Timmy_Foundation/timmy-config
16
0
Fork 0
Code Issues 57 Pull Requests 1 Actions 1 Packages Projects Releases Wiki Activity

[COMMS] define Nostur operator edge and Nostr ingress path (#177)

Browse Source
This commit was merged in pull request #177.
This commit is contained in:
Timmy Time
2026-04-04 22:46:55 +00:00
parent b1d147373b
commit 1b5e31663e
2 changed files with 191 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -51,6 +51,10 @@ The scripts in `bin/` are sidecar-managed operational helpers for the Hermes lay
Do NOT assume older prose about removed loops is still true at runtime. Do NOT assume older prose about removed loops is still true at runtime.
Audit the live machine first, then read `docs/automation-inventory.md` for the Audit the live machine first, then read `docs/automation-inventory.md` for the
current reality and stale-state risks. current reality and stale-state risks.
For communication-layer truth, read:
- `docs/comms-authority-map.md`
- `docs/nostur-operator-edge.md`
For fleet routing semantics over sovereign transport, read For fleet routing semantics over sovereign transport, read
`docs/ipc-hub-and-spoke-doctrine.md`. `docs/ipc-hub-and-spoke-doctrine.md`.

187
docs/nostur-operator-edge.md Normal file
View File

@@ -0,0 +1,187 @@
# Nostur Operator Edge
Status: doctrine and implementation path for #174
Parent epic: #173
Related issues:
- #166 Matrix/Conduit primary operator surface
- #175 Communication authority map
- #165 NATS internal bus
- #163 sovereign keypairs / identity
## Goal
Make Nostur a real operator-facing layer for Alexander without letting Nostr become a shadow task system.
Nostur is valuable because it gives the operator a sovereign, identity-linked mobile surface.
That does not mean Nostr should become the place where work lives.
## Design rule
Nostur is an ingress layer.
Gitea is execution truth.
Matrix is the private conversation surface.
NATS is internal transport.
If a command originates in Nostur and matters to the fleet, it must be normalized into Gitea before it is treated as active work.
## What Nostur is for
Use Nostur for:
- sovereign mobile operator access
- identity-linked quick commands
- acknowledgements and nudges
- emergency ingress when Matrix is unavailable or too heavy
- public or semi-public notes when intentionally used that way
Do not use Nostur for:
- hidden task queues
- final assignment truth
- long private operator/fleet discussion when Matrix is available
- routine agent-to-agent transport
## Operator path
### Path A: quick command from Nostur
Example intents:
- "open issue for this"
- "reassign this to Allegro"
- "summarize status"
- "mark this blocked"
- "create follow-up from this note"
Required system behavior:
1. accept Nostur event / DM from an authorized operator identity
2. verify identity against the allowed sovereign key set
3. classify message as one of:
- advisory only
- actionable command
- ambiguous / requires clarification
4. if actionable, translate it into one canonical Gitea object:
- new issue
- comment on existing issue
- explicit state mutation on an existing issue/PR
5. send acknowledgement back through Nostur with a link to the Gitea object
6. if private discussion is needed, continue in Matrix and point both sides at the same Gitea object
### Path B: status read from Nostur
For simple mobile reads, allow:
- current priority queue summary
- open blockers
- review queue summary
- health summary
- links to active epic/issues/PRs
These are read-only responses.
They do not mutate work state.
### Path C: public or semi-public edge
If Nostr is used publicly:
- never expose hidden internal queue truth
- publish only intentional summaries, announcements, or identity proofs
- public notes must not become a side-channel task system
## Ingress contract
For every actionable Nostur message, the bridge must emit a normalized ingress record with:
- source: nostr
- operator identity: npub or mapped principal identity
- received_at timestamp
- original event id
- normalized intent classification
- linked Gitea object id after creation or routing
- acknowledgement state
This record may live in logs or a small bridge event store, but the work itself must live in Gitea.
## Auth and identity
Nostur ingress should rely on sovereign key identity, not platform-issued bot identity.
Minimum model:
- allowlist of operator npubs
- optional challenge/response for higher-trust actions
- explicit mapping from operator identity to allowed command classes
Suggested command classes:
- read-only
- issue creation
- issue comment / note append
- assignment / routing request
- high-authority mutation requiring confirmation
The bridge must fail closed for unknown keys.
## Bridge behavior
The Nostur bridge should be small and stupid.
Responsibilities:
- receive event / DM
- authenticate sender
- normalize intent
- write/link Gitea truth
- optionally mirror conversation into Matrix
- return acknowledgement
Responsibilities it must NOT take on:
- hidden queue management
- second task database
- silent assignment logic outside coordinator doctrine
- freeform agent orchestration directly from relay chatter
## Recommended implementation sequence
### Step 1
Build read-only Nostur status responses.
Acceptance:
- Alexander can ask for status from Nostur
- response comes back with links to the canonical Gitea objects
- no queue mutation yet
### Step 2
Add explicit issue/comment creation from Nostur.
Acceptance:
- a Nostur command can create a new Gitea issue or append to an existing one
- acknowledgement message includes the issue URL
- no hidden state remains only in Nostr
### Step 3
Add Matrix handoff for private follow-up.
Acceptance:
- after Nostur ingress, the system can point the operator into Matrix for richer back-and-forth while preserving the same Gitea work object
### Step 4
Add authority tiers and confirmations.
Acceptance:
- low-risk actions can run directly
- higher-risk actions require explicit confirmation
- command classes are keyed to operator identity policy
## Non-goals
- replacing Matrix with Nostur for all private operator conversation
- using Nostr for the internal fleet bus
- letting relay notes replace issues, PRs, or review artifacts
## Operational rule
Nostur should make the system more sovereign and more convenient.
It must not make the system more ambiguous.
If Nostur ingress creates ambiguity, the bridge is wrong.
If it creates a clean Gitea-linked work object and gives Alexander a mobile sovereign edge, the bridge is right.
## Acceptance criteria
- [ ] Nostur has an explicit role in the stack
- [ ] Nostr ingress is mapped to Gitea execution truth
- [ ] read-only versus mutating commands are separated
- [ ] the bridge is defined as small and transport/ingress-focused
- [ ] the doc makes it impossible to justify shadow task state in Nostr