ロックダウンされた/ログイン必須ノートは /outbox で見える

[eternal-flame-AD]

💡 Summary

タイトル通り

(I received permission to post this in public.)

🥰 Expected Behavior

From the description one would reasonably conclude:

• This note is not visible from the home instance
• This note is no longer federated in public view (a non follower should not be able to look this note up regardless of their respect of the _misskey vendor keys).
• (Ideally but not mandatory behavior) Further AP get requests need a valid signature.

🤬 Actual Behavior

https://mi.yumechi.jp/users/a10sac8leyy40014/outbox?page=true

The note can still be looked up, have "public" audience and can be enumerated using /outbox?page=true

📝 Steps to Reproduce

Set up lockdown

Go to the /users/<id>/outbox

💻 Frontend Environment

Not frontend problem

🛰 Backend Environment (for server admin)

* Installation Method or Hosting Service: podman
* Misskey: 2025.3.1
* Node: 22 
* PostgreSQL: 17
* Redis: official
* OS and Architecture: linux x86_64

Do you want to address this bug yourself?

• Yes, I will patch the bug myself and send a pull request (Probably after Thurs or Friday, don't wait for me if time sensitive)

[eternal-flame-AD]

Related: #14802 #14473