Remove auto-profile creation and add auth config docs (v0.48.11)

- Remove createDefaultProfile() function from nostr.js that auto-created
  placeholder profiles for new users - profiles should not be auto-generated
- Add auth-required configuration caution section to CLAUDE.md documenting
  risks of enabling NIP-42 auth on production relays

Files modified:
- CLAUDE.md: Added auth-required configuration section
- app/web/src/nostr.js: Removed createDefaultProfile and auto-profile logic
- app/web/dist/bundle.js: Rebuilt with changes
- pkg/version/version: v0.48.11

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

CLAUDE.md

@@ -130,6 +130,21 @@ if timeout > DefaultTimeoutSeconds {
 - Provide public API methods (`IsEnabled()`, `CheckPolicy()`)
 - Never change unexported→exported to fix bugs
 
+### 6. Auth-Required Configuration (CAUTION)
+
+**Be extremely careful when modifying auth-related settings in deployment configs.**
+
+The `ORLY_AUTH_REQUIRED` and `ORLY_AUTH_TO_WRITE` settings control whether clients must authenticate via NIP-42 before interacting with the relay. Changing these on a production relay can:
+
+- **Lock out all existing clients** if they don't support NIP-42 auth
+- **Break automated systems** (bots, bridges, scrapers) that depend on anonymous access
+- **Cause data sync issues** if upstream relays can't push events
+
+Before enabling auth-required on any deployment:
+1. Verify all expected clients support NIP-42
+2. Ensure the relay identity key is properly configured
+3. Test with a non-production instance first
+
 ## Database Backends
 
 | Backend | Use Case | Build |

app/web/src/nostr.js

@@ -480,14 +480,9 @@ export async function fetchUserProfile(pubkey) {
     console.warn("Failed to fetch profile from fallback relays:", error);
   }
 
-  // 4) No profile found anywhere - create a default profile for new users
-  console.log("No profile found for pubkey, creating default:", pubkey);
-  try {
-    return await createDefaultProfile(pubkey);
-  } catch (e) {
-    console.error("Failed to create default profile:", e);
-    return null;
-  }
+  // 4) No profile found anywhere
+  console.log("No profile found for pubkey:", pubkey);
+  return null;
 }
 
 // Helper to fetch profile from fallback relays
@@ -561,57 +556,6 @@ async function processProfileEvent(profileEvent, pubkey) {
   return profile;
 }
 
-/**
- * Create a default profile for new users
- * @param {string} pubkey - The user's public key (hex)
- * @returns {Promise<Object>} - The created profile
- */
-async function createDefaultProfile(pubkey) {
-  // Generate name from first 6 chars of pubkey
-  const shortId = pubkey.slice(0, 6);
-  const defaultName = `testuser${shortId}`;
-
-  // Get the current origin for the logo URL
-  const logoUrl = `${window.location.origin}/orly.png`;
-
-  const profileContent = {
-    name: defaultName,
-    display_name: defaultName,
-    picture: logoUrl,
-    about: "New ORLY user"
-  };
-
-  const profile = {
-    name: defaultName,
-    displayName: defaultName,
-    picture: logoUrl,
-    about: "New ORLY user",
-    pubkey: pubkey
-  };
-
-  // Try to publish the profile if we have a signer
-  if (nostrClient.signer) {
-    try {
-      const event = {
-        kind: 0,
-        content: JSON.stringify(profileContent),
-        tags: [],
-        created_at: Math.floor(Date.now() / 1000)
-      };
-
-      // Sign and publish using the websocket-auth client
-      const signedEvent = await nostrClient.signer.signEvent(event);
-      await nostrClient.publish(signedEvent);
-      console.log("Default profile published:", signedEvent.id);
-    } catch (e) {
-      console.warn("Failed to publish default profile:", e);
-      // Still return the profile even if publishing fails
-    }
-  }
-
-  return profile;
-}
-
 // Fetch events
 export async function fetchEvents(filters, options = {}) {
   console.log(`Starting event fetch with filters:`, JSON.stringify(filters, null, 2));

pkg/version/version

@@ -1 +1 @@
-v0.48.10
+v0.48.11