@openclaw/nostr 2026.2.13 → 2026.2.15

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 2026.2.15
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.2.14
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.2.13
 
 ### Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/nostr",
-  "version": "2026.2.13",
+  "version": "2026.2.15",
   "description": "OpenClaw Nostr channel plugin for NIP-04 encrypted DMs",
   "type": "module",
   "dependencies": {

package/src/channel.ts

@@ -1,5 +1,7 @@
 import {
   buildChannelConfigSchema,
+  collectStatusIssuesFromLastError,
+  createDefaultChannelRuntimeState,
   DEFAULT_ACCOUNT_ID,
   formatPairingApproveHint,
   type ChannelPlugin,
@@ -157,28 +159,8 @@ export const nostrPlugin: ChannelPlugin<ResolvedNostrAccount> = {
   },
 
   status: {
-    defaultRuntime: {
-      accountId: DEFAULT_ACCOUNT_ID,
-      running: false,
-      lastStartAt: null,
-      lastStopAt: null,
-      lastError: null,
-    },
-    collectStatusIssues: (accounts) =>
-      accounts.flatMap((account) => {
-        const lastError = typeof account.lastError === "string" ? account.lastError.trim() : "";
-        if (!lastError) {
-          return [];
-        }
-        return [
-          {
-            channel: "nostr",
-            accountId: account.accountId,
-            kind: "runtime" as const,
-            message: `Channel error: ${lastError}`,
-          },
-        ];
-      }),
+    defaultRuntime: createDefaultChannelRuntimeState(DEFAULT_ACCOUNT_ID),
+    collectStatusIssues: (accounts) => collectStatusIssuesFromLastError("nostr", accounts),
     buildChannelSummary: ({ snapshot }) => ({
       configured: snapshot.configured ?? false,
       publicKey: snapshot.publicKey ?? null,

package/src/nostr-profile-http.test.ts

@@ -29,12 +29,21 @@ import { importProfileFromRelays } from "./nostr-profile-import.js";
 // Test Helpers
 // ============================================================================
 
-function createMockRequest(method: string, url: string, body?: unknown): IncomingMessage {
+function createMockRequest(
+  method: string,
+  url: string,
+  body?: unknown,
+  opts?: { headers?: Record<string, string>; remoteAddress?: string },
+): IncomingMessage {
   const socket = new Socket();
+  Object.defineProperty(socket, "remoteAddress", {
+    value: opts?.remoteAddress ?? "127.0.0.1",
+    configurable: true,
+  });
   const req = new IncomingMessage(socket);
   req.method = method;
   req.url = url;
-  req.headers = { host: "localhost:3000" };
+  req.headers = { host: "localhost:3000", ...(opts?.headers ?? {}) };
 
   if (body) {
     const bodyStr = JSON.stringify(body);
@@ -206,6 +215,36 @@ describe("nostr-profile-http", () => {
       expect(ctx.updateConfigProfile).toHaveBeenCalled();
     });
 
+    it("rejects profile mutation from non-loopback remote address", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "PUT",
+        "/api/channels/nostr/default/profile",
+        { name: "attacker" },
+        { remoteAddress: "198.51.100.10" },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
+    it("rejects cross-origin profile mutation attempts", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "PUT",
+        "/api/channels/nostr/default/profile",
+        { name: "attacker" },
+        { headers: { origin: "https://evil.example" } },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
     it("rejects private IP in picture URL (SSRF protection)", async () => {
       const ctx = createMockContext();
       const handler = createNostrProfileHttpHandler(ctx);
@@ -327,6 +366,36 @@ describe("nostr-profile-http", () => {
       expect(data.saved).toBe(false); // autoMerge not requested
     });
 
+    it("rejects import mutation from non-loopback remote address", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "POST",
+        "/api/channels/nostr/default/profile/import",
+        {},
+        { remoteAddress: "203.0.113.10" },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
+    it("rejects cross-origin import mutation attempts", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest(
+        "POST",
+        "/api/channels/nostr/default/profile/import",
+        {},
+        { headers: { origin: "https://evil.example" } },
+      );
+      const res = createMockResponse();
+
+      await handler(req, res);
+      expect(res._getStatusCode()).toBe(403);
+    });
+
     it("auto-merges when requested", async () => {
       const ctx = createMockContext({
         getConfigProfile: vi.fn().mockReturnValue({ about: "local bio" }),

package/src/nostr-profile-http.ts

@@ -261,6 +261,73 @@ function parseAccountIdFromPath(pathname: string): string | null {
   return match?.[1] ?? null;
 }
 
+function isLoopbackRemoteAddress(remoteAddress: string | undefined): boolean {
+  if (!remoteAddress) {
+    return false;
+  }
+
+  const ipLower = remoteAddress.toLowerCase().replace(/^\[|\]$/g, "");
+
+  // IPv6 loopback
+  if (ipLower === "::1") {
+    return true;
+  }
+
+  // IPv4 loopback (127.0.0.0/8)
+  if (ipLower === "127.0.0.1" || ipLower.startsWith("127.")) {
+    return true;
+  }
+
+  // IPv4-mapped IPv6
+  const v4Mapped = ipLower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+  if (v4Mapped) {
+    return isLoopbackRemoteAddress(v4Mapped[1]);
+  }
+
+  return false;
+}
+
+function isLoopbackOriginLike(value: string): boolean {
+  try {
+    const url = new URL(value);
+    const hostname = url.hostname.toLowerCase();
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+  } catch {
+    return false;
+  }
+}
+
+function enforceLoopbackMutationGuards(
+  ctx: NostrProfileHttpContext,
+  req: IncomingMessage,
+  res: ServerResponse,
+): boolean {
+  // Mutation endpoints are local-control-plane only.
+  const remoteAddress = req.socket.remoteAddress;
+  if (!isLoopbackRemoteAddress(remoteAddress)) {
+    ctx.log?.warn?.(`Rejected mutation from non-loopback remoteAddress=${String(remoteAddress)}`);
+    sendJson(res, 403, { ok: false, error: "Forbidden" });
+    return false;
+  }
+
+  // CSRF guard: browsers send Origin/Referer on cross-site requests.
+  const origin = req.headers.origin;
+  if (typeof origin === "string" && !isLoopbackOriginLike(origin)) {
+    ctx.log?.warn?.(`Rejected mutation with non-loopback origin=${origin}`);
+    sendJson(res, 403, { ok: false, error: "Forbidden" });
+    return false;
+  }
+
+  const referer = req.headers.referer ?? req.headers.referrer;
+  if (typeof referer === "string" && !isLoopbackOriginLike(referer)) {
+    ctx.log?.warn?.(`Rejected mutation with non-loopback referer=${referer}`);
+    sendJson(res, 403, { ok: false, error: "Forbidden" });
+    return false;
+  }
+
+  return true;
+}
+
 // ============================================================================
 // HTTP Handler
 // ============================================================================
@@ -343,6 +410,10 @@ async function handleUpdateProfile(
   req: IncomingMessage,
   res: ServerResponse,
 ): Promise<true> {
+  if (!enforceLoopbackMutationGuards(ctx, req, res)) {
+    return true;
+  }
+
   // Rate limiting
   if (!checkRateLimit(accountId)) {
     sendJson(res, 429, { ok: false, error: "Rate limit exceeded (5 requests/minute)" });
@@ -442,6 +513,10 @@ async function handleImportProfile(
   req: IncomingMessage,
   res: ServerResponse,
 ): Promise<true> {
+  if (!enforceLoopbackMutationGuards(ctx, req, res)) {
+    return true;
+  }
+
   // Get account info
   const accountInfo = ctx.getAccountInfo(accountId);
   if (!accountInfo) {

package/src/nostr-profile.fuzz.test.ts

@@ -98,7 +98,10 @@ describe("profile unicode attacks", () => {
     });
 
     it("handles excessive combining characters (Zalgo text)", () => {
-      const zalgo = "t̷̢̧̨̡̛̛̛͎̩̝̪̲̲̞̠̹̗̩͓̬̱̪̦͙̬̲̤͙̱̫̝̪̱̫̯̬̭̠̖̲̥̖̫̫̤͇̪̣̫̪̖̱̯̣͎̯̲̱̤̪̣̖̲̪̯͓̖̤̫̫̲̱̲̫̲̖̫̪̯̱̱̪̖̯e̶̡̧̨̧̛̛̛̖̪̯̱̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪s̶̨̧̛̛̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯̖̪̯̖̪̱̪̯t";
+      // Keep the source small (faster transforms) while still exercising
+      // "lots of combining marks" behavior.
+      const marks = "\u0301\u0300\u0336\u034f\u035c\u0360";
+      const zalgo = `t${marks.repeat(256)}e${marks.repeat(256)}s${marks.repeat(256)}t`;
       const profile: NostrProfile = {
         name: zalgo.slice(0, 256), // Truncate to fit limit
       };
@@ -453,7 +456,7 @@ describe("event creation edge cases", () => {
 
     // Create events in quick succession
     let lastTimestamp = 0;
-    for (let i = 0; i < 100; i++) {
+    for (let i = 0; i < 25; i++) {
       const event = createProfileEvent(TEST_SK, profile, lastTimestamp);
       expect(event.created_at).toBeGreaterThan(lastTimestamp);
       lastTimestamp = event.created_at;