Merge branch 'master' into live

Merge pull request 'Upgrade strfry/deno, port strfry policies to @nostrify/policies' (#214 ) from chore/upgrade_strfry_deno into master
Reviewed-on: #214
2025-04-18 14:54:01 +04:00 · 2025-04-18 10:51:35 +00:00 · 2025-04-16 17:34:10 +04:00 · 2025-04-15 19:01:22 +04:00 · 2025-04-15 19:00:52 +04:00 · 2025-04-11 16:14:44 +04:00
60 changed files with 1238 additions and 769 deletions
--- a/.npmrc
+++ b/.npmrc
@@ -1 +0,0 @@
@jsr:registry=https://npm.jsr.io
--- a/2
+++ b/2
@@ -11,7 +11,7 @@ RUN apt-get update && apt-get install -y nodejs
 WORKDIR /akkounts
-COPY ["Gemfile", "Gemfile.lock", "package.json", "yarn.lock", "./"]
+COPY ["Gemfile", "Gemfile.lock", "package.json", "./"]
 RUN bundle install
 RUN gem install foreman
--- a/2
+++ b/2
@@ -44,6 +44,8 @@ gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
 gem 'gpgme', '~> 2.0.24'
 gem 'zbase32', '~> 0.1.1'
 # HTTP requests
 gem 'faraday'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -197,6 +197,8 @@ GEM
      raabro (~> 1.4)
    globalid (1.2.1)
      activesupport (>= 6.1)
    gpgme (2.0.24)
      mini_portile2 (~> 2.7)
    hashdiff (1.1.0)
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
@@ -483,6 +485,7 @@ GEM
    xpath (3.2.0)
      nokogiri (~> 1.8)
    yard (0.9.34)
    zbase32 (0.1.1)
    zeitwerk (2.6.12)
 PLATFORMS
@@ -507,6 +510,7 @@ DEPENDENCIES
  flipper
  flipper-active_record
  flipper-ui
  gpgme (~> 2.0.24)
  image_processing (~> 1.12.2)
  importmap-rails
  jbuilder (~> 2.7)
@@ -540,6 +544,7 @@ DEPENDENCIES
  warden
  web-console (~> 4.2)
  webmock
  zbase32 (~> 0.1.1)
 BUNDLED WITH
-   2.5.11
+   2.5.5
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -30,7 +30,7 @@ class Admin::UsersController < Admin::BaseController
    amount = params[:amount].to_i
    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
-    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
    redirect_to admin_user_path(@user.cn), flash: {
      success: "Added #{amount} invitations to #{@user.cn}'s account"
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -21,10 +21,12 @@ class SettingsController < ApplicationController
    end
  end
  # PUT /settings/:section
  def update
    @user.preferences.merge!(user_params[:preferences] || {})
    @user.display_name = user_params[:display_name]
-    @user.avatar_new = user_params[:avatar]
+    @user.avatar_new   = user_params[:avatar]
    @user.pgp_pubkey   = user_params[:pgp_pubkey]
    if @user.save
      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
@@ -35,6 +37,10 @@ class SettingsController < ApplicationController
        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
      end
      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
        UserManager::UpdatePgpKey.call(user: @user)
      end
      redirect_to setting_path(@settings_section), flash: {
        success: 'Settings saved.'
      }
@@ -44,6 +50,7 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/update_email
  def update_email
    if @user.valid_ldap_authentication?(security_params[:current_password])
      if @user.update email: email_params[:email]
@@ -61,6 +68,7 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/reset_email_password
  def reset_email_password
    @user.current_password = security_params[:current_password]
@@ -83,6 +91,7 @@ class SettingsController < ApplicationController
    end
  end
  # POST /settings/reset_password
  def reset_password
    current_user.send_reset_password_instructions
    sign_out current_user
@@ -90,6 +99,7 @@ class SettingsController < ApplicationController
    redirect_to check_your_email_path, notice: msg
  end
  # POST /settings/set_nostr_pubkey
  def set_nostr_pubkey
    signed_event = Nostr::Event.new(**nostr_event_from_params)
@@ -152,7 +162,8 @@ class SettingsController < ApplicationController
    def user_params
      params.require(:user).permit(
-        :display_name, :avatar, preferences: UserPreferences.pref_keys
+        :display_name, :avatar, :pgp_pubkey,
        preferences: UserPreferences.pref_keys
      )
    end
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -96,7 +96,7 @@ class SignupController < ApplicationController
    session[:new_user] = nil
    session[:validation_error] = nil
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
      username: @user.cn,
      domain: Setting.primary_domain,
      email: @user.email,
--- a/app/controllers/web_key_directory_controller.rb
+++ b/app/controllers/web_key_directory_controller.rb
@@ -0,0 +1,35 @@
 class WebKeyDirectoryController < WellKnownController
  before_action :allow_cross_origin_requests
  # /.well-known/openpgpkey/hu/:hashed_username(.txt)
  def show
    @user = User.find_by(cn: params[:l].downcase)
    if @user.nil? ||
       @user.pgp_pubkey.blank? ||
       !@user.pgp_pubkey_contains_user_address?
      http_status :not_found and return
    end
    if params[:hashed_username] != @user.wkd_hash
      http_status :unprocessable_entity and return
    end
    respond_to do |format|
      format.text do
        response.headers['Content-Type'] = 'text/plain'
        render plain: @user.pgp_pubkey
      end
      format.any do
        key = @user.gnupg_key.export
        send_data key, filename: "#{@user.wkd_hash}.pem",
                       type: "application/octet-stream"
      end
    end
  end
  def policy
    head :ok
  end
 end
--- a/app/javascript/controllers/nostr_login_controller.js
+++ b/app/javascript/controllers/nostr_login_controller.js
@@ -1,5 +1,4 @@
 import { Controller } from "@hotwired/stimulus"
 // import { Nostrify } from '@nostrify/nostrify';
 // Connects to data-controller="nostr-login"
 export default class extends Controller {
@@ -7,9 +6,6 @@ export default class extends Controller {
  static values  = { site: String, sharedSecret: String }
  connect() {
    // window.Nostrify = Nostrify;
    // console.log(Nostrify);
    if (window.nostr) {
      this.loginButtonTarget.disabled = false
      this.loginFormTarget.classList.remove("hidden")
--- a/app/mailers/application_mailer.rb
+++ b/app/mailers/application_mailer.rb
@@ -1,3 +1,90 @@
 class ApplicationMailer < ActionMailer::Base
  default Rails.application.config.action_mailer.default_options
  layout 'mailer'
  private
    def send_mail
      @template ||= "#{self.class.name.underscore}/#{caller[0][/`([^']*)'/, 1]}"
      headers['Message-ID'] = message_id
      if @user.pgp_pubkey.present?
        mail(to: @user.email, subject: "...", content_type: pgp_content_type) do |format|
          format.text { render plain: pgp_content }
        end
      else
        mail(to: @user.email, subject: @subject) do |format|
          format.text { render @template }
        end
      end
    end
    def from_address
      self.class.default[:from]
    end
    def from_domain
      Mail::Address.new(from_address).domain
    end
    def message_id
      @message_id ||= "#{SecureRandom.uuid}@#{from_domain}"
    end
    def boundary
      @boundary ||= SecureRandom.hex(8)
    end
    def pgp_content_type
      "multipart/encrypted; protocol=\"application/pgp-encrypted\"; boundary=\"------------#{boundary}\""
    end
    def pgp_nested_content
      message_content = render_to_string(template: @template)
      message_content_base64 = Base64.encode64(message_content)
      nested_boundary = SecureRandom.hex(8)
      <<~NESTED_CONTENT
        Content-Type: multipart/mixed; boundary="------------#{nested_boundary}"; protected-headers="v1"
        Subject: #{@subject}
        From: <#{from_address}>
        To: #{@user.display_name || @user.cn} <#{@user.email}>
        Message-ID: <#{message_id}>
        --------------#{nested_boundary}
        Content-Type: text/plain; charset=UTF-8; format=flowed
        Content-Transfer-Encoding: base64
        #{message_content_base64}
        --------------#{nested_boundary}--
      NESTED_CONTENT
    end
    def pgp_content
      encrypted_content = UserManager::PgpEncrypt.call(user: @user, text: pgp_nested_content)
      encrypted_base64 = Base64.encode64(encrypted_content.to_s)
      <<~EMAIL_CONTENT
        This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
        --------------#{boundary}
        Content-Type: application/pgp-encrypted
        Content-Description: PGP/MIME version identification
        Version: 1
        --------------#{boundary}
        Content-Type: application/octet-stream; name="encrypted.asc"
        Content-Description: OpenPGP encrypted message
        Content-Disposition: inline; filename="encrypted.asc"
        -----BEGIN PGP MESSAGE-----
        #{encrypted_base64}
        -----END PGP MESSAGE-----
        --------------#{boundary}--
      EMAIL_CONTENT
    end
 end
--- a/app/mailers/custom_mailer.rb
+++ b/app/mailers/custom_mailer.rb
@@ -18,6 +18,6 @@ class CustomMailer < ApplicationMailer
    @user = params[:user]
    @subject = params[:subject]
    @body = params[:body]
-    mail(to: @user.email, subject: @subject)
+    send_mail
  end
 end
--- a/app/mailers/notification_mailer.rb
+++ b/app/mailers/notification_mailer.rb
@@ -3,7 +3,7 @@ class NotificationMailer < ApplicationMailer
    @user = params[:user]
    @amount_sats = params[:amount_sats]
    @subject = "Sats received"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
  def remotestorage_auth_created
@@ -15,19 +15,19 @@ class NotificationMailer < ApplicationMailer
      "#{access} #{directory}"
    end
    @subject = "New app connected to your storage"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
  def new_invitations_available
    @user = params[:user]
    @subject = "New invitations added to your account"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
  def bitcoin_donation_confirmed
    @user = params[:user]
    @donation = params[:donation]
    @subject = "Donation confirmed"
-    mail to: @user.email, subject: @subject
+    send_mail
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,9 +3,10 @@ require 'nostr'
 class User < ApplicationRecord
  include EmailValidatable
  attr_accessor :display_name
  attr_accessor :avatar_new
  attr_accessor :current_password
  attr_accessor :avatar_new
  attr_accessor :display_name
  attr_accessor :pgp_pubkey
  serialize :preferences, coder: UserPreferences
@@ -51,6 +52,8 @@ class User < ApplicationRecord
  validate :acceptable_avatar
  validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
  #
  # Scopes
  #
@@ -165,6 +168,24 @@ class User < ApplicationRecord
    Nostr::PublicKey.new(nostr_pubkey).to_bech32
  end
  def pgp_pubkey
    @pgp_pubkey ||= ldap_entry[:pgp_key]
  end
  def gnupg_key
    return nil unless pgp_pubkey.present?
    GPGME::Key.import(pgp_pubkey)
    GPGME::Key.get(pgp_fpr)
  end
  def pgp_pubkey_contains_user_address?
    gnupg_key.uids.map(&:email).include?(address)
  end
  def wkd_hash
    ZBase32.encode(Digest::SHA1.digest(cn))
  end
  def avatar
    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
  end
@@ -214,4 +235,10 @@ class User < ApplicationRecord
        errors.add(:avatar, "must be a JPEG or PNG file")
      end
    end
    def acceptable_pgp_key_format
      unless GPGME::Key.valid?(pgp_pubkey)
        errors.add(:pgp_pubkey, 'is not a valid armored PGP public key block')
      end
    end
 end
--- a/app/services/create_account.rb
+++ b/app/services/create_account.rb
@@ -1,54 +0,0 @@
 class CreateAccount < ApplicationService
  def initialize(account:)
    @username   = account[:username]
    @domain     = account[:ou] || Setting.primary_domain
    @email      = account[:email]
    @password   = account[:password]
    @invitation = account[:invitation]
    @confirmed  = account[:confirmed]
  end
  def call
    user = create_user_in_database
    add_ldap_document
    create_lndhub_account(user) if Setting.lndhub_enabled
    if @invitation.present?
      update_invitation(user.id)
    end
  end
  private
  def create_user_in_database
    User.create!(
      cn: @username,
      ou: @domain,
      email: @email,
      password: @password,
      password_confirmation: @password,
      confirmed_at: @confirmed ? DateTime.now : nil
    )
  end
  def update_invitation(user_id)
    @invitation.update! invited_user_id: user_id, used_at: DateTime.now
  end
  def add_ldap_document
    hashed_pw = Devise.ldap_auth_password_builder.call(@password)
    CreateLdapUserJob.perform_later(
      username: @username,
      domain: @domain,
      email: @email,
      hashed_pw: hashed_pw,
      confirmed: @confirmed
    )
  end
  def create_lndhub_account(user)
    #TODO enable in development when we have a local lndhub (mock?) API
    return if Rails.env.development?
    CreateLndhubAccountJob.perform_later(user)
  end
 end
--- a/app/services/create_invitations.rb
+++ b/app/services/create_invitations.rb
@@ -1,17 +0,0 @@
 class CreateInvitations < ApplicationService
  def initialize(user:, amount:, notify: true)
    @user = user
    @amount = amount
    @notify = notify
  end
  def call
    @amount.times do
      Invitation.create(user: @user)
    end
    if @notify
      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
    end
  end
 end
--- a/app/services/ldap_manager/update_pgp_key.rb
+++ b/app/services/ldap_manager/update_pgp_key.rb
@@ -0,0 +1,16 @@
 module LdapManager
  class UpdatePgpKey < LdapManagerService
    def initialize(dn:, pubkey:)
      @dn = dn
      @pubkey = pubkey
    end
    def call
      if @pubkey.present?
        replace_attribute @dn, :pgpKey, @pubkey
      else
        delete_attribute @dn, :pgpKey
      end
    end
  end
 end
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -58,7 +58,7 @@ class LdapService < ApplicationService
    attributes = %w[
      dn cn uid mail displayName admin serviceEnabled
-      mailRoutingAddress mailpassword nostrKey
+      mailRoutingAddress mailpassword nostrKey pgpKey
    ]
    filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
@@ -73,7 +73,8 @@ class LdapService < ApplicationService
        services_enabled: e.try(:serviceEnabled),
        email_maildrop: e.try(:mailRoutingAddress),
        email_password: e.try(:mailpassword),
-        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil
+        nostr_key: e.try(:nostrKey) ? e.nostrKey.first : nil,
        pgp_key: e.try(:pgpKey) ? e.pgpKey.first : nil
      }
    end
  end
@@ -101,7 +102,7 @@ class LdapService < ApplicationService
    dn = "ou=#{ou},cn=users,#{ldap_suffix}"
    aci = <<-EOS
-(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
+(target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || userPassword || mail || mailRoutingAddress || serviceEnabled || nostrKey || pgpKey || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
    EOS
    attrs = {
--- a/app/services/user_manager/create_account.rb
+++ b/app/services/user_manager/create_account.rb
@@ -0,0 +1,56 @@
 module UserManager
  class CreateAccount < UserManagerService
    def initialize(account:)
      @username   = account[:username]
      @domain     = account[:ou] || Setting.primary_domain
      @email      = account[:email]
      @password   = account[:password]
      @invitation = account[:invitation]
      @confirmed  = account[:confirmed]
    end
    def call
      user = create_user_in_database
      add_ldap_document
      create_lndhub_account(user) if Setting.lndhub_enabled
      if @invitation.present?
        update_invitation(user.id)
      end
    end
    private
    def create_user_in_database
      User.create!(
        cn: @username,
        ou: @domain,
        email: @email,
        password: @password,
        password_confirmation: @password,
        confirmed_at: @confirmed ? DateTime.now : nil
      )
    end
    def update_invitation(user_id)
      @invitation.update! invited_user_id: user_id, used_at: DateTime.now
    end
    def add_ldap_document
      hashed_pw = Devise.ldap_auth_password_builder.call(@password)
      CreateLdapUserJob.perform_later(
        username: @username,
        domain: @domain,
        email: @email,
        hashed_pw: hashed_pw,
        confirmed: @confirmed
      )
    end
    def create_lndhub_account(user)
      #TODO enable in development when we have a local lndhub (mock?) API
      return if Rails.env.development?
      CreateLndhubAccountJob.perform_later(user)
    end
  end
 end
--- a/app/services/user_manager/create_invitations.rb
+++ b/app/services/user_manager/create_invitations.rb
@@ -0,0 +1,19 @@
 module UserManager
  class CreateInvitations < UserManagerService
    def initialize(user:, amount:, notify: true)
      @user = user
      @amount = amount
      @notify = notify
    end
    def call
      @amount.times do
        Invitation.create(user: @user)
      end
      if @notify
        NotificationMailer.with(user: @user).new_invitations_available.deliver_later
      end
    end
  end
 end
--- a/app/services/user_manager/pgp_encrypt.rb
+++ b/app/services/user_manager/pgp_encrypt.rb
@@ -0,0 +1,19 @@
 require 'gpgme'
 module UserManager
  class PgpEncrypt < UserManagerService
    def initialize(user:, text:)
      @user = user
      @text = text
    end
    def call
      crypto = GPGME::Crypto.new
      crypto.encrypt(
        @text,
        recipients: @user.gnupg_key,
        always_trust: true
      )
    end
  end
 end
--- a/app/services/user_manager/update_pgp_key.rb
+++ b/app/services/user_manager/update_pgp_key.rb
@@ -0,0 +1,24 @@
 module UserManager
  class UpdatePgpKey < UserManagerService
    def initialize(user:)
      @user = user
    end
    def call
      if @user.pgp_pubkey.blank?
        @user.update! pgp_fpr: nil
      else
        result = GPGME::Key.import(@user.pgp_pubkey)
        if result.imports.present?
          @user.update! pgp_fpr: result.imports.first.fpr
        else
          # TODO notify Sentry, user
          raise "Failed to import OpenPGP pubkey"
        end
      end
      LdapManager::UpdatePgpKey.call(dn: @user.dn, pubkey: @user.pgp_pubkey)
    end
  end
 end
--- a/app/services/user_manager_service.rb
+++ b/app/services/user_manager_service.rb
@@ -0,0 +1,2 @@
 class UserManagerService < ApplicationService
 end
--- a/app/views/admin/users/show.html.erb
+++ b/app/views/admin/users/show.html.erb
@@ -89,13 +89,47 @@
    </section>
    <section class="sm:flex-1 sm:pt-0">
-      <% if @avatar.present? %>
+      <h3>LDAP</h3>
-      <h3>LDAP<h3>
+      <table class="divided">
-      <p>
+        <tbody>
-        <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
+          <tr>
-      </p>
+            <th>Avatar</th>
-      <% end %>
+            <td>
-      <!-- <h3>Actions</h3> -->
+              <% if @avatar.present? %>
                <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
              <% else %>
                &mdash;
              <% end %>
            </td>
          </tr>
          <tr>
            <th>Display name</th>
            <td><%= @user.display_name || "—" %></td>
          </tr>
          <tr>
            <th class="align-top">PGP key</th>
            <td class="align-top leading-5">
              <% if @user.pgp_pubkey.present? %>
                <span class="font-mono" title="<%= @user.pgp_fpr %>">
                  <% if @user.pgp_pubkey_contains_user_address? %>
                    <%= link_to wkd_key_url(hashed_username: @user.wkd_hash, l: @user.cn, format: :txt),
                      class: "ks-text-link", target: "_blank" do %>
                      <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
                    <% end %>
                  <% else %>
                    <%= "#{@user.pgp_fpr[0, 8]}…#{@user.pgp_fpr[-8..-1]}" %>
                  <% end %>
                </span><br />
                <% @user.gnupg_key.uids.each do |uid| %>
                  <%= uid.uid %><br />
                <% end %>
              <% else %>
                &mdash;
              <% end %>
            </td>
          </tr>
        </tbody>
      </table>
    </section>
  </div>
@@ -205,7 +239,9 @@
            ) %>
          </td>
          <td class="text-right">
            <% if @user.nostr_pubkey.present? %>
            <%= link_to "Open profile", "https://njump.me/#{@user.nostr_pubkey_bech32}", class: "btn-sm btn-gray" %>
            <% end %>
          </td>
        </tr>
        <% end %>
--- a/app/views/settings/_account.html.erb
+++ b/app/views/settings/_account.html.erb
@@ -1,6 +1,6 @@
 <%= tag.section data: {
      controller: "settings--account--email",
-      "settings--account--email-validation-failed-value": @validation_errors.present?
+      "settings--account--email-validation-failed-value": @validation_errors&.[](:email)&.present?
    } do %>
  <h3>E-Mail</h3>
  <%= form_for(@user, url: update_email_settings_path, method: "post") do |f| %>
@@ -23,7 +23,7 @@
        </span>
      </button>
    </p>
-    <% if @validation_errors.present? && @validation_errors[:email].present? %>
+    <% if @validation_errors&.[](:email)&.present? %>
      <p class="error-msg"><%= @validation_errors[:email].first %></p>
    <% end %>
    <div class="initial-hidden">
@@ -41,10 +41,33 @@
 <% end %>
 <section>
  <h3>Password</h3>
-  <p class="mb-8">Use the following button to request an email with a password reset link:</p>
+  <p class="mb-6">Use the following button to request an email with a password reset link:</p>
  <%= form_with(url: reset_password_settings_path, method: :post) do %>
    <p>
      <%= submit_tag("Send me a password reset link", class: 'btn-md btn-gray w-full sm:w-auto') %>
    </p>
  <% end %>
 </section>
 <%= form_for(@user, url: setting_path(:account), html: { :method => :put }) do |f| %>
  <section class="!pt-8 sm:!pt-12">
    <h3>OpenPGP</h3>
    <ul role="list">
      <%= render FormElements::FieldsetComponent.new(
            title: "Public key",
            description: "Your OpenPGP public key in ASCII Armor format"
          ) do %>
        <%= f.text_area :pgp_pubkey,
          value: @user.pgp_pubkey,
          class: "h-24 w-full" %>
        <% if @validation_errors&.[](:pgp_pubkey)&.present? %>
          <p class="error-msg">This <%= @validation_errors[:pgp_pubkey].first %></p>
        <% end %>
      <% end %>
    </ul>
  </section>
  <section>
    <p class="pt-6 border-t border-gray-200 text-right">
      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
    </p>
  </section>
 <% end %>
--- a/app/views/settings/_email.html.erb
+++ b/app/views/settings/_email.html.erb
@@ -5,7 +5,7 @@
  <h3>E-Mail Password</h3>
  <%= form_for(@user, url: reset_email_password_settings_path, method: "post") do |f| %>
    <%= hidden_field_tag :section, "email" %>
-    <p class="mb-8">
+    <p class="mb-6">
      Use the following button to generate a new email password:
    </p>
    <p class="hidden initial-visible">
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -57,16 +57,22 @@ Rails.application.configure do
  # routes, locales, etc. This feature depends on the listen gem.
  config.file_watcher = ActiveSupport::EventedFileUpdateChecker
  config.action_mailer.default_options = {
    from: "accounts@localhost"
  }
  # Don't actually send emails, cache them for viewing via letter opener
  config.action_mailer.delivery_method = :letter_opener
  # Don't care if the mailer can't send
  config.action_mailer.raise_delivery_errors = true
  # Base URL to be used by email template link helpers
-  config.action_mailer.default_url_options = { host: "localhost:3000", protocol: "http" }
+  config.action_mailer.default_url_options = {
    host: "localhost:3000",
    protocol: "http"
  }
  config.action_mailer.default_options = {
    from: "accounts@localhost",
    message_id: -> { "<#{Mail.random_tag}@localhost>" },
  }
  # Allow requests from any IP
  config.web_console.permissions = '0.0.0.0/0'
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -63,7 +63,7 @@ Rails.application.configure do
  outgoing_email_domain  = Mail::Address.new(outgoing_email_address).domain
  config.action_mailer.default_url_options = {
-    host: ENV['AKKOUNTS_DOMAIN'],
+    host: ENV.fetch('AKKOUNTS_DOMAIN'),
    protocol: "https",
  }
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -46,8 +46,12 @@ Rails.application.configure do
  config.action_mailer.default_url_options = {
    host: "accounts.kosmos.org",
-    protocol: "https",
+    protocol: "https"
-    from: "accounts@kosmos.org"
+  }
  config.action_mailer.default_options = {
    from: "accounts@kosmos.org",
    message_id: -> { "<#{Mail.random_tag}@kosmos.org>" },
  }
  config.active_job.queue_adapter = :test
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -70,10 +70,12 @@ Rails.application.routes.draw do
  get '.well-known/webfinger', to: 'webfinger#show'
  get '.well-known/nostr', to: 'well_known#nostr'
-  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: 'lightning_address'
+  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: :lightning_address
-  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: 'lightning_address_keysend'
+  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: :lightning_address_keysend
  get '.well-known/openpgpkey/hu/:hashed_username(.:format)', to: 'web_key_directory#show', as: :wkd_key
  get '.well-known/openpgpkey/policy', to: 'web_key_directory#policy'
-  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: 'lnurlpay_invoice'
+  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: :lnurlpay_invoice
  post 'webhooks/lndhub', to: 'webhooks#lndhub'
--- a/config/sidekiq.yml
+++ b/config/sidekiq.yml
@@ -1,4 +1,6 @@
 :concurrency: 2
 production:
  :concurrency: 10
 :queues:
  - default
  - mailers
--- a/db/migrate/20240922205634_add_pgp_fpr_to_users.rb
+++ b/db/migrate/20240922205634_add_pgp_fpr_to_users.rb
@@ -0,0 +1,5 @@
 class AddPgpFprToUsers < ActiveRecord::Migration[7.1]
  def change
    add_column :users, :pgp_fpr, :string
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
+ActiveRecord::Schema[7.1].define(version: 2024_09_22_205634) do
  create_table "active_storage_attachments", force: :cascade do |t|
    t.string "name", null: false
    t.string "record_type", null: false
@@ -132,6 +132,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_06_07_123654) do
    t.datetime "remember_created_at"
    t.string "remember_token"
    t.text "preferences"
    t.string "pgp_fpr"
    t.index ["email"], name: "index_users_on_email", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
  end
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -7,7 +7,7 @@ Sidekiq::Testing.inline! do
  puts "Create user: admin"
-  CreateAccount.call(account: {
+  UserManager::CreateAccount.call(account: {
    username: "admin", domain: "kosmos.org", email: "admin@example.com",
    password: "admin is admin", confirmed: true
  })
@@ -20,7 +20,7 @@ Sidekiq::Testing.inline! do
    email = Faker::Internet.unique.email
    next if username.length < 3
-    CreateAccount.call(account: {
+    UserManager::CreateAccount.call(account: {
      username: username, domain: "kosmos.org", email: email,
      password: "user is user", confirmed: true
    })
--- a/db/seeds/admin.asc
+++ b/db/seeds/admin.asc
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEZvGiUxYJKwYBBAHaRw8BAQdARPZXLqyB3nylJuzuARlOJxqc9mchMKHI4Cy+
 hPWlzja0GEFkbWluIDxhZG1pbkBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEE0pie1+fG
 ImdZwzGnwgEYSg8AulYFAmbxolMCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
 AwECHgcCF4AACgkQwgEYSg8AulaldAEA7yzh7XRCdIJDHgLUvKHsy2NnyLaDD1Tl
 hyZWbl5og0IBAJAQ2Dm82YXMdUK3X1OGlK8KH5O4E5lSFY4+8/xx0UEJuDgEZvGi
 UxIKKwYBBAGXVQEFAQEHQJc8pzzeIF7Hm5z1eseRAqGvFa+V1BIDf+1XQzuJhhxi
 AwEIB4h+BBgWCgAmFiEE0pie1+fGImdZwzGnwgEYSg8AulYFAmbxolMCGwwFCQWj
 moAACgkQwgEYSg8AulbLtgEApZvuDqSP77lrl1jmtCAJEEZk/ofsRFkf1g3U3Zhm
 9PcA/1+AbcyqjLTcqIPjHmZyGEPiaAvEsBzbPKEPiL3JYhkG
 =45sx
 -----END PGP PUBLIC KEY BLOCK-----
--- a/deno.lock
+++ b/deno.lock
@@ -1,245 +0,0 @@
 {
  "version": "3",
  "packages": {
    "specifiers": {
      "jsr:@deno/cache-dir@0.8": "jsr:@deno/cache-dir@0.8.0",
      "jsr:@deno/emit": "jsr:@deno/emit@0.45.0",
      "jsr:@luca/esbuild-deno-loader@0.9": "jsr:@luca/esbuild-deno-loader@0.9.0",
      "jsr:@std/assert@^0.213.1": "jsr:@std/assert@0.213.1",
      "jsr:@std/assert@^0.218.2": "jsr:@std/assert@0.218.2",
      "jsr:@std/assert@^0.223.0": "jsr:@std/assert@0.223.0",
      "jsr:@std/bytes@^0.218.2": "jsr:@std/bytes@0.218.2",
      "jsr:@std/encoding@0.213": "jsr:@std/encoding@0.213.1",
      "jsr:@std/fmt@^0.218.2": "jsr:@std/fmt@0.218.2",
      "jsr:@std/fs@^0.218.2": "jsr:@std/fs@0.218.2",
      "jsr:@std/io@^0.218.2": "jsr:@std/io@0.218.2",
      "jsr:@std/jsonc@0.213": "jsr:@std/jsonc@0.213.1",
      "jsr:@std/path@0.213": "jsr:@std/path@0.213.1",
      "jsr:@std/path@^0.218.2": "jsr:@std/path@0.218.2",
      "jsr:@std/path@^0.223.0": "jsr:@std/path@0.223.0",
      "npm:esbuild@0.20": "npm:esbuild@0.20.2"
    },
    "jsr": {
      "@deno/cache-dir@0.8.0": {
        "integrity": "e87e80a404958f6350d903e6238b72afb92468378b0b32111f7a1e4916ac7fe7",
        "dependencies": [
          "jsr:@std/fmt@^0.218.2",
          "jsr:@std/fs@^0.218.2",
          "jsr:@std/io@^0.218.2",
          "jsr:@std/path@^0.218.2"
        ]
      },
      "@deno/emit@0.45.0": {
        "integrity": "b59d632e61dbe4be7e9e61235f02ad08ff124c714c31deb080c4de778da1894d",
        "dependencies": [
          "jsr:@deno/cache-dir@0.8",
          "jsr:@std/path@^0.223.0"
        ]
      },
      "@luca/esbuild-deno-loader@0.9.0": {
        "integrity": "288bbcede5c8a6f97e635f8fa4df779b13440ee0c0506d9e478fb6537789dc93",
        "dependencies": [
          "jsr:@std/encoding@0.213",
          "jsr:@std/jsonc@0.213",
          "jsr:@std/path@0.213",
          "npm:esbuild@0.20"
        ]
      },
      "@std/assert@0.213.1": {
        "integrity": "24c28178b30c8e0782c18e8e94ea72b16282207569cdd10ffb9d1d26f2edebfe"
      },
      "@std/assert@0.218.2": {
        "integrity": "7f0a5a1a8cf86607cd6c2c030584096e1ffad27fc9271429a8cb48cfbdee5eaf"
      },
      "@std/assert@0.223.0": {
        "integrity": "eb8d6d879d76e1cc431205bd346ed4d88dc051c6366365b1af47034b0670be24"
      },
      "@std/bytes@0.218.2": {
        "integrity": "91fe54b232dcca73856b79a817247f4a651dbb60d51baafafb6408c137241670"
      },
      "@std/encoding@0.213.1": {
        "integrity": "fcbb6928713dde941a18ca5db88ca1544d0755ec8fb20fe61e2dc8144b390c62"
      },
      "@std/fmt@0.218.2": {
        "integrity": "99526449d2505aa758b6cbef81e7dd471d8b28ec0dcb1491d122b284c548788a"
      },
      "@std/fs@0.218.2": {
        "integrity": "dd9431453f7282e8c577cc22c9e6d036055a9a980b5549f887d6012969fabcca"
      },
      "@std/io@0.218.2": {
        "integrity": "c64fbfa087b7c9d4d386c5672f291f607d88cb7d44fc299c20c713e345f2785f",
        "dependencies": [
          "jsr:@std/assert@^0.218.2",
          "jsr:@std/bytes@^0.218.2"
        ]
      },
      "@std/jsonc@0.213.1": {
        "integrity": "5578f21aa583b7eb7317eed077ffcde47b294f1056bdbb9aacec407758637bfe",
        "dependencies": [
          "jsr:@std/assert@^0.213.1"
        ]
      },
      "@std/path@0.213.1": {
        "integrity": "f187bf278a172752e02fcbacf6bd78a335ed320d080a7ed3a5a59c3e88abc673",
        "dependencies": [
          "jsr:@std/assert@^0.213.1"
        ]
      },
      "@std/path@0.218.2": {
        "integrity": "b568fd923d9e53ad76d17c513e7310bda8e755a3e825e6289a0ce536404e2662",
        "dependencies": [
          "jsr:@std/assert@^0.218.2"
        ]
      },
      "@std/path@0.223.0": {
        "integrity": "593963402d7e6597f5a6e620931661053572c982fc014000459edc1f93cc3989",
        "dependencies": [
          "jsr:@std/assert@^0.223.0"
        ]
      }
    },
    "npm": {
      "@esbuild/aix-ppc64@0.20.2": {
        "integrity": "sha512-D+EBOJHXdNZcLJRBkhENNG8Wji2kgc9AZ9KiPr1JuZjsNtyHzrsfLRrY0tk2H2aoFu6RANO1y1iPPUCDYWkb5g==",
        "dependencies": {}
      },
      "@esbuild/android-arm64@0.20.2": {
        "integrity": "sha512-mRzjLacRtl/tWU0SvD8lUEwb61yP9cqQo6noDZP/O8VkwafSYwZ4yWy24kan8jE/IMERpYncRt2dw438LP3Xmg==",
        "dependencies": {}
      },
      "@esbuild/android-arm@0.20.2": {
        "integrity": "sha512-t98Ra6pw2VaDhqNWO2Oph2LXbz/EJcnLmKLGBJwEwXX/JAN83Fym1rU8l0JUWK6HkIbWONCSSatf4sf2NBRx/w==",
        "dependencies": {}
      },
      "@esbuild/android-x64@0.20.2": {
        "integrity": "sha512-btzExgV+/lMGDDa194CcUQm53ncxzeBrWJcncOBxuC6ndBkKxnHdFJn86mCIgTELsooUmwUm9FkhSp5HYu00Rg==",
        "dependencies": {}
      },
      "@esbuild/darwin-arm64@0.20.2": {
        "integrity": "sha512-4J6IRT+10J3aJH3l1yzEg9y3wkTDgDk7TSDFX+wKFiWjqWp/iCfLIYzGyasx9l0SAFPT1HwSCR+0w/h1ES/MjA==",
        "dependencies": {}
      },
      "@esbuild/darwin-x64@0.20.2": {
        "integrity": "sha512-tBcXp9KNphnNH0dfhv8KYkZhjc+H3XBkF5DKtswJblV7KlT9EI2+jeA8DgBjp908WEuYll6pF+UStUCfEpdysA==",
        "dependencies": {}
      },
      "@esbuild/freebsd-arm64@0.20.2": {
        "integrity": "sha512-d3qI41G4SuLiCGCFGUrKsSeTXyWG6yem1KcGZVS+3FYlYhtNoNgYrWcvkOoaqMhwXSMrZRl69ArHsGJ9mYdbbw==",
        "dependencies": {}
      },
      "@esbuild/freebsd-x64@0.20.2": {
        "integrity": "sha512-d+DipyvHRuqEeM5zDivKV1KuXn9WeRX6vqSqIDgwIfPQtwMP4jaDsQsDncjTDDsExT4lR/91OLjRo8bmC1e+Cw==",
        "dependencies": {}
      },
      "@esbuild/linux-arm64@0.20.2": {
        "integrity": "sha512-9pb6rBjGvTFNira2FLIWqDk/uaf42sSyLE8j1rnUpuzsODBq7FvpwHYZxQ/It/8b+QOS1RYfqgGFNLRI+qlq2A==",
        "dependencies": {}
      },
      "@esbuild/linux-arm@0.20.2": {
        "integrity": "sha512-VhLPeR8HTMPccbuWWcEUD1Az68TqaTYyj6nfE4QByZIQEQVWBB8vup8PpR7y1QHL3CpcF6xd5WVBU/+SBEvGTg==",
        "dependencies": {}
      },
      "@esbuild/linux-ia32@0.20.2": {
        "integrity": "sha512-o10utieEkNPFDZFQm9CoP7Tvb33UutoJqg3qKf1PWVeeJhJw0Q347PxMvBgVVFgouYLGIhFYG0UGdBumROyiig==",
        "dependencies": {}
      },
      "@esbuild/linux-loong64@0.20.2": {
        "integrity": "sha512-PR7sp6R/UC4CFVomVINKJ80pMFlfDfMQMYynX7t1tNTeivQ6XdX5r2XovMmha/VjR1YN/HgHWsVcTRIMkymrgQ==",
        "dependencies": {}
      },
      "@esbuild/linux-mips64el@0.20.2": {
        "integrity": "sha512-4BlTqeutE/KnOiTG5Y6Sb/Hw6hsBOZapOVF6njAESHInhlQAghVVZL1ZpIctBOoTFbQyGW+LsVYZ8lSSB3wkjA==",
        "dependencies": {}
      },
      "@esbuild/linux-ppc64@0.20.2": {
        "integrity": "sha512-rD3KsaDprDcfajSKdn25ooz5J5/fWBylaaXkuotBDGnMnDP1Uv5DLAN/45qfnf3JDYyJv/ytGHQaziHUdyzaAg==",
        "dependencies": {}
      },
      "@esbuild/linux-riscv64@0.20.2": {
        "integrity": "sha512-snwmBKacKmwTMmhLlz/3aH1Q9T8v45bKYGE3j26TsaOVtjIag4wLfWSiZykXzXuE1kbCE+zJRmwp+ZbIHinnVg==",
        "dependencies": {}
      },
      "@esbuild/linux-s390x@0.20.2": {
        "integrity": "sha512-wcWISOobRWNm3cezm5HOZcYz1sKoHLd8VL1dl309DiixxVFoFe/o8HnwuIwn6sXre88Nwj+VwZUvJf4AFxkyrQ==",
        "dependencies": {}
      },
      "@esbuild/linux-x64@0.20.2": {
        "integrity": "sha512-1MdwI6OOTsfQfek8sLwgyjOXAu+wKhLEoaOLTjbijk6E2WONYpH9ZU2mNtR+lZ2B4uwr+usqGuVfFT9tMtGvGw==",
        "dependencies": {}
      },
      "@esbuild/netbsd-x64@0.20.2": {
        "integrity": "sha512-K8/DhBxcVQkzYc43yJXDSyjlFeHQJBiowJ0uVL6Tor3jGQfSGHNNJcWxNbOI8v5k82prYqzPuwkzHt3J1T1iZQ==",
        "dependencies": {}
      },
      "@esbuild/openbsd-x64@0.20.2": {
        "integrity": "sha512-eMpKlV0SThJmmJgiVyN9jTPJ2VBPquf6Kt/nAoo6DgHAoN57K15ZghiHaMvqjCye/uU4X5u3YSMgVBI1h3vKrQ==",
        "dependencies": {}
      },
      "@esbuild/sunos-x64@0.20.2": {
        "integrity": "sha512-2UyFtRC6cXLyejf/YEld4Hajo7UHILetzE1vsRcGL3earZEW77JxrFjH4Ez2qaTiEfMgAXxfAZCm1fvM/G/o8w==",
        "dependencies": {}
      },
      "@esbuild/win32-arm64@0.20.2": {
        "integrity": "sha512-GRibxoawM9ZCnDxnP3usoUDO9vUkpAxIIZ6GQI+IlVmr5kP3zUq+l17xELTHMWTWzjxa2guPNyrpq1GWmPvcGQ==",
        "dependencies": {}
      },
      "@esbuild/win32-ia32@0.20.2": {
        "integrity": "sha512-HfLOfn9YWmkSKRQqovpnITazdtquEW8/SoHW7pWpuEeguaZI4QnCRW6b+oZTztdBnZOS2hqJ6im/D5cPzBTTlQ==",
        "dependencies": {}
      },
      "@esbuild/win32-x64@0.20.2": {
        "integrity": "sha512-N49X4lJX27+l9jbLKSqZ6bKNjzQvHaT8IIFUy+YIqmXQdjYCToGWwOItDrfby14c78aDd5NHQl29xingXfCdLQ==",
        "dependencies": {}
      },
      "esbuild@0.20.2": {
        "integrity": "sha512-WdOOppmUNU+IbZ0PaDiTst80zjnrOkyJNHoKupIcVyU8Lvla3Ugx94VzkQ32Ijqd7UhHJy75gNWDMUekcrSJ6g==",
        "dependencies": {
          "@esbuild/aix-ppc64": "@esbuild/aix-ppc64@0.20.2",
          "@esbuild/android-arm": "@esbuild/android-arm@0.20.2",
          "@esbuild/android-arm64": "@esbuild/android-arm64@0.20.2",
          "@esbuild/android-x64": "@esbuild/android-x64@0.20.2",
          "@esbuild/darwin-arm64": "@esbuild/darwin-arm64@0.20.2",
          "@esbuild/darwin-x64": "@esbuild/darwin-x64@0.20.2",
          "@esbuild/freebsd-arm64": "@esbuild/freebsd-arm64@0.20.2",
          "@esbuild/freebsd-x64": "@esbuild/freebsd-x64@0.20.2",
          "@esbuild/linux-arm": "@esbuild/linux-arm@0.20.2",
          "@esbuild/linux-arm64": "@esbuild/linux-arm64@0.20.2",
          "@esbuild/linux-ia32": "@esbuild/linux-ia32@0.20.2",
          "@esbuild/linux-loong64": "@esbuild/linux-loong64@0.20.2",
          "@esbuild/linux-mips64el": "@esbuild/linux-mips64el@0.20.2",
          "@esbuild/linux-ppc64": "@esbuild/linux-ppc64@0.20.2",
          "@esbuild/linux-riscv64": "@esbuild/linux-riscv64@0.20.2",
          "@esbuild/linux-s390x": "@esbuild/linux-s390x@0.20.2",
          "@esbuild/linux-x64": "@esbuild/linux-x64@0.20.2",
          "@esbuild/netbsd-x64": "@esbuild/netbsd-x64@0.20.2",
          "@esbuild/openbsd-x64": "@esbuild/openbsd-x64@0.20.2",
          "@esbuild/sunos-x64": "@esbuild/sunos-x64@0.20.2",
          "@esbuild/win32-arm64": "@esbuild/win32-arm64@0.20.2",
          "@esbuild/win32-ia32": "@esbuild/win32-ia32@0.20.2",
          "@esbuild/win32-x64": "@esbuild/win32-x64@0.20.2"
        }
      }
    }
  },
  "remote": {
    "https://deno.land/x/denoflate@1.2.1/mod.ts": "f5628e44b80b3d80ed525afa2ba0f12408e3849db817d47a883b801f9ce69dd6",
    "https://deno.land/x/denoflate@1.2.1/pkg/denoflate.js": "b9f9ad9457d3f12f28b1fb35c555f57443427f74decb403113d67364e4f2caf4",
    "https://deno.land/x/denoflate@1.2.1/pkg/denoflate_bg.wasm.js": "d581956245407a2115a3d7e8d85a9641c032940a8e810acbd59ca86afd34d44d",
    "https://deno.land/x/esbuild@v0.20.1/mod.js": "d50e500b53ce67e31116beba3916b0f9275c0e1cc20bc5cadc0fc1b7a3b06fd9"
  },
  "workspace": {
    "packageJson": {
      "dependencies": [
        "npm:@jsr/nostrify__nostrify",
        "npm:@tailwindcss/forms@^0.5.3",
        "npm:autoprefixer@^10.4.13",
        "npm:postcss-flexbugs-fixes@^5.0.2",
        "npm:postcss-import@^15.0.1",
        "npm:postcss-nested@^6.0.0",
        "npm:postcss-preset-env@^7.8.3",
        "npm:postcss@^8.4.19",
        "npm:tailwindcss@^3.2.4"
      ]
    }
  }
 }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -111,7 +111,7 @@ services:
      - redis
  strfry:
-    image: gitea.kosmos.org/kosmos/strfry-deno:1.1.1
+    image: gitea.kosmos.org/kosmos/strfry-deno:2.0.0
    volumes:
      - ./docker/strfry/strfry.conf:/etc/strfry.conf
      - ./extras/strfry:/opt/strfry
--- a/docs/dev/nostr.md
+++ b/docs/dev/nostr.md
@@ -0,0 +1,57 @@
 # Nostr
 ## strfry
 The `extras/strfry` directory contains code to integrate [strfry][1] with
 akkounts, so that notes published to the relay have to be authored by (or in
 some cases just related to) local users who have verified their Nostr public
 key.
 ### Requirements
 [Deno](https://deno.com/) needs to be installed on the machine that you run
 strfry on.
 We provide a Docker image with recent strfry and Deno builds:
 https://gitea.kosmos.org/kosmos/-/packages/container/strfry-deno/
 ### Configuration
 You can use either environment variables (see e.g. the `strfry` service in
 `docker-compose-yml`) or a local `.env` file in the same working directory
 that you place the extra files in (e.g. `/opt/strfry`).
 In your `strfry.conf`, configure `strfry-policy.ts` as the write policy, like so:
 ```
 writePolicy {
    plugin = "/opt/strfry/strfry-policy.ts"
 }
 ```
 All dependencies will be downloaded and cached automatically when the plugin is
 called for the first time.
 ### Manual tasks
 You can sync all notes authored by local users (any account that has verified
 their Nostr pubkey with akkounts) from a remote [strfry][1] relay via negentropy
 sync:
    deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
 Or, in the running container when using Docker Compose:
    docker compose exec strfry deno run -A /opt/strfry/strfry-sync.ts wss://nostr.kosmos.org
 The `strfry` service container also exposes the local relay on your local host
 on port 4777.
 [nak](https://github.com/fiatjaf/nak) is a helpful tool for manual Nostr tasks.
 Here's how you can grab a note by its event ID from a remote relay and publish
 it to your local strfry for example:
    nak req -i 0fb010192685b86b0810b3de3706fbbf3b8c1db30b14533094a2b9700c820cdc nostr.kosmos.org | nak event ws://localhost:4777
 [1]: https://github.com/hoytech/strfry
--- a/extras/strfry/deno.lock
+++ b/extras/strfry/deno.lock
@@ -1,101 +1,231 @@
 {
-  "version": "3",
+  "version": "4",
-  "packages": {
+  "specifiers": {
-    "specifiers": {
+    "jsr:@nostr/tools@*": "2.3.1",
-      "jsr:@nostr/tools@^2.3.1": "jsr:@nostr/tools@2.3.1",
+    "jsr:@nostr/tools@^2.3.1": "2.3.1",
-      "npm:@noble/ciphers@^0.5.1": "npm:@noble/ciphers@0.5.3",
+    "jsr:@nostrify/nostrify@0.36": "0.36.2",
-      "npm:@noble/curves@1.2.0": "npm:@noble/curves@1.2.0",
+    "jsr:@nostrify/policies@*": "0.36.1",
-      "npm:@noble/hashes@1.3.1": "npm:@noble/hashes@1.3.1",
+    "jsr:@nostrify/strfry@*": "0.2.1",
-      "npm:@scure/base@1.1.1": "npm:@scure/base@1.1.1",
+    "jsr:@nostrify/types@0.35": "0.35.0",
-      "npm:ldapts": "npm:ldapts@7.0.12"
+    "jsr:@nostrify/types@0.36": "0.36.0",
    "jsr:@std/bytes@^1.0.5": "1.0.5",
    "jsr:@std/encoding@~0.224.1": "0.224.3",
    "jsr:@std/json@^1.0.1": "1.0.1",
    "jsr:@std/streams@^1.0.7": "1.0.9",
    "jsr:@std/streams@^1.0.8": "1.0.9",
    "npm:@noble/ciphers@~0.5.1": "0.5.3",
    "npm:@noble/curves@1.2.0": "1.2.0",
    "npm:@noble/hashes@1.3.1": "1.3.1",
    "npm:@scure/base@1.1.1": "1.1.1",
    "npm:@scure/bip32@^1.4.0": "1.6.2",
    "npm:@scure/bip39@^1.3.0": "1.5.4",
    "npm:ldapts@*": "7.0.12",
    "npm:lru-cache@^10.2.0": "10.4.3",
    "npm:nostr-tools@^2.7.0": "2.12.0",
    "npm:websocket-ts@^2.1.5": "2.2.1",
    "npm:zod@^3.23.8": "3.24.2"
  },
  "jsr": {
    "@nostr/tools@2.3.1": {
      "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
      "dependencies": [
        "npm:@noble/ciphers",
        "npm:@noble/curves",
        "npm:@noble/hashes",
        "npm:@scure/base"
      ]
    },
-    "jsr": {
+    "@nostrify/nostrify@0.36.2": {
-      "@nostr/tools@2.3.1": {
+      "integrity": "cc4787ca170b623a2e5dfed1baa4426077daa6143af728ea7dd325d58f4d04d6",
-        "integrity": "af01dc45cb28784c584d7a0699707196f397bcc53946efa582a01b11ddde4d61",
+      "dependencies": [
-        "dependencies": [
+        "jsr:@nostrify/types@0.35",
-          "npm:@noble/ciphers@^0.5.1",
+        "jsr:@std/encoding",
-          "npm:@noble/curves@1.2.0",
+        "npm:@scure/bip32",
-          "npm:@noble/hashes@1.3.1",
+        "npm:@scure/bip39",
-          "npm:@scure/base@1.1.1"
+        "npm:lru-cache",
-        ]
+        "npm:nostr-tools",
-      }
+        "npm:websocket-ts",
        "npm:zod"
      ]
    },
-    "npm": {
+    "@nostrify/policies@0.36.1": {
-      "@noble/ciphers@0.5.3": {
+      "integrity": "6d59af115a687fcd18b6caebab0e4f50ee6cdb0aafa2aacd0aec2065021275b4",
-        "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@nostrify/nostrify",
-      },
+        "jsr:@nostrify/types@0.35",
-      "@noble/curves@1.2.0": {
+        "npm:nostr-tools"
-        "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
+      ]
-        "dependencies": {
+    },
-          "@noble/hashes": "@noble/hashes@1.3.2"
+    "@nostrify/strfry@0.2.1": {
-        }
+      "integrity": "be437b13f49e6564e557da23072bf642723a603568f672543a64d9fda6663432",
-      },
+      "dependencies": [
-      "@noble/hashes@1.3.1": {
+        "jsr:@nostrify/types@0.36",
-        "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA==",
+        "jsr:@std/json",
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.8"
-      },
+      ]
-      "@noble/hashes@1.3.2": {
+    },
-        "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ==",
+    "@nostrify/types@0.35.0": {
-        "dependencies": {}
+      "integrity": "b8d515563d467072694557d5626fa1600f74e83197eef45dd86a9a99c64f7fe6"
-      },
+    },
-      "@scure/base@1.1.1": {
+    "@nostrify/types@0.36.0": {
-        "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA==",
+      "integrity": "b3413467debcbd298d217483df4e2aae6c335a34765c90ac7811cf7c637600e7"
-        "dependencies": {}
+    },
-      },
+    "@std/bytes@1.0.5": {
-      "@types/asn1@0.2.4": {
+      "integrity": "4465dd739d7963d964c809202ebea6d5c6b8e3829ef25c6a224290fbb8a1021e"
-        "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
+    },
-        "dependencies": {
+    "@std/encoding@0.224.3": {
-          "@types/node": "@types/node@18.16.19"
+      "integrity": "5e861b6d81be5359fad4155e591acf17c0207b595112d1840998bb9f476dbdaf"
-        }
+    },
-      },
+    "@std/json@1.0.1": {
-      "@types/node@18.16.19": {
+      "integrity": "1f0f70737e8827f9acca086282e903677bc1bb0c8ffcd1f21bca60039563049f",
-        "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA==",
+      "dependencies": [
-        "dependencies": {}
+        "jsr:@std/streams@^1.0.7"
-      },
+      ]
-      "@types/uuid@9.0.8": {
+    },
-        "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==",
+    "@std/streams@1.0.9": {
-        "dependencies": {}
+      "integrity": "a9d26b1988cdd7aa7b1f4b51e1c36c1557f3f252880fa6cc5b9f37078b1a5035",
-      },
+      "dependencies": [
-      "asn1@0.2.6": {
+        "jsr:@std/bytes"
-        "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
+      ]
-        "dependencies": {
+    }
-          "safer-buffer": "safer-buffer@2.1.2"
+  },
-        }
+  "npm": {
-      },
+    "@noble/ciphers@0.5.3": {
-      "debug@4.3.5": {
+      "integrity": "sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w=="
-        "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
+    },
-        "dependencies": {
+    "@noble/curves@1.1.0": {
-          "ms": "ms@2.1.2"
+      "integrity": "sha512-091oBExgENk/kGj3AZmtBDMpxQPDtxQABR2B9lb1JbVTs6ytdzZNwvhxQ4MWasRNEzlbEH8jCWFCwhF/Obj5AA==",
-        }
+      "dependencies": [
-      },
+        "@noble/hashes@1.3.1"
-      "ldapts@7.0.12": {
+      ]
-        "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
+    },
-        "dependencies": {
+    "@noble/curves@1.2.0": {
-          "@types/asn1": "@types/asn1@0.2.4",
+      "integrity": "sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==",
-          "@types/uuid": "@types/uuid@9.0.8",
+      "dependencies": [
-          "asn1": "asn1@0.2.6",
+        "@noble/hashes@1.3.2"
-          "debug": "debug@4.3.5",
+      ]
-          "strict-event-emitter-types": "strict-event-emitter-types@2.0.0",
+    },
-          "uuid": "uuid@9.0.1"
+    "@noble/curves@1.8.2": {
-        }
+      "integrity": "sha512-vnI7V6lFNe0tLAuJMu+2sX+FcL14TaCWy1qiczg1VwRmPrpQCdq5ESXQMqUc2tluRNf6irBXrWbl1mGN8uaU/g==",
-      },
+      "dependencies": [
-      "ms@2.1.2": {
+        "@noble/hashes@1.7.2"
-        "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
+      ]
-        "dependencies": {}
+    },
-      },
+    "@noble/hashes@1.3.1": {
-      "safer-buffer@2.1.2": {
+      "integrity": "sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA=="
-        "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+    },
-        "dependencies": {}
+    "@noble/hashes@1.3.2": {
-      },
+      "integrity": "sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ=="
-      "strict-event-emitter-types@2.0.0": {
+    },
-        "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA==",
+    "@noble/hashes@1.7.2": {
-        "dependencies": {}
+      "integrity": "sha512-biZ0NUSxyjLLqo6KxEJ1b+C2NAx0wtDoFvCaXHGgUkeHzf3Xc1xKumFKREuT7f7DARNZ/slvYUwFG6B0f2b6hQ=="
-      },
+    },
-      "uuid@9.0.1": {
+    "@scure/base@1.1.1": {
-        "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "integrity": "sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA=="
-        "dependencies": {}
+    },
-      }
+    "@scure/base@1.2.4": {
      "integrity": "sha512-5Yy9czTO47mqz+/J8GM6GIId4umdCk1wc1q8rKERQulIoc8VP9pzDcghv10Tl2E7R96ZUx/PhND3ESYUQX8NuQ=="
    },
    "@scure/bip32@1.3.1": {
      "integrity": "sha512-osvveYtyzdEVbt3OfwwXFr4P2iVBL5u1Q3q4ONBfDY/UpOuXmOlbgwc1xECEboY8wIays8Yt6onaWMUdUbfl0A==",
      "dependencies": [
        "@noble/curves@1.1.0",
        "@noble/hashes@1.3.2",
        "@scure/base@1.1.1"
      ]
    },
    "@scure/bip32@1.6.2": {
      "integrity": "sha512-t96EPDMbtGgtb7onKKqxRLfE5g05k7uHnHRM2xdE6BP/ZmxaLtPek4J4KfVn/90IQNrU1IOAqMgiDtUdtbe3nw==",
      "dependencies": [
        "@noble/curves@1.8.2",
        "@noble/hashes@1.7.2",
        "@scure/base@1.2.4"
      ]
    },
    "@scure/bip39@1.2.1": {
      "integrity": "sha512-Z3/Fsz1yr904dduJD0NpiyRHhRYHdcnyh73FZWiV+/qhWi83wNJ3NWolYqCEN+ZWsUz2TWwajJggcRE9r1zUYg==",
      "dependencies": [
        "@noble/hashes@1.3.2",
        "@scure/base@1.1.1"
      ]
    },
    "@scure/bip39@1.5.4": {
      "integrity": "sha512-TFM4ni0vKvCfBpohoh+/lY05i9gRbSwXWngAsF4CABQxoaOHijxuaZ2R6cStDQ5CHtHO9aGJTr4ksVJASRRyMA==",
      "dependencies": [
        "@noble/hashes@1.7.2",
        "@scure/base@1.2.4"
      ]
    },
    "@types/asn1@0.2.4": {
      "integrity": "sha512-V91DSJ2l0h0gRhVP4oBfBzRBN9lAbPUkGDMCnwedqPKX2d84aAMc9CulOvxdw1f7DfEYx99afab+Rsm3e52jhA==",
      "dependencies": [
        "@types/node"
      ]
    },
    "@types/node@18.16.19": {
      "integrity": "sha512-IXl7o+R9iti9eBW4Wg2hx1xQDig183jj7YLn8F7udNceyfkbn1ZxmzZXuak20gR40D7pIkIY1kYGx5VIGbaHKA=="
    },
    "@types/uuid@9.0.8": {
      "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA=="
    },
    "asn1@0.2.6": {
      "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==",
      "dependencies": [
        "safer-buffer"
      ]
    },
    "debug@4.3.5": {
      "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
      "dependencies": [
        "ms"
      ]
    },
    "ldapts@7.0.12": {
      "integrity": "sha512-orwgIejUi/ZyGah9y8jWZmFUg8Ci5M8WAv0oZjSf3MVuk1sRBdor9Qy1ttGHbYpWj96HXKFunQ8AYZ8WWGp17g==",
      "dependencies": [
        "@types/asn1",
        "@types/uuid",
        "asn1",
        "debug",
        "strict-event-emitter-types",
        "uuid"
      ]
    },
    "lru-cache@10.4.3": {
      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="
    },
    "ms@2.1.2": {
      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
    },
    "nostr-tools@2.12.0": {
      "integrity": "sha512-pUWEb020gTvt1XZvTa8AKNIHWFapjsv2NKyk43Ez2nnvz6WSXsrTFE0XtkNLSRBjPn6EpxumKeNiVzLz74jNSA==",
      "dependencies": [
        "@noble/ciphers",
        "@noble/curves@1.2.0",
        "@noble/hashes@1.3.1",
        "@scure/base@1.1.1",
        "@scure/bip32@1.3.1",
        "@scure/bip39@1.2.1",
        "nostr-wasm"
      ]
    },
    "nostr-wasm@0.1.0": {
      "integrity": "sha512-78BTryCLcLYv96ONU8Ws3Q1JzjlAt+43pWQhIl86xZmWeegYCNLPml7yQ+gG3vR6V5h4XGj+TxO+SS5dsThQIA=="
    },
    "safer-buffer@2.1.2": {
      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
    },
    "strict-event-emitter-types@2.0.0": {
      "integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA=="
    },
    "uuid@9.0.1": {
      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA=="
    },
    "websocket-ts@2.2.1": {
      "integrity": "sha512-YKPDfxlK5qOheLZ2bTIiktZO1bpfGdNCPJmTEaPW7G9UXI1GKjDdeacOrsULUS000OPNxDVOyAuKLuIWPqWM0Q=="
    },
    "zod@3.24.2": {
      "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ=="
    }
  },
  "remote": {
--- a/extras/strfry/ldap-policy.ts
+++ b/extras/strfry/ldap-policy.ts
@@ -1,8 +1,8 @@
-import type { IterablePubkeys, Policy } from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+import { NostrEvent, NostrRelayInfo, NostrRelayOK, NPolicy } from 'jsr:@nostrify/types@^0.35.0';
 import { nip57 } from 'jsr:@nostr/tools';
 import { Client } from 'npm:ldapts';
 import { nip57 } from '@nostr/tools';
-interface LdapConfig {
+export interface LdapConfig {
  url: string;
  bindDN: string;
  password: string;
@@ -10,68 +10,73 @@ interface LdapConfig {
  whitelistPubkeys?: IterablePubkeys;
 }
-const ldapPolicy: Policy<LdapConfig> = async (msg, opts) => {
+export class LdapPolicy implements NPolicy {
-  const client = new Client({ url: opts.url });
+  constructor(private opts: LdapConfig) {}
  const { kind, tags } = msg.event;
  let { pubkey } = msg.event;
  let out = { id: msg.event.id }
-  if (opts.whitelistPubkeys.includes(pubkey)) {
+  // deno-lint-ignore require-await
-    out['action'] = 'accept';
+  async call(event: NostrEvent): Promise<NostrRelayOK> {
-    out['msg'] = '';
+    const client = new Client({ url: this.opts.url });
-    return out;
+    const { id, kind, tags } = event;
-  }
+    let { pubkey } = event;
-  // Zap receipt
+    if (this.opts.whitelistPubkeys.includes(pubkey)) {
-  if (kind === 9735) {
+      return ['OK', id, true, ''];
    const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
    const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
    if (typeof descriptionTag === 'undefined') {
      out['action'] = 'reject';
      out['msg'] = invalidZapRequestMsg;
      return out;
    }
-    const zapRequestJSON = descriptionTag[1];
+    // Zap receipt
-    const validationResult = nip57.validateZapRequest(zapRequestJSON);
+    if (kind === 9735) {
      const descriptionTag = tags.find(([t, v]) => t === 'description' && v);
      const invalidZapRequestMsg = 'Zap receipts must contain a valid zap request from a relay member';
-    // TODO
+      if (typeof descriptionTag === 'undefined') {
-    // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
+        return ['OK', id, false, invalidZapRequestMsg];
-    // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
+      }
-    if (validationResult === null) {
+      const zapRequestJSON = descriptionTag[1];
-      pubkey = JSON.parse(zapRequestJSON).pubkey;
+      const validationResult = nip57.validateZapRequest(zapRequestJSON);
-    } else {
+
-      out['action'] = 'reject';
+      // TODO
-      out['msg'] = invalidZapRequestMsg;
+      // The zap receipt event's pubkey MUST be the same as the recipient's lnurl provider's nostrPubkey (retrieved in step 1 of the protocol flow).
-      return out;
+      // The invoiceAmount contained in the bolt11 tag of the zap receipt MUST equal the amount tag of the zap request (if present).
      if (validationResult === null) {
        pubkey = JSON.parse(zapRequestJSON).pubkey;
      } else {
        return ['OK', id, false, invalidZapRequestMsg];
      }
    }
    const out = { accept: true, msg: ''};
    try {
      await client.bind(this.opts.bindDN, this.opts.password);
      const { searchEntries } = await client.search(this.opts.searchDN, {
        filter: `(nostrKey=${pubkey})`,
        attributes: ['nostrKey']
      });
      const memberKey = searchEntries[0]?.nostrKey;
      if (memberKey === pubkey) {
        out['accept'] = true;
      } else {
        out['accept'] = false;
        out['msg'] = 'Only members can publish notes on this relay';
      }
    } catch (ex) {
      out['accept'] = false;
      out['msg'] = 'Auth service temporarily unavailable';
    } finally {
      await client.unbind();
      return ['OK', id, out['accept'], out['msg']];
    }
  }
-  try {
+  get info(): NostrRelayInfo {
-    await client.bind(opts.bindDN, opts.password);
+    return {
-
+      limitation: {
-    const { searchEntries } = await client.search(opts.searchDN, {
+        restricted_writes: true,
-      filter: `(nostrKey=${pubkey})`,
+      },
-      attributes: ['nostrKey']
+    };
    });
    const memberKey = searchEntries[0]?.nostrKey;
    if (memberKey === pubkey) {
      out['action'] = 'accept';
      out['msg'] = '';
    } else {
      out['action'] = 'reject';
      out['msg'] = 'Only members can publish notes on this relay';
    }
  } catch (ex) {
    out['action'] = 'reject';
    out['msg'] = 'Auth service temporarily unavailable';
  } finally {
    await client.unbind();
    return out;
  }
-};
+}
 export default ldapPolicy;
--- a/extras/strfry/strfry-policy.ts
+++ b/extras/strfry/strfry-policy.ts
@@ -1,20 +1,20 @@
 #!/bin/sh
-//bin/true; exec deno run -A "$0" "$@"
+//bin/true; exec deno run --unstable-kv -A "$0" "$@"
 import {
-  antiDuplicationPolicy,
+  AntiDuplicationPolicy,
-  hellthreadPolicy,
+  HellthreadPolicy,
-  pipeline,
+  PipePolicy,
  rateLimitPolicy,
  readStdin,
  writeStdout,
-} from 'https://gitlab.com/soapbox-pub/strfry-policies/-/raw/develop/mod.ts';
+} from 'jsr:@nostrify/policies';
-import ldapPolicy from './ldap-policy.ts';
+import { strfry } from 'jsr:@nostrify/strfry';
 import { LdapConfig, LdapPolicy } from './ldap-policy.ts';
 import { load } from "https://deno.land/std@0.224.0/dotenv/mod.ts";
 const dirname = new URL('.', import.meta.url).pathname;
 await load({ envPath: `${dirname}/.env`, export: true });
-const ldapConfig = {
+const ldapConfig: LdapConfig = {
  url: Deno.env.get("LDAP_URL"),
  bindDN: Deno.env.get("LDAP_BIND_DN"),
  password: Deno.env.get("LDAP_PASSWORD"),
@@ -22,13 +22,10 @@ const ldapConfig = {
  whitelistPubkeys: Deno.env.get("WHITELIST_PUBKEYS")?.split(',')
 }
-for await (const msg of readStdin()) {
+const policy = new PipePolicy([
-  const result = await pipeline(msg, [
+  new HellthreadPolicy({ limit: 10 }),
-    [hellthreadPolicy, { limit: 10 }],
+  new AntiDuplicationPolicy({ kv: await Deno.openKv(), expireIn: 60000, minLength: 50 }),
-    [antiDuplicationPolicy, { ttl: 60000, minLength: 50 }],
+  new LdapPolicy(ldapConfig)
-    [rateLimitPolicy, { whitelist: ['127.0.0.1'] }],
+]);
    [ldapPolicy, ldapConfig],
  ]);
-  writeStdout(result);
+await strfry(policy);
 }
--- a/lib/tasks/deno.rake
+++ b/lib/tasks/deno.rake
@@ -1,14 +0,0 @@
 namespace :deno do
  desc "Download and prepare a Deno package for importmap"
  task :prepare, [:package, :version] => :environment do |t, args|
    unless args[:package] && args[:version]
      raise "Usage: rake deno:prepare[package-name,version]"
    end
    # Build the package
    system "deno run -A scripts/build_deno_package.ts #{args[:package]} #{args[:version]}"
    # Pin the package using importmap
    # system "bin/importmap pin #{args[:package]} --to vendor/javascript/#{args[:package]}/build.js"
  end
 end
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@@ -21,7 +21,7 @@ namespace :ldap do
  desc "Add custom attributes to schema"
  task add_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
      Rake::Task["ldap:modify_ldap_schema"].invoke(name, "add")
      Rake::Task['ldap:modify_ldap_schema'].reenable
    end
@@ -29,7 +29,7 @@ namespace :ldap do
  desc "Delete custom attributes from schema"
  task delete_custom_attributes: :environment do |t, args|
-    %w[ admin service_enabled nostr_key ].each do |name|
+    %w[ admin service_enabled nostr_key pgp_key ].each do |name|
      Rake::Task["ldap:modify_ldap_schema"].invoke(name, "delete")
      Rake::Task['ldap:modify_ldap_schema'].reenable
    end
--- a/package.json
+++ b/package.json
@@ -2,7 +2,6 @@
  "name": "akkounts",
  "private": true,
  "dependencies": {
    "@nostrify/nostrify": "npm:@jsr/nostrify__nostrify",
    "@tailwindcss/forms": "^0.5.3",
    "autoprefixer": "^10.4.13",
    "postcss": "^8.4.19",
--- a/schemas/ldap/nostr_key.ldif
+++ b/schemas/ldap/nostr_key.ldif
@@ -5,5 +5,5 @@ attributeTypes: ( 1.3.6.1.4.1.61554.1.1.2.1.21
  NAME 'nostrKey'
  DESC 'Nostr public key'
  EQUALITY caseIgnoreMatch
-  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
--- a/schemas/ldap/pgp_key.ldif
+++ b/schemas/ldap/pgp_key.ldif
@@ -0,0 +1,8 @@
 dn: cn=schema
 changetype: modify
 add: attributeTypes
 attributeTypes: ( 1.3.6.1.4.1.3401.8.2.11
  NAME 'pgpKey'
  DESC 'OpenPGP public key block'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
--- a/scripts/build_deno_package.ts
+++ b/scripts/build_deno_package.ts
@@ -1,18 +0,0 @@
 import { bundle } from "jsr:@deno/emit";
 const [packageName, version] = Deno.args;
 if (!packageName || !version) {
  console.error('Usage: deno run -A build_deno_package.ts <package-name> <version>');
  process.exit(1);
 }
 const result = await bundle(
  new URL(`https://jsr.io/${packageName}/${version}/mod.ts`),
 );
 const { code } = result;
 const buildFolder = `vendor/javascript/${packageName}`;
 const buildFile = `${buildFolder}/build.js`
 await Deno.mkdir(buildFolder, { recursive: true });
 Deno.writeTextFileSync(buildFile, code);
--- a/spec/features/settings/account_spec.rb
+++ b/spec/features/settings/account_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe 'Account settings', type: :feature do
        .with("invalid password").and_return(false)
      allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
        .with("valid password").and_return(true)
      allow_any_instance_of(User).to receive(:pgp_pubkey).and_return(nil)
    end
    scenario 'fails with invalid password' do
@@ -55,4 +56,44 @@ RSpec.describe 'Account settings', type: :feature do
      end
    end
  end
  feature "Update OpenPGP key" do
    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
    before do
      login_as user, :scope => :user
      allow_any_instance_of(User).to receive(:ldap_entry).and_return({
        uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
      })
    end
    scenario 'rejects an invalid key' do
      expect(UserManager::UpdatePgpKey).not_to receive(:call)
      visit setting_path(:account)
      fill_in 'Public key', with: invalid_key
      click_button "Save"
      expect(current_url).to eq(setting_url(:account))
      within ".error-msg" do
        expect(page).to have_content("This is not a valid armored PGP public key block")
      end
    end
    scenario 'stores a valid key' do
      expect(UserManager::UpdatePgpKey).to receive(:call)
        .with(user: user).and_return(true)
      visit setting_path(:account)
      fill_in 'Public key', with: valid_key_alice
      click_button "Save"
      expect(current_url).to eq(setting_url(:account))
      within ".flash-msg" do
        expect(page).to have_content("Settings saved")
      end
    end
  end
 end
--- a/spec/features/settings/profile_spec.rb
+++ b/spec/features/settings/profile_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe 'Profile settings', type: :feature do
    allow(user).to receive(:display_name).and_return("Mark")
    allow_any_instance_of(User).to receive(:dn).and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
    allow_any_instance_of(User).to receive(:ldap_entry).and_return({
-      uid: user.cn, ou: user.ou, display_name: "Mark"
+      uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
    })
    allow_any_instance_of(User).to receive(:avatar).and_return(avatar_base64)
--- a/spec/features/signup_spec.rb
+++ b/spec/features/signup_spec.rb
@@ -52,7 +52,7 @@ RSpec.describe "Signup", type: :feature do
      click_button "Continue"
      expect(page).to have_content("Choose a password")
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
        .with(account: {
          username: "tony", domain: "kosmos.org",
          email: "tony@example.com", password: "a-valid-password",
@@ -96,7 +96,7 @@ RSpec.describe "Signup", type: :feature do
      click_button "Create account"
      expect(page).to have_content("Password is too short")
-      expect(CreateAccount).to receive(:call)
+      expect(UserManager::CreateAccount).to receive(:call)
        .with(account: {
          username: "tony", domain: "kosmos.org",
          email: "tony@example.com", password: "a-valid-password",
--- a/spec/fixtures/files/pgp_key_invalid.asc
+++ b/spec/fixtures/files/pgp_key_invalid.asc
@@ -0,0 +1,11 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
 ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
 MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
 dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
 OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
 E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
 DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
 0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
 =iIGO
 -----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_alice.asc
+++ b/spec/fixtures/files/pgp_key_valid_alice.asc
@@ -0,0 +1,16 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: Alice's OpenPGP certificate
 Comment: https://www.ietf.org/id/draft-bre-openpgp-samples-01.html
 mDMEXEcE6RYJKwYBBAHaRw8BAQdArjWwk3FAqyiFbFBKT4TzXcVBqPTB3gmzlC/U
 b7O1u120JkFsaWNlIExvdmVsYWNlIDxhbGljZUBvcGVucGdwLmV4YW1wbGU+iJAE
 ExYIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTrhbtfozp14V6UTmPy
 MVUMT0fjjgUCXaWfOgAKCRDyMVUMT0fjjukrAPoDnHBSogOmsHOsd9qGsiZpgRnO
 dypvbm+QtXZqth9rvwD9HcDC0tC+PHAsO7OTh1S1TC9RiJsvawAfCPaQZoed8gK4
 OARcRwTpEgorBgEEAZdVAQUBAQdAQv8GIa2rSTzgqbXCpDDYMiKRVitCsy203x3s
 E9+eviIDAQgHiHgEGBYIACAWIQTrhbtfozp14V6UTmPyMVUMT0fjjgUCXEcE6QIb
 DAAKCRDyMVUMT0fjjlnQAQDFHUs6TIcxrNTtEZFjUFm1M0PJ1Dng/cDW4xN80fsn
 0QEA22Kr7VkCjeAEC08VSTeV+QFsmz55/lntWkwYWhmvOgE=
 =iIGO
 -----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_jimmy.asc
+++ b/spec/fixtures/files/pgp_key_valid_jimmy.asc
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEZvFjRhYJKwYBBAHaRw8BAQdACUxVX9bGlbuNR0MNYUyHHxTcOgm4qjwq8Bjg
 7P41OFK0GEppbW15IDxqaW1teUBrb3Ntb3Mub3JnPoiZBBMWCgBBFiEEMWv1FiNt
 r3cjaxX2BX2Tly+4YsMFAmbxY0YCGwMFCQWjmoAFCwkIBwICIgIGFQoJCAsCBBYC
 AwECHgcCF4AACgkQBX2Tly+4YsMjHgEAoOOLrv9pWbi8hhrSMkqJ7FJvsBTQF//U
 aJUQRa8CTgoBAI3kyGKZ8gOC8UOOKsUC0LiNCVXPyX45h8T4QFRdEVYKuDgEZvFj
 RhIKKwYBBAGXVQEFAQEHQIomqcQ59UjtQex54pz8qGqyxCj2DPJYUat9pXinDgN8
 AwEIB4h+BBgWCgAmFiEEMWv1FiNtr3cjaxX2BX2Tly+4YsMFAmbxY0YCGwwFCQWj
 moAACgkQBX2Tly+4YsPoVgEA/9Q5Gs1klP4u/nw343V57e9s4RKmEiRSkErnC9wW
 Iu0A/jp6Elz2pDQPB2XLwcb+n7JlgA05HI0zWj1+EoM7TC4J
 =KQbn
 -----END PGP PUBLIC KEY BLOCK-----
--- a/spec/fixtures/files/pgp_key_valid_jimmy.pem
+++ b/spec/fixtures/files/pgp_key_valid_jimmy.pem
--- a/spec/mailers/notification_mailer_spec.rb
+++ b/spec/mailers/notification_mailer_spec.rb
@@ -0,0 +1,87 @@
 # spec/mailers/welcome_mailer_spec.rb
 require 'rails_helper'
 RSpec.describe NotificationMailer, type: :mailer do
  describe '#lightning_sats_received' do
    context "without PGP key" do
      let(:user) { create(:user, cn: "phil", email: 'phil@example.com') }
      before do
        allow_any_instance_of(User).to receive(:ldap_entry).and_return({
          uid: user.cn, ou: user.ou, display_name: nil, pgp_key: nil
        })
      end
      describe "unencrypted email" do
        let(:mail) { described_class.with(user: user, amount_sats: 21000).lightning_sats_received }
        it 'renders the correct to/from headers' do
          expect(mail.to).to eq([user.email])
          expect(mail.from).to eq(['accounts@kosmos.org'])
        end
        it 'renders the correct subject' do
          expect(mail.subject).to eq('Sats received')
        end
        it 'uses the correct content type' do
          expect(mail.header['content-type'].to_s).to include('text/plain')
        end
        it 'renders the body with correct content' do
          expect(mail.body.encoded).to match(/You just received 21,000 sats/)
          expect(mail.body.encoded).to include(user.address)
        end
        it 'includes a link to the lightning service page' do
          expect(mail.body.encoded).to include("https://accounts.kosmos.org/services/lightning")
        end
      end
    end
    context "with PGP key" do
      let(:pgp_pubkey) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
      let(:pgp_fingerprint) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
      let(:user) { create(:user, id: 2, cn: "alice", email: 'alice@example.com', pgp_fpr: pgp_fingerprint) }
      before do
        allow_any_instance_of(User).to receive(:ldap_entry).and_return({
          uid: user.cn, ou: user.ou, display_name: nil, pgp_key: pgp_pubkey
        })
      end
      describe "encrypted email" do
        let(:mail) { described_class.with(user: user, amount_sats: 21000).lightning_sats_received }
        it 'renders the correct to/from headers' do
          expect(mail.to).to eq([user.email])
          expect(mail.from).to eq(['accounts@kosmos.org'])
        end
        it 'encrypts the subject line' do
          expect(mail.subject).to eq('...')
        end
        it 'uses the correct content type' do
          expect(mail.header['content-type'].to_s).to include('multipart/encrypted')
          expect(mail.header['content-type'].to_s).to include('protocol="application/pgp-encrypted"')
        end
        it 'renders the PGP version part' do
          expect(mail.body.encoded).to include("Content-Type: application/pgp-encrypted")
          expect(mail.body.encoded).to include("Content-Description: PGP/MIME version identification")
          expect(mail.body.encoded).to include("Version: 1")
        end
        it 'renders the encrypted PGP part' do
          expect(mail.body.encoded).to include('Content-Type: application/octet-stream; name="encrypted.asc"')
          expect(mail.body.encoded).to include('Content-Description: OpenPGP encrypted message')
          expect(mail.body.encoded).to include('Content-Disposition: inline; filename="encrypted.asc"')
          expect(mail.body.encoded).to include('-----BEGIN PGP MESSAGE-----')
          expect(mail.body.encoded).to include('hF4DR')
        end
      end
    end
  end
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1,20 +1,16 @@
 require 'rails_helper'
 RSpec.describe User, type: :model do
-  let(:user) { create :user, cn: "philipp" }
+  let(:user) { create :user, cn: "philipp", ou: "kosmos.org", email: "philipp@example.com" }
  let(:dn) { "cn=philipp,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }
  describe "#address" do
    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
    it "returns the user address" do
-      expect(user.address).to eq("jimmy@kosmos.org")
+      expect(user.address).to eq("philipp@kosmos.org")
    end
  end
  describe "#mastodon_address" do
    let(:user) { build :user, cn: "jimmy", ou: "kosmos.org" }
    context "Mastodon service not configured" do
      before do
        Setting.mastodon_enabled = false
@@ -32,7 +28,7 @@ RSpec.describe User, type: :model do
      describe "domain is the same as primary domain" do
        it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.org")
+          expect(user.mastodon_address).to eq("philipp@kosmos.org")
        end
      end
@@ -42,7 +38,7 @@ RSpec.describe User, type: :model do
        end
        it "returns the user address" do
-          expect(user.mastodon_address).to eq("jimmy@kosmos.social")
+          expect(user.mastodon_address).to eq("philipp@kosmos.social")
        end
      end
@@ -239,7 +235,7 @@ RSpec.describe User, type: :model do
  describe "#nostr_pubkey" do
    before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
        .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
    end
@@ -250,7 +246,7 @@ RSpec.describe User, type: :model do
  describe "#nostr_pubkey_bech32" do
    before do
-      allow_any_instance_of(User).to receive(:ldap_entry)
+      allow(user).to receive(:ldap_entry)
        .and_return({ nostr_key: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3" })
    end
@@ -258,4 +254,73 @@ RSpec.describe User, type: :model do
      expect(user.nostr_pubkey_bech32).to eq("npub1qlsc3g0lsl8pw8230w8d9wm6xxcax3f6pkemz5measrmwfxjxteslf2hac")
    end
  end
  describe "OpenPGP key" do
    let(:alice) { create :user, id: 2, cn: "alice", email: "alice@example.com" }
    let(:jimmy) { create :user, id: 3, cn: "jimmy", email: "jimmy@example.com" }
    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
    let(:valid_key_jimmy) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.asc") }
    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
    let(:fingerprint_jimmy) { "316BF516236DAF77236B15F6057D93972FB862C3" }
    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
    before do
      GPGME::Key.import(valid_key_alice)
      GPGME::Key.import(valid_key_jimmy)
      alice.update pgp_fpr: fingerprint_alice
      jimmy.update pgp_fpr: fingerprint_jimmy
      allow(alice).to receive(:ldap_entry).and_return({ pgp_key: valid_key_alice })
      allow(jimmy).to receive(:ldap_entry).and_return({ pgp_key: valid_key_jimmy })
    end
    after do
      alice.gnupg_key.delete!
      jimmy.gnupg_key.delete!
    end
    describe "#acceptable_pgp_key_format" do
      it "validates the record when the key is valid" do
        alice.pgp_pubkey = valid_key_alice
        expect(alice).to be_valid
      end
      it "adds a validation error when the key is not valid" do
        user.pgp_pubkey = invalid_key
        expect(user).to_not be_valid
        expect(user.errors[:pgp_pubkey]).to be_present
      end
    end
    describe "#pgp_pubkey" do
      it "returns the raw pubkey from LDAP" do
        expect(alice.pgp_pubkey).to eq(valid_key_alice)
      end
    end
    describe "#gnupg_key" do
      subject { alice.gnupg_key }
      it "returns a GPGME::Key object from the system's GPG keyring" do
        expect(subject).to be_a(GPGME::Key)
        expect(subject.fingerprint).to eq(fingerprint_alice)
        expect(subject.email).to eq("alice@openpgp.example")
      end
    end
    describe "#pgp_pubkey_contains_user_address?" do
      it "returns false when the user address is one of the UIDs of the key" do
        expect(alice.pgp_pubkey_contains_user_address?).to eq(false)
      end
      it "returns true when the user address is missing from the UIDs of the key" do
        expect(jimmy.pgp_pubkey_contains_user_address?).to eq(true)
      end
    end
    describe "wkd_hash" do
      it "returns a z-base32 encoded SHA-1 digest of the username" do
        expect(alice.wkd_hash).to eq("kei1q4tipxxu1yj79k9kfukdhfy631xe")
      end
    end
  end
 end
--- a/spec/requests/web_key_directory_spec.rb
+++ b/spec/requests/web_key_directory_spec.rb
@@ -0,0 +1,101 @@
 require 'rails_helper'
 RSpec.describe "OpenPGP Web Key Directory", type: :request do
  describe "policy" do
    it "returns an empty 200 response" do
      get "/.well-known/openpgpkey/policy"
      expect(response).to have_http_status(:ok)
      expect(response.body).to be_empty
    end
  end
  describe "non-existent user" do
    it "returns a 404 status" do
      get "/.well-known/openpgpkey/hu/fmb8gw3n4zdj4xpwaziki4mwcxr1368i?l=aristotle"
      expect(response).to have_http_status(:not_found)
    end
  end
  describe "user without pubkey" do
    let(:user) { create :user, cn: 'bernd', ou: 'kosmos.org' }
    it "returns a 404 status" do
      get "/.well-known/openpgpkey/hu/kp95h369c89sx8ia1hn447i868nqyz4t?l=bernd"
      expect(response).to have_http_status(:not_found)
    end
  end
  describe "user with pubkey" do
    let(:alice) { create :user, id: 2, cn: "alice", email: "alice@example.com" }
    let(:jimmy) { create :user, id: 3, cn: "jimmy", email: "jimmy@example.com" }
    let(:valid_key_alice) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
    let(:valid_key_jimmy) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.asc") }
    let(:fingerprint_alice) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
    let(:fingerprint_jimmy) { "316BF516236DAF77236B15F6057D93972FB862C3" }
    let(:invalid_key) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_invalid.asc") }
    before do
      GPGME::Key.import(valid_key_alice)
      GPGME::Key.import(valid_key_jimmy)
      alice.update pgp_fpr: fingerprint_alice
      jimmy.update pgp_fpr: fingerprint_jimmy
    end
    after do
      alice.gnupg_key.delete!
      jimmy.gnupg_key.delete!
    end
    describe "pubkey does not contain user address" do
      before do
        allow_any_instance_of(User).to receive(:ldap_entry)
          .and_return({ pgp_key: valid_key_alice })
      end
      it "returns a 404 status" do
        get "/.well-known/openpgpkey/hu/kei1q4tipxxu1yj79k9kfukdhfy631xe?l=alice"
        expect(response).to have_http_status(:not_found)
      end
    end
    describe "pubkey contains user address" do
      before do
        allow_any_instance_of(User).to receive(:ldap_entry)
          .and_return({ pgp_key: valid_key_jimmy })
      end
      it "returns the pubkey in binary format" do
        get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf?l=jimmy"
        expect(response).to have_http_status(:ok)
        expect(response.headers['Content-Type']).to eq("application/octet-stream")
        expected_binary_data = File.binread("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.pem")
        expect(response.body).to eq(expected_binary_data)
      end
      context "with wrong capitalization of username" do
        it "returns the pubkey as ASCII Armor plain text" do
          get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf?l=JimmY"
          expect(response).to have_http_status(:ok)
          expected_binary_data = File.binread("#{Rails.root}/spec/fixtures/files/pgp_key_valid_jimmy.pem")
          expect(response.body).to eq(expected_binary_data)
        end
      end
      context "with .txt extension" do
        it "returns the pubkey as ASCII Armor plain text" do
          get "/.well-known/openpgpkey/hu/yuca4ky39mhwkjo78qb8zjgbfj1hg3yf.txt?l=jimmy"
          expect(response).to have_http_status(:ok)
          expect(response.body).to eq(valid_key_jimmy)
          expect(response.headers['Content-Type']).to eq("text/plain")
        end
      end
      context "invalid URL" do
        it "returns a 422 status" do
          get "/.well-known/openpgpkey/hu/123456abcdef?l=alice"
          expect(response).to have_http_status(:not_found)
        end
      end
    end
  end
 end
--- a/spec/services/user_manager/create_account_spec.rb
+++ b/spec/services/user_manager/create_account_spec.rb
@@ -1,8 +1,8 @@
 require 'rails_helper'
-RSpec.describe CreateAccount, type: :model do
+RSpec.describe UserManager::CreateAccount, type: :model do
  describe "#create_user_in_database" do
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'isaacnewton',
      email: 'isaacnewton@example.com',
      password: 'bright-ideas-in-autumn'
@@ -19,7 +19,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#update_invitation" do
    let(:invitation) { create :invitation }
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'isaacnewton',
      email: 'isaacnewton@example.com',
      password: 'bright-ideas-in-autumn',
@@ -42,7 +42,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#add_ldap_document" do
    include ActiveJob::TestHelper
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney',
      email: 'halfinney@example.com',
      password: 'remember-remember-the-5th-of-november'
@@ -68,7 +68,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#add_ldap_document for pre-confirmed account" do
    include ActiveJob::TestHelper
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney',
      email: 'halfinney@example.com',
      password: 'remember-remember-the-5th-of-november',
@@ -89,7 +89,7 @@ RSpec.describe CreateAccount, type: :model do
  describe "#create_lndhub_account" do
    include ActiveJob::TestHelper
-    let(:service) { CreateAccount.new(account: {
+    let(:service) { described_class.new(account: {
      username: 'halfinney', email: 'halfinney@example.com',
      password: 'bright-ideas-in-winter'
    })}
--- a/spec/services/user_manager/create_invitations_spec.rb
+++ b/spec/services/user_manager/create_invitations_spec.rb
@@ -1,13 +1,13 @@
 require 'rails_helper'
-RSpec.describe CreateInvitations, type: :model do
+RSpec.describe UserManager::CreateInvitations, type: :model do
  include ActiveJob::TestHelper
  let(:user) { create :user }
  describe "#call" do
    before do
-      CreateInvitations.call(user: user, amount: 5)
+      described_class.call(user: user, amount: 5)
    end
    after(:each) { clear_enqueued_jobs }
@@ -28,7 +28,7 @@ RSpec.describe CreateInvitations, type: :model do
  describe "#call with notification disabled" do
    before do
-      CreateInvitations.call(user: user, amount: 3, notify: false)
+      described_class.call(user: user, amount: 3, notify: false)
    end
    after(:each) { clear_enqueued_jobs }
--- a/spec/services/user_manager/update_pgp_key_spec.rb
+++ b/spec/services/user_manager/update_pgp_key_spec.rb
@@ -0,0 +1,74 @@
 require 'rails_helper'
 RSpec.describe UserManager::UpdatePgpKey, type: :model do
  include ActiveJob::TestHelper
  let(:alice) { create :user, cn: "alice" }
  let(:dn)    { "cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org" }
  let(:pubkey_asc) { File.read("#{Rails.root}/spec/fixtures/files/pgp_key_valid_alice.asc") }
  let(:fingerprint) { "EB85BB5FA33A75E15E944E63F231550C4F47E38E" }
  before do
    allow(alice).to receive(:dn).and_return(dn)
    allow(alice).to receive(:ldap_entry).and_return({
      uid: alice.cn, ou: alice.ou, pgp_key: nil
    })
  end
  describe "#call" do
    context "with valid key" do
      before do
        alice.pgp_pubkey = pubkey_asc
        allow(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: pubkey_asc)
      end
      after do
        alice.gnupg_key.delete!
      end
      it "imports the key into the GnuPG keychain" do
        described_class.call(user: alice)
        expect(alice.gnupg_key).to be_present
      end
      it "stores the key's fingerprint on the user record" do
        described_class.call(user: alice)
        expect(alice.pgp_fpr).to eq(fingerprint)
      end
      it "updates the user's LDAP entry with the new key" do
        expect(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: pubkey_asc)
        described_class.call(user: alice)
      end
    end
    context "with empty key" do
      before do
        alice.update pgp_fpr: fingerprint
        alice.pgp_pubkey = ""
        allow(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: "")
      end
      it "does not attempt to import the key" do
        expect(GPGME::Key).not_to receive(:import)
        described_class.call(user: alice)
      end
      it "removes the key's fingerprint from the user record" do
        described_class.call(user: alice)
        expect(alice.pgp_fpr).to be_nil
      end
      it "removes the key from the user's LDAP entry" do
        expect(LdapManager::UpdatePgpKey).to receive(:call)
          .with(dn: alice.dn, pubkey: "")
        described_class.call(user: alice)
      end
    end
  end
 end
--- a/yarn.lock
+++ b/yarn.lock
@@ -108,90 +108,6 @@
  resolved "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-2.0.2.tgz"
  integrity sha512-IkpVW/ehM1hWKln4fCA3NzJU8KwD+kIOvPZA4cqxoJHtE21CCzjyp+Kxbu0i5I4tBNOlXPL9mjwnWlL0VEG4Fg==
 "@jsr/nostrify__types@^0.35.0":
  version "0.35.0"
  resolved "https://npm.jsr.io/~/11/@jsr/nostrify__types/0.35.0.tgz#449D2F6DAE75E5FF660595CF3C45437D14409AF4"
  integrity sha512-dukOLFxyF7JwDvORLvb3PwMFs1HOBIkTyiewkujiGPaQ7FjvvGMiqY/QxbG0qZX5AmTtS65c/lLlg/ni1flrGQ==
 "@jsr/std__assert@^0.224.0":
  version "0.224.0"
  resolved "https://npm.jsr.io/~/11/@jsr/std__assert/0.224.0.tgz#B6D7D05F367C7991EC67B19758EDB5BD0D86B385"
  integrity sha512-RB0p0ydybgKSfTba6kHWytfpEJ0CBPi+byxZikLYa51L9uLINW52/j6n4KuiLFoh2cdFfpNZSNMY/dzQPW90DQ==
  dependencies:
    "@jsr/std__fmt" "^0.224.0"
    "@jsr/std__internal" "^0.224.0"
 "@jsr/std__crypto@^0.224.0":
  version "0.224.0"
  resolved "https://npm.jsr.io/~/11/@jsr/std__crypto/0.224.0.tgz#FA994A4B99E2D48B983E40B25D65A57BB405A04B"
  integrity sha512-qzZWI8VnH215FS7hmQsAeNafjLMkmSl1OOvexorVUEf1Zl9omHSN87MwIjtmyVXGLtpGRLzIhKXbeup1xO69Zw==
  dependencies:
    "@jsr/std__assert" "^0.224.0"
    "@jsr/std__encoding" "^0.224.0"
 "@jsr/std__encoding@^0.224.0", "@jsr/std__encoding@^0.224.1":
  version "0.224.3"
  resolved "https://npm.jsr.io/~/11/@jsr/std__encoding/0.224.3.tgz#ADBBF3F2EFA8C4F7A9063CFEF679AFF46B984FF0"
  integrity sha512-zAuX2QV1zwJ5RSmrnDGVerAtN3pBXpYYNlGzhERW9AiQ1UJd2/xruyB3i5NdTWy2OK2pjETswOj+0+prYTPlxQ==
 "@jsr/std__fmt@^0.224.0":
  version "0.224.0"
  resolved "https://npm.jsr.io/~/11/@jsr/std__fmt/0.224.0.tgz#8079EB480C2BE2414430ECCF98F24C1C325B1277"
  integrity sha512-lyrH5LesMB897QW0NIbZlGp72Ucopj2hMZW2wqB0NyZhuXfLH2sPBIUpCSf87kRKTGnx90JV905w4iTp0TD+Sg==
 "@jsr/std__internal@^0.224.0":
  version "0.224.0"
  resolved "https://npm.jsr.io/~/11/@jsr/std__internal/0.224.0.tgz#939D6DE44B7340EB097C464AFD7E7476E814B6BE"
  integrity sha512-inYzKOGAFK2tyy1D4NfwlbPiqEcSaXfOms3Tm4Y+1LmKSYOeB9wjqWHF4y/BJuYj8XUv61F7eaHaIw6NIlhBWg==
  dependencies:
    "@jsr/std__fmt" "^0.224.0"
 "@noble/ciphers@^0.5.1":
  version "0.5.3"
  resolved "https://registry.yarnpkg.com/@noble/ciphers/-/ciphers-0.5.3.tgz#48b536311587125e0d0c1535f73ec8375cd76b23"
  integrity sha512-B0+6IIHiqEs3BPMT0hcRmHvEj2QHOLu+uwt+tqDDeVd0oyVzh7BPrDcPjRnV1PV/5LaknXJJQvOuRGR0zQJz+w==
 "@noble/curves@1.2.0":
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/@noble/curves/-/curves-1.2.0.tgz#92d7e12e4e49b23105a2555c6984d41733d65c35"
  integrity sha512-oYclrNgRaM9SsBUBVbb8M6DTV7ZHRTKugureoYEncY5c65HOmRzvSiTE3y5CYaPYJA/GVkrhXEoF0M3Ya9PMnw==
  dependencies:
    "@noble/hashes" "1.3.2"
 "@noble/curves@~1.1.0":
  version "1.1.0"
  resolved "https://registry.yarnpkg.com/@noble/curves/-/curves-1.1.0.tgz#f13fc667c89184bc04cccb9b11e8e7bae27d8c3d"
  integrity sha512-091oBExgENk/kGj3AZmtBDMpxQPDtxQABR2B9lb1JbVTs6ytdzZNwvhxQ4MWasRNEzlbEH8jCWFCwhF/Obj5AA==
  dependencies:
    "@noble/hashes" "1.3.1"
 "@noble/curves@~1.6.0":
  version "1.6.0"
  resolved "https://registry.yarnpkg.com/@noble/curves/-/curves-1.6.0.tgz#be5296ebcd5a1730fccea4786d420f87abfeb40b"
  integrity sha512-TlaHRXDehJuRNR9TfZDNQ45mMEd5dwUwmicsafcIX4SsNiqnCHKjE/1alYPd/lDRVhxdhUAlv8uEhMCI5zjIJQ==
  dependencies:
    "@noble/hashes" "1.5.0"
 "@noble/hashes@1.3.1":
  version "1.3.1"
  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.3.1.tgz#8831ef002114670c603c458ab8b11328406953a9"
  integrity sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA==
 "@noble/hashes@1.3.2":
  version "1.3.2"
  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.3.2.tgz#6f26dbc8fbc7205873ce3cee2f690eba0d421b39"
  integrity sha512-MVC8EAQp7MvEcm30KWENFjgR+Mkmf+D189XJTkFIlwohU5hcBbn1ZkKq7KVTi2Hme3PMGF390DaL52beVrIihQ==
 "@noble/hashes@1.5.0", "@noble/hashes@~1.5.0":
  version "1.5.0"
  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.5.0.tgz#abadc5ca20332db2b1b2aa3e496e9af1213570b0"
  integrity sha512-1j6kQFb7QRru7eKN3ZDvRcP13rugwdxZqCjbiAVZfIJwgj2A65UmT4TgARXGlXgnRkORLTDTrO19ZErt7+QXgA==
 "@noble/hashes@~1.3.0", "@noble/hashes@~1.3.1":
  version "1.3.3"
  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.3.3.tgz#39908da56a4adc270147bb07968bf3b16cfe1699"
  integrity sha512-V7/fPHgl+jsVPXqqeOzT8egNj2iBIVt+ECeMMG8TdcnTikP3oaBtUVqpT/gYCR68aEBJSF+XbYUxStjbFMqIIA==
 "@nodelib/fs.scandir@2.1.5":
  version "2.1.5"
  resolved "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz"
@@ -213,66 +129,6 @@
    "@nodelib/fs.scandir" "2.1.5"
    fastq "^1.6.0"
 "@nostrify/nostrify@npm:@jsr/nostrify__nostrify":
  version "0.36.0"
  resolved "https://npm.jsr.io/~/11/@jsr/nostrify__nostrify/0.36.0.tgz#9A94131A51DCAA501C2AA69878DEE453E5796653"
  integrity sha512-8M/VHxP0qS1+nrt+GiDRBu3AtDaZhlOuPMH/BkqPtIyp1tAqBXAb6yCrAhxw/iORGUUronJpet1U8bEQz9K0xg==
  dependencies:
    "@jsr/nostrify__types" "^0.35.0"
    "@jsr/std__crypto" "^0.224.0"
    "@jsr/std__encoding" "^0.224.1"
    "@scure/base" "^1.1.6"
    "@scure/bip32" "^1.4.0"
    "@scure/bip39" "^1.3.0"
    lru-cache "^10.2.0"
    nostr-tools "^2.7.0"
    websocket-ts "^2.1.5"
    zod "^3.23.8"
 "@scure/base@1.1.1":
  version "1.1.1"
  resolved "https://registry.yarnpkg.com/@scure/base/-/base-1.1.1.tgz#ebb651ee52ff84f420097055f4bf46cfba403938"
  integrity sha512-ZxOhsSyxYwLJj3pLZCefNitxsj093tb2vq90mp2txoYeBqbcjDjqFhyM8eUjq/uFm6zJ+mUuqxlS2FkuSY1MTA==
 "@scure/base@^1.1.6", "@scure/base@~1.1.0", "@scure/base@~1.1.7", "@scure/base@~1.1.8":
  version "1.1.9"
  resolved "https://registry.yarnpkg.com/@scure/base/-/base-1.1.9.tgz#e5e142fbbfe251091f9c5f1dd4c834ac04c3dbd1"
  integrity sha512-8YKhl8GHiNI/pU2VMaofa2Tor7PJRAjwQLBBuilkJ9L5+13yVbC7JO/wS7piioAvPSwR3JKM1IJ/u4xQzbcXKg==
 "@scure/bip32@1.3.1":
  version "1.3.1"
  resolved "https://registry.yarnpkg.com/@scure/bip32/-/bip32-1.3.1.tgz#7248aea723667f98160f593d621c47e208ccbb10"
  integrity sha512-osvveYtyzdEVbt3OfwwXFr4P2iVBL5u1Q3q4ONBfDY/UpOuXmOlbgwc1xECEboY8wIays8Yt6onaWMUdUbfl0A==
  dependencies:
    "@noble/curves" "~1.1.0"
    "@noble/hashes" "~1.3.1"
    "@scure/base" "~1.1.0"
 "@scure/bip32@^1.4.0":
  version "1.5.0"
  resolved "https://registry.yarnpkg.com/@scure/bip32/-/bip32-1.5.0.tgz#dd4a2e1b8a9da60e012e776d954c4186db6328e6"
  integrity sha512-8EnFYkqEQdnkuGBVpCzKxyIwDCBLDVj3oiX0EKUFre/tOjL/Hqba1D6n/8RcmaQy4f95qQFrO2A8Sr6ybh4NRw==
  dependencies:
    "@noble/curves" "~1.6.0"
    "@noble/hashes" "~1.5.0"
    "@scure/base" "~1.1.7"
 "@scure/bip39@1.2.1":
  version "1.2.1"
  resolved "https://registry.yarnpkg.com/@scure/bip39/-/bip39-1.2.1.tgz#5cee8978656b272a917b7871c981e0541ad6ac2a"
  integrity sha512-Z3/Fsz1yr904dduJD0NpiyRHhRYHdcnyh73FZWiV+/qhWi83wNJ3NWolYqCEN+ZWsUz2TWwajJggcRE9r1zUYg==
  dependencies:
    "@noble/hashes" "~1.3.0"
    "@scure/base" "~1.1.0"
 "@scure/bip39@^1.3.0":
  version "1.4.0"
  resolved "https://registry.yarnpkg.com/@scure/bip39/-/bip39-1.4.0.tgz#664d4f851564e2e1d4bffa0339f9546ea55960a6"
  integrity sha512-BEEm6p8IueV/ZTfQLp/0vhw4NPnT9oWf5+28nvmeUICjP99f4vr2d+qc7AVGDDtwRep6ifR43Yed9ERVmiITzw==
  dependencies:
    "@noble/hashes" "~1.5.0"
    "@scure/base" "~1.1.8"
 "@tailwindcss/forms@^0.5.3":
  version "0.5.3"
  resolved "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.3.tgz"
@@ -543,11 +399,6 @@ lilconfig@^2.0.5, lilconfig@^2.0.6:
  resolved "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.6.tgz"
  integrity sha512-9JROoBW7pobfsx+Sq2JsASvCo6Pfo6WWoUW79HuB1BCoBXD4PLWJPqDF6fNj67pqBYTbAHkE57M1kS/+L1neOg==
 lru-cache@^10.2.0:
  version "10.4.3"
  resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-10.4.3.tgz#410fc8a17b70e598013df257c2446b7f3383f119"
  integrity sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==
 merge2@^1.3.0:
  version "1.4.1"
  resolved "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz"
@@ -599,25 +450,6 @@ normalize-range@^0.1.2:
  resolved "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz"
  integrity sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=
 nostr-tools@^2.7.0:
  version "2.7.2"
  resolved "https://registry.yarnpkg.com/nostr-tools/-/nostr-tools-2.7.2.tgz#74a6ff543a81da1dcce9563b9317faa17221acce"
  integrity sha512-Bq3Ug0SZFtgtL1+0wCnAe8AJtI7yx/00/a2nUug9SkhfOwlKS92Tef12iCK9FdwXw+oFZWMtRnSwcLayQso+xA==
  dependencies:
    "@noble/ciphers" "^0.5.1"
    "@noble/curves" "1.2.0"
    "@noble/hashes" "1.3.1"
    "@scure/base" "1.1.1"
    "@scure/bip32" "1.3.1"
    "@scure/bip39" "1.2.1"
  optionalDependencies:
    nostr-wasm v0.1.0
 nostr-wasm@v0.1.0:
  version "0.1.0"
  resolved "https://registry.yarnpkg.com/nostr-wasm/-/nostr-wasm-0.1.0.tgz#17af486745feb2b7dd29503fdd81613a24058d94"
  integrity sha512-78BTryCLcLYv96ONU8Ws3Q1JzjlAt+43pWQhIl86xZmWeegYCNLPml7yQ+gG3vR6V5h4XGj+TxO+SS5dsThQIA==
 object-hash@^3.0.0:
  version "3.0.0"
  resolved "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz"
@@ -1069,11 +901,6 @@ util-deprecate@^1.0.2:
  resolved "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz"
  integrity sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=
 websocket-ts@^2.1.5:
  version "2.1.5"
  resolved "https://registry.yarnpkg.com/websocket-ts/-/websocket-ts-2.1.5.tgz#b6b51f0afca89d6bc7ff71c9e74540f19ae0262c"
  integrity sha512-rCNl9w6Hsir1azFm/pbjBEFzLD/gi7Th5ZgOxMifB6STUfTSovYAzryWw0TRvSZ1+Qu1Z5Plw4z42UfTNA9idA==
 xtend@^4.0.2:
  version "4.0.2"
  resolved "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz"
@@ -1083,8 +910,3 @@ yaml@^1.10.2:
  version "1.10.2"
  resolved "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz"
  integrity sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==
 zod@^3.23.8:
  version "3.23.8"
  resolved "https://registry.yarnpkg.com/zod/-/zod-3.23.8.tgz#e37b957b5d52079769fb8097099b592f0ef4067d"
  integrity sha512-XBx9AXhXktjUqnepgTiE5flcKIYWi/rme0Eaj+5Y0lftuGBq+jyRu/md4WnuxqgP1ubdpNCsYEYPxrzVHD8d6g==
Author	SHA1	Message	Date
Râu Cao	b6bcfa2ee3	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2025-04-18 14:54:01 +04:00
Râu Cao	536052e9bf	Merge pull request 'Upgrade strfry/deno, port strfry policies to @nostrify/policies' (#214 ) from chore/upgrade_strfry_deno into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #214	2025-04-18 10:51:35 +00:00
Râu Cao	b29a0abb0b	Document strfry integration All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 3s Details	2025-04-16 17:34:10 +04:00
Râu Cao	29ff486683	Port strfry policies to @nostrify/policies Use packages from JSR and adapt code for new policy APIs	2025-04-15 19:01:22 +04:00
Râu Cao	e53b9dd186	Upgrade strfry docker image Contains latest strfry (1.0.4) and deno (2.2.10)	2025-04-15 19:00:52 +04:00
Râu Cao	a2921297fe	Fix seeds The CreateAccount service has moved to a namespace	2025-04-11 16:14:44 +04:00
Râu Cao	9082ee45d8	Merge branch 'master' into live	2025-01-02 08:32:15 -05:00
Râu Cao	7df56479a4	Fix 500 when pubkey is nil	2025-01-02 08:30:58 -05:00
Râu Cao	29264aad98	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-10-16 13:33:35 +02:00
Râu Cao	8aa3ca9e23	Merge pull request 'Let users upload their OpenPGP public key, and serve WKD response' (#205 ) from feature/191-gpg_keys_wkd into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #205 Reviewed-by: galfert <garret.alfert@gmail.com>	2024-10-14 14:08:31 +00:00
Râu Cao	3ad1d03785	Merge pull request 'Encrypt all system emails for users with PGP key' (#207 ) from feature/encrypted_system_emails into feature/191-gpg_keys_wkd All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 4s Details Reviewed-on: #207 Reviewed-by: galfert <garret.alfert@gmail.com>	2024-10-14 13:39:01 +00:00
Râu Cao	e258a8bd27	Merge pull request 'Use ASCII format for nostrKey LDAP schema' (#206 ) from chore/nostr_key_ldap_schema into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #206 Reviewed-by: galfert <garret.alfert@gmail.com>	2024-10-10 14:18:31 +00:00
Râu Cao	339462f320	Refactor mailer options usage All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Successful in 5s Details	2024-10-08 14:06:10 +02:00
Râu Cao	c4c2d16342	Encrypt outgoing emails when possible	2024-10-08 14:05:50 +02:00
Râu Cao	3ee76e26ab	Re-import user's pubkey on access All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Sometimes, the pubkey might not be imported in the local keychain (anymore), but at this point in the code it had been successfully imported at least once before. So we just (re-)import every time for it to never fail.	2024-10-08 11:34:18 +02:00
Râu Cao	729e4fd566	Add WKD policy endpoint All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2024-09-26 23:11:21 +02:00
Râu Cao	8ad6adbaeb	Use ASCII format for nostrKey LDAP schema Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Release Drafter / Update release notes draft (pull_request) Failing after 10m11s Details No need for UTF-8	2024-09-25 18:35:48 +02:00
Râu Cao	534e5a9d3c	Gracefully handle wrong capitalization of username All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2024-09-25 00:20:30 +02:00
Râu Cao	1b72c97f42	Remove obsolete code	2024-09-25 00:17:30 +02:00
Râu Cao	bfd8ca16a9	Merge branch 'master' into feature/191-gpg_keys_wkd	2024-09-25 00:16:39 +02:00
Râu Cao	259b51a95e	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-24 21:40:25 +02:00
Râu Cao	9f6fa6deba	Remove example link All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details Until we have a live example on kosmos.org	2024-09-23 20:36:05 +02:00
Râu Cao	37b106e73c	Whitespace All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/pr Build is passing Details	2024-09-23 19:22:52 +02:00
Râu Cao	c3f1f97e1a	Add display name and PGP key to admin user page Link the key to the ASCII Armor WKD endpoint, if it contains the user's account address	2024-09-23 19:21:59 +02:00
Râu Cao	4a677178e8	Add Web Key Directory endpoint Serve public keys in binary and armored text, if they contain a user's account address.	2024-09-23 19:20:10 +02:00
Râu Cao	3042a02a17	Allow users to update their OpenPGP pubkey All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 18:13:39 +02:00
Râu Cao	118fddb497	Document URLs for settings controller actions No need to read the route sources all the time	2024-09-23 16:07:02 +02:00
Râu Cao	ba683a7b95	Move some Rails app services to UserManager namespace All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 16:03:02 +02:00
Râu Cao	90a8a70c15	Add OpenPGP key to LDAP directory and User model All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-23 15:20:00 +02:00
Râu Cao	fb369530e3	Merge branch 'master' into live Some checks failed continuous-integration/drone/push Build is failing Details	2024-09-14 17:18:09 +02:00
Râu Cao	5dc10a4d33	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-14 16:46:27 +02:00
Râu Cao	2297c68046	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-14 16:41:01 +02:00
Râu Cao	b82ab45c99	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-14 14:57:35 +02:00
Râu Cao	d12c63db26	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-09-10 16:07:24 +02:00
Râu Cao	e6a9ef84ce	Merge branch 'master' into live Some checks failed continuous-integration/drone/push Build is failing Details	2024-08-19 15:13:46 +02:00
Râu Cao	b7e91344a0	Merge branch 'master' into live Some checks failed continuous-integration/drone/push Build is failing Details	2024-08-19 14:48:35 +02:00
Râu Cao	0f07e32781	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-08-17 14:49:29 +02:00
Râu Cao	1311b5ed6a	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-08-17 14:46:00 +02:00
Râu Cao	12f82061e8	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-08-17 14:42:32 +02:00
Râu Cao	a07b4369ab	Hide njump link for users without pubkey All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-23 17:33:34 +02:00
Râu Cao	2605c06807	Merge branch 'feature/admin_pages' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-23 17:30:22 +02:00
Râu Cao	1db768fb15	Merge branch 'feature/admin_pages' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-23 17:27:03 +02:00
Râu Cao	8a7403df32	Merge branch 'feature/own_relay' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-20 15:52:03 +02:00
Râu Cao	f0295fef7a	Merge branch 'feature/own_relay' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-20 15:28:55 +02:00
Râu Cao	090affd304	Merge branch 'feature/own_relay' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-20 14:51:20 +02:00
Râu Cao	bafddd436b	Merge branch 'feature/own_relay' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-20 13:59:59 +02:00
Râu Cao	560f193c4b	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-20 13:56:11 +02:00
Râu Cao	8aabbad5bb	Merge branch 'feature/strfry_zap_receipts' into live	2024-06-20 13:56:00 +02:00
Râu Cao	ba8d21eb7a	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-09 13:29:57 +02:00
Râu Cao	53df455d53	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-09 13:17:51 +02:00
Râu Cao	9f1af3a9aa	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-07 14:13:53 +02:00
Râu Cao	1d09008ce2	Merge branch 'master' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-06-04 17:45:13 +02:00
Râu Cao	57c5317c38	Merge branch 'feature/170-nostr_zaps' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-05-21 18:29:13 +02:00
Râu Cao	41bd920060	Merge branch 'feature/170-nostr_zaps' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-05-21 18:09:09 +02:00
Râu Cao	0815fa6040	Merge branch 'feature/170-nostr_zaps' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-05-19 17:07:58 +02:00
Râu Cao	af0e99aa50	Merge branch 'feature/170-nostr_zaps' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-05-19 16:55:10 +02:00
Râu Cao	f05eec5255	Merge branch 'feature/170-nostr_zaps' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-05-19 16:48:28 +02:00
Râu Cao	66ca2dc6b0	Merge branch 'feature/173-nostr_ldap' into live All checks were successful continuous-integration/drone/push Build is passing Details	2024-05-19 13:44:24 +02:00
Râu Cao	800183e9da	Increase sidekiq concurrency in prod All checks were successful continuous-integration/drone/push Build is passing Details	2024-05-19 13:44:01 +02:00
		`@@ -0,0 +1,2 @@`
							`class UserManagerService < ApplicationService`
							`end`