@labacacia/nps-sdk 1.0.0-alpha.5 → 1.0.0-alpha.7

package/src/ndp/ndp-registry.ts

@@ -1,116 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-import type { AnnounceFrame, NdpResolveResult } from "./frames.js";
-import {
-  extractHostFromTarget,
-  parseNpsTxtRecord,
-  SystemDnsTxtLookup,
-  type DnsTxtLookup,
-} from "./dns-txt.js";
-
-interface RegistryEntry {
-  frame:     AnnounceFrame;
-  expiresAt: number;
-}
-
-export class InMemoryNdpRegistry {
-  private readonly _store = new Map<string, RegistryEntry>();
-
-  // Replaceable for testing
-  clock: () => number = () => Date.now();
-
-  announce(frame: AnnounceFrame): void {
-    const expiresAt = this.clock() + frame.ttl * 1000;
-    if (frame.ttl === 0) {
-      this._store.delete(frame.nid);
-      return;
-    }
-    this._store.set(frame.nid, { frame, expiresAt });
-  }
-
-  getByNid(nid: string): AnnounceFrame | undefined {
-    const entry = this._store.get(nid);
-    if (entry === undefined) return undefined;
-    if (this.clock() > entry.expiresAt) {
-      this._store.delete(nid);
-      return undefined;
-    }
-    return entry.frame;
-  }
-
-  resolve(target: string): NdpResolveResult | undefined {
-    for (const [nid, entry] of this._store) {
-      if (this.clock() > entry.expiresAt) { this._store.delete(nid); continue; }
-      if (!InMemoryNdpRegistry.nwpTargetMatchesNid(nid, target)) continue;
-      const addr = entry.frame.addresses[0];
-      if (addr === undefined) continue;
-      return { host: addr.host, port: addr.port, ttl: entry.frame.ttl };
-    }
-    return undefined;
-  }
-
-  getAll(): AnnounceFrame[] {
-    const now    = this.clock();
-    const result: AnnounceFrame[] = [];
-    for (const [nid, entry] of this._store) {
-      if (now > entry.expiresAt) { this._store.delete(nid); continue; }
-      result.push(entry.frame);
-    }
-    return result;
-  }
-
-  async resolveWithDns(
-    target: string,
-    resolver: DnsTxtLookup = new SystemDnsTxtLookup(),
-  ): Promise<NdpResolveResult | undefined> {
-    // 1. Try in-memory registry first
-    const cached = this.resolve(target);
-    if (cached !== undefined) return cached;
-
-    // 2. Extract hostname and fall back to DNS TXT lookup
-    const host = extractHostFromTarget(target);
-    if (host === undefined) return undefined;
-
-    const txtHost = `_nps-node.${host}`;
-    let records: string[][];
-    try {
-      records = await resolver.resolveTxt(txtHost);
-    } catch {
-      return undefined;
-    }
-
-    for (const record of records) {
-      const result = parseNpsTxtRecord(record, host);
-      if (result !== undefined) return result;
-    }
-
-    return undefined;
-  }
-
-  static nwpTargetMatchesNid(nid: string, target: string): boolean {
-    // NID: urn:nps:node:{authority}:{path-segment}
-    // target: nwp://{authority}/{path}
-    const nidParts = nid.split(":");
-    if (nidParts.length < 5 || nidParts[0] !== "urn" || nidParts[1] !== "nps" || nidParts[2] !== "node") {
-      return false;
-    }
-    if (!target.startsWith("nwp://")) return false;
-
-    const nidAuthority = nidParts[3]!;
-    const nidPath      = nidParts[4]!;
-    const rest         = target.slice("nwp://".length);
-    const slashIdx     = rest.indexOf("/");
-    if (slashIdx === -1) return false;
-
-    const urlAuthority = rest.slice(0, slashIdx);
-    const urlPath      = rest.slice(slashIdx + 1); // without leading slash
-
-    if (urlAuthority !== nidAuthority) return false;
-
-    // nidPath must be a prefix of urlPath at a segment boundary
-    if (urlPath === nidPath) return true;
-    if (urlPath.startsWith(nidPath + "/")) return true;
-    return false;
-  }
-}

package/src/ndp/registry.ts

@@ -1,12 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-import { FrameRegistry } from "../core/registry.js";
-import { FrameType } from "../core/frames.js";
-import { AnnounceFrame, GraphFrame, ResolveFrame } from "./frames.js";
-
-export function registerNdpFrames(registry: FrameRegistry): void {
-  registry.register(FrameType.ANNOUNCE, AnnounceFrame);
-  registry.register(FrameType.RESOLVE,  ResolveFrame);
-  registry.register(FrameType.GRAPH,    GraphFrame);
-}

package/src/ndp/validator.ts

@@ -1,64 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-import * as ed25519 from "@noble/ed25519";
-import { sha512 } from "@noble/hashes/sha512";
-import type { AnnounceFrame } from "./frames.js";
-
-ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
-
-export interface NdpAnnounceResult {
-  isValid:    boolean;
-  errorCode?: string;
-  message?:   string;
-}
-
-export const NdpAnnounceResult = {
-  ok: (): NdpAnnounceResult => ({ isValid: true }),
-  fail: (errorCode: string, message: string): NdpAnnounceResult => ({ isValid: false, errorCode, message }),
-};
-
-export class NdpAnnounceValidator {
-  private readonly _keys = new Map<string, string>(); // nid → "ed25519:<hex>"
-
-  registerPublicKey(nid: string, encodedPubKey: string): void {
-    this._keys.set(nid, encodedPubKey);
-  }
-
-  removePublicKey(nid: string): void {
-    this._keys.delete(nid);
-  }
-
-  get knownPublicKeys(): ReadonlyMap<string, string> {
-    return this._keys;
-  }
-
-  validate(frame: AnnounceFrame): NdpAnnounceResult {
-    const encoded = this._keys.get(frame.nid);
-    if (encoded === undefined) {
-      return NdpAnnounceResult.fail("NDP-ANNOUNCE-NID-MISMATCH", `No public key registered for NID: ${frame.nid}`);
-    }
-
-    try {
-      const prefix  = "ed25519:";
-      const pubHex  = encoded.startsWith(prefix) ? encoded.slice(prefix.length) : encoded;
-      const pubKey  = Buffer.from(pubHex, "hex");
-
-      const sig = frame.signature;
-      if (!sig.startsWith(prefix)) {
-        return NdpAnnounceResult.fail("NDP-ANNOUNCE-SIG-INVALID", "Signature must start with 'ed25519:'");
-      }
-      const sigBytes = Buffer.from(sig.slice(prefix.length), "base64");
-
-      const unsigned  = frame.unsignedDict();
-      const canonical = JSON.stringify(unsigned, Object.keys(unsigned).sort());
-      const message   = new TextEncoder().encode(canonical);
-
-      const valid = ed25519.verify(sigBytes, message, pubKey);
-      if (!valid) return NdpAnnounceResult.fail("NDP-ANNOUNCE-SIG-INVALID", "Ed25519 signature verification failed.");
-      return NdpAnnounceResult.ok();
-    } catch {
-      return NdpAnnounceResult.fail("NDP-ANNOUNCE-SIG-INVALID", "Ed25519 signature verification failed.");
-    }
-  }
-}

package/src/nip/acme/client.ts

@@ -1,185 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * ACME client implementing the `agent-01` challenge type per NPS-RFC-0002 §4.4.
- *
- * Flow: newNonce → newAccount → newOrder → fetch authz → sign challenge token →
- * finalize with CSR → fetch leaf cert.
- */
-
-import * as ed25519 from "@noble/ed25519";
-import { sha512 } from "@noble/hashes/sha512";
-import * as x509 from "@peculiar/x509";
-
-import * as Jws from "./jws.js";
-import type {
-  Authorization, Challenge, Directory, FinalizePayload,
-  Identifier, NewAccountPayload, NewOrderPayload, Order,
-} from "./messages.js";
-import * as wire from "./wire.js";
-
-ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
-x509.cryptoProvider.set(globalThis.crypto);
-
-export interface AcmeClientOptions {
-  /** ACME directory URL. */
-  directoryUrl: string;
-  /** Account/agent Ed25519 private key (32-byte raw). */
-  privateKey:   Uint8Array;
-  /** Account/agent Ed25519 public key (32-byte raw). */
-  publicKey:    Uint8Array;
-  /** Web Crypto Ed25519 keypair for CSR signing (must match privateKey). */
-  webCryptoKeys: CryptoKeyPair;
-}
-
-export class AcmeClient {
-  private directory:  Directory | null = null;
-  private accountUrl: string    | null = null;
-  private lastNonce:  string    | null = null;
-
-  constructor(public readonly options: AcmeClientOptions) {}
-
-  /** Drive the full agent-01 flow for `nid`. Returns issued PEM cert chain. */
-  async issueAgentCert(nid: string): Promise<string> {
-    await this.ensureDirectory();
-    if (this.accountUrl === null) await this.newAccount();
-    const order = await this.newOrder(nid);
-    const authz = await this.fetchAuthz(order.authorizations[0]);
-    await this.respondAgent01(authz);
-    const finalized = await this.finalizeOrder(order, nid);
-    return this.downloadPem(finalized.certificate!);
-  }
-
-  // ── Stages ───────────────────────────────────────────────────────────────
-
-  private async ensureDirectory(): Promise<void> {
-    if (this.directory !== null) return;
-    const resp = await fetch(this.options.directoryUrl);
-    ensureSuccess(resp);
-    this.directory = await resp.json() as Directory;
-    await this.refreshNonce();
-  }
-
-  private async refreshNonce(): Promise<void> {
-    const resp = await fetch(this.directory!.newNonce, { method: "HEAD" });
-    ensureSuccess(resp);
-    this.lastNonce = resp.headers.get("Replay-Nonce");
-    if (this.lastNonce === null) {
-      throw new Error("server omitted Replay-Nonce");
-    }
-  }
-
-  private async newAccount(): Promise<void> {
-    const jwk = Jws.jwkFromPublicKey(this.options.publicKey);
-    const env = Jws.sign(
-      { alg: Jws.ALG_EDDSA, nonce: this.lastNonce!, url: this.directory!.newAccount, jwk },
-      { termsOfServiceAgreed: true } as NewAccountPayload,
-      this.options.privateKey);
-
-    const resp = await this.post(this.directory!.newAccount, env);
-    ensureSuccess(resp);
-    this.accountUrl = resp.headers.get("Location");
-    if (this.accountUrl === null) throw new Error("server omitted account Location");
-    this.captureNonce(resp);
-  }
-
-  private async newOrder(nid: string): Promise<Order> {
-    const env = Jws.sign(
-      { alg: Jws.ALG_EDDSA, nonce: this.lastNonce!, url: this.directory!.newOrder, kid: this.accountUrl! },
-      {
-        identifiers: [{ type: wire.IDENTIFIER_TYPE_NID, value: nid } as Identifier],
-      } as NewOrderPayload,
-      this.options.privateKey);
-
-    const resp = await this.post(this.directory!.newOrder, env);
-    ensureSuccess(resp);
-    this.captureNonce(resp);
-    return await resp.json() as Order;
-  }
-
-  private async fetchAuthz(url: string): Promise<Authorization> {
-    // POST-as-GET (RFC 8555 §6.3).
-    const env = Jws.sign(
-      { alg: Jws.ALG_EDDSA, nonce: this.lastNonce!, url, kid: this.accountUrl! },
-      null,
-      this.options.privateKey);
-    const resp = await this.post(url, env);
-    ensureSuccess(resp);
-    this.captureNonce(resp);
-    return await resp.json() as Authorization;
-  }
-
-  private async respondAgent01(authz: Authorization): Promise<void> {
-    const challenge = authz.challenges.find((c) => c.type === wire.CHALLENGE_AGENT_01);
-    if (!challenge) throw new Error("authz has no agent-01 challenge");
-
-    // Sign the challenge token with the account/NID private key.
-    const tokenBytes = new TextEncoder().encode(challenge.token);
-    const sig = ed25519.sign(tokenBytes, this.options.privateKey);
-
-    const env = Jws.sign(
-      { alg: Jws.ALG_EDDSA, nonce: this.lastNonce!, url: challenge.url, kid: this.accountUrl! },
-      { agent_signature: Jws.b64uEncode(sig) },
-      this.options.privateKey);
-    const resp = await this.post(challenge.url, env);
-    ensureSuccess(resp);
-    this.captureNonce(resp);
-  }
-
-  private async finalizeOrder(order: Order, nid: string): Promise<Order> {
-    const csrDer = await this.buildCsr(nid);
-    const env = Jws.sign(
-      { alg: Jws.ALG_EDDSA, nonce: this.lastNonce!, url: order.finalize, kid: this.accountUrl! },
-      { csr: Jws.b64uEncode(csrDer) } as FinalizePayload,
-      this.options.privateKey);
-    const resp = await this.post(order.finalize, env);
-    ensureSuccess(resp);
-    this.captureNonce(resp);
-    return await resp.json() as Order;
-  }
-
-  private async downloadPem(certUrl: string): Promise<string> {
-    const env = Jws.sign(
-      { alg: Jws.ALG_EDDSA, nonce: this.lastNonce!, url: certUrl, kid: this.accountUrl! },
-      null,
-      this.options.privateKey);
-    const resp = await this.post(certUrl, env);
-    ensureSuccess(resp);
-    this.captureNonce(resp);
-    return await resp.text();
-  }
-
-  // ── helpers ──────────────────────────────────────────────────────────────
-
-  private async post(url: string, env: Jws.Envelope): Promise<Response> {
-    return await fetch(url, {
-      method:  "POST",
-      headers: { "Content-Type": wire.CONTENT_TYPE_JOSE_JSON },
-      body:    JSON.stringify(env),
-    });
-  }
-
-  private captureNonce(resp: Response): void {
-    const nonce = resp.headers.get("Replay-Nonce");
-    if (nonce !== null) this.lastNonce = nonce;
-  }
-
-  private async buildCsr(nid: string): Promise<Uint8Array> {
-    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
-      name: `CN=${nid.replace(/([",+;<>\\])/g, "\\$1")}`,
-      keys: this.options.webCryptoKeys,
-      signingAlgorithm: { name: "Ed25519" },
-      extensions: [
-        new x509.SubjectAlternativeNameExtension([{ type: "url", value: nid }], false),
-      ],
-    });
-    return new Uint8Array(csr.rawData);
-  }
-}
-
-function ensureSuccess(resp: Response): void {
-  if (!resp.ok) {
-    throw new Error(`ACME ${resp.url} HTTP ${resp.status}`);
-  }
-}

package/src/nip/acme/index.ts

@@ -1,8 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-export * from "./client.js";
-export * from "./jws.js";
-export * from "./messages.js";
-export * from "./server.js";
-export * from "./wire.js";

package/src/nip/acme/jws.ts

@@ -1,109 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * JWS signing helpers for ACME with Ed25519 (`alg: "EdDSA"` per RFC 8037).
- *
- * Wire shape (RFC 8555 §6.2 + RFC 7515 flattened JWS JSON serialization):
- * {
- *   "protected": base64url(JSON({alg, nonce, url, [jwk|kid]})),
- *   "payload":   base64url(JSON(payload)),
- *   "signature": base64url(Ed25519(protected || "." || payload))
- * }
- */
-
-import * as ed25519 from "@noble/ed25519";
-import { sha512 } from "@noble/hashes/sha512";
-import { sha256 } from "@noble/hashes/sha2";
-
-ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
-
-export const ALG_EDDSA   = "EdDSA";   // RFC 8037 §3.1
-export const KTY_OKP     = "OKP";     // RFC 8037 §2
-export const CRV_ED25519 = "Ed25519"; // RFC 8037 §2
-
-export interface Jwk {
-  kty: string;
-  crv: string;
-  x:   string;
-}
-
-export interface ProtectedHeader {
-  alg:    string;
-  nonce:  string;
-  url:    string;
-  jwk?:   Jwk;
-  kid?:   string;
-}
-
-export interface Envelope {
-  protected: string;
-  payload:   string;
-  signature: string;
-}
-
-export function jwkFromPublicKey(rawPubKey: Uint8Array): Jwk {
-  if (rawPubKey.length !== 32) {
-    throw new Error(`Ed25519 public key must be 32 bytes, got ${rawPubKey.length}`);
-  }
-  return { kty: KTY_OKP, crv: CRV_ED25519, x: b64uEncode(rawPubKey) };
-}
-
-export function publicKeyFromJwk(jwk: Jwk): Uint8Array {
-  if (jwk.kty !== KTY_OKP || jwk.crv !== CRV_ED25519) {
-    throw new Error(`JWK is not OKP/Ed25519: kty=${jwk.kty} crv=${jwk.crv}`);
-  }
-  return b64uDecode(jwk.x);
-}
-
-/** RFC 7638 §3 thumbprint of an Ed25519 JWK (lex-sorted compact JSON, SHA-256, base64url). */
-export function thumbprint(jwk: Jwk): string {
-  const canonical = `{"crv":"${jwk.crv}","kty":"${jwk.kty}","x":"${jwk.x}"}`;
-  return b64uEncode(sha256(new TextEncoder().encode(canonical)));
-}
-
-export function sign(
-  header:   ProtectedHeader,
-  payload:  unknown | null,
-  privKey:  Uint8Array,
-): Envelope {
-  const headerBytes  = new TextEncoder().encode(JSON.stringify(header));
-  const headerB64u   = b64uEncode(headerBytes);
-  const payloadB64u  = payload === null
-    ? ""
-    : b64uEncode(new TextEncoder().encode(JSON.stringify(payload)));
-  const signingInput = new TextEncoder().encode(`${headerB64u}.${payloadB64u}`);
-  const sig          = ed25519.sign(signingInput, privKey);
-  return { protected: headerB64u, payload: payloadB64u, signature: b64uEncode(sig) };
-}
-
-/** Verify a JWS envelope. Returns the parsed protected header on success, else null. */
-export function verify(envelope: Envelope, pubKey: Uint8Array): ProtectedHeader | null {
-  try {
-    const signingInput = new TextEncoder().encode(`${envelope.protected}.${envelope.payload}`);
-    const sigBytes     = b64uDecode(envelope.signature);
-    if (!ed25519.verify(sigBytes, signingInput, pubKey)) return null;
-    const headerJson = new TextDecoder().decode(b64uDecode(envelope.protected));
-    return JSON.parse(headerJson) as ProtectedHeader;
-  } catch {
-    return null;
-  }
-}
-
-export function decodePayload<T = unknown>(envelope: Envelope): T | null {
-  if (!envelope.payload) return null;
-  return JSON.parse(new TextDecoder().decode(b64uDecode(envelope.payload))) as T;
-}
-
-// ── helpers ──────────────────────────────────────────────────────────────────
-
-export function b64uEncode(bytes: Uint8Array): string {
-  return Buffer.from(bytes).toString("base64").replace(/=+$/, "")
-    .replace(/\+/g, "-").replace(/\//g, "_");
-}
-
-export function b64uDecode(s: string): Uint8Array {
-  const padded = s + "=".repeat((4 - (s.length % 4)) % 4);
-  const std = padded.replace(/-/g, "+").replace(/_/g, "/");
-  return new Uint8Array(Buffer.from(std, "base64"));
-}

package/src/nip/acme/messages.ts

@@ -1,85 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-/** ACME wire-level DTOs (RFC 8555 + NPS-RFC-0002 §4.4) — plain interfaces. */
-
-export interface DirectoryMeta {
-  termsOfService?:          string;
-  website?:                 string;
-  caaIdentities?:           readonly string[];
-  externalAccountRequired?: boolean;
-}
-
-export interface Directory {
-  newNonce:    string;
-  newAccount:  string;
-  newOrder:    string;
-  revokeCert?: string;
-  keyChange?:  string;
-  meta?:       DirectoryMeta;
-}
-
-export interface NewAccountPayload {
-  termsOfServiceAgreed?: boolean;
-  contact?:              readonly string[];
-  onlyReturnExisting?:   boolean;
-}
-
-export interface Account {
-  status:    string;
-  contact?:  readonly string[];
-  orders?:   string;
-}
-
-export interface Identifier {
-  type:  string;   // "nid" per NPS-RFC-0002 §4.4
-  value: string;
-}
-
-export interface NewOrderPayload {
-  identifiers: readonly Identifier[];
-  notBefore?:  string;
-  notAfter?:   string;
-}
-
-export interface ProblemDetail {
-  type:    string;
-  detail?: string;
-  status?: number;
-}
-
-export interface Order {
-  status:         string;
-  expires?:       string;
-  identifiers:    readonly Identifier[];
-  authorizations: readonly string[];
-  finalize:       string;
-  certificate?:   string;
-  error?:         ProblemDetail;
-}
-
-export interface Challenge {
-  type:       string;   // "agent-01" per NPS-RFC-0002 §4.4
-  url:        string;
-  status:     string;
-  token:      string;
-  validated?: string;
-  error?:     ProblemDetail;
-}
-
-export interface Authorization {
-  status:     string;
-  expires?:   string;
-  identifier: Identifier;
-  challenges: readonly Challenge[];
-}
-
-export interface ChallengeRespondPayload {
-  /** base64url(Ed25519(token)) per NPS-RFC-0002 §4.4. */
-  agent_signature: string;
-}
-
-export interface FinalizePayload {
-  /** base64url(CSR DER). */
-  csr: string;
-}