chore: sync upstream main into vanish optimization branch

Resolve worker factory merge conflict by keeping vanish-aware UserRepository wiring and upstream NIP-05 repository wiring so vanish and gift-wrap flows remain compatible.

Made-with: Cursor

Author: vikashsiwach

CONFIGURATION.md

@@ -119,4 +119,10 @@ Running `nostream` for the first time creates the settings file in `<project_roo
 | limits.message.ipWhitelist                  | List of IPs (IPv4 or IPv6) to ignore rate limits. |
 | limits.admissionCheck.rateLimits[].period          | Rate limit period in milliseconds. |
 | limits.admissionCheck.rateLimits[].rate            | Maximum number of admission checks during period. |
-| limits.admissionCheck.ipWhitelist                  | List of IPs (IPv4 or IPv6) to ignore rate limits. |
+| limits.admissionCheck.ipWhitelist                  | List of IPs (IPv4 or IPv6) to ignore rate limits. |
+| nip05.mode                                  | NIP-05 verification mode: `enabled` requires verification, `passive` verifies without blocking, `disabled` does nothing. Defaults to `disabled`. |
+| nip05.verifyExpiration                      | Time in milliseconds before a successful NIP-05 verification expires and needs re-checking. Defaults to 604800000 (1 week). |
+| nip05.verifyUpdateFrequency                 | Minimum interval in milliseconds between re-verification attempts for a given author. Defaults to 86400000 (24 hours). |
+| nip05.maxConsecutiveFailures                | Number of consecutive verification failures before giving up on an author. Defaults to 20. |
+| nip05.domainWhitelist                       | List of domains allowed for NIP-05 verification. If set, only authors verified at these domains can publish. |
+| nip05.domainBlacklist                       | List of domains blocked from NIP-05 verification. Authors with NIP-05 at these domains will be rejected. |

migrations/20260409_120000_create_nip05_verifications_table.js

@@ -0,0 +1,21 @@
+exports.up = function (knex) {
+  return knex.schema.createTable('nip05_verifications', function (table) {
+    table.binary('pubkey').notNullable().primary()
+    table.text('nip05').notNullable()
+    table.text('domain').notNullable()
+    table.boolean('is_verified').notNullable().defaultTo(false)
+    table.timestamp('last_verified_at', { useTz: true }).nullable()
+    table.timestamp('last_checked_at', { useTz: true }).notNullable().defaultTo(knex.fn.now())
+    table.integer('failure_count').notNullable().defaultTo(0)
+    table.timestamp('created_at', { useTz: true }).notNullable().defaultTo(knex.fn.now())
+    table.timestamp('updated_at', { useTz: true }).notNullable().defaultTo(knex.fn.now())
+
+    table.index(['domain'], 'idx_nip05_verifications_domain')
+    table.index(['is_verified'], 'idx_nip05_verifications_is_verified')
+    table.index(['last_checked_at'], 'idx_nip05_verifications_last_checked_at')
+  })
+}
+
+exports.down = function (knex) {
+  return knex.schema.dropTable('nip05_verifications')
+}

package-lock.json

@@ -31,8 +31,8 @@
     "prestart": "npm run build",
     "start": "cd dist && node src/index.js",
     "build:check": "npm run build -- --noEmit",
-    "lint": "ESLINT_USE_FLAT_CONFIG=false eslint --ext .ts ./src ./test",
-    "lint:report": "ESLINT_USE_FLAT_CONFIG=false eslint -o .lint-reports/eslint.json -f json --ext .ts ./src ./test",
+    "lint": "cross-env ESLINT_USE_FLAT_CONFIG=false eslint --ext .ts ./src ./test",
+    "lint:report": "cross-env ESLINT_USE_FLAT_CONFIG=false eslint -o .lint-reports/eslint.json -f json --ext .ts ./src ./test",
     "lint:fix": "npm run lint -- --fix",
     "knip": "knip --config .knip.json --production --no-progress --reporter compact",
     "check:all": "npm run lint && npm run knip",
@@ -81,6 +81,8 @@
     "@commitlint/config-conventional": "17.2.0",
     "@cucumber/cucumber": "10.2.1",
     "@cucumber/pretty-formatter": "1.0.0",
+    "@eslint/eslintrc": "^3.3.1",
+    "@eslint/js": "^9.39.1",
     "@semantic-release/commit-analyzer": "9.0.2",
     "@semantic-release/git": "10.0.1",
     "@semantic-release/github": "8.1.0",
@@ -98,13 +100,12 @@
     "@types/sinon": "^10.0.11",
     "@types/sinon-chai": "^3.2.8",
     "@types/ws": "^8.5.12",
-    "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.39.1",
     "@typescript-eslint/eslint-plugin": "^8.58.1",
     "@typescript-eslint/parser": "^8.58.1",
     "chai": "^4.3.6",
     "chai-as-promised": "^7.1.1",
     "conventional-changelog-conventionalcommits": "5.0.0",
+    "cross-env": "^10.1.0",
     "cz-conventional-changelog": "3.3.0",
     "eslint": "^9.39.4",
     "husky": "8.0.2",
@@ -126,11 +127,11 @@
   },
   "dependencies": {
     "@noble/secp256k1": "1.7.1",
+    "accepts": "^1.3.8",
     "axios": "^1.15.0",
     "bech32": "2.0.0",
     "debug": "4.3.4",
     "dotenv": "16.0.3",
-    "accepts": "^1.3.8",
     "express": "4.22.1",
     "helmet": "6.0.1",
     "js-yaml": "4.1.1",

package.json

@@ -35,6 +35,24 @@ paymentsProcessors:
   opennode:
     baseURL: api.opennode.com
     callbackBaseURL: https://nostream.your-domain.com/callbacks/opennode
+nip05:
+  # NIP-05 verification of event authors as a spam reduction measure.
+  # mode: 'enabled' requires NIP-05 for publishing (except kind 0),
+  #        'passive' verifies but never blocks, 'disabled' does nothing.
+  mode: disabled
+  # How long (ms) a successful verification remains valid before re-check.
+  # Matches nostr-rs-relay default of 1 week.
+  verifyExpiration: 604800000
+  # Minimum interval (ms) between re-verification attempts for a given author.
+  # Matches nostr-rs-relay default of 24 hours.
+  verifyUpdateFrequency: 86400000
+  # How many consecutive failed checks before giving up on verifying an author.
+  # Matches nostr-rs-relay default of 20.
+  maxConsecutiveFailures: 20
+  # Only allow authors with NIP-05 at these domains (empty = allow all)
+  domainWhitelist: []
+  # Block authors with NIP-05 at these domains
+  domainBlacklist: []
 network:
   maxPayloadSize: 524288
   # Comment the next line if using CloudFlare proxy

resources/default-settings.yaml

@@ -0,0 +1,25 @@
+import { Pubkey } from './base'
+
+export interface Nip05Verification {
+  pubkey: Pubkey
+  nip05: string
+  domain: string
+  isVerified: boolean
+  lastVerifiedAt: Date | null
+  lastCheckedAt: Date
+  failureCount: number
+  createdAt: Date
+  updatedAt: Date
+}
+
+export interface DBNip05Verification {
+  pubkey: Buffer
+  nip05: string
+  domain: string
+  is_verified: boolean
+  last_verified_at: Date | null
+  last_checked_at: Date
+  failure_count: number
+  created_at: Date
+  updated_at: Date
+}

src/@types/nip05.ts

@@ -5,6 +5,7 @@ import { DBEvent, Event } from './event'
 import { EventKinds } from '../constants/base'
 import { EventKindsRange } from './settings'
 import { Invoice } from './invoice'
+import { Nip05Verification } from './nip05'
 import { SubscriptionFilter } from './subscription'
 import { User } from './user'
 
@@ -66,3 +67,14 @@ export interface IUserRepository {
   setVanished(pubkey: Pubkey, vanished: boolean, client?: DatabaseClient): Promise<number>
   admitUser(pubkey: Pubkey, admittedAt: Date, client?: DatabaseClient): Promise<void>
 }
+
+export interface INip05VerificationRepository {
+  findByPubkey(pubkey: Pubkey): Promise<Nip05Verification | undefined>
+  upsert(verification: Nip05Verification): Promise<number>
+  findPendingVerifications(
+    updateFrequencyMs: number,
+    maxFailures: number,
+    limit: number,
+  ): Promise<Nip05Verification[]>
+  deleteByPubkey(pubkey: Pubkey): Promise<number>
+}