Description
Wire incoming supported ActivityPub requests into the portable core boundary.
Scope
- Add the local actor inbox route.
- Enforce request size and supported ActivityPub content types.
- Parse supported incoming activities into
feder-vocab types.
- Convert supported activities into
feder_core::Input values.
- Call
FederCore::handle and return appropriate HTTP responses.
- Reject unsupported or malformed activities without mutating core state.
- Keep unsigned inbox operation restricted to tests, localhost, or an explicit insecure development mode until signature verification is implemented.
Security constraint
This issue does not establish request authenticity. A public deployment must not trust the JSON actor field until HTTP Signature verification confirms the signer and checks that it matches the activity actor.
Done when
- A controlled integration test can POST a Follow and observe the expected core actions.
- Unsupported, malformed, oversized, and disallowed unsigned requests are rejected.
- The runtime/core boundary remains explicit and the core performs no HTTP work.
Out of scope
- Production-safe public inbox exposure.
- HTTP Signature verification.
- Remote actor or key fetching.
- Executing storage and delivery actions.
Description
Wire incoming supported ActivityPub requests into the portable core boundary.
Scope
feder-vocabtypes.feder_core::Inputvalues.FederCore::handleand return appropriate HTTP responses.Security constraint
This issue does not establish request authenticity. A public deployment must not trust the JSON
actorfield until HTTP Signature verification confirms the signer and checks that it matches the activity actor.Done when
Out of scope