Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From vibefed
Detects WebFinger protocol (RFC 7033) endpoints in codebases by searching for 'webfinger', /.well-known/webfinger routes, JRD responses, and libraries. Use for auditing ActivityPub or federated identity support.
npx claudepluginhub reiver/vibefed --plugin vibefedHow this skill is triggered — by the user, by Claude, or both
Slash command
/vibefed:detect-webfingerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
WebFinger (RFC 7033) is a protocol that allows discovery of information about
Conducts multi-turn iterative deep research on codebase topics by tracing code paths across files, mapping architecture, and analyzing data flows with strict evidence standards.
Uses tree-sitter index for code navigation in Rust, Python, TypeScript, JavaScript, Go, Java, Scala, SQL: finds symbols, reads function implementations, traces callers, discovers tests.
Guides writing ast-grep rules for AST-based structural code search to find patterns like unhandled async functions or specific constructs beyond text matching.
Share bugs, ideas, or general feedback.
WebFinger (RFC 7033) is a protocol that allows discovery of information about
people or resources using a standard URL pattern: /.well-known/webfinger.
It is commonly used by ActivityPub implementations (Mastodon, etc.) and
federated identity systems.
Search the codebase for the string webfinger (case-insensitive) across all
source files. This single search catches the vast majority of implementations.
Search query: webfinger
Case: insensitive
Scope: all source files (exclude: node_modules, vendor, .git, dist, build)
If no matches are found, proceed to Step 2 (fallback search). If matches are found, proceed to Step 3 (classify results).
Some implementations register WebFinger indirectly under a generic well-known handler. Search for:
/.well-known/ (route registration)well_known (snake_case variant common in Python/Ruby)jrd+json (the WebFinger response MIME type — very specific signal)acct: (the URI scheme WebFinger uses for user lookups)If any of these match, include the files in Step 3 classification. If still nothing — report: WebFinger not detected.
For each file containing a match, determine which category it falls into:
The file contains executable code that:
/.well-known/webfingerresource query parametersubject fieldThe file imports or references a WebFinger library (e.g. node-webfinger,
ostatus, activitypub, webfinger-rack, go-webfinger) without directly
defining the handler. The endpoint likely exists but is provided by the
dependency.
The match appears in:
The file handles /.well-known/ generically and may or may not route
WebFinger requests. Read the surrounding logic to determine.
If the codebase language/framework is identifiable, also look for these common patterns:
| Framework | Pattern to look for |
|---|---|
| Express / Node | app.get('/.well-known/webfinger' |
| Rails | get '/.well-known/webfinger' in routes.rb |
| Django | path('.well-known/webfinger' in urls.py |
| Spring Boot | @GetMapping("/.well-known/webfinger") |
| Mastodon / ActivityPub | Check for webfinger_controller or webfinger_resource |
| PHP | $_GET['resource'] near a well-known path check |
Provide a clear summary with:
rel
parameter filtering detected" or "Missing application/jrd+json content
type header"For reference, a complete implementation handles:
GET /.well-known/webfingerresource (e.g. acct:user@example.com)rel (filters which link types to return)application/jrd+jsonsubject field, typically also
links and/or aliasesresource param is missing