chore: merge upstream main and resolve NIP-25/NIP-12 conflicts

Author: CKodidela

.changeset/dark-places-tickle.md

@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+Fix root HTML negotiation and subpath-aware template links behind trusted proxies.

.changeset/geohash-prefix-filters.md

@@ -0,0 +1,9 @@
+---
+"nostream": patch
+---
+
+Implement geohash wildcard/prefix behavior for `#g` filters (closes #265): a
+criterion ending in `*` matches any event `g` tag whose value starts with the
+prefix before `*`; exact matching (no `*`) is unchanged. Only normal geohash
+prefixes are intended as input. This is a Nostream extension, not part of
+NIP-12.

.changeset/huge-trains-nail.md

@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+Use timingSafeEqual for Nodeless webhook HMAC verification and guard against missing NODELESS_WEBHOOK_SECRET

.changeset/jolly-canyons-glow.md

@@ -0,0 +1,5 @@
+---
+"nostream": minor
+---
+
+perf: added k6 performance tests for connection and message rate limiting

.changeset/thirty-turtles-design.md

@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+Fix Redis cache connection config to skip AUTH when `REDIS_PASSWORD` is unset

CONTRIBUTING.md

@@ -302,6 +302,41 @@ To observe client and subscription counts in real-time during a test, you can in
    docker compose logs -f nostream
    ```
 
+## Performance Testing (k6)
+
+Nostream includes k6-based load tests to validate rate limiter behavior under concurrent WebSocket
+connections. These tests verify that connection and message rate limits are correctly enforced.
+
+### Prerequisites
+
+Install [k6](https://grafana.com/docs/k6/latest/set-up/install-k6/) before running performance
+tests. k6 is a standalone Go binary and is not included as an npm dependency.
+
+### Running the Tests
+
+Ensure the relay is running first (`pnpm run cli -- start`), then:
+
+```bash
+# Test connection rate limiting
+pnpm run cli -- dev test:perf:connection
+
+# Test message rate limiting
+pnpm run cli -- dev test:perf:message
+```
+
+To test against a different relay instance:
+
+```bash
+k6 run -e RELAY_URL=ws://your-host:8008 test/performance/connection-limiting-k6.ts
+```
+
+### What the Tests Validate
+
+- **Connection rate limiter** — Ramps concurrent connections through multiple stages and verifies
+  the relay rejects excess connections beyond the configured limit (default: 12 conn/sec).
+- **Message rate limiter** — Opens WebSocket connections and sends continuous REQ messages,
+  verifying the relay returns NOTICE rejections when the message rate limit is exceeded.
+
 ## Local Quality Checks
 
 Run dead code and dependency analysis before opening a pull request:

package.json

@@ -77,6 +77,8 @@
     "test:load": "node -r ts-node/register ./scripts/security-load-test.ts",
     "smoke:nip03": "node -r ts-node/register scripts/smoke-nip03.ts",
     "test:integration": "cucumber-js",
+    "test:performance:connection-rate-limit": "k6 run test/performance/connection-limiting-k6.ts",
+    "test:performance:message-rate-limit": "k6 run test/performance/message-limiting-k6.ts",
     "cover:integration": "nyc --report-dir .coverage/integration pnpm run test:integration -p cover",
     "export": "node --env-file-if-exists=.env -r ts-node/register src/scripts/export-events.ts",
     "docker:compose:start": "pnpm run cli -- start",
@@ -125,6 +127,7 @@
     "@types/chai-as-promised": "^7.1.5",
     "@types/express": "4.17.21",
     "@types/js-yaml": "4.0.5",
+    "@types/k6": "^1.7.0",
     "@types/mocha": "^9.1.1",
     "@types/node": "^24.12.2",
     "@types/pg": "^8.6.5",
@@ -154,10 +157,9 @@
     "node": ">=24.14.1"
   },
   "dependencies": {
-    "@getalby/sdk": "^5.0.0",
     "@clack/prompts": "^1.2.0",
+    "@getalby/sdk": "^5.0.0",
     "@noble/secp256k1": "1.7.1",
-    "accepts": "^1.3.8",
     "axios": "^1.15.0",
     "cac": "^7.0.0",
     "colorette": "^2.0.20",

pnpm-lock.yaml

@@ -9,7 +9,7 @@
   </head>
   <body lang="en">
     <main class="container">
-      <form method="post" action="/invoices">
+      <form method="post" action="{{path_prefix}}/invoices">
         <div class="row">
           <div class="col">
             <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
@@ -46,7 +46,7 @@ <h1 class="mt-4 mb-4 text-center text-nowrap">{{name}}</h1>
               <div class="form-check">
                 <input class="form-check-input" type="checkbox" id="tosAccepted" name="tosAccepted" value="yes" required>
                 <label class="form-check-label" for="tosAccepted">
-                  I have read and agree to the <a href="/terms" class="card-link" target="_blank" rel="noopener noreferrer">Terms of Service</a>
+                  I have read and agree to the <a href="{{path_prefix}}/terms" class="card-link" target="_blank" rel="noopener noreferrer">Terms of Service</a>
                 </label>
               </div>
             </div>

resources/get-invoice.html

@@ -46,7 +46,7 @@ <h5 class="card-title">Admission Required</h5>
                 This relay requires a one-time admission fee of <strong>{{amount}} sats</strong>
                 to publish events. Reading events is free.
               </p>
-              <a href="/invoices" class="btn btn-warning">Pay Admission Fee</a>
+              <a href="{{path_prefix}}/invoices" class="btn btn-warning">Pay Admission Fee</a>
             </div>
           </div>
 
@@ -62,9 +62,9 @@ <h5 class="card-title">Open Relay</h5>
 
           <!-- Legal links -->
           <div class="d-flex justify-content-center gap-3 mt-2 mb-5">
-            <a href="/terms" class="text-muted small">Terms of Service</a>
+            <a href="{{path_prefix}}/terms" class="text-muted small">Terms of Service</a>
             <span class="text-muted small">·</span>
-            <a href="/privacy" class="text-muted small">Privacy Policy</a>
+            <a href="{{path_prefix}}/privacy" class="text-muted small">Privacy Policy</a>
           </div>
 
         </div>