Dockerfile

@@ -1,32 +1,20 @@
-# Patched from upstream kind-0/nsecbunkerd Dockerfile to use pnpm — the
-# upstream version uses `npm install` but package.json declares
-# `@nostr-dev-kit/ndk` as `workspace:*`, which only pnpm understands.
-# A clean clone of upstream fails to build with `EUNSUPPORTEDPROTOCOL`
-# under npm. Switching to pnpm matches the lockfile that ships in-repo.
-# Also drops `--frozen-lockfile` because the upstream pnpm-lock.yaml is
-# out of date vs. package.json (ERR_PNPM_OUTDATED_LOCKFILE) — bug to
-# file upstream once we've verified the rest of the stack works.
-
 FROM node:20.11-bullseye AS build
 
 WORKDIR /app
 
-RUN npm install -g pnpm@9
-
-# Copy lockfile + manifest first so the install layer caches across
-# source changes.
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --no-frozen-lockfile
+# Copy package files and install dependencies
+COPY package*.json ./
+RUN npm install
 
 # Copy application files
 COPY . .
 
 # Generate prisma client and build the application
 RUN npx prisma generate
-RUN pnpm run build
+RUN npm run build
 
 # Runtime stage
-FROM node:20.11-alpine AS runtime
+FROM node:20.11-alpine as runtime
 
 WORKDIR /app
 
@@ -34,13 +22,11 @@ RUN apk update && \
     apk add --no-cache openssl && \
     rm -rf /var/cache/apk/*
 
-RUN npm install -g pnpm@9
-
 # Copy built files from the build stage
 COPY --from=build /app .
 
-# Install only runtime dependencies (pnpm respects the workspace protocol)
-RUN pnpm install --prod --no-frozen-lockfile
+# Install only runtime dependencies
+RUN npm install --only=production
 
 EXPOSE 3000
 

package.json

@@ -39,7 +39,7 @@
     "@fastify/view": "^8.2.0",
     "@inquirer/password": "^1.1.2",
     "@inquirer/prompts": "^1.2.3",
-    "@nostr-dev-kit/ndk": "2.8.1",
+    "@nostr-dev-kit/ndk": "workspace:*",
     "@prisma/client": "^5.4.1",
     "@scure/base": "^1.1.1",
     "@types/yargs": "^17.0.24",

src/daemon/admin/index.ts

@@ -122,12 +122,7 @@ class AdminInterface {
 
             this.rpc.on('request', (req) => this.handleRequest(req));
 
-            // pingOrDie disabled — NDK 2.8.1 outbox model doesn't echo
-            // self-published events back through subscriptions on
-            // non-public relay channels, so the watchdog fires false
-            // positives and exits the bunker every 50s on private relays.
-            // See aiolabs/nsecbunkerd#4 + #7.
-            // pingOrDie(this.ndk);
+            pingOrDie(this.ndk);
         }).catch((err) => {
             console.log('❌ admin connection failed');
             console.log(err);

src/daemon/run.ts

@@ -230,14 +230,8 @@ class Daemon {
 
         if (nsec.startsWith('nsec1')) {
             try {
-                // NDK 2.8.1's NDKPrivateKeySigner constructor passes its
-                // arg straight to nostr-tools getPublicKey() which requires
-                // 32-byte hex / bytes / bigint, not bech32. Without this
-                // decode, every key created via create_new_key fails to
-                // load with the nostr-tools getPublicKey type error, so
-                // the bunker can never sign for any target it provisions.
-                // See aiolabs/nsecbunkerd#8.
-                hexpk = nip19.decode(nsec).data as string;
+                const key = new NDKPrivateKeySigner(nsec);
+                hexpk = key.privateKey!;
             } catch(e) {
                 console.error(`Error loading key ${name}:`, e);
                 return