@fedify/fedify 2.1.0 → 2.1.2

package/dist/sig/{http.test.js → http.test.mjs}

@@ -1,37 +1,28 @@
-
-      import { Temporal } from "@js-temporal/polyfill";
-      import { URLPattern } from "urlpattern-polyfill";
-      globalThis.addEventListener = () => {};
-    
-import { esm_default } from "../esm-nLm00z9V.js";
-import { assertEquals } from "../assert_equals-DSbWqCm3.js";
-import { assert } from "../assert-MZs1qjMx.js";
-import "../assert_instance_of-DHz7EHNU.js";
-import "../deno-BRMCYThi.js";
-import "../accept-D7sAxyNa.js";
-import { exportJwk } from "../key-BsSCz8Z_.js";
-import { createRfc9421SignatureBase, doubleKnock, formatRfc9421Signature, formatRfc9421SignatureParameters, parseRfc9421Signature, parseRfc9421SignatureInput, signRequest, timingSafeEqual, verifyRequest, verifyRequestDetailed } from "../http-CKDim8Tw.js";
-import { assertExists, assertStringIncludes } from "../std__assert-X-_kMxKM.js";
-import { assertFalse, assertRejects } from "../assert_rejects-0h7I2Esa.js";
-import { assertThrows } from "../assert_throws-rjdMBf31.js";
-import "../assert_not_equals-f3m3epl3.js";
-import { rsaPrivateKey2, rsaPublicKey1, rsaPublicKey2, rsaPublicKey5 } from "../keys-BFve7QQv.js";
+import { Temporal } from "@js-temporal/polyfill";
+import "urlpattern-polyfill";
+globalThis.addEventListener = () => {};
+import { t as esm_default } from "../esm-DVILvP5e.mjs";
+import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
+import { a as assertExists, t as assertStringIncludes } from "../std__assert-Duiq_YC9.mjs";
+import { n as assertFalse, t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
+import { t as assert } from "../assert-ddO5KLpe.mjs";
+import { t as exportJwk } from "../key-1MaItIGc.mjs";
+import { a as parseRfc9421Signature, c as timingSafeEqual, i as formatRfc9421SignatureParameters, l as verifyRequest, n as doubleKnock, o as parseRfc9421SignatureInput, r as formatRfc9421Signature, s as signRequest, t as createRfc9421SignatureBase, u as verifyRequestDetailed } from "../http-BTLPIzFa.mjs";
+import { i as rsaPrivateKey2, l as rsaPublicKey5, o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-BAK-tUlf.mjs";
 import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { FetchError, exportSpki } from "@fedify/vocab-runtime";
 import { encodeBase64 } from "byte-encodings/base64";
-
 //#region src/sig/http.test.ts
 test("signRequest() [draft-cavage]", async () => {
-	const request = new Request("https://example.com/", {
+	assertEquals(await verifyRequest(await signRequest(new Request("https://example.com/", {
 		method: "POST",
 		body: "Hello, world!",
 		headers: {
 			"Content-Type": "text/plain; charset=utf-8",
 			Accept: "text/plain"
 		}
-	});
-	const signed = await signRequest(request, rsaPrivateKey2, new URL("https://example.com/key2"));
-	assertEquals(await verifyRequest(signed, {
+	}), rsaPrivateKey2, new URL("https://example.com/key2")), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader
 	}), rsaPublicKey2);
@@ -57,8 +48,8 @@ test("verifyRequest() [draft-cavage]", async () => {
 			get(keyId) {
 				return Promise.resolve(cache[keyId.href]);
 			},
-			set(keyId, key$1) {
-				cache[keyId.href] = key$1;
+			set(keyId, key) {
+				cache[keyId.href] = key;
 				return Promise.resolve();
 			}
 		}
@@ -146,7 +137,7 @@ test("verifyRequest() [draft-cavage]", async () => {
 		currentTime: Temporal.Instant.from("2025-01-01T00:00:00.0000Z"),
 		timeWindow: false
 	}), rsaPublicKey1);
-	const request2 = new Request("https://c27a97f98d5f.ngrok.app/i/inbox", {
+	assert(await verifyRequest(new Request("https://c27a97f98d5f.ngrok.app/i/inbox", {
 		method: "POST",
 		body: "{\"@context\":[\"https://www.w3.org/ns/activitystreams\",\"https://w3id.org/security/v1\"],\"actor\":\"https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd\",\"object\":{\"actor\":\"https://c27a97f98d5f.ngrok.app/i\",\"object\":\"https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd\",\"type\":\"Follow\",\"id\":\"https://c27a97f98d5f.ngrok.app/i#follows/https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd\"},\"type\":\"Accept\",\"id\":\"https://oeee.cafe/objects/0fc2608f-5660-4b91-b8c7-63c0c2ac2e20\"}",
 		headers: {
@@ -156,12 +147,10 @@ test("verifyRequest() [draft-cavage]", async () => {
 			Digest: "SHA-256=YZyjeVQW5GwliJowASkteBJhFBTq3eQk/AMqRETc//A=",
 			Signature: "keyId=\"https://oeee.cafe/ap/users/3609fd4e-d51d-4db8-9f04-4189815864dd#main-key\",algorithm=\"hs2019\",created=\"1756126694\",expires=\"1756130294\",headers=\"(request-target) (created) (expires) content-type date digest host\",signature=\"XFb0jl2uMhE7RhbneE9sK9Zls2qZec8iy6+9O8UgDQeBGJThORFLjXKlps4QO1WAf1YSVB/i5aV6yF+h73Lm3ZiuAJDx1h+00iLsxoYuIw1CZvF0V2jELoo3sQ2/ZzqeoO6H5TbK7tKnU+ulFAPTuJgjIvPwYl11OMRouVS34NiaHP9Yx9pU813TLv37thG/hUKanyq8kk0IJWtDWteY/zxDvzoe7VOkBXVBHslMyrNAI/5JGulVQAQp/E61dJAhTHHIyGxkc/7iutWFZuqFXIiPJ9KR2OuKDj/B32hEzlsf5xH/CjqOJPIg1qMK8FzDiALCq6zjiKIBEnW8HQc/hQ==\""
 		}
-	});
-	const options2 = {
+	}), {
 		...options,
 		currentTime: Temporal.Instant.from("2025-08-25T12:58:14Z")
-	};
-	assert(await verifyRequest(request2, options2) != null);
+	}) != null);
 });
 test("verifyRequestDetailed() classifies malformed signatures as invalid", async () => {
 	const draftMissingKeyId = await verifyRequestDetailed(new Request("https://example.com/", {
@@ -214,7 +203,7 @@ test("verifyRequestDetailed() classifies malformed signatures as invalid", async
 test("verifyRequestDetailed() records failure details on span", async () => {
 	const [tracerProvider, exporter] = createTestTracerProvider();
 	const keyId = new URL("https://gone.example/actors/alice#main-key");
-	const request = await signRequest(new Request("https://example.com/inbox", {
+	assertFalse((await verifyRequestDetailed(await signRequest(new Request("https://example.com/inbox", {
 		method: "POST",
 		headers: {
 			"Content-Type": "application/activity+json",
@@ -225,16 +214,14 @@ test("verifyRequestDetailed() records failure details on span", async () => {
 			type: "Create",
 			actor: "https://gone.example/actors/alice"
 		})
-	}), rsaPrivateKey2, keyId);
-	const result = await verifyRequestDetailed(request, {
+	}), rsaPrivateKey2, keyId), {
 		tracerProvider,
 		contextLoader: mockDocumentLoader,
 		documentLoader(url) {
 			if (url === keyId.href) throw new FetchError(keyId, `HTTP 410: ${keyId.href}`, new Response(null, { status: 410 }));
 			return mockDocumentLoader(url);
 		}
-	});
-	assertFalse(result.verified);
+	})).verified);
 	const spans = exporter.getSpans("http_signatures.verify");
 	assertEquals(spans.length, 1);
 	const span = spans[0];
@@ -282,9 +269,7 @@ test("signRequest() and verifyRequest() [rfc9421] implementation", async () => {
 	const contentDigest = signed.headers.get("Content-Digest");
 	assertExists(contentDigest);
 	assert(contentDigest.startsWith("sha-256=:"), "Content-Digest should use RFC 9421 format");
-	const expectedDigest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(requestBody));
-	const expectedDigestBase64 = encodeBase64(expectedDigest);
-	assertEquals(contentDigest, `sha-256=:${expectedDigestBase64}:`, "Content-Digest should have correct value");
+	assertEquals(contentDigest, `sha-256=:${encodeBase64(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(requestBody)))}:`, "Content-Digest should have correct value");
 	const signature = signed.headers.get("Signature");
 	assertExists(signature);
 	const sigFormat = /^sig1=:([A-Za-z0-9+/]+=*):/;
@@ -305,25 +290,22 @@ test("signRequest() and verifyRequest() [rfc9421] implementation", async () => {
 	assertEquals(parsedSig.sig1.byteLength > 0, true, "Signature value should be a non-empty Uint8Array");
 	const verifyHeaders = new Headers();
 	for (const [name, value] of signed.headers.entries()) if (name !== "Signature" && name !== "Signature-Input") verifyHeaders.set(name, value);
-	const reconstructedRequest = new Request(request.url, {
+	const reconstructedBase = createRfc9421SignatureBase(new Request(request.url, {
 		method: request.method,
 		headers: verifyHeaders
-	});
-	const reconstructedBase = createRfc9421SignatureBase(reconstructedRequest, parsedInput.sig1.components, parsedInput.sig1.parameters);
+	}), parsedInput.sig1.components, parsedInput.sig1.parameters);
 	const signatureBytes = new Uint8Array(parsedSig.sig1);
-	const signatureVerifies = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", rsaPublicKey2.publicKey, signatureBytes, new TextEncoder().encode(reconstructedBase));
-	assert(signatureVerifies, "Manual verification of signature should succeed");
+	assert(await crypto.subtle.verify("RSASSA-PKCS1-v1_5", rsaPublicKey2.publicKey, signatureBytes, new TextEncoder().encode(reconstructedBase)), "Manual verification of signature should succeed");
 });
 test("createRfc9421SignatureBase()", () => {
-	const request = new Request("https://example.com/path?query=value", {
+	assertEquals(createRfc9421SignatureBase(new Request("https://example.com/path?query=value", {
 		method: "POST",
 		headers: {
 			Host: "example.com",
 			Date: "Tue, 05 Mar 2024 07:49:44 GMT",
 			"Content-Type": "text/plain"
 		}
-	});
-	const components = [
+	}), [
 		{
 			value: "@method",
 			params: {}
@@ -340,21 +322,17 @@ test("createRfc9421SignatureBase()", () => {
 			value: "date",
 			params: {}
 		}
-	];
-	const created = 1709626184;
-	const signatureBase = createRfc9421SignatureBase(request, components, formatRfc9421SignatureParameters({
+	], formatRfc9421SignatureParameters({
 		algorithm: "rsa-v1_5-sha256",
 		keyId: new URL("https://example.com/key"),
-		created
-	}));
-	const expected = [
+		created: 1709626184
+	})), [
 		`"@method": POST`,
 		`"@target-uri": https://example.com/path?query=value`,
 		`"host": example.com`,
 		`"date": Tue, 05 Mar 2024 07:49:44 GMT`,
 		`"@signature-params": ("@method" "@target-uri" "host" "date");alg="rsa-v1_5-sha256";keyid="https://example.com/key";created=1709626184`
-	].join("\n");
-	assertEquals(signatureBase, expected);
+	].join("\n"));
 });
 test("formatRfc9421Signature()", () => {
 	const signature = new Uint8Array([
@@ -365,7 +343,7 @@ test("formatRfc9421Signature()", () => {
 	]);
 	const keyId = new URL("https://example.com/key");
 	const algorithm = "rsa-v1_5-sha256";
-	const components = [
+	const [signatureInput, signatureHeader] = formatRfc9421Signature(signature, [
 		{
 			"value": "@method",
 			params: {}
@@ -378,19 +356,16 @@ test("formatRfc9421Signature()", () => {
 			"value": "host",
 			params: {}
 		}
-	];
-	const created = 1709626184;
-	const [signatureInput, signatureHeader] = formatRfc9421Signature(signature, components, formatRfc9421SignatureParameters({
+	], formatRfc9421SignatureParameters({
 		algorithm,
 		keyId,
-		created
+		created: 1709626184
 	}));
 	assertEquals(signatureInput, `sig1=("@method" "@target-uri" "host");alg="rsa-v1_5-sha256";keyid="https://example.com/key";created=1709626184`);
 	assertEquals(signatureHeader, `sig1=:AQIDBA==:`);
 });
 test("parseRfc9421SignatureInput()", () => {
-	const signatureInput = `sig1=("@method" "@target-uri" "host" "date");keyid="https://example.com/key";alg="rsa-v1_5-sha256";created=1709626184`;
-	const parsed = parseRfc9421SignatureInput(signatureInput);
+	const parsed = parseRfc9421SignatureInput(`sig1=("@method" "@target-uri" "host" "date");keyid="https://example.com/key";alg="rsa-v1_5-sha256";created=1709626184`);
 	assertEquals(parsed.sig1.keyId, "https://example.com/key");
 	assertEquals(parsed.sig1.alg, "rsa-v1_5-sha256");
 	assertEquals(parsed.sig1.created, 1709626184);
@@ -415,8 +390,7 @@ test("parseRfc9421SignatureInput()", () => {
 	assertEquals(parsed.sig1.parameters, "keyid=\"https://example.com/key\";alg=\"rsa-v1_5-sha256\";created=1709626184");
 });
 test("parseRfc9421Signature()", () => {
-	const signature = `sig1=:AQIDBA==:,sig2=:Zm9vYmFy:`;
-	const parsed = parseRfc9421Signature(signature);
+	const parsed = parseRfc9421Signature(`sig1=:AQIDBA==:,sig2=:Zm9vYmFy:`);
 	assertExists(parsed.sig1);
 	assertExists(parsed.sig2);
 	const sig1Bytes = new Uint8Array(parsed.sig1);
@@ -425,37 +399,33 @@ test("parseRfc9421Signature()", () => {
 	assertEquals(sig1Bytes[1], 2);
 	assertEquals(sig1Bytes[2], 3);
 	assertEquals(sig1Bytes[3], 4);
-	const sig2Text = new TextDecoder().decode(parsed.sig2);
-	assertEquals(sig2Text, "foobar");
+	assertEquals(new TextDecoder().decode(parsed.sig2), "foobar");
 });
 test("verifyRequest() [rfc9421] successful GET verification", async () => {
 	const currentTimestamp = 1709626184;
 	const currentTime = Temporal.Instant.from("2024-03-05T08:09:44Z");
-	const validRequest = new Request("https://example.com/api/resource", {
+	assertEquals(await verifyRequest(await signRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: {
 			"Accept": "application/json",
 			"Host": "example.com",
 			"Date": "Tue, 05 Mar 2024 07:49:44 GMT"
 		}
-	});
-	const signedRequest = await signRequest(validRequest, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		currentTime
-	});
-	const verifiedKey = await verifyRequest(signedRequest, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421",
 		currentTime: Temporal.Instant.from(`${(/* @__PURE__ */ new Date(currentTimestamp * 1e3)).toISOString()}`)
-	});
-	assertEquals(verifiedKey, rsaPublicKey2, "Valid signature should verify to the correct public key");
+	}), rsaPublicKey2, "Valid signature should verify to the correct public key");
 });
 test("verifyRequest() [rfc9421] manual POST verification", async () => {
 	const currentTimestamp = 1709626184;
 	const currentTime = Temporal.Instant.from("2024-03-05T08:09:44Z");
 	const postBody = "Test content for signature verification";
-	const postRequest = new Request("https://example.com/api/resource", {
+	const signedPostRequest = await signRequest(new Request("https://example.com/api/resource", {
 		method: "POST",
 		body: postBody,
 		headers: {
@@ -464,8 +434,7 @@ test("verifyRequest() [rfc9421] manual POST verification", async () => {
 			"Host": "example.com",
 			"Date": "Tue, 05 Mar 2024 07:49:44 GMT"
 		}
-	});
-	const signedPostRequest = await signRequest(postRequest, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		currentTime
 	});
@@ -487,61 +456,54 @@ test("verifyRequest() [rfc9421] manual POST verification", async () => {
 	assertExists(parsedSignature.sig1, "Should have a valid signature value");
 	assertEquals(parsedInput.sig1.keyId, "https://example.com/key2", "Signature should have the correct key ID");
 	assertEquals(parsedInput.sig1.created, currentTimestamp, "Signature should have the correct timestamp");
-	const manualRequest = new Request("https://example.com/api/resource", {
+	const signatureBase = createRfc9421SignatureBase(new Request("https://example.com/api/resource", {
 		method: "POST",
 		body: postBody,
 		headers: new Headers(signedPostRequest.headers)
-	});
-	const signatureBase = createRfc9421SignatureBase(manualRequest, parsedInput.sig1.components, parsedInput.sig1.parameters);
-	const signatureVerified = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", rsaPublicKey2.publicKey, parsedSignature.sig1.slice(), new TextEncoder().encode(signatureBase));
-	assert(signatureVerified, "Manual verification of POST signature should succeed");
+	}), parsedInput.sig1.components, parsedInput.sig1.parameters);
+	assert(await crypto.subtle.verify("RSASSA-PKCS1-v1_5", rsaPublicKey2.publicKey, parsedSignature.sig1.slice(), new TextEncoder().encode(signatureBase)), "Manual verification of POST signature should succeed");
 });
 test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 	const currentTimestamp = 1709626184;
 	const currentTime = Temporal.Instant.from("2024-03-05T08:09:44Z");
-	const validRequest = new Request("https://example.com/api/resource", {
+	const signedRequest = await signRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: {
 			"Accept": "application/json",
 			"Host": "example.com",
 			"Date": "Tue, 05 Mar 2024 07:49:44 GMT"
 		}
-	});
-	const signedRequest = await signRequest(validRequest, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		currentTime
 	});
 	const validSignatureInput = signedRequest.headers.get("Signature-Input") || "";
 	const validSignature = signedRequest.headers.get("Signature") || "";
-	const missingInputHeader = new Request("https://example.com/api/resource", {
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: new Headers({
 			"Accept": "application/json",
 			"Host": "example.com",
 			"Signature": validSignature
 		})
-	});
-	const missingInputResult = await verifyRequest(missingInputHeader, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421"
-	});
-	assertEquals(missingInputResult, null, "Should fail verification when Signature-Input header is missing");
-	const missingSignatureHeader = new Request("https://example.com/api/resource", {
+	}), null, "Should fail verification when Signature-Input header is missing");
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: new Headers({
 			"Accept": "application/json",
 			"Host": "example.com",
 			"Signature-Input": validSignatureInput
 		})
-	});
-	const missingSignatureResult = await verifyRequest(missingSignatureHeader, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421"
-	});
-	assertEquals(missingSignatureResult, null, "Should fail verification when Signature header is missing");
-	const tamperedRequest = new Request("https://example.com/api/resource", {
+	}), null, "Should fail verification when Signature header is missing");
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: new Headers({
 			"Accept": "application/json",
@@ -550,14 +512,12 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			"Signature-Input": validSignatureInput,
 			"Signature": "sig1=:AAAAAA==:"
 		})
-	});
-	const tamperedResult = await verifyRequest(tamperedRequest, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421"
-	});
-	assertEquals(tamperedResult, null, "Should fail verification when signature is tampered");
-	const expiredRequest = new Request("https://example.com/api/resource", {
+	}), null, "Should fail verification when signature is tampered");
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: new Headers({
 			"Accept": "application/json",
@@ -566,16 +526,14 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			"Signature-Input": validSignatureInput,
 			"Signature": validSignature
 		})
-	});
-	const expiredResult = await verifyRequest(expiredRequest, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421",
 		currentTime: Temporal.Instant.from(`${(/* @__PURE__ */ new Date((currentTimestamp + 2592e3) * 1e3)).toISOString()}`),
 		timeWindow: { hours: 1 }
-	});
-	assertEquals(expiredResult, null, "Should fail verification when signature timestamp is too old");
-	const futureRequest = new Request("https://example.com/api/resource", {
+	}), null, "Should fail verification when signature timestamp is too old");
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: new Headers({
 			"Accept": "application/json",
@@ -584,16 +542,14 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			"Signature-Input": validSignatureInput,
 			"Signature": validSignature
 		})
-	});
-	const futureResult = await verifyRequest(futureRequest, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421",
 		currentTime: Temporal.Instant.from(`${(/* @__PURE__ */ new Date((currentTimestamp - 2592e3) * 1e3)).toISOString()}`),
 		timeWindow: { hours: 1 }
-	});
-	assertEquals(futureResult, null, "Should fail verification when signature timestamp is in the future");
-	const timeCheckRequest = new Request("https://example.com/api/resource", {
+	}), null, "Should fail verification when signature timestamp is in the future");
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: new Headers({
 			"Accept": "application/json",
@@ -602,16 +558,14 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			"Signature-Input": validSignatureInput,
 			"Signature": validSignature
 		})
-	});
-	const timeDisabledResult = await verifyRequest(timeCheckRequest, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421",
 		currentTime: Temporal.Instant.from(`${(/* @__PURE__ */ new Date((currentTimestamp + 31536e3) * 1e3)).toISOString()}`),
 		timeWindow: false
-	});
-	assertEquals(timeDisabledResult, rsaPublicKey2, "Should verify signature when time checking is disabled");
-	const postRequest = new Request("https://example.com/api/resource", {
+	}), rsaPublicKey2, "Should verify signature when time checking is disabled");
+	const freshSignedPostRequest = await signRequest(new Request("https://example.com/api/resource", {
 		method: "POST",
 		body: "Test content for signature verification",
 		headers: {
@@ -620,15 +574,14 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			"Host": "example.com",
 			"Date": "Tue, 05 Mar 2024 07:49:44 GMT"
 		}
-	});
-	const freshSignedPostRequest = await signRequest(postRequest, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		currentTime
 	});
 	const postSignatureInput = freshSignedPostRequest.headers.get("Signature-Input") || "";
 	const postSignature = freshSignedPostRequest.headers.get("Signature") || "";
 	const postContentDigest = freshSignedPostRequest.headers.get("Content-Digest") || "";
-	const tamperDigestRequest = new Request("https://example.com/api/resource", {
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "POST",
 		body: "This content won't match the digest",
 		headers: new Headers({
@@ -639,22 +592,19 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			"Signature": postSignature,
 			"Content-Digest": postContentDigest
 		})
-	});
-	const tamperDigestResult = await verifyRequest(tamperDigestRequest, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421",
 		currentTime: Temporal.Instant.from(`${(/* @__PURE__ */ new Date(currentTimestamp * 1e3)).toISOString()}`)
-	});
-	assertEquals(tamperDigestResult, null, "Should fail verification with invalid Content-Digest");
+	}), null, "Should fail verification with invalid Content-Digest");
 	const testRequest = new Request("https://example.com/", { headers: new Headers({
 		"Date": "Tue, 05 Mar 2024 07:49:44 GMT",
 		"Host": "example.com",
 		"Signature-Input": `sig1=("@method" "@target-uri" "host" "date");keyid="https://example.com/key";alg="rsa-v1_5-sha256";created=1709626184`,
 		"Signature": `sig1=:YXNkZmprc2RmaGprc2RoZmprc2hkZmtqaHNkZg==:`
 	}) });
-	const signatureInput = testRequest.headers.get("Signature-Input") || "";
-	const parsedInput = parseRfc9421SignatureInput(signatureInput);
+	const parsedInput = parseRfc9421SignatureInput(testRequest.headers.get("Signature-Input") || "");
 	assertExists(parsedInput.sig1);
 	assertEquals(parsedInput.sig1.keyId, "https://example.com/key");
 	assertEquals(parsedInput.sig1.alg, "rsa-v1_5-sha256");
@@ -677,12 +627,10 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			params: {}
 		}
 	]);
-	const signature = testRequest.headers.get("Signature") || "";
-	const parsedSig = parseRfc9421Signature(signature);
+	const parsedSig = parseRfc9421Signature(testRequest.headers.get("Signature") || "");
 	assertExists(parsedSig.sig1);
 	assert(new TextDecoder().decode(parsedSig.sig1).length > 0, "Signature base64 should decode to non-empty string");
-	const complexSignatureInput = "sig1=(\"@method\" \"@target-uri\" \"host\" \"content-type\" \"value with \\\"quotes\\\" and spaces\");keyid=\"https://example.com/key with spaces\";alg=\"rsa-v1_5-sha256\";created=1709626184";
-	const complexParsedInput = parseRfc9421SignatureInput(complexSignatureInput);
+	const complexParsedInput = parseRfc9421SignatureInput("sig1=(\"@method\" \"@target-uri\" \"host\" \"content-type\" \"value with \\\"quotes\\\" and spaces\");keyid=\"https://example.com/key with spaces\";alg=\"rsa-v1_5-sha256\";created=1709626184");
 	assertExists(complexParsedInput.sig1);
 	assertEquals(complexParsedInput.sig1.keyId, "https://example.com/key with spaces");
 	assertEquals(complexParsedInput.sig1.alg, "rsa-v1_5-sha256");
@@ -701,16 +649,13 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 	assertEquals(multiParsedInput.sig2.alg, "rsa-pss-sha512");
 	const multiParsedSig = parseRfc9421Signature(multiSigRequest.headers.get("Signature") || "");
 	assertEquals(Object.keys(multiParsedSig).length, 2, "Should parse multiple signature values");
-	const invalidInputFormat = "this is not a valid signature-input format";
-	const parsedInvalidInput = parseRfc9421SignatureInput(invalidInputFormat);
+	const parsedInvalidInput = parseRfc9421SignatureInput("this is not a valid signature-input format");
 	assertEquals(Object.keys(parsedInvalidInput).length, 0, "Should handle invalid Signature-Input format");
-	const invalidSigFormat = "this is not a valid signature format";
-	const parsedInvalidSig = parseRfc9421Signature(invalidSigFormat);
+	const parsedInvalidSig = parseRfc9421Signature("this is not a valid signature format");
 	assertEquals(Object.keys(parsedInvalidSig).length, 0, "Should handle invalid Signature format");
-	const invalidBase64Sig = "sig1=:!@#$%%^&*():";
-	const parsedInvalidBase64 = parseRfc9421Signature(invalidBase64Sig);
+	const parsedInvalidBase64 = parseRfc9421Signature("sig1=:!@#$%%^&*():");
 	assertEquals(Object.keys(parsedInvalidBase64).length, 0, "Should handle invalid base64 in signature");
-	const mixedRequest = new Request("https://example.com/api/resource", {
+	assertEquals(await verifyRequest(new Request("https://example.com/api/resource", {
 		method: "GET",
 		headers: new Headers({
 			"Accept": "application/json",
@@ -719,14 +664,12 @@ test("verifyRequest() [rfc9421] error cases and edge cases", async () => {
 			"Signature-Input": `${validSignatureInput},sig2=("@method" "@target-uri" "host" "date");keyid="https://example.com/invalid-key";alg="rsa-v1_5-sha256";created=${currentTimestamp}`,
 			"Signature": `${validSignature},sig2=:AAAAAA==:`
 		})
-	});
-	const mixedResult = await verifyRequest(mixedRequest, {
+	}), {
 		contextLoader: mockDocumentLoader,
 		documentLoader: mockDocumentLoader,
 		spec: "rfc9421",
 		currentTime: Temporal.Instant.from(`${(/* @__PURE__ */ new Date(currentTimestamp * 1e3)).toISOString()}`)
-	});
-	assertEquals(mixedResult, rsaPublicKey2, "Should verify when at least one signature is valid");
+	}), rsaPublicKey2, "Should verify when at least one signature is valid");
 });
 test("verifyRequest() [rfc9421] test vector from Mastodon", async () => {
 	const signedRequest = new Request("https://www.example.com/activitypub/success", {
@@ -789,14 +732,13 @@ test("doubleKnock() function with successful first attempt", async () => {
 	const logFunction = (req) => {
 		loggedRequest = req;
 	};
-	const response = await doubleKnock(request, {
+	assertEquals((await doubleKnock(request, {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
 	}, {
 		specDeterminer,
 		log: logFunction
-	});
-	assertEquals(response.status, 202, "Response status should be 202 Accepted");
+	})).status, 202, "Response status should be 202 Accepted");
 	assertEquals(requestCount, 1, "Only one request should have been made");
 	assertEquals(firstRequestSpec, "rfc9421", "First attempt should use RFC 9421");
 	assertEquals(specDeterminer.usedSpec, "rfc9421", "Spec should be remembered");
@@ -837,11 +779,10 @@ test("doubleKnock() function with fallback to draft-cavage", async () => {
 			this.rememberedSpec = spec;
 		}
 	};
-	const response = await doubleKnock(request, {
+	assertEquals((await doubleKnock(request, {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	}, { specDeterminer });
-	assertEquals(response.status, 202, "Response status should be 202 Accepted");
+	}, { specDeterminer })).status, 202, "Response status should be 202 Accepted");
 	assertEquals(requestCount, 2, "Two requests should have been made");
 	assertEquals(firstSpec, "rfc9421", "First attempt should use RFC 9421");
 	assertEquals(secondSpec, "draft-cavage-http-signatures-12", "Second attempt should use draft-cavage");
@@ -863,16 +804,14 @@ test("doubleKnock() function with redirect handling", async () => {
 		responseCodes.push(202);
 		return new Response("", { status: 202 });
 	});
-	const request = new Request("https://example.com/redirect-endpoint", {
+	assertEquals((await doubleKnock(new Request("https://example.com/redirect-endpoint", {
 		method: "POST",
 		body: "Test message that will be redirected",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202, "Final response status should be 202 Accepted");
+	})).status, 202, "Final response status should be 202 Accepted");
 	assertEquals(requestedUrls.length, 2, "Two URLs should have been requested");
 	assertEquals(requestedUrls[0], "https://example.com/redirect-endpoint", "First request should be to redirect-endpoint");
 	assertEquals(requestedUrls[1], "https://example.com/final-endpoint", "Second request should be to final-endpoint");
@@ -891,16 +830,14 @@ test("doubleKnock() function with both specs rejected", async () => {
 		else attempts.push("unknown");
 		return new Response("Unauthorized", { status: 401 });
 	});
-	const request = new Request("https://example.com/inbox-rejects-all", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-rejects-all", {
 		method: "POST",
 		body: "Test message that will be rejected regardless of signature format",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 401, "Final response status should be 401 Unauthorized");
+	})).status, 401, "Final response status should be 401 Unauthorized");
 	assertEquals(requestCount, 2, "Two requests should have been made");
 	assertEquals(attempts.length, 2, "Two signature attempts should have been made");
 	assertEquals(attempts[0], "rfc9421", "First attempt should use RFC 9421");
@@ -924,16 +861,14 @@ test("doubleKnock() function with specDeterminer choosing draft-cavage first", a
 		},
 		rememberSpec(_origin, _spec) {}
 	};
-	const request = new Request("https://example.com/inbox-accepts-any", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-accepts-any", {
 		method: "POST",
 		body: "Test message with draft-cavage preference",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	}, { specDeterminer });
-	assertEquals(response.status, 202, "Response status should be 202 Accepted");
+	}, { specDeterminer })).status, 202, "Response status should be 202 Accepted");
 	assertEquals(requestCount, 1, "Only one request should have been made");
 	assertEquals(firstSpec, "draft-cavage", "First attempt should use draft-cavage");
 	esm_default.hardReset();
@@ -981,6 +916,49 @@ test("doubleKnock() complex redirect chain test", async () => {
 	for (const loggedReq of logs) assert(loggedReq.headers.has("Signature-Input") || loggedReq.headers.has("Signature"), "Each request should be signed with either RFC 9421 or draft-cavage");
 	esm_default.hardReset();
 });
+test("doubleKnock() throws on too many redirects", async () => {
+	esm_default.spyGlobal();
+	let requestCount = 0;
+	esm_default.post("begin:https://example.com/too-many-redirects/", (cl) => {
+		requestCount++;
+		const index = Number(cl.url.split("/").at(-1));
+		return Response.redirect(`https://example.com/too-many-redirects/${index + 1}`, 302);
+	});
+	const request = new Request("https://example.com/too-many-redirects/0", {
+		method: "POST",
+		body: "Redirect loop",
+		headers: { "Content-Type": "text/plain" }
+	});
+	await assertRejects(() => doubleKnock(request, {
+		keyId: rsaPublicKey2.id,
+		privateKey: rsaPrivateKey2
+	}), Error, "Too many redirections");
+	assertEquals(requestCount, 21);
+	esm_default.hardReset();
+});
+test("doubleKnock() detects redirect loops", async () => {
+	esm_default.spyGlobal();
+	let requestCount = 0;
+	esm_default.post("https://example.com/redirect-loop-a", () => {
+		requestCount++;
+		return Response.redirect("https://example.com/redirect-loop-b", 302);
+	});
+	esm_default.post("https://example.com/redirect-loop-b", () => {
+		requestCount++;
+		return Response.redirect("https://example.com/redirect-loop-a", 302);
+	});
+	const request = new Request("https://example.com/redirect-loop-a", {
+		method: "POST",
+		body: "Redirect loop",
+		headers: { "Content-Type": "text/plain" }
+	});
+	await assertRejects(() => doubleKnock(request, {
+		keyId: rsaPublicKey2.id,
+		privateKey: rsaPrivateKey2
+	}), Error, "Redirect loop detected");
+	assertEquals(requestCount, 2);
+	esm_default.hardReset();
+});
 test("doubleKnock() async specDeterminer test", async () => {
 	esm_default.spyGlobal();
 	let requestCount = 0;
@@ -1001,25 +979,21 @@ test("doubleKnock() async specDeterminer test", async () => {
 			await new Promise((resolve) => setTimeout(resolve, 10));
 		}
 	};
-	const request = new Request("https://example.com/inbox-async-determiner", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-async-determiner", {
 		method: "POST",
 		body: "Test message with async spec determiner",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	}, { specDeterminer });
-	assertEquals(response.status, 202, "Response status should be 202 Accepted");
+	}, { specDeterminer })).status, 202, "Response status should be 202 Accepted");
 	assertEquals(requestCount, 1, "Only one request should have been made");
 	assertEquals(specUsed, "draft-cavage-http-signatures-12", "Should use spec from async determiner");
 	esm_default.hardReset();
 });
 test("timingSafeEqual()", async (t) => {
 	await t.step("should return true for equal empty arrays", () => {
-		const a = new Uint8Array([]);
-		const b = new Uint8Array([]);
-		assert(timingSafeEqual(a, b));
+		assert(timingSafeEqual(new Uint8Array([]), new Uint8Array([])));
 	});
 	await t.step("should return true for equal non-empty arrays", async (t2) => {
 		const testCases = [
@@ -1086,7 +1060,7 @@ test("timingSafeEqual()", async (t) => {
 		assert(timingSafeEqual(arr, arr), "Array should be equal to itself by reference");
 	});
 	await t.step("should return false for arrays with same length but different content", async (t2) => {
-		const testCases = [
+		for (const tc of [
 			{
 				a: [
 					1,
@@ -1144,13 +1118,12 @@ test("timingSafeEqual()", async (t) => {
 				],
 				name: "middle byte differs with edge values"
 			}
-		];
-		for (const tc of testCases) await t2.step(tc.name, () => {
+		]) await t2.step(tc.name, () => {
 			assertFalse(timingSafeEqual(new Uint8Array(tc.a), new Uint8Array(tc.b)));
 		});
 	});
 	await t.step("should return false for arrays with different lengths", async (t2) => {
-		const testCases = [
+		for (const tc of [
 			{
 				a: [
 					1,
@@ -1187,13 +1160,12 @@ test("timingSafeEqual()", async (t) => {
 				b: [],
 				name: "a non-empty, b empty"
 			}
-		];
-		for (const tc of testCases) await t2.step(tc.name, () => {
+		]) await t2.step(tc.name, () => {
 			assertFalse(timingSafeEqual(new Uint8Array(tc.a), new Uint8Array(tc.b)));
 		});
 	});
 	await t.step("should return false where content matches up to shorter length", async (t2) => {
-		const testCases = [
+		for (const tc of [
 			{
 				a: [1, 2],
 				b: [
@@ -1222,21 +1194,16 @@ test("timingSafeEqual()", async (t) => {
 				b: [0],
 				name: "two zeros vs single zero"
 			}
-		];
-		for (const tc of testCases) await t2.step(tc.name, () => {
+		]) await t2.step(tc.name, () => {
 			assertFalse(timingSafeEqual(new Uint8Array(tc.a), new Uint8Array(tc.b)));
 		});
 	});
 	await t.step("should correctly handle comparisons involving padding bytes", async (t2) => {
 		await t2.step("a=[1], b=[1,0] (b longer with trailing zero)", () => {
-			const a1 = new Uint8Array([1]);
-			const b1 = new Uint8Array([1, 0]);
-			assertFalse(timingSafeEqual(a1, b1));
+			assertFalse(timingSafeEqual(new Uint8Array([1]), new Uint8Array([1, 0])));
 		});
 		await t2.step("a=[1,0], b=[1] (a longer with trailing zero)", () => {
-			const a2 = new Uint8Array([1, 0]);
-			const b2 = new Uint8Array([1]);
-			assertFalse(timingSafeEqual(a2, b2));
+			assertFalse(timingSafeEqual(new Uint8Array([1, 0]), new Uint8Array([1])));
 		});
 	});
 });
@@ -1256,20 +1223,18 @@ test("signRequest() [rfc9421] error handling for invalid signature base creation
 	assertExists(signedRequest.headers.get("Signature"));
 });
 test("verifyRequest() [rfc9421] error handling for invalid signature base creation", async () => {
-	const request = new Request("https://example.com/test", {
+	assertEquals(await verifyRequest(new Request("https://example.com/test", {
 		method: "GET",
 		headers: {
 			"Accept": "application/json",
 			"Signature-Input": "sig1=(\"@unsupported\");alg=\"rsa-pss-sha256\";keyid=\"https://example.com/key2\";created=1234567890",
 			"Signature": "sig1=:invalid_signature_data:"
 		}
-	});
-	const result = await verifyRequest(request, {
+	}), {
 		spec: "rfc9421",
 		documentLoader: mockDocumentLoader,
 		contextLoader: mockDocumentLoader
-	});
-	assertEquals(result, null, "Verification should fail gracefully for malformed signature inputs");
+	}), null, "Verification should fail gracefully for malformed signature inputs");
 });
 test("doubleKnock() regression test for TypeError: unusable bug #294", async () => {
 	esm_default.spyGlobal();
@@ -1283,16 +1248,14 @@ test("doubleKnock() regression test for TypeError: unusable bug #294", async ()
 	esm_default.post("https://example.com/final-destination", () => {
 		return new Response("Success", { status: 200 });
 	});
-	const request = new Request("https://example.com/inbox-retry-redirect", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-retry-redirect", {
 		method: "POST",
 		body: "Test activity content",
 		headers: { "Content-Type": "application/activity+json" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 200);
+	})).status, 200);
 	assertEquals(requestCount, 2, "Should make 2 requests before redirect");
 	esm_default.hardReset();
 });
@@ -1307,16 +1270,14 @@ test("doubleKnock() regression test for redirect handling bug", async () => {
 	esm_default.post("https://example.com/final-destination", () => {
 		return new Response("Success", { status: 200 });
 	});
-	const request = new Request("https://example.com/inbox-retry-redirect", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-retry-redirect", {
 		method: "POST",
 		body: "Test activity content",
 		headers: { "Content-Type": "application/activity+json" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 200);
+	})).status, 200);
 	esm_default.hardReset();
 });
 test("signRequest() and verifyRequest() cancellation", {
@@ -1362,22 +1323,19 @@ test("signRequest() and verifyRequest() cancellation", {
 	esm_default.hardReset();
 });
 test("signRequest() with custom label", async () => {
-	const request = new Request("https://example.com/api", {
+	const signed = await signRequest(new Request("https://example.com/api", {
 		method: "POST",
 		body: "test",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const signed = await signRequest(request, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		rfc9421: { label: "mysig" }
 	});
-	const sigInput = signed.headers.get("Signature-Input");
-	assertStringIncludes(sigInput, "mysig=");
-	const sig = signed.headers.get("Signature");
-	assertStringIncludes(sig, "mysig=");
+	assertStringIncludes(signed.headers.get("Signature-Input"), "mysig=");
+	assertStringIncludes(signed.headers.get("Signature"), "mysig=");
 });
 test("signRequest() with custom components", async () => {
-	const request = new Request("https://example.com/api", {
+	const sigInput = (await signRequest(new Request("https://example.com/api", {
 		method: "POST",
 		body: "test",
 		headers: {
@@ -1385,8 +1343,7 @@ test("signRequest() with custom components", async () => {
 			"Host": "example.com",
 			"Date": "Tue, 05 Mar 2024 07:49:44 GMT"
 		}
-	});
-	const signed = await signRequest(request, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		rfc9421: { components: [
 			{
@@ -1402,29 +1359,26 @@ test("signRequest() with custom components", async () => {
 				params: {}
 			}
 		] }
-	});
-	const sigInput = signed.headers.get("Signature-Input");
+	})).headers.get("Signature-Input");
 	assertStringIncludes(sigInput, "\"@method\"");
 	assertStringIncludes(sigInput, "\"@target-uri\"");
 	assertStringIncludes(sigInput, "\"@authority\"");
 	assertStringIncludes(sigInput, "\"content-digest\"");
 });
 test("signRequest() with nonce and tag", async () => {
-	const request = new Request("https://example.com/api", {
+	const sigInput = (await signRequest(new Request("https://example.com/api", {
 		method: "GET",
 		headers: {
 			"Host": "example.com",
 			"Date": "Tue, 05 Mar 2024 07:49:44 GMT"
 		}
-	});
-	const signed = await signRequest(request, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		rfc9421: {
 			nonce: "test-nonce-123",
 			tag: "app-v1"
 		}
-	});
-	const sigInput = signed.headers.get("Signature-Input");
+	})).headers.get("Signature-Input");
 	assertStringIncludes(sigInput, "nonce=\"test-nonce-123\"");
 	assertStringIncludes(sigInput, "tag=\"app-v1\"");
 });
@@ -1434,26 +1388,22 @@ test("formatRfc9421SignatureParameters() escapes nonce and tag", () => {
 		keyId: new URL("https://example.com/key"),
 		created: 1709626184
 	};
-	const slashNonce = formatRfc9421SignatureParameters({
+	assertStringIncludes(formatRfc9421SignatureParameters({
 		...commonParams,
 		nonce: "x\\y"
-	});
-	assertStringIncludes(slashNonce, "nonce=\"x\\\\y\"");
-	const quoteNonce = formatRfc9421SignatureParameters({
+	}), "nonce=\"x\\\\y\"");
+	assertStringIncludes(formatRfc9421SignatureParameters({
 		...commonParams,
 		nonce: "a\"b"
-	});
-	assertStringIncludes(quoteNonce, "nonce=\"a\\\"b\"");
-	const slashTag = formatRfc9421SignatureParameters({
+	}), "nonce=\"a\\\"b\"");
+	assertStringIncludes(formatRfc9421SignatureParameters({
 		...commonParams,
 		tag: "x\\y"
-	});
-	assertStringIncludes(slashTag, "tag=\"x\\\\y\"");
-	const quoteTag = formatRfc9421SignatureParameters({
+	}), "tag=\"x\\\\y\"");
+	assertStringIncludes(formatRfc9421SignatureParameters({
 		...commonParams,
 		tag: "a\"b"
-	});
-	assertStringIncludes(quoteTag, "tag=\"a\\\"b\"");
+	}), "tag=\"a\\\"b\"");
 	const mixed = formatRfc9421SignatureParameters({
 		...commonParams,
 		nonce: "n\"o\\nce",
@@ -1463,12 +1413,11 @@ test("formatRfc9421SignatureParameters() escapes nonce and tag", () => {
 	assertStringIncludes(mixed, "tag=\"t\\\"ag\\\\value\"");
 });
 test("signRequest() [rfc9421] accumulates multiple signatures when called sequentially", async () => {
-	const request = new Request("https://example.com/inbox", {
+	const twiceSigned = await signRequest(await signRequest(new Request("https://example.com/inbox", {
 		method: "POST",
 		body: "Hello",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const onceSigned = await signRequest(request, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		rfc9421: {
 			label: "sig1",
@@ -1480,8 +1429,7 @@ test("signRequest() [rfc9421] accumulates multiple signatures when called sequen
 				params: {}
 			}]
 		}
-	});
-	const twiceSigned = await signRequest(onceSigned, rsaPrivateKey2, new URL("https://example.com/key2"), {
+	}), rsaPrivateKey2, new URL("https://example.com/key2"), {
 		spec: "rfc9421",
 		rfc9421: {
 			label: "sig2",
@@ -1508,20 +1456,17 @@ test("doubleKnock(): Accept-Signature challenge retry succeeds", async () => {
 			status: 401,
 			headers: { "Accept-Signature": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-digest\");created;nonce=\"challenge-nonce-1\"" }
 		});
-		const sigInput = req.headers.get("Signature-Input") ?? "";
-		if (sigInput.includes("challenge-nonce-1")) return new Response("", { status: 202 });
+		if ((req.headers.get("Signature-Input") ?? "").includes("challenge-nonce-1")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-challenge-ok", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-challenge-ok", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 2);
 	esm_default.hardReset();
 });
@@ -1538,16 +1483,14 @@ test("doubleKnock(): unfulfillable Accept-Signature falls to legacy fallback", a
 		if (req.headers.has("Signature") && !req.headers.has("Signature-Input")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-unfulfillable", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-unfulfillable", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 2);
 	esm_default.hardReset();
 });
@@ -1561,16 +1504,14 @@ test("doubleKnock(): no Accept-Signature falls to legacy fallback", async () =>
 		if (req.headers.has("Signature")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-no-challenge", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-no-challenge", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 2);
 	esm_default.hardReset();
 });
@@ -1588,16 +1529,14 @@ test("doubleKnock(): challenge retry also fails → legacy fallback attempted",
 		if (req.headers.has("Signature") && !req.headers.has("Signature-Input")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-challenge-fails", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-challenge-fails", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 3);
 	esm_default.hardReset();
 });
@@ -1618,16 +1557,14 @@ test("doubleKnock(): challenge retry returns another challenge → not followed"
 		if (req.headers.has("Signature") && !req.headers.has("Signature-Input")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-challenge-loop", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-challenge-loop", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 3);
 	esm_default.hardReset();
 });
@@ -1644,16 +1581,14 @@ test("doubleKnock(): Accept-Signature with unsupported component falls to legacy
 		if (req.headers.has("Signature") && !req.headers.has("Signature-Input")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-bad-challenge", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-bad-challenge", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 2);
 	esm_default.hardReset();
 });
@@ -1670,16 +1605,14 @@ test("doubleKnock(): Accept-Signature with unsupported derived component falls t
 		if (req.headers.has("Signature") && !req.headers.has("Signature-Input")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-bad-derived", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-bad-derived", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 2);
 	esm_default.hardReset();
 });
@@ -1696,16 +1629,14 @@ test("doubleKnock(): Accept-Signature with multiple entries where first throws f
 		if (req.headers.has("Signature-Input")) return new Response("", { status: 202 });
 		return new Response("Bad", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-multi-challenge", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-multi-challenge", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 2);
 	esm_default.hardReset();
 });
@@ -1724,18 +1655,16 @@ test("doubleKnock(): Accept-Signature with multiple compatible entries fulfills
 		if (sigInput.includes("sig1=") && sigInput.includes("sig2=") && sig.includes("sig1=") && sig.includes("sig2=")) return new Response("", { status: 202 });
 		return new Response("Missing signatures", { status: 400 });
 	});
-	const request = new Request("https://example.com/inbox-multi-compat", {
+	assertEquals((await doubleKnock(new Request("https://example.com/inbox-multi-compat", {
 		method: "POST",
 		body: "Test message",
 		headers: { "Content-Type": "text/plain" }
-	});
-	const response = await doubleKnock(request, {
+	}), {
 		keyId: rsaPublicKey2.id,
 		privateKey: rsaPrivateKey2
-	});
-	assertEquals(response.status, 202);
+	})).status, 202);
 	assertEquals(requestCount, 2);
 	esm_default.hardReset();
 });
-
-//#endregion
+//#endregion
+export {};