Fix Accept delivery for Follow activities and actor profile

- Fix sign_request() call: parse URL into path/host (was passing 'url' kwarg that doesn't exist)
- Fix verify_request_signature() call to match actual function signature
- Add manuallyApprovesFollowers: false to actor JSON-LD so Mastodon auto-accepts follows

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

bp/actors/routes.py

@@ -62,12 +62,15 @@ async def _send_accept(
     body_bytes = json.dumps(accept).encode()
     key_id = f"{actor_url}#main-key"
 
+    from urllib.parse import urlparse
+    parsed = urlparse(follower_inbox)
     headers = sign_request(
-        method="POST",
-        url=follower_inbox,
-        body=body_bytes,
         private_key_pem=actor.private_key_pem,
         key_id=key_id,
+        method="POST",
+        path=parsed.path,
+        host=parsed.netloc,
+        body=body_bytes,
     )
     headers["Content-Type"] = AP_CONTENT_TYPE
 
@@ -107,6 +110,7 @@ def register(url_prefix="/users"):
                 "name": actor.display_name or username,
                 "preferredUsername": username,
                 "summary": actor.summary or "",
+                "manuallyApprovesFollowers": False,
                 "inbox": f"https://{domain}/users/{username}/inbox",
                 "outbox": f"https://{domain}/users/{username}/outbox",
                 "followers": f"https://{domain}/users/{username}/followers",
@@ -207,18 +211,20 @@ def register(url_prefix="/users"):
         sig_valid = False
         try:
             from shared.utils.http_signatures import verify_request_signature
-            raw_body = await request.get_data()
             req_headers = dict(request.headers)
-            req_headers["(request-target)"] = f"post /users/{username}/inbox"
+            sig_header = req_headers.get("Signature", "")
 
             # Fetch remote actor to get their public key
             remote_actor = await _fetch_remote_actor(from_actor_url)
-            if remote_actor:
+            if remote_actor and sig_header:
                 pub_key_pem = (remote_actor.get("publicKey") or {}).get("publicKeyPem")
                 if pub_key_pem:
                     sig_valid = verify_request_signature(
-                        headers=req_headers,
                         public_key_pem=pub_key_pem,
+                        signature_header=sig_header,
+                        method="POST",
+                        path=f"/users/{username}/inbox",
+                        headers=req_headers,
                     )
         except Exception:
             log.debug("Signature verification failed for %s", from_actor_url, exc_info=True)