@fedify/fedify 2.3.0-dev.1099 → 2.3.0-dev.1114

package/dist/{mod-DHO9lk3D.d.ts → mod-BDhgfjP7.d.cts}

@@ -1,8 +1,8 @@
 /// <reference lib="esnext.temporal" />
-import { S as KeyCache } from "./http-BDZeS5om.js";
+import { S as KeyCache } from "./http-D6aw3j2U.cjs";
 import { CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1 } from "@fedify/vocab";
-import { TracerProvider } from "@opentelemetry/api";
 import { DocumentLoader } from "@fedify/vocab-runtime";
+import { MeterProvider, TracerProvider } from "@opentelemetry/api";
 
 //#region src/sig/ld.d.ts
 /**
@@ -127,9 +127,26 @@ interface VerifySignatureOptions {
   * @since 1.3.0
   */
   tracerProvider?: TracerProvider;
+  /**
+  * The OpenTelemetry meter provider.  If omitted, the global meter provider
+  * is used.
+  * @since 2.3.0
+  */
+  meterProvider?: MeterProvider;
 }
 /**
 * Verifies Linked Data Signatures of the given JSON-LD document.
+*
+* This is a low-level utility that only checks the cryptographic signature
+* and (optionally) the cached key.  It does not run the JSON-LD parsing,
+* attribution, and owner checks that a complete inbound LD verification
+* needs.  For incoming activities, prefer {@link verifyJsonLd}, which is
+* the public verification entry point and the one that emits the
+* `activitypub.signature.verification.duration` metric for the LD path.
+* `verifySignature` itself only emits
+* `activitypub.signature.key_fetch.duration`, since the rest of the work
+* that the verification-duration metric is meant to cover happens in
+* `verifyJsonLd`.
 * @param jsonLd The JSON-LD document to verify.
 * @param options Options for verifying the signature.
 * @returns The public key that signed the document or `null` if the signature
@@ -246,6 +263,12 @@ interface VerifyProofOptions {
   * @since 1.3.0
   */
   tracerProvider?: TracerProvider;
+  /**
+  * The OpenTelemetry meter provider.  If omitted, the global meter provider
+  * is used.
+  * @since 2.3.0
+  */
+  meterProvider?: MeterProvider;
 }
 /**
 * Verifies the given proof for the object.

package/dist/{mod-B0rWmfW5.d.cts → mod-BR_BB0bh.d.cts}

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { n as HttpMessageSignaturesSpecDeterminer } from "./http-C87EWkO0.cjs";
+import { n as HttpMessageSignaturesSpecDeterminer } from "./http-D6aw3j2U.cjs";
 import { n as KvStore, t as KvKey } from "./kv-gJ8LYbxX.cjs";
 import { DocumentLoader, DocumentLoaderFactoryOptions } from "@fedify/vocab-runtime";
 import { TracerProvider } from "@opentelemetry/api";

package/dist/{mod-Dx3-hqyo.d.ts → mod-C6E8rkcz.d.ts}

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { Ct as WebFingerLinksDispatcher, et as ActorAliasMapper, l as RequestContext, nt as ActorHandleMapper, tt as ActorDispatcher } from "./context-Dqgt8saU.js";
+import { Ct as WebFingerLinksDispatcher, et as ActorAliasMapper, l as RequestContext, nt as ActorHandleMapper, tt as ActorDispatcher } from "./context-cSUMk2da.js";
 import { Span, Tracer } from "@opentelemetry/api";
 
 //#region src/federation/webfinger.d.ts

package/dist/{mod-BhU_H1I_.d.ts → mod-DLrRb0dx.d.ts}

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { n as HttpMessageSignaturesSpecDeterminer } from "./http-BDZeS5om.js";
+import { n as HttpMessageSignaturesSpecDeterminer } from "./http-D6LP89UO.js";
 import { n as KvStore, t as KvKey } from "./kv-D6hNiMTK.js";
 import { TracerProvider } from "@opentelemetry/api";
 import { DocumentLoader, DocumentLoaderFactoryOptions } from "@fedify/vocab-runtime";

package/dist/{mod-CLPnQPsv.d.cts → mod-P9tE2WmM.d.cts}

@@ -1,5 +1,5 @@
 /// <reference lib="esnext.temporal" />
-import { Ct as WebFingerLinksDispatcher, et as ActorAliasMapper, l as RequestContext, nt as ActorHandleMapper, tt as ActorDispatcher } from "./context-C0C_sRha.cjs";
+import { Ct as WebFingerLinksDispatcher, et as ActorAliasMapper, l as RequestContext, nt as ActorHandleMapper, tt as ActorDispatcher } from "./context-Ch-ZLyTQ.cjs";
 import { Span, Tracer } from "@opentelemetry/api";
 
 //#region src/federation/webfinger.d.ts

package/dist/mod.cjs

@@ -4,11 +4,11 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 require("./chunk-DDcVe30Y.cjs");
 const require_transformers = require("./transformers-NeAONrAq.cjs");
 require("./compat/mod.cjs");
-const require_http = require("./http-W2u_KBoQ.cjs");
-const require_middleware = require("./middleware-Caj827xW.cjs");
-const require_proof = require("./proof-CZCaAURh.cjs");
+const require_http = require("./http-CKCgOPkX.cjs");
+const require_middleware = require("./middleware-EqTYPG4F.cjs");
+const require_proof = require("./proof-DIoqrKnX.cjs");
 const require_types = require("./types-KC4QAoxe.cjs");
-const require_kv_cache = require("./kv-cache-BygrlQ1c.cjs");
+const require_kv_cache = require("./kv-cache-DY-XWOqM.cjs");
 const require_federation_mod = require("./federation/mod.cjs");
 require("./nodeinfo/mod.cjs");
 require("./runtime/mod.cjs");

package/dist/mod.d.cts

@@ -1,13 +1,13 @@
 /// <reference lib="esnext.temporal" />
 import { a as InboundService, c as OutboundService, d as Software, f as Usage, i as parseNodeInfo, l as Protocol, n as ParseNodeInfoOptions, o as JsonValue, p as nodeInfoToJson, r as getNodeInfo, s as NodeInfo, t as GetNodeInfoOptions, u as Services } from "./client-CAM_bQXx.cjs";
-import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "./http-C87EWkO0.cjs";
+import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "./http-D6aw3j2U.cjs";
 import { i as getKeyOwner, n as GetKeyOwnerOptions, r as doesActorOwnKey, t as DoesActorOwnKeyOptions } from "./owner-DEvZuyOE.cjs";
-import { $ as ParallelMessageQueue, A as FederationKvPrefixes, B as Router, C as IdempotencyKeyCallback, Ct as WebFingerLinksDispatcher, D as ObjectCallbackSetters, Dt as buildCollectionSynchronizationHeader, E as InboxListenerSetters, Et as PageItems, F as RetryContext, G as respondWithObject, H as RouterOptions, I as RetryPolicy, J as InProcessMessageQueueOptions, K as respondWithObjectIfAcceptable, L as createExponentialBackoffPolicy, M as FederationQueueOptions, N as createFederation, O as OutboxListenerSetters, Ot as digest, P as CreateExponentialBackoffPolicyOptions, Q as MessageQueueListenOptions, R as Message, S as FederationStartQueueOptions, St as UnverifiedActivityReason, T as InboxChallengePolicy, Tt as SenderKeyPair, U as RouterRouteResult, V as RouterError, W as RespondWithObjectOptions, X as MessageQueueDepth, Y as MessageQueue, Z as MessageQueueEnqueueOptions, _ as Federatable, _t as OutboxListener, a as GetSignedKeyOptions, at as CollectionCounter, b as FederationFetchOptions, bt as SharedInboxKeyDispatcher, c as ParseUriResult, ct as CustomCollectionCounter, d as SendActivityOptions, dt as InboxErrorHandler, et as ActorAliasMapper, f as SendActivityOptionsForCollection, ft as InboxListener, g as CustomCollectionCallbackSetters, gt as OutboxErrorHandler, h as ConstructorWithTypeId, ht as ObjectDispatcher, i as GetActorOptions, it as AuthorizePredicate, j as FederationOrigin, k as Rfc6570Expression, kt as ActivityTransformer, l as RequestContext, lt as CustomCollectionCursor, m as CollectionCallbackSetters, mt as ObjectAuthorizePredicate, n as Context, nt as ActorHandleMapper, o as InboxContext, ot as CollectionCursor, p as ActorCallbackSetters, pt as NodeInfoDispatcher, q as InProcessMessageQueue, r as ForwardActivityOptions, rt as ActorKeyPairsDispatcher, s as OutboxContext, st as CollectionDispatcher, t as ActorKeyPair, tt as ActorDispatcher, u as RouteActivityOptions, ut as CustomCollectionDispatcher, v as Federation, vt as OutboxListenerErrorHandler, w as IdempotencyStrategy, wt as SendActivityError, x as FederationOptions, xt as UnverifiedActivityHandler, y as FederationBuilder, yt as OutboxPermanentFailureHandler, z as createFederationBuilder } from "./context-C0C_sRha.cjs";
+import { $ as ParallelMessageQueue, A as FederationKvPrefixes, B as Router, C as IdempotencyKeyCallback, Ct as WebFingerLinksDispatcher, D as ObjectCallbackSetters, Dt as buildCollectionSynchronizationHeader, E as InboxListenerSetters, Et as PageItems, F as RetryContext, G as respondWithObject, H as RouterOptions, I as RetryPolicy, J as InProcessMessageQueueOptions, K as respondWithObjectIfAcceptable, L as createExponentialBackoffPolicy, M as FederationQueueOptions, N as createFederation, O as OutboxListenerSetters, Ot as digest, P as CreateExponentialBackoffPolicyOptions, Q as MessageQueueListenOptions, R as Message, S as FederationStartQueueOptions, St as UnverifiedActivityReason, T as InboxChallengePolicy, Tt as SenderKeyPair, U as RouterRouteResult, V as RouterError, W as RespondWithObjectOptions, X as MessageQueueDepth, Y as MessageQueue, Z as MessageQueueEnqueueOptions, _ as Federatable, _t as OutboxListener, a as GetSignedKeyOptions, at as CollectionCounter, b as FederationFetchOptions, bt as SharedInboxKeyDispatcher, c as ParseUriResult, ct as CustomCollectionCounter, d as SendActivityOptions, dt as InboxErrorHandler, et as ActorAliasMapper, f as SendActivityOptionsForCollection, ft as InboxListener, g as CustomCollectionCallbackSetters, gt as OutboxErrorHandler, h as ConstructorWithTypeId, ht as ObjectDispatcher, i as GetActorOptions, it as AuthorizePredicate, j as FederationOrigin, k as Rfc6570Expression, kt as ActivityTransformer, l as RequestContext, lt as CustomCollectionCursor, m as CollectionCallbackSetters, mt as ObjectAuthorizePredicate, n as Context, nt as ActorHandleMapper, o as InboxContext, ot as CollectionCursor, p as ActorCallbackSetters, pt as NodeInfoDispatcher, q as InProcessMessageQueue, r as ForwardActivityOptions, rt as ActorKeyPairsDispatcher, s as OutboxContext, st as CollectionDispatcher, t as ActorKeyPair, tt as ActorDispatcher, u as RouteActivityOptions, ut as CustomCollectionDispatcher, v as Federation, vt as OutboxListenerErrorHandler, w as IdempotencyStrategy, wt as SendActivityError, x as FederationOptions, xt as UnverifiedActivityHandler, y as FederationBuilder, yt as OutboxPermanentFailureHandler, z as createFederationBuilder } from "./context-Ch-ZLyTQ.cjs";
 import { a as MemoryKvStore, i as KvStoreSetOptions, n as KvStore, r as KvStoreListEntry, t as KvKey } from "./kv-gJ8LYbxX.cjs";
 import { actorDehydrator, autoIdAssigner, getDefaultActivityTransformers } from "./compat/mod.cjs";
-import { n as handleWebFinger, t as WebFingerHandlerParameters } from "./mod-CLPnQPsv.cjs";
-import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "./mod-DXY9JF28.cjs";
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./mod-B0rWmfW5.cjs";
+import { n as handleWebFinger, t as WebFingerHandlerParameters } from "./mod-P9tE2WmM.cjs";
+import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "./mod-BDhgfjP7.cjs";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./mod-BR_BB0bh.cjs";
 export * from "@fedify/vocab-runtime";
 
 //#region src/mod.d.ts

package/dist/mod.d.ts

@@ -1,13 +1,13 @@
 /// <reference lib="esnext.temporal" />
 import { a as InboundService, c as OutboundService, d as Software, f as Usage, i as parseNodeInfo, l as Protocol, n as ParseNodeInfoOptions, o as JsonValue, p as nodeInfoToJson, r as getNodeInfo, s as NodeInfo, t as GetNodeInfoOptions, u as Services } from "./client-CSddvgWN.js";
-import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "./http-BDZeS5om.js";
+import { C as exportJwk, D as importJwk, E as generateCryptoKeyPair, S as KeyCache, T as fetchKeyDetailed, _ as validateAcceptSignature, a as VerifyRequestDetailedResult, b as FetchKeyOptions, c as signRequest, d as AcceptSignatureMember, f as AcceptSignatureParameters, g as parseAcceptSignature, h as fulfillAcceptSignature, i as SignRequestOptions, l as verifyRequest, m as formatAcceptSignature, n as HttpMessageSignaturesSpecDeterminer, o as VerifyRequestFailureReason, p as FulfillAcceptSignatureResult, r as Rfc9421SignRequestOptions, s as VerifyRequestOptions, t as HttpMessageSignaturesSpec, u as verifyRequestDetailed, v as FetchKeyDetailedResult, w as fetchKey, x as FetchKeyResult, y as FetchKeyErrorResult } from "./http-D6LP89UO.js";
 import { i as getKeyOwner, n as GetKeyOwnerOptions, r as doesActorOwnKey, t as DoesActorOwnKeyOptions } from "./owner-CnngXDNJ.js";
-import { $ as ParallelMessageQueue, A as FederationKvPrefixes, B as Router, C as IdempotencyKeyCallback, Ct as WebFingerLinksDispatcher, D as ObjectCallbackSetters, Dt as buildCollectionSynchronizationHeader, E as InboxListenerSetters, Et as PageItems, F as RetryContext, G as respondWithObject, H as RouterOptions, I as RetryPolicy, J as InProcessMessageQueueOptions, K as respondWithObjectIfAcceptable, L as createExponentialBackoffPolicy, M as FederationQueueOptions, N as createFederation, O as OutboxListenerSetters, Ot as digest, P as CreateExponentialBackoffPolicyOptions, Q as MessageQueueListenOptions, R as Message, S as FederationStartQueueOptions, St as UnverifiedActivityReason, T as InboxChallengePolicy, Tt as SenderKeyPair, U as RouterRouteResult, V as RouterError, W as RespondWithObjectOptions, X as MessageQueueDepth, Y as MessageQueue, Z as MessageQueueEnqueueOptions, _ as Federatable, _t as OutboxListener, a as GetSignedKeyOptions, at as CollectionCounter, b as FederationFetchOptions, bt as SharedInboxKeyDispatcher, c as ParseUriResult, ct as CustomCollectionCounter, d as SendActivityOptions, dt as InboxErrorHandler, et as ActorAliasMapper, f as SendActivityOptionsForCollection, ft as InboxListener, g as CustomCollectionCallbackSetters, gt as OutboxErrorHandler, h as ConstructorWithTypeId, ht as ObjectDispatcher, i as GetActorOptions, it as AuthorizePredicate, j as FederationOrigin, k as Rfc6570Expression, kt as ActivityTransformer, l as RequestContext, lt as CustomCollectionCursor, m as CollectionCallbackSetters, mt as ObjectAuthorizePredicate, n as Context, nt as ActorHandleMapper, o as InboxContext, ot as CollectionCursor, p as ActorCallbackSetters, pt as NodeInfoDispatcher, q as InProcessMessageQueue, r as ForwardActivityOptions, rt as ActorKeyPairsDispatcher, s as OutboxContext, st as CollectionDispatcher, t as ActorKeyPair, tt as ActorDispatcher, u as RouteActivityOptions, ut as CustomCollectionDispatcher, v as Federation, vt as OutboxListenerErrorHandler, w as IdempotencyStrategy, wt as SendActivityError, x as FederationOptions, xt as UnverifiedActivityHandler, y as FederationBuilder, yt as OutboxPermanentFailureHandler, z as createFederationBuilder } from "./context-Dqgt8saU.js";
+import { $ as ParallelMessageQueue, A as FederationKvPrefixes, B as Router, C as IdempotencyKeyCallback, Ct as WebFingerLinksDispatcher, D as ObjectCallbackSetters, Dt as buildCollectionSynchronizationHeader, E as InboxListenerSetters, Et as PageItems, F as RetryContext, G as respondWithObject, H as RouterOptions, I as RetryPolicy, J as InProcessMessageQueueOptions, K as respondWithObjectIfAcceptable, L as createExponentialBackoffPolicy, M as FederationQueueOptions, N as createFederation, O as OutboxListenerSetters, Ot as digest, P as CreateExponentialBackoffPolicyOptions, Q as MessageQueueListenOptions, R as Message, S as FederationStartQueueOptions, St as UnverifiedActivityReason, T as InboxChallengePolicy, Tt as SenderKeyPair, U as RouterRouteResult, V as RouterError, W as RespondWithObjectOptions, X as MessageQueueDepth, Y as MessageQueue, Z as MessageQueueEnqueueOptions, _ as Federatable, _t as OutboxListener, a as GetSignedKeyOptions, at as CollectionCounter, b as FederationFetchOptions, bt as SharedInboxKeyDispatcher, c as ParseUriResult, ct as CustomCollectionCounter, d as SendActivityOptions, dt as InboxErrorHandler, et as ActorAliasMapper, f as SendActivityOptionsForCollection, ft as InboxListener, g as CustomCollectionCallbackSetters, gt as OutboxErrorHandler, h as ConstructorWithTypeId, ht as ObjectDispatcher, i as GetActorOptions, it as AuthorizePredicate, j as FederationOrigin, k as Rfc6570Expression, kt as ActivityTransformer, l as RequestContext, lt as CustomCollectionCursor, m as CollectionCallbackSetters, mt as ObjectAuthorizePredicate, n as Context, nt as ActorHandleMapper, o as InboxContext, ot as CollectionCursor, p as ActorCallbackSetters, pt as NodeInfoDispatcher, q as InProcessMessageQueue, r as ForwardActivityOptions, rt as ActorKeyPairsDispatcher, s as OutboxContext, st as CollectionDispatcher, t as ActorKeyPair, tt as ActorDispatcher, u as RouteActivityOptions, ut as CustomCollectionDispatcher, v as Federation, vt as OutboxListenerErrorHandler, w as IdempotencyStrategy, wt as SendActivityError, x as FederationOptions, xt as UnverifiedActivityHandler, y as FederationBuilder, yt as OutboxPermanentFailureHandler, z as createFederationBuilder } from "./context-cSUMk2da.js";
 import { a as MemoryKvStore, i as KvStoreSetOptions, n as KvStore, r as KvStoreListEntry, t as KvKey } from "./kv-D6hNiMTK.js";
 import { actorDehydrator, autoIdAssigner, getDefaultActivityTransformers } from "./compat/mod.js";
-import { n as handleWebFinger, t as WebFingerHandlerParameters } from "./mod-Dx3-hqyo.js";
-import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "./mod-DHO9lk3D.js";
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./mod-BhU_H1I_.js";
+import { n as handleWebFinger, t as WebFingerHandlerParameters } from "./mod-C6E8rkcz.js";
+import { _ as hasSignatureLike, a as createProof, b as verifySignature, c as verifyObject, d as SignJsonLdOptions, f as VerifyJsonLdOptions, g as detachSignature, h as createSignature, i as VerifyProofOptions, l as verifyProof, m as attachSignature, n as SignObjectOptions, o as hasProofLike, p as VerifySignatureOptions, r as VerifyObjectOptions, s as signObject, t as CreateProofOptions, u as CreateSignatureOptions, v as signJsonLd, y as verifyJsonLd } from "./mod-B-Lin9Sy.js";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./mod-DLrRb0dx.js";
 export * from "@fedify/vocab-runtime";
 
 //#region src/mod.d.ts

package/dist/mod.js

@@ -3,11 +3,11 @@ import { URLPattern } from "urlpattern-polyfill";
 import "./chunk-CRNNMoPX.js";
 import { n as autoIdAssigner, r as getDefaultActivityTransformers, t as actorDehydrator } from "./transformers-BGMIq1cs.js";
 import "./compat/mod.js";
-import { a as verifyRequestDetailed, c as fetchKeyDetailed, f as formatAcceptSignature, h as validateAcceptSignature, i as verifyRequest, l as generateCryptoKeyPair, m as parseAcceptSignature, o as exportJwk, p as fulfillAcceptSignature, r as signRequest, s as fetchKey, u as importJwk } from "./http-Dzy5c472.js";
-import { a as createExponentialBackoffPolicy, c as buildCollectionSynchronizationHeader, d as Router, f as RouterError, i as SendActivityError, l as digest, o as respondWithObject, r as handleWebFinger, s as respondWithObjectIfAcceptable, t as createFederation, u as createFederationBuilder } from "./middleware-vCF_cKAq.js";
-import { a as verifyProof, c as getKeyOwner, d as detachSignature, f as hasSignatureLike, h as verifySignature, i as verifyObject, l as attachSignature, m as verifyJsonLd, n as hasProofLike, p as signJsonLd, r as signObject, s as doesActorOwnKey, t as createProof, u as createSignature } from "./proof-DMJJZnKd.js";
+import { a as verifyRequestDetailed, b as parseAcceptSignature, c as fetchKeyDetailed, i as verifyRequest, l as generateCryptoKeyPair, o as exportJwk, r as signRequest, s as fetchKey, u as importJwk, v as formatAcceptSignature, x as validateAcceptSignature, y as fulfillAcceptSignature } from "./http-CpzZ9zsb.js";
+import { a as createExponentialBackoffPolicy, c as buildCollectionSynchronizationHeader, d as Router, f as RouterError, i as SendActivityError, l as digest, o as respondWithObject, r as handleWebFinger, s as respondWithObjectIfAcceptable, t as createFederation, u as createFederationBuilder } from "./middleware-CuZbBw-N.js";
+import { a as verifyProof, c as getKeyOwner, d as detachSignature, f as hasSignatureLike, h as verifySignature, i as verifyObject, l as attachSignature, m as verifyJsonLd, n as hasProofLike, p as signJsonLd, r as signObject, s as doesActorOwnKey, t as createProof, u as createSignature } from "./proof-Vd8-1EWh.js";
 import { n as getNodeInfo, r as parseNodeInfo, t as nodeInfoToJson } from "./types-CAY3OdLq.js";
-import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./kv-cache-CBSgxEsZ.js";
+import { n as getAuthenticatedDocumentLoader, t as kvCache } from "./kv-cache-Wc5ezcVW.js";
 import { InProcessMessageQueue, MemoryKvStore, ParallelMessageQueue } from "./federation/mod.js";
 import "./nodeinfo/mod.js";
 import "./runtime/mod.js";

package/dist/nodeinfo/client.test.mjs

@@ -2,9 +2,9 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
+import "../std__assert-BTEgfoJo.mjs";
 import { t as esm_default } from "../esm-sdtqOUPu.mjs";
-import { a as parseProtocol, c as parseUsage, i as parseOutboundService, n as parseInboundService, o as parseServices, r as parseNodeInfo, s as parseSoftware, t as getNodeInfo } from "../client-B_A6mfn3.mjs";
+import { a as parseProtocol, c as parseUsage, i as parseOutboundService, n as parseInboundService, o as parseServices, r as parseNodeInfo, s as parseSoftware, t as getNodeInfo } from "../client-Bneh_DYR.mjs";
 import { test } from "@fedify/fixture";
 //#region src/nodeinfo/client.test.ts
 test("getNodeInfo()", async (t) => {

package/dist/nodeinfo/handler.test.mjs

@@ -3,9 +3,9 @@ import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { r as createRequestContext } from "../context-BAE7AKLA.mjs";
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
-import { t as MemoryKvStore } from "../kv-x2IvBUyq.mjs";
-import { _ as handleNodeInfoJrd, g as handleNodeInfo, o as createFederation } from "../middleware-BXnhAGF9.mjs";
+import "../std__assert-BTEgfoJo.mjs";
+import { t as MemoryKvStore } from "../kv-QHE0oeM3.mjs";
+import { _ as handleNodeInfoJrd, g as handleNodeInfo, o as createFederation } from "../middleware-DlcecZMq.mjs";
 import { test } from "@fedify/fixture";
 //#region src/nodeinfo/handler.test.ts
 test("handleNodeInfo()", async () => {

package/dist/nodeinfo/types.test.mjs

@@ -2,9 +2,9 @@ import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
+import "../std__assert-BTEgfoJo.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
-import { t as nodeInfoToJson } from "../types-BFowWFTT.mjs";
+import { t as nodeInfoToJson } from "../types-D09GN0uZ.mjs";
 import { test } from "@fedify/fixture";
 //#region src/nodeinfo/types.test.ts
 test("nodeInfoToJson()", () => {

package/dist/otel/exporter.test.mjs

@@ -2,8 +2,8 @@ import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import "../std__assert-CRDpx_HF.mjs";
-import { t as MemoryKvStore } from "../kv-x2IvBUyq.mjs";
+import "../std__assert-BTEgfoJo.mjs";
+import { t as MemoryKvStore } from "../kv-QHE0oeM3.mjs";
 import { getLogger } from "@logtape/logtape";
 import { ExportResultCode } from "@opentelemetry/core";
 import { SpanKind, SpanStatusCode, TraceFlags } from "@opentelemetry/api";

package/dist/{outgoing-jsonld-BgFLCJQ_.mjs → outgoing-jsonld-BNL8AC14.mjs}

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as preloadedOnlyDocumentLoader, t as normalizePublicAudience } from "./public-audience-N3pyOx2p.mjs";
+import { n as preloadedOnlyDocumentLoader, t as normalizePublicAudience } from "./public-audience-c9zmYKgA.mjs";
 import { getLogger } from "@logtape/logtape";
 import { preloadedContexts } from "@fedify/vocab-runtime";
 import jsonld from "@fedify/vocab-runtime/jsonld";

package/dist/{owner-DwJe0BH9.mjs → owner-DO810N24.mjs}

@@ -1,8 +1,8 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-DBabeupC.mjs";
-import "./key-D9dUsyow.mjs";
+import { n as version, t as name } from "./deno-CF3jMgip.mjs";
+import "./key-B4I8H5Lc.mjs";
 import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 import { getDocumentLoader } from "@fedify/vocab-runtime";

package/dist/{proof-erpV_J_n.mjs → proof-BgfyWv7b.mjs}

@@ -1,16 +1,26 @@
 import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-DBabeupC.mjs";
-import { n as fetchKey, o as validateCryptoKey } from "./key-D9dUsyow.mjs";
-import { n as preloadedOnlyDocumentLoader } from "./public-audience-N3pyOx2p.mjs";
-import { r as normalizeOutgoingActivityJsonLd } from "./outgoing-jsonld-BgFLCJQ_.mjs";
+import { n as version, t as name } from "./deno-CF3jMgip.mjs";
+import { a as measureSignatureKeyFetch, n as getFederationMetrics, t as getDurationMs } from "./metrics-ek3ilf6c.mjs";
+import { n as fetchKey, o as validateCryptoKey } from "./key-B4I8H5Lc.mjs";
+import { n as preloadedOnlyDocumentLoader } from "./public-audience-c9zmYKgA.mjs";
+import { r as normalizeOutgoingActivityJsonLd } from "./outgoing-jsonld-BNL8AC14.mjs";
 import { getLogger } from "@logtape/logtape";
 import { Activity, DataIntegrityProof, Multikey, getTypeId } from "@fedify/vocab";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
 import { encodeHex } from "byte-encodings/hex";
 import serialize from "json-canon";
 //#region src/sig/proof.ts
+/**
+* Known Object Integrity Proof `cryptosuite` values, used to keep
+* `object_integrity_proofs.cryptosuite` on a bounded set of spec-defined
+* string values.  Fedify currently signs and verifies only
+* `eddsa-jcs-2022`; other values come in only from external proofs and are
+* dropped from the metric attribute to avoid attacker-controlled
+* cardinality.
+*/
+const OIP_KNOWN_CRYPTOSUITES = new Set(["eddsa-jcs-2022"]);
 const logger = getLogger([
 	"fedify",
 	"sig",
@@ -137,6 +147,10 @@ async function signObject(object, privateKey, keyId, options = {}) {
 */
 async function verifyProof(jsonLd, proof, options = {}) {
 	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("object_integrity_proofs.verify", async (span) => {
+		const start = performance.now();
+		let verified = false;
+		let threw = false;
+		const cryptosuite = proof.cryptosuite != null && OIP_KNOWN_CRYPTOSUITES.has(proof.cryptosuite) ? proof.cryptosuite : void 0;
 		if (span.isRecording()) {
 			if (proof.cryptosuite != null) span.setAttribute("object_integrity_proofs.cryptosuite", proof.cryptosuite);
 			if (proof.verificationMethodId != null) span.setAttribute("object_integrity_proofs.key_id", proof.verificationMethodId.href);
@@ -145,21 +159,25 @@ async function verifyProof(jsonLd, proof, options = {}) {
 		try {
 			const key = await verifyProofInternal(jsonLd, proof, options);
 			if (key == null) span.setStatus({ code: SpanStatusCode.ERROR });
+			else verified = true;
 			return key;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : verified ? "verified" : "rejected";
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "object_integrity", classified, { cryptosuite });
 			span.end();
 		}
 	});
 }
 async function verifyProofInternal(jsonLd, proof, options) {
 	if (typeof jsonLd !== "object" || jsonLd == null || Array.isArray(jsonLd) || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
-	const publicKeyPromise = fetchKey(proof.verificationMethodId, Multikey, options);
+	const publicKeyPromise = measureSignatureKeyFetch(options.meterProvider, "object_integrity", () => fetchKey(proof.verificationMethodId, Multikey, options));
 	const proofConfig = {
 		"@context": jsonLd["@context"],
 		type: "DataIntegrityProof",
@@ -199,7 +217,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 				proof,
 				keyId: proof.verificationMethodId.href
 			});
-			return await verifyProof(jsonLd, proof, {
+			return await verifyProofInternal(jsonLd, proof, {
 				...options,
 				keyCache: {
 					get: () => Promise.resolve(void 0),
@@ -230,7 +248,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 			keyId: proof.verificationMethodId.href,
 			proof
 		});
-		return await verifyProof(jsonLd, proof, {
+		return await verifyProofInternal(jsonLd, proof, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),

package/dist/{proof-CZCaAURh.cjs → proof-DIoqrKnX.cjs}

@@ -1,7 +1,7 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 const require_chunk = require("./chunk-DDcVe30Y.cjs");
-const require_http = require("./http-W2u_KBoQ.cjs");
+const require_http = require("./http-CKCgOPkX.cjs");
 let _logtape_logtape = require("@logtape/logtape");
 let _fedify_vocab = require("@fedify/vocab");
 let _opentelemetry_api = require("@opentelemetry/api");
@@ -148,6 +148,17 @@ function detachSignature(jsonLd) {
 }
 /**
 * Verifies Linked Data Signatures of the given JSON-LD document.
+*
+* This is a low-level utility that only checks the cryptographic signature
+* and (optionally) the cached key.  It does not run the JSON-LD parsing,
+* attribution, and owner checks that a complete inbound LD verification
+* needs.  For incoming activities, prefer {@link verifyJsonLd}, which is
+* the public verification entry point and the one that emits the
+* `activitypub.signature.verification.duration` metric for the LD path.
+* `verifySignature` itself only emits
+* `activitypub.signature.key_fetch.duration`, since the rest of the work
+* that the verification-duration metric is meant to cover happens in
+* `verifyJsonLd`.
 * @param jsonLd The JSON-LD document to verify.
 * @param options Options for verifying the signature.
 * @returns The public key that signed the document or `null` if the signature
@@ -167,7 +178,7 @@ async function verifySignature(jsonLd, options = {}) {
 		});
 		return null;
 	}
-	const { key, cached } = await require_http.fetchKey(new URL(sig.creator), _fedify_vocab.CryptographicKey, options);
+	const { key, cached } = await require_http.measureSignatureKeyFetch(options.meterProvider, "linked_data", () => require_http.fetchKey(new URL(sig.creator), _fedify_vocab.CryptographicKey, options));
 	if (key == null) return null;
 	const sigOpts = {
 		...sig,
@@ -207,13 +218,13 @@ async function verifySignature(jsonLd, options = {}) {
 			keyId: sig.creator,
 			...sig
 		});
-		const { key } = await require_http.fetchKey(new URL(sig.creator), _fedify_vocab.CryptographicKey, {
+		const { key } = await require_http.measureSignatureKeyFetch(options.meterProvider, "linked_data", () => require_http.fetchKey(new URL(sig.creator), _fedify_vocab.CryptographicKey, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),
 				set: async (keyId, key) => await options.keyCache?.set(keyId, key)
 			}
-		});
+		}));
 		if (key == null) return null;
 		return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes) ? key : null;
 	}
@@ -225,6 +236,33 @@ async function verifySignature(jsonLd, options = {}) {
 	return null;
 }
 /**
+* Known Linked Data Signature `type` values, used to keep
+* `ld_signatures.type` on a bounded set of spec-defined string values.
+* Fedify only signs and verifies `RsaSignature2017`; other values come in
+* only from external documents and are dropped from the metric attribute to
+* avoid attacker-controlled cardinality.
+*/
+const LD_KNOWN_SIGNATURE_TYPES = new Set(["RsaSignature2017"]);
+/**
+* Reports only whether a `signature` key is present on the document, with
+* no shape check on its value.  This is intentionally looser than
+* {@link hasSignature} (which validates a full `RsaSignature2017` shape)
+* and {@link hasSignatureLike} (which structurally accepts several known
+* suites): `verifyJsonLd` needs to tell a document with a malformed or
+* unsupported signature payload (classified as `rejected`) apart from a
+* truly unsigned document (classified as `missing`), and only this
+* presence-only check captures both cases.
+*/
+function hasLdSignatureProperty(jsonLd) {
+	return typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd;
+}
+function getLdSignatureObject(jsonLd) {
+	if (!hasLdSignatureProperty(jsonLd)) return void 0;
+	const { signature } = jsonLd;
+	if (typeof signature !== "object" || signature == null || Array.isArray(signature)) return;
+	return signature;
+}
+/**
 * Verify the authenticity of the given JSON-LD document using Linked Data
 * Signatures.  If the document is signed, this function verifies the signature
 * and checks if the document is attributed to the owner of the public key.
@@ -235,14 +273,22 @@ async function verifySignature(jsonLd, options = {}) {
 */
 async function verifyJsonLd(jsonLd, options = {}) {
 	return await (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(require_http.name, require_http.version).startActiveSpan("ld_signatures.verify", async (span) => {
+		const start = performance.now();
+		let verified = false;
+		let threw = false;
+		let signatureType;
 		try {
 			const object = await _fedify_vocab.Object.fromJsonLd(jsonLd, options);
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
 			span.setAttribute("activitypub.object.type", (0, _fedify_vocab.getTypeId)(object).href);
-			if (typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd && typeof jsonLd.signature === "object" && jsonLd.signature != null) {
-				if ("creator" in jsonLd.signature && typeof jsonLd.signature.creator === "string") span.setAttribute("ld_signatures.key_id", jsonLd.signature.creator);
-				if ("signatureValue" in jsonLd.signature && typeof jsonLd.signature.signatureValue === "string") span.setAttribute("ld_signatures.signature", jsonLd.signature.signatureValue);
-				if ("type" in jsonLd.signature && typeof jsonLd.signature.type === "string") span.setAttribute("ld_signatures.type", jsonLd.signature.type);
+			const sig = getLdSignatureObject(jsonLd);
+			if (sig != null) {
+				if (typeof sig.creator === "string") span.setAttribute("ld_signatures.key_id", sig.creator);
+				if (typeof sig.signatureValue === "string") span.setAttribute("ld_signatures.signature", sig.signatureValue);
+				if (typeof sig.type === "string") {
+					span.setAttribute("ld_signatures.type", sig.type);
+					if (LD_KNOWN_SIGNATURE_TYPES.has(sig.type)) signatureType = sig.type;
+				}
 			}
 			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
 			if (object instanceof _fedify_vocab.Activity) for (const uri of object.actorIds) attributions.add(uri.href);
@@ -257,14 +303,18 @@ async function verifyJsonLd(jsonLd, options = {}) {
 				logger$3.debug("Some attributions are not authenticated by the Linked Data Signatures: {attributions}.", { attributions: [...attributions] });
 				return false;
 			}
+			verified = true;
 			return true;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : verified ? "verified" : hasLdSignatureProperty(jsonLd) ? "rejected" : "missing";
+			require_http.getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(require_http.getDurationMs(start), "linked_data", classified, { ldType: signatureType });
 			span.end();
 		}
 	});
@@ -769,6 +819,15 @@ async function normalizeOutgoingActivityJsonLd(jsonLd, contextLoader) {
 }
 //#endregion
 //#region src/sig/proof.ts
+/**
+* Known Object Integrity Proof `cryptosuite` values, used to keep
+* `object_integrity_proofs.cryptosuite` on a bounded set of spec-defined
+* string values.  Fedify currently signs and verifies only
+* `eddsa-jcs-2022`; other values come in only from external proofs and are
+* dropped from the metric attribute to avoid attacker-controlled
+* cardinality.
+*/
+const OIP_KNOWN_CRYPTOSUITES = new Set(["eddsa-jcs-2022"]);
 const logger = (0, _logtape_logtape.getLogger)([
 	"fedify",
 	"sig",
@@ -895,6 +954,10 @@ async function signObject(object, privateKey, keyId, options = {}) {
 */
 async function verifyProof(jsonLd, proof, options = {}) {
 	return await (options.tracerProvider ?? _opentelemetry_api.trace.getTracerProvider()).getTracer(require_http.name, require_http.version).startActiveSpan("object_integrity_proofs.verify", async (span) => {
+		const start = performance.now();
+		let verified = false;
+		let threw = false;
+		const cryptosuite = proof.cryptosuite != null && OIP_KNOWN_CRYPTOSUITES.has(proof.cryptosuite) ? proof.cryptosuite : void 0;
 		if (span.isRecording()) {
 			if (proof.cryptosuite != null) span.setAttribute("object_integrity_proofs.cryptosuite", proof.cryptosuite);
 			if (proof.verificationMethodId != null) span.setAttribute("object_integrity_proofs.key_id", proof.verificationMethodId.href);
@@ -903,21 +966,25 @@ async function verifyProof(jsonLd, proof, options = {}) {
 		try {
 			const key = await verifyProofInternal(jsonLd, proof, options);
 			if (key == null) span.setStatus({ code: _opentelemetry_api.SpanStatusCode.ERROR });
+			else verified = true;
 			return key;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : verified ? "verified" : "rejected";
+			require_http.getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(require_http.getDurationMs(start), "object_integrity", classified, { cryptosuite });
 			span.end();
 		}
 	});
 }
 async function verifyProofInternal(jsonLd, proof, options) {
 	if (typeof jsonLd !== "object" || jsonLd == null || Array.isArray(jsonLd) || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
-	const publicKeyPromise = require_http.fetchKey(proof.verificationMethodId, _fedify_vocab.Multikey, options);
+	const publicKeyPromise = require_http.measureSignatureKeyFetch(options.meterProvider, "object_integrity", () => require_http.fetchKey(proof.verificationMethodId, _fedify_vocab.Multikey, options));
 	const proofConfig = {
 		"@context": jsonLd["@context"],
 		type: "DataIntegrityProof",
@@ -957,7 +1024,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 				proof,
 				keyId: proof.verificationMethodId.href
 			});
-			return await verifyProof(jsonLd, proof, {
+			return await verifyProofInternal(jsonLd, proof, {
 				...options,
 				keyCache: {
 					get: () => Promise.resolve(void 0),
@@ -988,7 +1055,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 			keyId: proof.verificationMethodId.href,
 			proof
 		});
-		return await verifyProof(jsonLd, proof, {
+		return await verifyProofInternal(jsonLd, proof, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),