Sprout speaks Nostr. Nothing else.

.github/workflows/ci.yml

@@ -160,15 +160,16 @@ jobs:
             RELAY_URL=ws://localhost:3000 \
             SPROUT_BIND_ADDR=0.0.0.0:3000 \
             SPROUT_REQUIRE_AUTH_TOKEN=false \
+            SPROUT_RECONCILE_CHANNELS=true \
             ./target/ci/sprout-relay > /tmp/sprout-relay.log 2>&1 &
           echo $! > /tmp/sprout-relay.pid
           for attempt in $(seq 1 60); do
             if ! kill -0 "$(cat /tmp/sprout-relay.pid)" 2>/dev/null; then
               cat /tmp/sprout-relay.log
               exit 1
             fi
-            status_code=$(curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:3000/api/channels || true)
-            if [ "${status_code}" != "000" ]; then
+            status_code=$(curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:3000/_readiness || true)
+            if [ "${status_code}" = "200" ]; then
               exit 0
             fi
             sleep 1

crates/sprout-acp/Cargo.toml

@@ -45,6 +45,11 @@ chrono = { workspace = true }
 # URL parsing
 url = { workspace = true }
 
+# NIP-98 HTTP auth signing
+sha2 = { workspace = true }
+base64 = "0.22"
+hex = { workspace = true }
+
 # Logging
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }

crates/sprout-acp/src/config.rs

@@ -183,8 +183,9 @@ pub struct CliArgs {
     #[arg(long, env = "SPROUT_PRIVATE_KEY")]
     pub private_key: String,
 
-    #[arg(long, env = "SPROUT_API_TOKEN")]
-    pub api_token: Option<String>,
+    /// Agent owner pubkey (64-char hex). Used for --respond-to=owner-only gate.
+    #[arg(long, env = "SPROUT_ACP_AGENT_OWNER")]
+    pub agent_owner: Option<String>,
 
     #[arg(long, env = "SPROUT_ACP_AGENT_COMMAND", default_value = "goose")]
     pub agent_command: String,
@@ -380,7 +381,6 @@ pub struct ChannelFilter {
 #[derive(Debug)]
 pub struct Config {
     pub keys: Keys,
-    pub api_token: Option<String>,
     pub relay_url: String,
     pub agent_command: String,
     pub agent_args: Vec<String>,
@@ -418,6 +418,9 @@ pub struct Config {
     pub persona_env_vars: Vec<(String, String)>,
     /// Whether to publish encrypted observer frames through the relay.
     pub relay_observer: bool,
+    /// Agent owner pubkey (hex). Used for `--respond-to=owner-only` gate.
+    /// Replaces the old REST-based owner lookup.
+    pub agent_owner: Option<String>,
 }
 
 /// Validate and deduplicate allowlist entries: each must be exactly 64 hex chars.
@@ -724,7 +727,6 @@ impl Config {
 
         let config = Config {
             keys,
-            api_token: args.api_token,
             relay_url: args.relay_url,
             agent_command,
             agent_args,
@@ -754,6 +756,7 @@ impl Config {
             respond_to_allowlist,
             persona_env_vars,
             relay_observer: args.relay_observer,
+            agent_owner: args.agent_owner.map(|s| s.trim().to_ascii_lowercase()),
         };
 
         Ok(config)
@@ -1085,7 +1088,6 @@ mod tests {
     fn test_config(mode: SubscribeMode) -> Config {
         Config {
             keys: nostr::Keys::generate(),
-            api_token: None,
             relay_url: "ws://localhost:3000".into(),
             agent_command: "goose".into(),
             agent_args: vec!["acp".into()],
@@ -1115,6 +1117,7 @@ mod tests {
             respond_to_allowlist: HashSet::new(),
             persona_env_vars: vec![],
             relay_observer: false,
+            agent_owner: None,
         }
     }