Ryan Barrett

Hmm! Interesting. Sorry for the trouble! We don't have an explicit depth limit; we use https://docs.joinmastodon.org/methods/statuses/#context (authenticated) to get Mastodon replies, and this is far below its threshold, so I'm...

From https://en.m.wikipedia.org/wiki/MeWe : > MeWe's practice of creating accounts on behalf of users and businesses who were not users of the site may have served to inflate the amount of...

Heard from the user here: as expected, they hadn't intended `#nobot` to block bridges after all. Should we drop `#nobot` and only use `nobridge` to opt out?

The ATProto equivalent might be [`alsoKnownAs` in the DID document](https://github.com/snarfed/did-method-plc#how-it-works). Discussion: https://github.com/bluesky-social/atproto/discussions/2075

Current tentative plan: use each protocols' native mechanism, identify protocols by URI scheme and/or MIME type. Not ideal, but it's a start.

[AP mentions this very lightly for `Update`:](https://www.w3.org/TR/activitypub/#update-activity-inbox) > The receiving server MUST take care to be sure that the Update is authorized to modify its object. At minimum, this may...

...but sadly AP doesn't specify any authorization/permission model more comprehensive than those bits. Supposedly the most common one is "same origin," which says that the `actor` of any activity that...

Another point to check: when we fetch an actor, we should check that its `id` is the same (final) URL we fetched. If it's not, we should override it with...

For a second, I worried that this started to re-introduce the req't from some implementations like Mastodon that object ids are on the same domain as their author/actor's id, which...

TODO: make task queue handlers admin only, pass `authed_as` to receive task.