Summary
Add a strict-mode smoke test lane that validates Fedify's interoperability with Mastodon over HTTPS with HTTP signature verification enabled. This complements the non-strict lane (#615 / PR #598), which tests basic ActivityPub over HTTP with signature verification skipped.
Parent issue
Sub-issue of #481 (Interoperability smoke test suite).
Motivation
The non-strict smoke tests validate that ActivityPub messages are correctly formed and processed, but they skip TLS and signature verification. In real-world federation, every request is signed and verified over HTTPS. This lane ensures the full chain works: TLS termination, HTTP signature signing, signature verification, and WebFinger discovery over HTTPS.
Approach
- Standalone Docker Compose file with Caddy reverse proxies terminating TLS in front of both the Fedify harness and Mastodon
- Self-signed CA generated per CI run, trusted by all containers (SSL_CERT_FILE for Ruby/OpenSSL, DENO_CERT for Deno)
- STRICT_MODE env var toggles signature verification and URL scheme in the shared harness code
- WebFinger-based account discovery in provisioning instead of DB pre-registration
- CI trigger: nightly schedule + workflow_dispatch (not on every push)
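A sketch of the per-run CA step from the list above, added here as an example and not taken from the Fedify repository. The output directory, file names and the make_ca, make_leaf and leaf_valid_for helpers are assumptions; the host names are the two proxy aliases named in this issue.

```shell
#!/bin/sh
# Added example (not project code): per-run CA and one leaf cert per proxy alias.
# File names and the output directory are assumptions.
set -eu

# make_ca DIR: throwaway CA valid for one day; its key never leaves DIR.
make_ca() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = smoke-test CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_leaf DIR HOST: server cert whose SAN is the Compose network alias HOST.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# leaf_valid_for DIR CERT_HOST NAME: succeeds only if CERT_HOST's cert chains
# to the run's CA and its SAN matches NAME, the check a TLS client performs.
leaf_valid_for() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

OUT=${OUT:-$(mktemp -d)}
make_ca "$OUT"
for host in fedify-harness mastodon; do
  make_leaf "$OUT" "$host"
  leaf_valid_for "$OUT" "$host" "$host"
done
# Containers would then trust only this CA, e.g. SSL_CERT_FILE=$OUT/ca.crt
# for Ruby/OpenSSL and DENO_CERT=$OUT/ca.crt for Deno.
echo "CA and leaf certificates written to $OUT"
```

Because the CA is regenerated on every run and its key stays in the run's scratch directory, a leaked certificate from one CI job is not trusted by the next.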
Architecture
┌─────────────────┐
│  Caddy proxy    │◄── "fedify-harness" alias (TLS :443)
│   (harness)     │
└────────┬────────┘
         │ reverse_proxy :3001
┌────────▼────────┐
│ fedify-harness  │
│    -backend     │
└─────────────────┘

┌─────────────────┐
│  Caddy proxy    │◄── "mastodon" alias (TLS :443)
│  (mastodon)     │
└────────┬────────┘
         │ reverse_proxy :3000
┌────────▼────────┐
│  mastodon-web   │
│    -backend     │
└─────────────────┘
Acceptance criteria