Skip to content

fix(sidebar): gate working pill on NIP-OA ownership#1415

Draft
tellaho wants to merge 9 commits into
mainfrom
tho/pill-nipoa-gate
Draft

fix(sidebar): gate working pill on NIP-OA ownership#1415
tellaho wants to merge 9 commits into
mainfrom
tho/pill-nipoa-gate

Conversation

@tellaho

@tellaho tellaho commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

What

The sidebar "working" pill currently only lights for agents the local build manages. This makes it light for any agent the viewer OWNS (declared NIP-OA owner), regardless of which machine hosts it — matching the viewerIsOwner signal used everywhere else in the UI. Before this change, an owned-but-remote agent showed no pill.

How

A single-site change in the sidebar working-pill bridge (desktop/src/features/sidebar/lib/useActiveWorkingChannelsById.ts):

  • getOwnedRelayWorkingAgents collects relay agents whose profile ownerPubkey matches the current viewer (normalized, case-insensitive — same rule as viewerIsOwner at MembersSidebar.tsx:581).
  • mergeWorkingAgents merges those owned-remote agents with locally-managed agents as status: "deployed" and feeds the merged set into the existing observer + active-turn bridges. Managed agents win duplicate pubkeys (managed-first, case-insensitive seenPubkeys).
  • The tooltip name resolver is extended so owned-remote agents resolve to names, not just counts.

Why the relay posture is preserved (not loosened where it matters)

  • The relay subscription is already ownership-keyed: #p:[identity.pubkey] with server-side is_agent_owner. A viewer only ever receives observer frames for agents the relay has already confirmed they own.
  • The two client gates that suppressed the pill (hasActiveAgent start-gate, knownAgentPubkeys frame-trust set) were a strictly-narrower local-custody filter layered on top. This re-keys them to declared ownership so the client matches the relay's existing ownership scope — it grants no access to anything the relay wouldn't already stream.
  • A forged profile claiming ownerPubkey === you adds a pubkey to the trust set, but no frames arrive unless the relay actually streams them (real ownership required), and the sender == agent defense-in-depth check (observerRelayStore) is untouched. A client-side profile claim cannot manufacture telemetry access.
  • Blast radius: exactly 2 files, both in sidebar/lib. observerRelayStore.ts, ChannelScreen.tsx, and the profile panel are untouched.

Tests

  • getOwnedRelayWorkingAgents / mergeWorkingAgents unit coverage: owner-match, non-owned drop, no-viewer empty, case-insensitive dedupe (managed wins), owned-relay name resolution, and the ownerless-relay-agent guard (missing profile in batch + ownerPubkey: null both drop to []).
  • biome check . green, pnpm --dir desktop typecheck green, full desktop suite 1393 / 0 failures (sidebar + agents slice green incl. the new helper tests).

Follow-up (not in this PR)

  • No end-to-end proof the pill actually lights. The mechanism is verified by trace + unit tests, and the OWNED_RELAY_AGENT_PUBKEY fixture exists, but seeding an observer working frame for an owned-remote agent and asserting the pill appears would require building an observer-frame seed harness that doesn't exist yet. Disproportionate here; worth a follow-up e2e someday.

Rollback

Revert the implementation commit — both bridges fall back to managedAgents.

Co-authored-by: Taylor Ho taylorkmho@gmail.com
Signed-off-by: Taylor Ho taylorkmho@gmail.com

npub1223z34hd7vtwc6qj4s7flsxkj644nlre2nthu7lrrmkumhu3xddsrx9r6w and others added 3 commits June 30, 2026 19:31
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
@tellaho tellaho force-pushed the tho/pill-nipoa-gate branch from 4516c77 to a8d1501 Compare July 1, 2026 02:33
npub1223z34hd7vtwc6qj4s7flsxkj644nlre2nthu7lrrmkumhu3xddsrx9r6w and others added 6 commits June 30, 2026 20:08
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
@tellaho tellaho marked this pull request as draft July 1, 2026 21:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant