@fedify/fedify 2.2.3-dev.1098 → 2.2.3

package/dist/mod.d.ts

@@ -2,10 +2,10 @@
 import { a as InboundService, c as OutboundService, d as Software, f as Usage, i as parseNodeInfo, l as Protocol, n as ParseNodeInfoOptions, o as JsonValue, p as nodeInfoToJson, r as getNodeInfo, s as NodeInfo, t as GetNodeInfoOptions, u as Services } from "./client-CSddvgWN.js";
 import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "./http-BDZeS5om.js";
 import { i as getKeyOwner, n as GetKeyOwnerOptions, r as doesActorOwnKey, t as DoesActorOwnKeyOptions } from "./owner-CnngXDNJ.js";
-import { $ as ActorAliasMapper, A as FederationKvPrefixes, B as Router, C as IdempotencyKeyCallback, Ct as SendActivityError, D as ObjectCallbackSetters, Dt as digest, E as InboxListenerSetters, Et as buildCollectionSynchronizationHeader, F as RetryContext, G as respondWithObject, H as RouterOptions, I as RetryPolicy, J as InProcessMessageQueueOptions, K as respondWithObjectIfAcceptable, L as createExponentialBackoffPolicy, M as FederationQueueOptions, N as createFederation, O as OutboxListenerSetters, Ot as ActivityTransformer, P as CreateExponentialBackoffPolicyOptions, Q as ParallelMessageQueue, R as Message, S as FederationStartQueueOptions, St as WebFingerLinksDispatcher, T as InboxChallengePolicy, Tt as PageItems, U as RouterRouteResult, V as RouterError, W as RespondWithObjectOptions, X as MessageQueueEnqueueOptions, Y as MessageQueue, Z as MessageQueueListenOptions, _ as Federatable, _t as OutboxListenerErrorHandler, a as GetSignedKeyOptions, at as CollectionCursor, b as FederationFetchOptions, bt as UnverifiedActivityHandler, c as ParseUriResult, ct as CustomCollectionCursor, d as SendActivityOptions, dt as InboxListener, et as ActorDispatcher, f as SendActivityOptionsForCollection, ft as NodeInfoDispatcher, g as CustomCollectionCallbackSetters, gt as OutboxListener, h as ConstructorWithTypeId, ht as OutboxErrorHandler, i as GetActorOptions, it as CollectionCounter, j as FederationOrigin, k as Rfc6570Expression, l as RequestContext, lt as CustomCollectionDispatcher, m as CollectionCallbackSetters, mt as ObjectDispatcher, n as Context, nt as ActorKeyPairsDispatcher, o as InboxContext, ot as CollectionDispatcher, p as ActorCallbackSetters, pt as ObjectAuthorizePredicate, q as InProcessMessageQueue, r as ForwardActivityOptions, rt as AuthorizePredicate, s as OutboxContext, st as CustomCollectionCounter, t as ActorKeyPair, tt as ActorHandleMapper, u as RouteActivityOptions, ut as InboxErrorHandler, v as Federation, vt as OutboxPermanentFailureHandler, w as IdempotencyStrategy, wt as SenderKeyPair, x as FederationOptions, xt as UnverifiedActivityReason, y as FederationBuilder, yt as SharedInboxKeyDispatcher, z as createFederationBuilder } from "./context-BPMgyX7m.js";
+import { $ as ActorAliasMapper, A as FederationKvPrefixes, B as Router, C as IdempotencyKeyCallback, Ct as SendActivityError, D as ObjectCallbackSetters, Dt as digest, E as InboxListenerSetters, Et as buildCollectionSynchronizationHeader, F as RetryContext, G as respondWithObject, H as RouterOptions, I as RetryPolicy, J as InProcessMessageQueueOptions, K as respondWithObjectIfAcceptable, L as createExponentialBackoffPolicy, M as FederationQueueOptions, N as createFederation, O as OutboxListenerSetters, Ot as ActivityTransformer, P as CreateExponentialBackoffPolicyOptions, Q as ParallelMessageQueue, R as Message, S as FederationStartQueueOptions, St as WebFingerLinksDispatcher, T as InboxChallengePolicy, Tt as PageItems, U as RouterRouteResult, V as RouterError, W as RespondWithObjectOptions, X as MessageQueueEnqueueOptions, Y as MessageQueue, Z as MessageQueueListenOptions, _ as Federatable, _t as OutboxListenerErrorHandler, a as GetSignedKeyOptions, at as CollectionCursor, b as FederationFetchOptions, bt as UnverifiedActivityHandler, c as ParseUriResult, ct as CustomCollectionCursor, d as SendActivityOptions, dt as InboxListener, et as ActorDispatcher, f as SendActivityOptionsForCollection, ft as NodeInfoDispatcher, g as CustomCollectionCallbackSetters, gt as OutboxListener, h as ConstructorWithTypeId, ht as OutboxErrorHandler, i as GetActorOptions, it as CollectionCounter, j as FederationOrigin, k as Rfc6570Expression, l as RequestContext, lt as CustomCollectionDispatcher, m as CollectionCallbackSetters, mt as ObjectDispatcher, n as Context, nt as ActorKeyPairsDispatcher, o as InboxContext, ot as CollectionDispatcher, p as ActorCallbackSetters, pt as ObjectAuthorizePredicate, q as InProcessMessageQueue, r as ForwardActivityOptions, rt as AuthorizePredicate, s as OutboxContext, st as CustomCollectionCounter, t as ActorKeyPair, tt as ActorHandleMapper, u as RouteActivityOptions, ut as InboxErrorHandler, v as Federation, vt as OutboxPermanentFailureHandler, w as IdempotencyStrategy, wt as SenderKeyPair, x as FederationOptions, xt as UnverifiedActivityReason, y as FederationBuilder, yt as SharedInboxKeyDispatcher, z as createFederationBuilder } from "./context-BU-1O90h.js";
 import { a as MemoryKvStore, i as KvStoreSetOptions, n as KvStore, r as KvStoreListEntry, t as KvKey } from "./kv-D6hNiMTK.js";
 import { actorDehydrator, autoIdAssigner, getDefaultActivityTransformers } from "./compat/mod.js";
-import { n as handleWebFinger, t as WebFingerHandlerParameters } from "./mod-CNAHY39V.js";
+import { n as handleWebFinger, t as WebFingerHandlerParameters } from "./mod-BVt6iTmH.js";
 import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "./mod-DHO9lk3D.js";
 import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./mod-BhU_H1I_.js";
 export * from "@fedify/vocab-runtime";

package/dist/mod.js

@@ -3,11 +3,11 @@ import { URLPattern } from "urlpattern-polyfill";
 import "./chunk-CRNNMoPX.js";
 import { n as autoIdAssigner, r as getDefaultActivityTransformers, t as actorDehydrator } from "./transformers-BGMIq1cs.js";
 import "./compat/mod.js";
-import { a as verifyRequestDetailed, c as fetchKeyDetailed, f as formatAcceptSignature, h as validateAcceptSignature, i as verifyRequest, l as generateCryptoKeyPair, m as parseAcceptSignature, o as exportJwk, p as fulfillAcceptSignature, r as signRequest, s as fetchKey, u as importJwk } from "./http-D8qsXrUS.js";
-import { a as createExponentialBackoffPolicy, c as buildCollectionSynchronizationHeader, d as Router, f as RouterError, i as SendActivityError, l as digest, o as respondWithObject, r as handleWebFinger, s as respondWithObjectIfAcceptable, t as createFederation, u as createFederationBuilder } from "./middleware-gXlDLkok.js";
-import { a as verifyProof, c as getKeyOwner, d as detachSignature, f as hasSignatureLike, h as verifySignature, i as verifyObject, l as attachSignature, m as verifyJsonLd, n as hasProofLike, p as signJsonLd, r as signObject, s as doesActorOwnKey, t as createProof, u as createSignature } from "./proof-z93OkIov.js";
+import { a as verifyRequestDetailed, c as fetchKeyDetailed, f as formatAcceptSignature, h as validateAcceptSignature, i as verifyRequest, l as generateCryptoKeyPair, m as parseAcceptSignature, o as exportJwk, p as fulfillAcceptSignature, r as signRequest, s as fetchKey, u as importJwk } from "./http-BPPaA2uz.js";
+import { a as createExponentialBackoffPolicy, c as buildCollectionSynchronizationHeader, d as Router, f as RouterError, i as SendActivityError, l as digest, o as respondWithObject, r as handleWebFinger, s as respondWithObjectIfAcceptable, t as createFederation, u as createFederationBuilder } from "./middleware-Ar1QOOPG.js";
+import { C as verifySignature, S as verifyJsonLd, _ as hasSignatureLike, a as verifyProof, b as signJsonLd, c as getKeyOwner, d as attachSignature, i as verifyObject, m as detachSignature, n as hasProofLike, p as createSignature, r as signObject, s as doesActorOwnKey, t as createProof } from "./proof-SQ4cQs3A.js";
 import { n as getNodeInfo, r as parseNodeInfo, t as nodeInfoToJson } from "./types-CAY3OdLq.js";
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./kv-cache-D_eVhctK.js";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./kv-cache-C4DGZ_t4.js";
 import { InProcessMessageQueue, MemoryKvStore, ParallelMessageQueue } from "./federation/mod.js";
 import "./nodeinfo/mod.js";
 import "./runtime/mod.js";

package/dist/nodeinfo/handler.test.mjs

@@ -5,7 +5,7 @@ import { r as createRequestContext } from "../context-Dk_tacqz.mjs";
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
 import "../std__assert-CRDpx_HF.mjs";
 import { t as MemoryKvStore } from "../kv-rV3vodCc.mjs";
-import { _ as handleNodeInfoJrd, g as handleNodeInfo, o as createFederation } from "../middleware-2gmMVy8b.mjs";
+import { _ as handleNodeInfoJrd, g as handleNodeInfo, o as createFederation } from "../middleware-D9k0Knum.mjs";
 import { test } from "@fedify/fixture";
 //#region src/nodeinfo/handler.test.ts
 test("handleNodeInfo()", async () => {

package/dist/{owner-DBSV2TSl.mjs → owner-DRHNR5YO.mjs}

@@ -1,8 +1,8 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-CziVFvS6.mjs";
-import "./key-D3TgMhcs.mjs";
+import { n as version, t as name } from "./deno-DMg4SgCb.mjs";
+import "./key-BAQuZEU1.mjs";
 import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 import { getDocumentLoader } from "@fedify/vocab-runtime";

package/dist/{proof-tz91vdtN.mjs → proof-DLhLRv3m.mjs}

@@ -1,8 +1,8 @@
 import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-CziVFvS6.mjs";
-import { n as fetchKey, o as validateCryptoKey } from "./key-D3TgMhcs.mjs";
+import { n as version, t as name } from "./deno-DMg4SgCb.mjs";
+import { n as fetchKey, o as validateCryptoKey } from "./key-BAQuZEU1.mjs";
 import { n as preloadedOnlyDocumentLoader } from "./public-audience-DYFHzm_c.mjs";
 import { r as normalizeOutgoingActivityJsonLd } from "./outgoing-jsonld-CNmZLixq.mjs";
 import { Activity, DataIntegrityProof, Multikey, getTypeId } from "@fedify/vocab";

package/dist/{proof-CZDkoeWG.cjs → proof-DfrItHmh.cjs}

@@ -1,7 +1,7 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 const require_chunk = require("./chunk-DDcVe30Y.cjs");
-const require_http = require("./http-kPc328Pc.cjs");
+const require_http = require("./http-Cl0Q2bUO.cjs");
 let _logtape_logtape = require("@logtape/logtape");
 let _fedify_vocab = require("@fedify/vocab");
 let _opentelemetry_api = require("@opentelemetry/api");
@@ -18,6 +18,288 @@ const logger$3 = (0, _logtape_logtape.getLogger)([
 	"sig",
 	"ld"
 ]);
+const localContext = [
+	"https://w3id.org/identity/v1",
+	"https://www.w3.org/ns/activitystreams",
+	"https://w3id.org/security/v1",
+	"https://w3id.org/security/data-integrity/v1"
+];
+const localContextUrls = new Set(localContext);
+const builtInContextLoader = (0, _fedify_vocab_runtime.getDocumentLoader)();
+const disallowedJsonLdKeywords = new Set([
+	"@graph",
+	"@included",
+	"@reverse"
+]);
+/** @internal */
+var UnsafeJsonLdError = class extends TypeError {
+	constructor(keyword) {
+		super(`Unsupported JSON-LD keyword: ${keyword}.`);
+		this.keyword = keyword;
+		this.name = "UnsafeJsonLdError";
+	}
+};
+/** @internal */
+var InvalidContextReferenceError = class extends TypeError {
+	constructor(reference) {
+		super(`Invalid JSON-LD context reference: ${reference}.`);
+		this.reference = reference;
+		this.name = "InvalidContextReferenceError";
+	}
+};
+function createLoadingRemoteContextFailedError(reference, cause) {
+	const message = cause instanceof Error ? cause.message : String(cause);
+	const error = /* @__PURE__ */ new Error(`Dereferencing a URL did not result in a valid JSON-LD context: ${reference}. ${message}`);
+	error.name = "jsonld.InvalidUrl";
+	error.details = {
+		code: "loading remote context failed",
+		url: reference
+	};
+	error.cause = cause;
+	return error;
+}
+/** @internal */
+function isClearlyMalformedContextReference(reference) {
+	for (const char of reference) {
+		const code = char.charCodeAt(0);
+		if (code <= 32 || code === 127) return true;
+	}
+	if (/^[A-Za-z][A-Za-z0-9+.-]*:/.test(reference) && !URL.canParse(reference)) return true;
+	for (let i = 0; i < reference.length; i++) {
+		if (reference[i] !== "%") continue;
+		if (i + 2 >= reference.length || !/[0-9A-Fa-f]/.test(reference[i + 1]) || !/[0-9A-Fa-f]/.test(reference[i + 2])) return true;
+		i += 2;
+	}
+	if (reference.startsWith("./") || reference.startsWith("../") || reference.startsWith("/") || reference.startsWith("//")) {
+		for (const char of reference) if ("[]<>\"\\^`{|}".includes(char)) return true;
+	}
+	return false;
+}
+function cloneRemoteDocument(remoteDocument) {
+	return structuredClone(remoteDocument);
+}
+function createMemoizedDocumentLoader(documentLoader) {
+	const cache = /* @__PURE__ */ new Map();
+	return async (url, options) => {
+		const cacheKey = URL.canParse(url) ? new URL(url).href : url;
+		let remoteDocument = cache.get(cacheKey);
+		if (remoteDocument == null) {
+			remoteDocument = Promise.resolve(documentLoader(url, options)).then(cloneRemoteDocument);
+			remoteDocument.catch(() => {
+				if (cache.get(cacheKey) === remoteDocument) cache.delete(cacheKey);
+			});
+			cache.set(cacheKey, remoteDocument);
+		}
+		return cloneRemoteDocument(await remoteDocument);
+	};
+}
+/** @internal */
+function wrapContextLoaderForJsonLd(contextLoader) {
+	const loader = contextLoader ?? builtInContextLoader;
+	return async (url, options) => {
+		try {
+			return await loader(url, options);
+		} catch (error) {
+			if (!isInvalidUrlTypeError(error)) throw error;
+			if (isClearlyMalformedContextReference(url)) throw new InvalidContextReferenceError(url);
+			throw createLoadingRemoteContextFailedError(url, error);
+		}
+	};
+}
+/** @internal */
+function getNormalizationContextLoader(contextLoader) {
+	const loader = wrapContextLoaderForJsonLd(contextLoader);
+	return createMemoizedDocumentLoader(async (url, options) => {
+		if (URL.canParse(url)) {
+			const normalizedUrl = new URL(url).href;
+			if (localContextUrls.has(normalizedUrl)) return await builtInContextLoader(normalizedUrl, options);
+		}
+		return await loader(url, options);
+	});
+}
+/** @internal */
+async function compactJsonLd(jsonLd, contextLoader) {
+	const hasLds = typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd;
+	const signature = hasLds ? jsonLd.signature : void 0;
+	const normalizationContextLoader = getNormalizationContextLoader(contextLoader);
+	const document = hasLds ? detachSignature(jsonLd) : jsonLd;
+	await assertNoGraphBeforeCompaction(document, normalizationContextLoader);
+	const compacted = await _fedify_vocab_runtime_jsonld.default.compact(document, localContext, { documentLoader: normalizationContextLoader });
+	if (hasLds && typeof compacted === "object" && compacted != null) compacted.signature = signature;
+	assertSafeJsonLd(compacted);
+	return compacted;
+}
+function createInvalidRemoteContextError(reference) {
+	const error = /* @__PURE__ */ new Error(`Dereferencing a URL did not result in a JSON object. The response was valid JSON, but it was not a JSON object. URL: "${reference}".`);
+	error.name = "jsonld.InvalidUrl";
+	error.details = {
+		code: "invalid remote context",
+		url: reference
+	};
+	return error;
+}
+function getRemoteContext(remoteDocument, reference) {
+	const { contextUrl, documentUrl } = remoteDocument;
+	let { document } = remoteDocument;
+	if (typeof document === "string") document = JSON.parse(document);
+	if (typeof document !== "object" || document == null || Array.isArray(document)) throw createInvalidRemoteContextError(reference);
+	let context = "@context" in document ? document["@context"] : {};
+	if (contextUrl != null) context = Array.isArray(context) ? [...context, contextUrl] : [context, contextUrl];
+	return {
+		context,
+		baseUrl: documentUrl ?? reference
+	};
+}
+function createGraphAliasContextState() {
+	return {
+		graphTerms: /* @__PURE__ */ new Set(),
+		jsonTerms: /* @__PURE__ */ new Set(),
+		propertyContexts: /* @__PURE__ */ new Map(),
+		termTargets: /* @__PURE__ */ new Map()
+	};
+}
+function cloneGraphAliasContextState(state) {
+	return {
+		graphTerms: new Set(state.graphTerms),
+		jsonTerms: new Set(state.jsonTerms),
+		propertyContexts: new Map(state.propertyContexts),
+		termTargets: new Map(state.termTargets)
+	};
+}
+function resolveContextTarget(target, state) {
+	if (target === "@graph") return target;
+	const mapped = state.termTargets.get(target);
+	if (mapped == null) return target;
+	return mapped;
+}
+function getDirectContextTarget(definition) {
+	if (definition === null) return null;
+	if (typeof definition === "string") return definition;
+	if (typeof definition === "object" && definition != null && "@id" in definition) {
+		const id = definition["@id"];
+		if (id === null) return null;
+		if (typeof id === "string") return id;
+	}
+}
+function isJsonTypedDefinition(definition) {
+	return typeof definition === "object" && definition != null && "@type" in definition && definition["@type"] === "@json";
+}
+function resolveLocalContextTarget(target, state, localTargets, seen = /* @__PURE__ */ new Set()) {
+	if (target === "@graph") return target;
+	if (seen.has(target)) return target;
+	seen.add(target);
+	if (localTargets.has(target)) {
+		const localTarget = localTargets.get(target);
+		return localTarget == null ? target : resolveLocalContextTarget(localTarget, state, localTargets, seen);
+	}
+	return resolveContextTarget(target, state);
+}
+function refreshGraphAliases(state) {
+	state.graphTerms.clear();
+	for (const [term, target] of state.termTargets) if (target === "@graph") state.graphTerms.add(term);
+}
+function normalizeContextReference(reference, baseUrl) {
+	if (baseUrl != null) return new URL(reference, baseUrl).href;
+	return URL.canParse(reference) ? new URL(reference).href : reference;
+}
+/** @internal */
+function isInvalidUrlTypeError(error) {
+	const code = error.code;
+	return error instanceof TypeError && (code === "ERR_INVALID_URL" || /^Invalid URL(?::|$)/.test(error.message) || / cannot be parsed as a URL\.?$/.test(error.message));
+}
+async function applyGraphAliasContext(state, context, documentLoader, remoteContextCache, baseUrl = null, processingContexts = /* @__PURE__ */ new Set()) {
+	if (context === null) return createGraphAliasContextState();
+	let nextState = cloneGraphAliasContextState(state);
+	if (Array.isArray(context)) {
+		for (const item of context) nextState = await applyGraphAliasContext(nextState, item, documentLoader, remoteContextCache, baseUrl, processingContexts);
+		return nextState;
+	}
+	if (typeof context === "string") {
+		const reference = normalizeContextReference(context, baseUrl);
+		const cacheKey = `${baseUrl ?? ""}\n${reference}`;
+		if (processingContexts.has(cacheKey)) return nextState;
+		processingContexts.add(cacheKey);
+		try {
+			let remoteContext = remoteContextCache.get(cacheKey);
+			if (remoteContext == null) {
+				remoteContext = (async () => {
+					try {
+						return getRemoteContext(await documentLoader(reference), reference);
+					} catch (error) {
+						if (reference === context && isInvalidUrlTypeError(error) && isClearlyMalformedContextReference(context)) throw new InvalidContextReferenceError(context);
+						throw error;
+					}
+				})();
+				remoteContextCache.set(cacheKey, remoteContext);
+			}
+			const loadedRemoteContext = await remoteContext;
+			return await applyGraphAliasContext(nextState, loadedRemoteContext.context, documentLoader, remoteContextCache, loadedRemoteContext.baseUrl, processingContexts);
+		} finally {
+			processingContexts.delete(cacheKey);
+		}
+	}
+	if (typeof context === "object" && context != null) {
+		if ("@import" in context && typeof context["@import"] === "string") nextState = await applyGraphAliasContext(nextState, context["@import"], documentLoader, remoteContextCache, baseUrl, processingContexts);
+		const localTargets = /* @__PURE__ */ new Map();
+		for (const [term, definition] of globalThis.Object.entries(context)) {
+			if (term.startsWith("@")) continue;
+			const target = getDirectContextTarget(definition);
+			if (target == null) localTargets.set(term, null);
+			else if (typeof target === "string") localTargets.set(term, target);
+			else localTargets.delete(term);
+		}
+		for (const [term, definition] of globalThis.Object.entries(context)) {
+			if (term.startsWith("@")) continue;
+			if (localTargets.has(term)) {
+				const directTarget = localTargets.get(term);
+				if (directTarget == null) nextState.termTargets.set(term, null);
+				else nextState.termTargets.set(term, resolveLocalContextTarget(directTarget, nextState, localTargets));
+			} else nextState.termTargets.delete(term);
+			if (typeof definition === "object" && definition != null && "@context" in definition) nextState.propertyContexts.set(term, {
+				context: definition["@context"],
+				baseUrl
+			});
+			else nextState.propertyContexts.delete(term);
+			if (isJsonTypedDefinition(definition)) nextState.jsonTerms.add(term);
+			else nextState.jsonTerms.delete(term);
+		}
+		refreshGraphAliases(nextState);
+	}
+	return nextState;
+}
+async function assertNoGraphBeforeCompaction(jsonLd, documentLoader, inheritedState = createGraphAliasContextState(), propertyContext, remoteContextCache = /* @__PURE__ */ new Map()) {
+	if (Array.isArray(jsonLd)) {
+		for (const item of jsonLd) await assertNoGraphBeforeCompaction(item, documentLoader, inheritedState, propertyContext, remoteContextCache);
+		return;
+	}
+	if (typeof jsonLd !== "object" || jsonLd == null) return;
+	const jsonLiteralWrapper = isJsonLiteralWrapper(jsonLd);
+	let state = inheritedState;
+	if (propertyContext !== void 0) state = await applyGraphAliasContext(state, propertyContext.context, documentLoader, remoteContextCache, propertyContext.baseUrl);
+	if ("@context" in jsonLd) state = await applyGraphAliasContext(state, jsonLd["@context"], documentLoader, remoteContextCache);
+	for (const [key, value] of globalThis.Object.entries(jsonLd)) {
+		if (key === "@context") continue;
+		if (jsonLiteralWrapper && key === "@value") continue;
+		if (key === "@graph" || state.graphTerms.has(key)) throw new UnsafeJsonLdError("@graph");
+		if (state.jsonTerms.has(key)) continue;
+		await assertNoGraphBeforeCompaction(value, documentLoader, state, state.propertyContexts.get(key), remoteContextCache);
+	}
+}
+function isJsonLiteralWrapper(value) {
+	return "@value" in value && (value["@type"] === "@json" || value.type === "@json");
+}
+/** @internal */
+function assertSafeJsonLd(jsonLd) {
+	if (Array.isArray(jsonLd)) for (const item of jsonLd) assertSafeJsonLd(item);
+	else if (typeof jsonLd === "object" && jsonLd != null) {
+		const jsonLiteralWrapper = isJsonLiteralWrapper(jsonLd);
+		for (const [key, value] of globalThis.Object.entries(jsonLd)) {
+			if (disallowedJsonLdKeywords.has(key)) throw new UnsafeJsonLdError(key);
+			if (jsonLiteralWrapper && key === "@value") continue;
+			assertSafeJsonLd(value);
+		}
+	}
+}
 /**
 * Attaches a LD signature to the given JSON-LD document.
 * @param jsonLd The JSON-LD document to attach the signature to.  It is not
@@ -234,9 +516,21 @@ async function verifySignature(jsonLd, options = {}) {
 * @returns `true` if the document is authentic; `false` otherwise.
 */
 async function verifyJsonLd(jsonLd, options = {}) {
+	return await verifyJsonLdInternal(jsonLd, options, true);
+}
+/** @internal */
+async function verifyCompactJsonLd(jsonLd, options = {}) {
+	return await verifyJsonLdInternal(jsonLd, options, false);
+}
+async function verifyJsonLdInternal(jsonLd, options, compact) {
 	return await (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(require_http.name, require_http.version).startActiveSpan("ld_signatures.verify", async (span) => {
 		try {
-			const object = await _fedify_vocab.Object.fromJsonLd(jsonLd, options);
+			const verificationOptions = hasSignature(jsonLd) ? {
+				...options,
+				contextLoader: getNormalizationContextLoader(options.contextLoader)
+			} : options;
+			const compacted = compact ? hasSignature(jsonLd) ? await compactJsonLd(jsonLd, options.contextLoader) : jsonLd : jsonLd;
+			const object = await _fedify_vocab.Object.fromJsonLd(compacted, verificationOptions);
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
 			span.setAttribute("activitypub.object.type", (0, _fedify_vocab.getTypeId)(object).href);
 			if (typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd && typeof jsonLd.signature === "object" && jsonLd.signature != null) {
@@ -246,7 +540,7 @@ async function verifyJsonLd(jsonLd, options = {}) {
 			}
 			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
 			if (object instanceof _fedify_vocab.Activity) for (const uri of object.actorIds) attributions.add(uri.href);
-			const key = await verifySignature(jsonLd, options);
+			const key = await verifySignature(compacted, verificationOptions);
 			if (key == null) return false;
 			if (key.ownerId == null) {
 				logger$3.debug("Key {keyId} has no owner.", { keyId: key.id?.href });
@@ -1041,12 +1335,30 @@ async function verifyObject(cls, jsonLd, options = {}) {
 	return object;
 }
 //#endregion
+Object.defineProperty(exports, "InvalidContextReferenceError", {
+	enumerable: true,
+	get: function() {
+		return InvalidContextReferenceError;
+	}
+});
+Object.defineProperty(exports, "assertSafeJsonLd", {
+	enumerable: true,
+	get: function() {
+		return assertSafeJsonLd;
+	}
+});
 Object.defineProperty(exports, "attachSignature", {
 	enumerable: true,
 	get: function() {
 		return attachSignature;
 	}
 });
+Object.defineProperty(exports, "compactJsonLd", {
+	enumerable: true,
+	get: function() {
+		return compactJsonLd;
+	}
+});
 Object.defineProperty(exports, "createProof", {
 	enumerable: true,
 	get: function() {
@@ -1077,18 +1389,42 @@ Object.defineProperty(exports, "getKeyOwner", {
 		return getKeyOwner;
 	}
 });
+Object.defineProperty(exports, "getNormalizationContextLoader", {
+	enumerable: true,
+	get: function() {
+		return getNormalizationContextLoader;
+	}
+});
 Object.defineProperty(exports, "hasProofLike", {
 	enumerable: true,
 	get: function() {
 		return hasProofLike;
 	}
 });
+Object.defineProperty(exports, "hasSignature", {
+	enumerable: true,
+	get: function() {
+		return hasSignature;
+	}
+});
 Object.defineProperty(exports, "hasSignatureLike", {
 	enumerable: true,
 	get: function() {
 		return hasSignatureLike;
 	}
 });
+Object.defineProperty(exports, "isClearlyMalformedContextReference", {
+	enumerable: true,
+	get: function() {
+		return isClearlyMalformedContextReference;
+	}
+});
+Object.defineProperty(exports, "isInvalidUrlTypeError", {
+	enumerable: true,
+	get: function() {
+		return isInvalidUrlTypeError;
+	}
+});
 Object.defineProperty(exports, "normalizeOutgoingActivityJsonLd", {
 	enumerable: true,
 	get: function() {
@@ -1107,6 +1443,12 @@ Object.defineProperty(exports, "signObject", {
 		return signObject;
 	}
 });
+Object.defineProperty(exports, "verifyCompactJsonLd", {
+	enumerable: true,
+	get: function() {
+		return verifyCompactJsonLd;
+	}
+});
 Object.defineProperty(exports, "verifyJsonLd", {
 	enumerable: true,
 	get: function() {
@@ -1131,3 +1473,9 @@ Object.defineProperty(exports, "verifySignature", {
 		return verifySignature;
 	}
 });
+Object.defineProperty(exports, "wrapContextLoaderForJsonLd", {
+	enumerable: true,
+	get: function() {
+		return wrapContextLoaderForJsonLd;
+	}
+});