feat: materialize agent_owner_pubkey on NIP-OA auth#491
Merged
Conversation
… DB backfill) When an agent authenticates via NIP-OA, the relay now: 1. Stashes the verified owner on AuthContext.agent_owner_pubkey (session-scoped) - Only set if DB confirms the relationship (first-write-wins) - Observer frames use this as a fast path (skip DB/cache lookup) 2. Idempotently backfills users.agent_owner_pubkey in the DB - Creates user rows if needed (ensure_user for both agent and owner) - Uses existing set_agent_owner (WHERE agent_owner_pubkey IS NULL) - First-write-wins: if already owned by someone else, verifies match - Pre-warms observer_owner_cache on successful backfill This enables cross-connection features (observer frames, channel policy) to work for BYO agents that were never provisioned through the desktop. Security properties: - Does NOT add agent to relay_members (NIP-OA still required every connect) - Session fast-path only activates if DB confirms the owner relationship - Conflicting owner (agent already owned by someone else) is handled safely - Backfill failure is non-fatal (auth succeeds, just no fast-path/backfill) Changes: - sprout-auth: AuthContext gains agent_owner_pubkey field - api/mod.rs: enforce_relay_membership returns Option<PublicKey> - handlers/auth.rs: captures owner, backfills DB, stashes on context - handlers/event.rs: observer frame fast-path from AuthContext
5a32918 to
50942e7
Compare
This was referenced May 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #490. When an agent authenticates via NIP-OA, the relay now materializes the agent→owner relationship so cross-connection features (observer frames, channel add/remove policy) work for BYO agents.
What it does
Session-scoped fast path —
AuthContext.agent_owner_pubkeyis set on successful NIP-OA auth, enabling zero-DB-lookup observer frame authorization for the current connection.Idempotent DB backfill — On first NIP-OA auth, writes
users.agent_owner_pubkeyso cross-connection features (owner managing agent from a separate session) work without desktop provisioning.Safety properties
agent_owner_pubkeyis notrelay_members. Agent still needs valid NIP-OA every connection.set_agent_ownerusesWHERE agent_owner_pubkey IS NULL. If already owned by someone else, session fast-path only activates afteris_agent_ownerDB confirmation.observer_owner_cacheon successful backfill.ensure_usercalled for both agent and owner beforeset_agent_owner.ensure_user(owner)handles this.set_agent_owneris a no-op (column already set). Zero behavioral change.Changes
sprout-auth/lib.rs:AuthContextgainsagent_owner_pubkey: Option<PublicKey>sprout-relay/api/mod.rs:enforce_relay_membershipreturnsOption<PublicKey>(owner on NIP-OA success)sprout-relay/handlers/auth.rs: captures owner, validates against DB, backfills, stashes on contextsprout-relay/handlers/event.rs: observer frame fast-path fromAuthContextTesting
cargo build --workspace✅cargo clippy --workspace --all-targets -- -D warnings✅cargo test -p sprout-relay -p sprout-auth✅agent_owner_pubkeycorrectly backfilled in DB