@openclaw/nostr 2026.3.13 → 2026.5.1-beta.2

package/src/nostr-profile-http.ts

@@ -8,21 +8,38 @@
  */
 
 import type { IncomingMessage, ServerResponse } from "node:http";
+import { z } from "openclaw/plugin-sdk/zod";
+import { publishNostrProfile, getNostrProfileState } from "./channel.js";
+import { NostrProfileSchema, type NostrProfile } from "./config-schema.js";
 import {
   createFixedWindowRateLimiter,
-  isBlockedHostnameOrIp,
+  getPluginRuntimeGatewayRequestScope,
   readJsonBodyWithLimit,
   requestBodyErrorToText,
-} from "openclaw/plugin-sdk/nostr";
-import { z } from "zod";
-import { publishNostrProfile, getNostrProfileState } from "./channel.js";
-import { NostrProfileSchema, type NostrProfile } from "./config-schema.js";
+} from "./nostr-profile-http-runtime.js";
 import { importProfileFromRelays, mergeProfiles } from "./nostr-profile-import.js";
+import { validateUrlSafety } from "./nostr-profile-url-safety.js";
 
 // ============================================================================
 // Types
 // ============================================================================
 
+function readStringValue(value: unknown): string | undefined {
+  return typeof value === "string" ? value : undefined;
+}
+
+function normalizeOptionalLowercaseString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed.toLowerCase() : undefined;
+}
+
+function normalizeLowercaseStringOrEmpty(value: unknown): string {
+  return normalizeOptionalLowercaseString(value) ?? "";
+}
+
 export interface NostrProfileHttpContext {
   /** Get current profile from config */
   getConfigProfile: (accountId: string) => NostrProfile | undefined;
@@ -98,33 +115,6 @@ async function withPublishLock<T>(accountId: string, fn: () => Promise<T>): Prom
   }
 }
 
-// ============================================================================
-// SSRF Protection
-// ============================================================================
-
-function validateUrlSafety(urlStr: string): { ok: true } | { ok: false; error: string } {
-  try {
-    const url = new URL(urlStr);
-
-    if (url.protocol !== "https:") {
-      return { ok: false, error: "URL must use https:// protocol" };
-    }
-
-    const hostname = url.hostname.toLowerCase();
-
-    if (isBlockedHostnameOrIp(hostname)) {
-      return { ok: false, error: "URL must not point to private/internal addresses" };
-    }
-
-    return { ok: true };
-  } catch {
-    return { ok: false, error: "Invalid URL format" };
-  }
-}
-
-// Export for use in import validation
-export { validateUrlSafety };
-
 // ============================================================================
 // Validation Schemas
 // ============================================================================
@@ -147,6 +137,8 @@ const ProfileUpdateSchema = NostrProfileSchema.extend({
   lud16: lud16FormatSchema,
 });
 
+const PROFILE_MUTATION_SCOPE = "operator.admin";
+
 // ============================================================================
 // Request Helpers
 // ============================================================================
@@ -193,7 +185,7 @@ function isLoopbackRemoteAddress(remoteAddress: string | undefined): boolean {
     return false;
   }
 
-  const ipLower = remoteAddress.toLowerCase().replace(/^\[|\]$/g, "");
+  const ipLower = normalizeLowercaseStringOrEmpty(remoteAddress).replace(/^\[|\]$/g, "");
 
   // IPv6 loopback
   if (ipLower === "::1") {
@@ -217,7 +209,7 @@ function isLoopbackRemoteAddress(remoteAddress: string | undefined): boolean {
 function isLoopbackOriginLike(value: string): boolean {
   try {
     const url = new URL(value);
-    const hostname = url.hostname.toLowerCase();
+    const hostname = normalizeLowercaseStringOrEmpty(url.hostname);
     return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
   } catch {
     return false;
@@ -228,7 +220,7 @@ function firstHeaderValue(value: string | string[] | undefined): string | undefi
   if (Array.isArray(value)) {
     return value[0];
   }
-  return typeof value === "string" ? value : undefined;
+  return readStringValue(value);
 }
 
 function normalizeIpCandidate(raw: string): string {
@@ -290,7 +282,9 @@ function enforceLoopbackMutationGuards(
     return false;
   }
 
-  const secFetchSite = firstHeaderValue(req.headers["sec-fetch-site"])?.trim().toLowerCase();
+  const secFetchSite = normalizeOptionalLowercaseString(
+    firstHeaderValue(req.headers["sec-fetch-site"]),
+  );
   if (secFetchSite === "cross-site") {
     ctx.log?.warn?.("Rejected mutation with cross-site sec-fetch-site header");
     sendJson(res, 403, { ok: false, error: "Forbidden" });
@@ -315,6 +309,21 @@ function enforceLoopbackMutationGuards(
   return true;
 }
 
+function enforceGatewayMutationScope(
+  ctx: NostrProfileHttpContext,
+  accountId: string,
+  res: ServerResponse,
+): boolean {
+  const runtimeScopes = getPluginRuntimeGatewayRequestScope()?.client?.connect?.scopes;
+  const scopes = Array.isArray(runtimeScopes) ? runtimeScopes : [];
+  if (scopes.includes(PROFILE_MUTATION_SCOPE)) {
+    return true;
+  }
+  ctx.log?.warn?.(`[${accountId}] Rejected profile mutation missing ${PROFILE_MUTATION_SCOPE}`);
+  sendJson(res, 403, { ok: false, error: `missing scope: ${PROFILE_MUTATION_SCOPE}` });
+  return false;
+}
+
 // ============================================================================
 // HTTP Handler
 // ============================================================================
@@ -397,6 +406,9 @@ async function handleUpdateProfile(
   req: IncomingMessage,
   res: ServerResponse,
 ): Promise<true> {
+  if (!enforceGatewayMutationScope(ctx, accountId, res)) {
+    return true;
+  }
   if (!enforceLoopbackMutationGuards(ctx, req, res)) {
     return true;
   }
@@ -500,6 +512,9 @@ async function handleImportProfile(
   req: IncomingMessage,
   res: ServerResponse,
 ): Promise<true> {
+  if (!enforceGatewayMutationScope(ctx, accountId, res)) {
+    return true;
+  }
   if (!enforceLoopbackMutationGuards(ctx, req, res)) {
     return true;
   }

package/src/nostr-profile-import.ts

@@ -7,14 +7,14 @@
 
 import { SimplePool, verifyEvent, type Event } from "nostr-tools";
 import type { NostrProfile } from "./config-schema.js";
-import { validateUrlSafety } from "./nostr-profile-http.js";
+import { validateUrlSafety } from "./nostr-profile-url-safety.js";
 import { contentToProfile, type ProfileContent } from "./nostr-profile.js";
 
 // ============================================================================
 // Types
 // ============================================================================
 
-export interface ProfileImportResult {
+interface ProfileImportResult {
   /** Whether the import was successful */
   ok: boolean;
   /** The imported profile (if found and valid) */
@@ -33,7 +33,7 @@ export interface ProfileImportResult {
   sourceRelay?: string;
 }
 
-export interface ProfileImportOptions {
+interface ProfileImportOptions {
   /** The public key to fetch profile for */
   pubkey: string;
   /** Relay URLs to query */

package/src/nostr-profile-url-safety.ts

@@ -0,0 +1,21 @@
+import { isBlockedHostnameOrIp } from "openclaw/plugin-sdk/ssrf-runtime";
+
+export function validateUrlSafety(urlStr: string): { ok: true } | { ok: false; error: string } {
+  try {
+    const url = new URL(urlStr);
+
+    if (url.protocol !== "https:") {
+      return { ok: false, error: "URL must use https:// protocol" };
+    }
+
+    const hostname = url.hostname.trim().toLowerCase();
+
+    if (isBlockedHostnameOrIp(hostname)) {
+      return { ok: false, error: "URL must not point to private/internal addresses" };
+    }
+
+    return { ok: true };
+  } catch {
+    return { ok: false, error: "Invalid URL format" };
+  }
+}

package/src/nostr-profile.fuzz.test.ts

@@ -1,15 +1,10 @@
 import { describe, expect, it } from "vitest";
 import type { NostrProfile } from "./config-schema.js";
 import {
-  createProfileEvent,
   profileToContent,
-  validateProfile,
   sanitizeProfileForDisplay,
-} from "./nostr-profile.js";
-
-// Test private key
-const TEST_HEX_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
-const TEST_SK = new Uint8Array(TEST_HEX_KEY.match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
+  validateProfile,
+} from "./nostr-profile-core.js";
 
 // ============================================================================
 // Unicode Attack Vectors
@@ -51,9 +46,13 @@ describe("profile unicode attacks", () => {
       };
       const result = validateProfile(profile);
       expect(result.valid).toBe(true);
+      expect(result.profile).toBeDefined();
+      if (!result.profile) {
+        throw new Error("expected validated profile");
+      }
 
       // UI should escape or handle this
-      const sanitized = sanitizeProfileForDisplay(result.profile!);
+      const sanitized = sanitizeProfileForDisplay(result.profile);
       expect(sanitized.name).toBeDefined();
     });
 
@@ -429,52 +428,3 @@ describe("profile type confusion", () => {
     expect(({} as Record<string, unknown>).polluted).toBeUndefined();
   });
 });
-
-// ============================================================================
-// Event Creation Edge Cases
-// ============================================================================
-
-describe("event creation edge cases", () => {
-  it("handles profile with all fields at max length", () => {
-    const profile: NostrProfile = {
-      name: "a".repeat(256),
-      displayName: "b".repeat(256),
-      about: "c".repeat(2000),
-      nip05: "d".repeat(200) + "@example.com",
-      lud16: "e".repeat(200) + "@example.com",
-    };
-
-    const event = createProfileEvent(TEST_SK, profile);
-    expect(event.kind).toBe(0);
-
-    // Content should be parseable JSON
-    expect(() => JSON.parse(event.content)).not.toThrow();
-  });
-
-  it("handles rapid sequential events with monotonic timestamps", () => {
-    const profile: NostrProfile = { name: "rapid" };
-
-    // Create events in quick succession
-    let lastTimestamp = 0;
-    for (let i = 0; i < 25; i++) {
-      const event = createProfileEvent(TEST_SK, profile, lastTimestamp);
-      expect(event.created_at).toBeGreaterThan(lastTimestamp);
-      lastTimestamp = event.created_at;
-    }
-  });
-
-  it("handles JSON special characters in content", () => {
-    const profile: NostrProfile = {
-      name: 'test"user',
-      about: "line1\nline2\ttab\\backslash",
-    };
-
-    const event = createProfileEvent(TEST_SK, profile);
-    const parsed = JSON.parse(event.content) as { name: string; about: string };
-
-    expect(parsed.name).toBe('test"user');
-    expect(parsed.about).toContain("\n");
-    expect(parsed.about).toContain("\t");
-    expect(parsed.about).toContain("\\");
-  });
-});

package/src/nostr-profile.test.ts

@@ -9,11 +9,13 @@ import {
   sanitizeProfileForDisplay,
   type ProfileContent,
 } from "./nostr-profile.js";
+import { TEST_HEX_PRIVATE_KEY_BYTES } from "./test-fixtures.js";
 
-// Test private key (DO NOT use in production - this is a known test key)
-const TEST_HEX_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
-const TEST_SK = new Uint8Array(TEST_HEX_KEY.match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
-const TEST_PUBKEY = getPublicKey(TEST_SK);
+const TEST_PUBKEY = getPublicKey(TEST_HEX_PRIVATE_KEY_BYTES);
+
+function createTestProfileEvent(profile: NostrProfile, lastPublishedAt?: number) {
+  return createProfileEvent(TEST_HEX_PRIVATE_KEY_BYTES, profile, lastPublishedAt);
+}
 
 // ============================================================================
 // Profile Content Conversion Tests
@@ -123,7 +125,7 @@ describe("createProfileEvent", () => {
       about: "A test bot",
     };
 
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
 
     expect(event.kind).toBe(0);
     expect(event.pubkey).toBe(TEST_PUBKEY);
@@ -139,7 +141,7 @@ describe("createProfileEvent", () => {
       about: "Testing JSON serialization",
     };
 
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
     const parsedContent = JSON.parse(event.content) as ProfileContent;
 
     expect(parsedContent.name).toBe("jsontest");
@@ -149,14 +151,14 @@ describe("createProfileEvent", () => {
 
   it("produces a verifiable signature", () => {
     const profile: NostrProfile = { name: "signaturetest" };
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
 
     expect(verifyEvent(event)).toBe(true);
   });
 
   it("uses current timestamp when no lastPublishedAt provided", () => {
     const profile: NostrProfile = { name: "timestamptest" };
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
 
     const expectedTimestamp = Math.floor(Date.now() / 1000);
     expect(event.created_at).toBe(expectedTimestamp);
@@ -167,7 +169,7 @@ describe("createProfileEvent", () => {
     const futureTimestamp = 1705320000 + 3600; // 1 hour in the future
     const profile: NostrProfile = { name: "monotonictest" };
 
-    const event = createProfileEvent(TEST_SK, profile, futureTimestamp);
+    const event = createTestProfileEvent(profile, futureTimestamp);
 
     expect(event.created_at).toBe(futureTimestamp + 1);
   });
@@ -176,7 +178,7 @@ describe("createProfileEvent", () => {
     const pastTimestamp = 1705320000 - 3600; // 1 hour in the past
     const profile: NostrProfile = { name: "pasttest" };
 
-    const event = createProfileEvent(TEST_SK, profile, pastTimestamp);
+    const event = createTestProfileEvent(profile, pastTimestamp);
 
     const expectedTimestamp = Math.floor(Date.now() / 1000);
     expect(event.created_at).toBe(expectedTimestamp);
@@ -364,7 +366,7 @@ describe("edge cases", () => {
     expect(content.name).toBe("🤖 Bot");
     expect(content.about).toBe("I am a 🤖 robot! 🎉");
 
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
     const parsed = JSON.parse(event.content) as ProfileContent;
     expect(parsed.name).toBe("🤖 Bot");
   });
@@ -378,7 +380,7 @@ describe("edge cases", () => {
     const content = profileToContent(profile);
     expect(content.name).toBe("日本語ユーザー");
 
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
     expect(verifyEvent(event)).toBe(true);
   });
 
@@ -390,7 +392,7 @@ describe("edge cases", () => {
     const content = profileToContent(profile);
     expect(content.about).toBe("Line 1\nLine 2\nLine 3");
 
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
     const parsed = JSON.parse(event.content) as ProfileContent;
     expect(parsed.about).toBe("Line 1\nLine 2\nLine 3");
   });
@@ -404,7 +406,7 @@ describe("edge cases", () => {
     const result = validateProfile(profile);
     expect(result.valid).toBe(true);
 
-    const event = createProfileEvent(TEST_SK, profile);
+    const event = createTestProfileEvent(profile);
     expect(verifyEvent(event)).toBe(true);
   });
 });

package/src/nostr-profile.ts

@@ -6,7 +6,16 @@
  */
 
 import { finalizeEvent, SimplePool, type Event } from "nostr-tools";
-import { type NostrProfile, NostrProfileSchema } from "./config-schema.js";
+import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
+import type { NostrProfile } from "./config-schema.js";
+import { profileToContent } from "./nostr-profile-core.js";
+export {
+  contentToProfile,
+  profileToContent,
+  sanitizeProfileForDisplay,
+  validateProfile,
+  type ProfileContent,
+} from "./nostr-profile-core.js";
 
 // ============================================================================
 // Types
@@ -24,94 +33,6 @@ export interface ProfilePublishResult {
   createdAt: number;
 }
 
-/** NIP-01 profile content (JSON inside kind:0 event) */
-export interface ProfileContent {
-  name?: string;
-  display_name?: string;
-  about?: string;
-  picture?: string;
-  banner?: string;
-  website?: string;
-  nip05?: string;
-  lud16?: string;
-}
-
-// ============================================================================
-// Profile Content Conversion
-// ============================================================================
-
-/**
- * Convert our config profile schema to NIP-01 content format.
- * Strips undefined fields and validates URLs.
- */
-export function profileToContent(profile: NostrProfile): ProfileContent {
-  const validated = NostrProfileSchema.parse(profile);
-
-  const content: ProfileContent = {};
-
-  if (validated.name !== undefined) {
-    content.name = validated.name;
-  }
-  if (validated.displayName !== undefined) {
-    content.display_name = validated.displayName;
-  }
-  if (validated.about !== undefined) {
-    content.about = validated.about;
-  }
-  if (validated.picture !== undefined) {
-    content.picture = validated.picture;
-  }
-  if (validated.banner !== undefined) {
-    content.banner = validated.banner;
-  }
-  if (validated.website !== undefined) {
-    content.website = validated.website;
-  }
-  if (validated.nip05 !== undefined) {
-    content.nip05 = validated.nip05;
-  }
-  if (validated.lud16 !== undefined) {
-    content.lud16 = validated.lud16;
-  }
-
-  return content;
-}
-
-/**
- * Convert NIP-01 content format back to our config profile schema.
- * Useful for importing existing profiles from relays.
- */
-export function contentToProfile(content: ProfileContent): NostrProfile {
-  const profile: NostrProfile = {};
-
-  if (content.name !== undefined) {
-    profile.name = content.name;
-  }
-  if (content.display_name !== undefined) {
-    profile.displayName = content.display_name;
-  }
-  if (content.about !== undefined) {
-    profile.about = content.about;
-  }
-  if (content.picture !== undefined) {
-    profile.picture = content.picture;
-  }
-  if (content.banner !== undefined) {
-    profile.banner = content.banner;
-  }
-  if (content.website !== undefined) {
-    profile.website = content.website;
-  }
-  if (content.nip05 !== undefined) {
-    profile.nip05 = content.nip05;
-  }
-  if (content.lud16 !== undefined) {
-    profile.lud16 = content.lud16;
-  }
-
-  return profile;
-}
-
 // ============================================================================
 // Event Creation
 // ============================================================================
@@ -167,7 +88,7 @@ const RELAY_PUBLISH_TIMEOUT_MS = 5000;
  * @param event - Signed profile event (kind:0)
  * @returns Publish results with successes and failures
  */
-export async function publishProfileEvent(
+async function publishProfileEvent(
   pool: SimplePool,
   relays: string[],
   event: Event,
@@ -182,12 +103,11 @@ export async function publishProfileEvent(
         setTimeout(() => reject(new Error("timeout")), RELAY_PUBLISH_TIMEOUT_MS);
       });
 
-      // oxlint-disable-next-line typescript/no-floating-promises
-      await Promise.race([pool.publish([relay], event), timeoutPromise]);
+      await Promise.race([...pool.publish([relay], event), timeoutPromise]);
 
       successes.push(relay);
     } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : String(err);
+      const errorMessage = formatErrorMessage(err);
       failures.push({ relay, error: errorMessage });
     }
   });
@@ -222,56 +142,3 @@ export async function publishProfile(
   const event = createProfileEvent(sk, profile, lastPublishedAt);
   return publishProfileEvent(pool, relays, event);
 }
-
-// ============================================================================
-// Profile Validation Helpers
-// ============================================================================
-
-/**
- * Validate a profile without throwing (returns result object).
- */
-export function validateProfile(profile: unknown): {
-  valid: boolean;
-  profile?: NostrProfile;
-  errors?: string[];
-} {
-  const result = NostrProfileSchema.safeParse(profile);
-
-  if (result.success) {
-    return { valid: true, profile: result.data };
-  }
-
-  return {
-    valid: false,
-    errors: result.error.issues.map((e) => `${e.path.join(".")}: ${e.message}`),
-  };
-}
-
-/**
- * Sanitize profile text fields to prevent XSS when displaying in UI.
- * Escapes HTML special characters.
- */
-export function sanitizeProfileForDisplay(profile: NostrProfile): NostrProfile {
-  const escapeHtml = (str: string | undefined): string | undefined => {
-    if (str === undefined) {
-      return undefined;
-    }
-    return str
-      .replace(/&/g, "&")
-      .replace(/</g, "&lt;")
-      .replace(/>/g, "&gt;")
-      .replace(/"/g, "&quot;")
-      .replace(/'/g, "&#039;");
-  };
-
-  return {
-    name: escapeHtml(profile.name),
-    displayName: escapeHtml(profile.displayName),
-    about: escapeHtml(profile.about),
-    picture: profile.picture, // URLs already validated by schema
-    banner: profile.banner,
-    website: profile.website,
-    nip05: escapeHtml(profile.nip05),
-    lud16: escapeHtml(profile.lud16),
-  };
-}