-
v7.0.0
Stablereleased this
2026-06-30 15:19:31 +00:00 | 14 commits to main since this releaseTea Leaves v7.0.0 — Cross-Instance Collaborative Editing
Released 2026-06-30
Extends the read-only federation layer into write-capable cross-instance collaboration: an invited researcher on another Tea Leaves instance can create and update entries in a host project over a signed ActivityPub channel, with a trust chain, conflict review, and an admin kill-switch. Migrations
041–043(additive).✨ Features
🤝 Cross-instance write path (#12 / #9 / #10 / #11)
- Invite a remote editor by their ActivityPub actor URL (
POST /api/projects/:id/invite-remote); their instance must be federated + enabled. - Signed write path — a
Create/Updateof aNoteaddressed to a project's AP context becomes an entry write. The signature is verified against the actor's cached key and bound to the activity'sactor(no actor spoofing); only accepted remote editors may write (no open inbox). Remote-authored entries carry attribution snapshotted from the actor. - Conflict resolution — optimistic lock on
updated_atvs the activity'spublished: non-conflicting writes apply automatically (last-write-wins), conflicts land in an owner review queue (apply / keep mine). - Schema:
project_collaborators.remote_actor_url+remote_contributions(migration041).
↔️ Editor-side round-trip (#62)
The other half: an invited editor's instance learns of the invite via a signed AP Invite (a new Shared with me page), signed-fetches the host project's entries (
GET /ap/projects/:id), and delivers signed Create/Update edits from a remote-project view — completing create and update end-to-end across instances. (migrations042–043)🛑 Admin defederation kill-switch (#61)
Sever a malicious or compromised instance: a blocked state that hard-rejects its inbound activity before signature processing, revokes its remote editors, quarantines its pending/conflict contributions, and optionally purges the entries its actors authored.
🔒 Security
Two hardenings caught by automated review during the build:
- Inbound signatures must now cover
(request-target)/date/digestwith the digest verified unconditionally — closes a replay / body-substitution actor-spoofing gap (also hardens the existing Follow/comment inbox). - Editor egress (Invite-supplied host URLs) is restricted to admin-federated origins — an SSRF guard.
🧪 Internal
API test suite grew to 218 tests (HTTP-signature harnesses for the signed read/write paths). No breaking changes; migrations
041–043apply on startup.Downloads
-
Source code (ZIP)
0 downloads
-
Source code (TAR.GZ)
0 downloads
- Invite a remote editor by their ActivityPub actor URL (