test.ts

package/dist/{context-CRXCkTM6.d.cts → context-DMHK7jqX.d.cts}

@@ -15,6 +15,177 @@ import { MeterProvider, Span, Tracer, TracerProvider } from "@opentelemetry/api"
 */
 type ActivityTransformer<TContextData> = (activity: Activity, context: Context<TContextData>) => Activity;
 //#endregion
+//#region src/federation/circuit-breaker.d.ts
+/**
+* The state of a remote host circuit breaker.
+* @since 2.3.0
+*/
+type CircuitBreakerState = "closed" | "open" | "half-open";
+/**
+* The JSON-serializable state stored in the configured {@link KvStore}.
+* @since 2.3.0
+*/
+interface CircuitBreakerKvState {
+  readonly state: CircuitBreakerState;
+  readonly failures: readonly string[];
+  readonly opened?: string;
+  readonly halfOpened?: string;
+}
+/**
+* Details passed to {@link CircuitBreakerOptions.onActivityDrop} when a held
+* activity expires before the remote host recovers.
+* @since 2.3.0
+*/
+interface CircuitBreakerActivityDrop {
+  /** The inbox URL that would have received the activity. */
+  readonly inbox: URL;
+  /** The activity that was dropped. */
+  readonly activity: Activity;
+  /** The activity ID, when known. */
+  readonly activityId?: string;
+  /** The activity type. */
+  readonly activityType: string;
+  /** The actor IDs represented by this inbox. */
+  readonly actorIds: readonly URL[];
+  /** The time when Fedify first held this activity. */
+  readonly heldSince: Temporal.Instant;
+}
+/**
+* Configures how a remote host circuit opens after repeated delivery
+* failures.
+* @since 2.3.0
+*/
+type CircuitBreakerFailurePolicy = {
+  failure(timestamps: readonly Temporal.Instant[]): boolean;
+  readonly failureThreshold?: never;
+  readonly failureWindow?: never;
+} | {
+  readonly failure?: never;
+  readonly failureThreshold?: number;
+  readonly failureWindow?: Temporal.Duration | Temporal.DurationLike;
+};
+/**
+* Options for Fedify's outbound activity circuit breaker.
+* @since 2.3.0
+*/
+type CircuitBreakerOptions = CircuitBreakerFailurePolicy & {
+  /**
+  * How long an open circuit waits before allowing a half-open recovery probe.
+  * @default `{ minutes: 30 }`
+  */
+  readonly recoveryDelay?: Temporal.Duration | Temporal.DurationLike;
+  /**
+  * How long Fedify keeps requeueing activities held by an open circuit before
+  * dropping them.
+  * @default `{ days: 7 }`
+  */
+  readonly heldActivityTtl?: Temporal.Duration | Temporal.DurationLike;
+  /**
+  * How often other held activities retry while a half-open probe is in
+  * flight.  The probe is treated as stale after the recovery delay.
+  * @default `{ seconds: 1 }`
+  */
+  readonly releaseInterval?: Temporal.Duration | Temporal.DurationLike;
+  /**
+  * Called whenever the circuit state changes.
+  */
+  readonly onStateChange?: (remoteHost: string, previousState: CircuitBreakerState, newState: CircuitBreakerState) => void | Promise<void>;
+  /**
+  * Called when an activity held by the circuit breaker expires.
+  */
+  readonly onActivityDrop?: (remoteHost: string, details: CircuitBreakerActivityDrop) => void | Promise<void>;
+};
+/**
+* Normalized circuit breaker options used internally by Fedify.
+* @internal
+*/
+interface NormalizedCircuitBreakerOptions {
+  readonly failure: (timestamps: readonly Temporal.Instant[]) => boolean;
+  readonly pruneFailures: (timestamps: readonly Temporal.Instant[], now: Temporal.Instant) => readonly Temporal.Instant[];
+  readonly recoveryDelay: Temporal.Duration;
+  readonly heldActivityTtl: Temporal.Duration;
+  readonly releaseInterval: Temporal.Duration;
+  readonly onStateChange?: CircuitBreakerOptions["onStateChange"];
+  readonly onActivityDrop?: CircuitBreakerOptions["onActivityDrop"];
+}
+/**
+* Constructor options for {@link CircuitBreaker}.
+* @internal
+*/
+interface CircuitBreakerCreateOptions {
+  readonly kv: KvStore;
+  readonly prefix: KvKey;
+  readonly options?: CircuitBreakerOptions;
+  readonly now?: () => Temporal.Instant;
+  /**
+  * Observes state changes after user callbacks have run.
+  * @internal
+  */
+  readonly stateChangeObserver?: (remoteHost: string, previousState: CircuitBreakerState, newState: CircuitBreakerState) => void | Promise<void>;
+}
+/**
+* The delivery decision returned by {@link CircuitBreaker.beforeSend}.
+* @internal
+*/
+type CircuitBreakerBeforeSendDecision = {
+  readonly type: "send";
+  readonly probe: boolean;
+  readonly stateChange?: CircuitBreakerStateChange;
+} | {
+  readonly type: "hold";
+  readonly state: "open" | "half-open";
+  readonly delay: Temporal.Duration;
+  readonly heldSince: Temporal.Instant;
+} | {
+  readonly type: "drop";
+  readonly heldSince: Temporal.Instant;
+};
+/**
+* A circuit breaker state transition.
+* @since 2.3.0
+*/
+interface CircuitBreakerStateChange {
+  readonly previousState: CircuitBreakerState;
+  readonly newState: CircuitBreakerState;
+}
+/**
+* Tracks reachability state for remote outbox delivery hosts.
+* @since 2.3.0
+*/
+declare class CircuitBreaker {
+  #private;
+  constructor(options: CircuitBreakerCreateOptions);
+  get options(): NormalizedCircuitBreakerOptions;
+  capHeldDelay(heldSince: Temporal.Instant, delay: Temporal.Duration): Temporal.Duration;
+  beforeSend(remoteHost: string, message: {
+    readonly circuitHeldSince?: string;
+  }): Promise<CircuitBreakerBeforeSendDecision>;
+  recordSuccess(remoteHost: string): Promise<CircuitBreakerStateChange | undefined>;
+  recordReachableFailure(remoteHost: string): Promise<CircuitBreakerStateChange | undefined>;
+  recordFailure(remoteHost: string): Promise<CircuitBreakerStateChange | undefined>;
+  dropActivity(remoteHost: string, details: CircuitBreakerActivityDrop): Promise<void>;
+  getState(remoteHost: string): Promise<CircuitBreakerKvState | undefined>;
+}
+/**
+* Normalizes user-provided circuit breaker options into the internal policy
+* shape used while processing queued outbox deliveries.
+*
+* @param options The public circuit breaker options supplied to Fedify.
+* @returns The normalized failure predicate, failure pruning function,
+* duration values, and optional callbacks with defaults applied.
+* @throws {RangeError} If any configured duration is not positive.
+* @throws {TypeError} If `failureThreshold` is not a positive integer.
+*/
+declare function normalizeCircuitBreakerOptions(options: CircuitBreakerOptions): NormalizedCircuitBreakerOptions;
+/**
+* Parses a value loaded from the circuit breaker KV store.
+*
+* @param value The raw KV value to validate.
+* @returns A circuit breaker state when `value` has a recognized state and
+* valid instant strings, or `undefined` when the stored value is malformed.
+*/
+declare function parseCircuitBreakerKvState(value: unknown): CircuitBreakerKvState | undefined;
+//#endregion
 //#region src/federation/collection.d.ts
 /**
 * A page of items.
@@ -81,13 +252,19 @@ declare class SendActivityError extends Error {
   */
   readonly responseBody: string;
   /**
+  * The response headers from the inbox.
+  * @since 2.3.0
+  */
+  readonly responseHeaders: Headers;
+  /**
   * Creates a new {@link SendActivityError}.
   * @param inbox The inbox URL.
   * @param statusCode The HTTP status code.
   * @param message The error message.
   * @param responseBody The response body.
+  * @param responseHeaders The response headers.
   */
-  constructor(inbox: URL, statusCode: number, message: string, responseBody: string);
+  constructor(inbox: URL, statusCode: number, message: string, responseBody: string, responseHeaders?: HeadersInit);
 }
 //#endregion
 //#region src/federation/callback.d.ts
@@ -310,11 +487,28 @@ type OutboxErrorHandler = (error: Error, activity: Activity | null) => void | Pr
 * @since 2.0.0
 */
 type OutboxPermanentFailureHandler<TContextData> = (context: Context<TContextData>, values: {
-  /** The inbox URL that failed. */readonly inbox: URL; /** The activity that failed to deliver. */
+  /**
+  * Why Fedify is giving up on delivery.
+  *
+  * `"http"` means the inbox returned a configured permanent-failure HTTP
+  * status.  `"circuit-breaker-ttl"` means the outbound circuit breaker held
+  * the activity until its retention period expired.
+  *
+  * @since 2.3.0
+  */
+  readonly reason: "http" | "circuit-breaker-ttl"; /** The inbox URL that failed. */
+  readonly inbox: URL; /** The activity that failed to deliver. */
   readonly activity: Activity; /** The error that occurred. */
   readonly error: SendActivityError; /** The HTTP status code returned by the inbox. */
   readonly statusCode: number;
   /**
+  * The time when the circuit breaker first held the activity, if
+  * {@link reason} is `"circuit-breaker-ttl"`.
+  *
+  * @since 2.3.0
+  */
+  readonly circuitHeldSince?: Temporal.Instant;
+  /**
   * The actor IDs that were supposed to receive the activity at this inbox.
   */
   readonly actorIds: readonly URL[];
@@ -476,6 +670,17 @@ interface OutboxMessage {
   readonly attempt: number;
   readonly headers: Readonly<Record<string, string>>;
   readonly orderingKey?: string;
+  /**
+  * Whether this message is currently held by the outbound circuit breaker.
+  * @internal
+  */
+  readonly circuitHeld?: true;
+  /**
+  * When Fedify first held this message because the remote host circuit was
+  * open.
+  * @internal
+  */
+  readonly circuitHeldSince?: string;
   readonly traceContext: Readonly<Record<string, string>>;
 }
 interface InboxMessage {
@@ -649,6 +854,12 @@ interface FederationKvPrefixes {
   * @since 2.1.0
   */
   readonly acceptSignatureNonce: KvKey;
+  /**
+  * The key prefix used for storing outbound delivery circuit breaker state.
+  * @default `["_fedify", "circuit"]`
+  * @since 2.3.0
+  */
+  readonly circuitBreaker: KvKey;
 }
 /**
 * Options for {@link FederationOptions.origin} when it is not a string.
@@ -1352,6 +1563,16 @@ interface FederationOptions<TContextData> {
   */
   outboxRetryPolicy?: RetryPolicy;
   /**
+  * The circuit breaker for queued outbound activity delivery.  When enabled,
+  * Fedify tracks repeated failures per remote host and temporarily holds
+  * queued activities instead of repeatedly hammering an unreachable server.
+  *
+  * Passing `false` disables the circuit breaker.
+  *
+  * @since 2.3.0
+  */
+  circuitBreaker?: false | CircuitBreakerOptions;
+  /**
   * The retry policy for processing incoming activities.  By default, this
   * uses an exponential backoff strategy with a maximum of 10 attempts and a
   * maximum delay of 12 hours.
@@ -2621,4 +2842,4 @@ interface ActorKeyPair extends CryptoKeyPair {
   readonly multikey: Multikey;
 }
 //#endregion
-export { CustomCollectionDispatcher as $, FederationKvPrefixes as A, RespondWithObjectOptions as B, IdempotencyKeyCallback as C, ObjectCallbackSetters as D, InboxListenerSetters as E, RetryContext as F, ActorHandleMapper as G, respondWithObjectIfAcceptable as H, RetryPolicy as I, CollectionCounter as J, ActorKeyPairsDispatcher as K, createExponentialBackoffPolicy as L, FederationQueueOptions as M, createFederation as N, OutboxListenerSetters as O, CreateExponentialBackoffPolicyOptions as P, CustomCollectionCursor as Q, Message as R, FederationStartQueueOptions as S, InboxChallengePolicy as T, ActorAliasMapper as U, respondWithObject as V, ActorDispatcher as W, CollectionDispatcher as X, CollectionCursor as Y, CustomCollectionCounter as Z, Federatable as _, digest as _t, GetSignedKeyOptions as a, OutboxErrorHandler as at, FederationFetchOptions as b, ParseUriResult as c, OutboxPermanentFailureHandler as ct, SendActivityOptions as d, UnverifiedActivityReason as dt, InboxErrorHandler as et, SendActivityOptionsForCollection as f, WebFingerLinksDispatcher as ft, CustomCollectionCallbackSetters as g, buildCollectionSynchronizationHeader as gt, ConstructorWithTypeId as h, PageItems as ht, GetActorOptions as i, ObjectDispatcher as it, FederationOrigin as j, Rfc6570Expression as k, RequestContext as l, SharedInboxKeyDispatcher as lt, CollectionCallbackSetters as m, SenderKeyPair as mt, Context as n, NodeInfoDispatcher as nt, InboxContext as o, OutboxListener as ot, ActorCallbackSetters as p, SendActivityError as pt, AuthorizePredicate as q, ForwardActivityOptions as r, ObjectAuthorizePredicate as rt, OutboxContext as s, OutboxListenerErrorHandler as st, ActorKeyPair as t, InboxListener as tt, RouteActivityOptions as u, UnverifiedActivityHandler as ut, Federation as v, ActivityTransformer as vt, IdempotencyStrategy as w, FederationOptions as x, FederationBuilder as y, createFederationBuilder as z };
+export { CustomCollectionDispatcher as $, FederationKvPrefixes as A, ActivityTransformer as At, RespondWithObjectOptions as B, IdempotencyKeyCallback as C, CircuitBreakerKvState as Ct, ObjectCallbackSetters as D, NormalizedCircuitBreakerOptions as Dt, InboxListenerSetters as E, CircuitBreakerStateChange as Et, RetryContext as F, ActorHandleMapper as G, respondWithObjectIfAcceptable as H, RetryPolicy as I, CollectionCounter as J, ActorKeyPairsDispatcher as K, createExponentialBackoffPolicy as L, FederationQueueOptions as M, createFederation as N, OutboxListenerSetters as O, normalizeCircuitBreakerOptions as Ot, CreateExponentialBackoffPolicyOptions as P, CustomCollectionCursor as Q, Message as R, FederationStartQueueOptions as S, CircuitBreakerFailurePolicy as St, InboxChallengePolicy as T, CircuitBreakerState as Tt, ActorAliasMapper as U, respondWithObject as V, ActorDispatcher as W, CollectionDispatcher as X, CollectionCursor as Y, CustomCollectionCounter as Z, Federatable as _, digest as _t, GetSignedKeyOptions as a, OutboxErrorHandler as at, FederationFetchOptions as b, CircuitBreakerBeforeSendDecision as bt, ParseUriResult as c, OutboxPermanentFailureHandler as ct, SendActivityOptions as d, UnverifiedActivityReason as dt, InboxErrorHandler as et, SendActivityOptionsForCollection as f, WebFingerLinksDispatcher as ft, CustomCollectionCallbackSetters as g, buildCollectionSynchronizationHeader as gt, ConstructorWithTypeId as h, PageItems as ht, GetActorOptions as i, ObjectDispatcher as it, FederationOrigin as j, Rfc6570Expression as k, parseCircuitBreakerKvState as kt, RequestContext as l, SharedInboxKeyDispatcher as lt, CollectionCallbackSetters as m, SenderKeyPair as mt, Context as n, NodeInfoDispatcher as nt, InboxContext as o, OutboxListener as ot, ActorCallbackSetters as p, SendActivityError as pt, AuthorizePredicate as q, ForwardActivityOptions as r, ObjectAuthorizePredicate as rt, OutboxContext as s, OutboxListenerErrorHandler as st, ActorKeyPair as t, InboxListener as tt, RouteActivityOptions as u, UnverifiedActivityHandler as ut, Federation as v, CircuitBreaker as vt, IdempotencyStrategy as w, CircuitBreakerOptions as wt, FederationOptions as x, CircuitBreakerCreateOptions as xt, FederationBuilder as y, CircuitBreakerActivityDrop as yt, createFederationBuilder as z };