From 7cc5d37cbf4f02f0bb7eee6342dc1ede5a841a7b Mon Sep 17 00:00:00 2001
From: DanConwayDev
Date: Fri, 9 Jan 2026 07:57:54 +0000
Subject: feat: replace owner-npub with relay-owner-nsec for persistent operator identity

Replace the owner-npub configuration option with relay-owner-nsec to provide a persistent cryptographic identity for the relay operator. This addresses NIP-42 authentication requirements discovered during sync debugging.

Motivation:
- Some relays (e.g., relay.damus.io) require NIP-42 authentication for advanced features like NIP-77 negentropy sync
- Previously used random ephemeral keys per connection, providing no persistent identity
- Other relays can now recognize us by pubkey for reputation-based rate limiting
- Ensures consistency between NIP-11 pubkey and authentication key

Changes:
- Config: relay_owner_nsec with auto-load/generate from .relay-owner.nsec
- NIP-11: Pubkey derived from nsec instead of separate npub field
- Sync: RelayConnection now uses operator keys for NIP-42 auth
- Docs: Updated README, .env.example, and added .relay-owner.nsec to gitignore

Key Features:
- Auto-generates key on first run and saves to .relay-owner.nsec
- Loads existing key from file on subsequent runs
- Can override via CLI flag or environment variable
- Enables reputation building across relay network
- Future-ready for event signing and WoT calculations

Testing:
- 225/232 tests passing (7 pre-existing purgatory failures unrelated)
- Verified key generation, loading, and NIP-11 derivation
- Release build successful

Related: work/sync-debug-analysis.md, work/relay-owner-nsec-implementation.md
---
 src/sync/mod.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'src/sync/mod.rs')

diff --git a/src/sync/mod.rs b/src/sync/mod.rs
index 280f857..6da2644 100644
--- a/src/sync/mod.rs
+++ b/src/sync/mod.rs
@@ -1396,8 +1396,12 @@ impl SyncManager {
 async fn register_relay(&mut self, relay_url: String) {
 // Create RelayConnection if not exists
 if !self.connections.contains_key(&relay_url) {
+ // Get relay owner keys for NIP-42 authentication
+ let keys = self.config.relay_owner_keys()
+ .expect("relay_owner_keys should be available");
+
 let connection =
- RelayConnection::new_with_database(relay_url.clone(), Arc::clone(&self.database));
+ RelayConnection::new_with_database(relay_url.clone(), Arc::clone(&self.database), keys);
 self.connections.insert(relay_url.clone(), connection);
 tracing::debug!(relay = %relay_url, "Registered new relay connection");
 }
-- 
cgit v1.2.3
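Review bot: The `.expect("relay_owner_keys should be available")` added inside the `if` in `register_relay` turns a missing or unparsable operator key into a panic in the sync manager's async path, raised when a relay is first registered rather than when configuration is loaded. Since `register_relay` has no return value, a guard that logs and skips the connection would keep sync running, for example (assuming `relay_owner_keys()` returns a `Result`; its signature is not visible here) `let Ok(keys) = self.config.relay_owner_keys() else { tracing::error!(relay = %relay_url, "relay owner keys unavailable"); return; };`, with the key validated once at startup. The new third argument also gives every `RelayConnection` its own copy of the operator key material, so it is worth confirming that the connection type never emits it through `Debug` or `tracing` fields, and adding a comment such as `// keys hold the operator secret; never log` at the call. `register_relay` continues past the end of the hunk, so whether an early `return` is right depends on what follows.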