| 1 | +# Contributing to Nostr WoT Extension |
| 2 | + |
| 3 | +Thank you for your interest in contributing! This extension provides NIP-07 signing, Web of Trust distance checking, and trust score badge injection for Nostr web clients. |
| 4 | + |
| 5 | +## Getting Started |
| 6 | + |
| 7 | +### Prerequisites |
| 8 | + |
| 9 | +- Node.js 18+ (for running tests) |
| 10 | +- Chrome or Firefox browser |
| 11 | +- Basic familiarity with browser extension development (MV3) |
| 12 | + |
| 13 | +### Setup |
| 14 | + |
| 15 | +```bash |
| 16 | +git clone https://github.com/user/nostr-wot-extension.git |
| 17 | +cd nostr-wot-extension |
| 18 | +``` |
| 19 | + |
| 20 | +No build step required — the extension uses plain ES modules with no bundler. |
| 21 | + |
| 22 | +### Loading the Extension |
| 23 | + |
| 24 | +**Chrome:** |
| 25 | +1. Open `chrome://extensions` |
| 26 | +2. Enable "Developer mode" |
| 27 | +3. Click "Load unpacked" and select the project directory |
| 28 | + |
| 29 | +**Firefox:** |
| 30 | +1. Open `about:debugging#/runtime/this-firefox` |
| 31 | +2. Click "Load Temporary Add-on" |
| 32 | +3. Select any file in the project directory (e.g., `manifest.json`) |
| 33 | + |
| 34 | +### Running Tests |
| 35 | + |
| 36 | +```bash |
| 37 | +node --test tests/ |
| 38 | +``` |
| 39 | + |
| 40 | +Tests use Node.js native `node:test` module with browser API mocks in `tests/helpers/`. |
| 41 | + |
| 42 | +## Project Structure |
| 43 | + |
| 44 | +``` |
| 45 | +├── background.js # Service worker — all business logic |
| 46 | +├── content.js # Content script (ISOLATED world) — message bridge |
| 47 | +├── inject.js # Page script (MAIN world) — window.nostr API |
| 48 | +├── badges/ |
| 49 | +│ ├── engine.js # Badge injection engine (MAIN world) |
| 50 | +│ ├── badges.css # Badge visual styles |
| 51 | +│ └── adapters/ # Per-site badge adapters |
| 52 | +│ ├── primal.js |
| 53 | +│ ├── snort.js |
| 54 | +│ ├── nostrudel.js |
| 55 | +│ ├── coracle.js |
| 56 | +│ ├── iris.js |
| 57 | +│ └── generic.js # Fallback for any site with npub links |
| 58 | +├── lib/ |
| 59 | +│ ├── crypto/ # Pure JS crypto (secp256k1, schnorr, NIPs) |
| 60 | +│ ├── storage.js # IndexedDB per-account graph storage |
| 61 | +│ ├── sync.js # BFS graph sync from relays |
| 62 | +│ ├── graph.js # Precomputed BFS with typed array cache |
| 63 | +│ ├── scoring.js # Trust score calculation |
| 64 | +│ ├── vault.js # AES-256-GCM encrypted key vault |
| 65 | +│ ├── signer.js # NIP-07 signing coordinator |
| 66 | +│ ├── permissions.js # Per-site permission storage |
| 67 | +│ ├── accounts.js # Account creation/import |
| 68 | +│ ├── nip46.js # NIP-46 Nostr Connect client |
| 69 | +│ └── browser.js # Cross-browser compatibility shim |
| 70 | +├── popup/ # Extension popup (tab-based UI) |
| 71 | +├── onboarding/ # First-run setup wizard |
| 72 | +├── prompt/ # Signing request approval popup |
| 73 | +├── docs/ |
| 74 | +│ ├── architecture.md # Technical architecture reference |
| 75 | +│ └── add_badge.md # Guide for adding badge support |
| 76 | +└── tests/ # Node.js test suite |
| 77 | +``` |
| 78 | + |
| 79 | +## Types of Contributions |
| 80 | + |
| 81 | +### Adding Badge Support for a New Nostr Client |
| 82 | + |
| 83 | +This is the easiest way to contribute. See [docs/add_badge.md](docs/add_badge.md) for the full guide. |
| 84 | + |
| 85 | +**Quick version:** |
| 86 | +1. Inspect the target site's DOM structure |
| 87 | +2. Add a site adapter to `wot-badges.js` |
| 88 | +3. Test on the actual site |
| 89 | +4. Submit a PR with screenshots |
| 90 | + |
| 91 | +### Bug Fixes |
| 92 | + |
| 93 | +1. Check existing issues first |
| 94 | +2. Create a failing test case if possible |
| 95 | +3. Fix the bug |
| 96 | +4. Verify existing tests still pass: `node --test tests/` |
| 97 | + |
| 98 | +### New Features |
| 99 | + |
| 100 | +1. Open an issue to discuss the feature first |
| 101 | +2. Reference the relevant NIP if applicable |
| 102 | +3. Follow existing patterns in the codebase |
| 103 | +4. Add tests for new backend logic |
| 104 | + |
| 105 | +## Pull Request Process |
| 106 | + |
| 107 | +### 1. Fork and Branch |
| 108 | + |
| 109 | +```bash |
| 110 | +git checkout -b feature/my-change |
| 111 | +``` |
| 112 | + |
| 113 | +Use these branch name prefixes: |
| 114 | +- `feature/` — new functionality |
| 115 | +- `fix/` — bug fixes |
| 116 | +- `badge/` — new site badge support |
| 117 | +- `docs/` — documentation |
| 118 | + |
| 119 | +### 2. Make Changes |
| 120 | + |
| 121 | +- Follow existing code style (no linter configured — match surrounding code) |
| 122 | +- Use plain ES modules, no build tools |
| 123 | +- Use optional chaining (`?.`) for DOM access |
| 124 | +- Zero private keys after use (`privkey.fill(0)` in `try/finally`) |
| 125 | +- Gate privileged message handlers via `PRIVILEGED_METHODS` Set |
| 126 | +- No external dependencies — the extension is self-contained |
| 127 | + |
| 128 | +### 3. Test |
| 129 | + |
| 130 | +```bash |
| 131 | +node --test tests/ |
| 132 | +``` |
| 133 | + |
| 134 | +For UI changes, manually test in Chrome and Firefox: |
| 135 | +- Open the popup and verify all tabs work |
| 136 | +- Test dark mode (system preference) |
| 137 | +- Test with 0 accounts, 1 account, and multiple accounts |
| 138 | +- Test with both signing accounts and read-only accounts |
| 139 | + |
| 140 | +### 4. Submit |
| 141 | + |
| 142 | +- Write a clear PR title (e.g., "badge: add support for habla.news") |
| 143 | +- Describe what changed and why |
| 144 | +- Include screenshots for UI changes |
| 145 | +- Reference any related issues |
| 146 | + |
| 147 | +## Architecture Notes |
| 148 | + |
| 149 | +Read [docs/architecture.md](docs/architecture.md) for the full technical reference. Key points: |
| 150 | + |
| 151 | +- **No build system** — files are loaded directly by the browser |
| 152 | +- **Message passing** — inject.js → content.js → background.js via `postMessage` and `runtime.sendMessage` |
| 153 | +- **Privileged methods** — vault, permission, and management operations are gated to internal extension pages via sender ID verification |
| 154 | +- **Per-account databases** — each account gets its own IndexedDB named `nostr-wot-{accountId}` |
| 155 | +- **Precomputed graph** — distances are cached in typed arrays for O(1) lookup after first query |
| 156 | + |
| 157 | +## Security Guidelines |
| 158 | + |
| 159 | +- Never log or expose private keys |
| 160 | +- Always zero `Uint8Array` private keys after use |
| 161 | +- Validate all inputs from web pages (content script allowlists) |
| 162 | +- Use `sender.id` checks for privileged operations |
| 163 | +- Rate-limit external-facing API methods |
| 164 | +- Verify event signatures before trusting relay data |
| 165 | + |
| 166 | +## Code of Conduct |
| 167 | + |
| 168 | +Be respectful, constructive, and focused on building great software. Technical disagreements are welcome; personal attacks are not. |
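Review bot: The "Privileged methods" bullet in Architecture Notes and the "Use `sender.id` checks" bullet in Security Guidelines present sender ID verification as what restricts privileged operations to internal extension pages, but a message sent by the extension's own content script carries the same `sender.id` as one sent by the popup or prompt page, so the ID alone does not separate internal pages from the content.js bridge that relays web-page input. Suggest the guideline name the additional check contributors must preserve (for example, that `sender.url` is one of the extension's own pages) or point to the section of docs/architecture.md that specifies it. Separately, step 2 of the badge "Quick version" says to add a site adapter to `wot-badges.js`, while the Project Structure tree lists adapters as per-site files under `badges/adapters/` and contains no `wot-badges.js`; one of the two should be updated. The clone URL `https://github.com/user/nostr-wot-extension.git` in Setup also reads like a placeholder owner and should be the real repository path.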