Document signing companion HTTP requests#3556
Conversation
|
👋 Thanks for your contribution! I see you have provided all the required changelog information in your PR description. To complete the process, you'll need to create a changelog file in your branch. Please create a file named You can do this by either:
Once you've committed and pushed the file to your PR branch, the checks will pass automatically. |
|
Thanks again for pointing us back toward the existing composition and signing surfaces. I have now released Axismundi ActivityPub Bridge 0.0.16 Alpha, which works with stock ActivityPub 9.0.2 and no longer depends on the integration fork. The transport spool was also changed from the provisional private CPT to a dedicated delivery table rather than simply copying
The released Bridge instead uses one site-prefixed delivery table with a unique Activity URI hash, one status field, a conditional Current companion releases:
At this point the companion stack includes FEP-b2b8 Article projection, an FEP-1311-based standalone media rendition application, and Like/Undo plus Announce/Undo. FEP-044f quote authorization work is in progress. Once that layer is complete, I plan to run the real Article Create and end-to-end interaction scenarios against public Mastodon/Misskey instances and report the observed interoperability results. |
|
Follow-up interoperability update: The FEP-044f consent and authorization path is now implemented in the Axismundi companion stack. This includes per-Article I cannot yet honestly mark the complete Mastodon quote round trip as passed. During one deployment the Actor document was briefly cached without its Bridge 0.0.20 closes that deployment race: As an independent control, the same Actor identity, key material, stock ActivityPub signing hook, and Bridge delivery table successfully completed Follow/Accept and Announce/repost interoperability against uri.life. That instance does not expose quote authoring, so it could not exercise FEP-044f, but it confirms that the stock signing/composition path works outside the mastodon.social cache condition. Current relevant releases: I will post the final mastodon.social QuoteRequest -> Accept -> QuoteAuthorization result once that cache no longer masks the corrected Actor representation. |
|
Final interoperability update: The outbound FEP-044f Quote path is now complete in the Axismundi companion stack, including the held Create lifecycle for remote consent:
The projection emits the FEP-044f I have now verified the completed flow against both public implementations:
The generic Bridge delivery path is also covered end to end for outbound QuoteRequest, automatic Accept, and revocation Delete. The full quote path no longer requires Quote-specific transport code. Current releases: |
What
Document the existing companion-plugin signing surface in
FEDERATION.md.A caller can pass
key_idandprivate_keytowp_safe_remote_post()and reuse the plugin's existinghttp_request_argssignature implementation without adopting the official Outbox model.The new section also makes the ownership boundary explicit: the caller owns recipient validation, recipient selection, queueing, and retries, and should resolve private key material only while sending.
Why
This follows the maintainer guidance in #3548. The capability already exists and works with stock 9.0.2, but it was not documented as an extension point. A small documentation contract is preferable to adding a parallel delivery API.
Resolution of #3533
No new domain-persistence or delivery API is required. The inbound half already composes from the existing post-verification controller actions (
activitypub_inboxandactivitypub_inbox_shared), behavior-level handler registration throughactivitypub_register_handlers, and conditionalactivitypub_skip_inbox_storageclaiming. A companion can therefore consume verified traffic and suppress duplicate default domain persistence without replacing signature verification.For outbound traffic, the companion owns recipient selection, its private spool, and retry policy. This PR documents the remaining supported boundary: reusing the official
http_request_argssigner with transientkey_idandprivate_keyrequest arguments. Together these existing seams satisfy the inbound and outbound requirements described in #3533 while keeping the official plugin authoritative for protocol verification and HTTP signing.Validation
Changelog
Changelog Entry Details
Significance
Type
Message
Document how companion plugins can reuse the existing outbound HTTP signing extension point.
Closes #3533