nostr-logging-system
npx machina-cli add skill besoeasy/open-skills/nostr-logging-system --openclawFiles (1)
SKILL.md
5.5 KB
Nostr Logging System
Use Nostr as a distributed logging transport: publish non-sensitive logs publicly, and send sensitive logs privately to the admin via Nostr DM.
When to use
- You want tamper-resistant, relay-distributed public operational logs.
- You want sensitive logs (errors with secrets, internal traces) delivered privately to an admin.
- You need a lightweight logging channel without centralized log infrastructure.
Required tools / APIs
- Node.js 18+
nostr-sdklibrary
Install:
npm install nostr-sdk
Environment variables:
# REQUIRED: admin Nostr public identity (npub or hex pubkey)
export ADMIN_NOSTR_PUBKEY="npub1..."
# REQUIRED for the logger identity (create if missing; see setup below)
export NOSTR_NSEC="nsec1..."
# Optional
export NOSTR_RELAYS="wss://relay.damus.io,wss://nos.lol,wss://relay.snort.social"
Setup flow (must do first)
- Ask the admin for their Nostr address (
npub/ public key). - Check whether you already have
NOSTR_NSECsaved. - If missing, generate a new keypair and save the
nsecfor future runs.
Generate and persist your nsec if missing (Node.js)
// setup-nostr-identity.js
const fs = require('fs');
const path = require('path');
const { generateRandomNsec, nsecToPublic } = require('nostr-sdk');
function ensureNostrIdentity() {
const envPath = path.resolve(process.cwd(), '.env');
const envText = fs.existsSync(envPath) ? fs.readFileSync(envPath, 'utf8') : '';
const fromProcess = process.env.NOSTR_NSEC;
const fromEnvFile = envText.match(/^NOSTR_NSEC=(.+)$/m)?.[1];
const currentNsec = fromProcess || fromEnvFile;
if (currentNsec && currentNsec.startsWith('nsec1')) {
console.log('NOSTR_NSEC already exists. Reusing saved key.');
return currentNsec;
}
const nsec = generateRandomNsec();
const pub = nsecToPublic(nsec);
const line = `NOSTR_NSEC=${nsec}`;
const nextEnv = envText.includes('NOSTR_NSEC=')
? envText.replace(/^NOSTR_NSEC=.*$/m, line)
: `${envText}${envText.endsWith('\n') || envText.length === 0 ? '' : '\n'}${line}\n`;
fs.writeFileSync(envPath, nextEnv, 'utf8');
console.log('Generated new Nostr identity. Saved NOSTR_NSEC to .env');
console.log('Your npub:', pub.npub);
return nsec;
}
ensureNostrIdentity();
Run:
node setup-nostr-identity.js
Skills
1. Public log event (non-sensitive)
const { posttoNostr } = require('nostr-sdk');
async function logPublic(message, level = 'info') {
const tags = [
['t', 'logs'],
['t', 'public'],
['t', level]
];
return posttoNostr(`[PUBLIC_LOG] ${message}`, {
nsec: process.env.NOSTR_NSEC,
tags,
relays: null,
powDifficulty: 4
});
}
// Example:
// await logPublic('Worker started successfully', 'info');
2. Sensitive log to admin DM
const { sendMessageNIP17 } = require('nostr-sdk');
async function logSensitiveToAdmin(message) {
const admin = process.env.ADMIN_NOSTR_PUBKEY;
if (!admin) throw new Error('Missing ADMIN_NOSTR_PUBKEY');
return sendMessageNIP17(admin, `[SENSITIVE_LOG] ${message}`, {
nsec: process.env.NOSTR_NSEC
});
}
// Example:
// await logSensitiveToAdmin('DB auth retry failed for tenant=alpha');
3. Route logs by sensitivity (single logger)
const { posttoNostr, sendMessageNIP17 } = require('nostr-sdk');
async function logNostrEvent({ level = 'info', message, sensitive = false, context = {} }) {
if (!process.env.NOSTR_NSEC) throw new Error('Missing NOSTR_NSEC');
if (!process.env.ADMIN_NOSTR_PUBKEY) throw new Error('Missing ADMIN_NOSTR_PUBKEY');
const payload = JSON.stringify({
ts: new Date().toISOString(),
level,
message,
context
});
if (sensitive) {
return sendMessageNIP17(process.env.ADMIN_NOSTR_PUBKEY, `[SENSITIVE_LOG] ${payload}`, {
nsec: process.env.NOSTR_NSEC
});
}
return posttoNostr(`[PUBLIC_LOG] ${payload}`, {
nsec: process.env.NOSTR_NSEC,
tags: [['t', 'logs'], ['t', 'public'], ['t', level]],
relays: null,
powDifficulty: 4
});
}
// Example:
// await logNostrEvent({ level: 'info', message: 'Cron completed', sensitive: false });
// await logNostrEvent({ level: 'error', message: 'JWT parse failed', sensitive: true, context: { userId: 42 } });
Agent prompt
Use the Nostr Logging System skill.
Rules:
1) Ask for admin Nostr address first (npub/public key) and store as ADMIN_NOSTR_PUBKEY.
2) Check if NOSTR_NSEC already exists in environment/.env.
3) If missing, generate a new identity and persist NOSTR_NSEC for future runs.
4) Route logs:
- Non-sensitive -> public Nostr note with tags logs/public/<level>
- Sensitive -> private DM to ADMIN_NOSTR_PUBKEY using NIP-17
5) Never publish secrets in public notes.
Best practices
- Redact secrets (tokens, private keys, passwords) before logging.
- Treat anything user-identifying as sensitive by default.
- Add stable tags (
logs,service-name,env) for easier filtering. - Use multiple relays for better delivery and resilience.
- Rotate logger identity keys if compromised.
Troubleshooting
Missing ADMIN_NOSTR_PUBKEY: Ask admin fornpub/public key and export it.Missing NOSTR_NSEC: Run the setup script to generate and persist identity.- Low publish success: Add more relays or retry with lower POW difficulty.
- DM not received: Confirm admin key is correct and relay supports DMs.
See also
Source
git clone https://github.com/besoeasy/open-skills/blob/main/skills/nostr-logging-system/SKILL.mdView on GitHub Overview
Publish operational logs over Nostr as a distributed transport. Public events expose non-sensitive logs across relays for tamper-resistant visibility, while sensitive logs are sent privately to an admin via DM. It offers a lightweight alternative to centralized logging infrastructure.
How This Skill Works
The system runs on Node.js 18+ using the nostr-sdk. Public logs are posted as events with tags like t: logs and t: public, including a level, to configured relays. Sensitive logs are sent privately to the admin via Nostr DM using the admin pubkey (ADMIN_NOSTR_PUBKEY) and the logger's nsec (NOSTR_NSEC). Identities and relay endpoints are defined via environment variables, and payloads can include a timestamp, level, message, and context.
When to Use It
- You need tamper-resistant, relay-distributed public operational logs.
- You want sensitive logs (with secrets) delivered privately to an admin.
- You prefer a lightweight logging channel without centralized infrastructure.
- You want clear separation between public visibility and private admin alerts.
- You’re operating a Node.js app and want minimal setup using nostr-sdk.
Quick Start
- Step 1: Install nostr-sdk and set required env vars (ADMIN_NOSTR_PUBKEY, NOSTR_NSEC); optionally configure NOSTR_RELAYS
- Step 2: Implement public and sensitive log emitters (logPublic, logSensitiveToAdmin, logNostrEvent) using the examples
- Step 3: Run a sample script to publish a public log or send a private admin DM (e.g., node sample-logs.js)
Best Practices
- Use non-sensitive public logs with concise messages and explicit levels (info, warn, error).
- Keep sensitive data out of public logs; send those logs privately to admin via DM.
- Persist NOSTR_NSEC securely (e.g., .env or secret store) and avoid hardcoding.
- Validate that ADMIN_NOSTR_PUBKEY is set before attempting private log delivery.
- Include structured payloads (ts, level, message, context) to simplify filtering and searching.
Example Use Cases
- Public log example: await logPublic('Worker started successfully', 'info')
- Sensitive log example: await logSensitiveToAdmin('DB auth token expired for tenant=alpha')
- Routing example: await logNostrEvent({ level: 'error', message: 'Unhandled error', sensitive: true, context: { reqId: 'abc' } })
- Relay setup: configure multiple relays in NOSTR_RELAYS to ensure delivery
- Error handling: detect missing NOSTR_NSEC or ADMIN_NOSTR_PUBKEY and fail gracefully
Frequently Asked Questions
Add this skill to your agents
