@openclaw/nostr 2026.2.15 → 2026.2.19

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 2026.2.19
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.2.16
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.2.15
 
 ### Changes

package/index.ts

@@ -1,7 +1,7 @@
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
-import type { NostrProfile } from "./src/config-schema.js";
 import { nostrPlugin } from "./src/channel.js";
+import type { NostrProfile } from "./src/config-schema.js";
 import { createNostrProfileHttpHandler } from "./src/nostr-profile-http.js";
 import { setNostrRuntime, getNostrRuntime } from "./src/runtime.js";
 import { resolveNostrAccount } from "./src/types.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/nostr",
-  "version": "2026.2.15",
+  "version": "2026.2.19",
   "description": "OpenClaw Nostr channel plugin for NIP-04 encrypted DMs",
   "type": "module",
   "dependencies": {

package/src/channel.ts

@@ -7,10 +7,10 @@ import {
   type ChannelPlugin,
 } from "openclaw/plugin-sdk";
 import type { NostrProfile } from "./config-schema.js";
-import type { MetricEvent, MetricsSnapshot } from "./metrics.js";
-import type { ProfilePublishResult } from "./nostr-profile.js";
 import { NostrConfigSchema } from "./config-schema.js";
+import type { MetricEvent, MetricsSnapshot } from "./metrics.js";
 import { normalizePubkey, startNostrBus, type NostrBusHandle } from "./nostr-bus.js";
+import type { ProfilePublishResult } from "./nostr-profile.js";
 import { getNostrRuntime } from "./runtime.js";
 import {
   listNostrAccountIds,

package/src/metrics.ts

@@ -50,6 +50,24 @@ export type MetricName =
   | DecryptMetricName
   | MemoryMetricName;
 
+type RelayMetrics = {
+  connects: number;
+  disconnects: number;
+  reconnects: number;
+  errors: number;
+  messagesReceived: {
+    event: number;
+    eose: number;
+    closed: number;
+    notice: number;
+    ok: number;
+    auth: number;
+  };
+  circuitBreakerState: "closed" | "open" | "half_open";
+  circuitBreakerOpens: number;
+  circuitBreakerCloses: number;
+};
+
 // ============================================================================
 // Metric Event
 // ============================================================================
@@ -93,26 +111,7 @@ export interface MetricsSnapshot {
   };
 
   /** Relay stats by URL */
-  relays: Record<
-    string,
-    {
-      connects: number;
-      disconnects: number;
-      reconnects: number;
-      errors: number;
-      messagesReceived: {
-        event: number;
-        eose: number;
-        closed: number;
-        notice: number;
-        ok: number;
-        auth: number;
-      };
-      circuitBreakerState: "closed" | "open" | "half_open";
-      circuitBreakerOpens: number;
-      circuitBreakerCloses: number;
-    }
-  >;
+  relays: Record<string, RelayMetrics>;
 
   /** Rate limiting stats */
   rateLimiting: {
@@ -174,26 +173,7 @@ export function createMetrics(onMetric?: OnMetricCallback): NostrMetrics {
   };
 
   // Per-relay stats
-  const relays = new Map<
-    string,
-    {
-      connects: number;
-      disconnects: number;
-      reconnects: number;
-      errors: number;
-      messagesReceived: {
-        event: number;
-        eose: number;
-        closed: number;
-        notice: number;
-        ok: number;
-        auth: number;
-      };
-      circuitBreakerState: "closed" | "open" | "half_open";
-      circuitBreakerOpens: number;
-      circuitBreakerCloses: number;
-    }
-  >();
+  const relays = new Map<string, RelayMetrics>();
 
   // Rate limiting stats
   const rateLimiting = {

package/src/nostr-profile-http.test.ts

@@ -112,6 +112,23 @@ function createMockContext(overrides?: Partial<NostrProfileHttpContext>): NostrP
   };
 }
 
+function mockSuccessfulProfileImport() {
+  vi.mocked(importProfileFromRelays).mockResolvedValue({
+    ok: true,
+    profile: {
+      name: "imported",
+      displayName: "Imported User",
+    },
+    event: {
+      id: "evt123",
+      pubkey: "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
+      created_at: 1234567890,
+    },
+    relaysQueried: ["wss://relay.damus.io"],
+    sourceRelay: "wss://relay.damus.io",
+  });
+}
+
 // ============================================================================
 // Tests
 // ============================================================================
@@ -262,6 +279,23 @@ describe("nostr-profile-http", () => {
       expect(data.error).toContain("private");
     });
 
+    it("rejects ISATAP-embedded private IPv4 in picture URL", async () => {
+      const ctx = createMockContext();
+      const handler = createNostrProfileHttpHandler(ctx);
+      const req = createMockRequest("PUT", "/api/channels/nostr/default/profile", {
+        name: "hacker",
+        picture: "https://[2001:db8:1234::5efe:127.0.0.1]/evil.jpg",
+      });
+      const res = createMockResponse();
+
+      await handler(req, res);
+
+      expect(res._getStatusCode()).toBe(400);
+      const data = JSON.parse(res._getData());
+      expect(data.ok).toBe(false);
+      expect(data.error).toContain("private");
+    });
+
     it("rejects non-https URLs", async () => {
       const ctx = createMockContext();
       const handler = createNostrProfileHttpHandler(ctx);
@@ -342,20 +376,7 @@ describe("nostr-profile-http", () => {
       const req = createMockRequest("POST", "/api/channels/nostr/default/profile/import", {});
       const res = createMockResponse();
 
-      vi.mocked(importProfileFromRelays).mockResolvedValue({
-        ok: true,
-        profile: {
-          name: "imported",
-          displayName: "Imported User",
-        },
-        event: {
-          id: "evt123",
-          pubkey: "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
-          created_at: 1234567890,
-        },
-        relaysQueried: ["wss://relay.damus.io"],
-        sourceRelay: "wss://relay.damus.io",
-      });
+      mockSuccessfulProfileImport();
 
       await handler(req, res);
 
@@ -406,20 +427,7 @@ describe("nostr-profile-http", () => {
       });
       const res = createMockResponse();
 
-      vi.mocked(importProfileFromRelays).mockResolvedValue({
-        ok: true,
-        profile: {
-          name: "imported",
-          displayName: "Imported User",
-        },
-        event: {
-          id: "evt123",
-          pubkey: "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
-          created_at: 1234567890,
-        },
-        relaysQueried: ["wss://relay.damus.io"],
-        sourceRelay: "wss://relay.damus.io",
-      });
+      mockSuccessfulProfileImport();
 
       await handler(req, res);
 

package/src/nostr-profile-http.ts

@@ -8,7 +8,11 @@
  */
 
 import type { IncomingMessage, ServerResponse } from "node:http";
-import { readJsonBodyWithLimit, requestBodyErrorToText } from "openclaw/plugin-sdk";
+import {
+  isBlockedHostnameOrIp,
+  readJsonBodyWithLimit,
+  requestBodyErrorToText,
+} from "openclaw/plugin-sdk";
 import { z } from "zod";
 import { publishNostrProfile, getNostrProfileState } from "./channel.js";
 import { NostrProfileSchema, type NostrProfile } from "./config-schema.js";
@@ -98,72 +102,6 @@ async function withPublishLock<T>(accountId: string, fn: () => Promise<T>): Prom
 // SSRF Protection
 // ============================================================================
 
-// Block common private/internal hostnames (quick string check)
-const BLOCKED_HOSTNAMES = new Set([
-  "localhost",
-  "localhost.localdomain",
-  "127.0.0.1",
-  "::1",
-  "[::1]",
-  "0.0.0.0",
-]);
-
-// Check if an IP address (resolved) is in a private range
-function isPrivateIp(ip: string): boolean {
-  // Handle IPv4
-  const ipv4Match = ip.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
-  if (ipv4Match) {
-    const [, a, b] = ipv4Match.map(Number);
-    // 127.0.0.0/8 (loopback)
-    if (a === 127) {
-      return true;
-    }
-    // 10.0.0.0/8 (private)
-    if (a === 10) {
-      return true;
-    }
-    // 172.16.0.0/12 (private)
-    if (a === 172 && b >= 16 && b <= 31) {
-      return true;
-    }
-    // 192.168.0.0/16 (private)
-    if (a === 192 && b === 168) {
-      return true;
-    }
-    // 169.254.0.0/16 (link-local)
-    if (a === 169 && b === 254) {
-      return true;
-    }
-    // 0.0.0.0/8
-    if (a === 0) {
-      return true;
-    }
-    return false;
-  }
-
-  // Handle IPv6
-  const ipLower = ip.toLowerCase().replace(/^\[|\]$/g, "");
-  // ::1 (loopback)
-  if (ipLower === "::1") {
-    return true;
-  }
-  // fe80::/10 (link-local)
-  if (ipLower.startsWith("fe80:")) {
-    return true;
-  }
-  // fc00::/7 (unique local)
-  if (ipLower.startsWith("fc") || ipLower.startsWith("fd")) {
-    return true;
-  }
-  // ::ffff:x.x.x.x (IPv4-mapped IPv6) - extract and check IPv4
-  const v4Mapped = ipLower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
-  if (v4Mapped) {
-    return isPrivateIp(v4Mapped[1]);
-  }
-
-  return false;
-}
-
 function validateUrlSafety(urlStr: string): { ok: true } | { ok: false; error: string } {
   try {
     const url = new URL(urlStr);
@@ -174,18 +112,7 @@ function validateUrlSafety(urlStr: string): { ok: true } | { ok: false; error: s
 
     const hostname = url.hostname.toLowerCase();
 
-    // Quick hostname block check
-    if (BLOCKED_HOSTNAMES.has(hostname)) {
-      return { ok: false, error: "URL must not point to private/internal addresses" };
-    }
-
-    // Check if hostname is an IP address directly
-    if (isPrivateIp(hostname)) {
-      return { ok: false, error: "URL must not point to private/internal addresses" };
-    }
-
-    // Block suspicious TLDs that resolve to localhost
-    if (hostname.endsWith(".localhost") || hostname.endsWith(".local")) {
+    if (isBlockedHostnameOrIp(hostname)) {
       return { ok: false, error: "URL must not point to private/internal addresses" };
     }
 

package/src/nostr-state-store.test.ts

@@ -1,7 +1,7 @@
-import type { PluginRuntime } from "openclaw/plugin-sdk";
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
+import type { PluginRuntime } from "openclaw/plugin-sdk";
 import { describe, expect, it } from "vitest";
 import {
   readNostrBusState,
@@ -17,11 +17,13 @@ async function withTempStateDir<T>(fn: (dir: string) => Promise<T>) {
   setNostrRuntime({
     state: {
       resolveStateDir: (env, homedir) => {
-        const override = env.OPENCLAW_STATE_DIR?.trim() || env.OPENCLAW_STATE_DIR?.trim();
+        const stateEnv = env ?? process.env;
+        const override = stateEnv.OPENCLAW_STATE_DIR?.trim() || stateEnv.CLAWDBOT_STATE_DIR?.trim();
         if (override) {
           return override;
         }
-        return path.join(homedir(), ".openclaw");
+        const resolveHome = homedir ?? os.homedir;
+        return path.join(resolveHome(), ".openclaw");
       },
     },
   } as PluginRuntime);
@@ -90,7 +92,7 @@ describe("computeSinceTimestamp", () => {
   });
 
   it("uses lastProcessedAt when available", () => {
-    const state = {
+    const state: Parameters<typeof computeSinceTimestamp>[0] = {
       version: 2,
       lastProcessedAt: 1699999000,
       gatewayStartedAt: null,
@@ -100,7 +102,7 @@ describe("computeSinceTimestamp", () => {
   });
 
   it("uses gatewayStartedAt when lastProcessedAt is null", () => {
-    const state = {
+    const state: Parameters<typeof computeSinceTimestamp>[0] = {
       version: 2,
       lastProcessedAt: null,
       gatewayStartedAt: 1699998000,
@@ -110,7 +112,7 @@ describe("computeSinceTimestamp", () => {
   });
 
   it("uses the max of both timestamps", () => {
-    const state = {
+    const state: Parameters<typeof computeSinceTimestamp>[0] = {
       version: 2,
       lastProcessedAt: 1699999000,
       gatewayStartedAt: 1699998000,
@@ -120,7 +122,7 @@ describe("computeSinceTimestamp", () => {
   });
 
   it("falls back to now if both are null", () => {
-    const state = {
+    const state: Parameters<typeof computeSinceTimestamp>[0] = {
       version: 2,
       lastProcessedAt: null,
       gatewayStartedAt: null,

package/src/seen-tracker.ts

@@ -137,6 +137,27 @@ export function createSeenTracker(options?: SeenTrackerOptions): SeenTracker {
     entries.delete(idToEvict);
   }
 
+  function insertAtFront(id: string, seenAt: number): void {
+    const newEntry: Entry = {
+      seenAt,
+      prev: null,
+      next: head,
+    };
+
+    if (head) {
+      const headEntry = entries.get(head);
+      if (headEntry) {
+        headEntry.prev = id;
+      }
+    }
+
+    entries.set(id, newEntry);
+    head = id;
+    if (!tail) {
+      tail = id;
+    }
+  }
+
   // Prune expired entries
   function pruneExpired(): void {
     const now = Date.now();
@@ -180,25 +201,7 @@ export function createSeenTracker(options?: SeenTrackerOptions): SeenTracker {
       evictLRU();
     }
 
-    // Add new entry at front
-    const newEntry: Entry = {
-      seenAt: now,
-      prev: null,
-      next: head,
-    };
-
-    if (head) {
-      const headEntry = entries.get(head);
-      if (headEntry) {
-        headEntry.prev = id;
-      }
-    }
-
-    entries.set(id, newEntry);
-    head = id;
-    if (!tail) {
-      tail = id;
-    }
+    insertAtFront(id, now);
   }
 
   function has(id: string): boolean {
@@ -268,24 +271,7 @@ export function createSeenTracker(options?: SeenTrackerOptions): SeenTracker {
     for (let i = ids.length - 1; i >= 0; i--) {
       const id = ids[i];
       if (!entries.has(id) && entries.size < maxEntries) {
-        const newEntry: Entry = {
-          seenAt: now,
-          prev: null,
-          next: head,
-        };
-
-        if (head) {
-          const headEntry = entries.get(head);
-          if (headEntry) {
-            headEntry.prev = id;
-          }
-        }
-
-        entries.set(id, newEntry);
-        head = id;
-        if (!tail) {
-          tail = id;
-        }
+        insertAtFront(id, now);
       }
     }
   }