@evan while perusing the spec, I realized that an implementation doesn't really need double knocking at all.
Any implementation can just stuff two Signature headers in there, one for the cavage v12 version, and one for RFC9421, and requests should still be valid.
Can anyone trust cavage HTTP signature verifiers to not break on this: no, probably not... :(