ncc-02-js 0.3.1 → 0.5.0

package/dist/privacy.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Parse the required `private` tag from an event.
+ * @param {any[]} tags
+ * @returns {boolean | null}
+ */
+export function parsePrivateFlag(tags: any[]): boolean | null;
+/**
+ * Extract all `privateRecipients` ciphertext values from an event.
+ * @param {any[]} tags
+ * @returns {string[]}
+ */
+export function collectPrivateRecipients(tags: any[]): string[];
+/**
+ * Encrypt a list of recipient pubkeys so they can be published in a service record.
+ * @param {string | Uint8Array | NipSigner} ownerPrivateKey
+ * @param {string[]} recipients
+ * @returns {Promise<string[]>}
+ */
+export function encryptPrivateRecipients(ownerPrivateKey: string | Uint8Array | NipSigner, recipients: string[]): Promise<string[]>;
+/**
+ * Decrypt a single private recipient ciphertext.
+ * @param {string} ciphertext
+ * @param {string} ownerPubkey
+ * @param {string | Uint8Array | NipSigner} recipientPrivateKey
+ * @returns {Promise<string>}
+ */
+export function decryptPrivateRecipient(ciphertext: string, ownerPubkey: string, recipientPrivateKey: string | Uint8Array | NipSigner): Promise<string>;
+/**
+ * Check whether the provided private key matches one of the encrypted recipients.
+ * @param {string[]} privateRecipients
+ * @param {string} ownerPubkey
+ * @param {string | Uint8Array | NipSigner} recipientPrivateKey
+ * @returns {Promise<boolean>}
+ */
+export function isPrivateRecipientAuthorized(privateRecipients: string[], ownerPubkey: string, recipientPrivateKey: string | Uint8Array | NipSigner): Promise<boolean>;
+export type NipSigner = {
+    nip44Encrypt?: (thirdPartyPubkey: string, plaintext: string) => Promise<string> | string;
+    nip44Decrypt?: (ownerPubkey: string, ciphertext: string) => Promise<string> | string;
+    nip04?: {
+        encrypt: (thirdPartyPubkey: string, plaintext: string) => Promise<string> | string;
+        decrypt: (ownerPubkey: string, ciphertext: string) => Promise<string> | string;
+    };
+    getPublicKey?: () => Promise<string> | string;
+};

package/dist/resolver.d.ts

@@ -12,13 +12,18 @@ export class NCC02Error extends Error {
     cause: any;
 }
 /**
- * @typedef {Object} ResolvedService
+ * @typedef {Object} ServiceStatus
  * @property {string|undefined} endpoint
  * @property {string|undefined} fingerprint
  * @property {number} expiry
- * @property {any[]} attestations
+ * @property {boolean} isRevoked
+ * @property {number} attestationCount
+ * @property {Array<{eventId:string, level:string, pubkey:string}>} attestations
  * @property {string} eventId
  * @property {string} pubkey
+ * @property {any} serviceEvent
+ * @property {boolean} isPrivate
+ * @property {string[]} privateRecipients
  */
 /**
  * Resolver for NCC-02 Service Records.
@@ -52,6 +57,18 @@ export class NCC02Resolver {
      * @returns {Promise<import('nostr-tools').Event[]>}
      */
     _query(filter: import("nostr-tools").Filter): Promise<import("nostr-tools").Event[]>;
+    /**
+     * Returns the first event sorted by freshness (newest created_at, tie broken by id).
+     * @param {import('nostr-tools').Event[]} events
+     * @returns {import('nostr-tools').Event|null}
+     */
+    _freshestEvent(events: import("nostr-tools").Event[]): import("nostr-tools").Event | null;
+    /**
+     * Query helper that returns only the freshest event matching the filter.
+     * @param {import('nostr-tools').Filter} filter
+     * @returns {Promise<import('nostr-tools').Event | null>}
+     */
+    _queryFreshest(filter: import("nostr-tools").Filter): Promise<import("nostr-tools").Event | null>;
     /**
      * Resolves a service for a given pubkey and service identifier.
      *
@@ -61,41 +78,88 @@ export class NCC02Resolver {
      * @param {boolean} [options.requireAttestation=false] - If true, fails if no trusted attestation is found.
      * @param {string} [options.minLevel=null] - Minimum trust level ('self', 'verified', 'hardened').
      * @param {string} [options.standard='nostr-service-trust-v0.1'] - Expected trust standard.
-     * @throws {NCC02Error} If verification or policy checks fail.
-     * @returns {Promise<ResolvedService>} The verified service details.
+    * @throws {NCC02Error} If verification or policy checks fail.
+    * @returns {Promise<ServiceStatus>} The service status including trust metadata.
      */
     resolve(pubkey: string, serviceId: string, options?: {
         requireAttestation?: boolean;
         minLevel?: string;
         standard?: string;
-    }): Promise<ResolvedService>;
+    }): Promise<ServiceStatus>;
     /**
-     * @param {string | undefined} actual
-     * @param {string} required
+     * @param {any} serviceEvent
+     * @param {Object} options
+     * @param {string} options.pubkey
+     * @param {string} options.serviceId
+     * @param {string|null} options.standard
+     * @param {string|null} options.minLevel
+     */
+    _buildTrustData(serviceEvent: any, options: {
+        pubkey: string;
+        serviceId: string;
+        standard: string | null;
+        minLevel: string | null;
+    }): Promise<{
+        validAttestations: {
+            pubkey: string;
+            level: any;
+            eventId: string;
+        }[];
+        isRevoked: boolean;
+    }>;
+    /**
+     * @param {any[]} revocations
+     * @returns {Record<string, any[]>}
      */
-    _isLevelSufficient(actual: string | undefined, required: string): boolean;
+    /**
+     * @param {any[]} revocations
+     * @returns {Record<string, any[]>}
+     */
+    _groupValidRevocations(revocations: any[]): Record<string, any[]>;
     /**
      * @param {any} att
-     * @param {any} tags
+     * @param {Record<string, string>} tags
      * @param {any[]} revocations
      */
-    _isAttestationValid(att: any, tags: any, revocations: any[]): boolean;
+    /**
+     * @param {any} att
+     * @param {Record<string, string>} tags
+     * @param {any[]} [revocations]
+     */
+    _evaluateAttestation(att: any, tags: Record<string, string>, revocations?: any[]): {
+        valid: boolean;
+        revoked: boolean;
+    };
+    /**
+     * @param {string | undefined} actual
+     * @param {string} required
+     */
+    _isLevelSufficient(actual: string | undefined, required: string): boolean;
     /**
      * Verifies that the actual fingerprint found during transport-level connection
      * matches the one declared in the signed service record.
      *
-     * @param {ResolvedService} resolved - The object returned by resolve().
+     * @param {ServiceStatus} resolved - The object returned by resolve().
      * @param {string} actualFingerprint - The fingerprint obtained from the service.
      * @returns {boolean}
      */
-    verifyEndpoint(resolved: ResolvedService, actualFingerprint: string): boolean;
+    verifyEndpoint(resolved: ServiceStatus, actualFingerprint: string): boolean;
 }
-export type ResolvedService = {
+export type ServiceStatus = {
     endpoint: string | undefined;
     fingerprint: string | undefined;
     expiry: number;
-    attestations: any[];
+    isRevoked: boolean;
+    attestationCount: number;
+    attestations: Array<{
+        eventId: string;
+        level: string;
+        pubkey: string;
+    }>;
     eventId: string;
     pubkey: string;
+    serviceEvent: any;
+    isPrivate: boolean;
+    privateRecipients: string[];
 };
 import { SimplePool } from 'nostr-tools';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ncc-02-js",
-  "version": "0.3.1",
+  "version": "0.5.0",
   "description": "Nostr-native service discovery and trust implementation (NCC-02)",
   "main": "dist/index.cjs",
   "module": "dist/index.mjs",

package/src/index.js

@@ -1,3 +1,4 @@
 export * from './models.js';
 export * from './resolver.js';
 export * from './mockRelay.js';
+export * from './privacy.js';

package/src/models.js

@@ -1,6 +1,13 @@
 import { finalizeEvent, verifyEvent, getPublicKey } from 'nostr-tools/pure';
 import { hexToBytes } from 'nostr-tools/utils';
 
+/**
+ * @typedef {Object} NostrSigner
+ * @property {() => Promise<string>} getPublicKey
+ * @property {(event: any) => Promise<any>} signEvent
+ * @property {(event: any) => Promise<any>} [decryptEvent]
+ */
+
 /**
  * NCC-02 Nostr Event Kinds
  */
@@ -15,12 +22,78 @@ export const KINDS = {
  */
 export class NCC02Builder {
   /**
-   * @param {string | Uint8Array} privateKey - The private key to sign events with.
+   * @param {string | Uint8Array | NostrSigner} signer - Raw private key or asynchronous signer.
+   */
+  constructor(signer) {
+    if (!signer) throw new Error('Signer or private key is required');
+    this.signer = this._normalizeSigner(signer);
+    this._pubkeyPromise = this.signer.getPublicKey();
+    this._pubkey = undefined;
+  }
+
+  async _getPublicKey() {
+    if (!this._pubkey) {
+      this._pubkey = await this._pubkeyPromise;
+    }
+    return this._pubkey;
+  }
+
+  /**
+   * @param {any} event
+   */
+  async _finalizeEvent(event) {
+    const pubkey = await this._getPublicKey();
+    const eventWithPubkey = { ...event, pubkey };
+    const signed = await this.signer.signEvent(eventWithPubkey);
+    if (!signed || typeof signed.id !== 'string' || typeof signed.sig !== 'string') {
+      throw new Error('Signer must return a signed event with id and sig');
+    }
+    return signed;
+  }
+
+  /**
+   * @param {any} signer
+   * @returns {NostrSigner}
    */
-  constructor(privateKey) {
-    if (!privateKey) throw new Error('Private key is required');
-    this.sk = typeof privateKey === 'string' ? hexToBytes(privateKey) : privateKey;
-    this.pk = getPublicKey(this.sk);
+  _normalizeSigner(signer) {
+    if (typeof signer === 'string' || signer instanceof Uint8Array) {
+      const privateKey = typeof signer === 'string' ? hexToBytes(signer) : signer;
+      const pubkey = getPublicKey(privateKey);
+      return {
+        getPublicKey: async () => pubkey,
+        /** @param {any} event */
+        signEvent: async (event) => {
+          const clonedEvent = {
+            ...event,
+            tags: Array.isArray(event.tags) ? event.tags.map((/** @type {any[]} */ tag) => [...tag]) : []
+          };
+          return finalizeEvent(clonedEvent, privateKey);
+        }
+      };
+    }
+
+    if (typeof signer === 'object' && signer !== null) {
+      if (typeof signer.getPublicKey === 'function' && typeof signer.signEvent === 'function') {
+        return {
+          getPublicKey: async () => {
+            const pubkey = await signer.getPublicKey();
+            if (typeof pubkey !== 'string') throw new Error('Signer.getPublicKey must return a hex string');
+            return pubkey;
+          },
+          /** @param {any} event */
+          signEvent: async (event) => {
+            const signed = await signer.signEvent(event);
+            if (!signed || typeof signed.id !== 'string' || typeof signed.sig !== 'string') {
+              throw new Error('Signer.signEvent must return a signed event');
+            }
+            return signed;
+          },
+          decryptEvent: typeof signer.decryptEvent === 'function' ? signer.decryptEvent.bind(signer) : undefined
+        };
+      }
+    }
+
+    throw new Error('Unsupported signer provided to NCC02Builder');
   }
 
   /**
@@ -30,27 +103,37 @@ export class NCC02Builder {
    * @param {string} [options.endpoint] - The 'u' tag URI.
    * @param {string} [options.fingerprint] - The 'k' tag fingerprint.
    * @param {number} [options.expiryDays=14] - Expiry in days.
+   * @param {boolean} [options.isPrivate=false] - Whether the service is private (adds required `private` tag).
+   * @param {string[]} [options.privateRecipients] - Optional encrypted ciphertexts for authorized recipients.
    */
-  createServiceRecord(options) {
-    const { serviceId, endpoint, fingerprint, expiryDays = 14 } = options;
+  async createServiceRecord(options) {
+    const { serviceId, endpoint, fingerprint, expiryDays = 14, isPrivate = false, privateRecipients } = options;
     if (!serviceId) throw new Error('serviceId (d tag) is required');
+    if (typeof isPrivate !== 'boolean') throw new Error('isPrivate must be a boolean value');
 
     const expiry = Math.floor(Date.now() / 1000) + (expiryDays * 24 * 60 * 60);
     const tags = [
       ['d', serviceId],
       ['exp', expiry.toString()]
     ];
-    if(endpoint) tags.push(['u', endpoint]);
-    if(fingerprint) tags.push(['k', fingerprint]);
+    tags.push(['private', isPrivate ? 'true' : 'false']);
+    if (endpoint) tags.push(['u', endpoint]);
+    if (fingerprint) tags.push(['k', fingerprint]);
+    if (privateRecipients) {
+      if (!Array.isArray(privateRecipients)) throw new Error('privateRecipients must be an array');
+      privateRecipients.forEach((cipher) => {
+        if (typeof cipher !== 'string') throw new Error('privateRecipients entries must be strings');
+        tags.push(['privateRecipients', cipher]);
+      });
+    }
 
     const event = {
       kind: KINDS.SERVICE_RECORD,
       created_at: Math.floor(Date.now() / 1000),
-      tags: tags,
-      content: `NCC-02 Service Record for ${serviceId}`,
-      pubkey: this.pk
+      tags,
+      content: `NCC-02 Service Record for ${serviceId}`
     };
-    return finalizeEvent(event, this.sk);
+    return this._finalizeEvent(event);
   }
 
   /**
@@ -62,7 +145,7 @@ export class NCC02Builder {
    * @param {string} [options.level='verified'] - The 'lvl' tag level.
    * @param {number} [options.validDays=30] - Validity in days.
    */
-  createAttestation(options) {
+  async createAttestation(options) {
     const { subjectPubkey, serviceId, serviceEventId, level = 'verified', validDays = 30 } = options;
     if (!subjectPubkey) throw new Error('subjectPubkey is required');
     if (!serviceId) throw new Error('serviceId is required');
@@ -82,10 +165,9 @@ export class NCC02Builder {
         ['nbf', now.toString()],
         ['exp', expiry.toString()]
       ],
-      content: 'NCC-02 Attestation',
-      pubkey: this.pk
+      content: 'NCC-02 Attestation'
     };
-    return finalizeEvent(event, this.sk);
+    return this._finalizeEvent(event);
   }
 
   /**
@@ -94,7 +176,7 @@ export class NCC02Builder {
    * @param {string} options.attestationId - The 'e' tag referencing the attestation.
    * @param {string} [options.reason=''] - Optional reason.
    */
-  createRevocation(options) {
+  async createRevocation(options) {
     const { attestationId, reason = '' } = options;
     if (!attestationId) throw new Error('attestationId (e tag) is required');
 
@@ -104,11 +186,10 @@ export class NCC02Builder {
     const event = {
       kind: KINDS.REVOCATION,
       created_at: Math.floor(Date.now() / 1000),
-      tags: tags,
-      content: 'NCC-02 Revocation',
-      pubkey: this.pk
+      tags,
+      content: 'NCC-02 Revocation'
     };
-    return finalizeEvent(event, this.sk);
+    return this._finalizeEvent(event);
   }
 }
 
@@ -119,3 +200,17 @@ export class NCC02Builder {
 export function verifyNCC02Event(event) {
   return verifyEvent(event);
 }
+
+/**
+ * Checks whether an NCC event has expired based on its 'exp' tag.
+ * @param {any} event
+ * @returns {boolean}
+ */
+export function isExpired(event) {
+  if (!event || !Array.isArray(event.tags)) return false;
+  const expTag = event.tags.find((/** @type {any[]} */ tag) => tag[0] === 'exp');
+  if (!expTag) return false;
+  const expiry = parseInt(expTag[1], 10);
+  if (Number.isNaN(expiry)) return false;
+  return expiry <= Math.floor(Date.now() / 1000);
+}

package/src/privacy.js

@@ -0,0 +1,217 @@
+import { nip19, nip44 } from 'nostr-tools';
+import { hexToBytes } from 'nostr-tools/utils';
+import { getPublicKey } from 'nostr-tools/pure';
+
+const PRIVATE_TAG = 'private';
+const PRIVATE_RECIPIENTS_TAG = 'privateRecipients';
+const HEX_REGEX = /^[0-9a-f]{64}$/i;
+
+/**
+ * @typedef {Object} NipSigner
+ * @property {(thirdPartyPubkey: string, plaintext: string) => Promise<string> | string} [nip44Encrypt]
+ * @property {(ownerPubkey: string, ciphertext: string) => Promise<string> | string} [nip44Decrypt]
+ * @property {{encrypt: (thirdPartyPubkey: string, plaintext: string) => Promise<string> | string, decrypt: (ownerPubkey: string, ciphertext: string) => Promise<string> | string}} [nip04]
+ * @property {() => Promise<string> | string} [getPublicKey]
+ */
+
+/**
+ * Normalize a pubkey string (hex or npub) into a lowercase hex string.
+ * @param {string} value
+ * @returns {string}
+ */
+function normalizeHexPubkey(value) {
+  if (typeof value !== 'string') {
+    throw new Error('Pubkey must be a string');
+  }
+  const lower = value.toLowerCase();
+  if (HEX_REGEX.test(lower)) {
+    return lower;
+  }
+  try {
+    const decoded = nip19.decode(value);
+    if (decoded.type === 'npub' && typeof decoded.data === 'string') {
+      return decoded.data.toLowerCase();
+    }
+  } catch {
+    /** fall through */
+  }
+  throw new Error('Unsupported pubkey format');
+}
+
+/**
+ * Convert a lowercase hex pubkey into a canonical npub value.
+ * @param {string} hexPubkey
+ * @returns {string}
+ */
+function toNpub(hexPubkey) {
+  return nip19.npubEncode(hexPubkey);
+}
+
+/**
+ * Ensure we work with Uint8Array private keys for NIP-44 helpers.
+ * @param {string|Uint8Array} key
+ * @returns {Uint8Array}
+ */
+function toUint8ArrayKey(key) {
+  if (typeof key === 'string') {
+    return hexToBytes(key);
+  }
+  if (key instanceof Uint8Array) {
+    return key;
+  }
+  throw new Error('Private key must be a hex string or Uint8Array');
+}
+
+/**
+ * @param {string | Uint8Array | NipSigner} owner
+ * @returns {(recipientHex: string, plaintext: string) => Promise<string>}
+ */
+function createNip44Encryptor(owner) {
+  if (typeof owner === 'string' || owner instanceof Uint8Array) {
+    const ownerKeyBytes = toUint8ArrayKey(owner);
+    return async (recipientHex, plaintext) => {
+      const conversationKey = nip44.getConversationKey(ownerKeyBytes, recipientHex);
+      return nip44.encrypt(plaintext, conversationKey);
+    };
+  }
+
+  if (owner && typeof owner === 'object') {
+    if (typeof owner.nip44Encrypt === 'function') {
+      const encryptFn = owner.nip44Encrypt.bind(owner);
+      return (recipientHex, plaintext) => Promise.resolve(encryptFn(recipientHex, plaintext));
+    }
+    if (owner.nip04 && typeof owner.nip04.encrypt === 'function') {
+      const encryptFn = owner.nip04.encrypt.bind(owner.nip04);
+      return (recipientHex, plaintext) => Promise.resolve(encryptFn(recipientHex, plaintext));
+    }
+  }
+
+  throw new Error('Unsupported owner signer; must be private key or NIP-44/NIP-04 capable signer');
+}
+
+/**
+ * @param {string | Uint8Array | NipSigner} recipient
+ * @returns {(ownerHex: string, ciphertext: string) => Promise<string>}
+ */
+function createNip44Decryptor(recipient) {
+  if (typeof recipient === 'string' || recipient instanceof Uint8Array) {
+    const recipientKeyBytes = toUint8ArrayKey(recipient);
+    return async (ownerHex, ciphertext) => {
+      const conversationKey = nip44.getConversationKey(recipientKeyBytes, ownerHex);
+      return nip44.decrypt(ciphertext, conversationKey);
+    };
+  }
+
+  if (recipient && typeof recipient === 'object') {
+    if (typeof recipient.nip44Decrypt === 'function') {
+      const decryptFn = recipient.nip44Decrypt.bind(recipient);
+      return (ownerHex, ciphertext) => Promise.resolve(decryptFn(ownerHex, ciphertext));
+    }
+    if (recipient.nip04 && typeof recipient.nip04.decrypt === 'function') {
+      const decryptFn = recipient.nip04.decrypt.bind(recipient.nip04);
+      return (ownerHex, ciphertext) => Promise.resolve(decryptFn(ownerHex, ciphertext));
+    }
+  }
+
+  throw new Error('Unsupported recipient signer; must be private key or NIP-44/NIP-04 capable signer');
+}
+
+/**
+ * Resolve a pubkey for either a raw key or a signer object.
+ * @param {string | Uint8Array | NipSigner} recipient
+ * @returns {Promise<string>}
+ */
+async function resolveRecipientPubkey(recipient) {
+  if (typeof recipient === 'string' || recipient instanceof Uint8Array) {
+    return normalizeHexPubkey(getPublicKey(toUint8ArrayKey(recipient)));
+  }
+  if (recipient && typeof recipient.getPublicKey === 'function') {
+    const pubkey = await recipient.getPublicKey();
+    return normalizeHexPubkey(pubkey);
+  }
+  throw new Error('Recipient must provide a private key or a NIP signer with getPublicKey()');
+}
+
+/**
+ * Parse the required `private` tag from an event.
+ * @param {any[]} tags
+ * @returns {boolean | null}
+ */
+export function parsePrivateFlag(tags) {
+  if (!Array.isArray(tags)) return null;
+  const tag = tags.find((t) => Array.isArray(t) && t[0] === PRIVATE_TAG);
+  if (!tag || typeof tag[1] !== 'string') return null;
+  const normalized = tag[1].toLowerCase();
+  if (normalized === 'true') return true;
+  if (normalized === 'false') return false;
+  return null;
+}
+
+/**
+ * Extract all `privateRecipients` ciphertext values from an event.
+ * @param {any[]} tags
+ * @returns {string[]}
+ */
+export function collectPrivateRecipients(tags) {
+  if (!Array.isArray(tags)) return [];
+  return tags
+    .filter((t) => Array.isArray(t) && t[0] === PRIVATE_RECIPIENTS_TAG && typeof t[1] === 'string')
+    .map((t) => t[1]);
+}
+
+/**
+ * Encrypt a list of recipient pubkeys so they can be published in a service record.
+ * @param {string | Uint8Array | NipSigner} ownerPrivateKey
+ * @param {string[]} recipients
+ * @returns {Promise<string[]>}
+ */
+export async function encryptPrivateRecipients(ownerPrivateKey, recipients) {
+  if (!Array.isArray(recipients)) {
+    throw new Error('recipients must be an array of pubkeys');
+  }
+  const encryptor = createNip44Encryptor(ownerPrivateKey);
+  const encrypted = [];
+  for (const recipient of recipients) {
+    const recipientHex = normalizeHexPubkey(recipient);
+    const recipientNpub = toNpub(recipientHex);
+    encrypted.push(await encryptor(recipientHex, recipientNpub));
+  }
+  return encrypted;
+}
+
+/**
+ * Decrypt a single private recipient ciphertext.
+ * @param {string} ciphertext
+ * @param {string} ownerPubkey
+ * @param {string | Uint8Array | NipSigner} recipientPrivateKey
+ * @returns {Promise<string>}
+ */
+export async function decryptPrivateRecipient(ciphertext, ownerPubkey, recipientPrivateKey) {
+  const ownerHex = normalizeHexPubkey(ownerPubkey);
+  const decryptor = createNip44Decryptor(recipientPrivateKey);
+  return decryptor(ownerHex, ciphertext);
+}
+
+/**
+ * Check whether the provided private key matches one of the encrypted recipients.
+ * @param {string[]} privateRecipients
+ * @param {string} ownerPubkey
+ * @param {string | Uint8Array | NipSigner} recipientPrivateKey
+ * @returns {Promise<boolean>}
+ */
+export async function isPrivateRecipientAuthorized(privateRecipients, ownerPubkey, recipientPrivateKey) {
+  if (!Array.isArray(privateRecipients) || privateRecipients.length === 0) return false;
+  const ownerHex = normalizeHexPubkey(ownerPubkey);
+  const recipientPubkey = await resolveRecipientPubkey(recipientPrivateKey);
+  const expectedNpub = toNpub(normalizeHexPubkey(recipientPubkey));
+  const decryptor = createNip44Decryptor(recipientPrivateKey);
+  for (const ciphertext of privateRecipients) {
+    try {
+      const decrypted = await decryptor(ownerHex, ciphertext);
+      if (decrypted === expectedNpub) return true;
+    } catch {
+      // ignore decrypt errors, ciphertext might not target this recipient
+    }
+  }
+  return false;
+}