Skip to content

Sidecar 1.3.0

Choose a tag to compare

@dmnyc dmnyc released this 11 Jul 11:43
499ccf2

Same build submitted to the Chrome Web Store. For most people the Chrome Web Store listing is the right way to install — it updates automatically. This release is for advanced users who want to load the packaged build manually (see the README's manual install instructions).

Added

  • Help & guides page — a built-in guide (one click from the top bar) covering accounts, how sites remember who you are, switching accounts, the client families, and the wallet.
  • Full encrypted vault backup — export every account and wallet connection into a single password-encrypted file, and restore it on another device.
  • NIP-49 (ncryptsec) key import/export, plus a consolidated tabbed per-account backup screen. Revealed keys and connection strings show a scannable QR with its own auto-hide countdown; for the long wallet string the QR and text are an either/or view.
  • NIP-05 verification — check a profile's identifier against its /.well-known/nostr.json.
  • Clearer signing prompt — human-readable event-kind labels and a heads-up on unusual or unrecognized kinds (including the NIP-17 DM setup kinds).
  • Connected Sites & Activity split into sub-tabs, each filterable by site and ordered by most-recent use.
  • Auto-zap daily cap — a rolling daily total across all sites, alongside the existing per-zap limit.
  • Configurable post-review countdown, more "open notes in" clients, an option to reuse an open client tab, a refreshed in-panel app directory, and a "share Sidecar with a friend" flow.

Changed

  • Multi-account signing — on sites where you've signed in with more than one account (Jumble, YakiHonne, Primal, …), every content sign confirms who's posting, so a client's own account switcher can't silently sign as the wrong key. Smoother inline account switching on first login, and an offer to reload the open client after you switch.
  • Window-correct approvals — a signing prompt now appears on the browser window the requesting page lives in, not wherever a pinned panel or the last-focused window happens to be.
  • Quieter approvals — repetitive background app-data syncs and DM-inbox loads are handled without a prompt for each (kind-based auto-allow for app settings, and a single approval that covers a decrypt burst), while notes, reactions, and DMs still confirm.
  • Notifications open instantly and reconcile in the background, live-append while the bell is open, and refresh the mute list on every open.

Security

  • Wallet spend limits — auto-zap now enforces a daily aggregate cap, and payments are serialized per account, so a signed-in site can't drain the wallet by firing many sub-cap zaps or a concurrent burst (this also closes a check-then-pay race in the per-site budgets).
  • Message origin gate — control messages (unlock, key reveal, owner sign/encrypt/decrypt, NWC) are restricted to an extension-page origin as defense-in-depth.
  • The keystore auto-erases after 21 failed unlocks, with escalating backoff between attempts.

Fixed

  • Numerous panel polish and robustness fixes: the approval popup keeps its action buttons in view, revealing a secret no longer collapses a long site list, list expansion and scroll position survive live re-renders, and button spacing across the reveal and vault screens.

Full changelog: CHANGELOG.md