@fedify/fedify 2.3.0-dev.1137 → 2.3.0-dev.1150

package/dist/{middleware-BWLUrbS9.cjs → middleware-D_iXrYHJ.cjs}

@@ -2,10 +2,10 @@ const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 const require_chunk = require("./chunk-DDcVe30Y.cjs");
 const require_transformers = require("./transformers-NeAONrAq.cjs");
-const require_http = require("./http-CWoeyogl.cjs");
-const require_proof = require("./proof-CcsIJLTn.cjs");
+const require_http = require("./http-DQYEA7AZ.cjs");
+const require_proof = require("./proof-CYK8T8IS.cjs");
 const require_types = require("./types-KC4QAoxe.cjs");
-const require_kv_cache = require("./kv-cache-DuEwFYcN.cjs");
+const require_kv_cache = require("./kv-cache-Dsg_bi4N.cjs");
 let _logtape_logtape = require("@logtape/logtape");
 let _fedify_uri_template = require("@fedify/uri-template");
 let _fedify_vocab = require("@fedify/vocab");
@@ -14,6 +14,8 @@ let byte_encodings_hex = require("byte-encodings/hex");
 let es_toolkit = require("es-toolkit");
 let _fedify_vocab_runtime = require("@fedify/vocab-runtime");
 let _opentelemetry_semantic_conventions = require("@opentelemetry/semantic-conventions");
+let _fedify_vocab_runtime_jsonld = require("@fedify/vocab-runtime/jsonld");
+_fedify_vocab_runtime_jsonld = require_chunk.__toESM(_fedify_vocab_runtime_jsonld, 1);
 let _fedify_webfinger = require("@fedify/webfinger");
 let node_url = require("node:url");
 //#region src/federation/activity-listener.ts
@@ -691,7 +693,7 @@ async function buildCollectionSynchronizationHeader(collectionId, actorIds) {
 }
 //#endregion
 //#region src/federation/inbox.ts
-async function routeActivity({ context: ctx, json, activity, recipient, inboxListeners, inboxContextFactory, inboxErrorHandler, kv, kvPrefixes, queue, span, meterProvider, tracerProvider, idempotencyStrategy }) {
+async function routeActivity({ context: ctx, json, originalJson, normalizedActivity, ldSignatureVerified, activity, recipient, inboxListeners, inboxContextFactory, listenerInboxContextFactory, inboxErrorHandler, kv, kvPrefixes, queue, span, meterProvider, tracerProvider, idempotencyStrategy }) {
 	const logger = (0, _logtape_logtape.getLogger)([
 		"fedify",
 		"federation",
@@ -750,7 +752,9 @@ async function routeActivity({ context: ctx, json, activity, recipient, inboxLis
 				type: "inbox",
 				id: crypto.randomUUID(),
 				baseUrl: ctx.origin,
-				activity: json,
+				activity: originalJson ?? json,
+				...normalizedActivity == null ? {} : { normalizedActivity },
+				...ldSignatureVerified == null ? {} : { ldSignatureVerified },
 				identifier: recipient,
 				attempt: 0,
 				started: (/* @__PURE__ */ new Date()).toISOString(),
@@ -804,7 +808,8 @@ async function routeActivity({ context: ctx, json, activity, recipient, inboxLis
 			const activityType = (0, _fedify_vocab.getTypeId)(activity).href;
 			const started = performance.now();
 			try {
-				await listener(inboxContextFactory(recipient, json, activity.id?.href, activityType), activity);
+				const contextFactory = listenerInboxContextFactory ?? inboxContextFactory;
+				await listener(contextFactory(recipient, contextFactory === inboxContextFactory ? json : originalJson ?? json, activity.id?.href, activityType), activity);
 			} finally {
 				require_http.getFederationMetrics(meterProvider).recordInboxProcessingDuration(activityType, require_http.getDurationMs(started));
 			}
@@ -1029,7 +1034,123 @@ function acceptsJsonLd(request) {
 	return types.includes("application/activity+json") || types.includes("application/ld+json") || types.includes("application/json");
 }
 //#endregion
+//#region src/federation/temporal.ts
+function isPlainObject(value) {
+	return typeof value === "object" && value != null && !Array.isArray(value);
+}
+function normalizeDateTimeLiteral(value) {
+	return value.substring(19).match(/[Z+-]/) ? value : value + "Z";
+}
+function isMalformedDateTimeLiteral(value) {
+	if (typeof value !== "string") return false;
+	try {
+		Temporal.Instant.from(normalizeDateTimeLiteral(value));
+		return false;
+	} catch {
+		return true;
+	}
+}
+function isMalformedDurationLiteral(value) {
+	if (typeof value !== "string") return false;
+	try {
+		Temporal.Duration.from(value);
+		return false;
+	} catch {
+		return true;
+	}
+}
+const TEMPORAL_DATE_TIME_IRIS = new Set([
+	"https://www.w3.org/ns/activitystreams#deleted",
+	"https://www.w3.org/ns/activitystreams#endTime",
+	"https://www.w3.org/ns/activitystreams#published",
+	"https://www.w3.org/ns/activitystreams#startTime",
+	"https://www.w3.org/ns/activitystreams#updated",
+	"http://purl.org/dc/terms/created",
+	"https://w3id.org/security#created"
+]);
+const TEMPORAL_DURATION_IRIS = new Set(["https://www.w3.org/ns/activitystreams#duration"]);
+const QUESTION_CLOSED_IRI = "https://www.w3.org/ns/activitystreams#closed";
+const XSD_DATE_TIME_IRI = "http://www.w3.org/2001/XMLSchema#dateTime";
+function hasMalformedExpandedDateTimeLiteral(value) {
+	if (Array.isArray(value)) return value.some(hasMalformedExpandedDateTimeLiteral);
+	return isPlainObject(value) && "@value" in value && isMalformedDateTimeLiteral(value["@value"]);
+}
+function hasMalformedExpandedQuestionClosedLiteral(value) {
+	if (Array.isArray(value)) return value.some(hasMalformedExpandedQuestionClosedLiteral);
+	if (!isPlainObject(value) || !("@value" in value)) return false;
+	const literal = value["@value"];
+	if (typeof literal === "boolean") return false;
+	if (typeof literal !== "string") return false;
+	if (value["@type"] !== XSD_DATE_TIME_IRI) return false;
+	if (new Date(literal).toString() === "Invalid Date") return false;
+	return isMalformedDateTimeLiteral(literal);
+}
+function hasMalformedExpandedDurationLiteral(value) {
+	if (Array.isArray(value)) return value.some(hasMalformedExpandedDurationLiteral);
+	return isPlainObject(value) && "@value" in value && isMalformedDurationLiteral(value["@value"]);
+}
+function hasMalformedKnownTemporalLiteralInternal(value, visited) {
+	if (Array.isArray(value)) return value.some((item) => hasMalformedKnownTemporalLiteralInternal(item, visited));
+	if (!isPlainObject(value)) return false;
+	if (visited.has(value)) return false;
+	visited.add(value);
+	if ("@value" in value) return false;
+	for (const [key, child] of Object.entries(value)) {
+		if (TEMPORAL_DATE_TIME_IRIS.has(key)) {
+			if (hasMalformedExpandedDateTimeLiteral(child)) return true;
+			continue;
+		}
+		if (key === QUESTION_CLOSED_IRI) {
+			if (hasMalformedExpandedQuestionClosedLiteral(child)) return true;
+			continue;
+		}
+		if (TEMPORAL_DURATION_IRIS.has(key)) {
+			if (hasMalformedExpandedDurationLiteral(child)) return true;
+			continue;
+		}
+		if (hasMalformedKnownTemporalLiteralInternal(child, visited)) return true;
+	}
+	return false;
+}
+async function hasMalformedKnownTemporalLiteral(value, contextLoader) {
+	try {
+		return hasMalformedKnownTemporalLiteralInternal(await _fedify_vocab_runtime_jsonld.default.expand(value, {
+			documentLoader: require_proof.getNormalizationContextLoader(contextLoader),
+			keepFreeFloatingNodes: true
+		}), /* @__PURE__ */ new Set());
+	} catch {
+		return false;
+	}
+}
+//#endregion
 //#region src/federation/handler.ts
+const rawInboxContextFactorySymbol = Symbol("fedify.rawInboxContextFactory");
+function isRemoteContextLoadingFailure$1(error) {
+	return error instanceof Error && typeof error.details === "object" && error.details != null && error.details.code === "loading remote context failed";
+}
+function isPermanentRemoteContextError$1(error) {
+	if (!(error instanceof Error) || error.name !== "jsonld.InvalidUrl") return false;
+	const details = error.details;
+	if (details?.code === "invalid remote context") return true;
+	return isRemoteContextLoadingFailure$1(error) && typeof details?.url === "string" && !URL.canParse(details.url) && require_proof.isClearlyMalformedContextReference(details.url);
+}
+function isInvalidJsonLdError(error) {
+	if (!(error instanceof Error)) return false;
+	const name = error.name;
+	return name === "UnsafeJsonLdError" || error instanceof require_proof.InvalidContextReferenceError || isPermanentRemoteContextError$1(error) || name === "jsonld.SyntaxError" && !isRemoteContextLoadingFailure$1(error);
+}
+function isValidationTypeError(error) {
+	return error instanceof TypeError && (/^(Invalid JSON-LD:|Invalid type:|Unexpected type:)/.test(error.message) || require_proof.isInvalidUrlTypeError(error));
+}
+function isPermanentActivityParseError(error) {
+	return isInvalidJsonLdError(error) || isValidationTypeError(error);
+}
+function hasHttpSignatureHeaders(request) {
+	return request.headers.has("Signature") || request.headers.has("Signature-Input");
+}
+function hasObjectIntegrityProof(json) {
+	return typeof json === "object" && json != null && "proof" in json;
+}
 /**
 * Handles an actor request.
 * @template TContextData The context data to pass to the context.
@@ -1101,8 +1222,8 @@ async function handleObject(request, { values, context, objectDispatcher, author
 * @param parameters The parameters for handling the collection.
 * @returns A promise that resolves to an HTTP response.
 */
-async function handleCollection(request, { name: name$2, identifier, uriGetter, filter, filterPredicate, context, collectionCallbacks, tracerProvider, onUnauthorized, onNotFound }) {
-	const spanName = name$2.trim().replace(/\s+/g, "_");
+async function handleCollection(request, { name: name$1, identifier, uriGetter, filter, filterPredicate, context, collectionCallbacks, tracerProvider, onUnauthorized, onNotFound }) {
+	const spanName = name$1.trim().replace(/\s+/g, "_");
 	tracerProvider = tracerProvider ?? _opentelemetry_api.trace.getTracerProvider();
 	const tracer = tracerProvider.getTracer(require_http.name, require_http.version);
 	const cursor = new URL(request.url).searchParams.get("cursor");
@@ -1144,7 +1265,7 @@ async function handleCollection(request, { name: name$2, identifier, uriGetter,
 			collection = new _fedify_vocab.OrderedCollection({
 				id: baseUri,
 				totalItems: totalItems == null ? null : Number(totalItems),
-				items: filterCollectionItems(itemsOrResponse, name$2, filterPredicate)
+				items: filterCollectionItems(itemsOrResponse, name$1, filterPredicate)
 			});
 		} else {
 			const lastCursor = await collectionCallbacks.lastCursor?.(context, identifier);
@@ -1165,7 +1286,7 @@ async function handleCollection(request, { name: name$2, identifier, uriGetter,
 	} else {
 		const uri = new URL(baseUri);
 		uri.searchParams.set("cursor", cursor);
-		const pageOrResponse = await tracer.startActiveSpan(`activitypub.dispatch_collection_page ${name$2}`, {
+		const pageOrResponse = await tracer.startActiveSpan(`activitypub.dispatch_collection_page ${name$1}`, {
 			kind: _opentelemetry_api.SpanKind.SERVER,
 			attributes: {
 				"activitypub.collection.id": uri.href,
@@ -1209,7 +1330,7 @@ async function handleCollection(request, { name: name$2, identifier, uriGetter,
 			id: uri,
 			prev,
 			next,
-			items: filterCollectionItems(items, name$2, filterPredicate),
+			items: filterCollectionItems(items, name$1, filterPredicate),
 			partOf
 		});
 	}
@@ -1556,29 +1677,105 @@ async function handleInboxInternal(request, parameters, span) {
 		});
 	}
 	const keyCache = new KvKeyCache(kv, kvPrefixes.publicKey, ctx);
-	let ldSigVerified;
-	try {
-		ldSigVerified = await require_proof.verifyJsonLd(json, {
-			contextLoader: ctx.contextLoader,
-			documentLoader: ctx.documentLoader,
-			keyCache,
-			meterProvider,
-			tracerProvider
+	const jsonWithoutSig = require_proof.detachSignature(json);
+	const hasLdSignature = require_proof.hasSignature(json);
+	const canAttemptAlternateAuthAfterLdSignatureFailure = skipSignatureVerification || hasHttpSignatureHeaders(request) || hasObjectIntegrityProof(jsonWithoutSig);
+	let deferredLdSignatureError = void 0;
+	const respondInvalidActivity = async (error) => {
+		logger.error("Failed to parse activity:\n{error}", {
+			recipient,
+			activity: json,
+			error
 		});
-	} catch (error) {
-		if (error instanceof Error && error.name === "jsonld.SyntaxError") {
-			logger.error("Failed to parse JSON-LD:\n{error}", {
+		try {
+			await inboxErrorHandler?.(ctx, error);
+		} catch (error) {
+			logger.error("An unexpected error occurred in inbox error handler:\n{error}", {
+				error,
+				activity: json,
+				recipient
+			});
+		}
+		span.setStatus({
+			code: _opentelemetry_api.SpanStatusCode.ERROR,
+			message: `Failed to parse activity:\n${error}`
+		});
+		return new Response("Invalid activity.", {
+			status: 400,
+			headers: { "Content-Type": "text/plain; charset=utf-8" }
+		});
+	};
+	let compactedJson = json;
+	let compactedJsonWithoutSig = jsonWithoutSig;
+	let ldSigVerified = false;
+	if (hasLdSignature) {
+		try {
+			compactedJson = await require_proof.compactJsonLd(json, ctx.contextLoader);
+		} catch (error) {
+			if (isInvalidJsonLdError(error)) {
+				logger.error("Failed to parse JSON-LD:\n{error}", {
+					recipient,
+					error
+				});
+				return new Response("Invalid JSON-LD.", {
+					status: 400,
+					headers: { "Content-Type": "text/plain; charset=utf-8" }
+				});
+			}
+			if (!canAttemptAlternateAuthAfterLdSignatureFailure) throw error;
+			if (!skipSignatureVerification) deferredLdSignatureError = error;
+			logger.debug("Failed to normalize JSON-LD for Linked Data Signatures; deferring to another authentication path only if it verifies:\n{error}", {
 				recipient,
 				error
 			});
-			return new Response("Invalid JSON-LD.", {
-				status: 400,
-				headers: { "Content-Type": "text/plain; charset=utf-8" }
-			});
 		}
-		ldSigVerified = false;
+		if (compactedJson !== json) {
+			compactedJsonWithoutSig = require_proof.detachSignature(compactedJson);
+			try {
+				ldSigVerified = await require_proof.verifyCompactJsonLd(compactedJson, {
+					contextLoader: ctx.contextLoader,
+					documentLoader: ctx.documentLoader,
+					keyCache,
+					meterProvider,
+					tracerProvider
+				});
+			} catch (error) {
+				if (error instanceof RangeError && await hasMalformedKnownTemporalLiteral(compactedJsonWithoutSig, ctx.contextLoader)) return await respondInvalidActivity(error);
+				if (isInvalidJsonLdError(error)) {
+					logger.error("Failed to parse JSON-LD:\n{error}", {
+						recipient,
+						error
+					});
+					return new Response("Invalid JSON-LD.", {
+						status: 400,
+						headers: { "Content-Type": "text/plain; charset=utf-8" }
+					});
+				}
+				if (!canAttemptAlternateAuthAfterLdSignatureFailure) throw error;
+				if (!skipSignatureVerification) try {
+					await _fedify_vocab.Object.fromJsonLd(compactedJson, {
+						contextLoader: require_proof.getNormalizationContextLoader(ctx.contextLoader),
+						documentLoader: ctx.documentLoader,
+						tracerProvider
+					});
+				} catch (parseError) {
+					if (parseError instanceof RangeError && await hasMalformedKnownTemporalLiteral(compactedJsonWithoutSig, ctx.contextLoader)) return await respondInvalidActivity(parseError);
+					if (isInvalidJsonLdError(parseError)) {
+						logger.error("Failed to parse JSON-LD:\n{error}", {
+							recipient,
+							error: parseError
+						});
+						return new Response("Invalid JSON-LD.", {
+							status: 400,
+							headers: { "Content-Type": "text/plain; charset=utf-8" }
+						});
+					}
+					deferredLdSignatureError = parseError;
+				}
+				ldSigVerified = false;
+			}
+		}
 	}
-	const jsonWithoutSig = require_proof.detachSignature(json);
 	let activity = null;
 	let activityVerified = false;
 	if (ldSigVerified) {
@@ -1586,7 +1783,16 @@ async function handleInboxInternal(request, parameters, span) {
 			recipient,
 			json
 		});
-		activity = await _fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, ctx);
+		try {
+			activity = await _fedify_vocab.Activity.fromJsonLd(compactedJsonWithoutSig, {
+				...ctx,
+				contextLoader: require_proof.getNormalizationContextLoader(ctx.contextLoader)
+			});
+		} catch (error) {
+			if (error instanceof RangeError && await hasMalformedKnownTemporalLiteral(compactedJsonWithoutSig, ctx.contextLoader)) return await respondInvalidActivity(error);
+			if (!isPermanentActivityParseError(error)) throw error;
+			return await respondInvalidActivity(error);
+		}
 		activityVerified = true;
 	} else {
 		logger.debug("Linked Data Signatures are not verified.", {
@@ -1595,13 +1801,22 @@ async function handleInboxInternal(request, parameters, span) {
 		});
 		try {
 			activity = await require_proof.verifyObject(_fedify_vocab.Activity, jsonWithoutSig, {
-				contextLoader: ctx.contextLoader,
+				contextLoader: require_proof.wrapContextLoaderForJsonLd(ctx.contextLoader),
 				documentLoader: ctx.documentLoader,
 				keyCache,
 				meterProvider,
 				tracerProvider
 			});
 		} catch (error) {
+			if (error instanceof RangeError && await hasMalformedKnownTemporalLiteral(jsonWithoutSig, ctx.contextLoader)) return await respondInvalidActivity(error);
+			if (deferredLdSignatureError != null) {
+				logger.debug("Object Integrity Proof fallback did not supersede a deferred Linked Data Signature failure:\n{error}", {
+					recipient,
+					error
+				});
+				activity = null;
+			}
+			if (!isPermanentActivityParseError(error)) throw error;
 			logger.error("Failed to parse activity:\n{error}", {
 				recipient,
 				activity: json,
@@ -1650,6 +1865,7 @@ async function handleInboxInternal(request, parameters, span) {
 				tracerProvider
 			});
 			if (verification.verified === false) {
+				if (deferredLdSignatureError != null) throw deferredLdSignatureError;
 				const reason = verification.reason;
 				const remoteHost = "keyId" in reason && reason.keyId != null ? require_http.getRemoteHost(reason.keyId) : void 0;
 				require_http.getFederationMetrics(parameters.meterProvider).recordSignatureVerificationFailure(reason.type, remoteHost);
@@ -1727,7 +1943,15 @@ async function handleInboxInternal(request, parameters, span) {
 			}
 			httpSigKey = verification.key;
 		}
-		activity = await _fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, ctx);
+		try {
+			activity = await _fedify_vocab.Activity.fromJsonLd(jsonWithoutSig, {
+				...ctx,
+				contextLoader: require_proof.wrapContextLoaderForJsonLd(ctx.contextLoader)
+			});
+		} catch (error) {
+			if (!isPermanentActivityParseError(error)) throw error;
+			return await respondInvalidActivity(error);
+		}
 	}
 	if (activity.id != null) span.setAttribute("activitypub.activity.id", activity.id.href);
 	span.setAttribute("activitypub.activity.type", (0, _fedify_vocab.getTypeId)(activity).href);
@@ -1739,6 +1963,7 @@ async function handleInboxInternal(request, parameters, span) {
 		"http_signatures.key_id": httpSigKey?.id?.href ?? ""
 	});
 	if (httpSigKey != null && !await require_proof.doesActorOwnKey(activity, httpSigKey, ctx)) {
+		if (deferredLdSignatureError != null) throw deferredLdSignatureError;
 		require_http.getFederationMetrics(parameters.meterProvider).recordSignatureVerificationFailure("actorKeyMismatch", httpSigKey.id == null ? void 0 : require_http.getRemoteHost(httpSigKey.id));
 		logger.error("The signer ({keyId}) and the actor ({actorId}) do not match.", {
 			activity: json,
@@ -1765,10 +1990,14 @@ async function handleInboxInternal(request, parameters, span) {
 	const routeResult = await routeActivity({
 		context: ctx,
 		json,
+		originalJson: json,
+		normalizedActivity: hasLdSignature && compactedJson !== json ? compactedJson : void 0,
+		ldSignatureVerified: hasLdSignature ? ldSigVerified : void 0,
 		activity,
 		recipient,
 		inboxListeners,
 		inboxContextFactory,
+		listenerInboxContextFactory: ldSigVerified ? inboxContextFactory[rawInboxContextFactorySymbol] : void 0,
 		inboxErrorHandler,
 		kv,
 		kvPrefixes,
@@ -1895,8 +2124,8 @@ var CustomCollectionHandler = class {
 	* @param CollectionPage The CollectionPage constructor.
 	* @param filterPredicate Optional filter predicate for items.
 	*/
-	constructor(name$1, values, context, callbacks, tracerProvider = _opentelemetry_api.trace.getTracerProvider(), Collection, CollectionPage, filterPredicate) {
-		this.name = name$1;
+	constructor(name$2, values, context, callbacks, tracerProvider = _opentelemetry_api.trace.getTracerProvider(), Collection, CollectionPage, filterPredicate) {
+		this.name = name$2;
 		this.values = values;
 		this.context = context;
 		this.callbacks = callbacks;
@@ -2601,22 +2830,72 @@ const logger = (0, _logtape_logtape.getLogger)([
 * @returns The response to the request.
 */
 async function handleWebFinger(request, options) {
-	if (options.tracer == null) return await handleWebFingerInternal(request, options);
-	return await options.tracer.startActiveSpan("webfinger.handle", { kind: _opentelemetry_api.SpanKind.SERVER }, async (span) => {
-		try {
-			const response = await handleWebFingerInternal(request, options);
-			span.setStatus({ code: response.ok ? _opentelemetry_api.SpanStatusCode.UNSET : _opentelemetry_api.SpanStatusCode.ERROR });
-			return response;
-		} catch (error) {
-			span.setStatus({
-				code: _opentelemetry_api.SpanStatusCode.ERROR,
-				message: String(error)
-			});
-			throw error;
-		} finally {
-			span.end();
+	const meterProvider = options.meterProvider;
+	const start = meterProvider == null ? 0 : performance.now();
+	const scheme = computeResourceScheme(options.context.url.searchParams.get("resource"));
+	let notFoundResponse;
+	const wrappedOptions = {
+		...options,
+		async onNotFound(req) {
+			const r = await options.onNotFound(req);
+			notFoundResponse = r;
+			return r;
 		}
-	});
+	};
+	let response;
+	try {
+		if (options.tracer == null) response = await handleWebFingerInternal(request, wrappedOptions);
+		else response = await options.tracer.startActiveSpan("webfinger.handle", { kind: _opentelemetry_api.SpanKind.SERVER }, async (span) => {
+			try {
+				const inner = await handleWebFingerInternal(request, wrappedOptions);
+				span.setStatus({ code: inner.ok ? _opentelemetry_api.SpanStatusCode.UNSET : _opentelemetry_api.SpanStatusCode.ERROR });
+				return inner;
+			} catch (error) {
+				span.setStatus({
+					code: _opentelemetry_api.SpanStatusCode.ERROR,
+					message: String(error)
+				});
+				throw error;
+			} finally {
+				span.end();
+			}
+		});
+		return response;
+	} finally {
+		if (meterProvider != null) require_http.recordWebFingerHandle(meterProvider, {
+			durationMs: Math.max(0, performance.now() - start),
+			result: classifyWebFingerHandleResult(response, notFoundResponse),
+			scheme,
+			statusCode: response?.status
+		});
+	}
+}
+const WEBFINGER_HANDLE_SCHEME_WHITELIST = new Set([
+	"acct",
+	"http",
+	"https",
+	"mailto"
+]);
+function isAllowedResourceScheme(scheme) {
+	return WEBFINGER_HANDLE_SCHEME_WHITELIST.has(scheme);
+}
+function computeResourceScheme(resource) {
+	if (resource == null) return void 0;
+	const colon = resource.indexOf(":");
+	if (colon <= 0) return void 0;
+	const candidate = resource.substring(0, colon).toLowerCase();
+	return isAllowedResourceScheme(candidate) ? candidate : "other";
+}
+function classifyWebFingerHandleResult(response, notFoundResponse) {
+	if (response == null) return "error";
+	if (notFoundResponse != null && response === notFoundResponse) return "not_found";
+	switch (response.status) {
+		case 200: return "resolved";
+		case 400: return "invalid";
+		case 404: return "not_found";
+		case 410: return "tombstoned";
+		default: return "error";
+	}
 }
 async function handleWebFingerInternal(request, { context, host, actorDispatcher, actorHandleMapper, actorAliasMapper, onNotFound, span, webFingerLinksDispatcher }) {
 	if (actorDispatcher == null) {
@@ -2732,6 +3011,18 @@ var middleware_exports = /* @__PURE__ */ require_chunk.__exportAll({
 	OutboxContextImpl: () => OutboxContextImpl,
 	createFederation: () => createFederation
 });
+function isRemoteContextLoadingFailure(error) {
+	return error instanceof Error && typeof error.details === "object" && error.details != null && error.details.code === "loading remote context failed";
+}
+function isPermanentRemoteContextError(error) {
+	if (!(error instanceof Error) || error.name !== "jsonld.InvalidUrl") return false;
+	const details = error.details;
+	if (details?.code === "invalid remote context") return true;
+	return isRemoteContextLoadingFailure(error) && typeof details?.url === "string" && !URL.canParse(details.url) && require_proof.isClearlyMalformedContextReference(details.url);
+}
+function isPermanentInboxParseError(error) {
+	return error instanceof Error && (error.name === "UnsafeJsonLdError" || error instanceof require_proof.InvalidContextReferenceError || isPermanentRemoteContextError(error) || error.name === "jsonld.SyntaxError" && !isRemoteContextLoadingFailure(error)) || error instanceof TypeError && (/^(Invalid JSON-LD:|Invalid type:|Unexpected type:)/.test(error.message) || require_proof.isInvalidUrlTypeError(error));
+}
 /**
 * Create a new {@link Federation} instance.
 * @param parameters Parameters for initializing the instance.
@@ -3234,78 +3525,37 @@ var FederationImpl = class extends FederationBuilderImpl {
 			const identity = await this.sharedInboxKeyDispatcher(context);
 			if (identity != null) context = this.#createContext(baseUrl, ctxData, { documentLoader: "identifier" in identity || "username" in identity ? await context.getDocumentLoader(identity) : context.getDocumentLoader(identity) });
 		}
-		const activity = await _fedify_vocab.Activity.fromJsonLd(message.activity, context);
-		const activityType = (0, _fedify_vocab.getTypeId)(activity).href;
-		span.setAttribute("activitypub.activity.type", activityType);
-		onActivityType?.(activityType);
-		if (activity.id != null) span.setAttribute("activitypub.activity.id", activity.id.href);
-		const cacheKey = activity.id == null ? null : [
-			...this.kvPrefixes.activityIdempotence,
-			context.origin,
-			activity.id.href
-		];
-		if (cacheKey != null) {
-			if (await this.kv.get(cacheKey) === true) {
-				logger.debug("Activity {activityId} has already been processed.", {
-					activityId: activity.id?.href,
-					activity: message.activity,
-					recipient: message.identifier
-				});
-				require_http.recordInboxActivity(this.meterProvider, "rejected", activityType);
-				return;
-			}
-		}
-		await this._getTracer().startActiveSpan("activitypub.dispatch_inbox_listener", { kind: _opentelemetry_api.SpanKind.INTERNAL }, async (span) => {
-			const dispatched = this.inboxListeners?.dispatchWithClass(activity);
-			if (dispatched == null) {
-				logger.error("Unsupported activity type:\n{activity}", {
-					activityId: activity.id?.href,
-					activity: message.activity,
-					recipient: message.identifier,
-					trial: message.attempt
-				});
-				span.setStatus({
-					code: _opentelemetry_api.SpanStatusCode.ERROR,
-					message: `Unsupported activity type: ${activityType}`
-				});
-				require_http.recordInboxActivity(this.meterProvider, "rejected", activityType);
-				span.end();
-				return;
-			}
-			const { class: cls, listener } = dispatched;
-			span.updateName(`activitypub.dispatch_inbox_listener ${cls.name}`);
-			try {
-				const started = performance.now();
-				try {
-					await listener(context.toInboxContext(message.identifier, message.activity, activity.id?.href, activityType), activity);
-				} finally {
-					require_http.getFederationMetrics(this.meterProvider).recordInboxProcessingDuration(activityType, require_http.getDurationMs(started));
-				}
-				require_http.recordInboxActivity(this.meterProvider, "processed", activityType);
-			} catch (error) {
+		await this._getTracer().startActiveSpan("activitypub.dispatch_inbox_listener", { kind: _opentelemetry_api.SpanKind.INTERNAL }, async (listenerSpan) => {
+			let activity = null;
+			let cacheKey = null;
+			let activityType;
+			const reportInboxError = async (error) => {
 				try {
 					await this.inboxErrorHandler?.(context, error);
 				} catch (error) {
 					logger.error("An unexpected error occurred in inbox error handler:\n{error}", {
 						error,
 						trial: message.attempt,
-						activityId: activity.id?.href,
+						activityId: activity?.id?.href,
 						activity: message.activity,
 						recipient: message.identifier
 					});
 				}
+			};
+			const handleRetriableFailure = async (error) => {
+				await reportInboxError(error);
 				if (this.inboxQueue?.nativeRetrial) {
 					logger.error("Failed to process the incoming activity {activityId}; backend will handle retry:\n{error}", {
 						error,
-						activityId: activity.id?.href,
+						activityId: activity?.id?.href,
 						activity: message.activity,
 						recipient: message.identifier
 					});
-					span.setStatus({
+					listenerSpan.setStatus({
 						code: _opentelemetry_api.SpanStatusCode.ERROR,
 						message: String(error)
 					});
-					span.end();
+					listenerSpan.end();
 					throw error;
 				}
 				const delay = this.inboxRetryPolicy({
@@ -3316,20 +3566,27 @@ var FederationImpl = class extends FederationBuilderImpl {
 					logger.error("Failed to process the incoming activity {activityId} (attempt #{attempt}); retry...:\n{error}", {
 						error,
 						attempt: message.attempt,
-						activityId: activity.id?.href,
+						activityId: activity?.id?.href,
 						activity: message.activity,
 						recipient: message.identifier
 					});
+					if (this.inboxQueue == null) {
+						listenerSpan.setStatus({
+							code: _opentelemetry_api.SpanStatusCode.ERROR,
+							message: String(error)
+						});
+						listenerSpan.end();
+						throw error;
+					}
 					const retryMessage = {
 						...message,
 						attempt: message.attempt + 1
 					};
-					const { inboxQueue } = this;
-					if (inboxQueue != null) {
-						await inboxQueue.enqueue(retryMessage, { delay: Temporal.Duration.compare(delay, { seconds: 0 }) < 0 ? Temporal.Duration.from({ seconds: 0 }) : delay });
+					await this.inboxQueue.enqueue(retryMessage, { delay: Temporal.Duration.compare(delay, { seconds: 0 }) < 0 ? Temporal.Duration.from({ seconds: 0 }) : delay });
+					if (activityType != null) {
 						require_http.getFederationMetrics(this.meterProvider).recordQueueTaskEnqueued({
 							role: "inbox",
-							queue: inboxQueue,
+							queue: this.inboxQueue,
 							activityType
 						}, retryMessage.attempt);
 						require_http.recordInboxActivity(this.meterProvider, "retried", activityType);
@@ -3337,26 +3594,137 @@ var FederationImpl = class extends FederationBuilderImpl {
 				} else {
 					logger.error("Failed to process the incoming activity {activityId} after {trial} attempts; giving up:\n{error}", {
 						error,
-						activityId: activity.id?.href,
+						activityId: activity?.id?.href,
 						activity: message.activity,
 						recipient: message.identifier
 					});
-					require_http.recordInboxActivity(this.meterProvider, "abandoned", activityType);
+					if (activityType != null) require_http.recordInboxActivity(this.meterProvider, "abandoned", activityType);
 				}
-				span.setStatus({
+				listenerSpan.setStatus({
 					code: _opentelemetry_api.SpanStatusCode.ERROR,
 					message: String(error)
 				});
-				span.end();
+				listenerSpan.end();
+			};
+			let dispatched;
+			let parseInput = void 0;
+			let parseContextLoader = context.contextLoader;
+			try {
+				const hasSignatureField = require_proof.hasSignature(message.activity);
+				const shouldParseFromNormalizedSignedPayload = message.ldSignatureVerified === true || message.normalizedActivity != null || message.ldSignatureVerified == null && hasSignatureField;
+				const parseContext = hasSignatureField ? {
+					...context,
+					contextLoader: require_proof.getNormalizationContextLoader(context.contextLoader)
+				} : {
+					...context,
+					contextLoader: require_proof.wrapContextLoaderForJsonLd(context.contextLoader)
+				};
+				parseContextLoader = parseContext.contextLoader;
+				let normalizedActivity;
+				if (shouldParseFromNormalizedSignedPayload) {
+					normalizedActivity = message.normalizedActivity ?? await require_proof.compactJsonLd(message.activity, context.contextLoader);
+					require_proof.assertSafeJsonLd(normalizedActivity);
+				}
+				parseInput = shouldParseFromNormalizedSignedPayload ? require_proof.detachSignature(normalizedActivity) : hasSignatureField ? require_proof.detachSignature(message.activity) : message.activity;
+				activity = await _fedify_vocab.Activity.fromJsonLd(parseInput, parseContext);
+				activityType = (0, _fedify_vocab.getTypeId)(activity).href;
+				span.setAttribute("activitypub.activity.type", activityType);
+				listenerSpan.setAttribute("activitypub.activity.type", activityType);
+				onActivityType?.(activityType);
+				if (activity.id != null) {
+					span.setAttribute("activitypub.activity.id", activity.id.href);
+					listenerSpan.setAttribute("activitypub.activity.id", activity.id.href);
+				}
+				cacheKey = activity.id == null ? null : [
+					...this.kvPrefixes.activityIdempotence,
+					context.origin,
+					activity.id.href
+				];
+				if (cacheKey != null) {
+					if (await this.kv.get(cacheKey) === true) {
+						logger.debug("Activity {activityId} has already been processed.", {
+							activityId: activity.id?.href,
+							activity: message.activity,
+							recipient: message.identifier
+						});
+						require_http.recordInboxActivity(this.meterProvider, "rejected", activityType);
+						listenerSpan.end();
+						return;
+					}
+				}
+				dispatched = this.inboxListeners?.dispatchWithClass(activity);
+			} catch (error) {
+				if (activity == null && error instanceof RangeError && await hasMalformedKnownTemporalLiteral(parseInput, parseContextLoader)) {
+					await reportInboxError(error);
+					logger.error("Failed to parse the queued incoming activity {activityId}:\n{error}", {
+						error,
+						trial: message.attempt,
+						activityId: null,
+						activity: message.activity,
+						recipient: message.identifier
+					});
+					listenerSpan.setStatus({
+						code: _opentelemetry_api.SpanStatusCode.ERROR,
+						message: String(error)
+					});
+					listenerSpan.end();
+					return;
+				}
+				if (isPermanentInboxParseError(error)) {
+					await reportInboxError(error);
+					logger.error("Failed to parse the queued incoming activity {activityId}:\n{error}", {
+						error,
+						trial: message.attempt,
+						activityId: activity?.id?.href,
+						activity: message.activity,
+						recipient: message.identifier
+					});
+					listenerSpan.setStatus({
+						code: _opentelemetry_api.SpanStatusCode.ERROR,
+						message: String(error)
+					});
+					listenerSpan.end();
+					return;
+				}
+				await handleRetriableFailure(error);
+				return;
+			}
+			if (dispatched == null) {
+				logger.error("Unsupported activity type:\n{activity}", {
+					activityId: activity.id?.href,
+					activity: message.activity,
+					recipient: message.identifier,
+					trial: message.attempt
+				});
+				listenerSpan.setStatus({
+					code: _opentelemetry_api.SpanStatusCode.ERROR,
+					message: `Unsupported activity type: ${activityType}`
+				});
+				require_http.recordInboxActivity(this.meterProvider, "rejected", activityType);
+				listenerSpan.end();
+				return;
+			}
+			const { class: cls, listener } = dispatched;
+			listenerSpan.updateName(`activitypub.dispatch_inbox_listener ${cls.name}`);
+			try {
+				const started = performance.now();
+				try {
+					await listener(context.toInboxContext(message.identifier, message.activity, activity.id?.href, activityType), activity);
+				} finally {
+					require_http.getFederationMetrics(this.meterProvider).recordInboxProcessingDuration(activityType, require_http.getDurationMs(started));
+				}
+				require_http.recordInboxActivity(this.meterProvider, "processed", activityType);
+			} catch (error) {
+				await handleRetriableFailure(error);
 				return;
 			}
 			if (cacheKey != null) await this.kv.set(cacheKey, true, { ttl: Temporal.Duration.from({ days: 1 }) });
 			logger.info("Activity {activityId} has been processed.", {
-				activityId: activity.id?.href,
+				activityId: activity?.id?.href,
 				activity: message.activity,
 				recipient: message.identifier
 			});
-			span.end();
+			listenerSpan.end();
 		});
 	}
 	startQueue(contextData, options = {}) {
@@ -3650,7 +4018,8 @@ var FederationImpl = class extends FederationBuilderImpl {
 				actorAliasMapper: this.actorCallbacks?.aliasMapper,
 				webFingerLinksDispatcher: this.webFingerLinksDispatcher,
 				onNotFound,
-				tracer
+				tracer,
+				meterProvider: this._meterProvider
 			});
 			case "nodeInfoJrd": return await handleNodeInfoJrd(request, context);
 			case "nodeInfo": return await handleNodeInfo(request, {
@@ -3736,16 +4105,18 @@ var FederationImpl = class extends FederationBuilderImpl {
 					onNotFound
 				});
 				context = this.#createContext(request, contextData, { documentLoader: await context.getDocumentLoader({ identifier: route.values.identifier }) });
-			case "sharedInbox":
+			case "sharedInbox": {
 				if (routeName !== "inbox" && this.sharedInboxKeyDispatcher != null) {
 					const identity = await this.sharedInboxKeyDispatcher(context);
 					if (identity != null) context = this.#createContext(request, contextData, { documentLoader: "identifier" in identity || "username" in identity ? await context.getDocumentLoader(identity) : context.getDocumentLoader(identity) });
 				}
 				if (!this.manuallyStartQueue) this._startQueueInternal(contextData);
+				const inboxContextFactory = context.toInboxContext.bind(context);
+				inboxContextFactory[rawInboxContextFactorySymbol] = context.toInboxContext.bind(context);
 				return await handleInbox(request, {
 					recipient: route.values.identifier ?? null,
 					context,
-					inboxContextFactory: context.toInboxContext.bind(context),
+					inboxContextFactory,
 					kv: this.kv,
 					kvPrefixes: this.kvPrefixes,
 					queue: this.inboxQueue,
@@ -3761,6 +4132,7 @@ var FederationImpl = class extends FederationBuilderImpl {
 					tracerProvider: this.tracerProvider,
 					idempotencyStrategy: this.idempotencyStrategy
 				});
+			}
 			case "following": return await handleCollection(request, {
 				name: "following",
 				identifier: route.values.identifier,
@@ -4209,6 +4581,7 @@ var ContextImpl = class ContextImpl {
 			...options,
 			userAgent: options.userAgent ?? this.federation.userAgent,
 			tracerProvider: options.tracerProvider ?? this.tracerProvider,
+			meterProvider: options.meterProvider ?? this.federation._meterProvider,
 			allowPrivateAddress: this.federation.allowPrivateAddress
 		});
 	}
@@ -4493,6 +4866,7 @@ var ContextImpl = class ContextImpl {
 		const routeResult = await routeActivity({
 			context: this,
 			json,
+			ldSignatureVerified: false,
 			activity,
 			recipient,
 			inboxListeners: this.federation.inboxListeners,
@@ -4781,6 +5155,14 @@ async function forwardActivityInternal(ctx, loggerCategory, forwarder, recipient
 }
 var InboxContextImpl = class InboxContextImpl extends ContextImpl {
 	recipient;
+	/**
+	* The original received activity payload.
+	*
+	* Fedify may normalize a Linked Data Signature payload internally for safe
+	* parsing, but forwarding must keep the sender's payload unchanged so
+	* third-party signatures/proofs remain intact.
+	* @internal
+	*/
 	activity;
 	activityId;
 	activityType;