npm - @labacacia/nps-sdk - Versions diffs - 1.0.0-alpha.6 → 1.0.0-alpha.7 - Mend

@labacacia/nps-sdk 1.0.0-alpha.6 → 1.0.0-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/CHANGELOG.cn.md +115 -0
package/CHANGELOG.md +124 -0
package/README.cn.md +3 -1
package/README.md +3 -1
package/dist/core/anchor-cache.d.ts +42 -0
package/dist/core/anchor-cache.d.ts.map +1 -0
package/dist/core/anchor-cache.js +104 -0
package/dist/core/anchor-cache.js.map +1 -0
package/dist/core/cache.d.ts +14 -0
package/dist/core/cache.d.ts.map +1 -0
package/dist/core/cache.js +80 -0
package/dist/core/cache.js.map +1 -0
package/dist/core/canonical-json.d.ts +12 -0
package/dist/core/canonical-json.d.ts.map +1 -0
package/dist/core/canonical-json.js +44 -0
package/dist/core/canonical-json.js.map +1 -0
package/dist/core/codec.d.ts +32 -0
package/dist/core/codec.d.ts.map +1 -0
package/dist/core/codec.js +119 -0
package/dist/core/codec.js.map +1 -0
package/dist/core/codecs/index.d.ts +4 -0
package/dist/core/codecs/index.d.ts.map +1 -0
package/{src/core/codecs/index.ts → dist/core/codecs/index.js} +1 -0
package/dist/core/codecs/index.js.map +1 -0
package/dist/core/codecs/ncp-codec.d.ts +39 -0
package/dist/core/codecs/ncp-codec.d.ts.map +1 -0
package/dist/core/codecs/ncp-codec.js +93 -0
package/dist/core/codecs/ncp-codec.js.map +1 -0
package/dist/core/codecs/tier1-json-codec.d.ts +10 -0
package/dist/core/codecs/tier1-json-codec.d.ts.map +1 -0
package/{src/core/codecs/tier1-json-codec.ts → dist/core/codecs/tier1-json-codec.js} +11 -16
package/dist/core/codecs/tier1-json-codec.js.map +1 -0
package/dist/core/codecs/tier2-msgpack-codec.d.ts +10 -0
package/dist/core/codecs/tier2-msgpack-codec.d.ts.map +1 -0
package/{src/core/codecs/tier2-msgpack-codec.ts → dist/core/codecs/tier2-msgpack-codec.js} +10 -14
package/dist/core/codecs/tier2-msgpack-codec.js.map +1 -0
package/dist/core/crypto-provider.d.ts +31 -0
package/dist/core/crypto-provider.d.ts.map +1 -0
package/dist/core/crypto-provider.js +10 -0
package/dist/core/crypto-provider.js.map +1 -0
package/dist/core/exceptions.d.ts +27 -0
package/dist/core/exceptions.d.ts.map +1 -0
package/dist/core/exceptions.js +52 -0
package/dist/core/exceptions.js.map +1 -0
package/dist/core/frame-header.d.ts +87 -0
package/dist/core/frame-header.d.ts.map +1 -0
package/dist/core/frame-header.js +185 -0
package/dist/core/frame-header.js.map +1 -0
package/dist/core/frame-registry.d.ts +35 -0
package/dist/core/frame-registry.d.ts.map +1 -0
package/dist/core/frame-registry.js +63 -0
package/dist/core/frame-registry.js.map +1 -0
package/dist/core/frames.d.ts +81 -0
package/dist/core/frames.d.ts.map +1 -0
package/dist/core/frames.js +154 -0
package/dist/core/frames.js.map +1 -0
package/dist/core/index.d.ts +11 -0
package/dist/core/index.d.ts.map +1 -0
package/{src/core/index.ts → dist/core/index.js} +3 -23
package/dist/core/index.js.map +1 -0
package/dist/core/registry.d.ts +11 -0
package/dist/core/registry.d.ts.map +1 -0
package/dist/core/registry.js +17 -0
package/dist/core/registry.js.map +1 -0
package/dist/core/status-codes.d.ts +29 -0
package/dist/core/status-codes.d.ts.map +1 -0
package/dist/core/status-codes.js +39 -0
package/dist/core/status-codes.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/{src/index.ts → dist/index.js} +1 -1
package/dist/index.js.map +1 -0
package/dist/ncp/frames/anchor-frame.d.ts +29 -0
package/dist/ncp/frames/anchor-frame.d.ts.map +1 -0
package/dist/ncp/frames/anchor-frame.js +54 -0
package/dist/ncp/frames/anchor-frame.js.map +1 -0
package/dist/ncp/frames/caps-frame.d.ts +29 -0
package/dist/ncp/frames/caps-frame.d.ts.map +1 -0
package/dist/ncp/frames/caps-frame.js +29 -0
package/dist/ncp/frames/caps-frame.js.map +1 -0
package/dist/ncp/frames/diff-frame.d.ts +32 -0
package/dist/ncp/frames/diff-frame.d.ts.map +1 -0
package/dist/ncp/frames/diff-frame.js +37 -0
package/dist/ncp/frames/diff-frame.js.map +1 -0
package/dist/ncp/frames/error-frame.d.ts +16 -0
package/dist/ncp/frames/error-frame.d.ts.map +1 -0
package/dist/ncp/frames/error-frame.js +13 -0
package/dist/ncp/frames/error-frame.js.map +1 -0
package/dist/ncp/frames/hello-frame.d.ts +21 -0
package/dist/ncp/frames/hello-frame.d.ts.map +1 -0
package/dist/ncp/frames/hello-frame.js +25 -0
package/dist/ncp/frames/hello-frame.js.map +1 -0
package/dist/ncp/frames/stream-frame.d.ts +16 -0
package/dist/ncp/frames/stream-frame.d.ts.map +1 -0
package/dist/ncp/frames/stream-frame.js +18 -0
package/dist/ncp/frames/stream-frame.js.map +1 -0
package/dist/ncp/frames.d.ts +94 -0
package/dist/ncp/frames.d.ts.map +1 -0
package/dist/ncp/frames.js +192 -0
package/dist/ncp/frames.js.map +1 -0
package/dist/ncp/handshake.d.ts +30 -0
package/dist/ncp/handshake.d.ts.map +1 -0
package/dist/ncp/handshake.js +80 -0
package/dist/ncp/handshake.js.map +1 -0
package/dist/ncp/index.d.ts +12 -0
package/dist/ncp/index.d.ts.map +1 -0
package/{src/ncp/index.ts → dist/ncp/index.js} +1 -0
package/dist/ncp/index.js.map +1 -0
package/dist/ncp/ncp-error-codes.d.ts +23 -0
package/dist/ncp/ncp-error-codes.d.ts.map +1 -0
package/dist/ncp/ncp-error-codes.js +34 -0
package/dist/ncp/ncp-error-codes.js.map +1 -0
package/dist/ncp/ncp-patch-format.d.ts +7 -0
package/dist/ncp/ncp-patch-format.d.ts.map +1 -0
package/dist/ncp/ncp-patch-format.js +13 -0
package/dist/ncp/ncp-patch-format.js.map +1 -0
package/dist/ncp/preamble.d.ts +47 -0
package/dist/ncp/preamble.d.ts.map +1 -0
package/dist/ncp/preamble.js +74 -0
package/dist/ncp/preamble.js.map +1 -0
package/dist/ncp/registry.d.ts +3 -0
package/dist/ncp/registry.d.ts.map +1 -0
package/dist/ncp/registry.js +13 -0
package/dist/ncp/registry.js.map +1 -0
package/dist/ncp/stream-manager.d.ts +57 -0
package/dist/ncp/stream-manager.d.ts.map +1 -0
package/dist/ncp/stream-manager.js +163 -0
package/dist/ncp/stream-manager.js.map +1 -0
package/dist/ndp/dns-txt.d.ts +35 -0
package/dist/ndp/dns-txt.d.ts.map +1 -0
package/dist/ndp/dns-txt.js +67 -0
package/dist/ndp/dns-txt.js.map +1 -0
package/dist/ndp/frames.d.ts +56 -0
package/dist/ndp/frames.d.ts.map +1 -0
package/dist/ndp/frames.js +87 -0
package/dist/ndp/frames.js.map +1 -0
package/dist/ndp/index.d.ts +6 -0
package/dist/ndp/index.d.ts.map +1 -0
package/{src/ndp/index.ts → dist/ndp/index.js} +1 -1
package/dist/ndp/index.js.map +1 -0
package/dist/ndp/ndp-registry.d.ts +13 -0
package/dist/ndp/ndp-registry.d.ts.map +1 -0
package/dist/ndp/ndp-registry.js +104 -0
package/dist/ndp/ndp-registry.js.map +1 -0
package/dist/ndp/registry.d.ts +3 -0
package/dist/ndp/registry.d.ts.map +1 -0
package/dist/ndp/registry.js +10 -0
package/dist/ndp/registry.js.map +1 -0
package/dist/ndp/validator.d.ts +18 -0
package/dist/ndp/validator.d.ts.map +1 -0
package/dist/ndp/validator.js +48 -0
package/dist/ndp/validator.js.map +1 -0
package/dist/nip/acme/client.d.ts +31 -0
package/dist/nip/acme/client.d.ts.map +1 -0
package/dist/nip/acme/client.js +136 -0
package/dist/nip/acme/client.js.map +1 -0
package/dist/nip/acme/index.d.ts +6 -0
package/dist/nip/acme/index.d.ts.map +1 -0
package/{src/nip/acme/index.ts → dist/nip/acme/index.js} +1 -1
package/dist/nip/acme/index.js.map +1 -0
package/dist/nip/acme/jws.d.ts +31 -0
package/dist/nip/acme/jws.d.ts.map +1 -0
package/dist/nip/acme/jws.js +76 -0
package/dist/nip/acme/jws.js.map +1 -0
package/dist/nip/acme/messages.d.ts +71 -0
package/dist/nip/acme/messages.d.ts.map +1 -0
package/dist/nip/acme/messages.js +4 -0
package/dist/nip/acme/messages.js.map +1 -0
package/dist/nip/acme/server.d.ts +41 -0
package/dist/nip/acme/server.d.ts.map +1 -0
package/dist/nip/acme/server.js +458 -0
package/dist/nip/acme/server.js.map +1 -0
package/dist/nip/acme/wire.d.ts +19 -0
package/dist/nip/acme/wire.d.ts.map +1 -0
package/dist/nip/acme/wire.js +21 -0
package/dist/nip/acme/wire.js.map +1 -0
package/dist/nip/assurance-level.d.ts +19 -0
package/dist/nip/assurance-level.d.ts.map +1 -0
package/dist/nip/assurance-level.js +38 -0
package/dist/nip/assurance-level.js.map +1 -0
package/dist/nip/cert-format.d.ts +5 -0
package/dist/nip/cert-format.d.ts.map +1 -0
package/dist/nip/cert-format.js +6 -0
package/dist/nip/cert-format.js.map +1 -0
package/dist/nip/error-codes.d.ts +25 -0
package/dist/nip/error-codes.d.ts.map +1 -0
package/{src/nip/error-codes.ts → dist/nip/error-codes.js} +19 -25
package/dist/nip/error-codes.js.map +1 -0
package/dist/nip/frames.d.ts +53 -0
package/dist/nip/frames.d.ts.map +1 -0
package/dist/nip/frames.js +106 -0
package/dist/nip/frames.js.map +1 -0
package/dist/nip/identity.d.ts +18 -0
package/dist/nip/identity.d.ts.map +1 -0
package/dist/nip/identity.js +94 -0
package/dist/nip/identity.js.map +1 -0
package/dist/nip/index.d.ts +11 -0
package/dist/nip/index.d.ts.map +1 -0
package/{src/nip/index.ts → dist/nip/index.js} +3 -2
package/dist/nip/index.js.map +1 -0
package/dist/nip/registry.d.ts +3 -0
package/dist/nip/registry.d.ts.map +1 -0
package/dist/nip/registry.js +10 -0
package/dist/nip/registry.js.map +1 -0
package/dist/nip/reputation-client.d.ts +116 -0
package/dist/nip/reputation-client.d.ts.map +1 -0
package/dist/nip/reputation-client.js +261 -0
package/dist/nip/reputation-client.js.map +1 -0
package/dist/nip/verifier.d.ts +23 -0
package/dist/nip/verifier.d.ts.map +1 -0
package/dist/nip/verifier.js +90 -0
package/dist/nip/verifier.js.map +1 -0
package/dist/nip/x509/builder.d.ts +35 -0
package/dist/nip/x509/builder.d.ts.map +1 -0
package/dist/nip/x509/builder.js +59 -0
package/dist/nip/x509/builder.js.map +1 -0
package/dist/nip/x509/index.d.ts +4 -0
package/dist/nip/x509/index.d.ts.map +1 -0
package/{src/nip/x509/index.ts → dist/nip/x509/index.js} +1 -1
package/dist/nip/x509/index.js.map +1 -0
package/dist/nip/x509/oids.d.ts +16 -0
package/dist/nip/x509/oids.d.ts.map +1 -0
package/{src/nip/x509/oids.ts → dist/nip/x509/oids.js} +5 -10
package/dist/nip/x509/oids.js.map +1 -0
package/dist/nip/x509/verifier.d.ts +26 -0
package/dist/nip/x509/verifier.d.ts.map +1 -0
package/dist/nip/x509/verifier.js +171 -0
package/dist/nip/x509/verifier.js.map +1 -0
package/dist/nop/client.d.ts +34 -0
package/dist/nop/client.d.ts.map +1 -0
package/dist/nop/client.js +90 -0
package/dist/nop/client.js.map +1 -0
package/dist/nop/frames.d.ts +65 -0
package/dist/nop/frames.d.ts.map +1 -0
package/dist/nop/frames.js +148 -0
package/dist/nop/frames.js.map +1 -0
package/dist/nop/index.d.ts +5 -0
package/dist/nop/index.d.ts.map +1 -0
package/{src/nop/index.ts → dist/nop/index.js} +1 -1
package/dist/nop/index.js.map +1 -0
package/dist/nop/models.d.ts +58 -0
package/dist/nop/models.d.ts.map +1 -0
package/dist/nop/models.js +50 -0
package/dist/nop/models.js.map +1 -0
package/dist/nop/nop-types.d.ts +136 -0
package/dist/nop/nop-types.d.ts.map +1 -0
package/dist/nop/nop-types.js +44 -0
package/dist/nop/nop-types.js.map +1 -0
package/dist/nop/registry.d.ts +3 -0
package/dist/nop/registry.d.ts.map +1 -0
package/dist/nop/registry.js +11 -0
package/dist/nop/registry.js.map +1 -0
package/dist/nwp/anchor-client.d.ts +109 -0
package/dist/nwp/anchor-client.d.ts.map +1 -0
package/dist/nwp/anchor-client.js +279 -0
package/dist/nwp/anchor-client.js.map +1 -0
package/dist/nwp/client.d.ts +22 -0
package/dist/nwp/client.d.ts.map +1 -0
package/dist/nwp/client.js +101 -0
package/dist/nwp/client.js.map +1 -0
package/dist/nwp/frames.d.ts +46 -0
package/dist/nwp/frames.d.ts.map +1 -0
package/dist/nwp/frames.js +81 -0
package/dist/nwp/frames.js.map +1 -0
package/dist/nwp/index.d.ts +5 -0
package/dist/nwp/index.d.ts.map +1 -0
package/{src/nwp/index.ts → dist/nwp/index.js} +2 -1
package/dist/nwp/index.js.map +1 -0
package/dist/nwp/registry.d.ts +3 -0
package/dist/nwp/registry.d.ts.map +1 -0
package/dist/nwp/registry.js +9 -0
package/dist/nwp/registry.js.map +1 -0
package/dist/setup.d.ts +10 -0
package/dist/setup.d.ts.map +1 -0
package/{src/setup.ts → dist/setup.js} +13 -16
package/dist/setup.js.map +1 -0
package/package.json +12 -1
package/CONTRIBUTING.cn.md +0 -35
package/CONTRIBUTING.md +0 -35
package/nip-ca-server/Dockerfile +0 -27
package/nip-ca-server/README.md +0 -45
package/nip-ca-server/db/001_init.sql +0 -25
package/nip-ca-server/docker-compose.yml +0 -29
package/nip-ca-server/package.json +0 -23
package/nip-ca-server/src/ca.ts +0 -155
package/nip-ca-server/src/db.ts +0 -104
package/nip-ca-server/src/index.ts +0 -157
package/nip-ca-server/tsconfig.json +0 -13
package/src/core/anchor-cache.ts +0 -129
package/src/core/cache.ts +0 -93
package/src/core/canonical-json.ts +0 -50
package/src/core/codec.ts +0 -158
package/src/core/codecs/ncp-codec.ts +0 -170
package/src/core/crypto-provider.ts +0 -47
package/src/core/exceptions.ts +0 -57
package/src/core/frame-header.ts +0 -282
package/src/core/frame-registry.ts +0 -91
package/src/core/frames.ts +0 -184
package/src/core/registry.ts +0 -28
package/src/core/status-codes.ts +0 -47
package/src/ncp/frames/anchor-frame.ts +0 -87
package/src/ncp/frames/caps-frame.ts +0 -59
package/src/ncp/frames/diff-frame.ts +0 -69
package/src/ncp/frames/error-frame.ts +0 -26
package/src/ncp/frames/hello-frame.ts +0 -50
package/src/ncp/frames/stream-frame.ts +0 -35
package/src/ncp/frames.ts +0 -251
package/src/ncp/handshake.ts +0 -95
package/src/ncp/ncp-error-codes.ts +0 -36
package/src/ncp/ncp-patch-format.ts +0 -16
package/src/ncp/preamble.ts +0 -79
package/src/ncp/registry.ts +0 -15
package/src/ncp/stream-manager.ts +0 -212
package/src/ndp/dns-txt.ts +0 -86
package/src/ndp/frames.ts +0 -124
package/src/ndp/ndp-registry.ts +0 -116
package/src/ndp/registry.ts +0 -12
package/src/ndp/validator.ts +0 -64
package/src/nip/acme/client.ts +0 -185
package/src/nip/acme/jws.ts +0 -109
package/src/nip/acme/messages.ts +0 -85
package/src/nip/acme/server.ts +0 -480
package/src/nip/acme/wire.ts +0 -24
package/src/nip/assurance-level.ts +0 -40
package/src/nip/cert-format.ts +0 -9
package/src/nip/frames.ts +0 -138
package/src/nip/identity.ts +0 -113
package/src/nip/registry.ts +0 -12
package/src/nip/verifier.ts +0 -122
package/src/nip/x509/builder.ts +0 -91
package/src/nip/x509/verifier.ts +0 -214
package/src/nop/client.ts +0 -103
package/src/nop/frames.ts +0 -181
package/src/nop/models.ts +0 -79
package/src/nop/nop-types.ts +0 -208
package/src/nop/registry.ts +0 -13
package/src/nwp/client.ts +0 -114
package/src/nwp/frames.ts +0 -116
package/src/nwp/registry.ts +0 -11
package/tests/_rfc0002-keys.ts +0 -57
package/tests/core/anchor-cache.test.ts +0 -242
package/tests/core/codec.test.ts +0 -205
package/tests/core/frame-registry.test.ts +0 -46
package/tests/core.test.ts +0 -327
package/tests/ncp/diff-binary-bitset.test.ts +0 -107
package/tests/ncp/e2e-enc-reject.test.ts +0 -93
package/tests/ncp/err-error-frame.test.ts +0 -152
package/tests/ncp/frames.test.ts +0 -359
package/tests/ncp/framing.test.ts +0 -233
package/tests/ncp/hello-frame.test.ts +0 -122
package/tests/ncp/inline-anchor.test.ts +0 -88
package/tests/ncp/preamble.test.ts +0 -93
package/tests/ncp/security.test.ts +0 -184
package/tests/ncp/stream-window.test.ts +0 -167
package/tests/ncp/stream.test.ts +0 -242
package/tests/ncp/version-negotiation.test.ts +0 -123
package/tests/ndp.test.ts +0 -377
package/tests/nip-acme-agent01.test.ts +0 -192
package/tests/nip-x509.test.ts +0 -280
package/tests/nip.test.ts +0 -184
package/tests/nop.test.ts +0 -344
package/tests/nwp.test.ts +0 -237
package/tsconfig.json +0 -20
package/tsup.config.ts +0 -20
package/vitest.config.ts +0 -10

package/tests/nip-x509.test.ts DELETED Viewed

@@ -1,280 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-// TypeScript parallel of Java NipX509Tests / .NET NipX509Tests per NPS-RFC-0002 §4.
-// Covers the 5 verification scenarios documented in the .NET reference.
-import { describe, expect, it } from "vitest";
-import * as ed25519 from "@noble/ed25519";
-import { sha512 } from "@noble/hashes/sha512";
-import * as x509 from "@peculiar/x509";
-import { AssuranceLevel } from "../src/nip/assurance-level.js";
-import { V2_X509 } from "../src/nip/cert-format.js";
-import * as ec from "../src/nip/error-codes.js";
-import { IdentFrame } from "../src/nip/frames.js";
-import { NipIdentVerifier } from "../src/nip/verifier.js";
-import { issueLeaf, issueRoot } from "../src/nip/x509/builder.js";
-import { generateDualKeyPair, randomHexSerial, type DualKeyPair } from "./_rfc0002-keys.js";
-ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
-x509.cryptoProvider.set(globalThis.crypto);
-describe("NipX509 — RFC-0002 §4 verifier scenarios", () => {
-  it("registerX509 round-trip — dual-trust verifier accepts", async () => {
-    const caNid    = "urn:nps:ca:test";
-    const agentNid = "urn:nps:agent:happy:1";
-    const ca    = await generateDualKeyPair();
-    const agent = await generateDualKeyPair();
-    const root = await issueRoot({
-      caNid, caKeys: ca.webCrypto,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(365),
-      serialNumber: "01",
-    });
-    const leaf = await issueLeaf({
-      subjectNid: agentNid, subjectPublicKey: agent.webCrypto.publicKey,
-      caKeys: ca.webCrypto, issuerNid: caNid, role: "agent",
-      assuranceLevel: AssuranceLevel.ATTESTED,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(30),
-      serialNumber: "02",
-    });
-    const frame = await buildV2Frame(agentNid, agent.pubRaw, ca.privRaw,
-      AssuranceLevel.ATTESTED, leaf, root);
-    const verifier = new NipIdentVerifier({
-      trustedCaPublicKeys: { [caNid]: pubKeyHex(ca.pubRaw) },
-      trustedX509Roots:    [root],
-    });
-    const result = await verifier.verify(frame, caNid);
-    expect(result.valid).toBe(true);
-    expect(result.stepFailed).toBe(0);
-  });
-  it("leaf without EKU extension — verifier rejects with NIP-CERT-EKU-MISSING", async () => {
-    const caNid    = "urn:nps:ca:test";
-    const agentNid = "urn:nps:agent:eku-stripped:1";
-    const ca    = await generateDualKeyPair();
-    const agent = await generateDualKeyPair();
-    const root = await issueRoot({
-      caNid, caKeys: ca.webCrypto,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(365),
-      serialNumber: "01",
-    });
-    const tampered = await buildLeafWithoutEku(
-      agentNid, agent.webCrypto.publicKey, ca.webCrypto, caNid, "63");
-    const frame = await buildV2Frame(agentNid, agent.pubRaw, ca.privRaw,
-      null, tampered, root);
-    const verifier = new NipIdentVerifier({
-      trustedCaPublicKeys: { [caNid]: pubKeyHex(ca.pubRaw) },
-      trustedX509Roots:    [root],
-    });
-    const result = await verifier.verify(frame, caNid);
-    expect(result.valid).toBe(false);
-    expect(result.errorCode).toBe(ec.CERT_EKU_MISSING);
-    expect(result.stepFailed).toBe(3);
-  });
-  it("leaf for different NID — verifier rejects with NIP-CERT-SUBJECT-NID-MISMATCH", async () => {
-    const caNid    = "urn:nps:ca:test";
-    const victimNid = "urn:nps:agent:victim:1";
-    const forgedNid = "urn:nps:agent:attacker:9";
-    const ca    = await generateDualKeyPair();
-    const agent = await generateDualKeyPair();
-    const root = await issueRoot({
-      caNid, caKeys: ca.webCrypto,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(365),
-      serialNumber: "01",
-    });
-    // Issue a leaf whose CN/SAN are the *forged* NID, but splice it into a
-    // frame asserting the *victim* NID. The v1 Ed25519 sig still asserts victim.
-    const forgedLeaf = await issueLeaf({
-      subjectNid: forgedNid, subjectPublicKey: agent.webCrypto.publicKey,
-      caKeys: ca.webCrypto, issuerNid: caNid, role: "agent",
-      assuranceLevel: AssuranceLevel.ANONYMOUS,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(30),
-      serialNumber: "4d",
-    });
-    const frame = await buildV2Frame(victimNid, agent.pubRaw, ca.privRaw,
-      null, forgedLeaf, root);
-    const verifier = new NipIdentVerifier({
-      trustedCaPublicKeys: { [caNid]: pubKeyHex(ca.pubRaw) },
-      trustedX509Roots:    [root],
-    });
-    const result = await verifier.verify(frame, caNid);
-    expect(result.valid).toBe(false);
-    expect(result.errorCode).toBe(ec.CERT_SUBJECT_NID_MISMATCH);
-    expect(result.stepFailed).toBe(3);
-  });
-  it("v1-only verifier ignores cert_chain and accepts v2 frames (Phase 1 backward compat)", async () => {
-    const caNid    = "urn:nps:ca:test";
-    const agentNid = "urn:nps:agent:v1-compat:1";
-    const ca    = await generateDualKeyPair();
-    const agent = await generateDualKeyPair();
-    const root = await issueRoot({
-      caNid, caKeys: ca.webCrypto,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(365),
-      serialNumber: "01",
-    });
-    const leaf = await issueLeaf({
-      subjectNid: agentNid, subjectPublicKey: agent.webCrypto.publicKey,
-      caKeys: ca.webCrypto, issuerNid: caNid, role: "agent",
-      assuranceLevel: AssuranceLevel.ANONYMOUS,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(30),
-      serialNumber: "02",
-    });
-    const frame = await buildV2Frame(agentNid, agent.pubRaw, ca.privRaw,
-      null, leaf, root);
-    // Verifier WITHOUT trustedX509Roots — Step 3b is skipped entirely.
-    const verifier = new NipIdentVerifier({
-      trustedCaPublicKeys: { [caNid]: pubKeyHex(ca.pubRaw) },
-    });
-    const result = await verifier.verify(frame, caNid);
-    expect(result.valid).toBe(true);
-    expect(result.stepFailed).toBe(0);
-  });
-  it("v2 verifier with unrelated trust root rejects with NIP-CERT-FORMAT-INVALID", async () => {
-    const caNid    = "urn:nps:ca:test";
-    const agentNid = "urn:nps:agent:wrong-trust:1";
-    const ca    = await generateDualKeyPair();
-    const agent = await generateDualKeyPair();
-    const root = await issueRoot({
-      caNid, caKeys: ca.webCrypto,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(365),
-      serialNumber: "01",
-    });
-    const leaf = await issueLeaf({
-      subjectNid: agentNid, subjectPublicKey: agent.webCrypto.publicKey,
-      caKeys: ca.webCrypto, issuerNid: caNid, role: "agent",
-      assuranceLevel: AssuranceLevel.ANONYMOUS,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(30),
-      serialNumber: "02",
-    });
-    const frame = await buildV2Frame(agentNid, agent.pubRaw, ca.privRaw,
-      null, leaf, root);
-    // Different unrelated CA root — chain won't anchor.
-    const otherCa   = await generateDualKeyPair();
-    const otherRoot = await issueRoot({
-      caNid: "urn:nps:ca:other", caKeys: otherCa.webCrypto,
-      notBefore: minutesAgo(1), notAfter: daysFromNow(365),
-      serialNumber: "01",
-    });
-    const verifier = new NipIdentVerifier({
-      trustedCaPublicKeys: { [caNid]: pubKeyHex(ca.pubRaw) },
-      trustedX509Roots:    [otherRoot],
-    });
-    const result = await verifier.verify(frame, caNid);
-    expect(result.valid).toBe(false);
-    expect(result.errorCode).toBe(ec.CERT_FORMAT_INVALID);
-    expect(result.stepFailed).toBe(3);
-  });
-});
-// ── helpers ──────────────────────────────────────────────────────────────────
-/**
- * Build a v2 IdentFrame including a v1 Ed25519 CA signature over the canonical
- * unsigned dict (matches IdentFrame.unsignedDict + NipIdentVerifier signing path).
- */
-async function buildV2Frame(
-  subjectNid:  string,
-  subjectPub:  Uint8Array,
-  caPriv:      Uint8Array,
-  level:       AssuranceLevel | null,
-  leaf:        x509.X509Certificate,
-  root:        x509.X509Certificate,
-): Promise<IdentFrame> {
-  const pubKeyStr = pubKeyHex(subjectPub);
-  const metadata  = { issued_by: "test-ca" };
-  const unsigned: Record<string, unknown> = {
-    nid:      subjectNid,
-    pub_key:  pubKeyStr,
-    metadata,
-  };
-  if (level !== null) unsigned["assurance_level"] = level.wire;
-  const canonical = JSON.stringify(unsigned, Object.keys(unsigned).sort());
-  const sig       = ed25519.sign(new TextEncoder().encode(canonical), caPriv);
-  const sigWire   = "ed25519:" + Buffer.from(sig).toString("base64");
-  const chain = [
-    b64uEncode(new Uint8Array(leaf.rawData)),
-    b64uEncode(new Uint8Array(root.rawData)),
-  ];
-  return new IdentFrame(subjectNid, pubKeyStr, metadata, sigWire, {
-    assuranceLevel: level,
-    certFormat:     V2_X509,
-    certChain:      chain,
-  });
-}
-/** Issue a leaf cert with EKU extension deliberately omitted. */
-async function buildLeafWithoutEku(
-  subjectNid:  string,
-  subjectPub:  CryptoKey,
-  caKeys:      CryptoKeyPair,
-  caNid:       string,
-  serial:      string,
-): Promise<x509.X509Certificate> {
-  const escape = (v: string) => v.replace(/([",+;<>\\])/g, "\\$1");
-  return x509.X509CertificateGenerator.create({
-    serialNumber: serial,
-    issuer:       `CN=${escape(caNid)}`,
-    subject:      `CN=${escape(subjectNid)}`,
-    notBefore:    minutesAgo(1),
-    notAfter:     daysFromNow(30),
-    publicKey:    subjectPub,
-    signingAlgorithm: { name: "Ed25519" },
-    signingKey:   caKeys.privateKey,
-    extensions: [
-      new x509.BasicConstraintsExtension(false, undefined, true),
-      new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true),
-      // ★ Deliberately NO ExtendedKeyUsage extension.
-      new x509.SubjectAlternativeNameExtension([{ type: "url", value: subjectNid }], false),
-    ],
-  });
-}
-function pubKeyHex(raw: Uint8Array): string {
-  return "ed25519:" + Buffer.from(raw).toString("hex");
-}
-function b64uEncode(bytes: Uint8Array): string {
-  return Buffer.from(bytes).toString("base64").replace(/=+$/, "")
-    .replace(/\+/g, "-").replace(/\//g, "_");
-}
-function minutesAgo(n: number):    Date { return new Date(Date.now() - n * 60_000); }
-function daysFromNow(n: number):   Date { return new Date(Date.now() + n * 24 * 3600_000); }
-// Touch the type so TS doesn't tree-shake the import in declaration emit.
-type _ = DualKeyPair;

package/tests/nip.test.ts DELETED Viewed

@@ -1,184 +0,0 @@
-// Copyright 2026 INNO LOTUS PTY LTD
-// SPDX-License-Identifier: Apache-2.0
-import { describe, expect, it } from "vitest";
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { NipIdentity } from "../src/nip/identity.js";
-import { IdentFrame, TrustFrame, RevokeFrame } from "../src/nip/frames.js";
-import { createFullRegistry } from "../src/setup.js";
-import { NpsFrameCodec } from "../src/core/index.js";
-// ── NipIdentity ───────────────────────────────────────────────────────────────
-describe("NipIdentity", () => {
-  it("generate() creates distinct keys each time", () => {
-    const a = NipIdentity.generate();
-    const b = NipIdentity.generate();
-    expect(Buffer.from(a.pubKey).toString("hex")).not.toBe(Buffer.from(b.pubKey).toString("hex"));
-  });
-  it("fromPrivateKey() derives consistent public key", () => {
-    const id  = NipIdentity.generate();
-    const id2 = NipIdentity.fromPrivateKey(id["_privKey"]);
-    expect(Buffer.from(id2.pubKey).toString("hex")).toBe(Buffer.from(id.pubKey).toString("hex"));
-  });
-  it("pubKeyString returns 'ed25519:<hex>'", () => {
-    const id = NipIdentity.generate();
-    expect(id.pubKeyString).toMatch(/^ed25519:[0-9a-f]{64}$/);
-  });
-  it("sign + verify roundtrip succeeds", () => {
-    const id      = NipIdentity.generate();
-    const payload = { action: "announce", nid: "urn:nps:node:test:1", ts: "2026-01-01T00:00:00Z" };
-    const sig     = id.sign(payload);
-    expect(sig).toMatch(/^ed25519:/);
-    expect(id.verify(payload, sig)).toBe(true);
-  });
-  it("verify returns false for tampered payload", () => {
-    const id      = NipIdentity.generate();
-    const payload = { foo: "bar" };
-    const sig     = id.sign(payload);
-    expect(id.verify({ foo: "baz" }, sig)).toBe(false);
-  });
-  it("verify returns false for wrong prefix", () => {
-    const id      = NipIdentity.generate();
-    const payload = { x: 1 };
-    expect(id.verify(payload, "rsa:abc")).toBe(false);
-  });
-  it("verify returns false for corrupted base64", () => {
-    const id      = NipIdentity.generate();
-    const payload = { x: 1 };
-    expect(id.verify(payload, "ed25519:!!!")).toBe(false);
-  });
-  it("sign is canonical — key-order independent", () => {
-    const id  = NipIdentity.generate();
-    const p1  = { b: 2, a: 1 };
-    const p2  = { a: 1, b: 2 };
-    const s1  = id.sign(p1);
-    const s2  = id.sign(p2);
-    expect(s1).toBe(s2);
-  });
-  it("save + load roundtrip", () => {
-    const dir  = mkdtempSync(join(tmpdir(), "nip-test-"));
-    const path = join(dir, "key.json");
-    try {
-      const id   = NipIdentity.generate();
-      const pass = "test-passphrase-123";
-      id.save(path, pass);
-      const loaded = NipIdentity.load(path, pass);
-      // Verify signatures from loaded key match original
-      const payload = { hello: "world" };
-      const sig     = id.sign(payload);
-      expect(loaded.verify(payload, sig)).toBe(true);
-      expect(Buffer.from(loaded.pubKey).toString("hex")).toBe(
-        Buffer.from(id.pubKey).toString("hex"),
-      );
-    } finally {
-      rmSync(dir, { recursive: true });
-    }
-  });
-  it("load with wrong passphrase throws", () => {
-    const dir  = mkdtempSync(join(tmpdir(), "nip-test-"));
-    const path = join(dir, "key.json");
-    try {
-      NipIdentity.generate().save(path, "correct-pass");
-      expect(() => NipIdentity.load(path, "wrong-pass")).toThrow();
-    } finally {
-      rmSync(dir, { recursive: true });
-    }
-  });
-});
-// ── IdentFrame ────────────────────────────────────────────────────────────────
-describe("IdentFrame", () => {
-  const NID  = "urn:nps:node:example.com:svc";
-  const meta = { issuer: "urn:nps:ca:root", issuedAt: "2026-01-01T00:00:00Z", expiresAt: "2027-01-01T00:00:00Z" };
-  it("toDict / fromDict roundtrip", () => {
-    const f    = new IdentFrame(NID, "ed25519:aabbcc", meta, "ed25519:sig");
-    const back = IdentFrame.fromDict(f.toDict());
-    expect(back.nid).toBe(NID);
-    expect(back.pubKey).toBe("ed25519:aabbcc");
-    expect(back.metadata.issuer).toBe("urn:nps:ca:root");
-    expect(back.signature).toBe("ed25519:sig");
-  });
-  it("unsignedDict omits signature", () => {
-    const f = new IdentFrame(NID, "ed25519:aabbcc", meta, "ed25519:sig");
-    const d = f.unsignedDict();
-    expect(d["signature"]).toBeUndefined();
-    expect(d["pub_key"]).toBe("ed25519:aabbcc");
-  });
-  it("codec roundtrip (MsgPack)", () => {
-    const registry = createFullRegistry();
-    const codec    = new NpsFrameCodec(registry);
-    const f        = new IdentFrame(NID, "ed25519:aabbcc", meta, "ed25519:sig");
-    const back     = codec.decode(codec.encode(f)) as IdentFrame;
-    expect(back).toBeInstanceOf(IdentFrame);
-    expect(back.nid).toBe(NID);
-  });
-});
-// ── TrustFrame ────────────────────────────────────────────────────────────────
-describe("TrustFrame", () => {
-  it("toDict / fromDict roundtrip", () => {
-    const f    = new TrustFrame(
-      "urn:nps:node:issuer:1", "urn:nps:node:subject:1",
-      ["nwp/query"], "2027-01-01T00:00:00Z", "ed25519:sig",
-    );
-    const back = TrustFrame.fromDict(f.toDict());
-    expect(back.issuerNid).toBe("urn:nps:node:issuer:1");
-    expect(back.subjectNid).toBe("urn:nps:node:subject:1");
-    expect(back.scopes[0]).toBe("nwp/query");
-    expect(back.expiresAt).toBe("2027-01-01T00:00:00Z");
-    expect(back.signature).toBe("ed25519:sig");
-  });
-  it("codec roundtrip (MsgPack)", () => {
-    const registry = createFullRegistry();
-    const codec    = new NpsFrameCodec(registry);
-    const f        = new TrustFrame("urn:nps:node:a:1", "urn:nps:node:b:1", ["nwp/query"], "2027-01-01T00:00:00Z", "ed25519:sig");
-    const back     = codec.decode(codec.encode(f)) as TrustFrame;
-    expect(back).toBeInstanceOf(TrustFrame);
-  });
-});
-// ── RevokeFrame ───────────────────────────────────────────────────────────────
-describe("RevokeFrame", () => {
-  it("toDict / fromDict with all fields", () => {
-    const f    = new RevokeFrame("urn:nps:node:a:1", "compromised", "2026-06-01T00:00:00Z");
-    const back = RevokeFrame.fromDict(f.toDict());
-    expect(back.nid).toBe("urn:nps:node:a:1");
-    expect(back.reason).toBe("compromised");
-    expect(back.revokedAt).toBe("2026-06-01T00:00:00Z");
-  });
-  it("optional fields default to undefined", () => {
-    const f    = new RevokeFrame("urn:nps:node:a:1");
-    const back = RevokeFrame.fromDict(f.toDict());
-    expect(back.reason).toBeUndefined();
-    expect(back.revokedAt).toBeUndefined();
-  });
-  it("codec roundtrip (MsgPack)", () => {
-    const registry = createFullRegistry();
-    const codec    = new NpsFrameCodec(registry);
-    const f        = new RevokeFrame("urn:nps:node:a:1", "expired");
-    const back     = codec.decode(codec.encode(f)) as RevokeFrame;
-    expect(back).toBeInstanceOf(RevokeFrame);
-    expect(back.reason).toBe("expired");
-  });
-});