feat: replace owner-npub with relay-owner-nsec for persistent operator identity

Replace the owner-npub configuration option with relay-owner-nsec to provide a persistent cryptographic identity for the relay operator. This addresses NIP-42 authentication requirements discovered during sync debugging. Motivation: - Some relays (e.g., relay.damus.io) require NIP-42 authentication for advanced features like NIP-77 negentropy sync - Previously used random ephemeral keys per connection, providing no persistent identity - Other relays can now recognize us by pubkey for reputation-based rate limiting - Ensures consistency between NIP-11 pubkey and authentication key Changes: - Config: relay_owner_nsec with auto-load/generate from .relay-owner.nsec - NIP-11: Pubkey derived from nsec instead of separate npub field - Sync: RelayConnection now uses operator keys for NIP-42 auth - Docs: Updated README, .env.example, and added .relay-owner.nsec to gitignore Key Features: - Auto-generates key on first run and saves to .relay-owner.nsec - Loads existing key from file on subsequent runs - Can override via CLI flag or environment variable - Enables reputation building across relay network - Future-ready for event signing and WoT calculations Testing: - 225/232 tests passing (7 pre-existing purgatory failures unrelated) - Verified key generation, loading, and NIP-11 derivation - Release build successful Related: work/sync-debug-analysis.md, work/relay-owner-nsec-implementation.md
author: DanConwayDev <DanConwayDev@protonmail.com> 2026-01-09 07:57:54 +0000
committer: DanConwayDev <DanConwayDev@protonmail.com> 2026-01-09 07:57:54 +0000
commit: 7cc5d37cbf4f02f0bb7eee6342dc1ede5a841a7b (patch)
tree: 62d3dcf291a7ca67d18cf397b448fb98d62553ba /src/sync/relay_connection.rs
parent: 6bc2d70f6dd351521e522cc4d0f1ac188848ad26 (diff)
1 files changed, 14 insertions, 8 deletions
diff --git a/src/sync/relay_connection.rs b/src/sync/relay_connection.rs
index 21d864d..d0090c8 100644
--- a/src/sync/relay_connection.rs
+++ b/src/sync/relay_connection.rs
@@ -106,9 +106,10 @@ impl RelayConnection {
    ///
    /// # Arguments
    /// * `url` - The relay URL to connect to (with or without scheme, e.g., "relay.example.com" or "wss://relay.example.com")
-    pub fn new(url: String) -> Self {
+    /// * `keys` - Cryptographic keys for NIP-42 authentication (typically the relay operator's keys)
+    pub fn new(url: String, keys: Keys) -> Self {
        let normalized_url = Self::normalize_url(&url);
-        let client = Client::default();
+        let client = Client::new(keys);
        Self {
            url: normalized_url,
            client,
@@ -122,9 +123,10 @@ impl RelayConnection {
    /// # Arguments
    /// * `url` - The relay URL to connect to (with or without scheme, e.g., "relay.example.com" or "wss://relay.example.com")
    /// * `database` - Shared database for local event comparison during negentropy sync
-    pub fn new_with_database(url: String, database: SharedDatabase) -> Self {
+    /// * `keys` - Cryptographic keys for NIP-42 authentication (typically the relay operator's keys)
+    pub fn new_with_database(url: String, database: SharedDatabase, keys: Keys) -> Self {
        let normalized_url = Self::normalize_url(&url);
-        let client = Client::default();
+        let client = Client::new(keys);
        Self {
            url: normalized_url,
            client,
@@ -553,19 +555,22 @@ mod tests {
    #[test]
    fn test_new_normalizes_url() {
-        let conn = RelayConnection::new("relay.example.com".to_string());
+        let keys = Keys::generate();
+        let conn = RelayConnection::new("relay.example.com".to_string(), keys);
        assert_eq!(conn.url(), "wss://relay.example.com");
    }
    #[test]
    fn test_new_preserves_wss_scheme() {
-        let conn = RelayConnection::new("wss://relay.example.com".to_string());
+        let keys = Keys::generate();
+        let conn = RelayConnection::new("wss://relay.example.com".to_string(), keys);
        assert_eq!(conn.url(), "wss://relay.example.com");
    }
    #[test]
    fn test_new_preserves_ws_scheme() {
-        let conn = RelayConnection::new("ws://relay.example.com".to_string());
+        let keys = Keys::generate();
+        let conn = RelayConnection::new("ws://relay.example.com".to_string(), keys);
        assert_eq!(conn.url(), "ws://relay.example.com");
    }
@@ -573,7 +578,8 @@ mod tests {
    fn test_new_with_database_normalizes_url() {
        // This test just verifies the URL normalization works
        // We can't easily test with_database without a real database
-        let conn = RelayConnection::new("git.shakespeare.diy".to_string());
+        let keys = Keys::generate();
+        let conn = RelayConnection::new("git.shakespeare.diy".to_string(), keys);
        assert_eq!(conn.url(), "wss://git.shakespeare.diy");
    }
author	DanConwayDev <DanConwayDev@protonmail.com>	2026-01-09 07:57:54 +0000
committer	DanConwayDev <DanConwayDev@protonmail.com>	2026-01-09 07:57:54 +0000
commit	7cc5d37cbf4f02f0bb7eee6342dc1ede5a841a7b (patch)
tree	62d3dcf291a7ca67d18cf397b448fb98d62553ba /src/sync/relay_connection.rs
parent	6bc2d70f6dd351521e522cc4d0f1ac188848ad26 (diff)