Activities can be delivered out of order, causing federation issues

[dahlia]

Problem

ActivityPub activities can be delivered out of order when they relate to the same object, causing federation issues. Specifically, when a post is created and quickly deleted, the Delete activity can arrive at remote instances before the Create activity, resulting in “zombie posts” that should have been deleted.

This was observed in production: hackers-pub/hackerspub#162 (comment).

Scenario

1. User creates a post → Create(Note) activity is enqueued
2. User immediately deletes the post → Delete(Note) activity is enqueued
3. Both activities are sent to remote instances independently
4. Due to parallel workers and lack of ordering guarantees, Delete(Note) may arrive first
5. Remote instance ignores the delete (no post exists yet)
6. Remote instance later receives and persists Create(Note)
7. Result: “zombie post” exists on remote instance but not on origin

Root cause

The MessageQueue interface doesn't provide:

1. Ordering guarantees — messages for the same object can be processed out of order
2. Cancellation mechanism — can't cancel a queued Create when a Delete is enqueued shortly after
3. Dependency tracking — no way to express that one activity depends on or supersedes another

While PostgresMessageQueue uses ORDER BY created, parallel workers can still process messages out of order. This issue affects all MessageQueue implementations (Postgres, Redis, SQLite, AMQP, Deno KV, etc.).

Proposed solutions

Option A: Add message cancellation API

interface MessageQueue {
  enqueue(message: any, options?: MessageQueueEnqueueOptions & { key?: string }): Promise<void>;
  cancel(key: string): Promise<boolean>; // Returns true if cancelled
}

Users could assign keys to messages and cancel pending ones:

await queue.enqueue(createActivity, { key: `create:${noteId}` });
// Later, if deleted quickly:
if (await queue.cancel(`create:${noteId}`)) {
  // Create was cancelled, no need to send Delete
} else {
  // Create already sent, send Delete
  await queue.enqueue(deleteActivity);
}

Pros: Flexible, allows application-level logic
Cons: Requires checking if cancellation succeeded; complex to implement in distributed queues

Option B: Per-object ordering

interface MessageQueueEnqueueOptions {
  delay?: Temporal.Duration;
  orderingKey?: string; // Messages with same key are processed in order
}

Activities for the same object would be guaranteed to arrive in order:

await queue.enqueue(createActivity, { orderingKey: noteId });
await queue.enqueue(deleteActivity, { orderingKey: noteId });
// Delete always arrives after Create

Pros: Matches ActivityPub's causal ordering semantics; works well with existing queue backends
Cons: May reduce parallelism; requires implementation changes in all queue backends

Option C: Activity batching

Allow grouping related activities so they're sent atomically or cancelled together:

interface MessageQueue {
  enqueueGroup(messages: any[], options?: { atomicCancel?: boolean }): Promise<string>;
  cancelGroup(groupId: string): Promise<boolean>;
}

Pros: Handles complex multi-message scenarios
Cons: Most complex to implement; may not fit all use cases; batching semantics unclear for ActivityPub

Additional context

This is a framework-level issue that affects any Fedify application with rapid Create/Delete operations. A proper fix would benefit the entire ecosystem.

[dahlia]

Additional consideration for Option B: Fan-out mechanism

When implementing Option B (per-object ordering), we need to carefully consider how it interacts with the fan-out mechanism described in the documentation.

With a naive implementation using orderingKey: noteId, we'd face an efficiency problem: If a Create(Note) is sent to servers A–Z, and a Delete(Note) is enqueued after the Create has been delivered to A–K but not yet to L–Z, the Delete would be blocked for all recipients (including A–K) until the Create finishes delivering to server Z. This defeats the purpose of parallelism.

The solution is to make ordering keys recipient-specific during the fan-out stage. The MessageQueue interface itself can remain simple—just guarantee ordering for messages with the same orderingKey string, without needing to understand any hierarchy. The intelligence should live in Federation.sendActivity():

1. First stage (consolidated message): Use orderingKey: noteId (or undefined if not needed)
2. Second stage (individual delivery tasks): When the worker splits the consolidated message, generate orderingKey: ${noteId}:${inboxOrigin} for each recipient server

This way, ordering is preserved per-recipient-server while maintaining parallelism across different servers. Server A can receive Delete immediately after Create finishes, without waiting for server Z's Create to complete.

[dahlia]

Implementation strategy for Option B across MessageQueue backends

Here's a proposed implementation strategy for adding orderingKey support to each MessageQueue backend:

Backends with straightforward native support

These backends can implement ordering directly using their underlying storage mechanisms:

PostgresMessageQueue & SqliteMessageQueue

• Add ordering_key column (nullable) to the message table
• Modify the dequeue query to use SELECT ... FOR UPDATE SKIP LOCKED WHERE ordering_key = ? OR ordering_key IS NULL ORDER BY created
• This ensures only one worker processes messages with the same orderingKey at a time

RedisMessageQueue

• Migrate from Sorted Sets to Redis Streams
• Use consumer groups with orderingKey as the partition/grouping key
• Redis Streams provide built-in ordering guarantees per consumer group

InProcessMessageQueue

• Maintain separate in-memory queues per orderingKey
• Process each queue sequentially while allowing parallelism across different keys

AmqpMessageQueue

• Use RabbitMQ's consistent hash exchange to route messages with the same orderingKey to the same queue/consumer
• Alternatively, dynamically create per-orderingKey queues (adds management complexity)

Backends with limited native support

DenoKvMessageQueue and WorkersMessageQueue pose a challenge because their native queue APIs (Deno.Kv.enqueue() and Cloudflare Queues) don't provide ordering guarantees.

Proposed phased approach

Phase 1: Sequence-based implementation

1. During enqueue(): Generate and attach a sequenceNumber per orderingKey (stored in KV)
2. During listen():
   • Check if the received message is the next expected sequence number for its orderingKey (tracked in KV)
   • If in order: process and update last processed sequence
   • If out of order: re-enqueue with a short delay (100ms with exponential backoff)
3. Add safeguards: max retry count, timeout for missing sequences

Overhead: Adds 1 KV read + 1 KV CAS operation per message. Out-of-order messages (rare) require re-queuing.

Phase 2: Native implementation

• DenoKvMessageQueue: Implement a custom queue on top of Deno KV's atomic operations (similar to how PostgresMessageQueue/SqliteMessageQueue work), instead of using the native Deno.Kv.enqueue() API
• WorkersMessageQueue: Explore Durable Objects for per-orderingKey coordination, though options are limited

Recommendation

Ship Phase 1 for DenoKvMessageQueue and WorkersMessageQueue in Fedify 2.0, which provides correct ordering with acceptable overhead. Other backends can implement native ordering directly. Phase 2 optimizations can be added in subsequent releases based on real-world usage.

[dahlia]

I've created #538 to track the implementation of Option B (orderingKey approach), including the detailed implementation strategy for each MessageQueue backend and the fan-out considerations discussed above.

[dahlia]

Implementation plan for SendActivityOptions.orderingKey

Now that PR #540 has landed the orderingKey infrastructure for all MessageQueue backends, the remaining work is to expose this capability through the sendActivity() API.

Design decision: Opt-in ordering

Not all activities require strict ordering guarantees. For example:

• Create(Note) → Delete(Note) for the same Note: ordering required
• Create(Note) → Create(AnotherNote): no ordering needed
• Follow activities: typically no ordering needed

Therefore, we will add an optional orderingKey parameter to SendActivityOptions. When omitted, activities are delivered with maximum parallelism (current behavior). When specified, activities with the same orderingKey are guaranteed to be delivered in FIFO order to each recipient server.

API design

interface SendActivityOptions {
  // ... existing options ...

  /**
   * An optional key to ensure ordered delivery of activities.
   * Activities with the same `orderingKey` are guaranteed to be
   * delivered in the order they were enqueued, per recipient server.
   *
   * Typical use case: pass the object ID (e.g., Note ID) to ensure
   * that `Create`, `Update`, and `Delete` activities for the same
   * object are delivered in order.
   *
   * When omitted, no ordering is guaranteed (maximum parallelism).
   */
  orderingKey?: string;
}

Usage example

const noteId = note.id!.href;

// Create and Delete will be delivered in order
await ctx.sendActivity(sender, recipients, createNote, { orderingKey: noteId });
await ctx.sendActivity(sender, recipients, deleteNote, { orderingKey: noteId });

Implementation notes

1. Fanout stage: When enqueueing to fanoutQueue, pass orderingKey as-is from the options.

2. Outbox stage: When FederationImpl.sendActivity() splits into per-inbox OutboxMessages, transform the key to ${orderingKey}:${new URL(inbox).origin}. This ensures:

   • Ordering is preserved per-recipient-server
   • Different servers can receive activities in parallel
   • Server A receiving Delete doesn't need to wait for Server Z's Create

3. Message schema: Add orderingKey?: string field to both FanoutMessage and OutboxMessage interfaces.

4. Backward compatibility: Since orderingKey is optional, existing code continues to work unchanged.