@labacacia/nps-sdk 1.0.0-alpha.6 → 1.0.0-alpha.7

package/tests/ndp.test.ts

@@ -1,377 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-import { describe, expect, it } from "vitest";
-import { AnnounceFrame, ResolveFrame, GraphFrame } from "../src/ndp/frames.js";
-import { InMemoryNdpRegistry } from "../src/ndp/ndp-registry.js";
-import { NdpAnnounceValidator, NdpAnnounceResult } from "../src/ndp/validator.js";
-import { parseNpsTxtRecord, extractHostFromTarget, type DnsTxtLookup } from "../src/ndp/dns-txt.js";
-import { NipIdentity } from "../src/nip/identity.js";
-import { createFullRegistry } from "../src/setup.js";
-import { NpsFrameCodec } from "../src/core/index.js";
-
-// ── Helpers ───────────────────────────────────────────────────────────────────
-
-const NID   = "urn:nps:node:example.com:data";
-const ADDRS = [{ host: "example.com", port: 17433, protocol: "nwp" }];
-const CAPS  = ["nwp/query", "nwp/stream"];
-
-function makeAnnounce(nid = NID, ttl = 300, id?: NipIdentity): AnnounceFrame {
-  const ident     = id ?? NipIdentity.generate();
-  const timestamp = "2026-01-01T00:00:00Z";
-  const unsigned  = {
-    nid, addresses: ADDRS, capabilities: CAPS, ttl, timestamp, node_type: null,
-  };
-  const sig = ident.sign(unsigned);
-  return new AnnounceFrame(nid, ADDRS, CAPS, ttl, timestamp, sig);
-}
-
-// ── AnnounceFrame round-trip ──────────────────────────────────────────────────
-
-describe("AnnounceFrame", () => {
-  it("toDict / fromDict roundtrip", () => {
-    const f    = makeAnnounce();
-    const back = AnnounceFrame.fromDict(f.toDict());
-    expect(back.nid).toBe(NID);
-    expect(back.ttl).toBe(300);
-    expect(back.addresses[0]?.port).toBe(17433);
-    expect(back.capabilities).toContain("nwp/query");
-  });
-
-  it("unsignedDict omits signature", () => {
-    const f   = makeAnnounce();
-    const d   = f.unsignedDict();
-    expect(d["signature"]).toBeUndefined();
-    expect(d["nid"]).toBe(NID);
-  });
-
-  it("codec roundtrip (MsgPack)", () => {
-    const registry = createFullRegistry();
-    const codec    = new NpsFrameCodec(registry);
-    const f        = makeAnnounce();
-    const back     = codec.decode(codec.encode(f)) as AnnounceFrame;
-    expect(back).toBeInstanceOf(AnnounceFrame);
-    expect(back.nid).toBe(NID);
-  });
-});
-
-// ── ResolveFrame round-trip ───────────────────────────────────────────────────
-
-describe("ResolveFrame", () => {
-  it("toDict / fromDict with resolved", () => {
-    const f    = new ResolveFrame("nwp://example.com/data", "urn:nps:node:a:b", { host: "example.com", port: 17433, ttl: 300 });
-    const back = ResolveFrame.fromDict(f.toDict());
-    expect(back.target).toBe("nwp://example.com/data");
-    expect(back.requesterNid).toBe("urn:nps:node:a:b");
-    expect(back.resolved?.port).toBe(17433);
-  });
-
-  it("toDict / fromDict without optional fields", () => {
-    const f    = new ResolveFrame("nwp://example.com/data");
-    const back = ResolveFrame.fromDict(f.toDict());
-    expect(back.requesterNid).toBeUndefined();
-    expect(back.resolved).toBeUndefined();
-  });
-});
-
-// ── GraphFrame round-trip ─────────────────────────────────────────────────────
-
-describe("GraphFrame", () => {
-  it("toDict / fromDict with nodes", () => {
-    const nodes = [{ nid: NID, addresses: ADDRS, capabilities: CAPS }];
-    const f     = new GraphFrame(1, true, nodes);
-    const back  = GraphFrame.fromDict(f.toDict());
-    expect(back.seq).toBe(1);
-    expect(back.initialSync).toBe(true);
-    expect(back.nodes?.[0]?.nid).toBe(NID);
-    expect(back.patch).toBeUndefined();
-  });
-});
-
-// ── InMemoryNdpRegistry ───────────────────────────────────────────────────────
-
-describe("InMemoryNdpRegistry", () => {
-  it("announce + getByNid", () => {
-    const reg = new InMemoryNdpRegistry();
-    const f   = makeAnnounce();
-    reg.announce(f);
-    expect(reg.getByNid(NID)).toBe(f);
-  });
-
-  it("getByNid returns undefined for unknown NID", () => {
-    const reg = new InMemoryNdpRegistry();
-    expect(reg.getByNid("urn:nps:node:unknown:x")).toBeUndefined();
-  });
-
-  it("announce with ttl=0 removes entry", () => {
-    const reg = new InMemoryNdpRegistry();
-    reg.announce(makeAnnounce(NID, 300));
-    expect(reg.getByNid(NID)).toBeDefined();
-    reg.announce(makeAnnounce(NID, 0));
-    expect(reg.getByNid(NID)).toBeUndefined();
-  });
-
-  it("TTL expiry — getByNid returns undefined after expiry", () => {
-    const reg = new InMemoryNdpRegistry();
-    let   now = 0;
-    reg.clock = () => now;
-    reg.announce(makeAnnounce(NID, 10));
-    now = 11_000;
-    expect(reg.getByNid(NID)).toBeUndefined();
-  });
-
-  it("resolve returns host/port for matching target", () => {
-    const reg = new InMemoryNdpRegistry();
-    reg.announce(makeAnnounce());
-    const r = reg.resolve("nwp://example.com/data/sub");
-    expect(r).toBeDefined();
-    expect(r?.host).toBe("example.com");
-    expect(r?.port).toBe(17433);
-  });
-
-  it("resolve returns undefined for non-matching target", () => {
-    const reg = new InMemoryNdpRegistry();
-    reg.announce(makeAnnounce());
-    expect(reg.resolve("nwp://other.com/data")).toBeUndefined();
-  });
-
-  it("getAll returns active entries", () => {
-    const reg = new InMemoryNdpRegistry();
-    let   now = 0;
-    reg.clock = () => now;
-    reg.announce(makeAnnounce("urn:nps:node:a.com:x", 100));
-    reg.announce(makeAnnounce("urn:nps:node:b.com:y", 1));
-    now = 2_000; // b expired
-    const all = reg.getAll();
-    expect(all).toHaveLength(1);
-    expect(all[0]?.nid).toBe("urn:nps:node:a.com:x");
-  });
-
-  it("resolve skips expired entries", () => {
-    const reg = new InMemoryNdpRegistry();
-    let   now = 0;
-    reg.clock = () => now;
-    reg.announce(makeAnnounce(NID, 5));
-    now = 10_000;
-    expect(reg.resolve("nwp://example.com/data")).toBeUndefined();
-  });
-});
-
-// ── nwpTargetMatchesNid ───────────────────────────────────────────────────────
-
-describe("InMemoryNdpRegistry.nwpTargetMatchesNid", () => {
-  const match = InMemoryNdpRegistry.nwpTargetMatchesNid;
-
-  it("exact match", () => {
-    expect(match("urn:nps:node:example.com:data", "nwp://example.com/data")).toBe(true);
-  });
-
-  it("sub-path match", () => {
-    expect(match("urn:nps:node:example.com:data", "nwp://example.com/data/sub")).toBe(true);
-  });
-
-  it("different authority does not match", () => {
-    expect(match("urn:nps:node:other.com:data", "nwp://example.com/data")).toBe(false);
-  });
-
-  it("sibling path does not match", () => {
-    expect(match("urn:nps:node:example.com:data", "nwp://example.com/dataset")).toBe(false);
-  });
-
-  it("invalid NID format returns false", () => {
-    expect(match("invalid-nid", "nwp://example.com/data")).toBe(false);
-  });
-
-  it("non-nwp:// target returns false", () => {
-    expect(match("urn:nps:node:example.com:data", "http://example.com/data")).toBe(false);
-  });
-
-  it("target without path slash returns false", () => {
-    expect(match("urn:nps:node:example.com:data", "nwp://example.com")).toBe(false);
-  });
-});
-
-// ── NdpAnnounceResult ─────────────────────────────────────────────────────────
-
-describe("NdpAnnounceResult", () => {
-  it("ok() returns isValid=true", () => {
-    const r = NdpAnnounceResult.ok();
-    expect(r.isValid).toBe(true);
-    expect(r.errorCode).toBeUndefined();
-  });
-
-  it("fail() returns isValid=false with code + message", () => {
-    const r = NdpAnnounceResult.fail("NDP-ERR", "bad sig");
-    expect(r.isValid).toBe(false);
-    expect(r.errorCode).toBe("NDP-ERR");
-    expect(r.message).toBe("bad sig");
-  });
-});
-
-// ── NdpAnnounceValidator ──────────────────────────────────────────────────────
-
-describe("NdpAnnounceValidator", () => {
-  it("fails when no key registered", () => {
-    const v   = new NdpAnnounceValidator();
-    const r   = v.validate(makeAnnounce());
-    expect(r.isValid).toBe(false);
-    expect(r.errorCode).toBe("NDP-ANNOUNCE-NID-MISMATCH");
-  });
-
-  it("validates a correctly signed frame", () => {
-    const ident = NipIdentity.generate();
-    const v     = new NdpAnnounceValidator();
-    v.registerPublicKey(NID, ident.pubKeyString);
-    const f = makeAnnounce(NID, 300, ident);
-    expect(v.validate(f).isValid).toBe(true);
-  });
-
-  it("rejects tampered frame (wrong signature)", () => {
-    const ident = NipIdentity.generate();
-    const v     = new NdpAnnounceValidator();
-    v.registerPublicKey(NID, ident.pubKeyString);
-    // Build frame signed by a different key
-    const other = NipIdentity.generate();
-    const f     = makeAnnounce(NID, 300, other);
-    expect(v.validate(f).isValid).toBe(false);
-  });
-
-  it("rejects signature with wrong prefix", () => {
-    const ident = NipIdentity.generate();
-    const v     = new NdpAnnounceValidator();
-    v.registerPublicKey(NID, ident.pubKeyString);
-    const f = new AnnounceFrame(NID, ADDRS, CAPS, 300, "2026-01-01T00:00:00Z", "rsa:invalid");
-    const r = v.validate(f);
-    expect(r.isValid).toBe(false);
-    expect(r.errorCode).toBe("NDP-ANNOUNCE-SIG-INVALID");
-  });
-
-  it("rejects corrupted base64 signature", () => {
-    const ident = NipIdentity.generate();
-    const v     = new NdpAnnounceValidator();
-    v.registerPublicKey(NID, ident.pubKeyString);
-    const f = new AnnounceFrame(NID, ADDRS, CAPS, 300, "2026-01-01T00:00:00Z", "ed25519:!!!garbage!!!");
-    const r = v.validate(f);
-    expect(r.isValid).toBe(false);
-  });
-
-  it("removePublicKey removes registration", () => {
-    const ident = NipIdentity.generate();
-    const v     = new NdpAnnounceValidator();
-    v.registerPublicKey(NID, ident.pubKeyString);
-    v.removePublicKey(NID);
-    expect(v.knownPublicKeys.has(NID)).toBe(false);
-    expect(v.validate(makeAnnounce(NID, 300, ident)).isValid).toBe(false);
-  });
-
-  it("knownPublicKeys is readonly view", () => {
-    const v = new NdpAnnounceValidator();
-    v.registerPublicKey("urn:nps:node:a:1", "ed25519:aabb");
-    expect(v.knownPublicKeys.size).toBe(1);
-  });
-});
-
-// ── DnsTxtResolution ──────────────────────────────────────────────────────────
-
-describe("DnsTxtResolution", () => {
-  // ── parseNpsTxtRecord ───────────────────────────────────────────────────────
-
-  it("parseNpsTxtRecord - valid full record", () => {
-    const parts = ["v=nps1 type=memory port=17434 nid=urn:nps:node:api.example.com:products fp=sha256:a3f9"];
-    const result = parseNpsTxtRecord(parts, "api.example.com");
-    expect(result).toBeDefined();
-    expect(result?.host).toBe("api.example.com");
-    expect(result?.port).toBe(17434);
-    expect(result?.ttl).toBe(300);
-    expect(result?.certFingerprint).toBe("sha256:a3f9");
-  });
-
-  it("parseNpsTxtRecord - missing v returns undefined", () => {
-    const parts = ["type=memory port=17434 nid=urn:nps:node:api.example.com:products"];
-    expect(parseNpsTxtRecord(parts, "api.example.com")).toBeUndefined();
-  });
-
-  it("parseNpsTxtRecord - wrong v returns undefined", () => {
-    const parts = ["v=nps2 nid=urn:nps:node:api.example.com:products"];
-    expect(parseNpsTxtRecord(parts, "api.example.com")).toBeUndefined();
-  });
-
-  it("parseNpsTxtRecord - missing nid returns undefined", () => {
-    const parts = ["v=nps1 type=memory port=17434"];
-    expect(parseNpsTxtRecord(parts, "api.example.com")).toBeUndefined();
-  });
-
-  it("parseNpsTxtRecord - default port", () => {
-    const parts = ["v=nps1 nid=urn:nps:node:api.example.com:products"];
-    const result = parseNpsTxtRecord(parts, "api.example.com");
-    expect(result).toBeDefined();
-    expect(result?.port).toBe(17433);
-  });
-
-  it("parseNpsTxtRecord - with fingerprint", () => {
-    const parts = ["v=nps1 nid=urn:nps:node:api.example.com:products fp=sha256:deadbeef"];
-    const result = parseNpsTxtRecord(parts, "api.example.com");
-    expect(result?.certFingerprint).toBe("sha256:deadbeef");
-  });
-
-  // ── resolveWithDns ──────────────────────────────────────────────────────────
-
-  it("resolveWithDns - uses registry first (dns not called)", async () => {
-    const reg = new InMemoryNdpRegistry();
-    reg.announce(makeAnnounce("urn:nps:node:example.com:data", 300));
-
-    let dnsCalled = false;
-    const mockDns: DnsTxtLookup = {
-      resolveTxt: async (_hostname: string) => {
-        dnsCalled = true;
-        return [];
-      },
-    };
-
-    const result = await reg.resolveWithDns("nwp://example.com/data", mockDns);
-    expect(result).toBeDefined();
-    expect(result?.host).toBe("example.com");
-    expect(dnsCalled).toBe(false);
-  });
-
-  it("resolveWithDns - falls back to dns when registry empty", async () => {
-    const reg = new InMemoryNdpRegistry();
-
-    const mockDns: DnsTxtLookup = {
-      resolveTxt: async (hostname: string) => {
-        expect(hostname).toBe("_nps-node.api.example.com");
-        return [["v=nps1 nid=urn:nps:node:api.example.com:products port=17434"]];
-      },
-    };
-
-    const result = await reg.resolveWithDns("nwp://api.example.com/products", mockDns);
-    expect(result).toBeDefined();
-    expect(result?.host).toBe("api.example.com");
-    expect(result?.port).toBe(17434);
-  });
-
-  it("resolveWithDns - invalid txt returns undefined", async () => {
-    const reg = new InMemoryNdpRegistry();
-
-    const mockDns: DnsTxtLookup = {
-      resolveTxt: async (_hostname: string) => {
-        // Missing v=nps1 and nid — invalid record
-        return [["type=memory port=17434"]];
-      },
-    };
-
-    const result = await reg.resolveWithDns("nwp://api.example.com/products", mockDns);
-    expect(result).toBeUndefined();
-  });
-
-  it("resolveWithDns - empty records returns undefined", async () => {
-    const reg = new InMemoryNdpRegistry();
-
-    const mockDns: DnsTxtLookup = {
-      resolveTxt: async (_hostname: string) => [],
-    };
-
-    const result = await reg.resolveWithDns("nwp://api.example.com/products", mockDns);
-    expect(result).toBeUndefined();
-  });
-});

package/tests/nip-acme-agent01.test.ts

@@ -1,192 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-
-// TypeScript parallel of Java AcmeAgent01Tests / .NET AcmeAgent01Tests
-// per NPS-RFC-0002 §4.4. End-to-end agent-01 round-trip plus tampered-signature
-// negative path.
-
-import { describe, expect, it } from "vitest";
-import * as ed25519 from "@noble/ed25519";
-import { sha512 } from "@noble/hashes/sha512";
-import * as x509 from "@peculiar/x509";
-
-import { AssuranceLevel } from "../src/nip/assurance-level.js";
-import * as ec from "../src/nip/error-codes.js";
-import { issueRoot } from "../src/nip/x509/builder.js";
-import { verify as verifyX509 } from "../src/nip/x509/verifier.js";
-import { AcmeClient } from "../src/nip/acme/client.js";
-import { AcmeServer } from "../src/nip/acme/server.js";
-import * as Jws from "../src/nip/acme/jws.js";
-import * as wire from "../src/nip/acme/wire.js";
-import type {
-  Authorization, ChallengeRespondPayload, Directory, NewAccountPayload,
-  NewOrderPayload, Order, ProblemDetail,
-} from "../src/nip/acme/messages.js";
-import { generateDualKeyPair, randomHexSerial } from "./_rfc0002-keys.js";
-
-ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
-x509.cryptoProvider.set(globalThis.crypto);
-
-interface Fixture {
-  caNid:     string;
-  agentNid:  string;
-  caRoot:    x509.X509Certificate;
-  agentKeys: Awaited<ReturnType<typeof generateDualKeyPair>>;
-  server:    AcmeServer;
-}
-
-async function createFixture(): Promise<Fixture> {
-  const caNid    = "urn:nps:ca:acme-test";
-  const agentNid = "urn:nps:agent:acme-test:1";
-
-  const caKeys = await generateDualKeyPair();
-  const caRoot = await issueRoot({
-    caNid, caKeys: caKeys.webCrypto,
-    notBefore: new Date(Date.now() - 60_000),
-    notAfter:  new Date(Date.now() + 365 * 24 * 3600_000),
-    serialNumber: "01",
-  });
-
-  const agentKeys = await generateDualKeyPair();
-
-  const server = new AcmeServer({
-    caNid, caKeys: caKeys.webCrypto, caRootCert: caRoot,
-    certValidityMs: 30 * 24 * 3600_000,
-  });
-  await server.start();
-
-  return { caNid, agentNid, caRoot, agentKeys, server };
-}
-
-describe("ACME agent-01 — RFC-0002 §4.4 round-trip", () => {
-
-  it("issueAgentCert round-trip returns a PEM chain that verifies against the CA root", async () => {
-    const fx = await createFixture();
-    try {
-      const client = new AcmeClient({
-        directoryUrl:  fx.server.directoryUrl,
-        privateKey:    fx.agentKeys.privRaw,
-        publicKey:     fx.agentKeys.pubRaw,
-        webCryptoKeys: fx.agentKeys.webCrypto,
-      });
-
-      const pem = await client.issueAgentCert(fx.agentNid);
-      expect(pem).toContain("BEGIN CERTIFICATE");
-
-      // Parse PEM chain and re-encode as base64url DER for the X.509 verifier.
-      const certs = x509.PemConverter.decode(pem)
-        .map((buf) => new x509.X509Certificate(buf));
-      expect(certs.length).toBeGreaterThan(0);
-      const chainB64 = certs.map((c) => b64uEncode(new Uint8Array(c.rawData)));
-
-      const result = await verifyX509({
-        certChainBase64UrlDer:  chainB64,
-        assertedNid:            fx.agentNid,
-        assertedAssuranceLevel: AssuranceLevel.ANONYMOUS,
-        trustedRootCerts:       [fx.caRoot],
-      });
-      expect(result.valid).toBe(true);
-      expect(extractCn(result.leaf!.subject)).toBe(fx.agentNid);
-    } finally {
-      await fx.server.close();
-    }
-  });
-
-  it("respondAgent01 with tampered agent_signature → server returns NIP-ACME-CHALLENGE-FAILED", async () => {
-    const fx = await createFixture();
-    try {
-      // Drive the flow manually so we can splice in a forged challenge response.
-      const dirResp = await fetch(fx.server.directoryUrl);
-      expect(dirResp.ok).toBe(true);
-      const dir = await dirResp.json() as Directory;
-
-      const nonceResp = await fetch(dir.newNonce, { method: "HEAD" });
-      let nonce = nonceResp.headers.get("Replay-Nonce")!;
-      expect(nonce).not.toBeNull();
-
-      // newAccount.
-      const jwk = Jws.jwkFromPublicKey(fx.agentKeys.pubRaw);
-      const acctEnv = Jws.sign(
-        { alg: Jws.ALG_EDDSA, nonce, url: dir.newAccount, jwk },
-        { termsOfServiceAgreed: true } as NewAccountPayload,
-        fx.agentKeys.privRaw);
-      const acctResp = await postJose(dir.newAccount, acctEnv);
-      expect(acctResp.status).toBe(201);
-      const accountUrl = acctResp.headers.get("Location")!;
-      nonce = acctResp.headers.get("Replay-Nonce")!;
-
-      // newOrder.
-      const orderEnv = Jws.sign(
-        { alg: Jws.ALG_EDDSA, nonce, url: dir.newOrder, kid: accountUrl },
-        {
-          identifiers: [{ type: wire.IDENTIFIER_TYPE_NID, value: fx.agentNid }],
-        } as NewOrderPayload,
-        fx.agentKeys.privRaw);
-      const orderResp = await postJose(dir.newOrder, orderEnv);
-      expect(orderResp.status).toBe(201);
-      const order = await orderResp.json() as Order;
-      nonce = orderResp.headers.get("Replay-Nonce")!;
-
-      // POST-as-GET on authz to discover the challenge URL + token.
-      const authzEnv = Jws.sign(
-        { alg: Jws.ALG_EDDSA, nonce, url: order.authorizations[0], kid: accountUrl },
-        null, fx.agentKeys.privRaw);
-      const authzResp = await postJose(order.authorizations[0], authzEnv);
-      const authz = await authzResp.json() as Authorization;
-      nonce = authzResp.headers.get("Replay-Nonce")!;
-
-      const challenge = authz.challenges.find((c) => c.type === wire.CHALLENGE_AGENT_01);
-      expect(challenge).toBeDefined();
-
-      // ★ Tampered: sign challenge token with a *different* keypair, but submit
-      //   the JWS envelope under the registered account's key — server verifies
-      //   the JWS sig (passes with account key) and then verifies the agent
-      //   signature against the account key (fails).
-      const forger = await generateDualKeyPair();
-      const tokenBytes = new TextEncoder().encode(challenge!.token);
-      const forgedSig  = ed25519.sign(tokenBytes, forger.privRaw);
-
-      const chEnv = Jws.sign(
-        { alg: Jws.ALG_EDDSA, nonce, url: challenge!.url, kid: accountUrl },
-        { agent_signature: Jws.b64uEncode(forgedSig) } as ChallengeRespondPayload,
-        fx.agentKeys.privRaw);
-      const chResp = await postJose(challenge!.url, chEnv);
-
-      expect(chResp.status).toBe(400);
-      const problem = await chResp.json() as ProblemDetail;
-      expect(problem.type).toBe(ec.ACME_CHALLENGE_FAILED);
-    } finally {
-      await fx.server.close();
-    }
-  });
-});
-
-// ── helpers ──────────────────────────────────────────────────────────────────
-
-async function postJose(url: string, env: Jws.Envelope): Promise<Response> {
-  return await fetch(url, {
-    method:  "POST",
-    headers: { "Content-Type": wire.CONTENT_TYPE_JOSE_JSON },
-    body:    JSON.stringify(env),
-  });
-}
-
-function b64uEncode(bytes: Uint8Array): string {
-  return Buffer.from(bytes).toString("base64").replace(/=+$/, "")
-    .replace(/\+/g, "-").replace(/\//g, "_");
-}
-
-function extractCn(dn: string): string | null {
-  for (const rdn of dn.split(",")) {
-    const t = rdn.trim();
-    if (t.startsWith("CN=")) {
-      let v = t.slice(3);
-      if (v.startsWith("\"") && v.endsWith("\"")) v = v.slice(1, -1);
-      return v.replace(/\\([",+;<>\\])/g, "$1");
-    }
-  }
-  return null;
-}
-
-// Touch the import so unused-symbol lint doesn't trip.
-void randomHexSerial;