perf(bunker): make NIP-46 publish non-blocking at app wiring level; resolve immediately and let responses drive timing/results

- Helps align our request shape with Amber's expected BunkerRequest format

.gitignore

@@ -11,4 +11,5 @@ dist
 # Reference Projects
 applesauce
 primal-web-app
+Amber
 

Amber.md

@@ -0,0 +1,77 @@
+## Boris ↔ Amber bunker: current findings
+
+- **Environment**
+  - Client: Boris (web) using `applesauce` stack (`NostrConnectSigner`, `RelayPool`).
+  - Bunker: Amber (mobile).
+  - We restored a `nostr-connect` account from localStorage and re-wired the signer to the app `RelayPool` before use.
+
+## What we changed client-side
+
+- **Signer wiring**
+  - Bound `NostrConnectSigner.subscriptionMethod/publishMethod` to the app `RelayPool` at startup.
+  - After deserialization, recreated the signer with pool context and merged its relays with app `RELAYS` (includes local relays).
+  - Opened the signer subscription and performed a guarded `connect()` with default permissions including `nip04_encrypt/decrypt` and `nip44_encrypt/decrypt`.
+
+- **Probes and timeouts**
+  - Initial probe tried `decrypt('invalid-ciphertext')` → timed out.
+  - Switched to roundtrip probes: `encrypt(self, ... )` then `decrypt(self, cipher)` for both nip-44 and nip-04.
+  - Increased probe timeout from 3s → 10s; increased bookmark decrypt timeout from 15s → 30s.
+
+- **Logging**
+  - Added logs for publish/subscribe and parsed the NIP-46 request content length.
+  - Confirmed NIP‑46 request events are kind `24133` with a single `p` tag (expected). The method is inside the encrypted content, so it prints as `method: undefined` (expected).
+
+## Evidence from logs (client)
+
+```
+[bunker] ✅ Wired NostrConnectSigner to RelayPool publish/subscription
+[bunker] 🔗 Signer relays merged with app RELAYS: (19) [...]
+[bunker] subscribe via signer: { relays: [...], filters: [...] }
+[bunker] ✅ Signer subscription opened
+[bunker] publish via signer: { relays: [...], kind: 24133, tags: [['p', <remote>]], contentLength: 260|304|54704 }
+[bunker] 🔎 Probe nip44 roundtrip (encrypt→decrypt)… → probe timeout after 10000ms
+[bunker] 🔎 Probe nip04 roundtrip (encrypt→decrypt)… → probe timeout after 10000ms
+bookmarkProcessing.ts: ❌ nip44.decrypt failed: Decrypt timeout after 30000ms
+bookmarkProcessing.ts: ❌ nip04.decrypt failed: Decrypt timeout after 30000ms
+```
+
+Notes:
+- Final signer status shows `listening: true`, `isConnected: true`, and requests are published to 19 relays (includes Amber’s).
+
+## Evidence from Amber (device)
+
+- Activity screen shows multiple entries for: “Encrypt data using nip 4” and “Encrypt data using nip 44” with green checkmarks.
+- No entries for “Decrypt data using nip 4” or “Decrypt data using nip 44”.
+
+## Interpretation
+
+- Transport and publish paths are working: Boris is publishing NIP‑46 requests (kind 24133) and Amber receives them (ENCRYPT activity visible).
+- The persistent failure is specific to DECRYPT handling: Amber does not show any DECRYPT activity and Boris receives no decrypt responses within 10–30s windows.
+- Client-side wiring is likely correct (subscription open, permissions requested, relays merged). The remaining issue appears provider-side in Amber’s NIP‑46 decrypt handling or permission gating.
+
+## Repro steps (quick)
+
+1) Revoke Boris in Amber.
+2) Reconnect with a fresh bunker URI; approve signing and both encrypt/decrypt scopes for nip‑04 and nip‑44.
+3) Keep Amber unlocked and foregrounded.
+4) Reload Boris; observe:
+   - Logs showing `publish via signer` for kind 24133.
+   - In Amber, activity should include “Decrypt data using nip 4/44”.
+
+If DECRYPT entries still don’t appear:
+
+- This points to Amber’s NIP‑46 provider not executing/authorizing `nip04_decrypt`/`nip44_decrypt` methods, or not publishing responses.
+
+## Suggestions for Amber-side debugging
+
+- Verify permission gating allows `nip04_decrypt` and `nip44_decrypt` (not just encrypt).
+- Confirm the provider recognizes NIP‑46 methods `nip04_decrypt` and `nip44_decrypt` in the decrypted payload and routes them to decrypt routines.
+- Ensure the response event is published back to the same relays and correctly addressed to the client (`p` tag set and content encrypted back to client pubkey).
+- Add activity logging for “Decrypt …” attempts and failures to surface denial/exception states.
+
+## Current conclusion
+
+- Client is configured and publishing requests correctly; encryption proves end‑to‑end path is alive.
+- The missing DECRYPT activity in Amber is the blocker. Fixing Amber’s NIP‑46 decrypt handling should resolve bookmark decryption in Boris without further client changes.
+
+

CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.24] - 2025-01-16
+
+### Fixed
+
+- TypeScript global declarations for build-time defines
+  - Added proper type declarations for `__APP_VERSION__`, `__GIT_COMMIT__`, `__GIT_BRANCH__`, `__BUILD_TIME__`, and `__GIT_COMMIT_URL__`
+  - Resolved ESLint no-undef errors for build-time injected variables
+  - Added Node.js environment hint to Vite configuration
+
 ## [0.6.23] - 2025-01-16
 
 ### Fixed
@@ -1751,7 +1760,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Optimize relay usage following applesauce-relay best practices
 - Use applesauce-react event models for better profile handling
 
-[Unreleased]: https://github.com/dergigi/boris/compare/v0.6.23...HEAD
+[Unreleased]: https://github.com/dergigi/boris/compare/v0.6.24...HEAD
+[0.6.24]: https://github.com/dergigi/boris/compare/v0.6.23...v0.6.24
 [0.6.23]: https://github.com/dergigi/boris/compare/v0.6.22...v0.6.23
 [0.6.21]: https://github.com/dergigi/boris/compare/v0.6.20...v0.6.21
 [0.6.20]: https://github.com/dergigi/boris/compare/v0.6.19...v0.6.20

src/App.tsx

@@ -4,10 +4,13 @@ import { FontAwesomeIcon } from '@fortawesome/react-fontawesome'
 import { faSpinner } from '@fortawesome/free-solid-svg-icons'
 import { EventStoreProvider, AccountsProvider, Hooks } from 'applesauce-react'
 import { EventStore } from 'applesauce-core'
-import { AccountManager } from 'applesauce-accounts'
+import { AccountManager, Accounts } from 'applesauce-accounts'
 import { registerCommonAccountTypes } from 'applesauce-accounts/accounts'
 import { RelayPool } from 'applesauce-relay'
+import { NostrConnectSigner } from 'applesauce-signers'
+import { getDefaultBunkerPermissions } from './services/nostrConnect'
 import { createAddressLoader } from 'applesauce-loaders/loaders'
+import Debug from './components/Debug'
 import Bookmarks from './components/Bookmarks'
 import RouteDebug from './components/RouteDebug'
 import Toast from './components/Toast'
@@ -15,6 +18,7 @@ import { useToast } from './hooks/useToast'
 import { useOnlineStatus } from './hooks/useOnlineStatus'
 import { RELAYS } from './config/relays'
 import { SkeletonThemeProvider } from './components/Skeletons'
+import { DebugBus } from './utils/debugBus'
 
 const DEFAULT_ARTICLE = import.meta.env.VITE_DEFAULT_ARTICLE_NADDR || 
   'naddr1qvzqqqr4gupzqmjxss3dld622uu8q25gywum9qtg4w4cv4064jmg20xsac2aam5nqqxnzd3cxqmrzv3exgmr2wfesgsmew'
@@ -166,6 +170,7 @@ function AppRoutes({
           />
         } 
       />
+      <Route path="/debug" element={<Debug />} />
       <Route path="/" element={<Navigate to={`/a/${DEFAULT_ARTICLE}`} replace />} />
     </Routes>
   )
@@ -187,20 +192,57 @@ function App() {
       // Register common account types (needed for deserialization)
       registerCommonAccountTypes(accounts)
       
+      // Create relay pool and set it up BEFORE loading accounts
+      // NostrConnectAccount.fromJSON needs this to restore the signer
+      const pool = new RelayPool()
+      // Wire the signer to use this pool; make publish non-blocking so callers don't
+      // wait for every relay send to finish. Responses still resolve the pending request.
+      NostrConnectSigner.subscriptionMethod = pool.subscription.bind(pool)
+      NostrConnectSigner.publishMethod = (relays: string[], event: unknown) => {
+        const result: any = pool.publish(relays, event as any)
+        if (result && typeof (result as any).subscribe === 'function') {
+          try { (result as any).subscribe({ complete: () => {}, error: () => {} }) } catch {}
+        }
+        // Return an already-resolved promise so upstream await finishes immediately
+        return Promise.resolve()
+      }
+      console.log('[bunker] ✅ Wired NostrConnectSigner to RelayPool publish/subscription (before account load)')
+      
+      // Create a relay group for better event deduplication and management
+      pool.group(RELAYS)
+      console.log('[bunker] Created relay group with', RELAYS.length, 'relays (including local)')
+      
       // Load persisted accounts from localStorage
       try {
-        const json = JSON.parse(localStorage.getItem('accounts') || '[]')
+        const accountsJson = localStorage.getItem('accounts')
+        console.log('[bunker] Raw accounts from localStorage:', accountsJson)
+        
+        const json = JSON.parse(accountsJson || '[]')
+        console.log('[bunker] Parsed accounts:', json.length, 'accounts')
+        
         await accounts.fromJSON(json)
-        console.log('Loaded', accounts.accounts.length, 'accounts from storage')
+        console.log('[bunker] Loaded', accounts.accounts.length, 'accounts from storage')
+        console.log('[bunker] Account types:', accounts.accounts.map(a => ({ id: a.id, type: a.type })))
         
         // Load active account from storage
         const activeId = localStorage.getItem('active')
-        if (activeId && accounts.getAccount(activeId)) {
-          accounts.setActive(activeId)
-          console.log('Restored active account:', activeId)
+        console.log('[bunker] Active ID from localStorage:', activeId)
+        
+        if (activeId) {
+          const account = accounts.getAccount(activeId)
+          console.log('[bunker] Found account for ID?', !!account, account?.type)
+          
+          if (account) {
+            accounts.setActive(activeId)
+            console.log('[bunker] ✅ Restored active account:', activeId, 'type:', account.type)
+          } else {
+            console.warn('[bunker] ⚠️  Active ID found but account not in list')
+          }
+        } else {
+          console.log('[bunker] No active account ID in localStorage')
         }
       } catch (err) {
-        console.error('Failed to load accounts from storage:', err)
+        console.error('[bunker] ❌ Failed to load accounts from storage:', err)
       }
       
       // Subscribe to accounts changes and persist to localStorage
@@ -217,12 +259,197 @@ function App() {
         }
       })
       
-      const pool = new RelayPool()
+      // Reconnect bunker signers when active account changes
+      // Keep track of which accounts we've already reconnected to avoid double-connecting
+      const reconnectedAccounts = new Set<string>()
       
-      // Create a relay group for better event deduplication and management
-      pool.group(RELAYS)
-      console.log('Created relay group with', RELAYS.length, 'relays (including local)')
-      console.log('Relay URLs:', RELAYS)
+            const bunkerReconnectSub = accounts.active$.subscribe(async (account) => {
+              console.log('[bunker] Active account changed:', { 
+                hasAccount: !!account, 
+                type: account?.type,
+                id: account?.id 
+              })
+              
+              if (account && account.type === 'nostr-connect') {
+                const nostrConnectAccount = account as Accounts.NostrConnectAccount<unknown>
+                // Disable applesauce account queueing so decrypt requests aren't serialized behind earlier ops
+                try {
+                  if (!(nostrConnectAccount as unknown as { disableQueue?: boolean }).disableQueue) {
+                    (nostrConnectAccount as unknown as { disableQueue?: boolean }).disableQueue = true
+                    console.log('[bunker] ⚙️  Disabled account request queueing for nostr-connect')
+                  }
+                } catch (err) { console.warn('[bunker] failed to disable queue', err) }
+                // Note: for Amber bunker, the remote signer pubkey is the user's pubkey. This is expected.
+                
+                // Skip if we've already reconnected this account
+                if (reconnectedAccounts.has(account.id)) {
+                  console.log('[bunker] ⏭️  Already reconnected this account, skipping')
+                  return
+                }
+                
+                console.log('[bunker] Account detected. Status:', {
+                  listening: nostrConnectAccount.signer.listening,
+                  isConnected: nostrConnectAccount.signer.isConnected,
+                  hasRemote: !!nostrConnectAccount.signer.remote,
+                  bunkerRelays: nostrConnectAccount.signer.relays
+                })
+                
+                try {
+                  // For restored signers, ensure they have the pool's subscription methods
+                  // The signer was created in fromJSON without pool context, so we need to recreate it
+                  const signerData = nostrConnectAccount.toJSON().signer
+                  
+                  // Add bunker's relays to the pool BEFORE recreating the signer
+                  // This ensures the pool has all relays when the signer sets up its methods
+                  const bunkerRelays = signerData.relays || []
+                  const existingRelayUrls = new Set(Array.from(pool.relays.keys()))
+                  const newBunkerRelays = bunkerRelays.filter(url => !existingRelayUrls.has(url))
+                  
+                  if (newBunkerRelays.length > 0) {
+                    console.log('[bunker] Adding bunker relays to pool BEFORE signer recreation:', newBunkerRelays)
+                    pool.group(newBunkerRelays)
+                  } else {
+                    console.log('[bunker] Bunker relays already in pool')
+                  }
+                  
+                  const recreatedSigner = new NostrConnectSigner({
+                    relays: signerData.relays,
+                    pubkey: nostrConnectAccount.pubkey,
+                    remote: signerData.remote,
+                    signer: nostrConnectAccount.signer.signer, // Use the existing SimpleSigner
+                    pool: pool
+                  })
+                  // Ensure local relays are included for NIP-46 request/response traffic (e.g., Amber bunker)
+                  try {
+                    const mergedRelays = Array.from(new Set([...(signerData.relays || []), ...RELAYS]))
+                    recreatedSigner.relays = mergedRelays
+                    console.log('[bunker] 🔗 Signer relays merged with app RELAYS:', mergedRelays)
+                  } catch (err) { console.warn('[bunker] failed to merge signer relays', err) }
+                  
+                  // Replace the signer on the account
+                  nostrConnectAccount.signer = recreatedSigner
+                  console.log('[bunker] ✅ Signer recreated with pool context')
+
+                  // Debug: log publish/subscription calls made by signer (decrypt/sign requests)
+                  // IMPORTANT: bind originals to preserve `this` context used internally by the signer
+                  const originalPublish = (recreatedSigner as unknown as { publishMethod: (relays: string[], event: unknown) => unknown }).publishMethod.bind(recreatedSigner)
+                  ;(recreatedSigner as unknown as { publishMethod: (relays: string[], event: unknown) => unknown }).publishMethod = (relays: string[], event: unknown) => {
+                    try {
+                      let method: string | undefined
+                      const content = (event as { content?: unknown })?.content
+                      if (typeof content === 'string') {
+                        try {
+                          const parsed = JSON.parse(content) as { method?: string; id?: unknown }
+                          method = parsed?.method
+                        } catch (err) { console.warn('[bunker] failed to parse event content', err) }
+                      }
+                      const summary = {
+                        relays,
+                        kind: (event as { kind?: number })?.kind,
+                        method,
+                        // include tags array for debugging (NIP-46 expects method tag)
+                        tags: (event as { tags?: unknown })?.tags,
+                        contentLength: typeof content === 'string' ? content.length : undefined
+                      }
+                      console.log('[bunker] publish via signer:', summary)
+                      try { DebugBus.info('bunker', 'publish', summary) } catch (err) { console.warn('[bunker] failed to log to DebugBus', err) }
+                    } catch (err) { console.warn('[bunker] failed to log publish summary', err) }
+                    // Fire-and-forget publish: trigger the publish but do not return the
+                    // Observable/Promise to upstream to avoid their awaiting of completion.
+                    const result = originalPublish(relays, event)
+                    if (result && typeof (result as { subscribe?: unknown }).subscribe === 'function') {
+                      try { (result as { subscribe: (h: { complete?: () => void; error?: (e: unknown) => void }) => unknown }).subscribe({ complete: () => {}, error: () => {} }) } catch {}
+                    }
+                    // If it's a Promise, simply ignore it (no await) so it resolves in the background.
+                    // Return a benign object so callers that probe for a "subscribe" property
+                    // (e.g., applesauce makeRequest) won't throw on `"subscribe" in result`.
+                    return {} as unknown as never
+                  }
+                  const originalSubscribe = (recreatedSigner as unknown as { subscriptionMethod: (relays: string[], filters: unknown[]) => unknown }).subscriptionMethod.bind(recreatedSigner)
+                  ;(recreatedSigner as unknown as { subscriptionMethod: (relays: string[], filters: unknown[]) => unknown }).subscriptionMethod = (relays: string[], filters: unknown[]) => {
+                    try {
+                      console.log('[bunker] subscribe via signer:', { relays, filters })
+                      try { DebugBus.info('bunker', 'subscribe', { relays, filters }) } catch (err) { console.warn('[bunker] failed to log subscribe to DebugBus', err) }
+                    } catch (err) { console.warn('[bunker] failed to log subscribe summary', err) }
+                    return originalSubscribe(relays, filters)
+                  }
+
+                  
+                  // Just ensure the signer is listening for responses - don't call connect() again
+                  // The fromBunkerURI already connected with permissions during login
+                  if (!nostrConnectAccount.signer.listening) {
+                    console.log('[bunker] Opening signer subscription...')
+                    await nostrConnectAccount.signer.open()
+                    console.log('[bunker] ✅ Signer subscription opened')
+                  } else {
+                    console.log('[bunker] ✅ Signer already listening')
+                  }
+                  
+                  // Attempt a guarded reconnect to ensure Amber authorizes decrypt operations
+                  try {
+                    if (nostrConnectAccount.signer.remote && !reconnectedAccounts.has(account.id)) {
+                      const permissions = getDefaultBunkerPermissions()
+                      console.log('[bunker] Attempting guarded connect() with permissions to ensure decrypt perms', { count: permissions.length })
+                      await nostrConnectAccount.signer.connect(undefined, permissions)
+                      console.log('[bunker] ✅ Guarded connect() succeeded with permissions')
+                    }
+                  } catch (e) {
+                    console.warn('[bunker] ⚠️ Guarded connect() failed:', e)
+                  }
+                  
+                  // Give the subscription a moment to fully establish before allowing decrypt operations
+                  // This ensures the signer is ready to handle and receive responses
+                  await new Promise(resolve => setTimeout(resolve, 100))
+                  console.log("[bunker] Subscription ready after startup delay")
+                  // Fire-and-forget: probe decrypt path to verify Amber responds to NIP-46 decrypt
+                  try {
+                    const withTimeout = async <T,>(p: Promise<T>, ms = 10000): Promise<T> => {
+                      return await Promise.race([
+                        p,
+                        new Promise<T>((_, rej) => setTimeout(() => rej(new Error(`probe timeout after ${ms}ms`)), ms)),
+                      ])
+                    }
+                    setTimeout(async () => {
+                      const self = nostrConnectAccount.pubkey
+                      // Try a roundtrip so the bunker can respond successfully
+                      try {
+                        console.log('[bunker] 🔎 Probe nip44 roundtrip (encrypt→decrypt)…')
+                        const cipher44 = await withTimeout(nostrConnectAccount.signer.nip44!.encrypt(self, 'probe-nip44'))
+                        const plain44 = await withTimeout(nostrConnectAccount.signer.nip44!.decrypt(self, cipher44))
+                        console.log('[bunker] 🔎 Probe nip44 responded:', typeof plain44 === 'string' ? plain44 : typeof plain44)
+                      } catch (err) {
+                        console.log('[bunker] 🔎 Probe nip44 result:', err instanceof Error ? err.message : err)
+                      }
+                      try {
+                        console.log('[bunker] 🔎 Probe nip04 roundtrip (encrypt→decrypt)…')
+                        const cipher04 = await withTimeout(nostrConnectAccount.signer.nip04!.encrypt(self, 'probe-nip04'))
+                        const plain04 = await withTimeout(nostrConnectAccount.signer.nip04!.decrypt(self, cipher04))
+                        console.log('[bunker] 🔎 Probe nip04 responded:', typeof plain04 === 'string' ? plain04 : typeof plain04)
+                      } catch (err) {
+                        console.log('[bunker] 🔎 Probe nip04 result:', err instanceof Error ? err.message : err)
+                      }
+                    }, 0)
+                  } catch (err) {
+                    console.log('[bunker] 🔎 Probe setup failed:', err)
+                  }
+                  // The bunker remembers the permissions from the initial connection
+                  nostrConnectAccount.signer.isConnected = true
+                  
+                  console.log('[bunker] Final signer status:', {
+                    listening: nostrConnectAccount.signer.listening,
+                    isConnected: nostrConnectAccount.signer.isConnected,
+                    remote: nostrConnectAccount.signer.remote,
+                    relays: nostrConnectAccount.signer.relays
+                  })
+                  
+                  // Mark this account as reconnected
+                  reconnectedAccounts.add(account.id)
+                  console.log('[bunker] 🎉 Signer ready for signing')
+                } catch (error) {
+                  console.error('[bunker] ❌ Failed to open signer:', error)
+                }
+              }
+            })
       
       // Keep all relay connections alive indefinitely by creating a persistent subscription
       // This prevents disconnection when no other subscriptions are active
@@ -252,6 +479,7 @@ function App() {
       return () => {
         accountsSub.unsubscribe()
         activeSub.unsubscribe()
+        bunkerReconnectSub.unsubscribe()
         // Clean up keep-alive subscription if it exists
         const poolWithSub = pool as unknown as { _keepAliveSubscription?: { unsubscribe: () => void } }
         if (poolWithSub._keepAliveSubscription) {
@@ -268,7 +496,7 @@ function App() {
     return () => {
       if (cleanup) cleanup()
     }
-  }, [])
+  }, [isOnline, showToast])
 
   // Monitor online/offline status
   useEffect(() => {

src/components/BookmarkList.tsx

@@ -21,6 +21,7 @@ import { RELAYS } from '../config/relays'
 import { Hooks } from 'applesauce-react'
 import BookmarkFilters, { BookmarkFilterType } from './BookmarkFilters'
 import { filterBookmarksByType } from '../utils/bookmarkTypeClassifier'
+import LoginOptions from './LoginOptions'
 
 interface BookmarkListProps {
   bookmarks: Bookmark[]
@@ -153,7 +154,9 @@ export const BookmarkList: React.FC<BookmarkListProps> = ({
         />
       )}
       
-      {filteredBookmarks.length === 0 && allIndividualBookmarks.length > 0 ? (
+      {!activeAccount ? (
+        <LoginOptions />
+      ) : filteredBookmarks.length === 0 && allIndividualBookmarks.length > 0 ? (
         <div className="empty-state">
           <p>No bookmarks match this filter.</p>
         </div>
@@ -170,7 +173,6 @@ export const BookmarkList: React.FC<BookmarkListProps> = ({
           <div className="empty-state">
             <p>No bookmarks found.</p>
             <p>Add bookmarks using your nostr client to see them here.</p>
-            <p>If you aren't on nostr yet, start here: <a href="https://nstart.me/" target="_blank" rel="noopener noreferrer">nstart.me</a></p>
           </div>
         )
       ) : (

src/components/Debug.tsx

@@ -0,0 +1,395 @@
+import React, { useEffect, useMemo, useState } from 'react'
+import { FontAwesomeIcon } from '@fortawesome/react-fontawesome'
+import { faClock, faSpinner } from '@fortawesome/free-solid-svg-icons'
+import { Hooks } from 'applesauce-react'
+import { Accounts } from 'applesauce-accounts'
+import { NostrConnectSigner } from 'applesauce-signers'
+import { getDefaultBunkerPermissions } from '../services/nostrConnect'
+import { DebugBus, type DebugLogEntry } from '../utils/debugBus'
+import VersionFooter from './VersionFooter'
+
+const defaultPayload = 'The quick brown fox jumps over the lazy dog.'
+
+const Debug: React.FC = () => {
+  const activeAccount = Hooks.useActiveAccount()
+  const accountManager = Hooks.useAccountManager()
+  const [payload, setPayload] = useState<string>(defaultPayload)
+  const [cipher44, setCipher44] = useState<string>('')
+  const [cipher04, setCipher04] = useState<string>('')
+  const [plain44, setPlain44] = useState<string>('')
+  const [plain04, setPlain04] = useState<string>('')
+  const [tEncrypt44, setTEncrypt44] = useState<number | null>(null)
+  const [tEncrypt04, setTEncrypt04] = useState<number | null>(null)
+  const [tDecrypt44, setTDecrypt44] = useState<number | null>(null)
+  const [tDecrypt04, setTDecrypt04] = useState<number | null>(null)
+  const [logs, setLogs] = useState<DebugLogEntry[]>(DebugBus.snapshot())
+  const [debugEnabled, setDebugEnabled] = useState<boolean>(() => localStorage.getItem('debug') === '*')
+  
+  // Bunker login state
+  const [bunkerUri, setBunkerUri] = useState<string>('')
+  const [isBunkerLoading, setIsBunkerLoading] = useState<boolean>(false)
+  const [bunkerError, setBunkerError] = useState<string | null>(null)
+  
+  // Live timing state
+  const [liveTiming, setLiveTiming] = useState<{
+    nip44?: { type: 'encrypt' | 'decrypt'; startTime: number }
+    nip04?: { type: 'encrypt' | 'decrypt'; startTime: number }
+  }>({})
+
+  useEffect(() => {
+    return DebugBus.subscribe((e) => setLogs(prev => [...prev, e].slice(-300)))
+  }, [])
+
+  // Live timer effect - triggers re-renders for live timing updates
+  useEffect(() => {
+    const interval = setInterval(() => {
+      // Force re-render to update live timing display
+      setLiveTiming(prev => prev)
+    }, 16) // ~60fps for smooth updates
+    return () => clearInterval(interval)
+  }, [])
+
+  const signer = useMemo(() => (activeAccount as unknown as { signer?: unknown })?.signer, [activeAccount])
+  const pubkey = (activeAccount as unknown as { pubkey?: string })?.pubkey
+
+  const hasNip04 = typeof (signer as { nip04?: { encrypt?: unknown; decrypt?: unknown } } | undefined)?.nip04?.encrypt === 'function'
+  const hasNip44 = typeof (signer as { nip44?: { encrypt?: unknown; decrypt?: unknown } } | undefined)?.nip44?.encrypt === 'function'
+
+  const doEncrypt = async (mode: 'nip44' | 'nip04') => {
+    if (!signer || !pubkey) return
+    try {
+      const api = (signer as { [key: string]: { encrypt: (pubkey: string, message: string) => Promise<string> } })[mode]
+      DebugBus.info('debug', `encrypt start ${mode}`, { pubkey, len: payload.length })
+      
+      // Start live timing
+      const start = performance.now()
+      setLiveTiming(prev => ({ ...prev, [mode]: { type: 'encrypt', startTime: start } }))
+      
+      const cipher = await api.encrypt(pubkey, payload)
+      const ms = Math.round(performance.now() - start)
+      
+      // Stop live timing
+      setLiveTiming(prev => ({ ...prev, [mode]: undefined }))
+      
+      DebugBus.info('debug', `encrypt done ${mode}`, { len: typeof cipher === 'string' ? cipher.length : -1, ms })
+      if (mode === 'nip44') setCipher44(cipher)
+      else setCipher04(cipher)
+      if (mode === 'nip44') setTEncrypt44(ms)
+      else setTEncrypt04(ms)
+    } catch (e) {
+      // Stop live timing on error
+      setLiveTiming(prev => ({ ...prev, [mode]: undefined }))
+      DebugBus.error('debug', `encrypt error ${mode}`, e instanceof Error ? e.message : String(e))
+    }
+  }
+
+  const doDecrypt = async (mode: 'nip44' | 'nip04') => {
+    if (!signer || !pubkey) return
+    try {
+      const api = (signer as { [key: string]: { decrypt: (pubkey: string, ciphertext: string) => Promise<string> } })[mode]
+      const cipher = mode === 'nip44' ? cipher44 : cipher04
+      if (!cipher) {
+        DebugBus.warn('debug', `no cipher to decrypt for ${mode}`)
+        return
+      }
+      DebugBus.info('debug', `decrypt start ${mode}`, { len: cipher.length })
+      
+      // Start live timing
+      const start = performance.now()
+      setLiveTiming(prev => ({ ...prev, [mode]: { type: 'decrypt', startTime: start } }))
+      
+      const plain = await api.decrypt(pubkey, cipher)
+      const ms = Math.round(performance.now() - start)
+      
+      // Stop live timing
+      setLiveTiming(prev => ({ ...prev, [mode]: undefined }))
+      
+      DebugBus.info('debug', `decrypt done ${mode}`, { len: typeof plain === 'string' ? plain.length : -1, ms })
+      if (mode === 'nip44') setPlain44(String(plain))
+      else setPlain04(String(plain))
+      if (mode === 'nip44') setTDecrypt44(ms)
+      else setTDecrypt04(ms)
+    } catch (e) {
+      // Stop live timing on error
+      setLiveTiming(prev => ({ ...prev, [mode]: undefined }))
+      DebugBus.error('debug', `decrypt error ${mode}`, e instanceof Error ? e.message : String(e))
+    }
+  }
+
+  const toggleDebug = () => {
+    const next = !debugEnabled
+    setDebugEnabled(next)
+    if (next) localStorage.setItem('debug', '*')
+    else localStorage.removeItem('debug')
+  }
+
+  const handleBunkerLogin = async () => {
+    if (!bunkerUri.trim()) {
+      setBunkerError('Please enter a bunker URI')
+      return
+    }
+
+    if (!bunkerUri.startsWith('bunker://')) {
+      setBunkerError('Invalid bunker URI. Must start with bunker://')
+      return
+    }
+
+    try {
+      setIsBunkerLoading(true)
+      setBunkerError(null)
+      
+      // Create signer from bunker URI with default permissions
+      const permissions = getDefaultBunkerPermissions()
+      const signer = await NostrConnectSigner.fromBunkerURI(bunkerUri, { permissions })
+      
+      // Get pubkey from signer
+      const pubkey = await signer.getPublicKey()
+      
+      // Create account from signer
+      const account = new Accounts.NostrConnectAccount(pubkey, signer)
+      
+      // Add to account manager and set active
+      accountManager.addAccount(account)
+      accountManager.setActive(account)
+      
+      // Clear input on success
+      setBunkerUri('')
+    } catch (err) {
+      console.error('[bunker] Login failed:', err)
+      const errorMessage = err instanceof Error ? err.message : 'Failed to connect to bunker'
+      
+      // Check for permission-related errors
+      if (errorMessage.toLowerCase().includes('permission') || errorMessage.toLowerCase().includes('unauthorized')) {
+        setBunkerError('Your bunker connection is missing signing permissions. Reconnect and approve signing.')
+      } else {
+        setBunkerError(errorMessage)
+      }
+    } finally {
+      setIsBunkerLoading(false)
+    }
+  }
+
+  const CodeBox = ({ value }: { value: string }) => (
+    <div className="h-20 overflow-y-auto font-mono text-xs leading-relaxed p-2 bg-gray-100 dark:bg-gray-800 rounded whitespace-pre-wrap break-all">
+      {value || '—'}
+    </div>
+  )
+
+  const getLiveTiming = (mode: 'nip44' | 'nip04', type: 'encrypt' | 'decrypt') => {
+    const timing = liveTiming[mode]
+    if (timing && timing.type === type) {
+      const elapsed = Math.round(performance.now() - timing.startTime)
+      return elapsed
+    }
+    return null
+  }
+
+  const Stat = ({ label, value, mode, type }: { 
+    label: string; 
+    value?: string | number | null;
+    mode?: 'nip44' | 'nip04';
+    type?: 'encrypt' | 'decrypt';
+  }) => {
+    const liveValue = mode && type ? getLiveTiming(mode, type) : null
+    const isLive = !!liveValue
+    
+    let displayValue: string
+    if (isLive) {
+      displayValue = ''
+    } else if (value !== null && value !== undefined) {
+      displayValue = `${value}ms`
+    } else {
+      displayValue = '—'
+    }
+    
+    return (
+      <span className="badge" style={{ marginRight: 8 }}>
+        <FontAwesomeIcon icon={faClock} style={{ marginRight: 4, fontSize: '0.8em' }} />
+        {label}: {isLive ? (
+          <FontAwesomeIcon icon={faSpinner} className="animate-spin" style={{ fontSize: '0.8em' }} />
+        ) : (
+          displayValue
+        )}
+      </span>
+    )
+  }
+
+  return (
+    <div className="settings-view">
+      <div className="settings-header">
+        <h2>Debug</h2>
+        <div className="settings-header-actions">
+          <span className="opacity-70">Active pubkey:</span> <code className="text-sm">{pubkey || 'none'}</code>
+        </div>
+      </div>
+
+      <div className="settings-content">
+
+        {/* Bunker Login Section */}
+        <div className="settings-section">
+          <h3 className="section-title">Bunker Connection</h3>
+          {!activeAccount ? (
+            <div>
+              <div className="text-sm opacity-70 mb-3">Connect to your bunker (Nostr Connect signer) to enable encryption/decryption testing</div>
+              <div className="flex gap-2 mb-3">
+                <input
+                  type="text"
+                  className="input flex-1"
+                  placeholder="bunker://..."
+                  value={bunkerUri}
+                  onChange={(e) => setBunkerUri(e.target.value)}
+                  disabled={isBunkerLoading}
+                />
+                <button 
+                  className="btn btn-primary" 
+                  onClick={handleBunkerLogin}
+                  disabled={isBunkerLoading || !bunkerUri.trim()}
+                >
+                  {isBunkerLoading ? 'Connecting...' : 'Connect'}
+                </button>
+              </div>
+              {bunkerError && (
+                <div className="text-sm text-red-600 dark:text-red-400 mb-2">{bunkerError}</div>
+              )}
+            </div>
+          ) : (
+            <div className="flex items-center justify-between">
+              <div>
+                <div className="text-sm opacity-70">Connected to bunker</div>
+                <div className="text-sm font-mono">{pubkey}</div>
+              </div>
+                  <button
+                    className="btn"
+                    style={{ 
+                      background: 'rgb(220 38 38)', 
+                      color: 'white', 
+                      border: '1px solid rgb(220 38 38)',
+                      padding: '0.75rem 1.5rem',
+                      borderRadius: '6px',
+                      fontSize: '1rem',
+                      cursor: 'pointer',
+                      transition: 'background-color 0.2s'
+                    }}
+                    onMouseEnter={(e) => e.currentTarget.style.background = 'rgb(185 28 28)'}
+                    onMouseLeave={(e) => e.currentTarget.style.background = 'rgb(220 38 38)'}
+                    onClick={() => accountManager.removeAccount(activeAccount)}
+                  >
+                    Disconnect
+                  </button>
+            </div>
+          )}
+        </div>
+
+        {/* Encryption Tools Section */}
+        <div className="settings-section">
+          <h3 className="section-title">Encryption Tools</h3>
+          <div className="setting-group">
+            <label className="setting-label">Payload</label>
+                <textarea 
+                  className="textarea w-full bg-gray-50 dark:bg-gray-900 border border-gray-200 dark:border-gray-700" 
+                  value={payload} 
+                  onChange={e => setPayload(e.target.value)} 
+                  rows={3} 
+                />
+            <div className="flex gap-2 mt-3 justify-end">
+              <button className="btn btn-secondary" onClick={() => setPayload(defaultPayload)}>Reset</button>
+              <button className="btn btn-secondary" onClick={() => { setCipher44(''); setCipher04(''); setPlain44(''); setPlain04(''); setTEncrypt44(null); setTEncrypt04(null); setTDecrypt44(null); setTDecrypt04(null) }}>Clear</button>
+            </div>
+          </div>
+          
+          <div className="grid" style={{ gap: 12, gridTemplateColumns: 'minmax(0,1fr) minmax(0,1fr)' }}>
+            <div className="setting-group">
+              <label className="setting-label">NIP-44</label>
+              <div className="flex gap-2 mb-3">
+                <button className="btn btn-primary" onClick={() => doEncrypt('nip44')} disabled={!hasNip44}>Encrypt</button>
+                <button className="btn btn-secondary" onClick={() => doDecrypt('nip44')} disabled={!cipher44}>Decrypt</button>
+              </div>
+              <label className="block text-sm opacity-70 mb-2">Encrypted:</label>
+              <CodeBox value={cipher44} />
+              <div className="mt-3">
+                <span className="text-sm opacity-70">Plain:</span>
+                <CodeBox value={plain44} />
+              </div>
+            </div>
+
+            <div className="setting-group">
+              <label className="setting-label">NIP-04</label>
+              <div className="flex gap-2 mb-3">
+                <button className="btn btn-primary" onClick={() => doEncrypt('nip04')} disabled={!hasNip04}>Encrypt</button>
+                <button className="btn btn-secondary" onClick={() => doDecrypt('nip04')} disabled={!cipher04}>Decrypt</button>
+              </div>
+              <label className="block text-sm opacity-70 mb-2">Encrypted:</label>
+              <CodeBox value={cipher04} />
+              <div className="mt-3">
+                <span className="text-sm opacity-70">Plain:</span>
+                <CodeBox value={plain04} />
+              </div>
+            </div>
+          </div>
+        </div>
+
+        {/* Performance Timing Section */}
+        <div className="settings-section">
+          <h3 className="section-title">Performance Timing</h3>
+          <div className="text-sm opacity-70 mb-3">Encryption and decryption operation durations</div>
+          <div className="grid" style={{ gap: 12, gridTemplateColumns: 'minmax(0,1fr) minmax(0,1fr)' }}>
+            <div className="setting-group">
+              <label className="setting-label">NIP-44</label>
+              <div className="flex flex-wrap items-center gap-2">
+                <Stat label="enc" value={tEncrypt44} mode="nip44" type="encrypt" />
+                <Stat label="dec" value={tDecrypt44} mode="nip44" type="decrypt" />
+              </div>
+            </div>
+            <div className="setting-group">
+              <label className="setting-label">NIP-04</label>
+              <div className="flex flex-wrap items-center gap-2">
+                <Stat label="enc" value={tEncrypt04} mode="nip04" type="encrypt" />
+                <Stat label="dec" value={tDecrypt04} mode="nip04" type="decrypt" />
+              </div>
+            </div>
+          </div>
+        </div>
+
+        {/* Debug Logs Section */}
+        <div className="settings-section">
+          <h3 className="section-title">Debug Logs</h3>
+          <div className="text-sm opacity-70 mb-3">Recent bunker logs:</div>
+            <div className="max-h-192 overflow-y-auto font-mono text-xs leading-relaxed">
+            {logs.length === 0 ? (
+              <div className="text-sm opacity-50 italic">No logs yet</div>
+            ) : (
+              logs.slice(-200).map((l, i) => (
+                <div key={i} className="mb-1 p-2 bg-gray-100 dark:bg-gray-800 rounded">
+                  <span className="opacity-70">[{new Date(l.ts).toLocaleTimeString()}]</span> <span className="font-semibold">{l.level.toUpperCase()}</span> {l.source}: {l.message}
+                  {l.data !== undefined && (
+                    <span className="opacity-70"> — {typeof l.data === 'string' ? l.data : JSON.stringify(l.data)}</span>
+                  )}
+                </div>
+              ))
+            )}
+          </div>
+            <div className="mt-3">
+              <div className="flex justify-end mb-2">
+                <label className="flex items-center gap-2 cursor-pointer">
+                  <input
+                    type="checkbox"
+                    checked={debugEnabled}
+                    onChange={toggleDebug}
+                    className="checkbox"
+                  />
+                  <span className="text-sm">Show all applesauce debug logs</span>
+                </label>
+              </div>
+              <div className="flex justify-end">
+                <button className="btn btn-secondary" onClick={() => setLogs([])}>Clear logs</button>
+              </div>
+            </div>
+        </div>
+      </div>
+
+      <VersionFooter />
+    </div>
+  )
+}
+
+export default Debug

src/components/LoginOptions.tsx

@@ -0,0 +1,179 @@
+import React, { useState } from 'react'
+import { Hooks } from 'applesauce-react'
+import { Accounts } from 'applesauce-accounts'
+import { NostrConnectSigner } from 'applesauce-signers'
+import { getDefaultBunkerPermissions } from '../services/nostrConnect'
+
+const LoginOptions: React.FC = () => {
+  const accountManager = Hooks.useAccountManager()
+  const [showBunkerInput, setShowBunkerInput] = useState(false)
+  const [bunkerUri, setBunkerUri] = useState('')
+  const [isLoading, setIsLoading] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const handleExtensionLogin = async () => {
+    try {
+      setIsLoading(true)
+      setError(null)
+      const account = await Accounts.ExtensionAccount.fromExtension()
+      accountManager.addAccount(account)
+      accountManager.setActive(account)
+    } catch (err) {
+      console.error('Extension login failed:', err)
+      setError('Login failed. Please install a nostr browser extension and try again.')
+    } finally {
+      setIsLoading(false)
+    }
+  }
+
+  const handleBunkerLogin = async () => {
+    if (!bunkerUri.trim()) {
+      setError('Please enter a bunker URI')
+      return
+    }
+
+    if (!bunkerUri.startsWith('bunker://')) {
+      setError('Invalid bunker URI. Must start with bunker://')
+      return
+    }
+
+    try {
+      setIsLoading(true)
+      setError(null)
+      
+      // Create signer from bunker URI with default permissions
+      const permissions = getDefaultBunkerPermissions()
+      const signer = await NostrConnectSigner.fromBunkerURI(bunkerUri, { permissions })
+      
+      // Get pubkey from signer
+      const pubkey = await signer.getPublicKey()
+      
+      // Create account from signer
+      const account = new Accounts.NostrConnectAccount(pubkey, signer)
+      
+      // Add to account manager and set active
+      accountManager.addAccount(account)
+      accountManager.setActive(account)
+      
+      // Clear input on success
+      setBunkerUri('')
+      setShowBunkerInput(false)
+    } catch (err) {
+      console.error('[bunker] Login failed:', err)
+      const errorMessage = err instanceof Error ? err.message : 'Failed to connect to bunker'
+      
+      // Check for permission-related errors
+      if (errorMessage.toLowerCase().includes('permission') || errorMessage.toLowerCase().includes('unauthorized')) {
+        setError('Your bunker connection is missing signing permissions. Reconnect and approve signing.')
+      } else {
+        setError(errorMessage)
+      }
+    } finally {
+      setIsLoading(false)
+    }
+  }
+
+  return (
+    <div className="empty-state">
+      <p style={{ marginBottom: '1rem' }}>Login with:</p>
+      
+      <div style={{ display: 'flex', flexDirection: 'column', gap: '0.75rem', maxWidth: '300px', margin: '0 auto' }}>
+        <button
+          onClick={handleExtensionLogin}
+          disabled={isLoading}
+          style={{
+            padding: '0.75rem 1.5rem',
+            fontSize: '1rem',
+            cursor: isLoading ? 'wait' : 'pointer',
+            opacity: isLoading ? 0.6 : 1
+          }}
+        >
+          {isLoading && !showBunkerInput ? 'Connecting...' : 'Extension'}
+        </button>
+        
+        {!showBunkerInput ? (
+          <button
+            onClick={() => setShowBunkerInput(true)}
+            disabled={isLoading}
+            style={{
+              padding: '0.75rem 1.5rem',
+              fontSize: '1rem',
+              cursor: isLoading ? 'wait' : 'pointer',
+              opacity: isLoading ? 0.6 : 1
+            }}
+          >
+            Bunker
+          </button>
+        ) : (
+          <div style={{ display: 'flex', flexDirection: 'column', gap: '0.5rem' }}>
+            <input
+              type="text"
+              placeholder="bunker://..."
+              value={bunkerUri}
+              onChange={(e) => setBunkerUri(e.target.value)}
+              disabled={isLoading}
+              style={{
+                padding: '0.75rem',
+                fontSize: '0.9rem',
+                width: '100%',
+                boxSizing: 'border-box'
+              }}
+              onKeyDown={(e) => {
+                if (e.key === 'Enter') {
+                  handleBunkerLogin()
+                }
+              }}
+            />
+            <div style={{ display: 'flex', gap: '0.5rem' }}>
+              <button
+                onClick={handleBunkerLogin}
+                disabled={isLoading || !bunkerUri.trim()}
+                style={{
+                  padding: '0.5rem 1rem',
+                  fontSize: '0.9rem',
+                  flex: 1,
+                  cursor: isLoading || !bunkerUri.trim() ? 'not-allowed' : 'pointer',
+                  opacity: isLoading || !bunkerUri.trim() ? 0.6 : 1
+                }}
+              >
+                {isLoading && showBunkerInput ? 'Connecting...' : 'Connect'}
+              </button>
+              <button
+                onClick={() => {
+                  setShowBunkerInput(false)
+                  setBunkerUri('')
+                  setError(null)
+                }}
+                disabled={isLoading}
+                style={{
+                  padding: '0.5rem 1rem',
+                  fontSize: '0.9rem',
+                  cursor: isLoading ? 'not-allowed' : 'pointer',
+                  opacity: isLoading ? 0.6 : 1
+                }}
+              >
+                Cancel
+              </button>
+            </div>
+          </div>
+        )}
+      </div>
+      
+      {error && (
+        <p style={{ color: 'var(--color-error, #ef4444)', marginTop: '1rem', fontSize: '0.9rem' }}>
+          {error}
+        </p>
+      )}
+      
+      <p style={{ marginTop: '1.5rem', fontSize: '0.9rem' }}>
+        If you aren't on nostr yet, start here:{' '}
+        <a href="https://nstart.me/" target="_blank" rel="noopener noreferrer">
+          nstart.me
+        </a>
+      </p>
+    </div>
+  )
+}
+
+export default LoginOptions
+

src/components/Settings.tsx

@@ -1,4 +1,3 @@
-/* global __APP_VERSION__, __GIT_COMMIT__, __GIT_COMMIT_URL__ */
 import React, { useState, useEffect, useRef } from 'react'
 import { faTimes, faUndo } from '@fortawesome/free-solid-svg-icons'
 import { RelayPool } from 'applesauce-relay'
@@ -12,6 +11,7 @@ import ZapSettings from './Settings/ZapSettings'
 import RelaySettings from './Settings/RelaySettings'
 import PWASettings from './Settings/PWASettings'
 import { useRelayStatus } from '../hooks/useRelayStatus'
+import VersionFooter from './VersionFooter'
 
 const DEFAULT_SETTINGS: UserSettings = {
   collapseOnArticleOpen: true,
@@ -168,21 +168,7 @@ const Settings: React.FC<SettingsProps> = ({ settings, onSave, onClose, relayPoo
         <PWASettings settings={localSettings} onUpdate={handleUpdate} onClose={onClose} />
         <RelaySettings relayStatuses={relayStatuses} onClose={onClose} />
       </div>
-      <div className="text-xs opacity-60 mt-4 px-4 pb-3 select-text">
-        <span>Version {typeof __APP_VERSION__ !== 'undefined' ? __APP_VERSION__ : 'dev'}</span>
-        {typeof __GIT_COMMIT__ !== 'undefined' && __GIT_COMMIT__ ? (
-          <span>
-            {' '}·
-            {typeof __GIT_COMMIT_URL__ !== 'undefined' && __GIT_COMMIT_URL__ ? (
-              <a href={__GIT_COMMIT_URL__} target="_blank" rel="noopener noreferrer">
-                <code>{__GIT_COMMIT__.slice(0, 7)}</code>
-              </a>
-            ) : (
-              <code>{__GIT_COMMIT__.slice(0, 7)}</code>
-            )}
-          </span>
-        ) : null}
-      </div>
+      <VersionFooter />
     </div>
   )
 }

src/components/VersionFooter.tsx

@@ -0,0 +1,32 @@
+/* global __APP_VERSION__, __GIT_COMMIT__, __GIT_COMMIT_URL__, __RELEASE_URL__ */
+import React from 'react'
+
+const VersionFooter: React.FC = () => {
+  return (
+    <div className="text-xs opacity-60 mt-4 px-4 pb-3 select-text">
+      <span>
+        {typeof __RELEASE_URL__ !== 'undefined' && __RELEASE_URL__ ? (
+          <a href={__RELEASE_URL__} target="_blank" rel="noopener noreferrer">
+            Version {typeof __APP_VERSION__ !== 'undefined' ? __APP_VERSION__ : 'dev'}
+          </a>
+        ) : (
+          `Version ${typeof __APP_VERSION__ !== 'undefined' ? __APP_VERSION__ : 'dev'}`
+        )}
+      </span>
+      {typeof __GIT_COMMIT__ !== 'undefined' && __GIT_COMMIT__ ? (
+        <span>
+          {' '}·{' '}
+          {typeof __GIT_COMMIT_URL__ !== 'undefined' && __GIT_COMMIT_URL__ ? (
+            <a href={__GIT_COMMIT_URL__} target="_blank" rel="noopener noreferrer">
+              <code>{__GIT_COMMIT__.slice(0, 7)}</code>
+            </a>
+          ) : (
+            <code>{__GIT_COMMIT__.slice(0, 7)}</code>
+          )}
+        </span>
+      ) : null}
+    </div>
+  )
+}
+
+export default VersionFooter

src/config/relays.ts

@@ -7,6 +7,7 @@
 export const RELAYS = [
   'ws://localhost:10547',
   'ws://localhost:4869',
+  'wss://relay.nsec.app',
   'wss://relay.damus.io',
   'wss://nos.lol',
   'wss://relay.nostr.band',

src/hooks/useHighlightCreation.ts

@@ -9,6 +9,7 @@ import { ReadableContent } from '../services/readerService'
 import { createHighlight } from '../services/highlightCreationService'
 import { HighlightButtonRef } from '../components/HighlightButton'
 import { UserSettings } from '../services/settingsService'
+import { useToast } from './useToast'
 
 interface UseHighlightCreationParams {
   activeAccount: IAccount | undefined
@@ -32,6 +33,7 @@ export const useHighlightCreation = ({
   settings
 }: UseHighlightCreationParams) => {
   const highlightButtonRef = useRef<HighlightButtonRef>(null)
+  const { showToast } = useToast()
 
   const handleTextSelection = useCallback((text: string) => {
     highlightButtonRef.current?.updateSelection(text)
@@ -92,10 +94,19 @@ export const useHighlightCreation = ({
       })
     } catch (error) {
       console.error('❌ Failed to create highlight:', error)
+      
+      // Show user-friendly error messages
+      const errorMessage = error instanceof Error ? error.message : 'Failed to create highlight'
+      if (errorMessage.toLowerCase().includes('permission') || errorMessage.toLowerCase().includes('unauthorized')) {
+        showToast('Reconnect bunker and approve signing permissions to create highlights')
+      } else {
+        showToast(`Failed to create highlight: ${errorMessage}`)
+      }
+      
       // Re-throw to allow parent to handle
       throw error
     }
-  }, [activeAccount, relayPool, eventStore, currentArticle, selectedUrl, readerContent, onHighlightCreated, settings])
+  }, [activeAccount, relayPool, eventStore, currentArticle, selectedUrl, readerContent, onHighlightCreated, settings, showToast])
 
   return {
     highlightButtonRef,

src/services/bookmarkProcessing.ts

@@ -11,6 +11,18 @@ type UnlockHiddenTagsFn = typeof Helpers.unlockHiddenTags
 type HiddenContentSigner = Parameters<UnlockHiddenTagsFn>[1]
 type UnlockMode = Parameters<UnlockHiddenTagsFn>[2]
 
+/**
+ * Wrap a decrypt promise with a timeout to prevent hanging (using 30s timeout for bunker)
+ */
+function withDecryptTimeout<T>(promise: Promise<T>, timeoutMs = 30000): Promise<T> {
+  return Promise.race([
+    promise,
+    new Promise<T>((_, reject) =>
+      setTimeout(() => reject(new Error(`Decrypt timeout after ${timeoutMs}ms`)), timeoutMs)
+    )
+  ])
+}
+
 export async function collectBookmarksFromEvents(
   bookmarkListEvents: NostrEvent[],
   activeAccount: ActiveAccount,
@@ -80,7 +92,8 @@ export async function collectBookmarksFromEvents(
         } catch {
           try {
             await Helpers.unlockHiddenTags(evt, signerCandidate as HiddenContentSigner, 'nip44' as UnlockMode)
-          } catch {
+          } catch (err) {
+          console.log("[bunker] ❌ nip44.decrypt failed:", err instanceof Error ? err.message : String(err))
             // ignore
           }
         }
@@ -88,24 +101,26 @@ export async function collectBookmarksFromEvents(
         let decryptedContent: string | undefined
         try {
           if (hasNip44Decrypt(signerCandidate)) {
-            decryptedContent = await (signerCandidate as { nip44: { decrypt: DecryptFn } }).nip44.decrypt(
+            decryptedContent = await withDecryptTimeout((signerCandidate as { nip44: { decrypt: DecryptFn } }).nip44.decrypt(
               evt.pubkey,
               evt.content
-            )
+            ))
           }
-        } catch {
+        } catch (err) {
+          console.log("[bunker] ❌ nip44.decrypt failed:", err instanceof Error ? err.message : String(err))
           // ignore
         }
 
         if (!decryptedContent) {
           try {
             if (hasNip04Decrypt(signerCandidate)) {
-              decryptedContent = await (signerCandidate as { nip04: { decrypt: DecryptFn } }).nip04.decrypt(
+              decryptedContent = await withDecryptTimeout((signerCandidate as { nip04: { decrypt: DecryptFn } }).nip04.decrypt(
                 evt.pubkey,
                 evt.content
-              )
+              ))
             }
-          } catch {
+          } catch (err) {
+          console.log("[bunker] ❌ nip04.decrypt failed:", err instanceof Error ? err.message : String(err))
             // ignore
           }
         }
@@ -127,7 +142,7 @@ export async function collectBookmarksFromEvents(
             Reflect.set(evt, BookmarkHiddenSymbol, manualPrivate)
             Reflect.set(evt, 'EncryptedContentSymbol', decryptedContent)
             // Don't set latestContent to decrypted JSON - it's not user-facing content
-          } catch {
+          } catch (err) {
             // ignore
           }
         }

src/services/bookmarkService.ts

@@ -85,7 +85,7 @@ export const fetchBookmarks = async (
     }
     // Aggregate across events
     const maybeAccount = activeAccount as AccountWithExtension
-    console.log('🔐 Account object:', {
+    console.log('[bunker] 🔐 Account object:', {
       hasSignEvent: typeof maybeAccount?.signEvent === 'function',
       hasSigner: !!maybeAccount?.signer,
       accountType: typeof maybeAccount,
@@ -102,12 +102,19 @@ export const fetchBookmarks = async (
       signerCandidate = maybeAccount.signer
     }
 
-    console.log('🔑 Signer candidate:', !!signerCandidate, typeof signerCandidate)
+    console.log('[bunker] 🔑 Signer candidate:', !!signerCandidate, typeof signerCandidate)
     if (signerCandidate) {
-      console.log('🔑 Signer has nip04:', hasNip04Decrypt(signerCandidate))
-      console.log('🔑 Signer has nip44:', hasNip44Decrypt(signerCandidate))
+      console.log('[bunker] 🔑 Signer has nip04:', hasNip04Decrypt(signerCandidate))
+      console.log('[bunker] 🔑 Signer has nip44:', hasNip44Decrypt(signerCandidate))
     }
-    const { publicItemsAll, privateItemsAll, newestCreatedAt, latestContent, allTags } = await collectBookmarksFromEvents(
+    
+    // Debug relay connectivity for bunker relays
+    try {
+      const urls = Array.from(relayPool.relays.values()).map(r => ({ url: r.url, connected: (r as unknown as { connected?: boolean }).connected }))
+      console.log('[bunker] Relay connections:', urls)
+    } catch (err) { console.warn('[bunker] Failed to read relay connections', err) }
+
+const { publicItemsAll, privateItemsAll, newestCreatedAt, latestContent, allTags } = await collectBookmarksFromEvents(
       bookmarkListEvents,
       activeAccount,
       signerCandidate

src/services/highlightCreationService.ts

@@ -46,7 +46,8 @@ export async function createHighlight(
   }
 
   // Create EventFactory with the account as signer
-  const factory = new EventFactory({ signer: account })
+  console.log("[bunker] Creating EventFactory with signer:", { signerType: account.signer?.constructor?.name })
+  const factory = new EventFactory({ signer: account.signer })
 
   let blueprintSource: NostrEvent | AddressPointer | string
   let context: string | undefined
@@ -116,7 +117,9 @@ export async function createHighlight(
   }
 
   // Sign the event
+  console.log('[bunker] Signing highlight event...', { kind: highlightEvent.kind, tags: highlightEvent.tags.length })
   const signedEvent = await factory.sign(highlightEvent)
+  console.log('[bunker] ✅ Highlight signed successfully!', { id: signedEvent.id.slice(0, 8) })
 
   // Use unified write service to store and publish
   await publishEvent(relayPool, eventStore, signedEvent)

src/services/nostrConnect.ts

@@ -0,0 +1,26 @@
+import { NostrConnectSigner } from 'applesauce-signers'
+
+/**
+ * Get default NIP-46 permissions for bunker connections
+ * These permissions cover all event kinds and encryption/decryption operations Boris needs
+ */
+export function getDefaultBunkerPermissions(): string[] {
+  return [
+    // Signing permissions for event kinds we create
+    ...NostrConnectSigner.buildSigningPermissions([
+      0,      // Profile metadata
+      5,      // Event deletion
+      7,      // Reactions (nostr events)
+      17,     // Reactions (websites)
+      9802,   // Highlights
+      30078,  // Settings & reading positions
+      39701,  // Web bookmarks
+    ]),
+    // Encryption/decryption for hidden content
+    'nip04_encrypt',
+    'nip04_decrypt',
+    'nip44_encrypt',
+    'nip44_decrypt',
+  ]
+}
+

src/services/writeService.ts

@@ -52,6 +52,11 @@ export async function publishEvent(
     })
     .catch((error) => {
       console.warn('⚠️ Failed to publish event to relays (event still saved locally):', error)
+      
+      // Surface common bunker signing errors for debugging
+      if (error instanceof Error && error.message.includes('permission')) {
+        console.warn('💡 Hint: This may be a bunker permission issue. Ensure your bunker connection has signing permissions.')
+      }
     })
 }
 

src/utils/debugBus.ts

@@ -0,0 +1,36 @@
+export type DebugLevel = 'info' | 'warn' | 'error'
+
+export interface DebugLogEntry {
+  ts: number
+  level: DebugLevel
+  source: string
+  message: string
+  data?: unknown
+}
+
+type Listener = (entry: DebugLogEntry) => void
+
+const listeners = new Set<Listener>()
+const buffer: DebugLogEntry[] = []
+const MAX_BUFFER = 300
+
+export const DebugBus = {
+  log(level: DebugLevel, source: string, message: string, data?: unknown): void {
+    const entry: DebugLogEntry = { ts: Date.now(), level, source, message, data }
+    buffer.push(entry)
+    if (buffer.length > MAX_BUFFER) buffer.shift()
+    listeners.forEach(l => {
+      try { l(entry) } catch (err) { console.warn('[DebugBus] listener error:', err) }
+    })
+  },
+  info(source: string, message: string, data?: unknown): void { this.log('info', source, message, data) },
+  warn(source: string, message: string, data?: unknown): void { this.log('warn', source, message, data) },
+  error(source: string, message: string, data?: unknown): void { this.log('error', source, message, data) },
+  subscribe(listener: Listener): () => void {
+    listeners.add(listener)
+    return () => listeners.delete(listener)
+  },
+  snapshot(): DebugLogEntry[] { return buffer.slice() }
+}
+
+

src/vite-env.d.ts

@@ -15,3 +15,4 @@ declare const __GIT_COMMIT__: string
 declare const __GIT_BRANCH__: string
 declare const __BUILD_TIME__: string
 declare const __GIT_COMMIT_URL__: string
+declare const __RELEASE_URL__: string

vite.config.ts

@@ -36,6 +36,30 @@ const { commit, branch } = getGitMetadata()
 const version = getPackageVersion()
 const buildTime = new Date().toISOString()
 
+function getReleaseUrl(version: string): string {
+  if (!version) return ''
+  const provider = process.env.VERCEL_GIT_PROVIDER || ''
+  const owner = process.env.VERCEL_GIT_REPO_OWNER || ''
+  const slug = process.env.VERCEL_GIT_REPO_SLUG || ''
+  if (provider.toLowerCase() === 'github' && owner && slug) {
+    return `https://github.com/${owner}/${slug}/releases/tag/v${version}`
+  }
+  try {
+    const remote = execSync('git config --get remote.origin.url', { stdio: ['ignore', 'pipe', 'ignore'] }).toString().trim()
+    if (remote.includes('github.com')) {
+      // git@github.com:owner/repo.git or https://github.com/owner/repo.git
+      const https = remote.startsWith('git@')
+        ? `https://github.com/${remote.split(':')[1]}`
+        : remote
+      const cleaned = https.replace(/\.git$/, '')
+      return `${cleaned}/releases/tag/v${version}`
+    }
+  } catch {
+    // ignore
+  }
+  return ''
+}
+
 function getCommitUrl(commit: string): string {
   if (!commit) return ''
   const provider = process.env.VERCEL_GIT_PROVIDER || ''
@@ -60,6 +84,7 @@ function getCommitUrl(commit: string): string {
   return ''
 }
 
+const releaseUrl = getReleaseUrl(version)
 const commitUrl = getCommitUrl(commit)
 
 export default defineConfig({
@@ -68,7 +93,8 @@ export default defineConfig({
     __GIT_COMMIT__: JSON.stringify(commit),
     __GIT_BRANCH__: JSON.stringify(branch),
     __BUILD_TIME__: JSON.stringify(buildTime),
-    __GIT_COMMIT_URL__: JSON.stringify(commitUrl)
+    __GIT_COMMIT_URL__: JSON.stringify(commitUrl),
+    __RELEASE_URL__: JSON.stringify(releaseUrl)
   },
   plugins: [
     react(),
@@ -115,7 +141,7 @@ export default defineConfig({
     mainFields: ['module', 'jsnext:main', 'jsnext', 'main']
   },
   optimizeDeps: {
-    include: ['applesauce-core', 'applesauce-factory', 'applesauce-relay', 'applesauce-react'],
+    include: ['applesauce-core', 'applesauce-factory', 'applesauce-relay', 'applesauce-react', 'applesauce-accounts', 'applesauce-signers'],
     esbuildOptions: {
       resolveExtensions: ['.js', '.ts', '.tsx', '.json']
     }
@@ -132,7 +158,7 @@ export default defineConfig({
     }
   },
   ssr: {
-    noExternal: ['applesauce-core', 'applesauce-factory', 'applesauce-relay']
+    noExternal: ['applesauce-core', 'applesauce-factory', 'applesauce-relay', 'applesauce-accounts', 'applesauce-signers']
   }
 })