
F.7: Mastodon bundle — flagship federated microblog #16

Open
kh0pper wants to merge 1 commit into f6-lemmy-bundle from f7-mastodon-bundle

Owner

@kh0pper kh0pper commented Apr 12, 2026

Summary

Stacked on F.6 (Lemmy). Heaviest small-AP bundle in the roll-out. Third consumer of F.0's storage-translators (Mastodon's S3_* envelope). Validates that F.1/F.5's Mastodon-API verb taxonomy scales against the reference implementation — same verbs, full admin surface (severity-tunable defederate, report review, remote reporting with attached status_ids).

  • ghcr.io/mastodon/mastodon:v4.3.0 (web + sidekiq) + mastodon-streaming:v4.3.0 (Node streaming split out in 4.3+) + postgres:15 + redis:7 = 5 containers. Web command runs db:migrate + assets:precompile on first boot; healthcheck start_period=180s.
  • 15 MCP tools per the federated-social verb taxonomy — all the usual suspects plus Mastodon-specific admin verbs (mastodon_defederate with severity silence/suspend/noop, mastodon_mute_user with temporary duration + notification-only scope, mastodon_report_remote with status_ids attachment + category).
  • Storage: on-disk default; set MASTODON_S3_* and scripts/configure-storage.mjs routes through F.0's storage-translators.mastodon() (S3_ENABLED + S3_BUCKET + S3_PROTOCOL + S3_HOSTNAME + AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY).
  • Hardware gate: min_ram_mb=3000, recommended=6000. This bundle is refused on hosts that can't meet 3 GB effective RAM after committed bundles — meaning on <8 GB hosts the gate will typically say no once any other bundle is co-installed.
  • Consent text (EN/ES) emphasizes LOCAL_DOMAIN immutability: once federation occurs, the domain cannot be changed without abandoning every federated identity.

Test plan

  • node --check on all JS files
  • bash -n on shell scripts
  • MCP server boots via createMastodonServer() with no env set
  • docker compose config parses with required env set
  • JSON parse on manifest, package, registry
  • npm run check passes
  • End-to-end install on a test host (deferred)
  • Async media upload round-trip (pass through the 202→polling branch)
  • Storage translation end-to-end (MinIO → Mastodon photo upload → verify in bucket)
  • Queued admin defederate + blocklist import (needs F.11 panel UI)

Integration notes

  • Third Mastodon-API consumer. resolveAccount() + queueModerationAction() are deliberately duplicated across F.1/F.5/F.7 rather than extracted. File-top comment documents the hoist threshold: when a fourth Mastodon-compatible bundle lands (Akkoma / Iceshrimp), move the shared code to servers/shared/mastodon-api.js. Three copies is acceptable; four is the trigger.
  • F.12 unblocked. With F.3 (Matrix-Dendrite) and F.7 (Mastodon) both shipped, F.12 cross-app bridging now has the two federated endpoints it needs for meaningful bridges + crossposting.
  • Image tags v4.3.0 pinned at implementation time. 4.3 is the active release line. Next-major bumps follow the image-tag policy (separate PR, CVE-feed-gated).

Rollout position

  • F.0 → F.6 shipped
  • F.7 (this PR)
  • Next: F.8 PeerTube (video — heaviest bundle, needs S3 + aggressive transcoding policy)
  • Then F.11 identity attestation (independent), F.12 cross-app bridging (now unblocked)

🤖 Generated with Claude Code

Stacked on F.6 (Lemmy). Heaviest small-AP bundle in the roll-out; third
consumer of F.0's storage-translators (storage-translators.mastodon()).
Validates that F.1/F.5's Mastodon-API verb taxonomy scales to the real
reference implementation.

Bundle (bundles/mastodon/):

- manifest.json  consent_required with EN/ES covering federation reach,
                 LOCAL_DOMAIN immutability (once federated, the domain
                 cannot be changed without abandoning every identity),
                 remote-media cache growth (10-100 GB without S3),
                 hardware gate (min 3 GB effective RAM, warn <8 GB total).
- docker-compose.yml  ghcr.io/mastodon/mastodon:v4.3.0 (web + sidekiq) +
                 mastodon-streaming:v4.3.0 (Node streaming split out in
                 4.3+) + postgres:15-alpine + redis:7-alpine. 5 containers.
                 Web entrypoint runs db:migrate + assets:precompile +
                 puma. Blank-default S3_* passthrough for
                 configure-storage.mjs. mem_limits: web=2g, sidekiq=1.5g,
                 streaming=512m, postgres=512m, redis=256m.
                 start_period=180s on web (first-boot migrations +
                 asset precompile).
- server/server.js  15 MCP tools matching the federated-social verb
                 taxonomy: mastodon_status, mastodon_post,
                 mastodon_post_with_media (async /api/v2/media upload
                 with processing-poll), mastodon_feed
                 (home/public/local/notifications), mastodon_search,
                 mastodon_follow/unfollow, mastodon_block_user,
                 mastodon_mute_user (supports duration + notification-only),
                 mastodon_block_domain (user-scope inline),
                 mastodon_defederate (admin, QUEUED, severity selector),
                 mastodon_import_blocklist (QUEUED), mastodon_review_reports,
                 mastodon_report_remote (status_ids + category),
                 mastodon_media_prune (surfaces tootctl recipe — Mastodon
                 keeps media prune as CLI to prevent accidental
                 mass-deletion). resolveAccount() +
                 queueModerationAction() duplicated from F.1/F.5 by
                 design; file-top comment documents the hoist threshold
                 (fourth Mastodon-compatible bundle).
- server/index.js  stdio transport.
- panel/mastodon.js + panel/routes.js  Nest panel: instance status +
                 home timeline. XSS-safe. /api/mastodon/{status,feed}.
- skills/mastodon.md  secret-generation via rake secret + VAPID keypair,
                 first-run bootstrap (tootctl accounts create with Admin
                 role), Caddy activitypub-mastodon profile (wires
                 /api/v1/streaming to mastodon-streaming:4000), moderation
                 ladder, troubleshooting (auth scopes, sidekiq queue,
                 federation delivery retries, media cache).
- scripts/post-install.sh  240s web health wait (migrations + asset
                 precompile), configure-storage.mjs invocation when
                 MASTODON_S3_ENDPOINT set, federation-network
                 verification, next-step guidance.
- scripts/configure-storage.mjs  wraps storage-translators.mastodon().
                 Inline fallback if shared helper unresolvable
                 (installed-mode).
- scripts/backup.sh  pg_dump + system/ tar. Loud warning: .env holds
                 SECRET_KEY_BASE + OTP_SECRET + VAPID keys — back up
                 SEPARATELY and encrypted; LOSS invalidates 2FA + sessions.
- package.json  MCP + zod deps.

Integrations with shipped F-series:

- F.0 storage-translators.mastodon()  third consumer (after F.4, F.5).
- F.0 rate limiter  content + moderation verbs. Read-only uncapped.
- F.0 hardware gate  manifest-declared minimums.
- F.1 GoToSocial + F.5 Pixelfed  same Mastodon API; verb taxonomy
  transfers cleanly across all three.

Human-in-the-loop moderation:

- Inline (rate-limited): mastodon_block_user, mastodon_mute_user,
  mastodon_block_domain (user-scoped), mastodon_report_remote.
- Queued (operator confirms in Nest within 72h): mastodon_defederate
  (admin /api/v1/admin/domain_blocks with severity silence/suspend/noop),
  mastodon_import_blocklist.
- Media prune surfaced as tootctl recipe rather than HTTP invocation
  (Mastodon's deliberate API omission).

Image tag policy:

- ghcr.io/mastodon/mastodon:v4.3.0 + mastodon-streaming:v4.3.0 pinned
  at implementation time; 4.3 is the active release line.

Registry / discovery surface:

- registry/add-ons.json  entry before developer-kit.
- skills/superpowers.md  trigger row (EN+ES).
- CLAUDE.md  Skills Reference entry after lemmy.md.

Verified:

- node --check on all JS files
- bash -n on shell scripts
- MCP server boots via createMastodonServer() with no env set
- docker compose config parses with required env set
- JSON parse on manifest, package, registry
- npm run check passes

Next:

- F.8 PeerTube (video, needs S3 + transcoding policy — heaviest bundle)
- F.11 identity attestation (independent)
- F.12 cross-app bridging (F.3 Matrix + F.7 Mastodon both now present — unblocked)
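
The inline/queued moderation split described in the commit message above, as an added sketch that is not code from this PR or its repository: inline verbs run immediately, queued admin verbs wait for an operator and lapse after 72 hours. `createModerationGate`, `submit`, `confirm` and the `actor` string are hypothetical names; rate limiting of the inline verbs is left out.

```javascript
// Added illustration only. Verb names and severities come from the PR text;
// every function name and the "operator" actor label are assumptions.
const INLINE = new Set(["mastodon_block_user", "mastodon_mute_user",
  "mastodon_block_domain", "mastodon_report_remote"]);
const QUEUED = new Set(["mastodon_defederate", "mastodon_import_blocklist"]);
const SEVERITIES = new Set(["silence", "suspend", "noop"]);
const CONFIRM_WINDOW_MS = 72 * 60 * 60 * 1000; // operator confirms within 72h

function createModerationGate(execute) {
  const pending = new Map(); // id -> { verb, args, expiresAt }
  let nextId = 1;

  // Called by the tool layer. `now` is passed in so expiry is testable.
  function submit(verb, args, now) {
    if (INLINE.has(verb)) {
      return { state: "executed", result: execute(verb, args) };
    }
    if (!QUEUED.has(verb)) return { state: "rejected", reason: "unknown verb" };
    // Validate before queueing so the operator never reviews a malformed action.
    if (verb === "mastodon_defederate" && !SEVERITIES.has(args?.severity)) {
      return { state: "rejected", reason: "invalid severity" };
    }
    const id = nextId++;
    // Freeze a copy: what the operator reviewed is exactly what later executes.
    const frozen = Object.freeze({ ...args });
    pending.set(id, { verb, args: frozen, expiresAt: now + CONFIRM_WINDOW_MS });
    return { state: "queued", id };
  }

  // Called from the operator-facing panel, never from the tool layer.
  function confirm(id, actor, now) {
    const entry = pending.get(id);
    if (!entry) return { state: "rejected", reason: "no such entry" };
    // A non-operator attempt must not consume or alter the queued entry.
    if (actor !== "operator") return { state: "rejected", reason: "operator required" };
    pending.delete(id); // single use: a confirmation cannot be replayed
    if (now > entry.expiresAt) return { state: "expired" };
    return { state: "executed", result: execute(entry.verb, entry.args) };
  }

  return { submit, confirm, pendingCount: () => pending.size };
}
```

In a real deployment the `actor` value would come from the authenticated panel session rather than from a caller-supplied string.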