Last Notes
I'm getting a 504 Gateway timeout from Cloudflare when trying to view that link :(
Hah, yes, solarpunk is more of a mindset for me. I'm currently hooked up to the grid in Indiana powered by coal and natural gas 🙃. Solarpunk is a hopeful vision of what technology could do for humanity. The idea is that if we can achieve energy independence on a personal or community level through solar or other renewable sources then we could start to make more progress on the big threats to human thriving like climate change, information warfare, centralization of corporate and nation-state power. It's an optimistic alternative to cyberpunk, where technological advances lead to further consolidation of power by elites and increased oppression for the rest of us.
For me it's mainly that to Google I am ultimately a product to be sold, to Apple I'm still a customer. I know about Graphene and I actually plan to switch one day. But it's a lot of friction for ultimately a pretty similar threat model.
Wow I forgot to remember about sublime text for 10 years or so.
I'm having new waves of imposter syndrome when it comes to AI use. I'm building in a less familiar ecosystem (Flutter) and AI is letting me do that way faster than if I didn't use it. Horcrux is quite literally software that wouldn't exist without AI, because I wouldn't have been able to squeeze the project into the timeline that got funded.
I like to think that I'm experienced enough to know where the tradeoffs are, where my code is weak, and what needs more attention. But until I have a successful product in the hands of users it's going to be hard to know whether the AI was a net positive. It's so hard to know anything objectively about software development and when it comes to AI there is all this concerning research about developers perceiving speed increases where there are none. I guess on some level I just believe I'm smarter than most other devs. That's the problem with us developers, isn't it 😓.
I'm happy to host a signer.
I hope this isn't a subtweet from my Horcrux demo today 😅
Maybe we should start a club. There must be at least three of us!
#note157y…kg6y
Here is a pretty detailed quarterly report on my Horcrux project for OpenSats, if that interests you: https://mattlorentz.com/2025/12/29/horcrux-end-of-year-update.html
Is anyone here going to ETHDenver in February? I am not an ethereum person at all, but I have met a lot of cool people over the years (who are also not big ethereum people) who have been to this conference and loved it. I think I might go this year. They have a track for "Cypherpunks, Solarpunks & Communities". Idk what ethereum has to do with solarpunk but I kind of want to find out.
Playing ambient audio to keep your Nostr signer alive on iOS is hilarious and definitely against Apple's rules, but I love it. More power to you 😂
#nevent1q…t5pj
I’m sad to hear that. You are one of the most interesting voices in my feed!
Flutter. I gave it a shot so we’ll see.
Ok hodlbod has been COOKING on his frost signer thing with email login. I just got a demo from him and it has me more excited about Nostr than I have been in a long time.
- users can sign into Nostr apps via email (or someday any other identity system they like. Phone? Facebook? snail mail? Āhau?) but behind the scenes they still have a private key
- no server or company ever needs a full copy of their private key
- at any point they can extract their Nostr key from the system to use another one (like a bunker, hardware signer, or just a different group of signing servers, etc.)
The big problem with Nostr onboarding is that people need to put in a significant amount of work to understand and manage keys before they even get a chance to get any value out of the software. But pomade enables someone to join without thinking about keys, *and later* start caring and still be able to take full custody of their key. It is the second part that nobody has really done before, on Nostr or anywhere else that I know of. It's not bulletproof, but it combines all the best tech we have to balance ease-of-use, security, and user control.
If I vibe code my own workout app will I actually work out or no? 👍 / 👎
Who is “we”? Are you anonymous?
👍 I like to call it an ecosystem.
@npub1jlr…ynqn I think at some point I heard you say you get a summary of recent Nostr events every day. Is that from a DVM? Have you written about this somewhere? I would like to try something similar.
Because it’s slower than Chrome and Safari.
bug: it doesn't work in Firefox
I wrote up some instructions for running a promenade signer, if that's something that interests you. Promenade creates a cluster of servers that cooperatively sign Nostr events without any of them knowing your Nostr secret key. Bleeding edge identity tech. Join us! #naddr1qv…t2nc
Whoah, thanks for the mega zap. Much appreciated 🙏🏻
This would require an overhaul of clients and any relays that use wot, auth, or similar features, correct?
I'm so excited that Satellite is back. It's always had my favorite design of any Nostr app.
#nevent1q…328t
I just posted a project update video for Keydex that shows the current features and future plans. Plus an announcement that I'm renaming the project from Keydex to Horcrux! Check it out: https://tube.tchncs.de/w/oyxzSzhocB3k6BNbVTdU7d
The release looks great! Satellite's thread view has always been my favorite, I'm so glad you kept and improved it.
I've been quiet lately but I've just been very heads down trying to get Keydex ready for its first alpha usability test, which I'm about to head to right now! I'll try to post a project update this week, as I passed the halfway point on my (relatively tight) 4 month timeline recently.
hah, linking to 20 lines of source code for a feature as complex as search is such a flex 💪
Yeah I haven't used it much in the past couple weeks. I've been in more of a refactoring mode and have just been doing one-off prompts or using Cursor's plan mode for that. I would like to get back and try it on some more tightly scoped features though.
I should circle back to Claude code at some point but viewing and accepting changes with the Cursor diff viewer is just so ingrained in my workflow now, I think I would miss it a lot.
I just did a weird thing with gift wraps in Keydex and I want to make sure it's not dumb. I'm having a bug where lockboxes are showing back up on the devices of key holders after they have been removed. Like this:
1. Alice invites Bob to be a key holder for their lockbox
2. Bob accepts
3. Alice publishes a shard of the lockbox data for Bob to download, gift wrapped and addressed to Bob.
4. Bob changes their mind and deletes the lockbox from their device.
5. Later when Bob reopens the app it downloads the shard event again and recreates the lockbox.
Of course I could maintain some local state about what has been deleted, but it would be better to just nuke the shard from the relay. We could ask the original publisher to do it, but we can't guarantee they are online. So what if we just include the ephemeral key used to gift wrap the shard in the seal? Now Bob can publish a NIP-09 deletion request to delete the shard.
I could see this being useful in other places too. For instance you could have a type of direct message that gets deleted from relays as soon as it is downloaded by the recipient.
It seems to me like a rogue relay owner in a NIP-29 group is just as disastrous as a rogue group admin in NIP-87?
And this isn't in NIP-87 but I don't see any reason you couldn't use FROSTR threshold signatures to publish events from the admin key. In this way a few admins could hold shards or you could even distribute a shard to every group member and have clients collaborate to approve membership changes or other policy changes?
I guess what I am dreaming of is not really NIP-87 exactly. It's more like NIP-29 plus encryption minus the assumption that the policy engine for the group is running at a particular DNS name. If you decouple the policy engine from the relay/DNS now you can innovate on that separately and create some really sweet trust structures, or not and just keep your group on a single relay.
You wouldn't have to trust them not to accidentally leak messages to the wrong people but they would still need the encryption key in order to service membership changes right? I suppose you could use one encryption key for membership changes and another for content? 🤔
Oh I never thought about this. Yeah you wouldn't be able to filter content by tag or author because everything is gift wrapped? Is that how this worked in Coracle groups @npub1jlr…ynqn?
It seems like spam wouldn't be too much of a problem though. Because all messages are giftwrapped with the shared key the relay can easily tell if a person is a valid member of a group or not by checking the pubkey and signature right? I suppose you would hit rate limits sooner with the shared key on a public relay, but I guess I'm assuming serious groups will have some kind of relationship with their main relays, paid or otherwise.
Keydex is going to be the first Nostr app I'm aware of that uses relays exclusively to relay data from one peer's device to another, not for long-term data storage. I'm going to use NIP-40 expiration tags on all events so that they only live on the relay for a few days, which makes Keydex closer to a peer-to-peer application that uses Nostr as the transport (and identity) layer.
Fun milestone for Keydex today: I had my first successful restore of data. I was able to fire up several copies of the app and create a lockbox, break it into shares, distribute them to peers via Nostr, initiate recovery, approve the recovery request, and reassemble the data.
There is still a ton of work to do but having the core flow working makes all the future changes feel small and incremental by comparison.
https://blossom.lorentz.is/be5d7d6161093d03ccc9513100ff0f255cdd2bf7f51fdd2cbcba66cd3950015a.png
oh interesting, I wonder if I've been hitting these rate limits and that's why I have so much trouble with signers.
I also have my own relay but I only allow events from my own pubkey to be published there. 🤔 So I could point clients to my own relay for NIP-46 messages but there's no easy way to add every client key to my allowlist... I guess I am running `nak bunker` on the same machine as my relay. Maybe I could jerry-rig some communication between nak and my relay config? Sounds fragile though.
Hm, should clients add an nsec field during bunker setup? Not for you to put your real nsec into, but rather one that you know is allowed to post to your relay. Then if the client becomes adversarial the worst they can do is post spam to your relay, which they can probably already do once they have remote signer permissions.
This is overbuilt but maybe there is a simpler solution inside. Maybe the bunker URL you paste initially should just include an nsec for the client to use?
Day 2 using Github's spec-kit for development did not go as well. The AI and I got lost trying to write reams of overly generic TDD test stubs. It felt like the AI couldn't really get a clear picture from just the spec requirements what it should be testing before the actual implementation code was written.
So today I changed course and changed my constitution (the like underlying spec doc for the repo) to use an outside-in development approach instead of TDD and we made a lot of progress. I also got a new playwright MCP set up for browser automation and it's working a lot better than the last one I had. After some considerable setup the LLM was generally able to run the app in the web browser and click around to test its own changes.
@npub1g2j…yjj6 what tool are you using to cross post across Nostr, scuttlebutt, Mastodon, etc.? I have been using OpenVibe but it has been really buggy lately.
"any kind of decentralized, democratic or liberal political structure thrives best when defense is easy, and suffers the most challenge when defense is hard - in those cases, the far more likely outcome is some period of war of all against all, and eventually an equilibrium of rule by the strongest."
A good (but long) blog post on focusing our collective efforts on developing defensive technologies to slant the future away from dystopia.
https://vitalik.eth.limo/general/2025/01/05/dacc2.html
Thanks @npub1yl8…vz34 for the link!
The official word is "no" 😢 (from telegram)
#nevent1q…g9q2
Spent a couple hours setting up the Keydex repo with Github spec-kit. No code yet but I have 1000 lines of markdown to show for it 🤷‍♂️ https://github.com/mplorentz/keydex
@npub1u92…hr58 @npub12hc…rdp4 @npub1v0l…qj49 not sure where to report this but I am getting this error at https://zap.stream/nogood :(
Unexpected Application Error!
error loading dynamically imported module: https://zap.stream/assets/markdown-D8ImU_5Q.js
I'm back in the code editor for the first time in a few weeks. It feels good 😊
Trying out Github's spec-kit tool for spec-driven development with AI: https://github.com/github/spec-kit?tab=readme-ov-file#-core-philosophy
Please flame me @npub180c…h6w6