@labacacia/nps-sdk 1.0.0-alpha.5 → 1.0.0-alpha.7

package/CHANGELOG.cn.md

@@ -8,6 +8,32 @@
 
 ---
 
+## [1.0.0-alpha.7] —— 2026-05-17
+
+### 新增
+
+- **`nip/reputation-client.ts` — `ReputationLogClient`（NPS-RFC-0004 Phase 2）**：基于 fetch 的声誉日志 operator 完整客户端。`submitEntry`、`queryEntries`、`getSth`、`getProof`、`getGossipSth`。`verifyInclusion` 使用 `@noble/hashes/sha256` 在本地执行 RFC 9162 §2.1.3.2 Merkle audit-path 验证。`signEntry` / `verifyEntry` 使用 `@noble/ed25519` 签名验证条目。Wire 类型：`ReputationLogEntry`、`SignedTreeHead`、`InclusionProof`、`ObservationWindow`。`AnchorTopologyError` 携带 `nwpErrorCode` + `npsStatus`。30 条回归测试。从 `@labacacia/nps-sdk/nip` 重新导出。
+
+- **`nwp/anchor-client.ts` — `AnchorNodeClient`（NPS-CR-0002）**：基于 fetch 的 Anchor Node 拓扑查询客户端。`getSnapshot`（topology.snapshot）和 `subscribe` async generator（topology.stream NDJSON）。判别联合类型 `TopologyEvent`，包含 `member_joined`、`member_left`、`member_updated`、`anchor_state`、`resync_required` 五种 kind。`AnchorTopologyError` 处理协议错误。24 条回归测试。
+
+### 跟随套件
+
+本次跟随 NPS 套件 `v1.0.0-alpha.7`。
+
+---
+
+## [1.0.0-alpha.6] —— 2026-05-14
+
+### 变更
+
+- **`nip/x509/oids.ts` — IANA PEN 65715（Breaking，CR-0004）**：`LAB_ACACIA_PEN_ARC` 从 `"1.3.6.1.4.1.99999"` 更新为 `"1.3.6.1.4.1.65715"`。在临时弧下签发的证书必须吊销并重新签发。
+
+- **`nwp/index.ts` — 移除 `NwpErrorCodes` 重导出（Breaking）**：从桶文件中移除了 `export * as NwpErrorCodes from "./error-codes.js"`。如需使用，请直接从 `@labacacia/nps-sdk/nwp/error-codes` 导入。
+
+- **版本升级至 `1.0.0-alpha.6`** —— 与 NPS 套件 alpha.6 版本同步。
+
+---
+
 ## [1.0.0-alpha.5] —— 2026-05-01
 
 ### 新增
@@ -123,8 +149,6 @@
 
 作为 NPS 套件 `v1.0.0-alpha.1` 的一部分首次公开 alpha。
 
-[1.0.0-alpha.5]: https://github.com/labacacia/NPS-sdk-ts/releases/tag/v1.0.0-alpha.5
-[1.0.0-alpha.4]: https://gitee.com/labacacia/NPS-sdk-ts/releases/tag/v1.0.0-alpha.4
-[1.0.0-alpha.3]: https://github.com/LabAcacia/NPS-Dev/releases/tag/v1.0.0-alpha.3
-[1.0.0-alpha.2]: https://github.com/LabAcacia/NPS-Dev/releases/tag/v1.0.0-alpha.2
-[1.0.0-alpha.1]: https://github.com/LabAcacia/NPS-Dev/releases/tag/v1.0.0-alpha.1
+[1.0.0-alpha.7]: https://github.com/labacacia/NPS-sdk-ts/releases/tag/v1.0.0-alpha.7
+[1.0.0-alpha.2]: https://github.com/LabAcacia/nps/releases/tag/v1.0.0-alpha.2
+[1.0.0-alpha.1]: https://github.com/LabAcacia/nps/releases/tag/v1.0.0-alpha.1

package/CHANGELOG.md

@@ -8,6 +8,32 @@ Until NPS reaches v1.0 stable, every repository in the suite is synchronized to
 
 ---
 
+## [1.0.0-alpha.7] — 2026-05-17
+
+### Added
+
+- **`nip/reputation-client.ts` — `ReputationLogClient` (NPS-RFC-0004 Phase 2)**: Full fetch-based client for the reputation-log operator API. `submitEntry`, `queryEntries`, `getSth`, `getProof`, `getGossipSth`. `verifyInclusion` performs RFC 9162 §2.1.3.2 Merkle audit-path verification locally using `@noble/hashes/sha256`. `signEntry` / `verifyEntry` sign and verify entries with `@noble/ed25519`. Wire types: `ReputationLogEntry`, `SignedTreeHead`, `InclusionProof`, `ObservationWindow`. `AnchorTopologyError` carries `nwpErrorCode` + `npsStatus`. 30 regression tests. Re-exported from `@labacacia/nps-sdk/nip`.
+
+- **`nwp/anchor-client.ts` — `AnchorNodeClient` (NPS-CR-0002)**: Fetch-based client for Anchor Node topology queries. `getSnapshot` (topology.snapshot) and `subscribe` async generator (topology.stream NDJSON). Discriminated-union `TopologyEvent` with kinds: `member_joined`, `member_left`, `member_updated`, `anchor_state`, `resync_required`. `AnchorTopologyError` for protocol errors. 24 regression tests.
+
+### Tracking the suite
+
+This release tracks NPS suite `v1.0.0-alpha.7`.
+
+---
+
+## [1.0.0-alpha.6] — 2026-05-14
+
+### Changed
+
+- **`nip/x509/oids.ts` — IANA PEN 65715 (Breaking, CR-0004)**: `LAB_ACACIA_PEN_ARC` updated from `"1.3.6.1.4.1.99999"` to `"1.3.6.1.4.1.65715"`. Certificates issued under the provisional arc must be revoked and re-issued.
+
+- **`nwp/index.ts` — `NwpErrorCodes` re-export removed (Breaking)**: `export * as NwpErrorCodes from "./error-codes.js"` removed from the barrel. Import directly from `@labacacia/nps-sdk/nwp/error-codes` if needed.
+
+- **Version bump to `1.0.0-alpha.6`** — synchronized with NPS suite alpha.6 release.
+
+---
+
 ## [1.0.0-alpha.5] — 2026-05-01
 
 ### Added
@@ -132,8 +158,6 @@ Until NPS reaches v1.0 stable, every repository in the suite is synchronized to
 
 First public alpha as part of the NPS suite `v1.0.0-alpha.1` release.
 
-[1.0.0-alpha.5]: https://github.com/labacacia/NPS-sdk-ts/releases/tag/v1.0.0-alpha.5
-[1.0.0-alpha.4]: https://github.com/labacacia/NPS-sdk-ts/releases/tag/v1.0.0-alpha.4
-[1.0.0-alpha.3]: https://github.com/LabAcacia/NPS-Dev/releases/tag/v1.0.0-alpha.3
-[1.0.0-alpha.2]: https://github.com/LabAcacia/NPS-Dev/releases/tag/v1.0.0-alpha.2
-[1.0.0-alpha.1]: https://github.com/LabAcacia/NPS-Dev/releases/tag/v1.0.0-alpha.1
+[1.0.0-alpha.7]: https://github.com/labacacia/NPS-sdk-ts/releases/tag/v1.0.0-alpha.7
+[1.0.0-alpha.2]: https://github.com/LabAcacia/nps/releases/tag/v1.0.0-alpha.2
+[1.0.0-alpha.1]: https://github.com/LabAcacia/nps/releases/tag/v1.0.0-alpha.1

package/README.cn.md

@@ -7,24 +7,19 @@
 
 ## 状态
 
-**v1.0.0-alpha.5 —— NWP 错误码 + NPS 状态码扩展** · 5 个协议 · 284 个测试 · 覆盖率 ≥ 98%
+**v1.0.0-alpha.6 — RFC-0002 跨 SDK 端口波（第三棒）** · 5 个协议 · 271 个测试 · 覆盖率 ≥ 98%
+
+> npm registry 说明：`@labacacia/nps-sdk@1.0.0-alpha.6` 已 deprecated，因为发布到 npm 的 tarball 缺少 `dist/`。当前 `alpha` dist-tag 临时指向 `1.0.0-alpha.5`；需要 alpha.6 源码时请使用 GitHub `v1.0.0-alpha.6` tag，等待下一个 npm 预发布。
 
 | 协议 | 类 | 状态 |
 |------|----|------|
 | NCP — Neural Communication Protocol | 帧、编解码器 | ✅ |
-| NWP — Neural Web Protocol | `NwpClient`、`NwpErrorCodes` | ✅ |
+| NWP — Neural Web Protocol | `NwpClient` | ✅ |
 | NIP — Neural Identity Protocol | `NipIdentity`、`NipIdentVerifier`（RFC-0002 §8.1 双信任）、`AssuranceLevel`（RFC-0003）、`nip.x509` + `nip.acme` | ✅ |
-| NDP — Neural Discovery Protocol | `InMemoryNdpRegistry`、`NdpAnnounceValidator`、`resolveWithDns`（DNS TXT 回退）、`DnsTxtLookup`、`SystemDnsTxtLookup`、`parseNpsTxtRecord` | ✅ |
+| NDP — Neural Discovery Protocol | `InMemoryNdpRegistry`、`NdpAnnounceValidator` | ✅ |
 | NOP — Neural Orchestration Protocol | `NopClient` | ✅ |
 
-**alpha.5 新增：**
-
-- `NwpErrorCodes` —— 从 `@labacacia/nps-sdk/nwp` 导出，包含 30 个 NWP wire 错误码字符串常量（`NWP-AUTH-*`、`NWP-QUERY-*`、`NWP-TOPOLOGY-*`、`NWP-RESERVED-TYPE-UNSUPPORTED` 等）。
-- `NpsStatusCodes.NPS_SERVER_UNSUPPORTED` —— 新状态码 `"NPS-SERVER-UNSUPPORTED"`（HTTP 501）。
-- `NipErrorCodes.REPUTATION_GOSSIP_FORK` / `.REPUTATION_GOSSIP_SIG_INVALID` —— RFC-0004 Phase 3 gossip 错误码。
-- `AssuranceLevel.fromWire("")` 改为返回 `Anonymous`（spec §5.1.1 修复）。
-
-**alpha.4 新增** —— 完整的 NPS-RFC-0002 X.509 + ACME `agent-01` NID 证书原语：
+**早期新增** —— 完整的 NPS-RFC-0002 X.509 + ACME `agent-01` NID 证书原语：
 
 - `nip.x509` —— `issueLeaf` / `issueRoot` / `verify`（基于 `@peculiar/x509` + 原生 Web Crypto Ed25519）。
 - `nip.acme` —— `AcmeClient` + 进程内 `AcmeServer` + JWS / messages helpers（RFC 8555 + RFC 8037 EdDSA）。
@@ -33,7 +28,7 @@
 ## 安装
 
 ```bash
-npm install @labacacia/nps-sdk
+npm install @labacacia/nps-sdk@alpha
 ```
 
 > **对等依赖：** Node.js 22+
@@ -165,4 +160,4 @@ npm run build
 
 ## 许可证
 
-Apache 2.0 —— 详见 [LICENSE](../../LICENSE)。
+Apache 2.0 —— 详见 [LICENSE](https://github.com/labacacia/NPS-Dev/blob/main/LICENSE)。

package/README.md

@@ -7,24 +7,19 @@ Part of the [LabAcacia](https://github.com/LabAcacia) / INNO LOTUS PTY LTD open-
 
 ## Status
 
-**v1.0.0-alpha.5 — NWP error codes + NPS status code extension** · 5 protocols · 284 tests · ≥ 98% coverage
+**v1.0.0-alpha.6 — RFC-0002 cross-SDK port (third language)** · 5 protocols · 271 tests · ≥ 98% coverage
+
+> npm registry note: `@labacacia/nps-sdk@1.0.0-alpha.6` is deprecated because the published tarball omitted `dist/`. The `alpha` dist-tag currently resolves to `1.0.0-alpha.5`; use the GitHub `v1.0.0-alpha.6` tag for source until the next npm prerelease.
 
 | Protocol | Class | Status |
 |----------|-------|--------|
 | NCP — Neural Communication Protocol | Framing, codec | ✅ |
-| NWP — Neural Web Protocol | `NwpClient`, `NwpErrorCodes` | ✅ |
+| NWP — Neural Web Protocol | `NwpClient` | ✅ |
 | NIP — Neural Identity Protocol | `NipIdentity`, `NipIdentVerifier` (RFC-0002 §8.1 dual-trust), `AssuranceLevel` (RFC-0003), `nip.x509` + `nip.acme` | ✅ |
-| NDP — Neural Discovery Protocol | `InMemoryNdpRegistry`, `NdpAnnounceValidator`, `resolveWithDns` (DNS TXT fallback), `DnsTxtLookup`, `SystemDnsTxtLookup`, `parseNpsTxtRecord` | ✅ |
+| NDP — Neural Discovery Protocol | `InMemoryNdpRegistry`, `NdpAnnounceValidator` | ✅ |
 | NOP — Neural Orchestration Protocol | `NopClient` | ✅ |
 
-**alpha.5 additions:**
-
-- `NwpErrorCodes` — exported from `@labacacia/nps-sdk/nwp`; 30 NWP wire error code constants (`NWP-AUTH-*`, `NWP-QUERY-*`, `NWP-TOPOLOGY-*`, `NWP-RESERVED-TYPE-UNSUPPORTED`, …).
-- `NpsStatusCodes.NPS_SERVER_UNSUPPORTED` — new `"NPS-SERVER-UNSUPPORTED"` status code (HTTP 501) in `src/core/status-codes.ts`.
-- `NipErrorCodes.REPUTATION_GOSSIP_FORK` / `.REPUTATION_GOSSIP_SIG_INVALID` — RFC-0004 Phase 3 gossip error codes.
-- `AssuranceLevel.fromWire("")` returns `Anonymous` instead of `Unknown` (spec §5.1.1 fix).
-
-**alpha.4 additions** — Full NPS-RFC-0002 X.509 + ACME `agent-01` NID certificate primitives:
+**Earlier additions** — Full NPS-RFC-0002 X.509 + ACME `agent-01` NID certificate primitives:
 
 - `nip.x509` — `issueLeaf` / `issueRoot` / `verify` (built on `@peculiar/x509` + native Web Crypto Ed25519).
 - `nip.acme` — `AcmeClient` + in-process `AcmeServer` + JWS / message helpers (RFC 8555 + EdDSA per RFC 8037).
@@ -33,7 +28,7 @@ Part of the [LabAcacia](https://github.com/LabAcacia) / INNO LOTUS PTY LTD open-
 ## Installation
 
 ```bash
-npm install @labacacia/nps-sdk
+npm install @labacacia/nps-sdk@alpha
 ```
 
 > **Peer requirement:** Node.js 22+
@@ -165,4 +160,4 @@ node node_modules/tsup/dist/cli-default.js
 
 ## License
 
-Apache 2.0 — see [LICENSE](../../LICENSE)
+Apache 2.0 — see [LICENSE](https://github.com/labacacia/NPS-Dev/blob/main/LICENSE)

package/dist/nip/index.d.ts

@@ -7,4 +7,5 @@ export * from "./error-codes.js";
 export * from "./verifier.js";
 export * as x509 from "./x509/index.js";
 export * as acme from "./acme/index.js";
+export * from "./reputation-client.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/nip/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAGA,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAGA,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AAGxC,cAAc,wBAAwB,CAAC"}

package/dist/nip/index.js

@@ -10,4 +10,6 @@ export * from "./error-codes.js";
 export * from "./verifier.js";
 export * as x509 from "./x509/index.js";
 export * as acme from "./acme/index.js";
+// RFC-0004 — Reputation log
+export * from "./reputation-client.js";
 //# sourceMappingURL=index.js.map

package/dist/nip/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD,2DAA2D;AAC3D,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD,2DAA2D;AAC3D,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AAExC,4BAA4B;AAC5B,cAAc,wBAAwB,CAAC"}

package/dist/nip/reputation-client.d.ts

@@ -0,0 +1,116 @@
+export interface ObservationWindow {
+    start: string;
+    end: string;
+}
+export declare const IncidentType: {
+    readonly Other: "other";
+    readonly CertRevoked: "cert-revoked";
+    readonly RateLimitViolation: "rate-limit-violation";
+    readonly TosViolation: "tos-violation";
+    readonly ScrapingPattern: "scraping-pattern";
+    readonly PaymentDefault: "payment-default";
+    readonly ContractDispute: "contract-dispute";
+    readonly ImpersonationClaim: "impersonation-claim";
+    readonly PositiveAttestation: "positive-attestation";
+};
+export type IncidentType = typeof IncidentType[keyof typeof IncidentType];
+export declare const Severity: {
+    readonly Info: 0;
+    readonly Minor: 1;
+    readonly Moderate: 2;
+    readonly Major: 3;
+    readonly Critical: 4;
+};
+export type Severity = typeof Severity[keyof typeof Severity];
+export interface ReputationLogEntry {
+    v: number;
+    log_id: string;
+    seq: number;
+    timestamp: string;
+    subject_nid: string;
+    incident: string;
+    incidentRaw?: string;
+    severity: string;
+    window?: ObservationWindow;
+    observation?: unknown;
+    evidence_ref?: string;
+    evidence_sha256?: string;
+    issuer_nid: string;
+    signature: string;
+}
+export interface SignedTreeHead {
+    log_id: string;
+    tree_size: number;
+    timestamp: string;
+    sha256_root_hash: string;
+    signature: string;
+}
+export interface InclusionProof {
+    seq: number;
+    leaf_index: number;
+    tree_size: number;
+    leaf_hash: string;
+    audit_path: string[];
+}
+/**
+ * Sign a ReputationLogEntry and return a new entry with `signature` set.
+ * The private key must be a 32-byte raw Ed25519 private key.
+ */
+export declare function signEntry(privKey: Uint8Array, entry: ReputationLogEntry): ReputationLogEntry;
+/**
+ * Verify the `signature` field of a ReputationLogEntry against the given
+ * Ed25519 public key (32-byte raw).
+ */
+export declare function verifyEntry(pubKey: Uint8Array, entry: ReputationLogEntry): boolean;
+/**
+ * Parse a wire severity string.  Throws an Error for unknown values
+ * (no forward-compat — callers must upgrade to handle new severity levels).
+ */
+export declare function parseSeverity(wire: string): Severity;
+/**
+ * Parse a wire incident string.  Unknown values map to `IncidentType.Other`
+ * (forward-compat); the original string is returned as `incidentRaw`.
+ */
+export declare function parseIncident(wire: string): {
+    incident: IncidentType;
+    incidentRaw?: string;
+};
+export declare class ReputationLogException extends Error {
+    readonly nipErrorCode: string;
+    readonly npsStatus: string;
+    constructor(nipErrorCode: string, npsStatus: string, message?: string);
+}
+export declare class ReputationLogClient {
+    private readonly baseUrl;
+    constructor(baseUrl: string);
+    /**
+     * POST /v1/log/entries — submit a signed entry.
+     * Returns the server-echoed entry with seq/timestamp/log_id filled in.
+     */
+    submit(entry: ReputationLogEntry): Promise<ReputationLogEntry>;
+    /**
+     * GET /v1/log/entries — query entries.
+     * @param options.nid      Filter by subject NID.
+     * @param options.sinceSeq Return only entries with seq > sinceSeq.
+     */
+    query(options?: {
+        nid?: string;
+        sinceSeq?: number;
+    }): Promise<ReputationLogEntry[]>;
+    /** GET /v1/log/sth — current SignedTreeHead. */
+    getSth(): Promise<SignedTreeHead>;
+    /** GET /v1/log/proof?seq=<seq> — InclusionProof for a log entry. */
+    getProof(seq: number): Promise<InclusionProof>;
+    /** GET /v1/log/gossip/sth — gossip SignedTreeHead. */
+    getGossipSth(): Promise<SignedTreeHead>;
+    /**
+     * Verify that `entry` is included in the log at the position described by
+     * `proof`, under the given `sth`.
+     *
+     * Merkle construction (RFC 9162):
+     *   leaf_hash = SHA256(0x00 || utf8(canonical_all_sorted_json_of_entry))
+     *   node_hash = SHA256(0x01 || left_bytes || right_bytes)
+     */
+    static verifyInclusion(proof: InclusionProof, sth: SignedTreeHead, entry: ReputationLogEntry): boolean;
+}
+//# sourceMappingURL=reputation-client.d.ts.map

package/dist/nip/reputation-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reputation-client.d.ts","sourceRoot":"","sources":["../../src/nip/reputation-client.ts"],"names":[],"mappings":"AAwDA,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACb;AAED,eAAO,MAAM,YAAY;;;;;;;;;;CAUf,CAAC;AACX,MAAM,MAAM,YAAY,GAAG,OAAO,YAAY,CAAC,MAAM,OAAO,YAAY,CAAC,CAAC;AAE1E,eAAO,MAAM,QAAQ;;;;;;CAMX,CAAC;AACX,MAAM,MAAM,QAAQ,GAAG,OAAO,QAAQ,CAAC,MAAM,OAAO,QAAQ,CAAC,CAAC;AAc9D,MAAM,WAAW,kBAAkB;IACjC,CAAC,EAAc,MAAM,CAAC;IACtB,MAAM,EAAS,MAAM,CAAC;IACtB,GAAG,EAAY,MAAM,CAAC;IACtB,SAAS,EAAM,MAAM,CAAC;IACtB,WAAW,EAAI,MAAM,CAAC;IACtB,QAAQ,EAAO,MAAM,CAAC;IACtB,WAAW,CAAC,EAAG,MAAM,CAAC;IACtB,QAAQ,EAAO,MAAM,CAAC;IACtB,MAAM,CAAC,EAAQ,iBAAiB,CAAC;IACjC,WAAW,CAAC,EAAG,OAAO,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,EAAK,MAAM,CAAC;IACtB,SAAS,EAAM,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAW,MAAM,CAAC;IACxB,SAAS,EAAQ,MAAM,CAAC;IACxB,SAAS,EAAQ,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAQ,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAS,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAG,MAAM,CAAC;IACnB,SAAS,EAAG,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAcD;;;GAGG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,GAAG,kBAAkB,CAI5F;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,GAAG,OAAO,CASlF;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAIpD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,YAAY,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,CAG5F;AAYD,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,YAAY,EAAE,MAAM;aACpB,SAAS,EAAK,MAAM;gBADpB,YAAY,EAAE,MAAM,EACpB,SAAS,EAAK,MAAM,EACpC,OAAO,CAAC,EAAE,MAAM;CAKnB;AAiBD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,OAAO,EAAE,MAAM;IAK3B;;;OAGG;IACG,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAUpE;;;;OAIG;IACG,KAAK,CAAC,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAWzF,gDAAgD;IAC1C,MAAM,IAAI,OAAO,CAAC,cAAc,CAAC;IAMvC,oEAAoE;IAC9D,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAMpD,sDAAsD;IAChD,YAAY,IAAI,OAAO,CAAC,cAAc,CAAC;IAM7C;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CACpB,KAAK,EAAE,cAAc,EACrB,GAAG,EAAI,cAAc,EACrB,KAAK,EAAE,kBAAkB,GACxB,OAAO;CA8BX"}

package/dist/nip/reputation-client.js

@@ -0,0 +1,261 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * ReputationLogClient — NPS-RFC-0004 reputation log HTTP client, signing
+ * helpers, and Merkle inclusion verification.
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { sha256 } from "@noble/hashes/sha256";
+// noble/ed25519 requires sha512 to be set explicitly in Node environments
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+// ── Base64url helpers ────────────────────────────────────────────────────────
+function base64urlEncode(bytes) {
+    return Buffer.from(bytes)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
+function base64urlDecode(s) {
+    // Re-pad to a multiple of 4
+    const padded = s.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = (4 - (padded.length % 4)) % 4;
+    return new Uint8Array(Buffer.from(padded + "=".repeat(pad), "base64"));
+}
+// ── Sorted-key canonical JSON ────────────────────────────────────────────────
+/**
+ * Returns a value where every object in the tree has its keys sorted
+ * alphabetically (deeply). Arrays and primitives pass through unchanged.
+ */
+function sortedValue(v) {
+    if (v === null || typeof v !== "object")
+        return v;
+    if (Array.isArray(v))
+        return v.map(sortedValue);
+    const obj = v;
+    const sorted = {};
+    for (const k of Object.keys(obj).sort()) {
+        sorted[k] = sortedValue(obj[k]);
+    }
+    return sorted;
+}
+/** Canonical JSON with all object keys sorted recursively. */
+function sortedJson(obj) {
+    return JSON.stringify(sortedValue(obj));
+}
+export const IncidentType = {
+    Other: "other",
+    CertRevoked: "cert-revoked",
+    RateLimitViolation: "rate-limit-violation",
+    TosViolation: "tos-violation",
+    ScrapingPattern: "scraping-pattern",
+    PaymentDefault: "payment-default",
+    ContractDispute: "contract-dispute",
+    ImpersonationClaim: "impersonation-claim",
+    PositiveAttestation: "positive-attestation",
+};
+export const Severity = {
+    Info: 0,
+    Minor: 1,
+    Moderate: 2,
+    Major: 3,
+    Critical: 4,
+};
+/** Maps wire severity strings to numeric values. Throws on unknown values. */
+const SEVERITY_WIRE = {
+    info: Severity.Info,
+    minor: Severity.Minor,
+    moderate: Severity.Moderate,
+    major: Severity.Major,
+    critical: Severity.Critical,
+};
+/** Known incident wire strings for forward-compat mapping. */
+const KNOWN_INCIDENTS = new Set(Object.values(IncidentType).filter(v => v !== "other"));
+// ── Signing helpers ──────────────────────────────────────────────────────────
+/**
+ * Build the canonical bytes to sign for a ReputationLogEntry.
+ * The `signature` field is excluded; all remaining keys are sorted recursively.
+ */
+function entrySigningBytes(entry) {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const { signature, ...rest } = entry;
+    return new TextEncoder().encode(sortedJson(rest));
+}
+/**
+ * Sign a ReputationLogEntry and return a new entry with `signature` set.
+ * The private key must be a 32-byte raw Ed25519 private key.
+ */
+export function signEntry(privKey, entry) {
+    const bytes = entrySigningBytes(entry);
+    const sig = ed25519.sign(bytes, privKey);
+    return { ...entry, signature: `ed25519:${base64urlEncode(sig)}` };
+}
+/**
+ * Verify the `signature` field of a ReputationLogEntry against the given
+ * Ed25519 public key (32-byte raw).
+ */
+export function verifyEntry(pubKey, entry) {
+    if (!entry.signature.startsWith("ed25519:"))
+        return false;
+    try {
+        const sigBytes = base64urlDecode(entry.signature.slice("ed25519:".length));
+        const bytes = entrySigningBytes(entry);
+        return ed25519.verify(sigBytes, bytes, pubKey);
+    }
+    catch {
+        return false;
+    }
+}
+// ── Severity / incident parsing ──────────────────────────────────────────────
+/**
+ * Parse a wire severity string.  Throws an Error for unknown values
+ * (no forward-compat — callers must upgrade to handle new severity levels).
+ */
+export function parseSeverity(wire) {
+    const v = SEVERITY_WIRE[wire.toLowerCase()];
+    if (v === undefined)
+        throw new Error(`Unknown NPS severity value: "${wire}"`);
+    return v;
+}
+/**
+ * Parse a wire incident string.  Unknown values map to `IncidentType.Other`
+ * (forward-compat); the original string is returned as `incidentRaw`.
+ */
+export function parseIncident(wire) {
+    if (KNOWN_INCIDENTS.has(wire))
+        return { incident: wire };
+    return { incident: IncidentType.Other, incidentRaw: wire };
+}
+// ── Merkle verification ──────────────────────────────────────────────────────
+function bytesEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    for (let i = 0; i < a.length; i++)
+        if (a[i] !== b[i])
+            return false;
+    return true;
+}
+// ── HTTP client ──────────────────────────────────────────────────────────────
+export class ReputationLogException extends Error {
+    nipErrorCode;
+    npsStatus;
+    constructor(nipErrorCode, npsStatus, message) {
+        super(message);
+        this.nipErrorCode = nipErrorCode;
+        this.npsStatus = npsStatus;
+        this.name = "ReputationLogException";
+    }
+}
+/** Throw a ReputationLogException for non-ok HTTP responses. */
+async function ensureOk(resp) {
+    if (resp.ok)
+        return;
+    let nipCode = "NIP-UNKNOWN";
+    let npsStatus = String(resp.status);
+    let message = resp.statusText;
+    try {
+        const body = await resp.json();
+        if (body.error)
+            nipCode = body.error;
+        if (body.status)
+            npsStatus = body.status;
+        if (body.message)
+            message = body.message;
+    }
+    catch { /* ignore parse failures */ }
+    throw new ReputationLogException(nipCode, npsStatus, message);
+}
+export class ReputationLogClient {
+    baseUrl;
+    constructor(baseUrl) {
+        // Strip trailing slash for consistent path construction
+        this.baseUrl = baseUrl.replace(/\/+$/, "");
+    }
+    /**
+     * POST /v1/log/entries — submit a signed entry.
+     * Returns the server-echoed entry with seq/timestamp/log_id filled in.
+     */
+    async submit(entry) {
+        const resp = await fetch(`${this.baseUrl}/v1/log/entries`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(entry),
+        });
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /**
+     * GET /v1/log/entries — query entries.
+     * @param options.nid      Filter by subject NID.
+     * @param options.sinceSeq Return only entries with seq > sinceSeq.
+     */
+    async query(options) {
+        const params = new URLSearchParams();
+        if (options?.nid !== undefined)
+            params.set("nid", options.nid);
+        if (options?.sinceSeq !== undefined)
+            params.set("since", String(options.sinceSeq));
+        const qs = params.size > 0 ? `?${params.toString()}` : "";
+        const resp = await fetch(`${this.baseUrl}/v1/log/entries${qs}`);
+        await ensureOk(resp);
+        const body = await resp.json();
+        return body.entries;
+    }
+    /** GET /v1/log/sth — current SignedTreeHead. */
+    async getSth() {
+        const resp = await fetch(`${this.baseUrl}/v1/log/sth`);
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /** GET /v1/log/proof?seq=<seq> — InclusionProof for a log entry. */
+    async getProof(seq) {
+        const resp = await fetch(`${this.baseUrl}/v1/log/proof?seq=${seq}`);
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /** GET /v1/log/gossip/sth — gossip SignedTreeHead. */
+    async getGossipSth() {
+        const resp = await fetch(`${this.baseUrl}/v1/log/gossip/sth`);
+        await ensureOk(resp);
+        return resp.json();
+    }
+    /**
+     * Verify that `entry` is included in the log at the position described by
+     * `proof`, under the given `sth`.
+     *
+     * Merkle construction (RFC 9162):
+     *   leaf_hash = SHA256(0x00 || utf8(canonical_all_sorted_json_of_entry))
+     *   node_hash = SHA256(0x01 || left_bytes || right_bytes)
+     */
+    static verifyInclusion(proof, sth, entry) {
+        // Leaf hash includes the signature field
+        const leafBytes = new TextEncoder().encode(sortedJson(entry));
+        const leafBuf = new Uint8Array(1 + leafBytes.length);
+        leafBuf[0] = 0x00;
+        leafBuf.set(leafBytes, 1);
+        const computedLeafHash = sha256(leafBuf);
+        // Verify that the computed leaf hash matches the proof's leaf_hash
+        const proofLeafHash = base64urlDecode(proof.leaf_hash);
+        if (!bytesEqual(computedLeafHash, proofLeafHash))
+            return false;
+        // RFC 9162 fold up the audit path
+        let nodeHash = computedLeafHash;
+        for (let i = 0; i < proof.audit_path.length; i++) {
+            const sibling = base64urlDecode(proof.audit_path[i]);
+            const buf = new Uint8Array(65);
+            buf[0] = 0x01;
+            if (((BigInt(proof.leaf_index) >> BigInt(i)) & 1n) === 0n) {
+                buf.set(nodeHash, 1);
+                buf.set(sibling, 33);
+            }
+            else {
+                buf.set(sibling, 1);
+                buf.set(nodeHash, 33);
+            }
+            nodeHash = sha256(buf);
+        }
+        return bytesEqual(nodeHash, base64urlDecode(sth.sha256_root_hash));
+    }
+}
+//# sourceMappingURL=reputation-client.js.map

package/dist/nip/reputation-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reputation-client.js","sourceRoot":"","sources":["../../src/nip/reputation-client.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;GAGG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAE9C,0EAA0E;AAC1E,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEzE,gFAAgF;AAEhF,SAAS,eAAe,CAAC,KAAiB;IACxC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;SACtB,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,4BAA4B;IAC5B,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,WAAW,CAAC,CAAU;IAC7B,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC;IAClD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG,CAA4B,CAAC;IACzC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8DAA8D;AAC9D,SAAS,UAAU,CAAC,GAAY;IAC9B,OAAO,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1C,CAAC;AASD,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,KAAK,EAAgB,OAAO;IAC5B,WAAW,EAAU,cAAc;IACnC,kBAAkB,EAAG,sBAAsB;IAC3C,YAAY,EAAS,eAAe;IACpC,eAAe,EAAM,kBAAkB;IACvC,cAAc,EAAO,iBAAiB;IACtC,eAAe,EAAM,kBAAkB;IACvC,kBAAkB,EAAG,qBAAqB;IAC1C,mBAAmB,EAAE,sBAAsB;CACnC,CAAC;AAGX,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,IAAI,EAAM,CAAC;IACX,KAAK,EAAK,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,KAAK,EAAK,CAAC;IACX,QAAQ,EAAE,CAAC;CACH,CAAC;AAGX,8EAA8E;AAC9E,MAAM,aAAa,GAA6B;IAC9C,IAAI,EAAM,QAAQ,CAAC,IAAI;IACvB,KAAK,EAAK,QAAQ,CAAC,KAAK;IACxB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;IAC3B,KAAK,EAAK,QAAQ,CAAC,KAAK;IACxB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;CAC5B,CAAC;AAEF,8DAA8D;AAC9D,MAAM,eAAe,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC;AAmChG,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,iBAAiB,CAAC,KAAyB;IAClD,6DAA6D;IAC7D,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;IACrC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,OAAmB,EAAE,KAAyB;IACtE,MAAM,KAAK,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,GAAG,GAAK,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC3C,OAAO,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,WAAW,eAAe,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAkB,EAAE,KAAyB;IACvE,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3E,MAAM,KAAK,GAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC1C,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,GAAG,CAAC,CAAC;IAC9E,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,IAAoB,EAAE,CAAC;IACzE,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;AAC7D,CAAC;AAED,gFAAgF;AAEhF,SAAS,UAAU,CAAC,CAAa,EAAE,CAAa;IAC9C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IACnE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAEhF,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAE7B;IACA;IAFlB,YACkB,YAAoB,EACpB,SAAoB,EACpC,OAAgB;QAEhB,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,iBAAY,GAAZ,YAAY,CAAQ;QACpB,cAAS,GAAT,SAAS,CAAW;QAIpC,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AAED,gEAAgE;AAChE,KAAK,UAAU,QAAQ,CAAC,IAAc;IACpC,IAAI,IAAI,CAAC,EAAE;QAAE,OAAO;IACpB,IAAI,OAAO,GAAI,aAAa,CAAC;IAC7B,IAAI,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,OAAO,GAAK,IAAI,CAAC,UAAU,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAA2D,CAAC;QACxF,IAAI,IAAI,CAAC,KAAK;YAAI,OAAO,GAAK,IAAI,CAAC,KAAK,CAAC;QACzC,IAAI,IAAI,CAAC,MAAM;YAAG,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1C,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,GAAK,IAAI,CAAC,OAAO,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC,CAAC,2BAA2B,CAAC,CAAC;IACvC,MAAM,IAAI,sBAAsB,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,OAAO,mBAAmB;IACb,OAAO,CAAS;IAEjC,YAAY,OAAe;QACzB,wDAAwD;QACxD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,KAAyB;QACpC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,iBAAiB,EAAE;YACzD,MAAM,EAAG,MAAM;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAK,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC/B,CAAC,CAAC;QACH,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAAiC,CAAC;IACpD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,KAAK,CAAC,OAA6C;QACvD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,IAAI,OAAO,EAAE,GAAG,KAAU,SAAS;YAAE,MAAM,CAAC,GAAG,CAAC,KAAK,EAAI,OAAO,CAAC,GAAG,CAAC,CAAC;QACtE,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS;YAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnF,MAAM,EAAE,GAAK,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,kBAAkB,EAAE,EAAE,CAAC,CAAC;QAChE,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAuC,CAAC;QACpE,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,aAAa,CAAC,CAAC;QACvD,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAA6B,CAAC;IAChD,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,qBAAqB,GAAG,EAAE,CAAC,CAAC;QACpE,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAA6B,CAAC;IAChD,CAAC;IAED,sDAAsD;IACtD,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,oBAAoB,CAAC,CAAC;QAC9D,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,IAAI,EAA6B,CAAC;IAChD,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CACpB,KAAqB,EACrB,GAAqB,EACrB,KAAyB;QAEzB,yCAAyC;QACzC,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9D,MAAM,OAAO,GAAK,IAAI,UAAU,CAAC,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;QACvD,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC1B,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QAEzC,mEAAmE;QACnE,MAAM,aAAa,GAAG,eAAe,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,aAAa,CAAC;YAAE,OAAO,KAAK,CAAC;QAE/D,kCAAkC;QAClC,IAAI,QAAQ,GAAG,gBAAgB,CAAC;QAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACjD,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACrD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YAC/B,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;YACd,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC;gBAC1D,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACvB,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;gBACpB,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACxB,CAAC;YACD,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,UAAU,CAAC,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACrE,CAAC;CACF"}

package/dist/nip/x509/oids.d.ts

@@ -1,17 +1,16 @@
 /**
  * OID constants for NPS X.509 certificates per NPS-RFC-0002 §4.
  *
- * The 1.3.6.1.4.1.99999 arc is provisional pending IANA Private Enterprise
- * Number assignment (RFC-0002 §10 OQ-2). All implementations MUST update
- * these constants when the official PEN is granted.
+ * The 1.3.6.1.4.1.65715 arc is the LabAcacia IANA-assigned Private Enterprise
+ * Number (PEN 65715, NPS-CR-0004, 2026-05-08).
  */
-export declare const LAB_ACACIA_PEN_ARC = "1.3.6.1.4.1.99999";
-export declare const EKU_ARC = "1.3.6.1.4.1.99999.1";
-export declare const EXTENSION_ARC = "1.3.6.1.4.1.99999.2";
-export declare const EKU_AGENT_IDENTITY = "1.3.6.1.4.1.99999.1.1";
-export declare const EKU_NODE_IDENTITY = "1.3.6.1.4.1.99999.1.2";
-export declare const EKU_CA_INTERMEDIATE_AGENT = "1.3.6.1.4.1.99999.1.3";
-export declare const NID_ASSURANCE_LEVEL = "1.3.6.1.4.1.99999.2.1";
+export declare const LAB_ACACIA_PEN_ARC = "1.3.6.1.4.1.65715";
+export declare const EKU_ARC = "1.3.6.1.4.1.65715.1";
+export declare const EXTENSION_ARC = "1.3.6.1.4.1.65715.2";
+export declare const EKU_AGENT_IDENTITY = "1.3.6.1.4.1.65715.1.1";
+export declare const EKU_NODE_IDENTITY = "1.3.6.1.4.1.65715.1.2";
+export declare const EKU_CA_INTERMEDIATE_AGENT = "1.3.6.1.4.1.65715.1.3";
+export declare const NID_ASSURANCE_LEVEL = "1.3.6.1.4.1.65715.2.1";
 export declare const ED25519 = "1.3.101.112";
 export declare const OID_EXTENDED_KEY_USAGE = "2.5.29.37";
 //# sourceMappingURL=oids.d.ts.map

package/dist/nip/x509/oids.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oids.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/oids.ts"],"names":[],"mappings":"AAGA;;;;;;GAMG;AAEH,eAAO,MAAM,kBAAkB,sBAAsB,CAAC;AACtD,eAAO,MAAM,OAAO,wBAAuC,CAAC;AAC5D,eAAO,MAAM,aAAa,wBAAiC,CAAC;AAG5D,eAAO,MAAM,kBAAkB,0BAAwB,CAAC;AACxD,eAAO,MAAM,iBAAiB,0BAAyB,CAAC;AACxD,eAAO,MAAM,yBAAyB,0BAAiB,CAAC;AAGxD,eAAO,MAAM,mBAAmB,0BAAuB,CAAC;AAGxD,eAAO,MAAM,OAAO,gBAAgB,CAAC;AAGrC,eAAO,MAAM,sBAAsB,cAAc,CAAC"}
+{"version":3,"file":"oids.d.ts","sourceRoot":"","sources":["../../../src/nip/x509/oids.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AAEH,eAAO,MAAM,kBAAkB,sBAAsB,CAAC;AACtD,eAAO,MAAM,OAAO,wBAAuC,CAAC;AAC5D,eAAO,MAAM,aAAa,wBAAiC,CAAC;AAG5D,eAAO,MAAM,kBAAkB,0BAAwB,CAAC;AACxD,eAAO,MAAM,iBAAiB,0BAAyB,CAAC;AACxD,eAAO,MAAM,yBAAyB,0BAAiB,CAAC;AAGxD,eAAO,MAAM,mBAAmB,0BAAuB,CAAC;AAGxD,eAAO,MAAM,OAAO,gBAAgB,CAAC;AAGrC,eAAO,MAAM,sBAAsB,cAAc,CAAC"}