11 Commits

Author	SHA1	Message	Date
Ricardo	80ef9bca11	docs: update CLAUDE.md and README.md for v3.9 audit refactoring ... CLAUDE.md: - Architecture tree: add 4 extracted modules (batch-broadcast, syndicator, init-indexes, federation-actions) - Update index.js description to "lifecycle orchestration" - Data flow: add batch-broadcast delivery path README.md: - Remove stale "no custom emoji rendering" limitation - Update account enrichment to describe non-blocking behavior - Add 3 missing Mastodon API MongoDB collections - Add OAuth scope enforcement, rate limiting, token expiry, and CSRF to Mastodon Client API features	2026-03-25 12:35:10 +01:00
Ricardo	12454749ad	fix: comprehensive security, performance, and architecture audit fixes ... 27 issues fixed from multi-dimensional code review (4 Critical, 6 High, 11 Medium, 6 Low): Security (Critical): - Escape HTML in OAuth authorization page to prevent XSS (C1) - Add CSRF protection to OAuth authorize flow (C2) - Replace bypassable regex sanitizer with sanitize-html library (C3) - Enforce OAuth scopes on all Mastodon API routes (C4) Security (Medium/Low): - Fix SSRF via DNS resolution before private IP check (M1) - Add rate limiting to API, auth, and app registration endpoints (M2) - Validate redirect_uri on POST /oauth/authorize (M4) - Fix custom emoji URL injection with scheme validation + escaping (M5) - Remove data: scheme from allowed image sources (L6) - Add access token expiry (1hr) and refresh token rotation (90d) (M3) - Hash client secrets before storage (L3) Architecture: - Extract batch-broadcast.js — shared delivery logic (H1a) - Extract init-indexes.js — MongoDB index creation (H1b) - Extract syndicator.js — syndication logic (H1c) - Create federation-actions.js facade for controllers (M6) - index.js reduced from 1810 to ~1169 lines (35%) Performance: - Cache moderation data with 30s TTL + write invalidation (H6) - Increase inbox queue throughput to 10 items/sec (H5) - Make account enrichment non-blocking with fire-and-forget (H4) - Remove ephemeral getReplies/getLikes/getShares from ingest (M11) - Fix LRU caches to use true LRU eviction (L1) - Fix N+1 backfill queries with batch $in lookup (L2) UI/UX: - Split 3441-line reader.css into 15 feature-scoped files (H2) - Extract inline Alpine.js interaction component (H3) - Reduce sidebar navigation from 7 to 3 items (M7) - Add ARIA live regions for dynamic content updates (M8) - Extract shared CW/non-CW content partial (M9) - Document form handling pattern convention (M10) - Add accessible labels to functional emoji icons (L4) - Convert profile editor to Alpine.js (L5) Audit: documentation-central/audits/2026-03-24-activitypub-code-review.md Plan: documentation-central/plans/2026-03-24-activitypub-audit-fixes.md	2026-03-25 07:41:20 +01:00
Ricardo	c71fd691a3	fix: direct follow workaround for tags.pub identity/v1 context rejection ... tags.pub's activitypub-bot (activitystrea.ms parser) rejects any activity body containing the https://w3id.org/identity/v1 JSON-LD context with 400 Invalid request body. Fedify 2.0 adds this context via LD Signatures (RsaSignature2017) on all outbound activities. Workaround: lib/direct-follow.js sends Follow/Undo(Follow) with a minimal body (no LD Sig, no proof) using draft-cavage HTTP Signatures, scoped only to tags.pub via DIRECT_FOLLOW_HOSTS set. Also removes [federation-diag] inbox POST logging (no longer needed). Upstream: https://github.com/social-web-foundation/tags.pub/issues/10	2026-03-22 19:40:12 +01:00
Ricardo	0d8b2d0f11	docs: update CLAUDE.md and README.md with Mastodon Client API layer ... CLAUDE.md: - Architecture: add full lib/mastodon/ tree (entities, helpers, middleware, routes) - Data flow: add Mastodon API path (client → /api/v1/* → ap_timeline + Fedify) - Collections: add ap_oauth_apps, ap_oauth_tokens, ap_markers; fix ap_blocked_servers field name - Gotchas #34-35: Mastodon API architecture decisions (pagination, own-post detection, account enrichment, OAuth native app redirect, token storage, route ordering, unsigned fallback, backfill, content processing) - Route table: add all Mastodon Client API endpoints README.md: - Updated description to mention Mastodon Client API compatibility - Added full Mastodon Client API feature section - Added moderation overview to Admin UI features	2026-03-21 20:50:36 +01:00
Ricardo	d676374ec1	docs: document Fedify workarounds for endpoints type and PropertyValue attachment ... - Gotcha 10: endpoints as:Endpoints type stripping (fedify#576, fixed in 2.1.0) - Gotcha 11: PropertyValue attachment type validation (fedify#629, open) - README: added both to Fedify Workarounds section - Renumbered gotchas 10-31 → 12-33 Confab-Link: http://localhost:8080/sessions/af5f8b45-6b8d-442d-8f25-78c326190709	2026-03-17 15:16:01 +01:00
Ricardo	a87fe59259	docs: update CLAUDE.md and README.md with v2.14.0/v2.15.0 features ... Add full feature documentation for federation resilience (v2.14.0) and Hollo-inspired patterns (v2.15.0). Add credits to Hollo, Fedify, and Wafrn. Update architecture tree, collections table, routes, and gotchas in CLAUDE.md. Confab-Link: http://localhost:8080/sessions/af5f8b45-6b8d-442d-8f25-78c326190709	2026-03-17 11:23:12 +01:00
Ricardo	ab2363d123	docs: update CLAUDE.md and README.md for v2.5.0 ... Document unified item processing pipeline (gotcha #23), parameterized infinite scroll component (gotcha #24), quote embeds (gotcha #25). Update architecture tree with new modules and controllers. Expand route table and admin UI pages with explore, tag timeline, post detail, and API endpoints. Add reader features (explore, hashtags, quotes, link previews, read tracking, infinite scroll) to README. Confab-Link: http://localhost:8080/sessions/e9d666ac-3c90-4298-9e92-9ac9d142bc06	2026-03-03 13:03:48 +01:00
Ricardo	fceac1f344	feat: use authenticated document loader for all inbox handler fetches ... Pass ctx.getDocumentLoader({ identifier: handle }) to every .getActor(), .getObject(), and .getTarget() call in inbox handlers. This signs outbound fetches with our actor's key, fixing silent failures against Authorized Fetch (Secure Mode) servers like hachyderm.io. The authenticated loader is also threaded through extractObjectData() and extractActorInfo() in timeline-store.js so internal calls to .getAttributedTo(), .getIcon(), .getTags(), and .getAttachments() also use signed requests. Also removes the endpoints.type workaround in federation-bridge.js since Fedify 2.0 fixed issue #576 upstream. The attachment array workaround for Mastodon compatibility remains. Bumps version to 2.0.26.	2026-02-25 09:41:29 +01:00
Ricardo	a6f3f8dd6c	docs: update CLAUDE.md and README.md for Fedify 2.0 ... - Update dependencies table (remove @fedify/express, add @fedify/debugger, unfurl.js) - Add new config options: debugDashboard, debugPassword, notificationRetentionDays - Document new gotchas: modular imports, importSpkiPem removal, KvStore list(), debug dashboard body consumption - Update LogTape gotcha for debug dashboard interaction - Add debug dashboard and public profile routes to route table - README: add public profile and debug dashboard feature sections, Fedify 2.0 mention	2026-02-22 14:36:40 +01:00
Ricardo	0fa446ceb2	feat: make Fedify log level configurable via logLevel option ... Default changed from "info" to "warning" so production logs are quiet. Set logLevel to "info" or "debug" in config to troubleshoot federation.	2026-02-21 22:51:07 +01:00
Ricardo	b81ecbcaa4	docs: add CLAUDE.md for AI agents and README.md for humans ... CLAUDE.md covers architecture, 18 critical gotchas distilled from bug fixes (Fedify bridge, objectId vs getObject, template collisions, Express 5 redirect, date handling, author fallback chain, etc.), MongoDB collections, route table, and publishing workflow. README.md covers features, installation, configuration, nginx setup, how syndication/inbox/content negotiation work, Mastodon migration, admin UI reference, and known limitations.	2026-02-21 17:06:11 +01:00