v9.1.3

.gitea/workflows/default_nottags.yaml

@@ -0,0 +1,66 @@
+name: Default (not tags)
+
+on:
+  push:
+    tags-ignore:
+      - '**'
+
+env:
+  IMAGE: code.foss.global/host.today/ht-docker-node:npmci
+  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@/${{gitea.repository}}.git
+  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
+  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
+  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
+  NPMCI_URL_CLOUDLY: ${{secrets.NPMCI_URL_CLOUDLY}}
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install pnpm and npmci
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+
+      - name: Run npm prepare
+        run: npmci npm prepare
+
+      - name: Audit production dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --prod
+        continue-on-error: true
+
+      - name: Audit development dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --dev
+        continue-on-error: true
+
+  test:
+    if: ${{ always() }}
+    needs: security
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Test stable
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm test
+
+      - name: Test build
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm build

.gitea/workflows/default_tags.yaml

@@ -0,0 +1,124 @@
+name: Default (tags)
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  IMAGE: code.foss.global/host.today/ht-docker-node:npmci
+  NPMCI_COMPUTED_REPOURL: https://${{gitea.repository_owner}}:${{secrets.GITEA_TOKEN}}@/${{gitea.repository}}.git
+  NPMCI_TOKEN_NPM: ${{secrets.NPMCI_TOKEN_NPM}}
+  NPMCI_TOKEN_NPM2: ${{secrets.NPMCI_TOKEN_NPM2}}
+  NPMCI_GIT_GITHUBTOKEN: ${{secrets.NPMCI_GIT_GITHUBTOKEN}}
+  NPMCI_URL_CLOUDLY: ${{secrets.NPMCI_URL_CLOUDLY}}
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Audit production dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --prod
+        continue-on-error: true
+
+      - name: Audit development dependencies
+        run: |
+          npmci command npm config set registry https://registry.npmjs.org
+          npmci command pnpm audit --audit-level=high --dev
+        continue-on-error: true
+
+  test:
+    if: ${{ always() }}
+    needs: security
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Test stable
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm test
+
+      - name: Test build
+        run: |
+          npmci node install stable
+          npmci npm install
+          npmci npm build
+
+  release:
+    needs: test
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Release
+        run: |
+          npmci node install stable
+          npmci npm publish
+
+  metadata:
+    needs: test
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ env.IMAGE }}
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Prepare
+        run: |
+          pnpm install -g pnpm
+          pnpm install -g @ship.zone/npmci
+          npmci npm prepare
+
+      - name: Code quality
+        run: |
+          npmci command npm install -g typescript
+          npmci npm install
+
+      - name: Trigger
+        run: npmci trigger
+
+      - name: Build docs and upload artifacts
+        run: |
+          npmci node install stable
+          npmci npm install
+          pnpm install -g @git.zone/tsdoc
+          npmci command tsdoc
+        continue-on-error: true

.gitignore

@@ -1,5 +1,19 @@
-node_modules/
+.nogit/
+
+# artifacts
 coverage/
 public/
-pages/
-.nogit/
+
+# installs
+node_modules/
+
+# caches
+.yarn/
+.cache/
+.rpt2_cache
+
+# builds
+dist/
+dist_*/
+
+#------# custom

.gitlab-ci.yml

@@ -1,150 +0,0 @@
-# gitzone standard
-image: hosttoday/ht-docker-node:npmci
-
-cache:
-  paths:
-  - .npmci_cache/
-  key: "$CI_BUILD_STAGE"
-
-stages:
-- security
-- test
-- release
-- metadata
-
-# ====================
-# security stage
-# ====================
-mirror:
-  stage: security
-  script:
-  - npmci git mirror
-  tags:
-  - docker
-  - notpriv
-
-snyk:
-  stage: security
-  script:
-    - npmci npm prepare
-    - npmci command npm install -g snyk
-    - npmci command npm install --ignore-scripts
-    - npmci command snyk test
-  tags:
-  - docker
-  - notpriv
-
-sast:
-  stage: security
-  image: registry.gitlab.com/hosttoday/ht-docker-dbase:npmci
-  variables:
-    DOCKER_DRIVER: overlay2
-  allow_failure: true
-  services:
-    - docker:stable-dind
-  script:
-    - npmci npm prepare
-    - npmci npm install
-    - npmci command npm run build
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
-        --volume "$PWD:/code"
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
-  artifacts:
-    reports:
-      sast: gl-sast-report.json
-  tags:
-  - docker
-  - priv
-
-# ====================
-# test stage
-# ====================
-
-testLTS:
-  stage: test
-  script:
-  - npmci npm prepare
-  - npmci node install lts
-  - npmci npm install
-  - npmci npm test
-  coverage: /\d+.?\d+?\%\s*coverage/
-  tags:
-  - docker
-  - notpriv
-    
-testSTABLE:
-  stage: test
-  script:
-  - npmci npm prepare
-  - npmci node install stable
-  - npmci npm install
-  - npmci npm test
-  coverage: /\d+.?\d+?\%\s*coverage/
-  tags:
-  - docker
-  - notpriv
-
-release:
-  stage: release
-  script:
-  - npmci node install stable
-  - npmci npm publish
-  only:
-  - tags
-  tags:
-  - docker
-  - notpriv
-
-# ====================
-# metadata stage
-# ====================
-codequality:
-  stage: metadata
-  image: docker:stable
-  allow_failure: true
-  services:
-    - docker:stable-dind
-  script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env SOURCE_CODE="$PWD"
-        --volume "$PWD":/code
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
-  artifacts:
-    paths: [codeclimate.json]
-  tags:
-  - docker
-  - priv
-
-trigger:
-  stage: metadata
-  script:
-  - npmci trigger
-  only:
-  - tags
-  tags:
-  - docker
-  - notpriv
-
-pages:
-  image: hosttoday/ht-docker-node:npmci
-  stage: metadata
-  script:
-    - npmci command npm install -g typedoc typescript
-    - npmci npm prepare
-    - npmci npm install
-    - npmci command typedoc --module "commonjs" --target "ES2016" --out public/ ts/
-  tags:
-    - docker
-    - notpriv
-  only:
-    - tags
-  artifacts:
-    expire_in: 1 week
-    paths:
-    - public
-  allow_failure: true

.snyk

@@ -1,12 +0,0 @@
-# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.12.0
-# ignores vulnerabilities until expiry date; change duration by modifying expiry date
-ignore:
-  'npm:node-forge:20180226':
-    - rsa-compat > node-forge:
-        reason: None given
-        expires: '2018-09-11T19:17:24.148Z'
-    - acme-v2 > rsa-compat > node-forge:
-        reason: None given
-        expires: '2018-09-11T19:17:24.148Z'
-patch: {}

.vscode/launch.json

@@ -0,0 +1,11 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "command": "npm test",
+      "name": "Run npm test",
+      "request": "launch",
+      "type": "node-terminal"
+    }
+  ]
+}

.vscode/settings.json

@@ -0,0 +1,26 @@
+{
+  "json.schemas": [
+    {
+      "fileMatch": ["/npmextra.json"],
+      "schema": {
+        "type": "object",
+        "properties": {
+          "npmci": {
+            "type": "object",
+            "description": "settings for npmci"
+          },
+          "gitzone": {
+            "type": "object",
+            "description": "settings for gitzone",
+            "properties": {
+              "projectType": {
+                "type": "string",
+                "enum": ["website", "element", "service", "npm", "wcc"]
+              }
+            }
+          }
+        }
+      }
+    }
+  ]
+}

README.md

@@ -1,63 +0,0 @@
-# smartacme
-
-acme implementation in TypeScript
-
-## Availabililty
-
-[![npm](https://umbrellazone.gitlab.io/assets/repo-button-npm.svg)](https://www.npmjs.com/package/smartacme)
-[![git](https://umbrellazone.gitlab.io/assets/repo-button-git.svg)](https://GitLab.com/umbrellazone/smartacme)
-[![git](https://umbrellazone.gitlab.io/assets/repo-button-mirror.svg)](https://github.com/umbrellazone/smartacme)
-[![docs](https://umbrellazone.gitlab.io/assets/repo-button-docs.svg)](https://umbrellazone.gitlab.io/smartacme/)
-
-## Status for master
-
-[![build status](https://GitLab.com/umbrellazone/smartacme/badges/master/build.svg)](https://GitLab.com/umbrellazone/smartacme/commits/master)
-[![coverage report](https://GitLab.com/umbrellazone/smartacme/badges/master/coverage.svg)](https://GitLab.com/umbrellazone/smartacme/commits/master)
-[![npm downloads per month](https://img.shields.io/npm/dm/smartacme.svg)](https://www.npmjs.com/package/smartacme)
-[![Dependency Status](https://david-dm.org/umbrellazone/smartacme.svg)](https://david-dm.org/umbrellazone/smartacme)
-[![bitHound Dependencies](https://www.bithound.io/github/umbrellazone/smartacme/badges/dependencies.svg)](https://www.bithound.io/github/umbrellazone/smartacme/master/dependencies/npm)
-[![bitHound Code](https://www.bithound.io/github/umbrellazone/smartacme/badges/code.svg)](https://www.bithound.io/github/umbrellazone/smartacme)
-[![TypeScript](https://img.shields.io/badge/TypeScript-2.x-blue.svg)](https://nodejs.org/dist/latest-v6.x/docs/api/)
-[![node](https://img.shields.io/badge/node->=%206.x.x-blue.svg)](https://nodejs.org/dist/latest-v6.x/docs/api/)
-[![JavaScript Style Guide](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)
-
-## Usage
-
-Use TypeScript for best in class instellisense.
-
-```javascript
-import { SmartAcme } from 'smartacme';
-
-let smac = new SmartAcme()(async () => {
-  // learn async/await, it'll make your life easier
-
-  // optionally accepts a filePath Arg with a stored acmeaccount.json
-  // will create an account and
-  let myAccount = await smac.createAcmeAccount();
-
-  // will return a dnsHash to set in your DNS record
-  let myCert = await myAccount.createAcmeCert('example.com');
-
-  // gets and accepts the specified challenge
-  // first argument optional, defaults to dns-01 (which is the cleanest method for production use)
-  let myChallenge = await myCert.getChallenge('dns-01');
-
-  /* ----------
-    Now you need to set the challenge in your DNS
-    myChallenge.domainNamePrefixed is the address for the record
-    myChallenge.dnsKeyHash is the ready to use txt record value expected by letsencrypt
-    -------------*/
-})();
-```
-
-## Other relevant npm modules
-
-| module name | description                                                         |
-| ----------- | ------------------------------------------------------------------- |
-| cert        | a higlevel production module that uses smartacme to manage certs    |
-| smartnginx  | a highlevel production tool for docker environments to manage nginx |
-
-> MIT licensed | **©** [Lossless GmbH](https://lossless.gmbh)
-> | By using this npm module you agree to our [privacy policy](https://lossless.gmbH/privacy.html)
-
-[![repo-footer](https://umbrellazone.gitlab.io/assets/repo-footer.svg)](https://umbrella.zone

changelog.md

@@ -0,0 +1,334 @@
+# Changelog
+
+## 2026-02-16 - 9.1.3 - fix(smartacme)
+Include base domain alongside wildcard when building identifiers for wildcard certificate requests
+
+- When isWildcardRequest is true, the base domain (e.g. example.com) is now added in addition to the wildcard (*.example.com) so the issued certificate covers both apex and wildcard entries.
+- Prevents missing SAN for the apex domain when requesting wildcard certificates.
+
+## 2026-02-15 - 9.1.2 - fix(docs)
+document built-in concurrency control, rate limiting, and request deduplication in README
+
+- Added a new 'Concurrency Control & Rate Limiting' section to the README describing per-domain mutex, global concurrency cap, and sliding-window account rate limiting (defaults: 1 per domain, 5 global, 250 per 3 hours).
+- Documented new SmartAcme options in the interface: maxConcurrentIssuances, maxOrdersPerWindow, and orderWindowMs.
+- Added example code showing configuration of the limits and an example of request deduplication behavior (multiple subdomain requests resolving to a single ACME order).
+- Added an example subscription to certIssuanceEvents and updated the components table with TaskManager entry.
+- Change is documentation-only (README) — no code changes; safe patch release.
+
+## 2026-02-15 - 9.1.1 - fix(deps)
+bump @push.rocks/smarttime to ^4.2.3 and @push.rocks/taskbuffer to ^6.1.2
+
+- @push.rocks/smarttime: ^4.1.1 -> ^4.2.3
+- @push.rocks/taskbuffer: ^6.1.0 -> ^6.1.2
+- Only package.json dependency version updates; no code changes
+
+## 2026-02-15 - 9.1.0 - feat(smartacme)
+Integrate @push.rocks/taskbuffer TaskManager to coordinate ACME certificate issuance with per-domain mutex, global concurrency cap, and account-level rate limiting; refactor issuance flow into a single reusable cert-issuance task, expose issuance events, and update lifecycle to start/stop the TaskManager. Add configuration for concurrent issuances and sliding-window order limits, export taskbuffer types/plugins, and update tests and docs accordingly.
+
+- Added dependency @push.rocks/taskbuffer and re-exported ITaskEvent/ITaskMetadata in ts/index.ts; also imported/exported taskbuffer in ts/plugins.ts.
+- Replaced interestMap coordination with TaskManager + TaskConstraintGroup(s): 'cert-domain-mutex' (per-domain mutex, resultSharingMode: 'share-latest'), 'acme-global-concurrency' (global concurrency cap), and 'acme-account-rate-limit' (sliding-window rate limiter).
+- Introduced a single reusable Task named 'cert-issuance' and moved the ACME issuance flow into performCertificateIssuance(), splitting progress into named steps (prepare/authorize/finalize/store) and using notifyStep() for observable progress.
+- Exposed certIssuanceEvents via SmartAcme.certIssuanceEvents and wired TaskManager.start()/stop() into SmartAcme.start()/stop().
+- Added new ISmartAcmeOptions: maxConcurrentIssuances, maxOrdersPerWindow, orderWindowMs to control concurrency and rate limiting.
+- Updated tests to remove interestMap stubs and adapt to the taskbuffer-based flow; cleaned up client/retry stubbing in tests.
+- Updated readme.hints.md with guidance on concurrency, rate limiting, and taskbuffer integration.
+
+## 2026-02-15 - 9.0.1 - fix(acme-http-client)
+Destroy keep-alive HTTP agents and DNS client on shutdown to allow process exit; add destroy() on AcmeHttpClient and AcmeClient, wire agents into requests, and call client/smartdns destroy during SmartAcme.stop; documentation clarifications and expanded README (error handling, examples, default retry values).
+
+- ts/acme/acme.classes.http-client.ts: added per-protocol http/https agents (keepAlive: false), use agent for outgoing requests, and added destroy() to explicitly destroy agents and free sockets.
+- ts/acme/acme.classes.client.ts: added destroy() that forwards to the HTTP client to allow transport cleanup.
+- ts/smartacme.classes.smartacme.ts: SmartAcme.stop now calls client.destroy() and smartdns.destroy() (when present) to ensure child processes and sockets are terminated before exit; also ensures certmanager.close() is awaited.
+- readme.md: documentation improvements and clarifications (Let’s Encrypt spelling, added RFC 8555 compliance note, error handling / AcmeError usage examples, default retry parameter docs, UI/emoji improvements, and other wording/formatting updates).
+
+## 2026-02-15 - 9.0.0 - BREAKING CHANGE(acme)
+Replace external acme-client with a built-in RFC8555-compliant ACME implementation and update public APIs accordingly
+
+- Add complete TypeScript ACME implementation under ts/acme (AcmeClient, AcmeCrypto, AcmeHttpClient, AcmeAccount, AcmeOrderManager, AcmeChallengeManager, AcmeError, interfaces, ACME_DIRECTORY_URLS).
+- Implement JWK/JWK-thumbprint, JWS creation, nonce management, bad-nonce retries, Retry-After handling, CSR generation via @peculiar/x509 and node:crypto.
+- Update SmartAcme to use the new AcmeClient/AcmeCrypto API (e.g. plugins.acme.AcmeClient, accountKeyPem) and add AcmeError-aware retry/backoff logic.
+- Remove dependency on the external acme-client and other unused packages; add @peculiar/x509 and bump multiple dependency/devDependency versions.
+- Add/adjust tests (unit tests for crypto, challenge, error handling) and update test imports to @git.zone/tstest; update README/readme.hints and npmextra.json to reflect implementation and publishing changes.
+
+## 2025-05-19 - 8.0.0 - BREAKING CHANGE(smartacme)
+Make wildcard certificates opt-in to fix HTTP-01 only configurations
+
+- BREAKING CHANGE: Wildcard certificates are no longer automatically requested for all domains
+- Added 'includeWildcard' option to getCertificateForDomain() to explicitly request wildcard certificates
+- HTTP-01 only configurations now work correctly as they do not try to request wildcard certificates automatically
+- Updated certificate CSR generation to match the requested domain configuration
+
+## 2025-05-19 - 7.4.0 - feat(smartacme)
+Make wildcard certificates opt-in to fix HTTP-01 only configurations
+
+- BREAKING CHANGE: Wildcard certificates are no longer automatically requested for all domains
+- Added `includeWildcard` option to `getCertificateForDomain()` to explicitly request wildcards
+- HTTP-01 only configurations now work correctly as they no longer attempt wildcard certificates
+- Wildcard certificates require DNS-01 handler and must be explicitly requested
+- Updated certificate CSR generation to match the requested domain configuration
+
+## 2025-05-18 - 7.3.4 - fix(smartacme)
+Refine documentation and tests for improved clarity in ACME certificate management
+
+- Enhanced the README with detailed usage, configuration, and example sections
+- Refined test cases for certificate matching and challenge handlers across DNS-01 and HTTP-01
+- Updated TypeScript definitions and inline comments for better developer experience
+
+## 2025-05-05 - 7.3.3 - fix(SmartAcme)
+Remove duplicate challengeHandlers declaration from SmartAcme class
+
+- Eliminated the redundant private declaration of challengeHandlers since it is already defined as a public property
+- Ensures a single source of truth and clearer interface for challenge handler configuration
+
+## 2025-05-05 - 7.3.2 - fix(test)
+Add missing checkWetherDomainIsSupported implementation to DummyHandler for interface compliance in tests
+
+- Implemented the missing checkWetherDomainIsSupported method in the DummyHandler to satisfy IChallengeHandler interface requirements
+- Ensured that tests now correctly instantiate the DummyHandler without interface errors
+
+## 2025-05-05 - 7.3.1 - fix(core)
+Refactor import paths and update dependency references
+
+- Replaced deprecated 'smartacme.plugins.js' with the new 'plugins.js' across cert managers, handlers, and core classes
+- Added missing dependencies (@push.rocks/smartfile and @push.rocks/smartnetwork) in package.json
+- Updated HTTP challenge handlers to include domain support checks via checkWetherDomainIsSupported
+- Adjusted import paths in MongoCertManager, MemoryCertManager, and DNS-01 handler for consistency
+
+## 2025-05-05 - 7.3.0 - feat(index)
+Bump @tsclass/tsclass to 9.2.0 and update module exports to include handlers
+
+- Upgrade @tsclass/tsclass dependency from 9.1.0 to 9.2.0 in package.json
+- Add explicit export of handlers in ts/index.ts to improve module accessibility
+
+## 2025-05-05 - 7.2.5 - fix(smartacme)
+Refactor module exports and update wildcard certificate support documentation
+
+- Updated readme.plan.md to streamline and remove obsolete wildcard plan details
+- Normalized certmanager imports by consolidating exports in ts/index.ts and updating tests accordingly
+- Reordered ISmartAcmeOptions interface properties for clarity (accountEmail moved to the top)
+
+## 2025-05-04 - 7.2.4 - fix(test)
+Refactor wildcard certificate test to properly stub SmartAcme.start and getCertificateForDomain for robust integration.
+
+- Temporarily override SmartAcme.start and getCertificateForDomain to simulate wildcard certificate behavior.
+- Restore original prototype methods post-test to prevent side effects.
+- Improve test clarity for wildcard certificate integration.
+
+## 2025-05-01 - 7.2.3 - fix(docs)
+Improve certificate manager documentation with detailed examples and custom implementation guide
+
+- Added usage examples for MemoryCertManager and MongoCertManager
+- Provided a custom ICertManager implementation guide
+- Enhanced overall documentation clarity for certificate storage configuration
+
+## 2025-05-01 - 7.2.2 - fix(readme)
+Update readme documentation: switch installation instructions to pnpm and clarify usage with MongoCertManager and updated SmartAcme options
+
+- Replaced npm/yarn commands with pnpm commands for installation and testing.
+- Added guidance to ensure the project is set up for TypeScript and ECMAScript Modules.
+- Updated usage examples to include initialization of MongoCertManager instead of legacy mongoDescriptor.
+- Revised challenge handlers examples to reference the current API signatures.
+
+## 2025-05-01 - 7.2.1 - fix(smartacme)
+Centralize interest map coordination and remove redundant interestMap from cert managers
+
+- Removed interestMap property and related logic from MemoryCertManager and MongoCertManager
+- Refactored SmartAcme to instantiate its own interestMap for coordinating certificate requests
+- Updated getCertificateForDomain to use the new interestMap for checking and adding certificate interests
+
+## 2025-05-01 - 7.2.0 - feat(core)
+Refactor SmartAcme core to centralize interest coordination and update dependencies
+
+- Moved interest coordination mechanism out of ICertManager implementations and into SmartAcme core
+- Updated certificate managers (MemoryCertManager and MongoCertManager) to remove redundant interestMap handling
+- Upgraded @push.rocks/tapbundle from 6.0.1 to 6.0.3 in package.json
+- Revised readme.plan.md to reflect the new interest coordination approach
+
+## 2025-04-30 - 7.1.0 - feat(certmanagers/integration)
+Add optional wipe methods to certificate managers and update integration tests, plus bump tapbundle dependency
+
+- Introduce wipe() in ICertManager to support integration testing by clearing stored certificates
+- Implement wipe() in MemoryCertManager and MongoCertManager for resetting internal state
+- Refactor SmartAcme constructor to consider wiping certificates in integration mode (commented out for now)
+- Update integration test assertions and add console logging for domain certificate retrieval
+- Upgrade @push.rocks/tapbundle from ^6.0.0 to ^6.0.1
+
+## 2025-04-30 - 7.0.0 - BREAKING CHANGE(SmartAcme (Cert Management))
+Refactor certificate management and challenge handling API to use a unified certManager interface, remove legacy storage, and update challenge workflows.
+
+- Introduce ICertManager interface with MemoryCertManager and MongoCertManager implementations.
+- Remove the legacy SmartacmeCertManager and update SmartAcme to require a certManager option instead of mongoDescriptor.
+- Adjust certificate renewal logic to delete and store certificates through the new certManager API.
+- Refine DNS-01 challenge handling by removing in-handler DNS propagation waiting and relying on external checks.
+- Increase retry settings for robustness during challenge verification and certificate issuance.
+- Update integration and unit tests to use the new certManager configuration.
+
+## 2025-04-30 - 6.2.0 - feat(handlers)
+Add in-memory HTTP-01 challenge handler and rename file-based handler to Http01Webroot
+
+- Renamed Http01Handler to Http01Webroot in both implementation and documentation
+- Introduced Http01MemoryHandler for diskless HTTP-01 challenges
+- Updated tests and README examples to reflect handler name changes and new feature
+
+## 2025-04-30 - 6.1.3 - fix(Dns01Handler)
+Update dependency versions and refine Dns01Handler implementation
+
+- Bump '@apiclient.xyz/cloudflare' to ^6.4.1 and '@tsclass/tsclass' to ^9.1.0 in package.json
+- Remove duplicate Cloudflare import in smartacme.plugins.ts
+- Refactor Dns01Handler to use IConvenientDnsProvider and add checkWetherDomainIsSupported method
+- Align devDependencies versions for improved consistency
+
+## 2025-04-27 - 6.1.2 - fix(repo)
+Update repository metadata by replacing the LICENSE file with a license.md file for improved consistency.
+
+- Removed the old LICENSE file.
+- Introduced license.md as the new license documentation file.
+
+## 2025-04-27 - 6.1.1 - fix(readme)
+Fix license link reference in documentation
+
+- Updated the license link from [license](license) to [license.md](license.md) in the License and Legal Information section
+
+## 2025-04-27 - 6.1.0 - feat(readme)
+Update documentation with detailed built-in challenge handlers and custom handler examples
+
+- Expanded readme to include sections on Dns01Handler and Http01Handler usage
+- Added examples for creating and registering custom ACME challenge handlers
+- Improved clarity of ACME certificate management instructions using SmartAcme
+
+## 2025-04-27 - 6.0.1 - fix(readme)
+Remove extraneous code fence markers from license section in readme
+
+- Removed unnecessary triple backticks wrapping the license information
+- Improved clarity of the license section in the documentation
+
+## 2025-04-27 - 6.0.0 - BREAKING CHANGE(SmartAcme)
+Refactor challenge handling by removing legacy setChallenge/removeChallenge in favor of pluggable challengeHandlers and update documentation and tests accordingly
+
+- Removed legacy challenge methods and introduced new 'challengeHandlers' and 'challengePriority' options
+- Updated readme examples to demonstrate usage with DNS-01 (and HTTP-01) handlers
+- Refactored internal SmartAcme flow to select and process challenges via the new handler interface
+- Adjusted tests (including integration tests) to align with the updated challenge handling mechanism
+
+## 2025-04-27 - 5.1.0 - feat(smartacme)
+Implement exponential backoff retry logic and graceful shutdown handling in SmartAcme; update acme-client dependency to v5.4.0
+
+- Added retry helper with exponential backoff for ACME client operations
+- Introduced retryOptions in ISmartAcmeOptions for configurable retry parameters
+- Enhanced graceful shutdown handling by cleaning up pending DNS challenges on signal
+- Updated acme-client dependency from v4.2.5 to v5.4.0
+
+## 2025-04-26 - 5.0.1 - fix(build)
+Update CI workflows, bump dependency versions, and refine import and TypeScript configuration
+
+- Changed CI workflow image and npmci package from '@shipzone/npmci' to '@ship.zone/npmci', and updated repository URLs
+- Bumped several dependency versions in package.json (e.g. @api.global/typedserver, @push.rocks/lik, @push.rocks/smartdata, @push.rocks/smartdns, @tsclass/tsclass) to newer releases
+- Adjusted smartdns import to use the smartdnsClient module for proper module resolution
+- Updated tsconfig.json to add emitDecoratorMetadata and baseUrl settings
+- Minor markdown and formatting tweaks in readme and gitignore files, and slight improvements in test async handling
+
+## 2024-06-16 - 5.0.0 - No significant changes  
+This release contains no user‑facing changes.
+
+## 2024-06-16 - 4.0.8 - Structure and configuration updates  
+- BREAKING CHANGE(structure): renamed classes to avoid confusion  
+- update description  
+- update tsconfig  
+- update npmextra.json: githost
+
+## 2024-01-28 - 4.0.7–4.0.6 - Internal fixes and updates  
+- A series of releases with routine bug fixes and maintenance updates.
+
+## 2023-07-21 - 4.0.5–4.0.4 - Internal fixes and updates  
+- Multiple releases addressing internal issues and maintenance improvements.
+
+## 2023-07-10 - 4.0.3 - Organizational changes  
+- switch to new org scheme
+
+## 2022-09-27 - 4.0.0–4.0.2 - Internal fixes and updates  
+- Routine maintenance and internal bug fixes.
+
+## 2022-09-27 - 3.0.15 - Breaking changes  
+- BREAKING CHANGE(core): update
+
+## 2021-01-22 - 3.0.9–3.0.14 - Internal fixes and updates  
+- A range of releases focused on routine internal updates.
+
+## 2020-11-18 - 3.0.0–3.0.8 - Internal fixes and updates  
+- Routine maintenance and internal bug fixes.
+
+## 2020-02-10 - 2.1.2 - Breaking changes  
+- BREAKING CHANGE(core): streamline scope to certificate retrieval using dns challenge
+
+## 2020-02-10 - 2.1.0–2.1.1 - Internal fixes and updates  
+- Routine fixes and updates.
+
+## 2019-02-06 - 2.0.36 - New feature  
+- feat(Cert): now has validity check
+
+## 2019-01-18 - 2.0.2–2.0.35 - Internal fixes and updates  
+- Routine internal updates and maintenance.
+
+## 2018-10-07 - 2.0.0–2.0.1 - Internal fixes and updates  
+- Routine internal updates and maintenance.
+
+## 2018-10-07 - 1.1.4 - Breaking changes  
+- BREAKING CHANGE(scope): change to @pushrocks
+
+## 2018-08-12 - 1.1.1 - NPM publishing fix  
+- fix(npm publishing): update
+
+## 2018-08-11 - 1.1.0 - Certificate issuance update  
+- fix(core): now creating certs all right
+
+## 2018-08-11 - 1.0.11 - Feature update  
+- feat(swaitch to acme-v2): switch to letsencrypt v2
+
+## 2017-04-28 - 1.0.10 - CI improvements  
+- add updated ci config
+
+## 2017-04-28 - 1.0.9 - Standards update  
+- update to latest standards
+
+## 2017-01-27 - 1.0.8 - Basic functionality  
+- basic functionality
+
+## 2017-01-25 - 1.0.7 - Response and validation improvements  
+- now getting a valid response  
+- update validation  
+- improve README
+
+## 2017-01-15 - 1.0.6 - Async and documentation improvements  
+- improve README  
+- add async checkDNS
+
+## 2017-01-15 - 1.0.5 - Standards and process updates  
+- update to new standards  
+- now has working requestValidation method  
+- fix som things  
+- start better segregation of concerns  
+- start with certificate signing process
+
+## 2017-01-01 - 1.0.4 - Certificate acquisition improvements  
+- now getting certificates  
+- can now agree to TOS  
+- remove test keys
+
+## 2017-01-01 - 1.0.3 - NPM extra configuration  
+- add npmextra.json
+
+## 2017-01-01 - 1.0.2 - README and integration update  
+- add better readme  
+- switch to rawacme for more basic letsencrypt access
+
+## 2016-11-17 - 1.0.1 - Promise fix  
+- fix promise
+
+## 2016-11-17 - 1.0.0 - Major initial release changes  
+- remove superflouous key creation  
+- switch to acme core  
+- prepare switch to le‑acme‑core  
+- improve upon keyCreation  
+- update to use more promises  
+- add README  
+- first version

license.md

@@ -1,4 +1,4 @@
-Copyright (C) 2016, Lossless GmbH
+Copyright (C) 2016, Task Venture Capital GmbH
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

npmextra.json

@@ -1,6 +1,44 @@
 {
-  "npmci": {
-    "npmGlobalTools": [],
-    "npmAccessLevel": "public"
+  "@git.zone/cli": {
+    "projectType": "npm",
+    "module": {
+      "githost": "code.foss.global",
+      "gitscope": "push.rocks",
+      "gitrepo": "smartacme",
+      "description": "A TypeScript-based ACME client for LetsEncrypt certificate management with a focus on simplicity and power.",
+      "npmPackagename": "@push.rocks/smartacme",
+      "license": "MIT",
+      "projectDomain": "push.rocks",
+      "keywords": [
+        "ACME",
+        "LetsEncrypt",
+        "TypeScript",
+        "certificate management",
+        "DNS challenges",
+        "SSL/TLS",
+        "secure communication",
+        "domain validation",
+        "automation",
+        "crypto",
+        "MongoDB",
+        "dns-01 challenge",
+        "token-based challenges",
+        "certificate renewal",
+        "wildcard certificates"
+      ]
+    },
+    "release": {
+      "registries": [
+        "https://verdaccio.lossless.digital",
+        "https://registry.npmjs.org"
+      ],
+      "accessLevel": "public"
+    }
+  },
+  "@git.zone/tsdoc": {
+    "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+  },
+  "@ship.zone/szci": {
+    "npmGlobalTools": []
   }
 }

package.json

@@ -1,52 +1,82 @@
 {
-  "name": "@pushrocks/smartacme",
-  "version": "2.0.32",
+  "name": "@push.rocks/smartacme",
+  "version": "9.1.3",
   "private": false,
-  "description": "acme implementation in TypeScript",
-  "main": "dist/index.js",
-  "typings": "dist/index.d.ts",
+  "description": "A TypeScript-based ACME client for LetsEncrypt certificate management with a focus on simplicity and power.",
+  "main": "dist_ts/index.js",
+  "typings": "dist_ts/index.d.ts",
+  "type": "module",
   "scripts": {
-    "test": "(tstest test/)",
-    "build": "(tsbuild)"
+    "test": "(tstest test/ --verbose --logfile --timeout 600)",
+    "build": "(tsbuild)",
+    "buildDocs": "tsdoc"
   },
   "repository": {
     "type": "git",
-    "url": "git+ssh://git@gitlab.com/umbrellazone/smartacme.git"
+    "url": "https://code.foss.global/push.rocks/smartacme.git"
   },
   "keywords": [
+    "ACME",
+    "LetsEncrypt",
     "TypeScript",
-    "acme",
-    "letsencrypt"
+    "certificate management",
+    "DNS challenges",
+    "SSL/TLS",
+    "secure communication",
+    "domain validation",
+    "automation",
+    "crypto",
+    "MongoDB",
+    "dns-01 challenge",
+    "token-based challenges",
+    "certificate renewal",
+    "wildcard certificates"
   ],
-  "author": "Lossless GmbH",
+  "author": "Task Venture Capital GmbH",
   "license": "MIT",
   "bugs": {
-    "url": "https://gitlab.com/umbrellazone/smartacme/issues"
+    "url": "https://code.foss.global/push.rocks/smartacme/issues"
   },
-  "homepage": "https://gitlab.com/umbrellazone/smartacme#README",
+  "homepage": "https://code.foss.global/push.rocks/smartacme#readme",
   "dependencies": {
-    "@pushrocks/lik": "^3.0.4",
-    "@pushrocks/smartdata": "^3.1.13",
-    "@pushrocks/smartdelay": "^2.0.2",
-    "@pushrocks/smartdns": "^3.0.8",
-    "@pushrocks/smartexpress": "^3.0.6",
-    "@pushrocks/smartlog": "^2.0.11",
-    "@pushrocks/smartpromise": "^2.0.5",
-    "@pushrocks/smartrequest": "^1.1.14",
-    "@pushrocks/smartstring": "^3.0.8",
-    "@pushrocks/smarttime": "^3.0.5",
-    "@pushrocks/smartunique": "^3.0.1",
-    "acme-client": "2.2.2"
+    "@apiclient.xyz/cloudflare": "^7.1.0",
+    "@peculiar/x509": "^1.14.3",
+    "@push.rocks/lik": "^6.2.2",
+    "@push.rocks/smartdata": "^7.0.15",
+    "@push.rocks/smartdelay": "^3.0.5",
+    "@push.rocks/smartdns": "^7.8.1",
+    "@push.rocks/smartlog": "^3.1.10",
+    "@push.rocks/smartnetwork": "^4.4.0",
+    "@push.rocks/smartstring": "^4.1.0",
+    "@push.rocks/smarttime": "^4.2.3",
+    "@push.rocks/smartunique": "^3.0.9",
+    "@push.rocks/taskbuffer": "^6.1.2",
+    "@tsclass/tsclass": "^9.3.0"
   },
   "devDependencies": {
-    "@gitzone/tsbuild": "^2.1.4",
-    "@gitzone/tsrun": "^1.1.17",
-    "@gitzone/tstest": "^1.0.18",
-    "@mojoio/cloudflare": "^2.0.0",
-    "@pushrocks/qenv": "^4.0.0",
-    "@pushrocks/tapbundle": "^3.0.7",
-    "@types/node": "^10.12.18",
-    "tslint": "^5.12.1",
-    "tslint-config-prettier": "^1.17.0"
+    "@git.zone/tsbuild": "^4.1.2",
+    "@git.zone/tsrun": "^2.0.1",
+    "@git.zone/tstest": "^3.1.8",
+    "@push.rocks/qenv": "^6.1.3",
+    "@types/node": "^25.2.3"
+  },
+  "files": [
+    "ts/**/*",
+    "ts_web/**/*",
+    "dist/**/*",
+    "dist_*/**/*",
+    "dist_ts/**/*",
+    "dist_ts_web/**/*",
+    "assets/**/*",
+    "cli.js",
+    "npmextra.json",
+    "readme.md"
+  ],
+  "browserslist": [
+    "last 1 chrome versions"
+  ],
+  "packageManager": "pnpm@10.7.0+sha512.6b865ad4b62a1d9842b61d674a393903b871d9244954f652b8842c2b553c72176b278f64c463e52d40fff8aba385c235c8c9ecf5cc7de4fd78b8bb6d49633ab6",
+  "pnpm": {
+    "overrides": {}
   }
 }

qenv.yml

@@ -1,6 +1,5 @@
 required:
-  - CF_EMAIL
-  - CF_KEY
+  - CF_TOKEN
   - MONGODB_URL
   - MONGODB_PASSWORD
   - MONGODB_DATABASE

readme.hints.md

@@ -0,0 +1,52 @@
+- this repo is dependent on letsencrypt and its limits
+- to simpify the outside API, smartacme is stateful, meaning it works with a mongodb and a collection called 'SmartacmeCert'.
+
+## Certificate Request Behavior
+
+As of v7.4.0, SmartAcme no longer automatically requests wildcard certificates for all domain requests. This change was made to fix issues with HTTP-01 only configurations which cannot validate wildcard domains.
+
+- By default, `getCertificateForDomain('example.com')` only requests a certificate for `example.com`
+- To request both regular and wildcard certificates, use `getCertificateForDomain('example.com', { includeWildcard: true })`
+- Wildcard certificates require a DNS-01 challenge handler to be configured
+- Direct wildcard requests like `getCertificateForDomain('*.example.com')` only request the wildcard certificate
+
+This change ensures HTTP-01 only configurations work properly while still allowing wildcard certificates when needed and supported.
+
+## ACME Protocol Implementation
+
+As of v8.1.0, the `acme-client` npm package has been replaced with a custom OOP implementation under `ts/acme/`. This uses `node:crypto` for all cryptographic operations and `@peculiar/x509` solely for CSR generation. The implementation follows RFC 8555.
+
+Key files:
+- `ts/acme/acme.classes.client.ts` — Top-level facade (`AcmeClient`), accepts optional `logger` callback
+- `ts/acme/acme.classes.crypto.ts` — Key gen, JWK, JWS signing, CSR (`AcmeCrypto`)
+- `ts/acme/acme.classes.http-client.ts` — JWS-signed HTTP transport with nonce management and logging
+- `ts/acme/acme.classes.error.ts` — Structured `AcmeError` with type URN, subproblems, Retry-After, `isRetryable`/`isRateLimited`
+- `ts/acme/acme.classes.account.ts` — Account registration
+- `ts/acme/acme.classes.order.ts` — Order lifecycle + polling
+- `ts/acme/acme.classes.challenge.ts` — Key authorization + challenge completion
+- `ts/acme/acme.classes.directory.ts` — CA directory URL constants (`ACME_DIRECTORY_URLS`)
+
+Usage in `ts/plugins.ts`: `import * as acme from './acme/index.js'` (replaces `acme-client`)
+
+## Concurrency & Rate Limiting (taskbuffer integration)
+
+As of v9.1.0, `@push.rocks/lik.InterestMap` was replaced with `@push.rocks/taskbuffer.TaskManager` for coordinating concurrent certificate requests. This provides:
+
+- **Per-domain mutex** (`cert-domain-mutex`): Only one ACME issuance per TLD at a time, with `resultSharingMode: 'share-latest'` so queued callers get the same result without re-issuing.
+- **Global concurrency cap** (`acme-global-concurrency`): Limits total parallel ACME operations (default 5, configurable via `maxConcurrentIssuances`).
+- **Account-level rate limiting** (`acme-account-rate-limit`): Sliding-window rate limit (default 250 orders per 3 hours, configurable via `maxOrdersPerWindow`/`orderWindowMs`) to stay under Let's Encrypt limits.
+- **Step-based progress**: The cert issuance task uses `notifyStep()` for prepare/authorize/finalize/store phases, observable via `smartAcme.certIssuanceEvents`.
+
+Key implementation details:
+- A single reusable `Task` named `cert-issuance` handles all domains via `triggerTaskConstrained()` with different inputs.
+- The `shouldExecute` callback on the domain mutex checks the certmanager cache as a safety net.
+- `TaskManager.start()` is called in `SmartAcme.start()` and `TaskManager.stop()` in `SmartAcme.stop()`.
+- The "no cronjobs specified" log messages during tests come from taskbuffer's internal CronManager polling — harmless noise when no cron tasks are scheduled.
+
+## Dependency Notes
+
+- `acme-client` was replaced with custom implementation in `ts/acme/` + `@peculiar/x509` for CSR generation
+- `@push.rocks/smartfile`, `@api.global/typedserver`, `@push.rocks/smartrequest`, `@push.rocks/smartpromise` were removed as unused dependencies in v8.1.0
+- The `@apiclient.xyz/cloudflare` `convenience` namespace is deprecated but still functional. The `Dns01Handler` accepts an `IConvenientDnsProvider` interface which remains stable.
+- Test imports use `@git.zone/tstest/tapbundle` (not `@push.rocks/tapbundle`)
+- Build uses `tsbuild` (no flags needed, v4+)

readme.md

@@ -0,0 +1,410 @@
+# @push.rocks/smartacme
+
+A TypeScript-based ACME client for Let's Encrypt certificate management with a focus on simplicity and power. 🔒
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## Install
+
+```bash
+pnpm add @push.rocks/smartacme
+```
+
+Ensure your project uses TypeScript and ECMAScript Modules (ESM).
+
+## Usage
+
+`@push.rocks/smartacme` automates the full ACME certificate lifecycle — obtaining, renewing, and storing SSL/TLS certificates from Let's Encrypt. It features a built-in RFC 8555-compliant ACME protocol implementation, pluggable challenge handlers (DNS-01, HTTP-01), pluggable certificate storage backends (MongoDB, in-memory, or your own), structured error handling with smart retry logic, and built-in concurrency control with rate limiting to keep you safely within Let's Encrypt limits.
+
+### 🚀 Quick Start
+
+```typescript
+import { SmartAcme, certmanagers, handlers } from '@push.rocks/smartacme';
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+
+// 1. Set up a certificate manager (MongoDB or in-memory)
+const certManager = new certmanagers.MongoCertManager({
+  mongoDbUrl: 'mongodb://localhost:27017',
+  mongoDbName: 'myapp',
+  mongoDbPass: 'secret',
+});
+
+// 2. Set up challenge handlers
+const cfAccount = new cloudflare.CloudflareAccount('YOUR_CF_API_TOKEN');
+const dnsHandler = new handlers.Dns01Handler(cfAccount);
+
+// 3. Create and start SmartAcme
+const smartAcme = new SmartAcme({
+  accountEmail: 'admin@example.com',
+  certManager,
+  environment: 'production', // or 'integration' for staging
+  challengeHandlers: [dnsHandler],
+});
+
+await smartAcme.start();
+
+// 4. Get a certificate
+const cert = await smartAcme.getCertificateForDomain('example.com');
+console.log(cert.publicKey);  // PEM certificate chain
+console.log(cert.privateKey); // PEM private key
+
+// 5. Clean up
+await smartAcme.stop();
+```
+
+### ⚙️ SmartAcme Options
+
+```typescript
+interface ISmartAcmeOptions {
+  accountEmail: string;                      // ACME account email
+  accountPrivateKey?: string;                // Optional account key (auto-generated if omitted)
+  certManager: ICertManager;                 // Certificate storage backend
+  environment: 'production' | 'integration'; // Let's Encrypt environment
+  challengeHandlers: IChallengeHandler[];    // At least one handler required
+  challengePriority?: string[];              // e.g. ['dns-01', 'http-01']
+  retryOptions?: {                           // Optional retry/backoff config
+    retries?: number;                        // Default: 10
+    factor?: number;                         // Default: 4
+    minTimeoutMs?: number;                   // Default: 1000
+    maxTimeoutMs?: number;                   // Default: 60000
+  };
+  // Concurrency & rate limiting
+  maxConcurrentIssuances?: number;           // Global cap on parallel ACME ops (default: 5)
+  maxOrdersPerWindow?: number;               // Max orders in sliding window (default: 250)
+  orderWindowMs?: number;                    // Sliding window duration in ms (default: 3 hours)
+}
+```
+
+### 📜 Getting Certificates
+
+```typescript
+// Standard certificate for a single domain
+const cert = await smartAcme.getCertificateForDomain('example.com');
+
+// Include wildcard coverage (requires DNS-01 handler)
+// Issues a single cert covering example.com AND *.example.com
+const certWithWildcard = await smartAcme.getCertificateForDomain('example.com', {
+  includeWildcard: true,
+});
+
+// Request wildcard only
+const wildcardCert = await smartAcme.getCertificateForDomain('*.example.com');
+```
+
+Certificates are automatically cached and reused when still valid. Renewal happens automatically when a certificate is within 10 days of expiration.
+
+### 📦 Certificate Object
+
+The returned `SmartacmeCert` (also exported as `Cert`) object has these properties:
+
+| Property     | Type     | Description                          |
+|-------------|----------|--------------------------------------|
+| `id`        | `string` | Unique certificate identifier        |
+| `domainName`| `string` | Domain the cert is issued for        |
+| `publicKey` | `string` | PEM-encoded certificate chain        |
+| `privateKey`| `string` | PEM-encoded private key              |
+| `csr`       | `string` | Certificate Signing Request          |
+| `created`   | `number` | Timestamp of creation                |
+| `validUntil`| `number` | Timestamp of expiration              |
+
+Useful methods:
+
+```typescript
+cert.isStillValid();    // true if not expired
+cert.shouldBeRenewed(); // true if expires within 10 days
+```
+
+## 🔀 Concurrency Control & Rate Limiting
+
+When many callers request certificates concurrently (e.g., hundreds of subdomains under the same TLD), SmartAcme automatically handles deduplication, concurrency, and rate limiting using a built-in task manager powered by `@push.rocks/taskbuffer`.
+
+### How It Works
+
+Three constraint layers protect your ACME account:
+
+| Layer | What It Does | Default |
+|-------|-------------|---------|
+| **Per-domain mutex** | Only one issuance runs per base domain at a time. Concurrent requests for the same domain automatically wait and receive the same certificate result. | 1 concurrent per domain |
+| **Global concurrency cap** | Limits total parallel ACME operations across all domains. | 5 concurrent |
+| **Account rate limit** | Sliding-window rate limiter that keeps you under Let's Encrypt's 300 orders/3h account limit. | 250 per 3 hours |
+
+### 🛡️ Automatic Request Deduplication
+
+If 100 requests come in for subdomains of `example.com` simultaneously, only **one** ACME issuance runs. All other callers automatically wait and receive the same certificate — no duplicate orders, no wasted rate limit budget.
+
+```typescript
+// These all resolve to the same certificate with a single ACME order:
+const results = await Promise.all([
+  smartAcme.getCertificateForDomain('app.example.com'),
+  smartAcme.getCertificateForDomain('api.example.com'),
+  smartAcme.getCertificateForDomain('cdn.example.com'),
+]);
+```
+
+### ⚡ Configuring Limits
+
+```typescript
+const smartAcme = new SmartAcme({
+  accountEmail: 'admin@example.com',
+  certManager,
+  environment: 'production',
+  challengeHandlers: [dnsHandler],
+  maxConcurrentIssuances: 10,     // Allow up to 10 parallel ACME issuances
+  maxOrdersPerWindow: 200,        // Cap at 200 orders per window
+  orderWindowMs: 2 * 60 * 60_000, // 2-hour sliding window
+});
+```
+
+### 📊 Observing Issuance Progress
+
+Subscribe to the `certIssuanceEvents` stream to observe certificate issuance progress in real-time:
+
+```typescript
+smartAcme.certIssuanceEvents.subscribe((event) => {
+  switch (event.type) {
+    case 'started':
+      console.log(`🔄 Issuance started: ${event.task.name}`);
+      break;
+    case 'step':
+      console.log(`📍 Step: ${event.stepName} (${event.task.currentProgress}%)`);
+      break;
+    case 'completed':
+      console.log(`✅ Issuance completed: ${event.task.name}`);
+      break;
+    case 'failed':
+      console.log(`❌ Issuance failed: ${event.error}`);
+      break;
+  }
+});
+```
+
+Each issuance goes through four steps: **prepare** (10%) → **authorize** (40%) → **finalize** (30%) → **store** (20%).
+
+## Certificate Managers
+
+SmartAcme uses the `ICertManager` interface for pluggable certificate storage.
+
+### 🗄️ MongoCertManager
+
+Persistent storage backed by MongoDB using `@push.rocks/smartdata`:
+
+```typescript
+import { certmanagers } from '@push.rocks/smartacme';
+
+const certManager = new certmanagers.MongoCertManager({
+  mongoDbUrl: 'mongodb://localhost:27017',
+  mongoDbName: 'myapp',
+  mongoDbPass: 'secret',
+});
+```
+
+### 🧪 MemoryCertManager
+
+In-memory storage, ideal for testing or ephemeral workloads:
+
+```typescript
+import { certmanagers } from '@push.rocks/smartacme';
+
+const certManager = new certmanagers.MemoryCertManager();
+```
+
+### 🔧 Custom Certificate Manager
+
+Implement the `ICertManager` interface for your own storage backend:
+
+```typescript
+import type { ICertManager, Cert } from '@push.rocks/smartacme';
+
+class RedisCertManager implements ICertManager {
+  async init(): Promise<void> { /* connect */ }
+  async retrieveCertificate(domainName: string): Promise<Cert | null> { /* lookup */ }
+  async storeCertificate(cert: Cert): Promise<void> { /* save */ }
+  async deleteCertificate(domainName: string): Promise<void> { /* remove */ }
+  async close(): Promise<void> { /* disconnect */ }
+  async wipe(): Promise<void> { /* clear all */ }
+}
+```
+
+## Challenge Handlers
+
+SmartAcme ships with three built-in ACME challenge handlers. All implement `IChallengeHandler<T>`.
+
+### 🌐 Dns01Handler
+
+Uses Cloudflare (or any `IConvenientDnsProvider`) to set and remove DNS TXT records for `dns-01` challenges:
+
+```typescript
+import { handlers } from '@push.rocks/smartacme';
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+
+const cfAccount = new cloudflare.CloudflareAccount('YOUR_CF_TOKEN');
+const dnsHandler = new handlers.Dns01Handler(cfAccount);
+```
+
+DNS-01 is **required** for wildcard certificates and works regardless of server accessibility.
+
+### 📁 Http01Webroot
+
+Writes challenge response files to a filesystem webroot for `http-01` validation:
+
+```typescript
+import { handlers } from '@push.rocks/smartacme';
+
+const httpHandler = new handlers.Http01Webroot({
+  webroot: '/var/www/html',
+});
+```
+
+The handler writes to `<webroot>/.well-known/acme-challenge/<token>` and cleans up after validation.
+
+### 🧠 Http01MemoryHandler
+
+In-memory HTTP-01 handler — stores challenge tokens in memory and serves them via `handleRequest()`:
+
+```typescript
+import { handlers } from '@push.rocks/smartacme';
+
+const memHandler = new handlers.Http01MemoryHandler();
+
+// Integrate with any HTTP server (Express, Koa, raw http, etc.)
+app.use((req, res, next) => memHandler.handleRequest(req, res, next));
+```
+
+Perfect for serverless or container environments where filesystem access is limited.
+
+### 🔧 Custom Challenge Handler
+
+Implement `IChallengeHandler<T>` for custom challenge types:
+
+```typescript
+import type { handlers } from '@push.rocks/smartacme';
+
+interface MyChallenge {
+  type: string;
+  token: string;
+  keyAuthorization: string;
+}
+
+class MyHandler implements handlers.IChallengeHandler<MyChallenge> {
+  getSupportedTypes(): string[] { return ['http-01']; }
+  async prepare(ch: MyChallenge): Promise<void> { /* set up challenge response */ }
+  async cleanup(ch: MyChallenge): Promise<void> { /* tear down */ }
+  async checkWetherDomainIsSupported(domain: string): Promise<boolean> { return true; }
+}
+```
+
+## Error Handling
+
+SmartAcme provides structured ACME error handling via the `AcmeError` class, which carries full RFC 8555 error information:
+
+```typescript
+import { AcmeError } from '@push.rocks/smartacme/ts/acme/acme.classes.error.js';
+
+try {
+  const cert = await smartAcme.getCertificateForDomain('example.com');
+} catch (err) {
+  if (err instanceof AcmeError) {
+    console.log(err.status);        // HTTP status code (e.g. 429)
+    console.log(err.type);          // ACME error URN (e.g. 'urn:ietf:params:acme:error:rateLimited')
+    console.log(err.detail);        // Human-readable message
+    console.log(err.subproblems);   // Per-identifier sub-errors (RFC 8555 §6.7.1)
+    console.log(err.retryAfter);    // Retry-After value in seconds
+    console.log(err.isRateLimited); // true for 429 or rateLimited type
+    console.log(err.isRetryable);   // true for 429, 503, 5xx, badNonce; false for 403/404/409
+  }
+}
+```
+
+The built-in retry logic is **error-aware**: non-retryable errors (403, 404, 409) are thrown immediately without wasting retry attempts, and rate-limited responses respect the server's `Retry-After` header instead of using blind exponential backoff.
+
+## Domain Matching
+
+SmartAcme automatically maps subdomains to their base domain for certificate lookups:
+
+```
+subdomain.example.com → certificate for example.com  ✅
+*.example.com         → certificate for example.com  ✅
+a.b.example.com       → not supported (4+ levels)    ❌
+```
+
+## Environment
+
+| Environment     | Description |
+|----------------|-------------|
+| `production`   | Let's Encrypt production servers. Certificates are browser-trusted. [Rate limits](https://letsencrypt.org/docs/rate-limits/) apply. |
+| `integration`  | Let's Encrypt staging servers. No rate limits, but certificates are **not** browser-trusted. Use for testing. |
+
+## Complete Example with HTTP-01
+
+```typescript
+import { SmartAcme, certmanagers, handlers } from '@push.rocks/smartacme';
+import * as http from 'http';
+
+// In-memory handler for HTTP-01 challenges
+const memHandler = new handlers.Http01MemoryHandler();
+
+// Create HTTP server that serves ACME challenges
+const server = http.createServer((req, res) => {
+  memHandler.handleRequest(req, res, () => {
+    res.statusCode = 200;
+    res.end('OK');
+  });
+});
+server.listen(80);
+
+// Set up SmartAcme with in-memory storage and HTTP-01
+const smartAcme = new SmartAcme({
+  accountEmail: 'admin@example.com',
+  certManager: new certmanagers.MemoryCertManager(),
+  environment: 'production',
+  challengeHandlers: [memHandler],
+  challengePriority: ['http-01'],
+});
+
+await smartAcme.start();
+
+const cert = await smartAcme.getCertificateForDomain('example.com');
+// Use cert.publicKey and cert.privateKey with your HTTPS server
+
+await smartAcme.stop();
+server.close();
+```
+
+## Architecture
+
+Under the hood, SmartAcme uses a fully custom RFC 8555-compliant ACME protocol implementation (no external ACME libraries). Key internal modules:
+
+| Module | Purpose |
+|--------|---------|
+| `AcmeClient` | Top-level ACME facade — orders, authorizations, finalization |
+| `AcmeCrypto` | RSA key generation, JWK/JWS (RFC 7515/7638), CSR via `@peculiar/x509` |
+| `AcmeHttpClient` | JWS-signed HTTP transport with nonce management and structured logging |
+| `AcmeError` | Structured error class with type URN, subproblems, Retry-After, retryability |
+| `AcmeOrderManager` | Order lifecycle — create, poll, finalize, download certificate |
+| `AcmeChallengeManager` | Key authorization computation and challenge completion |
+| `TaskManager` | Constraint-based concurrency control, rate limiting, and request deduplication via `@push.rocks/taskbuffer` |
+
+All cryptographic operations use `node:crypto`. The only external crypto dependency is `@peculiar/x509` for CSR generation.
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

readme.plan.md

@@ -0,0 +1,3 @@
+## Plan
+
+Move the 

test/test.acme-challenge.ts

@@ -0,0 +1,64 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as crypto from 'node:crypto';
+import { AcmeCrypto } from '../ts/acme/acme.classes.crypto.js';
+import { AcmeChallengeManager } from '../ts/acme/acme.classes.challenge.js';
+
+// Create a shared key and fake httpClient for all tests
+let accountKeyPem: string;
+let challengeManager: AcmeChallengeManager;
+
+tap.test('setup: create key and challenge manager', async () => {
+  accountKeyPem = AcmeCrypto.createRsaPrivateKey();
+  // AcmeChallengeManager only needs httpClient for complete(), not for getKeyAuthorization()
+  // Pass null since we only test the sync crypto method
+  challengeManager = new AcmeChallengeManager(null as any, accountKeyPem);
+});
+
+// --- http-01 ---
+
+tap.test('http-01 returns token.thumbprint', async () => {
+  const challenge = { type: 'http-01', url: 'https://acme.example/chall/1', status: 'pending', token: 'test-token-abc' };
+  const result = challengeManager.getKeyAuthorization(challenge);
+
+  const jwk = AcmeCrypto.getJwk(accountKeyPem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+  expect(result).toEqual(`test-token-abc.${thumbprint}`);
+});
+
+// --- dns-01 ---
+
+tap.test('dns-01 returns base64url(sha256(token.thumbprint))', async () => {
+  const challenge = { type: 'dns-01', url: 'https://acme.example/chall/2', status: 'pending', token: 'dns-token-xyz' };
+  const result = challengeManager.getKeyAuthorization(challenge);
+
+  // Manual computation
+  const jwk = AcmeCrypto.getJwk(accountKeyPem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+  const keyAuth = `dns-token-xyz.${thumbprint}`;
+  const expected = crypto.createHash('sha256').update(keyAuth).digest().toString('base64url');
+  expect(result).toEqual(expected);
+});
+
+tap.test('dns-01 output is base64url (no +, /, =)', async () => {
+  const challenge = { type: 'dns-01', url: 'https://acme.example/chall/3', status: 'pending', token: 'another-token' };
+  const result = challengeManager.getKeyAuthorization(challenge);
+  expect(result).not.toInclude('+');
+  expect(result).not.toInclude('/');
+  expect(result).not.toInclude('=');
+});
+
+tap.test('http-01 and dns-01 differ for same token', async () => {
+  const token = 'shared-token-123';
+  const httpResult = challengeManager.getKeyAuthorization({ type: 'http-01', url: 'https://acme.example/c/1', status: 'pending', token });
+  const dnsResult = challengeManager.getKeyAuthorization({ type: 'dns-01', url: 'https://acme.example/c/2', status: 'pending', token });
+  expect(httpResult).not.toEqual(dnsResult);
+});
+
+tap.test('deterministic across calls', async () => {
+  const challenge = { type: 'http-01', url: 'https://acme.example/c/x', status: 'pending', token: 'stable-token' };
+  const r1 = challengeManager.getKeyAuthorization(challenge);
+  const r2 = challengeManager.getKeyAuthorization(challenge);
+  expect(r1).toEqual(r2);
+});
+
+export default tap.start();

test/test.acme-crypto.ts

@@ -0,0 +1,161 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as crypto from 'node:crypto';
+import { AcmeCrypto } from '../ts/acme/acme.classes.crypto.js';
+
+// --- createRsaPrivateKey ---
+
+tap.test('createRsaPrivateKey returns valid PEM', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  expect(pem).toStartWith('-----BEGIN PRIVATE KEY-----');
+  expect(pem).toInclude('-----END PRIVATE KEY-----');
+});
+
+tap.test('createRsaPrivateKey creates RSA key type', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const keyObj = crypto.createPrivateKey(pem);
+  expect(keyObj.asymmetricKeyType).toEqual('rsa');
+});
+
+tap.test('createRsaPrivateKey respects modulusLength', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey(4096);
+  const keyObj = crypto.createPrivateKey(pem);
+  expect(keyObj.asymmetricKeyDetails!.modulusLength).toEqual(4096);
+});
+
+// --- getJwk ---
+
+tap.test('getJwk returns sorted keys {e, kty, n}', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const keys = Object.keys(jwk);
+  expect(keys).toEqual(['e', 'kty', 'n']);
+  expect(jwk.kty).toEqual('RSA');
+  expect(typeof jwk.e).toEqual('string');
+  expect(typeof jwk.n).toEqual('string');
+});
+
+tap.test('getJwk is deterministic for same key', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk1 = AcmeCrypto.getJwk(pem);
+  const jwk2 = AcmeCrypto.getJwk(pem);
+  expect(JSON.stringify(jwk1)).toEqual(JSON.stringify(jwk2));
+});
+
+// --- getJwkThumbprint ---
+
+tap.test('getJwkThumbprint matches manual SHA-256 computation', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+
+  // Manual computation
+  const canonical = JSON.stringify({ e: jwk.e, kty: jwk.kty, n: jwk.n });
+  const expected = crypto.createHash('sha256').update(canonical).digest().toString('base64url');
+  expect(thumbprint).toEqual(expected);
+});
+
+tap.test('getJwkThumbprint is base64url format (no +, /, =)', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+  expect(thumbprint).not.toInclude('+');
+  expect(thumbprint).not.toInclude('/');
+  expect(thumbprint).not.toInclude('=');
+});
+
+// --- createJws ---
+
+tap.test('createJws returns correct structure', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/new-acct', { foo: 'bar' }, {
+    nonce: 'test-nonce',
+    jwk,
+  });
+  expect(typeof jws.protected).toEqual('string');
+  expect(typeof jws.payload).toEqual('string');
+  expect(typeof jws.signature).toEqual('string');
+});
+
+tap.test('createJws protected header contains alg, nonce, url, jwk', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/new-acct', { foo: 'bar' }, {
+    nonce: 'test-nonce',
+    jwk,
+  });
+  const header = JSON.parse(Buffer.from(jws.protected, 'base64url').toString());
+  expect(header.alg).toEqual('RS256');
+  expect(header.nonce).toEqual('test-nonce');
+  expect(header.url).toEqual('https://acme.example/new-acct');
+  expect(header.jwk).toBeTruthy();
+  expect(header.kid).toBeFalsy();
+});
+
+tap.test('createJws uses kid when provided instead of jwk', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/order', { test: 1 }, {
+    nonce: 'nonce-2',
+    kid: 'https://acme.example/acct/1',
+  });
+  const header = JSON.parse(Buffer.from(jws.protected, 'base64url').toString());
+  expect(header.kid).toEqual('https://acme.example/acct/1');
+  expect(header.jwk).toBeFalsy();
+});
+
+tap.test('createJws POST-as-GET produces empty payload', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/order/1', null, {
+    nonce: 'nonce-3',
+    kid: 'https://acme.example/acct/1',
+  });
+  expect(jws.payload).toEqual('');
+});
+
+tap.test('createJws signature is verifiable', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/test', { val: 1 }, {
+    nonce: 'nonce-v',
+    jwk,
+  });
+
+  const sigInput = `${jws.protected}.${jws.payload}`;
+  const pubKey = crypto.createPublicKey(pem);
+  const verified = crypto.verify(
+    'sha256',
+    Buffer.from(sigInput),
+    pubKey,
+    Buffer.from(jws.signature, 'base64url'),
+  );
+  expect(verified).toBeTrue();
+});
+
+// --- createCsr ---
+
+tap.test('createCsr returns [keyPem, csrPem] with valid PEM formats', async () => {
+  const [keyPem, csrPem] = await AcmeCrypto.createCsr({ commonName: 'example.com' });
+  expect(keyPem).toStartWith('-----BEGIN PRIVATE KEY-----');
+  expect(csrPem).toInclude('CERTIFICATE REQUEST');
+});
+
+tap.test('createCsr uses existing key when provided', async () => {
+  const existingKey = AcmeCrypto.createRsaPrivateKey();
+  const [keyPem, csrPem] = await AcmeCrypto.createCsr({ commonName: 'example.com' }, existingKey);
+  expect(keyPem).toEqual(existingKey);
+  expect(csrPem).toInclude('CERTIFICATE REQUEST');
+});
+
+// --- pemToBuffer ---
+
+tap.test('pemToBuffer strips headers and returns Buffer', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const buf = AcmeCrypto.pemToBuffer(pem);
+  expect(buf).toBeInstanceOf(Buffer);
+  expect(buf.length).toBeGreaterThan(0);
+  // Verify it doesn't contain PEM header text
+  const str = buf.toString('utf-8');
+  expect(str).not.toInclude('-----BEGIN');
+});
+
+export default tap.start();

test/test.acme-error.ts

@@ -0,0 +1,103 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { AcmeError } from '../ts/acme/acme.classes.error.js';
+
+// --- Basic error properties ---
+
+tap.test('AcmeError extends Error', async () => {
+  const err = new AcmeError({ status: 400 });
+  expect(err).toBeInstanceOf(Error);
+  expect(err).toBeInstanceOf(AcmeError);
+});
+
+tap.test('AcmeError has correct name', async () => {
+  const err = new AcmeError({ status: 400 });
+  expect(err.name).toEqual('AcmeError');
+});
+
+tap.test('message includes type, status, url, and detail', async () => {
+  const err = new AcmeError({
+    status: 403,
+    type: 'urn:ietf:params:acme:error:unauthorized',
+    detail: 'Account is deactivated',
+    url: 'https://acme.example/order/1',
+  });
+  expect(err.message).toInclude('403');
+  expect(err.message).toInclude('urn:ietf:params:acme:error:unauthorized');
+  expect(err.message).toInclude('https://acme.example/order/1');
+  expect(err.message).toInclude('Account is deactivated');
+});
+
+tap.test('preserves all properties including subproblems', async () => {
+  const subproblems = [
+    { type: 'urn:ietf:params:acme:error:caa', detail: 'CAA record prevents issuance', identifier: { type: 'dns', value: 'example.com' } },
+  ];
+  const err = new AcmeError({
+    status: 403,
+    type: 'urn:ietf:params:acme:error:unauthorized',
+    detail: 'Forbidden',
+    subproblems,
+    url: 'https://acme.example/chall/1',
+    retryAfter: 30,
+  });
+  expect(err.status).toEqual(403);
+  expect(err.type).toEqual('urn:ietf:params:acme:error:unauthorized');
+  expect(err.detail).toEqual('Forbidden');
+  expect(err.subproblems.length).toEqual(1);
+  expect(err.subproblems[0].type).toEqual('urn:ietf:params:acme:error:caa');
+  expect(err.url).toEqual('https://acme.example/chall/1');
+  expect(err.retryAfter).toEqual(30);
+});
+
+tap.test('default values for optional fields', async () => {
+  const err = new AcmeError({ status: 500 });
+  expect(err.type).toEqual('');
+  expect(err.detail).toEqual('');
+  expect(err.subproblems).toEqual([]);
+  expect(err.url).toEqual('');
+  expect(err.retryAfter).toEqual(0);
+});
+
+// --- isRateLimited ---
+
+tap.test('isRateLimited is true for status 429', async () => {
+  const err = new AcmeError({ status: 429 });
+  expect(err.isRateLimited).toBeTrue();
+});
+
+tap.test('isRateLimited is true for rateLimited type URN', async () => {
+  const err = new AcmeError({
+    status: 403,
+    type: 'urn:ietf:params:acme:error:rateLimited',
+  });
+  expect(err.isRateLimited).toBeTrue();
+});
+
+tap.test('isRateLimited is false for regular 400', async () => {
+  const err = new AcmeError({ status: 400, type: 'urn:ietf:params:acme:error:malformed' });
+  expect(err.isRateLimited).toBeFalse();
+});
+
+// --- isRetryable ---
+
+tap.test('isRetryable is true for 429', async () => {
+  const err = new AcmeError({ status: 429 });
+  expect(err.isRetryable).toBeTrue();
+});
+
+tap.test('isRetryable is true for 503 and 500', async () => {
+  expect(new AcmeError({ status: 503 }).isRetryable).toBeTrue();
+  expect(new AcmeError({ status: 500 }).isRetryable).toBeTrue();
+});
+
+tap.test('isRetryable is true for badNonce type', async () => {
+  const err = new AcmeError({ status: 400, type: 'urn:ietf:params:acme:error:badNonce' });
+  expect(err.isRetryable).toBeTrue();
+});
+
+tap.test('isRetryable is false for 403, 404, 409', async () => {
+  expect(new AcmeError({ status: 403 }).isRetryable).toBeFalse();
+  expect(new AcmeError({ status: 404 }).isRetryable).toBeFalse();
+  expect(new AcmeError({ status: 409 }).isRetryable).toBeFalse();
+});
+
+export default tap.start();

test/test.certmatcher.ts

@@ -0,0 +1,29 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartacmeCertMatcher } from '../ts/smartacme.classes.certmatcher.js';
+
+tap.test('should match 2-level domain', async () => {
+  const matcher = new SmartacmeCertMatcher();
+  expect(matcher.getCertificateDomainNameByDomainName('example.com')).toEqual('example.com');
+});
+
+tap.test('should match 3-level domain', async () => {
+  const matcher = new SmartacmeCertMatcher();
+  expect(matcher.getCertificateDomainNameByDomainName('subdomain.example.com')).toEqual('example.com');
+});
+
+tap.test('should return undefined for deeper domain', async () => {
+  const matcher = new SmartacmeCertMatcher();
+  // domain with 4 or more levels
+  const result = matcher.getCertificateDomainNameByDomainName('a.b.example.com');
+  expect(result).toEqual(undefined);
+});
+
+// Wildcard domain handling
+tap.test('should strip wildcard prefix and return base domain', async () => {
+  const matcher = new SmartacmeCertMatcher();
+  expect(matcher.getCertificateDomainNameByDomainName('*.example.com')).toEqual('example.com');
+  expect(matcher.getCertificateDomainNameByDomainName('*.sub.example.com')).toEqual('sub.example.com');
+  expect(matcher.getCertificateDomainNameByDomainName('*.a.b.example.com')).toEqual('a.b.example.com');
+});
+
+export default tap.start();

test/test.handlers-dns01.ts

@@ -0,0 +1,34 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { Dns01Handler } from '../ts/handlers/Dns01Handler.js';
+
+tap.test('Dns01Handler prepare and cleanup calls Cloudflare and DNS functions', async () => {
+  let setCalled = false;
+  let removeCalled = false;
+  // fake Cloudflare API
+  const fakeCF: any = {
+    convenience: {
+      acmeSetDnsChallenge: async (_ch: any) => {
+        setCalled = true;
+      },
+      acmeRemoveDnsChallenge: async (_ch: any) => {
+        removeCalled = true;
+      },
+    },
+  };
+  // fake DNS checker
+  const fakeDNS: any = {
+    checkUntilAvailable: async (host: string, rr: string, val: string, count: number, interval: number) => {
+      expect(host).toEqual('test.host');
+      expect(rr).toEqual('TXT');
+      expect(val).toEqual('token');
+    },
+  };
+  const handler = new Dns01Handler(fakeCF, fakeDNS);
+  const input = { hostName: 'test.host', challenge: 'token' };
+  await handler.prepare(input);
+  expect(setCalled).toEqual(true);
+  await handler.cleanup(input);
+  expect(removeCalled).toEqual(true);
+});
+
+export default tap.start();

test/test.handlers-http01-memory.ts

@@ -0,0 +1,58 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { Http01MemoryHandler } from '../ts/handlers/Http01MemoryHandler.js';
+
+tap.test('Http01MemoryHandler serves in-memory challenges and cleans up', async () => {
+  const handler = new Http01MemoryHandler();
+  const token = 'testtoken';
+  const keyAuth = 'keyAuthValue';
+  const webPath = `/.well-known/acme-challenge/${token}`;
+  const challenge = { type: 'http-01', token, keyAuthorization: keyAuth, webPath };
+
+  // Prepare challenge (store in memory)
+  await handler.prepare(challenge);
+
+  // Serve existing challenge without next()
+  const req1: any = { url: webPath };
+  const res1: any = {
+    statusCode: 0,
+    headers: {} as Record<string, string>,
+    body: '',
+    setHeader(name: string, value: string) { this.headers[name] = value; },
+    end(body?: string) { this.body = body || ''; },
+  };
+  handler.handleRequest(req1, res1);
+  expect(res1.statusCode).toEqual(200);
+  expect(res1.body).toEqual(keyAuth);
+  expect(res1.headers['content-type']).toEqual('text/plain');
+
+  // Cleanup challenge (remove from memory)
+  await handler.cleanup(challenge);
+
+  // Serve after cleanup without next() should give 404
+  const req2: any = { url: webPath };
+  const res2: any = {
+    statusCode: 0,
+    headers: {} as Record<string, string>,
+    body: '',
+    setHeader(name: string, value: string) { this.headers[name] = value; },
+    end(body?: string) { this.body = body || ''; },
+  };
+  handler.handleRequest(req2, res2);
+  expect(res2.statusCode).toEqual(404);
+
+  // Serve after cleanup with next() should call next
+  const req3: any = { url: webPath };
+  let nextCalled = false;
+  const next = () => { nextCalled = true; };
+  const res3: any = {
+    statusCode: 0,
+    headers: {} as Record<string, string>,
+    body: '',
+    setHeader(name: string, value: string) { this.headers[name] = value; },
+    end(body?: string) { this.body = body || ''; },
+  };
+  handler.handleRequest(req3, res3, next);
+  expect(nextCalled).toEqual(true);
+});
+
+export default tap.start();

test/test.handlers-http01.ts

@@ -0,0 +1,26 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { Http01Webroot } from '../ts/handlers/Http01Handler.js';
+import { promises as fs } from 'fs';
+import * as path from 'path';
+import os from 'os';
+
+tap.test('Http01Webroot writes challenge file and removes it on cleanup', async () => {
+  // create temporary webroot directory
+  const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'http01-'));
+  const handler = new Http01Webroot({ webroot: tmpDir });
+  const token = 'testtoken';
+  const keyAuth = 'keyAuthValue';
+  const webPath = `/.well-known/acme-challenge/${token}`;
+  const input = { type: 'http-01', token, keyAuthorization: keyAuth, webPath };
+  // prepare should write the file
+  await handler.prepare(input);
+  const filePath = path.join(tmpDir, webPath);
+  const content = await fs.readFile(filePath, 'utf8');
+  expect(content).toEqual(keyAuth);
+  // cleanup should remove the file
+  await handler.cleanup(input);
+  const exists = await fs.stat(filePath).then(() => true).catch(() => false);
+  expect(exists).toEqual(false);
+});
+
+export default tap.start();

test/test.http01-only.ts

@@ -0,0 +1,172 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartAcme, certmanagers } from '../ts/index.js';
+import { Http01MemoryHandler } from '../ts/handlers/Http01MemoryHandler.js';
+
+// Test that HTTP-01 only configuration works without wildcard certificates
+tap.test('HTTP-01 only configuration should work for regular domains', async () => {
+  const memHandler = new Http01MemoryHandler();
+  
+  // Stub the domain support check to always return true for testing
+  memHandler.checkWetherDomainIsSupported = async () => true;
+  
+  const certManager = new certmanagers.MemoryCertManager();
+  const smartAcmeInstance = new SmartAcme({
+    accountEmail: 'test@example.com',
+    certManager,
+    environment: 'integration',
+    retryOptions: {},
+    challengeHandlers: [memHandler],
+    challengePriority: ['http-01'],
+  });
+
+  // Stub the start method to avoid actual ACME connections
+  smartAcmeInstance.start = async () => {
+    smartAcmeInstance.certmanager = certManager;
+    smartAcmeInstance.certmatcher = {
+      getCertificateDomainNameByDomainName: (domain: string) => domain.replace('*.', '')
+    } as any;
+    await smartAcmeInstance.certmanager.init();
+  };
+  await smartAcmeInstance.start();
+
+  // Stub the core certificate methods to avoid actual ACME calls
+  (smartAcmeInstance as any).client = {
+    createOrder: async (orderPayload: any) => {
+      // Verify no wildcard is included in default request
+      const identifiers = orderPayload.identifiers;
+      expect(identifiers.length).toEqual(1);
+      expect(identifiers[0].value).toEqual('example.com');
+      expect(identifiers.find((id: any) => id.value.startsWith('*.'))).toBeUndefined();
+      return { status: 'pending', authorizations: [], finalize: '', certificate: '' };
+    },
+    getAuthorizations: async () => [],
+    finalizeOrder: async () => {},
+    getCertificate: async () => '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+  } as any;
+
+  (smartAcmeInstance as any).retry = async (fn: () => Promise<any>) => fn();
+  
+  // Mock certmanager methods
+  smartAcmeInstance.certmanager.retrieveCertificate = async () => null;
+  smartAcmeInstance.certmanager.storeCertificate = async (cert: any) => cert;
+  
+  // Request certificate without wildcard
+  const cert = await smartAcmeInstance.getCertificateForDomain('example.com');
+  expect(cert).toBeDefined();
+});
+
+tap.test('should only include wildcard when explicitly requested with DNS-01', async () => {
+  const dnsHandler = {
+    getSupportedTypes: () => ['dns-01'],
+    prepare: async () => {},
+    cleanup: async () => {},
+    checkWetherDomainIsSupported: async () => true,
+  };
+  
+  const certManager2 = new certmanagers.MemoryCertManager();
+  const smartAcmeInstance = new SmartAcme({
+    accountEmail: 'test@example.com',
+    certManager: certManager2,
+    environment: 'integration',
+    retryOptions: {},
+    challengeHandlers: [dnsHandler],
+    challengePriority: ['dns-01'],
+  });
+
+  // Stub the start method to avoid actual ACME connections
+  smartAcmeInstance.start = async () => {
+    smartAcmeInstance.certmanager = certManager2;
+    smartAcmeInstance.certmatcher = {
+      getCertificateDomainNameByDomainName: (domain: string) => domain.replace('*.', '')
+    } as any;
+    await smartAcmeInstance.certmanager.init();
+  };
+  await smartAcmeInstance.start();
+
+  // Stub the core certificate methods
+  (smartAcmeInstance as any).client = {
+    createOrder: async (orderPayload: any) => {
+      const identifiers = orderPayload.identifiers;
+      expect(identifiers.length).toEqual(2);
+      expect(identifiers[0].value).toEqual('example.com');
+      expect(identifiers[1].value).toEqual('*.example.com');
+      return { status: 'pending', authorizations: [], finalize: '', certificate: '' };
+    },
+    getAuthorizations: async () => [],
+    finalizeOrder: async () => {},
+    getCertificate: async () => '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+  } as any;
+
+  (smartAcmeInstance as any).retry = async (fn: () => Promise<any>) => fn();
+  
+  // Mock certmanager methods
+  smartAcmeInstance.certmanager.retrieveCertificate = async () => null;
+  smartAcmeInstance.certmanager.storeCertificate = async (cert: any) => cert;
+  
+  // Request certificate with wildcard
+  const cert = await smartAcmeInstance.getCertificateForDomain('example.com', { includeWildcard: true });
+  expect(cert).toBeDefined();
+});
+
+tap.test('should skip wildcard if requested but no DNS-01 handler available', async () => {
+  const httpHandler = new Http01MemoryHandler();
+  httpHandler.checkWetherDomainIsSupported = async () => true;
+  
+  const certManager3 = new certmanagers.MemoryCertManager();
+  const smartAcmeInstance = new SmartAcme({
+    accountEmail: 'test@example.com',
+    certManager: certManager3,
+    environment: 'integration',
+    retryOptions: {},
+    challengeHandlers: [httpHandler],
+    challengePriority: ['http-01'],
+  });
+
+  // Stub the start method to avoid actual ACME connections
+  smartAcmeInstance.start = async () => {
+    smartAcmeInstance.certmanager = certManager3;
+    smartAcmeInstance.certmatcher = {
+      getCertificateDomainNameByDomainName: (domain: string) => domain.replace('*.', '')
+    } as any;
+    await smartAcmeInstance.certmanager.init();
+  };
+  await smartAcmeInstance.start();
+
+  // Mock logger to capture warning
+  const logSpy = { called: false, message: '' };
+  smartAcmeInstance.logger.log = async (level: string, message: string) => {
+    if (level === 'warn') {
+      logSpy.called = true;
+      logSpy.message = message;
+    }
+  };
+
+  // Stub the core certificate methods
+  (smartAcmeInstance as any).client = {
+    createOrder: async (orderPayload: any) => {
+      const identifiers = orderPayload.identifiers;
+      // Should only have regular domain, no wildcard
+      expect(identifiers.length).toEqual(1);
+      expect(identifiers[0].value).toEqual('example.com');
+      return { status: 'pending', authorizations: [], finalize: '', certificate: '' };
+    },
+    getAuthorizations: async () => [],
+    finalizeOrder: async () => {},
+    getCertificate: async () => '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+  } as any;
+
+  (smartAcmeInstance as any).retry = async (fn: () => Promise<any>) => fn();
+  
+  // Mock certmanager methods
+  smartAcmeInstance.certmanager.retrieveCertificate = async () => null;
+  smartAcmeInstance.certmanager.storeCertificate = async (cert: any) => cert;
+  
+  // Request certificate with wildcard (should be skipped)
+  const cert = await smartAcmeInstance.getCertificateForDomain('example.com', { includeWildcard: true });
+  
+  expect(cert).toBeDefined();
+  expect(logSpy.called).toBeTrue();
+  expect(logSpy.message).toContain('Wildcard certificate requested but no DNS-01 handler available');
+});
+
+export default tap.start();

test/test.smartacme.integration.ts

@@ -0,0 +1,52 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { Qenv } from '@push.rocks/qenv';
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+import { SmartAcme, certmanagers } from '../ts/index.js';
+import { Dns01Handler } from '../ts/handlers/Dns01Handler.js';
+
+// Load environment variables for credentials (stored under .nogit/)
+const testQenv = new Qenv('./', './.nogit/');
+// Cloudflare API token for DNS-01 challenge (must be set in .nogit/ or env)
+const cfToken = (await testQenv.getEnvVarOnDemand('CF_TOKEN'))!;
+const cfAccount = new cloudflare.CloudflareAccount(cfToken);
+// MongoDB connection settings for certificate storage (must be set in .nogit/ or env)
+const mongoDbName = (await testQenv.getEnvVarOnDemand('MONGODB_DATABASE'))!;
+const mongoDbPass = (await testQenv.getEnvVarOnDemand('MONGODB_PASSWORD'))!;
+const mongoDbUrl = (await testQenv.getEnvVarOnDemand('MONGODB_URL'))!;
+
+
+let smartAcmeInstance: SmartAcme;
+
+tap.test('create SmartAcme instance with DNS-01 handler and start', async () => {
+  smartAcmeInstance = new SmartAcme({
+    accountEmail: 'domains@lossless.org',
+    // certManager: new MongoCertManager({ mongoDbName, mongoDbPass, mongoDbUrl }),
+    certManager: new certmanagers.MemoryCertManager(),
+    environment: 'integration',
+    retryOptions: {},
+    challengeHandlers: [new Dns01Handler(cfAccount)],
+    challengePriority: ['dns-01'],
+  });
+  await smartAcmeInstance.start();
+  expect(smartAcmeInstance).toBeInstanceOf(SmartAcme);
+});
+
+tap.test('should wipe the certmanager for this test', async () => {
+  await smartAcmeInstance.certmanager.wipe();
+});
+
+tap.test('get a domain certificate covering bleu.de and *.bleu.de via DNS-01 challenge', async () => {
+  const domain = 'bleu.de';
+  const cert = await smartAcmeInstance.getCertificateForDomain(domain, { includeWildcard: true });
+  expect(cert).toHaveProperty('domainName');
+  expect(cert.domainName).toEqual(domain);
+  expect(cert).toHaveProperty('publicKey');
+  expect(typeof cert.publicKey).toEqual('string');
+  expect(cert.publicKey.length).toBeGreaterThan(0);
+});
+
+tap.test('stop SmartAcme instance', async () => {
+  await smartAcmeInstance.stop();
+});
+
+export default tap.start();

test/test.smartacme.ts

@@ -0,0 +1,61 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartAcme, certmanagers } from '../ts/index.js';
+import { Cert } from '../ts/index.js';
+import type { IChallengeHandler } from '../ts/handlers/IChallengeHandler.js';
+
+// Dummy handler for testing
+class DummyHandler implements IChallengeHandler<any> {
+  getSupportedTypes(): string[] { return ['dns-01']; }
+  async prepare(_: any): Promise<void> { /* no-op */ }
+  async cleanup(_: any): Promise<void> { /* no-op */ }
+  async checkWetherDomainIsSupported(_: string): Promise<boolean> { return true; }
+}
+
+tap.test('constructor throws without challengeHandlers', async () => {
+  expect(() => new SmartAcme({
+    accountEmail: 'test@example.com',
+    certManager: new certmanagers.MemoryCertManager(),
+    environment: 'integration',
+    retryOptions: {},
+  } as any)).toThrow();
+});
+
+tap.test('constructor accepts valid challengeHandlers', async () => {
+  const sa = new SmartAcme({
+    accountEmail: 'test@example.com',
+    certManager: new certmanagers.MemoryCertManager(),
+    environment: 'integration',
+    retryOptions: {},
+    challengeHandlers: [new DummyHandler()],
+  });
+  expect(sa).toBeInstanceOf(SmartAcme);
+});
+// Wildcard certificate stub for integration mode (unit test override)
+tap.test('get wildcard certificate stub in integration mode', async () => {
+  // Temporarily stub SmartAcme.start and getCertificateForDomain for wildcard
+  const origStart = SmartAcme.prototype.start;
+  const origGetCert = SmartAcme.prototype.getCertificateForDomain;
+  try {
+    SmartAcme.prototype.start = async function(): Promise<void> { /* no-op */ };
+    SmartAcme.prototype.getCertificateForDomain = async function(domain: string) {
+      return new Cert({ domainName: domain });
+    };
+    const sa = new SmartAcme({
+      accountEmail: 'domains@lossless.org',
+      certManager: new certmanagers.MemoryCertManager(),
+      environment: 'integration',
+      retryOptions: {},
+      challengeHandlers: [new DummyHandler()],
+    });
+    await sa.start();
+    const domainWildcard = '*.example.com';
+    const cert = await sa.getCertificateForDomain(domainWildcard);
+    expect(cert.domainName).toEqual(domainWildcard);
+    await sa.stop();
+  } finally {
+    SmartAcme.prototype.start = origStart;
+    SmartAcme.prototype.getCertificateForDomain = origGetCert;
+  }
+});
+
+export default tap.start();

test/test.ts

@@ -1,42 +0,0 @@
-import { tap, expect } from '@pushrocks/tapbundle';
-import { Qenv } from '@pushrocks/qenv';
-
-const testQenv = new Qenv('./', './.nogit/');
-
-import * as smartacme from '../ts/index';
-
-let smartAcmeInstance: smartacme.SmartAcme;
-
-tap.test('should create a valid instance of SmartAcme', async () => {
-  smartAcmeInstance = new smartacme.SmartAcme({
-    accountEmail: 'domains@lossless.org',
-    accountPrivateKey: null,
-    mongoDescriptor: {
-      mongoDbName: testQenv.getEnvVarRequired('MONGODB_DATABASE'),
-      mongoDbPass: testQenv.getEnvVarRequired('MONGODB_PASSWORD'),
-      mongoDbUrl: testQenv.getEnvVarRequired('MONGODB_URL')
-    },
-    removeChallenge: async (...args) => {
-      console.log(args);
-    },
-    setChallenge: async (...args) => {
-      console.log(args);
-    },
-    environment: "integration"
-  });
-  await smartAcmeInstance.init();
-  // await smartAcmeInstance.getCertificateForDomain('bleu.de');
-});
-
-tap.test('certmatcher should correctly match domains', async () => {
-  const certMatcherMod = await import('../ts/smartacme.classes.certmatcher'); 
-  const certMatcher = new certMatcherMod.CertMatcher();
-  const matchedCert = certMatcher.getCertificateDomainNameByDomainName('level3.level2.level1');
-  expect(matchedCert).to.equal('level2.level1');
-});
-
-tap.test('should stop correctly', async () => {
-  await smartAcmeInstance.stop();
-});
-
-tap.start();

test/test.wildcard-options.ts

@@ -0,0 +1,94 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { SmartAcme, certmanagers } from '../ts/index.js';
+import { SmartacmeCert as Cert } from '../ts/smartacme.classes.cert.js';
+
+// Simple test to verify wildcard options are correctly processed
+tap.test('should not include wildcard by default for regular domain', async () => {
+  let orderPayload: any = null;
+  
+  // Override the SmartAcme prototype methods for testing
+  const origGetCert = SmartAcme.prototype.getCertificateForDomain;
+  
+  // Create a minimal test version of getCertificateForDomain
+  SmartAcme.prototype.getCertificateForDomain = async function(
+    domainArg: string,
+    options?: { includeWildcard?: boolean }
+  ) {
+    const certDomainName = domainArg.replace('*.', '');
+    const identifiers = [];
+    
+    if (domainArg.startsWith('*.')) {
+      identifiers.push({ type: 'dns', value: domainArg });
+    } else {
+      identifiers.push({ type: 'dns', value: certDomainName });
+      
+      if (options?.includeWildcard) {
+        const hasDnsHandler = this.challengeHandlers.some((h) =>
+          h.getSupportedTypes().includes('dns-01')
+        );
+        
+        if (hasDnsHandler) {
+          identifiers.push({ type: 'dns', value: `*.${certDomainName}` });
+        }
+      }
+    }
+    
+    orderPayload = { identifiers };
+    return new Cert({ domainName: certDomainName });
+  };
+  
+  try {
+    // Create instance with HTTP-01 only
+    const smartAcme = new SmartAcme({
+      accountEmail: 'test@example.com',
+      certManager: new certmanagers.MemoryCertManager(),
+      environment: 'integration',
+      challengeHandlers: [{
+        getSupportedTypes: () => ['http-01'],
+        prepare: async () => {},
+        cleanup: async () => {},
+        checkWetherDomainIsSupported: async () => true,
+      }],
+    });
+    
+    // Test 1: Regular domain without wildcard option
+    await smartAcme.getCertificateForDomain('example.com');
+    expect(orderPayload.identifiers.length).toEqual(1);
+    expect(orderPayload.identifiers[0].value).toEqual('example.com');
+    
+    // Test 2: Regular domain with wildcard option (but no DNS-01 handler)
+    await smartAcme.getCertificateForDomain('example.com', { includeWildcard: true });
+    expect(orderPayload.identifiers.length).toEqual(1);
+    expect(orderPayload.identifiers[0].value).toEqual('example.com');
+    
+    // Create instance with DNS-01
+    const smartAcmeDns = new SmartAcme({
+      accountEmail: 'test@example.com',
+      certManager: new certmanagers.MemoryCertManager(),
+      environment: 'integration',
+      challengeHandlers: [{
+        getSupportedTypes: () => ['dns-01'],
+        prepare: async () => {},
+        cleanup: async () => {},
+        checkWetherDomainIsSupported: async () => true,
+      }],
+    });
+    
+    // Test 3: Regular domain with wildcard option and DNS-01 handler
+    await smartAcmeDns.getCertificateForDomain('example.com', { includeWildcard: true });
+    expect(orderPayload.identifiers.length).toEqual(2);
+    expect(orderPayload.identifiers[0].value).toEqual('example.com');
+    expect(orderPayload.identifiers[1].value).toEqual('*.example.com');
+    
+    // Test 4: Direct wildcard request
+    await smartAcmeDns.getCertificateForDomain('*.example.com');
+    expect(orderPayload.identifiers.length).toEqual(1);
+    expect(orderPayload.identifiers[0].value).toEqual('*.example.com');
+    
+  } finally {
+    // Restore original method
+    SmartAcme.prototype.getCertificateForDomain = origGetCert;
+  }
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -0,0 +1,8 @@
+/**
+ * autocreated commitinfo by @push.rocks/commitinfo
+ */
+export const commitinfo = {
+  name: '@push.rocks/smartacme',
+  version: '9.1.3',
+  description: 'A TypeScript-based ACME client for LetsEncrypt certificate management with a focus on simplicity and power.'
+}

ts/acme/acme.classes.account.ts

@@ -0,0 +1,45 @@
+import type { AcmeHttpClient } from './acme.classes.http-client.js';
+import type { IAcmeAccount, IAcmeAccountCreateRequest } from './acme.interfaces.js';
+
+/**
+ * ACME account management - registration and key management
+ */
+export class AcmeAccount {
+  private httpClient: AcmeHttpClient;
+  private accountUrl: string | null = null;
+
+  constructor(httpClient: AcmeHttpClient) {
+    this.httpClient = httpClient;
+  }
+
+  /**
+   * Register or retrieve an ACME account.
+   * Uses JWK (not kid) since account URL is not yet known.
+   * Captures account URL from Location header for subsequent requests.
+   */
+  async create(request: IAcmeAccountCreateRequest): Promise<IAcmeAccount> {
+    const dir = await this.httpClient.getDirectory();
+    const response = await this.httpClient.signedRequest(dir.newAccount, request, {
+      useJwk: true,
+    });
+
+    // Capture account URL from Location header (used as kid for future requests)
+    const location = response.headers['location'];
+    if (location) {
+      this.accountUrl = location;
+      this.httpClient.kid = location;
+    }
+
+    return response.data as IAcmeAccount;
+  }
+
+  /**
+   * Get the account URL (kid) for use in JWS headers
+   */
+  getAccountUrl(): string {
+    if (!this.accountUrl) {
+      throw new Error('Account not yet created - call create() first');
+    }
+    return this.accountUrl;
+  }
+}

ts/acme/acme.classes.challenge.ts

@@ -0,0 +1,45 @@
+import * as crypto from 'node:crypto';
+import { AcmeCrypto } from './acme.classes.crypto.js';
+import type { AcmeHttpClient } from './acme.classes.http-client.js';
+import type { IAcmeChallenge } from './acme.interfaces.js';
+
+/**
+ * ACME challenge operations - key authorization computation and challenge completion
+ */
+export class AcmeChallengeManager {
+  private httpClient: AcmeHttpClient;
+  private accountKeyPem: string;
+
+  constructor(httpClient: AcmeHttpClient, accountKeyPem: string) {
+    this.httpClient = httpClient;
+    this.accountKeyPem = accountKeyPem;
+  }
+
+  /**
+   * Compute the key authorization for a challenge.
+   * For http-01: returns `token.thumbprint`
+   * For dns-01: returns `base64url(sha256(token.thumbprint))`
+   *
+   * This is a synchronous, pure-crypto computation.
+   */
+  getKeyAuthorization(challenge: IAcmeChallenge): string {
+    const jwk = AcmeCrypto.getJwk(this.accountKeyPem);
+    const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+    const keyAuth = `${challenge.token}.${thumbprint}`;
+
+    if (challenge.type === 'dns-01') {
+      // DNS-01 uses base64url(SHA-256(keyAuthorization))
+      return crypto.createHash('sha256').update(keyAuth).digest().toString('base64url');
+    }
+
+    // HTTP-01 and others use the raw key authorization
+    return keyAuth;
+  }
+
+  /**
+   * Notify the ACME server to validate a challenge (POST {} to challenge URL)
+   */
+  async complete(challenge: IAcmeChallenge): Promise<void> {
+    await this.httpClient.signedRequest(challenge.url, {});
+  }
+}

ts/acme/acme.classes.client.ts

@@ -0,0 +1,106 @@
+import { AcmeCrypto } from './acme.classes.crypto.js';
+import { ACME_DIRECTORY_URLS } from './acme.classes.directory.js';
+import { AcmeHttpClient, type TAcmeLogger } from './acme.classes.http-client.js';
+import { AcmeAccount } from './acme.classes.account.js';
+import { AcmeOrderManager } from './acme.classes.order.js';
+import { AcmeChallengeManager } from './acme.classes.challenge.js';
+import type {
+  IAcmeAccount,
+  IAcmeAccountCreateRequest,
+  IAcmeAuthorization,
+  IAcmeChallenge,
+  IAcmeIdentifier,
+  IAcmeOrder,
+} from './acme.interfaces.js';
+
+export interface IAcmeClientOptions {
+  directoryUrl: string;
+  accountKeyPem: string;
+  logger?: TAcmeLogger;
+}
+
+/**
+ * Top-level ACME client facade.
+ * Composes HTTP transport, account management, order lifecycle, and challenge handling.
+ */
+export class AcmeClient {
+  private httpClient: AcmeHttpClient;
+  private account: AcmeAccount;
+  private orderManager: AcmeOrderManager;
+  private challengeManager: AcmeChallengeManager;
+
+  /** Well-known CA directory URLs */
+  static directory = ACME_DIRECTORY_URLS;
+  /** Crypto utilities */
+  static crypto = AcmeCrypto;
+
+  constructor(options: IAcmeClientOptions) {
+    this.httpClient = new AcmeHttpClient(options.directoryUrl, options.accountKeyPem, options.logger);
+    this.account = new AcmeAccount(this.httpClient);
+    this.orderManager = new AcmeOrderManager(this.httpClient);
+    this.challengeManager = new AcmeChallengeManager(this.httpClient, options.accountKeyPem);
+  }
+
+  /**
+   * Register or retrieve an ACME account
+   */
+  async createAccount(request: IAcmeAccountCreateRequest): Promise<IAcmeAccount> {
+    return this.account.create(request);
+  }
+
+  /**
+   * Create a new certificate order
+   */
+  async createOrder(opts: { identifiers: IAcmeIdentifier[] }): Promise<IAcmeOrder> {
+    return this.orderManager.create(opts);
+  }
+
+  /**
+   * Get all authorizations for an order
+   */
+  async getAuthorizations(order: IAcmeOrder): Promise<IAcmeAuthorization[]> {
+    return this.orderManager.getAuthorizations(order);
+  }
+
+  /**
+   * Compute the key authorization string for a challenge (sync)
+   */
+  getChallengeKeyAuthorization(challenge: IAcmeChallenge): string {
+    return this.challengeManager.getKeyAuthorization(challenge);
+  }
+
+  /**
+   * Notify the ACME server to validate a challenge
+   */
+  async completeChallenge(challenge: IAcmeChallenge): Promise<void> {
+    return this.challengeManager.complete(challenge);
+  }
+
+  /**
+   * Poll an ACME resource until it reaches valid/ready status
+   */
+  async waitForValidStatus(item: { url: string }): Promise<any> {
+    return this.orderManager.waitForValidStatus(item);
+  }
+
+  /**
+   * Finalize an order by submitting the CSR
+   */
+  async finalizeOrder(order: IAcmeOrder, csrPem: string): Promise<void> {
+    return this.orderManager.finalize(order, csrPem);
+  }
+
+  /**
+   * Download the certificate chain (PEM)
+   */
+  async getCertificate(order: IAcmeOrder): Promise<string> {
+    return this.orderManager.getCertificate(order);
+  }
+
+  /**
+   * Destroy HTTP transport to release sockets and allow process exit.
+   */
+  destroy(): void {
+    this.httpClient.destroy();
+  }
+}

ts/acme/acme.classes.crypto.ts

@@ -0,0 +1,220 @@
+import * as crypto from 'node:crypto';
+import type { IAcmeCsrOptions } from './acme.interfaces.js';
+
+/**
+ * All cryptographic operations for the ACME protocol.
+ * Uses node:crypto for key gen, JWK, JWS signing.
+ * Uses @peculiar/x509 for CSR generation (no native Node.js CSR API).
+ */
+export class AcmeCrypto {
+  /**
+   * Generate an RSA private key in PEM format
+   */
+  static createRsaPrivateKey(modulusLength = 2048): string {
+    const { privateKey } = crypto.generateKeyPairSync('rsa', {
+      modulusLength,
+      publicKeyEncoding: { type: 'spki', format: 'pem' },
+      privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+    });
+    return privateKey;
+  }
+
+  /**
+   * Export public JWK from PEM private key, keys sorted alphabetically per RFC 7638
+   */
+  static getJwk(keyPem: string): Record<string, string> {
+    const keyObj = crypto.createPublicKey(keyPem);
+    const jwk = keyObj.export({ format: 'jwk' }) as Record<string, any>;
+    if (jwk.kty === 'RSA') {
+      return { e: jwk.e, kty: jwk.kty, n: jwk.n };
+    } else if (jwk.kty === 'EC') {
+      return { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
+    }
+    throw new Error(`Unsupported key type: ${jwk.kty}`);
+  }
+
+  /**
+   * Compute JWK Thumbprint (SHA-256, base64url) per RFC 7638
+   */
+  static getJwkThumbprint(jwk: Record<string, string>): string {
+    let canonical: string;
+    if (jwk.kty === 'RSA') {
+      canonical = JSON.stringify({ e: jwk.e, kty: jwk.kty, n: jwk.n });
+    } else if (jwk.kty === 'EC') {
+      canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
+    } else {
+      throw new Error(`Unsupported key type: ${jwk.kty}`);
+    }
+    const hash = crypto.createHash('sha256').update(canonical).digest();
+    return hash.toString('base64url');
+  }
+
+  /**
+   * Create a flattened JWS for ACME requests (RFC 7515)
+   * payload=null means POST-as-GET (empty string payload)
+   */
+  static createJws(
+    keyPem: string,
+    url: string,
+    payload: any | null,
+    options: { nonce: string; kid?: string; jwk?: Record<string, string> },
+  ): { protected: string; payload: string; signature: string } {
+    const header: Record<string, any> = {
+      alg: AcmeCrypto.getAlg(keyPem),
+      nonce: options.nonce,
+      url,
+    };
+    if (options.kid) {
+      header.kid = options.kid;
+    } else if (options.jwk) {
+      header.jwk = options.jwk;
+    } else {
+      header.jwk = AcmeCrypto.getJwk(keyPem);
+    }
+
+    const protectedB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const payloadB64 =
+      payload !== null ? Buffer.from(JSON.stringify(payload)).toString('base64url') : '';
+
+    const signingInput = `${protectedB64}.${payloadB64}`;
+    const keyObj = crypto.createPrivateKey(keyPem);
+    const alg = AcmeCrypto.getAlg(keyPem);
+
+    let signature: Buffer;
+    if (alg.startsWith('RS')) {
+      signature = crypto.sign('sha256', Buffer.from(signingInput), keyObj);
+    } else if (alg.startsWith('ES')) {
+      signature = crypto.sign('sha256', Buffer.from(signingInput), {
+        key: keyObj,
+        dsaEncoding: 'ieee-p1363',
+      });
+    } else {
+      throw new Error(`Unsupported algorithm: ${alg}`);
+    }
+
+    return {
+      protected: protectedB64,
+      payload: payloadB64,
+      signature: signature.toString('base64url'),
+    };
+  }
+
+  /**
+   * Create a CSR (PKCS#10) via @peculiar/x509
+   * Returns [privateKeyPem, csrPem]
+   */
+  static async createCsr(
+    options: IAcmeCsrOptions,
+    existingKeyPem?: string,
+  ): Promise<[string, string]> {
+    const x509 = await import('@peculiar/x509');
+    const { webcrypto } = crypto;
+    x509.cryptoProvider.set(webcrypto as any);
+
+    let keys: CryptoKeyPair;
+    let keyPem: string;
+
+    if (existingKeyPem) {
+      keys = await AcmeCrypto.importKeyPairToWebCrypto(existingKeyPem, webcrypto);
+      keyPem = existingKeyPem;
+    } else {
+      keys = (await webcrypto.subtle.generateKey(
+        {
+          name: 'RSASSA-PKCS1-v1_5',
+          modulusLength: 2048,
+          publicExponent: new Uint8Array([1, 0, 1]),
+          hash: 'SHA-256',
+        },
+        true,
+        ['sign', 'verify'],
+      )) as CryptoKeyPair;
+
+      const pkcs8 = await webcrypto.subtle.exportKey('pkcs8', keys.privateKey);
+      const b64 = Buffer.from(pkcs8).toString('base64');
+      const lines = b64.match(/.{1,64}/g)!;
+      keyPem = `-----BEGIN PRIVATE KEY-----\n${lines.join('\n')}\n-----END PRIVATE KEY-----\n`;
+    }
+
+    // Collect all DNS names for SAN (CN is always included)
+    const sanNames: string[] = [options.commonName];
+    if (options.altNames) {
+      for (const name of options.altNames) {
+        if (!sanNames.includes(name)) {
+          sanNames.push(name);
+        }
+      }
+    }
+
+    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+      name: `CN=${options.commonName}`,
+      keys,
+      signingAlgorithm: { name: 'RSASSA-PKCS1-v1_5' },
+      extensions: [
+        new x509.SubjectAlternativeNameExtension(
+          sanNames.map((name) => ({ type: 'dns' as const, value: name })),
+        ),
+      ],
+    });
+
+    // Convert to PEM
+    const csrPem = csr.toString('pem');
+
+    return [keyPem, csrPem];
+  }
+
+  /**
+   * Convert PEM to raw DER Buffer (strip headers, decode base64)
+   */
+  static pemToBuffer(pem: string): Buffer {
+    const lines = pem
+      .split('\n')
+      .filter((line) => !line.startsWith('-----') && line.trim().length > 0);
+    return Buffer.from(lines.join(''), 'base64');
+  }
+
+  /**
+   * Determine JWS algorithm from key type
+   */
+  private static getAlg(keyPem: string): string {
+    const keyObj = crypto.createPrivateKey(keyPem);
+    const keyType = keyObj.asymmetricKeyType;
+    if (keyType === 'rsa') return 'RS256';
+    if (keyType === 'ec') {
+      const details = keyObj.asymmetricKeyDetails;
+      if (details?.namedCurve === 'prime256v1' || details?.namedCurve === 'P-256') return 'ES256';
+      if (details?.namedCurve === 'secp384r1' || details?.namedCurve === 'P-384') return 'ES384';
+      return 'ES256';
+    }
+    throw new Error(`Unsupported key type: ${keyType}`);
+  }
+
+  /**
+   * Import a PEM private key into WebCrypto as a CryptoKeyPair
+   */
+  private static async importKeyPairToWebCrypto(
+    keyPem: string,
+    wc: typeof crypto.webcrypto,
+  ): Promise<CryptoKeyPair> {
+    const keyObj = crypto.createPrivateKey(keyPem);
+    const pkcs8Der = keyObj.export({ type: 'pkcs8', format: 'der' });
+    const privateKey = await wc.subtle.importKey(
+      'pkcs8',
+      pkcs8Der,
+      { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+      true,
+      ['sign'],
+    );
+
+    const pubKeyObj = crypto.createPublicKey(keyPem);
+    const spkiDer = pubKeyObj.export({ type: 'spki', format: 'der' });
+    const publicKey = await wc.subtle.importKey(
+      'spki',
+      spkiDer,
+      { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+      true,
+      ['verify'],
+    );
+
+    return { privateKey: privateKey as unknown as CryptoKey, publicKey: publicKey as unknown as CryptoKey };
+  }
+}

ts/acme/acme.classes.directory.ts

@@ -0,0 +1,13 @@
+/**
+ * ACME directory URL constants for well-known CAs
+ */
+export const ACME_DIRECTORY_URLS = {
+  letsencrypt: {
+    production: 'https://acme-v02.api.letsencrypt.org/directory',
+    staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+  },
+  buypass: {
+    production: 'https://api.buypass.com/acme/directory',
+    staging: 'https://api.test4.buypass.no/acme/directory',
+  },
+} as const;

ts/acme/acme.classes.error.ts

@@ -0,0 +1,55 @@
+/**
+ * Structured ACME protocol error with RFC 8555 fields.
+ * Provides type URN, subproblems, Retry-After, and retryability classification.
+ */
+export class AcmeError extends Error {
+  public readonly status: number;
+  public readonly type: string;
+  public readonly detail: string;
+  public readonly subproblems: Array<{ type: string; detail: string; identifier?: { type: string; value: string } }>;
+  public readonly url: string;
+  public readonly retryAfter: number;
+
+  constructor(options: {
+    message?: string;
+    status: number;
+    type?: string;
+    detail?: string;
+    subproblems?: Array<{ type: string; detail: string; identifier?: { type: string; value: string } }>;
+    url?: string;
+    retryAfter?: number;
+  }) {
+    const type = options.type || '';
+    const detail = options.detail || '';
+    const url = options.url || '';
+    const msg =
+      options.message ||
+      `ACME error: ${type || 'unknown'} (HTTP ${options.status}) at ${url || 'unknown'} - ${detail || 'no detail'}`;
+    super(msg);
+    this.name = 'AcmeError';
+    this.status = options.status;
+    this.type = type;
+    this.detail = detail;
+    this.subproblems = options.subproblems || [];
+    this.url = url;
+    this.retryAfter = options.retryAfter || 0;
+  }
+
+  /**
+   * True for HTTP 429 or ACME rateLimited type URN
+   */
+  get isRateLimited(): boolean {
+    return this.status === 429 || this.type === 'urn:ietf:params:acme:error:rateLimited';
+  }
+
+  /**
+   * True for transient/retryable errors: 429, 503, 5xx, badNonce.
+   * False for definitive client errors: 400 (non-badNonce), 403, 404, 409.
+   */
+  get isRetryable(): boolean {
+    if (this.type === 'urn:ietf:params:acme:error:badNonce') return true;
+    if (this.status === 429 || this.status === 503) return true;
+    if (this.status >= 500) return true;
+    return false;
+  }
+}

ts/acme/acme.classes.http-client.ts

@@ -0,0 +1,249 @@
+import * as https from 'node:https';
+import * as http from 'node:http';
+import { AcmeCrypto } from './acme.classes.crypto.js';
+import { AcmeError } from './acme.classes.error.js';
+import type { IAcmeDirectory, IAcmeHttpResponse } from './acme.interfaces.js';
+
+export type TAcmeLogger = (level: string, message: string, data?: any) => void;
+
+/**
+ * JWS-signed HTTP transport for ACME protocol.
+ * Handles nonce management, bad-nonce retries, and signed requests.
+ */
+export class AcmeHttpClient {
+  private directoryUrl: string;
+  private accountKeyPem: string;
+  private directory: IAcmeDirectory | null = null;
+  private nonce: string | null = null;
+  public kid: string | null = null;
+  private logger?: TAcmeLogger;
+  private httpsAgent: https.Agent;
+  private httpAgent: http.Agent;
+
+  constructor(directoryUrl: string, accountKeyPem: string, logger?: TAcmeLogger) {
+    this.directoryUrl = directoryUrl;
+    this.accountKeyPem = accountKeyPem;
+    this.logger = logger;
+    this.httpsAgent = new https.Agent({ keepAlive: false });
+    this.httpAgent = new http.Agent({ keepAlive: false });
+  }
+
+  /**
+   * Destroy HTTP agents to release sockets and allow process exit.
+   */
+  destroy(): void {
+    this.httpsAgent.destroy();
+    this.httpAgent.destroy();
+  }
+
+  private log(level: string, message: string, data?: any): void {
+    if (this.logger) {
+      this.logger(level, message, data);
+    }
+  }
+
+  /**
+   * GET the ACME directory (cached after first call)
+   */
+  async getDirectory(): Promise<IAcmeDirectory> {
+    if (this.directory) return this.directory;
+    const response = await this.httpRequest(this.directoryUrl, 'GET');
+    if (response.status !== 200) {
+      throw new AcmeError({
+        status: response.status,
+        type: response.data?.type || '',
+        detail: `Failed to fetch ACME directory`,
+        url: this.directoryUrl,
+      });
+    }
+    this.directory = response.data as IAcmeDirectory;
+    return this.directory;
+  }
+
+  /**
+   * Fetch a fresh nonce via HEAD to newNonce
+   */
+  async getNonce(): Promise<string> {
+    if (this.nonce) {
+      const n = this.nonce;
+      this.nonce = null;
+      return n;
+    }
+    const dir = await this.getDirectory();
+    const response = await this.httpRequest(dir.newNonce, 'HEAD');
+    const nonce = response.headers['replay-nonce'];
+    if (!nonce) {
+      throw new Error('No replay-nonce header in newNonce response');
+    }
+    return nonce;
+  }
+
+  /**
+   * Send a JWS-signed POST request to an ACME endpoint.
+   * Handles nonce rotation and bad-nonce retries (up to 5).
+   * payload=null means POST-as-GET.
+   */
+  async signedRequest(
+    url: string,
+    payload: any | null,
+    options?: { useJwk?: boolean },
+  ): Promise<IAcmeHttpResponse> {
+    const maxRetries = 5;
+
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      const nonce = await this.getNonce();
+
+      const jwsOptions: { nonce: string; kid?: string; jwk?: Record<string, string> } = { nonce };
+      if (options?.useJwk) {
+        jwsOptions.jwk = AcmeCrypto.getJwk(this.accountKeyPem);
+      } else if (this.kid) {
+        jwsOptions.kid = this.kid;
+      } else {
+        jwsOptions.jwk = AcmeCrypto.getJwk(this.accountKeyPem);
+      }
+
+      const jws = AcmeCrypto.createJws(this.accountKeyPem, url, payload, jwsOptions);
+      const body = JSON.stringify(jws);
+
+      const response = await this.httpRequest(url, 'POST', body, {
+        'Content-Type': 'application/jose+json',
+      });
+
+      // Save nonce from response for reuse
+      if (response.headers['replay-nonce']) {
+        this.nonce = response.headers['replay-nonce'];
+      }
+
+      this.log('debug', `ACME request: POST ${url} → ${response.status}`);
+
+      // Retry on bad-nonce
+      if (
+        response.status === 400 &&
+        response.data?.type === 'urn:ietf:params:acme:error:badNonce'
+      ) {
+        this.log('debug', `Bad nonce on attempt ${attempt + 1}, retrying`);
+        if (attempt < maxRetries) {
+          this.nonce = null; // Force fresh nonce
+          continue;
+        }
+      }
+
+      // Throw on error responses
+      if (response.status >= 400) {
+        const retryAfterRaw = response.headers['retry-after'];
+        let retryAfter = 0;
+        if (retryAfterRaw) {
+          const parsed = parseInt(retryAfterRaw, 10);
+          if (!isNaN(parsed)) {
+            retryAfter = parsed;
+          }
+        }
+
+        const acmeError = new AcmeError({
+          status: response.status,
+          type: response.data?.type || '',
+          detail: response.data?.detail || JSON.stringify(response.data),
+          subproblems: response.data?.subproblems,
+          url,
+          retryAfter,
+        });
+
+        if (acmeError.isRateLimited) {
+          this.log('warn', `RATE LIMITED: ${url} (HTTP ${response.status}), Retry-After: ${retryAfter}s`, {
+            type: acmeError.type,
+            detail: acmeError.detail,
+            retryAfter,
+          });
+        } else {
+          this.log('warn', `ACME error: ${url} (HTTP ${response.status})`, {
+            type: acmeError.type,
+            detail: acmeError.detail,
+          });
+        }
+
+        throw acmeError;
+      }
+
+      return response;
+    }
+
+    throw new Error('Max bad-nonce retries exceeded');
+  }
+
+  /**
+   * Raw HTTP request using native node:https
+   */
+  private httpRequest(
+    url: string,
+    method: string,
+    body?: string,
+    headers?: Record<string, string>,
+  ): Promise<IAcmeHttpResponse> {
+    return new Promise((resolve, reject) => {
+      const urlObj = new URL(url);
+      const isHttps = urlObj.protocol === 'https:';
+      const lib = isHttps ? https : http;
+
+      const requestHeaders: Record<string, string | number> = {
+        ...headers,
+        'User-Agent': 'smartacme-acme-client/1.0',
+      };
+      if (body) {
+        requestHeaders['Content-Length'] = Buffer.byteLength(body);
+      }
+
+      const options: https.RequestOptions = {
+        hostname: urlObj.hostname,
+        port: urlObj.port || (isHttps ? 443 : 80),
+        path: urlObj.pathname + urlObj.search,
+        method,
+        headers: requestHeaders,
+        agent: isHttps ? this.httpsAgent : this.httpAgent,
+      };
+
+      const req = lib.request(options, (res) => {
+        const chunks: Buffer[] = [];
+        res.on('data', (chunk: Buffer) => chunks.push(chunk));
+        res.on('end', () => {
+          const responseBody = Buffer.concat(chunks).toString('utf-8');
+
+          // Normalize headers to lowercase single-value
+          const responseHeaders: Record<string, string> = {};
+          for (const [key, value] of Object.entries(res.headers)) {
+            if (typeof value === 'string') {
+              responseHeaders[key.toLowerCase()] = value;
+            } else if (Array.isArray(value)) {
+              responseHeaders[key.toLowerCase()] = value[0];
+            }
+          }
+
+          // Parse JSON if applicable, otherwise return raw string
+          let data: any;
+          const contentType = responseHeaders['content-type'] || '';
+          if (contentType.includes('json')) {
+            try {
+              data = JSON.parse(responseBody);
+            } catch {
+              data = responseBody;
+            }
+          } else {
+            data = responseBody;
+          }
+
+          resolve({
+            status: res.statusCode || 0,
+            headers: responseHeaders,
+            data,
+          });
+        });
+      });
+
+      req.on('error', reject);
+      req.setTimeout(30000, () => {
+        req.destroy(new Error('Request timeout'));
+      });
+      if (body) req.write(body);
+      req.end();
+    });
+  }
+}

ts/acme/acme.classes.order.ts

@@ -0,0 +1,125 @@
+import { AcmeCrypto } from './acme.classes.crypto.js';
+import { AcmeError } from './acme.classes.error.js';
+import type { AcmeHttpClient } from './acme.classes.http-client.js';
+import type {
+  IAcmeAuthorization,
+  IAcmeIdentifier,
+  IAcmeOrder,
+} from './acme.interfaces.js';
+
+/**
+ * ACME order lifecycle management.
+ * Handles order creation, authorization retrieval, finalization, and certificate download.
+ */
+export class AcmeOrderManager {
+  private httpClient: AcmeHttpClient;
+
+  constructor(httpClient: AcmeHttpClient) {
+    this.httpClient = httpClient;
+  }
+
+  /**
+   * Create a new ACME order for the given identifiers
+   */
+  async create(opts: { identifiers: IAcmeIdentifier[] }): Promise<IAcmeOrder> {
+    const dir = await this.httpClient.getDirectory();
+    const response = await this.httpClient.signedRequest(dir.newOrder, {
+      identifiers: opts.identifiers,
+    });
+
+    const order = response.data as IAcmeOrder;
+    // Capture order URL from Location header
+    order.url = response.headers['location'] || '';
+    return order;
+  }
+
+  /**
+   * Retrieve all authorizations for an order (POST-as-GET each authorization URL)
+   */
+  async getAuthorizations(order: IAcmeOrder): Promise<IAcmeAuthorization[]> {
+    const authorizations: IAcmeAuthorization[] = [];
+    for (const authzUrl of order.authorizations) {
+      const response = await this.httpClient.signedRequest(authzUrl, null);
+      authorizations.push(response.data as IAcmeAuthorization);
+    }
+    return authorizations;
+  }
+
+  /**
+   * Finalize an order by submitting the CSR.
+   * Waits for the order to reach 'valid' status.
+   * Mutates the order object with updated status and certificate URL.
+   */
+  async finalize(order: IAcmeOrder, csrPem: string): Promise<void> {
+    // Convert PEM CSR to base64url DER for ACME
+    const csrDer = AcmeCrypto.pemToBuffer(csrPem);
+    const csrB64url = csrDer.toString('base64url');
+
+    const response = await this.httpClient.signedRequest(order.finalize, { csr: csrB64url });
+
+    // Update order with response data
+    const updatedOrder = response.data;
+    order.status = updatedOrder.status;
+    if (updatedOrder.certificate) {
+      order.certificate = updatedOrder.certificate;
+    }
+
+    // If not yet valid, poll until it is
+    if (order.status !== 'valid' && order.url) {
+      const finalOrder = await this.waitForValidStatus({ url: order.url });
+      order.status = finalOrder.status;
+      order.certificate = finalOrder.certificate;
+    }
+  }
+
+  /**
+   * Download the certificate chain (PEM) from the order's certificate URL
+   */
+  async getCertificate(order: IAcmeOrder): Promise<string> {
+    if (!order.certificate) {
+      throw new Error('Order does not have a certificate URL - finalize first');
+    }
+    const response = await this.httpClient.signedRequest(order.certificate, null);
+    // Certificate chain is returned as PEM text
+    return typeof response.data === 'string' ? response.data : response.data.toString();
+  }
+
+  /**
+   * Poll an ACME resource (order or challenge) until it reaches 'valid' or 'ready' status.
+   * Uses exponential backoff with Retry-After header support.
+   */
+  async waitForValidStatus(
+    item: { url: string },
+    opts?: { maxAttempts?: number; initialDelayMs?: number },
+  ): Promise<any> {
+    const maxAttempts = opts?.maxAttempts ?? 30;
+    const initialDelay = opts?.initialDelayMs ?? 1000;
+
+    for (let i = 0; i < maxAttempts; i++) {
+      const response = await this.httpClient.signedRequest(item.url, null);
+      const body = response.data;
+
+      if (body.status === 'valid' || body.status === 'ready') {
+        return body;
+      }
+      if (body.status === 'invalid') {
+        const challengeError = body.challenges?.find((c: any) => c.error)?.error;
+        throw new AcmeError({
+          status: 0,
+          type: challengeError?.type || 'urn:ietf:params:acme:error:rejectedIdentifier',
+          detail: challengeError?.detail || JSON.stringify(body),
+          subproblems: challengeError?.subproblems,
+          url: item.url,
+        });
+      }
+
+      // Respect Retry-After header, otherwise exponential backoff
+      const retryAfter = parseInt(response.headers['retry-after'] || '0', 10);
+      const delay =
+        retryAfter > 0 ? retryAfter * 1000 : Math.min(initialDelay * Math.pow(2, i), 30000);
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+
+    throw new Error(`Timeout waiting for valid status after ${maxAttempts} attempts`);
+  }
+}

ts/acme/acme.interfaces.ts

@@ -0,0 +1,74 @@
+/**
+ * ACME Protocol interfaces per RFC 8555
+ */
+
+export interface IAcmeDirectory {
+  newNonce: string;
+  newAccount: string;
+  newOrder: string;
+  newAuthz?: string;
+  revokeCert?: string;
+  keyChange?: string;
+  meta?: IAcmeDirectoryMeta;
+}
+
+export interface IAcmeDirectoryMeta {
+  termsOfService?: string;
+  website?: string;
+  caaIdentities?: string[];
+  externalAccountRequired?: boolean;
+}
+
+export interface IAcmeIdentifier {
+  type: 'dns';
+  value: string;
+}
+
+export interface IAcmeAccount {
+  status: string;
+  contact?: string[];
+  termsOfServiceAgreed?: boolean;
+  orders?: string;
+}
+
+export interface IAcmeAccountCreateRequest {
+  termsOfServiceAgreed: boolean;
+  contact?: string[];
+}
+
+export interface IAcmeOrder {
+  url: string;
+  status: string;
+  expires?: string;
+  identifiers: IAcmeIdentifier[];
+  authorizations: string[];
+  finalize: string;
+  certificate?: string;
+}
+
+export interface IAcmeAuthorization {
+  identifier: IAcmeIdentifier;
+  status: string;
+  expires?: string;
+  challenges: IAcmeChallenge[];
+  wildcard?: boolean;
+}
+
+export interface IAcmeChallenge {
+  type: string;
+  url: string;
+  status: string;
+  token: string;
+  validated?: string;
+}
+
+export interface IAcmeCsrOptions {
+  commonName: string;
+  altNames?: string[];
+}
+
+export interface IAcmeHttpResponse {
+  status: number;
+  headers: Record<string, string>;
+  data: any;
+}

ts/acme/index.ts

@@ -0,0 +1,16 @@
+export { AcmeClient, type IAcmeClientOptions } from './acme.classes.client.js';
+export { AcmeCrypto } from './acme.classes.crypto.js';
+export { AcmeError } from './acme.classes.error.js';
+export { ACME_DIRECTORY_URLS } from './acme.classes.directory.js';
+export type {
+  IAcmeDirectory,
+  IAcmeDirectoryMeta,
+  IAcmeIdentifier,
+  IAcmeAccount,
+  IAcmeAccountCreateRequest,
+  IAcmeOrder,
+  IAcmeAuthorization,
+  IAcmeChallenge,
+  IAcmeCsrOptions,
+  IAcmeHttpResponse,
+} from './acme.interfaces.js';

ts/certmanagers/index.ts

@@ -0,0 +1,2 @@
+export * from './memory.js';
+export * from './mongo.js';

ts/certmanagers/memory.ts

@@ -0,0 +1,38 @@
+import * as plugins from '../plugins.js';
+import type { ICertManager } from '../interfaces/certmanager.js';
+import { SmartacmeCert } from '../smartacme.classes.cert.js';
+
+/**
+ * In-memory certificate manager for mongoless mode.
+ * Stores certificates in memory only and does not connect to MongoDB.
+ */
+export class MemoryCertManager implements ICertManager {
+  private certs: Map<string, SmartacmeCert> = new Map();
+
+
+  public async init(): Promise<void> {
+    // no-op for in-memory store
+  }
+
+  public async retrieveCertificate(domainName: string): Promise<SmartacmeCert | null> {
+    return this.certs.get(domainName) ?? null;
+  }
+
+  public async storeCertificate(cert: SmartacmeCert): Promise<void> {
+    this.certs.set(cert.domainName, cert);
+  }
+
+  public async deleteCertificate(domainName: string): Promise<void> {
+    this.certs.delete(domainName);
+  }
+
+  public async close(): Promise<void> {
+    // no-op
+  }
+  /**
+   * Wipe all certificates from the in-memory store (for testing)
+   */
+  public async wipe(): Promise<void> {
+    this.certs.clear();
+  }
+}

ts/certmanagers/mongo.ts

@@ -0,0 +1,51 @@
+import * as plugins from '../plugins.js';
+import type { ICertManager } from '../interfaces/certmanager.js';
+import { SmartacmeCert } from '../smartacme.classes.cert.js';
+
+/**
+ * MongoDB-backed certificate manager using EasyStore from smartdata.
+ */
+export class MongoCertManager implements ICertManager {
+  private db: plugins.smartdata.SmartdataDb;
+  private store: plugins.smartdata.EasyStore<Record<string, any>>;
+
+  /**
+   * @param mongoDescriptor MongoDB connection settings
+   */
+  constructor(mongoDescriptor: plugins.smartdata.IMongoDescriptor) {
+    this.db = new plugins.smartdata.SmartdataDb(mongoDescriptor);
+    this.store = new plugins.smartdata.EasyStore<Record<string, any>>(
+      'smartacme-certs',
+      this.db,
+    );
+  }
+
+  public async init(): Promise<void> {
+    await this.db.init();
+  }
+
+  public async retrieveCertificate(domainName: string): Promise<SmartacmeCert | null> {
+    const data = await this.store.readKey(domainName);
+    return data ? new SmartacmeCert(data) : null;
+  }
+
+  public async storeCertificate(cert: SmartacmeCert): Promise<void> {
+    // write plain object for persistence
+    await this.store.writeKey(cert.domainName, { ...cert });
+  }
+
+  public async deleteCertificate(domainName: string): Promise<void> {
+    await this.store.deleteKey(domainName);
+  }
+
+  public async close(): Promise<void> {
+    await this.db.close();
+  }
+  /**
+   * Wipe all certificates from the persistent store (for integration testing)
+   */
+  public async wipe(): Promise<void> {
+    // clear all keys in the easy store
+    await this.store.wipe();
+  }
+}

ts/handlers/Dns01Handler.ts

@@ -0,0 +1,36 @@
+import * as plugins from '../plugins.js';
+import type { IChallengeHandler } from './IChallengeHandler.js';
+
+/**
+ * DNS-01 challenge handler using CloudflareAccount and Smartdns.
+ */
+export class Dns01Handler implements IChallengeHandler<plugins.tsclass.network.IDnsChallenge> {
+  private cf: plugins.tsclass.network.IConvenientDnsProvider;
+  private smartdns: plugins.smartdnsClient.Smartdns;
+
+  constructor(
+    convenientDnsProvider: plugins.tsclass.network.IConvenientDnsProvider,
+    smartdnsInstance?: plugins.smartdnsClient.Smartdns,
+  ) {
+    this.cf = convenientDnsProvider;
+    this.smartdns = smartdnsInstance ?? new plugins.smartdnsClient.Smartdns({});
+  }
+
+  public getSupportedTypes(): string[] {
+    return ['dns-01'];
+  }
+
+  public async prepare(ch: plugins.tsclass.network.IDnsChallenge): Promise<void> {
+    // set DNS TXT record
+    await this.cf.convenience.acmeSetDnsChallenge(ch);
+  }
+
+  public async cleanup(ch: plugins.tsclass.network.IDnsChallenge): Promise<void> {
+    // remove DNS TXT record
+    await this.cf.convenience.acmeRemoveDnsChallenge(ch);
+  }
+
+  public async checkWetherDomainIsSupported(domainArg: string): Promise<boolean> {
+    return this.cf.convenience.isDomainSupported(domainArg);
+  }
+}

ts/handlers/Http01Handler.ts

@@ -0,0 +1,69 @@
+import * as plugins from '../plugins.js';
+import type { IChallengeHandler } from './IChallengeHandler.js';
+
+/**
+ * HTTP-01 ACME challenge handler using file-system webroot.
+ * Writes and removes the challenge file under <webroot>/.well-known/acme-challenge/. 
+ */
+export interface Http01WebrootOptions {
+  /**
+   * Directory that serves HTTP requests for /.well-known/acme-challenge
+   */
+  webroot: string;
+}
+
+export class Http01Webroot implements IChallengeHandler<{
+  type: string;
+  token: string;
+  keyAuthorization: string;
+  webPath: string;
+}> {
+  private smartnetworkInstance = new plugins.smartnetwork.SmartNetwork();
+  private smartdnsClient = new plugins.smartdnsClient.Smartdns({});
+  
+  private webroot: string;
+
+  constructor(options: Http01WebrootOptions) {
+    this.webroot = options.webroot;
+  }
+
+  public getSupportedTypes(): string[] {
+    return ['http-01'];
+  }
+
+  public async prepare(ch: { token: string; keyAuthorization: string; webPath: string }): Promise<void> {
+    const relWebPath = ch.webPath.replace(/^\/+/, '');
+    const filePath = plugins.path.join(this.webroot, relWebPath);
+    const dir = plugins.path.dirname(filePath);
+    await plugins.fs.promises.mkdir(dir, { recursive: true });
+    await plugins.fs.promises.writeFile(filePath, ch.keyAuthorization, 'utf8');
+  }
+
+  public async verify(ch: { webPath: string; keyAuthorization: string }): Promise<void> {
+    // Optional: implement HTTP polling if desired
+    return;
+  }
+
+  public async cleanup(ch: { token: string; webPath: string }): Promise<void> {
+    const relWebPath = ch.webPath.replace(/^\/+/, '');
+    const filePath = plugins.path.join(this.webroot, relWebPath);
+    try {
+      await plugins.fs.promises.unlink(filePath);
+    } catch {
+      // ignore missing file
+    }
+  }
+
+  public async checkWetherDomainIsSupported(domainArg: string): Promise<boolean> {
+    const publicIps = await this.smartnetworkInstance.getPublicIps();
+    const aRecords = await this.smartdnsClient.getRecordsA(domainArg);
+    const aaaaRecords = await this.smartdnsClient.getRecordsAAAA(domainArg);
+    if (aRecords.length && aRecords.some(record => record.value !== publicIps.v4)) {
+      return false;
+    }
+    if (aaaaRecords.length && aaaaRecords.some(record => record.value !== publicIps.v6)) {
+      return false;
+    }
+    return true;
+  }
+}

ts/handlers/Http01MemoryHandler.ts

@@ -0,0 +1,83 @@
+import * as plugins from '../plugins.js';
+import type { IChallengeHandler } from './IChallengeHandler.js';
+
+/**
+ * HTTP-01 ACME challenge handler using in-memory storage.
+ * Stores challenge tokens and key authorizations in memory
+ * and serves them via handleRequest for arbitrary HTTP servers.
+ */
+export interface Http01MemoryHandlerChallenge {
+  type: string;
+  token: string;
+  keyAuthorization: string;
+  webPath: string;
+}
+
+export class Http01MemoryHandler implements IChallengeHandler<Http01MemoryHandlerChallenge> {
+  private smartnetworkInstance = new plugins.smartnetwork.SmartNetwork();
+  private smartdnsClient = new plugins.smartdnsClient.Smartdns({});
+  private store: Map<string, string> = new Map();
+
+  public getSupportedTypes(): string[] {
+    return ['http-01'];
+  }
+
+  public async prepare(ch: Http01MemoryHandlerChallenge): Promise<void> {
+    this.store.set(ch.token, ch.keyAuthorization);
+  }
+
+  public async verify(_ch: Http01MemoryHandlerChallenge): Promise<void> {
+    // No-op
+    return;
+  }
+
+  public async cleanup(ch: Http01MemoryHandlerChallenge): Promise<void> {
+    this.store.delete(ch.token);
+  }
+
+  /**
+   * HTTP request handler for serving ACME HTTP-01 challenges.
+   * @param req HTTP request object (should have url property)
+   * @param res HTTP response object
+   * @param next Optional next() callback for Express-style fallthrough
+   */
+  public handleRequest(req: any, res: any, next?: () => void): void {
+    const url = req.url || '';
+    const prefix = '/.well-known/acme-challenge/';
+    if (!url.startsWith(prefix)) {
+      if (next) {
+        return next();
+      }
+      res.statusCode = 404;
+      return res.end();
+    }
+    const token = url.slice(prefix.length);
+    const keyAuth = this.store.get(token);
+    if (keyAuth !== undefined) {
+      if (typeof res.status === 'function' && typeof res.send === 'function') {
+        return res.status(200).send(keyAuth);
+      }
+      res.statusCode = 200;
+      res.setHeader('content-type', 'text/plain');
+      return res.end(keyAuth);
+    }
+    if (next) {
+      return next();
+    }
+    res.statusCode = 404;
+    return res.end();
+  }
+
+  public async checkWetherDomainIsSupported(domainArg: string): Promise<boolean> {
+    const publicIps = await this.smartnetworkInstance.getPublicIps();
+    const aRecords = await this.smartdnsClient.getRecordsA(domainArg);
+    const aaaaRecords = await this.smartdnsClient.getRecordsAAAA(domainArg);
+    if (aRecords.length && aRecords.some((record) => record.value !== publicIps.v4)) {
+      return false;
+    }
+    if (aaaaRecords.length && aaaaRecords.some((record) => record.value !== publicIps.v6)) {
+      return false;
+    }
+    return true;
+  }
+}

ts/handlers/IChallengeHandler.ts

@@ -0,0 +1,24 @@
+/**
+ * Pluggable interface for ACME challenge handlers.
+ * Supports DNS-01, HTTP-01, TLS-ALPN-01, or custom challenge types.
+ */
+export interface IChallengeHandler<T> {
+  /**
+   * ACME challenge types this handler supports (e.g. ['dns-01']).
+   */
+  getSupportedTypes(): string[];
+  /**
+   * Prepare the challenge: set DNS record, start HTTP/TLS server, etc.
+   */
+  prepare(ch: T): Promise<void>;
+  /**
+   * Optional extra verify step (HTTP GET, ALPN handshake).
+   */
+  verify?(ch: T): Promise<void>;
+  /**
+   * Clean up resources: remove DNS record, stop server.
+   */
+  cleanup(ch: T): Promise<void>;
+
+  checkWetherDomainIsSupported(domainArg: string): Promise<boolean>;
+}

ts/handlers/index.ts

@@ -0,0 +1,5 @@
+export type { IChallengeHandler } from './IChallengeHandler.js';
+// Removed legacy handler adapter
+export { Dns01Handler } from './Dns01Handler.js';
+export { Http01Webroot } from './Http01Handler.js';
+export { Http01MemoryHandler } from './Http01MemoryHandler.js';

ts/index.ts

@@ -1,3 +1,14 @@
-export * from './smartacme.classes.smartacme';
+export * from './smartacme.classes.smartacme.js';
+export { SmartacmeCert as Cert } from './smartacme.classes.cert.js';
+export type { ICertManager } from './interfaces/certmanager.js';
 
-export * from './smartacme.classes.certremoteclient';
+// certmanagers
+import * as certmanagers from './certmanagers/index.js';
+export { certmanagers };
+
+// handlers
+import * as handlers from './handlers/index.js';
+export { handlers };
+
+// re-export taskbuffer event types for consumers
+export type { ITaskEvent, ITaskMetadata } from '@push.rocks/taskbuffer';

ts/interfaces/cert.ts

@@ -1,10 +0,0 @@
-export type TCertStatus = 'existing' | 'nonexisting' | 'pending' | 'failed';
-
-export interface ICert {
-  id: string;
-  domainName: string;
-  created: number;
-  privateKey: string;
-  publicKey: string;
-  csr: string;
-}

ts/interfaces/certmanager.ts

@@ -0,0 +1,36 @@
+import type { SmartacmeCert } from '../smartacme.classes.cert.js';
+
+// (ICertRecord removed; use SmartacmeCert directly)
+
+/**
+ * Interface for certificate storage managers.
+ * Users can implement this to provide custom persistence (in-memory,
+ * file-based, Redis, etc.).
+ */
+export interface ICertManager {
+  /**
+   * Initialize the store (e.g., connect to database).
+   */
+  init(): Promise<void>;
+  /**
+   * Retrieve a certificate record by domain name.
+   * Returns null if none found.
+   */
+  retrieveCertificate(domainName: string): Promise<SmartacmeCert | null>;
+  /**
+   * Store a certificate record. Fulfills any pending interests.
+   */
+  storeCertificate(cert: SmartacmeCert): Promise<void>;
+  /**
+   * Delete a certificate record by domain name.
+   */
+  deleteCertificate(domainName: string): Promise<void>;
+  /**
+   * Close the store (e.g., disconnect database).
+   */
+  close(): Promise<void>;
+  /**
+   * Optional: wipe all stored certificates (e.g., for integration testing)
+   */
+  wipe(): Promise<void>;
+}

ts/interfaces/certremote.ts

@@ -1,11 +0,0 @@
-import { ICert, TCertStatus } from './cert';
-
-export interface ICertRemoteRequest {
-  secret: string;
-  domainName: string;
-}
-
-export interface ICertRemoteResponse {
-  status: TCertStatus;
-  certificate?: ICert;
-}

ts/interfaces/index.ts

@@ -1,3 +1 @@
-export * from './accountdata';
-export * from './cert';
-export * from './certremote';
+export * from './accountdata.js';

ts/plugins.ts

@@ -0,0 +1,48 @@
+// node native
+import * as fs from 'fs';
+import * as path from 'path';
+
+export { fs, path };
+
+// @apiclient.xyz scope
+import * as cloudflare from '@apiclient.xyz/cloudflare';
+
+export { cloudflare };
+
+// @push.rocks scope
+import * as lik from '@push.rocks/lik';
+import * as smartdata from '@push.rocks/smartdata';
+import * as smartdelay from '@push.rocks/smartdelay';
+import * as smartdnsClient from '@push.rocks/smartdns/client';
+import * as smartlog from '@push.rocks/smartlog';
+import * as smartnetwork from '@push.rocks/smartnetwork';
+import * as smartunique from '@push.rocks/smartunique';
+import * as smartstring from '@push.rocks/smartstring';
+import * as smarttime from '@push.rocks/smarttime';
+import * as taskbuffer from '@push.rocks/taskbuffer';
+
+export {
+  lik,
+  smartdata,
+  smartdelay,
+  smartdnsClient,
+  smartlog,
+  smartnetwork,
+  smartunique,
+  smartstring,
+  smarttime,
+  taskbuffer,
+};
+
+// @tsclass scope
+import * as tsclass from '@tsclass/tsclass';
+
+export { tsclass };
+
+// acme protocol (custom implementation)
+import * as acme from './acme/index.js';
+
+export { acme };
+// local handlers for challenge types
+import * as handlers from './handlers/index.js';
+export { handlers };

ts/smartacme.classes.cert.ts

@@ -1,40 +1,39 @@
-import * as plugins from './smartacme.plugins';
+import * as plugins from './plugins.js';
 
-import * as interfaces from './interfaces';
-
-import { CertManager } from './smartacme.classes.certmanager';
-
-import { Collection, svDb, unI } from '@pushrocks/smartdata';
-import { ICert } from './interfaces';
-
-@plugins.smartdata.Collection(() => {
-  return CertManager.activeDB;
-})
-export class Cert extends plugins.smartdata.SmartDataDbDoc<Cert> implements interfaces.ICert {
-  @unI()
+/**
+ * Plain certificate record.
+ */
+export class SmartacmeCert {
   public id: string;
-
-  @svDb()
   public domainName: string;
-
-  @svDb()
   public created: number;
-
-  @svDb()
   public privateKey: string;
-  
-  @svDb()
   public publicKey: string;
-  
-  @svDb()
   public csr: string;
+  public validUntil: number;
 
-  constructor(optionsArg: ICert) {
-    super();
-    if (optionsArg) {
-      Object.keys(optionsArg).forEach(key => {
-        this[key] = optionsArg[key];
-      });
-    }
+  constructor(data: Partial<SmartacmeCert> = {}) {
+    this.id = data.id || '';
+    this.domainName = data.domainName || '';
+    this.created = data.created || Date.now();
+    this.privateKey = data.privateKey || '';
+    this.publicKey = data.publicKey || '';
+    this.csr = data.csr || '';
+    this.validUntil = data.validUntil || 0;
+  }
+
+  /**
+   * Check if certificate is still valid.
+   */
+  public isStillValid(): boolean {
+    return this.validUntil >= Date.now();
+  }
+
+  /**
+   * Check if certificate needs renewal (e.g., expires in <10 days).
+   */
+  public shouldBeRenewed(): boolean {
+    const threshold = Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 10 });
+    return this.validUntil < threshold;
   }
 }

ts/smartacme.classes.certmanager.ts

@@ -1,104 +0,0 @@
-import * as plugins from './smartacme.plugins';
-import { Cert } from './smartacme.classes.cert';
-import { SmartAcme } from './smartacme.classes.smartacme';
-
-import * as interfaces from './interfaces';
-
-
-export class CertManager {
-  // =========
-  // STATIC
-  // =========
-  public static activeDB: plugins.smartdata.SmartdataDb;
-  
-  
-  // =========
-  // INSTANCE
-  // =========
-  private mongoDescriptor: plugins.smartdata.IMongoDescriptor;
-  public smartdataDb: plugins.smartdata.SmartdataDb;
-
-  public pendingMap: plugins.lik.Stringmap;
-
-  constructor(smartAcmeArg: SmartAcme,optionsArg: {
-    mongoDescriptor: plugins.smartdata.IMongoDescriptor;
-  }) {
-    this.mongoDescriptor = optionsArg.mongoDescriptor;
-  }
-
-  public async init () {
-    // Smartdata DB
-    this.smartdataDb = new plugins.smartdata.SmartdataDb(this.mongoDescriptor);
-    await this.smartdataDb.init();
-    CertManager.activeDB = this.smartdataDb;
-
-    // Pending Map
-    this.pendingMap = new plugins.lik.Stringmap();
-  }
-
-  /**
-   * retrieves a certificate
-   * @returns the Cert class or null
-   * @param domainName the domain Name to retrieve the vcertificate for
-   */
-  public async retrieveCertificate(domainName: string): Promise<Cert> {
-    await this.checkCerts();
-    const existingCertificate: Cert = await Cert.getInstance({
-      domainName
-    });
-
-    if(existingCertificate) {
-      return existingCertificate;
-    } else {
-      return null;
-    }
-
-  }
-
-  /**
-   * stores the certificate
-   * @param optionsArg 
-   */
-  public async storeCertificate(optionsArg: interfaces.ICert) {
-    const cert = new Cert(optionsArg);
-    await cert.save();
-    this.pendingMap.removeString(optionsArg.domainName);
-  }
-
-  public async deleteCertificate(domainNameArg: string) {
-
-  }
-
-  /**
-   * announce a certificate as being in the process of being retrieved
-   */
-  public async announceCertificate (domainNameArg: string) {
-    this.pendingMap.addString(domainNameArg);
-  }
-
-  /**
-   * gets the status of a certificate by certDomain name
-   * @param certDomainArg
-   */
-  public async getCertificateStatus(certDomainArg: string): Promise<interfaces.TCertStatus> {
-    const isPending = this.pendingMap.checkString(certDomainArg);
-    if (isPending) {
-      return 'pending';
-    }
-
-    // otherwise lets continue
-    const existingCertificate = await this.retrieveCertificate(certDomainArg);
-    if (existingCertificate) {
-      return 'existing';
-    }
-
-    return 'nonexisting';
-  }
-
-  /**
-   * checks all certs for expiration
-   */
-  private async checkCerts() {
-    // TODO
-  };
-}

ts/smartacme.classes.certmatcher.ts

@@ -1,10 +1,26 @@
-import * as plugins from './smartacme.plugins';
+import * as plugins from './plugins.js';
+import * as interfaces from './interfaces/index.js';
 
-export class CertMatcher {
-  public getCertificateDomainNameByDomainName(domainNameArg: string): string {
+/**
+ * certmatcher is responsible for matching certificates
+ */
+export class SmartacmeCertMatcher {
+  /**
+   * creates a domainName for the certificate that will include the broadest scope
+   * for wild card certificates
+   * @param domainNameArg the domainNameArg to create the scope from
+   */
+  public getCertificateDomainNameByDomainName(domainNameArg: string): string | undefined {
+    // Handle wildcard domains by stripping the '*.' prefix.
+    if (domainNameArg.startsWith('*.')) {
+      return domainNameArg.slice(2);
+    }
     const originalDomain = new plugins.smartstring.Domain(domainNameArg);
+    // For domains with up to 3 levels (no level4), return base domain.
     if (!originalDomain.level4) {
       return `${originalDomain.level2}.${originalDomain.level1}`;
     }
+    // Deeper domains (4+ levels) are not supported.
+    return undefined;
   }
 }

ts/smartacme.classes.certremoteclient.ts

@@ -1,56 +0,0 @@
-import * as plugins from './smartacme.plugins';
-import * as interfaces from './interfaces';
-
-// tslint:disable-next-line: max-classes-per-file
-export class CertRemoteClient {
-  private remoteUrl: string;
-  private secret: string;
-  private logger: plugins.smartlog.Smartlog;
-
-  constructor(optionsArg: {
-    remoteUrl: string;
-    secret: string;
-    logger?: plugins.smartlog.Smartlog;
-  }) {
-    this.remoteUrl = optionsArg.remoteUrl;
-    this.secret = optionsArg.secret;
-    optionsArg.logger
-      ? (this.logger = optionsArg.logger)
-      : (this.logger = plugins.smartlog.defaultLogger);
-  }
-
-  /**
-   *
-   * @param domainNameArg
-   */
-  public async getCertificateForDomain(domainNameArg: string): Promise<interfaces.ICert> {
-    let certificate: interfaces.ICert;
-    const doRequestCycle = async (): Promise<interfaces.ICert> => {
-      const responseBody: interfaces.ICertRemoteResponse = (await plugins.smartrequest.postJson(
-        this.remoteUrl,
-        {
-          requestBody: <interfaces.ICertRemoteRequest>{
-            domainName: domainNameArg,
-            secret: this.secret
-          }
-        }
-      )).body;
-      console.log(responseBody);
-      switch (responseBody.status as interfaces.TCertStatus) {
-        case 'pending':
-          await plugins.smartdelay.delayFor(5000);
-          const finalResponse = await doRequestCycle();
-          return finalResponse;
-        case 'existing':
-          this.logger.log('ok', `got certificate for ${domainNameArg}`);
-          return responseBody.certificate;
-        case 'failed':
-        default:
-          console.log(`could not retrieve certificate for ${domainNameArg}`);
-          return null;
-      }
-    };
-    certificate = await doRequestCycle();
-    return certificate;
-  }
-}

ts/smartacme.classes.smartacme.ts

@@ -1,22 +1,74 @@
-import * as plugins from './smartacme.plugins';
-import { Cert } from './smartacme.classes.cert';
-import { CertManager } from './smartacme.classes.certmanager';
-import { CertMatcher } from './smartacme.classes.certmatcher';
+import * as plugins from './plugins.js';
+import type { ICertManager } from './interfaces/certmanager.js';
+import { SmartacmeCertMatcher } from './smartacme.classes.certmatcher.js';
+import { commitinfo } from './00_commitinfo_data.js';
+import { SmartacmeCert } from './smartacme.classes.cert.js';
 
-import * as interfaces from './interfaces';
-import { request } from 'http';
+// ── Types & constants for certificate issuance task ──────────────────────────
+
+interface ICertIssuanceInput {
+  certDomainName: string;
+  domainArg: string;
+  isWildcardRequest: boolean;
+  includeWildcard: boolean;
+}
+
+const CERT_ISSUANCE_STEPS = [
+  { name: 'prepare',   description: 'Creating ACME order',         percentage: 10 },
+  { name: 'authorize', description: 'Solving ACME challenges',     percentage: 40 },
+  { name: 'finalize',  description: 'Finalizing and getting cert', percentage: 30 },
+  { name: 'store',     description: 'Storing certificate',         percentage: 20 },
+] as const;
 
 /**
  * the options for the class @see SmartAcme
  */
 export interface ISmartAcmeOptions {
-  accountPrivateKey?: string;
   accountEmail: string;
-  mongoDescriptor: plugins.smartdata.IMongoDescriptor;
-  setChallenge: (domainName: string, keyAuthorization: string) => Promise<any>;
-  removeChallenge: (domainName: string) => Promise<any>;
+  accountPrivateKey?: string;
+  /**
+   * Certificate storage manager (e.g., Mongo or in-memory).
+   */
+  certManager: ICertManager;
+  // Removed legacy setChallenge/removeChallenge in favor of `challengeHandlers`
   environment: 'production' | 'integration';
-  logger?: plugins.smartlog.Smartlog;
+  /**
+   * Optional retry/backoff configuration for transient failures
+   */
+  retryOptions?: {
+    /** number of retry attempts */
+    retries?: number;
+    /** backoff multiplier */
+    factor?: number;
+    /** initial delay in milliseconds */
+    minTimeoutMs?: number;
+    /** maximum delay cap in milliseconds */
+    maxTimeoutMs?: number;
+  };
+  /**
+   * Pluggable ACME challenge handlers (DNS-01, HTTP-01, TLS-ALPN-01, etc.)
+   */
+  challengeHandlers?: plugins.handlers.IChallengeHandler<any>[];
+  /**
+   * Order of challenge types to try (e.g. ['http-01','dns-01']).
+   * Defaults to ['dns-01'] or first supported type from handlers.
+   */
+  challengePriority?: string[];
+  /**
+   * Maximum number of concurrent ACME issuances across all domains.
+   * Defaults to 5.
+   */
+  maxConcurrentIssuances?: number;
+  /**
+   * Maximum ACME orders allowed within the sliding window.
+   * Defaults to 250 (conservative limit under Let's Encrypt's 300/3h).
+   */
+  maxOrdersPerWindow?: number;
+  /**
+   * Sliding window duration in milliseconds for rate limiting.
+   * Defaults to 3 hours (10_800_000 ms).
+   */
+  orderWindowMs?: number;
 }
 
 /**
@@ -33,182 +85,492 @@ export class SmartAcme {
   private options: ISmartAcmeOptions;
 
   // the acme client
-  private client: any;
-  private smartdns = new plugins.smartdns.Smartdns();
+  private client: plugins.acme.AcmeClient;
+  private smartdns = new plugins.smartdnsClient.Smartdns({});
   public logger: plugins.smartlog.Smartlog;
 
   // the account private key
   private privateKey: string;
 
-  // challenge fullfillment
-  private setChallenge: (domainName: string, keyAuthorization: string) => Promise<any>;
-  private removeChallenge: (domainName: string) => Promise<any>;
 
-  // certmanager
-  private certmanager: CertManager;
-  private certmatcher: CertMatcher;
+  // certificate manager for persistence (implements ICertManager)
+  public certmanager: ICertManager;
+  // configured pluggable ACME challenge handlers
+  public challengeHandlers: plugins.handlers.IChallengeHandler<any>[];
+
+
+  private certmatcher: SmartacmeCertMatcher;
+  // retry/backoff configuration (resolved with defaults)
+  private retryOptions: { retries: number; factor: number; minTimeoutMs: number; maxTimeoutMs: number };
+  // track pending DNS challenges for graceful shutdown
+  private pendingChallenges: plugins.tsclass.network.IDnsChallenge[] = [];
+  // priority order of challenge types
+  private challengePriority: string[];
+  // TaskManager for coordinating concurrent certificate requests
+  private taskManager: plugins.taskbuffer.TaskManager;
+  // Single reusable task for certificate issuance
+  private certIssuanceTask: plugins.taskbuffer.Task<undefined, typeof CERT_ISSUANCE_STEPS>;
+  // bound signal handlers so they can be removed on stop()
+  private boundSigintHandler: (() => void) | null = null;
+  private boundSigtermHandler: (() => void) | null = null;
 
   /**
-   * the remote handler to hand the request and response to.
+   * Exposes the aggregated task event stream for observing certificate issuance progress.
    */
-  public certremoteHandler = async (
-    req: plugins.smartexpress.Request,
-    res: plugins.smartexpress.Response
-  ) => {
-    const requestBody: interfaces.ICertRemoteRequest = req.body;
-    const certDomain = this.certmatcher.getCertificateDomainNameByDomainName(
-      requestBody.domainName
-    );
-    let status: interfaces.TCertStatus = await this.certmanager.getCertificateStatus(certDomain);
-    let response: interfaces.ICertRemoteResponse;
-    switch (status) {
-      case 'existing':
-        this.logger.log('ok', `certificate exists for ${certDomain}. Sending certificate!`);
-        response = {
-          status,
-          certificate: await (await this.certmanager.retrieveCertificate(
-            certDomain
-          )).createSavableObject()
-        };
-        break;
-      default:
-        if (status === 'nonexisting') {
-          this.getCertificateForDomain(certDomain);
-          status = 'pending';
-        }
-        response = {
-          status
-        };
-        break;
-    }
-    res.status(200);
-    res.send(response);
-    res.end();
+  public get certIssuanceEvents(): plugins.taskbuffer.TaskManager['taskSubject'] {
+    return this.taskManager.taskSubject;
   }
 
   constructor(optionsArg: ISmartAcmeOptions) {
     this.options = optionsArg;
-    this.options.logger
-      ? (this.logger = optionsArg.logger)
-      : (this.logger = plugins.smartlog.defaultLogger);
+    this.logger = plugins.smartlog.Smartlog.createForCommitinfo(commitinfo);
+    // enable console output for structured logging
+    this.logger.enableConsole();
+    // initialize retry/backoff options
+    this.retryOptions = {
+      retries: optionsArg.retryOptions?.retries ?? 10,
+      factor: optionsArg.retryOptions?.factor ?? 4,
+      minTimeoutMs: optionsArg.retryOptions?.minTimeoutMs ?? 1000,
+      maxTimeoutMs: optionsArg.retryOptions?.maxTimeoutMs ?? 60000,
+    };
+    // initialize challenge handlers (must provide at least one)
+    if (!optionsArg.challengeHandlers || optionsArg.challengeHandlers.length === 0) {
+      throw new Error(
+        'You must provide at least one ACME challenge handler via options.challengeHandlers',
+      );
+    }
+    this.challengeHandlers = optionsArg.challengeHandlers;
+    // initialize challenge priority
+    this.challengePriority =
+      optionsArg.challengePriority && optionsArg.challengePriority.length > 0
+        ? optionsArg.challengePriority
+        : this.challengeHandlers.map((h) => h.getSupportedTypes()[0]);
+
+    // ── TaskManager setup ──────────────────────────────────────────────────
+    this.taskManager = new plugins.taskbuffer.TaskManager();
+
+    // Constraint 1: Per-domain mutex — one issuance at a time per TLD, with result sharing
+    const certDomainMutex = new plugins.taskbuffer.TaskConstraintGroup({
+      name: 'cert-domain-mutex',
+      maxConcurrent: 1,
+      resultSharingMode: 'share-latest',
+      constraintKeyForExecution: (_task, input?: ICertIssuanceInput) => {
+        return input?.certDomainName ?? null;
+      },
+      shouldExecute: async (_task, input?: ICertIssuanceInput) => {
+        if (!input?.certDomainName || !this.certmanager) return true;
+        // Safety net: if a valid cert is already cached, skip re-issuance
+        const existing = await this.certmanager.retrieveCertificate(input.certDomainName);
+        if (existing && !existing.shouldBeRenewed()) {
+          return false;
+        }
+        return true;
+      },
+    });
+
+    // Constraint 2: Global concurrency cap
+    const acmeGlobalConcurrency = new plugins.taskbuffer.TaskConstraintGroup({
+      name: 'acme-global-concurrency',
+      maxConcurrent: optionsArg.maxConcurrentIssuances ?? 5,
+      constraintKeyForExecution: () => 'global',
+    });
+
+    // Constraint 3: Account-level rate limiting
+    const acmeAccountRateLimit = new plugins.taskbuffer.TaskConstraintGroup({
+      name: 'acme-account-rate-limit',
+      rateLimit: {
+        maxPerWindow: optionsArg.maxOrdersPerWindow ?? 250,
+        windowMs: optionsArg.orderWindowMs ?? 10_800_000,
+      },
+      constraintKeyForExecution: () => 'account',
+    });
+
+    this.taskManager.addConstraintGroup(certDomainMutex);
+    this.taskManager.addConstraintGroup(acmeGlobalConcurrency);
+    this.taskManager.addConstraintGroup(acmeAccountRateLimit);
+
+    // Create the single reusable certificate issuance task
+    this.certIssuanceTask = new plugins.taskbuffer.Task({
+      name: 'cert-issuance',
+      steps: CERT_ISSUANCE_STEPS,
+      taskFunction: async (input: ICertIssuanceInput) => {
+        return this.performCertificateIssuance(input);
+      },
+    });
+
+    this.taskManager.addTask(this.certIssuanceTask);
   }
 
   /**
-   * inits the instance
+   * starts the instance
    * ```ts
-   * await myCloudlyInstance.init() // does not support options
+   * await myCloudlyInstance.start() // does not support options
    * ```
    */
-  public async init() {
+  public async start() {
     this.privateKey =
-      this.options.accountPrivateKey || (await plugins.acme.forge.createPrivateKey());
-    this.setChallenge = this.options.setChallenge;
-    this.removeChallenge = this.options.removeChallenge;
+      this.options.accountPrivateKey || plugins.acme.AcmeCrypto.createRsaPrivateKey();
 
-    // CertMangaer
-    this.certmanager = new CertManager(this, {
-      mongoDescriptor: this.options.mongoDescriptor
-    });
+    // Initialize certificate manager
+    if (!this.options.certManager) {
+      throw new Error('You must provide a certManager via options.certManager');
+    }
+    this.certmanager = this.options.certManager;
     await this.certmanager.init();
 
     // CertMatcher
-    this.certmatcher = new CertMatcher();
+    this.certmatcher = new SmartacmeCertMatcher();
 
     // ACME Client
-    this.client = new plugins.acme.Client({
+    this.client = new plugins.acme.AcmeClient({
       directoryUrl: (() => {
         if (this.options.environment === 'production') {
-          return plugins.acme.directory.letsencrypt.production;
+          return plugins.acme.ACME_DIRECTORY_URLS.letsencrypt.production;
         } else {
-          return plugins.acme.directory.letsencrypt.staging;
+          return plugins.acme.ACME_DIRECTORY_URLS.letsencrypt.staging;
         }
       })(),
-      accountKey: this.privateKey
+      accountKeyPem: this.privateKey,
+      logger: (level, message, data) => {
+        this.logger.log(level as any, message, data);
+      },
     });
 
     /* Register account */
     await this.client.createAccount({
       termsOfServiceAgreed: true,
-      contact: [`mailto:${this.options.accountEmail}`]
+      contact: [`mailto:${this.options.accountEmail}`],
     });
+
+    // Start the task manager
+    await this.taskManager.start();
+
+    // Setup graceful shutdown handlers (store references for removal in stop())
+    this.boundSigintHandler = () => this.handleSignal('SIGINT');
+    this.boundSigtermHandler = () => this.handleSignal('SIGTERM');
+    process.on('SIGINT', this.boundSigintHandler);
+    process.on('SIGTERM', this.boundSigtermHandler);
   }
 
+  /**
+   * Stops the SmartAcme instance and closes certificate store connections.
+   */
   public async stop() {
-    await this.certmanager.smartdataDb.close();
+    // Remove signal handlers so the process can exit cleanly
+    if (this.boundSigintHandler) {
+      process.removeListener('SIGINT', this.boundSigintHandler);
+      this.boundSigintHandler = null;
+    }
+    if (this.boundSigtermHandler) {
+      process.removeListener('SIGTERM', this.boundSigtermHandler);
+      this.boundSigtermHandler = null;
+    }
+    // Stop the task manager
+    await this.taskManager.stop();
+    // Destroy ACME HTTP transport (closes keep-alive sockets)
+    if (this.client) {
+      this.client.destroy();
+    }
+    // Destroy DNS client (kills Rust bridge child process if spawned)
+    if (this.smartdns) {
+      this.smartdns.destroy();
+    }
+    if (this.certmanager && typeof (this.certmanager as any).close === 'function') {
+      await (this.certmanager as any).close();
+    }
   }
+    /** Retry helper with exponential backoff and AcmeError awareness */
+    private async retry<T>(operation: () => Promise<T>, operationName: string = 'operation'): Promise<T> {
+      let attempt = 0;
+      let delay = this.retryOptions.minTimeoutMs;
+      while (true) {
+        try {
+          return await operation();
+        } catch (err) {
+          // Check if it's a non-retryable ACME error — throw immediately
+          if (err instanceof plugins.acme.AcmeError) {
+            if (!err.isRetryable) {
+              await this.logger.log('error', `Operation ${operationName} failed with non-retryable error (${err.type}, HTTP ${err.status}) at ${err.url}`, err);
+              throw err;
+            }
+            // For rate-limited errors, use server-specified Retry-After delay
+            if (err.isRateLimited && err.retryAfter > 0) {
+              delay = err.retryAfter * 1000;
+              await this.logger.log('warn', `Operation ${operationName} rate-limited, Retry-After: ${err.retryAfter}s`, err);
+            }
+          }
 
-  public async getCertificateForDomain(domainArg: string): Promise<Cert> {
-    const certDomain = this.certmatcher.getCertificateDomainNameByDomainName(domainArg);
-    await this.certmanager.announceCertificate(certDomain);
-    const retrievedCertificate = await this.certmanager.retrieveCertificate(certDomain);
-
-    if (retrievedCertificate) {
-      return retrievedCertificate;
+          attempt++;
+          if (attempt > this.retryOptions.retries) {
+            await this.logger.log('error', `Operation ${operationName} failed after ${attempt} attempts`, err);
+            throw err;
+          }
+          await this.logger.log('warn', `Operation ${operationName} failed on attempt ${attempt}, retrying in ${delay}ms`, err);
+          await plugins.smartdelay.delayFor(delay);
+          delay = Math.min(delay * this.retryOptions.factor, this.retryOptions.maxTimeoutMs);
+        }
+      }
+    }
+    /** Clean up pending challenges and shut down */
+    private async handleShutdown(): Promise<void> {
+      for (const input of [...this.pendingChallenges]) {
+        const type: string = (input as any).type;
+        const handler = this.challengeHandlers.find((h) => h.getSupportedTypes().includes(type));
+        if (handler) {
+          try {
+            await handler.cleanup(input);
+            await this.logger.log('info', `Removed pending ${type} challenge during shutdown`, input);
+          } catch (err) {
+            await this.logger.log('error', `Failed to remove pending ${type} challenge during shutdown`, err);
+          }
+        } else {
+          await this.logger.log(
+            'warn',
+            `No handler for pending challenge type '${type}' during shutdown; skipping cleanup`,
+            input,
+          );
+        }
+      }
+      this.pendingChallenges = [];
+      await this.stop();
+    }
+    /** Handle process signals for graceful shutdown */
+    private handleSignal(sig: string): void {
+      this.logger.log('info', `Received signal ${sig}, shutting down gracefully`);
+      this.handleShutdown()
+        .then(() => process.exit(0))
+        .catch((err) => {
+          this.logger.log('error', 'Error during shutdown', err).then(() => process.exit(1));
+        });
     }
 
-    /* Place new order */
-    const order = await this.client.createOrder({
-      identifiers: [{ type: 'dns', value: certDomain }, { type: 'dns', value: `*.${certDomain}` }]
-    });
+  /**
+   * gets a certificate
+   * it runs through the following steps
+   *
+   * * look in the database
+   * * if in the database and still valid return it
+   * * if not in the database announce it
+   * * then get it from letsencrypt
+   * * store it
+   * * retrieve it from the database and return it
+   *
+   * @param domainArg
+   * @param options Optional configuration for certificate generation
+   */
+  public async getCertificateForDomain(
+    domainArg: string,
+    options?: { includeWildcard?: boolean }
+  ): Promise<SmartacmeCert> {
+    // Determine if this is a wildcard request (e.g., '*.example.com').
+    const isWildcardRequest = domainArg.startsWith('*.');
+    // Determine the base domain for certificate retrieval/issuance.
+    const certDomainName = this.certmatcher.getCertificateDomainNameByDomainName(domainArg);
+    if (!certDomainName) {
+      throw new Error(`Cannot determine certificate domain for ${domainArg}`);
+    }
+    // Wildcard certificates require DNS-01 challenge support.
+    if (isWildcardRequest) {
+      const hasDnsHandler = this.challengeHandlers.some((h) =>
+        h.getSupportedTypes().includes('dns-01'),
+      );
+      if (!hasDnsHandler) {
+        throw new Error('Wildcard certificate requests require a DNS-01 challenge handler');
+      }
+    }
+    // Retrieve any existing certificate record by base domain.
+    const retrievedCertificate = await this.certmanager.retrieveCertificate(certDomainName);
 
-    /* Get authorizations and select challenges */
-    const authorizations = await this.client.getAuthorizations(order);
+    if (retrievedCertificate && !retrievedCertificate.shouldBeRenewed()) {
+      return retrievedCertificate;
+    } else if (retrievedCertificate && retrievedCertificate.shouldBeRenewed()) {
+      // Remove old certificate via certManager
+      await this.certmanager.deleteCertificate(certDomainName);
+    }
 
-    for (const authz of authorizations) {
-      console.log(authz);
-      const domainDnsName: string = `_acme-challenge.${authz.identifier.value}`;
-      const dnsChallenge: string = authz.challenges.find(challengeArg => {
-        return challengeArg.type === 'dns-01';
-      });
-      // process.exit(1);
-      const keyAuthorization: string = await this.client.getChallengeKeyAuthorization(dnsChallenge);
+    // Build issuance input and trigger the constrained task
+    const issuanceInput: ICertIssuanceInput = {
+      certDomainName,
+      domainArg,
+      isWildcardRequest,
+      includeWildcard: options?.includeWildcard ?? false,
+    };
 
-      try {
-        /* Satisfy challenge */
-        await this.setChallenge(domainDnsName, keyAuthorization);
-        await this.smartdns.checkUntilAvailable(domainDnsName, 'TXT', keyAuthorization, 100, 5000);
-        console.log('Cool down an extra 60 second for region availability');
-        await plugins.smartdelay.delayFor(60000);
+    const result = await this.taskManager.triggerTaskConstrained(
+      this.certIssuanceTask,
+      issuanceInput,
+    );
 
-        /* Verify that challenge is satisfied */
-        await this.client.verifyChallenge(authz, dnsChallenge);
+    // If we got a cert directly (either from execution or result sharing), return it
+    if (result != null) {
+      return result;
+    }
 
-        /* Notify ACME provider that challenge is satisfied */
-        await this.client.completeChallenge(dnsChallenge);
+    // If shouldExecute returned false (cert appeared in cache), read from cache
+    const cachedCert = await this.certmanager.retrieveCertificate(certDomainName);
+    if (cachedCert) {
+      return cachedCert;
+    }
 
-        /* Wait for ACME provider to respond with valid status */
-        await this.client.waitForValidStatus(dnsChallenge);
-      } finally {
-        /* Clean up challenge response */
-        try {
-          await this.removeChallenge(domainDnsName);
-        } catch (e) {
-          console.log(e);
+    throw new Error(`Certificate issuance failed for ${certDomainName}`);
+  }
+
+  /**
+   * Performs the actual ACME certificate issuance flow.
+   * Called by the certIssuanceTask's taskFunction.
+   */
+  private async performCertificateIssuance(input: ICertIssuanceInput): Promise<SmartacmeCert> {
+    const { certDomainName, isWildcardRequest, includeWildcard } = input;
+
+    // ── Step: prepare ─────────────────────────────────────────────────────
+    this.certIssuanceTask.notifyStep('prepare');
+
+    // Build identifiers array based on request
+    const identifiers: Array<{ type: 'dns'; value: string }> = [];
+
+    if (isWildcardRequest) {
+      identifiers.push({ type: 'dns', value: `*.${certDomainName}` });
+      identifiers.push({ type: 'dns', value: certDomainName });
+    } else {
+      identifiers.push({ type: 'dns', value: certDomainName });
+
+      if (includeWildcard) {
+        const hasDnsHandler = this.challengeHandlers.some((h) =>
+          h.getSupportedTypes().includes('dns-01'),
+        );
+        if (!hasDnsHandler) {
+          this.logger.log('warn', 'Wildcard certificate requested but no DNS-01 handler available. Skipping wildcard.');
+        } else {
+          identifiers.push({ type: 'dns', value: `*.${certDomainName}` });
         }
       }
     }
 
-    /* Finalize order */
-    const [key, csr] = await plugins.acme.forge.createCsr({
-      commonName: `*.${certDomain}`,
-      altNames: [certDomain]
+    /* Place new order with retry */
+    const order = await this.retry(() => this.client.createOrder({
+      identifiers,
+    }), 'createOrder');
+
+    // ── Step: authorize ───────────────────────────────────────────────────
+    this.certIssuanceTask.notifyStep('authorize');
+
+    /* Get authorizations and select challenges */
+    const authorizations = await this.retry(() => this.client.getAuthorizations(order), 'getAuthorizations');
+
+    for (const authz of authorizations) {
+      await this.logger.log('debug', 'Authorization received', authz);
+      // select a handler based on configured priority
+      let selectedHandler: { type: string; handler: plugins.handlers.IChallengeHandler<any> } | null = null;
+      let selectedChallengeArg: any = null;
+      for (const type of this.challengePriority) {
+        const candidate = authz.challenges.find((c: any) => c.type === type);
+        if (!candidate) continue;
+        const handler = this.challengeHandlers.find((h) => h.getSupportedTypes().includes(type));
+        if (handler) {
+          selectedHandler = { type, handler };
+          selectedChallengeArg = candidate;
+          break;
+        }
+      }
+      if (!selectedHandler) {
+        throw new Error(`No challenge handler for domain ${authz.identifier.value}: supported types [${this.challengePriority.join(',')}]`);
+      }
+      const { type, handler } = selectedHandler;
+      // build handler input with keyAuthorization
+      let challengeInput: any;
+      // retrieve keyAuthorization for challenge
+      const keyAuth = await this.client.getChallengeKeyAuthorization(selectedChallengeArg);
+      if (type === 'dns-01') {
+        challengeInput = { type, hostName: `_acme-challenge.${authz.identifier.value}`, challenge: keyAuth };
+      } else if (type === 'http-01') {
+        challengeInput = {
+          type,
+          token: (selectedChallengeArg as any).token,
+          keyAuthorization: keyAuth,
+          webPath: `/.well-known/acme-challenge/${(selectedChallengeArg as any).token}`,
+        };
+      } else {
+        challengeInput = { type, keyAuthorization: keyAuth, ...selectedChallengeArg };
+      }
+      this.pendingChallenges.push(challengeInput);
+      try {
+        await this.retry(() => handler.prepare(challengeInput), `${type}.prepare`);
+        if (type === 'dns-01') {
+          const dnsInput = challengeInput as { hostName: string; challenge: string };
+          await this.retry(
+            () => this.smartdns.checkUntilAvailable(dnsInput.hostName, 'TXT', dnsInput.challenge, 100, 5000),
+            `${type}.propagation`,
+          );
+          this.logger.log('info', 'Cooling down for 1 minute before ACME verification');
+          await plugins.smartdelay.delayFor(60000);
+        }
+        await this.retry(
+          () => this.client.completeChallenge(selectedChallengeArg),
+          `${type}.completeChallenge`,
+        );
+        try {
+          await this.retry(
+            () => this.client.waitForValidStatus(selectedChallengeArg),
+            `${type}.waitForValidStatus`,
+          );
+        } catch (err) {
+          await this.logger.log(
+            'warn',
+            `Challenge ${type} did not reach valid status in time, proceeding to finalize`,
+            err,
+          );
+        }
+      } finally {
+        try {
+          await this.retry(() => handler.cleanup(challengeInput), `${type}.cleanup`);
+        } catch (err) {
+          await this.logger.log('error', `Error during ${type}.cleanup`, err);
+        } finally {
+          this.pendingChallenges = this.pendingChallenges.filter((c) => c !== challengeInput);
+        }
+      }
+    }
+
+    // ── Step: finalize ────────────────────────────────────────────────────
+    this.certIssuanceTask.notifyStep('finalize');
+
+    const csrDomains: string[] = [];
+    let commonName: string;
+
+    if (isWildcardRequest) {
+      commonName = `*.${certDomainName}`;
+      csrDomains.push(certDomainName);
+    } else {
+      commonName = certDomainName;
+      if (includeWildcard && identifiers.some(id => id.value === `*.${certDomainName}`)) {
+        csrDomains.push(`*.${certDomainName}`);
+      }
+    }
+
+    const [key, csr] = await plugins.acme.AcmeCrypto.createCsr({
+      commonName,
+      altNames: csrDomains,
     });
 
-    await this.client.finalizeOrder(order, csr);
-    const cert = await this.client.getCertificate(order);
+    await this.retry(() => this.client.finalizeOrder(order, csr), 'finalizeOrder');
+    const cert = await this.retry(() => this.client.getCertificate(order), 'getCertificate');
 
-    /* Done */
+    // ── Step: store ───────────────────────────────────────────────────────
+    this.certIssuanceTask.notifyStep('store');
 
-    await this.certmanager.storeCertificate({
+    const certRecord = new SmartacmeCert({
       id: plugins.smartunique.shortId(),
-      domainName: certDomain,
+      domainName: certDomainName,
       privateKey: key.toString(),
       publicKey: cert.toString(),
       csr: csr.toString(),
-      created: Date.now()
+      created: Date.now(),
+      validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 90 }),
     });
+    await this.certmanager.storeCertificate(certRecord);
 
-    const newCertificate = await this.certmanager.retrieveCertificate(certDomain);
-    return newCertificate;
+    const newCertificate = await this.certmanager.retrieveCertificate(certDomainName);
+    return newCertificate ?? certRecord;
   }
+
 }

ts/smartacme.plugins.ts

@@ -1,19 +0,0 @@
-// @pushrocks scope
-import * as lik from '@pushrocks/lik';
-import * as smartdata from '@pushrocks/smartdata';
-import * as smartdelay from '@pushrocks/smartdelay';
-import * as smartdns from '@pushrocks/smartdns';
-import * as smartexpress from '@pushrocks/smartexpress';
-import * as smartlog from '@pushrocks/smartlog';
-import * as smartpromise from '@pushrocks/smartpromise';
-import * as smartrequest from '@pushrocks/smartrequest';
-import * as smartunique from '@pushrocks/smartunique';
-import * as smartstring from '@pushrocks/smartstring';
-import * as smarttime from '@pushrocks/smarttime';
-
-export { lik, smartdata, smartdelay, smartdns, smartexpress, smartlog, smartpromise, smartrequest, smartunique, smartstring, smarttime };
-
-// thirs party scope
-import * as acme from 'acme-client';
-
-export { acme };

tsconfig.json

@@ -1,7 +1,22 @@
 {
   "compilerOptions": {
     "experimentalDecorators": true,
-    "target": "es2017",
-    "module": "commonjs"
-  }
+    "emitDecoratorMetadata": true,
+    "useDefineForClassFields": false,
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "esModuleInterop": true,
+    "verbatimModuleSyntax": true,
+    "baseUrl": ".",
+    "paths": {}
+  },
+  "include": [
+    "ts/**/*.ts"
+  ],
+  "exclude": [
+    "node_modules",
+    "test",
+    "dist_*/**/*.d.ts"
+  ]
 }

tslint.json

@@ -1,17 +0,0 @@
-{
-  "extends": ["tslint:latest", "tslint-config-prettier"],
-  "rules": {
-    "semicolon": [true, "always"],
-    "no-console": false,
-    "ordered-imports": false,
-    "object-literal-sort-keys": false,
-    "member-ordering": {
-      "options":{
-        "order": [
-          "static-method"
-        ]
-      }
-    }
-  },
-  "defaultSeverity": "warning"
-}