check_giftwrap_recipient accepted a p tag of len 64 that parsed as hex in
any case, but the recipient-only READ gate compares #p to the authed
pubkey as a case-sensitive lowercase string. An uppercase/mixed-case p
tag therefore admitted fine but was permanently undeliverable, a payment
black hole. Now the p value must match ^[0-9a-f]{64}$.
A new check_giftwrap_tags guard (1059 only) rejects any tag other than
the single p tag, since a well-formed NIP-59 gift wrap legitimately
carries just that one tag. Closes the anti-bloat gap where a valid p tag
plus thousands of junk tags (up to the 128 KiB event ceiling) passed
admission unchecked.
Both checks are kind-1059-only and sit alongside the existing gift-wrap
retention/shape checks in CHECKS; no other kind's handling changes.
strfry's only automatic event-deletion trigger is a NIP-40 expiration tag,
reaped every ~9s. A Grin payment gift wrap (kind 1059) must never carry
one, so add a write-policy check that rejects it at admission. Also
require exactly one well-formed p tag (32-byte hex recipient) on 1059s so
a malformed gift wrap the recipient's client cannot route never lands on
the relay either.
Two new checks (check_giftwrap_expiration, check_giftwrap_recipient),
wired into CHECKS right after the kind whitelist so only already-allowed
1059s are inspected. Both fail closed on malformed tags, matching every
other check in this plugin. No change to the allowlist, auth, or paid-write
gate.
Public-note kinds are now accepted only from an operator-configured list of
author pubkeys (FLOONET_AUTHORIZED_AUTHORS, hex or npub). Closed by default:
with no authors set, kinds 1 and 30023 are rejected for everyone, so random
notes cannot be spammed to the relay. Every other kind is unaffected and
kind 0 profiles stay open.
- add 30023 (long-form article) to the default kind whitelist
- check_authorized_authors runs right after check_kind; LOCKED_KINDS {1,30023}
- pure-python bech32 npub decoder (no new deps); invalid entries logged/skipped
- load_config also reads a KEY=VALUE floonet.env next to the plugin
(FLOONET_ENV_FILE), env vars win, so config changes need no container
recreate; strfry reloads the plugin on mtime change (no restart)
- extend test_policy.py (32 tests green)
- scripts/purge_public_notes.sh (dry-run default) to clean pre-existing notes
- scripts/smoke_test_lockdown.py post-deploy check
- README + .env.example config docs
Extend the write-policy whitelist from the Goblin-wallet-only kinds to the
union with Magick Market so one relay serves both apps (default-deny for
everything else). Adds 1 note, 7 reaction, 14/16/17 order+receipt (Gamma),
1111 comment, 10000 mute/blacklist, 24133 remote signing, 30000/30003
NIP-51 sets, 30078 app data, 30402/30405/30406 listing/collection/shipping,
31990 handler info. Keeps the Goblin base including 13 seal and 27235
NIP-98. Plugin default, docstring, and tests updated together.
Stock strfry + a default-deny write-policy plugin (kinds 0,3,5,13,1059,
10002,10050,27235 only), NIP-42 auth, neutral NIP-11, a bundled name
authority (paid names/uses via GoblinPay), and a config-toggled co-located
mixnet exit. Docker Compose + Caddy + hardened systemd. strfry core stays
stock (plugin + config only). Validated end to end against real strfry.