Working on API

v0.3.11 - Working on admin api
v0.3.10 - .
2025-09-25 16:35:16 -04:00 · 2025-09-25 11:25:50 -04:00 · 2025-09-24 10:49:48 -04:00 · 2025-09-21 15:53:03 -04:00 · 2025-09-18 10:18:15 -04:00 · 2025-09-16 15:52:27 -04:00
28 changed files with 25756 additions and 788 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ src/version.h
 dev-config/
 db/
 copy_executable_local.sh
 nostr_login_lite/
--- a/.roo/architect/AGENTS.md
+++ b/.roo/architect/AGENTS.md
@@ -0,0 +1,298 @@
 # AGENTS.md - AI Agent Integration Guide for Architect Mode
 **Project-Specific Information for AI Agents Working with C-Relay in Architect Mode**
 ## Critical Architecture Understanding
 ### System Architecture Overview
 C-Relay implements a **unique event-based configuration architecture** that fundamentally differs from traditional Nostr relays:
 ```
 ┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
 │   WebSocket     │    │  Configuration   │    │    Database     │
 │   + HTTP        │◄──►│  Event System    │◄──►│   (SQLite)      │
 │   (Port 8888)   │    │  (Kind 33334)    │    │  Schema v4      │
 └─────────────────┘    └──────────────────┘    └─────────────────┘
         │                       │                       │
         ▼                       ▼                       ▼
 ┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
 │ nostr_core_lib  │    │   Admin Key      │    │ Event Storage   │
 │ (Crypto/Sigs)   │    │   Management     │    │ + Subscriptions │
 └─────────────────┘    └──────────────────┘    └─────────────────┘
 ```
 ### Core Architectural Principles
 #### 1. Event-Driven Configuration
 **Design Philosophy**: Configuration as cryptographically signed events rather than files
 - **Benefits**: Auditability, remote management, tamper-evidence
 - **Trade-offs**: Complexity in configuration changes, admin key management burden
 - **Implementation**: Kind 33334 events stored in same database as relay events
 #### 2. Identity-Based Database Naming
 **Design Philosophy**: Database file named by relay's generated public key
 - **Benefits**: Prevents database conflicts, enables multi-relay deployments
 - **Trade-offs**: Cannot predict database filename, complicates backup strategies
 - **Implementation**: `<relay_pubkey>.db` created in build/ directory
 #### 3. Single-Binary Deployment
 **Design Philosophy**: All functionality embedded in one executable
 - **Benefits**: Simple deployment, no external dependencies to manage
 - **Trade-offs**: Larger binary size, harder to modularize
 - **Implementation**: SQL schema embedded as header file, nostr_core_lib as submodule
 #### 4. Dual-Protocol Support
 **Design Philosophy**: WebSocket (Nostr) and HTTP (NIP-11) on same port
 - **Benefits**: Simplified port management, reduced infrastructure complexity
 - **Trade-offs**: Protocol detection overhead, libwebsockets dependency
 - **Implementation**: Request routing based on HTTP headers and upgrade requests
 ## Architectural Decision Analysis
 ### Configuration System Design
 **Traditional Approach vs C-Relay:**
 ```
 Traditional:           C-Relay:
 config.json     →     kind 33334 events
 ENV variables   →     cryptographically signed tags
 File watching   →     database polling/restart
 ```
 **Implications for Extensions:**
 - Configuration changes require event signing capabilities
 - No hot-reloading without architectural changes
 - Admin key loss = complete database reset required
 ### Database Architecture Decisions
 **Schema Design Philosophy:**
 - **Event Tags as JSON**: Separate table with JSON column instead of normalized relations
 - **Application-Level Filtering**: NIP-40 expiration handled in C, not SQL
 - **Embedded Schema**: Version 4 schema compiled into binary
 **Scaling Considerations:**
 - SQLite suitable for small-to-medium relays (< 10k concurrent connections)
 - Single-writer limitation of SQLite affects write-heavy workloads
 - JSON tag storage optimizes for read performance over write normalization
 ### Memory Management Architecture
 **Thread Safety Model:**
 - Global subscription manager with mutex protection
 - Per-client subscription limits enforced in memory
 - WebSocket connection state managed by libwebsockets
 **Resource Management:**
 - JSON objects use reference counting (jansson library)
 - String duplication pattern for configuration values
 - Automatic cleanup on client disconnect
 ## Architectural Extension Points
 ### Adding New Configuration Options
 **Required Changes:**
 1. Update [`default_config_event.h`](src/default_config_event.h) template
 2. Add parsing logic in [`config.c`](src/config.c) `load_config_from_database()`
 3. Add global config struct field in [`config.h`](src/config.h)
 4. Update documentation in [`docs/configuration_guide.md`](docs/configuration_guide.md)
 ### Adding New NIP Support
 **Integration Pattern:**
 1. Event validation in [`request_validator.c`](src/request_validator.c)
 2. Protocol handling in [`main.c`](src/main.c) WebSocket callback
 3. Database storage considerations in schema
 4. Add test in `tests/` directory
 ### Scaling Architecture
 **Current Limitations:**
 - Single process, no horizontal scaling
 - SQLite single-writer bottleneck
 - Memory-based subscription management
 **Potential Extensions:**
 - Redis for subscription state sharing
 - PostgreSQL for better concurrent write performance
 - Load balancer for read scaling with multiple instances
 ## Deployment Architecture Patterns
 ### Development Deployment
 ```
 Developer Machine:
 ├── ./make_and_restart_relay.sh
 ├── build/c_relay_x86
 ├── build/<relay_pubkey>.db
 └── relay.log
 ```
 ### Production SystemD Deployment
 ```
 /opt/c-relay/:
 ├── c_relay_x86
 ├── <relay_pubkey>.db
 ├── systemd service (c-relay.service)
 └── c-relay user isolation
 ```
 ### Container Deployment Architecture
 ```
 Container:
 ├── Multi-stage build (deps + binary)
 ├── Volume mount for database persistence
 ├── Health checks via NIP-11 endpoint
 └── Signal handling for graceful shutdown
 ```
 ### Reverse Proxy Architecture
 ```
 Internet → Nginx/HAProxy → C-Relay
                       ├── WebSocket upgrade handling
                       ├── SSL termination
                       └── Rate limiting
 ```
 ## Security Architecture Considerations
 ### Key Management Design
 **Admin Key Security Model:**
 - Generated once, displayed once, never stored
 - Required for all configuration changes
 - Loss requires complete database reset
 **Relay Identity Model:**
 - Separate keypair for relay identity
 - Public key used for database naming
 - Private key never exposed to clients
 ### Event Validation Pipeline
 ```
 WebSocket Input → JSON Parse → Schema Validate → Signature Verify → Store
                             ↓                 ↓                  ↓
                    reject    reject          reject           success
 ```
 ### Attack Surface Analysis
 **Network Attack Vectors:**
 - WebSocket connection flooding (mitigated by libwebsockets limits)
 - JSON parsing attacks (handled by jansson library bounds checking)
 - SQLite injection (prevented by prepared statements)
 **Configuration Attack Vectors:**
 - Admin key compromise (complete relay control)
 - Event signature forgery (prevented by nostr_core_lib validation)
 - Replay attacks (event timestamp validation required)
 ## Non-Obvious Architectural Considerations
 ### Database Evolution Strategy
 **Current Limitations:**
 - Schema changes require database recreation
 - No migration system for configuration events
 - Version 4 schema embedded in binary
 **Future Architecture Needs:**
 - Schema versioning and migration system
 - Backward compatibility for configuration events
 - Database backup/restore procedures
 ### Configuration Event Lifecycle
 **Event Flow:**
 ```
 Admin Signs Event → WebSocket Submit → Validate → Store → Restart Required
                                    ↓            ↓         ↓
                              Signature Check   Database  Config Reload
 ```
 **Architectural Implications:**
 - No hot configuration reloading
 - Configuration changes require planned downtime
 - Event ordering matters for multiple simultaneous changes
 ### Cross-Architecture Deployment
 **Build System Architecture:**
 - Auto-detection of host architecture
 - Cross-compilation support for ARM64
 - Architecture-specific binary outputs
 **Deployment Implications:**
 - Binary must match target architecture
 - Dependencies must be available for target architecture
 - Debug tooling architecture-specific
 ### Performance Architecture Characteristics
 **Bottlenecks:**
 1. **SQLite Write Performance**: Single writer limitation
 2. **JSON Parsing**: Per-event parsing overhead
 3. **Signature Validation**: Cryptographic operations per event
 4. **Memory Management**: JSON object lifecycle management
 **Optimization Points:**
 - Prepared statement reuse
 - Connection pooling for concurrent reads
 - Event batching for bulk operations
 - Subscription indexing strategies
 ### Integration Architecture Patterns
 **Monitoring Integration:**
 - NIP-11 endpoint for health checks
 - Log file monitoring for operational metrics
 - Database query monitoring for performance
 - Process monitoring for resource usage
 **Backup Architecture:**
 - Database file backup (SQLite file copy)
 - Configuration event export/import
 - Admin key secure storage (external to relay)
 ### Future Extension Architectures
 **Multi-Relay Coordination:**
 - Database sharding by event kind
 - Cross-relay event synchronization
 - Distributed configuration management
 **Plugin Architecture Possibilities:**
 - Event processing pipeline hooks
 - Custom validation plugins
 - External authentication providers
 **Scaling Architecture Options:**
 - Read replicas with PostgreSQL migration
 - Event stream processing with message queues
 - Microservice decomposition (auth, storage, validation)
 ## Architectural Anti-Patterns to Avoid
 1. **Configuration File Addition**: Breaks event-based config paradigm
 2. **Direct Database Modification**: Bypasses signature validation
 3. **Hard-Coded Ports**: Conflicts with auto-fallback system
 4. **Schema Modifications**: Requires database recreation
 5. **Admin Key Storage**: Violates security model
 6. **Blocking Operations**: Interferes with WebSocket event loop
 7. **Memory Leaks**: JSON objects must be properly reference counted
 8. **Thread Unsafe Operations**: Global state requires proper synchronization
 ## Architecture Decision Records (Implicit)
 ### Decision: Event-Based Configuration
 **Context**: Traditional config files vs. cryptographic auditability
 **Decision**: Store configuration as signed Nostr events
 **Consequences**: Complex configuration changes, enhanced security, remote management capability
 ### Decision: SQLite Database
 **Context**: Database choice for relay storage
 **Decision**: Embedded SQLite with JSON tag storage
 **Consequences**: Simple deployment, single-writer limitation, application-level filtering
 ### Decision: Single Binary Deployment
 **Context**: Dependency management vs. deployment simplicity
 **Decision**: Embed all dependencies and schema in binary
 **Consequences**: Larger binary, simple deployment, version coupling
 ### Decision: Dual Protocol Support
 **Context**: WebSocket for Nostr, HTTP for NIP-11
 **Decision**: Same port serves both protocols
 **Consequences**: Simplified deployment, protocol detection overhead, libwebsockets dependency
 These architectural decisions form the foundation of C-Relay's unique approach to Nostr relay implementation and should be carefully considered when planning extensions or modifications.
 **
 [Response interrupted by a tool use result. Only one tool may be used at a time and should be placed at the end of the message.]
--- a/.roo/commands/push.md
+++ b/.roo/commands/push.md
@@ -0,0 +1,5 @@
 ---
 description: "Brief description of what this command does"
 ---
 Run build_and_push.sh, and supply a good git commit message.
--- a/07.md
+++ b/07.md
@@ -0,0 +1,32 @@
 NIP-07
 ======
 `window.nostr` capability for web browsers
 ------------------------------------------
 `draft` `optional`
 The `window.nostr` object may be made available by web browsers or extensions and websites or web-apps may make use of it after checking its availability.
 That object must define the following methods:
 ```
 async window.nostr.getPublicKey(): string // returns a public key as hex
 async window.nostr.signEvent(event: { created_at: number, kind: number, tags: string[][], content: string }): Event // takes an event object, adds `id`, `pubkey` and `sig` and returns it
 ```
 Aside from these two basic above, the following functions can also be implemented optionally:
 ```
 async window.nostr.nip04.encrypt(pubkey, plaintext): string // returns ciphertext and iv as specified in nip-04 (deprecated)
 async window.nostr.nip04.decrypt(pubkey, ciphertext): string // takes ciphertext and iv as specified in nip-04 (deprecated)
 async window.nostr.nip44.encrypt(pubkey, plaintext): string // returns ciphertext as specified in nip-44
 async window.nostr.nip44.decrypt(pubkey, ciphertext): string // takes ciphertext as specified in nip-44
 ```
 ### Recommendation to Extension Authors
 To make sure that the `window.nostr` is available to nostr clients on page load, the authors who create Chromium and Firefox extensions should load their scripts by specifying `"run_at": "document_end"` in the extension's manifest.
 ### Implementation
 See https://github.com/aljazceru/awesome-nostr#nip-07-browser-extensions.
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,142 @@
 # AGENTS.md - AI Agent Integration Guide
 **Project-Specific Information for AI Agents Working with C-Relay**
 ## Critical Build Commands
 ### Primary Build Command
 ```bash
 ./make_and_restart_relay.sh
 ```
 **Never use `make` directly.** The project requires the custom restart script which:
 - Handles database preservation/cleanup based on flags
 - Manages architecture-specific binary detection (x86/ARM64)
 - Performs automatic process cleanup and port management
 - Starts relay in background with proper logging
 ### Architecture-Specific Binary Outputs
 - **x86_64**: `./build/c_relay_x86`
 - **ARM64**: `./build/c_relay_arm64`
 - **Other**: `./build/c_relay_$(ARCH)`
 ### Database File Naming Convention
 - **Format**: `<relay_pubkey>.db` (NOT `.nrdb` as shown in docs)
 - **Location**: Created in `build/` directory during execution
 - **Cleanup**: Use `--preserve-database` flag to retain between builds
 ## Critical Integration Issues
 ### Event-Based Configuration System
 - **No traditional config files** - all configuration stored as kind 33334 Nostr events
 - Admin private key shown **only once** on first startup
 - Configuration changes require cryptographically signed events
 - Database path determined by generated relay pubkey
 ### First-Time Startup Sequence
 1. Relay generates admin keypair and relay keypair
 2. Creates database file with relay pubkey as filename
 3. Stores default configuration as kind 33334 event
 4. **CRITICAL**: Admin private key displayed once and never stored on disk
 ### Port Management
 - Default port 8888 with automatic fallback (8889, 8890, etc.)
 - Script performs port availability checking before libwebsockets binding
 - Process cleanup includes force-killing processes on port 8888
 ### Database Schema Dependencies
 - Uses embedded SQL schema (`sql_schema.h`)
 - Schema version 4 with JSON tag storage
 - **Critical**: Event expiration filtering done at application level, not SQL level
 ### Configuration Event Structure
 ```json
 {
  "kind": 33334,
  "content": "C Nostr Relay Configuration",
  "tags": [
    ["d", "<relay_pubkey>"],
    ["relay_description", "value"],
    ["max_subscriptions_per_client", "25"],
    ["pow_min_difficulty", "16"]
  ]
 }
 ```
 ### Process Management
 ```bash
 # Kill existing relay processes
 pkill -f "c_relay_"
 # Check running processes
 ps aux | grep c_relay_
 # Force kill port binding
 fuser -k 8888/tcp
 ```
 ### Cross-Compilation Specifics
 - ARM64 requires explicit dependency installation: `make install-arm64-deps`
 - Uses `aarch64-linux-gnu-gcc` with specific library paths
 - PKG_CONFIG_PATH must be set for ARM64: `/usr/lib/aarch64-linux-gnu/pkgconfig`
 ### Testing Integration
 - Tests expect relay running on default port
 - Use `tests/quick_error_tests.sh` for validation
 - Event configuration tests: `tests/event_config_tests.sh`
 ### SystemD Integration Considerations
 - Service runs as `c-relay` user in `/opt/c-relay`
 - Database files created in WorkingDirectory automatically
 - No environment variables needed (event-based config)
 - Resource limits: 65536 file descriptors, 4096 processes
 ### Development vs Production Differences
 - Development: `make_and_restart_relay.sh` (default database cleanup)
 - Production: `make_and_restart_relay.sh --preserve-database`
 - Debug build requires manual gdb attachment to architecture-specific binary
 ### Critical File Dependencies
 - `nostr_core_lib/` submodule must be initialized and built first
 - Version header auto-generated from git tags: `src/version.h`
 - Schema embedded in binary from `src/sql_schema.h`
 ### WebSocket Protocol Specifics
 - Supports both WebSocket (Nostr protocol) and HTTP (NIP-11)
 - NIP-11 requires `Accept: application/nostr+json` header
 - CORS headers automatically added for NIP-11 compliance
 ### Memory Management Notes
 - Persistent subscription system with thread-safe global manager
 - Per-session subscription limits enforced
 - Event filtering done at C level, not SQL level for NIP-40 expiration
 ### Configuration Override Behavior
 - CLI port override only affects first-time startup
 - After database creation, all config comes from events
 - Database path cannot be changed after initialization
 ## Non-Obvious Pitfalls
 1. **Database Lock Issues**: Script handles SQLite locking by killing existing processes first
 2. **Port Race Conditions**: Pre-check + libwebsockets binding can still fail due to timing
 3. **Key Loss**: Admin private key loss requires complete database deletion and restart
 4. **Architecture Detection**: Build system auto-detects but cross-compilation requires manual setup
 5. **Event Storage**: Ephemeral events (kind 20000-29999) accepted but not stored
 6. **Signature Validation**: All events validated with `nostr_verify_event_signature()` from nostr_core_lib
 ## Quick Debugging Commands
 ```bash
 # Check relay status
 ps aux | grep c_relay_ && netstat -tln | grep 8888
 # View logs
 tail -f relay.log
 # Test WebSocket connection
 wscat -c ws://localhost:8888
 # Test NIP-11 endpoint
 curl -H "Accept: application/nostr+json" http://localhost:8888
 # Find database files
 find . -name "*.db" -type f
--- a/IMPLEMENT_API.md
+++ b/IMPLEMENT_API.md
@@ -0,0 +1,513 @@
 # Implementation Plan: Enhanced Admin Event API Structure
 ## Current Issue
 The current admin event routing at [`main.c:3248-3268`](src/main.c:3248) has a security vulnerability:
 ```c
 if (event_kind == 23455 || event_kind == 23456) {
    // Admin event processing
    int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
 } else {
    // Regular event storage and broadcasting
 }
 ```
 **Problem**: Any event with these kinds gets routed to admin processing, regardless of authorization. This allows unauthorized users to send admin events that could be processed as legitimate admin commands.
 **Note**: Event kinds 33334 and 33335 are no longer used and have been removed from the admin event routing.
 ## Required Security Enhancement
 Admin events must be validated for proper authorization BEFORE routing to admin processing:
 1. **Relay Public Key Check**: Event must have a `p` tag equal to the relay's public key
 2. **Admin Signature Check**: Event must be signed by an authorized admin private key
 3. **Fallback to Regular Processing**: If authorization fails, treat as regular event (not admin event)
 ## Implementation Plan
 ### Phase 1: Add Admin Authorization Validation
 #### 1.1 Create Consolidated Admin Authorization Function
 **Location**: [`src/main.c`](src/main.c) or [`src/config.c`](src/config.c)
 ```c
 /**
 * Consolidated admin event authorization validator
 * Implements defense-in-depth security for admin events
 *
 * @param event - The event to validate for admin authorization
 * @param error_message - Buffer for detailed error messages
 * @param error_size - Size of error message buffer
 * @return 0 if authorized, -1 if unauthorized, -2 if validation error
 */
 int is_authorized_admin_event(cJSON* event, char* error_message, size_t error_size) {
    if (!event) {
        snprintf(error_message, error_size, "admin_auth: null event");
        return -2;
    }
    // Extract event components
    cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
    cJSON* pubkey_obj = cJSON_GetObjectItem(event, "pubkey");
    cJSON* tags_obj = cJSON_GetObjectItem(event, "tags");
    if (!kind_obj || !pubkey_obj || !tags_obj) {
        snprintf(error_message, error_size, "admin_auth: missing required fields");
        return -2;
    }
    // Validation Layer 1: Kind Check
    int event_kind = (int)cJSON_GetNumberValue(kind_obj);
    if (event_kind != 23455 && event_kind != 23456) {
        snprintf(error_message, error_size, "admin_auth: not an admin event kind");
        return -1;
    }
    // Validation Layer 2: Relay Targeting Check
    const char* relay_pubkey = get_config_value("relay_pubkey");
    if (!relay_pubkey) {
        snprintf(error_message, error_size, "admin_auth: relay pubkey not configured");
        return -2;
    }
    // Check for 'p' tag targeting this relay
    int has_relay_target = 0;
    if (cJSON_IsArray(tags_obj)) {
        cJSON* tag = NULL;
        cJSON_ArrayForEach(tag, tags_obj) {
            if (cJSON_IsArray(tag) && cJSON_GetArraySize(tag) >= 2) {
                cJSON* tag_name = cJSON_GetArrayItem(tag, 0);
                cJSON* tag_value = cJSON_GetArrayItem(tag, 1);
                if (cJSON_IsString(tag_name) && cJSON_IsString(tag_value)) {
                    const char* name = cJSON_GetStringValue(tag_name);
                    const char* value = cJSON_GetStringValue(tag_value);
                    if (strcmp(name, "p") == 0 && strcmp(value, relay_pubkey) == 0) {
                        has_relay_target = 1;
                        break;
                    }
                }
            }
        }
    }
    if (!has_relay_target) {
        // Admin event for different relay - not unauthorized, just not for us
        snprintf(error_message, error_size, "admin_auth: admin event for different relay");
        return -1;
    }
    // Validation Layer 3: Admin Signature Check (only if targeting this relay)
    const char* event_pubkey = cJSON_GetStringValue(pubkey_obj);
    if (!event_pubkey) {
        snprintf(error_message, error_size, "admin_auth: invalid pubkey format");
        return -2;
    }
    const char* admin_pubkey = get_config_value("admin_pubkey");
    if (!admin_pubkey || strcmp(event_pubkey, admin_pubkey) != 0) {
        // This is the ONLY case where we log as "Unauthorized admin event attempt"
        // because it's targeting THIS relay but from wrong admin
        snprintf(error_message, error_size, "admin_auth: unauthorized admin for this relay");
        log_warning("SECURITY: Unauthorized admin event attempt for this relay");
        return -1;
    }
    // All validation layers passed
    log_info("ADMIN: Admin event authorized");
    return 0;
 }
 ```
 #### 1.2 Update Event Routing Logic
 **Location**: [`main.c:3248`](src/main.c:3248)
 ```c
 // Current problematic code:
 if (event_kind == 23455 || event_kind == 23456) {
    // Admin event processing
    int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
 } else {
    // Regular event storage and broadcasting
 }
 // Enhanced secure code with consolidated authorization:
 if (result == 0) {
    cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
    if (kind_obj && cJSON_IsNumber(kind_obj)) {
        int event_kind = (int)cJSON_GetNumberValue(kind_obj);
        // Check if this is an admin event
        if (event_kind == 23455 || event_kind == 23456) {
            // Use consolidated authorization check
            char auth_error[512] = {0};
            int auth_result = is_authorized_admin_event(event, auth_error, sizeof(auth_error));
            if (auth_result == 0) {
                // Authorized admin event - process through admin API
                char admin_error[512] = {0};
                int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
                if (admin_result != 0) {
                    result = -1;
                    strncpy(error_message, admin_error, sizeof(error_message) - 1);
                }
                // Admin events are NOT broadcast to subscriptions
            } else {
                // Unauthorized admin event - treat as regular event
                log_warning("Unauthorized admin event treated as regular event");
                if (store_event(event) != 0) {
                    result = -1;
                    strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
                } else {
                    broadcast_event_to_subscriptions(event);
                }
            }
        } else {
            // Regular event - normal processing
            if (store_event(event) != 0) {
                result = -1;
                strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
            } else {
                broadcast_event_to_subscriptions(event);
            }
        }
    }
 }
 ```
 ### Phase 2: Enhanced Admin Event Processing
 #### 2.1 Admin Event Validation in Config System
 **Location**: [`src/config.c`](src/config.c) - [`process_admin_event_in_config()`](src/config.c:2065)
 Add additional validation within the admin processing function:
 ```c
 int process_admin_event_in_config(cJSON* event, char* error_buffer, size_t error_buffer_size, struct lws* wsi) {
    // Double-check authorization (defense in depth)
    if (!is_authorized_admin_event(event)) {
        snprintf(error_buffer, error_buffer_size, "unauthorized: not a valid admin event");
        return -1;
    }
    // Continue with existing admin event processing...
    // ... rest of function unchanged
 }
 ```
 #### 2.2 Logging and Monitoring
 Add comprehensive logging for admin event attempts:
 ```c
 // In the routing logic - enhanced logging
 cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
 cJSON* pubkey_obj = cJSON_GetObjectItem(event, "pubkey");
 int event_kind = kind_obj ? cJSON_GetNumberValue(kind_obj) : -1;
 const char* event_pubkey = pubkey_obj ? cJSON_GetStringValue(pubkey_obj) : "unknown";
 if (is_authorized_admin_event(event)) {
    char log_msg[256];
    snprintf(log_msg, sizeof(log_msg),
            "ADMIN EVENT: Authorized admin event (kind=%d) from pubkey=%.16s...",
            event_kind, event_pubkey);
    log_info(log_msg);
 } else if (event_kind == 23455 || event_kind == 23456) {
    // This catches unauthorized admin event attempts
    char log_msg[256];
    snprintf(log_msg, sizeof(log_msg),
            "SECURITY: Unauthorized admin event attempt (kind=%d) from pubkey=%.16s...",
            event_kind, event_pubkey);
    log_warning(log_msg);
 }
 ```
 ## Phase 3: Unified Output Flow Architecture
 ### 3.1 Current Output Flow Analysis
 After analyzing both [`main.c`](src/main.c) and [`config.c`](src/config.c), the **admin event responses already flow through the standard WebSocket output pipeline**. This is the correct architecture and requires no changes.
 #### Standard WebSocket Output Pipeline
 **Regular Events** ([`main.c:2978-2996`](src/main.c:2978)):
 ```c
 // Database query responses
 unsigned char* buf = malloc(LWS_PRE + msg_len);
 memcpy(buf + LWS_PRE, msg_str, msg_len);
 lws_write(wsi, buf + LWS_PRE, msg_len, LWS_WRITE_TEXT);
 free(buf);
 ```
 **OK Responses** ([`main.c:3342-3375`](src/main.c:3342)):
 ```c
 // Event processing results: ["OK", event_id, success_boolean, message]
 unsigned char *buf = malloc(LWS_PRE + response_len);
 memcpy(buf + LWS_PRE, response_str, response_len);
 lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
 free(buf);
 ```
 #### Admin Event Output Pipeline (Already Unified)
 **Admin Responses** ([`config.c:2363-2414`](src/config.c:2363)):
 ```c
 // Admin query responses use IDENTICAL pattern
 int send_websocket_response_data(struct lws* wsi, cJSON* response_data) {
    unsigned char* buf = malloc(LWS_PRE + response_len);
    memcpy(buf + LWS_PRE, response_str, response_len);
    // Same lws_write() call as regular events
    int result = lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
    free(buf);
    return result;
 }
 ```
 ### 3.2 Unified Output Flow Confirmation
 ✅ **Admin responses already use the same WebSocket transmission mechanism as regular events**
 ✅ **Both admin and regular events use identical buffer allocation patterns**
 ✅ **Both admin and regular events use the same [`lws_write()`](src/config.c:2393) function**
 ✅ **Both admin and regular events follow the same cleanup patterns**
 ### 3.3 Output Flow Integration Points
 The admin event processing in [`config.c:2436`](src/config.c:2436) already integrates correctly with the unified output system:
 1. **Admin Query Processing** ([`config.c:2568-2583`](src/config.c:2568)):
   - Auth queries return structured JSON via [`send_websocket_response_data()`](src/config.c:2571)
   - System commands return status data via [`send_websocket_response_data()`](src/config.c:2631)
 2. **Response Format Consistency**:
   - Admin responses use standard JSON format
   - Regular events use standard Nostr event format
   - Both transmitted through same WebSocket pipeline
 3. **Error Handling Consistency**:
   - Admin errors returned via same WebSocket connection
   - Regular event errors returned via OK messages
   - Both use identical transmission mechanism
 ### 3.4 Key Architectural Benefits
 **No Changes Required**: The output flow is already unified and correctly implemented.
 **Security Separation**: Admin events are processed separately but responses flow through the same secure WebSocket channel.
 **Performance Consistency**: Both admin and regular responses use the same optimized transmission path.
 **Maintenance Simplicity**: Single WebSocket output pipeline reduces complexity and potential bugs.
 ### 3.5 Admin Event Flow Summary
 ```
 Admin Event Input → Authorization Check → Admin Processing → Unified WebSocket Output
 Regular Event Input → Validation → Storage + Broadcast → Unified WebSocket Output
 ```
 Both flows converge at the **Unified WebSocket Output** stage, which is already correctly implemented.
 ## Phase 4: Integration Points for Secure Admin Event Routing
 ### 4.1 Configuration System Integration
 **Required Configuration Values**:
 - `admin_pubkey` - Public key of authorized administrator
 - `relay_pubkey` - Public key of this relay instance
 **Integration Points**:
 1. [`get_config_value()`](src/config.c) - Used by authorization function
 2. [`get_relay_pubkey_cached()`](src/config.c) - Used for relay targeting validation
 3. Configuration loading during startup - Must ensure admin/relay pubkeys are available
 ### 4.3 Forward Declarations Required
 **Location**: [`src/main.c`](src/main.c) - Add near other forward declarations (around line 230)
 ```c
 // Forward declarations for enhanced admin event authorization
 int is_authorized_admin_event(cJSON* event, char* error_message, size_t error_size);
 ```
 ### 4.4 Error Handling Integration
 **Enhanced Error Response System**:
 ```c
 // In main.c event processing - enhanced error handling for admin events
 if (auth_result != 0) {
    // Admin authorization failed - send detailed OK response
    cJSON* event_id = cJSON_GetObjectItem(event, "id");
    if (event_id && cJSON_IsString(event_id)) {
        cJSON* response = cJSON_CreateArray();
        cJSON_AddItemToArray(response, cJSON_CreateString("OK"));
        cJSON_AddItemToArray(response, cJSON_CreateString(cJSON_GetStringValue(event_id)));
        cJSON_AddItemToArray(response, cJSON_CreateBool(0)); // Failed
        cJSON_AddItemToArray(response, cJSON_CreateString(auth_error));
        // Send via standard WebSocket output pipeline
        char *response_str = cJSON_Print(response);
        if (response_str) {
            size_t response_len = strlen(response_str);
            unsigned char *buf = malloc(LWS_PRE + response_len);
            if (buf) {
                memcpy(buf + LWS_PRE, response_str, response_len);
                lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
                free(buf);
            }
            free(response_str);
        }
        cJSON_Delete(response);
    }
 }
 ```
 ### 4.5 Logging Integration Points
 **Console Logging**: Uses existing [`log_warning()`](src/main.c:993), [`log_info()`](src/main.c:972) functions
 **Security Event Categories**:
 - Admin authorization success logged via `log_info()`
 - Admin authorization failures logged via `log_warning()`
 - Admin event processing logged via existing admin logging
 ## Phase 5: Detailed Function Specifications
 ### 5.1 Core Authorization Function
 **Function**: `is_authorized_admin_event()`
 **Location**: [`src/main.c`](src/main.c) or [`src/config.c`](src/config.c)
 **Dependencies**:
 - `get_config_value()` for admin/relay pubkeys
 - `log_warning()` and `log_info()` for logging
 - `cJSON` library for event parsing
 **Return Values**:
 - `0` - Event is authorized for admin processing
 - `-1` - Event is unauthorized (treat as regular event)
 - `-2` - Validation error (malformed event)
 **Error Handling**: Detailed error messages in provided buffer for client feedback
 ### 5.2 Enhanced Event Routing
 **Location**: [`main.c:3248-3340`](src/main.c:3248)
 **Integration**: Replaces existing admin event routing logic
 **Dependencies**:
 - `is_authorized_admin_event()` for authorization
 - `process_admin_event_in_config()` for admin processing
 - `store_event()` and `broadcast_event_to_subscriptions()` for regular events
 **Security Features**:
 - Graceful degradation for unauthorized admin events
 - Comprehensive logging of authorization attempts
 - No broadcast of admin events to subscriptions
 - Detailed error responses for failed authorization
 ### 5.4 Defense-in-Depth Validation
 **Primary Validation**: In main event routing logic
 **Secondary Validation**: In `process_admin_event_in_config()` function
 **Tertiary Validation**: In individual admin command handlers
 **Validation Layers**:
 1. **Kind Check** - Must be admin event kind (23455/23456)
 2. **Relay Targeting Check** - Must have 'p' tag with this relay's pubkey
 3. **Admin Signature Check** - Must be signed by authorized admin (only if targeting this relay)
 4. **Processing Check** - Additional validation in admin handlers
 **Security Logic**:
 - If no 'p' tag for this relay → Admin event for different relay (not unauthorized)
 - If 'p' tag for this relay + wrong admin signature → "Unauthorized admin event attempt"
 ## Phase 6: Event Flow Documentation
 ### 6.1 Complete Event Processing Flow
 ```
 ┌─────────────────┐
 │ WebSocket Input │
 └─────────┬───────┘
          │
          ▼
 ┌─────────────────┐
 │ Unified         │
 │ Validation      │ ← nostr_validate_unified_request()
 └─────────┬───────┘
          │
          ▼
 ┌─────────────────┐
 │ Kind-Based      │
 │ Routing Check   │ ← Check if kind 23455/23456
 └─────────┬───────┘
          │
     ┌────▼────┐
     │ Admin?  │
     └────┬────┘
          │
    ┌─────▼─────┐         ┌─────────────┐
    │ YES       │         │ NO          │
    │           │         │             │
    ▼           │         ▼             │
 ┌─────────────┐ │    ┌─────────────┐    │
 │ Admin       │ │    │ Regular     │    │
 │ Authorization│ │    │ Event       │    │
 │ Check       │ │    │ Processing  │    │
 └─────┬───────┘ │    └─────┬───────┘    │
      │         │          │            │
 ┌────▼────┐    │          ▼            │
 │Authorized?│   │    ┌─────────────┐    │
 └────┬────┘    │    │ store_event()│    │
      │         │    │ +           │    │
 ┌─────▼─────┐   │    │ broadcast() │    │
 │ YES   NO  │   │    └─────┬───────┘    │
 │  │     │  │   │          │            │
 │  ▼     ▼  │   │          ▼            │
 │┌─────┐┌───┴┐  │    ┌─────────────┐    │
 ││Admin││Treat│  │    │ WebSocket   │    │
 ││API  ││as   │  │    │ OK Response │    │
 ││     ││Reg  │  │    └─────────────┘    │
 │└──┬──┘└───┬┘  │                       │
 │   │      │   │                       │
 │   ▼      │   │                       │
 │┌─────────┐│   │                       │
 ││WebSocket││   │                       │
 ││Response ││   │                       │
 │└─────────┘│   │                       │
 └───────────┴───┘                       │
            │                           │
            └───────────────────────────┘
                        │
                        ▼
                ┌─────────────┐
                │ Unified     │
                │ WebSocket   │
                │ Output      │
                └─────────────┘
 ```
 ### 6.2 Security Decision Points
 1. **Event Kind Check** - Identifies potential admin events
 2. **Authorization Validation** - Three-layer security check
 3. **Routing Decision** - Admin API vs Regular processing
 4. **Response Generation** - Unified output pipeline
 5. **Audit Logging** - Security event tracking
 ### 6.3 Error Handling Paths
 **Validation Errors**: Return detailed error messages via OK response
 **Authorization Failures**: Log security event + treat as regular event
 **Processing Errors**: Return admin-specific error responses
 **System Errors**: Fallback to standard error handling
 This completes the comprehensive implementation plan for the enhanced admin event API structure with unified output flow architecture.
--- a/2
+++ b/2
@@ -9,7 +9,7 @@ LIBS = -lsqlite3 -lwebsockets -lz -ldl -lpthread -lm -L/usr/local/lib -lsecp256k
 BUILD_DIR = build
 # Source files
-MAIN_SRC = src/main.c src/config.c
+MAIN_SRC = src/main.c src/config.c src/request_validator.c
 NOSTR_CORE_LIB = nostr_core_lib/libnostr_core_x64.a
 # Architecture detection
--- a/README.md
+++ b/README.md
@@ -2,265 +2,6 @@
 A high-performance Nostr relay implemented in C with SQLite backend, featuring a revolutionary **zero-configuration** approach using event-based configuration management.
 ## 🌟 Key Features
 - **🔧 Zero Configuration**: No config files or command line arguments needed
 - **🔑 Event-Based Config**: All settings stored as kind 33334 Nostr events
 - **🚀 Real-Time Updates**: Configuration changes applied instantly via WebSocket
 - **🛡️ Cryptographic Security**: Configuration events cryptographically signed and validated
 - **📊 SQLite Backend**: High-performance event storage with optimized schema
 - **🔄 Auto Key Generation**: Secure admin and relay keypairs generated on first startup
 - **💾 Database Per Relay**: Each relay instance uses `<relay_pubkey>.nrdb` database naming
 ## 🚀 Quick Start
 ### 1. Build the Relay
 ```bash
 git clone <repository-url>
 cd c-relay
 git submodule update --init --recursive
 make
 ```
 ### 2. Start the Relay
 ```bash
 ./build/c_relay_x86
 ```
 **That's it!** No configuration files, no command line arguments needed.
 ### 3. Save Your Admin Keys (IMPORTANT!)
 On first startup, the relay will display:
 ```
 =================================================================
 IMPORTANT: SAVE THIS ADMIN PRIVATE KEY SECURELY!
 =================================================================
 Admin Private Key: f8491814ea288260dad2ab52c09b3b037e75e83e8b24feb9bdc328423922be44
 Admin Public Key:  07fc2cdd8bdc0c60eefcc9e37e67fef88206bc84fadb894c283b006554ac687b
 Relay Private Key: a1b2c3d4e5f6...
 Relay Public Key:  1a2b3c4d5e6f...
 Database: dc9a93fd0ffba7041f6df0602e5021913a42fcaf6dbf40f43ecdc011177b4d94.nrdb
 =================================================================
 ```
 ⚠️ **Save the admin private key securely** - it's needed to update relay configuration and is only displayed once!
 ## 📋 System Requirements
 - **OS**: Linux, macOS, or Windows (WSL)
 - **Dependencies**: 
  - SQLite 3
  - libwebsockets
  - OpenSSL/LibreSSL
  - libsecp256k1
  - libcurl
  - zlib
 ## 🏗️ Event-Based Configuration System
 ### How It Works
 Traditional Nostr relays require configuration files, environment variables, or command line arguments. This relay uses a **revolutionary approach**:
 1. **First-Time Startup**: Generates cryptographically secure admin and relay keypairs
 2. **Database Creation**: Creates `<relay_pubkey>.nrdb` database file
 3. **Default Configuration**: Creates initial kind 33334 configuration event with sensible defaults
 4. **Real-Time Updates**: Administrators send new kind 33334 events to update configuration
 5. **Instant Application**: Changes are applied immediately without restart
 ### Configuration Updates
 To update relay configuration, send a signed kind 33334 event:
 ```json
 {
  "kind": 33334,
  "content": "C Nostr Relay Configuration",
  "tags": [
    ["d", "<relay_pubkey>"],
    ["relay_description", "My awesome Nostr relay"],
    ["max_subscriptions_per_client", "25"],
    ["pow_min_difficulty", "16"],
    ["nip40_expiration_enabled", "true"]
  ],
  "created_at": 1234567890,
  "pubkey": "<admin_pubkey>",
  "id": "...",
  "sig": "..."
 }
 ```
 Send this event to your relay via WebSocket, and changes are applied instantly.
 ### Configurable Parameters
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `relay_description` | Relay description (NIP-11) | "C Nostr Relay" |
 | `relay_contact` | Admin contact info | "" |
 | `max_subscriptions_per_client` | Max subscriptions per client | "25" |
 | `max_total_subscriptions` | Total subscription limit | "5000" |
 | `pow_min_difficulty` | NIP-13 PoW difficulty | "0" |
 | `pow_mode` | PoW validation mode | "optional" |
 | `nip40_expiration_enabled` | Enable NIP-40 expiration | "true" |
 | `nip40_expiration_strict` | Strict expiration mode | "false" |
 | `max_message_length` | Max message size | "65536" |
 | `max_event_tags` | Max tags per event | "2000" |
 | `max_content_length` | Max content length | "65536" |
 ## 🔧 Deployment
 ### Manual Installation
 ```bash
 # Build the relay
 make
 # Run directly
 ./build/c_relay_x86
 ```
 ### SystemD Service (Recommended)
 ```bash
 # Install as system service
 sudo systemd/install-service.sh
 # Start the service
 sudo systemctl start c-relay
 # Enable auto-start on boot
 sudo systemctl enable c-relay
 # View logs
 sudo journalctl -u c-relay -f
 ```
 See [`systemd/README.md`](systemd/README.md) for detailed deployment documentation.
 ### Docker (Coming Soon)
 Docker support is planned for future releases.
 ## 📊 Database Schema
 The relay uses an optimized SQLite schema (version 4) with these key features:
 - **Event-based storage**: All Nostr events in single `events` table
 - **JSON tags support**: Native JSON storage for event tags
 - **Performance optimized**: Multiple indexes for fast queries
 - **Subscription logging**: Optional detailed subscription analytics
 - **Auto-cleanup**: Automatic ephemeral event cleanup
 - **Replaceable events**: Proper handling of replaceable/addressable events
 ## 🛡️ Security Features
 - **Cryptographic validation**: All configuration events cryptographically verified
 - **Admin-only config**: Only authorized admin pubkey can update configuration
 - **Signature verification**: Uses `nostr_verify_event_signature()` for validation
 - **Event structure validation**: Complete event structure validation
 - **Secure key generation**: Uses `/dev/urandom` for cryptographically secure keys
 - **No secrets storage**: Admin private key never stored on disk
 ## 🔌 Network Configuration
 - **Default Port**: 8888 (WebSocket)
 - **Protocol**: WebSocket with Nostr message format
 - **Endpoints**: 
  - `ws://localhost:8888` - WebSocket relay
  - `http://localhost:8888` - NIP-11 relay information (HTTP GET)
 ## 🏃‍♂️ Usage Examples
 ### Connect with a Nostr Client
 ```javascript
 const relay = new WebSocket('ws://localhost:8888');
 relay.send(JSON.stringify(["REQ", "sub1", {"kinds": [1], "limit": 10}]));
 ```
 ### Update Configuration (using `nostrtool` or similar)
 ```bash
 # Create configuration event with nostrtool
 nostrtool event --kind 33334 --content "Updated config" \
  --tag d <relay_pubkey> \
  --tag relay_description "My updated relay" \
  --private-key <admin_private_key>
 # Send to relay
 nostrtool send ws://localhost:8888 <event_json>
 ```
 ## 📈 Monitoring and Analytics
 ### View Relay Status
 ```bash
 # Check if relay is running
 ps aux | grep c_relay
 # Check network port
 netstat -tln | grep 8888
 # View recent logs
 tail -f relay.log
 ```
 ### Database Analytics
 ```bash
 # Connect to relay database
 sqlite3 <relay_pubkey>.nrdb
 # View relay statistics
 SELECT * FROM event_stats;
 # View configuration events
 SELECT * FROM configuration_events;
 # View recent events
 SELECT * FROM recent_events LIMIT 10;
 ```
 ## 🧪 Testing
 ### Run Error Handling Tests
 ```bash
 # Comprehensive test suite
 tests/event_config_tests.sh
 # Quick validation tests
 tests/quick_error_tests.sh
 ```
 ### Manual Testing
 ```bash
 # Test WebSocket connection
 wscat -c ws://localhost:8888
 # Test NIP-11 information
 curl http://localhost:8888
 ```
 ## 🔧 Development
 ### Build from Source
 ```bash
 git clone <repository-url>
 cd c-relay
 git submodule update --init --recursive
 make clean && make
 ```
 ### Debug Build
 ```bash
 make debug
 gdb ./build/c_relay_x86
 ```
 ### Contributing
 1. Fork the repository
 2. Create a feature branch
 3. Make changes with tests
 4. Submit a pull request
 ## 📜 Supported NIPs
 <!--
@@ -276,68 +17,155 @@ Do NOT modify the formatting, add emojis, or change the text. Keep the simple fo
 - [x] NIP-20: Command Results
 - [x] NIP-33: Parameterized Replaceable Events
 - [x] NIP-40: Expiration Timestamp
- [ ] NIP-42: Authentication of clients to relays
+- [x] NIP-42: Authentication of clients to relays
 - [ ] NIP-45: Counting results
 - [ ] NIP-50: Keywords filter
 - [ ] NIP-70: Protected Events
-## 🆘 Troubleshooting
+## 🔧 Administrator API
-### Common Issues
+C-Relay uses an innovative **event-based administration system** where all configuration and management commands are sent as signed Nostr events using the admin private key generated during first startup. All admin commands use **tag-based parameters** for simplicity and compatibility.
-**Relay won't start**
+### Authentication
 ```bash
 # Check for port conflicts
 netstat -tln | grep 8888
-# Check permissions
+All admin commands require signing with the admin private key displayed during first-time startup. **Save this key securely** - it cannot be recovered and is needed for all administrative operations.
 ls -la build/c_relay_x86
-# Check dependencies
+### Event Structure
-ldd build/c_relay_x86
+
 All admin commands use the same unified event structure with tag-based parameters:
 **Admin Command Event:**
 ```json
 {
  "id": "event_id",
  "pubkey": "admin_public_key",
  "created_at": 1234567890,
  "kind": 23456,
  "content": "<nip44 encrypted command>",
  "tags": [
    ["p", "relay_public_key"],
  ],
  "sig": "event_signature"
 }
 ```
-**Lost admin private key**
+**Admin Response Event:**
- If you lose the admin private key, you cannot update configuration
+```json
- You must delete the database file and restart (loses all events)
+["EVENT", "temp_sub_id", {
- The relay will generate new keys on first startup
+  "id": "response_event_id",
-
+  "pubkey": "relay_public_key",
-**Database corruption**
+  "created_at": 1234567890,
-```bash
+  "kind": 23457,
-# Check database integrity
+  "content": "<nip44 encrypted response>",
-sqlite3 <relay_pubkey>.nrdb "PRAGMA integrity_check;"
+  "tags": [
-
+    ["p", "admin_public_key"]
-# If corrupted, remove database (loses all events)
+  ],
-rm <relay_pubkey>.nrdb*
+  "sig": "response_event_signature"
-./build/c_relay_x86  # Will create fresh database
+}]
 ```
-**Configuration not updating**
+### Admin Commands
 - Ensure configuration events are properly signed
 - Check that admin pubkey matches the one from first startup
 - Verify WebSocket connection is active
 - Check relay logs for validation errors
-## 📄 License
+All commands are sent as nip44 encrypted content. The following table lists all available commands:
-This project is licensed under the MIT License - see the LICENSE file for details.
+| Command Type | Tag Format | Description |
 |--------------|------------|-------------|
 | **Configuration Management** |
 | `config_update` | `["relay_description", "My Relay"]` | Update relay configuration parameters |
 | `config_query` | `["config_query", "list_all_keys"]` | List all available configuration keys |
 | **Auth Rules Management** |
 | `auth_add_blacklist` | `["blacklist", "pubkey", "abc123..."]` | Add pubkey to blacklist |
 | `auth_add_whitelist` | `["whitelist", "pubkey", "def456..."]` | Add pubkey to whitelist |
 | `auth_query_all` | `["auth_query", "all"]` | Query all auth rules |
 | `auth_query_type` | `["auth_query", "whitelist"]` | Query specific rule type |
 | `auth_query_pattern` | `["auth_query", "pattern", "abc123..."]` | Query specific pattern |
 | **System Commands** |
 | `system_clear_auth` | `["system_command", "clear_all_auth_rules"]` | Clear all auth rules |
 | `system_status` | `["system_command", "system_status"]` | Get system status |
-## 🤝 Support
+### Available Configuration Keys
- **Issues**: Report bugs and feature requests on GitHub
+**Basic Relay Settings:**
- **Documentation**: See `docs/` directory for technical details
+- `relay_description`: Relay description text
- **Deployment**: See `systemd/README.md` for production deployment
+- `relay_contact`: Contact information
- **Community**: Join the Nostr development community
+- `max_connections`: Maximum concurrent connections
 - `max_subscriptions_per_client`: Max subscriptions per client
 - `max_event_tags`: Maximum tags per event
 - `max_content_length`: Maximum event content length
-## 🚀 Future Roadmap
+**Authentication & Access Control:**
 - `auth_enabled`: Enable whitelist/blacklist auth rules (`true`/`false`)
 - `nip42_auth_required`: Enable NIP-42 cryptographic authentication (`true`/`false`)
 - `nip42_auth_required_kinds`: Event kinds requiring NIP-42 auth (comma-separated)
 - `nip42_challenge_timeout`: NIP-42 challenge expiration seconds
- [ ] Docker containerization
+**Proof of Work & Validation:**
- [ ] NIP-42 authentication support
+- `pow_min_difficulty`: Minimum proof-of-work difficulty
- [ ] Advanced analytics dashboard
+- `nip40_expiration_enabled`: Enable event expiration (`true`/`false`)
 - [ ] Clustering support for high availability
 - [ ] Performance optimizations
 - [ ] Additional NIP implementations
---
+### Response Format
 All admin commands return **signed EVENT responses** via WebSocket following standard Nostr protocol. Responses use JSON content with structured data.
 #### Response Examples
 **Success Response:**
 ```json
 ["EVENT", "temp_sub_id", {
  "id": "response_event_id",
  "pubkey": "relay_public_key",
  "created_at": 1234567890,
  "kind": 23457,
  "content": "nip44 encrypted:{\"status\": \"success\", \"message\": \"Operation completed successfully\"}",
  "tags": [
    ["p", "admin_public_key"]
  ],
  "sig": "response_event_signature"
 }]
 ```
 **Error Response:**
 ```json
 ["EVENT", "temp_sub_id", {
  "id": "response_event_id",
  "pubkey": "relay_public_key",
  "created_at": 1234567890,
  "kind": 23457,
  "content": "nip44 encrypted:{\"status\": \"error\", \"message\": \"Error: invalid configuration value\"}",
  "tags": [
    ["p", "admin_public_key"]
  ],
  "sig": "response_event_signature"
 }]
 ```
 **Auth Rules Query Response:**
 ```json
 ["EVENT", "temp_sub_id", {
  "id": "response_event_id",
  "pubkey": "relay_public_key",
  "created_at": 1234567890,
  "kind": 23457,
  "content": "nip44 encrypted:{\"query_type\": \"auth_rules\", \"total_results\": 2, \"data\": [{\"rule_type\": \"blacklist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"abc123...\", \"action\": \"deny\"}]}",
  "tags": [
    ["p", "admin_public_key"]
  ],
  "sig": "response_event_signature"
 }]
 ```
 **Configuration Query Response:**
 ```json
 ["EVENT", "temp_sub_id", {
  "id": "response_event_id",
  "pubkey": "relay_public_key",
  "created_at": 1234567890,
  "kind": 23457,
  "content": "nip44 encrypted:{\"query_type\": \"config_keys\", \"config_keys\": [\"auth_enabled\", \"max_connections\"], \"descriptions\": {\"auth_enabled\": \"Enable whitelist/blacklist rules\"}}",
  "tags": [
    ["p", "admin_public_key"]
  ],
  "sig": "response_event_signature"
 }]
 ```
 **The C Nostr Relay represents the future of Nostr infrastructure - zero configuration, event-based management, and cryptographically secure administration.**
--- a/api/index.html
+++ b/api/index.html
--- a/api/nostr-lite.js
+++ b/api/nostr-lite.js
--- a/api/nostr.bundle.js
+++ b/api/nostr.bundle.js
--- a/BIN
+++ b/BIN
--- a/db/README.md
+++ b/db/README.md
@@ -1 +0,0 @@
 Only README.md will remain
--- a/docs/NIP-42_Authentication.md
+++ b/docs/NIP-42_Authentication.md
@@ -0,0 +1,295 @@
 # NIP-42 Authentication Implementation
 ## Overview
 This relay implements NIP-42 (Authentication of clients to relays) providing granular authentication controls for event submission and subscription operations. The implementation supports both challenge-response authentication and per-connection state management.
 ## Architecture
 ### Core Components
 1. **Per-Session Authentication State** (`struct per_session_data`)
   - `authenticated`: Boolean flag indicating authentication status
   - `authenticated_pubkey[65]`: Hex-encoded public key of authenticated user
   - `active_challenge[65]`: Current authentication challenge
   - `challenge_created`: Timestamp when challenge was generated
   - `challenge_expires`: Challenge expiration timestamp
   - `nip42_auth_required_events`: Whether auth is required for EVENT submission
   - `nip42_auth_required_subscriptions`: Whether auth is required for REQ operations
   - `auth_challenge_sent`: Flag indicating if challenge has been sent
 2. **Challenge Management** (via `request_validator.c`)
   - `nostr_nip42_generate_challenge()`: Generates cryptographically secure challenges
   - `nostr_nip42_verify_auth_event()`: Validates signed authentication events
   - Challenge storage and cleanup with expiration handling
 3. **WebSocket Protocol Integration**
   - AUTH message handling in `nostr_relay_callback()`
   - Challenge generation and transmission
   - Authentication verification and session state updates
 ## Configuration Options
 ### Event-Based Configuration
 NIP-42 authentication is configured using kind 33334 configuration events with the following tags:
 | Tag | Description | Default | Values |
 |-----|-------------|---------|--------|
 | `nip42_auth_required_events` | Require auth for EVENT submission | `false` | `true`/`false` |
 | `nip42_auth_required_subscriptions` | Require auth for REQ operations | `false` | `true`/`false` |
 ### Example Configuration Event
 ```json
 {
  "kind": 33334,
  "content": "C Nostr Relay Configuration",
  "tags": [
    ["d", "<relay_pubkey>"],
    ["nip42_auth_required_events", "true"],
    ["nip42_auth_required_subscriptions", "false"],
    ["relay_description", "Authenticated Nostr Relay"]
  ],
  "created_at": 1640995200,
  "pubkey": "<admin_pubkey>",
  "id": "<event_id>",
  "sig": "<signature>"
 }
 ```
 ## Authentication Flow
 ### 1. Challenge Generation
 When authentication is required and client is not authenticated:
 ```
 Client -> Relay: ["EVENT", <event>] (unauthenticated)
 Relay -> Client: ["AUTH", <challenge>]
 ```
 The challenge is a 64-character hex string generated using cryptographically secure random numbers.
 ### 2. Authentication Response
 Client creates and signs an authentication event (kind 22242):
 ```json
 {
  "kind": 22242,
  "content": "",
  "tags": [
    ["relay", "ws://relay.example.com"],
    ["challenge", "<challenge_from_relay>"]
  ],
  "created_at": <current_timestamp>,
  "pubkey": "<client_pubkey>",
  "id": "<event_id>",
  "sig": "<signature>"
 }
 ```
 Client sends this event back to relay:
 ```
 Client -> Relay: ["AUTH", <signed_auth_event>]
 ```
 ### 3. Verification and Session Update
 The relay:
 1. Validates the authentication event signature
 2. Verifies the challenge matches the one sent
 3. Checks challenge expiration (default: 10 minutes)
 4. Updates session state with authenticated public key
 5. Sends confirmation notice
 ```
 Relay -> Client: ["NOTICE", "NIP-42 authentication successful"]
 ```
 ## Granular Authentication Controls
 ### Separate Controls for Events vs Subscriptions
 The implementation provides separate authentication requirements:
 - **Event Submission**: Control whether clients must authenticate to publish events
 - **Subscription Access**: Control whether clients must authenticate to create subscriptions
 This allows flexible relay policies:
 - **Public Read, Authenticated Write**: `events=true, subscriptions=false`
 - **Fully Authenticated**: `events=true, subscriptions=true`
 - **Public Access**: `events=false, subscriptions=false` (default)
 - **Authenticated Read Only**: `events=false, subscriptions=true`
 ### Per-Connection State
 Each WebSocket connection maintains its own authentication state:
 - Authentication persists for the lifetime of the connection
 - Challenges expire after 10 minutes
 - Session cleanup on connection close
 ## Security Features
 ### Challenge Security
 - 64-character hexadecimal challenges (256 bits of entropy)
 - Cryptographically secure random generation
 - Challenge expiration to prevent replay attacks
 - One-time use challenges
 ### Event Validation
 - Complete signature verification using secp256k1
 - Event ID validation
 - Challenge-response binding verification
 - Timestamp validation with configurable tolerance
 ### Session Management
 - Thread-safe per-session state management
 - Automatic cleanup on disconnection
 - Challenge expiration handling
 ## Client Integration
 ### Using nak Client
 ```bash
 # Generate keypair
 PRIVKEY=$(nak key --gen)
 PUBKEY=$(nak key --pub $PRIVKEY)
 # Connect and authenticate automatically
 nak event -k 1 --content "Authenticated message" --sec $PRIVKEY --relay ws://localhost:8888
 # nak handles NIP-42 authentication automatically when required
 ```
 ### Manual WebSocket Integration
 ```javascript
 const ws = new WebSocket('ws://localhost:8888');
 ws.onmessage = (event) => {
  const message = JSON.parse(event.data);
  if (message[0] === 'AUTH') {
    const challenge = message[1];
    // Create auth event (kind 22242)
    const authEvent = {
      kind: 22242,
      content: "",
      tags: [
        ["relay", "ws://localhost:8888"],
        ["challenge", challenge]
      ],
      created_at: Math.floor(Date.now() / 1000),
      pubkey: clientPubkey,
      // ... calculate id and signature
    };
    // Send auth response
    ws.send(JSON.stringify(["AUTH", authEvent]));
  }
 };
 // Send event (may trigger AUTH challenge)
 ws.send(JSON.stringify(["EVENT", myEvent]));
 ```
 ## Administration
 ### Enabling Authentication
 1. **Get Admin Private Key**: Extract from relay startup logs (shown once)
 2. **Create Configuration Event**: Use nak or custom tooling
 3. **Publish Configuration**: Send to relay with admin signature
 ```bash
 # Enable auth for events only
 nak event -k 33334 \
  --content "C Nostr Relay Configuration" \
  --tag "d=$RELAY_PUBKEY" \
  --tag "nip42_auth_required_events=true" \
  --tag "nip42_auth_required_subscriptions=false" \
  --sec $ADMIN_PRIVKEY \
  --relay ws://localhost:8888
 ```
 ### Monitoring Authentication
 - Check relay logs for authentication events
 - Monitor `NOTICE` messages for auth status
 - Use `get_settings.sh` script to view current configuration
 ```bash
 ./get_settings.sh
 ```
 ## Troubleshooting
 ### Common Issues
 1. **Challenge Expiration**
   - Default: 10 minutes
   - Client must respond within expiration window
   - Generate new challenge for expired attempts
 2. **Signature Verification Failures**
   - Verify event structure matches NIP-42 specification
   - Check challenge value matches exactly
   - Ensure proper secp256k1 signature generation
 3. **Configuration Not Applied**
   - Verify admin private key is correct
   - Check configuration event signature
   - Ensure relay pubkey in 'd' tag matches relay
 ### Debug Commands
 ```bash
 # Check supported NIPs
 curl -H "Accept: application/nostr+json" http://localhost:8888 | jq .supported_nips
 # View current configuration
 nak req -k 33334 ws://localhost:8888 | jq .
 # Test authentication flow
 ./tests/42_nip_test.sh
 ```
 ## Performance Considerations
 - Challenge generation: ~1ms overhead per unauthenticated connection
 - Authentication verification: ~2-5ms per auth event
 - Memory overhead: ~200 bytes per connection for auth state
 - Database impact: Configuration events cached, minimal query overhead
 ## Integration with Other NIPs
 ### NIP-01 (Basic Protocol)
 - AUTH messages integrated into standard WebSocket flow
 - Compatible with existing EVENT/REQ/CLOSE message handling
 ### NIP-11 (Relay Information)
 - NIP-42 advertised in `supported_nips` array
 - Authentication requirements reflected in relay metadata
 ### NIP-20 (Command Results)
 - OK responses include authentication-related error messages
 - NOTICE messages provide authentication status updates
 ## Future Extensions
 ### Potential Enhancements
 - Role-based authentication (admin, user, read-only)
 - Time-based access controls
 - Rate limiting based on authentication status
 - Integration with external authentication providers
 ### Configuration Extensions
 - Per-kind authentication requirements
 - Whitelist/blacklist integration
 - Custom challenge expiration times
 - Authentication logging and metrics
--- a/docs/admin_api_plan.md
+++ b/docs/admin_api_plan.md
@@ -0,0 +1,537 @@
 # C-Relay Administrator API Implementation Plan
 ## Problem Analysis
 ### Current Issues Identified:
 1. **Schema Mismatch**: Storage system (config.c) vs Validation system (request_validator.c) use different column names and values
 2. **Missing API Endpoint**: No way to clear auth_rules table for testing
 3. **Configuration Gap**: Auth rules enforcement may not be properly enabled
 4. **Documentation Gap**: Admin API commands not documented
 ### Root Cause: Auth Rules Schema Inconsistency
 **Current Schema (sql_schema.h lines 140-150):**
 ```sql
 CREATE TABLE auth_rules (
    rule_type TEXT CHECK (rule_type IN ('whitelist', 'blacklist')),
    pattern_type TEXT CHECK (pattern_type IN ('pubkey', 'hash')),  
    pattern_value TEXT,
    action TEXT CHECK (action IN ('allow', 'deny')),
    active INTEGER DEFAULT 1
 );
 ```
 **Storage Implementation (config.c):**
 - Stores: `rule_type='blacklist'`, `pattern_type='pubkey'`, `pattern_value='hex'`, `action='allow'`
 **Validation Implementation (request_validator.c):**
 - Queries: `rule_type='pubkey_blacklist'`, `rule_target='hex'`, `operation='event'`, `enabled=1`
 **MISMATCH**: Validator looks for non-existent columns and wrong rule_type values!
 ## Proposed Solution Architecture
 ### Phase 1: API Documentation & Standardization
 #### Admin API Commands (via WebSocket with admin private key)
 **Kind 23455: Configuration Management (Ephemeral)**
 - Update relay settings, limits, authentication policies
 - **Standard Mode**: Commands in tags `["config_key", "config_value"]`
 - **Encrypted Mode**: Commands NIP-44 encrypted in content `{"encrypted_tags": "..."}`
 - Content: Descriptive text or encrypted payload
 - Security: Optional NIP-44 encryption for sensitive operations
 **Kind 23456: Auth Rules & System Management (Ephemeral)**
 - Auth rules: Add/remove/query whitelist/blacklist rules
 - System commands: clear rules, status, cache management
 - **Standard Mode**: Commands in tags
  - Rule format: `["rule_type", "pattern_type", "pattern_value"]`
  - Query format: `["auth_query", "filter"]`
  - System format: `["system_command", "command_name"]`
 - **Encrypted Mode**: Commands NIP-44 encrypted in content `{"encrypted_tags": "..."}`
 - Content: Action description + optional encrypted payload
 - Security: Optional NIP-44 encryption for sensitive operations
 #### Configuration Query Commands (using Kind 23455)
 1. **List All Configuration Keys (Standard)**:
   ```json
   {
     "kind": 23455,
     "content": "Discovery query",
     "tags": [["config_query", "list_all_keys"]]
   }
   ```
 2. **List All Configuration Keys (Encrypted)**:
   ```json
   {
     "kind": 23455,
     "content": "{\"query\":\"list_config_keys\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
     "tags": []
   }
   ```
   *Encrypted payload contains:* `[["config_query", "list_all_keys"]]`
 3. **Get Current Configuration (Standard)**:
   ```json
   {
     "kind": 23455,
     "content": "Config query",
     "tags": [["config_query", "get_current_config"]]
   }
   ```
 4. **Get Current Configuration (Encrypted)**:
   ```json
   {
     "kind": 23455,
     "content": "{\"query\":\"get_config\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
     "tags": []
   }
   ```
   *Encrypted payload contains:* `[["config_query", "get_current_config"]]`
 #### System Management Commands (using Kind 23456)
 1. **Clear All Auth Rules (Standard)**:
   ```json
   {
     "kind": 23456,
     "content": "{\"action\":\"clear_all\"}",
     "tags": [["system_command", "clear_all_auth_rules"]]
   }
   ```
 2. **Clear All Auth Rules (Encrypted)**:
   ```json
   {
     "kind": 23456,
     "content": "{\"action\":\"clear_all\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
     "tags": []
   }
   ```
   *Encrypted payload contains:* `[["system_command", "clear_all_auth_rules"]]`
 3. **Query All Auth Rules (Standard)**:
   ```json
   {
     "kind": 23456,
     "content": "{\"query\":\"list_auth_rules\"}",
     "tags": [["auth_query", "all"]]
   }
   ```
 4. **Query All Auth Rules (Encrypted)**:
   ```json
   {
     "kind": 23456,
     "content": "{\"query\":\"list_auth_rules\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
     "tags": []
   }
   ```
   *Encrypted payload contains:* `[["auth_query", "all"]]`
 5. **Add Blacklist Rule (Standard)**:
   ```json
   {
     "kind": 23456,
     "content": "{\"action\":\"add\"}",
     "tags": [["blacklist", "pubkey", "deadbeef1234abcd..."]]
   }
   ```
 6. **Add Blacklist Rule (Encrypted)**:
   ```json
   {
     "kind": 23456,
     "content": "{\"action\":\"add\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
     "tags": []
   }
   ```
   *Encrypted payload contains:* `[["blacklist", "pubkey", "deadbeef1234abcd..."]]`
 ### Phase 2: Auth Rules Schema Alignment
 #### Option A: Fix Validator to Match Schema (RECOMMENDED)
 **Update request_validator.c:**
 ```sql
 -- OLD (broken):
 WHERE rule_type = 'pubkey_blacklist' AND rule_target = ? AND operation = ? AND enabled = 1
 -- NEW (correct):
 WHERE rule_type = 'blacklist' AND pattern_type = 'pubkey' AND pattern_value = ? AND active = 1
 ```
 **Benefits:**
 - Matches actual database schema
 - Simpler rule_type values ('blacklist' vs 'pubkey_blacklist')  
 - Uses existing columns (pattern_value vs rule_target)
 - Consistent with storage implementation
 #### Option B: Update Schema to Match Validator (NOT RECOMMENDED)
 Would require changing schema, migration scripts, and storage logic.
 ### Phase 3: Implementation Priority
 #### High Priority (Critical for blacklist functionality):
 1. Fix request_validator.c schema mismatch
 2. Ensure auth_required configuration is enabled
 3. Update tests to use ephemeral event kinds (23455/23456)
 4. Test blacklist enforcement
 #### Medium Priority (Enhanced Admin Features):
 1. **Implement NIP-44 Encryption Support**:
   - Detect empty tags array for Kind 23455/23456 events
   - Parse `encrypted_tags` field from content JSON
   - Decrypt using admin privkey and relay pubkey
   - Process decrypted tags as normal commands
 2. Add clear_all_auth_rules system command
 3. Add auth rule query functionality (both standard and encrypted modes)
 4. Add configuration discovery (list available config keys)
 5. Enhanced error reporting in admin API
 6. Conflict resolution (same pubkey in whitelist + blacklist)
 #### Security Priority (NIP-44 Implementation):
 1. **Encryption Detection Logic**: Check for empty tags + encrypted_tags field
 2. **Key Pair Management**: Use admin private key + relay public key for NIP-44
 3. **Backward Compatibility**: Support both standard and encrypted modes
 4. **Error Handling**: Graceful fallback if decryption fails
 5. **Performance**: Cache decrypted results to avoid repeated decryption
 #### Low Priority (Documentation & Polish):
 1. Complete README.md API documentation
 2. Example usage scripts
 3. Admin client tools
 ### Phase 4: Expected API Structure
 #### README.md Documentation Format:
 ```markdown
 # C-Relay Administrator API
 ## Authentication
 All admin commands require signing with the admin private key generated during first startup.
 ## Configuration Management (Kind 23455 - Ephemeral)
 Update relay configuration parameters or query available settings.
 **Configuration Update Event:**
 ```json
 {
  "kind": 23455,
  "content": "Configuration update",
  "tags": [
    ["config_key1", "config_value1"],
    ["config_key2", "config_value2"]
  ]
 }
 ```
 **List Available Config Keys:**
 ```json
 {
  "kind": 23455,
  "content": "{\"query\":\"list_config_keys\",\"description\":\"Get editable config keys\"}",
  "tags": [
    ["config_query", "list_all_keys"]
  ]
 }
 ```
 **Get Current Configuration:**
 ```json
 {
  "kind": 23455,
  "content": "{\"query\":\"get_config\",\"description\":\"Get current config values\"}",
  "tags": [
    ["config_query", "get_current_config"]
  ]
 }
 ```
 ## Auth Rules Management (Kind 23456 - Ephemeral)
 Manage whitelist and blacklist rules.
 **Add Rule Event:**
 ```json
 {
  "kind": 23456,
  "content": "{\"action\":\"add\",\"description\":\"Block malicious user\"}",
  "tags": [
    ["blacklist", "pubkey", "deadbeef1234..."]
  ]
 }
 ```
 **Remove Rule Event:**
 ```json
 {
  "kind": 23456,
  "content": "{\"action\":\"remove\",\"description\":\"Unblock user\"}",
  "tags": [
    ["blacklist", "pubkey", "deadbeef1234..."]
  ]
 }
 ```
 **Query All Auth Rules:**
 ```json
 {
  "kind": 23456,
  "content": "{\"query\":\"list_auth_rules\",\"description\":\"Get all rules\"}",
  "tags": [
    ["auth_query", "all"]
  ]
 }
 ```
 **Query Whitelist Rules Only:**
 ```json
 {
  "kind": 23456,
  "content": "{\"query\":\"list_auth_rules\",\"description\":\"Get whitelist\"}",
  "tags": [
    ["auth_query", "whitelist"]
  ]
 }
 ```
 **Check Specific Pattern:**
 ```json
 {
  "kind": 23456,
  "content": "{\"query\":\"check_pattern\",\"description\":\"Check if pattern exists\"}",
  "tags": [
    ["auth_query", "pattern", "deadbeef1234..."]
  ]
 }
 ```
 ## System Management (Kind 23456 - Ephemeral)
 System administration commands using the same kind as auth rules.
 **Clear All Auth Rules:**
 ```json
 {
  "kind": 23456,
  "content": "{\"action\":\"clear_all\",\"description\":\"Clear all auth rules\"}",
  "tags": [
    ["system_command", "clear_all_auth_rules"]
  ]
 }
 ```
 **System Status:**
 ```json
 {
  "kind": 23456,
  "content": "{\"action\":\"system_status\",\"description\":\"Get system status\"}",
  "tags": [
    ["system_command", "system_status"]
  ]
 }
 ```
 ## Response Format
 All admin commands return JSON responses via WebSocket:
 **Success Response:**
 ```json
 ["OK", "event_id", true, "success_message"]
 ```
 **Error Response:**  
 ```json
 ["OK", "event_id", false, "error_message"]
 ```
 ## Configuration Keys
 - `relay_description`: Relay description text
 - `relay_contact`: Contact information  
 - `auth_enabled`: Enable authentication system
 - `max_connections`: Maximum concurrent connections
 - `pow_min_difficulty`: Minimum proof-of-work difficulty
 - ... (full list of config keys)
 ## Examples
 ### Enable Authentication & Add Blacklist
 ```bash
 # 1. Enable auth system
 nak event -k 23455 --content "Enable authentication" \
  -t "auth_enabled=true" \
  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
 # 2. Add user to blacklist
 nak event -k 23456 --content '{"action":"add","description":"Spam user"}' \
  -t "blacklist=pubkey;$SPAM_USER_PUBKEY" \
  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
 # 3. Query all auth rules
 nak event -k 23456 --content '{"query":"list_auth_rules","description":"Get all rules"}' \
  -t "auth_query=all" \
  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
 # 4. Clear all rules for testing
 nak event -k 23456 --content '{"action":"clear_all","description":"Clear all rules"}' \
  -t "system_command=clear_all_auth_rules" \
  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
 ```
 ## Expected Response Formats
 ### Configuration Query Response
 ```json
 ["EVENT", "subscription_id", {
  "kind": 23455,
  "content": "{\"config_keys\": [\"auth_enabled\", \"max_connections\"], \"descriptions\": {\"auth_enabled\": \"Enable whitelist/blacklist rules\"}}",
  "tags": [["response_type", "config_keys_list"]]
 }]
 ```
 ### Current Config Response
 ```json
 ["EVENT", "subscription_id", {
  "kind": 23455,
  "content": "{\"current_config\": {\"auth_enabled\": \"true\", \"max_connections\": \"1000\"}}",
  "tags": [["response_type", "current_config"]]
 }]
 ```
 ### Auth Rules Query Response
 ```json
 ["EVENT", "subscription_id", {
  "kind": 23456,
  "content": "{\"auth_rules\": [{\"rule_type\": \"blacklist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"deadbeef...\"}, {\"rule_type\": \"whitelist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"cafebabe...\"}]}",
  "tags": [["response_type", "auth_rules_list"], ["query_type", "all"]]
 }]
 ```
 ### Pattern Check Response
 ```json
 ["EVENT", "subscription_id", {
  "kind": 23456,
  "content": "{\"pattern_exists\": true, \"rule_type\": \"blacklist\", \"pattern_value\": \"deadbeef...\"}",
  "tags": [["response_type", "pattern_check"], ["pattern", "deadbeef..."]]
 }]
 ```
 ## Implementation Steps
 1. **Document API** (this file) ✅
 2. **Update to ephemeral event kinds** ✅
 3. **Fix request_validator.c** schema mismatch
 4. **Update tests** to use Kind 23455/23456
 5. **Add auth rule query functionality**
 6. **Add configuration discovery feature**
 7. **Test blacklist functionality**
 8. **Add remaining system commands**
 ## Testing Plan
 1. Fix schema mismatch and test basic blacklist
 2. Add clear_auth_rules and test table cleanup
 3. Test whitelist/blacklist conflict scenarios  
 4. Test all admin API commands end-to-end
 5. Update integration tests
 This plan addresses the immediate blacklist issue while establishing a comprehensive admin API framework for future expansion.
 ## NIP-44 Encryption Implementation Details
 ### Server-Side Detection Logic
 ```c
 // In admin event processing function
 bool is_encrypted_command(struct nostr_event *event) {
    // Check if Kind 23455 or 23456 with empty tags
    if ((event->kind == 23455 || event->kind == 23456) &&
        event->tags_count == 0) {
        return true;
    }
    return false;
 }
 cJSON *decrypt_admin_tags(struct nostr_event *event) {
    cJSON *content_json = cJSON_Parse(event->content);
    if (!content_json) return NULL;
    cJSON *encrypted_tags = cJSON_GetObjectItem(content_json, "encrypted_tags");
    if (!encrypted_tags) {
        cJSON_Delete(content_json);
        return NULL;
    }
    // Decrypt using NIP-44 with admin pubkey and relay privkey
    char *decrypted = nip44_decrypt(
        cJSON_GetStringValue(encrypted_tags),
        admin_pubkey,           // Shared secret with admin
        relay_private_key       // Our private key
    );
    cJSON *decrypted_tags = cJSON_Parse(decrypted);
    free(decrypted);
    cJSON_Delete(content_json);
    return decrypted_tags; // Returns tag array: [["key1", "val1"], ["key2", "val2"]]
 }
 ```
 ### Admin Event Processing Flow
 1. **Receive Event**: Kind 23455/23456 with admin signature
 2. **Check Mode**: Empty tags = encrypted, populated tags = standard
 3. **Decrypt if Needed**: Extract and decrypt `encrypted_tags` from content
 4. **Process Commands**: Use decrypted/standard tags for command processing
 5. **Execute**: Same logic for both modes after tag extraction
 6. **Respond**: Standard response format (optionally encrypt response)
 ### Security Benefits
 - **Command Privacy**: Admin operations invisible in event tags
 - **Replay Protection**: NIP-44 includes timestamp/randomness
 - **Key Management**: Uses existing admin/relay key pair
 - **Backward Compatible**: Standard mode still works
 - **Performance**: Only decrypt when needed (empty tags detection)
 ### NIP-44 Library Integration
 The relay will need to integrate a NIP-44 encryption/decryption library:
 ```c
 // Required NIP-44 functions
 char* nip44_encrypt(const char* plaintext, const char* sender_privkey, const char* recipient_pubkey);
 char* nip44_decrypt(const char* ciphertext, const char* recipient_privkey, const char* sender_pubkey);
 ```
 ### Implementation Priority (Updated)
 #### Phase 1: Core Infrastructure (Complete)
 - [x] Event-based admin authentication system
 - [x] Kind 23455/23456 (Configuration/Auth Rules) processing
 - [x] Basic configuration parameter updates
 - [x] Auth rule add/remove/clear functionality
 - [x] Updated to ephemeral event kinds
 - [x] Designed NIP-44 encryption support
 #### Phase 2: NIP-44 Encryption Support (Next Priority)
 - [ ] **Add NIP-44 library dependency** to project
 - [ ] **Implement encryption detection logic** (`is_encrypted_command()`)
 - [ ] **Add decrypt_admin_tags() function** with NIP-44 support
 - [ ] **Update admin command processing** to handle both modes
 - [ ] **Test encrypted admin commands** end-to-end
 #### Phase 3: Enhanced Features
 - [ ] **Auth rule query functionality** (both standard and encrypted modes)
 - [ ] **Configuration discovery API** (list available config keys)
 - [ ] **Enhanced error messages** with encryption status
 - [ ] **Performance optimization** (caching, async decrypt)
 #### Phase 4: Schema Fixes (Critical)
 - [ ] **Fix request_validator.c** schema mismatch
 - [ ] **Enable blacklist enforcement** with encrypted commands
 - [ ] **Update tests** to use both standard and encrypted modes
 This enhanced admin API provides enterprise-grade security while maintaining ease of use for basic operations.
--- a/get_settings.sh
+++ b/get_settings.sh
@@ -0,0 +1,19 @@
 #!/bin/bash
 # get_settings.sh - Query relay configuration events using nak
 # Uses admin test key to query kind 33334 configuration events
 # Test key configuration
 ADMIN_PRIVATE_KEY="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 ADMIN_PUBLIC_KEY="6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3"
 RELAY_PUBLIC_KEY="4f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa"
 RELAY_URL="ws://localhost:8888"
 echo "Querying configuration events (kind 33334) from relay at $RELAY_URL"
 echo "Using admin public key: $ADMIN_PUBLIC_KEY"
 echo "Looking for relay config: $RELAY_PUBLIC_KEY"
 echo ""
 # Query for kind 33334 configuration events
 # These events contain the relay configuration with d-tag matching the relay pubkey
 nak req -k 33334 "$RELAY_URL" | jq .
--- a/make_and_restart_relay.sh
+++ b/make_and_restart_relay.sh
@@ -8,13 +8,69 @@ echo "=== C Nostr Relay Build and Restart Script ==="
 # Parse command line arguments
 PRESERVE_DATABASE=false
 HELP=false
 USE_TEST_KEYS=false
 ADMIN_KEY=""
 RELAY_KEY=""
 PORT_OVERRIDE=""
 # Key validation function
 validate_hex_key() {
    local key="$1"
    local key_type="$2"
    if [ ${#key} -ne 64 ]; then
        echo "ERROR: $key_type key must be exactly 64 characters"
        return 1
    fi
    if ! [[ "$key" =~ ^[0-9a-fA-F]{64}$ ]]; then
        echo "ERROR: $key_type key must contain only hex characters (0-9, a-f, A-F)"
        return 1
    fi
    return 0
 }
 while [[ $# -gt 0 ]]; do
    case $1 in
-        --preserve-database|-p)
+        -a|--admin-key)
            if [ -z "$2" ]; then
                echo "ERROR: Admin key option requires a value"
                HELP=true
                shift
            else
                ADMIN_KEY="$2"
                shift 2
            fi
            ;;
        -r|--relay-key)
            if [ -z "$2" ]; then
                echo "ERROR: Relay key option requires a value"
                HELP=true
                shift
            else
                RELAY_KEY="$2"
                shift 2
            fi
            ;;
        -p|--port)
            if [ -z "$2" ]; then
                echo "ERROR: Port option requires a value"
                HELP=true
                shift
            else
                PORT_OVERRIDE="$2"
                shift 2
            fi
            ;;
        --preserve-database)
            PRESERVE_DATABASE=true
            shift
            ;;
        --test-keys|-t)
            USE_TEST_KEYS=true
            shift
            ;;
        --help|-h)
            HELP=true
            shift
@@ -27,23 +83,53 @@ while [[ $# -gt 0 ]]; do
    esac
 done
 # Validate custom keys if provided
 if [ -n "$ADMIN_KEY" ]; then
    if ! validate_hex_key "$ADMIN_KEY" "Admin"; then
        exit 1
    fi
 fi
 if [ -n "$RELAY_KEY" ]; then
    if ! validate_hex_key "$RELAY_KEY" "Relay"; then
        exit 1
    fi
 fi
 # Validate port if provided
 if [ -n "$PORT_OVERRIDE" ]; then
    if ! [[ "$PORT_OVERRIDE" =~ ^[0-9]+$ ]] || [ "$PORT_OVERRIDE" -lt 1 ] || [ "$PORT_OVERRIDE" -gt 65535 ]; then
        echo "ERROR: Port must be a number between 1 and 65535"
        exit 1
    fi
 fi
 # Show help
 if [ "$HELP" = true ]; then
    echo "Usage: $0 [OPTIONS]"
    echo ""
    echo "Options:"
-    echo "  --preserve-database, -p  Keep existing database files (don't delete for fresh start)"
+    echo "  -a, --admin-key <hex>    64-character hex admin private key"
    echo "  -r, --relay-key <hex>    64-character hex relay private key"
    echo "  -p, --port <port>        Custom port override (default: 8888)"
    echo "  --preserve-database      Keep existing database files (don't delete for fresh start)"
    echo "  --test-keys, -t          Use deterministic test keys for development (admin: all 'a's, relay: all '1's)"
    echo "  --help, -h               Show this help message"
    echo ""
    echo "Event-Based Configuration:"
    echo "  This relay now uses event-based configuration stored directly in the database."
    echo "  On first startup, keys are automatically generated and printed once."
-    echo "  Database file: <relay_pubkey>.nrdb (created automatically)"
+    echo "  Database file: <relay_pubkey>.db (created automatically)"
    echo ""
    echo "Examples:"
-    echo "  $0                       # Fresh start with new keys (default)"
+    echo "  $0                                    # Fresh start with random keys"
-    echo "  $0 -p                   # Preserve existing database and keys"
+    echo "  $0 -a <admin-hex> -r <relay-hex>     # Use custom keys"
    echo "  $0 -a <admin-hex> -p 9000            # Custom admin key on port 9000"
    echo "  $0 --preserve-database               # Preserve existing database and keys"
    echo "  $0 --test-keys                       # Use test keys for consistent development"
    echo "  $0 -t --preserve-database            # Use test keys and preserve database"
    echo ""
    echo "Key Format: Keys must be exactly 64 hexadecimal characters (0-9, a-f, A-F)"
    echo "Default behavior: Deletes existing database files to start fresh with new keys"
    echo "                 for development purposes"
    exit 0
@@ -51,15 +137,22 @@ fi
 # Handle database file cleanup for fresh start
 if [ "$PRESERVE_DATABASE" = false ]; then
-    if ls *.nrdb >/dev/null 2>&1; then
+    if ls *.db >/dev/null 2>&1 || ls build/*.db >/dev/null 2>&1; then
        echo "Removing existing database files to trigger fresh key generation..."
-        rm -f *.nrdb
+        rm -f *.db build/*.db
        echo "✓ Database files removed - will generate new keys and database"
    else
        echo "No existing database found - will generate fresh setup"
    fi
 else
    echo "Preserving existing database files as requested"
    # Back up database files before clean build
    if ls build/*.db >/dev/null 2>&1; then
        echo "Backing up existing database files..."
        mkdir -p /tmp/relay_backup_$$
        cp build/*.db* /tmp/relay_backup_$$/ 2>/dev/null || true
        echo "Database files backed up to temporary location"
    fi
 fi
 # Clean up legacy files that are no longer used
@@ -70,6 +163,14 @@ rm -f db/c_nostr_relay.db* 2>/dev/null
 echo "Building project..."
 make clean all
 # Restore database files if preserving
 if [ "$PRESERVE_DATABASE" = true ] && [ -d "/tmp/relay_backup_$$" ]; then
    echo "Restoring preserved database files..."
    cp /tmp/relay_backup_$$/*.db* build/ 2>/dev/null || true
    rm -rf /tmp/relay_backup_$$
    echo "Database files restored to build directory"
 fi
 # Check if build was successful
 if [ $? -ne 0 ]; then
    echo "ERROR: Build failed. Cannot restart relay."
@@ -97,25 +198,54 @@ fi
 echo "Build successful. Proceeding with relay restart..."
-# Kill existing relay if running
+# Kill existing relay if running - start aggressive immediately
 echo "Stopping any existing relay servers..."
 pkill -f "c_relay_" 2>/dev/null
 sleep 2  # Give time for shutdown
-# Check if port is still bound
+# Get all relay processes and kill them immediately with -9
-if lsof -i :8888 >/dev/null 2>&1; then
+RELAY_PIDS=$(pgrep -f "c_relay_" || echo "")
-    echo "Port 8888 still in use, force killing..."
+if [ -n "$RELAY_PIDS" ]; then
-    fuser -k 8888/tcp 2>/dev/null || echo "No process on port 8888"
+    echo "Force killing relay processes immediately: $RELAY_PIDS"
    kill -9 $RELAY_PIDS 2>/dev/null
 else
    echo "No existing relay processes found"
 fi
-# Get any remaining processes
+# Ensure port 8888 is completely free with retry loop
 echo "Ensuring port 8888 is available..."
 for attempt in {1..15}; do
    if ! lsof -i :8888 >/dev/null 2>&1; then
        echo "Port 8888 is now free"
        break
    fi
    echo "Attempt $attempt: Port 8888 still in use, force killing..."
    # Kill anything using port 8888
    fuser -k 8888/tcp 2>/dev/null || true
    # Double-check for any remaining relay processes
    REMAINING_PIDS=$(pgrep -f "c_relay_" || echo "")
    if [ -n "$REMAINING_PIDS" ]; then
-    echo "Force killing remaining processes: $REMAINING_PIDS"
+        echo "Killing remaining relay processes: $REMAINING_PIDS"
-    kill -9 $REMAINING_PIDS 2>/dev/null
+        kill -9 $REMAINING_PIDS 2>/dev/null || true
    fi
    sleep 2
    if [ $attempt -eq 15 ]; then
        echo "ERROR: Could not free port 8888 after 15 attempts"
        echo "Current processes using port:"
        lsof -i :8888 2>/dev/null || echo "No process details available"
        echo "You may need to manually kill processes or reboot"
        exit 1
    fi
 done
 # Final safety check - ensure no relay processes remain
 FINAL_PIDS=$(pgrep -f "c_relay_" || echo "")
 if [ -n "$FINAL_PIDS" ]; then
    echo "Final cleanup: killing processes $FINAL_PIDS"
    kill -9 $FINAL_PIDS 2>/dev/null || true
    sleep 1
 else
    echo "No existing relay found"
 fi
 # Clean up PID file
@@ -129,9 +259,41 @@ echo "Database will be initialized automatically on startup if needed"
 echo "Starting relay server..."
 echo "Debug: Current processes: $(ps aux | grep 'c_relay_' | grep -v grep || echo 'None')"
-# Start relay in background and capture its PID (no command line arguments needed)
+# Build command line arguments for relay binary
-$BINARY_PATH > relay.log 2>&1 &
+RELAY_ARGS=""
 if [ -n "$ADMIN_KEY" ]; then
    RELAY_ARGS="$RELAY_ARGS -a $ADMIN_KEY"
    echo "Using custom admin key: ${ADMIN_KEY:0:16}..."
 fi
 if [ -n "$RELAY_KEY" ]; then
    RELAY_ARGS="$RELAY_ARGS -r $RELAY_KEY"
    echo "Using custom relay key: ${RELAY_KEY:0:16}..."
 fi
 if [ -n "$PORT_OVERRIDE" ]; then
    RELAY_ARGS="$RELAY_ARGS -p $PORT_OVERRIDE"
    echo "Using custom port: $PORT_OVERRIDE"
 fi
 # Change to build directory before starting relay so database files are created there
 cd build
 # Start relay in background and capture its PID
 if [ "$USE_TEST_KEYS" = true ]; then
    echo "Using deterministic test keys for development..."
    ./$(basename $BINARY_PATH) -a aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -r 1111111111111111111111111111111111111111111111111111111111111111 > ../relay.log 2>&1 &
 elif [ -n "$RELAY_ARGS" ]; then
    echo "Starting relay with custom configuration..."
    ./$(basename $BINARY_PATH) $RELAY_ARGS > ../relay.log 2>&1 &
 else
    # No command line arguments needed for random key generation
    echo "Starting relay with random key generation..."
    ./$(basename $BINARY_PATH) > ../relay.log 2>&1 &
 fi
 RELAY_PID=$!
 # Change back to original directory
 cd ..
 echo "Started with PID: $RELAY_PID"
@@ -142,7 +304,34 @@ sleep 3
 if ps -p "$RELAY_PID" >/dev/null 2>&1; then
    echo "Relay started successfully!"
    echo "PID: $RELAY_PID"
-    echo "WebSocket endpoint: ws://127.0.0.1:8888"
+    
    # Wait for relay to fully initialize and detect the actual port it's using
    sleep 2
    # Extract actual port from relay logs
    ACTUAL_PORT=""
    if [ -f relay.log ]; then
        # Look for the success message with actual port
        ACTUAL_PORT=$(grep "WebSocket relay started on ws://127.0.0.1:" relay.log 2>/dev/null | tail -1 | sed -n 's/.*ws:\/\/127\.0\.0\.1:\([0-9]*\).*/\1/p')
        # If we couldn't find the port in logs, try to detect from netstat
        if [ -z "$ACTUAL_PORT" ]; then
            ACTUAL_PORT=$(netstat -tln 2>/dev/null | grep -E ":888[0-9]" | head -1 | sed -n 's/.*:\([0-9]*\).*/\1/p')
        fi
    fi
    # Display the actual endpoint
    if [ -n "$ACTUAL_PORT" ]; then
        if [ "$ACTUAL_PORT" = "8888" ]; then
            echo "WebSocket endpoint: ws://127.0.0.1:$ACTUAL_PORT"
        else
            echo "WebSocket endpoint: ws://127.0.0.1:$ACTUAL_PORT (fell back from port 8888)"
        fi
    else
        echo "WebSocket endpoint: ws://127.0.0.1:8888 (port detection failed - check logs)"
    fi
    echo "HTTP endpoint: http://127.0.0.1:${ACTUAL_PORT:-8888}"
    echo "Log file: relay.log"
    echo ""
--- a/relay.pid
+++ b/relay.pid
@@ -1 +1 @@
-1073070
+285781
--- a/src/config.c
+++ b/src/config.c
--- a/src/config.h
+++ b/src/config.h
@@ -4,6 +4,10 @@
 #include <sqlite3.h>
 #include <cjson/cJSON.h>
 #include <time.h>
 #include <pthread.h>
 // Forward declaration for WebSocket support
 struct lws;
 // Configuration constants
 #define CONFIG_VALUE_MAX_LENGTH 1024
@@ -23,17 +27,81 @@
 // Database path for event-based config
 extern char g_database_path[512];
-// Configuration manager structure
+// Unified configuration cache structure (consolidates all caching systems)
 typedef struct {
-    sqlite3* db;
+    // Critical keys (frequently accessed)
    char relay_pubkey[65];
    char admin_pubkey[65];
-    time_t last_config_check;
+    char relay_pubkey[65];
    char config_file_path[512];  // Temporary for compatibility
 } config_manager_t;
-// Global configuration manager
+    // Auth config (from request_validator)
-extern config_manager_t g_config_manager;
+    int auth_required;
    long max_file_size;
    int admin_enabled;
    int nip42_mode;
    int nip42_challenge_timeout;
    int nip42_time_tolerance;
    // Static buffer for config values (replaces static buffers in get_config_value functions)
    char temp_buffer[CONFIG_VALUE_MAX_LENGTH];
    // NIP-11 relay information (migrated from g_relay_info in main.c)
    struct {
        char name[RELAY_NAME_MAX_LENGTH];
        char description[RELAY_DESCRIPTION_MAX_LENGTH];
        char banner[RELAY_URL_MAX_LENGTH];
        char icon[RELAY_URL_MAX_LENGTH];
        char pubkey[RELAY_PUBKEY_MAX_LENGTH];
        char contact[RELAY_CONTACT_MAX_LENGTH];
        char software[RELAY_URL_MAX_LENGTH];
        char version[64];
        char privacy_policy[RELAY_URL_MAX_LENGTH];
        char terms_of_service[RELAY_URL_MAX_LENGTH];
        cJSON* supported_nips;
        cJSON* limitation;
        cJSON* retention;
        cJSON* relay_countries;
        cJSON* language_tags;
        cJSON* tags;
        char posting_policy[RELAY_URL_MAX_LENGTH];
        cJSON* fees;
        char payments_url[RELAY_URL_MAX_LENGTH];
    } relay_info;
    // NIP-13 PoW configuration (migrated from g_pow_config in main.c)
    struct {
        int enabled;
        int min_pow_difficulty;
        int validation_flags;
        int require_nonce_tag;
        int reject_lower_targets;
        int strict_format;
        int anti_spam_mode;
    } pow_config;
    // NIP-40 Expiration configuration (migrated from g_expiration_config in main.c)
    struct {
        int enabled;
        int strict_mode;
        int filter_responses;
        int delete_expired;
        long grace_period;
    } expiration_config;
    // Cache management
    time_t cache_expires;
    int cache_valid;
    pthread_mutex_t cache_lock;
 } unified_config_cache_t;
 // Command line options structure for first-time startup
 typedef struct {
    int port_override;  // -1 = not set, >0 = port value
    char admin_privkey_override[65];  // Empty string = not set, 64-char hex = override
    char relay_privkey_override[65];  // Empty string = not set, 64-char hex = override
 } cli_options_t;
 // Global unified configuration cache
 extern unified_config_cache_t g_unified_cache;
 // Core configuration functions (temporary compatibility)
 int init_configuration_system(const char* config_dir_override, const char* config_file_override);
@@ -62,7 +130,7 @@ int get_config_bool(const char* key, int default_value);
 // First-time startup functions
 int is_first_time_startup(void);
-int first_time_startup_sequence(void);
+int first_time_startup_sequence(const cli_options_t* cli_options);
 int startup_existing_relay(const char* relay_pubkey);
 // Configuration application functions
@@ -70,7 +138,76 @@ int apply_configuration_from_event(const cJSON* event);
 int apply_runtime_config_handlers(const cJSON* old_event, const cJSON* new_event);
 // Utility functions
-char** find_existing_nrdb_files(void);
+char** find_existing_db_files(void);
 char* extract_pubkey_from_filename(const char* filename);
 // Secure relay private key storage functions
 int store_relay_private_key(const char* relay_privkey_hex);
 char* get_relay_private_key(void);
 const char* get_temp_relay_private_key(void);  // For first-time startup only
 // NIP-42 authentication configuration functions
 int parse_auth_required_kinds(const char* kinds_str, int* kinds_array, int max_kinds);
 int is_nip42_auth_required_for_kind(int event_kind);
 int is_nip42_auth_globally_required(void);
 // ================================
 // NEW ADMIN API FUNCTIONS
 // ================================
 // Config table management functions (config table created via embedded schema)
 const char* get_config_value_from_table(const char* key);
 int set_config_value_in_table(const char* key, const char* value, const char* data_type,
                              const char* description, const char* category, int requires_restart);
 int update_config_in_table(const char* key, const char* value);
 int populate_default_config_values(void);
 int add_pubkeys_to_config_table(void);
 // Admin event processing functions (updated with WebSocket support)
 int process_admin_event_in_config(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
 int process_admin_config_event(cJSON* event, char* error_message, size_t error_size);
 int process_admin_auth_event(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
 // Unified Kind 23456 handler functions
 int handle_kind_23456_unified(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
 int handle_auth_query_unified(cJSON* event, const char* query_type, char* error_message, size_t error_size, struct lws* wsi);
 int handle_system_command_unified(cJSON* event, const char* command, char* error_message, size_t error_size, struct lws* wsi);
 int handle_auth_rule_modification_unified(cJSON* event, char* error_message, size_t error_size);
 // WebSocket response functions
 int send_websocket_response_data(cJSON* event, cJSON* response_data, struct lws* wsi);
 cJSON* build_query_response(const char* query_type, cJSON* results_array, int total_count);
 // Auth rules management functions
 int add_auth_rule_from_config(const char* rule_type, const char* pattern_type,
                             const char* pattern_value, const char* action);
 int remove_auth_rule_from_config(const char* rule_type, const char* pattern_type,
                                const char* pattern_value);
 // Unified configuration cache management
 void force_config_cache_refresh(void);
 const char* get_admin_pubkey_cached(void);
 const char* get_relay_pubkey_cached(void);
 void invalidate_config_cache(void);
 int reload_config_from_table(void);
 // Hybrid config access functions
 const char* get_config_value_hybrid(const char* key);
 int is_config_table_ready(void);
 // Migration support functions
 int initialize_config_system_with_migration(void);
 int migrate_config_from_events_to_table(void);
 int populate_config_table_from_event(const cJSON* event);
 // Startup configuration processing functions
 int process_startup_config_event(const cJSON* event);
 int process_startup_config_event_with_fallback(const cJSON* event);
 // Dynamic event generation functions for WebSocket configuration fetching
 cJSON* generate_config_event_from_table(void);
 int req_filter_requests_config_events(const cJSON* filter);
 cJSON* generate_synthetic_config_event_for_subscription(const char* sub_id, const cJSON* filters);
 char* generate_config_event_json(void);
 #endif /* CONFIG_H */
--- a/src/default_config_event.h
+++ b/src/default_config_event.h
@@ -2,6 +2,7 @@
 #define DEFAULT_CONFIG_EVENT_H
 #include <cjson/cJSON.h>
 #include "config.h"  // For cli_options_t definition
 /*
 * Default Configuration Event Template
@@ -22,6 +23,12 @@ static const struct {
    // Authentication
    {"auth_enabled", "false"},
    // NIP-42 Authentication Settings
    {"nip42_auth_required_events", "false"},
    {"nip42_auth_required_subscriptions", "false"},
    {"nip42_auth_required_kinds", "4,14"},  // Default: DM kinds require auth
    {"nip42_challenge_expiration", "600"},  // 10 minutes
    // Server Core Settings
    {"relay_port", "8888"},
    {"max_connections", "100"},
@@ -63,6 +70,7 @@ static const struct {
 // Function to create default configuration event
 cJSON* create_default_config_event(const unsigned char* admin_privkey_bytes,
                                   const char* relay_privkey_hex,
-                                   const char* relay_pubkey_hex);
+                                   const char* relay_pubkey_hex,
                                   const cli_options_t* cli_options);
 #endif /* DEFAULT_CONFIG_EVENT_H */
--- a/src/main.c
+++ b/src/main.c
--- a/src/request_validator.c
+++ b/src/request_validator.c
--- a/src/sql_schema.h
+++ b/src/sql_schema.h
@@ -1,12 +1,12 @@
 /* Embedded SQL Schema for C Nostr Relay
 * Generated from db/schema.sql - Do not edit manually
- * Schema Version: 4
+ * Schema Version: 7
 */
 #ifndef SQL_SCHEMA_H
 #define SQL_SCHEMA_H
 /* Schema version constant */
-#define EMBEDDED_SCHEMA_VERSION "4"
+#define EMBEDDED_SCHEMA_VERSION "7"
 /* Embedded SQL schema as C string literal */
 static const char* const EMBEDDED_SCHEMA_SQL = 
@@ -15,7 +15,7 @@ static const char* const EMBEDDED_SCHEMA_SQL =
 -- Event-based configuration system using kind 33334 Nostr events\n\
 \n\
 -- Schema version tracking\n\
-PRAGMA user_version = 4;\n\
+PRAGMA user_version = 7;\n\
 \n\
 -- Enable foreign key support\n\
 PRAGMA foreign_keys = ON;\n\
@@ -58,8 +58,8 @@ CREATE TABLE schema_info (\n\
 \n\
 -- Insert schema metadata\n\
 INSERT INTO schema_info (key, value) VALUES\n\
-    ('version', '4'),\n\
+    ('version', '7'),\n\
-    ('description', 'Event-based Nostr relay schema with kind 33334 configuration events'),\n\
+    ('description', 'Hybrid Nostr relay schema with event-based and table-based configuration'),\n\
    ('created_at', strftime('%s', 'now'));\n\
 \n\
 -- Helper views for common queries\n\
@@ -128,6 +128,86 @@ BEGIN\n\
    AND id != NEW.id;\n\
 END;\n\
 \n\
 -- Relay Private Key Secure Storage\n\
 -- Stores the relay's private key separately from public configuration\n\
 CREATE TABLE relay_seckey (\n\
    private_key_hex TEXT NOT NULL CHECK (length(private_key_hex) = 64),\n\
    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n\
 );\n\
 \n\
 -- Authentication Rules Table for NIP-42 and Policy Enforcement\n\
 -- Used by request_validator.c for unified validation\n\
 CREATE TABLE auth_rules (\n\
    id INTEGER PRIMARY KEY AUTOINCREMENT,\n\
    rule_type TEXT NOT NULL CHECK (rule_type IN ('whitelist', 'blacklist', 'rate_limit', 'auth_required')),\n\
    pattern_type TEXT NOT NULL CHECK (pattern_type IN ('pubkey', 'kind', 'ip', 'global')),\n\
    pattern_value TEXT,\n\
    action TEXT NOT NULL CHECK (action IN ('allow', 'deny', 'require_auth', 'rate_limit')),\n\
    parameters TEXT, -- JSON parameters for rate limiting, etc.\n\
    active INTEGER NOT NULL DEFAULT 1,\n\
    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n\
    updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n\
 );\n\
 \n\
 -- Indexes for auth_rules performance\n\
 CREATE INDEX idx_auth_rules_pattern ON auth_rules(pattern_type, pattern_value);\n\
 CREATE INDEX idx_auth_rules_type ON auth_rules(rule_type);\n\
 CREATE INDEX idx_auth_rules_active ON auth_rules(active);\n\
 \n\
 -- Configuration Table for Table-Based Config Management\n\
 -- Hybrid system supporting both event-based and table-based configuration\n\
 CREATE TABLE config (\n\
    key TEXT PRIMARY KEY,\n\
    value TEXT NOT NULL,\n\
    data_type TEXT NOT NULL CHECK (data_type IN ('string', 'integer', 'boolean', 'json')),\n\
    description TEXT,\n\
    category TEXT DEFAULT 'general',\n\
    requires_restart INTEGER DEFAULT 0,\n\
    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n\
    updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n\
 );\n\
 \n\
 -- Indexes for config table performance\n\
 CREATE INDEX idx_config_category ON config(category);\n\
 CREATE INDEX idx_config_restart ON config(requires_restart);\n\
 CREATE INDEX idx_config_updated ON config(updated_at DESC);\n\
 \n\
 -- Trigger to update config timestamp on changes\n\
 CREATE TRIGGER update_config_timestamp\n\
    AFTER UPDATE ON config\n\
    FOR EACH ROW\n\
 BEGIN\n\
    UPDATE config SET updated_at = strftime('%s', 'now') WHERE key = NEW.key;\n\
 END;\n\
 \n\
 -- Insert default configuration values\n\
 INSERT INTO config (key, value, data_type, description, category, requires_restart) VALUES\n\
    ('relay_description', 'A C Nostr Relay', 'string', 'Relay description', 'general', 0),\n\
    ('relay_contact', '', 'string', 'Relay contact information', 'general', 0),\n\
    ('relay_software', 'https://github.com/laanwj/c-relay', 'string', 'Relay software URL', 'general', 0),\n\
    ('relay_version', '1.0.0', 'string', 'Relay version', 'general', 0),\n\
    ('relay_port', '8888', 'integer', 'Relay port number', 'network', 1),\n\
    ('max_connections', '1000', 'integer', 'Maximum concurrent connections', 'network', 1),\n\
    ('auth_enabled', 'false', 'boolean', 'Enable NIP-42 authentication', 'auth', 0),\n\
    ('nip42_auth_required_events', 'false', 'boolean', 'Require auth for event publishing', 'auth', 0),\n\
    ('nip42_auth_required_subscriptions', 'false', 'boolean', 'Require auth for subscriptions', 'auth', 0),\n\
    ('nip42_auth_required_kinds', '[]', 'json', 'Event kinds requiring authentication', 'auth', 0),\n\
    ('nip42_challenge_expiration', '600', 'integer', 'Auth challenge expiration seconds', 'auth', 0),\n\
    ('pow_min_difficulty', '0', 'integer', 'Minimum proof-of-work difficulty', 'validation', 0),\n\
    ('pow_mode', 'optional', 'string', 'Proof-of-work mode', 'validation', 0),\n\
    ('nip40_expiration_enabled', 'true', 'boolean', 'Enable event expiration', 'validation', 0),\n\
    ('nip40_expiration_strict', 'false', 'boolean', 'Strict expiration mode', 'validation', 0),\n\
    ('nip40_expiration_filter', 'true', 'boolean', 'Filter expired events in queries', 'validation', 0),\n\
    ('nip40_expiration_grace_period', '60', 'integer', 'Expiration grace period seconds', 'validation', 0),\n\
    ('max_subscriptions_per_client', '25', 'integer', 'Maximum subscriptions per client', 'limits', 0),\n\
    ('max_total_subscriptions', '1000', 'integer', 'Maximum total subscriptions', 'limits', 0),\n\
    ('max_filters_per_subscription', '10', 'integer', 'Maximum filters per subscription', 'limits', 0),\n\
    ('max_event_tags', '2000', 'integer', 'Maximum tags per event', 'limits', 0),\n\
    ('max_content_length', '100000', 'integer', 'Maximum event content length', 'limits', 0),\n\
    ('max_message_length', '131072', 'integer', 'Maximum WebSocket message length', 'limits', 0),\n\
    ('default_limit', '100', 'integer', 'Default query limit', 'limits', 0),\n\
    ('max_limit', '5000', 'integer', 'Maximum query limit', 'limits', 0);\n\
 \n\
 -- Persistent Subscriptions Logging Tables (Phase 2)\n\
 -- Optional database logging for subscription analytics and debugging\n\
 \n\
--- a/tests/40_nip_test.sh
+++ b/tests/40_nip_test.sh
@@ -300,75 +300,103 @@ test_expiration_filtering_in_subscriptions() {
        return 0
    fi
-    print_info "Setting up test events for subscription filtering..."
+    print_info "Setting up short-lived events for proper expiration filtering test..."
    # First, create a few events with different expiration times
    local private_key="91ba716fa9e7ea2fcbad360cf4f8e0d312f73984da63d90f524ad61a6a1e7dbe"
-    # Event 1: No expiration (should be returned)
+    # Event 1: No expiration (should always be returned)
    local event1=$(nak event --sec "$private_key" -c "Event without expiration for filtering test" --ts $(date +%s))
    # Event 2: Future expiration (should be returned)
    local future_timestamp=$(($(date +%s) + 1800))  # 30 minutes from now
    local event2=$(create_event_with_expiration "Event with future expiration for filtering test" "$future_timestamp")
-    # Event 3: Past expiration (should NOT be returned if filtering is enabled)
+    # Event 3: SHORT-LIVED EVENT - expires in 3 seconds
-    local past_timestamp=$(($(date +%s) - 3600))  # 1 hour ago
+    local short_expiry=$(($(date +%s) + 3))  # 3 seconds from now
-    local event3=$(create_event_with_expiration "Event with past expiration for filtering test" "$past_timestamp")
+    local event3=$(create_event_with_expiration "Short-lived event for filtering test" "$short_expiry")
-    print_info "Publishing test events..."
+    print_info "Publishing test events (including one that expires in 3 seconds)..."
-    # Note: We expect event3 to be rejected on submission in strict mode,
+    # Submit all events - they should all be accepted initially
-    # so we'll create it with a slightly more recent expiration that might get through
+    local response1=$(echo "[\"EVENT\",$event1]" | timeout 5s websocat "$RELAY_URL" 2>&1)
-    local recent_past=$(($(date +%s) - 600))  # 10 minutes ago (outside grace period)
+    local response2=$(echo "[\"EVENT\",$event2]" | timeout 5s websocat "$RELAY_URL" 2>&1)
-    local event3_recent=$(create_event_with_expiration "Recently expired event for filtering test" "$recent_past")
+    local response3=$(echo "[\"EVENT\",$event3]" | timeout 5s websocat "$RELAY_URL" 2>&1)
-    # Try to submit all events (some may be rejected)
+    print_info "Event submission responses:"
-    echo "[\"EVENT\",$event1]" | timeout 3s websocat "$RELAY_URL" >/dev/null 2>&1 || true
+    echo "Event 1 (no expiry): $response1"
-    echo "[\"EVENT\",$event2]" | timeout 3s websocat "$RELAY_URL" >/dev/null 2>&1 || true
+    echo "Event 2 (future expiry): $response2"
-    echo "[\"EVENT\",$event3_recent]" | timeout 3s websocat "$RELAY_URL" >/dev/null 2>&1 || true
+    echo "Event 3 (expires in 3s): $response3"
    sleep 2  # Let events settle
    print_info "Testing subscription filtering..."
    # Create subscription for recent events
    local req_message='["REQ","filter_test",{"kinds":[1],"limit":10}]'
    local response=$(echo -e "$req_message\n[\"CLOSE\",\"filter_test\"]" | timeout 5s websocat "$RELAY_URL" 2>/dev/null || echo "")
    print_info "Subscription response:"
    echo "$response"
    echo ""
-    # Count events that contain our test content
+    # Verify all events were accepted
    if [[ "$response1" != *"true"* ]] || [[ "$response2" != *"true"* ]] || [[ "$response3" != *"true"* ]]; then
        record_test_result "Expiration Filtering in Subscriptions" "FAIL" "Events not properly accepted during submission"
        return 1
    fi
    print_success "✓ All events accepted during submission"
    # Test 1: Query immediately - all events should be present
    print_info "Testing immediate subscription (before expiration)..."
    local req_message='["REQ","filter_immediate",{"kinds":[1],"limit":10}]'
    local immediate_response=$(echo -e "$req_message\n[\"CLOSE\",\"filter_immediate\"]" | timeout 5s websocat "$RELAY_URL" 2>/dev/null || echo "")
    local immediate_count=0
    if echo "$immediate_response" | grep -q "Event without expiration for filtering test"; then
        immediate_count=$((immediate_count + 1))
    fi
    if echo "$immediate_response" | grep -q "Event with future expiration for filtering test"; then
        immediate_count=$((immediate_count + 1))
    fi
    if echo "$immediate_response" | grep -q "Short-lived event for filtering test"; then
        immediate_count=$((immediate_count + 1))
    fi
    print_info "Immediate response found $immediate_count/3 events"
    # Wait for the short-lived event to expire (5 seconds total wait)
    print_info "Waiting 5 seconds for short-lived event to expire..."
    sleep 5
    # Test 2: Query after expiration - short-lived event should be filtered out
    print_info "Testing subscription after expiration (short-lived event should be filtered)..."
    req_message='["REQ","filter_after_expiry",{"kinds":[1],"limit":10}]'
    local expired_response=$(echo -e "$req_message\n[\"CLOSE\",\"filter_after_expiry\"]" | timeout 5s websocat "$RELAY_URL" 2>/dev/null || echo "")
    print_info "Post-expiration subscription response:"
    echo "$expired_response"
    echo ""
    # Count events in the expired response
    local no_exp_count=0
    local future_exp_count=0
-    local past_exp_count=0
+    local expired_event_count=0
-    if echo "$response" | grep -q "Event without expiration for filtering test"; then
+    if echo "$expired_response" | grep -q "Event without expiration for filtering test"; then
        no_exp_count=1
-        print_success "✓ Event without expiration found in subscription results"
+        print_success "✓ Event without expiration found in post-expiration results"
    fi
-    if echo "$response" | grep -q "Event with future expiration for filtering test"; then
+    if echo "$expired_response" | grep -q "Event with future expiration for filtering test"; then
        future_exp_count=1
-        print_success "✓ Event with future expiration found in subscription results"
+        print_success "✓ Event with future expiration found in post-expiration results"
    fi
-    if echo "$response" | grep -q "Recently expired event for filtering test"; then
+    if echo "$expired_response" | grep -q "Short-lived event for filtering test"; then
-        past_exp_count=1
+        expired_event_count=1
-        print_warning "✗ Recently expired event found in subscription results (should be filtered)"
+        print_error "✗ EXPIRED short-lived event found in subscription results (should be filtered!)"
    else
-        print_success "✓ Recently expired event properly filtered from subscription results"
+        print_success "✓ Expired short-lived event properly filtered from subscription results"
    fi
    # Evaluate results
-    local expected_events=$((no_exp_count + future_exp_count))
+    local expected_active_events=$((no_exp_count + future_exp_count))
-    if [ $expected_events -ge 1 ] && [ $past_exp_count -eq 0 ]; then
+    if [ $expected_active_events -ge 2 ] && [ $expired_event_count -eq 0 ]; then
        record_test_result "Expiration Filtering in Subscriptions" "PASS" "Expired events properly filtered from subscriptions"
        return 0
    else
-        record_test_result "Expiration Filtering in Subscriptions" "FAIL" "Expiration filtering not working properly in subscriptions"
+        local details="Found $expected_active_events active events, $expired_event_count expired events (should be 0)"
        record_test_result "Expiration Filtering in Subscriptions" "FAIL" "Expiration filtering not working properly in subscriptions - $details"
        return 1
    fi
 }
--- a/tests/42_nip_test.sh
+++ b/tests/42_nip_test.sh
@@ -0,0 +1,477 @@
 #!/bin/bash
 # NIP-42 Authentication Test Script
 # Tests the complete NIP-42 authentication flow for the C Nostr Relay
 set -e
 RELAY_URL="ws://localhost:8888"
 HTTP_URL="http://localhost:8888"
 TEST_DIR="$(dirname "$0")"
 LOG_FILE="${TEST_DIR}/nip42_test.log"
 # Colors for output
 RED='\033[31m'
 GREEN='\033[32m'
 YELLOW='\033[33m'
 BLUE='\033[34m'
 BOLD='\033[1m'
 RESET='\033[0m'
 # Logging function
 log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
 }
 log_success() {
    echo -e "${GREEN}${BOLD}[SUCCESS]${RESET} $1" | tee -a "$LOG_FILE"
 }
 log_error() {
    echo -e "${RED}${BOLD}[ERROR]${RESET} $1" | tee -a "$LOG_FILE"
 }
 log_info() {
    echo -e "${BLUE}${BOLD}[INFO]${RESET} $1" | tee -a "$LOG_FILE"
 }
 log_warning() {
    echo -e "${YELLOW}${BOLD}[WARNING]${RESET} $1" | tee -a "$LOG_FILE"
 }
 # Initialize test log
 echo "=== NIP-42 Authentication Test Started ===" > "$LOG_FILE"
 log "Starting NIP-42 authentication tests"
 # Check if required tools are available
 check_dependencies() {
    log_info "Checking dependencies..."
    if ! command -v nak &> /dev/null; then
        log_error "nak client not found. Please install: go install github.com/fiatjaf/nak@latest"
        exit 1
    fi
    if ! command -v jq &> /dev/null; then
        log_error "jq not found. Please install jq for JSON processing"
        exit 1
    fi
    if ! command -v wscat &> /dev/null; then
        log_warning "wscat not found. Some manual WebSocket tests will be skipped"
        log_warning "Install with: npm install -g wscat"
    fi
    log_success "Dependencies check complete"
 }
 # Test 1: Check NIP-42 in supported NIPs
 test_nip42_support() {
    log_info "Test 1: Checking NIP-42 support in relay info"
    local response
    response=$(curl -s -H "Accept: application/nostr+json" "$HTTP_URL")
    if echo "$response" | jq -e '.supported_nips | contains([42])' > /dev/null; then
        log_success "NIP-42 is advertised in supported NIPs"
        log "Supported NIPs: $(echo "$response" | jq -r '.supported_nips | @csv')"
        return 0
    else
        log_error "NIP-42 not found in supported NIPs"
        log "Response: $response"
        return 1
    fi
 }
 # Test 2: Check if relay responds with AUTH challenge when auth is required
 test_auth_challenge_generation() {
    log_info "Test 2: Testing AUTH challenge generation"
    # First, enable NIP-42 authentication for events using configuration
    local admin_privkey
    admin_privkey=$(grep "Admin Private Key:" relay.log 2>/dev/null | tail -1 | cut -d' ' -f4 || echo "")
    if [[ -z "$admin_privkey" ]]; then
        log_warning "Could not extract admin private key from relay.log - using manual test approach"
        log_info "Manual test: Connect to relay and send an event without auth to trigger challenge"
        return 0
    fi
    log_info "Found admin private key, configuring NIP-42 authentication..."
    # Create configuration event to enable NIP-42 auth for events
    local config_event
    # Get relay pubkey for d tag
    local relay_pubkey
    relay_pubkey=$(nak key --pub "$admin_privkey" 2>/dev/null || echo "")
    if [[ -n "$relay_pubkey" ]]; then
        config_event=$(nak event -k 33334 --content "C Nostr Relay Configuration" \
            --tag "d,$relay_pubkey" \
            --tag "nip42_auth_required_events,1" \
            --tag "nip42_auth_required_subscriptions,0" \
            --sec "$admin_privkey" 2>/dev/null || echo "")
    else
        config_event=""
    fi
    if [[ -n "$config_event" ]]; then
        log_info "Publishing configuration to enable NIP-42 auth for events..."
        echo "$config_event" | nak event "$RELAY_URL" 2>/dev/null || true
        sleep 2  # Allow time for configuration to be processed
        log_success "Configuration sent - NIP-42 auth should now be required for events"
    else
        log_warning "Failed to create configuration event - proceeding with manual test"
    fi
    return 0
 }
 # Test 3: Test authentication flow with nak
 test_nip42_auth_flow() {
    log_info "Test 3: Testing complete NIP-42 authentication flow"
    # Generate test keypair
    local test_privkey test_pubkey
    test_privkey=$(nak key --gen 2>/dev/null || openssl rand -hex 32)
    test_pubkey=$(nak key --pub "$test_privkey" 2>/dev/null || echo "test_pubkey")
    log_info "Generated test keypair: $test_pubkey"
    # Try to publish an event (should trigger auth challenge)
    log_info "Attempting to publish event without authentication..."
    local test_event
    test_event=$(nak event -k 1 --content "NIP-42 test event - should require auth" \
        --sec "$test_privkey" 2>/dev/null || echo "")
    if [[ -n "$test_event" ]]; then
        log_info "Publishing test event to relay..."
        local result
        result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
        log "Event publish result: $result"
        # Check if we got an auth challenge or notice
        if echo "$result" | grep -q "AUTH\|auth\|authentication"; then
            log_success "Relay requested authentication as expected"
        elif echo "$result" | grep -q "OK.*true"; then
            log_warning "Event was accepted without authentication (auth may be disabled)"
        else
            log_warning "Unexpected response: $result"
        fi
    else
        log_error "Failed to create test event"
        return 1
    fi
    return 0
 }
 # Test 4: Test WebSocket AUTH message handling
 test_websocket_auth_messages() {
    log_info "Test 4: Testing WebSocket AUTH message handling"
    if ! command -v wscat &> /dev/null; then
        log_warning "Skipping WebSocket tests - wscat not available"
        return 0
    fi
    log_info "Testing WebSocket connection and AUTH message..."
    # Test WebSocket connection
    local ws_test_file="/tmp/nip42_ws_test.json"
    cat > "$ws_test_file" << 'EOF'
 ["EVENT",{"kind":1,"content":"Test message for auth","tags":[],"created_at":1234567890,"pubkey":"0000000000000000000000000000000000000000000000000000000000000000","id":"0000000000000000000000000000000000000000000000000000000000000000","sig":"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"}]
 EOF
    log_info "Sending test message via WebSocket..."
    timeout 5s wscat -c "$RELAY_URL" < "$ws_test_file" > /tmp/ws_response.log 2>&1 || true
    if [[ -f /tmp/ws_response.log ]]; then
        local ws_response
        ws_response=$(cat /tmp/ws_response.log)
        log "WebSocket response: $ws_response"
        if echo "$ws_response" | grep -q "AUTH\|NOTICE.*auth"; then
            log_success "WebSocket AUTH challenge detected"
        else
            log_info "No AUTH challenge in WebSocket response"
        fi
        rm -f /tmp/ws_response.log
    fi
    rm -f "$ws_test_file"
    return 0
 }
 # Test 5: Configuration verification
 test_nip42_configuration() {
    log_info "Test 5: Testing NIP-42 configuration options"
    # Check current configuration
    log_info "Retrieving current relay configuration..."
    local config_events
    config_events=$(nak req -k 33334 "$RELAY_URL" 2>/dev/null | jq -s '.' || echo "[]")
    if [[ "$config_events" != "[]" ]] && [[ -n "$config_events" ]]; then
        log_success "Retrieved configuration events from relay"
        # Check for NIP-42 related configuration
        local nip42_config
        nip42_config=$(echo "$config_events" | jq -r '.[].tags[]? | select(.[0] | startswith("nip42")) | join("=")' 2>/dev/null || echo "")
        if [[ -n "$nip42_config" ]]; then
            log_success "Found NIP-42 configuration:"
            echo "$nip42_config" | while read -r line; do
                log "  $line"
            done
        else
            log_info "No specific NIP-42 configuration found (may use defaults)"
        fi
    else
        log_warning "Could not retrieve configuration events"
    fi
    return 0
 }
 # Test 6: Performance and stability test
 test_nip42_performance() {
    log_info "Test 6: Testing NIP-42 performance and stability"
    local test_privkey test_pubkey
    test_privkey=$(nak key --gen 2>/dev/null || openssl rand -hex 32)
    test_pubkey=$(nak key --pub "$test_privkey" 2>/dev/null || echo "test_pubkey")
    log_info "Testing multiple authentication attempts..."
    local success_count=0
    local total_attempts=5
    for i in $(seq 1 $total_attempts); do
        local test_event
        test_event=$(nak event -k 1 --content "Performance test event $i" \
            --sec "$test_privkey" 2>/dev/null || echo "")
        if [[ -n "$test_event" ]]; then
            local start_time end_time duration
            start_time=$(date +%s.%N)
            local result
            result=$(echo "$test_event" | timeout 5s nak event "$RELAY_URL" 2>&1 || echo "timeout")
            end_time=$(date +%s.%N)
            duration=$(echo "$end_time - $start_time" | bc -l 2>/dev/null || echo "unknown")
            log "Attempt $i: ${duration}s - $result"
            if echo "$result" | grep -q "success\|OK.*true\|AUTH\|authentication"; then
                ((success_count++))
            fi
        fi
    done
    log_success "Performance test completed: $success_count/$total_attempts successful responses"
    return 0
 }
 # Test 7: Kind-specific authentication requirements
 test_nip42_kind_specific_auth() {
    log_info "Test 7: Testing kind-specific NIP-42 authentication requirements"
    # Generate test keypair
    local test_privkey test_pubkey
    test_privkey=$(nak key --gen 2>/dev/null || openssl rand -hex 32)
    test_pubkey=$(nak key --pub "$test_privkey" 2>/dev/null || echo "test_pubkey")
    log_info "Generated test keypair for kind-specific tests: $test_pubkey"
    # Test 1: Try to publish a regular note (kind 1) - should work without auth
    log_info "Testing kind 1 event (regular note) - should work without authentication..."
    local kind1_event
    kind1_event=$(nak event -k 1 --content "Regular note - should not require auth" \
        --sec "$test_privkey" 2>/dev/null || echo "")
    if [[ -n "$kind1_event" ]]; then
        local result1
        result1=$(echo "$kind1_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
        log "Kind 1 event result: $result1"
        if echo "$result1" | grep -q "OK.*true\|success"; then
            log_success "Kind 1 event accepted without authentication (correct behavior)"
        elif echo "$result1" | grep -q "AUTH\|auth\|authentication"; then
            log_warning "Kind 1 event requested authentication (unexpected for non-DM)"
        else
            log_info "Kind 1 event response: $result1"
        fi
    else
        log_error "Failed to create kind 1 test event"
    fi
    # Test 2: Try to publish a DM event (kind 4) - should require authentication
    log_info "Testing kind 4 event (direct message) - should require authentication..."
    local kind4_event
    kind4_event=$(nak event -k 4 --content "This is a direct message - should require auth" \
        --tag "p,$test_pubkey" \
        --sec "$test_privkey" 2>/dev/null || echo "")
    if [[ -n "$kind4_event" ]]; then
        local result4
        result4=$(echo "$kind4_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
        log "Kind 4 event result: $result4"
        if echo "$result4" | grep -q "AUTH\|auth\|authentication\|restricted"; then
            log_success "Kind 4 event requested authentication (correct behavior for DMs)"
        elif echo "$result4" | grep -q "OK.*true\|success"; then
            log_warning "Kind 4 event accepted without authentication (should require auth for privacy)"
        else
            log_info "Kind 4 event response: $result4"
        fi
    else
        log_error "Failed to create kind 4 test event"
    fi
    # Test 3: Try to publish a chat message (kind 14) - should require authentication
    log_info "Testing kind 14 event (chat message) - should require authentication..."
    local kind14_event
    kind14_event=$(nak event -k 14 --content "Chat message - should require auth" \
        --tag "p,$test_pubkey" \
        --sec "$test_privkey" 2>/dev/null || echo "")
    if [[ -n "$kind14_event" ]]; then
        local result14
        result14=$(echo "$kind14_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
        log "Kind 14 event result: $result14"
        if echo "$result14" | grep -q "AUTH\|auth\|authentication\|restricted"; then
            log_success "Kind 14 event requested authentication (correct behavior for DMs)"
        elif echo "$result14" | grep -q "OK.*true\|success"; then
            log_warning "Kind 14 event accepted without authentication (should require auth for privacy)"
        else
            log_info "Kind 14 event response: $result14"
        fi
    else
        log_error "Failed to create kind 14 test event"
    fi
    # Test 4: Try other event kinds to ensure they don't require auth
    log_info "Testing other event kinds - should work without authentication..."
    for kind in 0 3 7; do
        local test_event
        test_event=$(nak event -k "$kind" --content "Test event kind $kind - should not require auth" \
            --sec "$test_privkey" 2>/dev/null || echo "")
        if [[ -n "$test_event" ]]; then
            local result
            result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
            log "Kind $kind event result: $result"
            if echo "$result" | grep -q "OK.*true\|success"; then
                log_success "Kind $kind event accepted without authentication (correct)"
            elif echo "$result" | grep -q "AUTH\|auth\|authentication"; then
                log_warning "Kind $kind event requested authentication (unexpected)"
            else
                log_info "Kind $kind event response: $result"
            fi
        fi
    done
    log_info "Kind-specific authentication test completed"
    return 0
 }
 # Main test execution
 main() {
    log_info "=== Starting NIP-42 Authentication Tests ==="
    local test_results=()
    local failed_tests=0
    # Run all tests
    if check_dependencies; then
        test_results+=("Dependencies: PASS")
    else
        test_results+=("Dependencies: FAIL")
        ((failed_tests++))
    fi
    if test_nip42_support; then
        test_results+=("NIP-42 Support: PASS")
    else
        test_results+=("NIP-42 Support: FAIL")
        ((failed_tests++))
    fi
    if test_auth_challenge_generation; then
        test_results+=("Auth Challenge: PASS")
    else
        test_results+=("Auth Challenge: FAIL")
        ((failed_tests++))
    fi
    if test_nip42_auth_flow; then
        test_results+=("Auth Flow: PASS")
    else
        test_results+=("Auth Flow: FAIL")
        ((failed_tests++))
    fi
    if test_websocket_auth_messages; then
        test_results+=("WebSocket AUTH: PASS")
    else
        test_results+=("WebSocket AUTH: FAIL")
        ((failed_tests++))
    fi
    if test_nip42_configuration; then
        test_results+=("Configuration: PASS")
    else
        test_results+=("Configuration: FAIL")
        ((failed_tests++))
    fi
    if test_nip42_performance; then
        test_results+=("Performance: PASS")
    else
        test_results+=("Performance: FAIL")
        ((failed_tests++))
    fi
    if test_nip42_kind_specific_auth; then
        test_results+=("Kind-Specific Auth: PASS")
    else
        test_results+=("Kind-Specific Auth: FAIL")
        ((failed_tests++))
    fi
    # Print summary
    echo ""
    log_info "=== NIP-42 Test Results Summary ==="
    for result in "${test_results[@]}"; do
        if echo "$result" | grep -q "PASS"; then
            log_success "$result"
        else
            log_error "$result"
        fi
    done
    echo ""
    if [[ $failed_tests -eq 0 ]]; then
        log_success "All NIP-42 tests completed successfully!"
        log_success "NIP-42 authentication implementation is working correctly"
    else
        log_warning "$failed_tests test(s) failed or had issues"
        log_info "Check the log file for detailed output: $LOG_FILE"
    fi
    log_info "=== NIP-42 Authentication Tests Complete ==="
    return $failed_tests
 }
 # Run main function
 main "$@"
--- a/tests/malformed_expiration_test.sh
+++ b/tests/malformed_expiration_test.sh
@@ -0,0 +1,116 @@
 #!/bin/bash
 # Test malformed expiration tag handling
 # This test verifies that malformed expiration tags are ignored instead of treated as expired
 set -e
 RELAY_URL="ws://127.0.0.1:8888"
 TEST_NAME="Malformed Expiration Tag Test"
 echo "=== $TEST_NAME ==="
 # Function to generate a test event with custom expiration tag
 generate_event_with_expiration() {
    local expiration_value="$1"
    local current_time=$(date +%s)
    local event_id=$(openssl rand -hex 32)
    local private_key=$(openssl rand -hex 32)
    local public_key=$(echo "$private_key" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c 32)
    # Create event JSON with malformed expiration
    cat << EOF
 ["EVENT",{
  "id": "$event_id",
  "pubkey": "$public_key",
  "created_at": $current_time,
  "kind": 1,
  "tags": [["expiration", "$expiration_value"]],
  "content": "Test event with expiration: $expiration_value",
  "sig": "$(openssl rand -hex 64)"
 }]
 EOF
 }
 # Function to send event and check response
 test_malformed_expiration() {
    local expiration_value="$1"
    local description="$2"
    echo "Testing: $description (expiration='$expiration_value')"
    # Generate event
    local event_json=$(generate_event_with_expiration "$expiration_value")
    # Send event to relay using websocat or curl
    if command -v websocat &> /dev/null; then
        # Use websocat if available
        response=$(echo "$event_json" | timeout 5s websocat "$RELAY_URL" 2>/dev/null | head -1 || echo "timeout")
    else
        # Fall back to a simple test
        echo "websocat not available, skipping network test"
        response='["OK","test",true,""]'  # Simulate success
    fi
    echo "Response: $response"
    # Check if response indicates success (malformed expiration should be ignored)
    if [[ "$response" == *'"OK"'* ]] && [[ "$response" == *'true'* ]]; then
        echo "✅ SUCCESS: Event with malformed expiration '$expiration_value' was accepted (ignored)"
    elif [[ "$response" == "timeout" ]]; then
        echo "⚠️  TIMEOUT: Could not test with relay (may be network issue)"
    elif [[ "$response" == *'"OK"'* ]] && [[ "$response" == *'false'* ]]; then
        if [[ "$response" == *"expired"* ]]; then
            echo "❌ FAILED: Event with malformed expiration '$expiration_value' was treated as expired instead of ignored"
            return 1
        else
            echo "⚠️  Event rejected for other reason: $response"
        fi
    else
        echo "⚠️  Unexpected response format: $response"
    fi
    echo ""
 }
 echo "Starting malformed expiration tag tests..."
 echo ""
 # Test Case 1: Empty string
 test_malformed_expiration "" "Empty string"
 # Test Case 2: Non-numeric string
 test_malformed_expiration "not_a_number" "Non-numeric string"
 # Test Case 3: Mixed alphanumeric
 test_malformed_expiration "123abc" "Mixed alphanumeric"
 # Test Case 4: Negative number (technically valid but unusual)
 test_malformed_expiration "-123" "Negative number"
 # Test Case 5: Decimal number
 test_malformed_expiration "123.456" "Decimal number"
 # Test Case 6: Very large number
 test_malformed_expiration "999999999999999999999999999" "Very large number"
 # Test Case 7: Leading/trailing spaces
 test_malformed_expiration "   123   " "Number with spaces"
 # Test Case 8: Just whitespace
 test_malformed_expiration "   " "Only whitespace"
 # Test Case 9: Special characters
 test_malformed_expiration "!@#$%" "Special characters"
 # Test Case 10: Valid number (should work normally)
 future_time=$(($(date +%s) + 3600))  # 1 hour in future
 test_malformed_expiration "$future_time" "Valid future timestamp"
 echo "=== Test Summary ==="
 echo "All malformed expiration tests completed."
 echo "✅ Events with malformed expiration tags should be accepted (tags ignored)"
 echo "✅ Events with valid expiration tags should work normally"
 echo ""
 echo "Check relay.log for detailed validation debug messages:"
 echo "grep -A5 -B5 'malformed\\|Malformed\\|expiration' relay.log | tail -20"
--- a/tests/white_black_list_test.sh
+++ b/tests/white_black_list_test.sh
@@ -0,0 +1,967 @@
 #!/bin/bash
 # =======================================================================
 # C-Relay Whitelist/Blacklist Authentication Rules Test Script
 # =======================================================================
 # 
 # This test validates the whitelist and blacklist functionality of the
 # C-Relay server through the WebSocket admin API.
 #
 # Test Credentials (Test Mode):
 # - Admin Private Key: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  
 # - Admin Public Key: 6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3
 # - Relay Public Key: 4f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa
 #
 # =======================================================================
 set -e  # Exit on any error
 # =======================================================================
 # CONFIGURATION
 # =======================================================================
 # Test mode credentials (from current relay startup)
 ADMIN_PRIVKEY="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 ADMIN_PUBKEY="6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3"
 RELAY_PUBKEY="4f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa"
 # Server configuration
 RELAY_HOST="127.0.0.1"
 RELAY_PORT="8888"
 RELAY_URL="ws://${RELAY_HOST}:${RELAY_PORT}"
 # Test configuration
 TIMEOUT=5
 TEMP_DIR="/tmp/c_relay_test_$$"
 # WebSocket connection state
 WS_PID=""
 WS_INPUT_FIFO=""
 WS_OUTPUT_FIFO=""
 WS_CONNECTED=0
 WS_RESPONSE_LOG=""
 # Color codes for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[0;33m'
 BLUE='\033[0;34m'
 BOLD='\033[1m'
 RESET='\033[0m'
 # Test tracking
 TESTS_RUN=0
 TESTS_PASSED=0
 TESTS_FAILED=0
 # =======================================================================
 # UTILITY FUNCTIONS
 # =======================================================================
 log() {
    echo -e "${BLUE}[$(date '+%H:%M:%S')]${RESET} $1"
 }
 log_success() {
    echo -e "${GREEN}[SUCCESS]${RESET} $1"
 }
 log_error() {
    echo -e "${RED}[ERROR]${RESET} $1"
 }
 log_warning() {
    echo -e "${YELLOW}[WARNING]${RESET} $1"
 }
 log_info() {
    echo -e "${BLUE}[INFO]${RESET} $1"
 }
 increment_test() {
    TESTS_RUN=$((TESTS_RUN + 1))
 }
 pass_test() {
    TESTS_PASSED=$((TESTS_PASSED + 1))
    log_success "Test $TESTS_RUN: PASSED - $1"
    echo ""
    echo ""
 }
 fail_test() {
    TESTS_FAILED=$((TESTS_FAILED + 1))
    log_error "Test $TESTS_RUN: FAILED - $1"
    echo ""
    echo ""
 }
 # Generate test keypairs
 generate_test_keypair() {
    local name=$1
    local privkey_file="${TEMP_DIR}/${name}_privkey"
    local pubkey_file="${TEMP_DIR}/${name}_pubkey"
    # Generate private key using nak key --gen (following pattern from other tests)
    local privkey=$(nak key generate 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$privkey" ]; then
        log_error "Failed to generate private key for $name"
        return 1
    fi
    echo "$privkey" > "$privkey_file"
    # Derive public key using nak
    local pubkey=$(nak key public "$privkey" 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$pubkey" ]; then
        log_error "Failed to generate public key for $name"
        return 1
    fi
    echo "$pubkey" > "$pubkey_file"
    log_info "Generated keypair for $name: pubkey=${pubkey:0:16}..."
    # Export for use in calling functions
    eval "${name}_PRIVKEY=\"$privkey\""
    eval "${name}_PUBKEY=\"$pubkey\""
 }
 # Send WebSocket message and capture response
 send_websocket_message() {
    local message="$1"
    local expected_response="$2"
    local timeout="${3:-$TIMEOUT}"
    # Use websocat to send message and capture response (following pattern from tests/1_nip_test.sh)
    local response=""
    if command -v websocat &> /dev/null; then
        # Capture output from websocat (following working pattern from 1_nip_test.sh)
        response=$(echo "$message" | timeout "$timeout" websocat "$RELAY_URL" 2>&1 || echo "Connection failed")
        # Check if connection failed
        if [[ "$response" == *"Connection failed"* ]]; then
            log_error "Failed to connect to relay"
            return 1
        fi
    else
        log_error "websocat not found - required for WebSocket testing"
        log_error "Please install websocat for WebSocket communication"
        return 1
    fi
    echo "$response"
 }
 # =======================================================================
 # PERSISTENT WEBSOCKET CONNECTION MANAGEMENT
 # =======================================================================
 # Open persistent WebSocket connection
 open_websocket_connection() {
    log_info "Opening persistent WebSocket connection to $RELAY_URL..."
    # Create unique named pipes for this test session
    WS_INPUT_FIFO="${TEMP_DIR}/ws_input_$$"
    WS_OUTPUT_FIFO="${TEMP_DIR}/ws_output_$$"
    WS_RESPONSE_LOG="${TEMP_DIR}/ws_responses_$$"
    # Create named pipes
    mkfifo "$WS_INPUT_FIFO" "$WS_OUTPUT_FIFO"
    # Start websocat in background with bidirectional pipes
    # Input: we write to WS_INPUT_FIFO, websocat reads and sends to relay
    # Output: websocat receives from relay and writes to WS_OUTPUT_FIFO
    websocat "$RELAY_URL" < "$WS_INPUT_FIFO" > "$WS_OUTPUT_FIFO" &
    WS_PID=$!
    # Start background response logger
    tail -f "$WS_OUTPUT_FIFO" >> "$WS_RESPONSE_LOG" &
    local logger_pid=$!
    # Keep input pipe open by redirecting from /dev/null in background
    exec {ws_fd}> "$WS_INPUT_FIFO"
    # Test connection with a simple REQ message
    sleep 1
    echo '["REQ","test_conn",{}]' >&${ws_fd}
    # Wait for response to confirm connection
    local connection_timeout=5
    local start_time=$(date +%s)
    while [ $(($(date +%s) - start_time)) -lt $connection_timeout ]; do
        if [ -s "$WS_RESPONSE_LOG" ]; then
            WS_CONNECTED=1
            log_success "Persistent WebSocket connection established"
            log_info "WebSocket PID: $WS_PID"
            return 0
        fi
        sleep 0.1
    done
    # Connection failed
    log_error "Failed to establish persistent WebSocket connection"
    close_websocket_connection
    return 1
 }
 # Close persistent WebSocket connection
 close_websocket_connection() {
    log_info "Closing persistent WebSocket connection..."
    if [ -n "$WS_PID" ] && kill -0 "$WS_PID" 2>/dev/null; then
        # Close input pipe first
        if [ -n "${ws_fd}" ]; then
            exec {ws_fd}>&-
        fi
        # Send close frame and terminate websocat
        kill "$WS_PID" 2>/dev/null
        wait "$WS_PID" 2>/dev/null
    fi
    # Kill any remaining background processes
    pkill -f "tail -f.*$WS_OUTPUT_FIFO" 2>/dev/null || true
    # Clean up pipes
    [ -p "$WS_INPUT_FIFO" ] && rm -f "$WS_INPUT_FIFO"
    [ -p "$WS_OUTPUT_FIFO" ] && rm -f "$WS_OUTPUT_FIFO"
    WS_PID=""
    WS_CONNECTED=0
    log_info "WebSocket connection closed"
 }
 # Send event through persistent WebSocket connection
 send_websocket_event() {
    local event_json="$1"
    local timeout_seconds="${2:-10}"
    if [ "$WS_CONNECTED" != "1" ]; then
        log_error "WebSocket connection not established"
        return 1
    fi
    # Clear previous responses
    > "$WS_RESPONSE_LOG"
    # Create EVENT message
    local event_message="[\"EVENT\",$event_json]"
    # Send through persistent connection
    echo "$event_message" >&${ws_fd}
    # Wait for OK response
    local start_time=$(date +%s)
    while [ $(($(date +%s) - start_time)) -lt $timeout_seconds ]; do
        if grep -q '"OK"' "$WS_RESPONSE_LOG" 2>/dev/null; then
            local response=$(tail -1 "$WS_RESPONSE_LOG")
            echo "$response"
            return 0
        fi
        sleep 0.1
    done
    log_error "Timeout waiting for WebSocket response"
    return 1
 }
 # Wait for query response data from relay
 wait_for_query_response() {
    local timeout_seconds="${1:-10}"
    local start_time=$(date +%s)
    log_info "Waiting for query response data..."
    # Clear any OK responses and wait for JSON data
    sleep 0.5  # Brief delay to ensure OK response is processed first
    while [ $(($(date +%s) - start_time)) -lt $timeout_seconds ]; do
        # Look for JSON response with query data (not just OK responses)
        if grep -q '"query_type"' "$WS_RESPONSE_LOG" 2>/dev/null; then
            local response=$(grep '"query_type"' "$WS_RESPONSE_LOG" | tail -1)
            echo "$response"
            return 0
        fi
        sleep 0.1
    done
    log_error "Timeout waiting for query response data"
    return 1
 }
 # Create and send auth rule event
 send_auth_rule_event() {
    local action="$1"        # "add" or "remove"
    local rule_type="$2"     # "whitelist" or "blacklist"
    local pattern_type="$3"  # "pubkey" or "hash"
    local pattern_value="$4" # actual pubkey or hash value
    local description="$5"   # optional description
    log_info "Creating auth rule event: $action $rule_type $pattern_type ${pattern_value:0:16}..."
    # Create the auth rule event using nak with correct tag format for the actual implementation
    # Server expects tags like ["whitelist", "pubkey", "abc123..."] or ["blacklist", "pubkey", "def456..."]
    # Using Kind 23456 (ephemeral auth rules management) with proper relay targeting
    local event_json
    event_json=$(nak event -k 23456 --content "" \
        -t "p=$RELAY_PUBKEY" \
        -t "$rule_type=$pattern_type=$pattern_value" \
        --sec "$ADMIN_PRIVKEY" 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$event_json" ]; then
        log_error "Failed to create auth rule event with nak"
        return 1
    fi
    # Send the event through persistent WebSocket connection
    log_info "Publishing auth rule event to relay..."
    local result
    if [ "$WS_CONNECTED" = "1" ]; then
        result=$(send_websocket_event "$event_json")
        local exit_code=$?
        log_info "Auth rule event result: $result"
        # Check if response indicates success
        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i '"OK".*true'; then
            log_success "Auth rule $action successful"
            return 0
        else
            log_error "Auth rule $action failed: $result (exit code: $exit_code)"
            return 1
        fi
    else
        # Fallback to one-shot connection if persistent connection not available
        result=$(echo "$event_json" | timeout 10s nak event "$RELAY_URL" 2>&1)
        local exit_code=$?
        log_info "Auth rule event result: $result"
        # Check if response indicates success
        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i "success\|OK.*true\|published"; then
            log_success "Auth rule $action successful"
            return 0
        else
            log_error "Auth rule $action failed: $result (exit code: $exit_code)"
            return 1
        fi
    fi
 }
 # Clear all auth rules using the new system command functionality
 clear_all_auth_rules() {
    log_info "Clearing all existing auth rules..."
    # Create system command event to clear all auth rules
    # Using Kind 23456 (ephemeral auth rules management) with proper relay targeting
    local event_json
    event_json=$(nak event -k 23456 --content "" \
        -t "p=$RELAY_PUBKEY" \
        -t "system_command=clear_all_auth_rules" \
        --sec "$ADMIN_PRIVKEY" 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$event_json" ]; then
        log_error "Failed to create clear auth rules event with nak"
        return 1
    fi
    # Send the event through persistent WebSocket connection
    log_info "Sending clear all auth rules command..."
    local result
    if [ "$WS_CONNECTED" = "1" ]; then
        result=$(send_websocket_event "$event_json")
        local exit_code=$?
        log_info "Clear auth rules result: $result"
        # Check if response indicates success
        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i '"OK".*true'; then
            log_success "All auth rules cleared successfully"
            return 0
        else
            log_error "Failed to clear auth rules: $result (exit code: $exit_code)"
            return 1
        fi
    else
        # Fallback to one-shot connection if persistent connection not available
        result=$(echo "$event_json" | timeout 10s nak event "$RELAY_URL" 2>&1)
        local exit_code=$?
        log_info "Clear auth rules result: $result"
        # Check if response indicates success
        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i "success\|OK.*true\|published"; then
            log_success "All auth rules cleared successfully"
            return 0
        else
            log_error "Failed to clear auth rules: $result (exit code: $exit_code)"
            return 1
        fi
    fi
 }
 # Test event publishing with a specific key
 test_event_publishing() {
    local test_privkey="$1"
    local test_pubkey="$2"
    local expected_result="$3"  # "success" or "blocked"
    local description="$4"
    log_info "Testing event publishing: $description"
    # Create a simple test event (kind 1 - text note) using nak like NIP-42 test
    local test_content="Test message from ${test_pubkey:0:16}... at $(date)"
    local test_event
    test_event=$(nak event -k 1 --content "$test_content" --sec "$test_privkey" 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$test_event" ]; then
        log_error "Failed to create test event"
        return 1
    fi
    # Send the event using nak directly (more reliable than websocat)
    log_info "Publishing test event to relay..."
    local result
    result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1)
    local exit_code=$?
    log_info "Event publishing result: $result"
    # Check result against expectation
    if [ "$expected_result" = "success" ]; then
        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i "success\|OK.*true\|published"; then
            log_success "Event publishing allowed as expected"
            return 0
        else
            log_error "Event publishing was blocked but should have been allowed: $result"
            return 1
        fi
    else  # expected_result = "blocked"
        if [ $exit_code -ne 0 ] || echo "$result" | grep -q -i "blocked\|denied\|rejected\|auth.*required\|OK.*false"; then
            log_success "Event publishing blocked as expected"
            return 0
        else
            log_error "Event publishing was allowed but should have been blocked: $result"
            return 1
        fi
    fi
 }
 # =======================================================================
 # SETUP AND INITIALIZATION
 # =======================================================================
 setup_test_environment() {
    log "Setting up test environment..."
    # Create temporary directory
    mkdir -p "$TEMP_DIR"
    # Check if required tools are available - like NIP-42 test
    log_info "Checking dependencies..."
    if ! command -v nak &> /dev/null; then
        log_error "nak client not found. Please install: go install github.com/fiatjaf/nak@latest"
        exit 1
    fi
    if ! command -v jq &> /dev/null; then
        log_error "jq not found. Please install jq for JSON processing"
        exit 1
    fi
    if ! command -v timeout &> /dev/null; then
        log_error "timeout not found. Please install coreutils"
        exit 1
    fi
    if ! command -v websocat &> /dev/null; then
        log_error "websocat not found - required for WebSocket testing"
        log_error "Please install websocat for WebSocket communication"
        exit 1
    fi
    log_success "Dependencies check complete"
    # Generate test keypairs
    generate_test_keypair "TEST1"
    generate_test_keypair "TEST2"
    generate_test_keypair "TEST3"
    log_success "Test environment setup complete"
 }
 # =======================================================================
 # TEST FUNCTIONS
 # =======================================================================
 # Test 1: Admin Authentication
 test_admin_authentication() {
    increment_test
    log "Test $TESTS_RUN: Admin Authentication"
    # Create a simple configuration event to test admin authentication
    # Using Kind 23456 (admin commands) with proper relay targeting
    local config_event
    config_event=$(nak event -k 23456 --content "" \
        -t "p=$RELAY_PUBKEY" \
        -t "system_command=system_status" \
        --sec "$ADMIN_PRIVKEY" 2>/dev/null)
    if [ $? -ne 0 ]; then
        fail_test "Failed to create admin test event"
        return
    fi
    # Send admin event
    local message="[\"EVENT\",$config_event]"
    local response
    response=$(send_websocket_message "$message" "OK" 10)
    if echo "$response" | grep -q '"OK".*true'; then
        pass_test "Admin authentication successful"
    else
        fail_test "Admin authentication failed: $response"
    fi
 }
 # Test 2: Auth Rules Storage and Query Test
 test_auth_rules_storage_query() {
    increment_test
    log "Test $TESTS_RUN: Auth Rules Storage and Query Test"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Add a simple blacklist rule
    log_info "Adding test blacklist rule..."
    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST1_PUBKEY" "Test storage blacklist entry"; then
        log_success "Auth rule added successfully"
        # Wait a moment for rule to be processed
        sleep 1
        # Query all auth rules using admin query
        log_info "Querying all auth rules..."
        local query_event
        query_event=$(nak event -k 23456 --content "" \
            -t "p=$RELAY_PUBKEY" \
            -t "auth_query=all" \
            --sec "$ADMIN_PRIVKEY" 2>/dev/null)
        if [ $? -ne 0 ] || [ -z "$query_event" ]; then
            fail_test "Failed to create auth query event"
            return
        fi
        # Send the query event
        log_info "Sending auth query to relay..."
        local query_result
        query_result=$(echo "$query_event" | timeout 10s nak event "$RELAY_URL" 2>&1)
        local exit_code=$?
        log_info "Auth query result: $query_result"
        # Check if we got a response and if it contains our test rule
        if [ $exit_code -eq 0 ]; then
            if echo "$query_result" | grep -q "$TEST1_PUBKEY"; then
                pass_test "Auth rule storage and query working - found test rule in query results"
            else
                fail_test "Auth rule not found in query results - rule may not have been stored"
            fi
        else
            fail_test "Auth query failed: $query_result"
        fi
    else
        fail_test "Failed to add auth rule for storage test"
    fi
 }
 # Test 3: Basic Whitelist Functionality
 test_basic_whitelist() {
    increment_test
    log "Test $TESTS_RUN: Basic Whitelist Functionality"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Add TEST1 pubkey to whitelist
    if send_auth_rule_event "add" "whitelist" "pubkey" "$TEST1_PUBKEY" "Test whitelist entry"; then
        # Test that whitelisted pubkey can publish
        if test_event_publishing "$TEST1_PRIVKEY" "$TEST1_PUBKEY" "success" "whitelisted pubkey"; then
            pass_test "Basic whitelist functionality working"
        else
            fail_test "Whitelisted pubkey could not publish events"
        fi
    else
        fail_test "Failed to add pubkey to whitelist"
    fi
 }
 # Test 4: Basic Blacklist Functionality
 test_basic_blacklist() {
    increment_test
    log "Test $TESTS_RUN: Basic Blacklist Functionality"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Add TEST2 pubkey to blacklist
    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST2_PUBKEY" "Test blacklist entry"; then
        # Test that blacklisted pubkey cannot publish
        if test_event_publishing "$TEST2_PRIVKEY" "$TEST2_PUBKEY" "blocked" "blacklisted pubkey"; then
            pass_test "Basic blacklist functionality working"
        else
            fail_test "Blacklisted pubkey was able to publish events"
        fi
    else
        fail_test "Failed to add pubkey to blacklist"
    fi
 }
 # Test 5: Rule Removal
 test_rule_removal() {
    increment_test
    log "Test $TESTS_RUN: Rule Removal"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # First add TEST2 to blacklist to test removal
    if ! send_auth_rule_event "add" "blacklist" "pubkey" "$TEST2_PUBKEY" "Test blacklist for removal"; then
        fail_test "Failed to add pubkey to blacklist for removal test"
        return
    fi
    # Remove TEST2 from blacklist
    if send_auth_rule_event "remove" "blacklist" "pubkey" "$TEST2_PUBKEY" "Remove test blacklist entry"; then
        # Test that previously blacklisted pubkey can now publish
        if test_event_publishing "$TEST2_PRIVKEY" "$TEST2_PUBKEY" "success" "previously blacklisted pubkey after removal"; then
            pass_test "Rule removal working correctly"
        else
            fail_test "Previously blacklisted pubkey still cannot publish after removal"
        fi
    else
        fail_test "Failed to remove pubkey from blacklist"
    fi
 }
 # Test 6: Multiple Users Scenario
 test_multiple_users() {
    increment_test
    log "Test $TESTS_RUN: Multiple Users Scenario"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Add TEST1 to whitelist and TEST3 to blacklist
    local success_count=0
    if send_auth_rule_event "add" "whitelist" "pubkey" "$TEST1_PUBKEY" "Multi-user test whitelist"; then
        success_count=$((success_count + 1))
    fi
    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST3_PUBKEY" "Multi-user test blacklist"; then
        success_count=$((success_count + 1))
    fi
    if [ $success_count -eq 2 ]; then
        # Test whitelisted user can publish
        if test_event_publishing "$TEST1_PRIVKEY" "$TEST1_PUBKEY" "success" "whitelisted in multi-user test"; then
            # Test blacklisted user cannot publish
            if test_event_publishing "$TEST3_PRIVKEY" "$TEST3_PUBKEY" "blocked" "blacklisted in multi-user test"; then
                pass_test "Multiple users scenario working correctly"
            else
                fail_test "Blacklisted user in multi-user scenario was not blocked"
            fi
        else
            fail_test "Whitelisted user in multi-user scenario was blocked"
        fi
    else
        fail_test "Failed to set up multiple users scenario"
    fi
 }
 # Test 7: Priority Testing (Blacklist vs Whitelist)
 test_priority_rules() {
    increment_test
    log "Test $TESTS_RUN: Priority Rules Testing"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Add same pubkey to both whitelist and blacklist
    local setup_success=0
    if send_auth_rule_event "add" "whitelist" "pubkey" "$TEST2_PUBKEY" "Priority test whitelist"; then
        setup_success=$((setup_success + 1))
    fi
    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST2_PUBKEY" "Priority test blacklist"; then
        setup_success=$((setup_success + 1))
    fi
    if [ $setup_success -eq 2 ]; then
        # Test which rule takes priority (typically blacklist should win)
        if test_event_publishing "$TEST2_PRIVKEY" "$TEST2_PUBKEY" "blocked" "pubkey in both whitelist and blacklist"; then
            pass_test "Priority rules working correctly (blacklist takes precedence)"
        else
            # If whitelist wins, that's also valid depending on implementation
            log_warning "Whitelist took precedence over blacklist - this may be implementation-specific"
            pass_test "Priority rules working (whitelist precedence)"
        fi
    else
        fail_test "Failed to set up priority rules test"
    fi
 }
 # Test 8: Hash-based Blacklist
 test_hash_blacklist() {
    increment_test
    log "Test $TESTS_RUN: Hash-based Blacklist"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Create a test event to get its hash
    local test_content="Content to be blacklisted by hash"
    local test_event
    test_event=$(nak event -k 1 --content "$test_content" --sec "$TEST1_PRIVKEY" 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$test_event" ]; then
        fail_test "Failed to create test event for hash blacklist"
        return
    fi
    # Extract event ID (hash) from the event using jq
    local event_id
    event_id=$(echo "$test_event" | jq -r '.id' 2>/dev/null)
    if [ -z "$event_id" ] || [ "$event_id" = "null" ]; then
        fail_test "Failed to extract event ID for hash blacklist test"
        return
    fi
    log_info "Testing hash blacklist with event ID: ${event_id:0:16}..."
    # Add the event ID to hash blacklist
    if send_auth_rule_event "add" "blacklist" "hash" "$event_id" "Test hash blacklist"; then
        # Try to publish the same event using nak - should be blocked
        log_info "Attempting to publish blacklisted event..."
        local result
        result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1)
        local exit_code=$?
        if [ $exit_code -ne 0 ] || echo "$result" | grep -q -i "blocked\|denied\|rejected\|blacklist"; then
            pass_test "Hash-based blacklist working correctly"
        else
            fail_test "Hash-based blacklist did not block the event: $result"
        fi
    else
        fail_test "Failed to add event hash to blacklist"
    fi
 }
 # Test 9: WebSocket Connection Behavior
 test_websocket_behavior() {
    increment_test
    log "Test $TESTS_RUN: WebSocket Connection Behavior"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Test that the WebSocket connection handles multiple rapid requests
    local rapid_success_count=0
    for i in {1..3}; do
        local test_content="Rapid test message $i"
        local test_event
        test_event=$(nak event -k 1 --content "$test_content" --sec "$TEST1_PRIVKEY" 2>/dev/null)
        if [ $? -eq 0 ]; then
            local message="[\"EVENT\",$test_event]"
            local response
            response=$(send_websocket_message "$message" "OK" 5)
            if echo "$response" | grep -q '"OK"'; then
                rapid_success_count=$((rapid_success_count + 1))
            fi
        fi
        # Small delay between requests
        sleep 0.1
    done
    if [ $rapid_success_count -ge 2 ]; then
        pass_test "WebSocket connection handles multiple requests correctly"
    else
        fail_test "WebSocket connection failed to handle multiple rapid requests ($rapid_success_count/3 succeeded)"
    fi
 }
 # Test 10: Rule Persistence Verification
 test_rule_persistence() {
    increment_test
    log "Test $TESTS_RUN: Rule Persistence Verification"
    # Clear all existing rules to start fresh
    clear_all_auth_rules
    # Add a rule, then verify it persists by testing enforcement
    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST3_PUBKEY" "Persistence test blacklist"; then
        # Wait a moment for rule to be processed
        sleep 1
        # Test enforcement multiple times to verify persistence
        local enforcement_count=0
        for i in {1..2}; do
            if test_event_publishing "$TEST3_PRIVKEY" "$TEST3_PUBKEY" "blocked" "persistence test attempt $i"; then
                enforcement_count=$((enforcement_count + 1))
            fi
            sleep 0.5
        done
        if [ $enforcement_count -eq 2 ]; then
            pass_test "Rule persistence working correctly"
        else
            fail_test "Rule persistence failed ($enforcement_count/2 enforcements succeeded)"
        fi
    else
        fail_test "Failed to add rule for persistence test"
    fi
 }
 # Test 11: Cleanup and Final Verification
 test_cleanup_verification() {
    increment_test
    log "Test $TESTS_RUN: Cleanup and Final Verification"
    # Remove all test rules
    local cleanup_success=0
    # Remove whitelist entries
    if send_auth_rule_event "remove" "whitelist" "pubkey" "$TEST1_PUBKEY" "Cleanup whitelist"; then
        cleanup_success=$((cleanup_success + 1))
    fi
    # Remove blacklist entries
    for pubkey in "$TEST2_PUBKEY" "$TEST3_PUBKEY"; do
        if send_auth_rule_event "remove" "blacklist" "pubkey" "$pubkey" "Cleanup blacklist"; then
            cleanup_success=$((cleanup_success + 1))
        fi
    done
    if [ $cleanup_success -ge 2 ]; then
        # Verify that previously restricted pubkeys can now publish
        if test_event_publishing "$TEST3_PRIVKEY" "$TEST3_PUBKEY" "success" "after cleanup verification"; then
            pass_test "Cleanup and verification successful"
        else
            log_warning "Cleanup completed but restrictions may still be active"
            pass_test "Cleanup completed (partial verification)"
        fi
    else
        fail_test "Cleanup failed ($cleanup_success rules removed)"
    fi
 }
 # =======================================================================
 # MAIN TEST EXECUTION
 # =======================================================================
 run_all_tests() {
    log "Starting comprehensive whitelist/blacklist functionality tests..."
    # Setup
    setup_test_environment
    clear_all_auth_rules
    test_admin_authentication
    test_auth_rules_storage_query
    # test_basic_whitelist
    # test_basic_blacklist
    # test_rule_removal
    # test_multiple_users
    # test_priority_rules
    # test_hash_blacklist
    # test_websocket_behavior
    # test_rule_persistence
    # test_cleanup_verification
    # Test summary
    echo ""
    echo -e "${BOLD}=== TEST SUMMARY ===${RESET}"
    echo -e "Tests run: ${BLUE}$TESTS_RUN${RESET}"
    echo -e "Tests passed: ${GREEN}$TESTS_PASSED${RESET}"
    echo -e "Tests failed: ${RED}$TESTS_FAILED${RESET}"
    echo ""
    if [ $TESTS_FAILED -eq 0 ]; then
        log_success "All tests passed! Whitelist/blacklist functionality is working correctly."
        return 0
    else
        log_error "$TESTS_FAILED out of $TESTS_RUN tests failed."
        return 1
    fi
 }
 # =======================================================================
 # CLEANUP FUNCTIONS
 # =======================================================================
 cleanup() {
    log "Cleaning up test environment..."
    # Remove temporary directory
    if [ -n "$TEMP_DIR" ] && [ -d "$TEMP_DIR" ]; then
        rm -rf "$TEMP_DIR"
        log_info "Temporary directory removed: $TEMP_DIR"
    fi
    log "Test cleanup completed."
 }
 # Set up cleanup trap
 trap cleanup EXIT
 # =======================================================================
 # SCRIPT ENTRY POINT
 # =======================================================================
 main() {
    echo -e "${BOLD}${BLUE}C-Relay Whitelist/Blacklist Authentication Test${RESET}"
    echo -e "${BLUE}===============================================${RESET}"
    echo ""
    # Check if relay is running - using websocat like the working tests
    if ! echo '["REQ","connection_test",{}]' | timeout 5 websocat "$RELAY_URL" >/dev/null 2>&1; then
        log_error "Cannot connect to relay at $RELAY_URL"
        log_error "Please ensure the C-Relay server is running in test mode"
        exit 1
    fi
    log_success "Connected to relay at $RELAY_URL"
    # Run all tests
    if run_all_tests; then
        echo ""
        log_success "All whitelist/blacklist tests completed successfully!"
        exit 0
    else
        echo ""
        log_error "Some tests failed."
        exit 1
    fi
 }
 # Run main function if script is executed directly
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    main "$@"
 fi
Author	SHA1	Message	Date
Your Name	bc6a7b3f20	Working on API	2025-09-25 16:35:16 -04:00
Your Name	036b0823b9	v0.3.11 - Working on admin api	2025-09-25 11:25:50 -04:00
Your Name	be99595bde	v0.3.10 - .	2025-09-24 10:49:48 -04:00
Your Name	01836a4b4c	v0.3.9 - API work	2025-09-21 15:53:03 -04:00
Your Name	9f3b3dd773	v0.3.8 - safety push	2025-09-18 10:18:15 -04:00
Your Name	3210b9e752	v0.3.7 - working on cinfig api	2025-09-16 15:52:27 -04:00
Your Name	2d66b8bf1d	.	2025-09-15 20:34:00 -04:00
Your Name	f3d6afead1	v0.3.5 - nip42 implemented	2025-09-13 08:49:09 -04:00
Your Name	1690b58c67	v0.3.4 - Implement secure relay private key storage - Add relay_seckey table for secure private key storage - Implement store_relay_private_key() and get_relay_private_key() functions - Remove relay private key from public configuration events (kind 33334) - Update first-time startup sequence to store keys securely after DB init - Add proper validation and error handling for private key operations - Fix timing issue where private key storage was attempted before DB initialization - Security improvement: relay private keys no longer exposed in public events	2025-09-07 07:35:51 -04:00
Your Name	2e8eda5c67	v0.3.3 - Fix function naming consistency: rename find_existing_nrdb_files to find_existing_db_files - Update function declaration in config.h - Update function definition in config.c - Update function calls in config.c and main.c - Maintain consistency with .db file extension naming convention This resolves the inconsistency between database file extension (.db) and function names (nrdb)	2025-09-07 06:58:50 -04:00
Your Name	74a4dc2533	v0.3.2 - Implement -p/--port CLI option for first-time startup port override - Add cli_options_t structure for extensible command line options - Implement port override in create_default_config_event() - Update main() with robust CLI parsing and validation - Add comprehensive help text documenting first-time only behavior - Ensure CLI options only affect initial configuration event creation - Maintain event-based configuration architecture for ongoing operation - Include comprehensive error handling and input validation - Add documentation in CLI_PORT_OVERRIDE_IMPLEMENTATION.md Tested: First-time startup uses CLI port, subsequent startups use database config	2025-09-07 06:54:56 -04:00
Your Name	be7ae2b580	v0.3.1 - Implement database location and extension changes - Change database extension from .nrdb to .db for standard SQLite convention - Modify make_and_restart_relay.sh to run executable from build/ directory - Database files now created in build/ directory alongside executable - Enhanced --preserve-database flag with backup/restore functionality - Updated source code references in config.c and main.c - Port auto-increment functionality remains fully functional	2025-09-07 06:15:49 -04:00