Skip to main content

vector_core/
badges.rs

1//! Profile badges — fetch, validate, and cache.
2//!
3//! Badges are not loaded during the critical boot path. The cache is filled
4//! once after initial sync (see `refresh_own_badges`) so badge-gated perks
5//! (e.g. raised emoji-pack limits) resolve without an on-demand network
6//! round-trip. `has_vector_badge` is the cheap synchronous reader used by
7//! those gates.
8
9use nostr_sdk::prelude::*;
10use std::collections::HashSet;
11use std::sync::LazyLock;
12
13// Guy Fawkes Day 2025 — V for Vector badge claim window.
14const FAWKES_DAY_START: u64 = 1762300800; // 2025-11-05 00:00:00 UTC
15const FAWKES_DAY_END: u64 = 1762387200; // 2025-11-06 00:00:00 UTC
16
17/// Per-account settings key: "true" once we've confirmed the Vector badge.
18const BADGE_VECTOR_KEY: &str = "badge_vector";
19/// Per-account settings key: unix-secs of the last unsuccessful resolve pass.
20/// Throttles re-checking for accounts that don't (yet) hold the badge.
21const BADGE_CHECK_TS_KEY: &str = "badge_check_ts";
22/// Don't re-run the full retry loop more than this often for an account we've
23/// already checked without success. The claim window is permanently closed, so
24/// a non-holder can never become a holder — frequent restarts shouldn't each
25/// trigger a fresh relay sweep.
26const RECHECK_COOLDOWN_SECS: u64 = 6 * 3600;
27
28fn unix_now() -> u64 {
29    std::time::SystemTime::now()
30        .duration_since(std::time::UNIX_EPOCH)
31        .map(|d| d.as_secs())
32        .unwrap_or(0)
33}
34
35/// Whether a kind-30078 event is a valid Fawkes badge claim: right content and
36/// a timestamp inside the (half-open) event window. Pure so it's unit-testable.
37fn is_valid_fawkes_claim(content: &str, created_at: u64) -> bool {
38    content == "fawkes_badge_claimed"
39        && created_at >= FAWKES_DAY_START
40        && created_at < FAWKES_DAY_END
41}
42
43/// Fetch + validate whether `pubkey` holds the V for Vector (Guy Fawkes 2025)
44/// badge: a kind-30078 `d=fawkes_2025` claim published within the event window.
45///
46/// Queries the full relay pool rather than only the trusted relays: the claim
47/// was published during the event to whatever relays the holder used, and any
48/// single relay (including a trusted one) can be transiently down. Broadest
49/// net gives the best chance of locating the permanent claim.
50pub async fn has_fawkes_badge(pubkey: &PublicKey) -> Result<bool, String> {
51    let client = crate::state::nostr_client().ok_or("Nostr client not initialized")?;
52    let filter = Filter::new()
53        .author(*pubkey)
54        .kind(Kind::ApplicationSpecificData)
55        .custom_tag(SingleLetterTag::lowercase(Alphabet::D), "fawkes_2025")
56        // > 1 to tolerate relays serving superseded copies of the replaceable
57        // event alongside the current one.
58        .limit(10);
59    let mut events = client
60        .stream_events(filter, std::time::Duration::from_secs(10))
61        .await
62        .map_err(|e| e.to_string())?;
63    while let Some(event) = events.next().await {
64        if is_valid_fawkes_claim(&event.content, event.created_at.as_secs()) {
65            return Ok(true);
66        }
67    }
68    Ok(false)
69}
70
71/// Cached flag for whether we hold the Vector badge. Cheap + synchronous, so
72/// safe to call from limit checks. Defaults to false when unset — badge perks
73/// stay off until the cache is filled post-sync.
74pub fn has_vector_badge() -> bool {
75    crate::db::get_sql_setting(BADGE_VECTOR_KEY.to_string())
76        .ok()
77        .flatten()
78        .map(|v| v == "true")
79        .unwrap_or(false)
80}
81
82/// Per-account settings key: cached Bug Hunter NIP-58 tier (0-3). Filled by the
83/// award fetch; downgraded only on a seen issuer revocation, never on absence.
84const BADGE_BUG_HUNTER_TIER_KEY: &str = "badge_bug_hunter_tier";
85
86/// Per-account settings key: comma-separated hex ids of the award events backing
87/// the cached tier, so a revocation still resolves after the relays purge the award.
88const BADGE_BUG_HUNTER_AWARD_IDS_KEY: &str = "badge_bug_hunter_award_ids";
89
90/// Cached Bug Hunter tier (0-3) for the current account. Cheap + synchronous;
91/// 0 until the award fetch fills it.
92pub fn bug_hunter_tier() -> u8 {
93    crate::db::get_sql_setting(BADGE_BUG_HUNTER_TIER_KEY.to_string())
94        .ok()
95        .flatten()
96        .and_then(|v| v.parse::<u8>().ok())
97        .map(|t| t.min(3))
98        .unwrap_or(0)
99}
100
101/// The account's effective premium tier (0-3): the higher of the Bug Hunter tier
102/// and the V for Vector badge (full premium = tier 3). Per-account perks (emoji
103/// limits) read this.
104pub fn effective_tier() -> u8 {
105    bug_hunter_tier().max(if has_vector_badge() { 3 } else { 0 })
106}
107
108/// The highest effective tier across ALL accounts on this install. The
109/// multi-account cap is device-level (adding a profile spans accounts), so it
110/// must not drop when you switch to an un-badged account — unlike the per-account
111/// perks. Reads each account's badge state straight from its vector.db.
112pub fn max_account_tier() -> u8 {
113    let mut max = effective_tier();
114    if let Ok(accounts) = crate::db::get_accounts() {
115        for npub in accounts {
116            max = max.max(read_account_tier(&npub).unwrap_or(0));
117        }
118    }
119    max
120}
121
122/// A (possibly non-active) account's effective tier, read read-only from its
123/// vector.db settings (plaintext KV). None if the DB/keys are absent or locked.
124fn read_account_tier(npub: &str) -> Option<u8> {
125    let path = crate::db::account_dir(npub).ok()?.join("vector.db");
126    let conn = rusqlite::Connection::open_with_flags(&path, rusqlite::OpenFlags::SQLITE_OPEN_READ_ONLY).ok()?;
127    let get = |key: &str| -> Option<String> {
128        conn.query_row("SELECT value FROM settings WHERE key = ?1", rusqlite::params![key], |r| r.get(0)).ok()
129    };
130    let bug = get(BADGE_BUG_HUNTER_TIER_KEY).and_then(|v| v.parse::<u8>().ok()).map(|t| t.min(3)).unwrap_or(0);
131    let vector = get(BADGE_VECTOR_KEY).map(|v| v == "true").unwrap_or(false);
132    Some(bug.max(if vector { 3 } else { 0 }))
133}
134
135/// Record the result of an on-demand badge check. When the checked key is our
136/// own and the badge is present, persist it (sticky) and emit `badges_updated`
137/// so badge-gated perks (raised emoji-pack limits) turn on immediately — this is
138/// the safety net for a post-sync `refresh_own_badges` that missed the claim
139/// (the holding relay is often flaky during the saturated sync window) and is now
140/// sitting in its multi-hour re-check cooldown. An on-demand check runs at a
141/// quiet moment, so it lands where the sync-time sweep didn't.
142///
143/// No-op for other users, a negative result, or an account swap mid-check (the
144/// own-key comparison re-reads the *current* account, so a stale key never
145/// writes the wrong DB). No awaits, so the read + write stay on one account.
146pub fn note_own_badge_confirmed(pubkey: &PublicKey, has_badge: bool) {
147    if !has_badge || has_vector_badge() {
148        return;
149    }
150    if crate::state::my_public_key().as_ref() != Some(pubkey) {
151        return;
152    }
153    let _ = crate::db::set_sql_setting(BADGE_VECTOR_KEY.to_string(), "true".to_string());
154    crate::log_info!("[Badges] vector badge confirmed via on-demand check");
155    crate::traits::emit_event_json(
156        "badges_updated",
157        serde_json::json!({ "vector": true, "tier": effective_tier(), "bug_hunter": bug_hunter_tier() }),
158    );
159}
160
161/// Fetch our own badges and persist to the per-account cache. Called once
162/// after initial sync. The SessionGuard straddles the network fetch so a
163/// mid-fetch account swap can't write account A's badge into account B's DB.
164pub async fn refresh_own_badges() {
165    let session = crate::state::SessionGuard::capture();
166    let Some(pk) = crate::state::my_public_key() else {
167        crate::log_warn!("[Badges] refresh skipped — no public key");
168        return;
169    };
170
171    // Sticky: the badge is a permanent achievement, so once confirmed we never
172    // re-query (avoids a flaky relay later flipping it off) and never downgrade.
173    if has_vector_badge() {
174        crate::log_info!("[Badges] vector badge already cached — skipping refresh");
175        return;
176    }
177
178    // Throttle: skip the relay sweep if we already checked recently without
179    // success. The window is closed, so a miss now will still be a miss in an
180    // hour — no need to re-sweep on every restart.
181    let now = unix_now();
182    if let Some(last) = crate::db::get_sql_setting(BADGE_CHECK_TS_KEY.to_string())
183        .ok()
184        .flatten()
185        .and_then(|v| v.parse::<u64>().ok())
186    {
187        if now.saturating_sub(last) < RECHECK_COOLDOWN_SECS {
188            return;
189        }
190    }
191
192    crate::log_info!(
193        "[Badges] resolving own badges for {}…",
194        pk.to_bech32().unwrap_or_default()
195    );
196
197    // The holding relay (often the user's own) is flaky/overloaded during the
198    // heavy sync window, so retry a few times to catch it during a quiet
199    // moment. A miss leaves the badge cache untouched (records only the check
200    // time for the cooldown); the next boot past the cooldown tries again until
201    // it lands once (then sticky-cached forever).
202    const ATTEMPTS: u8 = 3;
203    for attempt in 1..=ATTEMPTS {
204        match has_fawkes_badge(&pk).await {
205            Ok(true) => {
206                if !session.is_valid() {
207                    return;
208                }
209                crate::log_info!("[Badges] vector badge confirmed (attempt {})", attempt);
210                let _ = crate::db::set_sql_setting(BADGE_VECTOR_KEY.to_string(), "true".to_string());
211                return;
212            }
213            Ok(false) => {
214                crate::log_info!("[Badges] vector badge not found (attempt {}/{})", attempt, ATTEMPTS);
215            }
216            Err(e) => {
217                crate::log_warn!("[Badges] refresh attempt {}/{} failed: {}", attempt, ATTEMPTS, e);
218            }
219        }
220        if !session.is_valid() {
221            return;
222        }
223        if attempt < ATTEMPTS {
224            tokio::time::sleep(std::time::Duration::from_secs(20)).await;
225        }
226    }
227    // Record the unsuccessful pass so the cooldown applies before re-sweeping.
228    if session.is_valid() {
229        let _ = crate::db::set_sql_setting(BADGE_CHECK_TS_KEY.to_string(), now.to_string());
230    }
231    crate::log_info!("[Badges] vector badge not resolved this boot — will retry after cooldown");
232}
233
234// ── Bug Hunter (NIP-58 tiered, team-awarded) ───────────────────────────────
235
236/// The Vector Team issuer key — the NIP-58 trust root for Bug Hunter badges.
237/// Only awards (kind 8) and revocations (kind 5) signed by this key are honored,
238/// so a forged award from any other key grants nothing.
239const BUG_HUNTER_ISSUER_NPUB: &str =
240    "npub1hrujuc08r4zcdtn0u6ts7u7apldcjqgftz0z7stmaaz9hwaf9jxs66f3yh";
241
242static BUG_HUNTER_ISSUER: LazyLock<PublicKey> = LazyLock::new(|| {
243    PublicKey::from_bech32(BUG_HUNTER_ISSUER_NPUB)
244        .expect("hardcoded Bug Hunter issuer npub must be valid")
245});
246
247/// Map a badge-definition `d` identifier to its tier. The display `name` can
248/// change freely; the `d` slug is the permanent identity.
249fn tier_from_slug(d: &str) -> Option<u8> {
250    match d {
251        "bug-hunter-tier-1" => Some(1),
252        "bug-hunter-tier-2" => Some(2),
253        "bug-hunter-tier-3" => Some(3),
254        _ => None,
255    }
256}
257
258/// Parse a NIP-58 `a`-tag coordinate (`30009:<issuer-hex>:<d>`) into a tier, but
259/// only when the kind is 30009 AND the author is our trusted issuer — an award
260/// pointing at a definition minted under any other key is ignored.
261fn tier_from_coord(coord: &str, issuer_hex: &str) -> Option<u8> {
262    let mut parts = coord.splitn(3, ':');
263    let kind = parts.next()?;
264    let author = parts.next()?;
265    let d = parts.next()?;
266    if kind != "30009" || author != issuer_hex {
267        return None;
268    }
269    tier_from_slug(d)
270}
271
272/// Fold awards (event id + tier) and the set of revoked award ids into the tier
273/// seen this fetch, plus whether a revocation actually applied to one of our
274/// awards. Pure so it's unit-testable. `saw_revocation` is the positive signal
275/// that justifies a downgrade (vs. a flaky-relay absence, which must not).
276fn fold_bug_hunter(awards: &[(EventId, u8)], revoked: &HashSet<EventId>) -> (u8, bool) {
277    let mut seen_tier = 0u8;
278    let mut saw_revocation = false;
279    for (id, tier) in awards {
280        if revoked.contains(id) {
281            saw_revocation = true;
282        } else {
283            seen_tier = seen_tier.max(*tier);
284        }
285    }
286    (seen_tier, saw_revocation)
287}
288
289/// Fetch `pubkey`'s raw Bug Hunter standing from the issuer: the seen kind-8
290/// awards (id + tier) whose `a` points at one of our tier definitions, plus the
291/// set of award ids the issuer has revoked (kind-5). Queries the full pool.
292async fn fetch_bug_hunter_raw(pubkey: &PublicKey) -> Result<(Vec<(EventId, u8)>, HashSet<EventId>), String> {
293    let client = crate::state::nostr_client().ok_or("Nostr client not initialized")?;
294    let issuer = *BUG_HUNTER_ISSUER;
295    let issuer_hex = issuer.to_hex();
296
297    // Awards: kind 8 signed by the issuer, p-tagging this user.
298    let award_filter = Filter::new()
299        .author(issuer)
300        .kind(Kind::Custom(8))
301        .custom_tag(SingleLetterTag::lowercase(Alphabet::P), pubkey.to_hex())
302        .limit(64);
303    let mut awards: Vec<(EventId, u8)> = Vec::new();
304    let mut stream = client
305        .stream_events(award_filter, std::time::Duration::from_secs(10))
306        .await
307        .map_err(|e| e.to_string())?;
308    while let Some(ev) = stream.next().await {
309        let coord = ev.tags.iter().find_map(|t| {
310            let s = t.as_slice();
311            if s.first().map(|k| k == "a").unwrap_or(false) {
312                s.get(1).cloned()
313            } else {
314                None
315            }
316        });
317        if let Some(c) = coord {
318            if let Some(tier) = tier_from_coord(&c, &issuer_hex) {
319                awards.push((ev.id, tier));
320            }
321        }
322    }
323
324    // Revocations: kind 5 from the issuer (NIP-09); each `e` tag names a revoked award.
325    let revoke_filter = Filter::new()
326        .author(issuer)
327        .kind(Kind::Custom(5))
328        .limit(256);
329    let mut revoked: HashSet<EventId> = HashSet::new();
330    let mut rstream = client
331        .stream_events(revoke_filter, std::time::Duration::from_secs(10))
332        .await
333        .map_err(|e| e.to_string())?;
334    while let Some(ev) = rstream.next().await {
335        for t in ev.tags.iter() {
336            let s = t.as_slice();
337            if s.first().map(|k| k == "e").unwrap_or(false) {
338                if let Some(id) = s.get(1).and_then(|h| EventId::from_hex(h).ok()) {
339                    revoked.insert(id);
340                }
341            }
342        }
343    }
344
345    Ok((awards, revoked))
346}
347
348/// Highest non-revoked tier + whether a seen award was revoked, for displaying
349/// another user's badge. Our own status goes through `refresh_own_bug_hunter`,
350/// which also catches revocation of a since-purged award.
351pub async fn fetch_bug_hunter_tier(pubkey: &PublicKey) -> Result<(u8, bool), String> {
352    let (awards, revoked) = fetch_bug_hunter_raw(pubkey).await?;
353    Ok(fold_bug_hunter(&awards, &revoked))
354}
355
356fn read_cached_award_ids() -> Vec<EventId> {
357    crate::db::get_sql_setting(BADGE_BUG_HUNTER_AWARD_IDS_KEY.to_string())
358        .ok()
359        .flatten()
360        .map(|s| s.split(',').filter_map(|h| EventId::from_hex(h.trim()).ok()).collect())
361        .unwrap_or_default()
362}
363
364fn write_cached_award_ids(ids: &[EventId]) {
365    let csv = ids.iter().map(|id| id.to_hex()).collect::<Vec<_>>().join(",");
366    let _ = crate::db::set_sql_setting(BADGE_BUG_HUNTER_AWARD_IDS_KEY.to_string(), csv);
367}
368
369/// Resolve + persist our own Bug Hunter tier (called post-sync). Sticky cache:
370/// upgrades apply immediately; a downgrade is honored ONLY on a seen revocation,
371/// never a mere absent award (flaky relay). The ids of the awards backing the
372/// current tier are cached so a revocation still resolves after the relays purge
373/// the award itself (NIP-09 deletion). SessionGuard straddles the fetch so a
374/// mid-fetch account swap can't write account A's tier into account B.
375pub async fn refresh_own_bug_hunter() {
376    let session = crate::state::SessionGuard::capture();
377    let Some(pk) = crate::state::my_public_key() else {
378        return;
379    };
380
381    let (awards, revoked) = match fetch_bug_hunter_raw(&pk).await {
382        Ok(r) => r,
383        Err(e) => {
384            crate::log_warn!("[Badges] bug hunter fetch failed: {}", e);
385            return;
386        }
387    };
388    if !session.is_valid() {
389        return;
390    }
391
392    // Highest non-revoked seen tier + the award ids backing it.
393    let mut seen_tier = 0u8;
394    let mut active_ids: Vec<EventId> = Vec::new();
395    let mut seen_revoked = false;
396    for (id, tier) in &awards {
397        if revoked.contains(id) {
398            seen_revoked = true;
399        } else {
400            seen_tier = seen_tier.max(*tier);
401            active_ids.push(*id);
402        }
403    }
404    // Also honor a revocation of an award we previously cached but that the relays
405    // have since purged (so it's no longer in `awards` to match directly).
406    let cached_revoked = read_cached_award_ids().iter().any(|id| revoked.contains(id));
407    let saw_revocation = seen_revoked || cached_revoked;
408
409    // Re-read the current account before any write: never persist A's state into B.
410    if crate::state::my_public_key().as_ref() != Some(&pk) {
411        return;
412    }
413
414    let cached = bug_hunter_tier();
415    let new_tier = if seen_tier > cached {
416        seen_tier
417    } else if seen_tier < cached && saw_revocation {
418        seen_tier
419    } else {
420        cached
421    };
422
423    // Remember the awards behind the current tier — but only when we actually saw
424    // awards, so a flaky empty fetch never wipes the memory we need for revocation.
425    if !awards.is_empty() {
426        write_cached_award_ids(&active_ids);
427    }
428    if new_tier == cached {
429        return;
430    }
431    let _ = crate::db::set_sql_setting(
432        BADGE_BUG_HUNTER_TIER_KEY.to_string(),
433        new_tier.to_string(),
434    );
435    crate::log_info!("[Badges] bug hunter tier {} -> {}", cached, new_tier);
436    crate::traits::emit_event_json(
437        "badges_updated",
438        serde_json::json!({ "vector": has_vector_badge(), "tier": effective_tier(), "bug_hunter": bug_hunter_tier() }),
439    );
440}
441
442#[cfg(test)]
443mod tests {
444    use super::*;
445
446    #[test]
447    fn fawkes_claim_window_boundaries() {
448        // Correct content, inside the window.
449        assert!(is_valid_fawkes_claim("fawkes_badge_claimed", FAWKES_DAY_START));
450        assert!(is_valid_fawkes_claim("fawkes_badge_claimed", FAWKES_DAY_END - 1));
451        // End is exclusive.
452        assert!(!is_valid_fawkes_claim("fawkes_badge_claimed", FAWKES_DAY_END));
453        // Before the window.
454        assert!(!is_valid_fawkes_claim("fawkes_badge_claimed", FAWKES_DAY_START - 1));
455        // Wrong / empty content, even inside the window.
456        assert!(!is_valid_fawkes_claim("", FAWKES_DAY_START));
457        assert!(!is_valid_fawkes_claim("something_else", FAWKES_DAY_START));
458    }
459
460    #[test]
461    fn bug_hunter_issuer_npub_is_valid() {
462        // A malformed hardcoded issuer would panic when the LazyLock forces.
463        let _ = *BUG_HUNTER_ISSUER;
464        assert!(PublicKey::from_bech32(BUG_HUNTER_ISSUER_NPUB).is_ok());
465    }
466
467    #[test]
468    fn tier_from_coord_trusts_only_issuer_kind_and_slug() {
469        let issuer = "abc123";
470        assert_eq!(tier_from_coord("30009:abc123:bug-hunter-tier-1", issuer), Some(1));
471        assert_eq!(tier_from_coord("30009:abc123:bug-hunter-tier-2", issuer), Some(2));
472        assert_eq!(tier_from_coord("30009:abc123:bug-hunter-tier-3", issuer), Some(3));
473        // Forged: a definition minted under another key.
474        assert_eq!(tier_from_coord("30009:evil:bug-hunter-tier-3", issuer), None);
475        // Wrong kind.
476        assert_eq!(tier_from_coord("30008:abc123:bug-hunter-tier-3", issuer), None);
477        // Unknown slug.
478        assert_eq!(tier_from_coord("30009:abc123:bug-hunter-tier-9", issuer), None);
479    }
480
481    #[test]
482    fn fold_bug_hunter_highest_non_revoked_with_revocation_flag() {
483        let id = |b: u8| EventId::from_hex(&format!("{:02x}", b).repeat(32)).unwrap();
484        // No revocations: highest tier, flag clear.
485        assert_eq!(fold_bug_hunter(&[(id(1), 1), (id(3), 3), (id(2), 2)], &HashSet::new()), (3, false));
486        // Revoke the tier-3 award: tier drops to 2, flag set.
487        let revoked: HashSet<EventId> = [id(3)].into_iter().collect();
488        assert_eq!(fold_bug_hunter(&[(id(1), 1), (id(3), 3), (id(2), 2)], &revoked), (2, true));
489        // No awards: tier 0, no revocation.
490        assert_eq!(fold_bug_hunter(&[], &HashSet::new()), (0, false));
491    }
492}