coracle/flotilla
1
6
Fork 24
Code Issues 42 Pull Requests 2 Actions Packages Projects 5 Releases Wiki Activity

feat(rbac): implement NIP-29 room roles and permission gating (#47) #220

Open
Khushvendra wants to merge 5 commits from Khushvendra/flotilla:feat/nip29-rbac-47 into dev
pull from: Khushvendra/flotilla:feat/nip29-rbac-47
merge into: coracle:dev
Conversation 5 Commits 5 Files Changed 16
+865 -177
Khushvendra commented 2026-04-17 11:43:06 +00:00
Contributor
Copy Link
Copy Source

Addresses #47.

Summary
This introduces a forward-compatible NIP-29 RBAC implementation for room and space moderation/authorization.The app now parses role definitions from kind 39003, resolves user permissions from assigned roles, and updates moderation/admin UI gates from binary admin checks to permission-based checks.

Changes Made

  • Added a dedicated RBAC core module to parse and derive role state:
    • Role definitions from kind 39003 tags:
      • role
      • role-label
      • role-color
      • role-order
      • role-permission
      • role-access
  • Added role-aware derivations:
    • deriveRoomRoles
    • deriveUserRoles
    • deriveUserPermissions
    • hasPermission
    • deriveUserIsSpaceAdmin
    • deriveUserIsRoomAdmin
    • deriveSpaceMemberRoleInfo
    • roleColorToCSS
  • Refactored room member/admin list parsing to preserve role annotations:
    • Room members/admins now resolve as structured entries with pubkey + roles
  • Updated sync and storage to include kind 39003 role events.
  • Added RoleBadge reusable component and integrated role badges/grouping in member/profile/detail UIs.
  • Replaced key binary admin checks with permission checks in:
    • Event delete moderation action
    • Room metadata edit/delete visibility
    • Space metadata edit visibility
    • Profile moderation actions
    • Space/room member management controls
  • Updated space action queue filtering to respect effective permissions.

Backward compatibility

  • If relays do not publish role-permission tags, behavior falls back to current admin semantics:
    • room admin lists still grant full room moderation permissions
    • NIP-86 supported-methods fallback remains for space admin determination

Validation

  • Lint formatting is clean for this branch’s changes.
  • Project typecheck still reports existing unrelated baseline issues in poll/capacitor-share areas outside this feature.

Manual test plan

  • Verify role badges and grouping in room/space members
  • Verify profile role badges
  • Verify delete/edit actions appear only with relevant permissions:
    • 9005 for delete event
    • 9002 for room/space metadata edit
    • 9000/9001/9009 for member operations
  • Verify relays without role tags still behave with legacy admin fallback
Addresses #47. **Summary** This introduces a forward-compatible NIP-29 RBAC implementation for room and space moderation/authorization.The app now parses role definitions from kind 39003, resolves user permissions from assigned roles, and updates moderation/admin UI gates from binary admin checks to permission-based checks. **Changes Made** * Added a dedicated RBAC core module to parse and derive role state: * Role definitions from kind 39003 tags: * role * role-label * role-color * role-order * role-permission * role-access * Added role-aware derivations: * deriveRoomRoles * deriveUserRoles * deriveUserPermissions * hasPermission * deriveUserIsSpaceAdmin * deriveUserIsRoomAdmin * deriveSpaceMemberRoleInfo * roleColorToCSS * Refactored room member/admin list parsing to preserve role annotations: * Room members/admins now resolve as structured entries with pubkey + roles * Updated sync and storage to include kind 39003 role events. * Added RoleBadge reusable component and integrated role badges/grouping in member/profile/detail UIs. * Replaced key binary admin checks with permission checks in: * Event delete moderation action * Room metadata edit/delete visibility * Space metadata edit visibility * Profile moderation actions * Space/room member management controls * Updated space action queue filtering to respect effective permissions. **Backward compatibility** * If relays do not publish role-permission tags, behavior falls back to current admin semantics: * room admin lists still grant full room moderation permissions * NIP-86 supported-methods fallback remains for space admin determination **Validation** * Lint formatting is clean for this branch’s changes. * Project typecheck still reports existing unrelated baseline issues in poll/capacitor-share areas outside this feature. **Manual test plan** * Verify role badges and grouping in room/space members * Verify profile role badges * Verify delete/edit actions appear only with relevant permissions: * 9005 for delete event * 9002 for room/space metadata edit * 9000/9001/9009 for member operations * Verify relays without role tags still behave with legacy admin fallback
hodlbod reviewed 2026-04-17 18:10:53 +00:00
hodlbod left a comment
Owner
Copy Link
Copy Source

This looks very good, nice and organized. Just a few comments.

  • Use constants instead of hard coded kind numbers
  • Add a sortRolesDesc helper to encapsulate the ugly sorting behavior
This looks very good, nice and organized. Just a few comments. - [ ] Use constants instead of hard coded kind numbers - [ ] Add a `sortRolesDesc` helper to encapsulate the ugly sorting behavior
src/app/components/RoomMembers.svelte Outdated
@@ -46,0 +103,4 @@
})
const removeUndefined = <T,>(items: Array<T | undefined>): T[] =>
items.filter((item): item is T => item !== undefined)
hodlbod commented 2026-04-17 17:39:44 +00:00
Owner
Copy Link
Copy Source

This exists already in @welshman/lib

This exists already in @welshman/lib
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +319,4 @@
set(false)
})
}),
)
hodlbod commented 2026-04-17 18:06:12 +00:00
Owner
Copy Link
Copy Source

This is redundant with deriveSupportedMethods in core/state.

This is redundant with `deriveSupportedMethods` in core/state.
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +501,4 @@
([$permissions, $isSpaceAdmin]) => $isSpaceAdmin || $permissions.size > 0,
)
export const hasPermission = (url: string, h: string, kind: number) =>
hodlbod commented 2026-04-17 18:08:47 +00:00
Owner
Copy Link
Copy Source

should be deriveHasPermission

should be deriveHasPermission
Khushvendra marked this conversation as resolved
src/app/core/state.ts Outdated
@@ -820,3 +823,1 @@
uniq(getPubkeyTagValues(event?.tags ?? [])),
)
}
export const deriveRoomMembers = deriveRoomMembersByRole
hodlbod commented 2026-04-17 18:09:51 +00:00
Owner
Copy Link
Copy Source

Instead of re-exporting, update imports

Instead of re-exporting, update imports
Khushvendra marked this conversation as resolved
src/app/core/state.ts Outdated
@@ -852,3 +843,1 @@
return []
})
}
export const deriveRoomAdmins = deriveRoomAdminsByRole
hodlbod commented 2026-04-17 18:09:54 +00:00
Owner
Copy Link
Copy Source

Instead of re-exporting, update imports

Instead of re-exporting, update imports
Khushvendra marked this conversation as resolved
src/app/core/state.ts Outdated
@@ -983,3 +981,1 @@
return store
})
export const deriveUserIsSpaceAdmin = deriveUserIsSpaceAdminByRole
hodlbod commented 2026-04-17 18:10:08 +00:00
Owner
Copy Link
Copy Source

Instead of re-exporting, update imports

Instead of re-exporting, update imports
Khushvendra marked this conversation as resolved
src/app/core/state.ts Outdated
@@ -1051,3 +1045,1 @@
[pubkey, deriveRoomAdmins(url, h), deriveUserIsSpaceAdmin(url)],
([$pubkey, $admins, $isSpaceAdmin]) => $isSpaceAdmin || $admins.includes($pubkey!),
)
export const deriveUserIsRoomAdmin = deriveUserIsRoomAdminByRole
hodlbod commented 2026-04-17 18:10:14 +00:00
Owner
Copy Link
Copy Source

Instead of re-exporting, update imports

Instead of re-exporting, update imports
Khushvendra marked this conversation as resolved
hodlbod reviewed 2026-04-17 23:16:01 +00:00
src/app/components/RoomDetail.svelte Outdated
@@ -68,0 +85,4 @@
accessLabel: Array.from(role.access).join(", "),
})),
),
)
hodlbod commented 2026-04-17 23:04:27 +00:00
Owner
Copy Link
Copy Source

Instead of mapping to an ad hoc data type, I would just defer the display logic until it's needed. You could add helper functions if needed.

Instead of mapping to an ad hoc data type, I would just defer the display logic until it's needed. You could add helper functions if needed.
Khushvendra marked this conversation as resolved
src/app/components/RoomDetail.svelte Outdated
@@ -259,0 +288,4 @@
<RoleBadge
role={role.name}
label={role.label}
color={role.color}
hodlbod commented 2026-04-17 23:05:14 +00:00
Owner
Copy Link
Copy Source

Since role is a defined data type, I would just pass the whole thing in and RoleBadge can accept a RoleDefinition

Since role is a defined data type, I would just pass the whole thing in and RoleBadge can accept a `RoleDefinition`
Khushvendra marked this conversation as resolved
src/app/components/RoomMembers.svelte Outdated
@@ -46,0 +69,4 @@
label: string
color?: number
order?: number
members: RoomMember[]
hodlbod commented 2026-04-17 23:08:57 +00:00
Owner
Copy Link
Copy Source

Try to re-use defined types when possible. This mostly overlaps with RoleDefinition.

Try to re-use defined types when possible. This mostly overlaps with RoleDefinition.
Khushvendra marked this conversation as resolved
src/app/components/RoomMembers.svelte Outdated
@@ -46,0 +106,4 @@
}
return groups
})
hodlbod commented 2026-04-17 23:10:13 +00:00
Owner
Copy Link
Copy Source

This whole thing could probably go in the roles.ts file. See if you can define types that make sense in this context. The fewer named (and especially ad-hoc) types, the easier the code is to read.

This whole thing could probably go in the `roles.ts` file. See if you can define types that make sense in this context. The fewer named (and especially ad-hoc) types, the easier the code is to read.
Khushvendra marked this conversation as resolved
src/app/components/SpaceMembers.svelte Outdated
@@ -45,0 +63,4 @@
roleDefinitions: Array<{name: string; label?: string; color?: number; order?: number}>
primaryRole?: {name: string; label?: string; color?: number}
sortKey: number
}
hodlbod commented 2026-04-17 23:11:01 +00:00
Owner
Copy Link
Copy Source

Same thing, see if you can adjust the data model so that this use case falls out naturally instead of being shoehorned in.

Same thing, see if you can adjust the data model so that this use case falls out naturally instead of being shoehorned in.
Khushvendra marked this conversation as resolved
src/app/components/SpaceMembers.svelte Outdated
@@ -45,0 +105,4 @@
label: member.primaryRole.label || roleName,
color: member.primaryRole.color,
order: member.sortKey,
members: [],
hodlbod commented 2026-04-17 23:11:19 +00:00
Owner
Copy Link
Copy Source

Lots of copying, this could be much simplified if you can make the data model flow

Lots of copying, this could be much simplified if you can make the data model flow
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +75,4 @@
hasPermissionTags: boolean
userPermissions: Set<number>
memberRoles: Map<string, RoleDefinition[]>
}
hodlbod commented 2026-04-17 23:15:58 +00:00
Owner
Copy Link
Copy Source

These types are the place where the most time should be spent on the next revision. These types aren't bad, but I think we could cut probably ~100 LOC by making them cleaner. I don't have time right now to give it the necessary thought though.

These types are the place where the most time should be spent on the next revision. These types aren't bad, but I think we could cut probably ~100 LOC by making them cleaner. I don't have time right now to give it the necessary thought though.
Khushvendra commented 2026-04-19 08:35:43 +00:00
Author
Contributor
Copy Link
Copy Source

ill have a look into this (less code = always better)

ill have a look into this (less code = always better)
Khushvendra marked this conversation as resolved
hodlbod reviewed 2026-04-21 17:36:06 +00:00
hodlbod left a comment
Owner
Copy Link
Copy Source

Looks very good, just a few more nitpicks

Looks very good, just a few more nitpicks
src/app/components/EventMenu.svelte Outdated
@@ -37,0 +41,4 @@
const h = getTagValue("h", event.tags)
const canDelete = h
? deriveHasPermission(url, h, ROOM_PERMISSION_DELETE_EVENT)
: deriveUserIsSpaceAdmin(url)
hodlbod commented 2026-04-21 17:19:42 +00:00
Owner
Copy Link
Copy Source

This ternary logic is halfway duplicated between callers and deriveHasPermission, since that function also takes into account deriveUserIsSpaceAdmin. I think a clean way to handle this would be to push the h tag check down by making it optional in deriveHasPermission. This will drastically simplify all our permission checks.

This ternary logic is halfway duplicated between callers and `deriveHasPermission`, since that function also takes into account `deriveUserIsSpaceAdmin`. I think a clean way to handle this would be to push the `h` tag check down by making it optional in `deriveHasPermission`. This will drastically simplify all our permission checks.
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +93,4 @@
}
const deriveEventsForUrl = (url: string, filters: Filter[] = [{}]) =>
deriveArray(deriveEventsByIdForUrl({url, tracker, repository, filters}))
hodlbod commented 2026-04-21 17:22:41 +00:00
Owner
Copy Link
Copy Source

This function exists already in core/state

This function exists already in core/state
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +255,4 @@
)
export const deriveRoomMembers = (url: string, h: string) =>
derived(deriveRoomListStore(url, h), $events => {
hodlbod commented 2026-04-21 17:26:14 +00:00
Owner
Copy Link
Copy Source

This could be simplified to

derived(
  deriveEventsForUrl(url, [{kinds: [ROOM_MEMBERS], '#d': [h]}]),
  ([event]) => {

The reason being that Repository handles replaceable event deduplication.

This could be simplified to ``` derived( deriveEventsForUrl(url, [{kinds: [ROOM_MEMBERS], '#d': [h]}]), ([event]) => { ``` The reason being that Repository handles replaceable event deduplication.
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +262,4 @@
})
export const deriveRoomAdmins = (url: string, h: string) =>
derived(deriveRoomListStore(url, h), $events => {
hodlbod commented 2026-04-21 17:26:22 +00:00
Owner
Copy Link
Copy Source

Same thing here, which means you can remove deriveRoomListStore

Same thing here, which means you can remove `deriveRoomListStore`
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +270,4 @@
const deriveRoomRoleState = simpleCache(([url, h]: [string, string]) =>
derived(deriveEventsForUrl(url, [{kinds: [ROOM_ROLES], "#d": [h]}]), $events =>
parseRoleState(getLatestEventByKind($events, ROOM_ROLES, h)),
hodlbod commented 2026-04-21 17:27:16 +00:00
Owner
Copy Link
Copy Source

Same here, no need for getLatest, just use the zero or one event provided. That means you can remove getLatestEventByKind too

Same here, no need for getLatest, just use the zero or one event provided. That means you can remove `getLatestEventByKind` too
Khushvendra marked this conversation as resolved
src/app/core/roles.ts Outdated
@@ -0,0 +438,4 @@
})
}
return snapshots
hodlbod commented 2026-04-21 17:31:12 +00:00
Owner
Copy Link
Copy Source

I don't understand the purpose of snapshots, couldn't you just use the latest event of each kind and parse members on demand? Or do you expect that to be computationally intensive? It seems odd to couple roles/members/admins like this instead of access each individually. Since this function is used in only one place it might just make sense to fold the logic in there to avoid the entire idea of snapshots.

I don't understand the purpose of snapshots, couldn't you just use the latest event of each kind and parse members on demand? Or do you expect that to be computationally intensive? It seems odd to couple roles/members/admins like this instead of access each individually. Since this function is used in only one place it might just make sense to fold the logic in there to avoid the entire idea of snapshots.
Khushvendra marked this conversation as resolved
src/app/core/state.ts Outdated
@@ -903,0 +892,4 @@
deriveUserSpacePermissions(url),
],
([$events, $isAdmin, $permissions]) => {
if (!$isAdmin) {
hodlbod commented 2026-04-21 17:34:44 +00:00
Owner
Copy Link
Copy Source

This seems unnecessary to me, isn't this taken into account by deriveUserSpacePermissions?

This seems unnecessary to me, isn't this taken into account by `deriveUserSpacePermissions`?
Khushvendra marked this conversation as resolved
src/app/core/state.ts Outdated
@@ -907,0 +906,4 @@
$permissions.has(ROOM_PERMISSION_ADD_MEMBER) ||
$permissions.has(ROOM_PERMISSION_REMOVE_MEMBER) ||
$permissions.has(ROOM_PERMISSION_BAN_USER) ||
$permissions.size === 0
hodlbod commented 2026-04-21 17:35:36 +00:00
Owner
Copy Link
Copy Source

The permissions.size is here because this assumes permissions aren't filled for the space admin, but I think that is actually done in the roles file.

The permissions.size is here because this assumes permissions aren't filled for the space admin, but I think that is actually done in the roles file.
Khushvendra marked this conversation as resolved
Khushvendra commented 2026-04-24 14:31:59 +00:00
Author
Contributor
Copy Link
Copy Source

@hodlbod Working on this, been a bit busy with the university exams. Sorry for the delay

@hodlbod Working on this, been a bit busy with the university exams. Sorry for the delay
hodlbod added 5 commits 2026-05-04 21:29:34 +00:00
feat(rbac): implement NIP-29 room roles and permission gating (#47) 559db6b930
Address RBAC review feedback 9756199fdf
Refactor role view models and member grouping 7568827d71
Polish RBAC role/member stores and remove state-role cycle 98bcf4c398
refactor: address PR review feedback for RBAC ba07c339eb
hodlbod force-pushed feat/nip29-rbac-47 from c2ea1cefc5 to ba07c339eb 2026-05-04 21:29:34 +00:00 Compare
hodlbod reviewed 2026-05-04 23:59:41 +00:00
hodlbod left a comment
Owner
Copy Link
Copy Source

Ok, unfortunately on another review I don't think I can merge this PR because it confuses room-level role based access control with space-level permissions. I think we need to take a step back and think about how group owners might actually use this and well as create a working backend implementation on zooid as well to test against.

Ok, unfortunately on another review I don't think I can merge this PR because it confuses room-level role based access control with space-level permissions. I think we need to take a step back and think about how group owners might actually use this and well as create a working backend implementation on zooid as well to test against.
src/app/components/SpaceMembers.svelte
@@ -42,0 +45,4 @@
const memberGroups = deriveGroupedSpaceMembers(url, members)
const canAddMember = deriveUserHasSpacePermission(url, ROOM_PERMISSION_ADD_MEMBER)
const canBanByPermission = deriveUserHasSpacePermission(url, ROOM_PERMISSION_BAN_USER)
const canUnallowByPermission = deriveUserHasSpacePermission(url, ROOM_PERMISSION_REMOVE_MEMBER)
hodlbod commented 2026-05-04 23:55:13 +00:00
Owner
Copy Link
Copy Source

I think this is mixing different concerns, the ability for a relay admin to ban/add relay members has nothing to do with a group admin's ability to ban/add group members. These actions should be based exclusively on nip 86 management methods (or equivalent rbac that we're planning to add to nip 43). Looking more closely at this whole PR, I am afraid we're creating a confusing mess — room roles should only apply to rooms, not spaces.

I think this is mixing different concerns, the ability for a relay admin to ban/add relay members has nothing to do with a group admin's ability to ban/add group members. These actions should be based exclusively on nip 86 management methods (or equivalent rbac that we're planning to add to nip 43). Looking more closely at this whole PR, I am afraid we're creating a confusing mess — room roles should only apply to rooms, not spaces.
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u https://gitea.coracle.social/Khushvendra/flotilla feat/nip29-rbac-47:Khushvendra-feat/nip29-rbac-47
git checkout Khushvendra-feat/nip29-rbac-47
Sign in to join this conversation.
Reviewers
No Reviewers
hodlbod
Labels
Clear labels
design
For issues related to design work. Development should be done in another issue and refer back to this one.
 dev
Issues related to development work
 easy
Issues that can be executed on by new contributors
 idea
For issues that aren't yet actionable
 priority
For issues related to high priority features and bugs
 usability
Issues that have to be validated with real live human beings.
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
hodlbod (hodlbod) mplorentz (Matt Lorentz) sakshamjain (Saksham Jain) sondreb triesap userAdityaa (Aditya Chaudhary)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: coracle/flotilla#220
Delete Branch "Khushvendra/flotilla:feat/nip29-rbac-47"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?