fedbox 0.0.1 → 0.0.2

package/README.md

@@ -15,10 +15,32 @@ fedbox init
 
 # Start your server
 fedbox start
+
+# Post something!
+fedbox post "Hello, Fediverse!"
 ```
 
 That's it. You're on the Fediverse.
 
+## Commands
+
+```bash
+# Setup
+fedbox init           # Set up your identity
+fedbox start          # Start the server
+fedbox status         # Show your profile info
+
+# Social
+fedbox post "text"    # Post a message to followers
+fedbox follow @user@domain  # Follow someone
+fedbox timeline       # View posts from people you follow
+fedbox reply <url> "text"   # Reply to a post
+fedbox posts          # View your own posts
+
+# Help
+fedbox help           # Show all commands
+```
+
 ## Federation (so Mastodon can find you)
 
 To federate with the wider Fediverse, you need a public HTTPS URL. The easiest way:
@@ -42,28 +64,25 @@ Restart your server, and you're federated! Search for `@yourname@abc123.ngrok.io
 ## What You Get
 
 - **Your own identity** — `@you@yourdomain.com`
+- **Post from CLI** — `fedbox post "Hello world"`
+- **Follow anyone** — `fedbox follow @user@mastodon.social`
+- **View timeline** — `fedbox timeline`
+- **Reply to posts** — `fedbox reply <url> "Nice!"`
 - **ActivityPub compatible** — Works with Mastodon, Pleroma, Pixelfed, etc.
-- **Persistent storage** — SQLite database for followers, posts, activities
-- **Beautiful profile page** — Dark theme, looks great
-- **Zero config** — Just answer a few questions
-
-## Commands
-
-```bash
-fedbox init     # Set up your identity
-fedbox start    # Start the server
-fedbox status   # Show current config
-fedbox help     # Show help
-```
+- **HTTP Signature verification** — Secure federation
+- **Rate limiting** — Protection against abuse
+- **Persistent storage** — SQLite database
+- **Beautiful profile page** — Dark theme, shows your posts
 
 ## How It Works
 
 Fedbox uses [microfed](https://github.com/micro-fed/microfed.org) for ActivityPub primitives:
 
 - **Profile** — Your actor/identity
-- **Inbox** — Receive follows, likes, boosts
+- **Inbox** — Receive follows, likes, boosts, posts
 - **Outbox** — Your posts
 - **WebFinger** — So others can find you
+- **HTTP Signatures** — Secure signed requests
 
 Data is stored in SQLite (`data/fedbox.db`).
 

package/bin/cli.js

@@ -1,13 +1,12 @@
 #!/usr/bin/env node
 
 /**
- * Pubcrawl CLI
+ * Fedbox CLI
  * Zero to Fediverse in 60 seconds
  */
 
 import { createInterface } from 'readline'
-import { existsSync, writeFileSync, mkdirSync } from 'fs'
-import { join } from 'path'
+import { existsSync, writeFileSync, mkdirSync, readFileSync } from 'fs'
 import { generateKeypair } from 'microfed/auth'
 
 const rl = createInterface({
@@ -30,6 +29,11 @@ const COMMANDS = {
   init: runInit,
   start: runStart,
   status: runStatus,
+  post: runPost,
+  follow: runFollow,
+  timeline: runTimeline,
+  reply: runReply,
+  posts: runPosts,
   help: runHelp
 }
 
@@ -49,7 +53,6 @@ async function main() {
 async function runInit() {
   console.log(BANNER)
 
-  // Check if already initialized
   if (existsSync('fedbox.json')) {
     console.log('⚠️  Already initialized. Delete fedbox.json to start over.\n')
     process.exit(1)
@@ -57,7 +60,6 @@ async function runInit() {
 
   console.log('Let\'s get you on the Fediverse!\n')
 
-  // Gather info
   const username = await ask('👤 Username (e.g., alice): ')
   const displayName = await ask('📛 Display name (e.g., Alice): ') || username
   const summary = await ask('📝 Bio (optional): ') || ''
@@ -66,7 +68,6 @@ async function runInit() {
   console.log('\n🔐 Generating keypair...')
   const { publicKey, privateKey } = generateKeypair()
 
-  // Create config
   const config = {
     username: username.toLowerCase().replace(/[^a-z0-9]/g, ''),
     displayName,
@@ -77,12 +78,10 @@ async function runInit() {
     createdAt: new Date().toISOString()
   }
 
-  // Create data directory
   if (!existsSync('data')) {
     mkdirSync('data')
   }
 
-  // Save config
   writeFileSync('fedbox.json', JSON.stringify(config, null, 2))
   console.log('✅ Config saved to fedbox.json')
 
@@ -118,7 +117,6 @@ async function runStart() {
 
   console.log('🚀 Starting server...\n')
 
-  // Dynamic import to avoid loading before init
   const { startServer } = await import('../lib/server.js')
   await startServer()
 }
@@ -129,39 +127,232 @@ async function runStatus() {
     process.exit(1)
   }
 
-  const config = JSON.parse(await import('fs').then(fs =>
-    fs.readFileSync('fedbox.json', 'utf8')
-  ))
+  const config = JSON.parse(readFileSync('fedbox.json', 'utf8'))
+
+  // Get follower/following counts
+  let followers = 0, following = 0
+  try {
+    const { initStore, getFollowerCount, getFollowingCount } = await import('../lib/store.js')
+    initStore()
+    followers = getFollowerCount()
+    following = getFollowingCount()
+  } catch {}
 
   console.log(`
 ╔═══════════════════════════════════════════╗
 ║  📊 FEDBOX STATUS                         ║
 ╚═══════════════════════════════════════════╝
 
-Username:  @${config.username}
-Name:      ${config.displayName}
-Port:      ${config.port}
-Domain:    ${config.domain || '(not set - run with ngrok)'}
-Created:   ${config.createdAt}
+Username:   @${config.username}
+Name:       ${config.displayName}
+Port:       ${config.port}
+Domain:     ${config.domain || '(not set - run with ngrok)'}
+Followers:  ${followers}
+Following:  ${following}
+Created:    ${config.createdAt}
+`)
+
+  rl.close()
+}
+
+async function runPost() {
+  if (!existsSync('fedbox.json')) {
+    console.log('❌ Not initialized. Run: fedbox init\n')
+    process.exit(1)
+  }
+
+  const content = process.argv[3]
+  if (!content) {
+    console.log('Usage: fedbox post "Your message here"')
+    process.exit(1)
+  }
+
+  const { post } = await import('../lib/actions.js')
+
+  console.log('📝 Creating post...')
+  const result = await post(content)
+
+  console.log(`
+✅ Posted!
+
+ID: ${result.noteId}
+Content: ${content}
+Delivered to: ${result.delivered.success} followers (${result.delivered.failed} failed)
+`)
+
+  rl.close()
+}
+
+async function runFollow() {
+  if (!existsSync('fedbox.json')) {
+    console.log('❌ Not initialized. Run: fedbox init\n')
+    process.exit(1)
+  }
+
+  const handle = process.argv[3]
+  if (!handle) {
+    console.log('Usage: fedbox follow @user@domain')
+    process.exit(1)
+  }
+
+  const { follow } = await import('../lib/actions.js')
+
+  try {
+    const result = await follow(handle)
+    console.log(`
+✅ Follow request sent!
+
+User: ${result.actor.preferredUsername || result.actor.name}
+Actor: ${result.actor.id}
+
+Waiting for them to accept...
+`)
+  } catch (err) {
+    console.log(`❌ ${err.message}`)
+    process.exit(1)
+  }
+
+  rl.close()
+}
+
+async function runTimeline() {
+  if (!existsSync('fedbox.json')) {
+    console.log('❌ Not initialized. Run: fedbox init\n')
+    process.exit(1)
+  }
+
+  const { timeline } = await import('../lib/actions.js')
+  const posts = timeline(20)
+
+  if (posts.length === 0) {
+    console.log(`
+📭 Your timeline is empty.
+
+Follow some people with: fedbox follow @user@domain
+`)
+    rl.close()
+    return
+  }
+
+  console.log(`
+╔═══════════════════════════════════════════╗
+║  📰 TIMELINE                              ║
+╚═══════════════════════════════════════════╝
+`)
+
+  for (const post of posts) {
+    const author = post.author?.split('/').pop() || 'unknown'
+    const content = post.content
+      .replace(/<[^>]*>/g, '') // Strip HTML
+      .slice(0, 200)
+    const date = new Date(post.published).toLocaleString()
+
+    console.log(`┌─ @${author} · ${date}`)
+    console.log(`│ ${content}`)
+    if (post.inReplyTo) {
+      console.log(`│ ↩️  Reply to: ${post.inReplyTo}`)
+    }
+    console.log(`└─ ${post.id}`)
+    console.log()
+  }
+
+  rl.close()
+}
+
+async function runReply() {
+  if (!existsSync('fedbox.json')) {
+    console.log('❌ Not initialized. Run: fedbox init\n')
+    process.exit(1)
+  }
+
+  const postUrl = process.argv[3]
+  const content = process.argv[4]
+
+  if (!postUrl || !content) {
+    console.log('Usage: fedbox reply <post-url> "Your reply"')
+    process.exit(1)
+  }
+
+  const { reply } = await import('../lib/actions.js')
+
+  console.log('💬 Sending reply...')
+  const result = await reply(postUrl, content)
+
+  console.log(`
+✅ Reply sent!
+
+ID: ${result.noteId}
+In reply to: ${postUrl}
+Delivered to: ${result.delivered.success} inboxes
+`)
+
+  rl.close()
+}
+
+async function runPosts() {
+  if (!existsSync('fedbox.json')) {
+    console.log('❌ Not initialized. Run: fedbox init\n')
+    process.exit(1)
+  }
+
+  const { myPosts } = await import('../lib/actions.js')
+  const posts = myPosts(20)
+
+  if (posts.length === 0) {
+    console.log(`
+📭 You haven't posted anything yet.
+
+Create a post with: fedbox post "Hello, Fediverse!"
+`)
+    rl.close()
+    return
+  }
+
+  console.log(`
+╔═══════════════════════════════════════════╗
+║  📝 YOUR POSTS                            ║
+╚═══════════════════════════════════════════╝
 `)
 
+  for (const post of posts) {
+    const date = new Date(post.published).toLocaleString()
+    console.log(`┌─ ${date}`)
+    console.log(`│ ${post.content}`)
+    if (post.in_reply_to) {
+      console.log(`│ ↩️  Reply to: ${post.in_reply_to}`)
+    }
+    console.log(`└─ ${post.id}`)
+    console.log()
+  }
+
   rl.close()
 }
 
 function runHelp() {
   console.log(`
 ${BANNER}
-Usage: fedbox <command>
+Usage: fedbox <command> [args]
+
+Setup:
+  init              Set up a new Fediverse identity
+  start             Start the server
+  status            Show current configuration
+
+Social:
+  post "text"       Post a message to your followers
+  follow @user@dom  Follow a remote user
+  timeline          View posts from people you follow
+  reply <url> "text" Reply to a post
+  posts             View your own posts
 
-Commands:
-  init      Set up a new Fediverse identity
-  start     Start the server
-  status    Show current configuration
-  help      Show this help
+Other:
+  help              Show this help
 
 Quick start:
   $ fedbox init
   $ fedbox start
+  $ fedbox post "Hello, Fediverse!"
+  $ fedbox follow @user@mastodon.social
 
 For federation (so Mastodon can find you):
   $ ngrok http 3000

package/lib/actions.js

@@ -0,0 +1,295 @@
+/**
+ * Fedbox Actions
+ * User actions: post, follow, reply, timeline
+ */
+
+import { readFileSync } from 'fs'
+import { outbox, webfinger } from 'microfed'
+import {
+  initStore,
+  savePost,
+  getPosts,
+  getPost,
+  getFollowers,
+  getFollowing,
+  addFollowing,
+  getActivities,
+  cacheActor,
+  getCachedActor
+} from './store.js'
+
+let config = null
+
+/**
+ * Load config
+ */
+function loadConfig() {
+  config = JSON.parse(readFileSync('fedbox.json', 'utf8'))
+  return config
+}
+
+/**
+ * Get actor URL
+ */
+function getActorUrl() {
+  const domain = config.domain || `localhost:${config.port}`
+  const protocol = config.domain ? 'https' : 'http'
+  return `${protocol}://${domain}/users/${config.username}`
+}
+
+/**
+ * Fetch remote actor
+ */
+async function fetchActor(id) {
+  const cached = getCachedActor(id)
+  if (cached) return cached
+
+  try {
+    const response = await fetch(id, {
+      headers: { 'Accept': 'application/activity+json' }
+    })
+    if (!response.ok) return null
+    const actor = await response.json()
+    cacheActor(actor)
+    return actor
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Post a note to followers
+ */
+export async function post(content, inReplyTo = null) {
+  loadConfig()
+  initStore()
+
+  const actorUrl = getActorUrl()
+  const noteId = `${actorUrl}/posts/${Date.now()}`
+
+  // Create the Note
+  const note = outbox.createNote(actorUrl, content, {
+    id: noteId,
+    inReplyTo,
+    to: ['https://www.w3.org/ns/activitystreams#Public'],
+    cc: [`${actorUrl}/followers`]
+  })
+
+  // Wrap in Create activity
+  const create = {
+    '@context': 'https://www.w3.org/ns/activitystreams',
+    type: 'Create',
+    id: `${noteId}/activity`,
+    actor: actorUrl,
+    published: new Date().toISOString(),
+    to: note.to,
+    cc: note.cc,
+    object: note
+  }
+
+  // Save to local posts
+  savePost(noteId, content, inReplyTo)
+
+  // Deliver to all followers
+  const followers = getFollowers()
+  const results = { success: 0, failed: 0 }
+
+  for (const follower of followers) {
+    if (!follower.inbox) continue
+    try {
+      await outbox.send({
+        activity: create,
+        inbox: follower.inbox,
+        privateKey: config.privateKey,
+        keyId: `${actorUrl}#main-key`
+      })
+      results.success++
+    } catch (err) {
+      results.failed++
+    }
+  }
+
+  return { noteId, note, delivered: results }
+}
+
+/**
+ * Follow a remote user
+ */
+export async function follow(handle) {
+  loadConfig()
+  initStore()
+
+  // Parse handle (@user@domain or user@domain)
+  const cleanHandle = handle.replace(/^@/, '')
+  const [username, domain] = cleanHandle.split('@')
+
+  if (!username || !domain) {
+    throw new Error('Invalid handle. Use format: @user@domain or user@domain')
+  }
+
+  // Resolve via WebFinger
+  console.log(`🔍 Looking up ${cleanHandle}...`)
+  const resolved = await webfinger.resolve(username, domain)
+
+  if (!resolved) {
+    throw new Error(`Could not find ${cleanHandle}`)
+  }
+
+  // Fetch the actor
+  console.log(`📥 Fetching actor...`)
+  const remoteActor = await fetchActor(resolved.actorId)
+
+  if (!remoteActor) {
+    throw new Error(`Could not fetch actor: ${resolved.actorId}`)
+  }
+
+  const actorUrl = getActorUrl()
+  const inbox = remoteActor.inbox
+
+  // Create Follow activity
+  const followActivity = outbox.createFollow(actorUrl, remoteActor.id)
+
+  // Send Follow
+  console.log(`📤 Sending Follow to ${inbox}...`)
+  await outbox.send({
+    activity: followActivity,
+    inbox,
+    privateKey: config.privateKey,
+    keyId: `${actorUrl}#main-key`
+  })
+
+  // Save to following (pending acceptance)
+  addFollowing(remoteActor.id, false)
+
+  return {
+    actor: remoteActor,
+    followActivity
+  }
+}
+
+/**
+ * Reply to a post
+ */
+export async function reply(postUrl, content) {
+  loadConfig()
+  initStore()
+
+  // Fetch the original post to get the author
+  let originalAuthor = null
+  try {
+    const response = await fetch(postUrl, {
+      headers: { 'Accept': 'application/activity+json' }
+    })
+    if (response.ok) {
+      const post = await response.json()
+      originalAuthor = post.attributedTo
+    }
+  } catch {
+    // Continue without original author
+  }
+
+  const actorUrl = getActorUrl()
+  const noteId = `${actorUrl}/posts/${Date.now()}`
+
+  // Create the reply Note
+  const note = outbox.createNote(actorUrl, content, {
+    id: noteId,
+    inReplyTo: postUrl,
+    to: ['https://www.w3.org/ns/activitystreams#Public'],
+    cc: [`${actorUrl}/followers`, originalAuthor].filter(Boolean)
+  })
+
+  // Wrap in Create activity
+  const create = {
+    '@context': 'https://www.w3.org/ns/activitystreams',
+    type: 'Create',
+    id: `${noteId}/activity`,
+    actor: actorUrl,
+    published: new Date().toISOString(),
+    to: note.to,
+    cc: note.cc,
+    object: note
+  }
+
+  // Save locally
+  savePost(noteId, content, postUrl)
+
+  // Collect inboxes to deliver to
+  const inboxes = new Set()
+
+  // Add all followers
+  const followers = getFollowers()
+  for (const f of followers) {
+    if (f.inbox) inboxes.add(f.inbox)
+  }
+
+  // Add original author's inbox
+  if (originalAuthor) {
+    const authorActor = await fetchActor(originalAuthor)
+    if (authorActor?.inbox) {
+      inboxes.add(authorActor.inbox)
+    }
+  }
+
+  // Deliver
+  const results = { success: 0, failed: 0 }
+  for (const inbox of inboxes) {
+    try {
+      await outbox.send({
+        activity: create,
+        inbox,
+        privateKey: config.privateKey,
+        keyId: `${actorUrl}#main-key`
+      })
+      results.success++
+    } catch {
+      results.failed++
+    }
+  }
+
+  return { noteId, note, delivered: results }
+}
+
+/**
+ * Get timeline (posts from people we follow + mentions)
+ */
+export function timeline(limit = 20) {
+  loadConfig()
+  initStore()
+
+  // Get Create activities from inbox
+  const activities = getActivities(100)
+
+  const posts = activities
+    .filter(a => a.type === 'Create' && a.raw?.object)
+    .map(a => {
+      const obj = a.raw.object
+      return {
+        id: obj.id || a.id,
+        author: typeof a.raw.actor === 'string' ? a.raw.actor : a.raw.actor?.id,
+        content: obj.content || '',
+        published: obj.published || a.created_at,
+        inReplyTo: obj.inReplyTo
+      }
+    })
+    .slice(0, limit)
+
+  return posts
+}
+
+/**
+ * Get our own posts
+ */
+export function myPosts(limit = 20) {
+  loadConfig()
+  initStore()
+  return getPosts(limit)
+}
+
+export default {
+  post,
+  follow,
+  reply,
+  timeline,
+  myPosts
+}

package/lib/server.js

@@ -19,6 +19,7 @@ import {
   getActivities,
   savePost,
   getPosts,
+  getPost,
   cacheActor,
   getCachedActor
 } from './store.js'
@@ -26,6 +27,11 @@ import {
 let config = null
 let actor = null
 
+// Rate limiting: track requests per IP
+const rateLimits = new Map()
+const RATE_LIMIT_WINDOW = 60000 // 1 minute
+const RATE_LIMIT_MAX = 100 // max requests per window
+
 /**
  * Load configuration
  */
@@ -69,6 +75,41 @@ function buildActor() {
   })
 }
 
+/**
+ * Check rate limit
+ */
+function checkRateLimit(ip) {
+  const now = Date.now()
+  const record = rateLimits.get(ip)
+
+  if (!record || now - record.start > RATE_LIMIT_WINDOW) {
+    rateLimits.set(ip, { start: now, count: 1 })
+    return true
+  }
+
+  record.count++
+  if (record.count > RATE_LIMIT_MAX) {
+    return false
+  }
+
+  return true
+}
+
+/**
+ * Clean old rate limit entries (run periodically)
+ */
+function cleanRateLimits() {
+  const now = Date.now()
+  for (const [ip, record] of rateLimits) {
+    if (now - record.start > RATE_LIMIT_WINDOW) {
+      rateLimits.delete(ip)
+    }
+  }
+}
+
+// Clean rate limits every minute
+setInterval(cleanRateLimits, RATE_LIMIT_WINDOW)
+
 /**
  * Fetch remote actor (with caching)
  */
@@ -90,6 +131,66 @@ async function fetchActor(id) {
   }
 }
 
+/**
+ * Verify HTTP signature on incoming request
+ */
+async function verifySignature(req, body) {
+  const signature = req.headers['signature']
+  if (!signature) {
+    return { valid: false, reason: 'No signature header' }
+  }
+
+  // Parse signature header
+  const sigParts = {}
+  signature.split(',').forEach(part => {
+    const [key, ...rest] = part.split('=')
+    sigParts[key.trim()] = rest.join('=').replace(/^"|"$/g, '')
+  })
+
+  const keyId = sigParts.keyId
+  if (!keyId) {
+    return { valid: false, reason: 'No keyId in signature' }
+  }
+
+  // Extract actor ID from keyId (usually actorId#main-key)
+  const actorId = keyId.replace(/#.*$/, '')
+
+  // Fetch the actor to get their public key
+  const remoteActor = await fetchActor(actorId)
+  if (!remoteActor) {
+    return { valid: false, reason: `Could not fetch actor: ${actorId}` }
+  }
+
+  const publicKeyPem = remoteActor.publicKey?.publicKeyPem
+  if (!publicKeyPem) {
+    return { valid: false, reason: 'Actor has no public key' }
+  }
+
+  // Build the signing string
+  const headers = sigParts.headers?.split(' ') || ['(request-target)', 'host', 'date']
+  const signingParts = headers.map(header => {
+    if (header === '(request-target)') {
+      return `(request-target): ${req.method.toLowerCase()} ${req.url}`
+    }
+    if (header === 'digest' && body) {
+      // Recalculate digest for comparison
+      const crypto = await import('crypto')
+      const digest = crypto.createHash('sha256').update(body).digest('base64')
+      return `digest: SHA-256=${digest}`
+    }
+    return `${header}: ${req.headers[header.toLowerCase()] || ''}`
+  })
+  const signingString = signingParts.join('\n')
+
+  // Verify the signature
+  try {
+    const isValid = auth.verify(signingString, sigParts.signature, publicKeyPem)
+    return { valid: isValid, actor: remoteActor }
+  } catch (err) {
+    return { valid: false, reason: `Verification error: ${err.message}` }
+  }
+}
+
 /**
  * Handle incoming activities
  */
@@ -108,7 +209,7 @@ async function handleActivity(activity) {
       handleAccept(activity)
       break
     case 'Create':
-      console.log(`   New post: ${activity.object?.content?.slice(0, 50)}...`)
+      console.log(`   📝 New post: ${activity.object?.content?.slice(0, 50)}...`)
       break
     case 'Like':
       console.log(`   ❤️ Liked: ${activity.object}`)
@@ -173,6 +274,18 @@ function handleAccept(activity) {
  * Request handler
  */
 async function handleRequest(req, res) {
+  // Get client IP
+  const ip = req.headers['x-forwarded-for']?.split(',')[0] ||
+             req.socket.remoteAddress ||
+             'unknown'
+
+  // Check rate limit
+  if (!checkRateLimit(ip)) {
+    console.log(`🚫 Rate limited: ${ip}`)
+    res.writeHead(429, { 'Retry-After': '60' })
+    return res.end('Too many requests')
+  }
+
   const url = new URL(req.url, `${getProtocol()}://${getDomain()}`)
   const path = url.pathname
   const accept = req.headers.accept || ''
@@ -216,6 +329,34 @@ async function handleRequest(req, res) {
     return res.end(JSON.stringify(actor, null, 2))
   }
 
+  // Individual post
+  const postMatch = path.match(/^\/users\/[^/]+\/posts\/(\d+)$/)
+  if (postMatch) {
+    const postId = `${getProtocol()}://${getDomain()}${path}`
+    const post = getPost(postId)
+    if (!post) {
+      res.writeHead(404)
+      return res.end('Not found')
+    }
+
+    const note = {
+      '@context': 'https://www.w3.org/ns/activitystreams',
+      type: 'Note',
+      id: post.id,
+      attributedTo: actor.id,
+      content: post.content,
+      published: post.published,
+      to: ['https://www.w3.org/ns/activitystreams#Public'],
+      cc: [`${actor.id}/followers`]
+    }
+    if (post.in_reply_to) {
+      note.inReplyTo = post.in_reply_to
+    }
+
+    res.setHeader('Content-Type', 'application/activity+json')
+    return res.end(JSON.stringify(note, null, 2))
+  }
+
   // Inbox
   if (path === `/users/${config.username}/inbox` || path === '/inbox') {
     if (req.method !== 'POST') {
@@ -227,6 +368,15 @@ async function handleRequest(req, res) {
     for await (const chunk of req) chunks.push(chunk)
     const body = Buffer.concat(chunks).toString()
 
+    // Verify signature (log warning but don't reject for now - some servers don't sign)
+    const sigResult = await verifySignature(req, body)
+    if (!sigResult.valid) {
+      console.log(`   ⚠️  Signature: ${sigResult.reason}`)
+      // Continue anyway - strict mode would return 401 here
+    } else {
+      console.log(`   🔐 Signature verified`)
+    }
+
     try {
       const activity = JSON.parse(body)
       await handleActivity(activity)
@@ -250,12 +400,16 @@ async function handleRequest(req, res) {
       orderedItems: posts.map(p => ({
         type: 'Create',
         actor: actor.id,
+        published: p.published,
         object: {
           type: 'Note',
           id: p.id,
           content: p.content,
           published: p.published,
-          attributedTo: actor.id
+          attributedTo: actor.id,
+          to: ['https://www.w3.org/ns/activitystreams#Public'],
+          cc: [`${actor.id}/followers`],
+          ...(p.in_reply_to ? { inReplyTo: p.in_reply_to } : {})
         }
       }))
     }
@@ -312,6 +466,7 @@ async function handleRequest(req, res) {
 function renderProfile() {
   const followers = getFollowerCount()
   const following = getFollowingCount()
+  const posts = getPosts(10)
 
   return `<!DOCTYPE html>
 <html>
@@ -335,6 +490,7 @@ function renderProfile() {
       border-radius: 16px;
       padding: 2rem;
       text-align: center;
+      margin-bottom: 1.5rem;
     }
     .avatar {
       width: 120px;
@@ -363,11 +519,20 @@ function renderProfile() {
       margin-top: 1.5rem;
       font-size: 0.9rem;
     }
+    .posts { margin-top: 1rem; }
+    .post {
+      background: #16213e;
+      border-radius: 12px;
+      padding: 1rem;
+      margin-bottom: 1rem;
+    }
+    .post-content { margin-bottom: 0.5rem; }
+    .post-meta { color: #666; font-size: 0.8rem; }
   </style>
 </head>
 <body>
   <div class="card">
-    <div class="avatar">🍺</div>
+    <div class="avatar">📦</div>
     <h1>${config.displayName}</h1>
     <p class="handle">@${config.username}@${getDomain()}</p>
     ${config.summary ? `<p class="bio">${config.summary}</p>` : ''}
@@ -380,9 +545,24 @@ function renderProfile() {
         <div class="stat-num">${following}</div>
         <div class="stat-label">Following</div>
       </div>
+      <div class="stat">
+        <div class="stat-num">${posts.length}</div>
+        <div class="stat-label">Posts</div>
+      </div>
     </div>
     <div class="badge">📦 Powered by Fedbox</div>
   </div>
+
+  ${posts.length > 0 ? `
+  <div class="posts">
+    ${posts.map(p => `
+    <div class="post">
+      <div class="post-content">${p.content}</div>
+      <div class="post-meta">${new Date(p.published).toLocaleString()}</div>
+    </div>
+    `).join('')}
+  </div>
+  ` : ''}
 </body>
 </html>`
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fedbox",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "Zero to Fediverse in 60 seconds",
   "type": "module",
   "main": "lib/server.js",