@fedify/fedify 2.3.0-dev.1099 → 2.3.0-dev.1114

package/dist/sig/key.test.mjs

@@ -2,11 +2,11 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
-import { t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import "../std__assert-BTEgfoJo.mjs";
+import { t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
-import { a as importJwk, i as generateCryptoKeyPair, n as fetchKey, o as validateCryptoKey, r as fetchKeyDetailed, t as exportJwk } from "../key-D9dUsyow.mjs";
-import { c as rsaPublicKey3, i as rsaPrivateKey2, o as rsaPublicKey1, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-C3kae-6B.mjs";
+import { a as importJwk, i as generateCryptoKeyPair, n as fetchKey, o as validateCryptoKey, r as fetchKeyDetailed, t as exportJwk } from "../key-B4I8H5Lc.mjs";
+import { c as rsaPublicKey3, i as rsaPrivateKey2, o as rsaPublicKey1, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-CSYsOMFG.mjs";
 import { CryptographicKey, Multikey } from "@fedify/vocab";
 import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { FetchError } from "@fedify/vocab-runtime";

package/dist/sig/ld.test.mjs

@@ -2,14 +2,14 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import { n as assertFalse, t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import { n as assertGreaterOrEqual, r as assertFalse, t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
 import { t as assert } from "../assert-DikXweDx.mjs";
-import { i as generateCryptoKeyPair } from "../key-D9dUsyow.mjs";
-import { a as rsaPrivateKey3, c as rsaPublicKey3, i as rsaPrivateKey2, n as ed25519PrivateKey, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-C3kae-6B.mjs";
-import { a as signJsonLd, i as hasSignatureLike, n as createSignature, o as verifyJsonLd, r as detachSignature, s as verifySignature, t as attachSignature } from "../ld-hbxDLO1k.mjs";
+import { i as generateCryptoKeyPair } from "../key-B4I8H5Lc.mjs";
+import { a as rsaPrivateKey3, c as rsaPublicKey3, i as rsaPrivateKey2, n as ed25519PrivateKey, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-CSYsOMFG.mjs";
+import { a as signJsonLd, i as hasSignatureLike, n as createSignature, o as verifyJsonLd, r as detachSignature, s as verifySignature, t as attachSignature } from "../ld-B5D5THhl.mjs";
 import { CryptographicKey } from "@fedify/vocab";
-import { mockDocumentLoader, test } from "@fedify/fixture";
+import { createTestMeterProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { encodeBase64 } from "byte-encodings/base64";
 //#region src/sig/ld.test.ts
 test("attachSignature()", () => {
@@ -249,5 +249,138 @@ test("verifyJsonLd()", async () => {
 		contextLoader: mockDocumentLoader
 	}));
 });
+test("verifyJsonLd() records verification duration metric", async (t) => {
+	await t.step("verified path records result=verified with bounded type", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyJsonLd(testVector, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		const m = measurements[0];
+		assertEquals(m.type, "histogram");
+		assertGreaterOrEqual(m.value, 0);
+		assertEquals(m.attributes["activitypub.signature.kind"], "linked_data");
+		assertEquals(m.attributes["activitypub.signature.result"], "verified");
+		assertEquals(m.attributes["ld_signatures.type"], "RsaSignature2017");
+	});
+	await t.step("missing signature records result=missing without type", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd(document, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "linked_data");
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "missing");
+		assertFalse("ld_signatures.type" in measurements[0].attributes);
+	});
+	await t.step("invalid signature records result=rejected", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd({
+			...testVector,
+			signature: {
+				...testVector.signature,
+				signatureValue: encodeBase64(new Uint8Array([
+					1,
+					2,
+					3,
+					4
+				]))
+			}
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertEquals(measurements[0].attributes["ld_signatures.type"], "RsaSignature2017");
+	});
+	await t.step("malformed (null) signature property records result=rejected, not missing", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd({
+			...document,
+			signature: null
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertFalse("ld_signatures.type" in measurements[0].attributes);
+	});
+	await t.step("key fetch records result=fetched on a cold cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyJsonLd(testVector, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertGreaterOrEqual(measurements[0].value, 0);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "linked_data");
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("missing signature emits no key_fetch measurement", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd(document, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		assertEquals(recorder.getMeasurements("activitypub.signature.key_fetch.duration").length, 0);
+	});
+	await t.step("cached-key retry emits two key_fetch measurements: hit then fetched", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyJsonLd(testVector, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				async get(keyId) {
+					return new CryptographicKey({
+						id: keyId,
+						owner: new URL("https://activitypub.academy/users/brauca_darradiul"),
+						publicKey: (await generateCryptoKeyPair("RSASSA-PKCS1-v1_5")).publicKey
+					});
+				},
+				set(_keyId, _key) {
+					return Promise.resolve();
+				}
+			}
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 2);
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "hit");
+		assertEquals(measurements[1].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("unknown signature type omits the ld_signatures.type metric attribute", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse(await verifyJsonLd({
+			...testVector,
+			signature: {
+				...testVector.signature,
+				type: "MadeUpSignature9999"
+			}
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertFalse("ld_signatures.type" in measurements[0].attributes);
+	});
+});
 //#endregion
 export {};

package/dist/sig/mod.cjs

@@ -1,8 +1,8 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_http = require("../http-W2u_KBoQ.cjs");
-const require_proof = require("../proof-CZCaAURh.cjs");
+const require_http = require("../http-CKCgOPkX.cjs");
+const require_proof = require("../proof-DIoqrKnX.cjs");
 exports.attachSignature = require_proof.attachSignature;
 exports.createProof = require_proof.createProof;
 exports.createSignature = require_proof.createSignature;

package/dist/sig/mod.d.cts

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "../http-C87EWkO0.cjs";
+import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "../http-D6aw3j2U.cjs";
 import { i as getKeyOwner, n as GetKeyOwnerOptions, r as doesActorOwnKey, t as DoesActorOwnKeyOptions } from "../owner-DEvZuyOE.cjs";
-import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "../mod-DXY9JF28.cjs";
+import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "../mod-BDhgfjP7.cjs";
 export { AcceptSignatureMember, AcceptSignatureParameters, CreateProofOptions, CreateSignatureOptions, DoesActorOwnKeyOptions, FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, FulfillAcceptSignatureResult, GetKeyOwnerOptions, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, Rfc9421SignRequestOptions, SignJsonLdOptions, SignObjectOptions, SignRequestOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, fetchKeyDetailed, formatAcceptSignature, fulfillAcceptSignature, generateCryptoKeyPair, getKeyOwner, hasProofLike, hasSignatureLike, importJwk, parseAcceptSignature, signJsonLd, signObject, signRequest, validateAcceptSignature, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifyRequestDetailed, verifySignature };

package/dist/sig/mod.d.ts

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "../http-BDZeS5om.js";
+import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "../http-D6LP89UO.js";
 import { i as getKeyOwner, n as GetKeyOwnerOptions, r as doesActorOwnKey, t as DoesActorOwnKeyOptions } from "../owner-CnngXDNJ.js";
-import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "../mod-DHO9lk3D.js";
+import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "../mod-B-Lin9Sy.js";
 export { AcceptSignatureMember, AcceptSignatureParameters, CreateProofOptions, CreateSignatureOptions, DoesActorOwnKeyOptions, FetchKeyDetailedResult, FetchKeyErrorResult, FetchKeyOptions, FetchKeyResult, FulfillAcceptSignatureResult, GetKeyOwnerOptions, HttpMessageSignaturesSpec, HttpMessageSignaturesSpecDeterminer, KeyCache, Rfc9421SignRequestOptions, SignJsonLdOptions, SignObjectOptions, SignRequestOptions, VerifyJsonLdOptions, VerifyObjectOptions, VerifyProofOptions, VerifyRequestDetailedResult, VerifyRequestFailureReason, VerifyRequestOptions, VerifySignatureOptions, attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, fetchKeyDetailed, formatAcceptSignature, fulfillAcceptSignature, generateCryptoKeyPair, getKeyOwner, hasProofLike, hasSignatureLike, importJwk, parseAcceptSignature, signJsonLd, signObject, signRequest, validateAcceptSignature, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifyRequestDetailed, verifySignature };

package/dist/sig/mod.js

@@ -1,5 +1,5 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { a as verifyRequestDetailed, c as fetchKeyDetailed, f as formatAcceptSignature, h as validateAcceptSignature, i as verifyRequest, l as generateCryptoKeyPair, m as parseAcceptSignature, o as exportJwk, p as fulfillAcceptSignature, r as signRequest, s as fetchKey, u as importJwk } from "../http-Dzy5c472.js";
-import { a as verifyProof, c as getKeyOwner, d as detachSignature, f as hasSignatureLike, h as verifySignature, i as verifyObject, l as attachSignature, m as verifyJsonLd, n as hasProofLike, p as signJsonLd, r as signObject, s as doesActorOwnKey, t as createProof, u as createSignature } from "../proof-DMJJZnKd.js";
+import { a as verifyRequestDetailed, b as parseAcceptSignature, c as fetchKeyDetailed, i as verifyRequest, l as generateCryptoKeyPair, o as exportJwk, r as signRequest, s as fetchKey, u as importJwk, v as formatAcceptSignature, x as validateAcceptSignature, y as fulfillAcceptSignature } from "../http-CpzZ9zsb.js";
+import { a as verifyProof, c as getKeyOwner, d as detachSignature, f as hasSignatureLike, h as verifySignature, i as verifyObject, l as attachSignature, m as verifyJsonLd, n as hasProofLike, p as signJsonLd, r as signObject, s as doesActorOwnKey, t as createProof, u as createSignature } from "../proof-Vd8-1EWh.js";
 export { attachSignature, createProof, createSignature, detachSignature, doesActorOwnKey, exportJwk, fetchKey, fetchKeyDetailed, formatAcceptSignature, fulfillAcceptSignature, generateCryptoKeyPair, getKeyOwner, hasProofLike, hasSignatureLike, importJwk, parseAcceptSignature, signJsonLd, signObject, signRequest, validateAcceptSignature, verifyJsonLd, verifyObject, verifyProof, verifyRequest, verifyRequestDetailed, verifySignature };

package/dist/sig/owner.test.mjs

@@ -2,11 +2,11 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
-import { n as assertFalse } from "../assert_rejects-B-qJtC9Z.mjs";
+import "../std__assert-BTEgfoJo.mjs";
+import { r as assertFalse } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assert } from "../assert-DikXweDx.mjs";
-import { o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-C3kae-6B.mjs";
-import { n as getKeyOwner, t as doesActorOwnKey } from "../owner-DwJe0BH9.mjs";
+import { o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-CSYsOMFG.mjs";
+import { n as getKeyOwner, t as doesActorOwnKey } from "../owner-DO810N24.mjs";
 import { Create, CryptographicKey, lookupObject } from "@fedify/vocab";
 import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 //#region src/sig/owner.test.ts

package/dist/sig/proof.test.mjs

@@ -2,15 +2,15 @@ import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
-import { n as assertFalse, t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import "../std__assert-BTEgfoJo.mjs";
+import { n as assertGreaterOrEqual, r as assertFalse, t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assertInstanceOf } from "../assert_instance_of-C4Ri6VuN.mjs";
 import { t as assert } from "../assert-DikXweDx.mjs";
-import { i as rsaPrivateKey2, n as ed25519PrivateKey, r as ed25519PublicKey, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-C3kae-6B.mjs";
-import { r as normalizeOutgoingActivityJsonLd } from "../outgoing-jsonld-BgFLCJQ_.mjs";
-import { a as verifyProof, i as verifyObject, n as hasProofLike, r as signObject, t as createProof } from "../proof-erpV_J_n.mjs";
+import { i as rsaPrivateKey2, n as ed25519PrivateKey, r as ed25519PublicKey, s as rsaPublicKey2, t as ed25519Multikey } from "../keys-CSYsOMFG.mjs";
+import { r as normalizeOutgoingActivityJsonLd } from "../outgoing-jsonld-BNL8AC14.mjs";
+import { a as verifyProof, i as verifyObject, n as hasProofLike, r as signObject, t as createProof } from "../proof-BgfyWv7b.mjs";
 import { Create, DataIntegrityProof, Document, Multikey, Note, PUBLIC_COLLECTION, Place } from "@fedify/vocab";
-import { mockDocumentLoader, test } from "@fedify/fixture";
+import { createTestMeterProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { decodeMultibase, importMultibaseKey } from "@fedify/vocab-runtime";
 import { decodeHex } from "byte-encodings/hex";
 //#region src/sig/proof.test.ts
@@ -326,6 +326,167 @@ test("verifyProof()", async () => {
 	}), null);
 	assertFalse(contextLoaderCalls.includes("https://attacker.example/ctx"));
 });
+test("verifyProof() records verification duration metric", async (t) => {
+	const jsonLd = {
+		"@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/data-integrity/v1"],
+		id: "https://server.example/activities/1",
+		type: "Create",
+		actor: "https://server.example/users/alice",
+		object: {
+			id: "https://server.example/objects/1",
+			type: "Note",
+			attributedTo: "https://server.example/users/alice",
+			content: "Hello world",
+			location: {
+				type: "Place",
+				longitude: -71.184902,
+				latitude: 25.273962
+			}
+		}
+	};
+	const proof = new DataIntegrityProof({
+		cryptosuite: "eddsa-jcs-2022",
+		verificationMethod: new URL("https://server.example/users/alice#ed25519-key"),
+		proofPurpose: "assertionMethod",
+		proofValue: decodeMultibase("zLaewdp4H9kqtwyrLatK4cjY5oRHwVcw4gibPSUDYDMhi4M49v8pcYk3ZB6D69dNpAPbUmY8ocuJ3m9KhKJEEg7z"),
+		created: Temporal.Instant.from("2023-02-24T23:36:38Z")
+	});
+	await t.step("verified path records result=verified with bounded cryptosuite", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyProof(jsonLd, proof, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}) != null);
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		const m = measurements[0];
+		assertEquals(m.type, "histogram");
+		assertGreaterOrEqual(m.value, 0);
+		assertEquals(m.attributes["activitypub.signature.kind"], "object_integrity");
+		assertEquals(m.attributes["activitypub.signature.result"], "verified");
+		assertEquals(m.attributes["object_integrity_proofs.cryptosuite"], "eddsa-jcs-2022");
+	});
+	await t.step("rejected path records result=rejected", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertEquals(await verifyProof({
+			...jsonLd,
+			object: {
+				...jsonLd.object,
+				content: "bye"
+			}
+		}, proof, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}), null);
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertEquals(measurements[0].attributes["object_integrity_proofs.cryptosuite"], "eddsa-jcs-2022");
+	});
+	await t.step("cached-key retry emits one measurement, not two", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const cache = { ["https://server.example/users/alice#ed25519-key"]: ed25519Multikey };
+		assert(await verifyProof(jsonLd, proof, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				get(id) {
+					return Promise.resolve(cache[id.href]);
+				},
+				set(id, k) {
+					cache[id.href] = k;
+					return Promise.resolve();
+				}
+			}
+		}) != null);
+		assertEquals(recorder.getMeasurements("activitypub.signature.verification.duration").length, 1);
+		const keyFetches = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(keyFetches.length, 2);
+		assertEquals(keyFetches[0].attributes["activitypub.signature.key_fetch.result"], "hit");
+		assertEquals(keyFetches[1].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("key fetch records result=fetched on a cold cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyProof(jsonLd, proof, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}) != null);
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertGreaterOrEqual(measurements[0].value, 0);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "object_integrity");
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("key fetch records result=hit when served from the key cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const cache = { "https://server.example/users/alice#ed25519-key": new Multikey({
+			id: new URL("https://server.example/users/alice#ed25519-key"),
+			controller: new URL("https://server.example/users/alice"),
+			publicKey: await importMultibaseKey("z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2")
+		}) };
+		assert(await verifyProof(jsonLd, proof, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				get(id) {
+					return Promise.resolve(cache[id.href]);
+				},
+				set(id, k) {
+					cache[id.href] = k;
+					return Promise.resolve();
+				}
+			}
+		}) != null);
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "hit");
+	});
+	await t.step("verifyObject() wrapper emits one measurement per inner verifyProof()", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert(await verifyObject(Create, {
+			...jsonLd,
+			proof: await proof.toJsonLd({
+				format: "compact",
+				contextLoader: mockDocumentLoader
+			})
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}) != null);
+		assertEquals(recorder.getMeasurements("activitypub.signature.verification.duration").length, 1);
+	});
+	await t.step("unknown cryptosuite omits the cryptosuite metric attribute", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const exoticProof = await DataIntegrityProof.fromJsonLd({
+			"@context": "https://w3id.org/security/data-integrity/v1",
+			type: "DataIntegrityProof",
+			cryptosuite: "made-up-suite-9999",
+			verificationMethod: "https://server.example/users/alice#ed25519-key",
+			proofPurpose: "assertionMethod",
+			proofValue: "zLaewdp4H9kqtwyrLatK4cjY5oRHwVcw4gibPSUDYDMhi4M49v8pcYk3ZB6D69dNpAPbUmY8ocuJ3m9KhKJEEg7z",
+			created: "2023-02-24T23:36:38Z"
+		}, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader
+		});
+		assertEquals(exoticProof.cryptosuite, "made-up-suite-9999");
+		assertEquals(await verifyProof(jsonLd, exoticProof, {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		}), null);
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertFalse("object_integrity_proofs.cryptosuite" in measurements[0].attributes);
+	});
+});
 test("verifyObject()", async () => {
 	const options = {
 		documentLoader: mockDocumentLoader,

package/dist/{std__assert-CRDpx_HF.mjs → std__assert-BTEgfoJo.mjs}

@@ -2,7 +2,7 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { l as AssertionError, s as format } from "./assert_equals-Ew3jOFa3.mjs";
-import "./assert_rejects-B-qJtC9Z.mjs";
+import "./assert_rejects-DQP-q39h.mjs";
 import "./assert_throws-4NwKEy2q.mjs";
 import "./assert_strict_equals-Dmjbg-bA.mjs";
 //#region ../../node_modules/.pnpm/@jsr+std__assert@0.226.0/node_modules/@jsr/std__assert/assert_exists.js
@@ -28,31 +28,6 @@ import "./assert_strict_equals-Dmjbg-bA.mjs";
 	}
 }
 //#endregion
-//#region ../../node_modules/.pnpm/@jsr+std__assert@0.226.0/node_modules/@jsr/std__assert/assert_greater_or_equal.js
-/**
-* Make an assertion that `actual` is greater than or equal to `expected`.
-* If not then throw.
-*
-* @example Usage
-* ```ts no-eval
-* import { assertGreaterOrEqual } from "@std/assert/assert-greater-or-equal";
-*
-* assertGreaterOrEqual(2, 1); // Doesn't throw
-* assertGreaterOrEqual(1, 1); // Doesn't throw
-* assertGreaterOrEqual(0, 1); // Throws
-* ```
-*
-* @typeParam T The type of the values to compare.
-* @param actual The actual value to compare.
-* @param expected The expected value to compare.
-* @param msg The optional message to display if the assertion fails.
-*/ function assertGreaterOrEqual(actual, expected, msg) {
-	if (actual >= expected) return;
-	const actualString = format(actual);
-	const expectedString = format(expected);
-	throw new AssertionError(msg ?? `Expect ${actualString} >= ${expectedString}`);
-}
-//#endregion
 //#region ../../node_modules/.pnpm/@jsr+std__assert@0.226.0/node_modules/@jsr/std__assert/assert_greater.js
 /**
 * Make an assertion that `actual` is greater than `expected`.
@@ -101,4 +76,4 @@ import "./assert_strict_equals-Dmjbg-bA.mjs";
 	}
 }
 //#endregion
-export { assertExists as i, assertGreater as n, assertGreaterOrEqual as r, assertStringIncludes as t };
+export { assertGreater as n, assertExists as r, assertStringIncludes as t };

package/dist/utils/docloader.test.mjs

@@ -2,12 +2,12 @@ import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
-import { t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import "../std__assert-BTEgfoJo.mjs";
+import { t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as esm_default } from "../esm-sdtqOUPu.mjs";
-import { l as verifyRequest } from "../http-5G18W3NP.mjs";
-import { i as rsaPrivateKey2 } from "../keys-C3kae-6B.mjs";
-import { t as getAuthenticatedDocumentLoader } from "../docloader-DA5FzJOR.mjs";
+import { l as verifyRequest } from "../http-BmOZYc-8.mjs";
+import { i as rsaPrivateKey2 } from "../keys-CSYsOMFG.mjs";
+import { t as getAuthenticatedDocumentLoader } from "../docloader-BENj6vQ4.mjs";
 import { mockDocumentLoader, test } from "@fedify/fixture";
 import { UrlError } from "@fedify/vocab-runtime";
 //#region src/utils/docloader.test.ts

package/dist/utils/kv-cache.test.mjs

@@ -1,7 +1,7 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as kvCache, t as MockKvStore } from "../kv-cache-CiiNwT6W.mjs";
+import { n as kvCache, t as MockKvStore } from "../kv-cache-DihufyAQ.mjs";
 import { deepStrictEqual, throws } from "node:assert";
 import { mockDocumentLoader, test } from "@fedify/fixture";
 import { preloadedContexts } from "@fedify/vocab-runtime";

package/dist/utils/mod.cjs

@@ -1,6 +1,6 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_kv_cache = require("../kv-cache-BygrlQ1c.cjs");
+const require_kv_cache = require("../kv-cache-DY-XWOqM.cjs");
 exports.getAuthenticatedDocumentLoader = require_kv_cache.getAuthenticatedDocumentLoader;
 exports.kvCache = require_kv_cache.kvCache;

package/dist/utils/mod.d.cts

@@ -1,3 +1,3 @@
 /// <reference lib="esnext.temporal" />
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../mod-B0rWmfW5.cjs";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../mod-BR_BB0bh.cjs";
 export { getAuthenticatedDocumentLoader, kvCache };

package/dist/utils/mod.d.ts

@@ -1,3 +1,3 @@
 /// <reference lib="esnext.temporal" />
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../mod-BhU_H1I_.js";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../mod-DLrRb0dx.js";
 export { getAuthenticatedDocumentLoader, kvCache };

package/dist/utils/mod.js

@@ -1,4 +1,4 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../kv-cache-CBSgxEsZ.js";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "../kv-cache-Wc5ezcVW.js";
 export { getAuthenticatedDocumentLoader, kvCache };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "2.3.0-dev.1099+fafcfa78",
+  "version": "2.3.0-dev.1114+15a3316d",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",
@@ -140,7 +140,7 @@
   },
   "dependencies": {
     "@js-temporal/polyfill": "^0.5.1",
-    "@logtape/logtape": "^2.0.7",
+    "@logtape/logtape": "^2.1.0",
     "@opentelemetry/api": "^1.9.1",
     "@opentelemetry/core": "^2.7.1",
     "@opentelemetry/sdk-trace-base": "^2.7.1",
@@ -153,9 +153,9 @@
     "uri-template-router": "^1.0.0",
     "url-template": "^3.1.1",
     "urlpattern-polyfill": "^10.1.0",
-    "@fedify/vocab": "2.3.0-dev.1099+fafcfa78",
-    "@fedify/webfinger": "2.3.0-dev.1099+fafcfa78",
-    "@fedify/vocab-runtime": "2.3.0-dev.1099+fafcfa78"
+    "@fedify/vocab": "2.3.0-dev.1114+15a3316d",
+    "@fedify/vocab-runtime": "2.3.0-dev.1114+15a3316d",
+    "@fedify/webfinger": "2.3.0-dev.1114+15a3316d"
   },
   "devDependencies": {
     "@opentelemetry/sdk-metrics": "2.7.1",
@@ -169,7 +169,7 @@
     "typescript": "^6.0.0",
     "wrangler": "^4.17.0",
     "@fedify/fixture": "2.0.0",
-    "@fedify/vocab-tools": "^2.3.0-dev.1099+fafcfa78"
+    "@fedify/vocab-tools": "^2.3.0-dev.1114+15a3316d"
   },
   "scripts": {
     "build:self": "tsdown",