Unnamed repository; edit this file 'description' to name the repository. https://upleb.uk/npub1tkq8unhsd5jqx6ueex5lcpsgknrpquxuk44ftpjlpm3ulaake7xs76txrw/ngit-grasp-mirror/atom?h=master 2026-04-10T16:42:35+00:00 2026-04-10T16:42:35+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-04-10T16:42:35+00:00 urn:sha1:dfd20a39a7ddaea07103cac45d4d79bc7e6ce0d7 NIP-01 places no restriction on d tag characters and NIP-34 only recommends kebab-case without mandating it. Rejecting identifiers with whitespace or other URL-unsafe characters was therefore overly strict. The correct approach (per NIP-34 PR #2312 and GRASP-01) is to store identifiers verbatim on disk and percent-encode them when constructing URLs. The previous commit already handled the incoming direction (percent-decoding URL paths before filesystem lookup); this commit handles the outgoing direction and removes the validation restriction. Changes: - validate_identifier: drop whitespace rejection; only reject chars that are unsafe as filesystem directory names (/, \, null, . / ..) - git/mod.rs: add percent_encode() alongside percent_decode() - landing.rs: percent-encode identifier in nostr:// clone URL and gitworkshop link (also fixes a pre-existing bug where the clone URL displayed literal '{npub}' / '{identifier}' instead of the values) 2026-04-09T15:24:17+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-04-09T15:24:17+00:00 urn:sha1:2d74b9ca69b3a1e0b9a2359c12cc2d1979fc6130 Two bugs allowed a repository announcement with a space-containing identifier ('kuboslopp by Shakespeare') to enter purgatory and create a bare repo on disk, but then fail to serve git data over HTTP. Bug 1 (serving): parse_git_url and parse_repo_url did not percent-decode the URL path before resolving the filesystem path. A client requesting /npub.../kuboslopp%20by%20Shakespeare.git/info/refs had the identifier extracted as 'kuboslopp%20by%20Shakespeare' (literal %20), which did not match the on-disk directory 'kuboslopp by Shakespeare.git'. Fix: add percent_decode() in src/git/mod.rs and apply it to the repo component in both parse_git_url and parse_repo_url. Bug 2 (validation): validate_announcement did not check that the identifier is safe as a filesystem path component and URL segment. Identifiers containing whitespace, path separators, null bytes, or reserved names (. / ..) should be rejected at acceptance time. Fix: add validate_identifier() in src/nostr/events.rs and call it from validate_announcement before any other policy checks. 2026-02-26T15:42:09+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-02-26T15:42:09+00:00 urn:sha1:9d86cf15f0275ffeee4519bd054e3b61dc8992ac Fix pre-existing clippy lints: - &PathBuf -> &Path in audit_cleanup.rs - too_many_arguments on process_newly_available_git_data, process_purgatory_announcements, and HttpService::new - clone_on_copy for PublicKey (Copy type) in purgatory cleanup loop 2026-02-23T15:20:59+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-02-23T15:20:59+00:00 urn:sha1:113928aa84894ea8f65c247d9987527e792b32a9 2026-02-23T12:05:29+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-02-23T11:17:10+00:00 urn:sha1:70749ea9df1f6061c332112c617b615f91d79d48 When an owner announcement is promoted from purgatory via a git push, any maintainer announcements sitting in the rejected_events_index hot cache were never re-processed. The invalidate_and_get call only existed in SyncManager::process_event_static (the nostr sync path); the git push promotion path (http -> handlers -> git::sync) had no access to the rejected_events_index at all. Thread rejected_events_index and write_policy through the git push path: - process_purgatory_announcements: after saving the promoted announcement, parse its maintainers tag and call invalidate_and_get() for each, then re-process any returned hot-cache events via admit_event + save - process_newly_available_git_data: accept optional write_policy and rejected_events_index, pass them through to process_purgatory_announcements - handle_receive_pack: accept Arc<Nip34WritePolicy> and Arc<RejectedEventsIndex>, pass them to process_newly_available_git_data - HttpService / run_server: carry the two new fields, clone into each handle_receive_pack call - main.rs: obtain rejected_events_index from sync_manager before moving it into its task; wrap write_policy in Arc for the HTTP server - RealSyncContext::process_newly_available_git_data: pass None for both new params (purgatory sync path already handles this via SyncManager::process_event_static) Also rewrite the maintainer_reprocessing integration tests to correctly exercise the hot-cache path now that announcements require git data before being released from purgatory: - Start relay_b with relay_a as bootstrap so its SyncManager syncs maintainer announcements via negentropy before the owner git push - Use push_unique_git_data_to_relay (new helper) to give each maintainer a distinct commit hash, preventing git from skipping pack transfer - Make wait_for_event_on_relay poll in a retry loop so transient timing gaps between DB write and query do not cause false negatives 2026-02-03T22:00:31+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-02-03T22:00:31+00:00 urn:sha1:22d93ea5e707e99d67ab367d60c7a9d867b7665c Previously, some IO errors in git handlers were logged while others were not, leading to inconsistent observability. Additionally, the HTTP layer logged all git errors redundantly, adding no useful context beyond what was already logged at the source. Changes: - Add error logging to all previously unlogged IO operations in handle_upload_pack and handle_receive_pack (stdin writes, stdout/stderr reads, process waits) - Remove redundant error logging at HTTP layer since all errors are now logged at their source with full context - Ensures consistent error-level logging for all git subprocess failures This provides complete observability of git operations while eliminating duplicate log entries that don't add value. 2026-01-21T16:05:02+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-01-21T16:05:02+00:00 urn:sha1:22c9ccd8f17815c960e797a545ab3cb1385ffcf8 The NIP-11 specification requires the pubkey field to be a 64-character hex string, but we were incorrectly using npub (bech32) format. Changes: - Add Config::relay_owner_pubkey_hex() method to get hex format - Update NIP-11 document to use hex format instead of npub - Update test to verify 64-char hex string instead of npub format Fixes nak relay command error: 'must be a hex string of 64 characters' 2026-01-21T15:55:08+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-01-21T15:55:08+00:00 urn:sha1:68cca2e28a5edc9b8da72f483980818e4a13fb52 Modern git clients send Content-Encoding: gzip on POST requests to /git-upload-pack for efficiency. Without decompression, the compressed binary data was passed directly to git upload-pack, which expected pkt-line format, causing: fatal: protocol error: bad line length character: ?? error: RPC failed; HTTP 500 This was discovered in production when git clone requests consistently failed with HTTP 500 errors. The fix extracts the Content-Encoding header and uses flate2::GzDecoder to decompress gzip bodies before passing them to the git subprocess. 2026-01-12T21:21:53+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-01-12T21:20:00+00:00 urn:sha1:1948312d40f34fca868d1ef6d6d94e165c09738c Refactors configuration validation to fail fast on fatal errors at startup while gracefully handling recoverable issues (e.g., malformed whitelist entries). Changes: - Add Config::validate() for eager validation called immediately after load - Remove Result<> from archive_config() and repository_config() methods - WhitelistEntry::parse_whitelist() skips invalid entries with warnings - Validate relay_owner_nsec format in Config::validate() - Update all call sites to remove Result handling from config getters Benefits: - Fatal config errors (incompatible settings) fail at startup, not runtime - Recoverable errors (bad whitelist entries) logged as warnings and skipped - No Result handling scattered throughout runtime code after validation - Config methods safe to call without error handling after validate() Testing: - Add 7 new tests for validation edge cases and error handling - Total config tests: 40 (up from 33) - All 320 library tests passing Breaking change: Config users must call config.validate() after Config::load() to ensure configuration is valid. This is enforced in main.rs. 2026-01-12T21:21:52+00:00 DanConwayDev DanConwayDev@protonmail.com 2026-01-12T21:06:39+00:00 urn:sha1:82b56c37b26a2fac1a294873e539b19b9325dca6 Adds NGIT_REPOSITORY_WHITELIST option for curated relay operation that accepts only whitelisted repositories while maintaining GRASP-01 compliance (announcements must list the service). This differs from archive whitelist which enables GRASP-05 mode and doesn't require service listing. Key features: - Supports three whitelist formats: npub, npub/identifier, identifier - Enforces mutual exclusivity with archive read-only mode - Updates NIP-11 curation field when whitelist is enabled - Maintains GRASP-01 compliance (doesn't add GRASP-05 support) Configuration synced across all four sources: src/config.rs, docs/reference/configuration.md, nix/module.nix, and .env.example as required by AGENTS.md.