we recently added RFC-9421 to @[email protected] : https://docs.bonfirenetworks.org/federation-interoperability.html#7-http-signatures-secure-fetch

not doing double-knock but rather using different methods to try and discover what the other side supports (in priority order):

Inbound signature caching: When a remote server sends us a signed request, we cache which format they used (cavage or RFC 9421)

Accept-Signature header: When we receive an Accept-Signature response header from a remote server (on any response — WebFinger, object fetch, inbox POST), we cache RFC 9421 support for that host

FEP-844e generator detection: Check remote actors' generator.implements or the instance service actor's implements property for RFC 9421 support URIs (see below)

NodeInfo software version: Look up the remote's software name and version against a known-support map (e.g., Mastodon ≥ 4.5.0, Fedify ≥ 1.6.0, Hollo, Mitra)

Default: Fall back to draft-cavage

@[email protected] @[email protected] @[email protected] @[email protected] would it help if selecting "followers only" didn't also include any mentioned people who are not followers? so mentions only are only shown the post and notified if you post publicly or if they are already following you.