javascript-solid-server 0.0.61 → 0.0.64

package/.claude/settings.local.json

@@ -215,7 +215,9 @@
       "WebFetch(domain:fonstr.com)",
       "Bash(node -e \"import\\(''nostr-tools''\\).then\\(m => console.log\\(Object.keys\\(m\\).join\\(''\\\\n''\\)\\)\\)\":*)",
       "Bash(gh repo list:*)",
-      "Bash(gh search:*)"
+      "Bash(gh search:*)",
+      "Bash(__NEW_LINE__ echo \"\")",
+      "WebFetch(domain:webfinger.net)"
     ]
   }
 }

package/README.md

@@ -6,8 +6,9 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.60)
+### Implemented (v0.0.61)
 
+- **ActivityPub Federation** - Fediverse integration with WebFinger, inbox/outbox, HTTP signatures
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
 - **SPARQL Update** - Standard SPARQL UPDATE protocol for PATCH
@@ -126,6 +127,11 @@ jss --help             # Show help
 | `--nostr-max-events <n>` | Max events in relay memory | 1000 |
 | `--invite-only` | Require invite code for registration | false |
 | `--default-quota <size>` | Default storage quota per pod (e.g., 50MB) | 50MB |
+| `--activitypub` | Enable ActivityPub federation | false |
+| `--ap-username <name>` | ActivityPub username | me |
+| `--ap-display-name <name>` | ActivityPub display name | (username) |
+| `--ap-summary <text>` | ActivityPub bio/summary | - |
+| `--ap-nostr-pubkey <hex>` | Nostr pubkey for identity linking | - |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -143,6 +149,8 @@ export JSS_MASHLIB=true
 export JSS_NOSTR=true
 export JSS_INVITE_ONLY=true
 export JSS_DEFAULT_QUOTA=100MB
+export JSS_ACTIVITYPUB=true
+export JSS_AP_USERNAME=alice
 jss start
 ```
 
@@ -409,6 +417,72 @@ git add .acl && git commit -m "Add ACL"
 
 See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
 
+## ActivityPub Federation
+
+Enable ActivityPub to federate with Mastodon, Pleroma, Misskey, and other Fediverse servers:
+
+```bash
+jss start --activitypub --ap-username alice --ap-display-name "Alice" --ap-summary "Hello from JSS!"
+```
+
+### Endpoints
+
+| Endpoint | Description |
+|----------|-------------|
+| `/.well-known/webfinger` | Actor discovery (Mastodon searches here) |
+| `/.well-known/nodeinfo` | NodeInfo discovery |
+| `/profile/card` | Actor (returns JSON-LD when `Accept: application/activity+json`) |
+| `/inbox` | Shared inbox for receiving activities |
+| `/profile/card/inbox` | Personal inbox |
+| `/profile/card/outbox` | User's activities |
+| `/profile/card/followers` | Followers collection |
+| `/profile/card/following` | Following collection |
+
+### How It Works
+
+1. **Discovery**: Mastodon looks up `@alice@your.server` via WebFinger
+2. **Actor**: Returns ActivityPub Actor JSON-LD with public key
+3. **Follow**: Remote servers POST Follow activities to inbox
+4. **Accept**: JSS auto-accepts follows and sends Accept back
+5. **Delivery**: Posts are signed with HTTP Signatures and delivered to follower inboxes
+
+### Identity Linking
+
+Your WebID (`/profile/card#me`) becomes your ActivityPub Actor. Link to Nostr identity:
+
+```bash
+jss start --activitypub --ap-nostr-pubkey <64-char-hex-pubkey>
+```
+
+This adds `alsoKnownAs: ["did:nostr:<pubkey>"]` to your Actor profile, creating a verifiable link between your Solid, ActivityPub, and Nostr identities (the SAND stack).
+
+### Programmatic Usage
+
+```javascript
+import { createServer } from 'javascript-solid-server';
+
+const server = createServer({
+  activitypub: true,
+  apUsername: 'alice',
+  apDisplayName: 'Alice',
+  apSummary: 'Building the decentralized web!',
+  apNostrPubkey: 'abc123...'  // Optional: links to did:nostr
+});
+```
+
+### Testing Federation
+
+```bash
+# Check WebFinger
+curl "http://localhost:3000/.well-known/webfinger?resource=acct:alice@localhost:3000"
+
+# Get Actor (AP format)
+curl -H "Accept: application/activity+json" http://localhost:3000/profile/card
+
+# Check NodeInfo
+curl http://localhost:3000/.well-known/nodeinfo/2.1
+```
+
 ### Linking Nostr to WebID (did:nostr)
 
 Bridge your Nostr identity to a Solid WebID for seamless authentication:
@@ -812,6 +886,15 @@ src/
 │   ├── interactions.js   # Login/consent handlers
 │   ├── views.js          # HTML templates
 │   └── invites.js        # Invite code management
+├── ap/
+│   ├── index.js          # ActivityPub plugin
+│   ├── keys.js           # RSA keypair management
+│   ├── store.js          # SQLite storage (followers, activities)
+│   └── routes/
+│       ├── actor.js      # Actor JSON-LD
+│       ├── inbox.js      # Receive activities
+│       ├── outbox.js     # User's activities
+│       └── collections.js # Followers/following
 ├── rdf/
 │   ├── turtle.js         # Turtle <-> JSON-LD
 │   └── conneg.js         # Content negotiation
@@ -831,6 +914,8 @@ Minimal dependencies for a fast, secure server:
 - **n3** - Turtle parsing (only used when conneg enabled)
 - **oidc-provider** - OpenID Connect Identity Provider (only when IdP enabled)
 - **bcrypt** - Password hashing (only when IdP enabled)
+- **microfed** - ActivityPub primitives (only when activitypub enabled)
+- **better-sqlite3** - SQLite storage for federation data
 
 ## License
 

package/bin/jss.js

@@ -63,6 +63,12 @@ program
   .option('--no-nostr', 'Disable Nostr relay')
   .option('--nostr-path <path>', 'Nostr relay WebSocket path (default: /relay)')
   .option('--nostr-max-events <n>', 'Max events in relay memory (default: 1000)', parseInt)
+  .option('--activitypub', 'Enable ActivityPub federation')
+  .option('--no-activitypub', 'Disable ActivityPub federation')
+  .option('--ap-username <name>', 'ActivityPub username (default: me)')
+  .option('--ap-display-name <name>', 'ActivityPub display name')
+  .option('--ap-summary <text>', 'ActivityPub bio/summary')
+  .option('--ap-nostr-pubkey <hex>', 'Nostr pubkey for identity linking')
   .option('--invite-only', 'Require invite code for registration')
   .option('--no-invite-only', 'Allow open registration')
   .option('-q, --quiet', 'Suppress log output')
@@ -110,6 +116,11 @@ program
         nostr: config.nostr,
         nostrPath: config.nostrPath,
         nostrMaxEvents: config.nostrMaxEvents,
+        activitypub: config.activitypub,
+        apUsername: config.apUsername,
+        apDisplayName: config.apDisplayName,
+        apSummary: config.apSummary,
+        apNostrPubkey: config.apNostrPubkey,
         inviteOnly: config.inviteOnly,
       });
 
@@ -131,6 +142,7 @@ program
         }
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
+        if (config.activitypub) console.log(`  ActivityPub: enabled (@${config.apUsername || 'me'})`);
         if (config.inviteOnly) console.log('  Registration: invite-only');
         console.log('\n  Press Ctrl+C to stop\n');
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.61",
+  "version": "0.0.64",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -36,7 +36,8 @@
     "microfed": "^0.0.14",
     "n3": "^1.26.0",
     "nostr-tools": "^2.19.4",
-    "oidc-provider": "^9.6.0"
+    "oidc-provider": "^9.6.0",
+    "sql.js": "^1.13.0"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/ap/index.js

@@ -11,6 +11,10 @@ import { createOutboxHandler } from './routes/outbox.js'
 import { createCollectionsHandler } from './routes/collections.js'
 import { createActorHandler } from './routes/actor.js'
 
+// Shared state for actor handler (accessed by server.js)
+let sharedActorHandler = null
+export function getActorHandler() { return sharedActorHandler }
+
 /**
  * ActivityPub Fastify plugin
  * @param {FastifyInstance} fastify
@@ -23,7 +27,7 @@ import { createActorHandler } from './routes/actor.js'
 export async function activityPubPlugin(fastify, options = {}) {
   // Initialize storage and keypair
   const keypair = loadOrCreateKeypair()
-  initStore()
+  await initStore()
 
   // Store config for handlers
   const config = {
@@ -37,16 +41,37 @@ export async function activityPubPlugin(fastify, options = {}) {
   // Decorate fastify with AP config
   fastify.decorate('apConfig', config)
 
+  // Helper to detect protocol from proxy headers
+  const getProtocol = (request) => {
+    // Check X-Forwarded-Proto first
+    let protocol = request.headers['x-forwarded-proto']
+    if (!protocol) {
+      // Cloudflare uses cf-visitor: {"scheme":"https"}
+      const cfVisitor = request.headers['cf-visitor']
+      if (cfVisitor) {
+        try {
+          const parsed = JSON.parse(cfVisitor)
+          protocol = parsed.scheme
+        } catch { /* ignore */ }
+      }
+    }
+    // If still no protocol and hostname looks like a public domain, assume https
+    if (!protocol && request.hostname && !request.hostname.match(/^(localhost|127\.|192\.168\.|10\.)/)) {
+      protocol = 'https'
+    }
+    return protocol || request.protocol
+  }
+
   // Helper to build actor ID from request
   const getActorId = (request) => {
-    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const protocol = getProtocol(request)
     const host = request.headers['x-forwarded-host'] || request.hostname
     return `${protocol}://${host}/profile/card#me`
   }
 
   // Helper to get base URL
   const getBaseUrl = (request) => {
-    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    const protocol = getProtocol(request)
     const host = request.headers['x-forwarded-host'] || request.hostname
     return `${protocol}://${host}`
   }
@@ -110,7 +135,7 @@ export async function activityPubPlugin(fastify, options = {}) {
         version: '2.1',
         software: {
           name: 'jss',
-          version: '0.0.61',
+          version: '0.0.62',
           repository: 'https://github.com/JavaScriptSolidServer/JavaScriptSolidServer'
         },
         protocols: ['activitypub', 'solid'],
@@ -127,37 +152,11 @@ export async function activityPubPlugin(fastify, options = {}) {
       })
   })
 
-  // Actor endpoint - handle AP content negotiation for /profile/card
+  // Actor endpoint - expose handler for profile/card AP requests
   const actorHandler = createActorHandler(config, keypair)
 
-  // Decorate request to track AP handling
-  fastify.decorateRequest('apHandled', false)
-
-  // Register dedicated GET route for /profile/card with AP content negotiation
-  // This needs to run BEFORE the wildcard LDP routes
-  fastify.get('/profile/card', {
-    // Run this handler first, before wildcard routes
-    preHandler: async (request, reply) => {
-      const accept = request.headers.accept || ''
-      const wantsAP = accept.includes('activity+json') ||
-                      accept.includes('ld+json; profile="https://www.w3.org/ns/activitystreams"')
-
-      if (wantsAP) {
-        const actor = actorHandler(request)
-        request.apHandled = true
-        return reply
-          .header('Content-Type', 'application/activity+json')
-          .send(actor)
-      }
-      // If not AP, skip and let the request continue (but this route won't have a main handler)
-      // We return early - the request will 404 on this route but get caught by wildcard
-    }
-  }, async (request, reply) => {
-    // This handler won't be reached if AP was handled
-    // For non-AP requests, we need to pass through to LDP
-    // But we can't easily do that here, so we'll handle it differently
-    reply.callNotFound()
-  })
+  // Store actorHandler in shared state for use by server-level hook
+  sharedActorHandler = actorHandler
 
   // Inbox endpoint
   const inboxHandler = createInboxHandler(config, keypair)

package/src/ap/routes/actor.js

@@ -11,8 +11,24 @@
  */
 export function createActorHandler(config, keypair) {
   return (request) => {
-    const protocol = request.headers['x-forwarded-proto'] || request.protocol
+    // Check various proxy headers for protocol detection
+    let protocol = request.headers['x-forwarded-proto']
+    if (!protocol) {
+      // Cloudflare uses cf-visitor: {"scheme":"https"}
+      const cfVisitor = request.headers['cf-visitor']
+      if (cfVisitor) {
+        try {
+          const parsed = JSON.parse(cfVisitor)
+          protocol = parsed.scheme
+        } catch { /* ignore */ }
+      }
+    }
+    // If still no protocol and hostname looks like a public domain, assume https
     const host = request.headers['x-forwarded-host'] || request.hostname
+    if (!protocol && host && !host.match(/^(localhost|127\.|192\.168\.|10\.)/)) {
+      protocol = 'https'
+    }
+    protocol = protocol || request.protocol
     const baseUrl = `${protocol}://${host}`
     const profileUrl = `${baseUrl}/profile/card`
     const actorId = `${profileUrl}#me`

package/src/ap/store.js

@@ -1,72 +1,117 @@
 /**
  * ActivityPub SQLite Storage
  * Persistence layer for federation data
+ *
+ * Uses better-sqlite3 when available (native, fast)
+ * Falls back to sql.js on Android/platforms without native builds
  */
 
-import Database from 'better-sqlite3'
-import { existsSync, mkdirSync } from 'fs'
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs'
 import { dirname } from 'path'
 
 let db = null
+let dbPath = null
+let usingSqlJs = false
+
+// SQL schema
+const SCHEMA = `
+  -- Followers (people following us)
+  CREATE TABLE IF NOT EXISTS followers (
+    id TEXT PRIMARY KEY,
+    actor TEXT NOT NULL,
+    inbox TEXT,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Following (people we follow)
+  CREATE TABLE IF NOT EXISTS following (
+    id TEXT PRIMARY KEY,
+    actor TEXT NOT NULL,
+    accepted INTEGER DEFAULT 0,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Activities (inbox)
+  CREATE TABLE IF NOT EXISTS activities (
+    id TEXT PRIMARY KEY,
+    type TEXT NOT NULL,
+    actor TEXT,
+    object TEXT,
+    raw TEXT NOT NULL,
+    created_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Posts (our outbox)
+  CREATE TABLE IF NOT EXISTS posts (
+    id TEXT PRIMARY KEY,
+    content TEXT NOT NULL,
+    in_reply_to TEXT,
+    published TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+
+  -- Known actors (cache)
+  CREATE TABLE IF NOT EXISTS actors (
+    id TEXT PRIMARY KEY,
+    data TEXT NOT NULL,
+    fetched_at TEXT DEFAULT CURRENT_TIMESTAMP
+  );
+`
 
 /**
  * Initialize the database
+ * Tries better-sqlite3 first, falls back to sql.js
  * @param {string} path - Path to SQLite file
  */
-export function initStore(path = 'data/activitypub.db') {
+export async function initStore(path = 'data/activitypub.db') {
   // Ensure directory exists
   const dir = dirname(path)
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true })
   }
 
-  db = new Database(path)
-
-  // Create tables
-  db.exec(`
-    -- Followers (people following us)
-    CREATE TABLE IF NOT EXISTS followers (
-      id TEXT PRIMARY KEY,
-      actor TEXT NOT NULL,
-      inbox TEXT,
-      created_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Following (people we follow)
-    CREATE TABLE IF NOT EXISTS following (
-      id TEXT PRIMARY KEY,
-      actor TEXT NOT NULL,
-      accepted INTEGER DEFAULT 0,
-      created_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Activities (inbox)
-    CREATE TABLE IF NOT EXISTS activities (
-      id TEXT PRIMARY KEY,
-      type TEXT NOT NULL,
-      actor TEXT,
-      object TEXT,
-      raw TEXT NOT NULL,
-      created_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Posts (our outbox)
-    CREATE TABLE IF NOT EXISTS posts (
-      id TEXT PRIMARY KEY,
-      content TEXT NOT NULL,
-      in_reply_to TEXT,
-      published TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-
-    -- Known actors (cache)
-    CREATE TABLE IF NOT EXISTS actors (
-      id TEXT PRIMARY KEY,
-      data TEXT NOT NULL,
-      fetched_at TEXT DEFAULT CURRENT_TIMESTAMP
-    );
-  `)
+  dbPath = path
+
+  // Try better-sqlite3 first (fast, native)
+  try {
+    const Database = (await import('better-sqlite3')).default
+    db = new Database(path)
+    db.exec(SCHEMA)
+    usingSqlJs = false
+    return db
+  } catch (e) {
+    // Fall back to sql.js (WASM, works everywhere)
+    console.log('ActivityPub: Using sql.js (WASM) for SQLite storage')
+
+    const initSqlJs = (await import('sql.js')).default
+    const SQL = await initSqlJs()
+
+    // Load existing database if it exists
+    if (existsSync(path)) {
+      const buffer = readFileSync(path)
+      db = new SQL.Database(buffer)
+    } else {
+      db = new SQL.Database()
+    }
+
+    db.run(SCHEMA)
+    usingSqlJs = true
+
+    // Save initial database
+    saveDatabase()
+
+    return db
+  }
+}
 
-  return db
+/**
+ * Save sql.js database to disk
+ */
+function saveDatabase() {
+  if (usingSqlJs && db && dbPath) {
+    const data = db.export()
+    const buffer = Buffer.from(data)
+    writeFileSync(dbPath, buffer)
+  }
 }
 
 /**
@@ -79,128 +124,156 @@ export function getStore() {
   return db
 }
 
+// Helper to run prepared statements across both implementations
+function runStmt(sql, params = []) {
+  if (usingSqlJs) {
+    db.run(sql, params)
+    saveDatabase()
+  } else {
+    db.prepare(sql).run(...params)
+  }
+}
+
+function getOne(sql, params = []) {
+  if (usingSqlJs) {
+    const stmt = db.prepare(sql)
+    stmt.bind(params)
+    if (stmt.step()) {
+      const row = stmt.getAsObject()
+      stmt.free()
+      return row
+    }
+    stmt.free()
+    return null
+  } else {
+    return db.prepare(sql).get(...params)
+  }
+}
+
+function getAll(sql, params = []) {
+  if (usingSqlJs) {
+    const results = []
+    const stmt = db.prepare(sql)
+    stmt.bind(params)
+    while (stmt.step()) {
+      results.push(stmt.getAsObject())
+    }
+    stmt.free()
+    return results
+  } else {
+    return db.prepare(sql).all(...params)
+  }
+}
+
 // Followers
 
 export function addFollower(actorId, inbox) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO followers (id, actor, inbox)
-    VALUES (?, ?, ?)
-  `)
-  stmt.run(actorId, actorId, inbox)
+  runStmt(
+    'INSERT OR REPLACE INTO followers (id, actor, inbox) VALUES (?, ?, ?)',
+    [actorId, actorId, inbox]
+  )
 }
 
 export function removeFollower(actorId) {
-  const stmt = db.prepare('DELETE FROM followers WHERE id = ?')
-  stmt.run(actorId)
+  runStmt('DELETE FROM followers WHERE id = ?', [actorId])
 }
 
 export function getFollowers() {
-  const stmt = db.prepare('SELECT * FROM followers ORDER BY created_at DESC')
-  return stmt.all()
+  return getAll('SELECT * FROM followers ORDER BY created_at DESC')
 }
 
 export function getFollowerCount() {
-  const stmt = db.prepare('SELECT COUNT(*) as count FROM followers')
-  return stmt.get().count
+  const row = getOne('SELECT COUNT(*) as count FROM followers')
+  return row ? row.count : 0
 }
 
 export function getFollowerInboxes() {
-  const stmt = db.prepare('SELECT DISTINCT inbox FROM followers WHERE inbox IS NOT NULL')
-  return stmt.all().map(row => row.inbox)
+  return getAll('SELECT DISTINCT inbox FROM followers WHERE inbox IS NOT NULL')
+    .map(row => row.inbox)
 }
 
 // Following
 
 export function addFollowing(actorId, accepted = false) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO following (id, actor, accepted)
-    VALUES (?, ?, ?)
-  `)
-  stmt.run(actorId, actorId, accepted ? 1 : 0)
+  runStmt(
+    'INSERT OR REPLACE INTO following (id, actor, accepted) VALUES (?, ?, ?)',
+    [actorId, actorId, accepted ? 1 : 0]
+  )
 }
 
 export function acceptFollowing(actorId) {
-  const stmt = db.prepare('UPDATE following SET accepted = 1 WHERE id = ?')
-  stmt.run(actorId)
+  runStmt('UPDATE following SET accepted = 1 WHERE id = ?', [actorId])
 }
 
 export function removeFollowing(actorId) {
-  const stmt = db.prepare('DELETE FROM following WHERE id = ?')
-  stmt.run(actorId)
+  runStmt('DELETE FROM following WHERE id = ?', [actorId])
 }
 
 export function getFollowing() {
-  const stmt = db.prepare('SELECT * FROM following WHERE accepted = 1 ORDER BY created_at DESC')
-  return stmt.all()
+  return getAll('SELECT * FROM following WHERE accepted = 1 ORDER BY created_at DESC')
 }
 
 export function getFollowingCount() {
-  const stmt = db.prepare('SELECT COUNT(*) as count FROM following WHERE accepted = 1')
-  return stmt.get().count
+  const row = getOne('SELECT COUNT(*) as count FROM following WHERE accepted = 1')
+  return row ? row.count : 0
 }
 
 // Activities
 
 export function saveActivity(activity) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO activities (id, type, actor, object, raw)
-    VALUES (?, ?, ?, ?, ?)
-  `)
-  stmt.run(
-    activity.id,
-    activity.type,
-    typeof activity.actor === 'string' ? activity.actor : activity.actor?.id,
-    typeof activity.object === 'string' ? activity.object : JSON.stringify(activity.object),
-    JSON.stringify(activity)
+  runStmt(
+    'INSERT OR REPLACE INTO activities (id, type, actor, object, raw) VALUES (?, ?, ?, ?, ?)',
+    [
+      activity.id,
+      activity.type,
+      typeof activity.actor === 'string' ? activity.actor : activity.actor?.id,
+      typeof activity.object === 'string' ? activity.object : JSON.stringify(activity.object),
+      JSON.stringify(activity)
+    ]
   )
 }
 
 export function getActivities(limit = 20) {
-  const stmt = db.prepare('SELECT * FROM activities ORDER BY created_at DESC LIMIT ?')
-  return stmt.all(limit).map(row => ({
-    ...row,
-    raw: JSON.parse(row.raw)
-  }))
+  return getAll('SELECT * FROM activities ORDER BY created_at DESC LIMIT ?', [limit])
+    .map(row => ({
+      ...row,
+      raw: JSON.parse(row.raw)
+    }))
 }
 
 // Posts
 
 export function savePost(id, content, inReplyTo = null) {
-  const stmt = db.prepare(`
-    INSERT INTO posts (id, content, in_reply_to)
-    VALUES (?, ?, ?)
-  `)
-  stmt.run(id, content, inReplyTo)
+  runStmt(
+    'INSERT INTO posts (id, content, in_reply_to) VALUES (?, ?, ?)',
+    [id, content, inReplyTo]
+  )
 }
 
 export function getPosts(limit = 20) {
-  const stmt = db.prepare('SELECT * FROM posts ORDER BY published DESC LIMIT ?')
-  return stmt.all(limit)
+  return getAll('SELECT * FROM posts ORDER BY published DESC LIMIT ?', [limit])
 }
 
 export function getPost(id) {
-  const stmt = db.prepare('SELECT * FROM posts WHERE id = ?')
-  return stmt.get(id)
+  return getOne('SELECT * FROM posts WHERE id = ?', [id])
 }
 
 export function getPostCount() {
-  const stmt = db.prepare('SELECT COUNT(*) as count FROM posts')
-  return stmt.get().count
+  const row = getOne('SELECT COUNT(*) as count FROM posts')
+  return row ? row.count : 0
 }
 
 // Actor cache
 
 export function cacheActor(actor) {
-  const stmt = db.prepare(`
-    INSERT OR REPLACE INTO actors (id, data, fetched_at)
-    VALUES (?, ?, CURRENT_TIMESTAMP)
-  `)
-  stmt.run(actor.id, JSON.stringify(actor))
+  runStmt(
+    'INSERT OR REPLACE INTO actors (id, data, fetched_at) VALUES (?, ?, datetime("now"))',
+    [actor.id, JSON.stringify(actor)]
+  )
 }
 
 export function getCachedActor(id) {
-  const stmt = db.prepare('SELECT * FROM actors WHERE id = ?')
-  const row = stmt.get(id)
+  const row = getOne('SELECT * FROM actors WHERE id = ?', [id])
   return row ? JSON.parse(row.data) : null
 }
 

package/src/config.js

@@ -50,6 +50,13 @@ export const defaults = {
   nostrPath: '/relay',
   nostrMaxEvents: 1000,
 
+  // ActivityPub federation
+  activitypub: false,
+  apUsername: 'me',
+  apDisplayName: null,
+  apSummary: null,
+  apNostrPubkey: null,
+
   // Invite-only registration
   inviteOnly: false,
 
@@ -89,6 +96,11 @@ const envMap = {
   JSS_NOSTR: 'nostr',
   JSS_NOSTR_PATH: 'nostrPath',
   JSS_NOSTR_MAX_EVENTS: 'nostrMaxEvents',
+  JSS_ACTIVITYPUB: 'activitypub',
+  JSS_AP_USERNAME: 'apUsername',
+  JSS_AP_DISPLAY_NAME: 'apDisplayName',
+  JSS_AP_SUMMARY: 'apSummary',
+  JSS_AP_NOSTR_PUBKEY: 'apNostrPubkey',
   JSS_INVITE_ONLY: 'inviteOnly',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
 };

package/src/server.js

@@ -12,7 +12,7 @@ import { idpPlugin } from './idp/index.js';
 import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
 import { AccessMode } from './wac/parser.js';
 import { registerNostrRelay } from './nostr/relay.js';
-import { activityPubPlugin } from './ap/index.js';
+import { activityPubPlugin, getActorHandler } from './ap/index.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -202,6 +202,33 @@ export function createServer(options = {}) {
     // Note: OPTIONS requests are handled by handleOptions to include Accept-* headers
   });
 
+  // ActivityPub actor endpoint - dedicated route for /profile/card with AP Accept header
+  // Registered before wildcard routes to take priority
+  if (activitypubEnabled) {
+    fastify.route({
+      method: 'GET',
+      url: '/profile/card',
+      handler: async (request, reply) => {
+        const accept = request.headers.accept || '';
+        const wantsAP = accept.includes('activity+json') ||
+                        accept.includes('ld+json; profile="https://www.w3.org/ns/activitystreams"');
+
+        const actorHandler = getActorHandler();
+        if (wantsAP && actorHandler) {
+          const actor = actorHandler(request);
+          return reply
+            .type('application/activity+json')
+            .send(actor);
+        }
+
+        // Not AP request - serve the HTML profile from disk
+        // This is handled by importing the resource handler
+        const { handleGet } = await import('./handlers/resource.js');
+        return handleGet(request, reply);
+      }
+    });
+  }
+
   // Security: Block access to dotfiles except allowed Solid-specific ones
   // This prevents exposure of .git/, .env, .htpasswd, etc.
   // Git protocol requests bypass this check when git is enabled