Automattic · pfefferle · May 8, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
diff --git a/.github/changelog/feature-collections-consent b/.github/changelog/feature-collections-consent
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Add an opt-in setting to consent to inclusion in Starter Kits (also called Starter Packs or Featured Collections). Off by default. Find it under Settings, ActivityPub, Activities.
diff --git a/includes/activity/class-activity.php b/includes/activity/class-activity.php
@@ -38,9 +38,10 @@ class Activity extends Base_Object {
 	const JSON_LD_CONTEXT = array(
 		'https://www.w3.org/ns/activitystreams',
 		array(
-			'toot'         => 'http://joinmastodon.org/ns#',
-			'QuoteRequest' => 'toot:QuoteRequest',
-			'blurhash'     => 'toot:blurhash',
+			'toot'           => 'http://joinmastodon.org/ns#',
+			'QuoteRequest'   => 'toot:QuoteRequest',
+			'blurhash'       => 'toot:blurhash',
+			'FeatureRequest' => 'https://w3id.org/fep/7aa9#FeatureRequest',
 		),
 	);
 
@@ -71,6 +72,7 @@ class Activity extends Base_Object {
 		'Move',
 		'Offer',
 		'QuoteRequest', // @see https://codeberg.org/fediverse/fep/src/branch/main/fep/044f/fep-044f.md
+		'FeatureRequest', // @see https://w3id.org/fep/7aa9 (FEP-7aa9 draft)
 		'Read',
 		'Reject',
 		'Remove',

diff --git a/includes/activity/class-actor.php b/includes/activity/class-actor.php
@@ -74,6 +74,7 @@ class Actor extends Base_Object {
 			'toot'                      => 'http://joinmastodon.org/ns#',
 			'lemmy'                     => 'https://join-lemmy.org/ns#',
 			'litepub'                   => 'http://litepub.social/ns#',
+			'gts'                       => 'https://gotosocial.org/ns#',
 			'manuallyApprovesFollowers' => 'as:manuallyApprovesFollowers',
 			'PropertyValue'             => 'schema:PropertyValue',
 			'value'                     => 'schema:value',
@@ -107,6 +108,18 @@ class Actor extends Base_Object {
 				'@type'      => '@id',
 				'@container' => '@list',
 			),
+			'interactionPolicy'         => array(
+				'@id'   => 'gts:interactionPolicy',
+				'@type' => '@id',
+			),
+			'canFeature'                => array(
+				'@id'   => 'https://w3id.org/fep/7aa9#canFeature',
+				'@type' => '@id',
+			),
+			'automaticApproval'         => array(
+				'@id'   => 'gts:automaticApproval',
+				'@type' => '@id',
+			),
 			'postingRestrictedToMods'   => 'lemmy:postingRestrictedToMods',
 			'discoverable'              => 'toot:discoverable',
 			'indexable'                 => 'toot:indexable',
@@ -369,4 +382,43 @@ class Actor extends Base_Object {
 	 * @var boolean|null
 	 */
 	protected $invisible = null;
+
+	/**
+	 * Get the actor-level interaction policy.
+	 *
+	 * Overrides the magic property accessor on Base_Object so that we always
+	 * compute the policy from the current site setting rather than returning a
+	 * cached property value. Currently only emits `canFeature` (FEP-7aa9).
+	 * Driven by the site option `activitypub_default_feature_policy` and
+	 * defaults to denying all featured-collection requests, in line with
+	 * FEP-7aa9's "absence of policy = no consent" rule.
+	 *
+	 * @see https://w3id.org/fep/7aa9
+	 *
+	 * @since unreleased
+	 *
+	 * @return array
+	 */
+	public function get_interaction_policy() {
+		return array_merge( (array) parent::get_interaction_policy(), array( 'canFeature' => $this->build_can_feature_policy() ) );
+	}
+
+	/**
+	 * Build the `canFeature` policy array from the site option.
+	 *
+	 * @return array
+	 */
+	protected function build_can_feature_policy() {
+		$policy = \get_option( 'activitypub_default_feature_policy', ACTIVITYPUB_INTERACTION_POLICY_ME );
+
+		switch ( $policy ) {
+			case ACTIVITYPUB_INTERACTION_POLICY_ANYONE:
+				return array( 'automaticApproval' => array( 'https://www.w3.org/ns/activitystreams#Public' ) );
+			case ACTIVITYPUB_INTERACTION_POLICY_FOLLOWERS:
+				return array( 'automaticApproval' => array( $this->get_followers() ) );
+			case ACTIVITYPUB_INTERACTION_POLICY_ME:
+			default:
+				return array( 'automaticApproval' => array( $this->get_id() ) );
+		}
+	}
 }
diff --git a/includes/activity/extended-object/class-feature-authorization.php b/includes/activity/extended-object/class-feature-authorization.php
@@ -0,0 +1,74 @@
+<?php
+/**
+ * Feature_Authorization is an implementation of the FeatureAuthorization activity type,
+ * as defined in FEP-7aa9 (https://w3id.org/fep/7aa9).
+ *
+ * This class represents a FeatureAuthorization activity for ActivityPub implementations.
+ *
+ * @package Activitypub
+ */
+
+namespace Activitypub\Activity\Extended_Object;
+
+use Activitypub\Activity\Base_Object;
+
+/**
+ * Class representing a FeatureAuthorization activity.
+ *
+ * @see https://w3id.org/fep/7aa9
+ *
+ * @since unreleased
+ *
+ * @method Base_Object|string|array|null get_interacting_object() Gets the interacting object property of the object.
+ * @method Base_Object|string|array|null get_interaction_target() Gets the interaction target property of the object.
+ *
+ * @method Feature_Authorization set_interacting_object( string|array|Base_Object|null $data ) Sets the interacting object property of the object.
+ * @method Feature_Authorization set_interaction_target( string|array|Base_Object|null $data ) Sets the interaction target property of the object.
+ */
+class Feature_Authorization extends Base_Object {
+	/**
+	 * The JSON-LD context for the object.
+	 *
+	 * Intentionally minimal: stamps are always served standalone at their own
+	 * URL, so we ship only the vocabulary the stamp document itself uses.
+	 * Mirrors the Quote_Authorization (FEP-044f) approach.
+	 *
+	 * @var array
+	 */
+	const JSON_LD_CONTEXT = array(
+		'https://www.w3.org/ns/activitystreams',
+		array(
+			'FeatureAuthorization' => 'https://w3id.org/fep/7aa9#FeatureAuthorization',
+			'gts'                  => 'https://gotosocial.org/ns#',
+			'interactingObject'    => array(
+				'@id'   => 'gts:interactingObject',
+				'@type' => '@id',
+			),
+			'interactionTarget'    => array(
+				'@id'   => 'gts:interactionTarget',
+				'@type' => '@id',
+			),
+		),
+	);
+
+	/**
+	 * The type of the object.
+	 *
+	 * @var string
+	 */
+	protected $type = 'FeatureAuthorization';
+
+	/**
+	 * The object that is being interacted with.
+	 *
+	 * @var Base_Object|string|array|null
+	 */
+	protected $interacting_object;
+
+	/**
+	 * The target of the interaction.
+	 *
+	 * @var Base_Object|string|array|null
+	 */
+	protected $interaction_target;
+}
diff --git a/includes/class-handler.php b/includes/class-handler.php
@@ -28,6 +28,7 @@ public static function register_handlers() {
 		Handler\Collection_Sync::init();
 		Handler\Create::init();
 		Handler\Delete::init();
+		Handler\Feature_Request::init();
 		Handler\Follow::init();
 		Handler\Like::init();
 		Handler\Move::init();

diff --git a/includes/class-options.php b/includes/class-options.php
@@ -201,6 +201,24 @@ public static function register_settings() {
 			)
 		);
 
+		\register_setting(
+			'activitypub',
+			'activitypub_default_feature_policy',
+			array(
+				'type'              => 'string',
+				'description'       => 'Default policy for who can include this site\'s actors in featured collections (FEP-7aa9).',
+				'default'           => ACTIVITYPUB_INTERACTION_POLICY_ME,
+				'sanitize_callback' => static function ( $value ) {
+					$allowed = array(
+						ACTIVITYPUB_INTERACTION_POLICY_ANYONE,
+						ACTIVITYPUB_INTERACTION_POLICY_FOLLOWERS,
+						ACTIVITYPUB_INTERACTION_POLICY_ME,
+					);
+					return \in_array( $value, $allowed, true ) ? $value : ACTIVITYPUB_INTERACTION_POLICY_ME;
+				},
+			)
+		);
+
 		\register_setting(
 			'activitypub',
 			'activitypub_relays',

diff --git a/includes/class-query.php b/includes/class-query.php
@@ -7,6 +7,7 @@
 
 namespace Activitypub;
 
+use Activitypub\Activity\Extended_Object\Feature_Authorization;
 use Activitypub\Activity\Extended_Object\Quote_Authorization;
 use Activitypub\Collection\Actors;
 use Activitypub\Collection\Outbox;
@@ -139,8 +140,14 @@ public function get_activitypub_object_id() {
 	private function prepare_activitypub_data() {
 		$queried_object = $this->get_queried_object();
 
-		if ( $queried_object instanceof \WP_Post && \get_query_var( 'stamp' ) ) {
-			return $this->maybe_get_stamp();
+		if ( \get_query_var( 'stamp' ) ) {
+			if ( $queried_object instanceof \WP_Post ) {
+				return $this->maybe_get_stamp();
+			}
+
+			if ( $queried_object instanceof \WP_User || \get_query_var( 'actor' ) ) {
+				return $this->maybe_get_actor_stamp();
+			}
 		}
 
 		// Check for Outbox Activity.
@@ -433,4 +440,63 @@ private function maybe_get_stamp() {
 
 		return true;
 	}
+
+	/**
+	 * Maybe get a FeatureAuthorization object from an actor-scoped stamp.
+	 *
+	 * Resolves URLs of the form `?actor=USER_ID&stamp=UMETA_ID` against the
+	 * `_activitypub_featured_by` user meta. The umeta_id doubles as the stamp
+	 * identifier; ownership is enforced by checking the row's user_id matches
+	 * the queried actor.
+	 *
+	 * @return bool True if a FeatureAuthorization was prepared, false otherwise.
+	 */
+	private function maybe_get_actor_stamp() {
+		$stamp_id = (int) \get_query_var( 'stamp' );
+		$actor_id = (int) \get_query_var( 'actor' );
+
+		if ( ! $stamp_id ) {
+			return false;
+		}
+
+		if ( ! $actor_id ) {
+			$queried = $this->get_queried_object();
+			if ( $queried instanceof \WP_User ) {
+				$actor_id = (int) $queried->ID;
+			}
+		}
+
+		if ( ! $actor_id ) {
+			return false;
+		}
+
+		$meta = \get_metadata_by_mid( 'user', $stamp_id );
+		if ( ! $meta || '_activitypub_featured_by' !== $meta->meta_key || (int) $meta->user_id !== $actor_id ) {
+			return false;
+		}
+
+		$actor = Actors::get_by_id( $actor_id );
+		if ( \is_wp_error( $actor ) ) {
+			return false;
+		}
+
+		$stamp_url = \add_query_arg(
+			array(
+				'actor' => $actor_id,
+				'stamp' => $meta->umeta_id,
+			),
+			\home_url( '/' )
+		);
+
+		$authorization = new Feature_Authorization();
+		$authorization->set_id( $stamp_url );
+		$authorization->set_attributed_to( $actor->get_id() );
+		$authorization->set_interacting_object( $meta->meta_value );
+		$authorization->set_interaction_target( $actor->get_id() );
+
+		$this->activitypub_object    = $authorization;
+		$this->activitypub_object_id = $authorization->get_id();
+
+		return true;
+	}
 }
diff --git a/includes/class-router.php b/includes/class-router.php
@@ -290,8 +290,16 @@ public static function template_redirect() {
 			exit;
 		}
 
-		$actor = \get_query_var( 'actor', null );
-		if ( $actor ) {
+		/*
+		 * Skip the actor branch when this looks like an actor-scoped FEP-7aa9
+		 * stamp URL: numeric `actor` paired with a `stamp`. Those resolve to a
+		 * FeatureAuthorization via Activitypub\Query, not via the username
+		 * lookup which would 404 the numeric ID. Non-numeric actors fall
+		 * through to the regular Mastodon-style profile lookup.
+		 */
+		$actor        = \get_query_var( 'actor', null );
+		$is_stamp_url = $actor && \get_query_var( 'stamp' ) && \ctype_digit( (string) $actor );
+		if ( $actor && ! $is_stamp_url ) {
 			$actor = Actors::get_by_username( $actor );
 			if ( ! $actor || \is_wp_error( $actor ) ) {
 				$wp_query->set_404();