7.0.0

.gitea/workflows/default_nottags.yaml

@@ -0,0 +1,66 @@
+name: Default (not tags)
+
+on:
+  push:
+    tags-ignore:
+      - '**'
+
+env:
+  IMAGE: code.foss.global/host.today/ht-docker-node:npmci
+  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@/${{gitea.repository}}.git
+  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
+  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
+  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
+  NPMCI_URL_CLOUDLY: ${{secrets.NPMCI_URL_CLOUDLY}}
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install pnpm and npmci
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+
+      - name: Run npm prepare
+        run: npmci npm prepare
+
+      - name: Audit production dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --prod
+        continue-on-error: true
+
+      - name: Audit development dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --dev
+        continue-on-error: true
+
+  test:
+    if: ${{ always() }}
+    needs: security
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Test stable
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm test
+
+      - name: Test build
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm build

.gitea/workflows/default_tags.yaml

@@ -0,0 +1,124 @@
+name: Default (tags)
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  IMAGE: code.foss.global/host.today/ht-docker-node:npmci
+  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@/${{gitea.repository}}.git
+  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
+  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
+  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
+  NPMCI_URL_CLOUDLY: ${{secrets.NPMCI_URL_CLOUDLY}}
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Audit production dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --prod
+        continue-on-error: true
+
+      - name: Audit development dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --dev
+        continue-on-error: true
+
+  test:
+    if: ${{ always() }}
+    needs: security
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Test stable
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm test
+
+      - name: Test build
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm build
+
+  release:
+    needs: test
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Release
+        run: |
+          npmci node install stable
+          npmci npm publish
+
+  metadata:
+    needs: test
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Code quality
+        run: |
+          npmci command npm install -g typescript
+          npmci npm install
+
+      - name: Trigger
+        run: npmci trigger
+
+      - name: Build docs and upload artifacts
+        run: |
+          npmci node install stable
+          npmci npm install
+          pnpm install -g @git.zone/tsdoc
+          npmci command tsdoc
+        continue-on-error: true

.gitignore

@@ -1,5 +1,19 @@
-node_modules/
+.nogit/
+
+# artifacts
 coverage/
 public/
-pages/
+
-.nogit/
+# installs
+node_modules/
+
+# caches
+.yarn/
+.cache/
+.rpt2_cache
+
+# builds
+dist/
+dist_*/
+
+#------# custom

.gitlab-ci.yml

@@ -1,71 +0,0 @@
-# gitzone standard
-image: hosttoday/ht-docker-node:npmci
-
-cache:
-  paths:
-  - .yarn/
-  key: "$CI_BUILD_STAGE"
-
-stages:
-- test
-- release
-- trigger
-- pages
-
-testLEGACY:
-  stage: test
-  script:
-    - npmci test legacy
-  coverage: /\d+.?\d+?\%\s*coverage/
-  tags:
-    - docker
-  allow_failure: true
-
-testLTS:
-  stage: test
-  script:
-    - npmci test lts
-  coverage: /\d+.?\d+?\%\s*coverage/
-  tags:
-    - docker
-    
-testSTABLE:
-  stage: test
-  script:
-    - npmci test stable
-  coverage: /\d+.?\d+?\%\s*coverage/
-  tags:
-    - docker
-
-release:
-  stage: release
-  script:
-    - npmci publish
-  only:
-    - tags
-  tags:
-    - docker
-
-trigger:
-  stage: trigger
-  script:
-    - npmci trigger
-  only:
-    - tags
-  tags:
-    - docker
-
-pages:
-  image: hosttoday/ht-docker-node:npmci
-  stage: pages
-  script:
-    - npmci command yarn global add npmpage
-    - npmci command npmpage
-  tags:
-    - docker
-  only:
-    - tags
-  artifacts:
-    expire_in: 1 week
-    paths:
-    - public

.vscode/launch.json

@@ -0,0 +1,11 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "command": "npm test",
+      "name": "Run npm test",
+      "request": "launch",
+      "type": "node-terminal"
+    }
+  ]
+}

.vscode/settings.json

@@ -0,0 +1,26 @@
+{
+  "json.schemas": [
+    {
+      "fileMatch": ["/npmextra.json"],
+      "schema": {
+        "type": "object",
+        "properties": {
+          "npmci": {
+            "type": "object",
+            "description": "settings for npmci"
+          },
+          "gitzone": {
+            "type": "object",
+            "description": "settings for gitzone",
+            "properties": {
+              "projectType": {
+                "type": "string",
+                "enum": ["website", "element", "service", "npm", "wcc"]
+              }
+            }
+          }
+        }
+      }
+    }
+  ]
+}

README.md

@@ -1,29 +0,0 @@
-# smartacme
-acme implementation in TypeScript
-
-## Availabililty
-[![npm](https://umbrellazone.gitlab.io/assets/repo-button-npm.svg)](https://www.npmjs.com/package/smartacme)
-[![git](https://umbrellazone.gitlab.io/assets/repo-button-git.svg)](https://GitLab.com/umbrellazone/smartacme)
-[![git](https://umbrellazone.gitlab.io/assets/repo-button-mirror.svg)](https://github.com/umbrellazone/smartacme)
-[![docs](https://umbrellazone.gitlab.io/assets/repo-button-docs.svg)](https://umbrellazone.gitlab.io/smartacme/)
-
-## Status for master
-[![build status](https://GitLab.com/umbrellazone/smartacme/badges/master/build.svg)](https://GitLab.com/umbrellazone/smartacme/commits/master)
-[![coverage report](https://GitLab.com/umbrellazone/smartacme/badges/master/coverage.svg)](https://GitLab.com/umbrellazone/smartacme/commits/master)
-[![npm downloads per month](https://img.shields.io/npm/dm/smartacme.svg)](https://www.npmjs.com/package/smartacme)
-[![Dependency Status](https://david-dm.org/umbrellazone/smartacme.svg)](https://david-dm.org/umbrellazone/smartacme)
-[![bitHound Dependencies](https://www.bithound.io/github/umbrellazone/smartacme/badges/dependencies.svg)](https://www.bithound.io/github/umbrellazone/smartacme/master/dependencies/npm)
-[![bitHound Code](https://www.bithound.io/github/umbrellazone/smartacme/badges/code.svg)](https://www.bithound.io/github/umbrellazone/smartacme)
-[![TypeScript](https://img.shields.io/badge/TypeScript-2.x-blue.svg)](https://nodejs.org/dist/latest-v6.x/docs/api/)
-[![node](https://img.shields.io/badge/node->=%206.x.x-blue.svg)](https://nodejs.org/dist/latest-v6.x/docs/api/)
-[![JavaScript Style Guide](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)
-
-## Usage
-Use TypeScript for best in class instellisense.
-
-For further information read the linked docs at the top of this README.
-
-> MIT licensed | **©** [Lossless GmbH](https://lossless.gmbh)
-| By using this npm module you agree to our [privacy policy](https://lossless.gmbH/privacy.html)
-
-[![repo-footer](https://umbrellazone.gitlab.io/assets/repo-footer.svg)](https://umbrella.zone)

changelog.md

@@ -0,0 +1,181 @@
+# Changelog
+
+## 2025-04-30 - 7.0.0 - BREAKING CHANGE(SmartAcme (Cert Management))
+Refactor certificate management and challenge handling API to use a unified certManager interface, remove legacy storage, and update challenge workflows.
+
+- Introduce ICertManager interface with MemoryCertManager and MongoCertManager implementations.
+- Remove the legacy SmartacmeCertManager and update SmartAcme to require a certManager option instead of mongoDescriptor.
+- Adjust certificate renewal logic to delete and store certificates through the new certManager API.
+- Refine DNS-01 challenge handling by removing in-handler DNS propagation waiting and relying on external checks.
+- Increase retry settings for robustness during challenge verification and certificate issuance.
+- Update integration and unit tests to use the new certManager configuration.
+
+## 2025-04-30 - 6.2.0 - feat(handlers)
+Add in-memory HTTP-01 challenge handler and rename file-based handler to Http01Webroot
+
+- Renamed Http01Handler to Http01Webroot in both implementation and documentation
+- Introduced Http01MemoryHandler for diskless HTTP-01 challenges
+- Updated tests and README examples to reflect handler name changes and new feature
+
+## 2025-04-30 - 6.1.3 - fix(Dns01Handler)
+Update dependency versions and refine Dns01Handler implementation
+
+- Bump '@apiclient.xyz/cloudflare' to ^6.4.1 and '@tsclass/tsclass' to ^9.1.0 in package.json
+- Remove duplicate Cloudflare import in smartacme.plugins.ts
+- Refactor Dns01Handler to use IConvenientDnsProvider and add checkWetherDomainIsSupported method
+- Align devDependencies versions for improved consistency
+
+## 2025-04-27 - 6.1.2 - fix(repo)
+Update repository metadata by replacing the LICENSE file with a license.md file for improved consistency.
+
+- Removed the old LICENSE file.
+- Introduced license.md as the new license documentation file.
+
+## 2025-04-27 - 6.1.1 - fix(readme)
+Fix license link reference in documentation
+
+- Updated the license link from [license](license) to [license.md](license.md) in the License and Legal Information section
+
+## 2025-04-27 - 6.1.0 - feat(readme)
+Update documentation with detailed built-in challenge handlers and custom handler examples
+
+- Expanded readme to include sections on Dns01Handler and Http01Handler usage
+- Added examples for creating and registering custom ACME challenge handlers
+- Improved clarity of ACME certificate management instructions using SmartAcme
+
+## 2025-04-27 - 6.0.1 - fix(readme)
+Remove extraneous code fence markers from license section in readme
+
+- Removed unnecessary triple backticks wrapping the license information
+- Improved clarity of the license section in the documentation
+
+## 2025-04-27 - 6.0.0 - BREAKING CHANGE(SmartAcme)
+Refactor challenge handling by removing legacy setChallenge/removeChallenge in favor of pluggable challengeHandlers and update documentation and tests accordingly
+
+- Removed legacy challenge methods and introduced new 'challengeHandlers' and 'challengePriority' options
+- Updated readme examples to demonstrate usage with DNS-01 (and HTTP-01) handlers
+- Refactored internal SmartAcme flow to select and process challenges via the new handler interface
+- Adjusted tests (including integration tests) to align with the updated challenge handling mechanism
+
+## 2025-04-27 - 5.1.0 - feat(smartacme)
+Implement exponential backoff retry logic and graceful shutdown handling in SmartAcme; update acme-client dependency to v5.4.0
+
+- Added retry helper with exponential backoff for ACME client operations
+- Introduced retryOptions in ISmartAcmeOptions for configurable retry parameters
+- Enhanced graceful shutdown handling by cleaning up pending DNS challenges on signal
+- Updated acme-client dependency from v4.2.5 to v5.4.0
+
+## 2025-04-26 - 5.0.1 - fix(build)
+Update CI workflows, bump dependency versions, and refine import and TypeScript configuration
+
+- Changed CI workflow image and npmci package from '@shipzone/npmci' to '@ship.zone/npmci', and updated repository URLs
+- Bumped several dependency versions in package.json (e.g. @api.global/typedserver, @push.rocks/lik, @push.rocks/smartdata, @push.rocks/smartdns, @tsclass/tsclass) to newer releases
+- Adjusted smartdns import to use the smartdnsClient module for proper module resolution
+- Updated tsconfig.json to add emitDecoratorMetadata and baseUrl settings
+- Minor markdown and formatting tweaks in readme and gitignore files, and slight improvements in test async handling
+
+## 2024-06-16 - 5.0.0 - No significant changes  
+This release contains no user‑facing changes.
+
+## 2024-06-16 - 4.0.8 - Structure and configuration updates  
+- BREAKING CHANGE(structure): renamed classes to avoid confusion  
+- update description  
+- update tsconfig  
+- update npmextra.json: githost
+
+## 2024-01-28 - 4.0.7–4.0.6 - Internal fixes and updates  
+- A series of releases with routine bug fixes and maintenance updates.
+
+## 2023-07-21 - 4.0.5–4.0.4 - Internal fixes and updates  
+- Multiple releases addressing internal issues and maintenance improvements.
+
+## 2023-07-10 - 4.0.3 - Organizational changes  
+- switch to new org scheme
+
+## 2022-09-27 - 4.0.0–4.0.2 - Internal fixes and updates  
+- Routine maintenance and internal bug fixes.
+
+## 2022-09-27 - 3.0.15 - Breaking changes  
+- BREAKING CHANGE(core): update
+
+## 2021-01-22 - 3.0.9–3.0.14 - Internal fixes and updates  
+- A range of releases focused on routine internal updates.
+
+## 2020-11-18 - 3.0.0–3.0.8 - Internal fixes and updates  
+- Routine maintenance and internal bug fixes.
+
+## 2020-02-10 - 2.1.2 - Breaking changes  
+- BREAKING CHANGE(core): streamline scope to certificate retrieval using dns challenge
+
+## 2020-02-10 - 2.1.0–2.1.1 - Internal fixes and updates  
+- Routine fixes and updates.
+
+## 2019-02-06 - 2.0.36 - New feature  
+- feat(Cert): now has validity check
+
+## 2019-01-18 - 2.0.2–2.0.35 - Internal fixes and updates  
+- Routine internal updates and maintenance.
+
+## 2018-10-07 - 2.0.0–2.0.1 - Internal fixes and updates  
+- Routine internal updates and maintenance.
+
+## 2018-10-07 - 1.1.4 - Breaking changes  
+- BREAKING CHANGE(scope): change to @pushrocks
+
+## 2018-08-12 - 1.1.1 - NPM publishing fix  
+- fix(npm publishing): update
+
+## 2018-08-11 - 1.1.0 - Certificate issuance update  
+- fix(core): now creating certs all right
+
+## 2018-08-11 - 1.0.11 - Feature update  
+- feat(swaitch to acme-v2): switch to letsencrypt v2
+
+## 2017-04-28 - 1.0.10 - CI improvements  
+- add updated ci config
+
+## 2017-04-28 - 1.0.9 - Standards update  
+- update to latest standards
+
+## 2017-01-27 - 1.0.8 - Basic functionality  
+- basic functionality
+
+## 2017-01-25 - 1.0.7 - Response and validation improvements  
+- now getting a valid response  
+- update validation  
+- improve README
+
+## 2017-01-15 - 1.0.6 - Async and documentation improvements  
+- improve README  
+- add async checkDNS
+
+## 2017-01-15 - 1.0.5 - Standards and process updates  
+- update to new standards  
+- now has working requestValidation method  
+- fix som things  
+- start better segregation of concerns  
+- start with certificate signing process
+
+## 2017-01-01 - 1.0.4 - Certificate acquisition improvements  
+- now getting certificates  
+- can now agree to TOS  
+- remove test keys
+
+## 2017-01-01 - 1.0.3 - NPM extra configuration  
+- add npmextra.json
+
+## 2017-01-01 - 1.0.2 - README and integration update  
+- add better readme  
+- switch to rawacme for more basic letsencrypt access
+
+## 2016-11-17 - 1.0.1 - Promise fix  
+- fix promise
+
+## 2016-11-17 - 1.0.0 - Major initial release changes  
+- remove superflouous key creation  
+- switch to acme core  
+- prepare switch to le‑acme‑core  
+- improve upon keyCreation  
+- update to use more promises  
+- add README  
+- first version

docs/index.md

@@ -1,59 +0,0 @@
-# smartacme
-acme implementation in TypeScript
-
-## Availabililty
-[![npm](https://umbrellazone.gitlab.io/assets/repo-button-npm.svg)](https://www.npmjs.com/package/smartacme)
-[![git](https://umbrellazone.gitlab.io/assets/repo-button-git.svg)](https://GitLab.com/umbrellazone/smartacme)
-[![git](https://umbrellazone.gitlab.io/assets/repo-button-mirror.svg)](https://github.com/umbrellazone/smartacme)
-[![docs](https://umbrellazone.gitlab.io/assets/repo-button-docs.svg)](https://umbrellazone.gitlab.io/smartacme/)
-
-## Status for master
-[![build status](https://GitLab.com/umbrellazone/smartacme/badges/master/build.svg)](https://GitLab.com/umbrellazone/smartacme/commits/master)
-[![coverage report](https://GitLab.com/umbrellazone/smartacme/badges/master/coverage.svg)](https://GitLab.com/umbrellazone/smartacme/commits/master)
-[![npm downloads per month](https://img.shields.io/npm/dm/smartacme.svg)](https://www.npmjs.com/package/smartacme)
-[![Dependency Status](https://david-dm.org/umbrellazone/smartacme.svg)](https://david-dm.org/umbrellazone/smartacme)
-[![bitHound Dependencies](https://www.bithound.io/github/umbrellazone/smartacme/badges/dependencies.svg)](https://www.bithound.io/github/umbrellazone/smartacme/master/dependencies/npm)
-[![bitHound Code](https://www.bithound.io/github/umbrellazone/smartacme/badges/code.svg)](https://www.bithound.io/github/umbrellazone/smartacme)
-[![TypeScript](https://img.shields.io/badge/TypeScript-2.x-blue.svg)](https://nodejs.org/dist/latest-v6.x/docs/api/)
-[![node](https://img.shields.io/badge/node->=%206.x.x-blue.svg)](https://nodejs.org/dist/latest-v6.x/docs/api/)
-[![JavaScript Style Guide](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)
-
-## Usage
-Use TypeScript for best in class instellisense.
-
-```javascript
-import { SmartAcme } from 'smartacme'
-
-let smac = new SmartAcme()
-
-(async () => { // learn async/await, it'll make your life easier
-
-    // optionally accepts a filePath Arg with a stored acmeaccount.json
-    // will create an account and 
-    let myAccount = await smac.createAcmeAccount()
-    
-    // will return a dnsHash to set in your DNS record
-    let myCert = await myAccount.createAcmeCert('example.com')
-
-    // gets and accepts the specified challenge
-    // first argument optional, defaults to dns-01 (which is the cleanest method for production use)
-    let myChallenge = await myCert.getChallenge('dns-01')
-
-    /* ----------
-    Now you need to set the challenge in your DNS
-    myChallenge.domainNamePrefixed is the address for the record
-    myChallenge.dnsKeyHash is the ready to use txt record value expected by letsencrypt
-    -------------*/
-})()
-```
-
-## Other relevant npm modules
-module name | description
---- | ---
-cert | a higlevel production module that uses smartacme to manage certs
-smartnginx | a highlevel production tool for docker environments to manage nginx 
-
-> MIT licensed | **©** [Lossless GmbH](https://lossless.gmbh)
-| By using this npm module you agree to our [privacy policy](https://lossless.gmbH/privacy.html)
-
-[![repo-footer](https://umbrellazone.gitlab.io/assets/repo-footer.svg)](https://umbrella.zone

license.md

@@ -1,4 +1,4 @@
-Copyright (C) 2016, Lossless GmbH
+Copyright (C) 2016, Task Venture Capital GmbH
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

npmextra.json

@@ -1,7 +1,38 @@
 {
-    "npmci": {
+  "gitzone": {
-        "globalNpmTools": [
+    "projectType": "npm",
-            "npmts"
+    "module": {
+      "githost": "code.foss.global",
+      "gitscope": "push.rocks",
+      "gitrepo": "smartacme",
+      "description": "A TypeScript-based ACME client for LetsEncrypt certificate management with a focus on simplicity and power.",
+      "npmPackagename": "@push.rocks/smartacme",
+      "license": "MIT",
+      "projectDomain": "push.rocks",
+      "keywords": [
+        "ACME",
+        "LetsEncrypt",
+        "TypeScript",
+        "certificate management",
+        "DNS challenges",
+        "SSL/TLS",
+        "secure communication",
+        "domain validation",
+        "automation",
+        "crypto",
+        "MongoDB",
+        "dns-01 challenge",
+        "token-based challenges",
+        "certificate renewal",
+        "wildcard certificates"
       ]
     }
+  },
+  "npmci": {
+    "npmGlobalTools": [],
+    "npmAccessLevel": "public"
+  },
+  "tsdoc": {
+    "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+  }
 }

package.json

@@ -1,39 +1,84 @@
 {
-  "name": "smartacme",
+  "name": "@push.rocks/smartacme",
-  "version": "1.1.0",
+  "version": "7.0.0",
-  "description": "acme implementation in TypeScript",
+  "private": false,
-  "main": "dist/index.js",
+  "description": "A TypeScript-based ACME client for LetsEncrypt certificate management with a focus on simplicity and power.",
-  "typings": "dist/index.d.ts",
+  "main": "dist_ts/index.js",
+  "typings": "dist_ts/index.d.ts",
+  "type": "module",
   "scripts": {
-    "test": "(tstest test/)"
+    "test": "(tstest test/)",
+    "build": "(tsbuild --web --allowimplicitany)",
+    "buildDocs": "tsdoc"
   },
   "repository": {
     "type": "git",
-    "url": "git+ssh://git@gitlab.com/umbrellazone/smartacme.git"
+    "url": "https://code.foss.global/push.rocks/smartacme.git"
   },
   "keywords": [
+    "ACME",
+    "LetsEncrypt",
     "TypeScript",
-    "acme",
+    "certificate management",
-    "letsencrypt"
+    "DNS challenges",
+    "SSL/TLS",
+    "secure communication",
+    "domain validation",
+    "automation",
+    "crypto",
+    "MongoDB",
+    "dns-01 challenge",
+    "token-based challenges",
+    "certificate renewal",
+    "wildcard certificates"
   ],
-  "author": "Lossless GmbH",
+  "author": "Task Venture Capital GmbH",
   "license": "MIT",
   "bugs": {
-    "url": "https://gitlab.com/umbrellazone/smartacme/issues"
+    "url": "https://code.foss.global/push.rocks/smartacme/issues"
   },
-  "homepage": "https://gitlab.com/umbrellazone/smartacme#README",
+  "homepage": "https://code.foss.global/push.rocks/smartacme#readme",
   "dependencies": {
-    "@pushrocks/smartpromise": "^2.0.5",
+    "@api.global/typedserver": "^3.0.74",
-    "acme-v2": "^1.2.0",
+    "@apiclient.xyz/cloudflare": "^6.4.1",
-    "rsa-compat": "^1.5.1"
+    "@push.rocks/lik": "^6.2.2",
+    "@push.rocks/smartdata": "^5.15.1",
+    "@push.rocks/smartdelay": "^3.0.5",
+    "@push.rocks/smartdns": "^6.2.2",
+    "@push.rocks/smartlog": "^3.0.7",
+    "@push.rocks/smartpromise": "^4.2.3",
+    "@push.rocks/smartrequest": "^2.1.0",
+    "@push.rocks/smartstring": "^4.0.15",
+    "@push.rocks/smarttime": "^4.1.1",
+    "@push.rocks/smartunique": "^3.0.9",
+    "@tsclass/tsclass": "^9.1.0",
+    "acme-client": "^5.4.0"
   },
   "devDependencies": {
-    "@gitzone/tsbuild": "^2.0.22",
+    "@git.zone/tsbuild": "^2.3.2",
-    "@gitzone/tsrun": "^1.1.12",
+    "@git.zone/tsrun": "^1.3.3",
-    "@gitzone/tstest": "^1.0.13",
+    "@git.zone/tstest": "^1.0.96",
-    "@types/node": "^10.5.8",
+    "@push.rocks/qenv": "^6.1.0",
-    "cflare": "^1.0.5",
+    "@push.rocks/tapbundle": "^6.0.0",
-    "qenv": "^1.1.7",
+    "@types/node": "^22.15.3"
-    "tapbundle": "^2.0.2"
+  },
+  "files": [
+    "ts/**/*",
+    "ts_web/**/*",
+    "dist/**/*",
+    "dist_*/**/*",
+    "dist_ts/**/*",
+    "dist_ts_web/**/*",
+    "assets/**/*",
+    "cli.js",
+    "npmextra.json",
+    "readme.md"
+  ],
+  "browserslist": [
+    "last 1 chrome versions"
+  ],
+  "packageManager": "pnpm@10.7.0+sha512.6b865ad4b62a1d9842b61d674a393903b871d9244954f652b8842c2b553c72176b278f64c463e52d40fff8aba385c235c8c9ecf5cc7de4fd78b8bb6d49633ab6",
+  "pnpm": {
+    "overrides": {}
   }
 }

qenv.yml

@@ -1,3 +1,5 @@
-vars:
+required:
-    - CF_EMAIL
+  - CF_TOKEN
-    - CF_KEY
+  - MONGODB_URL
+  - MONGODB_PASSWORD
+  - MONGODB_DATABASE

readme.hints.md

@@ -0,0 +1,2 @@
+ - this repo is dependent on letsencrypt and its limits
+ - to simpify the outside API, smartacme is stateful, meaning it works with a mongodb and a collection called 'SmartacmeCert'.

readme.md

@@ -0,0 +1,338 @@
+# @push.rocks/smartacme
+
+A TypeScript-based ACME client with an easy yet powerful interface for LetsEncrypt certificate management.
+
+## Install
+
+To install `@push.rocks/smartacme`, you can use npm or yarn. Run one of the following commands in your project directory:
+
+```bash
+npm install @push.rocks/smartacme --save
+```
+
+or
+
+```bash
+yarn add @push.rocks/smartacme
+```
+
+Make sure your project is set up to use TypeScript and supports ECMAScript Modules (ESM).
+
+## Usage
+
+This guide will walk you through using `@push.rocks/smartacme` to set up and manage ACME (Automated Certificate Management Environment) certificates with a focus on the Let's Encrypt service, which provides free SSL certificates. The library provides an easy yet powerful TypeScript interface to automate the process of obtaining, renewing, and installing your SSL certificates.
+
+### Table of Contents
+
+1. [Setting Up Your Project](#setting-up-your-project)
+2. [Creating a SmartAcme Instance](#creating-a-smartacme-instance)
+3. [Initializing SmartAcme](#initializing-smartacme)
+4. [Obtaining a Certificate for a Domain](#obtaining-a-certificate-for-a-domain)
+5. [Automating DNS Challenges](#automating-dns-challenges)
+6. [Managing Certificates](#managing-certificates)
+7. [Environmental Considerations](#environmental-considerations)
+8. [Complete Example](#complete-example)
+
+### Setting Up Your Project
+
+Ensure your project includes the necessary TypeScript configuration and dependencies. You'll need to have TypeScript installed and configured for ECMAScript Modules. If you are new to TypeScript, review its [documentation](https://www.typescriptlang.org/docs/) to get started.
+
+### Creating a SmartAcme Instance
+
+Start by importing the `SmartAcme` class and any built-in handlers you plan to use. For example, to use DNS-01 via Cloudflare:
+
+```typescript
+import { SmartAcme } from '@push.rocks/smartacme';
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+import { Dns01Handler } from '@push.rocks/smartacme/ts/handlers/Dns01Handler.js';
+
+// Create a Cloudflare account client with your API token
+const cfAccount = new cloudflare.CloudflareAccount('YOUR_CF_TOKEN');
+
+// Instantiate SmartAcme with one or more ACME challenge handlers
+const smartAcmeInstance = new SmartAcme({
+  accountEmail: 'youremail@example.com',
+  mongoDescriptor: {
+    mongoDbUrl: 'mongodb://yourmongoURL',
+    mongoDbName: 'yourDbName',
+    mongoDbPass: 'yourDbPassword',
+  },
+  environment: 'integration', // 'production' to request real certificates
+  retryOptions: {},         // optional retry/backoff settings
+  challengeHandlers: [
+    new Dns01Handler(cfAccount),
+    // you can add more handlers, e.g. Http01Webroot
+  ],
+  challengePriority: ['dns-01'], // optional ordering of challenge types
+});
+```
+
+### Initializing SmartAcme
+
+Before proceeding to request certificates, start your SmartAcme instance:
+
+```typescript
+await smartAcmeInstance.start();
+```
+
+### Obtaining a Certificate for a Domain
+
+To obtain a certificate for a specific domain, use the `getCertificateForDomain` method. This function ensures that if a valid certificate is already present, it will be reused; otherwise, a new certificate is obtained:
+
+```typescript
+const myDomain = 'example.com';
+const myCert = await smartAcmeInstance.getCertificateForDomain(myDomain);
+console.log('Certificate:', myCert);
+```
+
+### Automating DNS Challenges
+
+SmartAcme uses pluggable ACME challenge handlers (see built-in handlers below) to automate domain validation. You configure handlers via the `challengeHandlers` array when creating the instance, and SmartAcme will invoke each handler’s `prepare`, optional `verify`, and `cleanup` methods during the ACME order flow.
+
+### Managing Certificates
+
+The library automatically handles fetching, renewing, and storing your certificates in a MongoDB database specified in your configuration. Ensure your MongoDB instance is accessible and properly configured for use with SmartAcme.
+
+```typescript
+const mongoDescriptor = {
+  mongoDbUrl: 'mongodb://yourmongoURL',
+  mongoDbName: 'yourDbName',
+  mongoDbPass: 'yourDbPassword',
+};
+```
+
+### Environmental Considerations
+
+When creating an instance of `SmartAcme`, you can specify an `environment` option. This is particularly useful for testing, as you can use the `integration` environment to avoid hitting rate limits and for testing your setup without issuing real certificates. Switch to `production` when you are ready to obtain actual certificates.
+
+### Complete Example
+
+Below is a complete example demonstrating how to use `@push.rocks/smartacme` to obtain and manage an ACME certificate with Let's Encrypt using a DNS-01 handler:
+
+```typescript
+import { SmartAcme } from '@push.rocks/smartacme';
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+import { Qenv } from '@push.rocks/qenv';
+
+const qenv = new Qenv('./', './.nogit/');
+const cloudflareAccount = new cloudflare.CloudflareAccount(qenv.getEnvVarOnDemand('CF_TOKEN'));
+
+async function main() {
+  const smartAcmeInstance = new SmartAcme({
+    accountEmail: 'youremail@example.com',
+    mongoDescriptor: {
+      mongoDbUrl: qenv.getEnvVarRequired('MONGODB_URL'),
+      mongoDbName: qenv.getEnvVarRequired('MONGODB_DATABASE'),
+      mongoDbPass: qenv.getEnvVarRequired('MONGODB_PASSWORD'),
+    },
+    environment: 'integration',
+    challengeHandlers: [ new Dns01Handler(cloudflareAccount) ],
+  });
+
+  await smartAcmeInstance.start();
+
+  const myDomain = 'example.com';
+  const myCert = await smartAcmeInstance.getCertificateForDomain(myDomain);
+  console.log('Certificate:', myCert);
+
+  await smartAcmeInstance.stop();
+}
+
+ main().catch(console.error);
+ ```
+ 
+ ## Built-in Challenge Handlers
+ 
+ This module includes three out-of-the-box ACME challenge handlers:
+ 
+ - **Dns01Handler**
+   - Uses a Cloudflare account (from `@apiclient.xyz/cloudflare`) and Smartdns client to set and remove DNS TXT records, then wait for propagation.
+   - Import path:
+     ```typescript
+     import { Dns01Handler } from '@push.rocks/smartacme/ts/handlers/Dns01Handler.js';
+     ```
+   - Example:
+     ```typescript
+     import * as cloudflare from '@apiclient.xyz/cloudflare';
+     const cfAccount = new cloudflare.CloudflareAccount('CF_TOKEN');
+     const dnsHandler = new Dns01Handler(cfAccount);
+     ```
+ 
+ - **Http01Webroot**
+   - Writes ACME HTTP-01 challenge files under a file-system webroot (`/.well-known/acme-challenge/`), and removes them on cleanup.
+   - Import path:
+     ```typescript
+     import { Http01Webroot } from '@push.rocks/smartacme/ts/handlers/Http01Handler.js';
+     ```
+   - Example:
+     ```typescript
+     const httpHandler = new Http01Webroot({ webroot: '/var/www/html' });
+     ```
+ 
+ - **Http01MemoryHandler**
+   - In-memory HTTP-01 challenge handler that stores and serves ACME tokens without disk I/O.
+   - Import path:
+     ```typescript
+     import { Http01MemoryHandler } from '@push.rocks/smartacme/ts/handlers/Http01MemoryHandler.js';
+     ```
+   - Example (Express integration):
+     ```typescript
+     import { Http01MemoryHandler } from '@push.rocks/smartacme/ts/handlers/Http01MemoryHandler.js';
+     const memoryHandler = new Http01MemoryHandler();
+     app.use((req, res, next) => memoryHandler.handleRequest(req, res, next));
+     ```
+  
+ All handlers implement the `IChallengeHandler<T>` interface and can be combined in the `challengeHandlers` array.
+ 
+ ## Creating Custom Handlers
+ 
+ To support additional challenge types or custom validation flows, implement the `IChallengeHandler<T>` interface:
+ 
+ ```typescript
+ import type { IChallengeHandler } from '@push.rocks/smartacme/ts/handlers/IChallengeHandler.js';
+ 
+ // Define your custom challenge payload type
+ interface MyChallenge { type: string; /* ... */ }
+ 
+ class MyCustomHandler implements IChallengeHandler<MyChallenge> {
+   getSupportedTypes(): string[] {
+     return ['my-01'];
+   }
+ 
+   // Prepare the challenge (set DNS records, start servers, etc.)
+   async prepare(ch: MyChallenge): Promise<void> {
+     // preparation logic
+   }
+ 
+   // Optional verify step after prepare
+   async verify?(ch: MyChallenge): Promise<void> {
+     // verification logic
+   }
+ 
+   // Cleanup after challenge (remove records, stop servers)
+   async cleanup(ch: MyChallenge): Promise<void> {
+     // cleanup logic
+   }
+ }
+ 
+ // Then register your handler:
+ const customInstance = new SmartAcme({
+   /* other options */, 
+   challengeHandlers: [ new MyCustomHandler() ],
+   challengePriority: ['my-01'],
+ });
+
+In this example, `Qenv` is used to manage environment variables, and `cloudflare` library is used to handle DNS challenges required by Let's Encrypt ACME protocol. The `setChallenge` and `removeChallenge` methods are essential for automating the DNS challenge process, which is a key part of domain validation.
+
+## Additional Details
+
+### Certificate Object
+
+The certificate object obtained from the `getCertificateForDomain` method has the following properties:
+
+- `id`: Unique identifier for the certificate.
+- `domainName`: The domain name for which the certificate is issued.
+- `created`: Timestamp of when the certificate was created.
+- `privateKey`: The private key associated with the certificate.
+- `publicKey`: The public key or certificate itself.
+- `csr`: Certificate Signing Request (CSR) used to obtain the certificate.
+- `validUntil`: Timestamp indicating the expiration date of the certificate.
+
+### Methods Summary
+
+- **start()**: Initializes the SmartAcme instance, sets up the ACME client, and registers the account with Let's Encrypt.
+- **stop()**: Closes the MongoDB connection and performs any necessary cleanup.
+- **getCertificateForDomain(domainArg: string)**: Retrieves or obtains a certificate for the specified domain name. If a valid certificate exists in the database, it is returned. Otherwise, a new certificate is requested and stored.
+- **setChallenge(dnsChallenge: any)**: Automates the process of setting DNS challenge records.
+- **removeChallenge(dnsChallenge: any)**: Automates the process of removing DNS challenge records.
+
+### Handling Domain Matching
+
+The `SmartacmeCertMatcher` class is responsible for matching certificates with the broadest scope for wildcard certificates. The `getCertificateDomainNameByDomainName` method ensures that domains at various levels are correctly matched.
+
+```typescript
+import { SmartacmeCertMatcher } from '@push.rocks/smartacme';
+
+const certMatcher = new SmartacmeCertMatcher();
+const certDomainName = certMatcher.getCertificateDomainNameByDomainName('subdomain.example.com');
+console.log('Certificate Domain Name:', certDomainName); // Output: example.com
+```
+
+### Testing
+
+Automated tests can be added to ensure that the setup and functions work as expected. Using a testing framework such as `tap` and mock services for DNS providers (e.g., Cloudflare), you can simulate the process of obtaining and managing certificates without the need for actual domain ownership.
+
+```typescript
+import { tap, expect } from '@push.rocks/tapbundle';
+import { Qenv } from '@push.rocks/qenv';
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+import * as smartacme from '@push.rocks/smartacme';
+
+const testQenv = new Qenv('./', './.nogit/');
+const testCloudflare = new cloudflare.CloudflareAccount(testQenv.getEnvVarOnDemand('CF_TOKEN'));
+
+let smartAcmeInstance: smartacme.SmartAcme;
+
+tap.test('should create a valid instance of SmartAcme', async () => {
+  smartAcmeInstance = new smartacme.SmartAcme({
+    accountEmail: 'domains@lossless.org',
+    accountPrivateKey: null,
+    mongoDescriptor: {
+      mongoDbName: testQenv.getEnvVarRequired('MONGODB_DATABASE'),
+      mongoDbPass: testQenv.getEnvVarRequired('MONGODB_PASSWORD'),
+      mongoDbUrl: testQenv.getEnvVarRequired('MONGODB_URL'),
+    },
+    setChallenge: async (dnsChallenge) => {
+      await testCloudflare.convenience.acmeSetDnsChallenge(dnsChallenge);
+    },
+    removeChallenge: async (dnsChallenge) => {
+      await testCloudflare.convenience.acmeRemoveDnsChallenge(dnsChallenge);
+    },
+    environment: 'integration',
+  });
+  await smartAcmeInstance.init();
+  expect(smartAcmeInstance).toBeInstanceOf(smartacme.SmartAcme);
+});
+
+tap.test('should get a domain certificate', async () => {
+  const certificate = await smartAcmeInstance.getCertificateForDomain('example.com');
+  console.log('Certificate:', certificate);
+  expect(certificate).toHaveProperty('domainName', 'example.com');
+});
+
+tap.test('certmatcher should correctly match domains', async () => {
+  const certMatcher = new smartacme.SmartacmeCertMatcher();
+  const matchedCert = certMatcher.getCertificateDomainNameByDomainName('subdomain.example.com');
+  expect(matchedCert).toBe('example.com');
+});
+
+tap.test('should stop correctly', async () => {
+  await smartAcmeInstance.stop();
+  expect(smartAcmeInstance).toHaveProperty('client', null);
+});
+
+tap.start();
+```
+
+This comprehensive guide ensures you can set up, manage, and test ACME certificates efficiently and effectively using `@push.rocks/smartacme`.
+
+---
+
+## License and Legal Information
+
+This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license.md](license.md) file within this repository.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
+
+### Company Information
+
+Task Venture Capital GmbH
+Registered at District court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

readme.plan.md

@@ -0,0 +1,44 @@
+# Plan: Diskless HTTP-01 Handler and Renaming Existing Handler
+
+This plan outlines steps to rename the existing filesystem-based HTTP-01 handler to `Http01Webroot`
+and introduce a new diskless (in-memory) HTTP-01 handler for integration with arbitrary HTTP servers
+(e.g., Express).
+
+## 1. Rename existing handler to Http01Webroot
+- In `ts/handlers/Http01Handler.ts`:
+  - Rename `Http01HandlerOptions` to `Http01WebrootOptions`.
+  - Rename class `Http01Handler` to `Http01Webroot`.
+  - Remove the legacy alias; rename the handler directly.
+  - In `ts/handlers/index.ts`:
+    - Export `Http01Webroot` under its new name.
+    - Remove any `Http01Handler` export.
+    - Update existing tests (e.g., `test.handlers-http01.ts`) to import `Http01Webroot` instead of `Http01Handler`.
+
+## 2. Add new diskless (in-memory) HTTP-01 handler
+- Create `ts/handlers/Http01MemoryHandler.ts`:
+  - Implement `IChallengeHandler<{ token: string; keyAuthorization: string; webPath: string }>`, storing challenges in a private `Map<string, string>`.
+  - `prepare()`: add token→keyAuthorization mapping.
+  - `verify()`: no-op.
+  - `cleanup()`: remove mapping.
+  - Add `handleRequest(req, res, next?)` method:
+    - Parse `/.well-known/acme-challenge/:token` from `req.url`.
+    - If token exists, respond with the key authorization and status 200.
+    - If missing and `next` provided, call `next()`, otherwise respond 404.
+- Export `Http01MemoryHandler` in `ts/handlers/index.ts`.
+
+## 3. Write tests for Http01MemoryHandler
+- Create `test/test.handlers-http01-memory.ts`:
+  - Use `tap` and `expect` to:
+    1. `prepare()` a challenge.
+    2. Invoke `handleRequest()` with a fake `req`/`res` to confirm 200 and correct body.
+    3. `cleanup()` the challenge.
+    4. Confirm `handleRequest()` now yields 404.
+
+## 4. Update documentation
+- Add examples in `readme.md` showing how to use both `Http01Webroot` and the new `Http01MemoryHandler`:
+  - Sample code for Express integration using `handleRequest`.
+
+## 5. Build and test
+- Run `pnpm build` and `pnpm test`, ensuring existing tests are updated for `Http01Webroot` and new tests pass.
+
+Please review and let me know if this plan makes sense before proceeding with implementation.

test/test.certmatcher.ts

@@ -0,0 +1,21 @@
+import { tap, expect } from '@push.rocks/tapbundle';
+import { SmartacmeCertMatcher } from '../ts/smartacme.classes.certmatcher.js';
+
+tap.test('should match 2-level domain', async () => {
+  const matcher = new SmartacmeCertMatcher();
+  expect(matcher.getCertificateDomainNameByDomainName('example.com')).toEqual('example.com');
+});
+
+tap.test('should match 3-level domain', async () => {
+  const matcher = new SmartacmeCertMatcher();
+  expect(matcher.getCertificateDomainNameByDomainName('subdomain.example.com')).toEqual('example.com');
+});
+
+tap.test('should return undefined for deeper domain', async () => {
+  const matcher = new SmartacmeCertMatcher();
+  // domain with 4 or more levels
+  const result = matcher.getCertificateDomainNameByDomainName('a.b.example.com');
+  expect(result).toEqual(undefined);
+});
+
+export default tap.start();

test/test.handlers-dns01.ts

@@ -0,0 +1,34 @@
+import { tap, expect } from '@push.rocks/tapbundle';
+import { Dns01Handler } from '../ts/handlers/Dns01Handler.js';
+
+tap.test('Dns01Handler prepare and cleanup calls Cloudflare and DNS functions', async () => {
+  let setCalled = false;
+  let removeCalled = false;
+  // fake Cloudflare API
+  const fakeCF: any = {
+    convenience: {
+      acmeSetDnsChallenge: async (_ch: any) => {
+        setCalled = true;
+      },
+      acmeRemoveDnsChallenge: async (_ch: any) => {
+        removeCalled = true;
+      },
+    },
+  };
+  // fake DNS checker
+  const fakeDNS: any = {
+    checkUntilAvailable: async (host: string, rr: string, val: string, count: number, interval: number) => {
+      expect(host).toEqual('test.host');
+      expect(rr).toEqual('TXT');
+      expect(val).toEqual('token');
+    },
+  };
+  const handler = new Dns01Handler(fakeCF, fakeDNS);
+  const input = { hostName: 'test.host', challenge: 'token' };
+  await handler.prepare(input);
+  expect(setCalled).toEqual(true);
+  await handler.cleanup(input);
+  expect(removeCalled).toEqual(true);
+});
+
+export default tap.start();

test/test.handlers-http01-memory.ts

@@ -0,0 +1,58 @@
+import { tap, expect } from '@push.rocks/tapbundle';
+import { Http01MemoryHandler } from '../ts/handlers/Http01MemoryHandler.js';
+
+tap.test('Http01MemoryHandler serves in-memory challenges and cleans up', async () => {
+  const handler = new Http01MemoryHandler();
+  const token = 'testtoken';
+  const keyAuth = 'keyAuthValue';
+  const webPath = `/.well-known/acme-challenge/${token}`;
+  const challenge = { type: 'http-01', token, keyAuthorization: keyAuth, webPath };
+
+  // Prepare challenge (store in memory)
+  await handler.prepare(challenge);
+
+  // Serve existing challenge without next()
+  const req1: any = { url: webPath };
+  const res1: any = {
+    statusCode: 0,
+    headers: {} as Record<string, string>,
+    body: '',
+    setHeader(name: string, value: string) { this.headers[name] = value; },
+    end(body?: string) { this.body = body || ''; },
+  };
+  handler.handleRequest(req1, res1);
+  expect(res1.statusCode).toEqual(200);
+  expect(res1.body).toEqual(keyAuth);
+  expect(res1.headers['content-type']).toEqual('text/plain');
+
+  // Cleanup challenge (remove from memory)
+  await handler.cleanup(challenge);
+
+  // Serve after cleanup without next() should give 404
+  const req2: any = { url: webPath };
+  const res2: any = {
+    statusCode: 0,
+    headers: {} as Record<string, string>,
+    body: '',
+    setHeader(name: string, value: string) { this.headers[name] = value; },
+    end(body?: string) { this.body = body || ''; },
+  };
+  handler.handleRequest(req2, res2);
+  expect(res2.statusCode).toEqual(404);
+
+  // Serve after cleanup with next() should call next
+  const req3: any = { url: webPath };
+  let nextCalled = false;
+  const next = () => { nextCalled = true; };
+  const res3: any = {
+    statusCode: 0,
+    headers: {} as Record<string, string>,
+    body: '',
+    setHeader(name: string, value: string) { this.headers[name] = value; },
+    end(body?: string) { this.body = body || ''; },
+  };
+  handler.handleRequest(req3, res3, next);
+  expect(nextCalled).toEqual(true);
+});
+
+export default tap.start();

test/test.handlers-http01.ts

@@ -0,0 +1,26 @@
+import { tap, expect } from '@push.rocks/tapbundle';
+import { Http01Webroot } from '../ts/handlers/Http01Handler.js';
+import { promises as fs } from 'fs';
+import * as path from 'path';
+import os from 'os';
+
+tap.test('Http01Webroot writes challenge file and removes it on cleanup', async () => {
+  // create temporary webroot directory
+  const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'http01-'));
+  const handler = new Http01Webroot({ webroot: tmpDir });
+  const token = 'testtoken';
+  const keyAuth = 'keyAuthValue';
+  const webPath = `/.well-known/acme-challenge/${token}`;
+  const input = { type: 'http-01', token, keyAuthorization: keyAuth, webPath };
+  // prepare should write the file
+  await handler.prepare(input);
+  const filePath = path.join(tmpDir, webPath);
+  const content = await fs.readFile(filePath, 'utf8');
+  expect(content).toEqual(keyAuth);
+  // cleanup should remove the file
+  await handler.cleanup(input);
+  const exists = await fs.stat(filePath).then(() => true).catch(() => false);
+  expect(exists).toEqual(false);
+});
+
+export default tap.start();

test/test.smartacme.integration.ts

@@ -0,0 +1,47 @@
+import { tap, expect } from '@push.rocks/tapbundle';
+import { Qenv } from '@push.rocks/qenv';
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+import { SmartAcme, MongoCertManager } from '../ts/index.js';
+import { Dns01Handler } from '../ts/handlers/Dns01Handler.js';
+
+// Load environment variables for credentials (stored under .nogit/)
+const testQenv = new Qenv('./', './.nogit/');
+// Cloudflare API token for DNS-01 challenge (must be set in .nogit/ or env)
+const cfToken = (await testQenv.getEnvVarOnDemand('CF_TOKEN'))!;
+const cfAccount = new cloudflare.CloudflareAccount(cfToken);
+// MongoDB connection settings for certificate storage (must be set in .nogit/ or env)
+const mongoDbName = (await testQenv.getEnvVarOnDemand('MONGODB_DATABASE'))!;
+const mongoDbPass = (await testQenv.getEnvVarOnDemand('MONGODB_PASSWORD'))!;
+const mongoDbUrl = (await testQenv.getEnvVarOnDemand('MONGODB_URL'))!;
+
+let smartAcmeInstance: SmartAcme;
+
+tap.test('create SmartAcme instance with DNS-01 handler and start', async () => {
+  smartAcmeInstance = new SmartAcme({
+    accountEmail: 'domains@lossless.org',
+    certManager: new MongoCertManager({ mongoDbName, mongoDbPass, mongoDbUrl }),
+    environment: 'integration',
+    retryOptions: {},
+    challengeHandlers: [new Dns01Handler(cfAccount)],
+    challengePriority: ['dns-01'],
+  });
+  await smartAcmeInstance.start();
+  expect(smartAcmeInstance).toBeInstanceOf(SmartAcme);
+});
+
+tap.test('get a domain certificate via DNS-01 challenge', async () => {
+  // Replace 'bleu.de' with your test domain if different
+  const domain = 'bleu.de';
+  const cert = await smartAcmeInstance.getCertificateForDomain(domain);
+  expect(cert).toHaveProperty('domainName');
+  expect(cert).toEqual(domain);
+  expect(cert).toHaveProperty('publicKey');
+  expect(typeof cert.publicKey).toEqual('string');
+  expect(cert.publicKey.length).toBeGreaterThan(0);
+});
+
+tap.test('stop SmartAcme instance', async () => {
+  await smartAcmeInstance.stop();
+});
+
+export default tap.start();

test/test.smartacme.ts

@@ -0,0 +1,32 @@
+import { tap, expect } from '@push.rocks/tapbundle';
+import { SmartAcme, MemoryCertManager } from '../ts/index.js';
+import type { IChallengeHandler } from '../ts/handlers/IChallengeHandler.js';
+
+// Dummy handler for testing
+class DummyHandler implements IChallengeHandler<any> {
+  getSupportedTypes(): string[] { return ['dns-01']; }
+  async prepare(_: any): Promise<void> { /* no-op */ }
+  async cleanup(_: any): Promise<void> { /* no-op */ }
+}
+
+tap.test('constructor throws without challengeHandlers', async () => {
+  expect(() => new SmartAcme({
+    accountEmail: 'test@example.com',
+    certManager: new MemoryCertManager(),
+    environment: 'integration',
+    retryOptions: {},
+  } as any)).toThrow();
+});
+
+tap.test('constructor accepts valid challengeHandlers', async () => {
+  const sa = new SmartAcme({
+    accountEmail: 'test@example.com',
+    certManager: new MemoryCertManager(),
+    environment: 'integration',
+    retryOptions: {},
+    challengeHandlers: [new DummyHandler()],
+  });
+  expect(sa).toBeInstanceOf(SmartAcme);
+});
+
+export default tap.start();

test/test.ts

@@ -1,13 +0,0 @@
-import { tap, expect } from 'tapbundle';
-
-import * as smartacme from '../ts/index';
-
-let smartAcmeInstance: smartacme.SmartAcme;
-
-tap.test('should create a valid instance of SmartAcme' , async () => {
-  smartAcmeInstance = new smartacme.SmartAcme();
-  await smartAcmeInstance.init()
-  console.log(smartAcmeInstance.directoryUrls);
-})
-
-tap.start();

ts/00_commitinfo_data.ts

@@ -0,0 +1,8 @@
+/**
+ * autocreated commitinfo by @push.rocks/commitinfo
+ */
+export const commitinfo = {
+  name: '@push.rocks/smartacme',
+  version: '7.0.0',
+  description: 'A TypeScript-based ACME client for LetsEncrypt certificate management with a focus on simplicity and power.'
+}

ts/certmanagers.ts

@@ -0,0 +1,90 @@
+import * as plugins from './smartacme.plugins.js';
+import type { ICertManager } from './interfaces/certmanager.js';
+import { SmartacmeCert } from './smartacme.classes.cert.js';
+
+/**
+ * In-memory certificate manager for mongoless mode.
+ * Stores certificates in memory only and does not connect to MongoDB.
+ */
+export class MemoryCertManager implements ICertManager {
+  public interestMap: plugins.lik.InterestMap<string, SmartacmeCert>;
+  private certs: Map<string, SmartacmeCert> = new Map();
+
+  constructor() {
+    this.interestMap = new plugins.lik.InterestMap((domain) => domain);
+  }
+
+  public async init(): Promise<void> {
+    // no-op for in-memory store
+  }
+
+  public async retrieveCertificate(domainName: string): Promise<SmartacmeCert | null> {
+    return this.certs.get(domainName) ?? null;
+  }
+
+  public async storeCertificate(cert: SmartacmeCert): Promise<void> {
+    this.certs.set(cert.domainName, cert);
+    const interest = this.interestMap.findInterest(cert.domainName);
+    if (interest) {
+      interest.fullfillInterest(cert);
+      interest.markLost();
+    }
+  }
+
+  public async deleteCertificate(domainName: string): Promise<void> {
+    this.certs.delete(domainName);
+  }
+
+  public async close(): Promise<void> {
+    // no-op
+  }
+}
+
+/**
+ * MongoDB-backed certificate manager using EasyStore from smartdata.
+ */
+export class MongoCertManager implements ICertManager {
+  public interestMap: plugins.lik.InterestMap<string, SmartacmeCert>;
+  private db: plugins.smartdata.SmartdataDb;
+  private store: plugins.smartdata.EasyStore<Record<string, any>>;
+
+  /**
+   * @param mongoDescriptor MongoDB connection settings
+   */
+  constructor(mongoDescriptor: plugins.smartdata.IMongoDescriptor) {
+    this.db = new plugins.smartdata.SmartdataDb(mongoDescriptor);
+    // Use a single EasyStore document to hold all certs keyed by domainName
+    this.store = new plugins.smartdata.EasyStore<Record<string, any>>(
+      'smartacme-certs',
+      this.db,
+    );
+    this.interestMap = new plugins.lik.InterestMap((domain) => domain);
+  }
+
+  public async init(): Promise<void> {
+    await this.db.init();
+  }
+
+  public async retrieveCertificate(domainName: string): Promise<SmartacmeCert | null> {
+    const data = await this.store.readKey(domainName);
+    return data ? new SmartacmeCert(data) : null;
+  }
+
+  public async storeCertificate(cert: SmartacmeCert): Promise<void> {
+    // write plain object for persistence
+    await this.store.writeKey(cert.domainName, { ...cert });
+    const interest = this.interestMap.findInterest(cert.domainName);
+    if (interest) {
+      interest.fullfillInterest(cert);
+      interest.markLost();
+    }
+  }
+
+  public async deleteCertificate(domainName: string): Promise<void> {
+    await this.store.deleteKey(domainName);
+  }
+
+  public async close(): Promise<void> {
+    await this.db.close();
+  }
+}

ts/handlers/Dns01Handler.ts

@@ -0,0 +1,36 @@
+import * as plugins from '../smartacme.plugins.js';
+import type { IChallengeHandler } from './IChallengeHandler.js';
+
+/**
+ * DNS-01 challenge handler using CloudflareAccount and Smartdns.
+ */
+export class Dns01Handler implements IChallengeHandler<plugins.tsclass.network.IDnsChallenge> {
+  private cf: plugins.tsclass.network.IConvenientDnsProvider;
+  private smartdns: plugins.smartdnsClient.Smartdns;
+
+  constructor(
+    convenientDnsProvider: plugins.tsclass.network.IConvenientDnsProvider,
+    smartdnsInstance?: plugins.smartdnsClient.Smartdns,
+  ) {
+    this.cf = convenientDnsProvider;
+    this.smartdns = smartdnsInstance ?? new plugins.smartdnsClient.Smartdns({});
+  }
+
+  public getSupportedTypes(): string[] {
+    return ['dns-01'];
+  }
+
+  public async prepare(ch: plugins.tsclass.network.IDnsChallenge): Promise<void> {
+    // set DNS TXT record
+    await this.cf.convenience.acmeSetDnsChallenge(ch);
+  }
+
+  public async cleanup(ch: plugins.tsclass.network.IDnsChallenge): Promise<void> {
+    // remove DNS TXT record
+    await this.cf.convenience.acmeRemoveDnsChallenge(ch);
+  }
+
+  public async checkWetherDomainIsSupported(domainArg: string): Promise<boolean> {
+    return this.cf.convenience.isDomainSupported(domainArg);
+  }
+}

ts/handlers/Http01Handler.ts

@@ -0,0 +1,54 @@
+import { promises as fs } from 'fs';
+import * as path from 'path';
+import type { IChallengeHandler } from './IChallengeHandler.js';
+
+/**
+ * HTTP-01 ACME challenge handler using file-system webroot.
+ * Writes and removes the challenge file under <webroot>/.well-known/acme-challenge/. 
+ */
+export interface Http01WebrootOptions {
+  /**
+   * Directory that serves HTTP requests for /.well-known/acme-challenge
+   */
+  webroot: string;
+}
+
+export class Http01Webroot implements IChallengeHandler<{
+  type: string;
+  token: string;
+  keyAuthorization: string;
+  webPath: string;
+}> {
+  private webroot: string;
+
+  constructor(options: Http01WebrootOptions) {
+    this.webroot = options.webroot;
+  }
+
+  public getSupportedTypes(): string[] {
+    return ['http-01'];
+  }
+
+  public async prepare(ch: { token: string; keyAuthorization: string; webPath: string }): Promise<void> {
+    const relWebPath = ch.webPath.replace(/^\/+/, '');
+    const filePath = path.join(this.webroot, relWebPath);
+    const dir = path.dirname(filePath);
+    await fs.mkdir(dir, { recursive: true });
+    await fs.writeFile(filePath, ch.keyAuthorization, 'utf8');
+  }
+
+  public async verify(ch: { webPath: string; keyAuthorization: string }): Promise<void> {
+    // Optional: implement HTTP polling if desired
+    return;
+  }
+
+  public async cleanup(ch: { token: string; webPath: string }): Promise<void> {
+    const relWebPath = ch.webPath.replace(/^\/+/, '');
+    const filePath = path.join(this.webroot, relWebPath);
+    try {
+      await fs.unlink(filePath);
+    } catch {
+      // ignore missing file
+    }
+  }
+}

ts/handlers/Http01MemoryHandler.ts

@@ -0,0 +1,67 @@
+import type { IChallengeHandler } from './IChallengeHandler.js';
+
+/**
+ * HTTP-01 ACME challenge handler using in-memory storage.
+ * Stores challenge tokens and key authorizations in memory
+ * and serves them via handleRequest for arbitrary HTTP servers.
+ */
+export interface Http01MemoryHandlerChallenge {
+  type: string;
+  token: string;
+  keyAuthorization: string;
+  webPath: string;
+}
+
+export class Http01MemoryHandler implements IChallengeHandler<Http01MemoryHandlerChallenge> {
+  private store: Map<string, string> = new Map();
+
+  public getSupportedTypes(): string[] {
+    return ['http-01'];
+  }
+
+  public async prepare(ch: Http01MemoryHandlerChallenge): Promise<void> {
+    this.store.set(ch.token, ch.keyAuthorization);
+  }
+
+  public async verify(_ch: Http01MemoryHandlerChallenge): Promise<void> {
+    // No-op
+    return;
+  }
+
+  public async cleanup(ch: Http01MemoryHandlerChallenge): Promise<void> {
+    this.store.delete(ch.token);
+  }
+
+  /**
+   * HTTP request handler for serving ACME HTTP-01 challenges.
+   * @param req HTTP request object (should have url property)
+   * @param res HTTP response object
+   * @param next Optional next() callback for Express-style fallthrough
+   */
+  public handleRequest(req: any, res: any, next?: () => void): void {
+    const url = req.url || '';
+    const prefix = '/.well-known/acme-challenge/';
+    if (!url.startsWith(prefix)) {
+      if (next) {
+        return next();
+      }
+      res.statusCode = 404;
+      return res.end();
+    }
+    const token = url.slice(prefix.length);
+    const keyAuth = this.store.get(token);
+    if (keyAuth !== undefined) {
+      if (typeof res.status === 'function' && typeof res.send === 'function') {
+        return res.status(200).send(keyAuth);
+      }
+      res.statusCode = 200;
+      res.setHeader('content-type', 'text/plain');
+      return res.end(keyAuth);
+    }
+    if (next) {
+      return next();
+    }
+    res.statusCode = 404;
+    return res.end();
+  }
+}

ts/handlers/IChallengeHandler.ts

@@ -0,0 +1,22 @@
+/**
+ * Pluggable interface for ACME challenge handlers.
+ * Supports DNS-01, HTTP-01, TLS-ALPN-01, or custom challenge types.
+ */
+export interface IChallengeHandler<T> {
+  /**
+   * ACME challenge types this handler supports (e.g. ['dns-01']).
+   */
+  getSupportedTypes(): string[];
+  /**
+   * Prepare the challenge: set DNS record, start HTTP/TLS server, etc.
+   */
+  prepare(ch: T): Promise<void>;
+  /**
+   * Optional extra verify step (HTTP GET, ALPN handshake).
+   */
+  verify?(ch: T): Promise<void>;
+  /**
+   * Clean up resources: remove DNS record, stop server.
+   */
+  cleanup(ch: T): Promise<void>;
+}

ts/handlers/index.ts

@@ -0,0 +1,5 @@
+export type { IChallengeHandler } from './IChallengeHandler.js';
+// Removed legacy handler adapter
+export { Dns01Handler } from './Dns01Handler.js';
+export { Http01Webroot } from './Http01Handler.js';
+export { Http01MemoryHandler } from './Http01MemoryHandler.js';

ts/index.ts

@@ -1 +1,4 @@
-export * from './smartacme.classes.smartacme'
+export * from './smartacme.classes.smartacme.js';
+export { SmartacmeCert as Cert } from './smartacme.classes.cert.js';
+export type { ICertManager } from './interfaces/certmanager.js';
+export { MemoryCertManager, MongoCertManager } from './certmanagers.js';

ts/interfaces/accountdata.ts

@@ -0,0 +1,8 @@
+export interface IAccountData {
+  id: number;
+  key: { kty: 'RSA'; n: string; e: string; kid: string };
+  contact: string[];
+  initialIp: string;
+  createdAt: string;
+  status: string;
+}

ts/interfaces/certmanager.ts

@@ -0,0 +1,37 @@
+import type { InterestMap } from '@push.rocks/lik';
+import type { SmartacmeCert } from '../smartacme.classes.cert.js';
+
+// (ICertRecord removed; use SmartacmeCert directly)
+
+/**
+ * Interface for certificate storage managers.
+ * Users can implement this to provide custom persistence (in-memory,
+ * file-based, Redis, etc.).
+ */
+export interface ICertManager {
+  /**
+   * Map for coordinating concurrent certificate requests.
+   */
+  interestMap: InterestMap<string, SmartacmeCert>;
+  /**
+   * Initialize the store (e.g., connect to database).
+   */
+  init(): Promise<void>;
+  /**
+   * Retrieve a certificate record by domain name.
+   * Returns null if none found.
+   */
+  retrieveCertificate(domainName: string): Promise<SmartacmeCert | null>;
+  /**
+   * Store a certificate record. Fulfills any pending interests.
+   */
+  storeCertificate(cert: SmartacmeCert): Promise<void>;
+  /**
+   * Delete a certificate record by domain name.
+   */
+  deleteCertificate(domainName: string): Promise<void>;
+  /**
+   * Close the store (e.g., disconnect database).
+   */
+  close(): Promise<void>;
+}

ts/interfaces/index.ts

@@ -0,0 +1 @@
+export * from './accountdata.js';

ts/smartacme.classes.cert.ts

@@ -0,0 +1,39 @@
+import * as plugins from './smartacme.plugins.js';
+
+/**
+ * Plain certificate record.
+ */
+export class SmartacmeCert {
+  public id: string;
+  public domainName: string;
+  public created: number;
+  public privateKey: string;
+  public publicKey: string;
+  public csr: string;
+  public validUntil: number;
+
+  constructor(data: Partial<SmartacmeCert> = {}) {
+    this.id = data.id || '';
+    this.domainName = data.domainName || '';
+    this.created = data.created || Date.now();
+    this.privateKey = data.privateKey || '';
+    this.publicKey = data.publicKey || '';
+    this.csr = data.csr || '';
+    this.validUntil = data.validUntil || 0;
+  }
+
+  /**
+   * Check if certificate is still valid.
+   */
+  public isStillValid(): boolean {
+    return this.validUntil >= Date.now();
+  }
+
+  /**
+   * Check if certificate needs renewal (e.g., expires in <10 days).
+   */
+  public shouldBeRenewed(): boolean {
+    const threshold = Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 10 });
+    return this.validUntil < threshold;
+  }
+}

ts/smartacme.classes.certmatcher.ts

@@ -0,0 +1,19 @@
+import * as plugins from './smartacme.plugins.js';
+import * as interfaces from './interfaces/index.js';
+
+/**
+ * certmatcher is responsible for matching certificates
+ */
+export class SmartacmeCertMatcher {
+  /**
+   * creates a domainName for the certificate that will include the broadest scope
+   * for wild card certificates
+   * @param domainNameArg the domainNameArg to create the scope from
+   */
+  public getCertificateDomainNameByDomainName(domainNameArg: string): string {
+    const originalDomain = new plugins.smartstring.Domain(domainNameArg);
+    if (!originalDomain.level4) {
+      return `${originalDomain.level2}.${originalDomain.level1}`;
+    }
+  }
+}

ts/smartacme.classes.keypair.ts

@@ -1,27 +0,0 @@
-import * as plugins from './smartacme.plugins';
-const rsa = require('rsa-compat').RSA;
-
-export class KeyPair {
-  rsaKeyPair: any
-
-  /**
-   * generates a fresh rsa keyPair
-   */
-  static async generateFresh(): Promise<KeyPair> {
-    const done = plugins.smartpromise.defer();
-    var options = { bitlen: 2048, exp: 65537, public: true, pem: true, internal: true };
-    rsa.generateKeypair(options, function(err, keypair) {
-      if(err) {
-        console.log(err);
-      }
-      done.resolve(keypair);
-    });
-    const result: any = await done.promise;
-    const keyPair = new KeyPair(result);
-    return keyPair;
-  }
-
-  constructor(rsaKeyPairArg) {
-    this.rsaKeyPair = rsaKeyPairArg;
-  }
-}

ts/smartacme.classes.smartacme.ts

@@ -1,47 +1,368 @@
-const acme = require('acme-v2').ACME.create({
+import * as plugins from './smartacme.plugins.js';
-  RSA: require('rsa-compat').RSA,
+import type { ICertManager } from './interfaces/certmanager.js';
+import { SmartacmeCertMatcher } from './smartacme.classes.certmatcher.js';
+import { commitinfo } from './00_commitinfo_data.js';
+import { SmartacmeCert } from './smartacme.classes.cert.js';
 
-  // other overrides
+/**
-  promisify: require('util').promisify,
+ * the options for the class @see SmartAcme
-
+ */
-  // used for constructing user-agent
+export interface ISmartAcmeOptions {
-  os: require('os'),
+  accountPrivateKey?: string;
-  process: require('process'),
+  accountEmail: string;
-
+  /**
-  // used for overriding the default user-agent
+   * Certificate storage manager (e.g., Mongo or in-memory).
-  userAgent: 'My custom UA String',
+   */
-  getUserAgentString: function(deps) {
+  certManager: ICertManager;
-    return 'My custom UA String';
+  // Removed legacy setChallenge/removeChallenge in favor of `challengeHandlers`
-  },
+  environment: 'production' | 'integration';
-
+  /**
-  // don't try to validate challenges locally
+   * Optional retry/backoff configuration for transient failures
-  skipChallengeTest: false
+   */
-});
+  retryOptions?: {
-
+    /** number of retry attempts */
-import { KeyPair } from './smartacme.classes.keypair';
+    retries?: number;
+    /** backoff multiplier */
+    factor?: number;
+    /** initial delay in milliseconds */
+    minTimeoutMs?: number;
+    /** maximum delay cap in milliseconds */
+    maxTimeoutMs?: number;
+  };
+  /**
+   * Pluggable ACME challenge handlers (DNS-01, HTTP-01, TLS-ALPN-01, etc.)
+   */
+  challengeHandlers?: plugins.handlers.IChallengeHandler<any>[];
+  /**
+   * Order of challenge types to try (e.g. ['http-01','dns-01']).
+   * Defaults to ['dns-01'] or first supported type from handlers.
+   */
+  challengePriority?: string[];
+}
 
+/**
+ * class SmartAcme
+ * can be used for setting up communication with an ACME authority
+ *
+ * ```ts
+ * const mySmartAcmeInstance = new SmartAcme({
+ *  // see ISmartAcmeOptions for options
+ * })
+ * ```
+ */
 export class SmartAcme {
-  keyPair: KeyPair;
+  private options: ISmartAcmeOptions;
-  directoryUrls: any;
 
-  async init() {
+  // the acme client
-    // get directory url
+  private client: plugins.acme.Client;
-    this.directoryUrls = await acme.init('https://acme-staging-v02.api.letsencrypt.org/directory');
+  private smartdns = new plugins.smartdnsClient.Smartdns({});
+  public logger: plugins.smartlog.Smartlog;
 
-    // create keyPair
+  // the account private key
-    this.keyPair = await KeyPair.generateFresh();
+  private privateKey: string;
 
-    // get account
+
-    const registrationData = await acme.accounts.create({
+  // certificate manager for persistence (implements ICertManager)
-      email: 'domains@lossless.org', // valid email (server checks MX records)
+  private certmanager: ICertManager;
-      accountKeypair: this.keyPair.rsaKeyPair,
+  private certmatcher: SmartacmeCertMatcher;
-      agreeToTerms: async tosUrl => {
+  // retry/backoff configuration (resolved with defaults)
-        return tosUrl;
+  private retryOptions: { retries: number; factor: number; minTimeoutMs: number; maxTimeoutMs: number };
+  // track pending DNS challenges for graceful shutdown
+  private pendingChallenges: plugins.tsclass.network.IDnsChallenge[] = [];
+  // configured pluggable ACME challenge handlers
+  private challengeHandlers: plugins.handlers.IChallengeHandler<any>[];
+  // priority order of challenge types
+  private challengePriority: string[];
+
+  constructor(optionsArg: ISmartAcmeOptions) {
+    this.options = optionsArg;
+    this.logger = plugins.smartlog.Smartlog.createForCommitinfo(commitinfo);
+    // enable console output for structured logging
+    this.logger.enableConsole();
+    // initialize retry/backoff options
+    this.retryOptions = {
+      retries: optionsArg.retryOptions?.retries ?? 10,
+      factor: optionsArg.retryOptions?.factor ?? 4,
+      minTimeoutMs: optionsArg.retryOptions?.minTimeoutMs ?? 1000,
+      maxTimeoutMs: optionsArg.retryOptions?.maxTimeoutMs ?? 60000,
+    };
+    // initialize challenge handlers (must provide at least one)
+    if (!optionsArg.challengeHandlers || optionsArg.challengeHandlers.length === 0) {
+      throw new Error(
+        'You must provide at least one ACME challenge handler via options.challengeHandlers',
+      );
     }
-    }).catch(e => {
+    this.challengeHandlers = optionsArg.challengeHandlers;
-      console.log(e);
+    // initialize challenge priority
+    this.challengePriority =
+      optionsArg.challengePriority && optionsArg.challengePriority.length > 0
+        ? optionsArg.challengePriority
+        : this.challengeHandlers.map((h) => h.getSupportedTypes()[0]);
+  }
+
+  /**
+   * starts the instance
+   * ```ts
+   * await myCloudlyInstance.start() // does not support options
+   * ```
+   */
+  public async start() {
+    this.privateKey =
+      this.options.accountPrivateKey || (await plugins.acme.forge.createPrivateKey()).toString();
+
+    // Initialize certificate manager
+    if (!this.options.certManager) {
+      throw new Error('You must provide a certManager via options.certManager');
+    }
+    this.certmanager = this.options.certManager;
+    await this.certmanager.init();
+
+    // CertMatcher
+    this.certmatcher = new SmartacmeCertMatcher();
+
+    // ACME Client
+    this.client = new plugins.acme.Client({
+      directoryUrl: (() => {
+        if (this.options.environment === 'production') {
+          return plugins.acme.directory.letsencrypt.production;
+        } else {
+          return plugins.acme.directory.letsencrypt.staging;
+        }
+      })(),
+      accountKey: this.privateKey,
     });
 
-    console.log(registrationData);
+    /* Register account */
+    await this.client.createAccount({
+      termsOfServiceAgreed: true,
+      contact: [`mailto:${this.options.accountEmail}`],
+    });
+    // Setup graceful shutdown handlers
+    process.on('SIGINT', () => this.handleSignal('SIGINT'));
+    process.on('SIGTERM', () => this.handleSignal('SIGTERM'));
   }
+
+  /**
+   * Stops the SmartAcme instance and closes certificate store connections.
+   */
+  public async stop() {
+    if (this.certmanager && typeof (this.certmanager as any).close === 'function') {
+      await (this.certmanager as any).close();
+    }
+  }
+    /** Retry helper with exponential backoff */
+    private async retry<T>(operation: () => Promise<T>, operationName: string = 'operation'): Promise<T> {
+      let attempt = 0;
+      let delay = this.retryOptions.minTimeoutMs;
+      while (true) {
+        try {
+          return await operation();
+        } catch (err) {
+          attempt++;
+          if (attempt > this.retryOptions.retries) {
+            await this.logger.log('error', `Operation ${operationName} failed after ${attempt} attempts`, err);
+            throw err;
+          }
+          await this.logger.log('warn', `Operation ${operationName} failed on attempt ${attempt}, retrying in ${delay}ms`, err);
+          await plugins.smartdelay.delayFor(delay);
+          delay = Math.min(delay * this.retryOptions.factor, this.retryOptions.maxTimeoutMs);
+        }
+      }
+    }
+    /** Clean up pending challenges and shut down */
+    private async handleShutdown(): Promise<void> {
+      for (const input of [...this.pendingChallenges]) {
+        const type: string = (input as any).type;
+        const handler = this.challengeHandlers.find((h) => h.getSupportedTypes().includes(type));
+        if (handler) {
+          try {
+            await handler.cleanup(input);
+            await this.logger.log('info', `Removed pending ${type} challenge during shutdown`, input);
+          } catch (err) {
+            await this.logger.log('error', `Failed to remove pending ${type} challenge during shutdown`, err);
+          }
+        } else {
+          await this.logger.log(
+            'warn',
+            `No handler for pending challenge type '${type}' during shutdown; skipping cleanup`,
+            input,
+          );
+        }
+      }
+      this.pendingChallenges = [];
+      await this.stop();
+    }
+    /** Handle process signals for graceful shutdown */
+    private handleSignal(sig: string): void {
+      this.logger.log('info', `Received signal ${sig}, shutting down gracefully`);
+      this.handleShutdown()
+        .then(() => process.exit(0))
+        .catch((err) => {
+          this.logger.log('error', 'Error during shutdown', err).then(() => process.exit(1));
+        });
+    }
+
+  /**
+   * gets a certificate
+   * it runs through the following steps
+   *
+   * * look in the database
+   * * if in the database and still valid return it
+   * * if not in the database announce it
+   * * then get it from letsencrypt
+   * * store it
+   * * remove it from the pending map (which it go onto by announcing it)
+   * * retrieve it from the databse and return it
+   *
+   * @param domainArg
+   */
+  public async getCertificateForDomain(domainArg: string): Promise<SmartacmeCert> {
+    const certDomainName = this.certmatcher.getCertificateDomainNameByDomainName(domainArg);
+    const retrievedCertificate = await this.certmanager.retrieveCertificate(certDomainName);
+
+    if (
+      !retrievedCertificate &&
+      (await this.certmanager.interestMap.checkInterest(certDomainName))
+    ) {
+      const existingCertificateInterest = this.certmanager.interestMap.findInterest(certDomainName);
+      const certificate = existingCertificateInterest.interestFullfilled;
+      return certificate;
+    } else if (retrievedCertificate && !retrievedCertificate.shouldBeRenewed()) {
+      return retrievedCertificate;
+    } else if (retrievedCertificate && retrievedCertificate.shouldBeRenewed()) {
+      // Remove old certificate via certManager
+      await this.certmanager.deleteCertificate(certDomainName);
+    }
+
+    // lets make sure others get the same interest
+    const currentDomainInterst = await this.certmanager.interestMap.addInterest(certDomainName);
+
+    /* Place new order with retry */
+    const order = await this.retry(() => this.client.createOrder({
+      identifiers: [
+        { type: 'dns', value: certDomainName },
+        { type: 'dns', value: `*.${certDomainName}` },
+      ],
+    }), 'createOrder');
+
+    /* Get authorizations and select challenges */
+    const authorizations = await this.retry(() => this.client.getAuthorizations(order), 'getAuthorizations');
+
+    for (const authz of authorizations) {
+      await this.logger.log('debug', 'Authorization received', authz);
+      // select a handler based on configured priority
+      let selectedHandler: { type: string; handler: plugins.handlers.IChallengeHandler<any> } | null = null;
+      let selectedChallengeArg: any = null;
+      for (const type of this.challengePriority) {
+        const candidate = authz.challenges.find((c: any) => c.type === type);
+        if (!candidate) continue;
+        const handler = this.challengeHandlers.find((h) => h.getSupportedTypes().includes(type));
+        if (handler) {
+          selectedHandler = { type, handler };
+          selectedChallengeArg = candidate;
+          break;
+        }
+      }
+      if (!selectedHandler) {
+        throw new Error(`No challenge handler for domain ${authz.identifier.value}: supported types [${this.challengePriority.join(',')}]`);
+      }
+      const { type, handler } = selectedHandler;
+      // build handler input with keyAuthorization
+      let input: any;
+      // retrieve keyAuthorization for challenge
+      const keyAuth = await this.client.getChallengeKeyAuthorization(selectedChallengeArg);
+      if (type === 'dns-01') {
+        input = { type, hostName: `_acme-challenge.${authz.identifier.value}`, challenge: keyAuth };
+      } else if (type === 'http-01') {
+        // HTTP-01 requires serving token at webPath
+        input = {
+          type,
+          token: (selectedChallengeArg as any).token,
+          keyAuthorization: keyAuth,
+          webPath: `/.well-known/acme-challenge/${(selectedChallengeArg as any).token}`,
+        };
+      } else {
+        // generic challenge input: include raw challenge properties
+        input = { type, keyAuthorization: keyAuth, ...selectedChallengeArg };
+      }
+      this.pendingChallenges.push(input);
+      try {
+        // Prepare the challenge (set DNS record, write file, etc.)
+        await this.retry(() => handler.prepare(input), `${type}.prepare`);
+        // For DNS-01, wait for propagation before verification
+        if (type === 'dns-01') {
+          const dnsInput = input as { hostName: string; challenge: string };
+          // Wait for authoritative DNS propagation before ACME verify
+          await this.retry(
+            () => this.smartdns.checkUntilAvailable(dnsInput.hostName, 'TXT', dnsInput.challenge, 100, 5000),
+            `${type}.propagation`,
+          );
+          // Extra cool-down to ensure ACME server sees the new TXT record
+          this.logger.log('info', 'Cooling down for 1 minute before ACME verification');
+          await plugins.smartdelay.delayFor(60000);
+        }
+        // Official ACME verification (ensures challenge is publicly reachable)
+        await this.retry(
+          () => this.client.verifyChallenge(authz, selectedChallengeArg),
+          `${type}.verifyChallenge`,
+        );
+        // Notify ACME server to complete the challenge
+        await this.retry(
+          () => this.client.completeChallenge(selectedChallengeArg),
+          `${type}.completeChallenge`,
+        );
+        // Wait for valid status (warnings on staging timeouts)
+        try {
+          await this.retry(
+            () => this.client.waitForValidStatus(selectedChallengeArg),
+            `${type}.waitForValidStatus`,
+          );
+        } catch (err) {
+          await this.logger.log(
+            'warn',
+            `Challenge ${type} did not reach valid status in time, proceeding to finalize`,
+            err,
+          );
+        }
+      } finally {
+        // Always cleanup resource
+        try {
+          await this.retry(() => handler.cleanup(input), `${type}.cleanup`);
+        } catch (err) {
+          await this.logger.log('error', `Error during ${type}.cleanup`, err);
+        } finally {
+          this.pendingChallenges = this.pendingChallenges.filter((c) => c !== input);
+        }
+      }
+    }
+
+    /* Finalize order */
+    const [key, csr] = await plugins.acme.forge.createCsr({
+      commonName: `*.${certDomainName}`,
+      altNames: [certDomainName],
+    });
+
+    await this.retry(() => this.client.finalizeOrder(order, csr), 'finalizeOrder');
+    const cert = await this.retry(() => this.client.getCertificate(order), 'getCertificate');
+
+    /* Done */
+
+    // Store the new certificate record
+    const certRecord = new SmartacmeCert({
+      id: plugins.smartunique.shortId(),
+      domainName: certDomainName,
+      privateKey: key.toString(),
+      publicKey: cert.toString(),
+      csr: csr.toString(),
+      created: Date.now(),
+      validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 90 }),
+    });
+    await this.certmanager.storeCertificate(certRecord);
+
+    const newCertificate = await this.certmanager.retrieveCertificate(certDomainName);
+    currentDomainInterst.fullfillInterest(newCertificate);
+    currentDomainInterst.destroy();
+    return newCertificate;
+  }
+
 }

ts/smartacme.plugins.ts

@@ -1,5 +1,47 @@
-import * as smartpromise from '@pushrocks/smartpromise';
+// @apiclient.xyz scope
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+
+export { cloudflare };
+
+// @apiglobal scope
+import * as typedserver from '@api.global/typedserver';
+
+export { typedserver };
+
+// @pushrocks scope
+import * as lik from '@push.rocks/lik';
+import * as smartdata from '@push.rocks/smartdata';
+import * as smartdelay from '@push.rocks/smartdelay';
+import * as smartdnsClient from '@push.rocks/smartdns/client';
+import * as smartlog from '@push.rocks/smartlog';
+import * as smartpromise from '@push.rocks/smartpromise';
+import * as smartrequest from '@push.rocks/smartrequest';
+import * as smartunique from '@push.rocks/smartunique';
+import * as smartstring from '@push.rocks/smartstring';
+import * as smarttime from '@push.rocks/smarttime';
 
 export {
-  smartpromise
+  lik,
-}
+  smartdata,
+  smartdelay,
+  smartdnsClient,
+  smartlog,
+  smartpromise,
+  smartrequest,
+  smartunique,
+  smartstring,
+  smarttime,
+};
+
+// @tsclass scope
+import * as tsclass from '@tsclass/tsclass';
+
+export { tsclass };
+
+// third party scope
+import * as acme from 'acme-client';
+
+export { acme };
+// local handlers for challenge types
+import * as handlers from './handlers/index.js';
+export { handlers };

tsconfig.json

@@ -0,0 +1,22 @@
+{
+  "compilerOptions": {
+    "experimentalDecorators": true,
+    "emitDecoratorMetadata": true,
+    "useDefineForClassFields": false,
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "esModuleInterop": true,
+    "verbatimModuleSyntax": true,
+    "baseUrl": ".",
+    "paths": {}
+  },
+  "include": [
+    "ts/**/*.ts"
+  ],
+  "exclude": [
+    "node_modules",
+    "test",
+    "dist_*/**/*.d.ts"
+  ]
+}

tslint.json

@@ -1,3 +0,0 @@
-{
-    "extends": "tslint-config-standard"
-}