muxstr.git - Nostr relay with gRPC, HTTP/JSON, and WebSocket interfaces

	Commit message (Collapse)	Author	Age	Files	Lines
*	refactor: migrate nostr dependency to code.northwest.io	bndw	17 hours	3	-3/+3
\| \| \| \|	Updated all import references from northwest.io/nostr to code.northwest.io/nostr and removed the local replace directive from go.mod. The module is now resolved from the published repository.
*	fix: add YAML tags to AuthOperationConfig	bndw	42 hours	1	-2/+2
\| \| \| \| \| \| \| \|	The AuthOperationConfig struct was missing YAML tags, causing the config loader to not properly parse allowed_npubs from YAML. This was causing TestNpubNormalization to fail with an index out of range panic because AllowedNpubs was always empty.
*	feat: integrate config system into relay main.go	bndw	3 days	3	-13/+10
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Add support for loading configuration from YAML file via -config flag. Wire up auth, rate limiting, and metrics interceptors based on config. Changes: - Add -config flag to relay command - Use config types directly in auth package (AuthOperationConfig) - Add conversion methods: RateLimitConfig.ToRateLimiter(), MetricsConfig.ToMetrics() - Add Metrics.Serve() method for prometheus HTTP endpoint - Update main.go to initialize interceptors from config - Fix type naming: OperationAuthConfig -> AuthOperationConfig for consistency Config now supports complete relay setup including auth read/write allowlists, rate limiting, and prometheus metrics.
*	refactor: remove frivolous comments from auth validation/credentials	bndw	3 days	3	-61/+9
\| \| \| \|	Also removed internal/nostr package - now using northwest.io/nostr library.
*	refactor: remove frivolous comments from auth and config	bndw	3 days	1	-68/+10
\| \| \| \| \|	Removed ~100 lines of obvious comments that just repeated what the code does. Kept only comments that add clarity or valuable detail.
*	refactor: restructure auth config for better UX	bndw	3 days	3	-61/+103
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Changed from flat structure to hierarchical read/write config: Before: auth: enabled: bool required: bool allowed_npubs_read: [] allowed_npubs_write: [] After: auth: read: enabled: bool allowed_npubs: [] write: enabled: bool allowed_npubs: [] Three states per operation: - enabled=false: no auth, allow all - enabled=true, allowed_npubs=[]: auth required, any valid signature - enabled=true, allowed_npubs=[...]: auth required, whitelist only Much clearer semantics and easier to reason about.
*	refactor: simplify isWriteMethod to only check actual API methods	bndw	3 days	2	-33/+7
\| \| \| \| \|	Replace pattern-matching with explicit checks for PublishEvent/PublishBatch. API is small and well-defined - no need for extensible pattern matching.
*	feat: add separate read/write allowlists for granular access control	bndw	3 days	3	-13/+105
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	- Split allowed_npubs into allowed_npubs_read and allowed_npubs_write - Write operations: Publish, Delete, Create, Update, Insert, Remove, Set, Put - Read operations: everything else (Query, Subscribe, Get, List, etc.) - Auth interceptor checks appropriate list based on method type - Enables common patterns: - Public relay: only some can write, everyone can read - Private relay: restricted read and write - Open relay: everyone can read and write - Updated config, docs, and comprehensive tests Use cases: "only some can write, everyone can read"
*	feat: rename allowed_pubkeys to allowed_npubs with normalization	bndw	3 days	2	-7/+10
\| \| \| \| \| \| \| \| \| \| \|	- Config now accepts npub format only (human-readable) - Automatically converts npubs to hex pubkeys at load time - Updated InterceptorOptions.AllowedPubkeys -> AllowedNpubs - Added validation to reject hex format in config (npub only) - Updated documentation to clarify npub-only config - Added comprehensive tests for npub normalization Config is for humans (npub), internal code uses hex pubkeys.
*	docs: clarify NIP-98 relationship to NIP-42 and write access control	bndw	3 days	1	-4/+60
\| \| \| \| \| \| \| \| \|	Explain that the gRPC NIP-98 implementation is effectively NIP-42 for reads (same pattern: authenticate once, stream many events) and adds standardized relay access control for writes (beyond event.sig). Add comparison table showing functional equivalence for streaming reads and the additional benefits for write access control.
*	feat: implement NIP-98 HTTP auth for gRPC	bndw	3 days	5	-0/+951
	Add comprehensive NIP-98 authentication support following the standard gRPC credentials.PerRPCCredentials pattern. Client-side: - NostrCredentials implements PerRPCCredentials interface - Automatically signs each request with kind 27235 event - Drop-in replacement for OAuth2/JWT in gRPC clients Server-side: - Unary and stream interceptors for validation - Extracts and validates NIP-98 events from Authorization headers - Configurable options (timestamp window, whitelists, skip methods) - Adds authenticated pubkey to request context Security features: - Replay protection via timestamp validation - Optional payload hash verification - Signature verification using schnorr - TLS requirement option Includes comprehensive test coverage and detailed README with usage examples and security considerations.