ncc-02-js 0.2.5 → 0.3.1

package/README.md

@@ -6,7 +6,7 @@ This library provides tools for service owners to publish records and for client
 
 ## Features
 
-- **Service Discovery**: Resolve Kind 30059 service records.
+- **Service Discovery**: Resolve Kind 30059 service records for both public and private services.
 - **Verification**: Built-in signature and expiry validation.
 - **Trust Policy**: Support for third-party attestations (Kind 30060) and revocations (Kind 30061).
 - **Security**: Cross-validation of subject and service identifiers to prevent impersonation.
@@ -36,68 +36,33 @@ try {
     requireAttestation: true,
     minLevel: 'verified' // 'self', 'verified', 'hardened'
   });
-  console.log('Resolved endpoint:', service.endpoint);
+  if(service.endpoint) {
+    console.log('Resolved endpoint:', service.endpoint);
+  } else {
+    console.log('Resolved private service, use NCC-05 for endpoint discovery.');
+  }
 } catch (err) {
   console.error('Resolution failed:', err.code, err.message);
+} finally {
+  resolver.close(); // Clean up WebSocket connections
 }
 ```
 
 ### 2. Publish a Service Record
-
-```javascript
-import { NCC02Builder } from 'ncc-02-js';
-
-// Initialize with private key (hex)
-const builder = new NCC02Builder(privateKey);
-
-// Example 1: IP-based Service
-const event = builder.createServiceRecord({
-  serviceId: 'media',
-  endpoint: 'https://203.0.113.45:8443',
-  fingerprint: 'sha256:fingerprint',
-  expiryDays: 14
-});
-
-// Example 2: Tor Onion Service
-const onionEvent = builder.createServiceRecord({
-  serviceId: 'wallet',
-  endpoint: 'tcp://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion:80',
-  fingerprint: 'sha256:fingerprint',
-  expiryDays: 7
-});
-// publish events to relays...
-```
-
-### 3. Issue an Attestation (CA)
-
-```javascript
-const caBuilder = new NCC02Builder(caPrivateKey);
-const attestation = caBuilder.createAttestation({
-  subjectPubkey: 'npub1...', // The service owner being certified
-  serviceId: 'media',
-  serviceEventId: serviceRecordEventId,
-  level: 'verified',
-  validDays: 30
-});
-```
-
-## Trust Model & Security
+...
+### Trust Model & Security
 
 ### Trust Levels
 - `self`: Asserted by the service owner (default if no attestation).
 - `verified`: Attested by a trusted third party.
 - `hardened`: Attested by a third party with stricter verification (e.g., physical proof or long-term history).
 
-### Threat Model
-- **Endpoint Impersonation**: Prevented by binding the endpoint URI to a public key fingerprint (`k` tag).
-- **Man-in-the-Middle (MITM)**: Mitigated via cryptographic pinning of transport-level keys.
-- **Stale Records**: Limited by required expiry (`exp`) and support for revocations.
-- **Relay Censorship**: Mitigated by querying multiple relays (implemented via `SimplePool`).
+### Resolution Optimization
+The resolver is designed to be network-efficient. It will only query for attestations (Kind 30060) and revocations (Kind 30061) if the provided policy requires them (e.g., when `requireAttestation` is set to `true` or a `minLevel` higher than `self` is requested).
 
-### Fail-Closed Design
-The library follows a fail-closed principle. If a policy requirement is not met (e.g., `requireAttestation: true` but no valid attestation is found), it throws an `NCC02Error` rather than returning a partially verified record.
-
-## API Reference
+### Threat Model
+...
+### API Reference
 
 ### `NCC02Resolver(relays, options)`
 - `relays`: Array of relay URLs.
@@ -108,8 +73,12 @@ The library follows a fail-closed principle. If a policy requirement is not met
 - `options.requireAttestation`: Fails if no trusted attestation is found.
 - `options.minLevel`: Minimum trust level required.
 
+#### `close()`
+Closes WebSocket connections to all relays. If the resolver was initialized with an external `pool`, this will *not* close the pool; it only untracks the relays for this instance. If the resolver created its own internal pool, it will close it entirely.
+
+
 ### `NCC02Builder(privateKey)`
-- `createServiceRecord({ serviceId, endpoint, fingerprint, expiryDays })`
+- `createServiceRecord({ serviceId, endpoint?, fingerprint?, expiryDays? })`
 - `createAttestation({ subjectPubkey, serviceId, serviceEventId, level, validDays })`
 - `createRevocation({ attestationId, reason })`
 

package/dist/index.cjs

@@ -2509,25 +2509,24 @@ var NCC02Builder = class {
    * Creates a signed Service Record (Kind 30059).
    * @param {Object} options
    * @param {string} options.serviceId - The 'd' tag identifier.
-   * @param {string} options.endpoint - The 'u' tag URI.
-   * @param {string} options.fingerprint - The 'k' tag fingerprint.
+   * @param {string} [options.endpoint] - The 'u' tag URI.
+   * @param {string} [options.fingerprint] - The 'k' tag fingerprint.
    * @param {number} [options.expiryDays=14] - Expiry in days.
    */
   createServiceRecord(options) {
     const { serviceId, endpoint, fingerprint, expiryDays = 14 } = options;
     if (!serviceId) throw new Error("serviceId (d tag) is required");
-    if (!endpoint) throw new Error("endpoint (u tag) is required");
-    if (!fingerprint) throw new Error("fingerprint (k tag) is required");
     const expiry = Math.floor(Date.now() / 1e3) + expiryDays * 24 * 60 * 60;
+    const tags = [
+      ["d", serviceId],
+      ["exp", expiry.toString()]
+    ];
+    if (endpoint) tags.push(["u", endpoint]);
+    if (fingerprint) tags.push(["k", fingerprint]);
     const event = {
       kind: KINDS.SERVICE_RECORD,
       created_at: Math.floor(Date.now() / 1e3),
-      tags: [
-        ["d", serviceId],
-        ["u", endpoint],
-        ["k", fingerprint],
-        ["exp", expiry.toString()]
-      ],
+      tags,
       content: `NCC-02 Service Record for ${serviceId}`,
       pubkey: this.pk
     };
@@ -7693,6 +7692,14 @@ var NCC02Resolver = class {
     this.ownsPool = !options.pool;
     this.trustedCAPubkeys = new Set(options.trustedCAPubkeys || []);
   }
+  /**
+   * Closes the connection to the relays if the pool is owned by this resolver.
+   */
+  close() {
+    if (this.ownsPool && this.pool) {
+      this.pool.close(this.relays);
+    }
+  }
   /**
    * Internal query helper using SimplePool.subscribeMany (since list() is deprecated).
    * @param {import('nostr-tools').Filter} filter 
@@ -7752,8 +7759,11 @@ var NCC02Resolver = class {
     }
     const serviceTags = Object.fromEntries(serviceEvent.tags);
     const now2 = Math.floor(Date.now() / 1e3);
-    if (!serviceTags.u || !serviceTags.k || !serviceTags.exp) {
-      throw new NCC02Error("MALFORMED_RECORD", "Service record is missing required tags (u, k, or exp)");
+    if (!serviceTags.exp) {
+      throw new NCC02Error("MALFORMED_RECORD", "Service record is missing required tag (exp)");
+    }
+    if (serviceTags.u && (serviceTags.u.startsWith("wss://") || serviceTags.u.startsWith("https://")) && !serviceTags.k) {
+      throw new NCC02Error("MALFORMED_RECORD", "Service record with 'https' or 'wss' endpoint must have a 'k' tag");
     }
     const exp = parseInt(serviceTags.exp);
     if (isNaN(exp)) {
@@ -7762,35 +7772,37 @@ var NCC02Resolver = class {
     if (exp < now2) {
       throw new NCC02Error("EXPIRED", "Service record has expired");
     }
-    let attestations;
-    let revocations;
-    try {
-      [attestations, revocations] = await Promise.all([
-        this._query({ kinds: [KINDS.ATTESTATION], "#e": [serviceEvent.id] }),
-        this._query({ kinds: [KINDS.REVOCATION] })
-      ]);
-    } catch (err) {
-      throw new NCC02Error("RELAY_ERROR", "Failed to query relay for attestations/revocations", err);
-    }
     const validAttestations = [];
-    for (const att of attestations) {
-      if (this.trustedCAPubkeys.has(att.pubkey)) {
-        const attTags = Object.fromEntries(att.tags);
-        if (attTags.subj !== pubkey) continue;
-        if (attTags.srv !== serviceId) continue;
-        if (standard && attTags.std !== standard) continue;
-        if (minLevel && !this._isLevelSufficient(attTags.lvl, minLevel)) continue;
-        if (this._isAttestationValid(att, attTags, revocations)) {
-          validAttestations.push({
-            pubkey: att.pubkey,
-            level: attTags.lvl,
-            eventId: att.id
-          });
+    if (requireAttestation || minLevel === "verified" || minLevel === "hardened") {
+      let attestations;
+      let revocations;
+      try {
+        [attestations, revocations] = await Promise.all([
+          this._query({ kinds: [KINDS.ATTESTATION], "#e": [serviceEvent.id] }),
+          this._query({ kinds: [KINDS.REVOCATION] })
+        ]);
+      } catch (err) {
+        throw new NCC02Error("RELAY_ERROR", "Failed to query relay for attestations/revocations", err);
+      }
+      for (const att of attestations) {
+        if (this.trustedCAPubkeys.has(att.pubkey)) {
+          const attTags = Object.fromEntries(att.tags);
+          if (attTags.subj !== pubkey) continue;
+          if (attTags.srv !== serviceId) continue;
+          if (standard && attTags.std !== standard) continue;
+          if (minLevel && !this._isLevelSufficient(attTags.lvl, minLevel)) continue;
+          if (this._isAttestationValid(att, attTags, revocations)) {
+            validAttestations.push({
+              pubkey: att.pubkey,
+              level: attTags.lvl,
+              eventId: att.id
+            });
+          }
         }
       }
-    }
-    if (requireAttestation && validAttestations.length === 0) {
-      throw new NCC02Error("POLICY_FAILURE", `No trusted attestations meet the required policy for ${serviceId}`);
+      if (requireAttestation && validAttestations.length === 0) {
+        throw new NCC02Error("POLICY_FAILURE", `No trusted attestations meet the required policy for ${serviceId}`);
+      }
     }
     return {
       endpoint: serviceTags.u,

package/dist/index.mjs

@@ -2475,25 +2475,24 @@ var NCC02Builder = class {
    * Creates a signed Service Record (Kind 30059).
    * @param {Object} options
    * @param {string} options.serviceId - The 'd' tag identifier.
-   * @param {string} options.endpoint - The 'u' tag URI.
-   * @param {string} options.fingerprint - The 'k' tag fingerprint.
+   * @param {string} [options.endpoint] - The 'u' tag URI.
+   * @param {string} [options.fingerprint] - The 'k' tag fingerprint.
    * @param {number} [options.expiryDays=14] - Expiry in days.
    */
   createServiceRecord(options) {
     const { serviceId, endpoint, fingerprint, expiryDays = 14 } = options;
     if (!serviceId) throw new Error("serviceId (d tag) is required");
-    if (!endpoint) throw new Error("endpoint (u tag) is required");
-    if (!fingerprint) throw new Error("fingerprint (k tag) is required");
     const expiry = Math.floor(Date.now() / 1e3) + expiryDays * 24 * 60 * 60;
+    const tags = [
+      ["d", serviceId],
+      ["exp", expiry.toString()]
+    ];
+    if (endpoint) tags.push(["u", endpoint]);
+    if (fingerprint) tags.push(["k", fingerprint]);
     const event = {
       kind: KINDS.SERVICE_RECORD,
       created_at: Math.floor(Date.now() / 1e3),
-      tags: [
-        ["d", serviceId],
-        ["u", endpoint],
-        ["k", fingerprint],
-        ["exp", expiry.toString()]
-      ],
+      tags,
       content: `NCC-02 Service Record for ${serviceId}`,
       pubkey: this.pk
     };
@@ -7659,6 +7658,14 @@ var NCC02Resolver = class {
     this.ownsPool = !options.pool;
     this.trustedCAPubkeys = new Set(options.trustedCAPubkeys || []);
   }
+  /**
+   * Closes the connection to the relays if the pool is owned by this resolver.
+   */
+  close() {
+    if (this.ownsPool && this.pool) {
+      this.pool.close(this.relays);
+    }
+  }
   /**
    * Internal query helper using SimplePool.subscribeMany (since list() is deprecated).
    * @param {import('nostr-tools').Filter} filter 
@@ -7718,8 +7725,11 @@ var NCC02Resolver = class {
     }
     const serviceTags = Object.fromEntries(serviceEvent.tags);
     const now2 = Math.floor(Date.now() / 1e3);
-    if (!serviceTags.u || !serviceTags.k || !serviceTags.exp) {
-      throw new NCC02Error("MALFORMED_RECORD", "Service record is missing required tags (u, k, or exp)");
+    if (!serviceTags.exp) {
+      throw new NCC02Error("MALFORMED_RECORD", "Service record is missing required tag (exp)");
+    }
+    if (serviceTags.u && (serviceTags.u.startsWith("wss://") || serviceTags.u.startsWith("https://")) && !serviceTags.k) {
+      throw new NCC02Error("MALFORMED_RECORD", "Service record with 'https' or 'wss' endpoint must have a 'k' tag");
     }
     const exp = parseInt(serviceTags.exp);
     if (isNaN(exp)) {
@@ -7728,35 +7738,37 @@ var NCC02Resolver = class {
     if (exp < now2) {
       throw new NCC02Error("EXPIRED", "Service record has expired");
     }
-    let attestations;
-    let revocations;
-    try {
-      [attestations, revocations] = await Promise.all([
-        this._query({ kinds: [KINDS.ATTESTATION], "#e": [serviceEvent.id] }),
-        this._query({ kinds: [KINDS.REVOCATION] })
-      ]);
-    } catch (err) {
-      throw new NCC02Error("RELAY_ERROR", "Failed to query relay for attestations/revocations", err);
-    }
     const validAttestations = [];
-    for (const att of attestations) {
-      if (this.trustedCAPubkeys.has(att.pubkey)) {
-        const attTags = Object.fromEntries(att.tags);
-        if (attTags.subj !== pubkey) continue;
-        if (attTags.srv !== serviceId) continue;
-        if (standard && attTags.std !== standard) continue;
-        if (minLevel && !this._isLevelSufficient(attTags.lvl, minLevel)) continue;
-        if (this._isAttestationValid(att, attTags, revocations)) {
-          validAttestations.push({
-            pubkey: att.pubkey,
-            level: attTags.lvl,
-            eventId: att.id
-          });
+    if (requireAttestation || minLevel === "verified" || minLevel === "hardened") {
+      let attestations;
+      let revocations;
+      try {
+        [attestations, revocations] = await Promise.all([
+          this._query({ kinds: [KINDS.ATTESTATION], "#e": [serviceEvent.id] }),
+          this._query({ kinds: [KINDS.REVOCATION] })
+        ]);
+      } catch (err) {
+        throw new NCC02Error("RELAY_ERROR", "Failed to query relay for attestations/revocations", err);
+      }
+      for (const att of attestations) {
+        if (this.trustedCAPubkeys.has(att.pubkey)) {
+          const attTags = Object.fromEntries(att.tags);
+          if (attTags.subj !== pubkey) continue;
+          if (attTags.srv !== serviceId) continue;
+          if (standard && attTags.std !== standard) continue;
+          if (minLevel && !this._isLevelSufficient(attTags.lvl, minLevel)) continue;
+          if (this._isAttestationValid(att, attTags, revocations)) {
+            validAttestations.push({
+              pubkey: att.pubkey,
+              level: attTags.lvl,
+              eventId: att.id
+            });
+          }
         }
       }
-    }
-    if (requireAttestation && validAttestations.length === 0) {
-      throw new NCC02Error("POLICY_FAILURE", `No trusted attestations meet the required policy for ${serviceId}`);
+      if (requireAttestation && validAttestations.length === 0) {
+        throw new NCC02Error("POLICY_FAILURE", `No trusted attestations meet the required policy for ${serviceId}`);
+      }
     }
     return {
       endpoint: serviceTags.u,

package/dist/models.d.ts

@@ -22,14 +22,14 @@ export class NCC02Builder {
      * Creates a signed Service Record (Kind 30059).
      * @param {Object} options
      * @param {string} options.serviceId - The 'd' tag identifier.
-     * @param {string} options.endpoint - The 'u' tag URI.
-     * @param {string} options.fingerprint - The 'k' tag fingerprint.
+     * @param {string} [options.endpoint] - The 'u' tag URI.
+     * @param {string} [options.fingerprint] - The 'k' tag fingerprint.
      * @param {number} [options.expiryDays=14] - Expiry in days.
      */
     createServiceRecord(options: {
         serviceId: string;
-        endpoint: string;
-        fingerprint: string;
+        endpoint?: string;
+        fingerprint?: string;
         expiryDays?: number;
     }): import("nostr-tools/core").VerifiedEvent;
     /**

package/dist/resolver.d.ts

@@ -13,8 +13,8 @@ export class NCC02Error extends Error {
 }
 /**
  * @typedef {Object} ResolvedService
- * @property {string} endpoint
- * @property {string} fingerprint
+ * @property {string|undefined} endpoint
+ * @property {string|undefined} fingerprint
  * @property {number} expiry
  * @property {any[]} attestations
  * @property {string} eventId
@@ -42,6 +42,10 @@ export class NCC02Resolver {
     pool: SimplePool;
     ownsPool: boolean;
     trustedCAPubkeys: Set<string>;
+    /**
+     * Closes the connection to the relays if the pool is owned by this resolver.
+     */
+    close(): void;
     /**
      * Internal query helper using SimplePool.subscribeMany (since list() is deprecated).
      * @param {import('nostr-tools').Filter} filter
@@ -87,8 +91,8 @@ export class NCC02Resolver {
     verifyEndpoint(resolved: ResolvedService, actualFingerprint: string): boolean;
 }
 export type ResolvedService = {
-    endpoint: string;
-    fingerprint: string;
+    endpoint: string | undefined;
+    fingerprint: string | undefined;
     expiry: number;
     attestations: any[];
     eventId: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ncc-02-js",
-  "version": "0.2.5",
+  "version": "0.3.1",
   "description": "Nostr-native service discovery and trust implementation (NCC-02)",
   "main": "dist/index.cjs",
   "module": "dist/index.mjs",

package/src/models.js

@@ -27,26 +27,26 @@ export class NCC02Builder {
    * Creates a signed Service Record (Kind 30059).
    * @param {Object} options
    * @param {string} options.serviceId - The 'd' tag identifier.
-   * @param {string} options.endpoint - The 'u' tag URI.
-   * @param {string} options.fingerprint - The 'k' tag fingerprint.
+   * @param {string} [options.endpoint] - The 'u' tag URI.
+   * @param {string} [options.fingerprint] - The 'k' tag fingerprint.
    * @param {number} [options.expiryDays=14] - Expiry in days.
    */
   createServiceRecord(options) {
     const { serviceId, endpoint, fingerprint, expiryDays = 14 } = options;
     if (!serviceId) throw new Error('serviceId (d tag) is required');
-    if (!endpoint) throw new Error('endpoint (u tag) is required');
-    if (!fingerprint) throw new Error('fingerprint (k tag) is required');
 
     const expiry = Math.floor(Date.now() / 1000) + (expiryDays * 24 * 60 * 60);
+    const tags = [
+      ['d', serviceId],
+      ['exp', expiry.toString()]
+    ];
+    if(endpoint) tags.push(['u', endpoint]);
+    if(fingerprint) tags.push(['k', fingerprint]);
+
     const event = {
       kind: KINDS.SERVICE_RECORD,
       created_at: Math.floor(Date.now() / 1000),
-      tags: [
-        ['d', serviceId],
-        ['u', endpoint],
-        ['k', fingerprint],
-        ['exp', expiry.toString()]
-      ],
+      tags: tags,
       content: `NCC-02 Service Record for ${serviceId}`,
       pubkey: this.pk
     };

package/src/resolver.js

@@ -19,8 +19,8 @@ export class NCC02Error extends Error {
 
 /**
  * @typedef {Object} ResolvedService
- * @property {string} endpoint
- * @property {string} fingerprint
+ * @property {string|undefined} endpoint
+ * @property {string|undefined} fingerprint
  * @property {number} expiry
  * @property {any[]} attestations
  * @property {string} eventId
@@ -43,7 +43,7 @@ export class NCC02Resolver {
    */
   constructor(relays, options = {}) {
     if (!Array.isArray(relays)) {
-       throw new Error("NCC02Resolver expects an array of relay URLs.");
+      throw new Error('NCC02Resolver expects an array of relay URLs.');
     }
     this.relays = relays;
     this.pool = options.pool || new SimplePool();
@@ -51,22 +51,31 @@ export class NCC02Resolver {
     this.trustedCAPubkeys = new Set(options.trustedCAPubkeys || []);
   }
 
+  /**
+   * Closes the connection to the relays if the pool is owned by this resolver.
+   */
+  close() {
+    if (this.ownsPool && this.pool) {
+      this.pool.close(this.relays);
+    }
+  }
+
   /**
    * Internal query helper using SimplePool.subscribeMany (since list() is deprecated).
    * @param {import('nostr-tools').Filter} filter 
    * @returns {Promise<import('nostr-tools').Event[]>}
    */
   async _query(filter) {
-      return new Promise((resolve) => {
-          /** @type {import('nostr-tools').Event[]} */
-          const events = [];
-          // subscribeMany(relays, filters, callbacks)
-          // @ts-ignore - subscribeMany filters parameter type mismatch with simple Object
-          const sub = this.pool.subscribeMany(this.relays, [filter], {
-              onevent(e) { events.push(e); },
-              oneose() { sub.close(); resolve(events); }
-          });
+    return new Promise((resolve) => {
+      /** @type {import('nostr-tools').Event[]} */
+      const events = [];
+      // subscribeMany(relays, filters, callbacks)
+      // @ts-ignore - subscribeMany filters parameter type mismatch with simple Object
+      const sub = this.pool.subscribeMany(this.relays, [filter], {
+        onevent(e) { events.push(e); },
+        oneose() { sub.close(); resolve(events); }
       });
+    });
   }
 
   /**
@@ -117,8 +126,13 @@ export class NCC02Resolver {
     const now = Math.floor(Date.now() / 1000);
 
     // Security Fix: exp is REQUIRED by NCC-02 spec
-    if (!serviceTags.u || !serviceTags.k || !serviceTags.exp) {
-      throw new NCC02Error('MALFORMED_RECORD', 'Service record is missing required tags (u, k, or exp)');
+    if (!serviceTags.exp) {
+      throw new NCC02Error('MALFORMED_RECORD', 'Service record is missing required tag (exp)');
+    }
+    
+    // 'k' is required for TLS-based endpoints
+    if (serviceTags.u && (serviceTags.u.startsWith('wss://') || serviceTags.u.startsWith('https://')) && !serviceTags.k) {
+      throw new NCC02Error('MALFORMED_RECORD', 'Service record with \'https\' or \'wss\' endpoint must have a \'k\' tag');
     }
 
     const exp = parseInt(serviceTags.exp);
@@ -129,42 +143,46 @@ export class NCC02Resolver {
       throw new NCC02Error('EXPIRED', 'Service record has expired');
     }
 
-    let attestations;
-    let revocations;
-    try {
-      [attestations, revocations] = await Promise.all([
-        this._query({ kinds: [KINDS.ATTESTATION], '#e': [serviceEvent.id] }),
-        this._query({ kinds: [KINDS.REVOCATION] })
-      ]);
-    } catch (err) {
-      throw new NCC02Error('RELAY_ERROR', 'Failed to query relay for attestations/revocations', err);
-    }
-
     const validAttestations = [];
-    for (const att of attestations) {
-      if (this.trustedCAPubkeys.has(att.pubkey)) {
-        const attTags = Object.fromEntries(att.tags);
-        
-        // Cross-validate subject, service ID, and standard
-        if (attTags.subj !== pubkey) continue;
-        if (attTags.srv !== serviceId) continue;
-        if (standard && attTags.std !== standard) continue;
-        
-        // Trust Level Filtering
-        if (minLevel && !this._isLevelSufficient(attTags.lvl, minLevel)) continue;
-
-        if (this._isAttestationValid(att, attTags, revocations)) {
-          validAttestations.push({
-            pubkey: att.pubkey,
-            level: attTags.lvl,
-            eventId: att.id
-          });
+
+    // Optimization: Only fetch attestations if policy requires it
+    if (requireAttestation || minLevel === 'verified' || minLevel === 'hardened') {
+      let attestations;
+      let revocations;
+      try {
+        [attestations, revocations] = await Promise.all([
+          this._query({ kinds: [KINDS.ATTESTATION], '#e': [serviceEvent.id] }),
+          this._query({ kinds: [KINDS.REVOCATION] })
+        ]);
+      } catch (err) {
+        throw new NCC02Error('RELAY_ERROR', 'Failed to query relay for attestations/revocations', err);
+      }
+
+      for (const att of attestations) {
+        if (this.trustedCAPubkeys.has(att.pubkey)) {
+          const attTags = Object.fromEntries(att.tags);
+          
+          // Cross-validate subject, service ID, and standard
+          if (attTags.subj !== pubkey) continue;
+          if (attTags.srv !== serviceId) continue;
+          if (standard && attTags.std !== standard) continue;
+          
+          // Trust Level Filtering
+          if (minLevel && !this._isLevelSufficient(attTags.lvl, minLevel)) continue;
+
+          if (this._isAttestationValid(att, attTags, revocations)) {
+            validAttestations.push({
+              pubkey: att.pubkey,
+              level: attTags.lvl,
+              eventId: att.id
+            });
+          }
         }
       }
-    }
 
-    if (requireAttestation && validAttestations.length === 0) {
-      throw new NCC02Error('POLICY_FAILURE', `No trusted attestations meet the required policy for ${serviceId}`);
+      if (requireAttestation && validAttestations.length === 0) {
+        throw new NCC02Error('POLICY_FAILURE', `No trusted attestations meet the required policy for ${serviceId}`);
+      }
     }
 
     return {