ncc-05 1.1.0 → 1.1.2

package/README.md

@@ -1,8 +1,17 @@
 # ncc-05
 
-Nostr Community Convention 05 - Identity-Bound Service Locator Resolution.
+**Nostr Community Convention 05 - Identity-Bound Service Locator Resolution.**
 
-This library provides a simple way to publish and resolve identity-bound service endpoints (IP/Port/Onion) using Nostr `kind:30058` events.
+A TypeScript library for publishing and resolving dynamic, encrypted service endpoints (IP, Port, Onion) bound to cryptographic identities using Nostr `kind:30058` events.
+
+## Features
+
+- **Identity-Centric**: Endpoints are bound to a Nostr Pubkey.
+- **Privacy-First**: NIP-44 encryption is mandatory by default.
+- **Multi-Recipient Support**: Implement "Wrapping" patterns to share endpoints with groups without sharing private keys.
+- **NIP-65 Gossip**: Built-in support for discovering a publisher's preferred relays.
+- **Tor Ready**: Easy integration with SOCKS5 proxies for anonymous resolution.
+- **Type Safe**: Fully typed with TypeScript.
 
 ## Installation
 
@@ -12,7 +21,7 @@ npm install ncc-05
 
 ## Usage
 
-### Resolver
+### 1. Basic Resolution (Self or Public)
 
 Resolve an identity-bound service locator for a given pubkey.
 
@@ -22,65 +31,62 @@ import { nip19 } from 'nostr-tools';
 
 const resolver = new NCC05Resolver();
 
-// Your secret key is needed to decrypt the record (NIP-44)
-const mySecretKey = nip19.decode('nsec...').data as Uint8Array;
-const targetPubkey = '...'; 
+// Resolve using an npub (or hex pubkey)
+const target = 'npub1...';
+const mySecretKey = ...; // Uint8Array needed for encrypted records
 
-const payload = await resolver.resolve(targetPubkey, mySecretKey);
+const payload = await resolver.resolve(target, mySecretKey, 'addr', { 
+    gossip: true, // Follow NIP-65 hints
+    strict: true  // Reject expired records
+});
 
 if (payload) {
-    console.log('Resolved Endpoints:');
-    payload.endpoints.forEach(ep => {
-        console.log(`- ${ep.type}://${ep.uri} (${ep.family})`);
-    });
+    console.log('Resolved Endpoints:', payload.endpoints);
 }
 ```
 
-### Publisher
+### 2. Targeted Encryption (Friend-to-Friend)
 
-Publish your own service locator record.
+Alice publishes a record that only Bob can decrypt.
 
 ```typescript
-import { NCC05Publisher, NCC05Payload } from 'ncc-05';
+import { NCC05Publisher } from 'ncc-05';
 
 const publisher = new NCC05Publisher();
-const mySecretKey = ...;
-
-const payload: NCC05Payload = {
-    v: 1,
-    ttl: 600,
-    updated_at: Math.floor(Date.now() / 1000),
-    endpoints: [
-        {
-            type: 'tcp',
-            uri: '127.0.0.1:8080',
-            priority: 10,
-            family: 'ipv4'
-        }
-    ]
-};
-
-const relays = ['wss://relay.damus.io', 'wss://nos.lol'];
-await publisher.publish(relays, mySecretKey, payload);
+const AliceSK = ...;
+const BobPK = "..."; // Bob's hex pubkey
+
+await publisher.publish(relays, AliceSK, payload, {
+    identifier: 'for-bob',
+    recipientPubkey: BobPK // Encrypts specifically for Bob
+});
 ```
 
-## Features
+### 3. Group Wrapping (One Event, Many Recipients)
 
-- **NIP-44 Encryption**: All locator records are encrypted by default.
-- **NIP-01/NIP-33**: Uses standard Nostr primitives.
-- **Identity-Centric**: Resolution is bound to a cryptographic identity (Pubkey).
-- **Tor/Proxy Support**: Easily route relay traffic through SOCKS5 in Node.js.
+Alice shares her endpoint with a list of authorized friends in a single event.
 
-## Tor & Privacy (Node.js)
+```typescript
+await publisher.publishWrapped(
+    relays, 
+    AliceSK, 
+    [BobPK, CharliePK, DavePK], 
+    payload, 
+    'private-group'
+);
+
+// Bob resolves it using his own key:
+const payload = await resolver.resolve(AlicePK, BobSK, 'private-group');
+```
 
-To resolve anonymously through Tor, you can use the `socks-proxy-agent` and a custom `WebSocket` implementation:
+### 4. Tor & Privacy (Node.js)
+
+Route all Nostr relay traffic through a local Tor proxy (`127.0.0.1:9050`).
 
 ```typescript
-import { NCC05Resolver } from 'ncc-05';
 import { SocksProxyAgent } from 'socks-proxy-agent';
 import { WebSocket } from 'ws';
 
-// Create a custom WebSocket class that uses the Tor agent
 class TorWebSocket extends WebSocket {
     constructor(address: string, protocols?: string | string[]) {
         const agent = new SocksProxyAgent('socks5h://127.0.0.1:9050');
@@ -93,6 +99,22 @@ const resolver = new NCC05Resolver({
 });
 ```
 
+## API Reference
+
+### `NCC05Resolver`
+- `resolve(targetPubkey, secretKey?, identifier?, options?)`: Finds and decrypts a locator record.
+- `close()`: Closes pool connections.
+
+### `NCC05Publisher`
+- `publish(relays, secretKey, payload, options?)`: Publishes a standard or targeted record.
+- `publishWrapped(relays, secretKey, recipients, payload, identifier?)`: Publishes a multi-recipient record.
+
+### `NCC05Group`
+- `createGroupIdentity()`: Generates a shared group keypair.
+- `resolveAsGroup(...)`: Helper for shared-nsec resolution.
+
 ## License
 
-MIT
+
+
+CC0 1.0 Universal

package/dist/index.d.ts

@@ -1,65 +1,161 @@
+/**
+ * NCC-05: Identity-Bound Service Locator Resolution
+ *
+ * This library implements the NCC-05 convention for publishing and resolving
+ * dynamic service endpoints (IP, Port, Onion) bound to Nostr identities.
+ *
+ * @module ncc-05
+ */
 import { Event } from 'nostr-tools';
+/**
+ * Represents a single reachable service endpoint.
+ */
 export interface NCC05Endpoint {
+    /** Protocol type, e.g., 'tcp', 'udp', 'http' */
     type: 'tcp' | 'udp' | string;
+    /** The URI string, e.g., '1.2.3.4:8080' or '[2001:db8::1]:9000' */
     uri: string;
+    /** Priority for selection (lower is higher priority) */
     priority: number;
+    /** Network family for routing hints */
     family: 'ipv4' | 'ipv6' | 'onion' | string;
 }
+/**
+ * The logical structure of an NCC-05 locator record payload.
+ */
 export interface NCC05Payload {
+    /** Payload version (currently 1) */
     v: number;
+    /** Time-to-live in seconds */
     ttl: number;
+    /** Unix timestamp of the last update */
     updated_at: number;
+    /** List of available endpoints */
     endpoints: NCC05Endpoint[];
+    /** Optional capability identifiers supported by the service */
     caps?: string[];
+    /** Optional human-readable notes */
     notes?: string;
 }
+/**
+ * Options for configuring the NCC05Resolver.
+ */
 export interface ResolverOptions {
+    /** List of relays used to bootstrap discovery */
     bootstrapRelays?: string[];
+    /** Timeout for relay queries in milliseconds (default: 10000) */
     timeout?: number;
+    /** Custom WebSocket implementation (e.g., for Tor/SOCKS5 in Node.js) */
     websocketImplementation?: any;
 }
 /**
- * Utility for managing shared group access to NCC-05 records.
+ * Structure for multi-recipient encrypted events.
+ * Implements a "wrapping" pattern to share one event with multiple keys.
+ */
+export interface WrappedContent {
+    /** The NCC05Payload encrypted with a random symmetric session key */
+    ciphertext: string;
+    /** Map of recipient pubkey (hex) to the encrypted session key */
+    wraps: Record<string, string>;
+}
+/**
+ * Utility for managing shared group access to service records.
  */
 export declare class NCC05Group {
     /**
-     * Generate a new shared identity for a group.
-     * The nsec should be shared with all authorized members.
+     * Generates a fresh identity (keypair) for a shared group.
+     * The resulting nsec should be shared with all authorized group members.
+     *
+     * @returns An object containing nsec, hex pubkey, and the raw secret key.
      */
     static createGroupIdentity(): {
         nsec: `nsec1${string}`;
         sk: Uint8Array<ArrayBufferLike>;
         pk: string;
+        npub: `npub1${string}`;
     };
     /**
-     * Resolve a record that was published using a group's shared identity.
+     * Helper to resolve a record using a group's shared identity.
+     *
+     * @param resolver - An initialized NCC05Resolver instance.
+     * @param groupPubkey - The public key of the group.
+     * @param groupSecretKey - The shared secret key of the group.
+     * @param identifier - The 'd' tag of the record (default: 'addr').
+     * @returns The resolved NCC05Payload or null.
      */
     static resolveAsGroup(resolver: NCC05Resolver, groupPubkey: string, groupSecretKey: Uint8Array, identifier?: string): Promise<NCC05Payload | null>;
 }
+/**
+ * Handles the discovery, selection, and decryption of NCC-05 locator records.
+ */
 export declare class NCC05Resolver {
     private pool;
     private bootstrapRelays;
     private timeout;
+    /**
+     * @param options - Configuration for the resolver.
+     */
     constructor(options?: ResolverOptions);
     /**
-     * Resolve a locator record for a given pubkey.
-     * Supports both hex and npub strings.
+     * Resolves a locator record for a given identity.
+     *
+     * Supports standard NIP-44 encryption, multi-recipient "wrapping",
+     * and plaintext public records.
+     *
+     * @param targetPubkey - The pubkey (hex or npub) of the service owner.
+     * @param secretKey - Your secret key (required if the record is encrypted).
+     * @param identifier - The 'd' tag of the record (default: 'addr').
+     * @param options - Resolution options (strict mode, gossip discovery).
+     * @returns The resolved and validated NCC05Payload, or null if not found/invalid.
      */
-    resolve(targetPubkey: string, secretKey: Uint8Array, identifier?: string, options?: {
+    resolve(targetPubkey: string, secretKey?: Uint8Array, identifier?: string, options?: {
         strict?: boolean;
         gossip?: boolean;
     }): Promise<NCC05Payload | null>;
+    /**
+     * Closes connections to all relays in the pool.
+     */
     close(): void;
 }
+/**
+ * Handles the construction, encryption, and publication of NCC-05 events.
+ */
 export declare class NCC05Publisher {
     private pool;
+    /**
+     * @param options - Configuration for the publisher.
+     */
     constructor(options?: {
         websocketImplementation?: any;
     });
     /**
-     * Create and publish a locator record.
-     * @param recipientPubkey Optional hex pubkey of the recipient. If omitted, self-encrypts.
+     * Publishes a single record encrypted for multiple recipients using the wrapping pattern.
+     * This avoids sharing a single group private key.
+     *
+     * @param relays - List of relays to publish to.
+     * @param secretKey - The publisher's secret key.
+     * @param recipients - List of recipient public keys (hex).
+     * @param payload - The service locator payload.
+     * @param identifier - The 'd' tag identifier (default: 'addr').
+     * @returns The signed Nostr event.
+     */
+    publishWrapped(relays: string[], secretKey: Uint8Array, recipients: string[], payload: NCC05Payload, identifier?: string): Promise<Event>;
+    /**
+     * Publishes a locator record. Supports self-encryption, targeted encryption, or plaintext.
+     *
+     * @param relays - List of relays to publish to.
+     * @param secretKey - The publisher's secret key.
+     * @param payload - The service locator payload.
+     * @param options - Publishing options (identifier, recipient, or public flag).
+     * @returns The signed Nostr event.
+     */
+    publish(relays: string[], secretKey: Uint8Array, payload: NCC05Payload, options?: {
+        identifier?: string;
+        recipientPubkey?: string;
+        public?: boolean;
+    }): Promise<Event>;
+    /**
+     * Closes connections to the specified relays.
      */
-    publish(relays: string[], secretKey: Uint8Array, payload: NCC05Payload, identifier?: string, recipientPubkey?: string): Promise<Event>;
     close(relays: string[]): void;
 }

package/dist/index.js

@@ -1,45 +1,75 @@
+/**
+ * NCC-05: Identity-Bound Service Locator Resolution
+ *
+ * This library implements the NCC-05 convention for publishing and resolving
+ * dynamic service endpoints (IP, Port, Onion) bound to Nostr identities.
+ *
+ * @module ncc-05
+ */
 import { SimplePool, nip44, nip19, finalizeEvent, verifyEvent, getPublicKey, generateSecretKey } from 'nostr-tools';
 /**
- * Utility for managing shared group access to NCC-05 records.
+ * Utility for managing shared group access to service records.
  */
 export class NCC05Group {
     /**
-     * Generate a new shared identity for a group.
-     * The nsec should be shared with all authorized members.
+     * Generates a fresh identity (keypair) for a shared group.
+     * The resulting nsec should be shared with all authorized group members.
+     *
+     * @returns An object containing nsec, hex pubkey, and the raw secret key.
      */
     static createGroupIdentity() {
         const sk = generateSecretKey();
+        const pk = getPublicKey(sk);
         return {
             nsec: nip19.nsecEncode(sk),
             sk: sk,
-            pk: getPublicKey(sk)
+            pk: pk,
+            npub: nip19.npubEncode(pk)
         };
     }
     /**
-     * Resolve a record that was published using a group's shared identity.
+     * Helper to resolve a record using a group's shared identity.
+     *
+     * @param resolver - An initialized NCC05Resolver instance.
+     * @param groupPubkey - The public key of the group.
+     * @param groupSecretKey - The shared secret key of the group.
+     * @param identifier - The 'd' tag of the record (default: 'addr').
+     * @returns The resolved NCC05Payload or null.
      */
     static async resolveAsGroup(resolver, groupPubkey, groupSecretKey, identifier = 'addr') {
-        // In group mode, we use the group's SK to decrypt a record 
-        // that was self-encrypted by the group's PK.
         return resolver.resolve(groupPubkey, groupSecretKey, identifier);
     }
 }
+/**
+ * Handles the discovery, selection, and decryption of NCC-05 locator records.
+ */
 export class NCC05Resolver {
     pool;
     bootstrapRelays;
     timeout;
+    /**
+     * @param options - Configuration for the resolver.
+     */
     constructor(options = {}) {
         this.pool = new SimplePool();
         if (options.websocketImplementation) {
-            // @ts-ignore - Patching pool for custom WebSocket (Tor/Proxy)
+            // @ts-ignore - Patching pool for custom transport
             this.pool.websocketImplementation = options.websocketImplementation;
         }
         this.bootstrapRelays = options.bootstrapRelays || ['wss://relay.damus.io', 'wss://nos.lol'];
         this.timeout = options.timeout || 10000;
     }
     /**
-     * Resolve a locator record for a given pubkey.
-     * Supports both hex and npub strings.
+     * Resolves a locator record for a given identity.
+     *
+     * Supports standard NIP-44 encryption, multi-recipient "wrapping",
+     * and plaintext public records.
+     *
+     * @param targetPubkey - The pubkey (hex or npub) of the service owner.
+     * @param secretKey - Your secret key (required if the record is encrypted).
+     * @param identifier - The 'd' tag of the record (default: 'addr').
+     * @param options - Resolution options (strict mode, gossip discovery).
+     * @returns The resolved and validated NCC05Payload, or null if not found/invalid.
      */
     async resolve(targetPubkey, secretKey, identifier = 'addr', options = {}) {
         let hexPubkey = targetPubkey;
@@ -70,79 +100,138 @@ export class NCC05Resolver {
             limit: 10
         };
         const queryPromise = this.pool.querySync(queryRelays, filter);
-        const timeoutPromise = new Promise((resolve) => setTimeout(() => resolve(null), this.timeout));
+        const timeoutPromise = new Promise((r) => setTimeout(() => r(null), this.timeout));
         const result = await Promise.race([queryPromise, timeoutPromise]);
         if (!result || (Array.isArray(result) && result.length === 0))
             return null;
-        // 2. Filter for valid signatures and sort by created_at
         const validEvents = result
             .filter(e => verifyEvent(e))
             .sort((a, b) => b.created_at - a.created_at);
         if (validEvents.length === 0)
             return null;
         const latestEvent = validEvents[0];
-        // 2. Decrypt
         try {
-            const conversationKey = nip44.getConversationKey(secretKey, hexPubkey);
-            const decrypted = nip44.decrypt(latestEvent.content, conversationKey);
-            const payload = JSON.parse(decrypted);
-            // 3. Basic Validation
-            if (!payload.endpoints || !Array.isArray(payload.endpoints)) {
-                console.error('Invalid NCC-05 payload structure');
-                return null;
+            let content = latestEvent.content;
+            // Handle "Wrapped" multi-recipient content
+            if (content.includes('"wraps"') && secretKey) {
+                const wrapped = JSON.parse(content);
+                const myPk = getPublicKey(secretKey);
+                const myWrap = wrapped.wraps[myPk];
+                if (myWrap) {
+                    const conversationKey = nip44.getConversationKey(secretKey, hexPubkey);
+                    const symmetricKeyHex = nip44.decrypt(myWrap, conversationKey);
+                    const symmetricKey = new Uint8Array(symmetricKeyHex.match(/.{1,2}/g).map(byte => parseInt(byte, 16)));
+                    const sessionConversationKey = nip44.getConversationKey(symmetricKey, getPublicKey(symmetricKey));
+                    content = nip44.decrypt(wrapped.ciphertext, sessionConversationKey);
+                }
             }
-            // 4. Freshness check
+            else if (secretKey) {
+                // Standard NIP-44
+                const conversationKey = nip44.getConversationKey(secretKey, hexPubkey);
+                content = nip44.decrypt(latestEvent.content, conversationKey);
+            }
+            const payload = JSON.parse(content);
+            if (!payload.endpoints)
+                return null;
+            // Freshness validation
             const now = Math.floor(Date.now() / 1000);
             if (now > payload.updated_at + payload.ttl) {
-                if (options.strict) {
-                    console.warn('Rejecting expired NCC-05 record (strict mode)');
+                if (options.strict)
                     return null;
-                }
                 console.warn('NCC-05 record has expired');
             }
             return payload;
         }
         catch (e) {
-            console.error('Failed to decrypt or parse NCC-05 record:', e);
             return null;
         }
     }
+    /**
+     * Closes connections to all relays in the pool.
+     */
     close() {
         this.pool.close(this.bootstrapRelays);
     }
 }
+/**
+ * Handles the construction, encryption, and publication of NCC-05 events.
+ */
 export class NCC05Publisher {
     pool;
+    /**
+     * @param options - Configuration for the publisher.
+     */
     constructor(options = {}) {
         this.pool = new SimplePool();
         if (options.websocketImplementation) {
-            // @ts-ignore - Patching pool for custom WebSocket (Tor/Proxy)
+            // @ts-ignore
             this.pool.websocketImplementation = options.websocketImplementation;
         }
     }
     /**
-     * Create and publish a locator record.
-     * @param recipientPubkey Optional hex pubkey of the recipient. If omitted, self-encrypts.
+     * Publishes a single record encrypted for multiple recipients using the wrapping pattern.
+     * This avoids sharing a single group private key.
+     *
+     * @param relays - List of relays to publish to.
+     * @param secretKey - The publisher's secret key.
+     * @param recipients - List of recipient public keys (hex).
+     * @param payload - The service locator payload.
+     * @param identifier - The 'd' tag identifier (default: 'addr').
+     * @returns The signed Nostr event.
+     */
+    async publishWrapped(relays, secretKey, recipients, payload, identifier = 'addr') {
+        const sessionKey = generateSecretKey();
+        const sessionKeyHex = Array.from(sessionKey).map(b => b.toString(16).padStart(2, '0')).join('');
+        const selfConversation = nip44.getConversationKey(sessionKey, getPublicKey(sessionKey));
+        const ciphertext = nip44.encrypt(JSON.stringify(payload), selfConversation);
+        const wraps = {};
+        for (const rPk of recipients) {
+            const conversationKey = nip44.getConversationKey(secretKey, rPk);
+            wraps[rPk] = nip44.encrypt(sessionKeyHex, conversationKey);
+        }
+        const wrappedContent = { ciphertext, wraps };
+        const eventTemplate = {
+            kind: 30058,
+            created_at: Math.floor(Date.now() / 1000),
+            tags: [['d', identifier]],
+            content: JSON.stringify(wrappedContent),
+        };
+        const signedEvent = finalizeEvent(eventTemplate, secretKey);
+        await Promise.all(this.pool.publish(relays, signedEvent));
+        return signedEvent;
+    }
+    /**
+     * Publishes a locator record. Supports self-encryption, targeted encryption, or plaintext.
+     *
+     * @param relays - List of relays to publish to.
+     * @param secretKey - The publisher's secret key.
+     * @param payload - The service locator payload.
+     * @param options - Publishing options (identifier, recipient, or public flag).
+     * @returns The signed Nostr event.
      */
-    async publish(relays, secretKey, payload, identifier = 'addr', recipientPubkey) {
+    async publish(relays, secretKey, payload, options = {}) {
         const myPubkey = getPublicKey(secretKey);
-        const encryptionTarget = recipientPubkey || myPubkey;
-        // 1. Encrypt
-        const conversationKey = nip44.getConversationKey(secretKey, encryptionTarget);
-        const encryptedContent = nip44.encrypt(JSON.stringify(payload), conversationKey);
-        // 2. Create and Finalize Event
+        const identifier = options.identifier || 'addr';
+        let content = JSON.stringify(payload);
+        if (!options.public) {
+            const encryptionTarget = options.recipientPubkey || myPubkey;
+            const conversationKey = nip44.getConversationKey(secretKey, encryptionTarget);
+            content = nip44.encrypt(content, conversationKey);
+        }
         const eventTemplate = {
             kind: 30058,
             created_at: Math.floor(Date.now() / 1000),
             pubkey: myPubkey,
             tags: [['d', identifier]],
-            content: encryptedContent,
+            content: content,
         };
         const signedEvent = finalizeEvent(eventTemplate, secretKey);
-        // 3. Publish
         await Promise.all(this.pool.publish(relays, signedEvent));
         return signedEvent;
     }
+    /**
+     * Closes connections to the specified relays.
+     */
     close(relays) {
         this.pool.close(relays);
     }

package/dist/mock-relay.d.ts

@@ -0,0 +1,6 @@
+export declare class MockRelay {
+    private wss;
+    private events;
+    constructor(port?: number);
+    stop(): void;
+}

package/dist/mock-relay.js

@@ -0,0 +1,47 @@
+import { WebSocketServer } from 'ws';
+export class MockRelay {
+    wss;
+    events = [];
+    constructor(port = 8080) {
+        this.wss = new WebSocketServer({ port });
+        this.wss.on('connection', (ws) => {
+            ws.on('message', (data) => {
+                const msg = JSON.parse(data);
+                const type = msg[0];
+                if (type === 'EVENT') {
+                    const event = msg[1];
+                    // Basic replaceable logic for test consistency
+                    if (event.kind === 30058 || event.kind === 10002) {
+                        const dTag = event.tags.find((t) => t[0] === 'd')?.[1] || "";
+                        this.events = this.events.filter(e => !(e.pubkey === event.pubkey && e.kind === event.kind && (e.tags.find((t) => t[0] === 'd')?.[1] || "") === dTag));
+                    }
+                    this.events.push(event);
+                    ws.send(JSON.stringify(["OK", event.id, true, ""]));
+                }
+                else if (type === 'REQ') {
+                    const subId = msg[1];
+                    const filters = msg[2];
+                    this.events.forEach(event => {
+                        let match = true;
+                        if (filters.authors && !filters.authors.includes(event.pubkey))
+                            match = false;
+                        if (filters.kinds && !filters.kinds.includes(event.kind))
+                            match = false;
+                        if (filters['#d']) {
+                            const dTag = event.tags.find((t) => t[0] === 'd')?.[1];
+                            if (!filters['#d'].includes(dTag))
+                                match = false;
+                        }
+                        if (match) {
+                            ws.send(JSON.stringify(["EVENT", subId, event]));
+                        }
+                    });
+                    ws.send(JSON.stringify(["EOSE", subId]));
+                }
+            });
+        });
+    }
+    stop() {
+        this.wss.close();
+    }
+}

package/dist/test.js

@@ -1,9 +1,12 @@
 import { NCC05Publisher, NCC05Resolver, NCC05Group } from './index.js';
-import { generateSecretKey, getPublicKey } from 'nostr-tools';
+import { generateSecretKey, getPublicKey, nip19 } from 'nostr-tools';
+import { MockRelay } from './mock-relay.js';
 async function test() {
+    console.log('Starting Mock Relay...');
+    const relay = new MockRelay(8080);
+    const relays = ['ws://localhost:8080'];
     const sk = generateSecretKey();
     const pk = getPublicKey(sk);
-    const relays = ['wss://relay.damus.io'];
     const publisher = new NCC05Publisher();
     const resolver = new NCC05Resolver({ bootstrapRelays: relays });
     const payload = {
@@ -23,7 +26,8 @@ async function test() {
         console.log('Successfully resolved:', JSON.stringify(resolved, null, 2));
     }
     else {
-        console.log('Failed to resolve.');
+        console.error('FAILED: resolution.');
+        process.exit(1);
     }
     // Test Strict Mode with Expired Record
     console.log('Testing expired record in strict mode...');
@@ -33,7 +37,7 @@ async function test() {
         updated_at: Math.floor(Date.now() / 1000) - 10, // 10s ago
         endpoints: [{ type: 'tcp', uri: '1.1.1.1:1', priority: 1, family: 'ipv4' }]
     };
-    await publisher.publish(relays, sk, expiredPayload, 'expired-test');
+    await publisher.publish(relays, sk, expiredPayload, { identifier: 'expired-test' });
     const strictResult = await resolver.resolve(pk, sk, 'expired-test', { strict: true });
     if (strictResult === null) {
         console.log('Correctly rejected expired record in strict mode.');
@@ -44,8 +48,6 @@ async function test() {
     }
     // Test Gossip Mode
     console.log('Testing Gossip discovery...');
-    // In this test, we just point kind:10002 to the same relay we are using
-    // to verify the code path executes.
     const relayListTemplate = {
         kind: 10002,
         created_at: Math.floor(Date.now() / 1000),
@@ -53,6 +55,7 @@ async function test() {
         content: '',
     };
     const signedRL = (await import('nostr-tools')).finalizeEvent(relayListTemplate, sk);
+    // @ts-ignore
     await Promise.all(publisher['pool'].publish(relays, signedRL));
     const gossipResult = await resolver.resolve(pk, sk, 'addr', { gossip: true });
     if (gossipResult) {
@@ -64,7 +67,7 @@ async function test() {
     }
     // Test npub resolution
     console.log('Testing npub resolution...');
-    const npub = (await import('nostr-tools')).nip19.npubEncode(pk);
+    const npub = nip19.npubEncode(pk);
     const npubResult = await resolver.resolve(npub, sk);
     if (npubResult) {
         console.log('npub resolution successful.');
@@ -85,7 +88,17 @@ async function test() {
     };
     // User A publishes for User B
     console.log('User A publishing for User B...');
-    await publisher.publish(relays, skA, payloadFriend, 'friend-test', pkB);
+    await publisher.publish(relays, skA, payloadFriend, { identifier: 'friend-test', recipientPubkey: pkB });
+    // User B resolves User A's record
+    console.log('User B resolving User A...');
+    const friendResult = await resolver.resolve(pkA, skB, 'friend-test');
+    if (friendResult && friendResult.endpoints[0].uri === 'friend:7777') {
+        console.log('Friend-to-Friend resolution successful.');
+    }
+    else {
+        console.error('FAILED: Friend-to-Friend resolution.');
+        process.exit(1);
+    }
     // Test Group Resolution Utility
     console.log('Testing NCC05Group utility...');
     const groupIdentity = NCC05Group.createGroupIdentity();
@@ -94,7 +107,7 @@ async function test() {
         endpoints: [{ type: 'tcp', uri: 'group-service:8888', priority: 1, family: 'ipv4' }]
     };
     console.log('Publishing as Group...');
-    await publisher.publish(relays, groupIdentity.sk, payloadGroup, 'group-test');
+    await publisher.publish(relays, groupIdentity.sk, payloadGroup, { identifier: 'group-test' });
     console.log('Resolving as Group Member...');
     const groupResult = await NCC05Group.resolveAsGroup(resolver, groupIdentity.pk, groupIdentity.sk, 'group-test');
     if (groupResult && groupResult.endpoints[0].uri === 'group-service:8888') {
@@ -104,8 +117,35 @@ async function test() {
         console.error('FAILED: NCC05Group resolution.');
         process.exit(1);
     }
+    // Test Group Wrapping (Multi-Recipient)
+    console.log('Testing Group Wrapping (Multi-Recipient)...');
+    const skAlice = generateSecretKey();
+    const pkAlice = getPublicKey(skAlice);
+    const skBob = generateSecretKey();
+    const pkBob = getPublicKey(skBob);
+    const skCharlie = generateSecretKey();
+    const pkCharlie = getPublicKey(skCharlie);
+    const payloadWrap = {
+        v: 1, ttl: 60, updated_at: Math.floor(Date.now() / 1000),
+        endpoints: [{ type: 'tcp', uri: 'multi-recipient:9999', priority: 1, family: 'ipv4' }]
+    };
+    console.log('Alice publishing wrapped record for Bob and Charlie...');
+    await publisher.publishWrapped(relays, skAlice, [pkBob, pkCharlie], payloadWrap, 'wrap-test');
+    console.log('Bob resolving Alice...');
+    const bobResult = await resolver.resolve(pkAlice, skBob, 'wrap-test');
+    console.log('Charlie resolving Alice...');
+    const charlieResult = await resolver.resolve(pkAlice, skCharlie, 'wrap-test');
+    if (bobResult && charlieResult && bobResult.endpoints[0].uri === 'multi-recipient:9999') {
+        console.log('Group Wrapping successful! Both recipients resolved Alice.');
+    }
+    else {
+        console.error('FAILED: Group Wrapping resolution.');
+        process.exit(1);
+    }
     publisher.close(relays);
     resolver.close();
+    relay.stop();
+    console.log('Local Mock Test Suite Passed.');
     process.exit(0);
 }
 test().catch(console.error);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ncc-05",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Nostr Community Convention 05 - Identity-Bound Service Locator Resolution",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -17,12 +17,14 @@
     "privacy"
   ],
   "author": "lostcause",
-  "license": "MIT",
+  "license": "CC0-1.0",
   "dependencies": {
     "nostr-tools": "^2.10.0"
   },
   "devDependencies": {
+    "@types/node": "^25.0.3",
+    "@types/ws": "^8.18.1",
     "typescript": "^5.0.0",
-    "@types/node": "^20.0.0"
+    "ws": "^8.18.3"
   }
 }

package/src/index.ts

@@ -1,3 +1,12 @@
+/**
+ * NCC-05: Identity-Bound Service Locator Resolution
+ * 
+ * This library implements the NCC-05 convention for publishing and resolving
+ * dynamic service endpoints (IP, Port, Onion) bound to Nostr identities.
+ * 
+ * @module ncc-05
+ */
+
 import { 
     SimplePool, 
     nip44, 
@@ -9,47 +18,90 @@ import {
     generateSecretKey
 } from 'nostr-tools';
 
+/**
+ * Represents a single reachable service endpoint.
+ */
 export interface NCC05Endpoint {
+    /** Protocol type, e.g., 'tcp', 'udp', 'http' */
     type: 'tcp' | 'udp' | string;
+    /** The URI string, e.g., '1.2.3.4:8080' or '[2001:db8::1]:9000' */
     uri: string;
+    /** Priority for selection (lower is higher priority) */
     priority: number;
+    /** Network family for routing hints */
     family: 'ipv4' | 'ipv6' | 'onion' | string;
 }
 
+/**
+ * The logical structure of an NCC-05 locator record payload.
+ */
 export interface NCC05Payload {
+    /** Payload version (currently 1) */
     v: number;
+    /** Time-to-live in seconds */
     ttl: number;
+    /** Unix timestamp of the last update */
     updated_at: number;
+    /** List of available endpoints */
     endpoints: NCC05Endpoint[];
+    /** Optional capability identifiers supported by the service */
     caps?: string[];
+    /** Optional human-readable notes */
     notes?: string;
 }
 
+/**
+ * Options for configuring the NCC05Resolver.
+ */
 export interface ResolverOptions {
+    /** List of relays used to bootstrap discovery */
     bootstrapRelays?: string[];
+    /** Timeout for relay queries in milliseconds (default: 10000) */
     timeout?: number;
-    websocketImplementation?: any; // To support Tor/SOCKS5 proxies in Node.js
+    /** Custom WebSocket implementation (e.g., for Tor/SOCKS5 in Node.js) */
+    websocketImplementation?: any;
 }
 
 /**
- * Utility for managing shared group access to NCC-05 records.
+ * Structure for multi-recipient encrypted events.
+ * Implements a "wrapping" pattern to share one event with multiple keys.
+ */
+export interface WrappedContent {
+    /** The NCC05Payload encrypted with a random symmetric session key */
+    ciphertext: string;
+    /** Map of recipient pubkey (hex) to the encrypted session key */
+    wraps: Record<string, string>;
+}
+
+/**
+ * Utility for managing shared group access to service records.
  */
 export class NCC05Group {
     /**
-     * Generate a new shared identity for a group.
-     * The nsec should be shared with all authorized members.
+     * Generates a fresh identity (keypair) for a shared group.
+     * The resulting nsec should be shared with all authorized group members.
+     * 
+     * @returns An object containing nsec, hex pubkey, and the raw secret key.
      */
     static createGroupIdentity() {
         const sk = generateSecretKey();
+        const pk = getPublicKey(sk);
         return {
             nsec: nip19.nsecEncode(sk),
             sk: sk,
-            pk: getPublicKey(sk)
+            pk: pk,
+            npub: nip19.npubEncode(pk)
         };
     }
 
     /**
-     * Resolve a record that was published using a group's shared identity.
+     * Helper to resolve a record using a group's shared identity.
+     * 
+     * @param resolver - An initialized NCC05Resolver instance.
+     * @param groupPubkey - The public key of the group.
+     * @param groupSecretKey - The shared secret key of the group.
+     * @param identifier - The 'd' tag of the record (default: 'addr').
+     * @returns The resolved NCC05Payload or null.
      */
     static async resolveAsGroup(
         resolver: NCC05Resolver,
@@ -57,21 +109,25 @@ export class NCC05Group {
         groupSecretKey: Uint8Array,
         identifier: string = 'addr'
     ): Promise<NCC05Payload | null> {
-        // In group mode, we use the group's SK to decrypt a record 
-        // that was self-encrypted by the group's PK.
         return resolver.resolve(groupPubkey, groupSecretKey, identifier);
     }
 }
 
+/**
+ * Handles the discovery, selection, and decryption of NCC-05 locator records.
+ */
 export class NCC05Resolver {
     private pool: SimplePool;
     private bootstrapRelays: string[];
     private timeout: number;
 
+    /**
+     * @param options - Configuration for the resolver.
+     */
     constructor(options: ResolverOptions = {}) {
         this.pool = new SimplePool();
         if (options.websocketImplementation) {
-            // @ts-ignore - Patching pool for custom WebSocket (Tor/Proxy)
+            // @ts-ignore - Patching pool for custom transport
             this.pool.websocketImplementation = options.websocketImplementation;
         }
         this.bootstrapRelays = options.bootstrapRelays || ['wss://relay.damus.io', 'wss://nos.lol'];
@@ -79,12 +135,20 @@ export class NCC05Resolver {
     }
 
     /**
-     * Resolve a locator record for a given pubkey.
-     * Supports both hex and npub strings.
+     * Resolves a locator record for a given identity.
+     * 
+     * Supports standard NIP-44 encryption, multi-recipient "wrapping", 
+     * and plaintext public records.
+     * 
+     * @param targetPubkey - The pubkey (hex or npub) of the service owner.
+     * @param secretKey - Your secret key (required if the record is encrypted).
+     * @param identifier - The 'd' tag of the record (default: 'addr').
+     * @param options - Resolution options (strict mode, gossip discovery).
+     * @returns The resolved and validated NCC05Payload, or null if not found/invalid.
      */
     async resolve(
         targetPubkey: string, 
-        secretKey: Uint8Array, 
+        secretKey?: Uint8Array, 
         identifier: string = 'addr',
         options: { strict?: boolean, gossip?: boolean } = {}
     ): Promise<NCC05Payload | null> {
@@ -102,7 +166,6 @@ export class NCC05Resolver {
                 authors: [hexPubkey],
                 kinds: [10002]
             });
-
             if (relayListEvent) {
                 const discoveredRelays = relayListEvent.tags
                     .filter(t => t[0] === 'r')
@@ -121,15 +184,11 @@ export class NCC05Resolver {
         };
 
         const queryPromise = this.pool.querySync(queryRelays, filter);
-        const timeoutPromise = new Promise<null>((resolve) => 
-            setTimeout(() => resolve(null), this.timeout)
-        );
-
+        const timeoutPromise = new Promise<null>((r) => setTimeout(() => r(null), this.timeout));
         const result = await Promise.race([queryPromise, timeoutPromise]);
         
         if (!result || (Array.isArray(result) && result.length === 0)) return null;
         
-        // 2. Filter for valid signatures and sort by created_at
         const validEvents = (result as Event[])
             .filter(e => verifyEvent(e))
             .sort((a, b) => b.created_at - a.created_at);
@@ -137,87 +196,156 @@ export class NCC05Resolver {
         if (validEvents.length === 0) return null;
         const latestEvent = validEvents[0];
 
-        // 2. Decrypt
         try {
-            const conversationKey = nip44.getConversationKey(secretKey, hexPubkey);
-            const decrypted = nip44.decrypt(latestEvent.content, conversationKey);
-            const payload = JSON.parse(decrypted) as NCC05Payload;
-
-            // 3. Basic Validation
-            if (!payload.endpoints || !Array.isArray(payload.endpoints)) {
-                console.error('Invalid NCC-05 payload structure');
-                return null;
+            let content = latestEvent.content;
+            
+            // Handle "Wrapped" multi-recipient content
+            if (content.includes('"wraps"') && secretKey) {
+                const wrapped = JSON.parse(content) as WrappedContent;
+                const myPk = getPublicKey(secretKey);
+                const myWrap = wrapped.wraps[myPk];
+                
+                if (myWrap) {
+                    const conversationKey = nip44.getConversationKey(secretKey, hexPubkey);
+                    const symmetricKeyHex = nip44.decrypt(myWrap, conversationKey);
+                    const symmetricKey = new Uint8Array(symmetricKeyHex.match(/.{1,2}/g)!.map(byte => parseInt(byte, 16)));
+                    
+                    const sessionConversationKey = nip44.getConversationKey(symmetricKey, getPublicKey(symmetricKey));
+                    content = nip44.decrypt(wrapped.ciphertext, sessionConversationKey);
+                }
+            } else if (secretKey) {
+                // Standard NIP-44
+                const conversationKey = nip44.getConversationKey(secretKey, hexPubkey);
+                content = nip44.decrypt(latestEvent.content, conversationKey);
             }
 
-            // 4. Freshness check
+            const payload = JSON.parse(content) as NCC05Payload;
+            if (!payload.endpoints) return null;
+
+            // Freshness validation
             const now = Math.floor(Date.now() / 1000);
             if (now > payload.updated_at + payload.ttl) {
-                if (options.strict) {
-                    console.warn('Rejecting expired NCC-05 record (strict mode)');
-                    return null;
-                }
+                if (options.strict) return null;
                 console.warn('NCC-05 record has expired');
             }
 
             return payload;
         } catch (e) {
-            console.error('Failed to decrypt or parse NCC-05 record:', e);
             return null;
         }
     }
 
+    /**
+     * Closes connections to all relays in the pool.
+     */
     close() {
         this.pool.close(this.bootstrapRelays);
     }
 }
 
+/**
+ * Handles the construction, encryption, and publication of NCC-05 events.
+ */
 export class NCC05Publisher {
     private pool: SimplePool;
 
+    /**
+     * @param options - Configuration for the publisher.
+     */
     constructor(options: { websocketImplementation?: any } = {}) {
         this.pool = new SimplePool();
         if (options.websocketImplementation) {
-            // @ts-ignore - Patching pool for custom WebSocket (Tor/Proxy)
+            // @ts-ignore
             this.pool.websocketImplementation = options.websocketImplementation;
         }
     }
 
     /**
-     * Create and publish a locator record.
-     * @param recipientPubkey Optional hex pubkey of the recipient. If omitted, self-encrypts.
+     * Publishes a single record encrypted for multiple recipients using the wrapping pattern.
+     * This avoids sharing a single group private key.
+     * 
+     * @param relays - List of relays to publish to.
+     * @param secretKey - The publisher's secret key.
+     * @param recipients - List of recipient public keys (hex).
+     * @param payload - The service locator payload.
+     * @param identifier - The 'd' tag identifier (default: 'addr').
+     * @returns The signed Nostr event.
+     */
+    async publishWrapped(
+        relays: string[],
+        secretKey: Uint8Array,
+        recipients: string[],
+        payload: NCC05Payload,
+        identifier: string = 'addr'
+    ): Promise<Event> {
+        const sessionKey = generateSecretKey();
+        const sessionKeyHex = Array.from(sessionKey).map(b => b.toString(16).padStart(2, '0')).join('');
+        
+        const selfConversation = nip44.getConversationKey(sessionKey, getPublicKey(sessionKey));
+        const ciphertext = nip44.encrypt(JSON.stringify(payload), selfConversation);
+
+        const wraps: Record<string, string> = {};
+        for (const rPk of recipients) {
+            const conversationKey = nip44.getConversationKey(secretKey, rPk);
+            wraps[rPk] = nip44.encrypt(sessionKeyHex, conversationKey);
+        }
+
+        const wrappedContent: WrappedContent = { ciphertext, wraps };
+
+        const eventTemplate = {
+            kind: 30058,
+            created_at: Math.floor(Date.now() / 1000),
+            tags: [['d', identifier]],
+            content: JSON.stringify(wrappedContent),
+        };
+
+        const signedEvent = finalizeEvent(eventTemplate, secretKey);
+        await Promise.all(this.pool.publish(relays, signedEvent));
+        return signedEvent;
+    }
+
+    /**
+     * Publishes a locator record. Supports self-encryption, targeted encryption, or plaintext.
+     * 
+     * @param relays - List of relays to publish to.
+     * @param secretKey - The publisher's secret key.
+     * @param payload - The service locator payload.
+     * @param options - Publishing options (identifier, recipient, or public flag).
+     * @returns The signed Nostr event.
      */
     async publish(
         relays: string[],
         secretKey: Uint8Array,
         payload: NCC05Payload,
-        identifier: string = 'addr',
-        recipientPubkey?: string
+        options: { identifier?: string, recipientPubkey?: string, public?: boolean } = {}
     ): Promise<Event> {
         const myPubkey = getPublicKey(secretKey);
-        const encryptionTarget = recipientPubkey || myPubkey;
-        
-        // 1. Encrypt
-        const conversationKey = nip44.getConversationKey(secretKey, encryptionTarget);
-        const encryptedContent = nip44.encrypt(JSON.stringify(payload), conversationKey);
+        const identifier = options.identifier || 'addr';
+        let content = JSON.stringify(payload);
+
+        if (!options.public) {
+            const encryptionTarget = options.recipientPubkey || myPubkey;
+            const conversationKey = nip44.getConversationKey(secretKey, encryptionTarget);
+            content = nip44.encrypt(content, conversationKey);
+        }
 
-        // 2. Create and Finalize Event
         const eventTemplate = {
             kind: 30058,
             created_at: Math.floor(Date.now() / 1000),
             pubkey: myPubkey,
             tags: [['d', identifier]],
-            content: encryptedContent,
+            content: content,
         };
 
         const signedEvent = finalizeEvent(eventTemplate, secretKey);
-
-        // 3. Publish
         await Promise.all(this.pool.publish(relays, signedEvent));
-        
         return signedEvent;
     }
 
+    /**
+     * Closes connections to the specified relays.
+     */
     close(relays: string[]) {
         this.pool.close(relays);
     }
-}
+}

package/src/mock-relay.ts

@@ -0,0 +1,51 @@
+import { WebSocketServer, WebSocket } from 'ws';
+
+export class MockRelay {
+    private wss: WebSocketServer;
+    private events: any[] = [];
+
+    constructor(port: number = 8080) {
+        this.wss = new WebSocketServer({ port });
+        this.wss.on('connection', (ws: WebSocket) => {
+            ws.on('message', (data: string) => {
+                const msg = JSON.parse(data);
+                const type = msg[0];
+
+                if (type === 'EVENT') {
+                    const event = msg[1];
+                    // Basic replaceable logic for test consistency
+                    if (event.kind === 30058 || event.kind === 10002) {
+                        const dTag = event.tags.find((t: any) => t[0] === 'd')?.[1] || "";
+                        this.events = this.events.filter(e => 
+                            !(e.pubkey === event.pubkey && e.kind === event.kind && (e.tags.find((t: any) => t[0] === 'd')?.[1] || "") === dTag)
+                        );
+                    }
+                    this.events.push(event);
+                    ws.send(JSON.stringify(["OK", event.id, true, ""]));
+                } else if (type === 'REQ') {
+                    const subId = msg[1];
+                    const filters = msg[2];
+                    
+                    this.events.forEach(event => {
+                        let match = true;
+                        if (filters.authors && !filters.authors.includes(event.pubkey)) match = false;
+                        if (filters.kinds && !filters.kinds.includes(event.kind)) match = false;
+                        if (filters['#d']) {
+                            const dTag = event.tags.find((t: any) => t[0] === 'd')?.[1];
+                            if (!filters['#d'].includes(dTag)) match = false;
+                        }
+                        
+                        if (match) {
+                            ws.send(JSON.stringify(["EVENT", subId, event]));
+                        }
+                    });
+                    ws.send(JSON.stringify(["EOSE", subId]));
+                }
+            });
+        });
+    }
+
+    stop() {
+        this.wss.close();
+    }
+}

package/src/test.ts

@@ -1,10 +1,14 @@
 import { NCC05Publisher, NCC05Resolver, NCC05Payload, NCC05Group } from './index.js';
-import { generateSecretKey, getPublicKey } from 'nostr-tools';
+import { generateSecretKey, getPublicKey, nip19 } from 'nostr-tools';
+import { MockRelay } from './mock-relay.js';
 
 async function test() {
+    console.log('Starting Mock Relay...');
+    const relay = new MockRelay(8080);
+    const relays = ['ws://localhost:8080'];
+
     const sk = generateSecretKey();
     const pk = getPublicKey(sk);
-    const relays = ['wss://relay.damus.io'];
 
     const publisher = new NCC05Publisher();
     const resolver = new NCC05Resolver({ bootstrapRelays: relays });
@@ -28,7 +32,8 @@ async function test() {
     if (resolved) {
         console.log('Successfully resolved:', JSON.stringify(resolved, null, 2));
     } else {
-        console.log('Failed to resolve.');
+        console.error('FAILED: resolution.');
+        process.exit(1);
     }
 
     // Test Strict Mode with Expired Record
@@ -39,7 +44,7 @@ async function test() {
         updated_at: Math.floor(Date.now() / 1000) - 10, // 10s ago
         endpoints: [{ type: 'tcp', uri: '1.1.1.1:1', priority: 1, family: 'ipv4' }]
     };
-    await publisher.publish(relays, sk, expiredPayload, 'expired-test');
+    await publisher.publish(relays, sk, expiredPayload, { identifier: 'expired-test' });
     const strictResult = await resolver.resolve(pk, sk, 'expired-test', { strict: true });
     
     if (strictResult === null) {
@@ -51,8 +56,6 @@ async function test() {
 
     // Test Gossip Mode
     console.log('Testing Gossip discovery...');
-    // In this test, we just point kind:10002 to the same relay we are using
-    // to verify the code path executes.
     const relayListTemplate = {
         kind: 10002,
         created_at: Math.floor(Date.now() / 1000),
@@ -60,6 +63,7 @@ async function test() {
         content: '',
     };
     const signedRL = (await import('nostr-tools')).finalizeEvent(relayListTemplate, sk);
+    // @ts-ignore
     await Promise.all(publisher['pool'].publish(relays, signedRL));
     
     const gossipResult = await resolver.resolve(pk, sk, 'addr', { gossip: true });
@@ -72,7 +76,7 @@ async function test() {
 
     // Test npub resolution
     console.log('Testing npub resolution...');
-    const npub = (await import('nostr-tools')).nip19.npubEncode(pk);
+    const npub = nip19.npubEncode(pk);
     const npubResult = await resolver.resolve(npub, sk);
     if (npubResult) {
         console.log('npub resolution successful.');
@@ -95,7 +99,17 @@ async function test() {
 
     // User A publishes for User B
     console.log('User A publishing for User B...');
-    await publisher.publish(relays, skA, payloadFriend, 'friend-test', pkB);
+    await publisher.publish(relays, skA, payloadFriend, { identifier: 'friend-test', recipientPubkey: pkB });
+
+    // User B resolves User A's record
+    console.log('User B resolving User A...');
+    const friendResult = await resolver.resolve(pkA, skB, 'friend-test');
+    if (friendResult && friendResult.endpoints[0].uri === 'friend:7777') {
+        console.log('Friend-to-Friend resolution successful.');
+    } else {
+        console.error('FAILED: Friend-to-Friend resolution.');
+        process.exit(1);
+    }
 
     // Test Group Resolution Utility
     console.log('Testing NCC05Group utility...');
@@ -106,7 +120,7 @@ async function test() {
     };
 
     console.log('Publishing as Group...');
-    await publisher.publish(relays, groupIdentity.sk, payloadGroup, 'group-test');
+    await publisher.publish(relays, groupIdentity.sk, payloadGroup, { identifier: 'group-test' });
 
     console.log('Resolving as Group Member...');
     const groupResult = await NCC05Group.resolveAsGroup(resolver, groupIdentity.pk, groupIdentity.sk, 'group-test');
@@ -117,8 +131,40 @@ async function test() {
         process.exit(1);
     }
 
+    // Test Group Wrapping (Multi-Recipient)
+    console.log('Testing Group Wrapping (Multi-Recipient)...');
+    const skAlice = generateSecretKey();
+    const pkAlice = getPublicKey(skAlice);
+    const skBob = generateSecretKey();
+    const pkBob = getPublicKey(skBob);
+    const skCharlie = generateSecretKey();
+    const pkCharlie = getPublicKey(skCharlie);
+
+    const payloadWrap: NCC05Payload = {
+        v: 1, ttl: 60, updated_at: Math.floor(Date.now() / 1000),
+        endpoints: [{ type: 'tcp', uri: 'multi-recipient:9999', priority: 1, family: 'ipv4' }]
+    };
+
+    console.log('Alice publishing wrapped record for Bob and Charlie...');
+    await publisher.publishWrapped(relays, skAlice, [pkBob, pkCharlie], payloadWrap, 'wrap-test');
+
+    console.log('Bob resolving Alice...');
+    const bobResult = await resolver.resolve(pkAlice, skBob, 'wrap-test');
+    
+    console.log('Charlie resolving Alice...');
+    const charlieResult = await resolver.resolve(pkAlice, skCharlie, 'wrap-test');
+
+    if (bobResult && charlieResult && bobResult.endpoints[0].uri === 'multi-recipient:9999') {
+        console.log('Group Wrapping successful! Both recipients resolved Alice.');
+    } else {
+        console.error('FAILED: Group Wrapping resolution.');
+        process.exit(1);
+    }
+
     publisher.close(relays);
     resolver.close();
+    relay.stop();
+    console.log('Local Mock Test Suite Passed.');
     process.exit(0);
 }