javascript-solid-server 0.0.60 → 0.0.62

package/.claude/settings.local.json

@@ -213,7 +213,9 @@
       "Bash(ssh phone:*)",
       "Bash(dig:*)",
       "WebFetch(domain:fonstr.com)",
-      "Bash(node -e \"import\\(''nostr-tools''\\).then\\(m => console.log\\(Object.keys\\(m\\).join\\(''\\\\n''\\)\\)\\)\":*)"
+      "Bash(node -e \"import\\(''nostr-tools''\\).then\\(m => console.log\\(Object.keys\\(m\\).join\\(''\\\\n''\\)\\)\\)\":*)",
+      "Bash(gh repo list:*)",
+      "Bash(gh search:*)"
     ]
   }
 }

package/README.md

@@ -6,8 +6,9 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.60)
+### Implemented (v0.0.61)
 
+- **ActivityPub Federation** - Fediverse integration with WebFinger, inbox/outbox, HTTP signatures
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
 - **SPARQL Update** - Standard SPARQL UPDATE protocol for PATCH
@@ -126,6 +127,11 @@ jss --help             # Show help
 | `--nostr-max-events <n>` | Max events in relay memory | 1000 |
 | `--invite-only` | Require invite code for registration | false |
 | `--default-quota <size>` | Default storage quota per pod (e.g., 50MB) | 50MB |
+| `--activitypub` | Enable ActivityPub federation | false |
+| `--ap-username <name>` | ActivityPub username | me |
+| `--ap-display-name <name>` | ActivityPub display name | (username) |
+| `--ap-summary <text>` | ActivityPub bio/summary | - |
+| `--ap-nostr-pubkey <hex>` | Nostr pubkey for identity linking | - |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -143,6 +149,8 @@ export JSS_MASHLIB=true
 export JSS_NOSTR=true
 export JSS_INVITE_ONLY=true
 export JSS_DEFAULT_QUOTA=100MB
+export JSS_ACTIVITYPUB=true
+export JSS_AP_USERNAME=alice
 jss start
 ```
 
@@ -409,6 +417,72 @@ git add .acl && git commit -m "Add ACL"
 
 See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
 
+## ActivityPub Federation
+
+Enable ActivityPub to federate with Mastodon, Pleroma, Misskey, and other Fediverse servers:
+
+```bash
+jss start --activitypub --ap-username alice --ap-display-name "Alice" --ap-summary "Hello from JSS!"
+```
+
+### Endpoints
+
+| Endpoint | Description |
+|----------|-------------|
+| `/.well-known/webfinger` | Actor discovery (Mastodon searches here) |
+| `/.well-known/nodeinfo` | NodeInfo discovery |
+| `/profile/card` | Actor (returns JSON-LD when `Accept: application/activity+json`) |
+| `/inbox` | Shared inbox for receiving activities |
+| `/profile/card/inbox` | Personal inbox |
+| `/profile/card/outbox` | User's activities |
+| `/profile/card/followers` | Followers collection |
+| `/profile/card/following` | Following collection |
+
+### How It Works
+
+1. **Discovery**: Mastodon looks up `@alice@your.server` via WebFinger
+2. **Actor**: Returns ActivityPub Actor JSON-LD with public key
+3. **Follow**: Remote servers POST Follow activities to inbox
+4. **Accept**: JSS auto-accepts follows and sends Accept back
+5. **Delivery**: Posts are signed with HTTP Signatures and delivered to follower inboxes
+
+### Identity Linking
+
+Your WebID (`/profile/card#me`) becomes your ActivityPub Actor. Link to Nostr identity:
+
+```bash
+jss start --activitypub --ap-nostr-pubkey <64-char-hex-pubkey>
+```
+
+This adds `alsoKnownAs: ["did:nostr:<pubkey>"]` to your Actor profile, creating a verifiable link between your Solid, ActivityPub, and Nostr identities (the SAND stack).
+
+### Programmatic Usage
+
+```javascript
+import { createServer } from 'javascript-solid-server';
+
+const server = createServer({
+  activitypub: true,
+  apUsername: 'alice',
+  apDisplayName: 'Alice',
+  apSummary: 'Building the decentralized web!',
+  apNostrPubkey: 'abc123...'  // Optional: links to did:nostr
+});
+```
+
+### Testing Federation
+
+```bash
+# Check WebFinger
+curl "http://localhost:3000/.well-known/webfinger?resource=acct:alice@localhost:3000"
+
+# Get Actor (AP format)
+curl -H "Accept: application/activity+json" http://localhost:3000/profile/card
+
+# Check NodeInfo
+curl http://localhost:3000/.well-known/nodeinfo/2.1
+```
+
 ### Linking Nostr to WebID (did:nostr)
 
 Bridge your Nostr identity to a Solid WebID for seamless authentication:
@@ -812,6 +886,15 @@ src/
 │   ├── interactions.js   # Login/consent handlers
 │   ├── views.js          # HTML templates
 │   └── invites.js        # Invite code management
+├── ap/
+│   ├── index.js          # ActivityPub plugin
+│   ├── keys.js           # RSA keypair management
+│   ├── store.js          # SQLite storage (followers, activities)
+│   └── routes/
+│       ├── actor.js      # Actor JSON-LD
+│       ├── inbox.js      # Receive activities
+│       ├── outbox.js     # User's activities
+│       └── collections.js # Followers/following
 ├── rdf/
 │   ├── turtle.js         # Turtle <-> JSON-LD
 │   └── conneg.js         # Content negotiation
@@ -831,6 +914,8 @@ Minimal dependencies for a fast, secure server:
 - **n3** - Turtle parsing (only used when conneg enabled)
 - **oidc-provider** - OpenID Connect Identity Provider (only when IdP enabled)
 - **bcrypt** - Password hashing (only when IdP enabled)
+- **microfed** - ActivityPub primitives (only when activitypub enabled)
+- **better-sqlite3** - SQLite storage for federation data
 
 ## License
 

package/bin/jss.js

@@ -63,6 +63,12 @@ program
   .option('--no-nostr', 'Disable Nostr relay')
   .option('--nostr-path <path>', 'Nostr relay WebSocket path (default: /relay)')
   .option('--nostr-max-events <n>', 'Max events in relay memory (default: 1000)', parseInt)
+  .option('--activitypub', 'Enable ActivityPub federation')
+  .option('--no-activitypub', 'Disable ActivityPub federation')
+  .option('--ap-username <name>', 'ActivityPub username (default: me)')
+  .option('--ap-display-name <name>', 'ActivityPub display name')
+  .option('--ap-summary <text>', 'ActivityPub bio/summary')
+  .option('--ap-nostr-pubkey <hex>', 'Nostr pubkey for identity linking')
   .option('--invite-only', 'Require invite code for registration')
   .option('--no-invite-only', 'Allow open registration')
   .option('-q, --quiet', 'Suppress log output')
@@ -110,6 +116,11 @@ program
         nostr: config.nostr,
         nostrPath: config.nostrPath,
         nostrMaxEvents: config.nostrMaxEvents,
+        activitypub: config.activitypub,
+        apUsername: config.apUsername,
+        apDisplayName: config.apDisplayName,
+        apSummary: config.apSummary,
+        apNostrPubkey: config.apNostrPubkey,
         inviteOnly: config.inviteOnly,
       });
 
@@ -131,6 +142,7 @@ program
         }
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
+        if (config.activitypub) console.log(`  ActivityPub: enabled (@${config.apUsername || 'me'})`);
         if (config.inviteOnly) console.log('  Registration: invite-only');
         console.log('\n  Press Ctrl+C to stop\n');
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.60",
+  "version": "0.0.62",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -27,10 +27,13 @@
     "@fastify/rate-limit": "^9.1.0",
     "@fastify/websocket": "^8.3.1",
     "bcrypt": "^6.0.0",
+    "bcryptjs": "^3.0.3",
+    "better-sqlite3": "^12.5.0",
     "commander": "^14.0.2",
     "fastify": "^4.29.1",
     "fs-extra": "^11.2.0",
     "jose": "^6.1.3",
+    "microfed": "^0.0.14",
     "n3": "^1.26.0",
     "nostr-tools": "^2.19.4",
     "oidc-provider": "^9.6.0"
@@ -42,7 +45,10 @@
     "solid",
     "ldp",
     "linked-data",
-    "decentralized"
+    "decentralized",
+    "activitypub",
+    "fediverse",
+    "nostr"
   ],
   "license": "AGPL-3.0-only",
   "devDependencies": {

package/scripts/install-termux.sh

@@ -0,0 +1,81 @@
+#!/data/data/com.termux/files/usr/bin/bash
+#
+# PhonePod Installer for Termux
+#
+# Usage:
+#   curl -sL https://raw.githubusercontent.com/JavaScriptSolidServer/JavaScriptSolidServer/gh-pages/scripts/install-termux.sh | bash
+#
+
+set -e
+
+echo ""
+echo "  ╔═══════════════════════════════════════╗"
+echo "  ║         PhonePod Installer            ║"
+echo "  ║   Solid + Nostr + Git on your phone   ║"
+echo "  ╚═══════════════════════════════════════╝"
+echo ""
+
+# Check we're in Termux
+if [ ! -d "/data/data/com.termux" ]; then
+  echo "✗ This script is for Termux on Android"
+  echo "  Install Termux from F-Droid: https://f-droid.org/packages/com.termux/"
+  exit 1
+fi
+
+echo "→ Installing dependencies..."
+pkg update -y
+pkg install -y nodejs-lts openssh autossh git
+
+echo "→ Installing PM2 and JSS..."
+npm install -g pm2 javascript-solid-server
+
+# Fix PATH for npm global bins
+NPM_BIN="$(npm config get prefix)/bin"
+if [[ ":$PATH:" != *":$NPM_BIN:"* ]]; then
+  echo "export PATH=\"\$PATH:$NPM_BIN\"" >> ~/.bashrc
+  export PATH="$PATH:$NPM_BIN"
+fi
+
+echo "→ Setting up boot persistence..."
+mkdir -p ~/.termux/boot
+cat > ~/.termux/boot/start-pod.sh << 'BOOT'
+#!/data/data/com.termux/files/usr/bin/bash
+# Start PhonePod on boot
+termux-wake-lock
+export PATH="$PATH:$(npm config get prefix)/bin"
+pm2 resurrect
+BOOT
+chmod +x ~/.termux/boot/start-pod.sh
+
+echo "→ Starting JSS..."
+pm2 start jss -- start --port 8080 --nostr --git
+pm2 save
+
+# Get local IP
+LOCAL_IP=$(ip route get 1 2>/dev/null | awk '{print $7}' | head -1)
+
+echo ""
+echo "  ╔═══════════════════════════════════════╗"
+echo "  ║         ✓ PhonePod Installed!         ║"
+echo "  ╚═══════════════════════════════════════╝"
+echo ""
+echo "  Local:   http://localhost:8080"
+if [ -n "$LOCAL_IP" ]; then
+echo "  Network: http://$LOCAL_IP:8080"
+fi
+echo ""
+echo "  Features enabled:"
+echo "    • Solid pod (LDP, WAC, WebID)"
+echo "    • Nostr relay (wss://localhost:8080/relay)"
+echo "    • Git server (git clone http://localhost:8080/)"
+echo ""
+echo "  Commands:"
+echo "    pm2 status      - check status"
+echo "    pm2 logs jss    - view logs"
+echo "    pm2 restart jss - restart server"
+echo ""
+echo "  For public access, setup a tunnel:"
+echo "    https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/46"
+echo ""
+echo "  NOTE: Install Termux:Boot from F-Droid for auto-start on reboot"
+echo ""

package/src/ap/index.js

@@ -0,0 +1,177 @@
+/**
+ * ActivityPub Plugin for JSS
+ * Adds federation support via the ActivityPub protocol
+ */
+
+import { webfinger } from 'microfed'
+import { loadOrCreateKeypair, getKeyId } from './keys.js'
+import { initStore } from './store.js'
+import { createInboxHandler } from './routes/inbox.js'
+import { createOutboxHandler } from './routes/outbox.js'
+import { createCollectionsHandler } from './routes/collections.js'
+import { createActorHandler } from './routes/actor.js'
+
+/**
+ * ActivityPub Fastify plugin
+ * @param {FastifyInstance} fastify
+ * @param {object} options
+ * @param {string} options.username - Default username for single-user mode
+ * @param {string} options.displayName - Display name
+ * @param {string} options.summary - Bio/description
+ * @param {string} options.nostrPubkey - Nostr public key (hex) for identity linking
+ */
+export async function activityPubPlugin(fastify, options = {}) {
+  // Initialize storage and keypair
+  const keypair = loadOrCreateKeypair()
+  initStore()
+
+  // Store config for handlers
+  const config = {
+    keypair,
+    username: options.username || 'me',
+    displayName: options.displayName || options.username || 'Anonymous',
+    summary: options.summary || '',
+    nostrPubkey: options.nostrPubkey || null
+  }
+
+  // Decorate fastify with AP config
+  fastify.decorate('apConfig', config)
+
+  // Helper to build actor ID from request
+  const getActorId = (request) => {
+    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const host = request.headers['x-forwarded-host'] || request.hostname
+    return `${protocol}://${host}/profile/card#me`
+  }
+
+  // Helper to get base URL
+  const getBaseUrl = (request) => {
+    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const host = request.headers['x-forwarded-host'] || request.hostname
+    return `${protocol}://${host}`
+  }
+
+  // WebFinger endpoint
+  fastify.get('/.well-known/webfinger', async (request, reply) => {
+    const resource = request.query.resource
+    if (!resource) {
+      return reply.code(400).send({ error: 'Missing resource parameter' })
+    }
+
+    const parsed = webfinger.parseResource(resource)
+    if (!parsed) {
+      return reply.code(400).send({ error: 'Invalid resource format' })
+    }
+
+    // Check if this is our user
+    const host = request.headers['x-forwarded-host'] || request.hostname
+    if (parsed.domain !== host) {
+      return reply.code(404).send({ error: 'Not found' })
+    }
+
+    // For now, accept any username and map to /profile/card#me
+    // In multi-user mode, we'd look up the user
+    const baseUrl = getBaseUrl(request)
+    const actorUrl = `${baseUrl}/profile/card#me`
+    const profileUrl = `${baseUrl}/profile/card`
+
+    const response = webfinger.createResponse(
+      `${parsed.username}@${parsed.domain}`,
+      actorUrl,
+      { profileUrl }
+    )
+
+    return reply
+      .header('Content-Type', 'application/jrd+json')
+      .header('Access-Control-Allow-Origin', '*')
+      .send(response)
+  })
+
+  // NodeInfo discovery (for Mastodon compatibility)
+  fastify.get('/.well-known/nodeinfo', async (request, reply) => {
+    const baseUrl = getBaseUrl(request)
+    return reply
+      .header('Content-Type', 'application/json')
+      .send({
+        links: [
+          {
+            rel: 'http://nodeinfo.diaspora.software/ns/schema/2.1',
+            href: `${baseUrl}/.well-known/nodeinfo/2.1`
+          }
+        ]
+      })
+  })
+
+  fastify.get('/.well-known/nodeinfo/2.1', async (request, reply) => {
+    const { getPostCount } = await import('./store.js')
+    return reply
+      .header('Content-Type', 'application/json; profile="http://nodeinfo.diaspora.software/ns/schema/2.1#"')
+      .send({
+        version: '2.1',
+        software: {
+          name: 'jss',
+          version: '0.0.62',
+          repository: 'https://github.com/JavaScriptSolidServer/JavaScriptSolidServer'
+        },
+        protocols: ['activitypub', 'solid'],
+        services: { inbound: [], outbound: [] },
+        usage: {
+          users: { total: 1, activeMonth: 1, activeHalfyear: 1 },
+          localPosts: getPostCount()
+        },
+        openRegistrations: true,
+        metadata: {
+          nodeName: config.displayName,
+          nodeDescription: 'SAND Stack: Solid + ActivityPub + Nostr + DID'
+        }
+      })
+  })
+
+  // Actor endpoint - handle AP content negotiation for /profile/card
+  const actorHandler = createActorHandler(config, keypair)
+
+  // Decorate request to track AP handling
+  fastify.decorateRequest('apHandled', false)
+
+  // Register dedicated GET route for /profile/card with AP content negotiation
+  // This needs to run BEFORE the wildcard LDP routes
+  fastify.get('/profile/card', {
+    // Run this handler first, before wildcard routes
+    preHandler: async (request, reply) => {
+      const accept = request.headers.accept || ''
+      const wantsAP = accept.includes('activity+json') ||
+                      accept.includes('ld+json; profile="https://www.w3.org/ns/activitystreams"')
+
+      if (wantsAP) {
+        const actor = actorHandler(request)
+        request.apHandled = true
+        return reply
+          .header('Content-Type', 'application/activity+json')
+          .send(actor)
+      }
+      // If not AP, skip and let the request continue (but this route won't have a main handler)
+      // We return early - the request will 404 on this route but get caught by wildcard
+    }
+  }, async (request, reply) => {
+    // This handler won't be reached if AP was handled
+    // For non-AP requests, we need to pass through to LDP
+    // But we can't easily do that here, so we'll handle it differently
+    reply.callNotFound()
+  })
+
+  // Inbox endpoint
+  const inboxHandler = createInboxHandler(config, keypair)
+  fastify.post('/inbox', inboxHandler)
+  fastify.post('/profile/card/inbox', inboxHandler)
+
+  // Outbox endpoint
+  const outboxHandler = createOutboxHandler(config, keypair)
+  fastify.get('/profile/card/outbox', outboxHandler)
+
+  // Followers/Following collections
+  const collectionsHandler = createCollectionsHandler(config)
+  fastify.get('/profile/card/followers', (req, reply) => collectionsHandler(req, reply, 'followers'))
+  fastify.get('/profile/card/following', (req, reply) => collectionsHandler(req, reply, 'following'))
+}
+
+export default activityPubPlugin

package/src/ap/keys.js

@@ -0,0 +1,64 @@
+/**
+ * ActivityPub RSA Keypair Management
+ * Generate and persist keypairs for HTTP Signatures
+ */
+
+import { generateKeyPairSync } from 'crypto'
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs'
+import { dirname, join } from 'path'
+
+const DEFAULT_KEY_PATH = 'data/ap-keys.json'
+
+/**
+ * Generate RSA keypair
+ * @param {number} modulusLength - Key size in bits (default 2048)
+ * @returns {{ publicKey: string, privateKey: string }}
+ */
+export function generateKeypair(modulusLength = 2048) {
+  const { publicKey, privateKey } = generateKeyPairSync('rsa', {
+    modulusLength,
+    publicKeyEncoding: { type: 'spki', format: 'pem' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+  })
+  return { publicKey, privateKey }
+}
+
+/**
+ * Load keypair from disk, generate if not exists
+ * @param {string} path - Path to keys file
+ * @returns {{ publicKey: string, privateKey: string }}
+ */
+export function loadOrCreateKeypair(path = DEFAULT_KEY_PATH) {
+  if (existsSync(path)) {
+    const data = JSON.parse(readFileSync(path, 'utf8'))
+    return data
+  }
+
+  // Generate new keypair
+  const keypair = generateKeypair()
+
+  // Ensure directory exists
+  const dir = dirname(path)
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true })
+  }
+
+  // Save to disk
+  writeFileSync(path, JSON.stringify(keypair, null, 2))
+  console.log(`Generated new ActivityPub keypair: ${path}`)
+
+  return keypair
+}
+
+/**
+ * Get key ID for HTTP Signatures
+ * @param {string} actorId - Actor URL (e.g., https://example.com/profile/card#me)
+ * @returns {string} Key ID (e.g., https://example.com/profile/card#main-key)
+ */
+export function getKeyId(actorId) {
+  // Strip fragment and add #main-key
+  const base = actorId.replace(/#.*$/, '')
+  return `${base}#main-key`
+}
+
+export default { generateKeypair, loadOrCreateKeypair, getKeyId }

package/src/ap/routes/actor.js

@@ -0,0 +1,54 @@
+/**
+ * Actor endpoint handler
+ * Returns ActivityPub Actor JSON-LD for content negotiation
+ */
+
+/**
+ * Create actor handler
+ * @param {object} config - AP configuration
+ * @param {object} keypair - RSA keypair
+ * @returns {Function} Handler function
+ */
+export function createActorHandler(config, keypair) {
+  return (request) => {
+    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const host = request.headers['x-forwarded-host'] || request.hostname
+    const baseUrl = `${protocol}://${host}`
+    const profileUrl = `${baseUrl}/profile/card`
+    const actorId = `${profileUrl}#me`
+
+    const actor = {
+      '@context': [
+        'https://www.w3.org/ns/activitystreams',
+        'https://w3id.org/security/v1'
+      ],
+      type: 'Person',
+      id: actorId,
+      url: profileUrl,
+      preferredUsername: config.username,
+      name: config.displayName,
+      summary: config.summary ? `<p>${config.summary}</p>` : '',
+      inbox: `${profileUrl}/inbox`,
+      outbox: `${profileUrl}/outbox`,
+      followers: `${profileUrl}/followers`,
+      following: `${profileUrl}/following`,
+      endpoints: {
+        sharedInbox: `${baseUrl}/inbox`
+      },
+      publicKey: {
+        id: `${profileUrl}#main-key`,
+        owner: actorId,
+        publicKeyPem: keypair.publicKey
+      }
+    }
+
+    // Add Nostr identity linking via alsoKnownAs
+    if (config.nostrPubkey) {
+      actor.alsoKnownAs = [`did:nostr:${config.nostrPubkey}`]
+    }
+
+    return actor
+  }
+}
+
+export default { createActorHandler }

package/src/ap/routes/collections.js

@@ -0,0 +1,46 @@
+/**
+ * Collections endpoint handler
+ * Returns followers/following as OrderedCollection
+ */
+
+import { getFollowers, getFollowing, getFollowerCount, getFollowingCount } from '../store.js'
+
+/**
+ * Create collections handler
+ * @param {object} config - AP configuration
+ * @returns {Function} Fastify handler
+ */
+export function createCollectionsHandler(config) {
+  return async (request, reply, collectionType) => {
+    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const host = request.headers['x-forwarded-host'] || request.hostname
+    const baseUrl = `${protocol}://${host}`
+    const profileUrl = `${baseUrl}/profile/card`
+
+    let items, totalItems
+
+    if (collectionType === 'followers') {
+      const followers = getFollowers()
+      items = followers.map(f => f.actor)
+      totalItems = getFollowerCount()
+    } else {
+      const following = getFollowing()
+      items = following.map(f => f.actor)
+      totalItems = getFollowingCount()
+    }
+
+    const collection = {
+      '@context': 'https://www.w3.org/ns/activitystreams',
+      type: 'OrderedCollection',
+      id: `${profileUrl}/${collectionType}`,
+      totalItems,
+      orderedItems: items
+    }
+
+    return reply
+      .header('Content-Type', 'application/activity+json')
+      .send(collection)
+  }
+}
+
+export default { createCollectionsHandler }

package/src/ap/routes/inbox.js

@@ -0,0 +1,239 @@
+/**
+ * Inbox endpoint handler
+ * Receives and processes incoming ActivityPub activities
+ */
+
+import { auth, outbox } from 'microfed'
+import {
+  saveActivity,
+  addFollower,
+  removeFollower,
+  acceptFollowing,
+  cacheActor,
+  getCachedActor
+} from '../store.js'
+import { getKeyId } from '../keys.js'
+
+/**
+ * Fetch remote actor (with caching)
+ * @param {string} id - Actor URL
+ * @returns {Promise<object|null>} Actor object or null
+ */
+async function fetchActor(id) {
+  // Strip fragment for fetching
+  const fetchUrl = id.replace(/#.*$/, '')
+  const cached = getCachedActor(id)
+  if (cached) return cached
+
+  try {
+    const response = await fetch(fetchUrl, {
+      headers: { 'Accept': 'application/activity+json' }
+    })
+    if (!response.ok) return null
+
+    const actor = await response.json()
+    cacheActor(actor)
+    return actor
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Verify HTTP signature on incoming request
+ * @param {object} request - Fastify request
+ * @param {string} body - Request body
+ * @returns {Promise<{valid: boolean, actor?: object, reason?: string}>}
+ */
+async function verifySignature(request, body) {
+  const signature = request.headers['signature']
+  if (!signature) {
+    return { valid: false, reason: 'No signature header' }
+  }
+
+  // Parse signature header
+  const sigParts = auth.parseSignatureHeader(signature)
+  if (!sigParts) {
+    return { valid: false, reason: 'Invalid signature format' }
+  }
+
+  const keyId = sigParts.keyId
+  if (!keyId) {
+    return { valid: false, reason: 'No keyId in signature' }
+  }
+
+  // Extract actor URL from keyId (strip fragment like #main-key)
+  const actorUrl = keyId.replace(/#.*$/, '')
+
+  // Fetch the actor to get their public key
+  const remoteActor = await fetchActor(actorUrl)
+  if (!remoteActor) {
+    return { valid: false, reason: `Could not fetch actor: ${actorUrl}` }
+  }
+
+  const publicKeyPem = remoteActor.publicKey?.publicKeyPem
+  if (!publicKeyPem) {
+    return { valid: false, reason: 'Actor has no public key' }
+  }
+
+  // Verify digest if present
+  const digestHeader = request.headers['digest']
+  if (digestHeader && !auth.verifyDigest(body, digestHeader)) {
+    return { valid: false, reason: 'Digest mismatch' }
+  }
+
+  // Build path from URL
+  const url = new URL(request.url, `http://${request.hostname}`)
+
+  // Verify signature
+  try {
+    const valid = auth.verify({
+      publicKey: publicKeyPem,
+      signature,
+      method: request.method,
+      path: url.pathname,
+      headers: request.headers
+    })
+    return { valid, actor: remoteActor }
+  } catch (err) {
+    return { valid: false, reason: `Verification error: ${err.message}` }
+  }
+}
+
+/**
+ * Create inbox handler
+ * @param {object} config - AP configuration
+ * @param {object} keypair - RSA keypair
+ * @returns {Function} Fastify handler
+ */
+export function createInboxHandler(config, keypair) {
+  return async (request, reply) => {
+    // Parse body
+    let activity
+    let body
+    try {
+      body = typeof request.body === 'string'
+        ? request.body
+        : request.body.toString()
+      activity = JSON.parse(body)
+    } catch {
+      return reply.code(400).send({ error: 'Invalid JSON' })
+    }
+
+    // Verify signature (log but don't reject for now - many servers have issues)
+    const sigResult = await verifySignature(request, body)
+    if (!sigResult.valid) {
+      request.log.warn(`Signature verification failed: ${sigResult.reason}`)
+    } else {
+      request.log.info(`Signature verified for ${activity.actor}`)
+    }
+
+    // Validate activity
+    if (!activity.type) {
+      return reply.code(400).send({ error: 'Missing activity type' })
+    }
+
+    // Save activity
+    if (activity.id) {
+      saveActivity(activity)
+    }
+
+    // Handle activity by type
+    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const host = request.headers['x-forwarded-host'] || request.hostname
+    const baseUrl = `${protocol}://${host}`
+    const profileUrl = `${baseUrl}/profile/card`
+    const actorId = `${profileUrl}#me`
+
+    request.log.info(`Received ${activity.type} from ${activity.actor}`)
+
+    switch (activity.type) {
+      case 'Follow':
+        await handleFollow(activity, actorId, profileUrl, keypair, request.log)
+        break
+
+      case 'Undo':
+        await handleUndo(activity, request.log)
+        break
+
+      case 'Accept':
+        handleAccept(activity, request.log)
+        break
+
+      case 'Create':
+        request.log.info(`New post: ${activity.object?.content?.slice(0, 50)}...`)
+        break
+
+      case 'Like':
+        request.log.info(`Liked: ${activity.object}`)
+        break
+
+      case 'Announce':
+        request.log.info(`Boosted: ${activity.object}`)
+        break
+
+      default:
+        request.log.info(`Unhandled activity type: ${activity.type}`)
+    }
+
+    // Accept the activity
+    return reply.code(202).send()
+  }
+}
+
+/**
+ * Handle Follow activity
+ */
+async function handleFollow(activity, actorId, profileUrl, keypair, log) {
+  const followerActor = await fetchActor(activity.actor)
+  if (!followerActor) {
+    log.warn('Could not fetch follower actor')
+    return
+  }
+
+  // Add to followers
+  addFollower(activity.actor, followerActor.inbox)
+  log.info(`New follower: ${followerActor.preferredUsername || activity.actor}`)
+
+  // Send Accept
+  const accept = outbox.createAccept(actorId, activity)
+
+  try {
+    await outbox.send({
+      activity: accept,
+      inbox: followerActor.inbox,
+      privateKey: keypair.privateKey,
+      keyId: `${profileUrl}#main-key`
+    })
+    log.info(`Sent Accept to ${followerActor.inbox}`)
+  } catch (err) {
+    log.error(`Failed to send Accept: ${err.message}`)
+  }
+}
+
+/**
+ * Handle Undo activity
+ */
+async function handleUndo(activity, log) {
+  if (activity.object?.type === 'Follow') {
+    removeFollower(activity.actor)
+    log.info(`Unfollowed by ${activity.actor}`)
+  }
+}
+
+/**
+ * Handle Accept activity (our follow was accepted)
+ */
+function handleAccept(activity, log) {
+  if (activity.object?.type === 'Follow') {
+    const target = typeof activity.object.object === 'string'
+      ? activity.object.object
+      : activity.object.object?.id
+    if (target) {
+      acceptFollowing(target)
+      log.info('Follow accepted!')
+    }
+  }
+}
+
+export default { createInboxHandler }

package/src/ap/routes/outbox.js

@@ -0,0 +1,52 @@
+/**
+ * Outbox endpoint handler
+ * Returns user's activities as OrderedCollection
+ */
+
+import { getPosts } from '../store.js'
+
+/**
+ * Create outbox handler
+ * @param {object} config - AP configuration
+ * @param {object} keypair - RSA keypair
+ * @returns {Function} Fastify handler
+ */
+export function createOutboxHandler(config, keypair) {
+  return async (request, reply) => {
+    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const host = request.headers['x-forwarded-host'] || request.hostname
+    const baseUrl = `${protocol}://${host}`
+    const profileUrl = `${baseUrl}/profile/card`
+    const actorId = `${profileUrl}#me`
+
+    const posts = getPosts(20)
+
+    const collection = {
+      '@context': 'https://www.w3.org/ns/activitystreams',
+      type: 'OrderedCollection',
+      id: `${profileUrl}/outbox`,
+      totalItems: posts.length,
+      orderedItems: posts.map(p => ({
+        type: 'Create',
+        actor: actorId,
+        published: p.published,
+        object: {
+          type: 'Note',
+          id: p.id,
+          content: p.content,
+          published: p.published,
+          attributedTo: actorId,
+          to: ['https://www.w3.org/ns/activitystreams#Public'],
+          cc: [`${profileUrl}/followers`],
+          ...(p.in_reply_to ? { inReplyTo: p.in_reply_to } : {})
+        }
+      }))
+    }
+
+    return reply
+      .header('Content-Type', 'application/activity+json')
+      .send(collection)
+  }
+}
+
+export default { createOutboxHandler }

package/src/ap/store.js

@@ -0,0 +1,228 @@
+/**
+ * ActivityPub SQLite Storage
+ * Persistence layer for federation data
+ */
+
+import Database from 'better-sqlite3'
+import { existsSync, mkdirSync } from 'fs'
+import { dirname } from 'path'
+
+let db = null
+
+/**
+ * Initialize the database
+ * @param {string} path - Path to SQLite file
+ */
+export function initStore(path = 'data/activitypub.db') {
+  // Ensure directory exists
+  const dir = dirname(path)
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true })
+  }
+
+  db = new Database(path)
+
+  // Create tables
+  db.exec(`
+    -- Followers (people following us)
+    CREATE TABLE IF NOT EXISTS followers (
+      id TEXT PRIMARY KEY,
+      actor TEXT NOT NULL,
+      inbox TEXT,
+      created_at TEXT DEFAULT CURRENT_TIMESTAMP
+    );
+
+    -- Following (people we follow)
+    CREATE TABLE IF NOT EXISTS following (
+      id TEXT PRIMARY KEY,
+      actor TEXT NOT NULL,
+      accepted INTEGER DEFAULT 0,
+      created_at TEXT DEFAULT CURRENT_TIMESTAMP
+    );
+
+    -- Activities (inbox)
+    CREATE TABLE IF NOT EXISTS activities (
+      id TEXT PRIMARY KEY,
+      type TEXT NOT NULL,
+      actor TEXT,
+      object TEXT,
+      raw TEXT NOT NULL,
+      created_at TEXT DEFAULT CURRENT_TIMESTAMP
+    );
+
+    -- Posts (our outbox)
+    CREATE TABLE IF NOT EXISTS posts (
+      id TEXT PRIMARY KEY,
+      content TEXT NOT NULL,
+      in_reply_to TEXT,
+      published TEXT DEFAULT CURRENT_TIMESTAMP
+    );
+
+    -- Known actors (cache)
+    CREATE TABLE IF NOT EXISTS actors (
+      id TEXT PRIMARY KEY,
+      data TEXT NOT NULL,
+      fetched_at TEXT DEFAULT CURRENT_TIMESTAMP
+    );
+  `)
+
+  return db
+}
+
+/**
+ * Get database instance
+ */
+export function getStore() {
+  if (!db) {
+    throw new Error('Store not initialized. Call initStore() first.')
+  }
+  return db
+}
+
+// Followers
+
+export function addFollower(actorId, inbox) {
+  const stmt = db.prepare(`
+    INSERT OR REPLACE INTO followers (id, actor, inbox)
+    VALUES (?, ?, ?)
+  `)
+  stmt.run(actorId, actorId, inbox)
+}
+
+export function removeFollower(actorId) {
+  const stmt = db.prepare('DELETE FROM followers WHERE id = ?')
+  stmt.run(actorId)
+}
+
+export function getFollowers() {
+  const stmt = db.prepare('SELECT * FROM followers ORDER BY created_at DESC')
+  return stmt.all()
+}
+
+export function getFollowerCount() {
+  const stmt = db.prepare('SELECT COUNT(*) as count FROM followers')
+  return stmt.get().count
+}
+
+export function getFollowerInboxes() {
+  const stmt = db.prepare('SELECT DISTINCT inbox FROM followers WHERE inbox IS NOT NULL')
+  return stmt.all().map(row => row.inbox)
+}
+
+// Following
+
+export function addFollowing(actorId, accepted = false) {
+  const stmt = db.prepare(`
+    INSERT OR REPLACE INTO following (id, actor, accepted)
+    VALUES (?, ?, ?)
+  `)
+  stmt.run(actorId, actorId, accepted ? 1 : 0)
+}
+
+export function acceptFollowing(actorId) {
+  const stmt = db.prepare('UPDATE following SET accepted = 1 WHERE id = ?')
+  stmt.run(actorId)
+}
+
+export function removeFollowing(actorId) {
+  const stmt = db.prepare('DELETE FROM following WHERE id = ?')
+  stmt.run(actorId)
+}
+
+export function getFollowing() {
+  const stmt = db.prepare('SELECT * FROM following WHERE accepted = 1 ORDER BY created_at DESC')
+  return stmt.all()
+}
+
+export function getFollowingCount() {
+  const stmt = db.prepare('SELECT COUNT(*) as count FROM following WHERE accepted = 1')
+  return stmt.get().count
+}
+
+// Activities
+
+export function saveActivity(activity) {
+  const stmt = db.prepare(`
+    INSERT OR REPLACE INTO activities (id, type, actor, object, raw)
+    VALUES (?, ?, ?, ?, ?)
+  `)
+  stmt.run(
+    activity.id,
+    activity.type,
+    typeof activity.actor === 'string' ? activity.actor : activity.actor?.id,
+    typeof activity.object === 'string' ? activity.object : JSON.stringify(activity.object),
+    JSON.stringify(activity)
+  )
+}
+
+export function getActivities(limit = 20) {
+  const stmt = db.prepare('SELECT * FROM activities ORDER BY created_at DESC LIMIT ?')
+  return stmt.all(limit).map(row => ({
+    ...row,
+    raw: JSON.parse(row.raw)
+  }))
+}
+
+// Posts
+
+export function savePost(id, content, inReplyTo = null) {
+  const stmt = db.prepare(`
+    INSERT INTO posts (id, content, in_reply_to)
+    VALUES (?, ?, ?)
+  `)
+  stmt.run(id, content, inReplyTo)
+}
+
+export function getPosts(limit = 20) {
+  const stmt = db.prepare('SELECT * FROM posts ORDER BY published DESC LIMIT ?')
+  return stmt.all(limit)
+}
+
+export function getPost(id) {
+  const stmt = db.prepare('SELECT * FROM posts WHERE id = ?')
+  return stmt.get(id)
+}
+
+export function getPostCount() {
+  const stmt = db.prepare('SELECT COUNT(*) as count FROM posts')
+  return stmt.get().count
+}
+
+// Actor cache
+
+export function cacheActor(actor) {
+  const stmt = db.prepare(`
+    INSERT OR REPLACE INTO actors (id, data, fetched_at)
+    VALUES (?, ?, CURRENT_TIMESTAMP)
+  `)
+  stmt.run(actor.id, JSON.stringify(actor))
+}
+
+export function getCachedActor(id) {
+  const stmt = db.prepare('SELECT * FROM actors WHERE id = ?')
+  const row = stmt.get(id)
+  return row ? JSON.parse(row.data) : null
+}
+
+export default {
+  initStore,
+  getStore,
+  addFollower,
+  removeFollower,
+  getFollowers,
+  getFollowerCount,
+  getFollowerInboxes,
+  addFollowing,
+  acceptFollowing,
+  removeFollowing,
+  getFollowing,
+  getFollowingCount,
+  saveActivity,
+  getActivities,
+  savePost,
+  getPosts,
+  getPost,
+  getPostCount,
+  cacheActor,
+  getCachedActor
+}

package/src/config.js

@@ -50,6 +50,13 @@ export const defaults = {
   nostrPath: '/relay',
   nostrMaxEvents: 1000,
 
+  // ActivityPub federation
+  activitypub: false,
+  apUsername: 'me',
+  apDisplayName: null,
+  apSummary: null,
+  apNostrPubkey: null,
+
   // Invite-only registration
   inviteOnly: false,
 
@@ -89,6 +96,11 @@ const envMap = {
   JSS_NOSTR: 'nostr',
   JSS_NOSTR_PATH: 'nostrPath',
   JSS_NOSTR_MAX_EVENTS: 'nostrMaxEvents',
+  JSS_ACTIVITYPUB: 'activitypub',
+  JSS_AP_USERNAME: 'apUsername',
+  JSS_AP_DISPLAY_NAME: 'apDisplayName',
+  JSS_AP_SUMMARY: 'apSummary',
+  JSS_AP_NOSTR_PUBKEY: 'apNostrPubkey',
   JSS_INVITE_ONLY: 'inviteOnly',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
 };

package/src/server.js

@@ -12,6 +12,7 @@ import { idpPlugin } from './idp/index.js';
 import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
 import { AccessMode } from './wac/parser.js';
 import { registerNostrRelay } from './nostr/relay.js';
+import { activityPubPlugin } from './ap/index.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -31,6 +32,11 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
  * @param {boolean} options.nostr - Enable Nostr relay (default false)
  * @param {string} options.nostrPath - Nostr relay WebSocket path (default '/relay')
  * @param {number} options.nostrMaxEvents - Max events in relay memory (default 1000)
+ * @param {boolean} options.activitypub - Enable ActivityPub federation (default false)
+ * @param {string} options.apUsername - ActivityPub username (default 'me')
+ * @param {string} options.apDisplayName - ActivityPub display name
+ * @param {string} options.apSummary - ActivityPub bio/summary
+ * @param {string} options.apNostrPubkey - Nostr pubkey for identity linking
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
@@ -54,6 +60,12 @@ export function createServer(options = {}) {
   const nostrEnabled = options.nostr ?? false;
   const nostrPath = options.nostrPath ?? '/relay';
   const nostrMaxEvents = options.nostrMaxEvents ?? 1000;
+  // ActivityPub federation is OFF by default
+  const activitypubEnabled = options.activitypub ?? false;
+  const apUsername = options.apUsername ?? 'me';
+  const apDisplayName = options.apDisplayName ?? options.apUsername ?? 'Anonymous';
+  const apSummary = options.apSummary ?? '';
+  const apNostrPubkey = options.apNostrPubkey ?? null;
   // Invite-only registration is OFF by default - open registration
   const inviteOnly = options.inviteOnly ?? false;
   // Default storage quota per pod (50MB default, 0 = unlimited)
@@ -152,6 +164,16 @@ export function createServer(options = {}) {
     });
   }
 
+  // Register ActivityPub plugin if enabled
+  if (activitypubEnabled) {
+    fastify.register(activityPubPlugin, {
+      username: apUsername,
+      displayName: apDisplayName,
+      summary: apSummary,
+      nostrPubkey: apNostrPubkey
+    });
+  }
+
   // Register rate limiting plugin
   // Protects against brute force attacks and resource exhaustion
   fastify.register(rateLimit, {
@@ -237,8 +259,13 @@ export function createServer(options = {}) {
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, nostr, and git
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, nostr, git, and AP
     const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
+    const apPaths = ['/inbox', '/profile/card/inbox', '/profile/card/outbox', '/profile/card/followers', '/profile/card/following'];
+    // Check if request wants ActivityPub content for profile
+    const accept = request.headers.accept || '';
+    const wantsAP = accept.includes('activity+json') || accept.includes('ld+json; profile="https://www.w3.org/ns/activitystreams"');
+    const isProfileAP = activitypubEnabled && wantsAP && (request.url === '/profile/card' || request.url.startsWith('/profile/card?'));
     if (request.url === '/.pods' ||
         request.url === '/.notifications' ||
         request.method === 'OPTIONS' ||
@@ -246,6 +273,8 @@ export function createServer(options = {}) {
         request.url.startsWith('/.well-known/') ||
         (nostrEnabled && request.url.startsWith(nostrPath)) ||
         (gitEnabled && isGitRequest(request.url)) ||
+        (activitypubEnabled && apPaths.some(p => request.url === p || request.url.startsWith(p + '?'))) ||
+        isProfileAP ||
         mashlibPaths.some(p => request.url === p || request.url.startsWith(p + '.'))) {
       return;
     }