@labacacia/nps-sdk 1.0.0-alpha.1 → 1.0.0-alpha.13

package/dist/nip/reputation-client.d.ts

@@ -0,0 +1,116 @@
+export interface ObservationWindow {
+    start: string;
+    end: string;
+}
+export declare const IncidentType: {
+    readonly Other: "other";
+    readonly CertRevoked: "cert-revoked";
+    readonly RateLimitViolation: "rate-limit-violation";
+    readonly TosViolation: "tos-violation";
+    readonly ScrapingPattern: "scraping-pattern";
+    readonly PaymentDefault: "payment-default";
+    readonly ContractDispute: "contract-dispute";
+    readonly ImpersonationClaim: "impersonation-claim";
+    readonly PositiveAttestation: "positive-attestation";
+};
+export type IncidentType = typeof IncidentType[keyof typeof IncidentType];
+export declare const Severity: {
+    readonly Info: 0;
+    readonly Minor: 1;
+    readonly Moderate: 2;
+    readonly Major: 3;
+    readonly Critical: 4;
+};
+export type Severity = typeof Severity[keyof typeof Severity];
+export interface ReputationLogEntry {
+    v: number;
+    log_id: string;
+    seq: number;
+    timestamp: string;
+    subject_nid: string;
+    incident: string;
+    incidentRaw?: string;
+    severity: string;
+    window?: ObservationWindow;
+    observation?: unknown;
+    evidence_ref?: string;
+    evidence_sha256?: string;
+    issuer_nid: string;
+    signature: string;
+}
+export interface SignedTreeHead {
+    log_id: string;
+    tree_size: number;
+    timestamp: string;
+    sha256_root_hash: string;
+    signature: string;
+}
+export interface InclusionProof {
+    seq: number;
+    leaf_index: number;
+    tree_size: number;
+    leaf_hash: string;
+    audit_path: string[];
+}
+/**
+ * Sign a ReputationLogEntry and return a new entry with `signature` set.
+ * The private key must be a 32-byte raw Ed25519 private key.
+ */
+export declare function signEntry(privKey: Uint8Array, entry: ReputationLogEntry): ReputationLogEntry;
+/**
+ * Verify the `signature` field of a ReputationLogEntry against the given
+ * Ed25519 public key (32-byte raw).
+ */
+export declare function verifyEntry(pubKey: Uint8Array, entry: ReputationLogEntry): boolean;
+/**
+ * Parse a wire severity string.  Throws an Error for unknown values
+ * (no forward-compat — callers must upgrade to handle new severity levels).
+ */
+export declare function parseSeverity(wire: string): Severity;
+/**
+ * Parse a wire incident string.  Unknown values map to `IncidentType.Other`
+ * (forward-compat); the original string is returned as `incidentRaw`.
+ */
+export declare function parseIncident(wire: string): {
+    incident: IncidentType;
+    incidentRaw?: string;
+};
+export declare class ReputationLogException extends Error {
+    readonly nipErrorCode: string;
+    readonly npsStatus: string;
+    constructor(nipErrorCode: string, npsStatus: string, message?: string);
+}
+export declare class ReputationLogClient {
+    private readonly baseUrl;
+    constructor(baseUrl: string);
+    /**
+     * POST /v1/log/entries — submit a signed entry.
+     * Returns the server-echoed entry with seq/timestamp/log_id filled in.
+     */
+    submit(entry: ReputationLogEntry): Promise<ReputationLogEntry>;
+    /**
+     * GET /v1/log/entries — query entries.
+     * @param options.nid      Filter by subject NID.
+     * @param options.sinceSeq Return only entries with seq > sinceSeq.
+     */
+    query(options?: {
+        nid?: string;
+        sinceSeq?: number;
+    }): Promise<ReputationLogEntry[]>;
+    /** GET /v1/log/sth — current SignedTreeHead. */
+    getSth(): Promise<SignedTreeHead>;
+    /** GET /v1/log/proof?seq=<seq> — InclusionProof for a log entry. */
+    getProof(seq: number): Promise<InclusionProof>;
+    /** GET /v1/log/gossip/sth — gossip SignedTreeHead. */
+    getGossipSth(): Promise<SignedTreeHead>;
+    /**
+     * Verify that `entry` is included in the log at the position described by
+     * `proof`, under the given `sth`.
+     *
+     * Merkle construction (RFC 9162):
+     *   leaf_hash = SHA256(0x00 || utf8(canonical_all_sorted_json_of_entry))
+     *   node_hash = SHA256(0x01 || left_bytes || right_bytes)
+     */
+    static verifyInclusion(proof: InclusionProof, sth: SignedTreeHead, entry: ReputationLogEntry): boolean;
+}
+//# sourceMappingURL=reputation-client.d.ts.map

package/dist/nip/reputation-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reputation-client.d.ts","sourceRoot":"","sources":["../../src/nip/reputation-client.ts"],"names":[],"mappings":"AAwDA,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACb;AAED,eAAO,MAAM,YAAY;;;;;;;;;;CAUf,CAAC;AACX,MAAM,MAAM,YAAY,GAAG,OAAO,YAAY,CAAC,MAAM,OAAO,YAAY,CAAC,CAAC;AAE1E,eAAO,MAAM,QAAQ;;;;;;CAMX,CAAC;AACX,MAAM,MAAM,QAAQ,GAAG,OAAO,QAAQ,CAAC,MAAM,OAAO,QAAQ,CAAC,CAAC;AAc9D,MAAM,WAAW,kBAAkB;IACjC,CAAC,EAAc,MAAM,CAAC;IACtB,MAAM,EAAS,MAAM,CAAC;IACtB,GAAG,EAAY,MAAM,CAAC;IACtB,SAAS,EAAM,MAAM,CAAC;IACtB,WAAW,EAAI,MAAM,CAAC;IACtB,QAAQ,EAAO,MAAM,CAAC;IACtB,WAAW,CAAC,EAAG,MAAM,CAAC;IACtB,QAAQ,EAAO,MAAM,CAAC;IACtB,MAAM,CAAC,EAAQ,iBAAiB,CAAC;IACjC,WAAW,CAAC,EAAG,OAAO,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,EAAK,MAAM,CAAC;IACtB,SAAS,EAAM,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAW,MAAM,CAAC;IACxB,SAAS,EAAQ,MAAM,CAAC;IACxB,SAAS,EAAQ,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAQ,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAS,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAG,MAAM,CAAC;IACnB,SAAS,EAAG,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAcD;;;GAGG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,GAAG,kBAAkB,CAI5F;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,GAAG,OAAO,CASlF;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAIpD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,YAAY,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,CAG5F;AAYD,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,YAAY,EAAE,MAAM;aACpB,SAAS,EAAK,MAAM;gBADpB,YAAY,EAAE,MAAM,EACpB,SAAS,EAAK,MAAM,EACpC,OAAO,CAAC,EAAE,MAAM;CAKnB;AAiBD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,OAAO,EAAE,MAAM;IAK3B;;;OAGG;IACG,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAUpE;;;;OAIG;IACG,KAAK,CAAC,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAWzF,gDAAgD;IAC1C,MAAM,IAAI,OAAO,CAAC,cAAc,CAAC;IAMvC,oEAAoE;IAC9D,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAMpD,sDAAsD;IAChD,YAAY,IAAI,OAAO,CAAC,cAAc,CAAC;IAM7C;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CACpB,KAAK,EAAE,cAAc,EACrB,GAAG,EAAI,cAAc,EACrB,KAAK,EAAE,kBAAkB,GACxB,OAAO;CA8BX"}

package/dist/nip/reputation-client.js

@@ -0,0 +1,261 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * ReputationLogClient — NPS-RFC-0004 reputation log HTTP client, signing
+ * helpers, and Merkle inclusion verification.
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { sha256 } from "@noble/hashes/sha256";
+// noble/ed25519 requires sha512 to be set explicitly in Node environments
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+// ── Base64url helpers ────────────────────────────────────────────────────────
+function base64urlEncode(bytes) {
+    return Buffer.from(bytes)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
+function base64urlDecode(s) {
+    // Re-pad to a multiple of 4
+    const padded = s.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = (4 - (padded.length % 4)) % 4;
+    return new Uint8Array(Buffer.from(padded + "=".repeat(pad), "base64"));
+}
+// ── Sorted-key canonical JSON ────────────────────────────────────────────────
+/**
+ * Returns a value where every object in the tree has its keys sorted
+ * alphabetically (deeply). Arrays and primitives pass through unchanged.
+ */
+function sortedValue(v) {
+    if (v === null || typeof v !== "object")
+        return v;
+    if (Array.isArray(v))
+        return v.map(sortedValue);
+    const obj = v;
+    const sorted = {};
+    for (const k of Object.keys(obj).sort()) {
+        sorted[k] = sortedValue(obj[k]);
+    }
+    return sorted;
+}
+/** Canonical JSON with all object keys sorted recursively. */
+function sortedJson(obj) {
+    return JSON.stringify(sortedValue(obj));
+}
+export const IncidentType = {
+    Other: "other",
+    CertRevoked: "cert-revoked",
+    RateLimitViolation: "rate-limit-violation",
+    TosViolation: "tos-violation",
+    ScrapingPattern: "scraping-pattern",
+    PaymentDefault: "payment-default",
+    ContractDispute: "contract-dispute",
+    ImpersonationClaim: "impersonation-claim",
+    PositiveAttestation: "positive-attestation",
+};
+export const Severity = {
+    Info: 0,
+    Minor: 1,
+    Moderate: 2,
+    Major: 3,
+    Critical: 4,
+};
+/** Maps wire severity strings to numeric values. Throws on unknown values. */
+const SEVERITY_WIRE = {
+    info: Severity.Info,
+    minor: Severity.Minor,
+    moderate: Severity.Moderate,
+    major: Severity.Major,
+    critical: Severity.Critical,
+};
+/** Known incident wire strings for forward-compat mapping. */
+const KNOWN_INCIDENTS = new Set(Object.values(IncidentType).filter(v => v !== "other"));
+// ── Signing helpers ──────────────────────────────────────────────────────────
+/**
+ * Build the canonical bytes to sign for a ReputationLogEntry.
+ * The `signature` field is excluded; all remaining keys are sorted recursively.
+ */
+function entrySigningBytes(entry) {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const { signature, ...rest } = entry;
+    return new TextEncoder().encode(sortedJson(rest));
+}
+/**
+ * Sign a ReputationLogEntry and return a new entry with `signature` set.
+ * The private key must be a 32-byte raw Ed25519 private key.
+ */
+export function signEntry(privKey, entry) {
+    const bytes = entrySigningBytes(entry);
+    const sig = ed25519.sign(bytes, privKey);
+    return { ...entry, signature: `ed25519:${base64urlEncode(sig)}` };
+}
+/**
+ * Verify the `signature` field of a ReputationLogEntry against the given
+ * Ed25519 public key (32-byte raw).
+ */
+export function verifyEntry(pubKey, entry) {
+    if (!entry.signature.startsWith("ed25519:"))
+        return false;
+    try {
+        const sigBytes = base64urlDecode(entry.signature.slice("ed25519:".length));
+        const bytes = entrySigningBytes(entry);
+        return ed25519.verify(sigBytes, bytes, pubKey);
+    }
+    catch {
+        return false;
+    }
+}
+// ── Severity / incident parsing ──────────────────────────────────────────────
+/**
+ * Parse a wire severity string.  Throws an Error for unknown values
+ * (no forward-compat — callers must upgrade to handle new severity levels).
+ */
+export function parseSeverity(wire) {
+    const v = SEVERITY_WIRE[wire.toLowerCase()];
+    if (v === undefined)
+        throw new Error(`Unknown NPS severity value: "${wire}"`);
+    return v;
+}
+/**
+ * Parse a wire incident string.  Unknown values map to `IncidentType.Other`
+ * (forward-compat); the original string is returned as `incidentRaw`.
+ */
+export function parseIncident(wire) {
+    if (KNOWN_INCIDENTS.has(wire))
+        return { incident: wire };
+    return { incident: IncidentType.Other, incidentRaw: wire };
+}
+// ── Merkle verification ──────────────────────────────────────────────────────
+function bytesEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    for (let i = 0; i < a.length; i++)
+        if (a[i] !== b[i])
+            return false;
+    return true;
+}
+// ── HTTP client ──────────────────────────────────────────────────────────────
+export class ReputationLogException extends Error {
+    nipErrorCode;
+    npsStatus;
+    constructor(nipErrorCode, npsStatus, message) {
+        super(message);
+        this.nipErrorCode = nipErrorCode;
+        this.npsStatus = npsStatus;
+        this.name = "ReputationLogException";
+    }
+}
+/** Throw a ReputationLogException for non-ok HTTP responses. */
+async function ensureOk(resp) {
+    if (resp.ok)
+        return;
+    let nipCode = "NIP-UNKNOWN";
+    let npsStatus = String(resp.status);
+    let message = resp.statusText;
+    try {
+        const body = await resp.json();
+        if (body.error)
+            nipCode = body.error;
+        if (body.status)
+            npsStatus = body.status;
+        if (body.message)
+            message = body.message;
+    }
+    catch { /* ignore parse failures */ }
+    throw new ReputationLogException(nipCode, npsStatus, message);
+}
+export class ReputationLogClient {
+    baseUrl;
+    constructor(baseUrl) {
+        // Strip trailing slash for consistent path construction
+        this.baseUrl = baseUrl.replace(/\/+$/, "");
+    }
+    /**
+     * POST /v1/log/entries — submit a signed entry.
+     * Returns the server-echoed entry with seq/timestamp/log_id filled in.
+     */
+    async submit(entry) {
+        const resp = await fetch(`${this.baseUrl}/v1/log/entries`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(entry),
+        });
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /**
+     * GET /v1/log/entries — query entries.
+     * @param options.nid      Filter by subject NID.
+     * @param options.sinceSeq Return only entries with seq > sinceSeq.
+     */
+    async query(options) {
+        const params = new URLSearchParams();
+        if (options?.nid !== undefined)
+            params.set("nid", options.nid);
+        if (options?.sinceSeq !== undefined)
+            params.set("since", String(options.sinceSeq));
+        const qs = params.size > 0 ? `?${params.toString()}` : "";
+        const resp = await fetch(`${this.baseUrl}/v1/log/entries${qs}`);
+        await ensureOk(resp);
+        const body = await resp.json();
+        return body.entries;
+    }
+    /** GET /v1/log/sth — current SignedTreeHead. */
+    async getSth() {
+        const resp = await fetch(`${this.baseUrl}/v1/log/sth`);
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /** GET /v1/log/proof?seq=<seq> — InclusionProof for a log entry. */
+    async getProof(seq) {
+        const resp = await fetch(`${this.baseUrl}/v1/log/proof?seq=${seq}`);
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /** GET /v1/log/gossip/sth — gossip SignedTreeHead. */
+    async getGossipSth() {
+        const resp = await fetch(`${this.baseUrl}/v1/log/gossip/sth`);
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /**
+     * Verify that `entry` is included in the log at the position described by
+     * `proof`, under the given `sth`.
+     *
+     * Merkle construction (RFC 9162):
+     *   leaf_hash = SHA256(0x00 || utf8(canonical_all_sorted_json_of_entry))
+     *   node_hash = SHA256(0x01 || left_bytes || right_bytes)
+     */
+    static verifyInclusion(proof, sth, entry) {
+        // Leaf hash includes the signature field
+        const leafBytes = new TextEncoder().encode(sortedJson(entry));
+        const leafBuf = new Uint8Array(1 + leafBytes.length);
+        leafBuf[0] = 0x00;
+        leafBuf.set(leafBytes, 1);
+        const computedLeafHash = sha256(leafBuf);
+        // Verify that the computed leaf hash matches the proof's leaf_hash
+        const proofLeafHash = base64urlDecode(proof.leaf_hash);
+        if (!bytesEqual(computedLeafHash, proofLeafHash))
+            return false;
+        // RFC 9162 fold up the audit path
+        let nodeHash = computedLeafHash;
+        for (let i = 0; i < proof.audit_path.length; i++) {
+            const sibling = base64urlDecode(proof.audit_path[i]);
+            const buf = new Uint8Array(65);
+            buf[0] = 0x01;
+            if (((BigInt(proof.leaf_index) >> BigInt(i)) & 1n) === 0n) {
+                buf.set(nodeHash, 1);
+                buf.set(sibling, 33);
+            }
+            else {
+                buf.set(sibling, 1);
+                buf.set(nodeHash, 33);
+            }
+            nodeHash = sha256(buf);
+        }
+        return bytesEqual(nodeHash, base64urlDecode(sth.sha256_root_hash));
+    }
+}
+//# sourceMappingURL=reputation-client.js.map

package/dist/nip/reputation-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reputation-client.js","sourceRoot":"","sources":["../../src/nip/reputation-client.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;GAGG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAE9C,0EAA0E;AAC1E,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEzE,gFAAgF;AAEhF,SAAS,eAAe,CAAC,KAAiB;IACxC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;SACtB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,4BAA4B;IAC5B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,WAAW,CAAC,CAAU;IAC7B,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC;IAClD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG,CAA4B,CAAC;IACzC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8DAA8D;AAC9D,SAAS,UAAU,CAAC,GAAY;IAC9B,OAAO,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1C,CAAC;AASD,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,KAAK,EAAgB,OAAO;IAC5B,WAAW,EAAU,cAAc;IACnC,kBAAkB,EAAG,sBAAsB;IAC3C,YAAY,EAAS,eAAe;IACpC,eAAe,EAAM,kBAAkB;IACvC,cAAc,EAAO,iBAAiB;IACtC,eAAe,EAAM,kBAAkB;IACvC,kBAAkB,EAAG,qBAAqB;IAC1C,mBAAmB,EAAE,sBAAsB;CACnC,CAAC;AAGX,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,IAAI,EAAM,CAAC;IACX,KAAK,EAAK,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,KAAK,EAAK,CAAC;IACX,QAAQ,EAAE,CAAC;CACH,CAAC;AAGX,8EAA8E;AAC9E,MAAM,aAAa,GAA6B;IAC9C,IAAI,EAAM,QAAQ,CAAC,IAAI;IACvB,KAAK,EAAK,QAAQ,CAAC,KAAK;IACxB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;IAC3B,KAAK,EAAK,QAAQ,CAAC,KAAK;IACxB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;CAC5B,CAAC;AAEF,8DAA8D;AAC9D,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC;AAmChG,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,iBAAiB,CAAC,KAAyB;IAClD,6DAA6D;IAC7D,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;IACrC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,OAAmB,EAAE,KAAyB;IACtE,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,GAAG,GAAK,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC3C,OAAO,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,WAAW,eAAe,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAkB,EAAE,KAAyB;IACvE,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3E,MAAM,KAAK,GAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,GAAG,CAAC,CAAC;IAC9E,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,IAAoB,EAAE,CAAC;IACzE,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;AAC7D,CAAC;AAED,gFAAgF;AAEhF,SAAS,UAAU,CAAC,CAAa,EAAE,CAAa;IAC9C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAEhF,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAE7B;IACA;IAFlB,YACkB,YAAoB,EACpB,SAAoB,EACpC,OAAgB;QAEhB,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,iBAAY,GAAZ,YAAY,CAAQ;QACpB,cAAS,GAAT,SAAS,CAAW;QAIpC,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AAED,gEAAgE;AAChE,KAAK,UAAU,QAAQ,CAAC,IAAc;IACpC,IAAI,IAAI,CAAC,EAAE;QAAE,OAAO;IACpB,IAAI,OAAO,GAAI,aAAa,CAAC;IAC7B,IAAI,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,OAAO,GAAK,IAAI,CAAC,UAAU,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAA2D,CAAC;QACxF,IAAI,IAAI,CAAC,KAAK;YAAI,OAAO,GAAK,IAAI,CAAC,KAAK,CAAC;QACzC,IAAI,IAAI,CAAC,MAAM;YAAG,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1C,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,GAAK,IAAI,CAAC,OAAO,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC,CAAC,2BAA2B,CAAC,CAAC;IACvC,MAAM,IAAI,sBAAsB,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,OAAO,mBAAmB;IACb,OAAO,CAAS;IAEjC,YAAY,OAAe;QACzB,wDAAwD;QACxD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,KAAyB;QACpC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,iBAAiB,EAAE;YACzD,MAAM,EAAG,MAAM;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAK,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC/B,CAAC,CAAC;QACH,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAAiC,CAAC;IACpD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,KAAK,CAAC,OAA6C;QACvD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,IAAI,OAAO,EAAE,GAAG,KAAU,SAAS;YAAE,MAAM,CAAC,GAAG,CAAC,KAAK,EAAI,OAAO,CAAC,GAAG,CAAC,CAAC;QACtE,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;YAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnF,MAAM,EAAE,GAAK,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,kBAAkB,EAAE,EAAE,CAAC,CAAC;QAChE,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAuC,CAAC;QACpE,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,aAAa,CAAC,CAAC;QACvD,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAA6B,CAAC;IAChD,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,qBAAqB,GAAG,EAAE,CAAC,CAAC;QACpE,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAA6B,CAAC;IAChD,CAAC;IAED,sDAAsD;IACtD,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,oBAAoB,CAAC,CAAC;QAC9D,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAA6B,CAAC;IAChD,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CACpB,KAAqB,EACrB,GAAqB,EACrB,KAAyB;QAEzB,yCAAyC;QACzC,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9D,MAAM,OAAO,GAAK,IAAI,UAAU,CAAC,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;QACvD,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC1B,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QAEzC,mEAAmE;QACnE,MAAM,aAAa,GAAG,eAAe,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,aAAa,CAAC;YAAE,OAAO,KAAK,CAAC;QAE/D,kCAAkC;QAClC,IAAI,QAAQ,GAAG,gBAAgB,CAAC;QAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACjD,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACrD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YAC/B,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;YACd,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC;gBAC1D,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACxB,CAAC;YACD,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,UAAU,CAAC,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACrE,CAAC;CACF"}

package/dist/nip/verifier.d.ts

@@ -0,0 +1,23 @@
+import type { X509Certificate } from "@peculiar/x509";
+import { AssuranceLevel } from "./assurance-level.js";
+import type { IdentFrame } from "./frames.js";
+export interface NipVerifierOptions {
+    /** Map of issuer NID → CA public key string (`ed25519:<hex>`). */
+    trustedCaPublicKeys?: Readonly<Record<string, string>>;
+    /** X.509 trust anchors. Empty/undefined makes Step 3b reject v2 frames. */
+    trustedX509Roots?: readonly X509Certificate[];
+    /** Minimum required assurance level (NPS-RFC-0003). */
+    minAssuranceLevel?: AssuranceLevel;
+}
+export interface NipIdentVerifyResult {
+    valid: boolean;
+    stepFailed: number;
+    errorCode?: string;
+    message?: string;
+}
+export declare class NipIdentVerifier {
+    readonly options: NipVerifierOptions;
+    constructor(options: NipVerifierOptions);
+    verify(frame: IdentFrame, issuerNid: string): Promise<NipIdentVerifyResult>;
+}
+//# sourceMappingURL=verifier.d.ts.map

package/dist/nip/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../src/nip/verifier.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEtD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAM9C,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,mBAAmB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACvD,2EAA2E;IAC3E,gBAAgB,CAAC,EAAK,SAAS,eAAe,EAAE,CAAC;IACjD,uDAAuD;IACvD,iBAAiB,CAAC,EAAI,cAAc,CAAC;CACtC;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAO,OAAO,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAI,MAAM,CAAC;CACpB;AAQD,qBAAa,gBAAgB;aACC,OAAO,EAAE,kBAAkB;gBAA3B,OAAO,EAAE,kBAAkB;IAEjD,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAsDlF"}

package/dist/nip/verifier.js

@@ -0,0 +1,90 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * NipIdentVerifier — Phase 1 dual-trust IdentFrame verifier per NPS-RFC-0002 §8.1.
+ *
+ * Steps:
+ *   1.  v1 Ed25519 signature check against the issuer's CA public key.
+ *   2.  Optional minimum assurance level check.
+ *   3b. X.509 chain validation (only if `cert_format === "v2-x509"` AND
+ *       `trustedX509Roots` is configured).
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { AssuranceLevel } from "./assurance-level.js";
+import * as cf from "./cert-format.js";
+import * as ec from "./error-codes.js";
+import { verify as verifyX509 } from "./x509/verifier.js";
+// noble/ed25519 needs sha512 wired up.
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+function ok() { return { valid: true, stepFailed: 0 }; }
+function fail(stepFailed, errorCode, message) {
+    return { valid: false, stepFailed, errorCode, message };
+}
+export class NipIdentVerifier {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    async verify(frame, issuerNid) {
+        // Step 1: v1 Ed25519 signature check ────────────────────────────────
+        const caPubKeyStr = this.options.trustedCaPublicKeys?.[issuerNid];
+        if (caPubKeyStr === undefined) {
+            return fail(1, ec.CERT_UNTRUSTED_ISSUER, `no trusted CA public key for issuer: ${issuerNid}`);
+        }
+        if (!frame.signature?.startsWith("ed25519:")) {
+            return fail(1, ec.CERT_SIGNATURE_INVALID, "missing or malformed signature");
+        }
+        try {
+            const caPubBytes = parsePubKeyString(caPubKeyStr);
+            const sigBytes = Buffer.from(frame.signature.slice("ed25519:".length), "base64");
+            const canonical = canonicalJson(frame.unsignedDict());
+            const msg = new TextEncoder().encode(canonical);
+            if (!ed25519.verify(sigBytes, msg, caPubBytes)) {
+                return fail(1, ec.CERT_SIGNATURE_INVALID, "v1 Ed25519 signature did not verify against issuer CA key");
+            }
+        }
+        catch (e) {
+            return fail(1, ec.CERT_SIGNATURE_INVALID, `v1 signature verification error: ${e.message}`);
+        }
+        // Step 2: minimum assurance level ───────────────────────────────────
+        const minLevel = this.options.minAssuranceLevel;
+        if (minLevel !== undefined) {
+            const got = frame.assuranceLevel ?? AssuranceLevel.ANONYMOUS;
+            if (!got.meetsOrExceeds(minLevel)) {
+                return fail(2, ec.ASSURANCE_MISMATCH, `assurance_level (${got.wire}) below required minimum (${minLevel.wire})`);
+            }
+        }
+        // Step 3b: X.509 chain check (only if both opt-ins present) ──────────
+        const trustedRoots = this.options.trustedX509Roots ?? [];
+        const hasV2Trust = trustedRoots.length > 0;
+        const isV2Frame = frame.certFormat === cf.V2_X509;
+        if (hasV2Trust && isV2Frame) {
+            const x509Result = await verifyX509({
+                certChainBase64UrlDer: frame.certChain ?? [],
+                assertedNid: frame.nid,
+                assertedAssuranceLevel: frame.assuranceLevel,
+                trustedRootCerts: trustedRoots,
+            });
+            if (!x509Result.valid) {
+                return fail(3, x509Result.errorCode ?? ec.CERT_FORMAT_INVALID, x509Result.message ?? "X.509 chain validation failed");
+            }
+        }
+        return ok();
+    }
+}
+/**
+ * Canonical JSON matching NipIdentity.sign — top-level keys filtered/ordered
+ * via `Object.keys(payload).sort()` as JSON.stringify replacer.
+ */
+function canonicalJson(payload) {
+    return JSON.stringify(payload, Object.keys(payload).sort());
+}
+/** Parse `ed25519:<hex>` into a 32-byte Uint8Array public key. */
+function parsePubKeyString(s) {
+    if (!s.startsWith("ed25519:")) {
+        throw new Error(`Unsupported public key format: ${s}`);
+    }
+    return new Uint8Array(Buffer.from(s.slice("ed25519:".length), "hex"));
+}
+//# sourceMappingURL=verifier.js.map

package/dist/nip/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../src/nip/verifier.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;GAQG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAG9C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAEvC,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAE1D,uCAAuC;AACvC,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAkBzE,SAAS,EAAE,KAA2B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAE9E,SAAS,IAAI,CAAC,UAAkB,EAAE,SAAiB,EAAE,OAAe;IAClE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;AAC1D,CAAC;AAED,MAAM,OAAO,gBAAgB;IACC;IAA5B,YAA4B,OAA2B;QAA3B,YAAO,GAAP,OAAO,CAAoB;IAAG,CAAC;IAE3D,KAAK,CAAC,MAAM,CAAC,KAAiB,EAAE,SAAiB;QAC/C,sEAAsE;QACtE,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,SAAS,CAAC,CAAC;QAClE,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,EACrC,wCAAwC,SAAS,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7C,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EAAE,gCAAgC,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAClD,MAAM,QAAQ,GAAK,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;YACnF,MAAM,SAAS,GAAI,aAAa,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;YACvD,MAAM,GAAG,GAAU,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;gBAC/C,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EACtC,2DAA2D,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EACtC,oCAAqC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,sEAAsE;QACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC;QAChD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,cAAc,IAAI,cAAc,CAAC,SAAS,CAAC;YAC7D,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,EAClC,oBAAoB,GAAG,CAAC,IAAI,6BAA6B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACzD,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAI,KAAK,CAAC,UAAU,KAAK,EAAE,CAAC,OAAO,CAAC;QACnD,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;YAC5B,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC;gBAClC,qBAAqB,EAAG,KAAK,CAAC,SAAS,IAAI,EAAE;gBAC7C,WAAW,EAAa,KAAK,CAAC,GAAG;gBACjC,sBAAsB,EAAE,KAAK,CAAC,cAAc;gBAC5C,gBAAgB,EAAQ,YAAY;aACrC,CAAC,CAAC;YACH,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,IAAI,CAAC,CAAC,EACX,UAAU,CAAC,SAAS,IAAI,EAAE,CAAC,mBAAmB,EAC9C,UAAU,CAAC,OAAO,IAAM,+BAA+B,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;CACF;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,OAAgC;IACrD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,kEAAkE;AAClE,SAAS,iBAAiB,CAAC,CAAS;IAClC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/nip/x509/builder.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Issues NPS X.509 NID certificates per NPS-RFC-0002 §4.
+ *
+ * Backed by @peculiar/x509 + Web Crypto Ed25519 (Node 22+).
+ *
+ * Two factory functions:
+ * - {@link issueLeaf} — leaf cert with critical NPS EKU + SAN URI = NID + assurance-level extension.
+ * - {@link issueRoot} — self-signed root for testing / private-CA use.
+ */
+import * as x509 from "@peculiar/x509";
+import { AssuranceLevel } from "../assurance-level.js";
+export type LeafRole = "agent" | "node";
+export interface IssueLeafOptions {
+    subjectNid: string;
+    subjectPublicKey: CryptoKey;
+    caKeys: CryptoKeyPair;
+    issuerNid: string;
+    role: LeafRole;
+    assuranceLevel: AssuranceLevel;
+    notBefore: Date;
+    notAfter: Date;
+    serialNumber: string;
+}
+export interface IssueRootOptions {
+    caNid: string;
+    caKeys: CryptoKeyPair;
+    notBefore: Date;
+    notAfter: Date;
+    serialNumber: string;
+}
+/** Issue a leaf NPS NID certificate (RFC-0002 §4.1). */
+export declare function issueLeaf(opts: IssueLeafOptions): Promise<x509.X509Certificate>;
+/** Issue a self-signed CA root cert (testing / private CA). */
+export declare function issueRoot(opts: IssueRootOptions): Promise<x509.X509Certificate>;
+//# sourceMappingURL=builder.d.ts.map

package/dist/nip/x509/builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/builder.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAOvD,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAC;AAExC,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAU,MAAM,CAAC;IAC3B,gBAAgB,EAAI,SAAS,CAAC;IAC9B,MAAM,EAAc,aAAa,CAAC;IAClC,SAAS,EAAW,MAAM,CAAC;IAC3B,IAAI,EAAgB,QAAQ,CAAC;IAC7B,cAAc,EAAM,cAAc,CAAC;IACnC,SAAS,EAAW,IAAI,CAAC;IACzB,QAAQ,EAAY,IAAI,CAAC;IACzB,YAAY,EAAQ,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAe,MAAM,CAAC;IAC3B,MAAM,EAAc,aAAa,CAAC;IAClC,SAAS,EAAW,IAAI,CAAC;IACzB,QAAQ,EAAY,IAAI,CAAC;IACzB,YAAY,EAAQ,MAAM,CAAC;CAC5B;AAED,wDAAwD;AACxD,wBAAsB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAuBrF;AAED,+DAA+D;AAC/D,wBAAsB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAcrF"}

package/dist/nip/x509/builder.js

@@ -0,0 +1,59 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Issues NPS X.509 NID certificates per NPS-RFC-0002 §4.
+ *
+ * Backed by @peculiar/x509 + Web Crypto Ed25519 (Node 22+).
+ *
+ * Two factory functions:
+ * - {@link issueLeaf} — leaf cert with critical NPS EKU + SAN URI = NID + assurance-level extension.
+ * - {@link issueRoot} — self-signed root for testing / private-CA use.
+ */
+import * as x509 from "@peculiar/x509";
+import { EKU_AGENT_IDENTITY, EKU_NODE_IDENTITY, NID_ASSURANCE_LEVEL } from "./oids.js";
+// Initialize @peculiar/x509 cryptoProvider once on first import. Web Crypto
+// (globalThis.crypto) supports Ed25519 in Node 18+.
+x509.cryptoProvider.set(globalThis.crypto);
+/** Issue a leaf NPS NID certificate (RFC-0002 §4.1). */
+export async function issueLeaf(opts) {
+    const ekuOid = opts.role === "node" ? EKU_NODE_IDENTITY : EKU_AGENT_IDENTITY;
+    // ASN.1 ENUMERATED encoding of assurance level: tag=0x0A, len=0x01, value=<rank>.
+    const assuranceDer = new Uint8Array([0x0A, 0x01, opts.assuranceLevel.rank]);
+    return x509.X509CertificateGenerator.create({
+        serialNumber: opts.serialNumber,
+        issuer: `CN=${escapeDn(opts.issuerNid)}`,
+        subject: `CN=${escapeDn(opts.subjectNid)}`,
+        notBefore: opts.notBefore,
+        notAfter: opts.notAfter,
+        publicKey: opts.subjectPublicKey,
+        signingAlgorithm: { name: "Ed25519" },
+        signingKey: opts.caKeys.privateKey,
+        extensions: [
+            new x509.BasicConstraintsExtension(false, undefined, true),
+            new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true),
+            new x509.ExtendedKeyUsageExtension([ekuOid], true),
+            new x509.SubjectAlternativeNameExtension([{ type: "url", value: opts.subjectNid }], false),
+            new x509.Extension(NID_ASSURANCE_LEVEL, false, assuranceDer),
+        ],
+    });
+}
+/** Issue a self-signed CA root cert (testing / private CA). */
+export async function issueRoot(opts) {
+    return x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: opts.serialNumber,
+        name: `CN=${escapeDn(opts.caNid)}`,
+        notBefore: opts.notBefore,
+        notAfter: opts.notAfter,
+        signingAlgorithm: { name: "Ed25519" },
+        keys: opts.caKeys,
+        extensions: [
+            new x509.BasicConstraintsExtension(true, undefined, true),
+            new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
+        ],
+    });
+}
+function escapeDn(value) {
+    // Escape characters that have special meaning in RFC 4514 DN syntax.
+    return value.replace(/([",+;<>\\])/g, "\\$1");
+}
+//# sourceMappingURL=builder.js.map

package/dist/nip/x509/builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"builder.js","sourceRoot":"","sources":["../../../src/nip/x509/builder.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;GAQG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAGvC,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAEvF,4EAA4E;AAC5E,oDAAoD;AACpD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAwB3C,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAsB;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAE7E,kFAAkF;IAClF,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IAE5E,OAAO,IAAI,CAAC,wBAAwB,CAAC,MAAM,CAAC;QAC1C,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,MAAM,EAAQ,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;QAC9C,OAAO,EAAO,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;QAC/C,SAAS,EAAK,IAAI,CAAC,SAAS;QAC5B,QAAQ,EAAM,IAAI,CAAC,QAAQ;QAC3B,SAAS,EAAK,IAAI,CAAC,gBAAgB;QACnC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;QACrC,UAAU,EAAI,IAAI,CAAC,MAAM,CAAC,UAAU;QACpC,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC;YAC1D,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC;YAClD,IAAI,IAAI,CAAC,+BAA+B,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,KAAK,CAAC;YAC1F,IAAI,IAAI,CAAC,SAAS,CAAC,mBAAmB,EAAE,KAAK,EAAE,YAAY,CAAC;SAC7D;KACF,CAAC,CAAC;AACL,CAAC;AAED,+DAA+D;AAC/D,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAsB;IACpD,OAAO,IAAI,CAAC,wBAAwB,CAAC,gBAAgB,CAAC;QACpD,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,IAAI,EAAU,MAAM,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;QAC1C,SAAS,EAAK,IAAI,CAAC,SAAS;QAC5B,QAAQ,EAAM,IAAI,CAAC,QAAQ;QAC3B,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;QACrC,IAAI,EAAU,IAAI,CAAC,MAAM;QACzB,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,yBAAyB,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC;YACzD,IAAI,IAAI,CAAC,kBAAkB,CACzB,IAAI,CAAC,aAAa,CAAC,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC;SACrE;KACF,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,KAAa;IAC7B,qEAAqE;IACrE,OAAO,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC"}

package/dist/nip/x509/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./builder.js";
+export * from "./oids.js";
+export * from "./verifier.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/nip/x509/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/index.ts"],"names":[],"mappings":"AAGA,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC"}

package/dist/nip/x509/index.js

@@ -0,0 +1,6 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export * from "./builder.js";
+export * from "./oids.js";
+export * from "./verifier.js";
+//# sourceMappingURL=index.js.map

package/dist/nip/x509/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/nip/x509/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC"}