NIP-07
======

`window.nostr` capability for web browsers
------------------------------------------

`draft` `optional`

The `window.nostr` object may be made available by web browsers or extensions, and websites or web-apps may make use of it after checking its availability.

That object must define the following methods:

```
async window.nostr.getPublicKey(): string // returns a public key as hex
async window.nostr.signEvent(event: { created_at: number, kind: number, tags: string[][], content: string }): Event // takes an event object, adds `id`, `pubkey` and `sig` and returns it
```

Aside from the two basic methods above, the following functions can also be implemented optionally:

```
async window.nostr.nip04.encrypt(pubkey, plaintext): string // returns ciphertext and iv as specified in nip-04 (deprecated)
async window.nostr.nip04.decrypt(pubkey, ciphertext): string // takes ciphertext and iv as specified in nip-04 (deprecated)
async window.nostr.nip44.encrypt(pubkey, plaintext): string // returns ciphertext as specified in nip-44
async window.nostr.nip44.decrypt(pubkey, ciphertext): string // takes ciphertext as specified in nip-44
```

### Recommendation to Extension Authors

To make sure that `window.nostr` is available to nostr clients on page load, authors of Chromium and Firefox extensions should load their scripts by specifying `"run_at": "document_end"` in the extension's manifest.

### Implementation

See https://github.com/aljazceru/awesome-nostr#nip-07-browser-extensions.

## GitRepublic Usage

NIP-07 is the primary authentication method for GitRepublic. All user interactions that require signing events use the NIP-07 browser extension interface.

### Authentication Flow

1. **Availability Check**: GitRepublic checks for `window.nostr` availability on page load
2. **Public Key Retrieval**: When users need to authenticate, `getPublicKey()` is called to get their pubkey
3. **Event Signing**: All repository announcements, PRs, issues, and other events are signed using `signEvent()`

### Key Features

- **Repository Creation**: Users sign repository announcement events (kind 30617) using NIP-07
- **Repository Updates**: Settings changes, maintainer additions, and other updates are signed via NIP-07
- **Pull Requests**: PR creation and updates are signed by the PR author
- **Issues**: Issue creation and comments are signed by the author
- **Commit Signatures**: Git commits can be signed using NIP-07 (client-side only, keys never leave browser)

### Security

- Keys never leave the browser - all signing happens client-side
- No server-side key storage required
- Users maintain full control of their private keys

**Implementation**: `src/lib/services/nostr/nip07-signer.ts`
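
The authentication flow above (availability check, `getPublicKey()`, `signEvent()`), written as an added example that is not GitRepublic's or the NIP's own code: it treats the signer's output as untrusted and checks it before the event is published. The names `signAndCheck`, `nip01Id` and `sha256Hex` are hypothetical, and the event id rule is taken from NIP-01, which this page does not restate.

```javascript
// Added example (not GitRepublic code). `provider` is window.nostr in a browser.
const HEX64 = /^[0-9a-f]{64}$/;

async function sha256Hex(text) {
  // Web Crypto is global in browsers and recent Node; fall back to node:crypto otherwise.
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Event id as defined in NIP-01 (assumption: that rule is not stated on this page).
function nip01Id(ev) {
  return sha256Hex(JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]));
}

async function signAndCheck(provider, template) {
  // Step 1: availability check, including both mandatory methods.
  if (typeof provider?.getPublicKey !== 'function' || typeof provider?.signEvent !== 'function') {
    throw new Error('no NIP-07 provider');
  }
  // Step 2: public key retrieval.
  const pubkey = await provider.getPublicKey();
  if (!HEX64.test(pubkey)) throw new Error('pubkey is not 32-byte lowercase hex');

  // Step 3: signing. Hand the signer a copy so it cannot alter our reference.
  const signed = await provider.signEvent(JSON.parse(JSON.stringify(template)));
  if (!signed || typeof signed !== 'object') throw new Error('signer returned no event');

  if (signed.pubkey !== pubkey) throw new Error('event pubkey differs from getPublicKey()');
  for (const field of ['created_at', 'kind', 'tags', 'content']) {
    if (JSON.stringify(signed[field]) !== JSON.stringify(template[field])) {
      throw new Error(`signer changed "${field}"`);
    }
  }
  if (signed.id !== (await nip01Id(signed))) throw new Error('id does not match event contents');
  // Format check only: verifying the Schnorr signature needs a secp256k1 library.
  if (!/^[0-9a-f]{128}$/.test(signed.sig)) throw new Error('sig is not 64-byte lowercase hex');
  return signed;
}
```

In a page, call it as `signAndCheck(window.nostr, template)`; a relay or server receiving the event must still verify `sig` itself.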