feat: relay membership with NIP-43 compliance#448
Merged
tlongwell-block merged 2 commits intomainfrom May 1, 2026
Merged
Conversation
## Why Sprout's vision (VISION_SOVEREIGN.md) is a self-hosted relay that serves as your entire workspace — code, conversation, agents, automation. A workspace needs a front door: the relay operator decides who can connect. Without relay-level membership, any pubkey can read and write to the relay. NIP-43 is the Nostr standard for relay access metadata. It defines how relays advertise their member list and how users join/leave. Implementing NIP-43 means standard Nostr clients (Amethyst, Coracle) can discover and interact with Sprout's membership system using the protocol they already speak. This builds on the git repo permissions work (PR #441) — that PR gates who can push to repos; this PR gates who can connect to the relay at all. Together they form the access control stack: relay membership → channel membership → repo permissions. ## What ### Core relay membership system - `relay_members` table with role hierarchy (owner/admin/member) - Admin commands: kind 9030 (add), 9031 (remove), 9032 (change role) - Enforcement at all 7 auth entry points (WebSocket, REST, audio, git, media, tokens, API) — non-members are rejected before any operation - Owner bootstrap from RELAY_OWNER_PUBKEY on first startup - REST API for listing/managing members - Config: SPROUT_REQUIRE_RELAY_MEMBERSHIP, RELAY_OWNER_PUBKEY ### NIP-43 compliance layer (Tier 1) - NIP-11 `self` field: relay signing pubkey advertised (conditional on stable key via SPROUT_RELAY_PRIVATE_KEY) - kind 13534: membership list snapshot, relay-signed, published on startup and after every membership change - kind 8000/8001: member added/removed announcements, relay-signed - kind 28936: leave request handler — members can remove themselves - All relay-signed events carry NIP-70 "-" tag (protected event) - Config guard: hard-fail startup if membership enabled without stable key ### Security - Replay protection: ±120s timestamp window on admin commands and leave requests - Owner lockout prevention: owner cannot leave or be removed - Role enforcement: only admins+ can add/remove, only owner can change roles - Channel-scoped and proxy tokens blocked from admin commands - NIP-70 "-" tag validated on leave requests - Relay-signed events bypass client ingest pipeline (no trust escalation) ### Testing - Unit tests for tag extraction, role validation - E2E test script (scripts/e2e-relay-membership.sh) - Red team exercise: 14/15 tests pass (5 happy path, 5 negative, 5 adversarial) ### Deferred (Tier 2) - Invite flow (kinds 28934/28935) — separate product decision - NIP-70 enforcement on ingest pipeline — defense-in-depth, not blocking - Kind-specific subscription gating — connection-level auth already sufficient 23 files changed, ~2000 insertions
tlongwell-block
force-pushed
the
feat/nip43-relay-membership
branch
from
5ef2acf to
4d32858
Compare
tlongwell-block
force-pushed
the
feat/nip43-relay-membership
branch
from
3668f86 to
386017a
Compare
12 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Sprout's vision (VISION_SOVEREIGN.md) is a self-hosted relay that serves as your entire workspace — code, conversation, agents, automation. A workspace needs a front door: the relay operator decides who can connect. Without relay-level membership, any pubkey can read and write to the relay.
NIP-43 is the Nostr standard for relay access metadata. It defines how relays advertise their member list and how users join/leave. Implementing NIP-43 means standard Nostr clients (Amethyst, Coracle) can discover and interact with Sprout's membership system using the protocol they already speak.
This builds on the git repo permissions work (#441) — that PR gates who can push to repos; this PR gates who can connect to the relay at all. Together they form the access control stack: relay membership → channel membership → repo permissions.
What
Core relay membership system
relay_memberstable with role hierarchy (owner / admin / member)RELAY_OWNER_PUBKEYon first startupSPROUT_REQUIRE_RELAY_MEMBERSHIP,RELAY_OWNER_PUBKEYNIP-43 compliance layer (Tier 1)
selffield: relay signing pubkey advertised (conditional on stable key viaSPROUT_RELAY_PRIVATE_KEY)Security
Testing
scripts/e2e-relay-membership.sh)Deferred (Tier 2)
Architecture
Files changed (23 files, ~2000 insertions)
kind.rsrelay_members.rs,lib.rsrelay_admin.rsside_effects.rsingest.rsnip11.rs,router.rsconfig.rs,main.rsauth.rs,mod.rs,tokens.rs,media.rs,transport.rs,handler.rsrelay_members.rs(api)0001_relay_members.sqle2e-relay-membership.sh