feat: allow NIP-07 access while extension is locked

Add a toggle on the lock screen that lets websites use NIP-07 (getPublicKey,
signEvent, encrypt/decrypt) while the UI stays locked, as long as keys are
still in memory from a previous unlock in the session. Lock still protects
the UI — no viewing/exporting keys, changing settings, or vault access.

- background.js: conditional sessionKeys retention on lock, ask() bypass
  when keys available, new message handlers (getNostrAccessWhileLocked,
  setNostrAccessWhileLocked, getActiveProfileInfo)
- sidepanel.html: lock screen card with profile info, material-design
  toggle switch, copy-npub button, responsive layout, anchored footer
  with NostrKey.com / Ts&Cs / Donate links
- sidepanel.js: locked access state, renderLockedAccessCard() with
  color-coded status, toggle and copy handlers
- docs/support.html: add "Support the Project" donation card with
  Lightning address and Nostr link

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

distros/chrome/background-sw.build.js

@@ -1185,6 +1185,10 @@ td {
   position: fixed;
 }
 
+.absolute {
+  position: absolute;
+}
+
 .relative {
   position: relative;
 }

distros/chrome/background.build.js

@@ -115,6 +115,47 @@
                 background-color: #a6e22e;
                 color: #272822;
             }
+            /* Material-style toggle switch */
+            .toggle-switch {
+                position: relative;
+                display: inline-block;
+                width: 44px;
+                height: 24px;
+                flex-shrink: 0;
+            }
+            .toggle-switch input {
+                opacity: 0;
+                width: 0;
+                height: 0;
+                position: absolute;
+            }
+            .toggle-slider {
+                position: absolute;
+                cursor: pointer;
+                top: 0; left: 0; right: 0; bottom: 0;
+                background-color: #49483e;
+                border-radius: 24px;
+                transition: background-color 0.2s ease;
+            }
+            .toggle-slider::before {
+                content: '';
+                position: absolute;
+                height: 18px;
+                width: 18px;
+                left: 3px;
+                bottom: 3px;
+                background-color: #8f908a;
+                border-radius: 50%;
+                transition: transform 0.2s ease, background-color 0.2s ease;
+                box-shadow: 0 1px 3px rgba(0,0,0,0.3);
+            }
+            .toggle-switch input:checked + .toggle-slider {
+                background-color: rgba(166, 226, 46, 0.3);
+            }
+            .toggle-switch input:checked + .toggle-slider::before {
+                transform: translateX(20px);
+                background-color: #a6e22e;
+            }
             .hidden { display: none !important; }
             @media (prefers-reduced-motion: reduce) {
                 *, *::before, *::after {
@@ -129,7 +170,8 @@
     <body>
         <div class="sidepanel-layout">
             <!-- LOCKED STATE -->
-            <div id="locked-view" class="sidepanel-content hidden">
+            <div id="locked-view" class="hidden" style="display:flex;flex-direction:column;height:100%;">
+                <div class="sidepanel-content" style="flex:1;overflow-y:auto;padding-left:max(8px, calc((100% - 320px) / 2));padding-right:max(8px, calc((100% - 320px) / 2));">
                 <div class="flex flex-col items-center gap-4 py-8">
                     <svg aria-hidden="true" width="48" height="48" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
                         <path d="M16 12V8a4 4 0 10-8 0v4" stroke="#a6e22e" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"></path>
@@ -150,20 +192,52 @@
                         <div id="unlock-error" class="text-sm font-bold mt-2 hidden" style="color:#fd971f;" aria-live="assertive"></div>
                         <button class="button w-full mt-3" type="submit">Unlock</button>
                     </form>
-                    <div style="margin-top:24px;text-align:center;">
+                    <div style="margin-top:8px;text-align:center;width:100%;max-width:320px;">
                         <button id="forgot-password-btn" type="button" style="background:none;border:none;color:#b0b0a8;font-size:0.85rem;cursor:pointer;text-decoration:underline;">
                             Forgot password? Start fresh
                         </button>
                     </div>
                     <!-- Reset confirmation (hidden by default) -->
-                    <div id="reset-confirm" class="hidden" style="margin-top:16px;padding:16px;background:#3e3d32;border-radius:8px;border:1px solid #f92672;">
+                    <div id="reset-confirm" class="hidden" style="width:100%;max-width:320px;margin-top:16px;padding:16px;background:#3e3d32;border-radius:8px;border:1px solid #f92672;box-sizing:border-box;">
                         <p style="color:#f92672;font-size:0.9rem;font-weight:bold;margin-bottom:8px;">Delete all data?</p>
                         <p style="color:#b0b0a8;font-size:0.85rem;margin-bottom:16px;">This will permanently delete all your profiles, keys, and vault data. This cannot be undone.</p>
                         <div class="flex gap-2">
                             <button id="confirm-reset-btn" class="button flex-1" type="button" style="border-color:#f92672;color:#f92672;">Delete Everything</button>
                             <button id="cancel-reset-btn" class="button flex-1" type="button">Cancel</button>
                         </div>
                     </div>
+                    <!-- Active profile + Nostr access toggle -->
+                    <div id="locked-access-card" class="hidden" style="width:100%;max-width:320px;margin-top:24px;padding:16px;background:#3e3d32;border-radius:12px;border:1px solid #49483e;">
+                        <div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:12px;">
+                            <div style="min-width:0;flex:1;">
+                                <div style="font-size:0.8rem;color:#b0b0a8;">Active Profile</div>
+                                <div id="locked-profile-name" style="font-size:1rem;color:#f8f8f2;font-weight:600;margin-top:2px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;">—</div>
+                                <div id="locked-profile-npub" style="font-size:0.75rem;color:#8f908a;margin-top:4px;font-family:monospace;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;"></div>
+                            </div>
+                            <button id="copy-locked-npub-btn" class="button" type="button" title="Copy npub" aria-label="Copy public key" style="min-width:auto;padding:8px 12px;margin-left:12px;flex-shrink:0;">
+                                <svg aria-hidden="true" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="#a6e22e" stroke-width="1.5">
+                                    <path d="M19.4 20H9.6a.6.6 0 01-.6-.6V9.6a.6.6 0 01.6-.6h9.8a.6.6 0 01.6.6v9.8a.6.6 0 01-.6.6z"></path>
+                                    <path d="M15 9V4.6a.6.6 0 00-.6-.6H4.6a.6.6 0 00-.6.6v9.8a.6.6 0 00.6.6H9"></path>
+                                </svg>
+                            </button>
+                        </div>
+                        <label class="flex items-center gap-3 cursor-pointer" style="padding:4px 0;">
+                            <span class="toggle-switch">
+                                <input id="nostr-access-toggle" type="checkbox" />
+                                <span class="toggle-slider"></span>
+                            </span>
+                            <span style="color:#f8f8f2;font-size:14px;">Allow Nostr access while locked</span>
+                        </label>
+                        <p id="nostr-access-status" style="color:#b0b0a8;font-size:0.8rem;margin-top:6px;line-height:1.4;"></p>
+                    </div>
+                </div>
+                </div>
+                <div style="flex-shrink:0;padding:12px 16px;border-top:1px solid #49483e;background:#3e3d32;text-align:center;font-size:0.75rem;">
+                    <a href="https://nostrkey.com" target="_blank" rel="noopener" style="color:#b0b0a8;text-decoration:none;">NostrKey.com</a>
+                    <span style="color:#49483e;margin:0 6px;">|</span>
+                    <a href="https://nostrkey.com/terms.html" target="_blank" rel="noopener" style="color:#b0b0a8;text-decoration:none;">Ts &amp; Cs</a>
+                    <span style="color:#49483e;margin:0 6px;">|</span>
+                    <a href="https://nostrkey.com/support.html#donate" target="_blank" rel="noopener" style="color:#a6e22e;text-decoration:none;">Donate</a>
                 </div>
             </div>
 

distros/chrome/options.build.css

@@ -101,11 +101,12 @@ let locked = true; // start locked; determined on first isLocked check
 let encryptionEnabled = false; // cached encryption state for fast lookups
 let autoLockTimeout = 15 * 60 * 1000; // 15 minutes default
 let autoLockTimer = null;
+let nostrAccessWhileLocked = false;
 
 // Load persisted state on startup
 (async () => {
     log('[STARTUP] Reading persisted state...');
-    const data = await storage.get({ autoLockMinutes: 15, isEncrypted: false, passwordHash: null });
+    const data = await storage.get({ autoLockMinutes: 15, isEncrypted: false, passwordHash: null, nostrAccessWhileLocked: false });
     log(`[STARTUP] isEncrypted=${data.isEncrypted}, passwordHash=${data.passwordHash ? 'EXISTS' : 'null'}, autoLockMinutes=${data.autoLockMinutes}`);
     autoLockTimeout = data.autoLockMinutes * 60 * 1000;
     // Defensive: if passwordHash exists but flag is stale, self-heal
@@ -115,6 +116,7 @@ let autoLockTimer = null;
         data.isEncrypted = true;
     }
     encryptionEnabled = data.isEncrypted;
+    nostrAccessWhileLocked = !!data.nostrAccessWhileLocked;
     // If encryption is enabled, we start locked
     locked = encryptionEnabled;
     log(`[STARTUP] Final state: encryptionEnabled=${encryptionEnabled}, locked=${locked}`);
@@ -144,14 +146,16 @@ function resetAutoLock() {
  * Lock the session — clear all decrypted keys from memory.
  */
 function lockSession() {
-    sessionKeys.clear();
+    if (!nostrAccessWhileLocked) {
+        sessionKeys.clear();
+    }
     sessionPassword = null;
     locked = true;
     if (autoLockTimer) {
         clearTimeout(autoLockTimer);
         autoLockTimer = null;
     }
-    log('Session locked.');
+    log(`Session locked. Keys retained: ${nostrAccessWhileLocked && sessionKeys.size > 0}`);
 }
 
 /**
@@ -410,6 +414,7 @@ api.runtime.onMessage.addListener((message, _sender, sendResponse) => {
                     sessionPassword = null;
                     locked = false;
                     encryptionEnabled = false;
+                    nostrAccessWhileLocked = false;
                     // Re-initialize with default profile
                     await storage.set({
                         profiles: [{ name: 'Default Nostr Profile', privKey: '', pubKey: '' }],
@@ -442,6 +447,50 @@ api.runtime.onMessage.addListener((message, _sender, sendResponse) => {
             sendResponse(true);
             return true;
 
+        // --- Nostr access while locked ---
+        case 'getNostrAccessWhileLocked':
+            sendResponse(nostrAccessWhileLocked);
+            return true;
+        case 'setNostrAccessWhileLocked':
+            nostrAccessWhileLocked = !!message.payload;
+            storage.set({ nostrAccessWhileLocked: !!message.payload });
+            if (!message.payload && locked) {
+                sessionKeys.clear();  // Turning OFF while locked = clear keys immediately
+            }
+            sendResponse(true);
+            return true;
+        case 'getActiveProfileInfo':
+            (async () => {
+                try {
+                    const pi = await getProfileIndex();
+                    const profiles = await getProfiles();
+                    const profile = profiles[pi];
+                    if (!profile) {
+                        log('[getActiveProfileInfo] No profile found at index ' + pi);
+                        sendResponse({ name: 'Unknown', npub: '', hasKeys: false });
+                        return;
+                    }
+                    let npub = '';
+                    if (profile.type === 'bunker' && profile.remotePubkey) {
+                        npub = nip19.npubEncode(profile.remotePubkey);
+                    } else if (profile.pubKey) {
+                        npub = nip19.npubEncode(profile.pubKey);
+                    }
+                    const result = {
+                        name: profile.name || 'Unnamed Profile',
+                        npub,
+                        hasKeys: sessionKeys.has(pi),
+                        isBunker: profile.type === 'bunker',
+                    };
+                    log('[getActiveProfileInfo] Sending: ' + JSON.stringify(result));
+                    sendResponse(result);
+                } catch (e) {
+                    log('[getActiveProfileInfo] Error: ' + e.message);
+                    sendResponse({ name: 'Error', npub: '', hasKeys: false });
+                }
+            })();
+            return true;
+
         // --- NIP-49 ncryptsec handlers ---
         case 'ncryptsec.decrypt':
             reply(sendResponse, async () => {
@@ -920,10 +969,14 @@ async function ask(uuid, { kind, host, payload }) {
     if (!isBunker) {
         const isLocked = await checkLockState();
         if (isLocked) {
-            const sendResponse = validations[uuid];
-            delete validations[uuid];
-            sendResponse?.({ error: 'locked', message: 'Extension is locked. Please unlock with your master password.' });
-            return;
+            if (!(nostrAccessWhileLocked && sessionKeys.has(pi))) {
+                // No keys available — reject as before
+                const sendResponse = validations[uuid];
+                delete validations[uuid];
+                sendResponse?.({ error: 'locked', message: 'Extension is locked. Please unlock with your master password.' });
+                return;
+            }
+            // Keys available despite lock — proceed with permission check
         }
     }
 

distros/chrome/sidepanel.build.js

@@ -1185,6 +1185,10 @@ td {
   position: fixed;
 }
 
+.absolute {
+  position: absolute;
+}
+
 .relative {
   position: relative;
 }