@fedify/fedify 2.3.0-dev.1099 → 2.3.0-dev.1114

package/dist/{http-Dzy5c472.js → http-CpzZ9zsb.js}

@@ -2,7 +2,7 @@ import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
 import { getLogger } from "@logtape/logtape";
 import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
-import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
+import { SpanKind, SpanStatusCode, metrics, trace } from "@opentelemetry/api";
 import { encodeHex } from "byte-encodings/hex";
 import { Item, decodeDict, encodeDict, encodeItem } from "structured-field-values";
 import { FetchError, getDocumentLoader } from "@fedify/vocab-runtime";
@@ -10,7 +10,7 @@ import { ATTR_HTTP_REQUEST_HEADER, ATTR_HTTP_REQUEST_METHOD, ATTR_URL_FULL } fro
 import { decodeBase64, encodeBase64 } from "byte-encodings/base64";
 //#region deno.json
 var name = "@fedify/fedify";
-var version = "2.3.0-dev.1099+fafcfa78";
+var version = "2.3.0-dev.1114+15a3316d";
 //#endregion
 //#region src/sig/accept.ts
 /**
@@ -151,6 +151,314 @@ function fulfillAcceptSignature(entry, localKeyId, localAlg) {
 	};
 }
 //#endregion
+//#region src/federation/metrics.ts
+var FederationMetrics = class {
+	deliverySent;
+	deliveryPermanentFailure;
+	signatureVerificationFailure;
+	signatureVerificationDuration;
+	signatureKeyFetchDuration;
+	deliveryDuration;
+	inboxProcessingDuration;
+	httpServerRequestCount;
+	httpServerRequestDuration;
+	queueTaskEnqueued;
+	queueTaskStarted;
+	queueTaskCompleted;
+	queueTaskFailed;
+	queueTaskDuration;
+	queueTaskInFlight;
+	constructor(meterProvider) {
+		const meter = meterProvider.getMeter(name, version);
+		this.deliverySent = meter.createCounter("activitypub.delivery.sent", {
+			description: "ActivityPub delivery attempts.",
+			unit: "{attempt}"
+		});
+		this.deliveryPermanentFailure = meter.createCounter("activitypub.delivery.permanent_failure", {
+			description: "ActivityPub deliveries abandoned as permanent failures.",
+			unit: "{failure}"
+		});
+		this.signatureVerificationFailure = meter.createCounter("activitypub.signature.verification_failure", {
+			description: "ActivityPub signature verification failures.",
+			unit: "{failure}"
+		});
+		this.signatureVerificationDuration = meter.createHistogram("activitypub.signature.verification.duration", {
+			description: "Duration of ActivityPub signature verification, including local key lookup and remote key fetches.",
+			unit: "ms"
+		});
+		this.signatureKeyFetchDuration = meter.createHistogram("activitypub.signature.key_fetch.duration", {
+			description: "Duration of public key lookup performed during ActivityPub signature verification.",
+			unit: "ms"
+		});
+		this.deliveryDuration = meter.createHistogram("activitypub.delivery.duration", {
+			description: "Duration of ActivityPub delivery attempts.",
+			unit: "ms"
+		});
+		this.inboxProcessingDuration = meter.createHistogram("activitypub.inbox.processing_duration", {
+			description: "Duration of ActivityPub inbox listener processing.",
+			unit: "ms"
+		});
+		this.httpServerRequestCount = meter.createCounter("fedify.http.server.request.count", {
+			description: "HTTP requests handled by Federation.fetch().",
+			unit: "{request}"
+		});
+		this.httpServerRequestDuration = meter.createHistogram("fedify.http.server.request.duration", {
+			description: "Duration of HTTP requests handled by Federation.fetch().",
+			unit: "ms",
+			advice: { explicitBucketBoundaries: [
+				5,
+				10,
+				25,
+				50,
+				75,
+				100,
+				250,
+				500,
+				750,
+				1e3,
+				2500,
+				5e3,
+				7500,
+				1e4
+			] }
+		});
+		this.queueTaskEnqueued = meter.createCounter("fedify.queue.task.enqueued", {
+			description: "Tasks Fedify enqueued for inbox, outbox, or fanout work.",
+			unit: "{task}"
+		});
+		this.queueTaskStarted = meter.createCounter("fedify.queue.task.started", {
+			description: "Tasks Fedify began processing as a queue worker.",
+			unit: "{task}"
+		});
+		this.queueTaskCompleted = meter.createCounter("fedify.queue.task.completed", {
+			description: "Queue tasks Fedify finished processing without throwing.",
+			unit: "{task}"
+		});
+		this.queueTaskFailed = meter.createCounter("fedify.queue.task.failed", {
+			description: "Queue tasks Fedify abandoned because processing threw.",
+			unit: "{task}"
+		});
+		this.queueTaskDuration = meter.createHistogram("fedify.queue.task.duration", {
+			description: "Duration of queue task processing in Fedify workers.",
+			unit: "ms",
+			advice: { explicitBucketBoundaries: [
+				5,
+				10,
+				25,
+				50,
+				75,
+				100,
+				250,
+				500,
+				750,
+				1e3,
+				2500,
+				5e3,
+				7500,
+				1e4
+			] }
+		});
+		this.queueTaskInFlight = meter.createUpDownCounter("fedify.queue.task.in_flight", {
+			description: "Queue tasks currently being processed in this Fedify process.",
+			unit: "{task}"
+		});
+	}
+	recordDelivery(inbox, durationMs, success, activityType) {
+		const deliveryAttributes = {
+			"activitypub.remote.host": getRemoteHost(inbox),
+			"activitypub.delivery.success": success
+		};
+		if (activityType != null) deliveryAttributes["activitypub.activity.type"] = activityType;
+		this.deliverySent.add(1, deliveryAttributes);
+		this.deliveryDuration.record(durationMs, deliveryAttributes);
+	}
+	recordPermanentFailure(inbox, statusCode) {
+		this.deliveryPermanentFailure.add(1, {
+			"activitypub.remote.host": getRemoteHost(inbox),
+			"http.response.status_code": statusCode
+		});
+	}
+	recordSignatureVerificationFailure(reason, remoteHost) {
+		const attributes = { "activitypub.verification.failure_reason": reason };
+		if (remoteHost != null) attributes["activitypub.remote.host"] = remoteHost;
+		this.signatureVerificationFailure.add(1, attributes);
+	}
+	recordSignatureVerificationDuration(durationMs, kind, result, extra = {}) {
+		const attributes = {
+			"activitypub.signature.kind": kind,
+			"activitypub.signature.result": result
+		};
+		if (extra.algorithm != null) attributes["http_signatures.algorithm"] = extra.algorithm;
+		if (extra.failureReason != null) attributes["http_signatures.failure_reason"] = extra.failureReason;
+		if (extra.ldType != null) attributes["ld_signatures.type"] = extra.ldType;
+		if (extra.cryptosuite != null) attributes["object_integrity_proofs.cryptosuite"] = extra.cryptosuite;
+		this.signatureVerificationDuration.record(durationMs, attributes);
+	}
+	recordSignatureKeyFetchDuration(durationMs, kind, result) {
+		this.signatureKeyFetchDuration.record(durationMs, {
+			"activitypub.signature.kind": kind,
+			"activitypub.signature.key_fetch.result": result
+		});
+	}
+	recordInboxProcessingDuration(activityType, durationMs) {
+		this.inboxProcessingDuration.record(durationMs, { "activitypub.activity.type": activityType });
+	}
+	recordHttpServerRequest(method, endpoint, durationMs, options = {}) {
+		const attributes = {
+			"http.request.method": normalizeHttpMethod(method),
+			"fedify.endpoint": endpoint
+		};
+		if (options.statusCode != null) attributes["http.response.status_code"] = options.statusCode;
+		if (options.routeTemplate != null) attributes["fedify.route.template"] = options.routeTemplate;
+		this.httpServerRequestCount.add(1, attributes);
+		this.httpServerRequestDuration.record(durationMs, attributes);
+	}
+	recordQueueTaskEnqueued(common, attempt) {
+		const attributes = buildQueueTaskAttributes(common);
+		attributes["fedify.queue.task.attempt"] = attempt;
+		this.queueTaskEnqueued.add(1, attributes);
+	}
+	recordQueueTaskStarted(common) {
+		this.queueTaskStarted.add(1, buildQueueTaskAttributes(common));
+	}
+	incrementQueueTaskInFlight(common) {
+		this.queueTaskInFlight.add(1, buildQueueTaskInFlightAttributes(common));
+	}
+	decrementQueueTaskInFlight(common) {
+		this.queueTaskInFlight.add(-1, buildQueueTaskInFlightAttributes(common));
+	}
+	recordQueueTaskOutcome(common, result, durationMs) {
+		const attributes = buildQueueTaskAttributes(common);
+		attributes["fedify.queue.task.result"] = result;
+		if (result === "completed") this.queueTaskCompleted.add(1, attributes);
+		else if (result === "failed") this.queueTaskFailed.add(1, attributes);
+		this.queueTaskDuration.record(durationMs, attributes);
+	}
+};
+function buildQueueTaskAttributes(common) {
+	const attributes = { "fedify.queue.role": common.role };
+	const backend = getQueueBackend(common.queue);
+	if (backend != null) attributes["fedify.queue.backend"] = backend;
+	const nativeRetrial = common.queue?.nativeRetrial;
+	if (typeof nativeRetrial === "boolean") attributes["fedify.queue.native_retrial"] = nativeRetrial;
+	if (common.activityType != null) attributes["activitypub.activity.type"] = common.activityType;
+	return attributes;
+}
+function buildQueueTaskInFlightAttributes(common) {
+	return buildQueueTaskAttributes({
+		role: common.role,
+		queue: common.queue
+	});
+}
+/**
+* Returns the constructor name of the given message queue, when it is a
+* meaningful identifier.  Used as a best-effort `fedify.queue.backend`
+* attribute on queue task metrics; returns `undefined` for plain object
+* literals (whose constructor is `Object`) so the attribute does not appear
+* with a non-informative value.
+* @since 2.3.0
+*/
+function getQueueBackend(queue) {
+	const name = queue?.constructor?.name;
+	if (name == null || name === "" || name === "Object") return void 0;
+	return name;
+}
+/**
+* Records `fedify.queue.task.enqueued` for an outgoing outbox enqueue.
+*
+* Both `Context.sendActivity()` and `OutboxContext.forwardActivity()` enqueue
+* outbox messages with the same metric attributes (role, queue, activity
+* type, attempt), so they share this helper rather than each defining a local
+* closure.
+* @since 2.3.0
+*/
+function recordOutboxEnqueue(meterProvider, outboxQueue, message) {
+	getFederationMetrics(meterProvider).recordQueueTaskEnqueued({
+		role: "outbox",
+		queue: outboxQueue,
+		activityType: message.activityType
+	}, message.attempt);
+}
+/**
+* Times an awaited public key fetch and records exactly one
+* `activitypub.signature.key_fetch.duration` measurement, classifying the
+* outcome as `hit`, `fetched`, or `error` based on the `cached` flag and
+* whether the returned key is non-null.  Errors thrown by the fetch are
+* reported as `error` and rethrown, so verifier behavior is unchanged.
+*
+* Shared by the three signature verifiers (HTTP, Linked Data, Object
+* Integrity Proofs); the only per-call variation is the
+* `activitypub.signature.kind` attribute value.
+* @since 2.3.0
+*/
+async function measureSignatureKeyFetch(meterProvider, kind, fetch) {
+	const start = performance.now();
+	try {
+		const result = await fetch();
+		getFederationMetrics(meterProvider).recordSignatureKeyFetchDuration(getDurationMs(start), kind, result.key != null ? result.cached ? "hit" : "fetched" : "error");
+		return result;
+	} catch (error) {
+		getFederationMetrics(meterProvider).recordSignatureKeyFetchDuration(getDurationMs(start), kind, "error");
+		throw error;
+	}
+}
+/**
+* Whether the given thrown value is an `AbortError`.
+*
+* `processQueuedTask` distinguishes aborted tasks (recorded as
+* `fedify.queue.task.result=aborted`) from other failures so that backend
+* shutdown signals do not inflate the `fedify.queue.task.failed` counter.
+* @since 2.3.0
+*/
+function isAbortError$1(error) {
+	if (error == null || typeof error !== "object") return false;
+	const name = error.name;
+	return typeof name === "string" && name === "AbortError";
+}
+const KNOWN_HTTP_METHODS = new Set([
+	"CONNECT",
+	"DELETE",
+	"GET",
+	"HEAD",
+	"OPTIONS",
+	"PATCH",
+	"POST",
+	"PUT",
+	"QUERY",
+	"TRACE"
+]);
+function normalizeHttpMethod(method) {
+	const upper = method.toUpperCase();
+	return KNOWN_HTTP_METHODS.has(upper) ? upper : "_OTHER";
+}
+const federationMetrics = /* @__PURE__ */ new WeakMap();
+/**
+* Gets the cached Fedify metric instruments for a meter provider.
+* @since 2.3.0
+*/
+function getFederationMetrics(meterProvider = metrics.getMeterProvider()) {
+	let instruments = federationMetrics.get(meterProvider);
+	if (instruments == null) {
+		instruments = new FederationMetrics(meterProvider);
+		federationMetrics.set(meterProvider, instruments);
+	}
+	return instruments;
+}
+/**
+* Gets the bounded remote host attribute value for a URL.
+* @since 2.3.0
+*/
+function getRemoteHost(url) {
+	return url.hostname;
+}
+/**
+* Gets an elapsed duration in milliseconds from a `performance.now()` value.
+* @since 2.3.0
+*/
+function getDurationMs(start) {
+	return Math.max(0, performance.now() - start);
+}
+//#endregion
 //#region src/sig/key.ts
 /**
 * Checks if the given key is valid and supported.  No-op if the key is valid,
@@ -799,6 +1107,27 @@ function parseKeyId(value) {
 function getKeyFetchErrorName(error) {
 	return error.name || error.constructor.name || "Error";
 }
+/**
+* Known draft-cavage `algorithm` parameter values, used to keep the
+* `http_signatures.algorithm` metric attribute on a bounded set.  The header
+* field is attacker-controlled and not used to select the verification
+* algorithm, so unknown values are dropped from the metric to prevent
+* cardinality blow-up.
+*/
+const DRAFT_KNOWN_ALGORITHMS = new Set([
+	"ecdsa-sha256",
+	"ecdsa-sha384",
+	"ecdsa-sha512",
+	"ed25519",
+	"hs2019",
+	"rsa-sha1",
+	"rsa-sha256",
+	"rsa-sha512"
+]);
+function classifyHttpVerifyResult(result) {
+	if (result.verified) return "verified";
+	return result.reason.type === "noSignature" ? "missing" : "rejected";
+}
 function recordVerificationResult(span, result) {
 	span.setAttribute("http_signatures.verified", result.verified);
 	if (result.verified === true) return;
@@ -842,27 +1171,37 @@ async function verifyRequestDetailed(request, options = {}) {
 			span.setAttribute(ATTR_URL_FULL, request.url);
 			for (const [name, value] of request.headers) span.setAttribute(ATTR_HTTP_REQUEST_HEADER(name), value);
 		}
+		const start = performance.now();
+		const metricsContext = {};
+		let result;
+		let threw = false;
 		try {
 			let spec = options.spec;
 			if (spec == null) spec = request.headers.has("Signature-Input") ? "rfc9421" : "draft-cavage-http-signatures-12";
-			let result;
-			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, options);
-			else result = await verifyRequestDraft(request, span, options);
+			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, metricsContext, options);
+			else result = await verifyRequestDraft(request, span, metricsContext, options);
 			recordVerificationResult(span, result);
 			if (!result.verified) span.setStatus({ code: SpanStatusCode.ERROR });
 			return result;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : classifyHttpVerifyResult(result);
+			const failureReason = result != null && !result.verified && result.reason.type !== "noSignature" ? result.reason.type : void 0;
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "http", classified, {
+				algorithm: metricsContext.algorithm,
+				failureReason
+			});
 			span.end();
 		}
 	});
 }
-async function verifyRequestDraft(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
+async function verifyRequestDraft(request, span, metricsContext, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, meterProvider, tracerProvider } = {}) {
 	const logger = getLogger([
 		"fedify",
 		"sig",
@@ -1010,13 +1349,17 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 	const keyIdUrl = parseKeyId(keyId);
 	if (keyIdUrl == null) return invalidSignatureResult(null);
 	span?.setAttribute("http_signatures.key_id", keyId);
-	if ("algorithm" in sigValues) span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
-	const { key, cached, fetchError } = await fetchKeyDetailed(keyIdUrl, CryptographicKey, {
+	if ("algorithm" in sigValues) {
+		span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
+		const normalizedAlgorithm = sigValues.algorithm.toLowerCase();
+		if (DRAFT_KNOWN_ALGORITHMS.has(normalizedAlgorithm)) metricsContext.algorithm = normalizedAlgorithm;
+	}
+	const { key, cached, fetchError } = await measureSignatureKeyFetch(meterProvider, "http", () => fetchKeyDetailed(keyIdUrl, CryptographicKey, {
 		documentLoader,
 		contextLoader,
 		keyCache,
 		tracerProvider
-	});
+	}));
 	if (fetchError != null) return keyFetchErrorResult(keyIdUrl, fetchError);
 	if (key == null) return invalidSignatureResult(keyIdUrl);
 	const headerNames = headers.split(/\s+/g);
@@ -1038,7 +1381,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				signature,
 				message
 			});
-			return await verifyRequestDetailed(originalRequest, {
+			return await verifyRequestDraft(originalRequest, span, metricsContext, {
 				documentLoader,
 				contextLoader,
 				timeWindow,
@@ -1046,7 +1389,9 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				keyCache: {
 					get: () => Promise.resolve(void 0),
 					set: async (keyId, key) => await keyCache?.set(keyId, key)
-				}
+				},
+				meterProvider,
+				tracerProvider
 			});
 		}
 		logger.debug("Failed to verify with the fetched key {keyId}; signature {signature} is invalid.  Check if the key is correct or if the signed message is correct.  The message to sign is:\n{message}", {
@@ -1122,7 +1467,7 @@ async function verifyRfc9421ContentDigest(digestHeader, body) {
 	}
 	return false;
 }
-async function verifyRequestRfc9421(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
+async function verifyRequestRfc9421(request, span, metricsContext, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, meterProvider, tracerProvider } = {}) {
 	const logger = getLogger([
 		"fedify",
 		"sig",
@@ -1156,9 +1501,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		return invalidSignatureResult(null);
 	}
 	let failure = noSignatureResult();
+	let failureAlgorithm;
+	const setFailure = (result, algorithm) => {
+		failure = result;
+		failureAlgorithm = algorithm;
+	};
 	for (const sigName of signatureNames) {
 		if (!signatures[sigName]) {
-			failure = invalidSignatureResult(parseKeyId(signatureInputs[sigName]?.keyId));
+			setFailure(invalidSignatureResult(parseKeyId(signatureInputs[sigName]?.keyId)));
 			continue;
 		}
 		const sigInput = signatureInputs[sigName];
@@ -1169,7 +1519,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
-			failure = invalidSignatureResult(null);
+			setFailure(invalidSignatureResult(null));
 			continue;
 		}
 		if (!sigInput.created) {
@@ -1177,7 +1527,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		const signatureCreated = Temporal.Instant.fromEpochMilliseconds(sigInput.created * 1e3);
@@ -1189,14 +1539,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			} else if (Temporal.Instant.compare(signatureCreated, now.subtract(tw)) < 0) {
 				logger.debug("Failed to verify; signature created time is too far in the past.", {
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 		}
@@ -1204,34 +1554,34 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 			const contentDigestHeader = request.headers.get("Content-Digest");
 			if (!contentDigestHeader) {
 				logger.debug("Failed to verify; Content-Digest header required but not found.", { components: sigInput.components });
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 			if (!await verifyRfc9421ContentDigest(contentDigestHeader, await request.arrayBuffer())) {
 				logger.debug("Failed to verify; Content-Digest verification failed.", { contentDigest: contentDigestHeader });
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 		}
 		span?.setAttribute("http_signatures.key_id", sigInput.keyId);
 		span?.setAttribute("http_signatures.created", sigInput.created.toString());
 		if (keyId == null) {
-			failure = invalidSignatureResult(null);
+			setFailure(invalidSignatureResult(null));
 			continue;
 		}
-		const { key, cached, fetchError } = await fetchKeyDetailed(keyId, CryptographicKey, {
+		const { key, cached, fetchError } = await measureSignatureKeyFetch(meterProvider, "http", () => fetchKeyDetailed(keyId, CryptographicKey, {
 			documentLoader,
 			contextLoader,
 			keyCache,
 			tracerProvider
-		});
+		}));
 		if (fetchError != null) {
-			failure = keyFetchErrorResult(keyId, fetchError);
+			setFailure(keyFetchErrorResult(keyId, fetchError));
 			continue;
 		}
 		if (!key) {
 			logger.debug("Failed to fetch key: {keyId}", { keyId: sigInput.keyId });
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		let alg = sigInput.alg?.toLowerCase();
@@ -1243,12 +1593,13 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		}
 		if (alg) span?.setAttribute("http_signatures.algorithm", alg);
 		const algorithm = alg && rfc9421AlgorithmMap[alg];
+		const candidateAlgorithm = algorithm ? alg : void 0;
 		if (!algorithm) {
 			logger.debug("Failed to verify; unsupported algorithm: {algorithm}", {
 				algorithm: sigInput.alg,
 				supported: Object.keys(rfc9421AlgorithmMap)
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		let signatureBase;
@@ -1259,20 +1610,22 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				error,
 				signatureInput: sigInput
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 			continue;
 		}
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", encodeHex(sigBytes));
 		try {
-			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) return {
-				verified: true,
-				key,
-				signatureLabel: sigName
-			};
-			else if (cached) {
+			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) {
+				metricsContext.algorithm = candidateAlgorithm;
+				return {
+					verified: true,
+					key,
+					signatureLabel: sigName
+				};
+			} else if (cached) {
 				logger.debug("Failed to verify with cached key {keyId}; retrying with fresh key...", { keyId: sigInput.keyId });
-				return await verifyRequestDetailed(originalRequest, {
+				return await verifyRequestRfc9421(originalRequest, span, metricsContext, {
 					documentLoader,
 					contextLoader,
 					timeWindow,
@@ -1281,14 +1634,16 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 						get: () => Promise.resolve(void 0),
 						set: async (keyId, key) => await keyCache?.set(keyId, key)
 					},
-					spec: "rfc9421"
+					spec: "rfc9421",
+					meterProvider,
+					tracerProvider
 				});
 			} else {
 				logger.debug("Failed to verify signature with fetched key {keyId}; signature invalid.", {
 					keyId: sigInput.keyId,
 					signatureBase
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 			}
 		} catch (error) {
 			logger.debug("Error during signature verification: {error}", {
@@ -1296,9 +1651,10 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				keyId: sigInput.keyId,
 				algorithm: sigInput.alg
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 		}
 	}
+	metricsContext.algorithm = failureAlgorithm;
 	return failure;
 }
 /**
@@ -1520,4 +1876,4 @@ function timingSafeEqual(a, b) {
 	return result === 0;
 }
 //#endregion
-export { version as _, verifyRequestDetailed as a, fetchKeyDetailed as c, validateCryptoKey as d, formatAcceptSignature as f, name as g, validateAcceptSignature as h, verifyRequest as i, generateCryptoKeyPair as l, parseAcceptSignature as m, parseRfc9421SignatureInput as n, exportJwk as o, fulfillAcceptSignature as p, signRequest as r, fetchKey as s, doubleKnock as t, importJwk as u };
+export { version as C, name as S, recordOutboxEnqueue as _, verifyRequestDetailed as a, parseAcceptSignature as b, fetchKeyDetailed as c, validateCryptoKey as d, getDurationMs as f, measureSignatureKeyFetch as g, isAbortError$1 as h, verifyRequest as i, generateCryptoKeyPair as l, getRemoteHost as m, parseRfc9421SignatureInput as n, exportJwk as o, getFederationMetrics as p, signRequest as r, fetchKey as s, doubleKnock as t, importJwk as u, formatAcceptSignature as v, validateAcceptSignature as x, fulfillAcceptSignature as y };

package/dist/{http-BDZeS5om.d.ts → http-D6LP89UO.d.ts}

@@ -1,6 +1,6 @@
 /// <reference lib="esnext.temporal" />
 import { CryptographicKey, Multikey } from "@fedify/vocab";
-import { TracerProvider } from "@opentelemetry/api";
+import { MeterProvider, TracerProvider } from "@opentelemetry/api";
 import { DocumentLoader } from "@fedify/vocab-runtime";
 
 //#region src/sig/key.d.ts
@@ -464,6 +464,12 @@ interface VerifyRequestOptions {
   * @since 1.3.0
   */
   tracerProvider?: TracerProvider;
+  /**
+  * The OpenTelemetry meter provider.  If omitted, the global meter provider
+  * is used.
+  * @since 2.3.0
+  */
+  meterProvider?: MeterProvider;
 }
 /**
 * The reason why {@link verifyRequestDetailed} could not verify a request.

package/dist/{http-C87EWkO0.d.cts → http-D6aw3j2U.d.cts}

@@ -1,7 +1,7 @@
 /// <reference lib="esnext.temporal" />
 import { CryptographicKey, Multikey } from "@fedify/vocab";
 import { DocumentLoader } from "@fedify/vocab-runtime";
-import { TracerProvider } from "@opentelemetry/api";
+import { MeterProvider, TracerProvider } from "@opentelemetry/api";
 
 //#region src/sig/key.d.ts
 /**
@@ -464,6 +464,12 @@ interface VerifyRequestOptions {
   * @since 1.3.0
   */
   tracerProvider?: TracerProvider;
+  /**
+  * The OpenTelemetry meter provider.  If omitted, the global meter provider
+  * is used.
+  * @since 2.3.0
+  */
+  meterProvider?: MeterProvider;
 }
 /**
 * The reason why {@link verifyRequestDetailed} could not verify a request.

package/dist/{key-D9dUsyow.mjs → key-B4I8H5Lc.mjs}

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-DBabeupC.mjs";
+import { n as version, t as name } from "./deno-CF3jMgip.mjs";
 import { getLogger } from "@logtape/logtape";
 import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";

package/dist/{kv-cache-BygrlQ1c.cjs → kv-cache-DY-XWOqM.cjs}

@@ -1,7 +1,7 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 require("./chunk-DDcVe30Y.cjs");
-const require_http = require("./http-W2u_KBoQ.cjs");
+const require_http = require("./http-CKCgOPkX.cjs");
 let _logtape_logtape = require("@logtape/logtape");
 let es_toolkit = require("es-toolkit");
 let _fedify_vocab_runtime = require("@fedify/vocab-runtime");