fixed reverse chronological ordering in a pair of FTs clogging the pipeline; added ActivityPub to project; new apps.ap for WebFinger, Actor, Outbox views; apps.lyric.models now contains ap_public_key, ap_private_key fields + ensure_keypair(); new apps.lyric migration accordingly; new in drama.models are to_activity() w. JoinGate, SelectRole, Create compat. & None verb support; new core.urls for /.well-known/webfinger + /ap/ included; cryptography installed, added to reqs.txt; 24 new green UTs & ITs; in sum, project is now read-only ActivityPub node

src/apps/lyric/models.py

@@ -44,6 +44,8 @@ class User(AbstractBaseUser):
     unlocked_decks = models.ManyToManyField(
         "epic.DeckVariant", blank=True, related_name="unlocked_by",
     )
+    ap_public_key = models.TextField(blank=True, default="")
+    ap_private_key = models.TextField(blank=True, default="")
 
     is_staff = models.BooleanField(default=False)
     is_superuser = models.BooleanField(default=False)
@@ -52,6 +54,24 @@ class User(AbstractBaseUser):
     REQUIRED_FIELDS = []
     USERNAME_FIELD = "email"
 
+    def ensure_keypair(self):
+        """Generate and persist an RSA-2048 keypair if not already set."""
+        if self.ap_public_key:
+            return
+        from cryptography.hazmat.primitives.asymmetric import rsa
+        from cryptography.hazmat.primitives import serialization
+        private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+        self.ap_public_key = private_key.public_key().public_bytes(
+            serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo,
+        ).decode()
+        self.ap_private_key = private_key.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.PKCS8,
+            serialization.NoEncryption(),
+        ).decode()
+        self.save(update_fields=["ap_public_key", "ap_private_key"])
+
     def has_perm(self, perm, obj=None):
         return self.is_superuser