@labacacia/nps-sdk 1.0.0-alpha.6 → 1.0.0-alpha.8

package/dist/nip/cert-format.d.ts

@@ -0,0 +1,5 @@
+/** Wire-form constants for `IdentFrame.cert_format` (NPS-RFC-0002 §4.5). */
+export declare const V1_PROPRIETARY: "v1-proprietary";
+export declare const V2_X509: "v2-x509";
+export type CertFormat = typeof V1_PROPRIETARY | typeof V2_X509;
+//# sourceMappingURL=cert-format.d.ts.map

package/dist/nip/cert-format.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-format.d.ts","sourceRoot":"","sources":["../../src/nip/cert-format.ts"],"names":[],"mappings":"AAGA,4EAA4E;AAE5E,eAAO,MAAM,cAAc,EAAG,gBAAyB,CAAC;AACxD,eAAO,MAAM,OAAO,EAAU,SAAyB,CAAC;AAExD,MAAM,MAAM,UAAU,GAAG,OAAO,cAAc,GAAG,OAAO,OAAO,CAAC"}

package/dist/nip/cert-format.js

@@ -0,0 +1,6 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/** Wire-form constants for `IdentFrame.cert_format` (NPS-RFC-0002 §4.5). */
+export const V1_PROPRIETARY = "v1-proprietary";
+export const V2_X509 = "v2-x509";
+//# sourceMappingURL=cert-format.js.map

package/dist/nip/cert-format.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-format.js","sourceRoot":"","sources":["../../src/nip/cert-format.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,4EAA4E;AAE5E,MAAM,CAAC,MAAM,cAAc,GAAG,gBAAyB,CAAC;AACxD,MAAM,CAAC,MAAM,OAAO,GAAU,SAAyB,CAAC"}

package/dist/nip/error-codes.d.ts

@@ -0,0 +1,25 @@
+/** NIP error code wire constants — mirror of `spec/error-codes.md` NIP section. */
+export declare const CERT_EXPIRED = "NIP-CERT-EXPIRED";
+export declare const CERT_REVOKED = "NIP-CERT-REVOKED";
+export declare const CERT_SIGNATURE_INVALID = "NIP-CERT-SIGNATURE-INVALID";
+export declare const CERT_UNTRUSTED_ISSUER = "NIP-CERT-UNTRUSTED-ISSUER";
+export declare const CERT_CAPABILITY_MISSING = "NIP-CERT-CAPABILITY-MISSING";
+export declare const CERT_SCOPE_VIOLATION = "NIP-CERT-SCOPE-VIOLATION";
+export declare const CA_NID_NOT_FOUND = "NIP-CA-NID-NOT-FOUND";
+export declare const CA_NID_ALREADY_EXISTS = "NIP-CA-NID-ALREADY-EXISTS";
+export declare const CA_SERIAL_DUPLICATE = "NIP-CA-SERIAL-DUPLICATE";
+export declare const CA_RENEWAL_TOO_EARLY = "NIP-CA-RENEWAL-TOO-EARLY";
+export declare const CA_SCOPE_EXPANSION_DENIED = "NIP-CA-SCOPE-EXPANSION-DENIED";
+export declare const OCSP_UNAVAILABLE = "NIP-OCSP-UNAVAILABLE";
+export declare const TRUST_FRAME_INVALID = "NIP-TRUST-FRAME-INVALID";
+export declare const ASSURANCE_MISMATCH = "NIP-ASSURANCE-MISMATCH";
+export declare const ASSURANCE_UNKNOWN = "NIP-ASSURANCE-UNKNOWN";
+export declare const REPUTATION_ENTRY_INVALID = "NIP-REPUTATION-ENTRY-INVALID";
+export declare const REPUTATION_LOG_UNREACHABLE = "NIP-REPUTATION-LOG-UNREACHABLE";
+export declare const REPUTATION_GOSSIP_FORK = "NIP-REPUTATION-GOSSIP-FORK";
+export declare const REPUTATION_GOSSIP_SIG_INVALID = "NIP-REPUTATION-GOSSIP-SIG-INVALID";
+export declare const CERT_FORMAT_INVALID = "NIP-CERT-FORMAT-INVALID";
+export declare const CERT_EKU_MISSING = "NIP-CERT-EKU-MISSING";
+export declare const CERT_SUBJECT_NID_MISMATCH = "NIP-CERT-SUBJECT-NID-MISMATCH";
+export declare const ACME_CHALLENGE_FAILED = "NIP-ACME-CHALLENGE-FAILED";
+//# sourceMappingURL=error-codes.d.ts.map

package/dist/nip/error-codes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-codes.d.ts","sourceRoot":"","sources":["../../src/nip/error-codes.ts"],"names":[],"mappings":"AAGA,mFAAmF;AAGnF,eAAO,MAAM,YAAY,qBAAgC,CAAC;AAC1D,eAAO,MAAM,YAAY,qBAAgC,CAAC;AAC1D,eAAO,MAAM,sBAAsB,+BAAgC,CAAC;AACpE,eAAO,MAAM,qBAAqB,8BAAgC,CAAC;AACnE,eAAO,MAAM,uBAAuB,gCAAgC,CAAC;AACrE,eAAO,MAAM,oBAAoB,6BAAgC,CAAC;AAGlE,eAAO,MAAM,gBAAgB,yBAAkC,CAAC;AAChE,eAAO,MAAM,qBAAqB,8BAAkC,CAAC;AACrE,eAAO,MAAM,mBAAmB,4BAAkC,CAAC;AACnE,eAAO,MAAM,oBAAoB,6BAAkC,CAAC;AACpE,eAAO,MAAM,yBAAyB,kCAAkC,CAAC;AAEzE,eAAO,MAAM,gBAAgB,yBAA6B,CAAC;AAC3D,eAAO,MAAM,mBAAmB,4BAA6B,CAAC;AAG9D,eAAO,MAAM,kBAAkB,2BAA2B,CAAC;AAC3D,eAAO,MAAM,iBAAiB,0BAA2B,CAAC;AAG1D,eAAO,MAAM,wBAAwB,iCAAsC,CAAC;AAC5E,eAAO,MAAM,0BAA0B,mCAAsC,CAAC;AAC9E,eAAO,MAAM,sBAAsB,+BAAsC,CAAC;AAC1E,eAAO,MAAM,6BAA6B,sCAAsC,CAAC;AAGjF,eAAO,MAAM,mBAAmB,4BAAkC,CAAC;AACnE,eAAO,MAAM,gBAAgB,yBAAkC,CAAC;AAChE,eAAO,MAAM,yBAAyB,kCAAkC,CAAC;AACzE,eAAO,MAAM,qBAAqB,8BAAkC,CAAC"}

package/{src/nip/error-codes.ts → dist/nip/error-codes.js}

@@ -1,38 +1,32 @@
 // Copyright 2026 INNO LOTUS PTY LTD
 // SPDX-License-Identifier: Apache-2.0
-
 /** NIP error code wire constants — mirror of `spec/error-codes.md` NIP section. */
-
 // ── Cert verification (v1 + v2) ──────────────────────────────────────────────
-export const CERT_EXPIRED            = "NIP-CERT-EXPIRED";
-export const CERT_REVOKED            = "NIP-CERT-REVOKED";
-export const CERT_SIGNATURE_INVALID  = "NIP-CERT-SIGNATURE-INVALID";
-export const CERT_UNTRUSTED_ISSUER   = "NIP-CERT-UNTRUSTED-ISSUER";
+export const CERT_EXPIRED = "NIP-CERT-EXPIRED";
+export const CERT_REVOKED = "NIP-CERT-REVOKED";
+export const CERT_SIGNATURE_INVALID = "NIP-CERT-SIGNATURE-INVALID";
+export const CERT_UNTRUSTED_ISSUER = "NIP-CERT-UNTRUSTED-ISSUER";
 export const CERT_CAPABILITY_MISSING = "NIP-CERT-CAPABILITY-MISSING";
-export const CERT_SCOPE_VIOLATION    = "NIP-CERT-SCOPE-VIOLATION";
-
+export const CERT_SCOPE_VIOLATION = "NIP-CERT-SCOPE-VIOLATION";
 // ── CA service ───────────────────────────────────────────────────────────────
-export const CA_NID_NOT_FOUND          = "NIP-CA-NID-NOT-FOUND";
-export const CA_NID_ALREADY_EXISTS     = "NIP-CA-NID-ALREADY-EXISTS";
-export const CA_SERIAL_DUPLICATE       = "NIP-CA-SERIAL-DUPLICATE";
-export const CA_RENEWAL_TOO_EARLY      = "NIP-CA-RENEWAL-TOO-EARLY";
+export const CA_NID_NOT_FOUND = "NIP-CA-NID-NOT-FOUND";
+export const CA_NID_ALREADY_EXISTS = "NIP-CA-NID-ALREADY-EXISTS";
+export const CA_SERIAL_DUPLICATE = "NIP-CA-SERIAL-DUPLICATE";
+export const CA_RENEWAL_TOO_EARLY = "NIP-CA-RENEWAL-TOO-EARLY";
 export const CA_SCOPE_EXPANSION_DENIED = "NIP-CA-SCOPE-EXPANSION-DENIED";
-
-export const OCSP_UNAVAILABLE     = "NIP-OCSP-UNAVAILABLE";
-export const TRUST_FRAME_INVALID  = "NIP-TRUST-FRAME-INVALID";
-
+export const OCSP_UNAVAILABLE = "NIP-OCSP-UNAVAILABLE";
+export const TRUST_FRAME_INVALID = "NIP-TRUST-FRAME-INVALID";
 // ── RFC-0003 (assurance level) ───────────────────────────────────────────────
 export const ASSURANCE_MISMATCH = "NIP-ASSURANCE-MISMATCH";
-export const ASSURANCE_UNKNOWN  = "NIP-ASSURANCE-UNKNOWN";
-
+export const ASSURANCE_UNKNOWN = "NIP-ASSURANCE-UNKNOWN";
 // ── RFC-0004 (reputation log) ────────────────────────────────────────────────
-export const REPUTATION_ENTRY_INVALID      = "NIP-REPUTATION-ENTRY-INVALID";
-export const REPUTATION_LOG_UNREACHABLE    = "NIP-REPUTATION-LOG-UNREACHABLE";
-export const REPUTATION_GOSSIP_FORK        = "NIP-REPUTATION-GOSSIP-FORK";
+export const REPUTATION_ENTRY_INVALID = "NIP-REPUTATION-ENTRY-INVALID";
+export const REPUTATION_LOG_UNREACHABLE = "NIP-REPUTATION-LOG-UNREACHABLE";
+export const REPUTATION_GOSSIP_FORK = "NIP-REPUTATION-GOSSIP-FORK";
 export const REPUTATION_GOSSIP_SIG_INVALID = "NIP-REPUTATION-GOSSIP-SIG-INVALID";
-
 // ── RFC-0002 (X.509 + ACME) ──────────────────────────────────────────────────
-export const CERT_FORMAT_INVALID       = "NIP-CERT-FORMAT-INVALID";
-export const CERT_EKU_MISSING          = "NIP-CERT-EKU-MISSING";
+export const CERT_FORMAT_INVALID = "NIP-CERT-FORMAT-INVALID";
+export const CERT_EKU_MISSING = "NIP-CERT-EKU-MISSING";
 export const CERT_SUBJECT_NID_MISMATCH = "NIP-CERT-SUBJECT-NID-MISMATCH";
-export const ACME_CHALLENGE_FAILED     = "NIP-ACME-CHALLENGE-FAILED";
+export const ACME_CHALLENGE_FAILED = "NIP-ACME-CHALLENGE-FAILED";
+//# sourceMappingURL=error-codes.js.map

package/dist/nip/error-codes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-codes.js","sourceRoot":"","sources":["../../src/nip/error-codes.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,mFAAmF;AAEnF,gFAAgF;AAChF,MAAM,CAAC,MAAM,YAAY,GAAc,kBAAkB,CAAC;AAC1D,MAAM,CAAC,MAAM,YAAY,GAAc,kBAAkB,CAAC;AAC1D,MAAM,CAAC,MAAM,sBAAsB,GAAI,4BAA4B,CAAC;AACpE,MAAM,CAAC,MAAM,qBAAqB,GAAK,2BAA2B,CAAC;AACnE,MAAM,CAAC,MAAM,uBAAuB,GAAG,6BAA6B,CAAC;AACrE,MAAM,CAAC,MAAM,oBAAoB,GAAM,0BAA0B,CAAC;AAElE,gFAAgF;AAChF,MAAM,CAAC,MAAM,gBAAgB,GAAY,sBAAsB,CAAC;AAChE,MAAM,CAAC,MAAM,qBAAqB,GAAO,2BAA2B,CAAC;AACrE,MAAM,CAAC,MAAM,mBAAmB,GAAS,yBAAyB,CAAC;AACnE,MAAM,CAAC,MAAM,oBAAoB,GAAQ,0BAA0B,CAAC;AACpE,MAAM,CAAC,MAAM,yBAAyB,GAAG,+BAA+B,CAAC;AAEzE,MAAM,CAAC,MAAM,gBAAgB,GAAO,sBAAsB,CAAC;AAC3D,MAAM,CAAC,MAAM,mBAAmB,GAAI,yBAAyB,CAAC;AAE9D,gFAAgF;AAChF,MAAM,CAAC,MAAM,kBAAkB,GAAG,wBAAwB,CAAC;AAC3D,MAAM,CAAC,MAAM,iBAAiB,GAAI,uBAAuB,CAAC;AAE1D,gFAAgF;AAChF,MAAM,CAAC,MAAM,wBAAwB,GAAQ,8BAA8B,CAAC;AAC5E,MAAM,CAAC,MAAM,0BAA0B,GAAM,gCAAgC,CAAC;AAC9E,MAAM,CAAC,MAAM,sBAAsB,GAAU,4BAA4B,CAAC;AAC1E,MAAM,CAAC,MAAM,6BAA6B,GAAG,mCAAmC,CAAC;AAEjF,gFAAgF;AAChF,MAAM,CAAC,MAAM,mBAAmB,GAAS,yBAAyB,CAAC;AACnE,MAAM,CAAC,MAAM,gBAAgB,GAAY,sBAAsB,CAAC;AAChE,MAAM,CAAC,MAAM,yBAAyB,GAAG,+BAA+B,CAAC;AACzE,MAAM,CAAC,MAAM,qBAAqB,GAAO,2BAA2B,CAAC"}

package/dist/nip/frames.d.ts

@@ -0,0 +1,53 @@
+import { EncodingTier, FrameType } from "../core/frames.js";
+import type { NpsFrame } from "../core/codec.js";
+import { AssuranceLevel } from "./assurance-level.js";
+export interface IdentMetadata {
+    issuer: string;
+    issuedAt: string;
+    expiresAt?: string;
+    capabilities?: readonly string[];
+    scopes?: readonly string[];
+}
+export interface IdentFrameOptions {
+    assuranceLevel?: AssuranceLevel | null;
+    certFormat?: string | null;
+    certChain?: readonly string[] | null;
+}
+export declare class IdentFrame implements NpsFrame {
+    readonly nid: string;
+    readonly pubKey: string;
+    readonly metadata: IdentMetadata;
+    readonly signature: string;
+    readonly frameType = FrameType.IDENT;
+    readonly preferredTier = EncodingTier.MSGPACK;
+    readonly assuranceLevel: AssuranceLevel | null;
+    readonly certFormat: string | null;
+    readonly certChain: readonly string[] | null;
+    constructor(nid: string, pubKey: string, metadata: IdentMetadata, signature: string, options?: IdentFrameOptions);
+    unsignedDict(): Record<string, unknown>;
+    toDict(): Record<string, unknown>;
+    static fromDict(data: Record<string, unknown>): IdentFrame;
+}
+export declare class TrustFrame implements NpsFrame {
+    readonly issuerNid: string;
+    readonly subjectNid: string;
+    readonly scopes: readonly string[];
+    readonly expiresAt: string;
+    readonly signature: string;
+    readonly frameType = FrameType.TRUST;
+    readonly preferredTier = EncodingTier.MSGPACK;
+    constructor(issuerNid: string, subjectNid: string, scopes: readonly string[], expiresAt: string, signature: string);
+    toDict(): Record<string, unknown>;
+    static fromDict(data: Record<string, unknown>): TrustFrame;
+}
+export declare class RevokeFrame implements NpsFrame {
+    readonly nid: string;
+    readonly reason?: string | undefined;
+    readonly revokedAt?: string | undefined;
+    readonly frameType = FrameType.REVOKE;
+    readonly preferredTier = EncodingTier.MSGPACK;
+    constructor(nid: string, reason?: string | undefined, revokedAt?: string | undefined);
+    toDict(): Record<string, unknown>;
+    static fromDict(data: Record<string, unknown>): RevokeFrame;
+}
+//# sourceMappingURL=frames.d.ts.map

package/dist/nip/frames.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"frames.d.ts","sourceRoot":"","sources":["../../src/nip/frames.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAQ,MAAM,CAAC;IACrB,QAAQ,EAAM,MAAM,CAAC;IACrB,SAAS,CAAC,EAAI,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,MAAM,CAAC,EAAQ,SAAS,MAAM,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,UAAU,CAAC,EAAM,MAAM,GAAG,IAAI,CAAC;IAC/B,SAAS,CAAC,EAAO,SAAS,MAAM,EAAE,GAAG,IAAI,CAAC;CAC3C;AAED,qBAAa,UAAW,YAAW,QAAQ;aASvB,GAAG,EAAQ,MAAM;aACjB,MAAM,EAAK,MAAM;aACjB,QAAQ,EAAG,aAAa;aACxB,SAAS,EAAE,MAAM;IAXnC,QAAQ,CAAC,SAAS,mBAAuB;IACzC,QAAQ,CAAC,aAAa,wBAAwB;IAE9C,QAAQ,CAAC,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/C,QAAQ,CAAC,UAAU,EAAM,MAAM,GAAG,IAAI,CAAC;IACvC,QAAQ,CAAC,SAAS,EAAO,SAAS,MAAM,EAAE,GAAG,IAAI,CAAC;gBAGhC,GAAG,EAAQ,MAAM,EACjB,MAAM,EAAK,MAAM,EACjB,QAAQ,EAAG,aAAa,EACxB,SAAS,EAAE,MAAM,EACjC,OAAO,GAAqB,iBAAsB;IAOpD,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAYvC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAOjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU;CAiB3D;AAED,qBAAa,UAAW,YAAW,QAAQ;aAKvB,SAAS,EAAG,MAAM;aAClB,UAAU,EAAE,MAAM;aAClB,MAAM,EAAM,SAAS,MAAM,EAAE;aAC7B,SAAS,EAAG,MAAM;aAClB,SAAS,EAAG,MAAM;IARpC,QAAQ,CAAC,SAAS,mBAAuB;IACzC,QAAQ,CAAC,aAAa,wBAAwB;gBAG5B,SAAS,EAAG,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAM,SAAS,MAAM,EAAE,EAC7B,SAAS,EAAG,MAAM,EAClB,SAAS,EAAG,MAAM;IAGpC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAUjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,UAAU;CAS3D;AAED,qBAAa,WAAY,YAAW,QAAQ;aAKxB,GAAG,EAAQ,MAAM;aACjB,MAAM,CAAC,EAAI,MAAM;aACjB,SAAS,CAAC,EAAE,MAAM;IANpC,QAAQ,CAAC,SAAS,oBAAwB;IAC1C,QAAQ,CAAC,aAAa,wBAAwB;gBAG5B,GAAG,EAAQ,MAAM,EACjB,MAAM,CAAC,EAAI,MAAM,YAAA,EACjB,SAAS,CAAC,EAAE,MAAM,YAAA;IAGpC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAQjC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW;CAO5D"}

package/dist/nip/frames.js

@@ -0,0 +1,106 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+import { EncodingTier, FrameType } from "../core/frames.js";
+import { AssuranceLevel } from "./assurance-level.js";
+export class IdentFrame {
+    nid;
+    pubKey;
+    metadata;
+    signature;
+    frameType = FrameType.IDENT;
+    preferredTier = EncodingTier.MSGPACK;
+    assuranceLevel;
+    certFormat;
+    certChain;
+    constructor(nid, pubKey, metadata, signature, options = {}) {
+        this.nid = nid;
+        this.pubKey = pubKey;
+        this.metadata = metadata;
+        this.signature = signature;
+        this.assuranceLevel = options.assuranceLevel ?? null;
+        this.certFormat = options.certFormat ?? null;
+        this.certChain = options.certChain ?? null;
+    }
+    unsignedDict() {
+        const out = {
+            nid: this.nid,
+            pub_key: this.pubKey,
+            metadata: this.metadata,
+        };
+        if (this.assuranceLevel !== null)
+            out["assurance_level"] = this.assuranceLevel.wire;
+        // cert_format / cert_chain deliberately excluded from the signed payload —
+        // the v1 Ed25519 signature covers only (nid, pub_key, metadata, [assurance_level]).
+        return out;
+    }
+    toDict() {
+        const out = { ...this.unsignedDict(), signature: this.signature };
+        if (this.certFormat !== null)
+            out["cert_format"] = this.certFormat;
+        if (this.certChain !== null)
+            out["cert_chain"] = [...this.certChain];
+        return out;
+    }
+    static fromDict(data) {
+        const lvl = data["assurance_level"];
+        const assuranceLevel = typeof lvl === "string" ? AssuranceLevel.fromWire(lvl) : null;
+        const chainRaw = data["cert_chain"];
+        const certChain = Array.isArray(chainRaw) ? chainRaw : null;
+        return new IdentFrame(data["nid"], data["pub_key"], data["metadata"], data["signature"], {
+            assuranceLevel,
+            certFormat: data["cert_format"] ?? null,
+            certChain,
+        });
+    }
+}
+export class TrustFrame {
+    issuerNid;
+    subjectNid;
+    scopes;
+    expiresAt;
+    signature;
+    frameType = FrameType.TRUST;
+    preferredTier = EncodingTier.MSGPACK;
+    constructor(issuerNid, subjectNid, scopes, expiresAt, signature) {
+        this.issuerNid = issuerNid;
+        this.subjectNid = subjectNid;
+        this.scopes = scopes;
+        this.expiresAt = expiresAt;
+        this.signature = signature;
+    }
+    toDict() {
+        return {
+            issuer_nid: this.issuerNid,
+            subject_nid: this.subjectNid,
+            scopes: this.scopes,
+            expires_at: this.expiresAt,
+            signature: this.signature,
+        };
+    }
+    static fromDict(data) {
+        return new TrustFrame(data["issuer_nid"], data["subject_nid"], data["scopes"], data["expires_at"], data["signature"]);
+    }
+}
+export class RevokeFrame {
+    nid;
+    reason;
+    revokedAt;
+    frameType = FrameType.REVOKE;
+    preferredTier = EncodingTier.MSGPACK;
+    constructor(nid, reason, revokedAt) {
+        this.nid = nid;
+        this.reason = reason;
+        this.revokedAt = revokedAt;
+    }
+    toDict() {
+        return {
+            nid: this.nid,
+            reason: this.reason ?? null,
+            revoked_at: this.revokedAt ?? null,
+        };
+    }
+    static fromDict(data) {
+        return new RevokeFrame(data["nid"], data["reason"] ?? undefined, data["revoked_at"] ?? undefined);
+    }
+}
+//# sourceMappingURL=frames.js.map

package/dist/nip/frames.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"frames.js","sourceRoot":"","sources":["../../src/nip/frames.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAgBtD,MAAM,OAAO,UAAU;IASH;IACA;IACA;IACA;IAXT,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAErC,cAAc,CAAwB;IACtC,UAAU,CAAoB;IAC9B,SAAS,CAAgC;IAElD,YACkB,GAAiB,EACjB,MAAiB,EACjB,QAAwB,EACxB,SAAiB,EACjC,UAAgD,EAAE;QAJlC,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAQ;QAGjC,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,IAAI,CAAC;QACrD,IAAI,CAAC,UAAU,GAAO,OAAO,CAAC,UAAU,IAAQ,IAAI,CAAC;QACrD,IAAI,CAAC,SAAS,GAAQ,OAAO,CAAC,SAAS,IAAS,IAAI,CAAC;IACvD,CAAC;IAED,YAAY;QACV,MAAM,GAAG,GAA4B;YACnC,GAAG,EAAO,IAAI,CAAC,GAAG;YAClB,OAAO,EAAG,IAAI,CAAC,MAAM;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;QACF,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;YAAE,GAAG,CAAC,iBAAiB,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC;QACpF,2EAA2E;QAC3E,oFAAoF;QACpF,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM;QACJ,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;QAC3F,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI;YAAE,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC;QACnE,IAAI,IAAI,CAAC,SAAS,KAAM,IAAI;YAAE,GAAG,CAAC,YAAY,CAAC,GAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QACvE,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpC,MAAM,cAAc,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACrF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAE,QAAqB,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1E,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,KAAK,CAAiB,EAC3B,IAAI,CAAC,SAAS,CAAa,EAC3B,IAAI,CAAC,UAAU,CAAmB,EAClC,IAAI,CAAC,WAAW,CAAW,EAC3B;YACE,cAAc;YACd,UAAU,EAAG,IAAI,CAAC,aAAa,CAAwB,IAAI,IAAI;YAC/D,SAAS;SACV,CACF,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,UAAU;IAKH;IACA;IACA;IACA;IACA;IART,SAAS,GAAO,SAAS,CAAC,KAAK,CAAC;IAChC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,SAAkB,EAClB,UAAkB,EAClB,MAA6B,EAC7B,SAAkB,EAClB,SAAkB;QAJlB,cAAS,GAAT,SAAS,CAAS;QAClB,eAAU,GAAV,UAAU,CAAQ;QAClB,WAAM,GAAN,MAAM,CAAuB;QAC7B,cAAS,GAAT,SAAS,CAAS;QAClB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,WAAW,EAAE,IAAI,CAAC,UAAU;YAC5B,MAAM,EAAO,IAAI,CAAC,MAAM;YACxB,UAAU,EAAG,IAAI,CAAC,SAAS;YAC3B,SAAS,EAAI,IAAI,CAAC,SAAS;SAC5B,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,UAAU,CACnB,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,aAAa,CAAW,EAC7B,IAAI,CAAC,QAAQ,CAAkB,EAC/B,IAAI,CAAC,YAAY,CAAY,EAC7B,IAAI,CAAC,WAAW,CAAa,CAC9B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,WAAW;IAKJ;IACA;IACA;IANT,SAAS,GAAO,SAAS,CAAC,MAAM,CAAC;IACjC,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;IAE9C,YACkB,GAAiB,EACjB,MAAiB,EACjB,SAAkB;QAFlB,QAAG,GAAH,GAAG,CAAc;QACjB,WAAM,GAAN,MAAM,CAAW;QACjB,cAAS,GAAT,SAAS,CAAS;IACjC,CAAC;IAEJ,MAAM;QACJ,OAAO;YACL,GAAG,EAAS,IAAI,CAAC,GAAG;YACpB,MAAM,EAAM,IAAI,CAAC,MAAM,IAAQ,IAAI;YACnC,UAAU,EAAE,IAAI,CAAC,SAAS,IAAK,IAAI;SACpC,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,IAA6B;QAC3C,OAAO,IAAI,WAAW,CACpB,IAAI,CAAC,KAAK,CAAkB,EAC3B,IAAI,CAAC,QAAQ,CAAuB,IAAI,SAAS,EACjD,IAAI,CAAC,YAAY,CAAmB,IAAI,SAAS,CACnD,CAAC;IACJ,CAAC;CACF"}

package/dist/nip/identity.d.ts

@@ -0,0 +1,18 @@
+export declare class NipIdentity {
+    private readonly _privKey;
+    readonly pubKey: Uint8Array;
+    private constructor();
+    static generate(): NipIdentity;
+    static fromPrivateKey(privKey: Uint8Array): NipIdentity;
+    /** Load from an AES-256-GCM encrypted key file. */
+    static load(path: string, passphrase: string): NipIdentity;
+    /** Save to an AES-256-GCM encrypted key file. */
+    save(path: string, passphrase: string): void;
+    /** Sign a dict payload. Returns `ed25519:<base64url>`. */
+    sign(payload: Record<string, unknown>): string;
+    /** Verify a signature string against a dict payload. */
+    verify(payload: Record<string, unknown>, signature: string): boolean;
+    /** Public key as `ed25519:<hex>` string. */
+    get pubKeyString(): string;
+}
+//# sourceMappingURL=identity.d.ts.map

package/dist/nip/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/nip/identity.ts"],"names":[],"mappings":"AA8BA,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,QAAQ;aACR,MAAM,EAAI,UAAU;IAFvC,OAAO;IAOP,MAAM,CAAC,QAAQ,IAAI,WAAW;IAM9B,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,WAAW;IAKvD,mDAAmD;IACnD,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,WAAW;IAgB1D,iDAAiD;IACjD,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IAoB5C,0DAA0D;IAC1D,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM;IAO9C,wDAAwD;IACxD,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAYpE,4CAA4C;IAC5C,IAAI,YAAY,IAAI,MAAM,CAEzB;CACF"}

package/dist/nip/identity.js

@@ -0,0 +1,94 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * NipIdentity — Ed25519 key management and signing for NPS NID identity.
+ * Uses @noble/ed25519 for signing; node:crypto for key storage encryption.
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
+import { readFileSync, writeFileSync } from "node:fs";
+// noble/ed25519 requires sha512 to be set explicitly in Node environments
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+const KEY_FILE_VERSION = 1;
+const PBKDF2_ITERS = 600_000;
+const SALT_BYTES = 16;
+const IV_BYTES = 12;
+const KEY_BYTES = 32;
+export class NipIdentity {
+    _privKey;
+    pubKey;
+    constructor(_privKey, pubKey) {
+        this._privKey = _privKey;
+        this.pubKey = pubKey;
+    }
+    // ── Factory ───────────────────────────────────────────────────────────────
+    static generate() {
+        const priv = ed25519.utils.randomPrivateKey();
+        const pub = ed25519.getPublicKey(priv);
+        return new NipIdentity(priv, pub);
+    }
+    static fromPrivateKey(privKey) {
+        const pub = ed25519.getPublicKey(privKey);
+        return new NipIdentity(privKey, pub);
+    }
+    /** Load from an AES-256-GCM encrypted key file. */
+    static load(path, passphrase) {
+        const envelope = JSON.parse(readFileSync(path, "utf8"));
+        const salt = Buffer.from(envelope.salt, "hex");
+        const iv = Buffer.from(envelope.iv, "hex");
+        const ct = Buffer.from(envelope.ciphertext, "hex");
+        const dk = pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, "sha256");
+        const decipher = createDecipheriv("aes-256-gcm", dk, iv);
+        // Last 16 bytes of ciphertext are the GCM auth tag
+        const authTag = ct.slice(ct.length - 16);
+        const body = ct.slice(0, ct.length - 16);
+        decipher.setAuthTag(authTag);
+        const priv = Buffer.concat([decipher.update(body), decipher.final()]);
+        return NipIdentity.fromPrivateKey(new Uint8Array(priv));
+    }
+    /** Save to an AES-256-GCM encrypted key file. */
+    save(path, passphrase) {
+        const salt = randomBytes(SALT_BYTES);
+        const iv = randomBytes(IV_BYTES);
+        const dk = pbkdf2Sync(passphrase, salt, PBKDF2_ITERS, KEY_BYTES, "sha256");
+        const cipher = createCipheriv("aes-256-gcm", dk, iv);
+        const body = Buffer.concat([cipher.update(Buffer.from(this._privKey)), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        const envelope = {
+            version: KEY_FILE_VERSION,
+            salt: salt.toString("hex"),
+            iv: iv.toString("hex"),
+            ciphertext: Buffer.concat([body, tag]).toString("hex"),
+            pubKey: Buffer.from(this.pubKey).toString("hex"),
+        };
+        writeFileSync(path, JSON.stringify(envelope, null, 2), "utf8");
+    }
+    // ── Signing ───────────────────────────────────────────────────────────────
+    /** Sign a dict payload. Returns `ed25519:<base64url>`. */
+    sign(payload) {
+        const canonical = JSON.stringify(payload, Object.keys(payload).sort());
+        const bytes = new TextEncoder().encode(canonical);
+        const sig = ed25519.sign(bytes, this._privKey);
+        return `ed25519:${Buffer.from(sig).toString("base64")}`;
+    }
+    /** Verify a signature string against a dict payload. */
+    verify(payload, signature) {
+        if (!signature.startsWith("ed25519:"))
+            return false;
+        try {
+            const canonical = JSON.stringify(payload, Object.keys(payload).sort());
+            const bytes = new TextEncoder().encode(canonical);
+            const sigBytes = Buffer.from(signature.slice("ed25519:".length), "base64");
+            return ed25519.verify(sigBytes, bytes, this.pubKey);
+        }
+        catch {
+            return false;
+        }
+    }
+    /** Public key as `ed25519:<hex>` string. */
+    get pubKeyString() {
+        return `ed25519:${Buffer.from(this.pubKey).toString("hex")}`;
+    }
+}
+//# sourceMappingURL=identity.js.map

package/dist/nip/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/nip/identity.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;GAGG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEtD,0EAA0E;AAC1E,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEzE,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAC3B,MAAM,YAAY,GAAO,OAAO,CAAC;AACjC,MAAM,UAAU,GAAS,EAAE,CAAC;AAC5B,MAAM,QAAQ,GAAW,EAAE,CAAC;AAC5B,MAAM,SAAS,GAAU,EAAE,CAAC;AAU5B,MAAM,OAAO,WAAW;IAEH;IACA;IAFnB,YACmB,QAAoB,EACpB,MAAoB;QADpB,aAAQ,GAAR,QAAQ,CAAY;QACpB,WAAM,GAAN,MAAM,CAAc;IACpC,CAAC;IAEJ,6EAA6E;IAE7E,MAAM,CAAC,QAAQ;QACb,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAI,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,IAAI,WAAW,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,cAAc,CAAC,OAAmB;QACvC,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,mDAAmD;IACnD,MAAM,CAAC,IAAI,CAAC,IAAY,EAAE,UAAkB;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAoB,CAAC;QAC3E,MAAM,IAAI,GAAQ,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAQ,KAAK,CAAC,CAAC;QAC1D,MAAM,EAAE,GAAU,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAU,KAAK,CAAC,CAAC;QAC1D,MAAM,EAAE,GAAU,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAE1D,MAAM,EAAE,GAAG,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC3E,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACzD,mDAAmD;QACnD,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;QACzC,MAAM,IAAI,GAAM,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;QAC3C,QAAoF,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC1G,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACtE,OAAO,WAAW,CAAC,cAAc,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC,IAAY,EAAE,UAAkB;QACnC,MAAM,IAAI,GAAK,WAAW,CAAC,UAAU,CAAC,CAAC;QACvC,MAAM,EAAE,GAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,EAAE,GAAO,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC/E,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,IAAI,GAAK,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC1F,MAAM,GAAG,GAAO,MAAuE,CAAC,UAAU,EAAE,CAAC;QAErG,MAAM,QAAQ,GAAoB;YAChC,OAAO,EAAK,gBAAgB;YAC5B,IAAI,EAAQ,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YAChC,EAAE,EAAU,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC9B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACtD,MAAM,EAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;SACrD,CAAC;QACF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACjE,CAAC;IAED,6EAA6E;IAE7E,0DAA0D;IAC1D,IAAI,CAAC,OAAgC;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACvE,MAAM,KAAK,GAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,GAAG,GAAS,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrD,OAAO,WAAW,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC1D,CAAC;IAED,wDAAwD;IACxD,MAAM,CAAC,OAAgC,EAAE,SAAiB;QACxD,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,MAAM,KAAK,GAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACtD,MAAM,QAAQ,GAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,CAAC;YAC5E,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,YAAY;QACd,OAAO,WAAW,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC/D,CAAC;CACF"}

package/dist/nip/index.d.ts

@@ -0,0 +1,11 @@
+export * from "./frames.js";
+export * from "./identity.js";
+export { registerNipFrames } from "./registry.js";
+export * from "./assurance-level.js";
+export * from "./cert-format.js";
+export * from "./error-codes.js";
+export * from "./verifier.js";
+export * as x509 from "./x509/index.js";
+export * as acme from "./acme/index.js";
+export * from "./reputation-client.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/nip/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAGA,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AAGxC,cAAc,wBAAwB,CAAC"}

package/{src/nip/index.ts → dist/nip/index.js}

@@ -1,10 +1,8 @@
 // Copyright 2026 INNO LOTUS PTY LTD
 // SPDX-License-Identifier: Apache-2.0
-
 export * from "./frames.js";
 export * from "./identity.js";
 export { registerNipFrames } from "./registry.js";
-
 // RFC-0002 / RFC-0003 — X.509 + ACME + dual-trust verifier
 export * from "./assurance-level.js";
 export * from "./cert-format.js";
@@ -12,3 +10,6 @@ export * from "./error-codes.js";
 export * from "./verifier.js";
 export * as x509 from "./x509/index.js";
 export * as acme from "./acme/index.js";
+// RFC-0004 — Reputation log
+export * from "./reputation-client.js";
+//# sourceMappingURL=index.js.map

package/dist/nip/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/nip/index.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD,2DAA2D;AAC3D,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,iBAAiB,CAAC;AAExC,4BAA4B;AAC5B,cAAc,wBAAwB,CAAC"}

package/dist/nip/registry.d.ts

@@ -0,0 +1,3 @@
+import { FrameRegistry } from "../core/registry.js";
+export declare function registerNipFrames(registry: FrameRegistry): void;
+//# sourceMappingURL=registry.d.ts.map

package/dist/nip/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/nip/registry.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAIpD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,CAI/D"}

package/dist/nip/registry.js

@@ -0,0 +1,10 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+import { FrameType } from "../core/frames.js";
+import { IdentFrame, TrustFrame, RevokeFrame } from "./frames.js";
+export function registerNipFrames(registry) {
+    registry.register(FrameType.IDENT, IdentFrame);
+    registry.register(FrameType.TRUST, TrustFrame);
+    registry.register(FrameType.REVOKE, RevokeFrame);
+}
+//# sourceMappingURL=registry.js.map

package/dist/nip/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/nip/registry.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAGtC,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAElE,MAAM,UAAU,iBAAiB,CAAC,QAAuB;IACvD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,EAAG,UAAU,CAAC,CAAC;IAChD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,EAAG,UAAU,CAAC,CAAC;IAChD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;AACnD,CAAC"}

package/dist/nip/reputation-client.d.ts

@@ -0,0 +1,116 @@
+export interface ObservationWindow {
+    start: string;
+    end: string;
+}
+export declare const IncidentType: {
+    readonly Other: "other";
+    readonly CertRevoked: "cert-revoked";
+    readonly RateLimitViolation: "rate-limit-violation";
+    readonly TosViolation: "tos-violation";
+    readonly ScrapingPattern: "scraping-pattern";
+    readonly PaymentDefault: "payment-default";
+    readonly ContractDispute: "contract-dispute";
+    readonly ImpersonationClaim: "impersonation-claim";
+    readonly PositiveAttestation: "positive-attestation";
+};
+export type IncidentType = typeof IncidentType[keyof typeof IncidentType];
+export declare const Severity: {
+    readonly Info: 0;
+    readonly Minor: 1;
+    readonly Moderate: 2;
+    readonly Major: 3;
+    readonly Critical: 4;
+};
+export type Severity = typeof Severity[keyof typeof Severity];
+export interface ReputationLogEntry {
+    v: number;
+    log_id: string;
+    seq: number;
+    timestamp: string;
+    subject_nid: string;
+    incident: string;
+    incidentRaw?: string;
+    severity: string;
+    window?: ObservationWindow;
+    observation?: unknown;
+    evidence_ref?: string;
+    evidence_sha256?: string;
+    issuer_nid: string;
+    signature: string;
+}
+export interface SignedTreeHead {
+    log_id: string;
+    tree_size: number;
+    timestamp: string;
+    sha256_root_hash: string;
+    signature: string;
+}
+export interface InclusionProof {
+    seq: number;
+    leaf_index: number;
+    tree_size: number;
+    leaf_hash: string;
+    audit_path: string[];
+}
+/**
+ * Sign a ReputationLogEntry and return a new entry with `signature` set.
+ * The private key must be a 32-byte raw Ed25519 private key.
+ */
+export declare function signEntry(privKey: Uint8Array, entry: ReputationLogEntry): ReputationLogEntry;
+/**
+ * Verify the `signature` field of a ReputationLogEntry against the given
+ * Ed25519 public key (32-byte raw).
+ */
+export declare function verifyEntry(pubKey: Uint8Array, entry: ReputationLogEntry): boolean;
+/**
+ * Parse a wire severity string.  Throws an Error for unknown values
+ * (no forward-compat — callers must upgrade to handle new severity levels).
+ */
+export declare function parseSeverity(wire: string): Severity;
+/**
+ * Parse a wire incident string.  Unknown values map to `IncidentType.Other`
+ * (forward-compat); the original string is returned as `incidentRaw`.
+ */
+export declare function parseIncident(wire: string): {
+    incident: IncidentType;
+    incidentRaw?: string;
+};
+export declare class ReputationLogException extends Error {
+    readonly nipErrorCode: string;
+    readonly npsStatus: string;
+    constructor(nipErrorCode: string, npsStatus: string, message?: string);
+}
+export declare class ReputationLogClient {
+    private readonly baseUrl;
+    constructor(baseUrl: string);
+    /**
+     * POST /v1/log/entries — submit a signed entry.
+     * Returns the server-echoed entry with seq/timestamp/log_id filled in.
+     */
+    submit(entry: ReputationLogEntry): Promise<ReputationLogEntry>;
+    /**
+     * GET /v1/log/entries — query entries.
+     * @param options.nid      Filter by subject NID.
+     * @param options.sinceSeq Return only entries with seq > sinceSeq.
+     */
+    query(options?: {
+        nid?: string;
+        sinceSeq?: number;
+    }): Promise<ReputationLogEntry[]>;
+    /** GET /v1/log/sth — current SignedTreeHead. */
+    getSth(): Promise<SignedTreeHead>;
+    /** GET /v1/log/proof?seq=<seq> — InclusionProof for a log entry. */
+    getProof(seq: number): Promise<InclusionProof>;
+    /** GET /v1/log/gossip/sth — gossip SignedTreeHead. */
+    getGossipSth(): Promise<SignedTreeHead>;
+    /**
+     * Verify that `entry` is included in the log at the position described by
+     * `proof`, under the given `sth`.
+     *
+     * Merkle construction (RFC 9162):
+     *   leaf_hash = SHA256(0x00 || utf8(canonical_all_sorted_json_of_entry))
+     *   node_hash = SHA256(0x01 || left_bytes || right_bytes)
+     */
+    static verifyInclusion(proof: InclusionProof, sth: SignedTreeHead, entry: ReputationLogEntry): boolean;
+}
+//# sourceMappingURL=reputation-client.d.ts.map

package/dist/nip/reputation-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reputation-client.d.ts","sourceRoot":"","sources":["../../src/nip/reputation-client.ts"],"names":[],"mappings":"AAwDA,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACb;AAED,eAAO,MAAM,YAAY;;;;;;;;;;CAUf,CAAC;AACX,MAAM,MAAM,YAAY,GAAG,OAAO,YAAY,CAAC,MAAM,OAAO,YAAY,CAAC,CAAC;AAE1E,eAAO,MAAM,QAAQ;;;;;;CAMX,CAAC;AACX,MAAM,MAAM,QAAQ,GAAG,OAAO,QAAQ,CAAC,MAAM,OAAO,QAAQ,CAAC,CAAC;AAc9D,MAAM,WAAW,kBAAkB;IACjC,CAAC,EAAc,MAAM,CAAC;IACtB,MAAM,EAAS,MAAM,CAAC;IACtB,GAAG,EAAY,MAAM,CAAC;IACtB,SAAS,EAAM,MAAM,CAAC;IACtB,WAAW,EAAI,MAAM,CAAC;IACtB,QAAQ,EAAO,MAAM,CAAC;IACtB,WAAW,CAAC,EAAG,MAAM,CAAC;IACtB,QAAQ,EAAO,MAAM,CAAC;IACtB,MAAM,CAAC,EAAQ,iBAAiB,CAAC;IACjC,WAAW,CAAC,EAAG,OAAO,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,EAAK,MAAM,CAAC;IACtB,SAAS,EAAM,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAW,MAAM,CAAC;IACxB,SAAS,EAAQ,MAAM,CAAC;IACxB,SAAS,EAAQ,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAQ,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAS,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAG,MAAM,CAAC;IACnB,SAAS,EAAG,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAcD;;;GAGG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,GAAG,kBAAkB,CAI5F;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,GAAG,OAAO,CASlF;AAID;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAIpD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,YAAY,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,CAG5F;AAYD,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,YAAY,EAAE,MAAM;aACpB,SAAS,EAAK,MAAM;gBADpB,YAAY,EAAE,MAAM,EACpB,SAAS,EAAK,MAAM,EACpC,OAAO,CAAC,EAAE,MAAM;CAKnB;AAiBD,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,OAAO,EAAE,MAAM;IAK3B;;;OAGG;IACG,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAUpE;;;;OAIG;IACG,KAAK,CAAC,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAWzF,gDAAgD;IAC1C,MAAM,IAAI,OAAO,CAAC,cAAc,CAAC;IAMvC,oEAAoE;IAC9D,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAMpD,sDAAsD;IAChD,YAAY,IAAI,OAAO,CAAC,cAAc,CAAC;IAM7C;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,CACpB,KAAK,EAAE,cAAc,EACrB,GAAG,EAAI,cAAc,EACrB,KAAK,EAAE,kBAAkB,GACxB,OAAO;CA8BX"}