@labacacia/nps-sdk 1.0.0-alpha.1

package/dist/nip/frames.js

@@ -0,0 +1,81 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+import { EncodingTier, FrameType } from "../core/frames.js";
+export class IdentFrame {
+    nid;
+    pubKey;
+    metadata;
+    signature;
+    frameType = FrameType.IDENT;
+    preferredTier = EncodingTier.MSGPACK;
+    constructor(nid, pubKey, metadata, signature) {
+        this.nid = nid;
+        this.pubKey = pubKey;
+        this.metadata = metadata;
+        this.signature = signature;
+    }
+    unsignedDict() {
+        return {
+            nid: this.nid,
+            pub_key: this.pubKey,
+            metadata: this.metadata,
+        };
+    }
+    toDict() {
+        return { ...this.unsignedDict(), signature: this.signature };
+    }
+    static fromDict(data) {
+        return new IdentFrame(data["nid"], data["pub_key"], data["metadata"], data["signature"]);
+    }
+}
+export class TrustFrame {
+    issuerNid;
+    subjectNid;
+    scopes;
+    expiresAt;
+    signature;
+    frameType = FrameType.TRUST;
+    preferredTier = EncodingTier.MSGPACK;
+    constructor(issuerNid, subjectNid, scopes, expiresAt, signature) {
+        this.issuerNid = issuerNid;
+        this.subjectNid = subjectNid;
+        this.scopes = scopes;
+        this.expiresAt = expiresAt;
+        this.signature = signature;
+    }
+    toDict() {
+        return {
+            issuer_nid: this.issuerNid,
+            subject_nid: this.subjectNid,
+            scopes: this.scopes,
+            expires_at: this.expiresAt,
+            signature: this.signature,
+        };
+    }
+    static fromDict(data) {
+        return new TrustFrame(data["issuer_nid"], data["subject_nid"], data["scopes"], data["expires_at"], data["signature"]);
+    }
+}
+export class RevokeFrame {
+    nid;
+    reason;
+    revokedAt;
+    frameType = FrameType.REVOKE;
+    preferredTier = EncodingTier.MSGPACK;
+    constructor(nid, reason, revokedAt) {
+        this.nid = nid;
+        this.reason = reason;
+        this.revokedAt = revokedAt;
+    }
+    toDict() {
+        return {
+            nid: this.nid,
+            reason: this.reason ?? null,
+            revoked_at: this.revokedAt ?? null,
+        };
+    }
+    static fromDict(data) {
+        return new RevokeFrame(data["nid"], data["reason"] ?? undefined, data["revoked_at"] ?? undefined);
+    }
+}
+//# sourceMappingURL=frames.js.map

package/dist/nip/frames.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"frames.js","sourceRoot":"","sources":["../../src/nip/frames.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAW5D,MAAM,OAAO,UAAU;IAKH;IACA;IACA;IACA;IAPT,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,GAAiB,EACjB,MAAiB,EACjB,QAAwB,EACxB,SAAiB;QAHjB,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAQ;IAChC,CAAC;IAEJ,YAAY;QACV,OAAO;YACL,GAAG,EAAO,IAAI,CAAC,GAAG;YAClB,OAAO,EAAG,IAAI,CAAC,MAAM;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,MAAM;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/D,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,KAAK,CAAiB,EAC3B,IAAI,CAAC,SAAS,CAAa,EAC3B,IAAI,CAAC,UAAU,CAAmB,EAClC,IAAI,CAAC,WAAW,CAAW,CAC5B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,UAAU;IAKH;IACA;IACA;IACA;IACA;IART,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,SAAkB,EAClB,UAAkB,EAClB,MAA6B,EAC7B,SAAkB,EAClB,SAAkB;QAJlB,cAAS,GAAT,SAAS,CAAS;QAClB,eAAU,GAAV,UAAU,CAAQ;QAClB,WAAM,GAAN,MAAM,CAAuB;QAC7B,cAAS,GAAT,SAAS,CAAS;QAClB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,WAAW,EAAE,IAAI,CAAC,UAAU;YAC5B,MAAM,EAAO,IAAI,CAAC,MAAM;YACxB,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,SAAS,EAAI,IAAI,CAAC,SAAS;SAC5B,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,aAAa,CAAW,EAC7B,IAAI,CAAC,QAAQ,CAAkB,EAC/B,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,WAAW,CAAa,CAC9B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,WAAW;IAKJ;IACA;IACA;IANT,SAAS,GAAO,SAAS,CAAC,MAAM,CAAC;IACjC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,GAAiB,EACjB,MAAiB,EACjB,SAAkB;QAFlB,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,GAAG,EAAS,IAAI,CAAC,GAAG;YACpB,MAAM,EAAM,IAAI,CAAC,MAAM,IAAQ,IAAI;YACnC,UAAU,EAAE,IAAI,CAAC,SAAS,IAAK,IAAI;SACpC,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,WAAW,CACpB,IAAI,CAAC,KAAK,CAAkB,EAC3B,IAAI,CAAC,QAAQ,CAAuB,IAAI,SAAS,EACjD,IAAI,CAAC,YAAY,CAAmB,IAAI,SAAS,CACnD,CAAC;IACJ,CAAC;CACF"}

package/dist/nip/identity.d.ts

@@ -0,0 +1,18 @@
+export declare class NipIdentity {
+    private readonly _privKey;
+    readonly pubKey: Uint8Array;
+    private constructor();
+    static generate(): NipIdentity;
+    static fromPrivateKey(privKey: Uint8Array): NipIdentity;
+    /** Load from an AES-256-GCM encrypted key file. */
+    static load(path: string, passphrase: string): NipIdentity;
+    /** Save to an AES-256-GCM encrypted key file. */
+    save(path: string, passphrase: string): void;
+    /** Sign a dict payload. Returns `ed25519:<base64url>`. */
+    sign(payload: Record<string, unknown>): string;
+    /** Verify a signature string against a dict payload. */
+    verify(payload: Record<string, unknown>, signature: string): boolean;
+    /** Public key as `ed25519:<hex>` string. */
+    get pubKeyString(): string;
+}
+//# sourceMappingURL=identity.d.ts.map

package/dist/nip/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/nip/identity.ts"],"names":[],"mappings":"AA8BA,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,QAAQ;aACR,MAAM,EAAI,UAAU;IAFvC,OAAO;IAOP,MAAM,CAAC,QAAQ,IAAI,WAAW;IAM9B,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,WAAW;IAKvD,mDAAmD;IACnD,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,WAAW;IAgB1D,iDAAiD;IACjD,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IAoB5C,0DAA0D;IAC1D,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM;IAO9C,wDAAwD;IACxD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAYpE,4CAA4C;IAC5C,IAAI,YAAY,IAAI,MAAM,CAEzB;CACF"}

package/dist/nip/identity.js

@@ -0,0 +1,94 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * NipIdentity — Ed25519 key management and signing for NPS NID identity.
+ * Uses @noble/ed25519 for signing; node:crypto for key storage encryption.
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
+import { readFileSync, writeFileSync } from "node:fs";
+// noble/ed25519 requires sha512 to be set explicitly in Node environments
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+const KEY_FILE_VERSION = 1;
+const PBKDF2_ITERS = 600_000;
+const SALT_BYTES = 16;
+const IV_BYTES = 12;
+const KEY_BYTES = 32;
+export class NipIdentity {
+    _privKey;
+    pubKey;
+    constructor(_privKey, pubKey) {
+        this._privKey = _privKey;
+        this.pubKey = pubKey;
+    }
+    // ── Factory ───────────────────────────────────────────────────────────────
+    static generate() {
+        const priv = ed25519.utils.randomPrivateKey();
+        const pub = ed25519.getPublicKey(priv);
+        return new NipIdentity(priv, pub);
+    }
+    static fromPrivateKey(privKey) {
+        const pub = ed25519.getPublicKey(privKey);
+        return new NipIdentity(privKey, pub);
+    }
+    /** Load from an AES-256-GCM encrypted key file. */
+    static load(path, passphrase) {
+        const envelope = JSON.parse(readFileSync(path, "utf8"));
+        const salt = Buffer.from(envelope.salt, "hex");
+        const iv = Buffer.from(envelope.iv, "hex");
+        const ct = Buffer.from(envelope.ciphertext, "hex");
+        const dk = pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, "sha256");
+        const decipher = createDecipheriv("aes-256-gcm", dk, iv);
+        // Last 16 bytes of ciphertext are the GCM auth tag
+        const authTag = ct.slice(ct.length - 16);
+        const body = ct.slice(0, ct.length - 16);
+        decipher.setAuthTag(authTag);
+        const priv = Buffer.concat([decipher.update(body), decipher.final()]);
+        return NipIdentity.fromPrivateKey(new Uint8Array(priv));
+    }
+    /** Save to an AES-256-GCM encrypted key file. */
+    save(path, passphrase) {
+        const salt = randomBytes(SALT_BYTES);
+        const iv = randomBytes(IV_BYTES);
+        const dk = pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, "sha256");
+        const cipher = createCipheriv("aes-256-gcm", dk, iv);
+        const body = Buffer.concat([cipher.update(Buffer.from(this._privKey)), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        const envelope = {
+            version: KEY_FILE_VERSION,
+            salt: salt.toString("hex"),
+            iv: iv.toString("hex"),
+            ciphertext: Buffer.concat([body, tag]).toString("hex"),
+            pubKey: Buffer.from(this.pubKey).toString("hex"),
+        };
+        writeFileSync(path, JSON.stringify(envelope, null, 2), "utf8");
+    }
+    // ── Signing ───────────────────────────────────────────────────────────────
+    /** Sign a dict payload. Returns `ed25519:<base64url>`. */
+    sign(payload) {
+        const canonical = JSON.stringify(payload, Object.keys(payload).sort());
+        const bytes = new TextEncoder().encode(canonical);
+        const sig = ed25519.sign(bytes, this._privKey);
+        return `ed25519:${Buffer.from(sig).toString("base64")}`;
+    }
+    /** Verify a signature string against a dict payload. */
+    verify(payload, signature) {
+        if (!signature.startsWith("ed25519:"))
+            return false;
+        try {
+            const canonical = JSON.stringify(payload, Object.keys(payload).sort());
+            const bytes = new TextEncoder().encode(canonical);
+            const sigBytes = Buffer.from(signature.slice("ed25519:".length), "base64");
+            return ed25519.verify(sigBytes, bytes, this.pubKey);
+        }
+        catch {
+            return false;
+        }
+    }
+    /** Public key as `ed25519:<hex>` string. */
+    get pubKeyString() {
+        return `ed25519:${Buffer.from(this.pubKey).toString("hex")}`;
+    }
+}
+//# sourceMappingURL=identity.js.map

package/dist/nip/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/nip/identity.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;GAGG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEtD,0EAA0E;AAC1E,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEzE,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAC3B,MAAM,YAAY,GAAO,OAAO,CAAC;AACjC,MAAM,UAAU,GAAS,EAAE,CAAC;AAC5B,MAAM,QAAQ,GAAW,EAAE,CAAC;AAC5B,MAAM,SAAS,GAAU,EAAE,CAAC;AAU5B,MAAM,OAAO,WAAW;IAEH;IACA;IAFnB,YACmB,QAAoB,EACpB,MAAoB;QADpB,aAAQ,GAAR,QAAQ,CAAY;QACpB,WAAM,GAAN,MAAM,CAAc;IACpC,CAAC;IAEJ,6EAA6E;IAE7E,MAAM,CAAC,QAAQ;QACb,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAI,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,IAAI,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,cAAc,CAAC,OAAmB;QACvC,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,mDAAmD;IACnD,MAAM,CAAC,IAAI,CAAC,IAAY,EAAE,UAAkB;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAoB,CAAC;QAC3E,MAAM,IAAI,GAAQ,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAQ,KAAK,CAAC,CAAC;QAC1D,MAAM,EAAE,GAAU,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAU,KAAK,CAAC,CAAC;QAC1D,MAAM,EAAE,GAAU,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAE1D,MAAM,EAAE,GAAG,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC3E,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACzD,mDAAmD;QACnD,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;QACzC,MAAM,IAAI,GAAM,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;QAC3C,QAAoF,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC1G,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACtE,OAAO,WAAW,CAAC,cAAc,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC,IAAY,EAAE,UAAkB;QACnC,MAAM,IAAI,GAAK,WAAW,CAAC,UAAU,CAAC,CAAC;QACvC,MAAM,EAAE,GAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,EAAE,GAAO,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC/E,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,IAAI,GAAK,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC1F,MAAM,GAAG,GAAO,MAAuE,CAAC,UAAU,EAAE,CAAC;QAErG,MAAM,QAAQ,GAAoB;YAChC,OAAO,EAAK,gBAAgB;YAC5B,IAAI,EAAQ,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YAChC,EAAE,EAAU,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC9B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACtD,MAAM,EAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;SACrD,CAAC;QACF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACjE,CAAC;IAED,6EAA6E;IAE7E,0DAA0D;IAC1D,IAAI,CAAC,OAAgC;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACvE,MAAM,KAAK,GAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,GAAG,GAAS,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrD,OAAO,WAAW,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,wDAAwD;IACxD,MAAM,CAAC,OAAgC,EAAE,SAAiB;QACxD,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,MAAM,KAAK,GAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACtD,MAAM,QAAQ,GAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;YAC5E,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,YAAY;QACd,OAAO,WAAW,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC/D,CAAC;CACF"}

package/dist/nip/index.cjs

@@ -0,0 +1,214 @@
+'use strict';
+
+var ed25519 = require('@noble/ed25519');
+var sha512 = require('@noble/hashes/sha512');
+var crypto = require('crypto');
+var fs = require('fs');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var ed25519__namespace = /*#__PURE__*/_interopNamespace(ed25519);
+
+// src/nip/frames.ts
+var IdentFrame = class _IdentFrame {
+  constructor(nid, pubKey, metadata, signature) {
+    this.nid = nid;
+    this.pubKey = pubKey;
+    this.metadata = metadata;
+    this.signature = signature;
+  }
+  nid;
+  pubKey;
+  metadata;
+  signature;
+  frameType = 32 /* IDENT */;
+  preferredTier = 1 /* MSGPACK */;
+  unsignedDict() {
+    return {
+      nid: this.nid,
+      pub_key: this.pubKey,
+      metadata: this.metadata
+    };
+  }
+  toDict() {
+    return { ...this.unsignedDict(), signature: this.signature };
+  }
+  static fromDict(data) {
+    return new _IdentFrame(
+      data["nid"],
+      data["pub_key"],
+      data["metadata"],
+      data["signature"]
+    );
+  }
+};
+var TrustFrame = class _TrustFrame {
+  constructor(issuerNid, subjectNid, scopes, expiresAt, signature) {
+    this.issuerNid = issuerNid;
+    this.subjectNid = subjectNid;
+    this.scopes = scopes;
+    this.expiresAt = expiresAt;
+    this.signature = signature;
+  }
+  issuerNid;
+  subjectNid;
+  scopes;
+  expiresAt;
+  signature;
+  frameType = 33 /* TRUST */;
+  preferredTier = 1 /* MSGPACK */;
+  toDict() {
+    return {
+      issuer_nid: this.issuerNid,
+      subject_nid: this.subjectNid,
+      scopes: this.scopes,
+      expires_at: this.expiresAt,
+      signature: this.signature
+    };
+  }
+  static fromDict(data) {
+    return new _TrustFrame(
+      data["issuer_nid"],
+      data["subject_nid"],
+      data["scopes"],
+      data["expires_at"],
+      data["signature"]
+    );
+  }
+};
+var RevokeFrame = class _RevokeFrame {
+  constructor(nid, reason, revokedAt) {
+    this.nid = nid;
+    this.reason = reason;
+    this.revokedAt = revokedAt;
+  }
+  nid;
+  reason;
+  revokedAt;
+  frameType = 34 /* REVOKE */;
+  preferredTier = 1 /* MSGPACK */;
+  toDict() {
+    return {
+      nid: this.nid,
+      reason: this.reason ?? null,
+      revoked_at: this.revokedAt ?? null
+    };
+  }
+  static fromDict(data) {
+    return new _RevokeFrame(
+      data["nid"],
+      data["reason"] ?? void 0,
+      data["revoked_at"] ?? void 0
+    );
+  }
+};
+ed25519__namespace.etc.sha512Sync = (...m) => sha512.sha512(ed25519__namespace.etc.concatBytes(...m));
+var KEY_FILE_VERSION = 1;
+var PBKDF2_ITERS = 6e5;
+var SALT_BYTES = 16;
+var IV_BYTES = 12;
+var KEY_BYTES = 32;
+var NipIdentity = class _NipIdentity {
+  constructor(_privKey, pubKey) {
+    this._privKey = _privKey;
+    this.pubKey = pubKey;
+  }
+  _privKey;
+  pubKey;
+  // ── Factory ───────────────────────────────────────────────────────────────
+  static generate() {
+    const priv = ed25519__namespace.utils.randomPrivateKey();
+    const pub = ed25519__namespace.getPublicKey(priv);
+    return new _NipIdentity(priv, pub);
+  }
+  static fromPrivateKey(privKey) {
+    const pub = ed25519__namespace.getPublicKey(privKey);
+    return new _NipIdentity(privKey, pub);
+  }
+  /** Load from an AES-256-GCM encrypted key file. */
+  static load(path, passphrase) {
+    const envelope = JSON.parse(fs.readFileSync(path, "utf8"));
+    const salt = Buffer.from(envelope.salt, "hex");
+    const iv = Buffer.from(envelope.iv, "hex");
+    const ct = Buffer.from(envelope.ciphertext, "hex");
+    const dk = crypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, "sha256");
+    const decipher = crypto.createDecipheriv("aes-256-gcm", dk, iv);
+    const authTag = ct.slice(ct.length - 16);
+    const body = ct.slice(0, ct.length - 16);
+    decipher.setAuthTag(authTag);
+    const priv = Buffer.concat([decipher.update(body), decipher.final()]);
+    return _NipIdentity.fromPrivateKey(new Uint8Array(priv));
+  }
+  /** Save to an AES-256-GCM encrypted key file. */
+  save(path, passphrase) {
+    const salt = crypto.randomBytes(SALT_BYTES);
+    const iv = crypto.randomBytes(IV_BYTES);
+    const dk = crypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, "sha256");
+    const cipher = crypto.createCipheriv("aes-256-gcm", dk, iv);
+    const body = Buffer.concat([cipher.update(Buffer.from(this._privKey)), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    const envelope = {
+      version: KEY_FILE_VERSION,
+      salt: salt.toString("hex"),
+      iv: iv.toString("hex"),
+      ciphertext: Buffer.concat([body, tag]).toString("hex"),
+      pubKey: Buffer.from(this.pubKey).toString("hex")
+    };
+    fs.writeFileSync(path, JSON.stringify(envelope, null, 2), "utf8");
+  }
+  // ── Signing ───────────────────────────────────────────────────────────────
+  /** Sign a dict payload. Returns `ed25519:<base64url>`. */
+  sign(payload) {
+    const canonical = JSON.stringify(payload, Object.keys(payload).sort());
+    const bytes = new TextEncoder().encode(canonical);
+    const sig = ed25519__namespace.sign(bytes, this._privKey);
+    return `ed25519:${Buffer.from(sig).toString("base64")}`;
+  }
+  /** Verify a signature string against a dict payload. */
+  verify(payload, signature) {
+    if (!signature.startsWith("ed25519:")) return false;
+    try {
+      const canonical = JSON.stringify(payload, Object.keys(payload).sort());
+      const bytes = new TextEncoder().encode(canonical);
+      const sigBytes = Buffer.from(signature.slice("ed25519:".length), "base64");
+      return ed25519__namespace.verify(sigBytes, bytes, this.pubKey);
+    } catch {
+      return false;
+    }
+  }
+  /** Public key as `ed25519:<hex>` string. */
+  get pubKeyString() {
+    return `ed25519:${Buffer.from(this.pubKey).toString("hex")}`;
+  }
+};
+
+// src/nip/registry.ts
+function registerNipFrames(registry) {
+  registry.register(32 /* IDENT */, IdentFrame);
+  registry.register(33 /* TRUST */, TrustFrame);
+  registry.register(34 /* REVOKE */, RevokeFrame);
+}
+
+exports.IdentFrame = IdentFrame;
+exports.NipIdentity = NipIdentity;
+exports.RevokeFrame = RevokeFrame;
+exports.TrustFrame = TrustFrame;
+exports.registerNipFrames = registerNipFrames;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/nip/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/nip/frames.ts","../../src/nip/identity.ts","../../src/nip/registry.ts"],"names":["ed25519","sha512","readFileSync","pbkdf2Sync","createDecipheriv","randomBytes","createCipheriv","writeFileSync"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcO,IAAM,UAAA,GAAN,MAAM,WAAA,CAA+B;AAAA,EAI1C,WAAA,CACkB,GAAA,EACA,MAAA,EACA,QAAA,EACA,SAAA,EAChB;AAJgB,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EACf;AAAA,EAJe,GAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,SAAA;AAAA,EAPT,SAAA,GAAA,EAAA;AAAA,EACA,aAAA,GAAA,CAAA;AAAA,EAST,YAAA,GAAwC;AACtC,IAAA,OAAO;AAAA,MACL,KAAU,IAAA,CAAK,GAAA;AAAA,MACf,SAAU,IAAA,CAAK,MAAA;AAAA,MACf,UAAU,IAAA,CAAK;AAAA,KACjB;AAAA,EACF;AAAA,EAEA,MAAA,GAAkC;AAChC,IAAA,OAAO,EAAE,GAAG,IAAA,CAAK,cAAa,EAAG,SAAA,EAAW,KAAK,SAAA,EAAU;AAAA,EAC7D;AAAA,EAEA,OAAO,SAAS,IAAA,EAA2C;AACzD,IAAA,OAAO,IAAI,WAAA;AAAA,MACT,KAAK,KAAK,CAAA;AAAA,MACV,KAAK,SAAS,CAAA;AAAA,MACd,KAAK,UAAU,CAAA;AAAA,MACf,KAAK,WAAW;AAAA,KAClB;AAAA,EACF;AACF;AAEO,IAAM,UAAA,GAAN,MAAM,WAAA,CAA+B;AAAA,EAI1C,WAAA,CACkB,SAAA,EACA,UAAA,EACA,MAAA,EACA,WACA,SAAA,EAChB;AALgB,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EACf;AAAA,EALe,SAAA;AAAA,EACA,UAAA;AAAA,EACA,MAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EART,SAAA,GAAA,EAAA;AAAA,EACA,aAAA,GAAA,CAAA;AAAA,EAUT,MAAA,GAAkC;AAChC,IAAA,OAAO;AAAA,MACL,YAAa,IAAA,CAAK,SAAA;AAAA,MAClB,aAAa,IAAA,CAAK,UAAA;AAAA,MAClB,QAAa,IAAA,CAAK,MAAA;AAAA,MAClB,YAAa,IAAA,CAAK,SAAA;AAAA,MAClB,WAAa,IAAA,CAAK;AAAA,KACpB;AAAA,EACF;AAAA,EAEA,OAAO,SAAS,IAAA,EAA2C;AACzD,IAAA,OAAO,IAAI,WAAA;AAAA,MACT,KAAK,YAAY,CAAA;AAAA,MACjB,KAAK,aAAa,CAAA;AAAA,MAClB,KAAK,QAAQ,CAAA;AAAA,MACb,KAAK,YAAY,CAAA;AAAA,MACjB,KAAK,WAAW;AAAA,KAClB;AAAA,EACF;AACF;AAEO,IAAM,WAAA,GAAN,MAAM,YAAA,CAAgC;AAAA,EAI3C,WAAA,CACkB,GAAA,EACA,MAAA,EACA,SAAA,EAChB;AAHgB,IAAA,IAAA,CAAA,GAAA,GAAA,GAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EACf;AAAA,EAHe,GAAA;AAAA,EACA,MAAA;AAAA,EACA,SAAA;AAAA,EANT,SAAA,GAAA,EAAA;AAAA,EACA,aAAA,GAAA,CAAA;AAAA,EAQT,MAAA,GAAkC;AAChC,IAAA,OAAO;AAAA,MACL,KAAY,IAAA,CAAK,GAAA;AAAA,MACjB,MAAA,EAAY,KAAK,MAAA,IAAc,IAAA;AAAA,MAC/B,UAAA,EAAY,KAAK,SAAA,IAAc;AAAA,KACjC;AAAA,EACF;AAAA,EAEA,OAAO,SAAS,IAAA,EAA4C;AAC1D,IAAA,OAAO,IAAI,YAAA;AAAA,MACT,KAAK,KAAK,CAAA;AAAA,MACT,IAAA,CAAK,QAAQ,CAAA,IAA2B,MAAA;AAAA,MACxC,IAAA,CAAK,YAAY,CAAA,IAAuB;AAAA,KAC3C;AAAA,EACF;AACF;AC3FQA,kBAAA,CAAA,GAAA,CAAI,UAAA,GAAa,IAAI,CAAA,KAAMC,aAAA,CAAeD,uBAAI,WAAA,CAAY,GAAG,CAAC,CAAC,CAAA;AAEvE,IAAM,gBAAA,GAAmB,CAAA;AACzB,IAAM,YAAA,GAAmB,GAAA;AACzB,IAAM,UAAA,GAAmB,EAAA;AACzB,IAAM,QAAA,GAAmB,EAAA;AACzB,IAAM,SAAA,GAAmB,EAAA;AAUlB,IAAM,WAAA,GAAN,MAAM,YAAA,CAAY;AAAA,EACf,WAAA,CACW,UACA,MAAA,EACjB;AAFiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAChB;AAAA,EAFgB,QAAA;AAAA,EACA,MAAA;AAAA;AAAA,EAKnB,OAAO,QAAA,GAAwB;AAC7B,IAAA,MAAM,IAAA,GAAeA,yBAAM,gBAAA,EAAiB;AAC5C,IAAA,MAAM,GAAA,GAAeA,gCAAa,IAAI,CAAA;AACtC,IAAA,OAAO,IAAI,YAAA,CAAY,IAAA,EAAM,GAAG,CAAA;AAAA,EAClC;AAAA,EAEA,OAAO,eAAe,OAAA,EAAkC;AACtD,IAAA,MAAM,GAAA,GAAcA,gCAAa,OAAO,CAAA;AACxC,IAAA,OAAO,IAAI,YAAA,CAAY,OAAA,EAAS,GAAG,CAAA;AAAA,EACrC;AAAA;AAAA,EAGA,OAAO,IAAA,CAAK,IAAA,EAAc,UAAA,EAAiC;AACzD,IAAA,MAAM,WAAW,IAAA,CAAK,KAAA,CAAME,eAAA,CAAa,IAAA,EAAM,MAAM,CAAC,CAAA;AACtD,IAAA,MAAM,IAAA,GAAY,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,MAAY,KAAK,CAAA;AACxD,IAAA,MAAM,EAAA,GAAY,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,IAAY,KAAK,CAAA;AACxD,IAAA,MAAM,EAAA,GAAY,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,YAAY,KAAK,CAAA;AAExD,IAAA,MAAM,KAAKC,iBAAA,CAAW,UAAA,EAAY,IAAA,EAAM,YAAA,EAAc,WAAW,QAAQ,CAAA;AACzE,IAAA,MAAM,QAAA,GAAWC,uBAAA,CAAiB,aAAA,EAAe,EAAA,EAAI,EAAE,CAAA;AAEvD,IAAA,MAAM,OAAA,GAAU,EAAA,CAAG,KAAA,CAAM,EAAA,CAAG,SAAS,EAAE,CAAA;AACvC,IAAA,MAAM,OAAU,EAAA,CAAG,KAAA,CAAM,CAAA,EAAG,EAAA,CAAG,SAAS,EAAE,CAAA;AAC1C,IAAC,QAAA,CAAqF,WAAW,OAAO,CAAA;AACxG,IAAA,MAAM,IAAA,GAAO,MAAA,CAAO,MAAA,CAAO,CAAC,QAAA,CAAS,MAAA,CAAO,IAAI,CAAA,EAAG,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA;AACpE,IAAA,OAAO,YAAA,CAAY,cAAA,CAAe,IAAI,UAAA,CAAW,IAAI,CAAC,CAAA;AAAA,EACxD;AAAA;AAAA,EAGA,IAAA,CAAK,MAAc,UAAA,EAA0B;AAC3C,IAAA,MAAM,IAAA,GAASC,mBAAY,UAAU,CAAA;AACrC,IAAA,MAAM,EAAA,GAASA,mBAAY,QAAQ,CAAA;AACnC,IAAA,MAAM,KAASF,iBAAA,CAAW,UAAA,EAAY,IAAA,EAAM,YAAA,EAAc,WAAW,QAAQ,CAAA;AAC7E,IAAA,MAAM,MAAA,GAASG,qBAAA,CAAe,aAAA,EAAe,EAAA,EAAI,EAAE,CAAA;AACnD,IAAA,MAAM,IAAA,GAAS,MAAA,CAAO,MAAA,CAAO,CAAC,OAAO,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,QAAQ,CAAC,CAAA,EAAG,MAAA,CAAO,KAAA,EAAO,CAAC,CAAA;AACxF,IAAA,MAAM,GAAA,GAAU,OAAwE,UAAA,EAAW;AAEnG,IAAA,MAAM,QAAA,GAA4B;AAAA,MAChC,OAAA,EAAY,gBAAA;AAAA,MACZ,IAAA,EAAY,IAAA,CAAK,QAAA,CAAS,KAAK,CAAA;AAAA,MAC/B,EAAA,EAAY,EAAA,CAAG,QAAA,CAAS,KAAK,CAAA;AAAA,MAC7B,UAAA,EAAY,OAAO,MAAA,CAAO,CAAC,MAAM,GAAG,CAAC,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAAA,MACrD,QAAY,MAAA,CAAO,IAAA,CAAK,KAAK,MAAM,CAAA,CAAE,SAAS,KAAK;AAAA,KACrD;AACA,IAAAC,gBAAA,CAAc,MAAM,IAAA,CAAK,SAAA,CAAU,UAAU,IAAA,EAAM,CAAC,GAAG,MAAM,CAAA;AAAA,EAC/D;AAAA;AAAA;AAAA,EAKA,KAAK,OAAA,EAA0C;AAC7C,IAAA,MAAM,SAAA,GAAY,KAAK,SAAA,CAAU,OAAA,EAAS,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA,EAAM,CAAA;AACrE,IAAA,MAAM,KAAA,GAAY,IAAI,WAAA,EAAY,CAAE,OAAO,SAAS,CAAA;AACpD,IAAA,MAAM,GAAA,GAAoBP,kBAAA,CAAA,IAAA,CAAK,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA;AACnD,IAAA,OAAO,WAAW,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,QAAA,CAAS,QAAQ,CAAC,CAAA,CAAA;AAAA,EACvD;AAAA;AAAA,EAGA,MAAA,CAAO,SAAkC,SAAA,EAA4B;AACnE,IAAA,IAAI,CAAC,SAAA,CAAU,UAAA,CAAW,UAAU,GAAG,OAAO,KAAA;AAC9C,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAY,KAAK,SAAA,CAAU,OAAA,EAAS,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA,EAAM,CAAA;AACrE,MAAA,MAAM,KAAA,GAAY,IAAI,WAAA,EAAY,CAAE,OAAO,SAAS,CAAA;AACpD,MAAA,MAAM,QAAA,GAAY,OAAO,IAAA,CAAK,SAAA,CAAU,MAAM,UAAA,CAAW,MAAM,GAAG,QAAQ,CAAA;AAC1E,MAAA,OAAeA,kBAAA,CAAA,MAAA,CAAO,QAAA,EAAU,KAAA,EAAO,IAAA,CAAK,MAAM,CAAA;AAAA,IACpD,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,YAAA,GAAuB;AACzB,IAAA,OAAO,CAAA,QAAA,EAAW,OAAO,IAAA,CAAK,IAAA,CAAK,MAAM,CAAA,CAAE,QAAA,CAAS,KAAK,CAAC,CAAA,CAAA;AAAA,EAC5D;AACF;;;ACzGO,SAAS,kBAAkB,QAAA,EAA+B;AAC/D,EAAA,QAAA,CAAS,yBAA2B,UAAU,CAAA;AAC9C,EAAA,QAAA,CAAS,yBAA2B,UAAU,CAAA;AAC9C,EAAA,QAAA,CAAS,0BAA2B,WAAW,CAAA;AACjD","file":"index.cjs","sourcesContent":["// Copyright 2026 INNO LOTUS PTY LTD\n// SPDX-License-Identifier: Apache-2.0\n\nimport { EncodingTier, FrameType } from \"../core/frames.js\";\nimport type { NpsFrame } from \"../core/codec.js\";\n\nexport interface IdentMetadata {\n  issuer:       string;\n  issuedAt:     string;\n  expiresAt?:   string;\n  capabilities?: readonly string[];\n  scopes?:       readonly string[];\n}\n\nexport class IdentFrame implements NpsFrame {\n  readonly frameType     = FrameType.IDENT;\n  readonly preferredTier = EncodingTier.MSGPACK;\n\n  constructor(\n    public readonly nid:       string,\n    public readonly pubKey:    string,\n    public readonly metadata:  IdentMetadata,\n    public readonly signature: string,\n  ) {}\n\n  unsignedDict(): Record<string, unknown> {\n    return {\n      nid:      this.nid,\n      pub_key:  this.pubKey,\n      metadata: this.metadata,\n    };\n  }\n\n  toDict(): Record<string, unknown> {\n    return { ...this.unsignedDict(), signature: this.signature };\n  }\n\n  static fromDict(data: Record<string, unknown>): IdentFrame {\n    return new IdentFrame(\n      data[\"nid\"]       as string,\n      data[\"pub_key\"]   as string,\n      data[\"metadata\"]  as IdentMetadata,\n      data[\"signature\"] as string,\n    );\n  }\n}\n\nexport class TrustFrame implements NpsFrame {\n  readonly frameType     = FrameType.TRUST;\n  readonly preferredTier = EncodingTier.MSGPACK;\n\n  constructor(\n    public readonly issuerNid:  string,\n    public readonly subjectNid: string,\n    public readonly scopes:     readonly string[],\n    public readonly expiresAt:  string,\n    public readonly signature:  string,\n  ) {}\n\n  toDict(): Record<string, unknown> {\n    return {\n      issuer_nid:  this.issuerNid,\n      subject_nid: this.subjectNid,\n      scopes:      this.scopes,\n      expires_at:  this.expiresAt,\n      signature:   this.signature,\n    };\n  }\n\n  static fromDict(data: Record<string, unknown>): TrustFrame {\n    return new TrustFrame(\n      data[\"issuer_nid\"]  as string,\n      data[\"subject_nid\"] as string,\n      data[\"scopes\"]      as string[],\n      data[\"expires_at\"]  as string,\n      data[\"signature\"]   as string,\n    );\n  }\n}\n\nexport class RevokeFrame implements NpsFrame {\n  readonly frameType     = FrameType.REVOKE;\n  readonly preferredTier = EncodingTier.MSGPACK;\n\n  constructor(\n    public readonly nid:       string,\n    public readonly reason?:   string,\n    public readonly revokedAt?: string,\n  ) {}\n\n  toDict(): Record<string, unknown> {\n    return {\n      nid:        this.nid,\n      reason:     this.reason     ?? null,\n      revoked_at: this.revokedAt  ?? null,\n    };\n  }\n\n  static fromDict(data: Record<string, unknown>): RevokeFrame {\n    return new RevokeFrame(\n      data[\"nid\"]        as string,\n      (data[\"reason\"]     as string | null) ?? undefined,\n      (data[\"revoked_at\"] as string | null) ?? undefined,\n    );\n  }\n}\n","// Copyright 2026 INNO LOTUS PTY LTD\n// SPDX-License-Identifier: Apache-2.0\n\n/**\n * NipIdentity — Ed25519 key management and signing for NPS NID identity.\n * Uses @noble/ed25519 for signing; node:crypto for key storage encryption.\n */\n\nimport * as ed25519 from \"@noble/ed25519\";\nimport { sha512 } from \"@noble/hashes/sha512\";\nimport { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from \"node:crypto\";\nimport { readFileSync, writeFileSync } from \"node:fs\";\n\n// noble/ed25519 requires sha512 to be set explicitly in Node environments\ned25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));\n\nconst KEY_FILE_VERSION = 1;\nconst PBKDF2_ITERS     = 600_000;\nconst SALT_BYTES       = 16;\nconst IV_BYTES         = 12;\nconst KEY_BYTES        = 32;\n\ninterface KeyFileEnvelope {\n  version:    number;\n  salt:       string; // hex\n  iv:         string; // hex\n  ciphertext: string; // hex\n  pubKey:     string; // hex\n}\n\nexport class NipIdentity {\n  private constructor(\n    private readonly _privKey: Uint8Array,\n    public  readonly pubKey:   Uint8Array,\n  ) {}\n\n  // ── Factory ───────────────────────────────────────────────────────────────\n\n  static generate(): NipIdentity {\n    const priv = ed25519.utils.randomPrivateKey();\n    const pub  = ed25519.getPublicKey(priv);\n    return new NipIdentity(priv, pub);\n  }\n\n  static fromPrivateKey(privKey: Uint8Array): NipIdentity {\n    const pub = ed25519.getPublicKey(privKey);\n    return new NipIdentity(privKey, pub);\n  }\n\n  /** Load from an AES-256-GCM encrypted key file. */\n  static load(path: string, passphrase: string): NipIdentity {\n    const envelope = JSON.parse(readFileSync(path, \"utf8\")) as KeyFileEnvelope;\n    const salt      = Buffer.from(envelope.salt,       \"hex\");\n    const iv        = Buffer.from(envelope.iv,         \"hex\");\n    const ct        = Buffer.from(envelope.ciphertext, \"hex\");\n\n    const dk = pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, \"sha256\");\n    const decipher = createDecipheriv(\"aes-256-gcm\", dk, iv);\n    // Last 16 bytes of ciphertext are the GCM auth tag\n    const authTag = ct.slice(ct.length - 16);\n    const body    = ct.slice(0, ct.length - 16);\n    (decipher as ReturnType<typeof createDecipheriv> & { setAuthTag(tag: Buffer): void }).setAuthTag(authTag);\n    const priv = Buffer.concat([decipher.update(body), decipher.final()]);\n    return NipIdentity.fromPrivateKey(new Uint8Array(priv));\n  }\n\n  /** Save to an AES-256-GCM encrypted key file. */\n  save(path: string, passphrase: string): void {\n    const salt   = randomBytes(SALT_BYTES);\n    const iv     = randomBytes(IV_BYTES);\n    const dk     = pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, \"sha256\");\n    const cipher = createCipheriv(\"aes-256-gcm\", dk, iv);\n    const body   = Buffer.concat([cipher.update(Buffer.from(this._privKey)), cipher.final()]);\n    const tag    = (cipher as ReturnType<typeof createCipheriv> & { getAuthTag(): Buffer }).getAuthTag();\n\n    const envelope: KeyFileEnvelope = {\n      version:    KEY_FILE_VERSION,\n      salt:       salt.toString(\"hex\"),\n      iv:         iv.toString(\"hex\"),\n      ciphertext: Buffer.concat([body, tag]).toString(\"hex\"),\n      pubKey:     Buffer.from(this.pubKey).toString(\"hex\"),\n    };\n    writeFileSync(path, JSON.stringify(envelope, null, 2), \"utf8\");\n  }\n\n  // ── Signing ───────────────────────────────────────────────────────────────\n\n  /** Sign a dict payload. Returns `ed25519:<base64url>`. */\n  sign(payload: Record<string, unknown>): string {\n    const canonical = JSON.stringify(payload, Object.keys(payload).sort());\n    const bytes     = new TextEncoder().encode(canonical);\n    const sig       = ed25519.sign(bytes, this._privKey);\n    return `ed25519:${Buffer.from(sig).toString(\"base64\")}`;\n  }\n\n  /** Verify a signature string against a dict payload. */\n  verify(payload: Record<string, unknown>, signature: string): boolean {\n    if (!signature.startsWith(\"ed25519:\")) return false;\n    try {\n      const canonical = JSON.stringify(payload, Object.keys(payload).sort());\n      const bytes     = new TextEncoder().encode(canonical);\n      const sigBytes  = Buffer.from(signature.slice(\"ed25519:\".length), \"base64\");\n      return ed25519.verify(sigBytes, bytes, this.pubKey);\n    } catch {\n      return false;\n    }\n  }\n\n  /** Public key as `ed25519:<hex>` string. */\n  get pubKeyString(): string {\n    return `ed25519:${Buffer.from(this.pubKey).toString(\"hex\")}`;\n  }\n}\n","// Copyright 2026 INNO LOTUS PTY LTD\n// SPDX-License-Identifier: Apache-2.0\n\nimport { FrameRegistry } from \"../core/registry.js\";\nimport { FrameType } from \"../core/frames.js\";\nimport { IdentFrame, TrustFrame, RevokeFrame } from \"./frames.js\";\n\nexport function registerNipFrames(registry: FrameRegistry): void {\n  registry.register(FrameType.IDENT,  IdentFrame);\n  registry.register(FrameType.TRUST,  TrustFrame);\n  registry.register(FrameType.REVOKE, RevokeFrame);\n}\n"]}

package/dist/nip/index.d.cts

@@ -0,0 +1,65 @@
+import { N as NpsFrame, g as FrameType, c as EncodingTier, F as FrameRegistry } from '../codec-CmHeovTV.cjs';
+
+interface IdentMetadata {
+    issuer: string;
+    issuedAt: string;
+    expiresAt?: string;
+    capabilities?: readonly string[];
+    scopes?: readonly string[];
+}
+declare class IdentFrame implements NpsFrame {
+    readonly nid: string;
+    readonly pubKey: string;
+    readonly metadata: IdentMetadata;
+    readonly signature: string;
+    readonly frameType = FrameType.IDENT;
+    readonly preferredTier = EncodingTier.MSGPACK;
+    constructor(nid: string, pubKey: string, metadata: IdentMetadata, signature: string);
+    unsignedDict(): Record<string, unknown>;
+    toDict(): Record<string, unknown>;
+    static fromDict(data: Record<string, unknown>): IdentFrame;
+}
+declare class TrustFrame implements NpsFrame {
+    readonly issuerNid: string;
+    readonly subjectNid: string;
+    readonly scopes: readonly string[];
+    readonly expiresAt: string;
+    readonly signature: string;
+    readonly frameType = FrameType.TRUST;
+    readonly preferredTier = EncodingTier.MSGPACK;
+    constructor(issuerNid: string, subjectNid: string, scopes: readonly string[], expiresAt: string, signature: string);
+    toDict(): Record<string, unknown>;
+    static fromDict(data: Record<string, unknown>): TrustFrame;
+}
+declare class RevokeFrame implements NpsFrame {
+    readonly nid: string;
+    readonly reason?: string | undefined;
+    readonly revokedAt?: string | undefined;
+    readonly frameType = FrameType.REVOKE;
+    readonly preferredTier = EncodingTier.MSGPACK;
+    constructor(nid: string, reason?: string | undefined, revokedAt?: string | undefined);
+    toDict(): Record<string, unknown>;
+    static fromDict(data: Record<string, unknown>): RevokeFrame;
+}
+
+declare class NipIdentity {
+    private readonly _privKey;
+    readonly pubKey: Uint8Array;
+    private constructor();
+    static generate(): NipIdentity;
+    static fromPrivateKey(privKey: Uint8Array): NipIdentity;
+    /** Load from an AES-256-GCM encrypted key file. */
+    static load(path: string, passphrase: string): NipIdentity;
+    /** Save to an AES-256-GCM encrypted key file. */
+    save(path: string, passphrase: string): void;
+    /** Sign a dict payload. Returns `ed25519:<base64url>`. */
+    sign(payload: Record<string, unknown>): string;
+    /** Verify a signature string against a dict payload. */
+    verify(payload: Record<string, unknown>, signature: string): boolean;
+    /** Public key as `ed25519:<hex>` string. */
+    get pubKeyString(): string;
+}
+
+declare function registerNipFrames(registry: FrameRegistry): void;
+
+export { IdentFrame, type IdentMetadata, NipIdentity, RevokeFrame, TrustFrame, registerNipFrames };

package/dist/nip/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./frames.js";
+export * from "./identity.js";
+export { registerNipFrames } from "./registry.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/nip/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAGA,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC"}

package/dist/nip/index.js

@@ -0,0 +1,6 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export * from "./frames.js";
+export * from "./identity.js";
+export { registerNipFrames } from "./registry.js";
+//# sourceMappingURL=index.js.map

package/dist/nip/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC"}

package/dist/nip/registry.d.ts

@@ -0,0 +1,3 @@
+import { FrameRegistry } from "../core/registry.js";
+export declare function registerNipFrames(registry: FrameRegistry): void;
+//# sourceMappingURL=registry.d.ts.map

package/dist/nip/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/nip/registry.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAIpD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAI/D"}

package/dist/nip/registry.js

@@ -0,0 +1,10 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+import { FrameType } from "../core/frames.js";
+import { IdentFrame, TrustFrame, RevokeFrame } from "./frames.js";
+export function registerNipFrames(registry) {
+    registry.register(FrameType.IDENT, IdentFrame);
+    registry.register(FrameType.TRUST, TrustFrame);
+    registry.register(FrameType.REVOKE, RevokeFrame);
+}
+//# sourceMappingURL=registry.js.map

package/dist/nip/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/nip/registry.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAGtC,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAElE,MAAM,UAAU,iBAAiB,CAAC,QAAuB;IACvD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,EAAG,UAAU,CAAC,CAAC;IAChD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,EAAG,UAAU,CAAC,CAAC;IAChD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;AACnD,CAAC"}

package/dist/nop/client.d.ts

@@ -0,0 +1,34 @@
+import { EncodingTier } from "../core/frames.js";
+import { FrameRegistry } from "../core/registry.js";
+import { TaskState } from "./models.js";
+import type { TaskFrame } from "./frames.js";
+export declare class NopTaskStatus {
+    private readonly _raw;
+    constructor(_raw: Record<string, unknown>);
+    get taskId(): string;
+    get state(): TaskState;
+    get isTerminal(): boolean;
+    get aggregatedResult(): unknown;
+    get errorCode(): string | undefined;
+    get errorMessage(): string | undefined;
+    get nodeResults(): Record<string, unknown>;
+    get raw(): Record<string, unknown>;
+    toString(): string;
+}
+export declare class NopClient {
+    private readonly _baseUrl;
+    private readonly _codec;
+    private readonly _tier;
+    constructor(baseUrl: string, options?: {
+        defaultTier?: EncodingTier;
+        registry?: FrameRegistry;
+    });
+    submit(frame: TaskFrame): Promise<string>;
+    getStatus(taskId: string): Promise<NopTaskStatus>;
+    cancel(taskId: string): Promise<void>;
+    wait(taskId: string, options?: {
+        pollIntervalMs?: number;
+        timeoutMs?: number;
+    }): Promise<NopTaskStatus>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/nop/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/nop/client.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGpD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAQ7C,qBAAa,aAAa;IACZ,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAE1D,IAAI,MAAM,IAAc,MAAM,CAAyD;IACvF,IAAI,KAAK,IAAe,SAAS,CAAsD;IACvF,IAAI,UAAU,IAAU,OAAO,CAA6E;IAC5G,IAAI,gBAAgB,IAAI,OAAO,CAAuD;IACtF,IAAI,SAAS,IAAW,MAAM,GAAG,SAAS,CAAwE;IAClH,IAAI,YAAY,IAAQ,MAAM,GAAG,SAAS,CAAwE;IAClH,IAAI,WAAW,IAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAqF;IACpI,IAAI,GAAG,IAAiB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAsB;IAErE,QAAQ,IAAI,MAAM;CAGnB;AAED,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkB;IACzC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkB;gBAGtC,OAAO,EAAE,MAAM,EACf,OAAO,GAAE;QAAE,WAAW,CAAC,EAAE,YAAY,CAAC;QAAC,QAAQ,CAAC,EAAE,aAAa,CAAA;KAAO;IAclE,MAAM,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;IAYzC,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAQjD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQrC,IAAI,CACR,MAAM,EAAE,MAAM,EACd,OAAO,GAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAO,GAC5D,OAAO,CAAC,aAAa,CAAC;CAgB1B"}