nappup 1.8.5 → 1.9.0

package/README.md

@@ -26,7 +26,7 @@ nappup [directory] [options]
 
 | Flag | Description |
 |------|-------------|
-| `-s <secret_key>` | Your Nostr secret key (hex or nsec format) used to sign the application event. See [Authentication](#authentication) for alternatives. |
+| `-s <secret_key>` | Your Nostr secret key (hex, nsec, or `bunker://` URL) used to sign the application event. See [Authentication](#authentication) for alternatives. |
 | `-d <d_tag>` | The identifier (`d` tag) for your application. Any UTF-8 text up to 260 characters. If omitted, defaults to the directory name. Avoid generic names like `dist` or `build` - use something unique among your other apps like `mycoolapp`. |
 | `-y` | Skip confirmation prompt. Useful for CI/CD pipelines or automated scripts. |
 | `-r` | Force re-upload. By default, Napp Up! might skip files that haven't changed. Use this flag to ensure everything is pushed fresh. |
@@ -43,13 +43,18 @@ Napp Up! supports multiple ways to provide your Nostr secret key:
    nappup -s nsec1...
    ```
 
-2. **Environment variable**: Set `NOSTR_SECRET_KEY` in your environment or a `.env` file:
+2. **Remote signer (NIP-46)**: Pass a `bunker://` URL to sign events via a remote signer like [nak](https://github.com/fiatjaf/nak?tab=readme-ov-file#start-a-bunker-that-persists-its-metadata-secret-key-relays-authorized-client-pubkeys-to-disc) or [Amber](https://github.com/greenart7c3/Amber):
+   ```bash
+   nappup -s 'bunker://<pubkey>?relay=wss://relay.example.com&secret=<token>'
+   ```
+
+3. **Environment variable**: Set `NOSTR_SECRET_KEY` in your environment or a `.env` file (also supports `bunker://` URLs):
    ```bash
    export NOSTR_SECRET_KEY=nsec1...
    nappup ./dist
    ```
 
-3. **Auto-generated key**: If no key is provided, Napp Up! will generate a new keypair automatically and store it (as nsec) in your project's `.env` file for future use.
+4. **Auto-generated key**: If no key is provided, Napp Up! will generate a new keypair automatically and store it (as nsec) in your project's `.env` file for future use.
 
 ### Examples
 

package/bin/nappup/index.js

@@ -34,4 +34,18 @@ await confirmArgs(args)
 
 const fileList = await toFileList(getFiles(dir), dir)
 
-await toApp(fileList, await NostrSigner.create(sk), { log: console.log.bind(console), dTag, channel, shouldReupload })
+const bunkerUrl = sk?.startsWith('bunker://') ? sk : (!sk && process.env.NOSTR_SECRET_KEY?.startsWith('bunker://')) ? process.env.NOSTR_SECRET_KEY : null
+
+let signer
+if (bunkerUrl) {
+  const { default: NostrBunkerSigner } = await import('#services/bunker-signer.js')
+  signer = await NostrBunkerSigner.create(bunkerUrl)
+} else {
+  signer = await NostrSigner.create(sk)
+}
+
+try {
+  await toApp(fileList, signer, { log: console.log.bind(console), dTag, channel, shouldReupload })
+} finally {
+  await signer.close?.()
+}

package/package.json

@@ -6,7 +6,7 @@
     "url": "git+https://github.com/44billion/nappup.git"
   },
   "license": "MIT",
-  "version": "1.8.5",
+  "version": "1.9.0",
   "description": "Nostr App Uploader",
   "type": "module",
   "scripts": {

package/src/index.js

@@ -75,7 +75,7 @@ export async function toApp (fileList, nostrSigner, { log = () => {}, onEvent =
     nostrSigner.getRelays = getRelays
   }
   const writeRelays = [...new Set((await nostrSigner.getRelays()).write.map(r => r.trim().replace(/\/$/, '')))]
-  log(`Found ${writeRelays.length} outbox relays for pubkey ${nostrSigner.getPublicKey()}:\n${writeRelays.join(', ')}`)
+  log(`Found ${writeRelays.length} outbox relays for pubkey ${await nostrSigner.getPublicKey()}:\n${writeRelays.join(', ')}`)
   if (writeRelays.length === 0) throw new Error('No outbox relays found')
 
   if (typeof dTag === 'string') {

package/src/services/bunker-signer.js

@@ -0,0 +1,55 @@
+import { generateSecretKey } from 'nostr-tools/pure'
+import { BunkerSigner, parseBunkerInput } from 'nostr-tools/nip46'
+import { getRelays } from '#helpers/signer.js'
+
+const CONNECT_TIMEOUT = 30_000
+const createToken = Symbol('createToken')
+
+export default class NostrBunkerSigner {
+  #bunker
+  #publicKey // hex, cached
+
+  constructor (token, bunker, publicKey) {
+    if (token !== createToken) throw new Error('Use NostrBunkerSigner.create(bunkerUrl) to instantiate this class.')
+    this.#bunker = bunker
+    this.#publicKey = publicKey
+  }
+
+  static async create (bunkerUrl) {
+    const bp = await parseBunkerInput(bunkerUrl)
+    if (!bp) throw new Error('Invalid bunker URL')
+    if (bp.relays.length === 0) throw new Error('Bunker URL must include at least one relay (?relay=wss://...)')
+
+    const clientSk = generateSecretKey()
+    const bunker = new BunkerSigner(clientSk, bp)
+
+    await Promise.race([
+      bunker.connect(),
+      new Promise((_, reject) => setTimeout(() => reject(new Error('Bunker connection timed out')), CONNECT_TIMEOUT))
+    ])
+
+    const publicKey = await bunker.getPublicKey()
+    return new this(createToken, bunker, publicKey)
+  }
+
+  getPublicKey () {
+    return this.#publicKey
+  }
+
+  signEvent (event) {
+    return this.#bunker.signEvent(event)
+  }
+
+  async getRelays () {
+    return getRelays.call(this)
+  }
+
+  nip44 = {
+    encrypt: (pubkey, plaintext) => this.#bunker.nip44Encrypt(pubkey, plaintext),
+    decrypt: (pubkey, ciphertext) => this.#bunker.nip44Decrypt(pubkey, ciphertext)
+  }
+
+  async close () {
+    await this.#bunker.close()
+  }
+}

package/src/services/nostr-signer.js

@@ -46,6 +46,7 @@ export default class NostrSigner {
     let isNewSk = false
     if (process.env.NOSTR_SECRET_KEY) {
       let envSk = process.env.NOSTR_SECRET_KEY
+      if (envSk.startsWith('bunker://')) throw new Error('bunker:// URLs are not supported by NostrSigner. Use NostrBunkerSigner.create() instead.')
       if (envSk.startsWith('nsec')) envSk = nsecDecode(envSk)
       skBytes = base16ToBytes(envSk)
     } else {