fix(nostr): enforce inbound dm policy before decrypt

Peter Steinberger
2026-03-22 09:36:07 -07:00
parent a94ec3b79b
commit 1ee9611079
9 changed files with 748 additions and 28 deletions

@@ -130,6 +130,12 @@ Notes:
- **open**: public inbound DMs (requires `allowFrom: ["*"]`).
- **disabled**: ignore inbound DMs.
Enforcement notes:
- Sender policy is checked before signature verification and NIP-04 decryption.
- Pairing replies are sent without processing the original DM body.
- Inbound DMs are rate-limited and oversized payloads are dropped before decrypt.
### Allowlist example
```json5
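Review bot: The first Enforcement bullet puts the sender policy check ahead of signature verification, so the policy decision is made on a pubkey that has not been authenticated yet. The notes should state explicitly that signature verification still runs for senders who pass policy, before the DM body is acted on, so readers do not take an allowlist match alone as proof of origin. The second bullet has the same gap: say whether pairing replies are sent before or after the signature is verified and whether they count against the rate limit in the third bullet, since a reply triggered by an unverified event could go to a pubkey that never sent anything. The third bullet would also be more useful with the actual rate limit and size threshold, or the config keys that control them.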
@@ -234,6 +240,7 @@ docker run -p 7777:7777 ghcr.io/hoytech/strfry
- Never commit private keys.
- Use environment variables for keys.
- Consider `allowlist` for production bots.
- Pairing and allowlist policy is enforced before decrypt, so unknown senders cannot force full crypto work.
## Limitations (MVP)
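Review bot: "unknown senders cannot force full crypto work" in the added Security bullet claims more than the Enforcement notes support. Under the `open` policy, which requires `allowFrom: ["*"]`, every sender passes the policy check, so only the rate limit and the oversized-payload drop bound the work there. Suggest scoping the sentence to the pairing and allowlist policies it names, and replacing "full crypto work" with the two operations the Enforcement notes list, signature verification and NIP-04 decryption. The bullet is also a statement of behaviour in a list of operator instructions ("Never commit", "Use", "Consider"), so it may read better under the Enforcement notes with a short pointer from here.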

@@ -36,7 +36,7 @@ openclaw pairing list telegram
openclaw pairing approve telegram <CODE>
```
Supported channels: `telegram`, `whatsapp`, `signal`, `imessage`, `discord`, `slack`, `feishu`.
Supported channels: `telegram`, `whatsapp`, `signal`, `imessage`, `discord`, `slack`, `feishu`, `nostr`.
### Where the state lives
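Review bot: Missing cross-reference on the updated "Supported channels" line: `nostr` is added to the list, but the surrounding pairing text only shows `telegram` commands and gives no hint that Nostr pairing behaves as described in the Nostr channel doc's Enforcement notes (pairing replies are sent without processing the original DM body, and inbound DMs are rate-limited). A one-line pointer to that section would tell operators where the Nostr-specific behaviour is documented before they run `openclaw pairing approve` for this channel.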