@labacacia/nps-sdk 1.0.0-alpha.3 → 1.0.0-alpha.4

package/dist/nip/verifier.js

@@ -0,0 +1,90 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * NipIdentVerifier — Phase 1 dual-trust IdentFrame verifier per NPS-RFC-0002 §8.1.
+ *
+ * Steps:
+ *   1.  v1 Ed25519 signature check against the issuer's CA public key.
+ *   2.  Optional minimum assurance level check.
+ *   3b. X.509 chain validation (only if `cert_format === "v2-x509"` AND
+ *       `trustedX509Roots` is configured).
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { AssuranceLevel } from "./assurance-level.js";
+import * as cf from "./cert-format.js";
+import * as ec from "./error-codes.js";
+import { verify as verifyX509 } from "./x509/verifier.js";
+// noble/ed25519 needs sha512 wired up.
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+function ok() { return { valid: true, stepFailed: 0 }; }
+function fail(stepFailed, errorCode, message) {
+    return { valid: false, stepFailed, errorCode, message };
+}
+export class NipIdentVerifier {
+    options;
+    constructor(options) {
+        this.options = options;
+    }
+    async verify(frame, issuerNid) {
+        // Step 1: v1 Ed25519 signature check ────────────────────────────────
+        const caPubKeyStr = this.options.trustedCaPublicKeys?.[issuerNid];
+        if (caPubKeyStr === undefined) {
+            return fail(1, ec.CERT_UNTRUSTED_ISSUER, `no trusted CA public key for issuer: ${issuerNid}`);
+        }
+        if (!frame.signature?.startsWith("ed25519:")) {
+            return fail(1, ec.CERT_SIGNATURE_INVALID, "missing or malformed signature");
+        }
+        try {
+            const caPubBytes = parsePubKeyString(caPubKeyStr);
+            const sigBytes = Buffer.from(frame.signature.slice("ed25519:".length), "base64");
+            const canonical = canonicalJson(frame.unsignedDict());
+            const msg = new TextEncoder().encode(canonical);
+            if (!ed25519.verify(sigBytes, msg, caPubBytes)) {
+                return fail(1, ec.CERT_SIGNATURE_INVALID, "v1 Ed25519 signature did not verify against issuer CA key");
+            }
+        }
+        catch (e) {
+            return fail(1, ec.CERT_SIGNATURE_INVALID, `v1 signature verification error: ${e.message}`);
+        }
+        // Step 2: minimum assurance level ───────────────────────────────────
+        const minLevel = this.options.minAssuranceLevel;
+        if (minLevel !== undefined) {
+            const got = frame.assuranceLevel ?? AssuranceLevel.ANONYMOUS;
+            if (!got.meetsOrExceeds(minLevel)) {
+                return fail(2, ec.ASSURANCE_MISMATCH, `assurance_level (${got.wire}) below required minimum (${minLevel.wire})`);
+            }
+        }
+        // Step 3b: X.509 chain check (only if both opt-ins present) ──────────
+        const trustedRoots = this.options.trustedX509Roots ?? [];
+        const hasV2Trust = trustedRoots.length > 0;
+        const isV2Frame = frame.certFormat === cf.V2_X509;
+        if (hasV2Trust && isV2Frame) {
+            const x509Result = await verifyX509({
+                certChainBase64UrlDer: frame.certChain ?? [],
+                assertedNid: frame.nid,
+                assertedAssuranceLevel: frame.assuranceLevel,
+                trustedRootCerts: trustedRoots,
+            });
+            if (!x509Result.valid) {
+                return fail(3, x509Result.errorCode ?? ec.CERT_FORMAT_INVALID, x509Result.message ?? "X.509 chain validation failed");
+            }
+        }
+        return ok();
+    }
+}
+/**
+ * Canonical JSON matching NipIdentity.sign — top-level keys filtered/ordered
+ * via `Object.keys(payload).sort()` as JSON.stringify replacer.
+ */
+function canonicalJson(payload) {
+    return JSON.stringify(payload, Object.keys(payload).sort());
+}
+/** Parse `ed25519:<hex>` into a 32-byte Uint8Array public key. */
+function parsePubKeyString(s) {
+    if (!s.startsWith("ed25519:")) {
+        throw new Error(`Unsupported public key format: ${s}`);
+    }
+    return new Uint8Array(Buffer.from(s.slice("ed25519:".length), "hex"));
+}
+//# sourceMappingURL=verifier.js.map

package/dist/nip/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../src/nip/verifier.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;GAQG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAG9C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAEvC,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAE1D,uCAAuC;AACvC,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAkBzE,SAAS,EAAE,KAA2B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAE9E,SAAS,IAAI,CAAC,UAAkB,EAAE,SAAiB,EAAE,OAAe;IAClE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;AAC1D,CAAC;AAED,MAAM,OAAO,gBAAgB;IACC;IAA5B,YAA4B,OAA2B;QAA3B,YAAO,GAAP,OAAO,CAAoB;IAAG,CAAC;IAE3D,KAAK,CAAC,MAAM,CAAC,KAAiB,EAAE,SAAiB;QAC/C,sEAAsE;QACtE,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,SAAS,CAAC,CAAC;QAClE,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,EACrC,wCAAwC,SAAS,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7C,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EAAE,gCAAgC,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAClD,MAAM,QAAQ,GAAK,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;YACnF,MAAM,SAAS,GAAI,aAAa,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;YACvD,MAAM,GAAG,GAAU,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;gBAC/C,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EACtC,2DAA2D,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,EACtC,oCAAqC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,sEAAsE;QACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC;QAChD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,cAAc,IAAI,cAAc,CAAC,SAAS,CAAC;YAC7D,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,EAClC,oBAAoB,GAAG,CAAC,IAAI,6BAA6B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACzD,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAI,KAAK,CAAC,UAAU,KAAK,EAAE,CAAC,OAAO,CAAC;QACnD,IAAI,UAAU,IAAI,SAAS,EAAE,CAAC;YAC5B,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC;gBAClC,qBAAqB,EAAG,KAAK,CAAC,SAAS,IAAI,EAAE;gBAC7C,WAAW,EAAa,KAAK,CAAC,GAAG;gBACjC,sBAAsB,EAAE,KAAK,CAAC,cAAc;gBAC5C,gBAAgB,EAAQ,YAAY;aACrC,CAAC,CAAC;YACH,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,IAAI,CAAC,CAAC,EACX,UAAU,CAAC,SAAS,IAAI,EAAE,CAAC,mBAAmB,EAC9C,UAAU,CAAC,OAAO,IAAM,+BAA+B,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;CACF;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,OAAgC;IACrD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,kEAAkE;AAClE,SAAS,iBAAiB,CAAC,CAAS;IAClC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/nip/x509/builder.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Issues NPS X.509 NID certificates per NPS-RFC-0002 §4.
+ *
+ * Backed by @peculiar/x509 + Web Crypto Ed25519 (Node 22+).
+ *
+ * Two factory functions:
+ * - {@link issueLeaf} — leaf cert with critical NPS EKU + SAN URI = NID + assurance-level extension.
+ * - {@link issueRoot} — self-signed root for testing / private-CA use.
+ */
+import * as x509 from "@peculiar/x509";
+import { AssuranceLevel } from "../assurance-level.js";
+export type LeafRole = "agent" | "node";
+export interface IssueLeafOptions {
+    subjectNid: string;
+    subjectPublicKey: CryptoKey;
+    caKeys: CryptoKeyPair;
+    issuerNid: string;
+    role: LeafRole;
+    assuranceLevel: AssuranceLevel;
+    notBefore: Date;
+    notAfter: Date;
+    serialNumber: string;
+}
+export interface IssueRootOptions {
+    caNid: string;
+    caKeys: CryptoKeyPair;
+    notBefore: Date;
+    notAfter: Date;
+    serialNumber: string;
+}
+/** Issue a leaf NPS NID certificate (RFC-0002 §4.1). */
+export declare function issueLeaf(opts: IssueLeafOptions): Promise<x509.X509Certificate>;
+/** Issue a self-signed CA root cert (testing / private CA). */
+export declare function issueRoot(opts: IssueRootOptions): Promise<x509.X509Certificate>;
+//# sourceMappingURL=builder.d.ts.map

package/dist/nip/x509/builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/builder.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAOvD,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,CAAC;AAExC,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAU,MAAM,CAAC;IAC3B,gBAAgB,EAAI,SAAS,CAAC;IAC9B,MAAM,EAAc,aAAa,CAAC;IAClC,SAAS,EAAW,MAAM,CAAC;IAC3B,IAAI,EAAgB,QAAQ,CAAC;IAC7B,cAAc,EAAM,cAAc,CAAC;IACnC,SAAS,EAAW,IAAI,CAAC;IACzB,QAAQ,EAAY,IAAI,CAAC;IACzB,YAAY,EAAQ,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAe,MAAM,CAAC;IAC3B,MAAM,EAAc,aAAa,CAAC;IAClC,SAAS,EAAW,IAAI,CAAC;IACzB,QAAQ,EAAY,IAAI,CAAC;IACzB,YAAY,EAAQ,MAAM,CAAC;CAC5B;AAED,wDAAwD;AACxD,wBAAsB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAuBrF;AAED,+DAA+D;AAC/D,wBAAsB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAcrF"}

package/dist/nip/x509/builder.js

@@ -0,0 +1,59 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Issues NPS X.509 NID certificates per NPS-RFC-0002 §4.
+ *
+ * Backed by @peculiar/x509 + Web Crypto Ed25519 (Node 22+).
+ *
+ * Two factory functions:
+ * - {@link issueLeaf} — leaf cert with critical NPS EKU + SAN URI = NID + assurance-level extension.
+ * - {@link issueRoot} — self-signed root for testing / private-CA use.
+ */
+import * as x509 from "@peculiar/x509";
+import { EKU_AGENT_IDENTITY, EKU_NODE_IDENTITY, NID_ASSURANCE_LEVEL } from "./oids.js";
+// Initialize @peculiar/x509 cryptoProvider once on first import. Web Crypto
+// (globalThis.crypto) supports Ed25519 in Node 18+.
+x509.cryptoProvider.set(globalThis.crypto);
+/** Issue a leaf NPS NID certificate (RFC-0002 §4.1). */
+export async function issueLeaf(opts) {
+    const ekuOid = opts.role === "node" ? EKU_NODE_IDENTITY : EKU_AGENT_IDENTITY;
+    // ASN.1 ENUMERATED encoding of assurance level: tag=0x0A, len=0x01, value=<rank>.
+    const assuranceDer = new Uint8Array([0x0A, 0x01, opts.assuranceLevel.rank]);
+    return x509.X509CertificateGenerator.create({
+        serialNumber: opts.serialNumber,
+        issuer: `CN=${escapeDn(opts.issuerNid)}`,
+        subject: `CN=${escapeDn(opts.subjectNid)}`,
+        notBefore: opts.notBefore,
+        notAfter: opts.notAfter,
+        publicKey: opts.subjectPublicKey,
+        signingAlgorithm: { name: "Ed25519" },
+        signingKey: opts.caKeys.privateKey,
+        extensions: [
+            new x509.BasicConstraintsExtension(false, undefined, true),
+            new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true),
+            new x509.ExtendedKeyUsageExtension([ekuOid], true),
+            new x509.SubjectAlternativeNameExtension([{ type: "url", value: opts.subjectNid }], false),
+            new x509.Extension(NID_ASSURANCE_LEVEL, false, assuranceDer),
+        ],
+    });
+}
+/** Issue a self-signed CA root cert (testing / private CA). */
+export async function issueRoot(opts) {
+    return x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: opts.serialNumber,
+        name: `CN=${escapeDn(opts.caNid)}`,
+        notBefore: opts.notBefore,
+        notAfter: opts.notAfter,
+        signingAlgorithm: { name: "Ed25519" },
+        keys: opts.caKeys,
+        extensions: [
+            new x509.BasicConstraintsExtension(true, undefined, true),
+            new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
+        ],
+    });
+}
+function escapeDn(value) {
+    // Escape characters that have special meaning in RFC 4514 DN syntax.
+    return value.replace(/([",+;<>\\])/g, "\\$1");
+}
+//# sourceMappingURL=builder.js.map

package/dist/nip/x509/builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"builder.js","sourceRoot":"","sources":["../../../src/nip/x509/builder.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;GAQG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAGvC,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAEvF,4EAA4E;AAC5E,oDAAoD;AACpD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAwB3C,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAsB;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAE7E,kFAAkF;IAClF,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IAE5E,OAAO,IAAI,CAAC,wBAAwB,CAAC,MAAM,CAAC;QAC1C,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,MAAM,EAAQ,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;QAC9C,OAAO,EAAO,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;QAC/C,SAAS,EAAK,IAAI,CAAC,SAAS;QAC5B,QAAQ,EAAM,IAAI,CAAC,QAAQ;QAC3B,SAAS,EAAK,IAAI,CAAC,gBAAgB;QACnC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;QACrC,UAAU,EAAI,IAAI,CAAC,MAAM,CAAC,UAAU;QACpC,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC;YAC1D,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC;YAClD,IAAI,IAAI,CAAC,+BAA+B,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,KAAK,CAAC;YAC1F,IAAI,IAAI,CAAC,SAAS,CAAC,mBAAmB,EAAE,KAAK,EAAE,YAAY,CAAC;SAC7D;KACF,CAAC,CAAC;AACL,CAAC;AAED,+DAA+D;AAC/D,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAsB;IACpD,OAAO,IAAI,CAAC,wBAAwB,CAAC,gBAAgB,CAAC;QACpD,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,IAAI,EAAU,MAAM,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;QAC1C,SAAS,EAAK,IAAI,CAAC,SAAS;QAC5B,QAAQ,EAAM,IAAI,CAAC,QAAQ;QAC3B,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;QACrC,IAAI,EAAU,IAAI,CAAC,MAAM;QACzB,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,yBAAyB,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC;YACzD,IAAI,IAAI,CAAC,kBAAkB,CACzB,IAAI,CAAC,aAAa,CAAC,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC;SACrE;KACF,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,KAAa;IAC7B,qEAAqE;IACrE,OAAO,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC"}

package/dist/nip/x509/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./builder.js";
+export * from "./oids.js";
+export * from "./verifier.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/nip/x509/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/index.ts"],"names":[],"mappings":"AAGA,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC"}

package/dist/nip/x509/index.js

@@ -0,0 +1,6 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export * from "./builder.js";
+export * from "./oids.js";
+export * from "./verifier.js";
+//# sourceMappingURL=index.js.map

package/dist/nip/x509/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/nip/x509/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC"}

package/dist/nip/x509/oids.d.ts

@@ -0,0 +1,17 @@
+/**
+ * OID constants for NPS X.509 certificates per NPS-RFC-0002 §4.
+ *
+ * The 1.3.6.1.4.1.99999 arc is provisional pending IANA Private Enterprise
+ * Number assignment (RFC-0002 §10 OQ-2). All implementations MUST update
+ * these constants when the official PEN is granted.
+ */
+export declare const LAB_ACACIA_PEN_ARC = "1.3.6.1.4.1.99999";
+export declare const EKU_ARC = "1.3.6.1.4.1.99999.1";
+export declare const EXTENSION_ARC = "1.3.6.1.4.1.99999.2";
+export declare const EKU_AGENT_IDENTITY = "1.3.6.1.4.1.99999.1.1";
+export declare const EKU_NODE_IDENTITY = "1.3.6.1.4.1.99999.1.2";
+export declare const EKU_CA_INTERMEDIATE_AGENT = "1.3.6.1.4.1.99999.1.3";
+export declare const NID_ASSURANCE_LEVEL = "1.3.6.1.4.1.99999.2.1";
+export declare const ED25519 = "1.3.101.112";
+export declare const OID_EXTENDED_KEY_USAGE = "2.5.29.37";
+//# sourceMappingURL=oids.d.ts.map

package/dist/nip/x509/oids.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oids.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/oids.ts"],"names":[],"mappings":"AAGA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,sBAAsB,CAAC;AACtD,eAAO,MAAM,OAAO,wBAAuC,CAAC;AAC5D,eAAO,MAAM,aAAa,wBAAiC,CAAC;AAG5D,eAAO,MAAM,kBAAkB,0BAAwB,CAAC;AACxD,eAAO,MAAM,iBAAiB,0BAAyB,CAAC;AACxD,eAAO,MAAM,yBAAyB,0BAAiB,CAAC;AAGxD,eAAO,MAAM,mBAAmB,0BAAuB,CAAC;AAGxD,eAAO,MAAM,OAAO,gBAAgB,CAAC;AAGrC,eAAO,MAAM,sBAAsB,cAAc,CAAC"}

package/dist/nip/x509/oids.js

@@ -0,0 +1,23 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * OID constants for NPS X.509 certificates per NPS-RFC-0002 §4.
+ *
+ * The 1.3.6.1.4.1.99999 arc is provisional pending IANA Private Enterprise
+ * Number assignment (RFC-0002 §10 OQ-2). All implementations MUST update
+ * these constants when the official PEN is granted.
+ */
+export const LAB_ACACIA_PEN_ARC = "1.3.6.1.4.1.99999";
+export const EKU_ARC = `${LAB_ACACIA_PEN_ARC}.1`;
+export const EXTENSION_ARC = `${LAB_ACACIA_PEN_ARC}.2`;
+// ── EKUs (NPS-RFC-0002 §4.1) ─────────────────────────────────────────────────
+export const EKU_AGENT_IDENTITY = `${EKU_ARC}.1`;
+export const EKU_NODE_IDENTITY = `${EKU_ARC}.2`;
+export const EKU_CA_INTERMEDIATE_AGENT = `${EKU_ARC}.3`;
+// ── Custom extensions ────────────────────────────────────────────────────────
+export const NID_ASSURANCE_LEVEL = `${EXTENSION_ARC}.1`;
+// ── Ed25519 algorithm OID per RFC 8410 ───────────────────────────────────────
+export const ED25519 = "1.3.101.112";
+// ── Standard X.509 OIDs we reference ─────────────────────────────────────────
+export const OID_EXTENDED_KEY_USAGE = "2.5.29.37";
+//# sourceMappingURL=oids.js.map

package/dist/nip/x509/oids.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oids.js","sourceRoot":"","sources":["../../../src/nip/x509/oids.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;GAMG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,mBAAmB,CAAC;AACtD,MAAM,CAAC,MAAM,OAAO,GAAc,GAAG,kBAAkB,IAAI,CAAC;AAC5D,MAAM,CAAC,MAAM,aAAa,GAAQ,GAAG,kBAAkB,IAAI,CAAC;AAE5D,gFAAgF;AAChF,MAAM,CAAC,MAAM,kBAAkB,GAAU,GAAG,OAAO,IAAI,CAAC;AACxD,MAAM,CAAC,MAAM,iBAAiB,GAAW,GAAG,OAAO,IAAI,CAAC;AACxD,MAAM,CAAC,MAAM,yBAAyB,GAAG,GAAG,OAAO,IAAI,CAAC;AAExD,gFAAgF;AAChF,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,aAAa,IAAI,CAAC;AAExD,gFAAgF;AAChF,MAAM,CAAC,MAAM,OAAO,GAAG,aAAa,CAAC;AAErC,gFAAgF;AAChF,MAAM,CAAC,MAAM,sBAAsB,GAAG,WAAW,CAAC"}

package/dist/nip/x509/verifier.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Verifies NPS X.509 NID certificate chains per NPS-RFC-0002 §4.
+ *
+ * Stages (RFC §4.6):
+ * 1. Decode chain (base64url DER → @peculiar/x509 X509Certificate).
+ * 2. Leaf EKU check — critical, contains agent-identity OR node-identity OID.
+ * 3. Subject CN / SAN URI match against asserted NID.
+ * 4. Assurance-level extension match against asserted level (if both present).
+ * 5. Chain signature verification — leaf → intermediates → trusted root.
+ */
+import * as x509 from "@peculiar/x509";
+import { AssuranceLevel } from "../assurance-level.js";
+export interface NipX509VerifyResult {
+    valid: boolean;
+    errorCode?: string;
+    message?: string;
+    leaf?: x509.X509Certificate;
+}
+export interface VerifyOptions {
+    certChainBase64UrlDer: readonly string[];
+    assertedNid: string;
+    assertedAssuranceLevel: AssuranceLevel | null;
+    trustedRootCerts: readonly x509.X509Certificate[];
+}
+export declare function verify(opts: VerifyOptions): Promise<NipX509VerifyResult>;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/nip/x509/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/verifier.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAWvD,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAQ,OAAO,CAAC;IACrB,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,OAAO,CAAC,EAAK,MAAM,CAAC;IACpB,IAAI,CAAC,EAAQ,IAAI,CAAC,eAAe,CAAC;CACnC;AAUD,MAAM,WAAW,aAAa;IAC5B,qBAAqB,EAAK,SAAS,MAAM,EAAE,CAAC;IAC5C,WAAW,EAAe,MAAM,CAAC;IACjC,sBAAsB,EAAI,cAAc,GAAG,IAAI,CAAC;IAChD,gBAAgB,EAAU,SAAS,IAAI,CAAC,eAAe,EAAE,CAAC;CAC3D;AAED,wBAAsB,MAAM,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA+B9E"}

package/dist/nip/x509/verifier.js

@@ -0,0 +1,171 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Verifies NPS X.509 NID certificate chains per NPS-RFC-0002 §4.
+ *
+ * Stages (RFC §4.6):
+ * 1. Decode chain (base64url DER → @peculiar/x509 X509Certificate).
+ * 2. Leaf EKU check — critical, contains agent-identity OR node-identity OID.
+ * 3. Subject CN / SAN URI match against asserted NID.
+ * 4. Assurance-level extension match against asserted level (if both present).
+ * 5. Chain signature verification — leaf → intermediates → trusted root.
+ */
+import * as x509 from "@peculiar/x509";
+import { AssuranceLevel } from "../assurance-level.js";
+import * as ec from "../error-codes.js";
+import { EKU_AGENT_IDENTITY, EKU_NODE_IDENTITY, NID_ASSURANCE_LEVEL, OID_EXTENDED_KEY_USAGE, } from "./oids.js";
+x509.cryptoProvider.set(globalThis.crypto);
+function ok(leaf) {
+    return { valid: true, leaf };
+}
+function fail(errorCode, message) {
+    return { valid: false, errorCode, message };
+}
+export async function verify(opts) {
+    // Stage 1: decode chain ─────────────────────────────────────────────────
+    if (!opts.certChainBase64UrlDer.length) {
+        return fail(ec.CERT_FORMAT_INVALID, "cert_chain is empty");
+    }
+    let chain;
+    try {
+        chain = opts.certChainBase64UrlDer.map((s) => new x509.X509Certificate(b64uDecode(s).buffer));
+    }
+    catch (e) {
+        return fail(ec.CERT_FORMAT_INVALID, `DER decode failed: ${e.message}`);
+    }
+    const leaf = chain[0];
+    // Stage 2: EKU check ────────────────────────────────────────────────────
+    const ekuResult = checkLeafEku(leaf);
+    if (!ekuResult.valid)
+        return ekuResult;
+    // Stage 3: subject CN / SAN URI match ──────────────────────────────────
+    const subjectResult = checkSubjectNid(leaf, opts.assertedNid);
+    if (!subjectResult.valid)
+        return subjectResult;
+    // Stage 4: assurance-level extension ───────────────────────────────────
+    const assuranceResult = checkAssuranceLevel(leaf, opts.assertedAssuranceLevel);
+    if (!assuranceResult.valid)
+        return assuranceResult;
+    // Stage 5: chain signature verification ────────────────────────────────
+    const chainResult = await checkChainSignature(chain, opts.trustedRootCerts);
+    if (!chainResult.valid)
+        return chainResult;
+    return ok(leaf);
+}
+// ── Stage helpers ──────────────────────────────────────────────────────────
+function checkLeafEku(leaf) {
+    const ekuExt = leaf.extensions.find((e) => e.type === OID_EXTENDED_KEY_USAGE);
+    if (!ekuExt) {
+        return fail(ec.CERT_EKU_MISSING, "leaf has no ExtendedKeyUsage extension");
+    }
+    if (!ekuExt.critical) {
+        return fail(ec.CERT_EKU_MISSING, "ExtendedKeyUsage extension is not marked critical");
+    }
+    const usages = ekuExt.usages;
+    if (!usages.includes(EKU_AGENT_IDENTITY) && !usages.includes(EKU_NODE_IDENTITY)) {
+        return fail(ec.CERT_EKU_MISSING, "ExtendedKeyUsage does not contain agent-identity or node-identity OID");
+    }
+    return ok(leaf);
+}
+function checkSubjectNid(leaf, assertedNid) {
+    // @peculiar/x509 parses the subject DN; iterate to find CN.
+    const cn = extractCn(leaf.subject);
+    if (cn !== assertedNid) {
+        return fail(ec.CERT_SUBJECT_NID_MISMATCH, `leaf subject CN (${cn ?? "<missing>"}) does not match asserted NID (${assertedNid})`);
+    }
+    const sanExt = leaf.getExtension(x509.SubjectAlternativeNameExtension);
+    if (!sanExt) {
+        return fail(ec.CERT_SUBJECT_NID_MISMATCH, "leaf has no Subject Alternative Name extension");
+    }
+    // SubjectAlternativeNameExtension exposes general-name objects with `type: "url"` for URIs.
+    const uris = sanExt.names
+        .toJSON()
+        .filter((n) => n.type === "url")
+        .map((n) => n.value);
+    if (!uris.includes(assertedNid)) {
+        return fail(ec.CERT_SUBJECT_NID_MISMATCH, "no SAN URI matches asserted NID");
+    }
+    return ok(leaf);
+}
+function checkAssuranceLevel(leaf, asserted) {
+    if (asserted === null)
+        return ok(leaf);
+    const ext = leaf.extensions.find((e) => e.type === NID_ASSURANCE_LEVEL);
+    if (!ext) {
+        // Optional in v0.1 — pass silently.
+        return ok(leaf);
+    }
+    const der = new Uint8Array(ext.value);
+    // Decode ASN.1 ENUMERATED: tag=0x0A, len=0x01, content=<rank>.
+    if (der.length !== 3 || der[0] !== 0x0A || der[1] !== 0x01) {
+        return fail(ec.CERT_FORMAT_INVALID, `malformed assurance-level extension: ${Buffer.from(der).toString("hex")}`);
+    }
+    const rank = der[2];
+    let certLevel;
+    try {
+        certLevel = AssuranceLevel.fromRank(rank);
+    }
+    catch {
+        return fail(ec.ASSURANCE_UNKNOWN, `assurance-level extension contains unknown value: ${rank}`);
+    }
+    if (certLevel !== asserted) {
+        return fail(ec.ASSURANCE_MISMATCH, `cert assurance-level (${certLevel.wire}) does not match asserted (${asserted.wire})`);
+    }
+    return ok(leaf);
+}
+async function checkChainSignature(chain, trustedRoots) {
+    if (!trustedRoots.length) {
+        return fail(ec.CERT_FORMAT_INVALID, "no trusted X.509 roots configured");
+    }
+    try {
+        // Walk leaf → intermediates: each must be signed by its successor.
+        for (let i = 0; i < chain.length - 1; i++) {
+            const okStep = await chain[i].verify({ publicKey: await chain[i + 1].publicKey.export(), signatureOnly: true });
+            if (!okStep) {
+                return fail(ec.CERT_FORMAT_INVALID, `chain link ${i} signature did not verify`);
+            }
+        }
+        // The last cert in the chain MUST chain to a trusted root.
+        const last = chain[chain.length - 1];
+        for (const root of trustedRoots) {
+            if (Buffer.from(last.rawData).equals(Buffer.from(root.rawData))) {
+                return ok(chain[0]);
+            }
+            try {
+                const okStep = await last.verify({ publicKey: await root.publicKey.export(), signatureOnly: true });
+                if (okStep)
+                    return ok(chain[0]);
+            }
+            catch {
+                /* try next root */
+            }
+        }
+        return fail(ec.CERT_FORMAT_INVALID, "chain does not anchor to any trusted root");
+    }
+    catch (e) {
+        return fail(ec.CERT_FORMAT_INVALID, `chain signature verification error: ${e.message}`);
+    }
+}
+// ── helpers ────────────────────────────────────────────────────────────────
+function extractCn(dn) {
+    // @peculiar/x509 returns DN strings in RFC 4514 format ("CN=...,O=...").
+    for (const rdn of dn.split(",")) {
+        const trimmed = rdn.trim();
+        if (trimmed.startsWith("CN=")) {
+            let value = trimmed.slice(3);
+            // Strip surrounding quotes if any.
+            if (value.startsWith("\"") && value.endsWith("\"")) {
+                value = value.slice(1, -1);
+            }
+            // Unescape.
+            return value.replace(/\\([",+;<>\\])/g, "$1");
+        }
+    }
+    return null;
+}
+function b64uDecode(s) {
+    const padded = s + "=".repeat((4 - (s.length % 4)) % 4);
+    const std = padded.replace(/-/g, "+").replace(/_/g, "/");
+    return new Uint8Array(Buffer.from(std, "base64"));
+}
+//# sourceMappingURL=verifier.js.map

package/dist/nip/x509/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/nip/x509/verifier.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;;GASG;AAEH,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,KAAK,EAAE,MAAM,mBAAmB,CAAC;AACxC,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,WAAW,CAAC;AAEnB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAS3C,SAAS,EAAE,CAAC,IAA0B;IACpC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,IAAI,CAAC,SAAiB,EAAE,OAAe;IAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;AAC9C,CAAC;AASD,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAmB;IAC9C,0EAA0E;IAC1E,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC,EAAE,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,KAA6B,CAAC;IAClC,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,MAAqB,CAAC,CAAC,CAAC;IAC/G,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,IAAI,CAAC,EAAE,CAAC,mBAAmB,EAAE,sBAAuB,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,0EAA0E;IAC1E,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,SAAS,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAEvC,yEAAyE;IACzE,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,aAAa,CAAC,KAAK;QAAE,OAAO,aAAa,CAAC;IAE/C,yEAAyE;IACzE,MAAM,eAAe,GAAG,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAC/E,IAAI,CAAC,eAAe,CAAC,KAAK;QAAE,OAAO,eAAe,CAAC;IAEnD,yEAAyE;IACzE,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC5E,IAAI,CAAC,WAAW,CAAC,KAAK;QAAE,OAAO,WAAW,CAAC;IAE3C,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;AAClB,CAAC;AAED,8EAA8E;AAE9E,SAAS,YAAY,CAAC,IAA0B;IAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CACjC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CACK,CAAC;IAChD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC,EAAE,CAAC,gBAAgB,EAAE,wCAAwC,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,EAAE,CAAC,gBAAgB,EAAE,mDAAmD,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,MAA2B,CAAC;IAClD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAChF,OAAO,IAAI,CAAC,EAAE,CAAC,gBAAgB,EAC7B,uEAAuE,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CAAC,IAA0B,EAAE,WAAmB;IACtE,4DAA4D;IAC5D,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnC,IAAI,EAAE,KAAK,WAAW,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,EAAE,CAAC,yBAAyB,EACtC,oBAAoB,EAAE,IAAI,WAAW,kCAAkC,WAAW,GAAG,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IACvE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC,EAAE,CAAC,yBAAyB,EAAE,gDAAgD,CAAC,CAAC;IAC9F,CAAC;IACD,4FAA4F;IAC5F,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK;SACtB,MAAM,EAAE;SACR,MAAM,CAAC,CAAC,CAAmB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC;SACjD,GAAG,CAAC,CAAC,CAAoB,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC,EAAE,CAAC,yBAAyB,EAAE,iCAAiC,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAA0B,EAAE,QAA+B;IAE3D,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB,CAAC,CAAC;IACxE,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,oCAAoC;QACpC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACtC,+DAA+D;IAC/D,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,OAAO,IAAI,CAAC,EAAE,CAAC,mBAAmB,EAChC,wCAAwC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAChF,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;IACpB,IAAI,SAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,EAAE,CAAC,iBAAiB,EAC9B,qDAAqD,IAAI,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC,EAAE,CAAC,kBAAkB,EAC/B,yBAAyB,SAAS,CAAC,IAAI,8BAA8B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC;IAC3F,CAAC;IACD,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,KAAsC,EACtC,YAA6C;IAE7C,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,EAAE,CAAC,mBAAmB,EAAE,mCAAmC,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,CAAC;QACH,mEAAmE;QACnE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,MAAM,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;YAChH,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,IAAI,CAAC,EAAE,CAAC,mBAAmB,EAAE,cAAc,CAAC,2BAA2B,CAAC,CAAC;YAClF,CAAC;QACH,CAAC;QACD,2DAA2D;QAC3D,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAChE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACtB,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;gBACpG,IAAI,MAAM;oBAAE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,mBAAmB;YACrB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,EAAE,CAAC,mBAAmB,EAAE,2CAA2C,CAAC,CAAC;IACnF,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,IAAI,CAAC,EAAE,CAAC,mBAAmB,EAChC,uCAAwC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E,SAAS,SAAS,CAAC,EAAU;IAC3B,yEAAyE;IACzE,KAAK,MAAM,GAAG,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC7B,mCAAmC;YACnC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YACD,YAAY;YACZ,OAAO,KAAK,CAAC,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,MAAM,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;AACpD,CAAC"}

package/dist/nop/client.js

@@ -0,0 +1,90 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+import { NpsFrameCodec } from "../core/codec.js";
+import { EncodingTier } from "../core/frames.js";
+import { FrameRegistry } from "../core/registry.js";
+import { registerNcpFrames } from "../ncp/registry.js";
+import { registerNopFrames } from "./registry.js";
+import { TaskState } from "./models.js";
+const TERMINAL_STATES = new Set([
+    TaskState.COMPLETED,
+    TaskState.FAILED,
+    TaskState.CANCELLED,
+]);
+export class NopTaskStatus {
+    _raw;
+    constructor(_raw) {
+        this._raw = _raw;
+    }
+    get taskId() { return this._raw["task_id"]; }
+    get state() { return this._raw["state"]; }
+    get isTerminal() { return TERMINAL_STATES.has(this._raw["state"]); }
+    get aggregatedResult() { return this._raw["aggregated_result"]; }
+    get errorCode() { return this._raw["error_code"] ?? undefined; }
+    get errorMessage() { return this._raw["error_message"] ?? undefined; }
+    get nodeResults() { return this._raw["node_results"] ?? {}; }
+    get raw() { return this._raw; }
+    toString() {
+        return `NopTaskStatus(taskId=${this.taskId}, state=${String(this._raw["state"])})`;
+    }
+}
+export class NopClient {
+    _baseUrl;
+    _codec;
+    _tier;
+    constructor(baseUrl, options = {}) {
+        this._baseUrl = baseUrl.replace(/\/$/, "");
+        this._tier = options.defaultTier ?? EncodingTier.MSGPACK;
+        const registry = options.registry ?? (() => {
+            const r = new FrameRegistry();
+            registerNcpFrames(r);
+            registerNopFrames(r);
+            return r;
+        })();
+        this._codec = new NpsFrameCodec(registry);
+    }
+    async submit(frame) {
+        const wire = this._codec.encode(frame, { overrideTier: this._tier });
+        const res = await fetch(`${this._baseUrl}/task`, {
+            method: "POST",
+            body: wire,
+            headers: { "Content-Type": "application/x-nps-frame", "Accept": "application/json" },
+        });
+        if (!res.ok)
+            throw new Error(`NOP /task failed: HTTP ${res.status}`);
+        const data = await res.json();
+        return data["task_id"];
+    }
+    async getStatus(taskId) {
+        const res = await fetch(`${this._baseUrl}/task/${taskId}`, {
+            headers: { "Accept": "application/json" },
+        });
+        if (!res.ok)
+            throw new Error(`NOP /task/${taskId} failed: HTTP ${res.status}`);
+        return new NopTaskStatus(await res.json());
+    }
+    async cancel(taskId) {
+        const res = await fetch(`${this._baseUrl}/task/${taskId}/cancel`, {
+            method: "POST",
+            headers: { "Accept": "application/json" },
+        });
+        if (!res.ok)
+            throw new Error(`NOP /task/${taskId}/cancel failed: HTTP ${res.status}`);
+    }
+    async wait(taskId, options = {}) {
+        const pollIntervalMs = options.pollIntervalMs ?? 1000;
+        const timeoutMs = options.timeoutMs ?? 30_000;
+        const deadline = Date.now() + timeoutMs;
+        while (true) {
+            const status = await this.getStatus(taskId);
+            if (status.isTerminal)
+                return status;
+            const remaining = deadline - Date.now();
+            if (remaining <= 0) {
+                throw new Error(`Task '${taskId}' did not complete within ${timeoutMs}ms (state: ${String(status.raw["state"])}).`);
+            }
+            await new Promise((resolve) => setTimeout(resolve, Math.min(pollIntervalMs, remaining)));
+        }
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/nop/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/nop/client.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAGxC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAY;IACzC,SAAS,CAAC,SAAS;IACnB,SAAS,CAAC,MAAM;IAChB,SAAS,CAAC,SAAS;CACpB,CAAC,CAAC;AAEH,MAAM,OAAO,aAAa;IACK;IAA7B,YAA6B,IAA6B;QAA7B,SAAI,GAAJ,IAAI,CAAyB;IAAG,CAAC;IAE9D,IAAI,MAAM,KAAoC,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAY,CAAC,CAAC,CAAC;IACvF,IAAI,KAAK,KAAqC,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAc,CAAC,CAAC,CAAC;IACvF,IAAI,UAAU,KAAgC,OAAO,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAc,CAAC,CAAC,CAAC,CAAC;IAC5G,IAAI,gBAAgB,KAA0B,OAAO,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC;IACtF,IAAI,SAAS,KAAiC,OAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,CAAsB,IAAI,SAAS,CAAC,CAAC,CAAC;IAClH,IAAI,YAAY,KAA8B,OAAQ,IAAI,CAAC,IAAI,CAAC,eAAe,CAAmB,IAAI,SAAS,CAAC,CAAC,CAAC;IAClH,IAAI,WAAW,KAAmC,OAAQ,IAAI,CAAC,IAAI,CAAC,cAAc,CAAyC,IAAI,EAAE,CAAC,CAAC,CAAC;IACpI,IAAI,GAAG,KAA2C,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAErE,QAAQ;QACN,OAAO,wBAAwB,IAAI,CAAC,MAAM,WAAW,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC;IACrF,CAAC;CACF;AAED,MAAM,OAAO,SAAS;IACH,QAAQ,CAAS;IACjB,MAAM,CAAkB;IACxB,KAAK,CAAkB;IAExC,YACE,OAAe,EACf,UAAoE,EAAE;QAEtE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK,GAAM,OAAO,CAAC,WAAW,IAAI,YAAY,CAAC,OAAO,CAAC;QAE5D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,GAAG,EAAE;YACzC,MAAM,CAAC,GAAG,IAAI,aAAa,EAAE,CAAC;YAC9B,iBAAiB,CAAC,CAAC,CAAC,CAAC;YACrB,iBAAiB,CAAC,CAAC,CAAC,CAAC;YACrB,OAAO,CAAC,CAAC;QACX,CAAC,CAAC,EAAE,CAAC;QACL,IAAI,CAAC,MAAM,GAAG,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAgB;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACrE,MAAM,GAAG,GAAI,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ,OAAO,EAAE;YAChD,MAAM,EAAG,MAAM;YACf,IAAI,EAAK,IAAI;YACb,OAAO,EAAE,EAAE,cAAc,EAAE,yBAAyB,EAAE,QAAQ,EAAE,kBAAkB,EAAE;SACrF,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAC;QACzD,OAAO,IAAI,CAAC,SAAS,CAAW,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,MAAc;QAC5B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ,SAAS,MAAM,EAAE,EAAE;YACzD,OAAO,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;SAC1C,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,aAAa,MAAM,iBAAiB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/E,OAAO,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAC,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAc;QACzB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ,SAAS,MAAM,SAAS,EAAE;YAChE,MAAM,EAAG,MAAM;YACf,OAAO,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;SAC1C,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,aAAa,MAAM,wBAAwB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACxF,CAAC;IAED,KAAK,CAAC,IAAI,CACR,MAAc,EACd,UAA2D,EAAE;QAE7D,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,IAAI,CAAC;QACtD,MAAM,SAAS,GAAQ,OAAO,CAAC,SAAS,IAAS,MAAM,CAAC;QACxD,MAAM,QAAQ,GAAS,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAE9C,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAC5C,IAAI,MAAM,CAAC,UAAU;gBAAE,OAAO,MAAM,CAAC;YAErC,MAAM,SAAS,GAAG,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACxC,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,SAAS,MAAM,6BAA6B,SAAS,cAAc,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC;YACtH,CAAC;YACD,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;CACF"}