From aef9e24e405ad4cccd99b7f48ff35e5df01f365b Mon Sep 17 00:00:00 2001
From: mleku
Date: Sun, 28 Dec 2025 19:31:39 +0200
Subject: [PATCH] Require CAT for NIP-46 bunker connections (v0.42.0)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Enforce Cashu access token for kind 24133 events when Cashu is enabled and ACL is active
- Reject NIP-46 events without valid token with "restricted: NIP-46 requires Cashu access token"
- Verify token scope is NIP-46 or RELAY
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 app/handle-event.go | 21 +++++++++++++++++++++
 pkg/version/version | 2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/app/handle-event.go b/app/handle-event.go
index d3b881c..ee71c2b 100644
--- a/app/handle-event.go
+++ b/app/handle-event.go
@@ -6,6 +6,7 @@ import (
 "lol.mleku.dev/chk"
 "lol.mleku.dev/log"
 "next.orly.dev/pkg/acl"
+ "next.orly.dev/pkg/cashu/token"
 "next.orly.dev/pkg/event/routing"
 "git.mleku.dev/mleku/nostr/encoders/envelopes/authenvelope"
 "git.mleku.dev/mleku/nostr/encoders/envelopes/eventenvelope"
@@ -140,6 +141,26 @@ func (l *Listener) HandleEvent(msg []byte) (err error) { return } + // Require Cashu token for NIP-46 events when Cashu is enabled and ACL is active + const kindNIP46 = 24133 + if env.E.Kind == kindNIP46 && l.CashuVerifier != nil && l.Config.ACLMode != "none" { + if l.cashuToken == nil { + log.W.F("HandleEvent: rejecting NIP-46 event - Cashu access token required") + if err = Ok.Error(l, env, "restricted: NIP-46 requires Cashu access token"); chk.E(err) { + return + } + return + } + // Also verify the token has NIP-46 scope + if l.cashuToken.Scope != token.ScopeNIP46 && l.cashuToken.Scope != token.ScopeRelay { + log.W.F("HandleEvent: rejecting NIP-46 event - token scope %q not valid for NIP-46", l.cashuToken.Scope) + if err = Ok.Error(l, env, "restricted: access token scope not valid for NIP-46"); chk.E(err) { + return + } + return + } + } + // Handle NIP-43 special events before ACL checks switch env.E.Kind { case nip43.KindJoinRequest: diff --git a/pkg/version/version b/pkg/version/version index 9dedf1e..01efe7f 100644 --- a/pkg/version/version +++ b/pkg/version/version @@ -1 +1 @@ -v0.41.0 +v0.42.0
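Review bot: The new NIP-46 gate in HandleEvent trusts `l.cashuToken` as it stands: it checks only for nil and for `Scope` being `token.ScopeNIP46` or `token.ScopeRelay`, so signature and expiry validation must already have happened wherever that field is set, which is outside this hunk. If the token is attached once when the connection is established, one that lapses afterwards would presumably keep authorizing kind 24133 events for the life of the socket. Worth confirming, and then either re-checking validity here or stating the invariant above the condition, e.g. `// NOTE: l.cashuToken is assumed verified when attached to the connection; only nil and scope are checked per event`. Both rejection paths also call `log.W.F` once per rejected event, so consider rate-limiting or lowering that log level to keep unauthenticated traffic from flooding the warning log. HandleEvent's body starts and ends outside the hunk.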