@rmdes/indiekit-endpoint-activitypub 2.14.0 → 2.15.1

package/README.md

@@ -12,6 +12,28 @@ ActivityPub federation endpoint for [Indiekit](https://getindiekit.com), built o
 - Reply delivery — replies are addressed to and delivered directly to the original post's author
 - Shared inbox support with collection sync (FEP-8fcf)
 - Configurable actor type (Person, Service, Organization, Group)
+- Manual follow approval — review and accept/reject follow requests before they take effect
+- Direct messages — private conversations stored separately from the public timeline
+
+**Federation Resilience** *(v2.14.0+)*
+- Async inbox queue — inbound activities are persisted to MongoDB before processing, ensuring no data loss on crashes
+- Server blocking — block entire remote servers by domain, rejecting all inbound activities from blocked instances
+- Key freshness tracking — tracks when remote actor keys were last verified, skipping redundant re-fetches
+- Redis-cached actor lookups — caches actor resolution results to reduce network round-trips
+- Delivery strike tracking on `ap_followers` — counts consecutive delivery failures per follower
+- FEP-fe34 security — verifies `proof.created` timestamps to reject replayed activities
+
+**Outbox Failure Handling** *(v2.15.0+, inspired by [Hollo](https://github.com/fedify-dev/hollo))*
+- **410 Gone** — immediate full cleanup: removes the follower, their timeline items, and their notifications
+- **404 Not Found** — strike system: 3 consecutive failures over 7+ days triggers the same full cleanup
+- Strike auto-reset — when an actor sends us any activity, their delivery failure count resets to zero
+- Prevents orphaned data from accumulating over time while tolerating temporary server outages
+
+**Reply Intelligence** *(v2.15.0+, inspired by [Hollo](https://github.com/fedify-dev/hollo))*
+- Recursive reply chain fetching — when a reply arrives, fetches parent posts up to 5 levels deep for thread context
+- Ancestor posts stored with `isContext: true` flag for thread view without cluttering the main timeline
+- Reply forwarding to followers — when someone replies to our posts, the reply is forwarded to our followers so they see the full conversation
+- Write-time visibility classification — computes `public`/`unlisted`/`private`/`direct` from `to`/`cc` fields at ingest time
 
 **Reader**
 - Timeline view showing posts from followed accounts with tab filtering (notes, articles, replies, boosts, media)
@@ -36,6 +58,8 @@ ActivityPub federation endpoint for [Indiekit](https://getindiekit.com), built o
 **Moderation**
 - Mute actors or keywords
 - Block actors (also removes from followers)
+- Block entire servers by domain
+- Report remote actors to their home instance (Flag activity)
 - All moderation actions available from the reader UI
 
 **Mastodon Migration**
@@ -186,6 +210,7 @@ When remote servers send activities to your inbox:
 - **Accept(Follow)** → Marks our follow as accepted
 - **Reject(Follow)** → Marks our follow as rejected
 - **Block** → Removes actor from our followers
+- **Flag** → Outbound report sent to remote actor's instance
 
 ### Content Negotiation
 
@@ -254,7 +279,7 @@ The plugin creates these collections automatically:
 
 | Collection | Description |
 |---|---|
-| `ap_followers` | Accounts following your actor |
+| `ap_followers` | Accounts following your actor (includes delivery failure strike tracking) |
 | `ap_following` | Accounts you follow |
 | `ap_activities` | Activity log with automatic TTL cleanup |
 | `ap_keys` | RSA and Ed25519 key pairs for HTTP Signatures |
@@ -262,11 +287,19 @@ The plugin creates these collections automatically:
 | `ap_profile` | Actor profile (single document) |
 | `ap_featured` | Pinned/featured posts |
 | `ap_featured_tags` | Featured hashtags |
-| `ap_timeline` | Reader timeline items from followed accounts |
+| `ap_timeline` | Reader timeline items (includes `visibility` and `isContext` fields) |
 | `ap_notifications` | Interaction notifications |
 | `ap_muted` | Muted actors and keywords |
 | `ap_blocked` | Blocked actors |
 | `ap_interactions` | Per-post like/boost tracking |
+| `ap_messages` | Direct messages / private conversations |
+| `ap_followed_tags` | Hashtags you follow for timeline filtering |
+| `ap_explore_tabs` | Saved Mastodon instances for the explore view |
+| `ap_reports` | Outbound reports (Flag activities) sent to remote instances |
+| `ap_pending_follows` | Follow requests awaiting manual approval |
+| `ap_blocked_servers` | Blocked server domains (instance-level blocks) |
+| `ap_key_freshness` | Tracks when remote actor keys were last verified |
+| `ap_inbox_queue` | Persistent async inbox processing queue |
 
 ## Supported Post Types
 
@@ -346,6 +379,16 @@ This is not a bug — Fedify requires explicit opt-in for signed fetches. But it
 - **No custom emoji rendering** — Custom emoji shortcodes display as text
 - **In-process queue without Redis** — Activities may be lost on restart
 
+## Acknowledgements
+
+This plugin builds on the excellent [Fedify](https://fedify.dev) framework by [Hong Minhee](https://github.com/dahlia). Fedify provides the core ActivityPub federation layer — HTTP Signatures, content negotiation, message queues, and the vocabulary types that make all of this possible.
+
+Several federation patterns in this plugin were inspired by studying other open-source ActivityPub implementations:
+
+- **[Hollo](https://github.com/fedify-dev/hollo)** (by the Fedify author) — A single-user Fedify-based ActivityPub server that served as the primary reference implementation. The outbox permanent failure handling (410 cleanup and 404 strike system), recursive reply chain fetching, reply forwarding to followers, and write-time visibility classification in v2.15.0 are all adapted from Hollo's patterns for a MongoDB/single-user context.
+
+- **[Wafrn](https://github.com/gabboman/wafrn)** — A federated social network whose ActivityPub implementation informed the operational resilience patterns added in v2.14.0. Server blocking, key freshness tracking, async inbox processing with persistent queues, and the general approach to federation hardening were inspired by studying Wafrn's production codebase.
+
 ## License
 
 MIT

package/assets/reader.css

@@ -351,6 +351,12 @@
   margin-left: 0.2em;
 }
 
+.ap-card__visibility {
+  font-size: var(--font-size-xs);
+  margin-left: 0.3em;
+  opacity: 0.7;
+}
+
 .ap-card__timestamp-link {
   color: inherit;
   text-decoration: none;

package/lib/controllers/post-detail.js

@@ -62,51 +62,87 @@ async function loadParentChain(ctx, documentLoader, timelineCol, parentUrl, maxD
   return parents;
 }
 
-// Load replies collection (best-effort)
-async function loadReplies(object, ctx, documentLoader, timelineCol, maxReplies = 10) {
-  const replies = [];
+// Load local replies from ap_timeline (items where inReplyTo matches this post)
+async function loadLocalReplies(timelineCol, postUrl, postUid, maxReplies = 20) {
+  if (!timelineCol) return [];
 
-  try {
-    const repliesCollection = await object.getReplies({ documentLoader });
-    if (!repliesCollection) return replies;
+  const matchUrls = [postUrl, postUid].filter(Boolean);
+  if (matchUrls.length === 0) return [];
 
-    let items = [];
-    try {
-      items = await repliesCollection.getItems({ documentLoader });
-    } catch {
-      return replies;
-    }
+  const localReplies = await timelineCol
+    .find({ inReplyTo: { $in: matchUrls } })
+    .sort({ published: 1 })
+    .limit(maxReplies)
+    .toArray();
 
-    for (const replyItem of items.slice(0, maxReplies)) {
-      try {
-        const replyUrl = replyItem.id?.href || replyItem.url?.href;
-        if (!replyUrl) continue;
-
-        // Check timeline first
-        let reply = timelineCol
-          ? await timelineCol.findOne({
-              $or: [{ uid: replyUrl }, { url: replyUrl }],
-            })
-          : null;
-
-        if (!reply) {
-          // Extract from the item we already have
-          if (replyItem instanceof Note || replyItem instanceof Article) {
-            reply = await extractObjectData(replyItem);
-          }
+  return localReplies;
+}
+
+// Load replies collection (best-effort) — merges local + remote
+async function loadReplies(object, ctx, documentLoader, timelineCol, maxReplies = 20) {
+  const postUrl = object?.id?.href || object?.url?.href;
+
+  // Start with local replies already in our timeline (from organic inbox delivery
+  // or reply chain fetching). These are fast and free — no network requests.
+  const seenUrls = new Set();
+  const replies = await loadLocalReplies(timelineCol, postUrl, postUrl, maxReplies);
+  for (const r of replies) {
+    if (r.uid) seenUrls.add(r.uid);
+    if (r.url) seenUrls.add(r.url);
+  }
+
+  // Supplement with remote replies collection (may contain items we don't have locally)
+  if (object && replies.length < maxReplies) {
+    try {
+      const repliesCollection = await object.getReplies({ documentLoader });
+      if (repliesCollection) {
+        let items = [];
+        try {
+          items = await repliesCollection.getItems({ documentLoader });
+        } catch {
+          // Remote fetch failed — continue with local replies only
         }
 
-        if (reply) {
-          replies.push(reply);
+        for (const replyItem of items.slice(0, maxReplies - replies.length)) {
+          try {
+            const replyUrl = replyItem.id?.href || replyItem.url?.href;
+            if (!replyUrl || seenUrls.has(replyUrl)) continue;
+            seenUrls.add(replyUrl);
+
+            // Check timeline first
+            let reply = timelineCol
+              ? await timelineCol.findOne({
+                  $or: [{ uid: replyUrl }, { url: replyUrl }],
+                })
+              : null;
+
+            if (!reply) {
+              // Extract from the item we already have
+              if (replyItem instanceof Note || replyItem instanceof Article) {
+                reply = await extractObjectData(replyItem);
+              }
+            }
+
+            if (reply) {
+              replies.push(reply);
+            }
+          } catch {
+            continue; // Skip failed replies
+          }
         }
-      } catch {
-        continue; // Skip failed replies
       }
+    } catch {
+      // getReplies() failed or not available
     }
-  } catch {
-    // getReplies() failed or not available
   }
 
+  // Sort all replies chronologically
+  replies.sort((a, b) => {
+    const dateA = a.published || "";
+    const dateB = b.published || "";
+    return dateA < dateB ? -1 : dateA > dateB ? 1 : 0;
+  });
+
   return replies;
 }
 

package/lib/federation-setup.js

@@ -41,6 +41,7 @@ import { MongoKvStore } from "./kv-store.js";
 import { registerInboxListeners } from "./inbox-listeners.js";
 import { jf2ToAS2Activity, resolvePostUrl } from "./jf2-to-as2.js";
 import { cachedQuery } from "./redis-cache.js";
+import { onOutboxPermanentFailure } from "./outbox-failure.js";
 
 const COLLECTION_CACHE_TTL = 300; // 5 minutes
 
@@ -342,25 +343,15 @@ export function setupFederation(options) {
   });
 
   // Handle permanent delivery failures (Fedify 2.0).
-  // Fires when a remote inbox returns 404/410 — the server is gone.
-  // Log it and let the admin see which followers are unreachable.
+  // Fires when a remote inbox returns 404/410.
+  // 410: immediate full cleanup. 404: strike system (3 strikes over 7 days).
   federation.setOutboxPermanentFailureHandler(async (_ctx, values) => {
-    const { inbox, error, actorIds } = values;
-    const inboxUrl = inbox?.href || String(inbox);
-    const actors = actorIds?.map((id) => id?.href || String(id)) || [];
-    console.warn(
-      `[ActivityPub] Permanent delivery failure to ${inboxUrl}: ${error?.message || "unknown"}` +
-        (actors.length ? ` (actors: ${actors.join(", ")})` : ""),
+    await onOutboxPermanentFailure(
+      values.statusCode,
+      values.actorIds,
+      values.inbox,
+      collections,
     );
-    collections.ap_activities.insertOne({
-      direction: "outbound",
-      type: "DeliveryFailed",
-      actorUrl: publicationUrl,
-      objectUrl: inboxUrl,
-      summary: `Permanent delivery failure to ${inboxUrl}: ${error?.message || "unknown"}`,
-      affectedActors: actors,
-      receivedAt: new Date().toISOString(),
-    }).catch(() => {});
   });
 
   // Wrap with debug dashboard if enabled. The debugger proxies the

package/lib/inbox-handlers.js

@@ -152,6 +152,73 @@ function isDirectMessage(object, ourActorUrl, followersUrl) {
   return true;
 }
 
+/**
+ * Compute post visibility from to/cc addressing fields.
+ * Matches Hollo's write-time visibility classification.
+ *
+ * @param {object} object - Fedify object (Note, Article, etc.)
+ * @returns {"public"|"unlisted"|"private"|"direct"}
+ */
+function computeVisibility(object) {
+  const to = new Set((object.toIds || []).map((u) => u.href));
+  const cc = new Set((object.ccIds || []).map((u) => u.href));
+
+  if (to.has(PUBLIC)) return "public";
+  if (cc.has(PUBLIC)) return "unlisted";
+  // Without knowing the remote actor's followers URL, we can't distinguish
+  // "private" (followers-only) from "direct". Both are non-public.
+  if (to.size > 0 || cc.size > 0) return "private";
+  return "direct";
+}
+
+/**
+ * Recursively fetch and store ancestor posts for a reply chain.
+ * Each ancestor is stored with isContext: true so it can be filtered
+ * from the main timeline while being available for thread views.
+ *
+ * @param {object} object - Fedify object (Note, Article, etc.)
+ * @param {object} collections - MongoDB collections
+ * @param {object} authLoader - Authenticated document loader
+ * @param {number} maxDepth - Maximum recursion depth
+ */
+async function fetchReplyChain(object, collections, authLoader, maxDepth) {
+  if (maxDepth <= 0) return;
+  const parentUrl = object.replyTargetId?.href;
+  if (!parentUrl) return;
+
+  // Skip if we already have this post
+  if (collections.ap_timeline) {
+    const existing = await collections.ap_timeline.findOne({ uid: parentUrl });
+    if (existing) return;
+  }
+
+  // Fetch the parent post
+  let parent;
+  try {
+    parent = await object.getReplyTarget({ documentLoader: authLoader });
+  } catch {
+    // Remote server unreachable — stop climbing
+    return;
+  }
+  if (!parent || !parent.id) return;
+
+  // Store as context item
+  try {
+    const timelineItem = await extractObjectData(parent, {
+      documentLoader: authLoader,
+    });
+    timelineItem.isContext = true;
+    timelineItem.visibility = computeVisibility(parent);
+    await addTimelineItem(collections, timelineItem);
+  } catch {
+    // Extraction failed — stop climbing
+    return;
+  }
+
+  // Recurse for the parent's parent
+  await fetchReplyChain(parent, collections, authLoader, maxDepth - 1);
+}
+
 // ---------------------------------------------------------------------------
 // Individual handlers
 // ---------------------------------------------------------------------------
@@ -515,7 +582,7 @@ export async function handleAnnounce(item, collections, ctx, handle) {
         boostedAt: announce.published ? String(announce.published) : new Date().toISOString(),
         documentLoader: authLoader,
       });
-
+      timelineItem.visibility = computeVisibility(object);
       await addTimelineItem(collections, timelineItem);
 
       // Fire-and-forget quote enrichment for boosted posts
@@ -688,6 +755,18 @@ export async function handleCreate(item, collections, ctx, handle) {
     }
   }
 
+  // --- Recursive reply chain fetching ---
+  // Fetch and store ancestor posts so conversation threads have context.
+  // Each ancestor is stored with isContext: true to distinguish from organic timeline items.
+  if (inReplyTo) {
+    try {
+      await fetchReplyChain(object, collections, authLoader, 5);
+    } catch (error) {
+      // Non-critical — incomplete context is acceptable
+      console.warn("[inbox-handlers] Reply chain fetch failed:", error.message);
+    }
+  }
+
   // Check for mentions of our actor
   if (object.tag) {
     const tags = Array.isArray(object.tag) ? object.tag : [object.tag];
@@ -728,6 +807,7 @@ export async function handleCreate(item, collections, ctx, handle) {
         actorFallback: actorObj,
         documentLoader: authLoader,
       });
+      timelineItem.visibility = computeVisibility(object);
       await addTimelineItem(collections, timelineItem);
 
       // Fire-and-forget OG unfurling for notes and articles (not boosts)
@@ -768,6 +848,7 @@ export async function handleCreate(item, collections, ctx, handle) {
             actorFallback: actorObj,
             documentLoader: authLoader,
           });
+          timelineItem.visibility = computeVisibility(object);
           await addTimelineItem(collections, timelineItem);
         }
       }

package/lib/inbox-listeners.js

@@ -27,6 +27,7 @@ import {
 
 import { isServerBlocked } from "./storage/server-blocks.js";
 import { touchKeyFreshness } from "./key-refresh.js";
+import { resetDeliveryStrikes } from "./outbox-failure.js";
 import { enqueueActivity } from "./inbox-queue.js";
 import { extractActorInfo } from "./timeline-store.js";
 import { addNotification } from "./storage/notifications.js";
@@ -53,6 +54,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = follow.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       const authLoader = await getAuthLoader(ctx);
       const followerActor = await follow.getActor({ documentLoader: authLoader });
@@ -152,6 +154,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = undo.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Undo",
@@ -165,6 +168,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = accept.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Accept",
@@ -178,6 +182,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = reject.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Reject",
@@ -191,6 +196,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = like.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Like",
@@ -205,6 +211,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = announce.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Announce",
@@ -219,11 +226,47 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = create.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
+
+      // Forward public replies to our posts to our followers.
+      // Must happen here (not in async handler) because forwardActivity
+      // is only available on InboxContext, not base Context.
+      const objectUrl = create.objectId?.href || "";
+      try {
+        const obj = await create.getObject();
+        const inReplyTo = obj?.replyTargetId?.href || "";
+        if (
+          inReplyTo &&
+          collections._publicationUrl &&
+          inReplyTo.startsWith(collections._publicationUrl)
+        ) {
+          // Check if the reply is public (to/cc includes PUBLIC collection)
+          const toUrls = (obj.toIds || []).map((u) => u.href);
+          const ccUrls = (obj.ccIds || []).map((u) => u.href);
+          const isPublic = [...toUrls, ...ccUrls].includes(
+            "https://www.w3.org/ns/activitystreams#Public",
+          );
+          if (isPublic) {
+            await ctx.forwardActivity(
+              { identifier: handle },
+              "followers",
+              {
+                skipIfUnsigned: true,
+                preferSharedInbox: true,
+                excludeBaseUris: [new URL(ctx.origin)],
+              },
+            );
+          }
+        }
+      } catch (error) {
+        // Non-critical — forwarding failure shouldn't block processing
+        console.warn("[inbox-listeners] Reply forwarding failed:", error.message);
+      }
 
       await enqueueActivity(collections, {
         activityType: "Create",
         actorUrl,
-        objectUrl: create.objectId?.href || "",
+        objectUrl,
         rawJson: await create.toJsonLd(),
       });
     })
@@ -233,6 +276,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = del.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Delete",
@@ -247,6 +291,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = move.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Move",
@@ -260,6 +305,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = update.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Update",
@@ -299,6 +345,7 @@ export function registerInboxListeners(inboxChain, options) {
       const actorUrl = flag.actorId?.href || "";
       if (await isServerBlocked(actorUrl, collections)) return;
       await touchKeyFreshness(collections, actorUrl);
+      await resetDeliveryStrikes(collections, actorUrl);
 
       await enqueueActivity(collections, {
         activityType: "Flag",

package/lib/outbox-failure.js

@@ -0,0 +1,139 @@
+/**
+ * Outbox permanent failure handling.
+ * Cleans up dead followers when delivery permanently fails.
+ *
+ * - 410 Gone: Immediate full cleanup (actor is permanently gone)
+ * - 404: Strike system — 3 failures over 7+ days triggers full cleanup
+ *
+ * @module outbox-failure
+ */
+
+import { logActivity } from "./activity-log.js";
+
+const STRIKE_THRESHOLD = 3;
+const STRIKE_WINDOW_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+/**
+ * Clean up all data associated with an actor.
+ * Removes follower record, their timeline items, and their notifications.
+ *
+ * @param {object} collections - MongoDB collections
+ * @param {string} actorUrl - Actor URL to clean up
+ * @param {string} reason - Reason for cleanup (for logging)
+ */
+async function cleanupActor(collections, actorUrl, reason) {
+  const { ap_followers, ap_timeline, ap_notifications } = collections;
+
+  // Remove from followers
+  const deleted = await ap_followers.deleteOne({ actorUrl });
+
+  // Remove their timeline items
+  if (ap_timeline) {
+    await ap_timeline.deleteMany({ "author.url": actorUrl });
+  }
+
+  // Remove their notifications
+  if (ap_notifications) {
+    await ap_notifications.deleteMany({ actorUrl });
+  }
+
+  if (deleted.deletedCount > 0) {
+    console.info(`[outbox-failure] Cleaned up actor ${actorUrl}: ${reason}`);
+  }
+}
+
+/**
+ * Handle permanent outbox delivery failure.
+ * Called by Fedify's setOutboxPermanentFailureHandler.
+ *
+ * @param {number} statusCode - HTTP status code (404, 410, etc.)
+ * @param {readonly URL[]} actorIds - Array of actor ID URLs
+ * @param {URL} inbox - The inbox URL that failed
+ * @param {object} collections - MongoDB collections
+ */
+export async function onOutboxPermanentFailure(statusCode, actorIds, inbox, collections) {
+  const inboxUrl = inbox?.href || String(inbox);
+
+  for (const actorId of actorIds) {
+    const actorUrl = actorId?.href || String(actorId);
+
+    if (statusCode === 410) {
+      // 410 Gone — immediate full cleanup
+      await cleanupActor(collections, actorUrl, `410 Gone from ${inboxUrl}`);
+
+      await logActivity(collections.ap_activities, {
+        direction: "outbound",
+        type: "DeliveryFailed:410",
+        actorUrl,
+        objectUrl: inboxUrl,
+        summary: `Permanent delivery failure (410 Gone) to ${inboxUrl} — actor cleaned up`,
+      }, {});
+    } else {
+      // 404 or other — strike system
+      const now = new Date();
+      const result = await collections.ap_followers.findOneAndUpdate(
+        { actorUrl },
+        {
+          $inc: { deliveryFailures: 1 },
+          $setOnInsert: { firstFailureAt: now.toISOString() },
+          $set: { lastFailureAt: now.toISOString() },
+        },
+        { returnDocument: "after" },
+      );
+
+      if (!result) {
+        // Not a follower — nothing to track or clean up
+        continue;
+      }
+
+      const failures = result.deliveryFailures || 1;
+      const firstFailure = result.firstFailureAt
+        ? new Date(result.firstFailureAt)
+        : now;
+      const windowElapsed = now.getTime() - firstFailure.getTime() >= STRIKE_WINDOW_MS;
+
+      if (failures >= STRIKE_THRESHOLD && windowElapsed) {
+        // Confirmed dead — full cleanup
+        await cleanupActor(
+          collections,
+          actorUrl,
+          `${failures} failures over ${Math.round((now.getTime() - firstFailure.getTime()) / 86400000)}d (HTTP ${statusCode})`,
+        );
+
+        await logActivity(collections.ap_activities, {
+          direction: "outbound",
+          type: `DeliveryFailed:${statusCode}:cleanup`,
+          actorUrl,
+          objectUrl: inboxUrl,
+          summary: `${failures} delivery failures over 7+ days — actor cleaned up`,
+        }, {});
+      } else {
+        // Strike recorded, not yet confirmed dead
+        await logActivity(collections.ap_activities, {
+          direction: "outbound",
+          type: `DeliveryFailed:${statusCode}:strike`,
+          actorUrl,
+          objectUrl: inboxUrl,
+          summary: `Delivery strike ${failures}/${STRIKE_THRESHOLD} for ${actorUrl} (HTTP ${statusCode})`,
+        }, {});
+      }
+    }
+  }
+}
+
+/**
+ * Reset delivery failure strikes for an actor.
+ * Called when we receive an inbound activity from an actor,
+ * proving they are alive despite previous delivery failures.
+ *
+ * @param {object} collections - MongoDB collections
+ * @param {string} actorUrl - Actor URL
+ */
+export async function resetDeliveryStrikes(collections, actorUrl) {
+  if (!actorUrl) return;
+  // Only update if the fields exist — avoid unnecessary writes
+  await collections.ap_followers.updateOne(
+    { actorUrl, deliveryFailures: { $exists: true } },
+    { $unset: { deliveryFailures: "", firstFailureAt: "", lastFailureAt: "" } },
+  );
+}

package/lib/storage/timeline.js

@@ -73,6 +73,18 @@ export async function getTimelineItems(collections, options = {}) {
 
   const query = {};
 
+  // Exclude context-only items (ancestors fetched for thread reconstruction)
+  // unless explicitly requested via options.includeContext
+  if (!options.includeContext) {
+    query.isContext = { $ne: true };
+  }
+
+  // Exclude private/direct posts from the main timeline feed —
+  // these belong in messages/notifications, not the public reader
+  if (!options.includePrivate) {
+    query.visibility = { $nin: ["private", "direct"] };
+  }
+
   // Type filter
   if (options.type) {
     query.type = options.type;
@@ -252,7 +264,11 @@ export async function countNewItems(collections, after, options = {}) {
   const { ap_timeline } = collections;
   if (!after || Number.isNaN(new Date(after).getTime())) return 0;
 
-  const query = { published: { $gt: after } };
+  const query = {
+    published: { $gt: after },
+    isContext: { $ne: true },
+    visibility: { $nin: ["private", "direct"] },
+  };
   if (options.type) query.type = options.type;
   if (options.excludeReplies) {
     query.$or = [
@@ -289,5 +305,9 @@ export async function markItemsRead(collections, uids) {
  */
 export async function countUnreadItems(collections) {
   const { ap_timeline } = collections;
-  return await ap_timeline.countDocuments({ read: { $ne: true } });
+  return await ap_timeline.countDocuments({
+    read: { $ne: true },
+    isContext: { $ne: true },
+    visibility: { $nin: ["private", "direct"] },
+  });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "2.14.0",
+  "version": "2.15.1",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",

package/views/partials/ap-item-card.njk

@@ -65,6 +65,9 @@
         </time>
         {% if item.updated %}<span class="ap-card__edited" title="{{ item.updated | date('PPp') }}">✏️</span>{% endif %}
       </a>
+      {% if item.visibility and item.visibility != "public" %}
+        <span class="ap-card__visibility ap-card__visibility--{{ item.visibility }}" title="{% if item.visibility == 'unlisted' %}{{ __('activitypub.reader.compose.visibilityUnlisted') }}{% elif item.visibility == 'private' %}{{ __('activitypub.reader.compose.visibilityFollowers') }}{% elif item.visibility == 'direct' %}DM{% endif %}">{% if item.visibility == "unlisted" %}🔓{% elif item.visibility == "private" %}🔒{% elif item.visibility == "direct" %}✉️{% endif %}</span>
+      {% endif %}
     {% endif %}
   </header>