implemented federation
+39
-14
@@ -9,19 +9,6 @@ Versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Planned — Phase 3E (Observability)
|
||||
- Prometheus metrics endpoint `GET /metrics`
|
||||
- Structured internal metrics: pipeline duration, queue depth, deployment frequency, error rates
|
||||
- Health check endpoint `GET /health` returning DB + NATS status
|
||||
- Environment cards: live health status via HTTP health check polling
|
||||
- Repo page: error rate and deployment frequency sparklines
|
||||
|
||||
### Planned — Phase 3F (Federation, next)
|
||||
- ActivityPub inbox/outbox HTTP handlers
|
||||
- HTTP signature verification middleware
|
||||
- WebFinger `/.well-known/webfinger` endpoint
|
||||
- Cross-instance pull requests via ActivityPub activities
|
||||
|
||||
### Planned — Phase 4 (Intelligence + Artifacts)
|
||||
- AI failure diagnosis (pipeline failure root-cause analysis via Claude API)
|
||||
- AI deployment risk scoring
|
||||
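Review bot: The Phase 3E (Observability) block is dropped from [Unreleased] in this hunk together with Phase 3F, but the 0.9.0 entry in the next hunk only states "Phase 3F complete" and records no `GET /metrics` or `GET /health` work. If Phase 3E has not already shipped in an earlier release, keep that block under [Unreleased]; if it has, mention it in the commit message, which currently says only "implemented federation".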
@@ -30,6 +17,43 @@ Versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
- OCI container registry
|
||||
- Secret scanning (commit-level pattern detection)
|
||||
- Dependency vulnerability scanning
|
||||
- Cross-instance pull requests (ForgeFed ActivityPub extension)
|
||||
|
||||
---
|
||||
|
||||
## [0.9.0] — 2026-05-12
|
||||
|
||||
Phase 3F complete. ForgeBucket is now a first-class ActivityPub node — interoperable with Mastodon, Forgejo, and any fediverse server.
|
||||
|
||||
### Added — ActivityPub Federation (`internal/domain/federation/`)
|
||||
|
||||
- **`GET /.well-known/webfinger`** — resolves `acct:user@domain` to the actor URL; returns `application/jrd+json`
|
||||
- **`GET /users/{username}`** — returns a JSON-LD actor document (`Person` type) including public key object for HTTP signature verification
|
||||
- **`POST /users/{username}/inbox`** — receives and dispatches inbound ActivityPub activities; HTTP signature verification enforced in production (skipped in `DEBUG=true` mode for local testing)
|
||||
- **`GET /users/{username}/outbox`** — serves an `OrderedCollection` (summary on page 0, paginated `OrderedCollectionPage` on page ≥ 1, 20 activities per page)
|
||||
- **`GET /users/{username}/followers`** — stub `OrderedCollection` (zero items; social graph in Phase 4)
|
||||
- **`GET /users/{username}/following`** — stub `OrderedCollection`
|
||||
|
||||
### Added — HTTP Signatures (`internal/domain/federation/signatures.go`)
|
||||
- `Sign(req, keyID, privateKeyPEM)` — signs outgoing HTTP requests with RSA-SHA256; covers `(request-target)`, `host`, and `date` headers
|
||||
- `Verify(r, db, instanceURL)` — parses `Signature` header, resolves sender's public key (local `FederationActor` first, then network fetch via `FetchActor`), verifies RSA-SHA256 digest
|
||||
|
||||
### Added — Actor Lifecycle (`internal/domain/federation/actor.go`)
|
||||
- `GetOrCreate` — lazily creates a `FederationActor` for a local user; generates a fresh RSA-2048 key pair and derives `InboxURL`, `OutboxURL`, `APID` from `INSTANCE_URL`; stable across requests
|
||||
- `ActorJSON` — returns the JSON-LD document shape expected by all ActivityPub clients
|
||||
- `APID(instanceURL, username)` — canonical `{instanceURL}/users/{username}` helper
|
||||
|
||||
### Added — Follow / Accept Flow (`internal/domain/federation/inbox.go`)
|
||||
- Incoming `Follow` activities are auto-accepted: remote actor is fetched (or retrieved from cache), an `Accept` activity is signed and delivered to their inbox asynchronously
|
||||
- Both the inbound `Follow` and outbound `Accept` are persisted to `FederationActivity` for audit
|
||||
|
||||
### Added — Remote Actor Cache (`internal/domain/federation/remote.go`)
|
||||
- `FetchActor` — HTTP GET with `Accept: application/activity+json`, extracts inbox URL and public key PEM, stores in `RemoteActor` table to avoid repeated fetches
|
||||
- `DeliverActivity` — marshals activity JSON, signs the request, POSTs to recipient inbox with 15-second timeout
|
||||
|
||||
### Added — Database Models (migration `014_federation`)
|
||||
- `FederationActivity` — append-only log of all inbound and outbound activities: `ActorAPID`, `Type`, `ObjectJSON`, `Direction` (inbound/outbound), `RemoteActor`, `Published`
|
||||
- `RemoteActor` — cache for remote actor documents: `APID` (unique), `InboxURL`, `PublicKey`, `FetchedAt`
|
||||
|
||||
---
|
||||
|
||||
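Review bot: On the `POST /users/{username}/inbox` line, HTTP signature verification is skipped whenever `DEBUG=true`, so a general debug flag doubles as an authentication bypass for the inbox. Consider a dedicated, clearly named opt-out that is refused unless `INSTANCE_URL` points at a loopback host, and log a warning at startup when it is active. Two related points in the HTTP Signatures entries: `Sign` covers only `(request-target)`, `host`, and `date`, so the body of a delivered activity is not bound to the signature; adding a `digest` header to the signed set, and stating that `Verify` checks it along with the age of `date`, would close that gap and make "verifies RSA-SHA256 digest" unambiguous. `Verify` also falls back to a network fetch via `FetchActor` for a key ID taken from a not-yet-verified request; the changelog should say which destinations that fetch is allowed to reach and how long a `RemoteActor` row is trusted after `FetchedAt`, since a cached `PublicKey` with no expiry will keep validating after the remote actor rotates keys.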
@@ -312,7 +336,8 @@ Initial development milestone. Core Git hosting, collaboration, and frontend SPA
|
||||
|
||||
---
|
||||
|
||||
[Unreleased]: https://github.com/forgeo/forgebucket/compare/v0.8.0...HEAD
|
||||
[Unreleased]: https://github.com/forgeo/forgebucket/compare/v0.9.0...HEAD
|
||||
[0.9.0]: https://github.com/forgeo/forgebucket/compare/v0.8.0...v0.9.0
|
||||
[0.8.0]: https://github.com/forgeo/forgebucket/compare/v0.7.0...v0.8.0
|
||||
[0.7.0]: https://github.com/forgeo/forgebucket/compare/v0.6.0...v0.7.0
|
||||
[0.6.0]: https://github.com/forgeo/forgebucket/compare/v0.5.0...v0.6.0
|
||||
|
||||