Should Undo remove the original activity from inbox?

The Undo activity should undo the original activity “to the extent possible”.

Does that include removing the original activity from the inbox? Or will the inbox contain the original activity plus the Undo afterwards?

The spec states

Side effects should be undone, to the extent possible

and also here

The Undo activity is used to undo the side effects of previous activities.

This means for me, no modifying the inbox/outbox.

But then, there is this, confusingly mixing “side effects” with “inbox addition” in a paragraph calling “inbox addition” both a side effect and “happens anyway”:

Receiving a Create activity in an inbox has surprisingly few side effects; the activity should appear in the actor’s inbox and it is likely that the server will want to locally store a representation of this activity and its accompanying object. However, this mostly happens in general with processing activities delivered to an inbox anyway.

This sounds like an implementation detail. The most straightforward thing to do is to keep both activities. There’s no way to tell that an activity has been undone, except to check for whether the side effects are currently in effect or not (e.g. whether a Like or Announce is still in the appropriate collection, whether an actor is in the followers collection or not, etc.)

Tangentially, there isn’t really a specified to way to get rid of an activity that you received. I suppose you could Remove from inbox, but there’s a chance you will lose track of it forever, so you should probably consider that carefully.

This is a side effect.

In my opinion, it is a reasonable ActivityPub Server implementation if you just store the id of the activity in the inbox collection and be done with processing the object. This minimalist storage engine will lead to more network traffic, but saves on storage on your side.

This takes things to the other extreme than Mastodon. Also messages that are not public, might not be retrievable, due to permissions being hard to implement right (and not really part of the spec). So implement this at your own risk.

Bonus note: You should still record Accepts of Follow requests you get separately. You want to keep track whose inboxes you get to bombard.