@labacacia/nps-sdk 1.0.0-alpha.2 → 1.0.0-alpha.4

package/dist/nip/error-codes.js

@@ -0,0 +1,30 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/** NIP error code wire constants — mirror of `spec/error-codes.md` NIP section. */
+// ── Cert verification (v1 + v2) ──────────────────────────────────────────────
+export const CERT_EXPIRED = "NIP-CERT-EXPIRED";
+export const CERT_REVOKED = "NIP-CERT-REVOKED";
+export const CERT_SIGNATURE_INVALID = "NIP-CERT-SIGNATURE-INVALID";
+export const CERT_UNTRUSTED_ISSUER = "NIP-CERT-UNTRUSTED-ISSUER";
+export const CERT_CAPABILITY_MISSING = "NIP-CERT-CAPABILITY-MISSING";
+export const CERT_SCOPE_VIOLATION = "NIP-CERT-SCOPE-VIOLATION";
+// ── CA service ───────────────────────────────────────────────────────────────
+export const CA_NID_NOT_FOUND = "NIP-CA-NID-NOT-FOUND";
+export const CA_NID_ALREADY_EXISTS = "NIP-CA-NID-ALREADY-EXISTS";
+export const CA_SERIAL_DUPLICATE = "NIP-CA-SERIAL-DUPLICATE";
+export const CA_RENEWAL_TOO_EARLY = "NIP-CA-RENEWAL-TOO-EARLY";
+export const CA_SCOPE_EXPANSION_DENIED = "NIP-CA-SCOPE-EXPANSION-DENIED";
+export const OCSP_UNAVAILABLE = "NIP-OCSP-UNAVAILABLE";
+export const TRUST_FRAME_INVALID = "NIP-TRUST-FRAME-INVALID";
+// ── RFC-0003 (assurance level) ───────────────────────────────────────────────
+export const ASSURANCE_MISMATCH = "NIP-ASSURANCE-MISMATCH";
+export const ASSURANCE_UNKNOWN = "NIP-ASSURANCE-UNKNOWN";
+// ── RFC-0004 (reputation log) ────────────────────────────────────────────────
+export const REPUTATION_ENTRY_INVALID = "NIP-REPUTATION-ENTRY-INVALID";
+export const REPUTATION_LOG_UNREACHABLE = "NIP-REPUTATION-LOG-UNREACHABLE";
+// ── RFC-0002 (X.509 + ACME) ──────────────────────────────────────────────────
+export const CERT_FORMAT_INVALID = "NIP-CERT-FORMAT-INVALID";
+export const CERT_EKU_MISSING = "NIP-CERT-EKU-MISSING";
+export const CERT_SUBJECT_NID_MISMATCH = "NIP-CERT-SUBJECT-NID-MISMATCH";
+export const ACME_CHALLENGE_FAILED = "NIP-ACME-CHALLENGE-FAILED";
+//# sourceMappingURL=error-codes.js.map

package/dist/nip/error-codes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-codes.js","sourceRoot":"","sources":["../../src/nip/error-codes.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,mFAAmF;AAEnF,gFAAgF;AAChF,MAAM,CAAC,MAAM,YAAY,GAAc,kBAAkB,CAAC;AAC1D,MAAM,CAAC,MAAM,YAAY,GAAc,kBAAkB,CAAC;AAC1D,MAAM,CAAC,MAAM,sBAAsB,GAAI,4BAA4B,CAAC;AACpE,MAAM,CAAC,MAAM,qBAAqB,GAAK,2BAA2B,CAAC;AACnE,MAAM,CAAC,MAAM,uBAAuB,GAAG,6BAA6B,CAAC;AACrE,MAAM,CAAC,MAAM,oBAAoB,GAAM,0BAA0B,CAAC;AAElE,gFAAgF;AAChF,MAAM,CAAC,MAAM,gBAAgB,GAAY,sBAAsB,CAAC;AAChE,MAAM,CAAC,MAAM,qBAAqB,GAAO,2BAA2B,CAAC;AACrE,MAAM,CAAC,MAAM,mBAAmB,GAAS,yBAAyB,CAAC;AACnE,MAAM,CAAC,MAAM,oBAAoB,GAAQ,0BAA0B,CAAC;AACpE,MAAM,CAAC,MAAM,yBAAyB,GAAG,+BAA+B,CAAC;AAEzE,MAAM,CAAC,MAAM,gBAAgB,GAAO,sBAAsB,CAAC;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAI,yBAAyB,CAAC;AAE9D,gFAAgF;AAChF,MAAM,CAAC,MAAM,kBAAkB,GAAG,wBAAwB,CAAC;AAC3D,MAAM,CAAC,MAAM,iBAAiB,GAAI,uBAAuB,CAAC;AAE1D,gFAAgF;AAChF,MAAM,CAAC,MAAM,wBAAwB,GAAM,8BAA8B,CAAC;AAC1E,MAAM,CAAC,MAAM,0BAA0B,GAAI,gCAAgC,CAAC;AAE5E,gFAAgF;AAChF,MAAM,CAAC,MAAM,mBAAmB,GAAS,yBAAyB,CAAC;AACnE,MAAM,CAAC,MAAM,gBAAgB,GAAY,sBAAsB,CAAC;AAChE,MAAM,CAAC,MAAM,yBAAyB,GAAG,+BAA+B,CAAC;AACzE,MAAM,CAAC,MAAM,qBAAqB,GAAO,2BAA2B,CAAC"}

package/dist/nip/frames.d.ts

@@ -1,5 +1,6 @@
 import { EncodingTier, FrameType } from "../core/frames.js";
 import type { NpsFrame } from "../core/codec.js";
+import { AssuranceLevel } from "./assurance-level.js";
 export interface IdentMetadata {
     issuer: string;
     issuedAt: string;
@@ -7,6 +8,11 @@ export interface IdentMetadata {
     capabilities?: readonly string[];
     scopes?: readonly string[];
 }
+export interface IdentFrameOptions {
+    assuranceLevel?: AssuranceLevel | null;
+    certFormat?: string | null;
+    certChain?: readonly string[] | null;
+}
 export declare class IdentFrame implements NpsFrame {
     readonly nid: string;
     readonly pubKey: string;
@@ -14,7 +20,10 @@ export declare class IdentFrame implements NpsFrame {
     readonly signature: string;
     readonly frameType = FrameType.IDENT;
     readonly preferredTier = EncodingTier.MSGPACK;
-    constructor(nid: string, pubKey: string, metadata: IdentMetadata, signature: string);
+    readonly assuranceLevel: AssuranceLevel | null;
+    readonly certFormat: string | null;
+    readonly certChain: readonly string[] | null;
+    constructor(nid: string, pubKey: string, metadata: IdentMetadata, signature: string, options?: IdentFrameOptions);
     unsignedDict(): Record<string, unknown>;
     toDict(): Record<string, unknown>;
     static fromDict(data: Record<string, unknown>): IdentFrame;

package/dist/nip/frames.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"frames.d.ts","sourceRoot":"","sources":["../../src/nip/frames.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAQ,MAAM,CAAC;IACrB,QAAQ,EAAM,MAAM,CAAC;IACrB,SAAS,CAAC,EAAI,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,MAAM,CAAC,EAAQ,SAAS,MAAM,EAAE,CAAC;CAClC;AAED,qBAAa,UAAW,YAAW,QAAQ;aAKvB,GAAG,EAAQ,MAAM;aACjB,MAAM,EAAK,MAAM;aACjB,QAAQ,EAAG,aAAa;aACxB,SAAS,EAAE,MAAM;IAPnC,QAAQ,CAAC,SAAS,mBAAuB;IACzC,QAAQ,CAAC,aAAa,wBAAwB;gBAG5B,GAAG,EAAQ,MAAM,EACjB,MAAM,EAAK,MAAM,EACjB,QAAQ,EAAG,aAAa,EACxB,SAAS,EAAE,MAAM;IAGnC,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAQvC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAIjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU;CAQ3D;AAED,qBAAa,UAAW,YAAW,QAAQ;aAKvB,SAAS,EAAG,MAAM;aAClB,UAAU,EAAE,MAAM;aAClB,MAAM,EAAM,SAAS,MAAM,EAAE;aAC7B,SAAS,EAAG,MAAM;aAClB,SAAS,EAAG,MAAM;IARpC,QAAQ,CAAC,SAAS,mBAAuB;IACzC,QAAQ,CAAC,aAAa,wBAAwB;gBAG5B,SAAS,EAAG,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAM,SAAS,MAAM,EAAE,EAC7B,SAAS,EAAG,MAAM,EAClB,SAAS,EAAG,MAAM;IAGpC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAUjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU;CAS3D;AAED,qBAAa,WAAY,YAAW,QAAQ;aAKxB,GAAG,EAAQ,MAAM;aACjB,MAAM,CAAC,EAAI,MAAM;aACjB,SAAS,CAAC,EAAE,MAAM;IANpC,QAAQ,CAAC,SAAS,oBAAwB;IAC1C,QAAQ,CAAC,aAAa,wBAAwB;gBAG5B,GAAG,EAAQ,MAAM,EACjB,MAAM,CAAC,EAAI,MAAM,YAAA,EACjB,SAAS,CAAC,EAAE,MAAM,YAAA;IAGpC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAQjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW;CAO5D"}
+{"version":3,"file":"frames.d.ts","sourceRoot":"","sources":["../../src/nip/frames.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAQ,MAAM,CAAC;IACrB,QAAQ,EAAM,MAAM,CAAC;IACrB,SAAS,CAAC,EAAI,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,MAAM,CAAC,EAAQ,SAAS,MAAM,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,UAAU,CAAC,EAAM,MAAM,GAAG,IAAI,CAAC;IAC/B,SAAS,CAAC,EAAO,SAAS,MAAM,EAAE,GAAG,IAAI,CAAC;CAC3C;AAED,qBAAa,UAAW,YAAW,QAAQ;aASvB,GAAG,EAAQ,MAAM;aACjB,MAAM,EAAK,MAAM;aACjB,QAAQ,EAAG,aAAa;aACxB,SAAS,EAAE,MAAM;IAXnC,QAAQ,CAAC,SAAS,mBAAuB;IACzC,QAAQ,CAAC,aAAa,wBAAwB;IAE9C,QAAQ,CAAC,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/C,QAAQ,CAAC,UAAU,EAAM,MAAM,GAAG,IAAI,CAAC;IACvC,QAAQ,CAAC,SAAS,EAAO,SAAS,MAAM,EAAE,GAAG,IAAI,CAAC;gBAGhC,GAAG,EAAQ,MAAM,EACjB,MAAM,EAAK,MAAM,EACjB,QAAQ,EAAG,aAAa,EACxB,SAAS,EAAE,MAAM,EACjC,OAAO,GAAqB,iBAAsB;IAOpD,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAYvC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAOjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU;CAiB3D;AAED,qBAAa,UAAW,YAAW,QAAQ;aAKvB,SAAS,EAAG,MAAM;aAClB,UAAU,EAAE,MAAM;aAClB,MAAM,EAAM,SAAS,MAAM,EAAE;aAC7B,SAAS,EAAG,MAAM;aAClB,SAAS,EAAG,MAAM;IARpC,QAAQ,CAAC,SAAS,mBAAuB;IACzC,QAAQ,CAAC,aAAa,wBAAwB;gBAG5B,SAAS,EAAG,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAM,SAAS,MAAM,EAAE,EAC7B,SAAS,EAAG,MAAM,EAClB,SAAS,EAAG,MAAM;IAGpC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAUjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU;CAS3D;AAED,qBAAa,WAAY,YAAW,QAAQ;aAKxB,GAAG,EAAQ,MAAM;aACjB,MAAM,CAAC,EAAI,MAAM;aACjB,SAAS,CAAC,EAAE,MAAM;IANpC,QAAQ,CAAC,SAAS,oBAAwB;IAC1C,QAAQ,CAAC,aAAa,wBAAwB;gBAG5B,GAAG,EAAQ,MAAM,EACjB,MAAM,CAAC,EAAI,MAAM,YAAA,EACjB,SAAS,CAAC,EAAE,MAAM,YAAA;IAGpC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAQjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW;CAO5D"}

package/dist/nip/frames.js

@@ -1,6 +1,7 @@
 // Copyright 2026 INNO LOTUS PTY LTD
 // SPDX-License-Identifier: Apache-2.0
 import { EncodingTier, FrameType } from "../core/frames.js";
+import { AssuranceLevel } from "./assurance-level.js";
 export class IdentFrame {
     nid;
     pubKey;
@@ -8,24 +9,48 @@ export class IdentFrame {
     signature;
     frameType = FrameType.IDENT;
     preferredTier = EncodingTier.MSGPACK;
-    constructor(nid, pubKey, metadata, signature) {
+    assuranceLevel;
+    certFormat;
+    certChain;
+    constructor(nid, pubKey, metadata, signature, options = {}) {
         this.nid = nid;
         this.pubKey = pubKey;
         this.metadata = metadata;
         this.signature = signature;
+        this.assuranceLevel = options.assuranceLevel ?? null;
+        this.certFormat = options.certFormat ?? null;
+        this.certChain = options.certChain ?? null;
     }
     unsignedDict() {
-        return {
+        const out = {
             nid: this.nid,
             pub_key: this.pubKey,
             metadata: this.metadata,
         };
+        if (this.assuranceLevel !== null)
+            out["assurance_level"] = this.assuranceLevel.wire;
+        // cert_format / cert_chain deliberately excluded from the signed payload —
+        // the v1 Ed25519 signature covers only (nid, pub_key, metadata, [assurance_level]).
+        return out;
     }
     toDict() {
-        return { ...this.unsignedDict(), signature: this.signature };
+        const out = { ...this.unsignedDict(), signature: this.signature };
+        if (this.certFormat !== null)
+            out["cert_format"] = this.certFormat;
+        if (this.certChain !== null)
+            out["cert_chain"] = [...this.certChain];
+        return out;
     }
     static fromDict(data) {
-        return new IdentFrame(data["nid"], data["pub_key"], data["metadata"], data["signature"]);
+        const lvl = data["assurance_level"];
+        const assuranceLevel = typeof lvl === "string" ? AssuranceLevel.fromWire(lvl) : null;
+        const chainRaw = data["cert_chain"];
+        const certChain = Array.isArray(chainRaw) ? chainRaw : null;
+        return new IdentFrame(data["nid"], data["pub_key"], data["metadata"], data["signature"], {
+            assuranceLevel,
+            certFormat: data["cert_format"] ?? null,
+            certChain,
+        });
     }
 }
 export class TrustFrame {

package/dist/nip/frames.js.map

@@ -1 +1 @@
-{"version":3,"file":"frames.js","sourceRoot":"","sources":["../../src/nip/frames.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAW5D,MAAM,OAAO,UAAU;IAKH;IACA;IACA;IACA;IAPT,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,GAAiB,EACjB,MAAiB,EACjB,QAAwB,EACxB,SAAiB;QAHjB,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAQ;IAChC,CAAC;IAEJ,YAAY;QACV,OAAO;YACL,GAAG,EAAO,IAAI,CAAC,GAAG;YAClB,OAAO,EAAG,IAAI,CAAC,MAAM;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,MAAM;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/D,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,KAAK,CAAiB,EAC3B,IAAI,CAAC,SAAS,CAAa,EAC3B,IAAI,CAAC,UAAU,CAAmB,EAClC,IAAI,CAAC,WAAW,CAAW,CAC5B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,UAAU;IAKH;IACA;IACA;IACA;IACA;IART,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,SAAkB,EAClB,UAAkB,EAClB,MAA6B,EAC7B,SAAkB,EAClB,SAAkB;QAJlB,cAAS,GAAT,SAAS,CAAS;QAClB,eAAU,GAAV,UAAU,CAAQ;QAClB,WAAM,GAAN,MAAM,CAAuB;QAC7B,cAAS,GAAT,SAAS,CAAS;QAClB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,WAAW,EAAE,IAAI,CAAC,UAAU;YAC5B,MAAM,EAAO,IAAI,CAAC,MAAM;YACxB,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,SAAS,EAAI,IAAI,CAAC,SAAS;SAC5B,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,aAAa,CAAW,EAC7B,IAAI,CAAC,QAAQ,CAAkB,EAC/B,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,WAAW,CAAa,CAC9B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,WAAW;IAKJ;IACA;IACA;IANT,SAAS,GAAO,SAAS,CAAC,MAAM,CAAC;IACjC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,GAAiB,EACjB,MAAiB,EACjB,SAAkB;QAFlB,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,GAAG,EAAS,IAAI,CAAC,GAAG;YACpB,MAAM,EAAM,IAAI,CAAC,MAAM,IAAQ,IAAI;YACnC,UAAU,EAAE,IAAI,CAAC,SAAS,IAAK,IAAI;SACpC,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,WAAW,CACpB,IAAI,CAAC,KAAK,CAAkB,EAC3B,IAAI,CAAC,QAAQ,CAAuB,IAAI,SAAS,EACjD,IAAI,CAAC,YAAY,CAAmB,IAAI,SAAS,CACnD,CAAC;IACJ,CAAC;CACF"}
+{"version":3,"file":"frames.js","sourceRoot":"","sources":["../../src/nip/frames.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAgBtD,MAAM,OAAO,UAAU;IASH;IACA;IACA;IACA;IAXT,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAErC,cAAc,CAAwB;IACtC,UAAU,CAAoB;IAC9B,SAAS,CAAgC;IAElD,YACkB,GAAiB,EACjB,MAAiB,EACjB,QAAwB,EACxB,SAAiB,EACjC,UAAgD,EAAE;QAJlC,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAQ;QAGjC,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,IAAI,CAAC;QACrD,IAAI,CAAC,UAAU,GAAO,OAAO,CAAC,UAAU,IAAQ,IAAI,CAAC;QACrD,IAAI,CAAC,SAAS,GAAQ,OAAO,CAAC,SAAS,IAAS,IAAI,CAAC;IACvD,CAAC;IAED,YAAY;QACV,MAAM,GAAG,GAA4B;YACnC,GAAG,EAAO,IAAI,CAAC,GAAG;YAClB,OAAO,EAAG,IAAI,CAAC,MAAM;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;YAAE,GAAG,CAAC,iBAAiB,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC;QACpF,2EAA2E;QAC3E,oFAAoF;QACpF,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM;QACJ,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;QAC3F,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI;YAAE,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC;QACnE,IAAI,IAAI,CAAC,SAAS,KAAM,IAAI;YAAE,GAAG,CAAC,YAAY,CAAC,GAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QACvE,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpC,MAAM,cAAc,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACrF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAE,QAAqB,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1E,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,KAAK,CAAiB,EAC3B,IAAI,CAAC,SAAS,CAAa,EAC3B,IAAI,CAAC,UAAU,CAAmB,EAClC,IAAI,CAAC,WAAW,CAAW,EAC3B;YACE,cAAc;YACd,UAAU,EAAG,IAAI,CAAC,aAAa,CAAwB,IAAI,IAAI;YAC/D,SAAS;SACV,CACF,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,UAAU;IAKH;IACA;IACA;IACA;IACA;IART,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,SAAkB,EAClB,UAAkB,EAClB,MAA6B,EAC7B,SAAkB,EAClB,SAAkB;QAJlB,cAAS,GAAT,SAAS,CAAS;QAClB,eAAU,GAAV,UAAU,CAAQ;QAClB,WAAM,GAAN,MAAM,CAAuB;QAC7B,cAAS,GAAT,SAAS,CAAS;QAClB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,WAAW,EAAE,IAAI,CAAC,UAAU;YAC5B,MAAM,EAAO,IAAI,CAAC,MAAM;YACxB,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,SAAS,EAAI,IAAI,CAAC,SAAS;SAC5B,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,aAAa,CAAW,EAC7B,IAAI,CAAC,QAAQ,CAAkB,EAC/B,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,WAAW,CAAa,CAC9B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,WAAW;IAKJ;IACA;IACA;IANT,SAAS,GAAO,SAAS,CAAC,MAAM,CAAC;IACjC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,GAAiB,EACjB,MAAiB,EACjB,SAAkB;QAFlB,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,GAAG,EAAS,IAAI,CAAC,GAAG;YACpB,MAAM,EAAM,IAAI,CAAC,MAAM,IAAQ,IAAI;YACnC,UAAU,EAAE,IAAI,CAAC,SAAS,IAAK,IAAI;SACpC,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,WAAW,CACpB,IAAI,CAAC,KAAK,CAAkB,EAC3B,IAAI,CAAC,QAAQ,CAAuB,IAAI,SAAS,EACjD,IAAI,CAAC,YAAY,CAAmB,IAAI,SAAS,CACnD,CAAC;IACJ,CAAC;CACF"}

package/dist/nip/index.d.ts

@@ -1,4 +1,10 @@
 export * from "./frames.js";
 export * from "./identity.js";
 export { registerNipFrames } from "./registry.js";
+export * from "./assurance-level.js";
+export * from "./cert-format.js";
+export * from "./error-codes.js";
+export * from "./verifier.js";
+export * as x509 from "./x509/index.js";
+export * as acme from "./acme/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/nip/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAGA,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAGA,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC"}

package/dist/nip/index.js

@@ -3,4 +3,11 @@
 export * from "./frames.js";
 export * from "./identity.js";
 export { registerNipFrames } from "./registry.js";
+// RFC-0002 / RFC-0003 — X.509 + ACME + dual-trust verifier
+export * from "./assurance-level.js";
+export * from "./cert-format.js";
+export * from "./error-codes.js";
+export * from "./verifier.js";
+export * as x509 from "./x509/index.js";
+export * as acme from "./acme/index.js";
 //# sourceMappingURL=index.js.map

package/dist/nip/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD,2DAA2D;AAC3D,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC"}

package/dist/nip/verifier.d.ts

@@ -0,0 +1,23 @@
+import type { X509Certificate } from "@peculiar/x509";
+import { AssuranceLevel } from "./assurance-level.js";
+import type { IdentFrame } from "./frames.js";
+export interface NipVerifierOptions {
+    /** Map of issuer NID → CA public key string (`ed25519:<hex>`). */
+    trustedCaPublicKeys?: Readonly<Record<string, string>>;
+    /** X.509 trust anchors. Empty/undefined makes Step 3b reject v2 frames. */
+    trustedX509Roots?: readonly X509Certificate[];
+    /** Minimum required assurance level (NPS-RFC-0003). */
+    minAssuranceLevel?: AssuranceLevel;
+}
+export interface NipIdentVerifyResult {
+    valid: boolean;
+    stepFailed: number;
+    errorCode?: string;
+    message?: string;
+}
+export declare class NipIdentVerifier {
+    readonly options: NipVerifierOptions;
+    constructor(options: NipVerifierOptions);
+    verify(frame: IdentFrame, issuerNid: string): Promise<NipIdentVerifyResult>;
+}
+//# sourceMappingURL=verifier.d.ts.map

package/dist/nip/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../src/nip/verifier.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEtD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAM9C,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,mBAAmB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACvD,2EAA2E;IAC3E,gBAAgB,CAAC,EAAK,SAAS,eAAe,EAAE,CAAC;IACjD,uDAAuD;IACvD,iBAAiB,CAAC,EAAI,cAAc,CAAC;CACtC;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAO,OAAO,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAI,MAAM,CAAC;CACpB;AAQD,qBAAa,gBAAgB;aACC,OAAO,EAAE,kBAAkB;gBAA3B,OAAO,EAAE,kBAAkB;IAEjD,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAsDlF"}

package/dist/nip/verifier.js

@@ -0,0 +1,90 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * NipIdentVerifier — Phase 1 dual-trust IdentFrame verifier per NPS-RFC-0002 §8.1.
+ *
+ * Steps:
+ *   1.  v1 Ed25519 signature check against the issuer's CA public key.
+ *   2.  Optional minimum assurance level check.
+ *   3b. X.509 chain validation (only if `cert_format === "v2-x509"` AND
+ *       `trustedX509Roots` is configured).
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { AssuranceLevel } from "./assurance-level.js";
+import * as cf from "./cert-format.js";
+import * as ec from "./error-codes.js";
+import { verify as verifyX509 } from "./x509/verifier.js";
+// noble/ed25519 needs sha512 wired up.
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+function ok() { return { valid: true, stepFailed: 0 }; }
+function fail(stepFailed, errorCode, message) {
+    return { valid: false, stepFailed, errorCode, message };
+}
+export class NipIdentVerifier {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    async verify(frame, issuerNid) {
+        // Step 1: v1 Ed25519 signature check ────────────────────────────────
+        const caPubKeyStr = this.options.trustedCaPublicKeys?.[issuerNid];
+        if (caPubKeyStr === undefined) {
+            return fail(1, ec.CERT_UNTRUSTED_ISSUER, `no trusted CA public key for issuer: ${issuerNid}`);
+        }
+        if (!frame.signature?.startsWith("ed25519:")) {
+            return fail(1, ec.CERT_SIGNATURE_INVALID, "missing or malformed signature");
+        }
+        try {
+            const caPubBytes = parsePubKeyString(caPubKeyStr);
+            const sigBytes = Buffer.from(frame.signature.slice("ed25519:".length), "base64");
+            const canonical = canonicalJson(frame.unsignedDict());
+            const msg = new TextEncoder().encode(canonical);
+            if (!ed25519.verify(sigBytes, msg, caPubBytes)) {
+                return fail(1, ec.CERT_SIGNATURE_INVALID, "v1 Ed25519 signature did not verify against issuer CA key");
+            }
+        }
+        catch (e) {
+            return fail(1, ec.CERT_SIGNATURE_INVALID, `v1 signature verification error: ${e.message}`);
+        }
+        // Step 2: minimum assurance level ───────────────────────────────────
+        const minLevel = this.options.minAssuranceLevel;
+        if (minLevel !== undefined) {
+            const got = frame.assuranceLevel ?? AssuranceLevel.ANONYMOUS;
+            if (!got.meetsOrExceeds(minLevel)) {
+                return fail(2, ec.ASSURANCE_MISMATCH, `assurance_level (${got.wire}) below required minimum (${minLevel.wire})`);
+            }
+        }
+        // Step 3b: X.509 chain check (only if both opt-ins present) ──────────
+        const trustedRoots = this.options.trustedX509Roots ?? [];
+        const hasV2Trust = trustedRoots.length > 0;
+        const isV2Frame = frame.certFormat === cf.V2_X509;
+        if (hasV2Trust && isV2Frame) {
+            const x509Result = await verifyX509({
+                certChainBase64UrlDer: frame.certChain ?? [],
+                assertedNid: frame.nid,
+                assertedAssuranceLevel: frame.assuranceLevel,
+                trustedRootCerts: trustedRoots,
+            });
+            if (!x509Result.valid) {
+                return fail(3, x509Result.errorCode ?? ec.CERT_FORMAT_INVALID, x509Result.message ?? "X.509 chain validation failed");
+            }
+        }
+        return ok();
+    }
+}
+/**
+ * Canonical JSON matching NipIdentity.sign — top-level keys filtered/ordered
+ * via `Object.keys(payload).sort()` as JSON.stringify replacer.
+ */
+function canonicalJson(payload) {
+    return JSON.stringify(payload, Object.keys(payload).sort());
+}
+/** Parse `ed25519:<hex>` into a 32-byte Uint8Array public key. */
+function parsePubKeyString(s) {
+    if (!s.startsWith("ed25519:")) {
+        throw new Error(`Unsupported public key format: ${s}`);
+    }
+    return new Uint8Array(Buffer.from(s.slice("ed25519:".length), "hex"));
+}
+//# sourceMappingURL=verifier.js.map

package/dist/nip/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../src/nip/verifier.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;GAQG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAG9C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAEvC,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAE1D,uCAAuC;AACvC,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAkBzE,SAAS,EAAE,KAA2B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAE9E,SAAS,IAAI,CAAC,UAAkB,EAAE,SAAiB,EAAE,OAAe;IAClE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;AAC1D,CAAC;AAED,MAAM,OAAO,gBAAgB;IACC;IAA5B,YAA4B,OAA2B;QAA3B,YAAO,GAAP,OAAO,CAAoB;IAAG,CAAC;IAE3D,KAAK,CAAC,MAAM,CAAC,KAAiB,EAAE,SAAiB;QAC/C,sEAAsE;QACtE,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,SAAS,CAAC,CAAC;QAClE,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,EACrC,wCAAwC,SAAS,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7C,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EAAE,gCAAgC,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAClD,MAAM,QAAQ,GAAK,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;YACnF,MAAM,SAAS,GAAI,aAAa,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;YACvD,MAAM,GAAG,GAAU,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;gBAC/C,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EACtC,2DAA2D,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EACtC,oCAAqC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,sEAAsE;QACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC;QAChD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,cAAc,IAAI,cAAc,CAAC,SAAS,CAAC;YAC7D,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,EAClC,oBAAoB,GAAG,CAAC,IAAI,6BAA6B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACzD,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAI,KAAK,CAAC,UAAU,KAAK,EAAE,CAAC,OAAO,CAAC;QACnD,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;YAC5B,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC;gBAClC,qBAAqB,EAAG,KAAK,CAAC,SAAS,IAAI,EAAE;gBAC7C,WAAW,EAAa,KAAK,CAAC,GAAG;gBACjC,sBAAsB,EAAE,KAAK,CAAC,cAAc;gBAC5C,gBAAgB,EAAQ,YAAY;aACrC,CAAC,CAAC;YACH,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,IAAI,CAAC,CAAC,EACX,UAAU,CAAC,SAAS,IAAI,EAAE,CAAC,mBAAmB,EAC9C,UAAU,CAAC,OAAO,IAAM,+BAA+B,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;CACF;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,OAAgC;IACrD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,kEAAkE;AAClE,SAAS,iBAAiB,CAAC,CAAS;IAClC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/nip/x509/builder.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Issues NPS X.509 NID certificates per NPS-RFC-0002 §4.
+ *
+ * Backed by @peculiar/x509 + Web Crypto Ed25519 (Node 22+).
+ *
+ * Two factory functions:
+ * - {@link issueLeaf} — leaf cert with critical NPS EKU + SAN URI = NID + assurance-level extension.
+ * - {@link issueRoot} — self-signed root for testing / private-CA use.
+ */
+import * as x509 from "@peculiar/x509";
+import { AssuranceLevel } from "../assurance-level.js";
+export type LeafRole = "agent" | "node";
+export interface IssueLeafOptions {
+    subjectNid: string;
+    subjectPublicKey: CryptoKey;
+    caKeys: CryptoKeyPair;
+    issuerNid: string;
+    role: LeafRole;
+    assuranceLevel: AssuranceLevel;
+    notBefore: Date;
+    notAfter: Date;
+    serialNumber: string;
+}
+export interface IssueRootOptions {
+    caNid: string;
+    caKeys: CryptoKeyPair;
+    notBefore: Date;
+    notAfter: Date;
+    serialNumber: string;
+}
+/** Issue a leaf NPS NID certificate (RFC-0002 §4.1). */
+export declare function issueLeaf(opts: IssueLeafOptions): Promise<x509.X509Certificate>;
+/** Issue a self-signed CA root cert (testing / private CA). */
+export declare function issueRoot(opts: IssueRootOptions): Promise<x509.X509Certificate>;
+//# sourceMappingURL=builder.d.ts.map

package/dist/nip/x509/builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/builder.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAOvD,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAC;AAExC,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAU,MAAM,CAAC;IAC3B,gBAAgB,EAAI,SAAS,CAAC;IAC9B,MAAM,EAAc,aAAa,CAAC;IAClC,SAAS,EAAW,MAAM,CAAC;IAC3B,IAAI,EAAgB,QAAQ,CAAC;IAC7B,cAAc,EAAM,cAAc,CAAC;IACnC,SAAS,EAAW,IAAI,CAAC;IACzB,QAAQ,EAAY,IAAI,CAAC;IACzB,YAAY,EAAQ,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAe,MAAM,CAAC;IAC3B,MAAM,EAAc,aAAa,CAAC;IAClC,SAAS,EAAW,IAAI,CAAC;IACzB,QAAQ,EAAY,IAAI,CAAC;IACzB,YAAY,EAAQ,MAAM,CAAC;CAC5B;AAED,wDAAwD;AACxD,wBAAsB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAuBrF;AAED,+DAA+D;AAC/D,wBAAsB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAcrF"}

package/dist/nip/x509/builder.js

@@ -0,0 +1,59 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Issues NPS X.509 NID certificates per NPS-RFC-0002 §4.
+ *
+ * Backed by @peculiar/x509 + Web Crypto Ed25519 (Node 22+).
+ *
+ * Two factory functions:
+ * - {@link issueLeaf} — leaf cert with critical NPS EKU + SAN URI = NID + assurance-level extension.
+ * - {@link issueRoot} — self-signed root for testing / private-CA use.
+ */
+import * as x509 from "@peculiar/x509";
+import { EKU_AGENT_IDENTITY, EKU_NODE_IDENTITY, NID_ASSURANCE_LEVEL } from "./oids.js";
+// Initialize @peculiar/x509 cryptoProvider once on first import. Web Crypto
+// (globalThis.crypto) supports Ed25519 in Node 18+.
+x509.cryptoProvider.set(globalThis.crypto);
+/** Issue a leaf NPS NID certificate (RFC-0002 §4.1). */
+export async function issueLeaf(opts) {
+    const ekuOid = opts.role === "node" ? EKU_NODE_IDENTITY : EKU_AGENT_IDENTITY;
+    // ASN.1 ENUMERATED encoding of assurance level: tag=0x0A, len=0x01, value=<rank>.
+    const assuranceDer = new Uint8Array([0x0A, 0x01, opts.assuranceLevel.rank]);
+    return x509.X509CertificateGenerator.create({
+        serialNumber: opts.serialNumber,
+        issuer: `CN=${escapeDn(opts.issuerNid)}`,
+        subject: `CN=${escapeDn(opts.subjectNid)}`,
+        notBefore: opts.notBefore,
+        notAfter: opts.notAfter,
+        publicKey: opts.subjectPublicKey,
+        signingAlgorithm: { name: "Ed25519" },
+        signingKey: opts.caKeys.privateKey,
+        extensions: [
+            new x509.BasicConstraintsExtension(false, undefined, true),
+            new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true),
+            new x509.ExtendedKeyUsageExtension([ekuOid], true),
+            new x509.SubjectAlternativeNameExtension([{ type: "url", value: opts.subjectNid }], false),
+            new x509.Extension(NID_ASSURANCE_LEVEL, false, assuranceDer),
+        ],
+    });
+}
+/** Issue a self-signed CA root cert (testing / private CA). */
+export async function issueRoot(opts) {
+    return x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: opts.serialNumber,
+        name: `CN=${escapeDn(opts.caNid)}`,
+        notBefore: opts.notBefore,
+        notAfter: opts.notAfter,
+        signingAlgorithm: { name: "Ed25519" },
+        keys: opts.caKeys,
+        extensions: [
+            new x509.BasicConstraintsExtension(true, undefined, true),
+            new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
+        ],
+    });
+}
+function escapeDn(value) {
+    // Escape characters that have special meaning in RFC 4514 DN syntax.
+    return value.replace(/([",+;<>\\])/g, "\\$1");
+}
+//# sourceMappingURL=builder.js.map

package/dist/nip/x509/builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"builder.js","sourceRoot":"","sources":["../../../src/nip/x509/builder.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;GAQG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAGvC,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAEvF,4EAA4E;AAC5E,oDAAoD;AACpD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAwB3C,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAsB;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAE7E,kFAAkF;IAClF,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IAE5E,OAAO,IAAI,CAAC,wBAAwB,CAAC,MAAM,CAAC;QAC1C,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,MAAM,EAAQ,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;QAC9C,OAAO,EAAO,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;QAC/C,SAAS,EAAK,IAAI,CAAC,SAAS;QAC5B,QAAQ,EAAM,IAAI,CAAC,QAAQ;QAC3B,SAAS,EAAK,IAAI,CAAC,gBAAgB;QACnC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;QACrC,UAAU,EAAI,IAAI,CAAC,MAAM,CAAC,UAAU;QACpC,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC;YAC1D,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC;YAClD,IAAI,IAAI,CAAC,+BAA+B,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,KAAK,CAAC;YAC1F,IAAI,IAAI,CAAC,SAAS,CAAC,mBAAmB,EAAE,KAAK,EAAE,YAAY,CAAC;SAC7D;KACF,CAAC,CAAC;AACL,CAAC;AAED,+DAA+D;AAC/D,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAsB;IACpD,OAAO,IAAI,CAAC,wBAAwB,CAAC,gBAAgB,CAAC;QACpD,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,IAAI,EAAU,MAAM,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;QAC1C,SAAS,EAAK,IAAI,CAAC,SAAS;QAC5B,QAAQ,EAAM,IAAI,CAAC,QAAQ;QAC3B,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;QACrC,IAAI,EAAU,IAAI,CAAC,MAAM;QACzB,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,yBAAyB,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC;YACzD,IAAI,IAAI,CAAC,kBAAkB,CACzB,IAAI,CAAC,aAAa,CAAC,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC;SACrE;KACF,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,KAAa;IAC7B,qEAAqE;IACrE,OAAO,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC"}

package/dist/nip/x509/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./builder.js";
+export * from "./oids.js";
+export * from "./verifier.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/nip/x509/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/index.ts"],"names":[],"mappings":"AAGA,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC"}

package/dist/nip/x509/index.js

@@ -0,0 +1,6 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export * from "./builder.js";
+export * from "./oids.js";
+export * from "./verifier.js";
+//# sourceMappingURL=index.js.map

package/dist/nip/x509/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/nip/x509/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC"}

package/dist/nip/x509/oids.d.ts

@@ -0,0 +1,17 @@
+/**
+ * OID constants for NPS X.509 certificates per NPS-RFC-0002 §4.
+ *
+ * The 1.3.6.1.4.1.99999 arc is provisional pending IANA Private Enterprise
+ * Number assignment (RFC-0002 §10 OQ-2). All implementations MUST update
+ * these constants when the official PEN is granted.
+ */
+export declare const LAB_ACACIA_PEN_ARC = "1.3.6.1.4.1.99999";
+export declare const EKU_ARC = "1.3.6.1.4.1.99999.1";
+export declare const EXTENSION_ARC = "1.3.6.1.4.1.99999.2";
+export declare const EKU_AGENT_IDENTITY = "1.3.6.1.4.1.99999.1.1";
+export declare const EKU_NODE_IDENTITY = "1.3.6.1.4.1.99999.1.2";
+export declare const EKU_CA_INTERMEDIATE_AGENT = "1.3.6.1.4.1.99999.1.3";
+export declare const NID_ASSURANCE_LEVEL = "1.3.6.1.4.1.99999.2.1";
+export declare const ED25519 = "1.3.101.112";
+export declare const OID_EXTENDED_KEY_USAGE = "2.5.29.37";
+//# sourceMappingURL=oids.d.ts.map

package/dist/nip/x509/oids.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oids.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/oids.ts"],"names":[],"mappings":"AAGA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,sBAAsB,CAAC;AACtD,eAAO,MAAM,OAAO,wBAAuC,CAAC;AAC5D,eAAO,MAAM,aAAa,wBAAiC,CAAC;AAG5D,eAAO,MAAM,kBAAkB,0BAAwB,CAAC;AACxD,eAAO,MAAM,iBAAiB,0BAAyB,CAAC;AACxD,eAAO,MAAM,yBAAyB,0BAAiB,CAAC;AAGxD,eAAO,MAAM,mBAAmB,0BAAuB,CAAC;AAGxD,eAAO,MAAM,OAAO,gBAAgB,CAAC;AAGrC,eAAO,MAAM,sBAAsB,cAAc,CAAC"}

package/dist/nip/x509/oids.js

@@ -0,0 +1,23 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * OID constants for NPS X.509 certificates per NPS-RFC-0002 §4.
+ *
+ * The 1.3.6.1.4.1.99999 arc is provisional pending IANA Private Enterprise
+ * Number assignment (RFC-0002 §10 OQ-2). All implementations MUST update
+ * these constants when the official PEN is granted.
+ */
+export const LAB_ACACIA_PEN_ARC = "1.3.6.1.4.1.99999";
+export const EKU_ARC = `${LAB_ACACIA_PEN_ARC}.1`;
+export const EXTENSION_ARC = `${LAB_ACACIA_PEN_ARC}.2`;
+// ── EKUs (NPS-RFC-0002 §4.1) ─────────────────────────────────────────────────
+export const EKU_AGENT_IDENTITY = `${EKU_ARC}.1`;
+export const EKU_NODE_IDENTITY = `${EKU_ARC}.2`;
+export const EKU_CA_INTERMEDIATE_AGENT = `${EKU_ARC}.3`;
+// ── Custom extensions ────────────────────────────────────────────────────────
+export const NID_ASSURANCE_LEVEL = `${EXTENSION_ARC}.1`;
+// ── Ed25519 algorithm OID per RFC 8410 ───────────────────────────────────────
+export const ED25519 = "1.3.101.112";
+// ── Standard X.509 OIDs we reference ─────────────────────────────────────────
+export const OID_EXTENDED_KEY_USAGE = "2.5.29.37";
+//# sourceMappingURL=oids.js.map

package/dist/nip/x509/oids.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oids.js","sourceRoot":"","sources":["../../../src/nip/x509/oids.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;GAMG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,mBAAmB,CAAC;AACtD,MAAM,CAAC,MAAM,OAAO,GAAc,GAAG,kBAAkB,IAAI,CAAC;AAC5D,MAAM,CAAC,MAAM,aAAa,GAAQ,GAAG,kBAAkB,IAAI,CAAC;AAE5D,gFAAgF;AAChF,MAAM,CAAC,MAAM,kBAAkB,GAAU,GAAG,OAAO,IAAI,CAAC;AACxD,MAAM,CAAC,MAAM,iBAAiB,GAAW,GAAG,OAAO,IAAI,CAAC;AACxD,MAAM,CAAC,MAAM,yBAAyB,GAAG,GAAG,OAAO,IAAI,CAAC;AAExD,gFAAgF;AAChF,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,aAAa,IAAI,CAAC;AAExD,gFAAgF;AAChF,MAAM,CAAC,MAAM,OAAO,GAAG,aAAa,CAAC;AAErC,gFAAgF;AAChF,MAAM,CAAC,MAAM,sBAAsB,GAAG,WAAW,CAAC"}

package/dist/nip/x509/verifier.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Verifies NPS X.509 NID certificate chains per NPS-RFC-0002 §4.
+ *
+ * Stages (RFC §4.6):
+ * 1. Decode chain (base64url DER → @peculiar/x509 X509Certificate).
+ * 2. Leaf EKU check — critical, contains agent-identity OR node-identity OID.
+ * 3. Subject CN / SAN URI match against asserted NID.
+ * 4. Assurance-level extension match against asserted level (if both present).
+ * 5. Chain signature verification — leaf → intermediates → trusted root.
+ */
+import * as x509 from "@peculiar/x509";
+import { AssuranceLevel } from "../assurance-level.js";
+export interface NipX509VerifyResult {
+    valid: boolean;
+    errorCode?: string;
+    message?: string;
+    leaf?: x509.X509Certificate;
+}
+export interface VerifyOptions {
+    certChainBase64UrlDer: readonly string[];
+    assertedNid: string;
+    assertedAssuranceLevel: AssuranceLevel | null;
+    trustedRootCerts: readonly x509.X509Certificate[];
+}
+export declare function verify(opts: VerifyOptions): Promise<NipX509VerifyResult>;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/nip/x509/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/verifier.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAWvD,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAQ,OAAO,CAAC;IACrB,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,MAAM,CAAC;IACpB,IAAI,CAAC,EAAQ,IAAI,CAAC,eAAe,CAAC;CACnC;AAUD,MAAM,WAAW,aAAa;IAC5B,qBAAqB,EAAK,SAAS,MAAM,EAAE,CAAC;IAC5C,WAAW,EAAe,MAAM,CAAC;IACjC,sBAAsB,EAAI,cAAc,GAAG,IAAI,CAAC;IAChD,gBAAgB,EAAU,SAAS,IAAI,CAAC,eAAe,EAAE,CAAC;CAC3D;AAED,wBAAsB,MAAM,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA+B9E"}