@fedify/fedify 2.3.0-dev.1099 → 2.3.0-dev.1114

package/dist/{proof-DMJJZnKd.js → proof-Vd8-1EWh.js}

@@ -1,6 +1,6 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { _ as version, d as validateCryptoKey, g as name, s as fetchKey } from "./http-Dzy5c472.js";
+import { C as version, S as name, d as validateCryptoKey, f as getDurationMs, g as measureSignatureKeyFetch, p as getFederationMetrics, s as fetchKey } from "./http-CpzZ9zsb.js";
 import { getLogger } from "@logtape/logtape";
 import { Activity, CryptographicKey, DataIntegrityProof, Multikey, Object as Object$1, PUBLIC_COLLECTION, getTypeId, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
@@ -145,6 +145,17 @@ function detachSignature(jsonLd) {
 }
 /**
 * Verifies Linked Data Signatures of the given JSON-LD document.
+*
+* This is a low-level utility that only checks the cryptographic signature
+* and (optionally) the cached key.  It does not run the JSON-LD parsing,
+* attribution, and owner checks that a complete inbound LD verification
+* needs.  For incoming activities, prefer {@link verifyJsonLd}, which is
+* the public verification entry point and the one that emits the
+* `activitypub.signature.verification.duration` metric for the LD path.
+* `verifySignature` itself only emits
+* `activitypub.signature.key_fetch.duration`, since the rest of the work
+* that the verification-duration metric is meant to cover happens in
+* `verifyJsonLd`.
 * @param jsonLd The JSON-LD document to verify.
 * @param options Options for verifying the signature.
 * @returns The public key that signed the document or `null` if the signature
@@ -164,7 +175,7 @@ async function verifySignature(jsonLd, options = {}) {
 		});
 		return null;
 	}
-	const { key, cached } = await fetchKey(new URL(sig.creator), CryptographicKey, options);
+	const { key, cached } = await measureSignatureKeyFetch(options.meterProvider, "linked_data", () => fetchKey(new URL(sig.creator), CryptographicKey, options));
 	if (key == null) return null;
 	const sigOpts = {
 		...sig,
@@ -204,13 +215,13 @@ async function verifySignature(jsonLd, options = {}) {
 			keyId: sig.creator,
 			...sig
 		});
-		const { key } = await fetchKey(new URL(sig.creator), CryptographicKey, {
+		const { key } = await measureSignatureKeyFetch(options.meterProvider, "linked_data", () => fetchKey(new URL(sig.creator), CryptographicKey, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),
 				set: async (keyId, key) => await options.keyCache?.set(keyId, key)
 			}
-		});
+		}));
 		if (key == null) return null;
 		return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes) ? key : null;
 	}
@@ -222,6 +233,33 @@ async function verifySignature(jsonLd, options = {}) {
 	return null;
 }
 /**
+* Known Linked Data Signature `type` values, used to keep
+* `ld_signatures.type` on a bounded set of spec-defined string values.
+* Fedify only signs and verifies `RsaSignature2017`; other values come in
+* only from external documents and are dropped from the metric attribute to
+* avoid attacker-controlled cardinality.
+*/
+const LD_KNOWN_SIGNATURE_TYPES = new Set(["RsaSignature2017"]);
+/**
+* Reports only whether a `signature` key is present on the document, with
+* no shape check on its value.  This is intentionally looser than
+* {@link hasSignature} (which validates a full `RsaSignature2017` shape)
+* and {@link hasSignatureLike} (which structurally accepts several known
+* suites): `verifyJsonLd` needs to tell a document with a malformed or
+* unsupported signature payload (classified as `rejected`) apart from a
+* truly unsigned document (classified as `missing`), and only this
+* presence-only check captures both cases.
+*/
+function hasLdSignatureProperty(jsonLd) {
+	return typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd;
+}
+function getLdSignatureObject(jsonLd) {
+	if (!hasLdSignatureProperty(jsonLd)) return void 0;
+	const { signature } = jsonLd;
+	if (typeof signature !== "object" || signature == null || Array.isArray(signature)) return;
+	return signature;
+}
+/**
 * Verify the authenticity of the given JSON-LD document using Linked Data
 * Signatures.  If the document is signed, this function verifies the signature
 * and checks if the document is attributed to the owner of the public key.
@@ -232,14 +270,22 @@ async function verifySignature(jsonLd, options = {}) {
 */
 async function verifyJsonLd(jsonLd, options = {}) {
 	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("ld_signatures.verify", async (span) => {
+		const start = performance.now();
+		let verified = false;
+		let threw = false;
+		let signatureType;
 		try {
 			const object = await Object$1.fromJsonLd(jsonLd, options);
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
 			span.setAttribute("activitypub.object.type", getTypeId(object).href);
-			if (typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd && typeof jsonLd.signature === "object" && jsonLd.signature != null) {
-				if ("creator" in jsonLd.signature && typeof jsonLd.signature.creator === "string") span.setAttribute("ld_signatures.key_id", jsonLd.signature.creator);
-				if ("signatureValue" in jsonLd.signature && typeof jsonLd.signature.signatureValue === "string") span.setAttribute("ld_signatures.signature", jsonLd.signature.signatureValue);
-				if ("type" in jsonLd.signature && typeof jsonLd.signature.type === "string") span.setAttribute("ld_signatures.type", jsonLd.signature.type);
+			const sig = getLdSignatureObject(jsonLd);
+			if (sig != null) {
+				if (typeof sig.creator === "string") span.setAttribute("ld_signatures.key_id", sig.creator);
+				if (typeof sig.signatureValue === "string") span.setAttribute("ld_signatures.signature", sig.signatureValue);
+				if (typeof sig.type === "string") {
+					span.setAttribute("ld_signatures.type", sig.type);
+					if (LD_KNOWN_SIGNATURE_TYPES.has(sig.type)) signatureType = sig.type;
+				}
 			}
 			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
 			if (object instanceof Activity) for (const uri of object.actorIds) attributions.add(uri.href);
@@ -254,14 +300,18 @@ async function verifyJsonLd(jsonLd, options = {}) {
 				logger$3.debug("Some attributions are not authenticated by the Linked Data Signatures: {attributions}.", { attributions: [...attributions] });
 				return false;
 			}
+			verified = true;
 			return true;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : verified ? "verified" : hasLdSignatureProperty(jsonLd) ? "rejected" : "missing";
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "linked_data", classified, { ldType: signatureType });
 			span.end();
 		}
 	});
@@ -766,6 +816,15 @@ async function normalizeOutgoingActivityJsonLd(jsonLd, contextLoader) {
 }
 //#endregion
 //#region src/sig/proof.ts
+/**
+* Known Object Integrity Proof `cryptosuite` values, used to keep
+* `object_integrity_proofs.cryptosuite` on a bounded set of spec-defined
+* string values.  Fedify currently signs and verifies only
+* `eddsa-jcs-2022`; other values come in only from external proofs and are
+* dropped from the metric attribute to avoid attacker-controlled
+* cardinality.
+*/
+const OIP_KNOWN_CRYPTOSUITES = new Set(["eddsa-jcs-2022"]);
 const logger = getLogger([
 	"fedify",
 	"sig",
@@ -892,6 +951,10 @@ async function signObject(object, privateKey, keyId, options = {}) {
 */
 async function verifyProof(jsonLd, proof, options = {}) {
 	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("object_integrity_proofs.verify", async (span) => {
+		const start = performance.now();
+		let verified = false;
+		let threw = false;
+		const cryptosuite = proof.cryptosuite != null && OIP_KNOWN_CRYPTOSUITES.has(proof.cryptosuite) ? proof.cryptosuite : void 0;
 		if (span.isRecording()) {
 			if (proof.cryptosuite != null) span.setAttribute("object_integrity_proofs.cryptosuite", proof.cryptosuite);
 			if (proof.verificationMethodId != null) span.setAttribute("object_integrity_proofs.key_id", proof.verificationMethodId.href);
@@ -900,21 +963,25 @@ async function verifyProof(jsonLd, proof, options = {}) {
 		try {
 			const key = await verifyProofInternal(jsonLd, proof, options);
 			if (key == null) span.setStatus({ code: SpanStatusCode.ERROR });
+			else verified = true;
 			return key;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : verified ? "verified" : "rejected";
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "object_integrity", classified, { cryptosuite });
 			span.end();
 		}
 	});
 }
 async function verifyProofInternal(jsonLd, proof, options) {
 	if (typeof jsonLd !== "object" || jsonLd == null || Array.isArray(jsonLd) || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
-	const publicKeyPromise = fetchKey(proof.verificationMethodId, Multikey, options);
+	const publicKeyPromise = measureSignatureKeyFetch(options.meterProvider, "object_integrity", () => fetchKey(proof.verificationMethodId, Multikey, options));
 	const proofConfig = {
 		"@context": jsonLd["@context"],
 		type: "DataIntegrityProof",
@@ -954,7 +1021,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 				proof,
 				keyId: proof.verificationMethodId.href
 			});
-			return await verifyProof(jsonLd, proof, {
+			return await verifyProofInternal(jsonLd, proof, {
 				...options,
 				keyCache: {
 					get: () => Promise.resolve(void 0),
@@ -985,7 +1052,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 			keyId: proof.verificationMethodId.href,
 			proof
 		});
-		return await verifyProof(jsonLd, proof, {
+		return await verifyProofInternal(jsonLd, proof, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),

package/dist/send-CAYXdUTk.mjs

@@ -0,0 +1,225 @@
+import "@js-temporal/polyfill";
+import "urlpattern-polyfill";
+globalThis.addEventListener = () => {};
+import { n as version, t as name } from "./deno-CF3jMgip.mjs";
+import { n as getFederationMetrics, t as getDurationMs } from "./metrics-ek3ilf6c.mjs";
+import { n as doubleKnock } from "./http-BmOZYc-8.mjs";
+import { getLogger } from "@logtape/logtape";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
+//#region src/federation/send.ts
+/**
+* Extracts the inbox URLs from recipients.
+* @param parameters The parameters to extract the inboxes.
+*                   See also {@link ExtractInboxesParameters}.
+* @returns The inboxes as a map of inbox URL to actor URIs.
+*/
+function extractInboxes({ recipients, preferSharedInbox, excludeBaseUris }) {
+	const inboxes = {};
+	for (const recipient of recipients) {
+		let inbox;
+		let sharedInbox = false;
+		if (preferSharedInbox && recipient.endpoints?.sharedInbox != null) {
+			inbox = recipient.endpoints.sharedInbox;
+			sharedInbox = true;
+		} else inbox = recipient.inboxId;
+		if (inbox != null && recipient.id != null) {
+			if (excludeBaseUris != null && excludeBaseUris.some((u) => u.origin === inbox?.origin)) continue;
+			inboxes[inbox.href] ??= {
+				actorIds: /* @__PURE__ */ new Set(),
+				sharedInbox
+			};
+			inboxes[inbox.href].actorIds.add(recipient.id.href);
+		}
+	}
+	return inboxes;
+}
+/**
+* Sends an {@link Activity} to an inbox.
+*
+* @param parameters The parameters for sending the activity.
+*                   See also {@link SendActivityParameters}.
+* @throws {Error} If the activity fails to send.
+*/
+function sendActivity(options) {
+	const tracerProvider = options.tracerProvider ?? trace.getTracerProvider();
+	return tracerProvider.getTracer(name, version).startActiveSpan("activitypub.send_activity", {
+		kind: SpanKind.CLIENT,
+		attributes: { "activitypub.shared_inbox": options.sharedInbox ?? false }
+	}, async (span) => {
+		if (options.activityId != null) span.setAttribute("activitypub.activity.id", options.activityId);
+		if (options.activityType != null) span.setAttribute("activitypub.activity.type", options.activityType);
+		try {
+			await sendActivityInternal({
+				...options,
+				tracerProvider
+			}, span);
+		} catch (e) {
+			span.setStatus({
+				code: SpanStatusCode.ERROR,
+				message: String(e)
+			});
+			throw e;
+		} finally {
+			span.end();
+		}
+	});
+}
+const MAX_ERROR_RESPONSE_BODY_BYTES = 1024;
+function getActivityActorId(activity) {
+	if (!isRecord(activity)) return void 0;
+	return getIdValue(activity.actor);
+}
+function getIdValue(value) {
+	if (typeof value === "string" && value !== "") return value;
+	if (value instanceof URL) return value.href;
+	if (Array.isArray(value)) {
+		for (const item of value) {
+			const id = getIdValue(item);
+			if (id != null) return id;
+		}
+		return;
+	}
+	if (isRecord(value)) return getIdValue(value.id);
+}
+function isRecord(value) {
+	return typeof value === "object" && value != null;
+}
+async function readLimitedResponseBody(response, maxBytes) {
+	if (response.body == null) return "";
+	const reader = response.body.getReader();
+	const decoder = new TextDecoder();
+	const chunks = [];
+	let totalBytes = 0;
+	let truncated = false;
+	try {
+		while (true) {
+			const { done, value } = await reader.read();
+			if (done) break;
+			if (totalBytes + value.length > maxBytes) {
+				const remaining = maxBytes - totalBytes;
+				if (remaining > 0) chunks.push(decoder.decode(value.slice(0, remaining), { stream: true }));
+				truncated = true;
+				break;
+			}
+			chunks.push(decoder.decode(value, { stream: true }));
+			totalBytes += value.length;
+		}
+	} finally {
+		reader.releaseLock();
+	}
+	let result = chunks.join("");
+	if (truncated) result += "… (truncated)";
+	return result;
+}
+async function sendActivityInternal({ activity, activityId, activityType, keys, inbox, headers, specDeterminer, meterProvider, tracerProvider }, span) {
+	const logger = getLogger([
+		"fedify",
+		"federation",
+		"outbox"
+	]);
+	const federationMetrics = getFederationMetrics(meterProvider);
+	const started = performance.now();
+	let deliverySuccess = false;
+	headers = new Headers(headers);
+	headers.set("Content-Type", "application/activity+json");
+	const request = new Request(inbox, {
+		method: "POST",
+		headers,
+		body: JSON.stringify(activity)
+	});
+	let rsaKey = null;
+	for (const key of keys) if (key.privateKey.algorithm.name === "RSASSA-PKCS1-v1_5") {
+		rsaKey = key;
+		break;
+	}
+	if (rsaKey == null) logger.warn("No supported key found to sign the request to {inbox}.  The request will be sent without a signature.  In order to sign the request, at least one RSASSA-PKCS1-v1_5 key must be provided.", {
+		inbox: inbox.href,
+		keys: keys.map((pair) => ({
+			keyId: pair.keyId.href,
+			privateKey: pair.privateKey
+		}))
+	});
+	let response;
+	try {
+		response = rsaKey == null ? await fetch(request) : await doubleKnock(request, rsaKey, {
+			tracerProvider,
+			specDeterminer
+		});
+	} catch (error) {
+		logger.error("Failed to send activity {activityId} to {inbox}:\n{error}", {
+			activityId,
+			inbox: inbox.href,
+			error
+		});
+		federationMetrics.recordDelivery(inbox, getDurationMs(started), false, activityType);
+		throw error;
+	}
+	try {
+		if (!response.ok) {
+			let error;
+			try {
+				error = await readLimitedResponseBody(response, MAX_ERROR_RESPONSE_BODY_BYTES);
+			} catch (_) {
+				error = "";
+			}
+			logger.error("Failed to send activity {activityId} to {inbox} ({status} {statusText}):\n{error}", {
+				activityId,
+				inbox: inbox.href,
+				status: response.status,
+				statusText: response.statusText,
+				error
+			});
+			throw new SendActivityError(inbox, response.status, `Failed to send activity ${activityId} to ${inbox.href} (${response.status} ${response.statusText}):\n${error}`, error);
+		}
+		deliverySuccess = true;
+		const eventAttributes = {
+			"activitypub.inbox.url": inbox.href,
+			"activitypub.activity.id": activityId ?? ""
+		};
+		if (activityType != null) eventAttributes["activitypub.activity.type"] = activityType;
+		const actorId = getActivityActorId(activity);
+		if (actorId != null) eventAttributes["activitypub.actor.id"] = actorId;
+		span.addEvent("activitypub.activity.sent", eventAttributes);
+	} finally {
+		federationMetrics.recordDelivery(inbox, getDurationMs(started), deliverySuccess, activityType);
+	}
+}
+/**
+* An error that is thrown when an activity fails to send to a remote inbox.
+* It contains structured information about the failure, including the HTTP
+* status code, the inbox URL, and the response body.
+* @since 2.0.0
+*/
+var SendActivityError = class extends Error {
+	/**
+	* The inbox URL that the activity was being sent to.
+	*/
+	inbox;
+	/**
+	* The HTTP status code returned by the inbox.
+	*/
+	statusCode;
+	/**
+	* The response body from the inbox, if any.  Note that this may be
+	* truncated to a maximum of 1 KiB to prevent excessive memory consumption
+	* when remote servers return large error pages (e.g., Cloudflare error pages).
+	* If truncated, the string will end with `"… (truncated)"`.
+	*/
+	responseBody;
+	/**
+	* Creates a new {@link SendActivityError}.
+	* @param inbox The inbox URL.
+	* @param statusCode The HTTP status code.
+	* @param message The error message.
+	* @param responseBody The response body.
+	*/
+	constructor(inbox, statusCode, message, responseBody) {
+		super(message);
+		this.name = "SendActivityError";
+		this.inbox = inbox;
+		this.statusCode = statusCode;
+		this.responseBody = responseBody;
+	}
+};
+//#endregion
+export { extractInboxes as n, sendActivity as r, SendActivityError as t };

package/dist/sig/accept.test.mjs

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { i as validateAcceptSignature, n as fulfillAcceptSignature, r as parseAcceptSignature, t as formatAcceptSignature } from "../accept-CceiKpCy.mjs";
+import { i as validateAcceptSignature, n as fulfillAcceptSignature, r as parseAcceptSignature, t as formatAcceptSignature } from "../accept-CgDcxvjV.mjs";
 import { test } from "@fedify/fixture";
 import { deepStrictEqual, strictEqual } from "node:assert/strict";
 //#region src/sig/accept.test.ts

package/dist/sig/http.test.mjs

@@ -2,15 +2,15 @@ import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
 import { t as assertEquals } from "../assert_equals-Ew3jOFa3.mjs";
-import { i as assertExists, t as assertStringIncludes } from "../std__assert-CRDpx_HF.mjs";
-import { n as assertFalse, t as assertRejects } from "../assert_rejects-B-qJtC9Z.mjs";
+import { r as assertExists, t as assertStringIncludes } from "../std__assert-BTEgfoJo.mjs";
+import { n as assertGreaterOrEqual, r as assertFalse, t as assertRejects } from "../assert_rejects-DQP-q39h.mjs";
 import { t as assertThrows } from "../assert_throws-4NwKEy2q.mjs";
 import { t as assert } from "../assert-DikXweDx.mjs";
 import { t as esm_default } from "../esm-sdtqOUPu.mjs";
-import { t as exportJwk } from "../key-D9dUsyow.mjs";
-import { a as parseRfc9421Signature, c as timingSafeEqual, i as formatRfc9421SignatureParameters, l as verifyRequest, n as doubleKnock, o as parseRfc9421SignatureInput, r as formatRfc9421Signature, s as signRequest, t as createRfc9421SignatureBase, u as verifyRequestDetailed } from "../http-5G18W3NP.mjs";
-import { i as rsaPrivateKey2, l as rsaPublicKey5, o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-C3kae-6B.mjs";
-import { createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
+import { t as exportJwk } from "../key-B4I8H5Lc.mjs";
+import { a as parseRfc9421Signature, c as timingSafeEqual, i as formatRfc9421SignatureParameters, l as verifyRequest, n as doubleKnock, o as parseRfc9421SignatureInput, r as formatRfc9421Signature, s as signRequest, t as createRfc9421SignatureBase, u as verifyRequestDetailed } from "../http-BmOZYc-8.mjs";
+import { i as rsaPrivateKey2, l as rsaPublicKey5, o as rsaPublicKey1, s as rsaPublicKey2 } from "../keys-CSYsOMFG.mjs";
+import { createTestMeterProvider, createTestTracerProvider, mockDocumentLoader, test } from "@fedify/fixture";
 import { FetchError, exportSpki } from "@fedify/vocab-runtime";
 import { encodeBase64 } from "byte-encodings/base64";
 //#region src/sig/http.test.ts
@@ -230,6 +230,212 @@ test("verifyRequestDetailed() records failure details on span", async () => {
 	assertEquals(span.attributes["http_signatures.key_id"], keyId.href);
 	assertEquals(span.attributes["http_signatures.key_fetch_status"], 410);
 });
+test("verifyRequestDetailed() records verification duration metric", async (t) => {
+	const buildSignedRequest = () => signRequest(new Request("https://example.com/inbox", {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/activity+json",
+			accept: "application/ld+json"
+		},
+		body: JSON.stringify({
+			"@context": "https://www.w3.org/ns/activitystreams",
+			type: "Create",
+			actor: "https://example.com/key2"
+		})
+	}), rsaPrivateKey2, new URL("https://example.com/key2"));
+	await t.step("verified path emits one measurement", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assert((await verifyRequestDetailed(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		})).verified);
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		const measurement = measurements[0];
+		assertEquals(measurement.type, "histogram");
+		assertGreaterOrEqual(measurement.value, 0);
+		assertEquals(measurement.attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurement.attributes["activitypub.signature.result"], "verified");
+		assertEquals(measurement.attributes["http_signatures.algorithm"], "rsa-sha256");
+		assertFalse("http_signatures.failure_reason" in measurement.attributes);
+	});
+	await t.step("missing signature is recorded as result=missing", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const result = await verifyRequestDetailed(new Request("https://example.com/inbox", {
+			method: "POST",
+			headers: { "Content-Type": "application/activity+json" },
+			body: "{}"
+		}), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		});
+		assertFalse(result.verified);
+		assertEquals(result.reason.type, "noSignature");
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "missing");
+		assertFalse("http_signatures.failure_reason" in measurements[0].attributes);
+	});
+	await t.step("invalid signature is recorded as result=rejected with failure_reason", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const result = await verifyRequestDetailed(new Request("https://example.com/", {
+			method: "POST",
+			headers: {
+				Date: "Tue, 05 Mar 2024 07:49:44 GMT",
+				Digest: "sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+				Signature: "keyId=\"https://example.com/key2\",headers=\"(request-target) date digest\",signature=\"AAAA\""
+			},
+			body: ""
+		}), {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		});
+		assertFalse(result.verified);
+		assertEquals(result.reason.type, "invalidSignature");
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertEquals(measurements[0].attributes["http_signatures.failure_reason"], "invalidSignature");
+	});
+	await t.step("key fetch failure is recorded as result=rejected with failure_reason=keyFetchError", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const keyId = new URL("https://gone.example/actors/alice#main-key");
+		const result = await verifyRequestDetailed(await signRequest(new Request("https://example.com/inbox", {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/activity+json",
+				accept: "application/ld+json"
+			},
+			body: JSON.stringify({
+				"@context": "https://www.w3.org/ns/activitystreams",
+				type: "Create",
+				actor: "https://gone.example/actors/alice"
+			})
+		}), rsaPrivateKey2, keyId), {
+			contextLoader: mockDocumentLoader,
+			documentLoader(url) {
+				if (url === keyId.href) throw new FetchError(keyId, `HTTP 410: ${keyId.href}`, new Response(null, { status: 410 }));
+				return mockDocumentLoader(url);
+			},
+			meterProvider
+		});
+		assertFalse(result.verified);
+		assertEquals(result.reason.type, "keyFetchError");
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.result"], "rejected");
+		assertEquals(measurements[0].attributes["http_signatures.failure_reason"], "keyFetchError");
+	});
+	await t.step("verifyRequest() wrapper emits exactly one measurement, not two", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		assertEquals(recorder.getMeasurements("activitypub.signature.verification.duration").length, 1);
+	});
+	await t.step("cached-key retry emits one measurement, not two", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const cache = { "https://example.com/key2": rsaPublicKey1 };
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				get(keyId) {
+					return Promise.resolve(cache[keyId.href]);
+				},
+				set(keyId, k) {
+					cache[keyId.href] = k;
+					return Promise.resolve();
+				}
+			}
+		}));
+		assertEquals(recorder.getMeasurements("activitypub.signature.verification.duration").length, 1);
+	});
+	await t.step("key fetch records result=fetched on a cold cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].type, "histogram");
+		assertGreaterOrEqual(measurements[0].value, 0);
+		assertEquals(measurements[0].attributes["activitypub.signature.kind"], "http");
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "fetched");
+	});
+	await t.step("key fetch records result=hit when served from the key cache", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const cache = { "https://example.com/key2": rsaPublicKey2 };
+		assertExists(await verifyRequest(await buildSignedRequest(), {
+			contextLoader: mockDocumentLoader,
+			documentLoader: mockDocumentLoader,
+			meterProvider,
+			keyCache: {
+				get(keyId) {
+					return Promise.resolve(cache[keyId.href]);
+				},
+				set(keyId, k) {
+					cache[keyId.href] = k;
+					return Promise.resolve();
+				}
+			}
+		}));
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "hit");
+	});
+	await t.step("key fetch records result=error when the remote key returns HTTP 410", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		const keyId = new URL("https://gone.example/actors/alice#main-key");
+		assertFalse((await verifyRequestDetailed(await signRequest(new Request("https://example.com/inbox", {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/activity+json",
+				accept: "application/ld+json"
+			},
+			body: "{}"
+		}), rsaPrivateKey2, keyId), {
+			contextLoader: mockDocumentLoader,
+			documentLoader(url) {
+				if (url === keyId.href) throw new FetchError(keyId, `HTTP 410: ${keyId.href}`, new Response(null, { status: 410 }));
+				return mockDocumentLoader(url);
+			},
+			meterProvider
+		})).verified);
+		const measurements = recorder.getMeasurements("activitypub.signature.key_fetch.duration");
+		assertEquals(measurements.length, 1);
+		assertEquals(measurements[0].attributes["activitypub.signature.key_fetch.result"], "error");
+	});
+	await t.step("draft-cavage with unknown algorithm omits the algorithm metric attribute", async () => {
+		const [meterProvider, recorder] = createTestMeterProvider();
+		assertFalse((await verifyRequestDetailed(new Request("https://example.com/", {
+			method: "POST",
+			headers: {
+				Date: "Tue, 05 Mar 2024 07:49:44 GMT",
+				Digest: "sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+				Signature: "keyId=\"https://example.com/key2\",algorithm=\"x-attacker-supplied\",headers=\"(request-target) date digest\",signature=\"AAAA\""
+			},
+			body: ""
+		}), {
+			documentLoader: mockDocumentLoader,
+			contextLoader: mockDocumentLoader,
+			meterProvider
+		})).verified);
+		const measurements = recorder.getMeasurements("activitypub.signature.verification.duration");
+		assertEquals(measurements.length, 1);
+		assertFalse("http_signatures.algorithm" in measurements[0].attributes);
+	});
+});
 test("signRequest() and verifyRequest() [rfc9421] implementation", async () => {
 	const currentTimestamp = 1709626184;
 	const currentTime = Temporal.Instant.from("2024-03-05T08:09:44Z");