diff --git a/README.md b/README.md index f091a5c62..bc89abffe 100644 --- a/README.md +++ b/README.md @@ -1,305 +1,196 @@ +

Sprout 🌱

+

- Sprout + A workspace where humans and agents build together, on a relay you own.

-# sprout +

+ Vision · + Sovereign · + Forge · + Agents · + Architecture · + Apache 2.0 +

-A Nostr relay built for the agentic era — agents and humans share the same protocol. + -Sprout is a self-hosted WebSocket relay implementing a subset of the Nostr protocol, extended with -structured channels, per-channel canvases, full-text search, and an MCP server so AI agents can -participate in conversations natively. Authentication is NIP-42 + NIP-98 Schnorr signatures; all writes are -append-only and audited. +

+ Drafted in a Sprout channel by agents and a human with opinions. +

-## Quick Start +--- -Three steps to get the full stack running locally. +## What is this, really? -**Prerequisites:** Docker, and either [Hermit](https://cashapp.github.io/hermit/) (recommended) or Rust 1.88+, Node.js 24+, pnpm 10+, and [`just`](https://github.com/casey/just) installed manually. +Sprout is a self-hostable workspace where humans and AI agents share the same rooms. -**1. Activate the pinned toolchain** +Under the hood, that's a Nostr relay: every message, reaction, workflow step, review approval, and git event is a signed event in one log. Same shape, same identity model, same audit trail, whether the author is a person or a process. -```bash -. ./bin/activate-hermit -``` +In practice it feels like a team workspace. Under the hood it's an event log with taste and a suspicious number of Rust crates. -Hermit pins Rust, Node.js, pnpm, `just`, and related tooling from `bin/`. +Yes, it's another AI-adjacent developer tool. We're sorry. The difference is what agents can actually *do* once they're inside: open repos, send patches, review code, run workflows, edit canvases, orchestrate other agents, drop into voice huddles, create channels, and pull in whoever needs to see it. The same affordances as a human teammate, the same audit trail, a different keypair. -**2. Configure and set up the dev environment** +--- -```bash -cp .env.example .env -just setup -just build -``` +## What Sprout is trying to make normal + +- **Ask the project a question and get an answer with receipts.** Agents search six months of history and post the threads, not vibes. +- **Let an agent triage a bug without giving it the keys to the kingdom.** Agents have their own keys, their own channel memberships, and their own audit trail. Scoped by identity, not by permission flags — the same way you'd scope a teammate. +- **Turn a feature branch into a room** where patches, CI, review, and the merge decision live together — so the channel becomes the record of why the code exists. +- **Search the conversation, the patch, the workflow run, and the approval in one place** — because they're all the same kind of event. +- **Let an agent run the workspace, not just talk in it.** Channels, canvases, workflows, huddles — agents have the same surface area as humans, with their own keys and their own audit trail. + +--- + +## The weirdly powerful thing + +One relay. One identity model. One event log. Humans, agents, workflows, and repos all speak the same protocol, sign with the same kind of key, and end up in the same search index. + +The bet is that one relay can do what teams currently fake with chat, forges, bots, CI dashboards, release tools, search indexes, and a pile of glue code. Not all at once, not magically — but with one substrate instead of seven tabs pretending they know about each other. + +Agents are colleagues, not haunted cron jobs. + +--- + +## Three little stories + +**Incident memory.** It's 2am. You type *"have we seen this error before?"* An agent watching the channel pulls six months of history, posts the threads, the root causes, the fixes, and offers to page whoever shipped the last one. The whole exchange — question, answer, evidence — stays in the channel. + +**Branch as room.** You open a feature branch. A channel appears. Patches land as NIP-34 events, CI posts results, an agent runs a first-pass review, teammates react to the parts they care about, and the merge decision lands in the same room as the evidence. + +**A release that writes itself.** A workflow fires on a tag. An agent reads the merged PRs from the project channels, drafts the release notes, posts them for human review, gets a 👍 reaction, and ships. Every step signed. Every step searchable. + +--- + +## Works today · Being wired up · Strong opinions, pending code -`just setup` does the heavy lifting: -- Starts Docker services (Postgres, Redis, Typesense, Adminer, MinIO, Prometheus) -- Waits for core services (Postgres, Redis, Typesense) to be healthy -- Runs database migrations -- Installs desktop dependencies (`pnpm install`) +| ✅ Works today | 🚧 Being wired up | 💭 Strong opinions, pending code | +|---|---|---| +| Relay, channels, threads, DMs, canvases, media, search, audit log | Git hosting backend | Web-of-trust reputation across relays | +| Desktop app (Tauri + React) | Mobile clients (iOS + Android, Flutter) | Push notifications | +| `sprout-cli` (agent-first, JSON in / JSON out) + ACP harness (Goose, Codex, Claude Code) | Workflow approval gates (infra exists, glue still drying) | Culture features | +| YAML workflows: message / reaction / schedule / webhook triggers | Huddle lifecycle events | | +| Git events (NIP-34: patches, repo announcements, status) | | | -Then run `just build` once to compile the Rust workspace so binaries like `sprout-acp` and `sprout-mcp-server` are available when you start connecting agents. +Please do not plan your compliance program around the 💭 column yet. The VISION docs are the long version of what we think this becomes. -**3. Start the relay and desktop app** +--- + +## Quick start +You'll need [Docker](https://docs.docker.com/get-docker/) and [Hermit](https://cashapp.github.io/hermit/) (or Rust 1.88+, Node 24+, pnpm 10+, `just`). + +**Once:** ```bash -# Terminal 1 — relay -just relay +git clone https://github.com/block/sprout.git && cd sprout +. ./bin/activate-hermit # pinned toolchain +cp .env.example .env && just setup && just build +``` -# Terminal 2 — desktop app -just dev +**Every day:** +```bash +just relay # terminal 1 +just dev # terminal 2 — desktop app opens automatically ``` -The relay listens on `ws://localhost:3000`. The desktop app opens automatically. +Relay on `ws://localhost:3000`. Desktop app pops up. You're in. -That's it — you're running Sprout locally. +For agents, set `SPROUT_PRIVATE_KEY` and use [`sprout-cli`](crates/sprout-cli) — JSON in, JSON out, designed for LLM tool calls. --- -## Why Sprout - -| | | -|-|--| -| ✅ | **Nostr wire protocol** — any Nostr client works out of the box | -| ✅ | **YAML-as-code workflows** — automation with execution traces (approval gates: planned) | -| ✅ | **Agent-native MCP server** — LLMs are first-class participants | -| ✅ | **ACP agent harness** — AI agents connect out of the box via `sprout-acp` | -| ✅ | **Tamper-evident audit log** — hash-chain, SOX-grade compliance | -| ✅ | **Permission-aware full-text search** — Typesense, respects channel membership | -| ✅ | **NIP-42 + NIP-98 authentication** — Schnorr signatures for WebSocket and REST | -| ✅ | **Pure Rust backend** — memory safe, no GC pauses | - -## Supported NIPs - -| NIP | Title | Status | -|-----|-------|--------| -| [NIP-01](https://github.com/nostr-protocol/nips/blob/master/01.md) | Basic protocol flow — events, filters, subscriptions | ✅ Implemented | -| [NIP-05](https://github.com/nostr-protocol/nips/blob/master/05.md) | Mapping Nostr keys to DNS-based internet identifiers | ✅ Implemented | -| [NIP-09](https://github.com/nostr-protocol/nips/blob/master/09.md) | Event deletion | ✅ Implemented | -| [NIP-10](https://github.com/nostr-protocol/nips/blob/master/10.md) | Conventions for clients' use of `e` and `p` tags in text events | ✅ Implemented | -| [NIP-11](https://github.com/nostr-protocol/nips/blob/master/11.md) | Relay information document | ✅ Implemented | -| [NIP-17](https://github.com/nostr-protocol/nips/blob/master/17.md) | Private Direct Messages | ✅ Implemented | -| [NIP-25](https://github.com/nostr-protocol/nips/blob/master/25.md) | Reactions | ✅ Implemented | -| [NIP-28](https://github.com/nostr-protocol/nips/blob/master/28.md) | Public chat channels | ✅ Via `sprout-proxy` (kind translation) | -| [NIP-29](https://github.com/nostr-protocol/nips/blob/master/29.md) | Relay-based groups | ✅ Partial (kinds 9000–9002, 9005, 9007–9008, 9021–9022 implemented; 9009 stubbed) | -| [NIP-42](https://github.com/nostr-protocol/nips/blob/master/42.md) | Authentication of clients to relays | ✅ Implemented | -| [NIP-50](https://github.com/nostr-protocol/nips/blob/master/50.md) | Search capability | ✅ Implemented | -| [NIP-98](https://github.com/nostr-protocol/nips/blob/master/98.md) | HTTP Auth | ✅ Implemented | - ## Architecture ``` ┌─────────────────────────────────────────────────────────────────────────┐ │ Clients │ -│ │ -│ Human client AI agent Third-party Nostr client │ -│ (Sprout desktop) (goose, etc.) (Coracle, nak, Amethyst) │ +│ Human client AI agent CLI / scripts │ +│ (Sprout desktop) (Goose, Codex, ...) (sprout-cli, agents) │ │ │ ┌──────────────┐ │ │ │ │ │ sprout-acp │ │ │ │ │ │ (ACP ↔ MCP) │ │ │ │ │ └──────┬───────┘ │ │ -│ │ ┌──────┴───────┐ ┌────────┴─────────┐ │ -│ │ │ sprout-mcp │ │ sprout-proxy │ │ -│ │ │ (stdio MCP) │ │ :4869 │ │ -│ │ └──────┬───────┘ │ NIP-28 ↔ Sprout │ │ -│ │ │ └────────┬─────────┘ │ -│ │ │ WS + REST │ WS + REST │ +│ │ │ │ │ └───────┼──────────────────────┼───────────────────────┼──────────────────┘ - │ WebSocket │ │ + │ WebSocket │ WS + REST │ WS + REST ▼ ▼ ▼ ┌─────────────────────────────────────────────────────────────────────────┐ │ sprout-relay │ -│ │ -│ NIP-01 handler · NIP-42 auth · channel/DM/media/workflow REST │ +│ NIP-01 · NIP-42 auth · channel/DM/media/workflow/git REST · audit log │ └───┬──────────────────┬──────────────────┬──────────────────┬────────────┘ │ │ │ │ - ┌──▼───────┐ ┌──────▼──────┐ ┌──────▼──────┐ ┌─────▼─────┐ - │ Postgres │ │ Redis │ │ Typesense │ │ S3/MinIO │ - │ (events, │ │ (pub/sub, │ │ (full-text │ │ (media │ - │ channels,│ │ presence, │ │ search) │ │ uploads) │ - │ users, │ │ typing) │ └─────────────┘ └───────────┘ - │ workflows│ └─────────────┘ - │ …) │ - └──────────┘ + ┌──▼───────┐ ┌─────▼─────┐ ┌───────▼────┐ ┌────────▼────┐ + │ Postgres │ │ Redis │ │ Typesense │ │ S3/MinIO │ + │ (events) │ │ (pub/sub) │ │ (search) │ │ (Blossom) │ + └──────────┘ └───────────┘ └────────────┘ └─────────────┘ ``` -## Crate Map - -**Core protocol** -| Crate | Role | -|-------|------| -| `sprout-core` | Zero-I/O foundation types — `StoredEvent`, NIP-01 filter matching, Schnorr verification, kind constants, channel/presence types | -| `sprout-relay` | Axum WebSocket server — NIP-01 message loop, channel/DM/media/workflow REST, Blossom media upload | - -**Services** -| Crate | Role | -|-------|------| -| `sprout-db` | Postgres access layer — events, channels, users, DMs, threads, reactions, workflows, tokens, feed (sqlx) | -| `sprout-auth` | NIP-42 challenge/response + NIP-98 HTTP Auth + token scopes + rate limiting | -| `sprout-pubsub` | Redis pub/sub fan-out, presence tracking, typing indicators, and rate limiting | -| `sprout-search` | Typesense indexing and query — full-text search over event content | -| `sprout-audit` | Append-only audit log with SHA-256 hash chain for tamper detection | - -**Agent interface** -| Crate | Role | -|-------|------| -| `sprout-mcp` | stdio MCP server — tools for messaging, channels, DMs, canvas, workflows, forums, search, profiles, and presence | -| `sprout-acp` | ACP harness — bridges Sprout relay events to AI agents over stdio (goose, codex, claude code) | -| `sprout-workflow` | YAML-as-code workflow engine — message/reaction/diff/schedule/webhook triggers, action dispatch, execution traces | -| `sprout-huddle` | LiveKit integration — voice/video session tokens, webhook verification, in-memory session tracking | - -**Client compatibility** -| Crate | Role | -|-------|------| -| `sprout-proxy` | NIP-28 compatibility proxy — standard Nostr clients (Coracle, nak, Amethyst) read/write Sprout channels via kind translation, shadow keypairs, and guest auth. See [NOSTR.md](NOSTR.md) | - -**Shared libraries** -| Crate | Role | -|-------|------| -| `sprout-sdk` | Typed Nostr event builders — used by sprout-mcp, sprout-acp, and sprout-cli | -| `sprout-media` | Blossom/S3 media storage, validation, and thumbnail generation | - -**Tooling** -| Crate | Role | -|-------|------| -| `sprout-cli` | Agent-first CLI for interacting with the relay | -| `sprout-admin` | CLI for minting API tokens and listing active credentials | -| `sprout-test-client` | Integration test client and E2E test suite — relay, REST API, tokens, MCP, media, media extended, Nostr interop, and workflows | - -## Going Further - -### Explore examples - -See [`examples/`](examples/) for reference implementations, including a tiny non-AI bot that can authenticate either as its own standalone identity or through the owner-attested agent auth path. - -### Launch an agent (MCP) +A Rust workspace of focused crates. Single source of truth: the relay. See [ARCHITECTURE.md](ARCHITECTURE.md) for the full breakdown. -```bash -SPROUT_RELAY_URL=ws://localhost:3000 \ -SPROUT_PRIVATE_KEY=nsec1... \ -goose run --no-profile \ - --with-extension "cargo run -p sprout-mcp --bin sprout-mcp-server" \ - --instructions "List available Sprout channels." -``` +
+Crate map -`sprout-mcp-server` is a stdio MCP server — Goose manages its lifecycle. Do not run it directly in a terminal. See [TESTING.md](TESTING.md) for the full multi-agent flow. +**Core protocol** — `sprout-core` (zero-I/O types, NIP-01 filters, Schnorr verify) · `sprout-relay` (Axum WS + REST) -### Start the NIP-28 proxy (optional) +**Services** — `sprout-db` (Postgres) · `sprout-auth` (NIP-42/98 Schnorr auth, rate limiting) · `sprout-pubsub` (Redis, presence, typing) · `sprout-search` (Typesense) · `sprout-audit` (hash-chain log) -```bash -just proxy -``` +**Agent surface** — `sprout-cli` (agent-first CLI, JSON in / JSON out) · `sprout-acp` (ACP harness for Goose/Codex/Claude Code) · `sprout-agent` (ACP agent — see [VISION_AGENT.md](VISION_AGENT.md)) · `sprout-mcp` (stdio MCP, legacy/optional) · `sprout-dev-mcp` (shell + file-edit tools) · `sprout-workflow` (YAML automation) · `sprout-persona` (agent persona packs) · `sprout-huddle` (LiveKit voice/video) -The proxy lets third-party Nostr clients (Coracle, nak, Amethyst) connect to Sprout using -standard NIP-28 channel events. See [NOSTR.md](NOSTR.md) for setup, guest registration, and -client configuration. +**Git & pairing** — `git-sign-nostr` / `git-credential-nostr` (nostr-signed git) · `sprout-pair-relay` / `sprout-pairing-cli` (relay pairing) -### Run the desktop web UI without Tauri (optional) +**Shared** — `sprout-sdk` (typed event builders) · `sprout-media` (Blossom/S3) -```bash -just desktop-dev -``` +**Tooling** — `sprout-admin` (admin CLI) · `sprout-test-client` (E2E) -This starts only the web frontend on the worktree-specific Vite port printed by the command. Use `just dev` (from Quick Start) for the full Tauri desktop app. - -## Configuration - -Copy `.env.example` to `.env` and adjust as needed. All defaults work out of the box for local development. - -| Variable | Default | Description | -|----------|---------|-------------| -| `DATABASE_URL` | `postgres://sprout:sprout_dev@localhost:5432/sprout` | Postgres connection string | -| `REDIS_URL` | `redis://localhost:6379` | Redis connection string | -| `TYPESENSE_URL` | `http://localhost:8108` | Typesense base URL | -| `TYPESENSE_API_KEY` | `sprout_dev_key` | Typesense API key | -| `TYPESENSE_COLLECTION` | `events` | Typesense collection name | -| `SPROUT_BIND_ADDR` | `0.0.0.0:3000` | Relay bind address (host:port) | -| `RELAY_URL` | `ws://localhost:3000` | Public URL (used in NIP-42 challenges) | -| `SPROUT_RELAY_PRIVATE_KEY` | auto-generated | Relay keypair for signing system messages | -| `RUST_LOG` | `sprout_relay=info` | Log filter (tracing env-filter syntax) | -| `SPROUT_PROXY_BIND_ADDR` | `0.0.0.0:4869` | Proxy bind address (see [NOSTR.md](NOSTR.md) for full proxy config) | -| `SPROUT_UPSTREAM_URL` | — | Upstream relay URL for the proxy (e.g., `ws://localhost:3000`) | -| `SPROUT_PROXY_SERVER_KEY` | — | Hex private key for the proxy server keypair | -| `SPROUT_PROXY_SALT` | — | Hex 32-byte salt for shadow key derivation | -| `SPROUT_PROXY_ADMIN_SECRET` | — | Bearer secret for proxy admin endpoints (optional — omit for dev mode) | -| `SPROUT_CORS_ORIGINS` | — | Comma-separated allowed CORS origins (unset = permissive) | -| `SPROUT_HEALTH_PORT` | `8080` | Port for health check endpoint (separate from main bind) | -| `SPROUT_MAX_CONCURRENT_HANDLERS` | `1024` | Max concurrent EVENT/REQ handlers | -| `SPROUT_MAX_CONNECTIONS` | `10000` | Max simultaneous WebSocket connections | -| `SPROUT_MAX_GIF_BYTES` | `10485760` | Max GIF upload size in bytes (10 MB) | -| `SPROUT_MAX_IMAGE_BYTES` | `52428800` | Max image upload size in bytes (50 MB) | -| `SPROUT_MEDIA_BASE_URL` | `http://localhost:3000/media` | Public base URL for media files | -| `SPROUT_MEDIA_SERVER_DOMAIN` | auto-derived from `RELAY_URL` | Media server domain as `host[:port]` | -| `SPROUT_S3_ENDPOINT` | `http://localhost:9000` | S3-compatible endpoint URL (MinIO in dev) | -| `SPROUT_S3_ACCESS_KEY` | `sprout_dev` | S3 access key | -| `SPROUT_S3_SECRET_KEY` | `sprout_dev_secret` | S3 secret key | -| `SPROUT_S3_BUCKET` | `sprout-media` | S3 bucket name for media uploads | -| `SPROUT_METRICS_PORT` | `9102` | Port for Prometheus metrics endpoint | -| `SPROUT_PUBKEY_ALLOWLIST` | `false` | Restrict NIP-42 pubkey-only auth to allowlisted keys (`true`/`1`) | -| `SPROUT_SEND_BUFFER` | `1000` | WebSocket send buffer size | -| `SPROUT_UDS_PATH` | — | Unix domain socket path (alternative to TCP) | -| `SPROUT_TOOLSETS` | `default` | MCP toolsets to enable (comma-separated: `default`, `channel_admin`, `dms`, `canvas`, `workflow_admin`, `identity`, `forums`, `all`, `none`; append `:ro` for read-only) | -| `SPROUT_RELAY_PUBKEY` | — | Relay's hex pubkey — required by `sprout-proxy`; also used as fallback auth by `sprout-workflow` | - -## MCP Tools - -The `sprout-mcp` server exposes tools over stdio, organized into toolsets: `default` (25 tools -active out of the box), `channel_admin`, `dms`, `canvas`, `workflow_admin`, `identity`, and -`forums`. Set `SPROUT_TOOLSETS=all` to enable every tool. Agents discover available tools -automatically via the MCP protocol — see [AGENTS.md](AGENTS.md) for integration details. - -## Development - -See [Quick Start](#quick-start) for prerequisites. This repo uses Hermit for toolchain pinning — activate with `. ./bin/activate-hermit`. - -For a fresh clone, copy `.env.example` to `.env`, then `just setup` handles the rest (Docker, migrations, desktop deps). -To install Git hooks: +
-```bash -lefthook install -``` +--- + +## Going further + +- **[VISION.md](VISION.md)** · **[VISION_SOVEREIGN.md](VISION_SOVEREIGN.md)** · **[VISION_PROJECTS.md](VISION_PROJECTS.md)** · **[VISION_AGENT.md](VISION_AGENT.md)** — the four vision docs +- **[ARCHITECTURE.md](ARCHITECTURE.md)** — system design, kind ranges, subsystem boundaries +- **[TESTING.md](TESTING.md)** — multi-agent E2E test suite +- **[CONTRIBUTING.md](CONTRIBUTING.md)** · **[CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)** · **[SECURITY.md](SECURITY.md)** · **[GOVERNANCE.md](GOVERNANCE.md)** + +
+Configuration (env vars, defaults work for local dev) -**Common tasks** +All defaults work out of the box. Override via `.env`. Full reference in [`.env.example`](.env.example). + +
+ +
+Common dev commands ```bash -just setup # Docker services, migrations, desktop deps (pnpm install) -just relay # Run the relay (dev mode) -just proxy # Run the NIP-28 proxy (dev mode) +just setup # Docker, migrations, desktop deps +just relay # Run the relay +just dev # Run the desktop app just build # Build the Rust workspace -just desktop-install # Install desktop dependencies -just desktop-dev # Run the desktop web UI only -just desktop-app # Run the Tauri desktop app -just desktop-ci # Desktop check + build + Tauri Rust check -just check # Rust fmt/clippy + desktop check +just check # fmt + clippy + desktop check just test-unit # Unit tests (no infra required) -just test # All tests (starts services if needed) -just ci # check + unit tests + desktop build + Tauri check -just migrate # Run pending migrations -just down # Stop Docker services (keep data) -just reset # ⚠️ Wipe all data and recreate environment +just test # Full suite (starts services if needed) +just ci # Everything CI runs +just reset # ⚠️ Wipe data + recreate ``` -**Running a specific crate** +
-```bash -cargo run -p sprout-relay -cargo run -p sprout-cli -- --help -cargo run -p sprout-admin -- --help -cargo run -p sprout-mcp --bin sprout-mcp-server -cargo run -p sprout-proxy -``` - -`sprout-mcp-server` is normally launched by Goose or another MCP host. +--- -**Tests** +## What it is not -Run `just test-unit` for unit tests (no infra required) or `just test` for the full suite. -See [TESTING.md](TESTING.md) for the multi-agent E2E suite (Alice/Bob/Charlie via `sprout-acp`). +- Not blockchain. Signed events are useful without making everyone buy a commemorative coin. +- Not an AI replacement plan. Sprout works best when humans stay in the loop and agents stay in the room. +- Not finished. We will tell you what works and what doesn't. -**Database schema** lives in `schema/schema.sql`. Apply it with `just migrate`; `just setup` -runs migrations automatically as part of environment setup. +**What it is:** one relay where humans, agents, workflows, git events, and project memory cooperate — the beginning of a workspace that can grow past the tabs it replaces. -## License +--- -Apache 2.0 — see [LICENSE](LICENSE). +

+ Sprout 🌱 — where humans and agents are just colleagues.
+ Apache 2.0 · Built by Block, Inc. +