Browser-agnostic protocol engine for the napplet protocol.
Alpha status: Kehto is an early runtime implementation for a draft NIP-5D protocol. NAP contracts and runtime APIs are not final; treat this package as current implementation guidance, not as a stable protocol guarantee.
pnpm add @kehto/runtime
@kehto/runtime is Kehto's NIP-5D protocol engine. It owns every incoming napplet message, gates it through the ACL enforcement layer, routes it to the correct NAP handler, and emits the corresponding reply envelope.
The runtime is built around the current draft dispatch contract from @napplet/core — createDispatch() + registerNap() — so routing is declarative, not a hand-rolled switch. It covers the NIP-5D domains currently supported by Kehto:
identity.getProfile, identity.getFollows, identity.getPublicKey, …inc.channel.*, inc.emit, cross-napplet pub/subkeys.forward, keys.action, keys.bindmedia.* playback & transport controlnotify.send, notify.channel.register, badge/permission flowsrelay.publish, relay.publishEncrypted, relay.subscribestorage.get/set/remove/keys with quota enforcementtheme.get, theme.changed fan-outSigning is shell-mediated inside relay.publish / relay.publishEncrypted (NIP-44 default, NIP-04 opt-in). The legacy signer domain is dissolved — napplets never see a host-injected nostr object and cannot call signer-sign RPCs directly.
Everything plugs into a single factory, createRuntime(), via a RuntimeAdapter hook bag — persistence, relay pool, auth, services, and so on. No DOM, no postMessage, no localStorage: those live in @kehto/shell.
import { createRuntime } from '@kehto/runtime';
const runtime = createRuntime({
aclPersistence: aclStore,
manifestPersistence: manifestStore,
relayPool: myRelayPoolAdapter,
auth: myAuthAdapter,
// ... further adapter hooks
});
// Incoming NIP-5D draft envelope from a napplet:
runtime.handleMessage('window-1', {
type: 'relay.publish',
id: 'evt-42',
event: { kind: 1, content: 'hello', /* ... */ },
});
createRuntime — primary entry point; Runtime interface typecreateEnforceGate — legacy pubkey-keyed ACL gatecreateNapEnforceGate — NIP-5D windowId-keyed ACL gateresolveCapabilitiesNap — map a NIP-5D envelope to required capabilities (re-exported from @kehto/acl)formatDenialReason — denied: <capability> canonical stringcreateSessionRegistry — bidirectional windowId ↔ SessionEntry storecreateNappKeyRegistry — deprecated alias retained for v1.1 migration consumerscreateAclState — persistence-backed wrapper around @kehto/acl statecreateManifestCache — NIP-5A aggregate-hash cache with persistence hookscreateReplayDetector — duplicate-event + timestamp-window guardcreateEventBuffer — ring buffer with subscription deliverymatchesFilter, matchesAnyFilter — pure NIP-01 filter helpersRING_BUFFER_SIZE — default ring buffer capacity constanthandleStorageNap — canonical storage.* NIP-5D handlercleanupNappState — remove persisted state when a napplet window closesrouteServiceMessage — domain-prefix router into the service registrynotifyServiceWindowDestroyed — lifecycle fan-out to every service handler40+ interfaces — including Runtime, RuntimeAdapter, SendToNapplet, RelayPoolAdapter, ServiceHandler, ServiceRegistry, NappletMessage, SessionEntry, AclEntryExternal, AclCheckEvent, and the per-adapter hook types — are exported from ./types.js for host-app integration.
Retained for migration consumers; new integrations should use current NIP-5D envelope types from @napplet/core. Slated for removal once upstream restores those exports.
Re-exported constants cover the v1.1 bus-kind enum, auth event kind, shell bridge URI, protocol version string, the full capability list, destructive-kind set, and the replay window seconds. Re-exported types cover the v1.1 capability union, bus-kind numeric union, and service descriptor shape. See the typedoc API reference below for the exact identifier list and current numeric values.
Full package docs: docs/packages/runtime.md.
Generated API module: docs/api/modules/_kehto_runtime.html (run pnpm docs:api).
MIT