• nostr-sqlite
• rely
• blossy
• rate
• Vertex Crawler
• Vertex Relay
• npub.world, Leak Banner

§nostr-sqlite

nostr-sqlite received several correctness and performance fixes this quarter. The most critical was a bug that caused queries filtering on multiple tag types (e.g. both #e and #p) to return incorrect results, a silent data integrity issue affecting any relay or application built on the library. The query builder was also simplified and a documented edge case in the count query was fixed.

On the performance side, the default in-memory cache was raised from 2MB to 64MB and the database lock timeout was tuned upward, meaningfully reducing contention under concurrent load.

Support for Nostr’s delete event (kind:5) was also completed: a new atomic operation now removes all referenced events in a single transaction, correctly handling both e and a tag types.

Other minor improvements can be found here.

§rely

rely received a focused round of improvements to NIP-42 auth handling and developer ergonomics. Auth validation is now stricter and more correct, URL normalization was improved to handle edge cases that previously could cause valid auth attempts to be rejected. Developers also have more control over auth challenge configuration, and subscriptions now carry a request ID that makes per-request tracking and logging much easier.

Other minor improvements can be found here.

§blossy

blossy delivered on two fronts this quarter: security and new capabilities.

On the security side, the Blossom authorization scheme was updated to comply with BUD-11, which I co-authored. This closes the upload authorization replay vulnerability that was identified and reported last quarter.

On the capabilities side, blossy now supports range requests, which are essential for streaming video and audio, a client can fetch only the bytes it needs rather than the whole blob. Server builders can also now redirect blob downloads to an external URL (e.g. a CDN) rather than always serving files directly, unlocking new deployment architectures.

Other minor improvements can be found here.

§rate

rate reached a stable, complete state this quarter. The token bucket rate limiter now has a clean API for penalizing, rewarding, and inspecting balances, a fixed data race, and thorough documentation. The library is ready for use in production in relays, blossom servers for IP- or pubkey-based rate limiting.

§Vertex Crawler

§New Relay Pool

After months of painful bugs and missing events, I’ve finally decided to write from scratch a relay pool implementation that satisfied the special needs of Vertex. I needed a way to:

dynamically add and remove relays from the pool, as they are discovered using the gossip model automatically re-open closed subscriptions with backoff automatically re-open closed relay connections with backoff, replaying all active subscriptions

Achieving these goals allowed a much wider and accurate coverage of Nostr activity, as shown by the npub.world public statistics, which dramatically increased after deploying the new pool on Mar 13.

Other improvements can be found here.

§Nsec Leak Detection

The most impactful work of the quarter is a real-time nsec leak detection engine built into the crawler.

Accidentally posting one’s private key (nsec) in a Nostr note is a serious and irreversible incident, once a key is public, anyone who sees it controls that account permanently. The crawler is uniquely positioned to detect this: it already processes a large portion of the Nostr firehose, so adding a detection pass over incoming notes is a natural extension.

The pipeline works in stages: incoming events are first checked with a fast pre-filter to identify candidates, then candidate keys are fully validated before being stored. Confirmed leaks are persisted in a dedicated database, the node’s status is updated in the social graph, and a hook fires immediately so other parts of the system, the relay and npub.world, can act on it in real time.

Other improvements can be found here.

§Vertex Relay

Added to VerifyReputation a proof of leak, if found. The proof of leak is the signature, using the leaked nsec, over the fixed message vertex-proof-leak:

§npub.world, Leak Banner

npub.world, the Nostr profile explorer, was updated to surface leak information to users:

• Added a LeakBanner on profile pages that warns when a user’s private key has been detected as leaked, along with the timestamp of the leak
• Made dark mode the default theme
• Added a top navigation bar with links to stats, GitHub, and a theme selector
• Switched to self-hosting fonts instead of requesting them from Google (a small privacy improvement)
• Added a “learn more” toggle to the relay pool explainer on the stats page, which now also documents the expanded relay coverage from NIP-65 discovery