@fedify/fedify 2.0.0-dev.1690 → 2.0.0-dev.170

package/dist/otel/mod.js

@@ -0,0 +1,255 @@
+
+          import { Temporal } from "@js-temporal/polyfill";
+          import { URLPattern } from "urlpattern-polyfill";
+        
+import { getLogger } from "@logtape/logtape";
+import { ExportResultCode } from "@opentelemetry/core";
+
+//#region src/otel/exporter.ts
+/**
+* A SpanExporter that persists ActivityPub activity traces to a
+* {@link KvStore}.  This enables distributed tracing across multiple
+* nodes in a Fedify deployment.
+*
+* The exporter captures activity data from OpenTelemetry span events
+* (`activitypub.activity.received` and `activitypub.activity.sent`)
+* and stores them in the KvStore with trace context preserved.
+*
+* @example Basic usage with MemoryKvStore
+* ```typescript ignore
+* import { MemoryKvStore } from "@fedify/fedify";
+* import { FedifySpanExporter } from "@fedify/fedify/otel";
+* import {
+*   BasicTracerProvider,
+*   SimpleSpanProcessor,
+* } from "@opentelemetry/sdk-trace-base";
+*
+* const kv = new MemoryKvStore();
+* const exporter = new FedifySpanExporter(kv, {
+*   ttl: Temporal.Duration.from({ hours: 1 }),
+* });
+*
+* const provider = new BasicTracerProvider({
+*   spanProcessors: [new SimpleSpanProcessor(exporter)],
+* });
+* ```
+*
+* @example Querying stored traces
+* ```typescript ignore
+* import { MemoryKvStore } from "@fedify/fedify";
+* import { FedifySpanExporter } from "@fedify/fedify/otel";
+*
+* const kv = new MemoryKvStore();
+* const exporter = new FedifySpanExporter(kv);
+* const traceId = "abc123";
+*
+* // Get all activities for a specific trace
+* const activities = await exporter.getActivitiesByTraceId(traceId);
+*
+* // Get recent traces
+* const recentTraces = await exporter.getRecentTraces({ limit: 100 });
+* ```
+*
+* @since 1.10.0
+*/
+var FedifySpanExporter = class {
+	#kv;
+	#ttl;
+	#keyPrefix;
+	/**
+	* Creates a new FedifySpanExporter.
+	*
+	* @param kv The KvStore to persist trace data to.
+	* @param options Configuration options.
+	*/
+	constructor(kv, options) {
+		this.#kv = kv;
+		this.#ttl = options?.ttl;
+		this.#keyPrefix = options?.keyPrefix ?? ["fedify", "traces"];
+	}
+	/**
+	* Exports spans to the KvStore.
+	*
+	* @param spans The spans to export.
+	* @param resultCallback Callback to invoke with the export result.
+	*/
+	export(spans, resultCallback) {
+		this.#exportAsync(spans).then(() => resultCallback({ code: ExportResultCode.SUCCESS })).catch((error) => {
+			getLogger([
+				"fedify",
+				"otel",
+				"exporter"
+			]).error("Failed to export spans to KvStore: {error}", { error });
+			resultCallback({ code: ExportResultCode.FAILED });
+		});
+	}
+	async #exportAsync(spans) {
+		const storeOperations = [];
+		for (const span of spans) {
+			const records = this.#extractRecords(span);
+			for (const record of records) storeOperations.push(this.#storeRecord(record));
+		}
+		const results = await Promise.allSettled(storeOperations);
+		const rejected = results.filter((r) => r.status === "rejected");
+		if (rejected.length > 0) throw new AggregateError(rejected.map((r) => r.reason), "Failed to store one or more trace activity records.");
+	}
+	#extractRecords(span) {
+		const records = [];
+		const spanContext = span.spanContext();
+		const traceId = spanContext.traceId;
+		const spanId = spanContext.spanId;
+		const parentSpanId = span.parentSpanContext?.spanId;
+		for (const event of span.events) if (event.name === "activitypub.activity.received") {
+			const record = this.#extractInboundRecord(event, traceId, spanId, parentSpanId);
+			if (record != null) records.push(record);
+		} else if (event.name === "activitypub.activity.sent") {
+			const record = this.#extractOutboundRecord(event, traceId, spanId, parentSpanId);
+			if (record != null) records.push(record);
+		}
+		return records;
+	}
+	#extractInboundRecord(event, traceId, spanId, parentSpanId) {
+		const attrs = event.attributes;
+		if (attrs == null) return null;
+		const activityJson = attrs["activitypub.activity.json"];
+		if (typeof activityJson !== "string") return null;
+		let activityType = "Unknown";
+		let activityId;
+		let actorId;
+		try {
+			const activity = JSON.parse(activityJson);
+			activityType = activity.type ?? "Unknown";
+			activityId = activity.id;
+			if (typeof activity.actor === "string") actorId = activity.actor;
+			else if (activity.actor != null && typeof activity.actor.id === "string") actorId = activity.actor.id;
+		} catch {}
+		const verified = attrs["activitypub.activity.verified"];
+		const httpSigVerified = attrs["http_signatures.verified"];
+		const httpSigKeyId = attrs["http_signatures.key_id"];
+		const ldSigVerified = attrs["ld_signatures.verified"];
+		let signatureDetails;
+		if (typeof httpSigVerified === "boolean" || typeof ldSigVerified === "boolean") signatureDetails = {
+			httpSignaturesVerified: httpSigVerified === true,
+			httpSignaturesKeyId: typeof httpSigKeyId === "string" && httpSigKeyId !== "" ? httpSigKeyId : void 0,
+			ldSignaturesVerified: ldSigVerified === true
+		};
+		return {
+			traceId,
+			spanId,
+			parentSpanId,
+			direction: "inbound",
+			activityType,
+			activityId,
+			actorId,
+			activityJson,
+			verified: typeof verified === "boolean" ? verified : void 0,
+			signatureDetails,
+			timestamp: (/* @__PURE__ */ new Date(event.time[0] * 1e3 + event.time[1] / 1e6)).toISOString()
+		};
+	}
+	#extractOutboundRecord(event, traceId, spanId, parentSpanId) {
+		const attrs = event.attributes;
+		if (attrs == null) return null;
+		const activityJson = attrs["activitypub.activity.json"];
+		if (typeof activityJson !== "string") return null;
+		let activityType = "Unknown";
+		let activityId;
+		let actorId;
+		try {
+			const activity = JSON.parse(activityJson);
+			activityType = activity.type ?? "Unknown";
+			activityId = activity.id;
+			if (typeof activity.actor === "string") actorId = activity.actor;
+			else if (activity.actor != null && typeof activity.actor.id === "string") actorId = activity.actor.id;
+		} catch {}
+		const inboxUrl = attrs["activitypub.inbox.url"];
+		const explicitActivityId = attrs["activitypub.activity.id"];
+		return {
+			traceId,
+			spanId,
+			parentSpanId,
+			direction: "outbound",
+			activityType,
+			activityId: activityId ?? (typeof explicitActivityId === "string" && explicitActivityId !== "" ? explicitActivityId : void 0),
+			actorId,
+			activityJson,
+			timestamp: (/* @__PURE__ */ new Date(event.time[0] * 1e3 + event.time[1] / 1e6)).toISOString(),
+			inboxUrl: typeof inboxUrl === "string" ? inboxUrl : void 0
+		};
+	}
+	async #storeRecord(record) {
+		const options = this.#ttl != null ? { ttl: this.#ttl } : void 0;
+		const key = [
+			...this.#keyPrefix,
+			record.traceId,
+			record.spanId
+		];
+		await this.#kv.set(key, record, options);
+		await this.#updateTraceSummary(record, options);
+	}
+	async #setWithCasRetry(key, transform, options) {
+		if (this.#kv.cas != null) for (let attempt = 0; attempt < 3; attempt++) {
+			const existing$1 = await this.#kv.get(key);
+			const newValue$1 = transform(existing$1);
+			if (await this.#kv.cas(key, existing$1, newValue$1, options)) return;
+		}
+		const existing = await this.#kv.get(key);
+		const newValue = transform(existing);
+		await this.#kv.set(key, newValue, options);
+	}
+	async #updateTraceSummary(record, options) {
+		const summaryKey = [
+			...this.#keyPrefix,
+			"_summaries",
+			record.traceId
+		];
+		await this.#setWithCasRetry(summaryKey, (existing) => {
+			const activityCount = existing != null ? existing.activityCount + 1 : 1;
+			const activityTypes = existing != null ? existing.activityTypes.includes(record.activityType) ? existing.activityTypes : [...existing.activityTypes, record.activityType] : [record.activityType];
+			return {
+				traceId: existing?.traceId ?? record.traceId,
+				timestamp: existing?.timestamp ?? record.timestamp,
+				activityCount,
+				activityTypes
+			};
+		}, options);
+	}
+	/**
+	* Gets all activity records for a specific trace ID.
+	*
+	* @param traceId The trace ID to query.
+	* @returns An array of activity records belonging to the trace.
+	*/
+	async getActivitiesByTraceId(traceId) {
+		const prefix = [...this.#keyPrefix, traceId];
+		const records = [];
+		for await (const entry of this.#kv.list(prefix)) records.push(entry.value);
+		return records;
+	}
+	/**
+	* Gets recent traces with summary information.
+	*
+	* @param options Options for the query.
+	* @returns An array of trace summaries.
+	*/
+	async getRecentTraces(options) {
+		const summaryPrefix = [...this.#keyPrefix, "_summaries"];
+		const summaries = [];
+		for await (const entry of this.#kv.list(summaryPrefix)) summaries.push(entry.value);
+		summaries.sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+		if (options?.limit != null) return summaries.slice(0, options.limit);
+		return summaries;
+	}
+	/**
+	* Forces the exporter to flush any buffered data.
+	* This is a no-op because we write directly to the KvStore without buffering.
+	*/
+	async forceFlush() {}
+	/**
+	* Shuts down the exporter.
+	*/
+	async shutdown() {}
+};
+
+//#endregion
+export { FedifySpanExporter };

package/dist/{owner-e3FYDhsk.js → owner-BOEfZQv2.js}

@@ -3,9 +3,10 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { CryptographicKey, Object as Object$1, getDocumentLoader } from "./type-C69ZBu7f.js";
-import { isActor } from "./actor-DuCeRiNh.js";
-import { trace } from "@opentelemetry/api";
+import { deno_default } from "./deno-DhWON59o.js";
+import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
+import { getDocumentLoader } from "@fedify/vocab-runtime";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 
 //#region src/sig/owner.ts
 /**
@@ -16,11 +17,47 @@ import { trace } from "@opentelemetry/api";
 * @returns Whether the actor is the owner of the key.
 */
 async function doesActorOwnKey(activity, key, options) {
-	if (key.ownerId != null) return key.ownerId.href === activity.actorId?.href;
-	const actor = await activity.getActor(options);
-	if (actor == null || !isActor(actor)) return false;
-	for (const publicKeyId of actor.publicKeyIds) if (key.id != null && publicKeyId.href === key.id.href) return true;
-	return false;
+	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
+	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
+	return await tracer.startActiveSpan("activitypub.verify_key_ownership", {
+		kind: SpanKind.INTERNAL,
+		attributes: {
+			"activitypub.actor.id": activity.actorId?.href ?? "",
+			"activitypub.key.id": key.id?.href ?? ""
+		}
+	}, async (span) => {
+		try {
+			if (key.ownerId != null) {
+				const owns = key.ownerId.href === activity.actorId?.href;
+				span.setAttribute("activitypub.key_ownership.verified", owns);
+				span.setAttribute("activitypub.key_ownership.method", "owner_id");
+				return owns;
+			}
+			const actor = await activity.getActor(options);
+			if (actor == null || !isActor(actor)) {
+				span.setAttribute("activitypub.key_ownership.verified", false);
+				span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+				return false;
+			}
+			for (const publicKeyId of actor.publicKeyIds) if (key.id != null && publicKeyId.href === key.id.href) {
+				span.setAttribute("activitypub.key_ownership.verified", true);
+				span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+				return true;
+			}
+			span.setAttribute("activitypub.key_ownership.verified", false);
+			span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+			return false;
+		} catch (error) {
+			span.recordException(error);
+			span.setStatus({
+				code: SpanStatusCode.ERROR,
+				message: String(error)
+			});
+			throw error;
+		} finally {
+			span.end();
+		}
+	});
 }
 /**
 * Gets the actor that owns the specified key.  Returns `null` if the key has no

package/dist/{owner-hd9lvQcP.d.ts → owner-BgI8C-VY.d.ts}

@@ -1,9 +1,8 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { DocumentLoader } from "./docloader-CxWcuWqQ.js";
-import { Activity, CryptographicKey } from "./vocab-BI0Ak5lL.js";
-import { Actor } from "./actor-T6RyhRgk.js";
+import { Activity, Actor, CryptographicKey } from "@fedify/vocab";
 import { TracerProvider } from "@opentelemetry/api";
+import { DocumentLoader } from "@fedify/vocab-runtime";
 
 //#region src/sig/owner.d.ts
 /**

package/dist/{owner-BN_tO3cY.d.cts → owner-C-zfmVAD.d.cts}

@@ -1,6 +1,5 @@
-import { DocumentLoader } from "./docloader-D-MrRyHl.cjs";
-import { Activity, CryptographicKey } from "./vocab-Dw1-yVGg.cjs";
-import { Actor } from "./actor-D6K058Tb.cjs";
+import { Activity, Actor, CryptographicKey } from "@fedify/vocab";
+import { DocumentLoader } from "@fedify/vocab-runtime";
 import { TracerProvider } from "@opentelemetry/api";
 
 //#region src/sig/owner.d.ts

package/dist/{proof-B-eqv0Ug.cjs → proof-CaDQpGJD.cjs}

@@ -3,14 +3,14 @@
           const { URLPattern } = require("urlpattern-polyfill");
         
 const require_chunk = require('./chunk-DqRYRqnO.cjs');
-const require_docloader = require('./docloader-CCqXeagZ.cjs');
-const require_actor = require('./actor-Be0ThtXy.cjs');
-const require_key = require('./key-Z6ceKnZC.cjs');
+const require_http = require('./http-7RQPvAkX.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
+const __fedify_vocab = require_chunk.__toESM(require("@fedify/vocab"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
-const jsonld = require_chunk.__toESM(require("jsonld"));
-const byte_encodings_base64 = require_chunk.__toESM(require("byte-encodings/base64"));
 const byte_encodings_hex = require_chunk.__toESM(require("byte-encodings/hex"));
+const byte_encodings_base64 = require_chunk.__toESM(require("byte-encodings/base64"));
+const __fedify_vocab_runtime = require_chunk.__toESM(require("@fedify/vocab-runtime"));
+const jsonld = require_chunk.__toESM(require("jsonld"));
 const json_canon = require_chunk.__toESM(require("json-canon"));
 
 //#region src/sig/ld.ts
@@ -47,7 +47,7 @@ function attachSignature(jsonLd, signature) {
 * @since 1.0.0
 */
 async function createSignature(jsonLd, privateKey, keyId, { contextLoader, created } = {}) {
-	require_key.validateCryptoKey(privateKey, "private");
+	require_http.validateCryptoKey(privateKey, "private");
 	if (privateKey.algorithm.name !== "RSASSA-PKCS1-v1_5") throw new TypeError("Unsupported algorithm: " + privateKey.algorithm.name);
 	const options = {
 		"@context": "https://w3id.org/identity/v1",
@@ -81,7 +81,7 @@ async function createSignature(jsonLd, privateKey, keyId, { contextLoader, creat
 */
 async function signJsonLd(jsonLd, privateKey, keyId, options) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_http.deno_default.name, require_http.deno_default.version);
 	return await tracer.startActiveSpan("ld_signatures.sign", { attributes: { "ld_signatures.key_id": keyId.href } }, async (span) => {
 		try {
 			const signature = await createSignature(jsonLd, privateKey, keyId, options);
@@ -150,7 +150,7 @@ async function verifySignature(jsonLd, options = {}) {
 		});
 		return null;
 	}
-	const { key, cached } = await require_key.fetchKey(new URL(sig.creator), require_actor.CryptographicKey, options);
+	const { key, cached } = await require_http.fetchKey(new URL(sig.creator), __fedify_vocab.CryptographicKey, options);
 	if (key == null) return null;
 	const sigOpts = {
 		...sig,
@@ -191,7 +191,7 @@ async function verifySignature(jsonLd, options = {}) {
 			keyId: sig.creator,
 			...sig
 		});
-		const { key: key$1 } = await require_key.fetchKey(new URL(sig.creator), require_actor.CryptographicKey, {
+		const { key: key$1 } = await require_http.fetchKey(new URL(sig.creator), __fedify_vocab.CryptographicKey, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),
@@ -220,19 +220,19 @@ async function verifySignature(jsonLd, options = {}) {
 */
 async function verifyJsonLd(jsonLd, options = {}) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_http.deno_default.name, require_http.deno_default.version);
 	return await tracer.startActiveSpan("ld_signatures.verify", async (span) => {
 		try {
-			const object = await require_actor.Object.fromJsonLd(jsonLd, options);
+			const object = await __fedify_vocab.Object.fromJsonLd(jsonLd, options);
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
-			span.setAttribute("activitypub.object.type", require_actor.getTypeId(object).href);
+			span.setAttribute("activitypub.object.type", (0, __fedify_vocab.getTypeId)(object).href);
 			if (typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd && typeof jsonLd.signature === "object" && jsonLd.signature != null) {
 				if ("creator" in jsonLd.signature && typeof jsonLd.signature.creator === "string") span.setAttribute("ld_signatures.key_id", jsonLd.signature.creator);
 				if ("signatureValue" in jsonLd.signature && typeof jsonLd.signature.signatureValue === "string") span.setAttribute("ld_signatures.signature", jsonLd.signature.signatureValue);
 				if ("type" in jsonLd.signature && typeof jsonLd.signature.type === "string") span.setAttribute("ld_signatures.type", jsonLd.signature.type);
 			}
 			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
-			if (object instanceof require_actor.Activity) for (const uri of object.actorIds) attributions.add(uri.href);
+			if (object instanceof __fedify_vocab.Activity) for (const uri of object.actorIds) attributions.add(uri.href);
 			const key = await verifySignature(jsonLd, options);
 			if (key == null) return false;
 			if (key.ownerId == null) {
@@ -259,7 +259,7 @@ async function verifyJsonLd(jsonLd, options = {}) {
 async function hashJsonLd(jsonLd, contextLoader) {
 	const canon = await jsonld.default.canonize(jsonLd, {
 		format: "application/n-quads",
-		documentLoader: contextLoader ?? require_docloader.getDocumentLoader()
+		documentLoader: contextLoader ?? (0, __fedify_vocab_runtime.getDocumentLoader)()
 	});
 	const encoder = new TextEncoder();
 	const hash = await crypto.subtle.digest("SHA-256", encoder.encode(canon));
@@ -276,11 +276,47 @@ async function hashJsonLd(jsonLd, contextLoader) {
 * @returns Whether the actor is the owner of the key.
 */
 async function doesActorOwnKey(activity, key, options) {
-	if (key.ownerId != null) return key.ownerId.href === activity.actorId?.href;
-	const actor = await activity.getActor(options);
-	if (actor == null || !require_actor.isActor(actor)) return false;
-	for (const publicKeyId of actor.publicKeyIds) if (key.id != null && publicKeyId.href === key.id.href) return true;
-	return false;
+	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
+	const tracer = tracerProvider.getTracer(require_http.deno_default.name, require_http.deno_default.version);
+	return await tracer.startActiveSpan("activitypub.verify_key_ownership", {
+		kind: __opentelemetry_api.SpanKind.INTERNAL,
+		attributes: {
+			"activitypub.actor.id": activity.actorId?.href ?? "",
+			"activitypub.key.id": key.id?.href ?? ""
+		}
+	}, async (span) => {
+		try {
+			if (key.ownerId != null) {
+				const owns = key.ownerId.href === activity.actorId?.href;
+				span.setAttribute("activitypub.key_ownership.verified", owns);
+				span.setAttribute("activitypub.key_ownership.method", "owner_id");
+				return owns;
+			}
+			const actor = await activity.getActor(options);
+			if (actor == null || !(0, __fedify_vocab.isActor)(actor)) {
+				span.setAttribute("activitypub.key_ownership.verified", false);
+				span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+				return false;
+			}
+			for (const publicKeyId of actor.publicKeyIds) if (key.id != null && publicKeyId.href === key.id.href) {
+				span.setAttribute("activitypub.key_ownership.verified", true);
+				span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+				return true;
+			}
+			span.setAttribute("activitypub.key_ownership.verified", false);
+			span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+			return false;
+		} catch (error) {
+			span.recordException(error);
+			span.setStatus({
+				code: __opentelemetry_api.SpanStatusCode.ERROR,
+				message: String(error)
+			});
+			throw error;
+		} finally {
+			span.end();
+		}
+	});
 }
 /**
 * Gets the actor that owns the specified key.  Returns `null` if the key has no
@@ -294,10 +330,10 @@ async function doesActorOwnKey(activity, key, options) {
 */
 async function getKeyOwner(keyId, options) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const documentLoader = options.documentLoader ?? require_docloader.getDocumentLoader();
-	const contextLoader = options.contextLoader ?? require_docloader.getDocumentLoader();
+	const documentLoader = options.documentLoader ?? (0, __fedify_vocab_runtime.getDocumentLoader)();
+	const contextLoader = options.contextLoader ?? (0, __fedify_vocab_runtime.getDocumentLoader)();
 	let object;
-	if (keyId instanceof require_actor.CryptographicKey) {
+	if (keyId instanceof __fedify_vocab.CryptographicKey) {
 		object = keyId;
 		if (object.id == null) return null;
 		keyId = object.id;
@@ -310,7 +346,7 @@ async function getKeyOwner(keyId, options) {
 			return null;
 		}
 		try {
-			object = await require_actor.Object.fromJsonLd(keyDoc, {
+			object = await __fedify_vocab.Object.fromJsonLd(keyDoc, {
 				documentLoader,
 				contextLoader,
 				tracerProvider
@@ -318,7 +354,7 @@ async function getKeyOwner(keyId, options) {
 		} catch (e) {
 			if (!(e instanceof TypeError)) throw e;
 			try {
-				object = await require_actor.CryptographicKey.fromJsonLd(keyDoc, {
+				object = await __fedify_vocab.CryptographicKey.fromJsonLd(keyDoc, {
 					documentLoader,
 					contextLoader,
 					tracerProvider
@@ -330,14 +366,14 @@ async function getKeyOwner(keyId, options) {
 		}
 	}
 	let owner = null;
-	if (object instanceof require_actor.CryptographicKey) {
+	if (object instanceof __fedify_vocab.CryptographicKey) {
 		if (object.ownerId == null) return null;
 		owner = await object.getOwner({
 			documentLoader,
 			contextLoader,
 			tracerProvider
 		});
-	} else if (require_actor.isActor(object)) owner = object;
+	} else if ((0, __fedify_vocab.isActor)(object)) owner = object;
 	else return null;
 	if (owner == null) return null;
 	for (const kid of owner.publicKeyIds) if (kid.href === keyId.href) return owner;
@@ -362,7 +398,7 @@ const logger = (0, __logtape_logtape.getLogger)([
 * @since 0.10.0
 */
 async function createProof(object, privateKey, keyId, { contextLoader, context, created } = {}) {
-	require_key.validateCryptoKey(privateKey, "private");
+	require_http.validateCryptoKey(privateKey, "private");
 	if (privateKey.algorithm.name !== "Ed25519") throw new TypeError("Unsupported algorithm: " + privateKey.algorithm.name);
 	const objectWithoutProofs = object.clone({ proofs: [] });
 	const compactMsg = await objectWithoutProofs.toJsonLd({
@@ -390,7 +426,7 @@ async function createProof(object, privateKey, keyId, { contextLoader, context,
 	digest.set(new Uint8Array(proofDigest), 0);
 	digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
 	const sig = await crypto.subtle.sign("Ed25519", privateKey, digest);
-	return new require_actor.DataIntegrityProof({
+	return new __fedify_vocab.DataIntegrityProof({
 		cryptosuite: "eddsa-jcs-2022",
 		verificationMethod: keyId,
 		proofPurpose: "assertionMethod",
@@ -410,8 +446,8 @@ async function createProof(object, privateKey, keyId, { contextLoader, context,
 */
 async function signObject(object, privateKey, keyId, options = {}) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
-	return await tracer.startActiveSpan("object_integrity_proofs.sign", { attributes: { "activitypub.object.type": require_actor.getTypeId(object).href } }, async (span) => {
+	const tracer = tracerProvider.getTracer(require_http.deno_default.name, require_http.deno_default.version);
+	return await tracer.startActiveSpan("object_integrity_proofs.sign", { attributes: { "activitypub.object.type": (0, __fedify_vocab.getTypeId)(object).href } }, async (span) => {
 		try {
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
 			const existingProofs = [];
@@ -446,7 +482,7 @@ async function signObject(object, privateKey, keyId, options = {}) {
 */
 async function verifyProof(jsonLd, proof, options = {}) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_http.deno_default.name, require_http.deno_default.version);
 	return await tracer.startActiveSpan("object_integrity_proofs.verify", async (span) => {
 		if (span.isRecording()) {
 			if (proof.cryptosuite != null) span.setAttribute("object_integrity_proofs.cryptosuite", proof.cryptosuite);
@@ -470,7 +506,7 @@ async function verifyProof(jsonLd, proof, options = {}) {
 }
 async function verifyProofInternal(jsonLd, proof, options) {
 	if (typeof jsonLd !== "object" || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
-	const publicKeyPromise = require_key.fetchKey(proof.verificationMethodId, require_actor.Multikey, options);
+	const publicKeyPromise = require_http.fetchKey(proof.verificationMethodId, __fedify_vocab.Multikey, options);
 	const proofConfig = {
 		"@context": jsonLd["@context"],
 		type: "DataIntegrityProof",
@@ -575,7 +611,7 @@ async function verifyObject(cls, jsonLd, options = {}) {
 	]);
 	const object = await cls.fromJsonLd(jsonLd, options);
 	const attributions = new Set(object.attributionIds.map((uri) => uri.href));
-	if (object instanceof require_actor.Activity) for (const uri of object.actorIds) attributions.add(uri.href);
+	if (object instanceof __fedify_vocab.Activity) for (const uri of object.actorIds) attributions.add(uri.href);
 	for await (const proof of object.getProofs(options)) {
 		const key = await verifyProof(jsonLd, proof, options);
 		if (key === null) return null;

package/dist/{proof-DfgvA3al.js → proof-iYIDiv8I.js}

@@ -2,14 +2,14 @@
           import { Temporal } from "@js-temporal/polyfill";
           import { URLPattern } from "urlpattern-polyfill";
         
-import { deno_default, getDocumentLoader } from "./docloader-XK3y2jn5.js";
-import { Activity, CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1, getTypeId, isActor } from "./actor-ChbPLm6n.js";
-import { fetchKey, validateCryptoKey } from "./key-jyNTxCvK.js";
+import { deno_default, fetchKey, validateCryptoKey } from "./http-CZXlv4xU.js";
 import { getLogger } from "@logtape/logtape";
-import { SpanStatusCode, trace } from "@opentelemetry/api";
-import jsonld from "jsonld";
-import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
+import { Activity, CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1, getTypeId, isActor } from "@fedify/vocab";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 import { encodeHex } from "byte-encodings/hex";
+import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
+import { getDocumentLoader } from "@fedify/vocab-runtime";
+import jsonld from "jsonld";
 import serialize from "json-canon";
 
 //#region src/sig/ld.ts
@@ -275,11 +275,47 @@ async function hashJsonLd(jsonLd, contextLoader) {
 * @returns Whether the actor is the owner of the key.
 */
 async function doesActorOwnKey(activity, key, options) {
-	if (key.ownerId != null) return key.ownerId.href === activity.actorId?.href;
-	const actor = await activity.getActor(options);
-	if (actor == null || !isActor(actor)) return false;
-	for (const publicKeyId of actor.publicKeyIds) if (key.id != null && publicKeyId.href === key.id.href) return true;
-	return false;
+	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
+	const tracer = tracerProvider.getTracer(deno_default.name, deno_default.version);
+	return await tracer.startActiveSpan("activitypub.verify_key_ownership", {
+		kind: SpanKind.INTERNAL,
+		attributes: {
+			"activitypub.actor.id": activity.actorId?.href ?? "",
+			"activitypub.key.id": key.id?.href ?? ""
+		}
+	}, async (span) => {
+		try {
+			if (key.ownerId != null) {
+				const owns = key.ownerId.href === activity.actorId?.href;
+				span.setAttribute("activitypub.key_ownership.verified", owns);
+				span.setAttribute("activitypub.key_ownership.method", "owner_id");
+				return owns;
+			}
+			const actor = await activity.getActor(options);
+			if (actor == null || !isActor(actor)) {
+				span.setAttribute("activitypub.key_ownership.verified", false);
+				span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+				return false;
+			}
+			for (const publicKeyId of actor.publicKeyIds) if (key.id != null && publicKeyId.href === key.id.href) {
+				span.setAttribute("activitypub.key_ownership.verified", true);
+				span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+				return true;
+			}
+			span.setAttribute("activitypub.key_ownership.verified", false);
+			span.setAttribute("activitypub.key_ownership.method", "actor_fetch");
+			return false;
+		} catch (error) {
+			span.recordException(error);
+			span.setStatus({
+				code: SpanStatusCode.ERROR,
+				message: String(error)
+			});
+			throw error;
+		} finally {
+			span.end();
+		}
+	});
 }
 /**
 * Gets the actor that owns the specified key.  Returns `null` if the key has no