@openclaw/nostr 2026.5.9-beta.1 → 2026.5.10-beta.1

package/dist/api.js

@@ -1,7 +1,7 @@
 import { o as resolveNostrAccount } from "./setup-surface-DxAaUTyC.js";
 import { getPluginRuntimeGatewayRequestScope } from "./runtime-api.js";
-import { n as NostrProfileSchema } from "./config-schema-DIk4jlBg.js";
-import { a as setNostrRuntime, i as getNostrRuntime, n as nostrPlugin, o as contentToProfile, r as publishNostrProfile, t as getNostrProfileState } from "./channel-C6LnxRyg.js";
+import { n as NostrProfileSchema } from "./config-schema-Clq-vlF1.js";
+import { a as setNostrRuntime, i as getNostrRuntime, n as nostrPlugin, o as contentToProfile, r as publishNostrProfile, t as getNostrProfileState } from "./channel-BSOktL3g.js";
 import { z } from "openclaw/plugin-sdk/zod";
 import { SimplePool, verifyEvent } from "nostr-tools";
 import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, readStringValue } from "openclaw/plugin-sdk/text-runtime";

package/dist/{channel-C6LnxRyg.js → channel-BSOktL3g.js}

@@ -1,5 +1,5 @@
 import { a as resolveDefaultNostrAccountId, c as validatePrivateKey, i as listNostrAccountIds, n as nostrSetupWizard, o as resolveNostrAccount, s as normalizePubkey, t as nostrSetupAdapter } from "./setup-surface-DxAaUTyC.js";
-import { a as collectStatusIssuesFromLastError, c as formatPairingApproveHint, i as buildChannelConfigSchema, l as resolveInboundDirectDmAccessWithRuntime, n as NostrProfileSchema, o as createDefaultChannelRuntimeState, r as DEFAULT_ACCOUNT_ID, s as createPreCryptoDirectDmAuthorizer, t as NostrConfigSchema } from "./config-schema-DIk4jlBg.js";
+import { a as collectStatusIssuesFromLastError, i as buildChannelConfigSchema, n as NostrProfileSchema, o as createDefaultChannelRuntimeState, r as DEFAULT_ACCOUNT_ID, s as formatPairingApproveHint, t as NostrConfigSchema } from "./config-schema-Clq-vlF1.js";
 import { t as DEFAULT_RELAYS } from "./default-relays-DLwdWOTu.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { createScopedDmSecurityResolver, createTopLevelChannelConfigAdapter } from "openclaw/plugin-sdk/channel-config-helpers";
@@ -8,6 +8,7 @@ import { createChannelMessageAdapterFromOutbound } from "openclaw/plugin-sdk/cha
 import { buildPassiveChannelStatusSummary, buildTrafficStatusSummary, safeParseJsonWithSchema } from "openclaw/plugin-sdk/extension-shared";
 import { createComputedAccountStatusAdapter } from "openclaw/plugin-sdk/status-helpers";
 import { z } from "openclaw/plugin-sdk/zod";
+import { resolveStableChannelMessageIngress } from "openclaw/plugin-sdk/channel-ingress-runtime";
 import { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
 import { attachChannelToResult } from "openclaw/plugin-sdk/channel-send-result";
 import { SimplePool, finalizeEvent, getPublicKey, verifyEvent } from "nostr-tools";
@@ -1096,38 +1097,38 @@ async function sendEncryptedDm(pool, sk, toPubkey, text, relays, metrics, circui
 //#region extensions/nostr/src/gateway.ts
 const activeBuses = /* @__PURE__ */ new Map();
 const metricsSnapshots = /* @__PURE__ */ new Map();
+const ACCESS_GROUP_PREFIX = "accessGroup:";
+function parseNostrAccessGroupAllowFromEntry(entry) {
+	const trimmed = entry.trim();
+	if (!trimmed.startsWith(ACCESS_GROUP_PREFIX)) return null;
+	return trimmed.slice(12).trim() || null;
+}
 function normalizeNostrAllowEntry(entry) {
 	const trimmed = entry.trim();
 	if (!trimmed) return null;
 	if (trimmed === "*") return "*";
+	const accessGroup = parseNostrAccessGroupAllowFromEntry(trimmed);
+	if (accessGroup) return `accessGroup:${accessGroup}`;
 	try {
 		return normalizePubkey(trimmed.replace(/^nostr:/i, ""));
 	} catch {
 		return null;
 	}
 }
-function isNostrSenderAllowed(senderPubkey, allowFrom) {
-	const normalizedSender = normalizePubkey(senderPubkey);
-	for (const entry of allowFrom) {
-		const normalized = normalizeNostrAllowEntry(entry);
-		if (normalized === "*" || normalized === normalizedSender) return true;
+function normalizeNostrSenderPubkey(value) {
+	try {
+		return normalizePubkey(value);
+	} catch {
+		return null;
 	}
-	return false;
-}
-async function resolveNostrDirectAccess(params) {
-	return resolveInboundDirectDmAccessWithRuntime({
-		cfg: params.cfg,
-		channel: "nostr",
-		accountId: params.accountId,
-		dmPolicy: params.dmPolicy,
-		allowFrom: params.allowFrom,
-		senderId: params.senderPubkey,
-		rawBody: params.rawBody,
-		isSenderAllowed: isNostrSenderAllowed,
-		runtime: params.runtime,
-		modeWhenAccessGroupsOff: "configured"
-	});
 }
+const nostrIngressIdentity = {
+	key: "nostr-pubkey",
+	normalizeEntry: normalizeNostrAllowEntry,
+	normalizeSubject: normalizeNostrSenderPubkey,
+	sensitivity: "pii",
+	entryIdPrefix: "nostr-entry"
+};
 const startNostrGatewayAccount = async (ctx) => {
 	const account = ctx.account;
 	ctx.setStatus({
@@ -1142,38 +1143,42 @@ const startNostrGatewayAccount = async (ctx) => {
 		channel: "nostr",
 		accountId: account.accountId
 	});
-	const resolveInboundAccess = async (senderPubkey, rawBody) => await resolveNostrDirectAccess({
-		cfg: ctx.cfg,
+	const resolveInboundAccess = async (senderPubkey, rawBody) => await resolveStableChannelMessageIngress({
+		channelId: "nostr",
 		accountId: account.accountId,
+		identity: nostrIngressIdentity,
+		cfg: ctx.cfg,
+		useDefaultPairingStore: true,
+		subject: { stableId: senderPubkey },
+		conversation: {
+			kind: "direct",
+			id: senderPubkey
+		},
 		dmPolicy: account.config.dmPolicy ?? "pairing",
 		allowFrom: account.config.allowFrom,
-		senderPubkey,
-		rawBody,
-		runtime: {
-			shouldComputeCommandAuthorized: runtime.channel.commands.shouldComputeCommandAuthorized,
-			resolveCommandAuthorizedFromAuthorizers: runtime.channel.commands.resolveCommandAuthorizedFromAuthorizers
-		}
+		command: runtime.channel.commands.shouldComputeCommandAuthorized(rawBody, ctx.cfg) ? { modeWhenAccessGroupsOff: "configured" } : void 0
 	});
 	let busHandle = null;
-	const authorizeSender = createPreCryptoDirectDmAuthorizer({
-		resolveAccess: async (senderPubkey) => await resolveInboundAccess(senderPubkey, ""),
-		issuePairingChallenge: async ({ senderId, reply }) => {
+	const authorizeSender = async (input) => {
+		const resolved = await resolveInboundAccess(input.senderId, "");
+		if (resolved.senderAccess.decision === "allow") return "allow";
+		if (resolved.senderAccess.decision === "pairing") {
 			await pairing.issueChallenge({
-				senderId,
-				senderIdLine: `Your Nostr pubkey: ${senderId}`,
-				sendPairingReply: reply,
+				senderId: input.senderId,
+				senderIdLine: `Your Nostr pubkey: ${input.senderId}`,
+				sendPairingReply: input.reply,
 				onCreated: () => {
-					ctx.log?.debug?.(`[${account.accountId}] nostr pairing request sender=${senderId}`);
+					ctx.log?.debug?.(`[${account.accountId}] nostr pairing request sender=${input.senderId}`);
 				},
 				onReplyError: (err) => {
-					ctx.log?.warn?.(`[${account.accountId}] nostr pairing reply failed for ${senderId}: ${String(err)}`);
+					ctx.log?.warn?.(`[${account.accountId}] nostr pairing reply failed for ${input.senderId}: ${String(err)}`);
 				}
 			});
-		},
-		onBlocked: ({ senderId, reason }) => {
-			ctx.log?.debug?.(`[${account.accountId}] blocked Nostr sender ${senderId} (${reason})`);
+			return "pairing";
 		}
-	});
+		ctx.log?.debug?.(`[${account.accountId}] blocked Nostr sender ${input.senderId} (${resolved.senderAccess.reasonCode})`);
+		return "block";
+	};
 	const bus = await startNostrBus({
 		accountId: account.accountId,
 		privateKey: account.privateKey,
@@ -1184,8 +1189,8 @@ const startNostrGatewayAccount = async (ctx) => {
 		}),
 		onMessage: async (senderPubkey, text, reply, meta) => {
 			const resolvedAccess = await resolveInboundAccess(senderPubkey, text);
-			if (resolvedAccess.access.decision !== "allow") {
-				ctx.log?.warn?.(`[${account.accountId}] dropping Nostr DM after preflight drift (${senderPubkey}, ${resolvedAccess.access.reason})`);
+			if (resolvedAccess.senderAccess.decision !== "allow") {
+				ctx.log?.warn?.(`[${account.accountId}] dropping Nostr DM after preflight drift (${senderPubkey}, ${resolvedAccess.senderAccess.reasonCode})`);
 				return;
 			}
 			const { dispatchInboundDirectDmWithRuntime } = await import("./inbound-direct-dm-runtime-22bZWcIW.js");
@@ -1206,7 +1211,7 @@ const startNostrGatewayAccount = async (ctx) => {
 				rawBody: text,
 				messageId: meta.eventId,
 				timestamp: meta.createdAt * 1e3,
-				commandAuthorized: resolvedAccess.commandAuthorized,
+				commandAuthorized: resolvedAccess.commandAccess.requested ? resolvedAccess.commandAccess.authorized : void 0,
 				deliver: async (payload) => {
 					const outboundText = payload && typeof payload === "object" && "text" in payload ? payload.text ?? "" : "";
 					if (!outboundText.trim()) return;

package/dist/channel-plugin-api.js

@@ -1,2 +1,2 @@
-import { n as nostrPlugin } from "./channel-C6LnxRyg.js";
+import { n as nostrPlugin } from "./channel-BSOktL3g.js";
 export { nostrPlugin };

package/dist/{config-schema-DIk4jlBg.js → config-schema-Clq-vlF1.js}

@@ -1,6 +1,5 @@
 import { collectStatusIssuesFromLastError, createDefaultChannelRuntimeState } from "openclaw/plugin-sdk/status-helpers";
 import { DEFAULT_ACCOUNT_ID, buildChannelConfigSchema, formatPairingApproveHint } from "openclaw/plugin-sdk/channel-plugin-common";
-import { createPreCryptoDirectDmAuthorizer, resolveInboundDirectDmAccessWithRuntime } from "openclaw/plugin-sdk/direct-dm-access";
 import { AllowFromListSchema, DmPolicySchema, MarkdownConfigSchema } from "openclaw/plugin-sdk/channel-config-primitives";
 import { buildSecretInputSchema } from "openclaw/plugin-sdk/secret-input";
 import { z } from "openclaw/plugin-sdk/zod";
@@ -61,4 +60,4 @@ const NostrConfigSchema = z.object({
 	profile: NostrProfileSchema.optional()
 });
 //#endregion
-export { collectStatusIssuesFromLastError as a, formatPairingApproveHint as c, buildChannelConfigSchema as i, resolveInboundDirectDmAccessWithRuntime as l, NostrProfileSchema as n, createDefaultChannelRuntimeState as o, DEFAULT_ACCOUNT_ID as r, createPreCryptoDirectDmAuthorizer as s, NostrConfigSchema as t };
+export { collectStatusIssuesFromLastError as a, buildChannelConfigSchema as i, NostrProfileSchema as n, createDefaultChannelRuntimeState as o, DEFAULT_ACCOUNT_ID as r, formatPairingApproveHint as s, NostrConfigSchema as t };

package/dist/setup-plugin-api.js

@@ -1,4 +1,4 @@
-import { i as buildChannelConfigSchema, t as NostrConfigSchema } from "./config-schema-DIk4jlBg.js";
+import { i as buildChannelConfigSchema, t as NostrConfigSchema } from "./config-schema-Clq-vlF1.js";
 import { t as DEFAULT_RELAYS } from "./default-relays-DLwdWOTu.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { patchTopLevelChannelConfigSection } from "openclaw/plugin-sdk/setup";

package/dist/test-api.js

@@ -1,2 +1,2 @@
-import { n as nostrPlugin } from "./channel-C6LnxRyg.js";
+import { n as nostrPlugin } from "./channel-BSOktL3g.js";
 export { nostrPlugin };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/nostr",
-  "version": "2026.5.9-beta.1",
+  "version": "2026.5.10-beta.1",
   "description": "OpenClaw Nostr channel plugin for NIP-04 encrypted DMs",
   "repository": {
     "type": "git",
@@ -15,7 +15,7 @@
     "openclaw": "workspace:*"
   },
   "peerDependencies": {
-    "openclaw": ">=2026.5.9-beta.1"
+    "openclaw": ">=2026.5.10-beta.1"
   },
   "peerDependenciesMeta": {
     "openclaw": {
@@ -53,10 +53,10 @@
       "minHostVersion": ">=2026.4.10"
     },
     "compat": {
-      "pluginApi": ">=2026.5.9-beta.1"
+      "pluginApi": ">=2026.5.10-beta.1"
     },
     "build": {
-      "openclawVersion": "2026.5.9-beta.1"
+      "openclawVersion": "2026.5.10-beta.1"
     },
     "release": {
       "publishToClawHub": true,