@labacacia/nps-sdk 1.0.0-alpha.3 → 1.0.0-alpha.4

package/dist/ndp/ndp-registry.js

@@ -0,0 +1,79 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export class InMemoryNdpRegistry {
+    _store = new Map();
+    // Replaceable for testing
+    clock = () => Date.now();
+    announce(frame) {
+        const expiresAt = this.clock() + frame.ttl * 1000;
+        if (frame.ttl === 0) {
+            this._store.delete(frame.nid);
+            return;
+        }
+        this._store.set(frame.nid, { frame, expiresAt });
+    }
+    getByNid(nid) {
+        const entry = this._store.get(nid);
+        if (entry === undefined)
+            return undefined;
+        if (this.clock() > entry.expiresAt) {
+            this._store.delete(nid);
+            return undefined;
+        }
+        return entry.frame;
+    }
+    resolve(target) {
+        for (const [nid, entry] of this._store) {
+            if (this.clock() > entry.expiresAt) {
+                this._store.delete(nid);
+                continue;
+            }
+            if (!InMemoryNdpRegistry.nwpTargetMatchesNid(nid, target))
+                continue;
+            const addr = entry.frame.addresses[0];
+            if (addr === undefined)
+                continue;
+            return { host: addr.host, port: addr.port, ttl: entry.frame.ttl };
+        }
+        return undefined;
+    }
+    getAll() {
+        const now = this.clock();
+        const result = [];
+        for (const [nid, entry] of this._store) {
+            if (now > entry.expiresAt) {
+                this._store.delete(nid);
+                continue;
+            }
+            result.push(entry.frame);
+        }
+        return result;
+    }
+    static nwpTargetMatchesNid(nid, target) {
+        // NID: urn:nps:node:{authority}:{path-segment}
+        // target: nwp://{authority}/{path}
+        const nidParts = nid.split(":");
+        if (nidParts.length < 5 || nidParts[0] !== "urn" || nidParts[1] !== "nps" || nidParts[2] !== "node") {
+            return false;
+        }
+        if (!target.startsWith("nwp://"))
+            return false;
+        const nidAuthority = nidParts[3];
+        const nidPath = nidParts[4];
+        const rest = target.slice("nwp://".length);
+        const slashIdx = rest.indexOf("/");
+        if (slashIdx === -1)
+            return false;
+        const urlAuthority = rest.slice(0, slashIdx);
+        const urlPath = rest.slice(slashIdx + 1); // without leading slash
+        if (urlAuthority !== nidAuthority)
+            return false;
+        // nidPath must be a prefix of urlPath at a segment boundary
+        if (urlPath === nidPath)
+            return true;
+        if (urlPath.startsWith(nidPath + "/"))
+            return true;
+        return false;
+    }
+}
+//# sourceMappingURL=ndp-registry.js.map

package/dist/ndp/ndp-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ndp-registry.js","sourceRoot":"","sources":["../../src/ndp/ndp-registry.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAStC,MAAM,OAAO,mBAAmB;IACb,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE3D,0BAA0B;IAC1B,KAAK,GAAiB,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvC,QAAQ,CAAC,KAAoB;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC;QAClD,IAAI,KAAK,CAAC,GAAG,KAAK,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,OAAO;QACT,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,QAAQ,CAAC,GAAW;QAClB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QAC1C,IAAI,IAAI,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACnC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,OAAO,CAAC,MAAc;QACpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YAC1E,IAAI,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,GAAG,EAAE,MAAM,CAAC;gBAAE,SAAS;YACpE,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,IAAI,KAAK,SAAS;gBAAE,SAAS;YACjC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACpE,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM;QACJ,MAAM,GAAG,GAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAoB,EAAE,CAAC;QACnC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACvC,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAAC,SAAS;YAAC,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,CAAC,mBAAmB,CAAC,GAAW,EAAE,MAAc;QACpD,+CAA+C;QAC/C,mCAAmC;QACnC,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;YACpG,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;QAE/C,MAAM,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;QAClC,MAAM,OAAO,GAAQ,QAAQ,CAAC,CAAC,CAAE,CAAC;QAClC,MAAM,IAAI,GAAW,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,QAAQ,KAAK,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAElC,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,wBAAwB;QAEvE,IAAI,YAAY,KAAK,YAAY;YAAE,OAAO,KAAK,CAAC;QAEhD,4DAA4D;QAC5D,IAAI,OAAO,KAAK,OAAO;YAAE,OAAO,IAAI,CAAC;QACrC,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/ndp/registry.js

@@ -0,0 +1,10 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+import { FrameType } from "../core/frames.js";
+import { AnnounceFrame, GraphFrame, ResolveFrame } from "./frames.js";
+export function registerNdpFrames(registry) {
+    registry.register(FrameType.ANNOUNCE, AnnounceFrame);
+    registry.register(FrameType.RESOLVE, ResolveFrame);
+    registry.register(FrameType.GRAPH, GraphFrame);
+}
+//# sourceMappingURL=registry.js.map

package/dist/ndp/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/ndp/registry.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAGtC,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEtE,MAAM,UAAU,iBAAiB,CAAC,QAAuB;IACvD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IACrD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAG,YAAY,CAAC,CAAC;IACpD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,EAAK,UAAU,CAAC,CAAC;AACpD,CAAC"}

package/dist/ndp/validator.js

@@ -0,0 +1,48 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+export const NdpAnnounceResult = {
+    ok: () => ({ isValid: true }),
+    fail: (errorCode, message) => ({ isValid: false, errorCode, message }),
+};
+export class NdpAnnounceValidator {
+    _keys = new Map(); // nid → "ed25519:<hex>"
+    registerPublicKey(nid, encodedPubKey) {
+        this._keys.set(nid, encodedPubKey);
+    }
+    removePublicKey(nid) {
+        this._keys.delete(nid);
+    }
+    get knownPublicKeys() {
+        return this._keys;
+    }
+    validate(frame) {
+        const encoded = this._keys.get(frame.nid);
+        if (encoded === undefined) {
+            return NdpAnnounceResult.fail("NDP-ANNOUNCE-NID-MISMATCH", `No public key registered for NID: ${frame.nid}`);
+        }
+        try {
+            const prefix = "ed25519:";
+            const pubHex = encoded.startsWith(prefix) ? encoded.slice(prefix.length) : encoded;
+            const pubKey = Buffer.from(pubHex, "hex");
+            const sig = frame.signature;
+            if (!sig.startsWith(prefix)) {
+                return NdpAnnounceResult.fail("NDP-ANNOUNCE-SIG-INVALID", "Signature must start with 'ed25519:'");
+            }
+            const sigBytes = Buffer.from(sig.slice(prefix.length), "base64");
+            const unsigned = frame.unsignedDict();
+            const canonical = JSON.stringify(unsigned, Object.keys(unsigned).sort());
+            const message = new TextEncoder().encode(canonical);
+            const valid = ed25519.verify(sigBytes, message, pubKey);
+            if (!valid)
+                return NdpAnnounceResult.fail("NDP-ANNOUNCE-SIG-INVALID", "Ed25519 signature verification failed.");
+            return NdpAnnounceResult.ok();
+        }
+        catch {
+            return NdpAnnounceResult.fail("NDP-ANNOUNCE-SIG-INVALID", "Ed25519 signature verification failed.");
+        }
+    }
+}
+//# sourceMappingURL=validator.js.map

package/dist/ndp/validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.js","sourceRoot":"","sources":["../../src/ndp/validator.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAG9C,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAQzE,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,EAAE,EAAE,GAAsB,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAChD,IAAI,EAAE,CAAC,SAAiB,EAAE,OAAe,EAAqB,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;CAC1G,CAAC;AAEF,MAAM,OAAO,oBAAoB;IACd,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,wBAAwB;IAE5E,iBAAiB,CAAC,GAAW,EAAE,aAAqB;QAClD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACrC,CAAC;IAED,eAAe,CAAC,GAAW;QACzB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,IAAI,eAAe;QACjB,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,QAAQ,CAAC,KAAoB;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1B,OAAO,iBAAiB,CAAC,IAAI,CAAC,2BAA2B,EAAE,qCAAqC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC/G,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAI,UAAU,CAAC;YAC3B,MAAM,MAAM,GAAI,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;YACpF,MAAM,MAAM,GAAI,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAE3C,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC;YAC5B,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5B,OAAO,iBAAiB,CAAC,IAAI,CAAC,0BAA0B,EAAE,sCAAsC,CAAC,CAAC;YACpG,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;YAEjE,MAAM,QAAQ,GAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACzE,MAAM,OAAO,GAAK,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAEtD,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;YACxD,IAAI,CAAC,KAAK;gBAAE,OAAO,iBAAiB,CAAC,IAAI,CAAC,0BAA0B,EAAE,wCAAwC,CAAC,CAAC;YAChH,OAAO,iBAAiB,CAAC,EAAE,EAAE,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,iBAAiB,CAAC,IAAI,CAAC,0BAA0B,EAAE,wCAAwC,CAAC,CAAC;QACtG,CAAC;IACH,CAAC;CACF"}

package/dist/nip/acme/client.d.ts

@@ -0,0 +1,31 @@
+export interface AcmeClientOptions {
+    /** ACME directory URL. */
+    directoryUrl: string;
+    /** Account/agent Ed25519 private key (32-byte raw). */
+    privateKey: Uint8Array;
+    /** Account/agent Ed25519 public key (32-byte raw). */
+    publicKey: Uint8Array;
+    /** Web Crypto Ed25519 keypair for CSR signing (must match privateKey). */
+    webCryptoKeys: CryptoKeyPair;
+}
+export declare class AcmeClient {
+    readonly options: AcmeClientOptions;
+    private directory;
+    private accountUrl;
+    private lastNonce;
+    constructor(options: AcmeClientOptions);
+    /** Drive the full agent-01 flow for `nid`. Returns issued PEM cert chain. */
+    issueAgentCert(nid: string): Promise<string>;
+    private ensureDirectory;
+    private refreshNonce;
+    private newAccount;
+    private newOrder;
+    private fetchAuthz;
+    private respondAgent01;
+    private finalizeOrder;
+    private downloadPem;
+    private post;
+    private captureNonce;
+    private buildCsr;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/nip/acme/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/nip/acme/client.ts"],"names":[],"mappings":"AAwBA,MAAM,WAAW,iBAAiB;IAChC,0BAA0B;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,uDAAuD;IACvD,UAAU,EAAI,UAAU,CAAC;IACzB,sDAAsD;IACtD,SAAS,EAAK,UAAU,CAAC;IACzB,0EAA0E;IAC1E,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,qBAAa,UAAU;aAKO,OAAO,EAAE,iBAAiB;IAJtD,OAAO,CAAC,SAAS,CAA2B;IAC5C,OAAO,CAAC,UAAU,CAA0B;IAC5C,OAAO,CAAC,SAAS,CAA2B;gBAEhB,OAAO,EAAE,iBAAiB;IAEtD,6EAA6E;IACvE,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAYpC,eAAe;YAQf,YAAY;YASZ,UAAU;YAcV,QAAQ;YAcR,UAAU;YAYV,cAAc;YAiBd,aAAa;YAYb,WAAW;YAaX,IAAI;IAQlB,OAAO,CAAC,YAAY;YAKN,QAAQ;CAWvB"}

package/dist/nip/acme/client.js

@@ -0,0 +1,136 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * ACME client implementing the `agent-01` challenge type per NPS-RFC-0002 §4.4.
+ *
+ * Flow: newNonce → newAccount → newOrder → fetch authz → sign challenge token →
+ * finalize with CSR → fetch leaf cert.
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import * as x509 from "@peculiar/x509";
+import * as Jws from "./jws.js";
+import * as wire from "./wire.js";
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+x509.cryptoProvider.set(globalThis.crypto);
+export class AcmeClient {
+    options;
+    directory = null;
+    accountUrl = null;
+    lastNonce = null;
+    constructor(options) {
+        this.options = options;
+    }
+    /** Drive the full agent-01 flow for `nid`. Returns issued PEM cert chain. */
+    async issueAgentCert(nid) {
+        await this.ensureDirectory();
+        if (this.accountUrl === null)
+            await this.newAccount();
+        const order = await this.newOrder(nid);
+        const authz = await this.fetchAuthz(order.authorizations[0]);
+        await this.respondAgent01(authz);
+        const finalized = await this.finalizeOrder(order, nid);
+        return this.downloadPem(finalized.certificate);
+    }
+    // ── Stages ───────────────────────────────────────────────────────────────
+    async ensureDirectory() {
+        if (this.directory !== null)
+            return;
+        const resp = await fetch(this.options.directoryUrl);
+        ensureSuccess(resp);
+        this.directory = await resp.json();
+        await this.refreshNonce();
+    }
+    async refreshNonce() {
+        const resp = await fetch(this.directory.newNonce, { method: "HEAD" });
+        ensureSuccess(resp);
+        this.lastNonce = resp.headers.get("Replay-Nonce");
+        if (this.lastNonce === null) {
+            throw new Error("server omitted Replay-Nonce");
+        }
+    }
+    async newAccount() {
+        const jwk = Jws.jwkFromPublicKey(this.options.publicKey);
+        const env = Jws.sign({ alg: Jws.ALG_EDDSA, nonce: this.lastNonce, url: this.directory.newAccount, jwk }, { termsOfServiceAgreed: true }, this.options.privateKey);
+        const resp = await this.post(this.directory.newAccount, env);
+        ensureSuccess(resp);
+        this.accountUrl = resp.headers.get("Location");
+        if (this.accountUrl === null)
+            throw new Error("server omitted account Location");
+        this.captureNonce(resp);
+    }
+    async newOrder(nid) {
+        const env = Jws.sign({ alg: Jws.ALG_EDDSA, nonce: this.lastNonce, url: this.directory.newOrder, kid: this.accountUrl }, {
+            identifiers: [{ type: wire.IDENTIFIER_TYPE_NID, value: nid }],
+        }, this.options.privateKey);
+        const resp = await this.post(this.directory.newOrder, env);
+        ensureSuccess(resp);
+        this.captureNonce(resp);
+        return await resp.json();
+    }
+    async fetchAuthz(url) {
+        // POST-as-GET (RFC 8555 §6.3).
+        const env = Jws.sign({ alg: Jws.ALG_EDDSA, nonce: this.lastNonce, url, kid: this.accountUrl }, null, this.options.privateKey);
+        const resp = await this.post(url, env);
+        ensureSuccess(resp);
+        this.captureNonce(resp);
+        return await resp.json();
+    }
+    async respondAgent01(authz) {
+        const challenge = authz.challenges.find((c) => c.type === wire.CHALLENGE_AGENT_01);
+        if (!challenge)
+            throw new Error("authz has no agent-01 challenge");
+        // Sign the challenge token with the account/NID private key.
+        const tokenBytes = new TextEncoder().encode(challenge.token);
+        const sig = ed25519.sign(tokenBytes, this.options.privateKey);
+        const env = Jws.sign({ alg: Jws.ALG_EDDSA, nonce: this.lastNonce, url: challenge.url, kid: this.accountUrl }, { agent_signature: Jws.b64uEncode(sig) }, this.options.privateKey);
+        const resp = await this.post(challenge.url, env);
+        ensureSuccess(resp);
+        this.captureNonce(resp);
+    }
+    async finalizeOrder(order, nid) {
+        const csrDer = await this.buildCsr(nid);
+        const env = Jws.sign({ alg: Jws.ALG_EDDSA, nonce: this.lastNonce, url: order.finalize, kid: this.accountUrl }, { csr: Jws.b64uEncode(csrDer) }, this.options.privateKey);
+        const resp = await this.post(order.finalize, env);
+        ensureSuccess(resp);
+        this.captureNonce(resp);
+        return await resp.json();
+    }
+    async downloadPem(certUrl) {
+        const env = Jws.sign({ alg: Jws.ALG_EDDSA, nonce: this.lastNonce, url: certUrl, kid: this.accountUrl }, null, this.options.privateKey);
+        const resp = await this.post(certUrl, env);
+        ensureSuccess(resp);
+        this.captureNonce(resp);
+        return await resp.text();
+    }
+    // ── helpers ──────────────────────────────────────────────────────────────
+    async post(url, env) {
+        return await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": wire.CONTENT_TYPE_JOSE_JSON },
+            body: JSON.stringify(env),
+        });
+    }
+    captureNonce(resp) {
+        const nonce = resp.headers.get("Replay-Nonce");
+        if (nonce !== null)
+            this.lastNonce = nonce;
+    }
+    async buildCsr(nid) {
+        const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+            name: `CN=${nid.replace(/([",+;<>\\])/g, "\\$1")}`,
+            keys: this.options.webCryptoKeys,
+            signingAlgorithm: { name: "Ed25519" },
+            extensions: [
+                new x509.SubjectAlternativeNameExtension([{ type: "url", value: nid }], false),
+            ],
+        });
+        return new Uint8Array(csr.rawData);
+    }
+}
+function ensureSuccess(resp) {
+    if (!resp.ok) {
+        throw new Error(`ACME ${resp.url} HTTP ${resp.status}`);
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/nip/acme/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/nip/acme/client.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;GAKG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAKhC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACzE,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAa3C,MAAM,OAAO,UAAU;IAKO;IAJpB,SAAS,GAAsB,IAAI,CAAC;IACpC,UAAU,GAAqB,IAAI,CAAC;IACpC,SAAS,GAAsB,IAAI,CAAC;IAE5C,YAA4B,OAA0B;QAA1B,YAAO,GAAP,OAAO,CAAmB;IAAG,CAAC;IAE1D,6EAA6E;IAC7E,KAAK,CAAC,cAAc,CAAC,GAAW;QAC9B,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI;YAAE,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACtD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7D,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,WAAY,CAAC,CAAC;IAClD,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI;YAAE,OAAO;QACpC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACpD,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,EAAe,CAAC;QAChD,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5B,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,SAAU,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QACvE,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAClD,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,MAAM,GAAG,GAAG,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAClB,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,SAAU,EAAE,GAAG,EAAE,IAAI,CAAC,SAAU,CAAC,UAAU,EAAE,GAAG,EAAE,EACpF,EAAE,oBAAoB,EAAE,IAAI,EAAuB,EACnD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAU,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAC9D,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjF,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,GAAW;QAChC,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAClB,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,SAAU,EAAE,GAAG,EAAE,IAAI,CAAC,SAAU,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,CAAC,UAAW,EAAE,EACpG;YACE,WAAW,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,mBAAmB,EAAE,KAAK,EAAE,GAAG,EAAgB,CAAC;SACzD,EACpB,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5D,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACxB,OAAO,MAAM,IAAI,CAAC,IAAI,EAAW,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,GAAW;QAClC,+BAA+B;QAC/B,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAClB,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,SAAU,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,UAAW,EAAE,EAC1E,IAAI,EACJ,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACvC,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACxB,OAAO,MAAM,IAAI,CAAC,IAAI,EAAmB,CAAC;IAC5C,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,KAAoB;QAC/C,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACnF,IAAI,CAAC,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QAEnE,6DAA6D;QAC7D,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAE9D,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAClB,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,SAAU,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,UAAW,EAAE,EACzF,EAAE,eAAe,EAAE,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,EACxC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACjD,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,KAAY,EAAE,GAAW;QACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAClB,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,SAAU,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,EAAE,GAAG,EAAE,IAAI,CAAC,UAAW,EAAE,EAC1F,EAAE,GAAG,EAAE,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAqB,EAClD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAClD,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACxB,OAAO,MAAM,IAAI,CAAC,IAAI,EAAW,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,OAAe;QACvC,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAClB,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,SAAU,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,UAAW,EAAE,EACnF,IAAI,EACJ,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3C,aAAa,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACxB,OAAO,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,IAAI,CAAC,GAAW,EAAE,GAAiB;QAC/C,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE;YACtB,MAAM,EAAG,MAAM;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,IAAI,CAAC,sBAAsB,EAAE;YACxD,IAAI,EAAK,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;SAC7B,CAAC,CAAC;IACL,CAAC;IAEO,YAAY,CAAC,IAAc;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC/C,IAAI,KAAK,KAAK,IAAI;YAAE,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;IAC7C,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,GAAW;QAChC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,iCAAiC,CAAC,MAAM,CAAC;YAC9D,IAAI,EAAE,MAAM,GAAG,CAAC,OAAO,CAAC,eAAe,EAAE,MAAM,CAAC,EAAE;YAClD,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,aAAa;YAChC,gBAAgB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;YACrC,UAAU,EAAE;gBACV,IAAI,IAAI,CAAC,+BAA+B,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC;aAC/E;SACF,CAAC,CAAC;QACH,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;CACF;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,QAAQ,IAAI,CAAC,GAAG,SAAS,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC"}

package/dist/nip/acme/index.d.ts

@@ -0,0 +1,6 @@
+export * from "./client.js";
+export * from "./jws.js";
+export * from "./messages.js";
+export * from "./server.js";
+export * from "./wire.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/nip/acme/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/nip/acme/index.ts"],"names":[],"mappings":"AAGA,cAAc,aAAa,CAAC;AAC5B,cAAc,UAAU,CAAC;AACzB,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,WAAW,CAAC"}

package/dist/nip/acme/index.js

@@ -0,0 +1,8 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export * from "./client.js";
+export * from "./jws.js";
+export * from "./messages.js";
+export * from "./server.js";
+export * from "./wire.js";
+//# sourceMappingURL=index.js.map

package/dist/nip/acme/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/nip/acme/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,aAAa,CAAC;AAC5B,cAAc,UAAU,CAAC;AACzB,cAAc,eAAe,CAAC;AAC9B,cAAc,aAAa,CAAC;AAC5B,cAAc,WAAW,CAAC"}

package/dist/nip/acme/jws.d.ts

@@ -0,0 +1,31 @@
+export declare const ALG_EDDSA = "EdDSA";
+export declare const KTY_OKP = "OKP";
+export declare const CRV_ED25519 = "Ed25519";
+export interface Jwk {
+    kty: string;
+    crv: string;
+    x: string;
+}
+export interface ProtectedHeader {
+    alg: string;
+    nonce: string;
+    url: string;
+    jwk?: Jwk;
+    kid?: string;
+}
+export interface Envelope {
+    protected: string;
+    payload: string;
+    signature: string;
+}
+export declare function jwkFromPublicKey(rawPubKey: Uint8Array): Jwk;
+export declare function publicKeyFromJwk(jwk: Jwk): Uint8Array;
+/** RFC 7638 §3 thumbprint of an Ed25519 JWK (lex-sorted compact JSON, SHA-256, base64url). */
+export declare function thumbprint(jwk: Jwk): string;
+export declare function sign(header: ProtectedHeader, payload: unknown | null, privKey: Uint8Array): Envelope;
+/** Verify a JWS envelope. Returns the parsed protected header on success, else null. */
+export declare function verify(envelope: Envelope, pubKey: Uint8Array): ProtectedHeader | null;
+export declare function decodePayload<T = unknown>(envelope: Envelope): T | null;
+export declare function b64uEncode(bytes: Uint8Array): string;
+export declare function b64uDecode(s: string): Uint8Array;
+//# sourceMappingURL=jws.d.ts.map

package/dist/nip/acme/jws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.d.ts","sourceRoot":"","sources":["../../../src/nip/acme/jws.ts"],"names":[],"mappings":"AAoBA,eAAO,MAAM,SAAS,UAAY,CAAC;AACnC,eAAO,MAAM,OAAO,QAAY,CAAC;AACjC,eAAO,MAAM,WAAW,YAAY,CAAC;AAErC,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAI,MAAM,CAAC;CACb;AAED,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAK,MAAM,CAAC;IACf,KAAK,EAAG,MAAM,CAAC;IACf,GAAG,EAAK,MAAM,CAAC;IACf,GAAG,CAAC,EAAI,GAAG,CAAC;IACZ,GAAG,CAAC,EAAI,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAI,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,UAAU,GAAG,GAAG,CAK3D;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,GAAG,GAAG,UAAU,CAKrD;AAED,8FAA8F;AAC9F,wBAAgB,UAAU,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,CAG3C;AAED,wBAAgB,IAAI,CAClB,MAAM,EAAI,eAAe,EACzB,OAAO,EAAG,OAAO,GAAG,IAAI,EACxB,OAAO,EAAG,UAAU,GACnB,QAAQ,CASV;AAED,wFAAwF;AACxF,wBAAgB,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,GAAG,eAAe,GAAG,IAAI,CAUrF;AAED,wBAAgB,aAAa,CAAC,CAAC,GAAG,OAAO,EAAE,QAAQ,EAAE,QAAQ,GAAG,CAAC,GAAG,IAAI,CAGvE;AAID,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAGpD;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAIhD"}

package/dist/nip/acme/jws.js

@@ -0,0 +1,76 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * JWS signing helpers for ACME with Ed25519 (`alg: "EdDSA"` per RFC 8037).
+ *
+ * Wire shape (RFC 8555 §6.2 + RFC 7515 flattened JWS JSON serialization):
+ * {
+ *   "protected": base64url(JSON({alg, nonce, url, [jwk|kid]})),
+ *   "payload":   base64url(JSON(payload)),
+ *   "signature": base64url(Ed25519(protected || "." || payload))
+ * }
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { sha256 } from "@noble/hashes/sha2";
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+export const ALG_EDDSA = "EdDSA"; // RFC 8037 §3.1
+export const KTY_OKP = "OKP"; // RFC 8037 §2
+export const CRV_ED25519 = "Ed25519"; // RFC 8037 §2
+export function jwkFromPublicKey(rawPubKey) {
+    if (rawPubKey.length !== 32) {
+        throw new Error(`Ed25519 public key must be 32 bytes, got ${rawPubKey.length}`);
+    }
+    return { kty: KTY_OKP, crv: CRV_ED25519, x: b64uEncode(rawPubKey) };
+}
+export function publicKeyFromJwk(jwk) {
+    if (jwk.kty !== KTY_OKP || jwk.crv !== CRV_ED25519) {
+        throw new Error(`JWK is not OKP/Ed25519: kty=${jwk.kty} crv=${jwk.crv}`);
+    }
+    return b64uDecode(jwk.x);
+}
+/** RFC 7638 §3 thumbprint of an Ed25519 JWK (lex-sorted compact JSON, SHA-256, base64url). */
+export function thumbprint(jwk) {
+    const canonical = `{"crv":"${jwk.crv}","kty":"${jwk.kty}","x":"${jwk.x}"}`;
+    return b64uEncode(sha256(new TextEncoder().encode(canonical)));
+}
+export function sign(header, payload, privKey) {
+    const headerBytes = new TextEncoder().encode(JSON.stringify(header));
+    const headerB64u = b64uEncode(headerBytes);
+    const payloadB64u = payload === null
+        ? ""
+        : b64uEncode(new TextEncoder().encode(JSON.stringify(payload)));
+    const signingInput = new TextEncoder().encode(`${headerB64u}.${payloadB64u}`);
+    const sig = ed25519.sign(signingInput, privKey);
+    return { protected: headerB64u, payload: payloadB64u, signature: b64uEncode(sig) };
+}
+/** Verify a JWS envelope. Returns the parsed protected header on success, else null. */
+export function verify(envelope, pubKey) {
+    try {
+        const signingInput = new TextEncoder().encode(`${envelope.protected}.${envelope.payload}`);
+        const sigBytes = b64uDecode(envelope.signature);
+        if (!ed25519.verify(sigBytes, signingInput, pubKey))
+            return null;
+        const headerJson = new TextDecoder().decode(b64uDecode(envelope.protected));
+        return JSON.parse(headerJson);
+    }
+    catch {
+        return null;
+    }
+}
+export function decodePayload(envelope) {
+    if (!envelope.payload)
+        return null;
+    return JSON.parse(new TextDecoder().decode(b64uDecode(envelope.payload)));
+}
+// ── helpers ──────────────────────────────────────────────────────────────────
+export function b64uEncode(bytes) {
+    return Buffer.from(bytes).toString("base64").replace(/=+$/, "")
+        .replace(/\+/g, "-").replace(/\//g, "_");
+}
+export function b64uDecode(s) {
+    const padded = s + "=".repeat((4 - (s.length % 4)) % 4);
+    const std = padded.replace(/-/g, "+").replace(/_/g, "/");
+    return new Uint8Array(Buffer.from(std, "base64"));
+}
+//# sourceMappingURL=jws.js.map

package/dist/nip/acme/jws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.js","sourceRoot":"","sources":["../../../src/nip/acme/jws.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;;GASG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,SAAS,GAAK,OAAO,CAAC,CAAG,gBAAgB;AACtD,MAAM,CAAC,MAAM,OAAO,GAAO,KAAK,CAAC,CAAK,cAAc;AACpD,MAAM,CAAC,MAAM,WAAW,GAAG,SAAS,CAAC,CAAC,cAAc;AAsBpD,MAAM,UAAU,gBAAgB,CAAC,SAAqB;IACpD,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4CAA4C,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAQ;IACvC,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,GAAG,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,8FAA8F;AAC9F,MAAM,UAAU,UAAU,CAAC,GAAQ;IACjC,MAAM,SAAS,GAAG,WAAW,GAAG,CAAC,GAAG,YAAY,GAAG,CAAC,GAAG,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC;IAC3E,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,IAAI,CAClB,MAAyB,EACzB,OAAwB,EACxB,OAAoB;IAEpB,MAAM,WAAW,GAAI,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACtE,MAAM,UAAU,GAAK,UAAU,CAAC,WAAW,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAI,OAAO,KAAK,IAAI;QACnC,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAClE,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,UAAU,IAAI,WAAW,EAAE,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAY,OAAO,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACzD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;AACrF,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,MAAM,CAAC,QAAkB,EAAE,MAAkB;IAC3D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,MAAM,QAAQ,GAAO,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACpD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAoB,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAc,QAAkB;IAC3D,IAAI,CAAC,QAAQ,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAM,CAAC;AACjF,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,UAAU,CAAC,KAAiB;IAC1C,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;SAC5D,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAS;IAClC,MAAM,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;AACpD,CAAC"}

package/dist/nip/acme/messages.d.ts

@@ -0,0 +1,71 @@
+/** ACME wire-level DTOs (RFC 8555 + NPS-RFC-0002 §4.4) — plain interfaces. */
+export interface DirectoryMeta {
+    termsOfService?: string;
+    website?: string;
+    caaIdentities?: readonly string[];
+    externalAccountRequired?: boolean;
+}
+export interface Directory {
+    newNonce: string;
+    newAccount: string;
+    newOrder: string;
+    revokeCert?: string;
+    keyChange?: string;
+    meta?: DirectoryMeta;
+}
+export interface NewAccountPayload {
+    termsOfServiceAgreed?: boolean;
+    contact?: readonly string[];
+    onlyReturnExisting?: boolean;
+}
+export interface Account {
+    status: string;
+    contact?: readonly string[];
+    orders?: string;
+}
+export interface Identifier {
+    type: string;
+    value: string;
+}
+export interface NewOrderPayload {
+    identifiers: readonly Identifier[];
+    notBefore?: string;
+    notAfter?: string;
+}
+export interface ProblemDetail {
+    type: string;
+    detail?: string;
+    status?: number;
+}
+export interface Order {
+    status: string;
+    expires?: string;
+    identifiers: readonly Identifier[];
+    authorizations: readonly string[];
+    finalize: string;
+    certificate?: string;
+    error?: ProblemDetail;
+}
+export interface Challenge {
+    type: string;
+    url: string;
+    status: string;
+    token: string;
+    validated?: string;
+    error?: ProblemDetail;
+}
+export interface Authorization {
+    status: string;
+    expires?: string;
+    identifier: Identifier;
+    challenges: readonly Challenge[];
+}
+export interface ChallengeRespondPayload {
+    /** base64url(Ed25519(token)) per NPS-RFC-0002 §4.4. */
+    agent_signature: string;
+}
+export interface FinalizePayload {
+    /** base64url(CSR DER). */
+    csr: string;
+}
+//# sourceMappingURL=messages.d.ts.map

package/dist/nip/acme/messages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"messages.d.ts","sourceRoot":"","sources":["../../../src/nip/acme/messages.ts"],"names":[],"mappings":"AAGA,8EAA8E;AAE9E,MAAM,WAAW,aAAa;IAC5B,cAAc,CAAC,EAAW,MAAM,CAAC;IACjC,OAAO,CAAC,EAAkB,MAAM,CAAC;IACjC,aAAa,CAAC,EAAY,SAAS,MAAM,EAAE,CAAC;IAC5C,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAK,MAAM,CAAC;IACpB,UAAU,EAAG,MAAM,CAAC;IACpB,QAAQ,EAAK,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,IAAI,CAAC,EAAQ,aAAa,CAAC;CAC5B;AAED,MAAM,WAAW,iBAAiB;IAChC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,OAAO,CAAC,EAAe,SAAS,MAAM,EAAE,CAAC;IACzC,kBAAkB,CAAC,EAAI,OAAO,CAAC;CAChC;AAED,MAAM,WAAW,OAAO;IACtB,MAAM,EAAK,MAAM,CAAC;IAClB,OAAO,CAAC,EAAG,SAAS,MAAM,EAAE,CAAC;IAC7B,MAAM,CAAC,EAAI,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAG,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,SAAS,UAAU,EAAE,CAAC;IACnC,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAI,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAK,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,KAAK;IACpB,MAAM,EAAU,MAAM,CAAC;IACvB,OAAO,CAAC,EAAQ,MAAM,CAAC;IACvB,WAAW,EAAK,SAAS,UAAU,EAAE,CAAC;IACtC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,EAAQ,MAAM,CAAC;IACvB,WAAW,CAAC,EAAI,MAAM,CAAC;IACvB,KAAK,CAAC,EAAU,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAQ,MAAM,CAAC;IACnB,GAAG,EAAS,MAAM,CAAC;IACnB,MAAM,EAAM,MAAM,CAAC;IACnB,KAAK,EAAO,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAM,aAAa,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAM,MAAM,CAAC;IACnB,OAAO,CAAC,EAAI,MAAM,CAAC;IACnB,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,EAAE,SAAS,SAAS,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,uBAAuB;IACtC,uDAAuD;IACvD,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,eAAe;IAC9B,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;CACb"}

package/dist/nip/acme/messages.js

@@ -0,0 +1,4 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export {};
+//# sourceMappingURL=messages.js.map

package/dist/nip/acme/messages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"messages.js","sourceRoot":"","sources":["../../../src/nip/acme/messages.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC"}

package/dist/nip/acme/server.d.ts

@@ -0,0 +1,41 @@
+import * as x509 from "@peculiar/x509";
+export interface AcmeServerOptions {
+    caNid: string;
+    caKeys: CryptoKeyPair;
+    caRootCert: x509.X509Certificate;
+    certValidityMs: number;
+}
+export declare class AcmeServer {
+    readonly options: AcmeServerOptions;
+    private readonly server;
+    private readonly nonces;
+    private readonly accountJwks;
+    private readonly orders;
+    private readonly authzs;
+    private readonly challenges;
+    private readonly certs;
+    private boundPort;
+    constructor(options: AcmeServerOptions);
+    start(): Promise<this>;
+    close(): Promise<void>;
+    get baseUrl(): string;
+    get directoryUrl(): string;
+    private dispatch;
+    private handleDirectory;
+    private handleNewNonce;
+    private handleNewAccount;
+    private handleNewOrder;
+    private handleAuthz;
+    private handleChallenge;
+    private handleFinalize;
+    private handleCert;
+    private handleOrder;
+    private mintNonce;
+    private consumeNonce;
+    private verifyAccount;
+    private readEnvelope;
+    private parseHeader;
+    private sendJson;
+    private sendProblem;
+}
+//# sourceMappingURL=server.d.ts.map

package/dist/nip/acme/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/nip/acme/server.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAevC,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAY,MAAM,CAAC;IACxB,MAAM,EAAW,aAAa,CAAC;IAC/B,UAAU,EAAO,IAAI,CAAC,eAAe,CAAC;IACtC,cAAc,EAAG,MAAM,CAAC;CACzB;AA6BD,qBAAa,UAAU;aAUO,OAAO,EAAE,iBAAiB;IATtD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA2B;IAClD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA+B;IAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;IAC9D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;IAC9D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAuC;IAClE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoC;IAC1D,OAAO,CAAC,SAAS,CAAgB;gBAEL,OAAO,EAAE,iBAAiB;IAIhD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAItB,IAAI,OAAO,IAAU,MAAM,CAAiD;IAC5E,IAAI,YAAY,IAAK,MAAM,CAAwC;YAIrD,QAAQ;IAsBtB,OAAO,CAAC,eAAe;IASvB,OAAO,CAAC,cAAc;YAOR,gBAAgB;YAgChB,cAAc;YAwDd,WAAW;YA2BX,eAAe;YAyDf,cAAc;YAuEd,UAAU;YAmBV,WAAW;IAuBzB,OAAO,CAAC,SAAS;IAMjB,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,aAAa;YAOP,YAAY;IAe1B,OAAO,CAAC,WAAW;IAUnB,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,WAAW;CAKpB"}