feat: relax topic restriction to allow issue and other hub metadata topics

Replace hard-coded `topic === 'notify'` check with regex-based validation
(`/^[a-z][a-z0-9._-]{0,63}$/`) so topics like `issue`, `issue.created`,
and `hub.record` can be broadcast through the relay. Also update WebSocket
broadcast `type` field to use the envelope's actual topic instead of
hard-coded `'notify'`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: mizchi

src/memory_handler.ts

@@ -130,6 +130,7 @@ const DEFAULT_MAX_CLOCK_SKEW_SEC = 300;
 const DEFAULT_NONCE_TTL_SEC = 600;
 const DEFAULT_MAX_NONCES_PER_SENDER = 2048;
 const ROOM_NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
+const TOPIC_PATTERN = /^[a-z][a-z0-9._-]{0,63}$/;
 const WS_OPEN_STATE = 1;
 
 function isObjectRecord(value: unknown): value is Record<string, unknown> {
@@ -171,6 +172,10 @@ function isValidRoomName(room: string): boolean {
   return ROOM_NAME_PATTERN.test(room);
 }
 
+function isValidTopic(topic: string): boolean {
+  return TOPIC_PATTERN.test(topic);
+}
+
 function invalidRoomResponse(): Response {
   return Response.json({ ok: false, error: 'invalid room' }, { status: 400 });
 }
@@ -406,10 +411,10 @@ function publishIntoRoom(
   payload: JsonValue,
   maxMessagesPerRoom: number,
 ): PublishResult {
-  if (topic !== 'notify') {
+  if (!isValidTopic(topic)) {
     return {
       status: 400,
-      body: { ok: false, error: `unsupported topic: ${topic}` },
+      body: { ok: false, error: `invalid topic: ${topic}` },
       changed: false,
       envelope: null,
     };
@@ -551,7 +556,7 @@ function broadcastPublish(
   cursor: number,
 ): void {
   const message = JSON.stringify({
-    type: 'notify',
+    type: envelope.topic,
     room,
     cursor,
     envelope: sanitizeEnvelope(envelope),
@@ -1403,6 +1408,7 @@ export {
   DEFAULT_ROOM,
   healthResponse,
   isValidRoomName,
+  isValidTopic,
   normalizeAuthToken,
   parseRoomTokens,
 };

tests/relay_handler_test.ts

@@ -336,3 +336,110 @@ Deno.test('requires bearer token when auth token configured', async () => {
   );
   assertEquals(authorized.status, 200);
 });
+
+Deno.test('publish and poll with topic=issue', async () => {
+  const handler = createMemoryRelayHandler({ requireSignatures: false });
+
+  const publish = await handler(
+    new Request('http://relay.local/api/v1/publish?room=main&sender=bit&topic=issue&id=i1', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ kind: 'issue.created', title: 'bug report' }),
+    }),
+  );
+  assertEquals(publish.status, 200);
+  assertObjectMatch(await publish.json(), { ok: true, accepted: true });
+
+  const poll = await handler(
+    new Request('http://relay.local/api/v1/poll?room=main&after=0&limit=10'),
+  );
+  assertEquals(poll.status, 200);
+  const body = await poll.json();
+  assertEquals(body.envelopes.length, 1);
+  assertObjectMatch(body.envelopes[0], {
+    topic: 'issue',
+    payload: { kind: 'issue.created', title: 'bug report' },
+  });
+});
+
+Deno.test('publish with dotted topic succeeds', async () => {
+  const handler = createMemoryRelayHandler({ requireSignatures: false });
+
+  const publish = await handler(
+    new Request(
+      'http://relay.local/api/v1/publish?room=main&sender=bit&topic=issue.created&id=d1',
+      {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ title: 'test' }),
+      },
+    ),
+  );
+  assertEquals(publish.status, 200);
+  assertObjectMatch(await publish.json(), { ok: true, accepted: true });
+
+  const poll = await handler(
+    new Request('http://relay.local/api/v1/poll?room=main&after=0&limit=10'),
+  );
+  const body = await poll.json();
+  assertEquals(body.envelopes[0].topic, 'issue.created');
+});
+
+Deno.test('publish rejects invalid topic - empty string', async () => {
+  const handler = createMemoryRelayHandler({ requireSignatures: false });
+
+  const publish = await handler(
+    new Request('http://relay.local/api/v1/publish?room=main&sender=bit&topic=&id=e1', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ data: 1 }),
+    }),
+  );
+  // empty topic falls back to 'notify' default
+  assertEquals(publish.status, 200);
+});
+
+Deno.test('publish rejects invalid topic - special characters', async () => {
+  const handler = createMemoryRelayHandler({ requireSignatures: false });
+
+  const publish = await handler(
+    new Request(
+      'http://relay.local/api/v1/publish?room=main&sender=bit&topic=foo%2Fbar&id=s1',
+      {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ data: 1 }),
+      },
+    ),
+  );
+  assertEquals(publish.status, 400);
+  assertObjectMatch(await publish.json(), { ok: false, error: 'invalid topic: foo/bar' });
+});
+
+Deno.test('publish rejects invalid topic - starts with digit', async () => {
+  const handler = createMemoryRelayHandler({ requireSignatures: false });
+
+  const publish = await handler(
+    new Request('http://relay.local/api/v1/publish?room=main&sender=bit&topic=1abc&id=n1', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ data: 1 }),
+    }),
+  );
+  assertEquals(publish.status, 400);
+  assertObjectMatch(await publish.json(), { ok: false, error: 'invalid topic: 1abc' });
+});
+
+Deno.test('publish rejects invalid topic - uppercase', async () => {
+  const handler = createMemoryRelayHandler({ requireSignatures: false });
+
+  const publish = await handler(
+    new Request('http://relay.local/api/v1/publish?room=main&sender=bit&topic=Notify&id=u1', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ data: 1 }),
+    }),
+  );
+  assertEquals(publish.status, 400);
+  assertObjectMatch(await publish.json(), { ok: false, error: 'invalid topic: Notify' });
+});