@fedify/fedify 2.0.0-pr.449.1725 → 2.0.0-pr.451.1730

package/dist/{lookup-B2Bsau2g.cjs → lookup-CMAGfQ1Q.cjs}

@@ -3,10 +3,71 @@
           const { URLPattern } = require("urlpattern-polyfill");
         
 const require_chunk = require('./chunk-DqRYRqnO.cjs');
-const require_docloader = require('./docloader-BdF5STdg.cjs');
+const require_request = require('./request-XHWUW2bi.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
+const node_dns_promises = require_chunk.__toESM(require("node:dns/promises"));
+const node_net = require_chunk.__toESM(require("node:net"));
 
+//#region src/utils/url.ts
+var UrlError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "UrlError";
+	}
+};
+/**
+* Validates a URL to prevent SSRF attacks.
+*/
+async function validatePublicUrl(url) {
+	const parsed = new URL(url);
+	if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new UrlError(`Unsupported protocol: ${parsed.protocol}`);
+	let hostname = parsed.hostname;
+	if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.substring(1, hostname.length - 2);
+	if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
+	if ("Deno" in globalThis && !(0, node_net.isIP)(hostname)) {
+		const netPermission = await Deno.permissions.query({ name: "net" });
+		if (netPermission.state !== "granted") return;
+	}
+	if ("Bun" in globalThis) {
+		if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
+		else if (hostname === "fedify-test.internal") throw new UrlError("Invalid or private address: fedify-test.internal");
+	}
+	let addresses;
+	try {
+		addresses = await (0, node_dns_promises.lookup)(hostname, { all: true });
+	} catch {
+		addresses = [];
+	}
+	for (const { address, family } of addresses) if (family === 4 && !isValidPublicIPv4Address(address) || family === 6 && !isValidPublicIPv6Address(address) || family < 4 || family === 5 || family > 6) throw new UrlError(`Invalid or private address: ${address}`);
+}
+function isValidPublicIPv4Address(address) {
+	const parts = address.split(".");
+	const first = parseInt(parts[0]);
+	if (first === 0 || first === 10 || first === 127) return false;
+	const second = parseInt(parts[1]);
+	if (first === 169 && second === 254) return false;
+	if (first === 172 && second >= 16 && second <= 31) return false;
+	if (first === 192 && second === 168) return false;
+	return true;
+}
+function isValidPublicIPv6Address(address) {
+	address = expandIPv6Address(address);
+	if (address.at(4) !== ":") return false;
+	const firstWord = parseInt(address.substring(0, 4), 16);
+	return !(firstWord >= 64512 && firstWord <= 65023 || firstWord >= 65152 && firstWord <= 65215 || firstWord === 0 || firstWord >= 65280);
+}
+function expandIPv6Address(address) {
+	address = address.toLowerCase();
+	if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
+	if (address.startsWith("::")) address = "0000" + address;
+	if (address.endsWith("::")) address = address + "0000";
+	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
+	const parts = address.split(":");
+	return parts.map((part) => part.padStart(4, "0")).join(":");
+}
+
+//#endregion
 //#region src/webfinger/lookup.ts
 const logger = (0, __logtape_logtape.getLogger)([
 	"fedify",
@@ -23,7 +84,7 @@ const DEFAULT_MAX_REDIRECTION = 5;
 */
 async function lookupWebFinger(resource, options = {}) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 	return await tracer.startActiveSpan("webfinger.lookup", {
 		kind: __opentelemetry_api.SpanKind.CLIENT,
 		attributes: {
@@ -66,9 +127,9 @@ async function lookupWebFingerInternal(resource, options = {}) {
 		logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });
 		let response;
 		if (options.allowPrivateAddress !== true) try {
-			await require_docloader.validatePublicUrl(url.href);
+			await validatePublicUrl(url.href);
 		} catch (e) {
-			if (e instanceof require_docloader.UrlError) {
+			if (e instanceof UrlError) {
 				logger.error("Invalid URL for WebFinger resource descriptor: {error}", { error: e });
 				return null;
 			}
@@ -78,7 +139,7 @@ async function lookupWebFingerInternal(resource, options = {}) {
 			response = await fetch(url, {
 				headers: {
 					Accept: "application/jrd+json",
-					"User-Agent": typeof options.userAgent === "string" ? options.userAgent : require_docloader.getUserAgent(options.userAgent)
+					"User-Agent": typeof options.userAgent === "string" ? options.userAgent : require_request.getUserAgent(options.userAgent)
 				},
 				redirect: "manual",
 				signal: options.signal
@@ -129,9 +190,21 @@ async function lookupWebFingerInternal(resource, options = {}) {
 }
 
 //#endregion
+Object.defineProperty(exports, 'UrlError', {
+  enumerable: true,
+  get: function () {
+    return UrlError;
+  }
+});
 Object.defineProperty(exports, 'lookupWebFinger', {
   enumerable: true,
   get: function () {
     return lookupWebFinger;
   }
+});
+Object.defineProperty(exports, 'validatePublicUrl', {
+  enumerable: true,
+  get: function () {
+    return validatePublicUrl;
+  }
 });

package/dist/{middleware-1oxZY_0z.js → middleware-D-vPitR-.js}

@@ -3,21 +3,21 @@
           import { URLPattern } from "urlpattern-polyfill";
         
 import { getDefaultActivityTransformers } from "./transformers-BFT6d7J5.js";
-import { deno_default, getDocumentLoader, kvCache } from "./docloader-AMdJU291.js";
-import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, getTypeId } from "./actor-C0gLJq8I.js";
-import { lookupWebFinger } from "./lookup-BGCuyJRy.js";
-import { exportJwk, importJwk, validateCryptoKey } from "./key-DFefr8X2.js";
-import { doubleKnock, verifyRequest } from "./http-DVQEn98K.js";
-import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-CKXppjee.js";
-import { getNodeInfo, nodeInfoToJson } from "./types-CEn4wB51.js";
-import { getAuthenticatedDocumentLoader } from "./authdocloader-6F9IP-VO.js";
-import { lookupObject, traverseCollection } from "./vocab-CkWH9P5l.js";
+import { deno_default } from "./request-DKGQaofB.js";
+import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, getTypeId } from "./actor-DPD6Gbdn.js";
+import { lookupWebFinger } from "./lookup-BV3A9Zbc.js";
+import { doubleKnock, exportJwk, importJwk, validateCryptoKey, verifyRequest } from "./http-DcDb8r1W.js";
+import { detachSignature, doesActorOwnKey, getKeyOwner, hasSignature, signJsonLd, signObject, verifyJsonLd, verifyObject } from "./proof-CLwByIT1.js";
+import { getNodeInfo, nodeInfoToJson } from "./types-DaPoJTSc.js";
+import { getAuthenticatedDocumentLoader, kvCache } from "./kv-cache-ydIs4Ul6.js";
+import { lookupObject, traverseCollection } from "./vocab-yFT-fQBj.js";
 import { getLogger, withContext } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";
-import { encodeHex } from "byte-encodings/hex";
+import { getDocumentLoader } from "@fedify/vocab-runtime";
 import { cloneDeep } from "es-toolkit";
 import { Router } from "uri-template-router";
 import { parseTemplate } from "url-template";
+import { encodeHex } from "byte-encodings/hex";
 import { ATTR_HTTP_REQUEST_HEADER, ATTR_HTTP_REQUEST_METHOD, ATTR_HTTP_RESPONSE_HEADER, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_URL_FULL } from "@opentelemetry/semantic-conventions";
 import { domainToASCII } from "node:url";
 
@@ -339,7 +339,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await import("./middleware-DipQbJmB.js");
+		const { FederationImpl: FederationImpl$1 } = await import("./middleware-DzA970CF.js");
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();

package/dist/{middleware-BDqkoMAQ.js → middleware-Dm8sXYUr.js}

@@ -3,23 +3,24 @@
       import { URLPattern } from "urlpattern-polyfill";
       globalThis.addEventListener = () => {};
     
-import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, deno_default, getDocumentLoader, getTypeId, kvCache, lookupWebFinger } from "./type-COb6KNlm.js";
-import { getNodeInfo } from "./client-BS-GE3XI.js";
-import { RouterError, lookupObject, traverseCollection } from "./lookup-C3pnuyiD.js";
-import { nodeInfoToJson } from "./types-BSuWJsOm.js";
-import { exportJwk, importJwk, validateCryptoKey } from "./key-BSJX6n9o.js";
-import { verifyRequest } from "./http-DbyMqL2X.js";
-import { getAuthenticatedDocumentLoader } from "./authdocloader-C8LXxsmU.js";
-import { detachSignature, hasSignature, signJsonLd, verifyJsonLd } from "./ld-CAJ6Q2od.js";
-import { doesActorOwnKey, getKeyOwner } from "./owner-CaIfLBwg.js";
-import { signObject, verifyObject } from "./proof-BQwXHakc.js";
-import { routeActivity } from "./inbox-DQlf_-Dz.js";
-import { FederationBuilderImpl } from "./builder-JjsppXTK.js";
-import { buildCollectionSynchronizationHeader } from "./collection-CcnIw1qY.js";
-import { KvKeyCache } from "./keycache-CcIfdj0m.js";
-import { acceptsJsonLd } from "./negotiation-5NPJL6zp.js";
-import { createExponentialBackoffPolicy } from "./retry-D4GJ670a.js";
-import { extractInboxes, sendActivity } from "./send-DQd3R1Oc.js";
+import { Activity, Collection, CollectionPage, CryptographicKey, Link, Multikey, Object as Object$1, OrderedCollection, OrderedCollectionPage, RouterError, deno_default, getTypeId, lookupObject, lookupWebFinger, traverseCollection } from "./lookup-BbEekiru.js";
+import { getNodeInfo } from "./client-D6-5okV1.js";
+import { nodeInfoToJson } from "./types-C2XVl6gj.js";
+import { exportJwk, importJwk, validateCryptoKey } from "./key-jSvnymAk.js";
+import { verifyRequest } from "./http-DN0v2zoF.js";
+import { detachSignature, hasSignature, signJsonLd, verifyJsonLd } from "./ld-CcsryBo0.js";
+import { doesActorOwnKey, getKeyOwner } from "./owner-n5c_oZ_M.js";
+import { signObject, verifyObject } from "./proof-CsFR7fiS.js";
+import { getAuthenticatedDocumentLoader } from "./docloader-B2BFBGqv.js";
+import { kvCache } from "./kv-cache-DNvS-egZ.js";
+import { routeActivity } from "./inbox-CgGy7Hzc.js";
+import { FederationBuilderImpl } from "./builder-Dn87hy75.js";
+import { buildCollectionSynchronizationHeader } from "./collection-BzWsN9pB.js";
+import { KvKeyCache } from "./keycache-IVLjlAK9.js";
+import { acceptsJsonLd } from "./negotiation-C4nFufNk.js";
+import { createExponentialBackoffPolicy } from "./retry-CfF8Gn4d.js";
+import { extractInboxes, sendActivity } from "./send-eW9JIzQV.js";
+import { getDocumentLoader } from "@fedify/vocab-runtime";
 import { getLogger, withContext } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentelemetry/api";
 import { ATTR_HTTP_REQUEST_HEADER, ATTR_HTTP_REQUEST_METHOD, ATTR_HTTP_RESPONSE_HEADER, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_URL_FULL } from "@opentelemetry/semantic-conventions";

package/dist/middleware-DzA970CF.js

@@ -0,0 +1,16 @@
+
+          import { Temporal } from "@js-temporal/polyfill";
+          import { URLPattern } from "urlpattern-polyfill";
+        
+import "./transformers-BFT6d7J5.js";
+import "./request-DKGQaofB.js";
+import "./actor-DPD6Gbdn.js";
+import { ContextImpl, FederationImpl, InboxContextImpl, KvSpecDeterminer, createFederation } from "./middleware-D-vPitR-.js";
+import "./lookup-BV3A9Zbc.js";
+import "./http-DcDb8r1W.js";
+import "./proof-CLwByIT1.js";
+import "./types-DaPoJTSc.js";
+import "./kv-cache-ydIs4Ul6.js";
+import "./vocab-yFT-fQBj.js";
+
+export { FederationImpl };

package/dist/middleware-VpoC5jyA.js

@@ -0,0 +1,26 @@
+
+      import { Temporal } from "@js-temporal/polyfill";
+      import { URLPattern } from "urlpattern-polyfill";
+      globalThis.addEventListener = () => {};
+    
+import "./lookup-BbEekiru.js";
+import { ContextImpl, FederationImpl, InboxContextImpl, KvSpecDeterminer, createFederation } from "./middleware-Dm8sXYUr.js";
+import "./client-D6-5okV1.js";
+import "./types-C2XVl6gj.js";
+import "./actor-Cg8ZhoVF.js";
+import "./key-jSvnymAk.js";
+import "./http-DN0v2zoF.js";
+import "./ld-CcsryBo0.js";
+import "./owner-n5c_oZ_M.js";
+import "./proof-CsFR7fiS.js";
+import "./docloader-B2BFBGqv.js";
+import "./kv-cache-DNvS-egZ.js";
+import "./inbox-CgGy7Hzc.js";
+import "./builder-Dn87hy75.js";
+import "./collection-BzWsN9pB.js";
+import "./keycache-IVLjlAK9.js";
+import "./negotiation-C4nFufNk.js";
+import "./retry-CfF8Gn4d.js";
+import "./send-eW9JIzQV.js";
+
+export { FederationImpl };

package/dist/middleware-W_-inBoE.cjs

@@ -0,0 +1,16 @@
+
+          const { Temporal } = require("@js-temporal/polyfill");
+          const { URLPattern } = require("urlpattern-polyfill");
+        
+require('./transformers-CoBS-oFG.cjs');
+require('./request-XHWUW2bi.cjs');
+require('./actor-D020hlx3.cjs');
+const require_middleware = require('./middleware-ekn2KaOw.cjs');
+require('./lookup-CMAGfQ1Q.cjs');
+require('./http-DMsjudj8.cjs');
+require('./proof-CZfrp13P.cjs');
+require('./types-BT0xc4-R.cjs');
+require('./kv-cache-BHIupktM.cjs');
+require('./vocab-CxTuoEVd.cjs');
+
+exports.FederationImpl = require_middleware.FederationImpl;

package/dist/{middleware-D0XMPoN8.cjs → middleware-ekn2KaOw.cjs}

@@ -4,21 +4,21 @@
         
 const require_chunk = require('./chunk-DqRYRqnO.cjs');
 const require_transformers = require('./transformers-CoBS-oFG.cjs');
-const require_docloader = require('./docloader-BdF5STdg.cjs');
-const require_actor = require('./actor-CsRJa7wV.cjs');
-const require_lookup = require('./lookup-B2Bsau2g.cjs');
-const require_key = require('./key-D-RgWfcf.cjs');
-const require_http = require('./http-D_BI5KHC.cjs');
-const require_proof = require('./proof-AhyVJcNZ.cjs');
-const require_types = require('./types-DI0yutHB.cjs');
-const require_authdocloader = require('./authdocloader-BkuVo8LL.cjs');
-const require_vocab = require('./vocab-NZXL5Pr-.cjs');
+const require_request = require('./request-XHWUW2bi.cjs');
+const require_actor = require('./actor-D020hlx3.cjs');
+const require_lookup = require('./lookup-CMAGfQ1Q.cjs');
+const require_http = require('./http-DMsjudj8.cjs');
+const require_proof = require('./proof-CZfrp13P.cjs');
+const require_types = require('./types-BT0xc4-R.cjs');
+const require_kv_cache = require('./kv-cache-BHIupktM.cjs');
+const require_vocab = require('./vocab-CxTuoEVd.cjs');
 const __logtape_logtape = require_chunk.__toESM(require("@logtape/logtape"));
 const __opentelemetry_api = require_chunk.__toESM(require("@opentelemetry/api"));
-const byte_encodings_hex = require_chunk.__toESM(require("byte-encodings/hex"));
+const __fedify_vocab_runtime = require_chunk.__toESM(require("@fedify/vocab-runtime"));
 const es_toolkit = require_chunk.__toESM(require("es-toolkit"));
 const uri_template_router = require_chunk.__toESM(require("uri-template-router"));
 const url_template = require_chunk.__toESM(require("url-template"));
+const byte_encodings_hex = require_chunk.__toESM(require("byte-encodings/hex"));
 const __opentelemetry_semantic_conventions = require_chunk.__toESM(require("@opentelemetry/semantic-conventions"));
 const node_url = require_chunk.__toESM(require("node:url"));
 
@@ -143,7 +143,7 @@ async function routeActivity({ context: ctx, json, activity, recipient, inboxLis
 		return "enqueued";
 	}
 	tracerProvider = tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 	return await tracer.startActiveSpan("activitypub.dispatch_inbox_listener", { kind: __opentelemetry_api.SpanKind.INTERNAL }, async (span$1) => {
 		const dispatched = inboxListeners?.dispatchWithClass(activity);
 		if (dispatched == null) {
@@ -340,7 +340,7 @@ var FederationBuilderImpl = class {
 		this.collectionTypeIds = {};
 	}
 	async build(options) {
-		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-mLaQeD_Z.cjs"));
+		const { FederationImpl: FederationImpl$1 } = await Promise.resolve().then(() => require("./middleware-W_-inBoE.cjs"));
 		const f = new FederationImpl$1(options);
 		const trailingSlashInsensitiveValue = f.router.trailingSlashInsensitive;
 		f.router = this.router.clone();
@@ -366,7 +366,7 @@ var FederationBuilderImpl = class {
 		return f;
 	}
 	_getTracer() {
-		return __opentelemetry_api.trace.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+		return __opentelemetry_api.trace.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 	}
 	setActorDispatcher(path, dispatcher) {
 		if (this.router.has("actor")) throw new RouterError("Actor dispatcher already set.");
@@ -1113,7 +1113,7 @@ async function handleObject(request, { values, context: context$2, objectDispatc
 async function handleCollection(request, { name, identifier, uriGetter, filter, filterPredicate, context: context$2, collectionCallbacks, tracerProvider, onUnauthorized, onNotFound }) {
 	const spanName = name.trim().replace(/\s+/g, "_");
 	tracerProvider = tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 	const url = new URL(request.url);
 	const cursor = url.searchParams.get("cursor");
 	if (collectionCallbacks == null) return await onNotFound(request);
@@ -1290,7 +1290,7 @@ function filterCollectionItems(items, collectionName, filterPredicate) {
 */
 async function handleInbox(request, options) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 	return await tracer.startActiveSpan("activitypub.inbox", {
 		kind: options.queue == null ? __opentelemetry_api.SpanKind.SERVER : __opentelemetry_api.SpanKind.PRODUCER,
 		attributes: { "activitypub.shared_inbox": options.recipient == null }
@@ -1642,7 +1642,7 @@ var CustomCollectionHandler = class {
 		this.CollectionPage = CollectionPage$1;
 		this.filterPredicate = filterPredicate;
 		this.name = this.name.trim().replace(/\s+/g, "_");
-		this.#tracer = this.tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+		this.#tracer = this.tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 		this.#id = new URL(this.context.url);
 		this.#dispatcher = callbacks.dispatcher.bind(callbacks);
 	}
@@ -2233,7 +2233,7 @@ function extractInboxes({ recipients, preferSharedInbox, excludeBaseUris }) {
 */
 function sendActivity(options) {
 	const tracerProvider = options.tracerProvider ?? __opentelemetry_api.trace.getTracerProvider();
-	const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+	const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 	return tracer.startActiveSpan("activitypub.send_activity", {
 		kind: __opentelemetry_api.SpanKind.CLIENT,
 		attributes: { "activitypub.shared_inbox": options.sharedInbox ?? false }
@@ -2404,8 +2404,8 @@ var FederationImpl = class extends FederationBuilderImpl {
 		const { allowPrivateAddress, userAgent } = options;
 		this.allowPrivateAddress = allowPrivateAddress ?? false;
 		this.documentLoaderFactory = options.documentLoaderFactory ?? ((opts) => {
-			return require_docloader.kvCache({
-				loader: require_docloader.getDocumentLoader({
+			return require_kv_cache.kvCache({
+				loader: (0, __fedify_vocab_runtime.getDocumentLoader)({
 					allowPrivateAddress: opts?.allowPrivateAddress ?? allowPrivateAddress,
 					userAgent: opts?.userAgent ?? userAgent
 				}),
@@ -2414,7 +2414,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 			});
 		});
 		this.contextLoaderFactory = options.contextLoaderFactory ?? this.documentLoaderFactory;
-		this.authenticatedDocumentLoaderFactory = options.authenticatedDocumentLoaderFactory ?? ((identity) => require_authdocloader.getAuthenticatedDocumentLoader(identity, {
+		this.authenticatedDocumentLoaderFactory = options.authenticatedDocumentLoaderFactory ?? ((identity) => require_kv_cache.getAuthenticatedDocumentLoader(identity, {
 			allowPrivateAddress,
 			userAgent,
 			specDeterminer: new KvSpecDeterminer(this.kv, this.kvPrefixes.httpMessageSignaturesSpec, options.firstKnock),
@@ -2435,7 +2435,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		this.router.add("/.well-known/nodeinfo", "nodeInfoJrd");
 	}
 	_getTracer() {
-		return this.tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+		return this.tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 	}
 	async _startQueueInternal(ctxData, signal, queue) {
 		if (this.inboxQueue == null && this.outboxQueue == null) return;
@@ -2533,7 +2533,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		});
 		const keys = await Promise.all(message.keys.map(async ({ keyId, privateKey }) => ({
 			keyId: new URL(keyId),
-			privateKey: await require_key.importJwk(privateKey, "private")
+			privateKey: await require_http.importJwk(privateKey, "private")
 		})));
 		const activity = await require_actor.Activity.fromJsonLd(message.activity, {
 			contextLoader: this.contextLoaderFactory({
@@ -2574,7 +2574,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		for (const { keyId, privateKey } of message.keys) {
 			const pair = {
 				keyId: new URL(keyId),
-				privateKey: await require_key.importJwk(privateKey, "private")
+				privateKey: await require_http.importJwk(privateKey, "private")
 			};
 			if (rsaKeyPair == null && pair.privateKey.algorithm.name === "RSASSA-PKCS1-v1_5") rsaKeyPair = pair;
 			keys.push(pair);
@@ -2809,7 +2809,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		let proofCreated = false;
 		let rsaKey = null;
 		for (const { keyId, privateKey } of keys) {
-			require_key.validateCryptoKey(privateKey, "private");
+			require_http.validateCryptoKey(privateKey, "private");
 			if (rsaKey == null && privateKey.algorithm.name === "RSASSA-PKCS1-v1_5") {
 				rsaKey = {
 					keyId,
@@ -2877,7 +2877,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 		});
 		const keyJwkPairs = [];
 		for (const { keyId, privateKey } of keys) {
-			const privateKeyJwk = await require_key.exportJwk(privateKey);
+			const privateKeyJwk = await require_http.exportJwk(privateKey);
 			keyJwkPairs.push({
 				keyId: keyId.href,
 				privateKey: privateKeyJwk
@@ -3577,7 +3577,7 @@ var ContextImpl = class ContextImpl {
 		});
 	}
 	sendActivity(sender, recipients, activity, options = {}) {
-		const tracer = this.tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+		const tracer = this.tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 		return tracer.startActiveSpan(this.federation.outboxQueue == null || options.immediate ? "activitypub.outbox" : "activitypub.fanout", {
 			kind: this.federation.outboxQueue == null || options.immediate ? __opentelemetry_api.SpanKind.CLIENT : __opentelemetry_api.SpanKind.PRODUCER,
 			attributes: {
@@ -3634,7 +3634,7 @@ var ContextImpl = class ContextImpl {
 			keys = sender;
 		} else keys = [sender];
 		if (keys.length < 1) throw new TypeError("The sender's keys must not be empty.");
-		for (const { privateKey } of keys) require_key.validateCryptoKey(privateKey, "private");
+		for (const { privateKey } of keys) require_http.validateCryptoKey(privateKey, "private");
 		const opts = { context: this };
 		let expandedRecipients;
 		if (Array.isArray(recipients)) expandedRecipients = recipients;
@@ -3675,7 +3675,7 @@ var ContextImpl = class ContextImpl {
 		}
 		const keyJwkPairs = await Promise.all(keys.map(async ({ keyId, privateKey }) => ({
 			keyId: keyId.href,
-			privateKey: await require_key.exportJwk(privateKey)
+			privateKey: await require_http.exportJwk(privateKey)
 		})));
 		const carrier = {};
 		__opentelemetry_api.propagation.inject(__opentelemetry_api.context.active(), carrier);
@@ -3723,7 +3723,7 @@ var ContextImpl = class ContextImpl {
 	}
 	routeActivity(recipient, activity, options = {}) {
 		const tracerProvider = this.tracerProvider ?? this.tracerProvider;
-		const tracer = tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+		const tracer = tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 		return tracer.startActiveSpan("activitypub.inbox", {
 			kind: this.federation.inboxQueue == null || options.immediate ? __opentelemetry_api.SpanKind.INTERNAL : __opentelemetry_api.SpanKind.PRODUCER,
 			attributes: { "activitypub.activity.type": require_actor.getTypeId(activity).href }
@@ -3941,7 +3941,7 @@ var InboxContextImpl = class InboxContextImpl extends ContextImpl {
 		});
 	}
 	forwardActivity(forwarder, recipients, options) {
-		const tracer = this.tracerProvider.getTracer(require_docloader.deno_default.name, require_docloader.deno_default.version);
+		const tracer = this.tracerProvider.getTracer(require_request.deno_default.name, require_request.deno_default.version);
 		return tracer.startActiveSpan("activitypub.outbox", {
 			kind: this.federation.outboxQueue == null || options?.immediate ? __opentelemetry_api.SpanKind.CLIENT : __opentelemetry_api.SpanKind.PRODUCER,
 			attributes: { "activitypub.activity.type": this.activityType }
@@ -4042,7 +4042,7 @@ var InboxContextImpl = class InboxContextImpl extends ContextImpl {
 		});
 		const keyJwkPairs = [];
 		for (const { keyId, privateKey } of keys) {
-			const privateKeyJwk = await require_key.exportJwk(privateKey);
+			const privateKeyJwk = await require_http.exportJwk(privateKey);
 			keyJwkPairs.push({
 				keyId: keyId.href,
 				privateKey: privateKeyJwk

package/dist/{mod-CxkWO3Mg.d.cts → mod--K7l84wp.d.cts}

@@ -1,5 +1,6 @@
-import { DocumentLoader, GetUserAgentOptions } from "./docloader-D-MrRyHl.cjs";
-import { Collection, Link, Object as Object$1 } from "./vocab-Dw1-yVGg.cjs";
+import { GetUserAgentOptions } from "./request-BbHkedIU.cjs";
+import { Collection, Link, Object as Object$1 } from "./vocab-DCBw44JZ.cjs";
+import { DocumentLoader } from "@fedify/vocab-runtime";
 import { TracerProvider } from "@opentelemetry/api";
 
 //#region src/vocab/lookup.d.ts

package/dist/{mod-DBzN0aCM.d.ts → mod-CB80AlIA.d.ts}

@@ -1,6 +1,6 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { GetUserAgentOptions } from "./docloader-CxWcuWqQ.js";
+import { GetUserAgentOptions } from "./request-U1t6zZtk.js";
 import { TracerProvider } from "@opentelemetry/api";
 
 //#region src/webfinger/jrd.d.ts

package/dist/mod-CLKu6Uo_.d.cts

@@ -0,0 +1,107 @@
+import { HttpMessageSignaturesSpecDeterminer } from "./http-B6SKO6NJ.cjs";
+import { KvKey, KvStore } from "./kv-BMKIFXNW.cjs";
+import { DocumentLoader, DocumentLoaderFactoryOptions } from "@fedify/vocab-runtime";
+import { TracerProvider } from "@opentelemetry/api";
+
+//#region src/utils/docloader.d.ts
+/**
+ * Options for {@link getAuthenticatedDocumentLoader}.
+ * @see {@link getAuthenticatedDocumentLoader}
+ * @since 1.3.0
+ */
+interface GetAuthenticatedDocumentLoaderOptions extends DocumentLoaderFactoryOptions {
+  /**
+   * An optional spec determiner for HTTP Message Signatures.
+   * It determines the spec to use for signing requests.
+   * It is used for double-knocking
+   * (see <https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions>).
+   * @since 1.6.0
+   */
+  specDeterminer?: HttpMessageSignaturesSpecDeterminer;
+  /**
+   * The OpenTelemetry tracer provider.  If omitted, the global tracer provider
+   * is used.
+   * @since 1.6.0
+   */
+  tracerProvider?: TracerProvider;
+}
+/**
+ * Gets an authenticated {@link DocumentLoader} for the given identity.
+ * Note that an authenticated document loader intentionally does not cache
+ * the fetched documents.
+ * @param identity The identity to get the document loader for.
+ *                 The actor's key pair.
+ * @param options The options for the document loader.
+ * @returns The authenticated document loader.
+ * @throws {TypeError} If the key is invalid or unsupported.
+ * @since 0.4.0
+ */
+declare function getAuthenticatedDocumentLoader(identity: {
+  keyId: URL;
+  privateKey: CryptoKey;
+}, {
+  allowPrivateAddress,
+  userAgent,
+  specDeterminer,
+  tracerProvider
+}?: GetAuthenticatedDocumentLoaderOptions): DocumentLoader;
+/**
+ * A JSON-LD document loader that utilizes the browser's `fetch` API.
+ *
+ * This loader preloads the below frequently used contexts:
+ *
+ * - <https://www.w3.org/ns/activitystreams>
+ * - <https://w3id.org/security/v1>
+ * - <https://w3id.org/security/data-integrity/v1>
+ * - <https://www.w3.org/ns/did/v1>
+ * - <https://w3id.org/security/multikey/v1>
+ * - <https://purl.archive.org/socialweb/webfinger>
+ * - <http://schema.org/>
+ * @param url The URL of the document to load.
+ * @param allowPrivateAddress Whether to allow fetching private network
+ *                            addresses.  Turned off by default.
+ * @returns The remote document.
+ * @deprecated Use {@link getDocumentLoader} instead.
+ */
+//#endregion
+//#region src/utils/kv-cache.d.ts
+/**
+ * The parameters for {@link kvCache} function.
+ */
+interface KvCacheParameters {
+  /**
+   * The document loader to decorate with a cache.
+   */
+  loader: DocumentLoader;
+  /**
+   * The key–value store to use for backing the cache.
+   */
+  kv: KvStore;
+  /**
+   * The key prefix to use for namespacing the cache.
+   * `["_fedify", "remoteDocument"]` by default.
+   */
+  prefix?: KvKey;
+  /**
+   * The per-URL cache rules in the array of `[urlPattern, duration]` pairs
+   * where `urlPattern` is either a string, a {@link URL}, or
+   * a {@link URLPattern} and `duration` is a {@link Temporal.Duration}.
+   * The `duration` is allowed to be at most 30 days.
+   *
+   * By default, 5 minutes for all URLs.
+   */
+  rules?: [string | URL | URLPattern, Temporal.Duration][];
+}
+/**
+ * Decorates a {@link DocumentLoader} with a cache backed by a {@link Deno.Kv}.
+ * @param parameters The parameters for the cache.
+ * @returns The decorated document loader which is cache-enabled.
+ */
+declare function kvCache({
+  loader,
+  kv,
+  prefix,
+  rules
+}: KvCacheParameters): DocumentLoader;
+//#endregion
+export { getAuthenticatedDocumentLoader, kvCache };

package/dist/{mod-Djzcw2ry.d.cts → mod-COlOrmr9.d.cts}

@@ -1,6 +1,6 @@
-import { DocumentLoader } from "./docloader-D-MrRyHl.cjs";
-import { CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1 } from "./vocab-Dw1-yVGg.cjs";
-import { KeyCache } from "./http-D-e6AFwR.cjs";
+import { CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1 } from "./vocab-DCBw44JZ.cjs";
+import { KeyCache } from "./http-B6SKO6NJ.cjs";
+import { DocumentLoader } from "@fedify/vocab-runtime";
 import { TracerProvider } from "@opentelemetry/api";
 
 //#region src/sig/ld.d.ts

package/dist/{mod-DlU8ISoa.d.ts → mod-CRENK2dd.d.ts}

@@ -1,8 +1,9 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { DocumentLoader, GetUserAgentOptions } from "./docloader-CxWcuWqQ.js";
-import { Collection, Link, Object as Object$1 } from "./vocab-BI0Ak5lL.js";
+import { GetUserAgentOptions } from "./request-U1t6zZtk.js";
+import { Collection, Link, Object as Object$1 } from "./vocab-ivDKb439.js";
 import { TracerProvider } from "@opentelemetry/api";
+import { DocumentLoader } from "@fedify/vocab-runtime";
 
 //#region src/vocab/lookup.d.ts
 /**

package/dist/{mod-DcKxhFQ8.d.ts → mod-CaWbCg0N.d.ts}

@@ -1,7 +1,7 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { Activity } from "./vocab-BI0Ak5lL.js";
-import { ActivityTransformer, Context } from "./context-B1X8-X33.js";
+import { Activity } from "./vocab-ivDKb439.js";
+import { ActivityTransformer, Context } from "./context-DqFifMwj.js";
 
 //#region src/compat/transformers.d.ts