Context
The branch nip55-relay-auth (commits bab99f3, 9a302fe, ea386f0) adds the building blocks for a NIP-42 relay-auth whitelist gate in keep-mobile/src/nip55.rs:
- nip55_normalize_relay_host — canonicalizes a relay URL to host[:port] (ASCII-only; scheme, port and trailing dot normalized).
- nip55_extract_relay_host — pulls the relay host from a kind-22242 auth event (fails closed on missing/ambiguous tags).
- nip55_relay_auth_gate — returns AutoAccept / AutoReject / Defer based on a normalized whitelist.
These are UniFFI-exported but currently have no callers in keep-mobile or keep-android. handle_sign_event does no relay-auth gating, so the feature protects nothing as shipped.
Work to do
- Wire the gate into the signing path. Have the native (Kotlin) layer call nip55_extract_relay_host + nip55_relay_auth_gate before signing a kind-22242 event, and map the outcomes correctly:
  - AutoAccept → sign without prompting
  - AutoReject → reject (a true reject, not a prompt)
  - Defer → fall through to the normal grant-resolution / prompt path
- Verify kind == 22242 in the gated path. nip55_extract_relay_host already enforces this, but the caller must only route genuine relay-auth events through the gate, so that a non-auth event carrying a relay tag can't reach the auto-accept path.
- Normalize whitelist entries on write. nip55_relay_auth_gate expects pre-normalized whitelist entries (via nip55_normalize_relay_host). If the storage layer persists raw wss://... strings, nothing matches and the gate silently fails closed. Normalize entries when they are saved.
Notes / intent to confirm
- Normalization is currently scheme-agnostic: ws://host:80 and wss://host:443 canonicalize to the same host. If the gate is intended to be wss-only, this needs revisiting.
- Existing unit tests cover normalization and fail-closed extraction; add integration coverage once the native wiring lands.
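As an added, stand-alone illustration of the three pieces and the wiring described above (not keep-mobile's code: the names, the Event type, the scheme-agnostic 80/443 handling and the outcome mapping for unextractable hosts are assumptions), the sketch below normalizes whitelist entries on write, extracts the relay host only from kind-22242 events with exactly one relay tag, and gates on the normalized list:

```rust
#[derive(Debug, PartialEq)]
pub enum Gate { AutoAccept, AutoReject, Defer }
pub struct Event { pub kind: u32, pub tags: Vec<Vec<String>> }

/// Canonicalize a relay URL to `host[:port]`: strip scheme, userinfo and path,
/// lowercase, drop a trailing dot and the default ports 80/443 (scheme-agnostic,
/// as noted above). Empty or non-ASCII hosts fail closed with `None`.
pub fn normalize_relay_host(url: &str) -> Option<String> {
    let rest = url.trim().split_once("://").map_or(url.trim(), |(_, r)| r);
    let auth = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?.rsplit('@').next()?;
    if auth.is_empty() || !auth.is_ascii() { return None; }
    let (host, port) = match auth.rsplit_once(':') {
        Some((h, p)) if !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()) => (h, Some(p)),
        _ => (auth, None),
    };
    let host = host.to_ascii_lowercase().trim_end_matches('.').to_string();
    if host.is_empty() { return None; }
    Some(match port { Some("80") | Some("443") | None => host, Some(p) => format!("{host}:{p}") })
}

/// Relay host of a kind-22242 auth event: exactly one `relay` tag is required;
/// a wrong kind, or a missing/duplicated tag, fails closed.
pub fn extract_relay_host(ev: &Event) -> Option<String> {
    if ev.kind != 22242 { return None; }
    let mut relays = ev.tags.iter().filter(|t| t.first().map(String::as_str) == Some("relay"));
    match (relays.next(), relays.next()) {
        (Some(t), None) => normalize_relay_host(t.get(1).map_or("", String::as_str)),
        _ => None,
    }
}

/// Normalize on write so stored entries match what extraction produces.
pub fn whitelist_add(list: &mut Vec<String>, url: &str) -> bool {
    match normalize_relay_host(url) {
        Some(h) => { if !list.contains(&h) { list.push(h); } true }
        None => false,
    }
}

/// Caller-side gate (assumed mapping): non-22242 events are not relay auth and
/// Defer to the normal prompt path; an auth event with no extractable host is
/// AutoRejected; a whitelisted host is AutoAccepted; any other host Defers.
pub fn relay_auth_gate(ev: &Event, whitelist: &[String]) -> Gate {
    if ev.kind != 22242 { return Gate::Defer; }
    match extract_relay_host(ev) {
        None => Gate::AutoReject,
        Some(h) if whitelist.iter().any(|w| *w == h) => Gate::AutoAccept,
        Some(_) => Gate::Defer,
    }
}
```

A kind-1 event carrying a relay tag never reaches the accept path, and a raw `wss://Host./` entry stored through `whitelist_add` still matches the host extracted from `wss://host:443`.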