mleku
ea4a54c5e7
Add Cashu blind signature access tokens (NIP-XX draft)

Implements privacy-preserving bearer tokens for relay access control using
Cashu-style blind signatures. Tokens prove whitelist membership without
linking issuance to usage.

Features:
- BDHKE crypto primitives (HashToCurve, Blind, Sign, Unblind, Verify)
- Keyset management with weekly rotation
- Token format with kind permissions and scope isolation
- Generic issuer/verifier with pluggable authorization
- HTTP endpoints: POST /cashu/mint, GET /cashu/keysets, GET /cashu/info
- ACL adapter bridging ORLY's access control to Cashu AuthzChecker
- Stateless revocation via ACL re-check on each token use
- Two-token rotation for seamless renewal (max 2 weeks after blacklist)

Configuration:
- ORLY_CASHU_ENABLED: Enable Cashu tokens
- ORLY_CASHU_TOKEN_TTL: Token validity (default: 1 week)
- ORLY_CASHU_SCOPES: Allowed scopes (relay, nip46, blossom, api)
- ORLY_CASHU_REAUTHORIZE: Re-check ACL on each verification

Files:
- pkg/cashu/bdhke/: Core blind signature cryptography
- pkg/cashu/keyset/: Keyset management and rotation
- pkg/cashu/token/: Token format with kind permissions
- pkg/cashu/issuer/: Token issuance with authorization
- pkg/cashu/verifier/: Token verification with middleware
- pkg/interfaces/cashu/: AuthzChecker, KeysetStore interfaces
- pkg/bunker/acl_adapter.go: ORLY ACL integration
- app/handle-cashu.go: HTTP endpoints
- docs/NIP-XX-CASHU-ACCESS-TOKENS.md: Full specification

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2 weeks ago

| .aiassistant/rules | Refactor export functionality in App.svelte to support both GET and POST methods for event exports, enhancing flexibility in user permissions. Update server-side handling to accommodate pubkey filtering and improve response handling for file downloads. Adjust UI components to reflect these changes, ensuring a seamless user experience. | 3 months ago |
| .claude | Add git.mleku.dev remote push to release process (v0.40.1) | 2 weeks ago |
| .gitea | Use Gitea API directly for release creation (v0.36.14) | 3 weeks ago |
| .github/workflows | Add issue templates, CI workflows, and decentralization plan | 4 weeks ago |
| .plan | initial draft of hot reload policy | 2 months ago |
| app | Add Cashu blind signature access tokens (NIP-XX draft) | 2 weeks ago |
| cmd | Add nurl and vainstr CLI tools (v0.39.0) | 2 weeks ago |
| contrib/stella | Add serve mode, fix binary tags, document CLI tools, improve Docker | 2 months ago |
| docs | Add Cashu blind signature access tokens (NIP-XX draft) | 2 weeks ago |
| pkg | Add Cashu blind signature access tokens (NIP-XX draft) | 2 weeks ago |
| relay-tester | Refactor for interface clarity and dependency isolation. | 1 month ago |
| scripts | Add Neo4j integration tests and query rate-limiting logic | 1 month ago |
| .dockerignore | Add serve mode, fix binary tags, document CLI tools, improve Docker | 2 months ago |
| .gitignore | Decompose handle-event.go into DDD domain services (v0.36.15) | 3 weeks ago |
| BUG_REPORTS_AND_FEATURE_REQUEST_PROTOCOL.md | Add ORLY_POLICY_PATH for custom policy file location | 4 weeks ago |
| CLAUDE.md | Add nurl and vainstr CLI tools (v0.39.0) | 2 weeks ago |
| CONTRIBUTING.md | Add issue templates, CI workflows, and decentralization plan | 4 weeks ago |
| DDD_ANALYSIS.md | Decompose handle-event.go into DDD domain services (v0.36.15) | 3 weeks ago |
| Dockerfile | Add serve mode, fix binary tags, document CLI tools, improve Docker | 2 months ago |
| Dockerfile.relay-tester | Add serve mode, fix binary tags, document CLI tools, improve Docker | 2 months ago |
| INDEX.md | Add comprehensive documentation for CLAUDE and Nostr WebSocket skills | 2 months ago |
| LICENSE | Add initial project structure with README, LICENSE, and .gitignore config | 5 months ago |
| README.md | Add git.mleku.dev remote push to release process (v0.40.1) | 2 weeks ago |
| conversation.md | fix policy to ignore all req/events without auth | 2 months ago |
| docker-compose.yml | Interim release: documentation updates and rate limiting improvements | 1 month ago |
| enable-policy.sh | fix silent fail of loading policy with panic, and bogus fallback logic | 2 months ago |
| go.mod | Add WireGuard VPN with random /31 subnet isolation (v0.40.0) | 2 weeks ago |
| go.sum | Add WireGuard VPN with random /31 subnet isolation (v0.40.0) | 2 weeks ago |
| libsecp256k1.so | fully test and verify policy script functionality | 2 months ago |
| main.go | Interim release: documentation updates and rate limiting improvements | 1 month ago |
| policyfixes.md | fix policy to ignore all req/events without auth | 2 months ago |