@fedify/fedify 2.3.0-dev.1110 → 2.3.0-dev.1114

package/dist/{http-DV0il3vk.cjs → http-CKCgOPkX.cjs}

@@ -11,7 +11,7 @@ let _opentelemetry_semantic_conventions = require("@opentelemetry/semantic-conve
 let byte_encodings_base64 = require("byte-encodings/base64");
 //#region deno.json
 var name = "@fedify/fedify";
-var version = "2.3.0-dev.1110+3ba84466";
+var version = "2.3.0-dev.1114+15a3316d";
 //#endregion
 //#region src/sig/accept.ts
 /**
@@ -152,6 +152,314 @@ function fulfillAcceptSignature(entry, localKeyId, localAlg) {
 	};
 }
 //#endregion
+//#region src/federation/metrics.ts
+var FederationMetrics = class {
+	deliverySent;
+	deliveryPermanentFailure;
+	signatureVerificationFailure;
+	signatureVerificationDuration;
+	signatureKeyFetchDuration;
+	deliveryDuration;
+	inboxProcessingDuration;
+	httpServerRequestCount;
+	httpServerRequestDuration;
+	queueTaskEnqueued;
+	queueTaskStarted;
+	queueTaskCompleted;
+	queueTaskFailed;
+	queueTaskDuration;
+	queueTaskInFlight;
+	constructor(meterProvider) {
+		const meter = meterProvider.getMeter(name, version);
+		this.deliverySent = meter.createCounter("activitypub.delivery.sent", {
+			description: "ActivityPub delivery attempts.",
+			unit: "{attempt}"
+		});
+		this.deliveryPermanentFailure = meter.createCounter("activitypub.delivery.permanent_failure", {
+			description: "ActivityPub deliveries abandoned as permanent failures.",
+			unit: "{failure}"
+		});
+		this.signatureVerificationFailure = meter.createCounter("activitypub.signature.verification_failure", {
+			description: "ActivityPub signature verification failures.",
+			unit: "{failure}"
+		});
+		this.signatureVerificationDuration = meter.createHistogram("activitypub.signature.verification.duration", {
+			description: "Duration of ActivityPub signature verification, including local key lookup and remote key fetches.",
+			unit: "ms"
+		});
+		this.signatureKeyFetchDuration = meter.createHistogram("activitypub.signature.key_fetch.duration", {
+			description: "Duration of public key lookup performed during ActivityPub signature verification.",
+			unit: "ms"
+		});
+		this.deliveryDuration = meter.createHistogram("activitypub.delivery.duration", {
+			description: "Duration of ActivityPub delivery attempts.",
+			unit: "ms"
+		});
+		this.inboxProcessingDuration = meter.createHistogram("activitypub.inbox.processing_duration", {
+			description: "Duration of ActivityPub inbox listener processing.",
+			unit: "ms"
+		});
+		this.httpServerRequestCount = meter.createCounter("fedify.http.server.request.count", {
+			description: "HTTP requests handled by Federation.fetch().",
+			unit: "{request}"
+		});
+		this.httpServerRequestDuration = meter.createHistogram("fedify.http.server.request.duration", {
+			description: "Duration of HTTP requests handled by Federation.fetch().",
+			unit: "ms",
+			advice: { explicitBucketBoundaries: [
+				5,
+				10,
+				25,
+				50,
+				75,
+				100,
+				250,
+				500,
+				750,
+				1e3,
+				2500,
+				5e3,
+				7500,
+				1e4
+			] }
+		});
+		this.queueTaskEnqueued = meter.createCounter("fedify.queue.task.enqueued", {
+			description: "Tasks Fedify enqueued for inbox, outbox, or fanout work.",
+			unit: "{task}"
+		});
+		this.queueTaskStarted = meter.createCounter("fedify.queue.task.started", {
+			description: "Tasks Fedify began processing as a queue worker.",
+			unit: "{task}"
+		});
+		this.queueTaskCompleted = meter.createCounter("fedify.queue.task.completed", {
+			description: "Queue tasks Fedify finished processing without throwing.",
+			unit: "{task}"
+		});
+		this.queueTaskFailed = meter.createCounter("fedify.queue.task.failed", {
+			description: "Queue tasks Fedify abandoned because processing threw.",
+			unit: "{task}"
+		});
+		this.queueTaskDuration = meter.createHistogram("fedify.queue.task.duration", {
+			description: "Duration of queue task processing in Fedify workers.",
+			unit: "ms",
+			advice: { explicitBucketBoundaries: [
+				5,
+				10,
+				25,
+				50,
+				75,
+				100,
+				250,
+				500,
+				750,
+				1e3,
+				2500,
+				5e3,
+				7500,
+				1e4
+			] }
+		});
+		this.queueTaskInFlight = meter.createUpDownCounter("fedify.queue.task.in_flight", {
+			description: "Queue tasks currently being processed in this Fedify process.",
+			unit: "{task}"
+		});
+	}
+	recordDelivery(inbox, durationMs, success, activityType) {
+		const deliveryAttributes = {
+			"activitypub.remote.host": getRemoteHost(inbox),
+			"activitypub.delivery.success": success
+		};
+		if (activityType != null) deliveryAttributes["activitypub.activity.type"] = activityType;
+		this.deliverySent.add(1, deliveryAttributes);
+		this.deliveryDuration.record(durationMs, deliveryAttributes);
+	}
+	recordPermanentFailure(inbox, statusCode) {
+		this.deliveryPermanentFailure.add(1, {
+			"activitypub.remote.host": getRemoteHost(inbox),
+			"http.response.status_code": statusCode
+		});
+	}
+	recordSignatureVerificationFailure(reason, remoteHost) {
+		const attributes = { "activitypub.verification.failure_reason": reason };
+		if (remoteHost != null) attributes["activitypub.remote.host"] = remoteHost;
+		this.signatureVerificationFailure.add(1, attributes);
+	}
+	recordSignatureVerificationDuration(durationMs, kind, result, extra = {}) {
+		const attributes = {
+			"activitypub.signature.kind": kind,
+			"activitypub.signature.result": result
+		};
+		if (extra.algorithm != null) attributes["http_signatures.algorithm"] = extra.algorithm;
+		if (extra.failureReason != null) attributes["http_signatures.failure_reason"] = extra.failureReason;
+		if (extra.ldType != null) attributes["ld_signatures.type"] = extra.ldType;
+		if (extra.cryptosuite != null) attributes["object_integrity_proofs.cryptosuite"] = extra.cryptosuite;
+		this.signatureVerificationDuration.record(durationMs, attributes);
+	}
+	recordSignatureKeyFetchDuration(durationMs, kind, result) {
+		this.signatureKeyFetchDuration.record(durationMs, {
+			"activitypub.signature.kind": kind,
+			"activitypub.signature.key_fetch.result": result
+		});
+	}
+	recordInboxProcessingDuration(activityType, durationMs) {
+		this.inboxProcessingDuration.record(durationMs, { "activitypub.activity.type": activityType });
+	}
+	recordHttpServerRequest(method, endpoint, durationMs, options = {}) {
+		const attributes = {
+			"http.request.method": normalizeHttpMethod(method),
+			"fedify.endpoint": endpoint
+		};
+		if (options.statusCode != null) attributes["http.response.status_code"] = options.statusCode;
+		if (options.routeTemplate != null) attributes["fedify.route.template"] = options.routeTemplate;
+		this.httpServerRequestCount.add(1, attributes);
+		this.httpServerRequestDuration.record(durationMs, attributes);
+	}
+	recordQueueTaskEnqueued(common, attempt) {
+		const attributes = buildQueueTaskAttributes(common);
+		attributes["fedify.queue.task.attempt"] = attempt;
+		this.queueTaskEnqueued.add(1, attributes);
+	}
+	recordQueueTaskStarted(common) {
+		this.queueTaskStarted.add(1, buildQueueTaskAttributes(common));
+	}
+	incrementQueueTaskInFlight(common) {
+		this.queueTaskInFlight.add(1, buildQueueTaskInFlightAttributes(common));
+	}
+	decrementQueueTaskInFlight(common) {
+		this.queueTaskInFlight.add(-1, buildQueueTaskInFlightAttributes(common));
+	}
+	recordQueueTaskOutcome(common, result, durationMs) {
+		const attributes = buildQueueTaskAttributes(common);
+		attributes["fedify.queue.task.result"] = result;
+		if (result === "completed") this.queueTaskCompleted.add(1, attributes);
+		else if (result === "failed") this.queueTaskFailed.add(1, attributes);
+		this.queueTaskDuration.record(durationMs, attributes);
+	}
+};
+function buildQueueTaskAttributes(common) {
+	const attributes = { "fedify.queue.role": common.role };
+	const backend = getQueueBackend(common.queue);
+	if (backend != null) attributes["fedify.queue.backend"] = backend;
+	const nativeRetrial = common.queue?.nativeRetrial;
+	if (typeof nativeRetrial === "boolean") attributes["fedify.queue.native_retrial"] = nativeRetrial;
+	if (common.activityType != null) attributes["activitypub.activity.type"] = common.activityType;
+	return attributes;
+}
+function buildQueueTaskInFlightAttributes(common) {
+	return buildQueueTaskAttributes({
+		role: common.role,
+		queue: common.queue
+	});
+}
+/**
+* Returns the constructor name of the given message queue, when it is a
+* meaningful identifier.  Used as a best-effort `fedify.queue.backend`
+* attribute on queue task metrics; returns `undefined` for plain object
+* literals (whose constructor is `Object`) so the attribute does not appear
+* with a non-informative value.
+* @since 2.3.0
+*/
+function getQueueBackend(queue) {
+	const name = queue?.constructor?.name;
+	if (name == null || name === "" || name === "Object") return void 0;
+	return name;
+}
+/**
+* Records `fedify.queue.task.enqueued` for an outgoing outbox enqueue.
+*
+* Both `Context.sendActivity()` and `OutboxContext.forwardActivity()` enqueue
+* outbox messages with the same metric attributes (role, queue, activity
+* type, attempt), so they share this helper rather than each defining a local
+* closure.
+* @since 2.3.0
+*/
+function recordOutboxEnqueue(meterProvider, outboxQueue, message) {
+	getFederationMetrics(meterProvider).recordQueueTaskEnqueued({
+		role: "outbox",
+		queue: outboxQueue,
+		activityType: message.activityType
+	}, message.attempt);
+}
+/**
+* Times an awaited public key fetch and records exactly one
+* `activitypub.signature.key_fetch.duration` measurement, classifying the
+* outcome as `hit`, `fetched`, or `error` based on the `cached` flag and
+* whether the returned key is non-null.  Errors thrown by the fetch are
+* reported as `error` and rethrown, so verifier behavior is unchanged.
+*
+* Shared by the three signature verifiers (HTTP, Linked Data, Object
+* Integrity Proofs); the only per-call variation is the
+* `activitypub.signature.kind` attribute value.
+* @since 2.3.0
+*/
+async function measureSignatureKeyFetch(meterProvider, kind, fetch) {
+	const start = performance.now();
+	try {
+		const result = await fetch();
+		getFederationMetrics(meterProvider).recordSignatureKeyFetchDuration(getDurationMs(start), kind, result.key != null ? result.cached ? "hit" : "fetched" : "error");
+		return result;
+	} catch (error) {
+		getFederationMetrics(meterProvider).recordSignatureKeyFetchDuration(getDurationMs(start), kind, "error");
+		throw error;
+	}
+}
+/**
+* Whether the given thrown value is an `AbortError`.
+*
+* `processQueuedTask` distinguishes aborted tasks (recorded as
+* `fedify.queue.task.result=aborted`) from other failures so that backend
+* shutdown signals do not inflate the `fedify.queue.task.failed` counter.
+* @since 2.3.0
+*/
+function isAbortError$1(error) {
+	if (error == null || typeof error !== "object") return false;
+	const name = error.name;
+	return typeof name === "string" && name === "AbortError";
+}
+const KNOWN_HTTP_METHODS = new Set([
+	"CONNECT",
+	"DELETE",
+	"GET",
+	"HEAD",
+	"OPTIONS",
+	"PATCH",
+	"POST",
+	"PUT",
+	"QUERY",
+	"TRACE"
+]);
+function normalizeHttpMethod(method) {
+	const upper = method.toUpperCase();
+	return KNOWN_HTTP_METHODS.has(upper) ? upper : "_OTHER";
+}
+const federationMetrics = /* @__PURE__ */ new WeakMap();
+/**
+* Gets the cached Fedify metric instruments for a meter provider.
+* @since 2.3.0
+*/
+function getFederationMetrics(meterProvider = _opentelemetry_api.metrics.getMeterProvider()) {
+	let instruments = federationMetrics.get(meterProvider);
+	if (instruments == null) {
+		instruments = new FederationMetrics(meterProvider);
+		federationMetrics.set(meterProvider, instruments);
+	}
+	return instruments;
+}
+/**
+* Gets the bounded remote host attribute value for a URL.
+* @since 2.3.0
+*/
+function getRemoteHost(url) {
+	return url.hostname;
+}
+/**
+* Gets an elapsed duration in milliseconds from a `performance.now()` value.
+* @since 2.3.0
+*/
+function getDurationMs(start) {
+	return Math.max(0, performance.now() - start);
+}
+//#endregion
 //#region src/sig/key.ts
 /**
 * Checks if the given key is valid and supported.  No-op if the key is valid,
@@ -800,6 +1108,27 @@ function parseKeyId(value) {
 function getKeyFetchErrorName(error) {
 	return error.name || error.constructor.name || "Error";
 }
+/**
+* Known draft-cavage `algorithm` parameter values, used to keep the
+* `http_signatures.algorithm` metric attribute on a bounded set.  The header
+* field is attacker-controlled and not used to select the verification
+* algorithm, so unknown values are dropped from the metric to prevent
+* cardinality blow-up.
+*/
+const DRAFT_KNOWN_ALGORITHMS = new Set([
+	"ecdsa-sha256",
+	"ecdsa-sha384",
+	"ecdsa-sha512",
+	"ed25519",
+	"hs2019",
+	"rsa-sha1",
+	"rsa-sha256",
+	"rsa-sha512"
+]);
+function classifyHttpVerifyResult(result) {
+	if (result.verified) return "verified";
+	return result.reason.type === "noSignature" ? "missing" : "rejected";
+}
 function recordVerificationResult(span, result) {
 	span.setAttribute("http_signatures.verified", result.verified);
 	if (result.verified === true) return;
@@ -843,27 +1172,37 @@ async function verifyRequestDetailed(request, options = {}) {
 			span.setAttribute(_opentelemetry_semantic_conventions.ATTR_URL_FULL, request.url);
 			for (const [name, value] of request.headers) span.setAttribute((0, _opentelemetry_semantic_conventions.ATTR_HTTP_REQUEST_HEADER)(name), value);
 		}
+		const start = performance.now();
+		const metricsContext = {};
+		let result;
+		let threw = false;
 		try {
 			let spec = options.spec;
 			if (spec == null) spec = request.headers.has("Signature-Input") ? "rfc9421" : "draft-cavage-http-signatures-12";
-			let result;
-			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, options);
-			else result = await verifyRequestDraft(request, span, options);
+			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, metricsContext, options);
+			else result = await verifyRequestDraft(request, span, metricsContext, options);
 			recordVerificationResult(span, result);
 			if (!result.verified) span.setStatus({ code: _opentelemetry_api.SpanStatusCode.ERROR });
 			return result;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: _opentelemetry_api.SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : classifyHttpVerifyResult(result);
+			const failureReason = result != null && !result.verified && result.reason.type !== "noSignature" ? result.reason.type : void 0;
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "http", classified, {
+				algorithm: metricsContext.algorithm,
+				failureReason
+			});
 			span.end();
 		}
 	});
 }
-async function verifyRequestDraft(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
+async function verifyRequestDraft(request, span, metricsContext, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, meterProvider, tracerProvider } = {}) {
 	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
@@ -1011,13 +1350,17 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 	const keyIdUrl = parseKeyId(keyId);
 	if (keyIdUrl == null) return invalidSignatureResult(null);
 	span?.setAttribute("http_signatures.key_id", keyId);
-	if ("algorithm" in sigValues) span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
-	const { key, cached, fetchError } = await fetchKeyDetailed(keyIdUrl, _fedify_vocab.CryptographicKey, {
+	if ("algorithm" in sigValues) {
+		span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
+		const normalizedAlgorithm = sigValues.algorithm.toLowerCase();
+		if (DRAFT_KNOWN_ALGORITHMS.has(normalizedAlgorithm)) metricsContext.algorithm = normalizedAlgorithm;
+	}
+	const { key, cached, fetchError } = await measureSignatureKeyFetch(meterProvider, "http", () => fetchKeyDetailed(keyIdUrl, _fedify_vocab.CryptographicKey, {
 		documentLoader,
 		contextLoader,
 		keyCache,
 		tracerProvider
-	});
+	}));
 	if (fetchError != null) return keyFetchErrorResult(keyIdUrl, fetchError);
 	if (key == null) return invalidSignatureResult(keyIdUrl);
 	const headerNames = headers.split(/\s+/g);
@@ -1039,7 +1382,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				signature,
 				message
 			});
-			return await verifyRequestDetailed(originalRequest, {
+			return await verifyRequestDraft(originalRequest, span, metricsContext, {
 				documentLoader,
 				contextLoader,
 				timeWindow,
@@ -1047,7 +1390,9 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				keyCache: {
 					get: () => Promise.resolve(void 0),
 					set: async (keyId, key) => await keyCache?.set(keyId, key)
-				}
+				},
+				meterProvider,
+				tracerProvider
 			});
 		}
 		logger.debug("Failed to verify with the fetched key {keyId}; signature {signature} is invalid.  Check if the key is correct or if the signed message is correct.  The message to sign is:\n{message}", {
@@ -1123,7 +1468,7 @@ async function verifyRfc9421ContentDigest(digestHeader, body) {
 	}
 	return false;
 }
-async function verifyRequestRfc9421(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
+async function verifyRequestRfc9421(request, span, metricsContext, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, meterProvider, tracerProvider } = {}) {
 	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"sig",
@@ -1157,9 +1502,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		return invalidSignatureResult(null);
 	}
 	let failure = noSignatureResult();
+	let failureAlgorithm;
+	const setFailure = (result, algorithm) => {
+		failure = result;
+		failureAlgorithm = algorithm;
+	};
 	for (const sigName of signatureNames) {
 		if (!signatures[sigName]) {
-			failure = invalidSignatureResult(parseKeyId(signatureInputs[sigName]?.keyId));
+			setFailure(invalidSignatureResult(parseKeyId(signatureInputs[sigName]?.keyId)));
 			continue;
 		}
 		const sigInput = signatureInputs[sigName];
@@ -1170,7 +1520,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
-			failure = invalidSignatureResult(null);
+			setFailure(invalidSignatureResult(null));
 			continue;
 		}
 		if (!sigInput.created) {
@@ -1178,7 +1528,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		const signatureCreated = Temporal.Instant.fromEpochMilliseconds(sigInput.created * 1e3);
@@ -1190,14 +1540,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			} else if (Temporal.Instant.compare(signatureCreated, now.subtract(tw)) < 0) {
 				logger.debug("Failed to verify; signature created time is too far in the past.", {
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 		}
@@ -1205,34 +1555,34 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 			const contentDigestHeader = request.headers.get("Content-Digest");
 			if (!contentDigestHeader) {
 				logger.debug("Failed to verify; Content-Digest header required but not found.", { components: sigInput.components });
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 			if (!await verifyRfc9421ContentDigest(contentDigestHeader, await request.arrayBuffer())) {
 				logger.debug("Failed to verify; Content-Digest verification failed.", { contentDigest: contentDigestHeader });
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 		}
 		span?.setAttribute("http_signatures.key_id", sigInput.keyId);
 		span?.setAttribute("http_signatures.created", sigInput.created.toString());
 		if (keyId == null) {
-			failure = invalidSignatureResult(null);
+			setFailure(invalidSignatureResult(null));
 			continue;
 		}
-		const { key, cached, fetchError } = await fetchKeyDetailed(keyId, _fedify_vocab.CryptographicKey, {
+		const { key, cached, fetchError } = await measureSignatureKeyFetch(meterProvider, "http", () => fetchKeyDetailed(keyId, _fedify_vocab.CryptographicKey, {
 			documentLoader,
 			contextLoader,
 			keyCache,
 			tracerProvider
-		});
+		}));
 		if (fetchError != null) {
-			failure = keyFetchErrorResult(keyId, fetchError);
+			setFailure(keyFetchErrorResult(keyId, fetchError));
 			continue;
 		}
 		if (!key) {
 			logger.debug("Failed to fetch key: {keyId}", { keyId: sigInput.keyId });
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		let alg = sigInput.alg?.toLowerCase();
@@ -1244,12 +1594,13 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		}
 		if (alg) span?.setAttribute("http_signatures.algorithm", alg);
 		const algorithm = alg && rfc9421AlgorithmMap[alg];
+		const candidateAlgorithm = algorithm ? alg : void 0;
 		if (!algorithm) {
 			logger.debug("Failed to verify; unsupported algorithm: {algorithm}", {
 				algorithm: sigInput.alg,
 				supported: Object.keys(rfc9421AlgorithmMap)
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		let signatureBase;
@@ -1260,20 +1611,22 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				error,
 				signatureInput: sigInput
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 			continue;
 		}
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", (0, byte_encodings_hex.encodeHex)(sigBytes));
 		try {
-			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) return {
-				verified: true,
-				key,
-				signatureLabel: sigName
-			};
-			else if (cached) {
+			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) {
+				metricsContext.algorithm = candidateAlgorithm;
+				return {
+					verified: true,
+					key,
+					signatureLabel: sigName
+				};
+			} else if (cached) {
 				logger.debug("Failed to verify with cached key {keyId}; retrying with fresh key...", { keyId: sigInput.keyId });
-				return await verifyRequestDetailed(originalRequest, {
+				return await verifyRequestRfc9421(originalRequest, span, metricsContext, {
 					documentLoader,
 					contextLoader,
 					timeWindow,
@@ -1282,14 +1635,16 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 						get: () => Promise.resolve(void 0),
 						set: async (keyId, key) => await keyCache?.set(keyId, key)
 					},
-					spec: "rfc9421"
+					spec: "rfc9421",
+					meterProvider,
+					tracerProvider
 				});
 			} else {
 				logger.debug("Failed to verify signature with fetched key {keyId}; signature invalid.", {
 					keyId: sigInput.keyId,
 					signatureBase
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 			}
 		} catch (error) {
 			logger.debug("Error during signature verification: {error}", {
@@ -1297,9 +1652,10 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				keyId: sigInput.keyId,
 				algorithm: sigInput.alg
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 		}
 	}
+	metricsContext.algorithm = failureAlgorithm;
 	return failure;
 }
 /**
@@ -1563,12 +1919,42 @@ Object.defineProperty(exports, "generateCryptoKeyPair", {
 		return generateCryptoKeyPair;
 	}
 });
+Object.defineProperty(exports, "getDurationMs", {
+	enumerable: true,
+	get: function() {
+		return getDurationMs;
+	}
+});
+Object.defineProperty(exports, "getFederationMetrics", {
+	enumerable: true,
+	get: function() {
+		return getFederationMetrics;
+	}
+});
+Object.defineProperty(exports, "getRemoteHost", {
+	enumerable: true,
+	get: function() {
+		return getRemoteHost;
+	}
+});
 Object.defineProperty(exports, "importJwk", {
 	enumerable: true,
 	get: function() {
 		return importJwk;
 	}
 });
+Object.defineProperty(exports, "isAbortError", {
+	enumerable: true,
+	get: function() {
+		return isAbortError$1;
+	}
+});
+Object.defineProperty(exports, "measureSignatureKeyFetch", {
+	enumerable: true,
+	get: function() {
+		return measureSignatureKeyFetch;
+	}
+});
 Object.defineProperty(exports, "name", {
 	enumerable: true,
 	get: function() {
@@ -1587,6 +1973,12 @@ Object.defineProperty(exports, "parseRfc9421SignatureInput", {
 		return parseRfc9421SignatureInput;
 	}
 });
+Object.defineProperty(exports, "recordOutboxEnqueue", {
+	enumerable: true,
+	get: function() {
+		return recordOutboxEnqueue;
+	}
+});
 Object.defineProperty(exports, "signRequest", {
 	enumerable: true,
 	get: function() {