@rmdes/indiekit-endpoint-activitypub 1.0.20 → 1.0.22

package/index.js

@@ -21,6 +21,16 @@ import {
   profileGetController,
   profilePostController,
 } from "./lib/controllers/profile.js";
+import {
+  featuredGetController,
+  featuredPinController,
+  featuredUnpinController,
+} from "./lib/controllers/featured.js";
+import {
+  featuredTagsGetController,
+  featuredTagsAddController,
+  featuredTagsRemoveController,
+} from "./lib/controllers/featured-tags.js";
 import {
   refollowPauseController,
   refollowResumeController,
@@ -41,6 +51,9 @@ const defaults = {
   alsoKnownAs: "",
   activityRetentionDays: 90,
   storeRawActivities: false,
+  redisUrl: "",
+  parallelWorkers: 5,
+  actorType: "Person",
 };
 
 export default class ActivityPubEndpoint {
@@ -135,6 +148,12 @@ export default class ActivityPubEndpoint {
     router.get("/admin/followers", followersController(mp));
     router.get("/admin/following", followingController(mp));
     router.get("/admin/activities", activitiesController(mp));
+    router.get("/admin/featured", featuredGetController(mp));
+    router.post("/admin/featured/pin", featuredPinController());
+    router.post("/admin/featured/unpin", featuredUnpinController());
+    router.get("/admin/tags", featuredTagsGetController(mp));
+    router.post("/admin/tags/add", featuredTagsAddController());
+    router.post("/admin/tags/remove", featuredTagsRemoveController());
     router.get("/admin/profile", profileGetController(mp));
     router.post("/admin/profile", profilePostController(mp));
     router.get("/admin/migrate", migrateGetController(mp, this.options));
@@ -265,7 +284,7 @@ export default class ActivityPubEndpoint {
 
           const ctx = self._federation.createContext(
             new URL(self._publicationUrl),
-            {},
+            { handle, publicationUrl: self._publicationUrl },
           );
 
           // For replies, resolve the original post author for proper
@@ -326,11 +345,16 @@ export default class ActivityPubEndpoint {
             `[ActivityPub] Sending ${activity.constructor?.name || "activity"} for ${properties.url} to ${followerCount} followers`,
           );
 
-          // Send to followers
+          // Send to followers via shared inboxes with collection sync (FEP-8fcf)
           await ctx.sendActivity(
             { identifier: handle },
             "followers",
             activity,
+            {
+              preferSharedInbox: true,
+              syncCollection: true,
+              orderingKey: properties.url,
+            },
           );
 
           // For replies, also deliver to the original post author's inbox
@@ -341,6 +365,7 @@ export default class ActivityPubEndpoint {
                 { identifier: handle },
                 replyToActor.recipient,
                 activity,
+                { orderingKey: properties.url },
               );
               console.info(
                 `[ActivityPub] Reply delivered to author: ${replyToActor.url}`,
@@ -407,7 +432,7 @@ export default class ActivityPubEndpoint {
       const handle = this.options.actor.handle;
       const ctx = this._federation.createContext(
         new URL(this._publicationUrl),
-        {},
+        { handle, publicationUrl: this._publicationUrl },
       );
 
       // Resolve the remote actor to get their inbox
@@ -422,7 +447,9 @@ export default class ActivityPubEndpoint {
         object: new URL(actorUrl),
       });
 
-      await ctx.sendActivity({ identifier: handle }, remoteActor, follow);
+      await ctx.sendActivity({ identifier: handle }, remoteActor, follow, {
+        orderingKey: actorUrl,
+      });
 
       // Store in ap_following
       const name =
@@ -501,7 +528,7 @@ export default class ActivityPubEndpoint {
       const handle = this.options.actor.handle;
       const ctx = this._federation.createContext(
         new URL(this._publicationUrl),
-        {},
+        { handle, publicationUrl: this._publicationUrl },
       );
 
       const remoteActor = await ctx.lookupObject(actorUrl);
@@ -530,7 +557,9 @@ export default class ActivityPubEndpoint {
         object: follow,
       });
 
-      await ctx.sendActivity({ identifier: handle }, remoteActor, undo);
+      await ctx.sendActivity({ identifier: handle }, remoteActor, undo, {
+        orderingKey: actorUrl,
+      });
       await this._collections.ap_following.deleteOne({ actorUrl });
 
       console.info(`[ActivityPub] Sent Undo(Follow) to ${actorUrl}`);
@@ -585,6 +614,8 @@ export default class ActivityPubEndpoint {
     Indiekit.addCollection("ap_keys");
     Indiekit.addCollection("ap_kv");
     Indiekit.addCollection("ap_profile");
+    Indiekit.addCollection("ap_featured");
+    Indiekit.addCollection("ap_featured_tags");
 
     // Store collection references (posts resolved lazily)
     const indiekitCollections = Indiekit.collections;
@@ -595,6 +626,8 @@ export default class ActivityPubEndpoint {
       ap_keys: indiekitCollections.get("ap_keys"),
       ap_kv: indiekitCollections.get("ap_kv"),
       ap_profile: indiekitCollections.get("ap_profile"),
+      ap_featured: indiekitCollections.get("ap_featured"),
+      ap_featured_tags: indiekitCollections.get("ap_featured_tags"),
       get posts() {
         return indiekitCollections.get("posts");
       },
@@ -617,6 +650,28 @@ export default class ActivityPubEndpoint {
       );
     }
 
+    // Performance indexes for inbox handlers and batch refollow
+    this._collections.ap_followers.createIndex(
+      { actorUrl: 1 },
+      { unique: true, background: true },
+    );
+    this._collections.ap_following.createIndex(
+      { actorUrl: 1 },
+      { unique: true, background: true },
+    );
+    this._collections.ap_following.createIndex(
+      { source: 1 },
+      { background: true },
+    );
+    this._collections.ap_activities.createIndex(
+      { objectUrl: 1 },
+      { background: true },
+    );
+    this._collections.ap_activities.createIndex(
+      { type: 1, actorUrl: 1, objectUrl: 1 },
+      { background: true },
+    );
+
     // Seed actor profile from config on first run
     this._seedProfile().catch((error) => {
       console.warn("[ActivityPub] Profile seed failed:", error.message);
@@ -628,6 +683,10 @@ export default class ActivityPubEndpoint {
       mountPath: this.options.mountPath,
       handle: this.options.actor.handle,
       storeRawActivities: this.options.storeRawActivities,
+      redisUrl: this.options.redisUrl,
+      publicationUrl: this._publicationUrl,
+      parallelWorkers: this.options.parallelWorkers,
+      actorType: this.options.actorType,
     });
 
     this._federation = federation;

package/lib/activity-log.js

@@ -19,12 +19,16 @@
  * @param {string} [record.content] - Content excerpt
  * @param {string} record.summary - Human-readable summary
  */
-export async function logActivity(collection, record) {
+export async function logActivity(collection, record, options = {}) {
   try {
-    await collection.insertOne({
+    const doc = {
       ...record,
       receivedAt: new Date().toISOString(),
-    });
+    };
+    if (options.rawJson) {
+      doc.rawJson = options.rawJson;
+    }
+    await collection.insertOne(doc);
   } catch (error) {
     console.warn("[ActivityPub] Failed to log activity:", error.message);
   }

package/lib/batch-refollow.js

@@ -225,7 +225,7 @@ async function processOneFollow(options, entry) {
   const { federation, collections, handle, publicationUrl } = options;
 
   try {
-    const ctx = federation.createContext(new URL(publicationUrl), {});
+    const ctx = federation.createContext(new URL(publicationUrl), { handle, publicationUrl });
 
     // Resolve the remote actor
     const remoteActor = await ctx.lookupObject(entry.actorUrl);
@@ -242,7 +242,9 @@ async function processOneFollow(options, entry) {
       object: new URL(canonicalUrl),
     });
 
-    await ctx.sendActivity({ identifier: handle }, remoteActor, follow);
+    await ctx.sendActivity({ identifier: handle }, remoteActor, follow, {
+      orderingKey: canonicalUrl,
+    });
 
     // Mark as sent — update actorUrl to canonical form so Accept handler
     // can match when the remote server responds

package/lib/controllers/featured-tags.js

@@ -0,0 +1,71 @@
+/**
+ * Featured tags controller — list, add, and remove featured hashtags.
+ */
+
+export function featuredTagsGetController(mountPath) {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+      const collection = application?.collections?.get("ap_featured_tags");
+
+      const tags = collection
+        ? await collection.find().sort({ addedAt: -1 }).toArray()
+        : [];
+
+      response.render("activitypub-featured-tags", {
+        title:
+          response.locals.__("activitypub.featuredTags") || "Featured Tags",
+        tags,
+        mountPath,
+      });
+    } catch (error) {
+      next(error);
+    }
+  };
+}
+
+export function featuredTagsAddController() {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+      const collection = application?.collections?.get("ap_featured_tags");
+      if (!collection) return response.status(500).send("No collection");
+
+      let { tag } = request.body;
+      if (!tag) return response.status(400).send("Missing tag");
+
+      // Normalize: strip leading # and lowercase
+      tag = tag.replace(/^#/, "").toLowerCase().trim();
+      if (!tag) return response.status(400).send("Invalid tag");
+
+      await collection.updateOne(
+        { tag },
+        { $set: { tag, addedAt: new Date().toISOString() } },
+        { upsert: true },
+      );
+
+      response.redirect("back");
+    } catch (error) {
+      next(error);
+    }
+  };
+}
+
+export function featuredTagsRemoveController() {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+      const collection = application?.collections?.get("ap_featured_tags");
+      if (!collection) return response.status(500).send("No collection");
+
+      const { tag } = request.body;
+      if (!tag) return response.status(400).send("Missing tag");
+
+      await collection.deleteOne({ tag });
+
+      response.redirect("back");
+    } catch (error) {
+      next(error);
+    }
+  };
+}

package/lib/controllers/featured.js

@@ -0,0 +1,117 @@
+/**
+ * Featured (pinned) posts controller — list, pin, and unpin posts.
+ */
+const MAX_PINS = 5;
+
+export function featuredGetController(mountPath) {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+      const featuredCollection = application?.collections?.get("ap_featured");
+      const postsCollection = application?.collections?.get("posts");
+
+      const pinnedDocs = featuredCollection
+        ? await featuredCollection.find().sort({ pinnedAt: -1 }).toArray()
+        : [];
+
+      // Enrich pinned posts with title/type from posts collection
+      const pinned = [];
+      for (const doc of pinnedDocs) {
+        let title = doc.postUrl;
+        let postType = "note";
+        if (postsCollection) {
+          const post = await postsCollection.findOne({
+            "properties.url": doc.postUrl,
+          });
+          if (post?.properties) {
+            title =
+              post.properties.name ||
+              post.properties.content?.text?.slice(0, 80) ||
+              doc.postUrl;
+            postType = post.properties["post-type"] || "note";
+          }
+        }
+        pinned.push({ ...doc, title, postType });
+      }
+
+      // Get recent posts for the "pin" dropdown
+      const recentPosts = postsCollection
+        ? await postsCollection
+            .find()
+            .sort({ "properties.published": -1 })
+            .limit(20)
+            .toArray()
+        : [];
+
+      const pinnedUrls = new Set(pinnedDocs.map((d) => d.postUrl));
+      const availablePosts = recentPosts
+        .filter((p) => p.properties?.url && !pinnedUrls.has(p.properties.url))
+        .map((p) => ({
+          url: p.properties.url,
+          title:
+            p.properties.name ||
+            p.properties.content?.text?.slice(0, 80) ||
+            p.properties.url,
+          postType: p.properties["post-type"] || "note",
+        }));
+
+      response.render("activitypub-featured", {
+        title: response.locals.__("activitypub.featured") || "Pinned Posts",
+        pinned,
+        availablePosts,
+        maxPins: MAX_PINS,
+        canPin: pinned.length < MAX_PINS,
+        mountPath,
+      });
+    } catch (error) {
+      next(error);
+    }
+  };
+}
+
+export function featuredPinController() {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+      const collection = application?.collections?.get("ap_featured");
+      if (!collection) return response.status(500).send("No collection");
+
+      const { postUrl } = request.body;
+      if (!postUrl) return response.status(400).send("Missing postUrl");
+
+      const count = await collection.countDocuments();
+      if (count >= MAX_PINS) {
+        return response.status(400).send("Maximum pins reached");
+      }
+
+      await collection.updateOne(
+        { postUrl },
+        { $set: { postUrl, pinnedAt: new Date().toISOString() } },
+        { upsert: true },
+      );
+
+      response.redirect("back");
+    } catch (error) {
+      next(error);
+    }
+  };
+}
+
+export function featuredUnpinController() {
+  return async (request, response, next) => {
+    try {
+      const { application } = request.app.locals;
+      const collection = application?.collections?.get("ap_featured");
+      if (!collection) return response.status(500).send("No collection");
+
+      const { postUrl } = request.body;
+      if (!postUrl) return response.status(400).send("Missing postUrl");
+
+      await collection.deleteOne({ postUrl });
+
+      response.redirect("back");
+    } catch (error) {
+      next(error);
+    }
+  };
+}

package/lib/controllers/profile.js

@@ -36,8 +36,15 @@ export function profilePostController(mountPath) {
         return next(new Error("ap_profile collection not available"));
       }
 
-      const { name, summary, url, icon, image, manuallyApprovesFollowers } =
-        request.body;
+      const {
+        name,
+        summary,
+        url,
+        icon,
+        image,
+        manuallyApprovesFollowers,
+        authorizedFetch,
+      } = request.body;
 
       const update = {
         $set: {
@@ -47,6 +54,7 @@ export function profilePostController(mountPath) {
           icon: icon?.trim() || "",
           image: image?.trim() || "",
           manuallyApprovesFollowers: manuallyApprovesFollowers === "true",
+          authorizedFetch: authorizedFetch === "true",
           updatedAt: new Date().toISOString(),
         },
       };

package/lib/federation-setup.js

@@ -7,20 +7,35 @@
  */
 
 import { AsyncLocalStorage } from "node:async_hooks";
+import { createRequire } from "node:module";
 import { Temporal } from "@js-temporal/polyfill";
 import {
+  Application,
+  Article,
+  Create,
   Endpoints,
+  Group,
+  Hashtag,
   Image,
   InProcessMessageQueue,
+  Note,
+  Organization,
+  ParallelMessageQueue,
   Person,
   PropertyValue,
+  Service,
   createFederation,
+  exportJwk,
   generateCryptoKeyPair,
+  importJwk,
   importSpki,
 } from "@fedify/fedify";
 import { configure, getConsoleSink } from "@logtape/logtape";
+import { RedisMessageQueue } from "@fedify/redis";
+import Redis from "ioredis";
 import { MongoKvStore } from "./kv-store.js";
 import { registerInboxListeners } from "./inbox-listeners.js";
+import { jf2ToAS2Activity, resolvePostUrl } from "./jf2-to-as2.js";
 
 /**
  * Create and configure a Fedify Federation instance.
@@ -41,8 +56,16 @@ export function setupFederation(options) {
     mountPath,
     handle,
     storeRawActivities = false,
+    redisUrl = "",
+    publicationUrl = "",
+    parallelWorkers = 5,
+    actorType = "Person",
   } = options;
 
+  // Map config string to Fedify actor class
+  const actorTypeMap = { Person, Service, Application, Organization, Group };
+  const ActorClass = actorTypeMap[actorType] || Person;
+
   // Configure LogTape for Fedify delivery logging (once per process)
   if (!_logtapeConfigured) {
     _logtapeConfigured = true;
@@ -64,9 +87,28 @@ export function setupFederation(options) {
     });
   }
 
+  let queue;
+  if (redisUrl) {
+    const redisQueue = new RedisMessageQueue(() => new Redis(redisUrl));
+    if (parallelWorkers > 1) {
+      queue = new ParallelMessageQueue(redisQueue, parallelWorkers);
+      console.info(
+        `[ActivityPub] Using Redis message queue with ${parallelWorkers} parallel workers`,
+      );
+    } else {
+      queue = redisQueue;
+      console.info("[ActivityPub] Using Redis message queue (single worker)");
+    }
+  } else {
+    queue = new InProcessMessageQueue();
+    console.warn(
+      "[ActivityPub] Using in-process message queue (not recommended for production)",
+    );
+  }
+
   const federation = createFederation({
     kv: new MongoKvStore(collections.ap_kv),
-    queue: new InProcessMessageQueue(),
+    queue,
   });
 
   // --- Actor dispatcher ---
@@ -74,6 +116,26 @@ export function setupFederation(options) {
     .setActorDispatcher(
       `${mountPath}/users/{identifier}`,
       async (ctx, identifier) => {
+        // Instance actor: Application-type actor for the domain itself
+        // Required for authorized fetch to avoid infinite loops
+        const hostname = ctx.url?.hostname || "";
+        if (identifier === hostname) {
+          const keyPairs = await ctx.getActorKeyPairs(identifier);
+          const appOptions = {
+            id: ctx.getActorUri(identifier),
+            preferredUsername: hostname,
+            name: hostname,
+            inbox: ctx.getInboxUri(identifier),
+            outbox: ctx.getOutboxUri(identifier),
+            endpoints: new Endpoints({ sharedInbox: ctx.getInboxUri() }),
+          };
+          if (keyPairs.length > 0) {
+            appOptions.publicKey = keyPairs[0].cryptographicKey;
+            appOptions.assertionMethods = keyPairs.map((k) => k.multikey);
+          }
+          return new Application(appOptions);
+        }
+
         if (identifier !== handle) return null;
 
         const profile = await getProfile(collections);
@@ -88,6 +150,9 @@ export function setupFederation(options) {
           outbox: ctx.getOutboxUri(identifier),
           followers: ctx.getFollowersUri(identifier),
           following: ctx.getFollowingUri(identifier),
+          liked: ctx.getLikedUri(identifier),
+          featured: ctx.getFeaturedUri(identifier),
+          featuredTags: ctx.getFeaturedTagsUri(identifier),
           endpoints: new Endpoints({ sharedInbox: ctx.getInboxUri() }),
           manuallyApprovesFollowers:
             profile.manuallyApprovesFollowers || false,
@@ -113,7 +178,7 @@ export function setupFederation(options) {
 
         if (keyPairs.length > 0) {
           personOptions.publicKey = keyPairs[0].cryptographicKey;
-          personOptions.assertionMethod = keyPairs[0].multikey;
+          personOptions.assertionMethods = keyPairs.map((k) => k.multikey);
         }
 
         if (profile.attachments?.length > 0) {
@@ -132,38 +197,115 @@ export function setupFederation(options) {
           personOptions.published = Temporal.Instant.from(profile.createdAt);
         }
 
-        return new Person(personOptions);
+        return new ActorClass(personOptions);
       },
     )
-    .mapHandle((_ctx, username) => (username === handle ? handle : null))
+    .mapHandle((_ctx, username) => {
+      if (username === handle) return handle;
+      // Accept hostname as valid identifier for instance actor
+      if (publicationUrl) {
+        try {
+          const hostname = new URL(publicationUrl).hostname;
+          if (username === hostname) return hostname;
+        } catch { /* ignore */ }
+      }
+      return null;
+    })
+    .mapAlias((_ctx, alias) => {
+      // Resolve profile URL and /@handle patterns via WebFinger
+      if (!publicationUrl) return null;
+      try {
+        const pub = new URL(publicationUrl);
+        if (alias.hostname !== pub.hostname) return null;
+        const path = alias.pathname.replace(/\/$/, "");
+        if (path === "" || path === `/@${handle}`) return handle;
+      } catch { /* ignore */ }
+      return null;
+    })
     .setKeyPairsDispatcher(async (ctx, identifier) => {
-      if (identifier !== handle) return [];
+      // Allow key pairs for both the main actor and instance actor
+      const hostname = ctx.url?.hostname || "";
+      if (identifier !== handle && identifier !== hostname) return [];
 
       const keyPairs = [];
 
-      // Import legacy RSA key pair (for HTTP Signatures compatibility)
-      const legacyKey = await collections.ap_keys.findOne({});
-      if (legacyKey?.publicKeyPem && legacyKey?.privateKeyPem) {
+      // --- Legacy RSA key pair (HTTP Signatures) ---
+      const legacyKey = await collections.ap_keys.findOne({ type: "rsa" });
+      // Fall back to old schema (no type field) for backward compat
+      const rsaDoc =
+        legacyKey ||
+        (await collections.ap_keys.findOne({
+          publicKeyPem: { $exists: true },
+        }));
+
+      if (rsaDoc?.publicKeyPem && rsaDoc?.privateKeyPem) {
         try {
-          const publicKey = await importSpki(legacyKey.publicKeyPem);
-          const privateKey = await importPkcs8Pem(legacyKey.privateKeyPem);
+          const publicKey = await importSpki(rsaDoc.publicKeyPem);
+          const privateKey = await importPkcs8Pem(rsaDoc.privateKeyPem);
           keyPairs.push({ publicKey, privateKey });
         } catch {
+          console.warn("[ActivityPub] Could not import legacy RSA keys");
+        }
+      }
+
+      // --- Ed25519 key pair (Object Integrity Proofs) ---
+      // Load from DB or generate + persist on first use
+      let ed25519Doc = await collections.ap_keys.findOne({
+        type: "ed25519",
+      });
+
+      if (ed25519Doc?.publicKeyJwk && ed25519Doc?.privateKeyJwk) {
+        try {
+          const publicKey = await importJwk(
+            ed25519Doc.publicKeyJwk,
+            "public",
+          );
+          const privateKey = await importJwk(
+            ed25519Doc.privateKeyJwk,
+            "private",
+          );
+          keyPairs.push({ publicKey, privateKey });
+        } catch (error) {
           console.warn(
-            "[ActivityPub] Could not import legacy RSA keys",
+            "[ActivityPub] Could not import Ed25519 keys, regenerating:",
+            error.message,
           );
+          ed25519Doc = null; // Force regeneration below
         }
       }
 
-      // Generate Ed25519 key pair (for Object Integrity Proofs)
-      try {
-        const ed25519 = await generateCryptoKeyPair("Ed25519");
-        keyPairs.push(ed25519);
-      } catch (error) {
-        console.warn("[ActivityPub] Could not generate Ed25519 key pair:", error.message);
+      if (!ed25519Doc) {
+        try {
+          const ed25519 = await generateCryptoKeyPair("Ed25519");
+          await collections.ap_keys.insertOne({
+            type: "ed25519",
+            publicKeyJwk: await exportJwk(ed25519.publicKey),
+            privateKeyJwk: await exportJwk(ed25519.privateKey),
+            createdAt: new Date().toISOString(),
+          });
+          keyPairs.push(ed25519);
+          console.info(
+            "[ActivityPub] Generated and persisted Ed25519 key pair",
+          );
+        } catch (error) {
+          console.warn(
+            "[ActivityPub] Could not generate Ed25519 key pair:",
+            error.message,
+          );
+        }
       }
 
       return keyPairs;
+    })
+    .authorize(async (ctx, identifier, signedKey, _signedKeyOwner) => {
+      // Instance actor is always publicly accessible (prevents infinite loops)
+      const hostname = ctx.url?.hostname || "";
+      if (identifier === hostname) return true;
+      // Check if authorized fetch is enabled
+      const profile = await getProfile(collections);
+      if (!profile.authorizedFetch) return true;
+      // When enabled, require a valid HTTP Signature
+      return signedKey != null;
     });
 
   // --- Inbox listeners ---
@@ -188,8 +330,22 @@ export function setupFederation(options) {
   setupFollowers(federation, mountPath, handle, collections);
   setupFollowing(federation, mountPath, handle, collections);
   setupOutbox(federation, mountPath, handle, collections);
+  setupLiked(federation, mountPath, handle, collections);
+  setupFeatured(federation, mountPath, handle, collections, publicationUrl);
+  setupFeaturedTags(federation, mountPath, handle, collections, publicationUrl);
+
+  // --- Object dispatchers (make posts dereferenceable) ---
+  setupObjectDispatchers(federation, mountPath, handle, collections, publicationUrl);
 
   // --- NodeInfo ---
+  let softwareVersion = { major: 1, minor: 0, patch: 0 };
+  try {
+    const require = createRequire(import.meta.url);
+    const pkg = require("@indiekit/indiekit/package.json");
+    const [major, minor, patch] = pkg.version.split(/[.-]/).map(Number);
+    if (!Number.isNaN(major)) softwareVersion = { major, minor: minor || 0, patch: patch || 0 };
+  } catch { /* fallback to 1.0.0 */ }
+
   federation.setNodeInfoDispatcher("/nodeinfo/2.1", async () => {
     const postsCount = collections.posts
       ? await collections.posts.countDocuments()
@@ -198,7 +354,7 @@ export function setupFederation(options) {
     return {
       software: {
         name: "indiekit",
-        version: { major: 1, minor: 0, patch: 0 },
+        version: softwareVersion,
       },
       protocols: ["activitypub"],
       usage: {
@@ -228,8 +384,29 @@ function setupFollowers(federation, mountPath, handle, collections) {
       `${mountPath}/users/{identifier}/followers`,
       async (ctx, identifier, cursor) => {
         if (identifier !== handle) return null;
+
+        // One-shot collection: when cursor is null, return ALL followers
+        // as Recipient objects so sendActivity("followers") can deliver.
+        // See: https://fedify.dev/manual/collections#one-shot-followers-collection-for-gathering-recipients
+        if (cursor == null) {
+          const docs = await collections.ap_followers
+            .find()
+            .sort({ followedAt: -1 })
+            .toArray();
+          return {
+            items: docs.map((f) => ({
+              id: new URL(f.actorUrl),
+              inboxId: f.inbox ? new URL(f.inbox) : null,
+              endpoints: f.sharedInbox
+                ? { sharedInbox: new URL(f.sharedInbox) }
+                : null,
+            })),
+          };
+        }
+
+        // Paginated collection: for remote browsing of /followers endpoint
         const pageSize = 20;
-        const skip = cursor ? Number.parseInt(cursor, 10) : 0;
+        const skip = Number.parseInt(cursor, 10);
         const docs = await collections.ap_followers
           .find()
           .sort({ followedAt: -1 })
@@ -282,6 +459,118 @@ function setupFollowing(federation, mountPath, handle, collections) {
     .setFirstCursor(async () => "0");
 }
 
+function setupLiked(federation, mountPath, handle, collections) {
+  federation
+    .setLikedDispatcher(
+      `${mountPath}/users/{identifier}/liked`,
+      async (ctx, identifier, cursor) => {
+        if (identifier !== handle) return null;
+        if (!collections.posts) return { items: [] };
+
+        const pageSize = 20;
+        const skip = cursor ? Number.parseInt(cursor, 10) : 0;
+        const query = { "properties.post-type": "like" };
+        const docs = await collections.posts
+          .find(query)
+          .sort({ "properties.published": -1 })
+          .skip(skip)
+          .limit(pageSize)
+          .toArray();
+        const total = await collections.posts.countDocuments(query);
+
+        const items = docs
+          .map((d) => {
+            const likeOf = d.properties?.["like-of"];
+            return likeOf ? new URL(likeOf) : null;
+          })
+          .filter(Boolean);
+
+        return {
+          items,
+          nextCursor:
+            skip + pageSize < total ? String(skip + pageSize) : null,
+        };
+      },
+    )
+    .setCounter(async (ctx, identifier) => {
+      if (identifier !== handle) return 0;
+      if (!collections.posts) return 0;
+      return await collections.posts.countDocuments({
+        "properties.post-type": "like",
+      });
+    })
+    .setFirstCursor(async () => "0");
+}
+
+function setupFeatured(federation, mountPath, handle, collections, publicationUrl) {
+  federation.setFeaturedDispatcher(
+    `${mountPath}/users/{identifier}/featured`,
+    async (ctx, identifier) => {
+      if (identifier !== handle) return null;
+      if (!collections.ap_featured) return { items: [] };
+
+      const docs = await collections.ap_featured
+        .find()
+        .sort({ pinnedAt: -1 })
+        .toArray();
+
+      // Convert pinned post URLs to Fedify Note/Article objects
+      const items = [];
+      for (const doc of docs) {
+        if (!collections.posts) continue;
+        const post = await collections.posts.findOne({
+          "properties.url": doc.postUrl,
+        });
+        if (!post) continue;
+        const actorUrl = ctx.getActorUri(identifier).href;
+        const activity = jf2ToAS2Activity(
+          post.properties,
+          actorUrl,
+          publicationUrl,
+        );
+        if (activity instanceof Create) {
+          const obj = await activity.getObject();
+          if (obj) items.push(obj);
+        }
+      }
+
+      return { items };
+    },
+  );
+}
+
+function setupFeaturedTags(federation, mountPath, handle, collections, publicationUrl) {
+  federation.setFeaturedTagsDispatcher(
+    `${mountPath}/users/{identifier}/tags`,
+    async (ctx, identifier) => {
+      if (identifier !== handle) return null;
+      if (!collections.ap_featured_tags) return { items: [] };
+
+      const docs = await collections.ap_featured_tags
+        .find()
+        .sort({ addedAt: -1 })
+        .toArray();
+
+      const baseUrl = publicationUrl
+        ? publicationUrl.replace(/\/$/, "")
+        : ctx.url.origin;
+
+      const items = docs.map(
+        (doc) =>
+          new Hashtag({
+            name: `#${doc.tag}`,
+            href: new URL(
+              `/categories/${encodeURIComponent(doc.tag)}`,
+              baseUrl,
+            ),
+          }),
+      );
+
+      return { items };
+    },
+  );
+}
+
 function setupOutbox(federation, mountPath, handle, collections) {
   federation
     .setOutboxDispatcher(
@@ -334,6 +623,41 @@ function setupOutbox(federation, mountPath, handle, collections) {
     .setFirstCursor(async () => "0");
 }
 
+function setupObjectDispatchers(federation, mountPath, handle, collections, publicationUrl) {
+  // Shared lookup: find post by URL path, convert to Fedify Note/Article
+  async function resolvePost(ctx, id) {
+    if (!collections.posts || !publicationUrl) return null;
+    const postUrl = `${publicationUrl.replace(/\/$/, "")}/${id}`;
+    const post = await collections.posts.findOne({ "properties.url": postUrl });
+    if (!post) return null;
+    const actorUrl = ctx.getActorUri(handle).href;
+    const activity = jf2ToAS2Activity(post.properties, actorUrl, publicationUrl);
+    // Only Create activities wrap Note/Article objects
+    if (!(activity instanceof Create)) return null;
+    return await activity.getObject();
+  }
+
+  // Note dispatcher — handles note, reply, bookmark, jam, rsvp, checkin
+  federation.setObjectDispatcher(
+    Note,
+    `${mountPath}/objects/note/{+id}`,
+    async (ctx, { id }) => {
+      const obj = await resolvePost(ctx, id);
+      return obj instanceof Note ? obj : null;
+    },
+  );
+
+  // Article dispatcher
+  federation.setObjectDispatcher(
+    Article,
+    `${mountPath}/objects/article/{+id}`,
+    async (ctx, { id }) => {
+      const obj = await resolvePost(ctx, id);
+      return obj instanceof Article ? obj : null;
+    },
+  );
+}
+
 // --- Helpers ---
 
 async function getProfile(collections) {

package/lib/inbox-listeners.js

@@ -16,6 +16,7 @@ import {
   Like,
   Move,
   Note,
+  Reject,
   Remove,
   Undo,
   Update,
@@ -72,6 +73,7 @@ export function registerInboxListeners(inboxChain, options) {
           actor: ctx.getActorUri(handle),
           object: follow,
         }),
+        { orderingKey: followerUrl },
       );
 
       await logActivity(collections, storeRawActivities, {
@@ -160,6 +162,37 @@ export function registerInboxListeners(inboxChain, options) {
         });
       }
     })
+    .on(Reject, async (ctx, reject) => {
+      const actorObj = await reject.getActor();
+      const actorUrl = actorObj?.id?.href || "";
+      if (!actorUrl) return;
+
+      // Mark rejected follow in ap_following
+      const result = await collections.ap_following.findOneAndUpdate(
+        {
+          actorUrl,
+          source: { $in: ["refollow:sent", "microsub-reader"] },
+        },
+        {
+          $set: {
+            source: "rejected",
+            rejectedAt: new Date().toISOString(),
+          },
+        },
+        { returnDocument: "after" },
+      );
+
+      if (result) {
+        const actorName = result.name || result.handle || actorUrl;
+        await logActivity(collections, storeRawActivities, {
+          direction: "inbound",
+          type: "Reject(Follow)",
+          actorUrl,
+          actorName,
+          summary: `${actorName} rejected our Follow`,
+        });
+      }
+    })
     .on(Like, async (ctx, like) => {
       const objectId = (await like.getObject())?.id?.href || "";
 
@@ -324,8 +357,12 @@ export function registerInboxListeners(inboxChain, options) {
  * Wrapper around the shared utility that accepts the (collections, storeRaw, record) signature
  * used throughout this file.
  */
-async function logActivity(collections, storeRaw, record) {
-  await logActivityShared(collections.ap_activities, record);
+async function logActivity(collections, storeRaw, record, rawJson) {
+  await logActivityShared(
+    collections.ap_activities,
+    record,
+    storeRaw && rawJson ? { rawJson } : {},
+  );
 }
 
 // Cached ActivityPub channel ObjectId

package/locales/en.json

@@ -4,6 +4,8 @@
     "followers": "Followers",
     "following": "Following",
     "activities": "Activity log",
+    "featured": "Pinned Posts",
+    "featuredTags": "Featured Tags",
     "recentActivity": "Recent activity",
     "noActivity": "No activity yet. Once your actor is federated, interactions will appear here.",
     "noFollowers": "No followers yet.",
@@ -36,6 +38,8 @@
       "imageHint": "URL to a banner image shown at the top of your profile",
       "manualApprovalLabel": "Manually approve followers",
       "manualApprovalHint": "When enabled, follow requests require your approval before they take effect",
+      "authorizedFetchLabel": "Require authorized fetch (secure mode)",
+      "authorizedFetchHint": "When enabled, only servers with valid HTTP Signatures can fetch your actor and collections. This improves privacy but may reduce compatibility with some clients.",
       "save": "Save profile",
       "saved": "Profile saved. Changes are now visible to the fediverse."
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "1.0.20",
+  "version": "1.0.22",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",
@@ -37,10 +37,12 @@
     "url": "https://github.com/rmdes/indiekit-endpoint-activitypub/issues"
   },
   "dependencies": {
-    "@fedify/fedify": "^1.10.0",
-    "@fedify/express": "^1.9.0",
+    "@fedify/express": "^1.10.3",
+    "@fedify/fedify": "^1.10.3",
+    "@fedify/redis": "^1.10.3",
     "@js-temporal/polyfill": "^0.5.0",
-    "express": "^5.0.0"
+    "express": "^5.0.0",
+    "ioredis": "^5.9.3"
   },
   "peerDependencies": {
     "@indiekit/error": "^1.0.0-beta.25",

package/views/activitypub-featured-tags.njk

@@ -0,0 +1,43 @@
+{% extends "document.njk" %}
+
+{% from "heading/macro.njk" import heading with context %}
+{% from "prose/macro.njk" import prose with context %}
+
+{% block content %}
+  {{ heading({ text: title, level: 1, parent: { text: __("activitypub.title"), href: mountPath } }) }}
+
+  {% if tags.length > 0 %}
+    <table class="table">
+      <thead>
+        <tr>
+          <th>Tag</th>
+          <th>Added</th>
+          <th></th>
+        </tr>
+      </thead>
+      <tbody>
+        {% for item in tags %}
+          <tr>
+            <td>#{{ item.tag }}</td>
+            <td>{% if item.addedAt %}{{ item.addedAt | date("PPp") }}{% endif %}</td>
+            <td>
+              <form method="post" action="{{ mountPath }}/admin/tags/remove">
+                <input type="hidden" name="tag" value="{{ item.tag }}">
+                <button type="submit" class="button button--small">Remove</button>
+              </form>
+            </td>
+          </tr>
+        {% endfor %}
+      </tbody>
+    </table>
+  {% else %}
+    {{ prose({ text: "No featured tags yet. Add a hashtag to help others discover your content." }) }}
+  {% endif %}
+
+  <h2>Add a featured tag</h2>
+  <form method="post" action="{{ mountPath }}/admin/tags/add">
+    <label for="tag">Hashtag</label>
+    <input type="text" id="tag" name="tag" placeholder="indieweb" required>
+    <button type="submit" class="button">Add tag</button>
+  </form>
+{% endblock %}

package/views/activitypub-featured.njk

@@ -0,0 +1,52 @@
+{% extends "document.njk" %}
+
+{% from "heading/macro.njk" import heading with context %}
+{% from "prose/macro.njk" import prose with context %}
+
+{% block content %}
+  {{ heading({ text: title, level: 1, parent: { text: __("activitypub.title"), href: mountPath } }) }}
+
+  {% if pinned.length > 0 %}
+    <table class="table">
+      <thead>
+        <tr>
+          <th>Post</th>
+          <th>Type</th>
+          <th>Pinned</th>
+          <th></th>
+        </tr>
+      </thead>
+      <tbody>
+        {% for item in pinned %}
+          <tr>
+            <td><a href="{{ item.postUrl }}">{{ item.title }}</a></td>
+            <td>{{ item.postType }}</td>
+            <td>{% if item.pinnedAt %}{{ item.pinnedAt | date("PPp") }}{% endif %}</td>
+            <td>
+              <form method="post" action="{{ mountPath }}/admin/featured/unpin">
+                <input type="hidden" name="postUrl" value="{{ item.postUrl }}">
+                <button type="submit" class="button button--small">Unpin</button>
+              </form>
+            </td>
+          </tr>
+        {% endfor %}
+      </tbody>
+    </table>
+  {% else %}
+    {{ prose({ text: "No pinned posts yet." }) }}
+  {% endif %}
+
+  {% if canPin and availablePosts.length > 0 %}
+    <h2>Pin a post ({{ pinned.length }}/{{ maxPins }})</h2>
+    <form method="post" action="{{ mountPath }}/admin/featured/pin">
+      <select name="postUrl">
+        {% for post in availablePosts %}
+          <option value="{{ post.url }}">{{ post.title }} ({{ post.postType }})</option>
+        {% endfor %}
+      </select>
+      <button type="submit" class="button">Pin</button>
+    </form>
+  {% elif not canPin %}
+    {{ prose({ text: "Maximum of " + maxPins + " pinned posts reached. Unpin one to add another." }) }}
+  {% endif %}
+{% endblock %}

package/views/activitypub-profile.njk

@@ -69,6 +69,18 @@
       values: ["true"] if profile.manuallyApprovesFollowers else []
     }) }}
 
+    {{ checkboxes({
+      name: "authorizedFetch",
+      items: [
+        {
+          label: __("activitypub.profile.authorizedFetchLabel"),
+          value: "true",
+          hint: __("activitypub.profile.authorizedFetchHint")
+        }
+      ],
+      values: ["true"] if profile.authorizedFetch else []
+    }) }}
+
     {{ button({ text: __("activitypub.profile.save") }) }}
   </form>
 {% endblock %}