GKaszewski/k-ap
1
0
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases Wiki Activity

chore: bump to 0.4.0, update changelog
All checks were successful
CI / fmt (push) Successful in 21s
Details
CI / clippy (push) Successful in 2m51s
Details
CI / test (push) Successful in 3m49s
Details

Browse Source
This commit is contained in:
Gabriel Kaszewski
2026-05-30 02:50:46 +02:00
parent 4cb8efb6ce
commit d1ce277ff5
3 changed files with 30 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
CHANGELOG.md
View File

@@ -1,5 +1,33 @@
# Changelog
## [0.4.0] — 2026-05-30
### Breaking changes
**`RemoteActor` has a new required field `fetched_at: Option<DateTime<Utc>>`** — set to `Some(Utc::now())` when fetched from a remote instance, or `None` for locally-constructed actors. Consumers must add this column to their `upsert_remote_actor` / `get_remote_actor` implementations.
**`ApFederationConfig::new()` signature changed** — now takes an additional `signing_actor: Option<&DbActor>` parameter. Internal to consumers using `ApFederationConfig` directly; builder users are unaffected.
**`FederationData::new()` takes an additional `actor_cache_ttl: Duration` parameter** — only affects consumers constructing `FederationData` directly (e.g. tests).
---
### New features
**Signed fetch for authorized-fetch / Secure Mode** — set `.signed_fetch_actor_id(uuid)` on the builder to sign all outgoing GET requests with that actor's keypair. Call `service.signed_fetch(&url)` to fetch any remote AP resource with signatures.
**Actor cache TTL**`fetched_at` is now tracked on `RemoteActor`. Configure staleness via `.actor_cache_ttl_secs(secs)` (default: 24h). Use `get_or_refresh_remote_actor(actor_url)` for TTL-aware lookups that re-fetch stale actors from origin.
**SSRF protection** — all outgoing HTTP requests (federation fetches, WebFinger, backfill) now validate resolved IPs against private/reserved ranges (127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, CGNAT 100.64/10, ::1, fc00::/7, fe80::/10). Debug mode bypasses this check.
---
### Bug fixes
**Inbound `Block` now persists to `BlocklistRepository`**`BlockActivity::receive()` calls `add_blocked_actor()` after removing follower/following relationships. `Undo(Block)` clears the record via `remove_blocked_actor()`.
---
## [0.3.1] — 2026-05-29
### Breaking changes

2
Cargo.lock generated
View File

@@ -1368,7 +1368,7 @@ dependencies = [
[[package]]
name = "k-ap"
version = "0.3.1"
version = "0.4.0"
dependencies = [
"activitypub_federation",
"anyhow",

2
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "k-ap"
version = "0.3.1"
version = "0.4.0"
edition = "2024"
description = "Generic ActivityPub protocol layer"
license = "MIT"