Working on API

- Add relay_seckey table for secure private key storage
- Implement store_relay_private_key() and get_relay_private_key() functions
- Remove relay private key from public configuration events (kind 33334)
- Update first-time startup sequence to store keys securely after DB init
- Add proper validation and error handling for private key operations
- Fix timing issue where private key storage was attempted before DB initialization
- Security improvement: relay private keys no longer exposed in public events

.gitignore

@@ -8,3 +8,4 @@ src/version.h
 dev-config/
 db/
 copy_executable_local.sh
+nostr_login_lite/

.roo/architect/AGENTS.md

@@ -0,0 +1,298 @@
+
+# AGENTS.md - AI Agent Integration Guide for Architect Mode
+
+**Project-Specific Information for AI Agents Working with C-Relay in Architect Mode**
+
+## Critical Architecture Understanding
+
+### System Architecture Overview
+C-Relay implements a **unique event-based configuration architecture** that fundamentally differs from traditional Nostr relays:
+
+```
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│   WebSocket     │    │  Configuration   │    │    Database     │
+│   + HTTP        │◄──►│  Event System    │◄──►│   (SQLite)      │
+│   (Port 8888)   │    │  (Kind 33334)    │    │  Schema v4      │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+         │                       │                       │
+         ▼                       ▼                       ▼
+┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
+│ nostr_core_lib  │    │   Admin Key      │    │ Event Storage   │
+│ (Crypto/Sigs)   │    │   Management     │    │ + Subscriptions │
+└─────────────────┘    └──────────────────┘    └─────────────────┘
+```
+
+### Core Architectural Principles
+
+#### 1. Event-Driven Configuration
+**Design Philosophy**: Configuration as cryptographically signed events rather than files
+- **Benefits**: Auditability, remote management, tamper-evidence
+- **Trade-offs**: Complexity in configuration changes, admin key management burden
+- **Implementation**: Kind 33334 events stored in same database as relay events
+
+#### 2. Identity-Based Database Naming
+**Design Philosophy**: Database file named by relay's generated public key
+- **Benefits**: Prevents database conflicts, enables multi-relay deployments
+- **Trade-offs**: Cannot predict database filename, complicates backup strategies
+- **Implementation**: `<relay_pubkey>.db` created in build/ directory
+
+#### 3. Single-Binary Deployment
+**Design Philosophy**: All functionality embedded in one executable
+- **Benefits**: Simple deployment, no external dependencies to manage
+- **Trade-offs**: Larger binary size, harder to modularize
+- **Implementation**: SQL schema embedded as header file, nostr_core_lib as submodule
+
+#### 4. Dual-Protocol Support
+**Design Philosophy**: WebSocket (Nostr) and HTTP (NIP-11) on same port
+- **Benefits**: Simplified port management, reduced infrastructure complexity
+- **Trade-offs**: Protocol detection overhead, libwebsockets dependency
+- **Implementation**: Request routing based on HTTP headers and upgrade requests
+
+## Architectural Decision Analysis
+
+### Configuration System Design
+**Traditional Approach vs C-Relay:**
+```
+Traditional:           C-Relay:
+config.json     →     kind 33334 events
+ENV variables   →     cryptographically signed tags
+File watching   →     database polling/restart
+```
+
+**Implications for Extensions:**
+- Configuration changes require event signing capabilities
+- No hot-reloading without architectural changes
+- Admin key loss = complete database reset required
+
+### Database Architecture Decisions
+**Schema Design Philosophy:**
+- **Event Tags as JSON**: Separate table with JSON column instead of normalized relations
+- **Application-Level Filtering**: NIP-40 expiration handled in C, not SQL
+- **Embedded Schema**: Version 4 schema compiled into binary
+
+**Scaling Considerations:**
+- SQLite suitable for small-to-medium relays (< 10k concurrent connections)
+- Single-writer limitation of SQLite affects write-heavy workloads
+- JSON tag storage optimizes for read performance over write normalization
+
+### Memory Management Architecture
+**Thread Safety Model:**
+- Global subscription manager with mutex protection
+- Per-client subscription limits enforced in memory
+- WebSocket connection state managed by libwebsockets
+
+**Resource Management:**
+- JSON objects use reference counting (jansson library)
+- String duplication pattern for configuration values
+- Automatic cleanup on client disconnect
+
+## Architectural Extension Points
+
+### Adding New Configuration Options
+**Required Changes:**
+1. Update [`default_config_event.h`](src/default_config_event.h) template
+2. Add parsing logic in [`config.c`](src/config.c) `load_config_from_database()`
+3. Add global config struct field in [`config.h`](src/config.h)
+4. Update documentation in [`docs/configuration_guide.md`](docs/configuration_guide.md)
+
+### Adding New NIP Support
+**Integration Pattern:**
+1. Event validation in [`request_validator.c`](src/request_validator.c)
+2. Protocol handling in [`main.c`](src/main.c) WebSocket callback
+3. Database storage considerations in schema
+4. Add test in `tests/` directory
+
+### Scaling Architecture
+**Current Limitations:**
+- Single process, no horizontal scaling
+- SQLite single-writer bottleneck
+- Memory-based subscription management
+
+**Potential Extensions:**
+- Redis for subscription state sharing
+- PostgreSQL for better concurrent write performance
+- Load balancer for read scaling with multiple instances
+
+## Deployment Architecture Patterns
+
+### Development Deployment
+```
+Developer Machine:
+├── ./make_and_restart_relay.sh
+├── build/c_relay_x86
+├── build/<relay_pubkey>.db
+└── relay.log
+```
+
+### Production SystemD Deployment
+```
+/opt/c-relay/:
+├── c_relay_x86
+├── <relay_pubkey>.db
+├── systemd service (c-relay.service)
+└── c-relay user isolation
+```
+
+### Container Deployment Architecture
+```
+Container:
+├── Multi-stage build (deps + binary)
+├── Volume mount for database persistence
+├── Health checks via NIP-11 endpoint
+└── Signal handling for graceful shutdown
+```
+
+### Reverse Proxy Architecture
+```
+Internet → Nginx/HAProxy → C-Relay
+                       ├── WebSocket upgrade handling
+                       ├── SSL termination
+                       └── Rate limiting
+```
+
+## Security Architecture Considerations
+
+### Key Management Design
+**Admin Key Security Model:**
+- Generated once, displayed once, never stored
+- Required for all configuration changes
+- Loss requires complete database reset
+
+**Relay Identity Model:**
+- Separate keypair for relay identity
+- Public key used for database naming
+- Private key never exposed to clients
+
+### Event Validation Pipeline
+```
+WebSocket Input → JSON Parse → Schema Validate → Signature Verify → Store
+                             ↓                 ↓                  ↓
+                    reject    reject          reject           success
+```
+
+### Attack Surface Analysis
+**Network Attack Vectors:**
+- WebSocket connection flooding (mitigated by libwebsockets limits)
+- JSON parsing attacks (handled by jansson library bounds checking)
+- SQLite injection (prevented by prepared statements)
+
+**Configuration Attack Vectors:**
+- Admin key compromise (complete relay control)
+- Event signature forgery (prevented by nostr_core_lib validation)
+- Replay attacks (event timestamp validation required)
+
+## Non-Obvious Architectural Considerations
+
+### Database Evolution Strategy
+**Current Limitations:**
+- Schema changes require database recreation
+- No migration system for configuration events
+- Version 4 schema embedded in binary
+
+**Future Architecture Needs:**
+- Schema versioning and migration system
+- Backward compatibility for configuration events
+- Database backup/restore procedures
+
+### Configuration Event Lifecycle
+**Event Flow:**
+```
+Admin Signs Event → WebSocket Submit → Validate → Store → Restart Required
+                                    ↓            ↓         ↓
+                              Signature Check   Database  Config Reload
+```
+
+**Architectural Implications:**
+- No hot configuration reloading
+- Configuration changes require planned downtime
+- Event ordering matters for multiple simultaneous changes
+
+### Cross-Architecture Deployment
+**Build System Architecture:**
+- Auto-detection of host architecture
+- Cross-compilation support for ARM64
+- Architecture-specific binary outputs
+
+**Deployment Implications:**
+- Binary must match target architecture
+- Dependencies must be available for target architecture
+- Debug tooling architecture-specific
+
+### Performance Architecture Characteristics
+**Bottlenecks:**
+1. **SQLite Write Performance**: Single writer limitation
+2. **JSON Parsing**: Per-event parsing overhead
+3. **Signature Validation**: Cryptographic operations per event
+4. **Memory Management**: JSON object lifecycle management
+
+**Optimization Points:**
+- Prepared statement reuse
+- Connection pooling for concurrent reads
+- Event batching for bulk operations
+- Subscription indexing strategies
+
+### Integration Architecture Patterns
+**Monitoring Integration:**
+- NIP-11 endpoint for health checks
+- Log file monitoring for operational metrics
+- Database query monitoring for performance
+- Process monitoring for resource usage
+
+**Backup Architecture:**
+- Database file backup (SQLite file copy)
+- Configuration event export/import
+- Admin key secure storage (external to relay)
+
+### Future Extension Architectures
+**Multi-Relay Coordination:**
+- Database sharding by event kind
+- Cross-relay event synchronization
+- Distributed configuration management
+
+**Plugin Architecture Possibilities:**
+- Event processing pipeline hooks
+- Custom validation plugins
+- External authentication providers
+
+**Scaling Architecture Options:**
+- Read replicas with PostgreSQL migration
+- Event stream processing with message queues
+- Microservice decomposition (auth, storage, validation)
+
+## Architectural Anti-Patterns to Avoid
+
+1. **Configuration File Addition**: Breaks event-based config paradigm
+2. **Direct Database Modification**: Bypasses signature validation
+3. **Hard-Coded Ports**: Conflicts with auto-fallback system
+4. **Schema Modifications**: Requires database recreation
+5. **Admin Key Storage**: Violates security model
+6. **Blocking Operations**: Interferes with WebSocket event loop
+7. **Memory Leaks**: JSON objects must be properly reference counted
+8. **Thread Unsafe Operations**: Global state requires proper synchronization
+
+## Architecture Decision Records (Implicit)
+
+### Decision: Event-Based Configuration
+**Context**: Traditional config files vs. cryptographic auditability
+**Decision**: Store configuration as signed Nostr events
+**Consequences**: Complex configuration changes, enhanced security, remote management capability
+
+### Decision: SQLite Database
+**Context**: Database choice for relay storage
+**Decision**: Embedded SQLite with JSON tag storage
+**Consequences**: Simple deployment, single-writer limitation, application-level filtering
+
+### Decision: Single Binary Deployment
+**Context**: Dependency management vs. deployment simplicity
+**Decision**: Embed all dependencies and schema in binary
+**Consequences**: Larger binary, simple deployment, version coupling
+
+### Decision: Dual Protocol Support
+**Context**: WebSocket for Nostr, HTTP for NIP-11
+**Decision**: Same port serves both protocols
+**Consequences**: Simplified deployment, protocol detection overhead, libwebsockets dependency
+
+These architectural decisions form the foundation of C-Relay's unique approach to Nostr relay implementation and should be carefully considered when planning extensions or modifications.
+**
+
+[Response interrupted by a tool use result. Only one tool may be used at a time and should be placed at the end of the message.]

.roo/commands/push.md

@@ -0,0 +1,5 @@
+---
+description: "Brief description of what this command does"
+---
+
+Run build_and_push.sh, and supply a good git commit message.

07.md

@@ -0,0 +1,32 @@
+NIP-07
+======
+
+`window.nostr` capability for web browsers
+------------------------------------------
+
+`draft` `optional`
+
+The `window.nostr` object may be made available by web browsers or extensions and websites or web-apps may make use of it after checking its availability.
+
+That object must define the following methods:
+
+```
+async window.nostr.getPublicKey(): string // returns a public key as hex
+async window.nostr.signEvent(event: { created_at: number, kind: number, tags: string[][], content: string }): Event // takes an event object, adds `id`, `pubkey` and `sig` and returns it
+```
+
+Aside from these two basic above, the following functions can also be implemented optionally:
+```
+async window.nostr.nip04.encrypt(pubkey, plaintext): string // returns ciphertext and iv as specified in nip-04 (deprecated)
+async window.nostr.nip04.decrypt(pubkey, ciphertext): string // takes ciphertext and iv as specified in nip-04 (deprecated)
+async window.nostr.nip44.encrypt(pubkey, plaintext): string // returns ciphertext as specified in nip-44
+async window.nostr.nip44.decrypt(pubkey, ciphertext): string // takes ciphertext as specified in nip-44
+```
+
+### Recommendation to Extension Authors
+To make sure that the `window.nostr` is available to nostr clients on page load, the authors who create Chromium and Firefox extensions should load their scripts by specifying `"run_at": "document_end"` in the extension's manifest.
+
+
+### Implementation
+
+See https://github.com/aljazceru/awesome-nostr#nip-07-browser-extensions.

AGENTS.md

@@ -0,0 +1,142 @@
+# AGENTS.md - AI Agent Integration Guide
+
+**Project-Specific Information for AI Agents Working with C-Relay**
+
+## Critical Build Commands
+
+### Primary Build Command
+```bash
+./make_and_restart_relay.sh
+```
+**Never use `make` directly.** The project requires the custom restart script which:
+- Handles database preservation/cleanup based on flags
+- Manages architecture-specific binary detection (x86/ARM64)
+- Performs automatic process cleanup and port management
+- Starts relay in background with proper logging
+
+### Architecture-Specific Binary Outputs
+- **x86_64**: `./build/c_relay_x86`
+- **ARM64**: `./build/c_relay_arm64`
+- **Other**: `./build/c_relay_$(ARCH)`
+
+### Database File Naming Convention
+- **Format**: `<relay_pubkey>.db` (NOT `.nrdb` as shown in docs)
+- **Location**: Created in `build/` directory during execution
+- **Cleanup**: Use `--preserve-database` flag to retain between builds
+
+## Critical Integration Issues
+
+### Event-Based Configuration System
+- **No traditional config files** - all configuration stored as kind 33334 Nostr events
+- Admin private key shown **only once** on first startup
+- Configuration changes require cryptographically signed events
+- Database path determined by generated relay pubkey
+
+### First-Time Startup Sequence
+1. Relay generates admin keypair and relay keypair
+2. Creates database file with relay pubkey as filename
+3. Stores default configuration as kind 33334 event
+4. **CRITICAL**: Admin private key displayed once and never stored on disk
+
+### Port Management
+- Default port 8888 with automatic fallback (8889, 8890, etc.)
+- Script performs port availability checking before libwebsockets binding
+- Process cleanup includes force-killing processes on port 8888
+
+### Database Schema Dependencies
+- Uses embedded SQL schema (`sql_schema.h`)
+- Schema version 4 with JSON tag storage
+- **Critical**: Event expiration filtering done at application level, not SQL level
+
+### Configuration Event Structure
+```json
+{
+  "kind": 33334,
+  "content": "C Nostr Relay Configuration",
+  "tags": [
+    ["d", "<relay_pubkey>"],
+    ["relay_description", "value"],
+    ["max_subscriptions_per_client", "25"],
+    ["pow_min_difficulty", "16"]
+  ]
+}
+```
+
+### Process Management
+```bash
+# Kill existing relay processes
+pkill -f "c_relay_"
+
+# Check running processes
+ps aux | grep c_relay_
+
+# Force kill port binding
+fuser -k 8888/tcp
+```
+
+### Cross-Compilation Specifics
+- ARM64 requires explicit dependency installation: `make install-arm64-deps`
+- Uses `aarch64-linux-gnu-gcc` with specific library paths
+- PKG_CONFIG_PATH must be set for ARM64: `/usr/lib/aarch64-linux-gnu/pkgconfig`
+
+### Testing Integration
+- Tests expect relay running on default port
+- Use `tests/quick_error_tests.sh` for validation
+- Event configuration tests: `tests/event_config_tests.sh`
+
+### SystemD Integration Considerations
+- Service runs as `c-relay` user in `/opt/c-relay`
+- Database files created in WorkingDirectory automatically
+- No environment variables needed (event-based config)
+- Resource limits: 65536 file descriptors, 4096 processes
+
+### Development vs Production Differences
+- Development: `make_and_restart_relay.sh` (default database cleanup)
+- Production: `make_and_restart_relay.sh --preserve-database`
+- Debug build requires manual gdb attachment to architecture-specific binary
+
+### Critical File Dependencies
+- `nostr_core_lib/` submodule must be initialized and built first
+- Version header auto-generated from git tags: `src/version.h`
+- Schema embedded in binary from `src/sql_schema.h`
+
+### WebSocket Protocol Specifics
+- Supports both WebSocket (Nostr protocol) and HTTP (NIP-11)
+- NIP-11 requires `Accept: application/nostr+json` header
+- CORS headers automatically added for NIP-11 compliance
+
+### Memory Management Notes
+- Persistent subscription system with thread-safe global manager
+- Per-session subscription limits enforced
+- Event filtering done at C level, not SQL level for NIP-40 expiration
+
+### Configuration Override Behavior
+- CLI port override only affects first-time startup
+- After database creation, all config comes from events
+- Database path cannot be changed after initialization
+
+## Non-Obvious Pitfalls
+
+1. **Database Lock Issues**: Script handles SQLite locking by killing existing processes first
+2. **Port Race Conditions**: Pre-check + libwebsockets binding can still fail due to timing
+3. **Key Loss**: Admin private key loss requires complete database deletion and restart
+4. **Architecture Detection**: Build system auto-detects but cross-compilation requires manual setup
+5. **Event Storage**: Ephemeral events (kind 20000-29999) accepted but not stored
+6. **Signature Validation**: All events validated with `nostr_verify_event_signature()` from nostr_core_lib
+
+## Quick Debugging Commands
+```bash
+# Check relay status
+ps aux | grep c_relay_ && netstat -tln | grep 8888
+
+# View logs
+tail -f relay.log
+
+# Test WebSocket connection
+wscat -c ws://localhost:8888
+
+# Test NIP-11 endpoint
+curl -H "Accept: application/nostr+json" http://localhost:8888
+
+# Find database files
+find . -name "*.db" -type f

IMPLEMENT_API.md

@@ -0,0 +1,513 @@
+# Implementation Plan: Enhanced Admin Event API Structure
+
+## Current Issue
+
+The current admin event routing at [`main.c:3248-3268`](src/main.c:3248) has a security vulnerability:
+
+```c
+if (event_kind == 23455 || event_kind == 23456) {
+    // Admin event processing
+    int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
+} else {
+    // Regular event storage and broadcasting
+}
+```
+
+**Problem**: Any event with these kinds gets routed to admin processing, regardless of authorization. This allows unauthorized users to send admin events that could be processed as legitimate admin commands.
+
+**Note**: Event kinds 33334 and 33335 are no longer used and have been removed from the admin event routing.
+
+## Required Security Enhancement
+
+Admin events must be validated for proper authorization BEFORE routing to admin processing:
+
+1. **Relay Public Key Check**: Event must have a `p` tag equal to the relay's public key
+2. **Admin Signature Check**: Event must be signed by an authorized admin private key
+3. **Fallback to Regular Processing**: If authorization fails, treat as regular event (not admin event)
+
+## Implementation Plan
+
+### Phase 1: Add Admin Authorization Validation
+
+#### 1.1 Create Consolidated Admin Authorization Function
+**Location**: [`src/main.c`](src/main.c) or [`src/config.c`](src/config.c)
+
+```c
+/**
+ * Consolidated admin event authorization validator
+ * Implements defense-in-depth security for admin events
+ *
+ * @param event - The event to validate for admin authorization
+ * @param error_message - Buffer for detailed error messages
+ * @param error_size - Size of error message buffer
+ * @return 0 if authorized, -1 if unauthorized, -2 if validation error
+ */
+int is_authorized_admin_event(cJSON* event, char* error_message, size_t error_size) {
+    if (!event) {
+        snprintf(error_message, error_size, "admin_auth: null event");
+        return -2;
+    }
+    
+    // Extract event components
+    cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
+    cJSON* pubkey_obj = cJSON_GetObjectItem(event, "pubkey");
+    cJSON* tags_obj = cJSON_GetObjectItem(event, "tags");
+    
+    if (!kind_obj || !pubkey_obj || !tags_obj) {
+        snprintf(error_message, error_size, "admin_auth: missing required fields");
+        return -2;
+    }
+    
+    // Validation Layer 1: Kind Check
+    int event_kind = (int)cJSON_GetNumberValue(kind_obj);
+    if (event_kind != 23455 && event_kind != 23456) {
+        snprintf(error_message, error_size, "admin_auth: not an admin event kind");
+        return -1;
+    }
+    
+    // Validation Layer 2: Relay Targeting Check
+    const char* relay_pubkey = get_config_value("relay_pubkey");
+    if (!relay_pubkey) {
+        snprintf(error_message, error_size, "admin_auth: relay pubkey not configured");
+        return -2;
+    }
+    
+    // Check for 'p' tag targeting this relay
+    int has_relay_target = 0;
+    if (cJSON_IsArray(tags_obj)) {
+        cJSON* tag = NULL;
+        cJSON_ArrayForEach(tag, tags_obj) {
+            if (cJSON_IsArray(tag) && cJSON_GetArraySize(tag) >= 2) {
+                cJSON* tag_name = cJSON_GetArrayItem(tag, 0);
+                cJSON* tag_value = cJSON_GetArrayItem(tag, 1);
+                
+                if (cJSON_IsString(tag_name) && cJSON_IsString(tag_value)) {
+                    const char* name = cJSON_GetStringValue(tag_name);
+                    const char* value = cJSON_GetStringValue(tag_value);
+                    
+                    if (strcmp(name, "p") == 0 && strcmp(value, relay_pubkey) == 0) {
+                        has_relay_target = 1;
+                        break;
+                    }
+                }
+            }
+        }
+    }
+    
+    if (!has_relay_target) {
+        // Admin event for different relay - not unauthorized, just not for us
+        snprintf(error_message, error_size, "admin_auth: admin event for different relay");
+        return -1;
+    }
+    
+    // Validation Layer 3: Admin Signature Check (only if targeting this relay)
+    const char* event_pubkey = cJSON_GetStringValue(pubkey_obj);
+    if (!event_pubkey) {
+        snprintf(error_message, error_size, "admin_auth: invalid pubkey format");
+        return -2;
+    }
+    
+    const char* admin_pubkey = get_config_value("admin_pubkey");
+    if (!admin_pubkey || strcmp(event_pubkey, admin_pubkey) != 0) {
+        // This is the ONLY case where we log as "Unauthorized admin event attempt"
+        // because it's targeting THIS relay but from wrong admin
+        snprintf(error_message, error_size, "admin_auth: unauthorized admin for this relay");
+        log_warning("SECURITY: Unauthorized admin event attempt for this relay");
+        return -1;
+    }
+    
+    // All validation layers passed
+    log_info("ADMIN: Admin event authorized");
+    return 0;
+}
+
+```
+
+#### 1.2 Update Event Routing Logic
+**Location**: [`main.c:3248`](src/main.c:3248)
+
+```c
+// Current problematic code:
+if (event_kind == 23455 || event_kind == 23456) {
+    // Admin event processing
+    int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
+} else {
+    // Regular event storage and broadcasting
+}
+
+// Enhanced secure code with consolidated authorization:
+if (result == 0) {
+    cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
+    if (kind_obj && cJSON_IsNumber(kind_obj)) {
+        int event_kind = (int)cJSON_GetNumberValue(kind_obj);
+        
+        // Check if this is an admin event
+        if (event_kind == 23455 || event_kind == 23456) {
+            // Use consolidated authorization check
+            char auth_error[512] = {0};
+            int auth_result = is_authorized_admin_event(event, auth_error, sizeof(auth_error));
+            
+            if (auth_result == 0) {
+                // Authorized admin event - process through admin API
+                char admin_error[512] = {0};
+                int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
+                
+                if (admin_result != 0) {
+                    result = -1;
+                    strncpy(error_message, admin_error, sizeof(error_message) - 1);
+                }
+                // Admin events are NOT broadcast to subscriptions
+            } else {
+                // Unauthorized admin event - treat as regular event
+                log_warning("Unauthorized admin event treated as regular event");
+                if (store_event(event) != 0) {
+                    result = -1;
+                    strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
+                } else {
+                    broadcast_event_to_subscriptions(event);
+                }
+            }
+        } else {
+            // Regular event - normal processing
+            if (store_event(event) != 0) {
+                result = -1;
+                strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
+            } else {
+                broadcast_event_to_subscriptions(event);
+            }
+        }
+    }
+}
+```
+
+### Phase 2: Enhanced Admin Event Processing
+
+#### 2.1 Admin Event Validation in Config System
+**Location**: [`src/config.c`](src/config.c) - [`process_admin_event_in_config()`](src/config.c:2065)
+
+Add additional validation within the admin processing function:
+
+```c
+int process_admin_event_in_config(cJSON* event, char* error_buffer, size_t error_buffer_size, struct lws* wsi) {
+    // Double-check authorization (defense in depth)
+    if (!is_authorized_admin_event(event)) {
+        snprintf(error_buffer, error_buffer_size, "unauthorized: not a valid admin event");
+        return -1;
+    }
+    
+    // Continue with existing admin event processing...
+    // ... rest of function unchanged
+}
+```
+
+#### 2.2 Logging and Monitoring
+Add comprehensive logging for admin event attempts:
+
+```c
+// In the routing logic - enhanced logging
+cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
+cJSON* pubkey_obj = cJSON_GetObjectItem(event, "pubkey");
+int event_kind = kind_obj ? cJSON_GetNumberValue(kind_obj) : -1;
+const char* event_pubkey = pubkey_obj ? cJSON_GetStringValue(pubkey_obj) : "unknown";
+
+if (is_authorized_admin_event(event)) {
+    char log_msg[256];
+    snprintf(log_msg, sizeof(log_msg),
+            "ADMIN EVENT: Authorized admin event (kind=%d) from pubkey=%.16s...",
+            event_kind, event_pubkey);
+    log_info(log_msg);
+} else if (event_kind == 23455 || event_kind == 23456) {
+    // This catches unauthorized admin event attempts
+    char log_msg[256];
+    snprintf(log_msg, sizeof(log_msg),
+            "SECURITY: Unauthorized admin event attempt (kind=%d) from pubkey=%.16s...",
+            event_kind, event_pubkey);
+    log_warning(log_msg);
+}
+```
+
+## Phase 3: Unified Output Flow Architecture
+
+### 3.1 Current Output Flow Analysis
+
+After analyzing both [`main.c`](src/main.c) and [`config.c`](src/config.c), the **admin event responses already flow through the standard WebSocket output pipeline**. This is the correct architecture and requires no changes.
+
+#### Standard WebSocket Output Pipeline
+
+**Regular Events** ([`main.c:2978-2996`](src/main.c:2978)):
+```c
+// Database query responses
+unsigned char* buf = malloc(LWS_PRE + msg_len);
+memcpy(buf + LWS_PRE, msg_str, msg_len);
+lws_write(wsi, buf + LWS_PRE, msg_len, LWS_WRITE_TEXT);
+free(buf);
+```
+
+**OK Responses** ([`main.c:3342-3375`](src/main.c:3342)):
+```c
+// Event processing results: ["OK", event_id, success_boolean, message]
+unsigned char *buf = malloc(LWS_PRE + response_len);
+memcpy(buf + LWS_PRE, response_str, response_len);
+lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+free(buf);
+```
+
+#### Admin Event Output Pipeline (Already Unified)
+
+**Admin Responses** ([`config.c:2363-2414`](src/config.c:2363)):
+```c
+// Admin query responses use IDENTICAL pattern
+int send_websocket_response_data(struct lws* wsi, cJSON* response_data) {
+    unsigned char* buf = malloc(LWS_PRE + response_len);
+    memcpy(buf + LWS_PRE, response_str, response_len);
+    
+    // Same lws_write() call as regular events
+    int result = lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+    
+    free(buf);
+    return result;
+}
+```
+
+### 3.2 Unified Output Flow Confirmation
+
+✅ **Admin responses already use the same WebSocket transmission mechanism as regular events**
+
+✅ **Both admin and regular events use identical buffer allocation patterns**
+
+✅ **Both admin and regular events use the same [`lws_write()`](src/config.c:2393) function**
+
+✅ **Both admin and regular events follow the same cleanup patterns**
+
+### 3.3 Output Flow Integration Points
+
+The admin event processing in [`config.c:2436`](src/config.c:2436) already integrates correctly with the unified output system:
+
+1. **Admin Query Processing** ([`config.c:2568-2583`](src/config.c:2568)):
+   - Auth queries return structured JSON via [`send_websocket_response_data()`](src/config.c:2571)
+   - System commands return status data via [`send_websocket_response_data()`](src/config.c:2631)
+
+2. **Response Format Consistency**:
+   - Admin responses use standard JSON format
+   - Regular events use standard Nostr event format
+   - Both transmitted through same WebSocket pipeline
+
+3. **Error Handling Consistency**:
+   - Admin errors returned via same WebSocket connection
+   - Regular event errors returned via OK messages
+   - Both use identical transmission mechanism
+
+### 3.4 Key Architectural Benefits
+
+**No Changes Required**: The output flow is already unified and correctly implemented.
+
+**Security Separation**: Admin events are processed separately but responses flow through the same secure WebSocket channel.
+
+**Performance Consistency**: Both admin and regular responses use the same optimized transmission path.
+
+**Maintenance Simplicity**: Single WebSocket output pipeline reduces complexity and potential bugs.
+
+### 3.5 Admin Event Flow Summary
+
+```
+Admin Event Input → Authorization Check → Admin Processing → Unified WebSocket Output
+Regular Event Input → Validation → Storage + Broadcast → Unified WebSocket Output
+```
+
+Both flows converge at the **Unified WebSocket Output** stage, which is already correctly implemented.
+
+## Phase 4: Integration Points for Secure Admin Event Routing
+
+### 4.1 Configuration System Integration
+
+**Required Configuration Values**:
+- `admin_pubkey` - Public key of authorized administrator
+- `relay_pubkey` - Public key of this relay instance
+
+**Integration Points**:
+1. [`get_config_value()`](src/config.c) - Used by authorization function
+2. [`get_relay_pubkey_cached()`](src/config.c) - Used for relay targeting validation
+3. Configuration loading during startup - Must ensure admin/relay pubkeys are available
+
+### 4.3 Forward Declarations Required
+
+**Location**: [`src/main.c`](src/main.c) - Add near other forward declarations (around line 230)
+
+```c
+// Forward declarations for enhanced admin event authorization
+int is_authorized_admin_event(cJSON* event, char* error_message, size_t error_size);
+```
+
+### 4.4 Error Handling Integration
+
+**Enhanced Error Response System**:
+
+```c
+// In main.c event processing - enhanced error handling for admin events
+if (auth_result != 0) {
+    // Admin authorization failed - send detailed OK response
+    cJSON* event_id = cJSON_GetObjectItem(event, "id");
+    if (event_id && cJSON_IsString(event_id)) {
+        cJSON* response = cJSON_CreateArray();
+        cJSON_AddItemToArray(response, cJSON_CreateString("OK"));
+        cJSON_AddItemToArray(response, cJSON_CreateString(cJSON_GetStringValue(event_id)));
+        cJSON_AddItemToArray(response, cJSON_CreateBool(0)); // Failed
+        cJSON_AddItemToArray(response, cJSON_CreateString(auth_error));
+        
+        // Send via standard WebSocket output pipeline
+        char *response_str = cJSON_Print(response);
+        if (response_str) {
+            size_t response_len = strlen(response_str);
+            unsigned char *buf = malloc(LWS_PRE + response_len);
+            if (buf) {
+                memcpy(buf + LWS_PRE, response_str, response_len);
+                lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+                free(buf);
+            }
+            free(response_str);
+        }
+        cJSON_Delete(response);
+    }
+}
+```
+
+### 4.5 Logging Integration Points
+
+**Console Logging**: Uses existing [`log_warning()`](src/main.c:993), [`log_info()`](src/main.c:972) functions
+
+**Security Event Categories**:
+- Admin authorization success logged via `log_info()`
+- Admin authorization failures logged via `log_warning()`
+- Admin event processing logged via existing admin logging
+
+## Phase 5: Detailed Function Specifications
+
+### 5.1 Core Authorization Function
+
+**Function**: `is_authorized_admin_event()`
+**Location**: [`src/main.c`](src/main.c) or [`src/config.c`](src/config.c)
+**Dependencies**:
+- `get_config_value()` for admin/relay pubkeys
+- `log_warning()` and `log_info()` for logging
+- `cJSON` library for event parsing
+
+**Return Values**:
+- `0` - Event is authorized for admin processing
+- `-1` - Event is unauthorized (treat as regular event)
+- `-2` - Validation error (malformed event)
+
+**Error Handling**: Detailed error messages in provided buffer for client feedback
+
+### 5.2 Enhanced Event Routing
+
+**Location**: [`main.c:3248-3340`](src/main.c:3248)
+**Integration**: Replaces existing admin event routing logic
+**Dependencies**:
+- `is_authorized_admin_event()` for authorization
+- `process_admin_event_in_config()` for admin processing
+- `store_event()` and `broadcast_event_to_subscriptions()` for regular events
+
+**Security Features**:
+- Graceful degradation for unauthorized admin events
+- Comprehensive logging of authorization attempts
+- No broadcast of admin events to subscriptions
+- Detailed error responses for failed authorization
+
+### 5.4 Defense-in-Depth Validation
+
+**Primary Validation**: In main event routing logic
+**Secondary Validation**: In `process_admin_event_in_config()` function
+**Tertiary Validation**: In individual admin command handlers
+
+**Validation Layers**:
+1. **Kind Check** - Must be admin event kind (23455/23456)
+2. **Relay Targeting Check** - Must have 'p' tag with this relay's pubkey
+3. **Admin Signature Check** - Must be signed by authorized admin (only if targeting this relay)
+4. **Processing Check** - Additional validation in admin handlers
+
+**Security Logic**:
+- If no 'p' tag for this relay → Admin event for different relay (not unauthorized)
+- If 'p' tag for this relay + wrong admin signature → "Unauthorized admin event attempt"
+
+## Phase 6: Event Flow Documentation
+
+### 6.1 Complete Event Processing Flow
+
+```
+┌─────────────────┐
+│ WebSocket Input │
+└─────────┬───────┘
+          │
+          ▼
+┌─────────────────┐
+│ Unified         │
+│ Validation      │ ← nostr_validate_unified_request()
+└─────────┬───────┘
+          │
+          ▼
+┌─────────────────┐
+│ Kind-Based      │
+│ Routing Check   │ ← Check if kind 23455/23456
+└─────────┬───────┘
+          │
+     ┌────▼────┐
+     │ Admin?  │
+     └────┬────┘
+          │
+    ┌─────▼─────┐         ┌─────────────┐
+    │ YES       │         │ NO          │
+    │           │         │             │
+    ▼           │         ▼             │
+┌─────────────┐ │    ┌─────────────┐    │
+│ Admin       │ │    │ Regular     │    │
+│ Authorization│ │    │ Event       │    │
+│ Check       │ │    │ Processing  │    │
+└─────┬───────┘ │    └─────┬───────┘    │
+      │         │          │            │
+ ┌────▼────┐    │          ▼            │
+ │Authorized?│   │    ┌─────────────┐    │
+ └────┬────┘    │    │ store_event()│    │
+      │         │    │ +           │    │
+┌─────▼─────┐   │    │ broadcast() │    │
+│ YES   NO  │   │    └─────┬───────┘    │
+│  │     │  │   │          │            │
+│  ▼     ▼  │   │          ▼            │
+│┌─────┐┌───┴┐  │    ┌─────────────┐    │
+││Admin││Treat│  │    │ WebSocket   │    │
+││API  ││as   │  │    │ OK Response │    │
+││     ││Reg  │  │    └─────────────┘    │
+│└──┬──┘└───┬┘  │                       │
+│   │      │   │                       │
+│   ▼      │   │                       │
+│┌─────────┐│   │                       │
+││WebSocket││   │                       │
+││Response ││   │                       │
+│└─────────┘│   │                       │
+└───────────┴───┘                       │
+            │                           │
+            └───────────────────────────┘
+                        │
+                        ▼
+                ┌─────────────┐
+                │ Unified     │
+                │ WebSocket   │
+                │ Output      │
+                └─────────────┘
+```
+
+### 6.2 Security Decision Points
+
+1. **Event Kind Check** - Identifies potential admin events
+2. **Authorization Validation** - Three-layer security check
+3. **Routing Decision** - Admin API vs Regular processing
+4. **Response Generation** - Unified output pipeline
+5. **Audit Logging** - Security event tracking
+
+### 6.3 Error Handling Paths
+
+**Validation Errors**: Return detailed error messages via OK response
+**Authorization Failures**: Log security event + treat as regular event
+**Processing Errors**: Return admin-specific error responses
+**System Errors**: Fallback to standard error handling
+
+This completes the comprehensive implementation plan for the enhanced admin event API structure with unified output flow architecture.

Makefile

@@ -9,7 +9,7 @@ LIBS = -lsqlite3 -lwebsockets -lz -ldl -lpthread -lm -L/usr/local/lib -lsecp256k
 BUILD_DIR = build
 
 # Source files
-MAIN_SRC = src/main.c src/config.c
+MAIN_SRC = src/main.c src/config.c src/request_validator.c
 NOSTR_CORE_LIB = nostr_core_lib/libnostr_core_x64.a
 
 # Architecture detection

README.md

@@ -2,265 +2,6 @@
 
 A high-performance Nostr relay implemented in C with SQLite backend, featuring a revolutionary **zero-configuration** approach using event-based configuration management.
 
-## 🌟 Key Features
-
-- **🔧 Zero Configuration**: No config files or command line arguments needed
-- **🔑 Event-Based Config**: All settings stored as kind 33334 Nostr events
-- **🚀 Real-Time Updates**: Configuration changes applied instantly via WebSocket
-- **🛡️ Cryptographic Security**: Configuration events cryptographically signed and validated
-- **📊 SQLite Backend**: High-performance event storage with optimized schema
-- **🔄 Auto Key Generation**: Secure admin and relay keypairs generated on first startup
-- **💾 Database Per Relay**: Each relay instance uses `<relay_pubkey>.nrdb` database naming
-
-## 🚀 Quick Start
-
-### 1. Build the Relay
-```bash
-git clone <repository-url>
-cd c-relay
-git submodule update --init --recursive
-make
-```
-
-### 2. Start the Relay
-```bash
-./build/c_relay_x86
-```
-
-**That's it!** No configuration files, no command line arguments needed.
-
-### 3. Save Your Admin Keys (IMPORTANT!)
-On first startup, the relay will display:
-
-```
-=================================================================
-IMPORTANT: SAVE THIS ADMIN PRIVATE KEY SECURELY!
-=================================================================
-Admin Private Key: f8491814ea288260dad2ab52c09b3b037e75e83e8b24feb9bdc328423922be44
-Admin Public Key:  07fc2cdd8bdc0c60eefcc9e37e67fef88206bc84fadb894c283b006554ac687b
-
-Relay Private Key: a1b2c3d4e5f6...
-Relay Public Key:  1a2b3c4d5e6f...
-
-Database: dc9a93fd0ffba7041f6df0602e5021913a42fcaf6dbf40f43ecdc011177b4d94.nrdb
-=================================================================
-```
-
-⚠️ **Save the admin private key securely** - it's needed to update relay configuration and is only displayed once!
-
-## 📋 System Requirements
-
-- **OS**: Linux, macOS, or Windows (WSL)
-- **Dependencies**: 
-  - SQLite 3
-  - libwebsockets
-  - OpenSSL/LibreSSL
-  - libsecp256k1
-  - libcurl
-  - zlib
-
-## 🏗️ Event-Based Configuration System
-
-### How It Works
-
-Traditional Nostr relays require configuration files, environment variables, or command line arguments. This relay uses a **revolutionary approach**:
-
-1. **First-Time Startup**: Generates cryptographically secure admin and relay keypairs
-2. **Database Creation**: Creates `<relay_pubkey>.nrdb` database file
-3. **Default Configuration**: Creates initial kind 33334 configuration event with sensible defaults
-4. **Real-Time Updates**: Administrators send new kind 33334 events to update configuration
-5. **Instant Application**: Changes are applied immediately without restart
-
-### Configuration Updates
-
-To update relay configuration, send a signed kind 33334 event:
-
-```json
-{
-  "kind": 33334,
-  "content": "C Nostr Relay Configuration",
-  "tags": [
-    ["d", "<relay_pubkey>"],
-    ["relay_description", "My awesome Nostr relay"],
-    ["max_subscriptions_per_client", "25"],
-    ["pow_min_difficulty", "16"],
-    ["nip40_expiration_enabled", "true"]
-  ],
-  "created_at": 1234567890,
-  "pubkey": "<admin_pubkey>",
-  "id": "...",
-  "sig": "..."
-}
-```
-
-Send this event to your relay via WebSocket, and changes are applied instantly.
-
-### Configurable Parameters
-
-| Parameter | Description | Default |
-|-----------|-------------|---------|
-| `relay_description` | Relay description (NIP-11) | "C Nostr Relay" |
-| `relay_contact` | Admin contact info | "" |
-| `max_subscriptions_per_client` | Max subscriptions per client | "25" |
-| `max_total_subscriptions` | Total subscription limit | "5000" |
-| `pow_min_difficulty` | NIP-13 PoW difficulty | "0" |
-| `pow_mode` | PoW validation mode | "optional" |
-| `nip40_expiration_enabled` | Enable NIP-40 expiration | "true" |
-| `nip40_expiration_strict` | Strict expiration mode | "false" |
-| `max_message_length` | Max message size | "65536" |
-| `max_event_tags` | Max tags per event | "2000" |
-| `max_content_length` | Max content length | "65536" |
-
-## 🔧 Deployment
-
-### Manual Installation
-```bash
-# Build the relay
-make
-
-# Run directly
-./build/c_relay_x86
-```
-
-### SystemD Service (Recommended)
-```bash
-# Install as system service
-sudo systemd/install-service.sh
-
-# Start the service
-sudo systemctl start c-relay
-
-# Enable auto-start on boot
-sudo systemctl enable c-relay
-
-# View logs
-sudo journalctl -u c-relay -f
-```
-
-See [`systemd/README.md`](systemd/README.md) for detailed deployment documentation.
-
-### Docker (Coming Soon)
-Docker support is planned for future releases.
-
-## 📊 Database Schema
-
-The relay uses an optimized SQLite schema (version 4) with these key features:
-
-- **Event-based storage**: All Nostr events in single `events` table
-- **JSON tags support**: Native JSON storage for event tags
-- **Performance optimized**: Multiple indexes for fast queries
-- **Subscription logging**: Optional detailed subscription analytics
-- **Auto-cleanup**: Automatic ephemeral event cleanup
-- **Replaceable events**: Proper handling of replaceable/addressable events
-
-## 🛡️ Security Features
-
-- **Cryptographic validation**: All configuration events cryptographically verified
-- **Admin-only config**: Only authorized admin pubkey can update configuration
-- **Signature verification**: Uses `nostr_verify_event_signature()` for validation
-- **Event structure validation**: Complete event structure validation
-- **Secure key generation**: Uses `/dev/urandom` for cryptographically secure keys
-- **No secrets storage**: Admin private key never stored on disk
-
-## 🔌 Network Configuration
-
-- **Default Port**: 8888 (WebSocket)
-- **Protocol**: WebSocket with Nostr message format
-- **Endpoints**: 
-  - `ws://localhost:8888` - WebSocket relay
-  - `http://localhost:8888` - NIP-11 relay information (HTTP GET)
-
-## 🏃‍♂️ Usage Examples
-
-### Connect with a Nostr Client
-```javascript
-const relay = new WebSocket('ws://localhost:8888');
-relay.send(JSON.stringify(["REQ", "sub1", {"kinds": [1], "limit": 10}]));
-```
-
-### Update Configuration (using `nostrtool` or similar)
-```bash
-# Create configuration event with nostrtool
-nostrtool event --kind 33334 --content "Updated config" \
-  --tag d <relay_pubkey> \
-  --tag relay_description "My updated relay" \
-  --private-key <admin_private_key>
-
-# Send to relay
-nostrtool send ws://localhost:8888 <event_json>
-```
-
-## 📈 Monitoring and Analytics
-
-### View Relay Status
-```bash
-# Check if relay is running
-ps aux | grep c_relay
-
-# Check network port
-netstat -tln | grep 8888
-
-# View recent logs
-tail -f relay.log
-```
-
-### Database Analytics
-```bash
-# Connect to relay database
-sqlite3 <relay_pubkey>.nrdb
-
-# View relay statistics
-SELECT * FROM event_stats;
-
-# View configuration events
-SELECT * FROM configuration_events;
-
-# View recent events
-SELECT * FROM recent_events LIMIT 10;
-```
-
-## 🧪 Testing
-
-### Run Error Handling Tests
-```bash
-# Comprehensive test suite
-tests/event_config_tests.sh
-
-# Quick validation tests
-tests/quick_error_tests.sh
-```
-
-### Manual Testing
-```bash
-# Test WebSocket connection
-wscat -c ws://localhost:8888
-
-# Test NIP-11 information
-curl http://localhost:8888
-```
-
-## 🔧 Development
-
-### Build from Source
-```bash
-git clone <repository-url>
-cd c-relay
-git submodule update --init --recursive
-make clean && make
-```
-
-### Debug Build
-```bash
-make debug
-gdb ./build/c_relay_x86
-```
-
-### Contributing
-1. Fork the repository
-2. Create a feature branch
-3. Make changes with tests
-4. Submit a pull request
-
 ## 📜 Supported NIPs
 
 <!--
@@ -276,68 +17,155 @@ Do NOT modify the formatting, add emojis, or change the text. Keep the simple fo
 - [x] NIP-20: Command Results
 - [x] NIP-33: Parameterized Replaceable Events
 - [x] NIP-40: Expiration Timestamp
-- [ ] NIP-42: Authentication of clients to relays
+- [x] NIP-42: Authentication of clients to relays
 - [ ] NIP-45: Counting results
 - [ ] NIP-50: Keywords filter
 - [ ] NIP-70: Protected Events
 
-## 🆘 Troubleshooting
+## 🔧 Administrator API
 
-### Common Issues
+C-Relay uses an innovative **event-based administration system** where all configuration and management commands are sent as signed Nostr events using the admin private key generated during first startup. All admin commands use **tag-based parameters** for simplicity and compatibility.
 
-**Relay won't start**
-```bash
-# Check for port conflicts
-netstat -tln | grep 8888
+### Authentication
 
-# Check permissions
-ls -la build/c_relay_x86
+All admin commands require signing with the admin private key displayed during first-time startup. **Save this key securely** - it cannot be recovered and is needed for all administrative operations.
 
-# Check dependencies
-ldd build/c_relay_x86
+### Event Structure
+
+All admin commands use the same unified event structure with tag-based parameters:
+
+**Admin Command Event:**
+```json
+{
+  "id": "event_id",
+  "pubkey": "admin_public_key",
+  "created_at": 1234567890,
+  "kind": 23456,
+  "content": "<nip44 encrypted command>",
+  "tags": [
+    ["p", "relay_public_key"],
+  ],
+  "sig": "event_signature"
+}
 ```
 
-**Lost admin private key**
-- If you lose the admin private key, you cannot update configuration
-- You must delete the database file and restart (loses all events)
-- The relay will generate new keys on first startup
-
-**Database corruption**
-```bash
-# Check database integrity
-sqlite3 <relay_pubkey>.nrdb "PRAGMA integrity_check;"
-
-# If corrupted, remove database (loses all events)
-rm <relay_pubkey>.nrdb*
-./build/c_relay_x86  # Will create fresh database
+**Admin Response Event:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "<nip44 encrypted response>",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
 ```
 
-**Configuration not updating**
-- Ensure configuration events are properly signed
-- Check that admin pubkey matches the one from first startup
-- Verify WebSocket connection is active
-- Check relay logs for validation errors
+### Admin Commands
 
-## 📄 License
+All commands are sent as nip44 encrypted content. The following table lists all available commands:
 
-This project is licensed under the MIT License - see the LICENSE file for details.
+| Command Type | Tag Format | Description |
+|--------------|------------|-------------|
+| **Configuration Management** |
+| `config_update` | `["relay_description", "My Relay"]` | Update relay configuration parameters |
+| `config_query` | `["config_query", "list_all_keys"]` | List all available configuration keys |
+| **Auth Rules Management** |
+| `auth_add_blacklist` | `["blacklist", "pubkey", "abc123..."]` | Add pubkey to blacklist |
+| `auth_add_whitelist` | `["whitelist", "pubkey", "def456..."]` | Add pubkey to whitelist |
+| `auth_query_all` | `["auth_query", "all"]` | Query all auth rules |
+| `auth_query_type` | `["auth_query", "whitelist"]` | Query specific rule type |
+| `auth_query_pattern` | `["auth_query", "pattern", "abc123..."]` | Query specific pattern |
+| **System Commands** |
+| `system_clear_auth` | `["system_command", "clear_all_auth_rules"]` | Clear all auth rules |
+| `system_status` | `["system_command", "system_status"]` | Get system status |
 
-## 🤝 Support
+### Available Configuration Keys
 
-- **Issues**: Report bugs and feature requests on GitHub
-- **Documentation**: See `docs/` directory for technical details
-- **Deployment**: See `systemd/README.md` for production deployment
-- **Community**: Join the Nostr development community
+**Basic Relay Settings:**
+- `relay_description`: Relay description text
+- `relay_contact`: Contact information
+- `max_connections`: Maximum concurrent connections
+- `max_subscriptions_per_client`: Max subscriptions per client
+- `max_event_tags`: Maximum tags per event
+- `max_content_length`: Maximum event content length
 
-## 🚀 Future Roadmap
+**Authentication & Access Control:**
+- `auth_enabled`: Enable whitelist/blacklist auth rules (`true`/`false`)
+- `nip42_auth_required`: Enable NIP-42 cryptographic authentication (`true`/`false`)
+- `nip42_auth_required_kinds`: Event kinds requiring NIP-42 auth (comma-separated)
+- `nip42_challenge_timeout`: NIP-42 challenge expiration seconds
 
-- [ ] Docker containerization
-- [ ] NIP-42 authentication support
-- [ ] Advanced analytics dashboard
-- [ ] Clustering support for high availability
-- [ ] Performance optimizations
-- [ ] Additional NIP implementations
+**Proof of Work & Validation:**
+- `pow_min_difficulty`: Minimum proof-of-work difficulty
+- `nip40_expiration_enabled`: Enable event expiration (`true`/`false`)
 
----
+### Response Format
+
+All admin commands return **signed EVENT responses** via WebSocket following standard Nostr protocol. Responses use JSON content with structured data.
+
+#### Response Examples
+
+**Success Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"status\": \"success\", \"message\": \"Operation completed successfully\"}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
+
+**Error Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"status\": \"error\", \"message\": \"Error: invalid configuration value\"}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
+
+**Auth Rules Query Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"query_type\": \"auth_rules\", \"total_results\": 2, \"data\": [{\"rule_type\": \"blacklist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"abc123...\", \"action\": \"deny\"}]}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
+
+**Configuration Query Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"query_type\": \"config_keys\", \"config_keys\": [\"auth_enabled\", \"max_connections\"], \"descriptions\": {\"auth_enabled\": \"Enable whitelist/blacklist rules\"}}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
 
-**The C Nostr Relay represents the future of Nostr infrastructure - zero configuration, event-based management, and cryptographically secure administration.**

db/README.md

@@ -1 +0,0 @@
-Only README.md will remain

docs/NIP-42_Authentication.md

@@ -0,0 +1,295 @@
+# NIP-42 Authentication Implementation
+
+## Overview
+
+This relay implements NIP-42 (Authentication of clients to relays) providing granular authentication controls for event submission and subscription operations. The implementation supports both challenge-response authentication and per-connection state management.
+
+## Architecture
+
+### Core Components
+
+1. **Per-Session Authentication State** (`struct per_session_data`)
+   - `authenticated`: Boolean flag indicating authentication status
+   - `authenticated_pubkey[65]`: Hex-encoded public key of authenticated user
+   - `active_challenge[65]`: Current authentication challenge
+   - `challenge_created`: Timestamp when challenge was generated
+   - `challenge_expires`: Challenge expiration timestamp
+   - `nip42_auth_required_events`: Whether auth is required for EVENT submission
+   - `nip42_auth_required_subscriptions`: Whether auth is required for REQ operations
+   - `auth_challenge_sent`: Flag indicating if challenge has been sent
+
+2. **Challenge Management** (via `request_validator.c`)
+   - `nostr_nip42_generate_challenge()`: Generates cryptographically secure challenges
+   - `nostr_nip42_verify_auth_event()`: Validates signed authentication events
+   - Challenge storage and cleanup with expiration handling
+
+3. **WebSocket Protocol Integration**
+   - AUTH message handling in `nostr_relay_callback()`
+   - Challenge generation and transmission
+   - Authentication verification and session state updates
+
+## Configuration Options
+
+### Event-Based Configuration
+
+NIP-42 authentication is configured using kind 33334 configuration events with the following tags:
+
+| Tag | Description | Default | Values |
+|-----|-------------|---------|--------|
+| `nip42_auth_required_events` | Require auth for EVENT submission | `false` | `true`/`false` |
+| `nip42_auth_required_subscriptions` | Require auth for REQ operations | `false` | `true`/`false` |
+
+### Example Configuration Event
+
+```json
+{
+  "kind": 33334,
+  "content": "C Nostr Relay Configuration",
+  "tags": [
+    ["d", "<relay_pubkey>"],
+    ["nip42_auth_required_events", "true"],
+    ["nip42_auth_required_subscriptions", "false"],
+    ["relay_description", "Authenticated Nostr Relay"]
+  ],
+  "created_at": 1640995200,
+  "pubkey": "<admin_pubkey>",
+  "id": "<event_id>",
+  "sig": "<signature>"
+}
+```
+
+## Authentication Flow
+
+### 1. Challenge Generation
+
+When authentication is required and client is not authenticated:
+
+```
+Client -> Relay: ["EVENT", <event>] (unauthenticated)
+Relay -> Client: ["AUTH", <challenge>]
+```
+
+The challenge is a 64-character hex string generated using cryptographically secure random numbers.
+
+### 2. Authentication Response
+
+Client creates and signs an authentication event (kind 22242):
+
+```json
+{
+  "kind": 22242,
+  "content": "",
+  "tags": [
+    ["relay", "ws://relay.example.com"],
+    ["challenge", "<challenge_from_relay>"]
+  ],
+  "created_at": <current_timestamp>,
+  "pubkey": "<client_pubkey>",
+  "id": "<event_id>",
+  "sig": "<signature>"
+}
+```
+
+Client sends this event back to relay:
+
+```
+Client -> Relay: ["AUTH", <signed_auth_event>]
+```
+
+### 3. Verification and Session Update
+
+The relay:
+1. Validates the authentication event signature
+2. Verifies the challenge matches the one sent
+3. Checks challenge expiration (default: 10 minutes)
+4. Updates session state with authenticated public key
+5. Sends confirmation notice
+
+```
+Relay -> Client: ["NOTICE", "NIP-42 authentication successful"]
+```
+
+## Granular Authentication Controls
+
+### Separate Controls for Events vs Subscriptions
+
+The implementation provides separate authentication requirements:
+
+- **Event Submission**: Control whether clients must authenticate to publish events
+- **Subscription Access**: Control whether clients must authenticate to create subscriptions
+
+This allows flexible relay policies:
+- **Public Read, Authenticated Write**: `events=true, subscriptions=false`
+- **Fully Authenticated**: `events=true, subscriptions=true`
+- **Public Access**: `events=false, subscriptions=false` (default)
+- **Authenticated Read Only**: `events=false, subscriptions=true`
+
+### Per-Connection State
+
+Each WebSocket connection maintains its own authentication state:
+- Authentication persists for the lifetime of the connection
+- Challenges expire after 10 minutes
+- Session cleanup on connection close
+
+## Security Features
+
+### Challenge Security
+- 64-character hexadecimal challenges (256 bits of entropy)
+- Cryptographically secure random generation
+- Challenge expiration to prevent replay attacks
+- One-time use challenges
+
+### Event Validation
+- Complete signature verification using secp256k1
+- Event ID validation
+- Challenge-response binding verification
+- Timestamp validation with configurable tolerance
+
+### Session Management
+- Thread-safe per-session state management
+- Automatic cleanup on disconnection
+- Challenge expiration handling
+
+## Client Integration
+
+### Using nak Client
+
+```bash
+# Generate keypair
+PRIVKEY=$(nak key --gen)
+PUBKEY=$(nak key --pub $PRIVKEY)
+
+# Connect and authenticate automatically
+nak event -k 1 --content "Authenticated message" --sec $PRIVKEY --relay ws://localhost:8888
+
+# nak handles NIP-42 authentication automatically when required
+```
+
+### Manual WebSocket Integration
+
+```javascript
+const ws = new WebSocket('ws://localhost:8888');
+
+ws.onmessage = (event) => {
+  const message = JSON.parse(event.data);
+  
+  if (message[0] === 'AUTH') {
+    const challenge = message[1];
+    
+    // Create auth event (kind 22242)
+    const authEvent = {
+      kind: 22242,
+      content: "",
+      tags: [
+        ["relay", "ws://localhost:8888"],
+        ["challenge", challenge]
+      ],
+      created_at: Math.floor(Date.now() / 1000),
+      pubkey: clientPubkey,
+      // ... calculate id and signature
+    };
+    
+    // Send auth response
+    ws.send(JSON.stringify(["AUTH", authEvent]));
+  }
+};
+
+// Send event (may trigger AUTH challenge)
+ws.send(JSON.stringify(["EVENT", myEvent]));
+```
+
+## Administration
+
+### Enabling Authentication
+
+1. **Get Admin Private Key**: Extract from relay startup logs (shown once)
+2. **Create Configuration Event**: Use nak or custom tooling
+3. **Publish Configuration**: Send to relay with admin signature
+
+```bash
+# Enable auth for events only
+nak event -k 33334 \
+  --content "C Nostr Relay Configuration" \
+  --tag "d=$RELAY_PUBKEY" \
+  --tag "nip42_auth_required_events=true" \
+  --tag "nip42_auth_required_subscriptions=false" \
+  --sec $ADMIN_PRIVKEY \
+  --relay ws://localhost:8888
+```
+
+### Monitoring Authentication
+
+- Check relay logs for authentication events
+- Monitor `NOTICE` messages for auth status
+- Use `get_settings.sh` script to view current configuration
+
+```bash
+./get_settings.sh
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Challenge Expiration**
+   - Default: 10 minutes
+   - Client must respond within expiration window
+   - Generate new challenge for expired attempts
+
+2. **Signature Verification Failures**
+   - Verify event structure matches NIP-42 specification
+   - Check challenge value matches exactly
+   - Ensure proper secp256k1 signature generation
+
+3. **Configuration Not Applied**
+   - Verify admin private key is correct
+   - Check configuration event signature
+   - Ensure relay pubkey in 'd' tag matches relay
+
+### Debug Commands
+
+```bash
+# Check supported NIPs
+curl -H "Accept: application/nostr+json" http://localhost:8888 | jq .supported_nips
+
+# View current configuration
+nak req -k 33334 ws://localhost:8888 | jq .
+
+# Test authentication flow
+./tests/42_nip_test.sh
+```
+
+## Performance Considerations
+
+- Challenge generation: ~1ms overhead per unauthenticated connection
+- Authentication verification: ~2-5ms per auth event
+- Memory overhead: ~200 bytes per connection for auth state
+- Database impact: Configuration events cached, minimal query overhead
+
+## Integration with Other NIPs
+
+### NIP-01 (Basic Protocol)
+- AUTH messages integrated into standard WebSocket flow
+- Compatible with existing EVENT/REQ/CLOSE message handling
+
+### NIP-11 (Relay Information)
+- NIP-42 advertised in `supported_nips` array
+- Authentication requirements reflected in relay metadata
+
+### NIP-20 (Command Results)
+- OK responses include authentication-related error messages
+- NOTICE messages provide authentication status updates
+
+## Future Extensions
+
+### Potential Enhancements
+- Role-based authentication (admin, user, read-only)
+- Time-based access controls
+- Rate limiting based on authentication status
+- Integration with external authentication providers
+
+### Configuration Extensions
+- Per-kind authentication requirements
+- Whitelist/blacklist integration
+- Custom challenge expiration times
+- Authentication logging and metrics

docs/admin_api_plan.md

@@ -0,0 +1,537 @@
+# C-Relay Administrator API Implementation Plan
+
+## Problem Analysis
+
+### Current Issues Identified:
+
+1. **Schema Mismatch**: Storage system (config.c) vs Validation system (request_validator.c) use different column names and values
+2. **Missing API Endpoint**: No way to clear auth_rules table for testing
+3. **Configuration Gap**: Auth rules enforcement may not be properly enabled
+4. **Documentation Gap**: Admin API commands not documented
+
+### Root Cause: Auth Rules Schema Inconsistency
+
+**Current Schema (sql_schema.h lines 140-150):**
+```sql
+CREATE TABLE auth_rules (
+    rule_type TEXT CHECK (rule_type IN ('whitelist', 'blacklist')),
+    pattern_type TEXT CHECK (pattern_type IN ('pubkey', 'hash')),  
+    pattern_value TEXT,
+    action TEXT CHECK (action IN ('allow', 'deny')),
+    active INTEGER DEFAULT 1
+);
+```
+
+**Storage Implementation (config.c):**
+- Stores: `rule_type='blacklist'`, `pattern_type='pubkey'`, `pattern_value='hex'`, `action='allow'`
+
+**Validation Implementation (request_validator.c):**
+- Queries: `rule_type='pubkey_blacklist'`, `rule_target='hex'`, `operation='event'`, `enabled=1`
+
+**MISMATCH**: Validator looks for non-existent columns and wrong rule_type values!
+
+## Proposed Solution Architecture
+
+### Phase 1: API Documentation & Standardization
+
+#### Admin API Commands (via WebSocket with admin private key)
+
+**Kind 23455: Configuration Management (Ephemeral)**
+- Update relay settings, limits, authentication policies
+- **Standard Mode**: Commands in tags `["config_key", "config_value"]`
+- **Encrypted Mode**: Commands NIP-44 encrypted in content `{"encrypted_tags": "..."}`
+- Content: Descriptive text or encrypted payload
+- Security: Optional NIP-44 encryption for sensitive operations
+
+**Kind 23456: Auth Rules & System Management (Ephemeral)**
+- Auth rules: Add/remove/query whitelist/blacklist rules
+- System commands: clear rules, status, cache management
+- **Standard Mode**: Commands in tags
+  - Rule format: `["rule_type", "pattern_type", "pattern_value"]`
+  - Query format: `["auth_query", "filter"]`
+  - System format: `["system_command", "command_name"]`
+- **Encrypted Mode**: Commands NIP-44 encrypted in content `{"encrypted_tags": "..."}`
+- Content: Action description + optional encrypted payload
+- Security: Optional NIP-44 encryption for sensitive operations
+
+#### Configuration Query Commands (using Kind 23455)
+
+1. **List All Configuration Keys (Standard)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "Discovery query",
+     "tags": [["config_query", "list_all_keys"]]
+   }
+   ```
+
+2. **List All Configuration Keys (Encrypted)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "{\"query\":\"list_config_keys\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["config_query", "list_all_keys"]]`
+
+3. **Get Current Configuration (Standard)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "Config query",
+     "tags": [["config_query", "get_current_config"]]
+   }
+   ```
+
+4. **Get Current Configuration (Encrypted)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "{\"query\":\"get_config\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["config_query", "get_current_config"]]`
+
+#### System Management Commands (using Kind 23456)
+
+1. **Clear All Auth Rules (Standard)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"clear_all\"}",
+     "tags": [["system_command", "clear_all_auth_rules"]]
+   }
+   ```
+
+2. **Clear All Auth Rules (Encrypted)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"clear_all\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["system_command", "clear_all_auth_rules"]]`
+
+3. **Query All Auth Rules (Standard)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"query\":\"list_auth_rules\"}",
+     "tags": [["auth_query", "all"]]
+   }
+   ```
+
+4. **Query All Auth Rules (Encrypted)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"query\":\"list_auth_rules\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["auth_query", "all"]]`
+
+5. **Add Blacklist Rule (Standard)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"add\"}",
+     "tags": [["blacklist", "pubkey", "deadbeef1234abcd..."]]
+   }
+   ```
+
+6. **Add Blacklist Rule (Encrypted)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"add\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["blacklist", "pubkey", "deadbeef1234abcd..."]]`
+
+### Phase 2: Auth Rules Schema Alignment
+
+#### Option A: Fix Validator to Match Schema (RECOMMENDED)
+
+**Update request_validator.c:**
+```sql
+-- OLD (broken):
+WHERE rule_type = 'pubkey_blacklist' AND rule_target = ? AND operation = ? AND enabled = 1
+
+-- NEW (correct):
+WHERE rule_type = 'blacklist' AND pattern_type = 'pubkey' AND pattern_value = ? AND active = 1
+```
+
+**Benefits:**
+- Matches actual database schema
+- Simpler rule_type values ('blacklist' vs 'pubkey_blacklist')  
+- Uses existing columns (pattern_value vs rule_target)
+- Consistent with storage implementation
+
+#### Option B: Update Schema to Match Validator (NOT RECOMMENDED)
+
+Would require changing schema, migration scripts, and storage logic.
+
+### Phase 3: Implementation Priority
+
+#### High Priority (Critical for blacklist functionality):
+1. Fix request_validator.c schema mismatch
+2. Ensure auth_required configuration is enabled
+3. Update tests to use ephemeral event kinds (23455/23456)
+4. Test blacklist enforcement
+
+#### Medium Priority (Enhanced Admin Features):
+1. **Implement NIP-44 Encryption Support**:
+   - Detect empty tags array for Kind 23455/23456 events
+   - Parse `encrypted_tags` field from content JSON
+   - Decrypt using admin privkey and relay pubkey
+   - Process decrypted tags as normal commands
+2. Add clear_all_auth_rules system command
+3. Add auth rule query functionality (both standard and encrypted modes)
+4. Add configuration discovery (list available config keys)
+5. Enhanced error reporting in admin API
+6. Conflict resolution (same pubkey in whitelist + blacklist)
+
+#### Security Priority (NIP-44 Implementation):
+1. **Encryption Detection Logic**: Check for empty tags + encrypted_tags field
+2. **Key Pair Management**: Use admin private key + relay public key for NIP-44
+3. **Backward Compatibility**: Support both standard and encrypted modes
+4. **Error Handling**: Graceful fallback if decryption fails
+5. **Performance**: Cache decrypted results to avoid repeated decryption
+
+#### Low Priority (Documentation & Polish):
+1. Complete README.md API documentation
+2. Example usage scripts
+3. Admin client tools
+
+### Phase 4: Expected API Structure
+
+#### README.md Documentation Format:
+
+```markdown
+# C-Relay Administrator API
+
+## Authentication
+All admin commands require signing with the admin private key generated during first startup.
+
+## Configuration Management (Kind 23455 - Ephemeral)
+Update relay configuration parameters or query available settings.
+
+**Configuration Update Event:**
+```json
+{
+  "kind": 23455,
+  "content": "Configuration update",
+  "tags": [
+    ["config_key1", "config_value1"],
+    ["config_key2", "config_value2"]
+  ]
+}
+```
+
+**List Available Config Keys:**
+```json
+{
+  "kind": 23455,
+  "content": "{\"query\":\"list_config_keys\",\"description\":\"Get editable config keys\"}",
+  "tags": [
+    ["config_query", "list_all_keys"]
+  ]
+}
+```
+
+**Get Current Configuration:**
+```json
+{
+  "kind": 23455,
+  "content": "{\"query\":\"get_config\",\"description\":\"Get current config values\"}",
+  "tags": [
+    ["config_query", "get_current_config"]
+  ]
+}
+```
+
+## Auth Rules Management (Kind 23456 - Ephemeral)
+Manage whitelist and blacklist rules.
+
+**Add Rule Event:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"add\",\"description\":\"Block malicious user\"}",
+  "tags": [
+    ["blacklist", "pubkey", "deadbeef1234..."]
+  ]
+}
+```
+
+**Remove Rule Event:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"remove\",\"description\":\"Unblock user\"}",
+  "tags": [
+    ["blacklist", "pubkey", "deadbeef1234..."]
+  ]
+}
+```
+
+**Query All Auth Rules:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"query\":\"list_auth_rules\",\"description\":\"Get all rules\"}",
+  "tags": [
+    ["auth_query", "all"]
+  ]
+}
+```
+
+**Query Whitelist Rules Only:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"query\":\"list_auth_rules\",\"description\":\"Get whitelist\"}",
+  "tags": [
+    ["auth_query", "whitelist"]
+  ]
+}
+```
+
+**Check Specific Pattern:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"query\":\"check_pattern\",\"description\":\"Check if pattern exists\"}",
+  "tags": [
+    ["auth_query", "pattern", "deadbeef1234..."]
+  ]
+}
+```
+
+## System Management (Kind 23456 - Ephemeral)
+System administration commands using the same kind as auth rules.
+
+**Clear All Auth Rules:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"clear_all\",\"description\":\"Clear all auth rules\"}",
+  "tags": [
+    ["system_command", "clear_all_auth_rules"]
+  ]
+}
+```
+
+**System Status:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"system_status\",\"description\":\"Get system status\"}",
+  "tags": [
+    ["system_command", "system_status"]
+  ]
+}
+```
+
+## Response Format
+All admin commands return JSON responses via WebSocket:
+
+**Success Response:**
+```json
+["OK", "event_id", true, "success_message"]
+```
+
+**Error Response:**  
+```json
+["OK", "event_id", false, "error_message"]
+```
+
+## Configuration Keys
+- `relay_description`: Relay description text
+- `relay_contact`: Contact information  
+- `auth_enabled`: Enable authentication system
+- `max_connections`: Maximum concurrent connections
+- `pow_min_difficulty`: Minimum proof-of-work difficulty
+- ... (full list of config keys)
+
+## Examples
+
+### Enable Authentication & Add Blacklist
+```bash
+# 1. Enable auth system
+nak event -k 23455 --content "Enable authentication" \
+  -t "auth_enabled=true" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+
+# 2. Add user to blacklist
+nak event -k 23456 --content '{"action":"add","description":"Spam user"}' \
+  -t "blacklist=pubkey;$SPAM_USER_PUBKEY" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+
+# 3. Query all auth rules
+nak event -k 23456 --content '{"query":"list_auth_rules","description":"Get all rules"}' \
+  -t "auth_query=all" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+
+# 4. Clear all rules for testing
+nak event -k 23456 --content '{"action":"clear_all","description":"Clear all rules"}' \
+  -t "system_command=clear_all_auth_rules" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+```
+
+## Expected Response Formats
+
+### Configuration Query Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23455,
+  "content": "{\"config_keys\": [\"auth_enabled\", \"max_connections\"], \"descriptions\": {\"auth_enabled\": \"Enable whitelist/blacklist rules\"}}",
+  "tags": [["response_type", "config_keys_list"]]
+}]
+```
+
+### Current Config Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23455,
+  "content": "{\"current_config\": {\"auth_enabled\": \"true\", \"max_connections\": \"1000\"}}",
+  "tags": [["response_type", "current_config"]]
+}]
+```
+
+### Auth Rules Query Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23456,
+  "content": "{\"auth_rules\": [{\"rule_type\": \"blacklist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"deadbeef...\"}, {\"rule_type\": \"whitelist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"cafebabe...\"}]}",
+  "tags": [["response_type", "auth_rules_list"], ["query_type", "all"]]
+}]
+```
+
+### Pattern Check Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23456,
+  "content": "{\"pattern_exists\": true, \"rule_type\": \"blacklist\", \"pattern_value\": \"deadbeef...\"}",
+  "tags": [["response_type", "pattern_check"], ["pattern", "deadbeef..."]]
+}]
+```
+
+## Implementation Steps
+
+1. **Document API** (this file) ✅
+2. **Update to ephemeral event kinds** ✅
+3. **Fix request_validator.c** schema mismatch
+4. **Update tests** to use Kind 23455/23456
+5. **Add auth rule query functionality**
+6. **Add configuration discovery feature**
+7. **Test blacklist functionality**
+8. **Add remaining system commands**
+
+## Testing Plan
+
+1. Fix schema mismatch and test basic blacklist
+2. Add clear_auth_rules and test table cleanup
+3. Test whitelist/blacklist conflict scenarios  
+4. Test all admin API commands end-to-end
+5. Update integration tests
+
+This plan addresses the immediate blacklist issue while establishing a comprehensive admin API framework for future expansion.
+
+## NIP-44 Encryption Implementation Details
+
+### Server-Side Detection Logic
+```c
+// In admin event processing function
+bool is_encrypted_command(struct nostr_event *event) {
+    // Check if Kind 23455 or 23456 with empty tags
+    if ((event->kind == 23455 || event->kind == 23456) &&
+        event->tags_count == 0) {
+        return true;
+    }
+    return false;
+}
+
+cJSON *decrypt_admin_tags(struct nostr_event *event) {
+    cJSON *content_json = cJSON_Parse(event->content);
+    if (!content_json) return NULL;
+    
+    cJSON *encrypted_tags = cJSON_GetObjectItem(content_json, "encrypted_tags");
+    if (!encrypted_tags) {
+        cJSON_Delete(content_json);
+        return NULL;
+    }
+    
+    // Decrypt using NIP-44 with admin pubkey and relay privkey
+    char *decrypted = nip44_decrypt(
+        cJSON_GetStringValue(encrypted_tags),
+        admin_pubkey,           // Shared secret with admin
+        relay_private_key       // Our private key
+    );
+    
+    cJSON *decrypted_tags = cJSON_Parse(decrypted);
+    free(decrypted);
+    cJSON_Delete(content_json);
+    
+    return decrypted_tags; // Returns tag array: [["key1", "val1"], ["key2", "val2"]]
+}
+```
+
+### Admin Event Processing Flow
+1. **Receive Event**: Kind 23455/23456 with admin signature
+2. **Check Mode**: Empty tags = encrypted, populated tags = standard
+3. **Decrypt if Needed**: Extract and decrypt `encrypted_tags` from content
+4. **Process Commands**: Use decrypted/standard tags for command processing
+5. **Execute**: Same logic for both modes after tag extraction
+6. **Respond**: Standard response format (optionally encrypt response)
+
+### Security Benefits
+- **Command Privacy**: Admin operations invisible in event tags
+- **Replay Protection**: NIP-44 includes timestamp/randomness
+- **Key Management**: Uses existing admin/relay key pair
+- **Backward Compatible**: Standard mode still works
+- **Performance**: Only decrypt when needed (empty tags detection)
+
+### NIP-44 Library Integration
+The relay will need to integrate a NIP-44 encryption/decryption library:
+
+```c
+// Required NIP-44 functions
+char* nip44_encrypt(const char* plaintext, const char* sender_privkey, const char* recipient_pubkey);
+char* nip44_decrypt(const char* ciphertext, const char* recipient_privkey, const char* sender_pubkey);
+```
+
+### Implementation Priority (Updated)
+
+#### Phase 1: Core Infrastructure (Complete)
+- [x] Event-based admin authentication system
+- [x] Kind 23455/23456 (Configuration/Auth Rules) processing
+- [x] Basic configuration parameter updates
+- [x] Auth rule add/remove/clear functionality
+- [x] Updated to ephemeral event kinds
+- [x] Designed NIP-44 encryption support
+
+#### Phase 2: NIP-44 Encryption Support (Next Priority)
+- [ ] **Add NIP-44 library dependency** to project
+- [ ] **Implement encryption detection logic** (`is_encrypted_command()`)
+- [ ] **Add decrypt_admin_tags() function** with NIP-44 support
+- [ ] **Update admin command processing** to handle both modes
+- [ ] **Test encrypted admin commands** end-to-end
+
+#### Phase 3: Enhanced Features
+- [ ] **Auth rule query functionality** (both standard and encrypted modes)
+- [ ] **Configuration discovery API** (list available config keys)
+- [ ] **Enhanced error messages** with encryption status
+- [ ] **Performance optimization** (caching, async decrypt)
+
+#### Phase 4: Schema Fixes (Critical)
+- [ ] **Fix request_validator.c** schema mismatch
+- [ ] **Enable blacklist enforcement** with encrypted commands
+- [ ] **Update tests** to use both standard and encrypted modes
+
+This enhanced admin API provides enterprise-grade security while maintaining ease of use for basic operations.

get_settings.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# get_settings.sh - Query relay configuration events using nak
+# Uses admin test key to query kind 33334 configuration events
+
+# Test key configuration
+ADMIN_PRIVATE_KEY="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ADMIN_PUBLIC_KEY="6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3"
+RELAY_PUBLIC_KEY="4f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa"
+RELAY_URL="ws://localhost:8888"
+
+echo "Querying configuration events (kind 33334) from relay at $RELAY_URL"
+echo "Using admin public key: $ADMIN_PUBLIC_KEY"
+echo "Looking for relay config: $RELAY_PUBLIC_KEY"
+echo ""
+
+# Query for kind 33334 configuration events
+# These events contain the relay configuration with d-tag matching the relay pubkey
+nak req -k 33334 "$RELAY_URL" | jq .

make_and_restart_relay.sh

@@ -8,13 +8,69 @@ echo "=== C Nostr Relay Build and Restart Script ==="
 # Parse command line arguments
 PRESERVE_DATABASE=false
 HELP=false
+USE_TEST_KEYS=false
+ADMIN_KEY=""
+RELAY_KEY=""
+PORT_OVERRIDE=""
+
+# Key validation function
+validate_hex_key() {
+    local key="$1"
+    local key_type="$2"
+    
+    if [ ${#key} -ne 64 ]; then
+        echo "ERROR: $key_type key must be exactly 64 characters"
+        return 1
+    fi
+    
+    if ! [[ "$key" =~ ^[0-9a-fA-F]{64}$ ]]; then
+        echo "ERROR: $key_type key must contain only hex characters (0-9, a-f, A-F)"
+        return 1
+    fi
+    
+    return 0
+}
 
 while [[ $# -gt 0 ]]; do
     case $1 in
-        --preserve-database|-p)
+        -a|--admin-key)
+            if [ -z "$2" ]; then
+                echo "ERROR: Admin key option requires a value"
+                HELP=true
+                shift
+            else
+                ADMIN_KEY="$2"
+                shift 2
+            fi
+            ;;
+        -r|--relay-key)
+            if [ -z "$2" ]; then
+                echo "ERROR: Relay key option requires a value"
+                HELP=true
+                shift
+            else
+                RELAY_KEY="$2"
+                shift 2
+            fi
+            ;;
+        -p|--port)
+            if [ -z "$2" ]; then
+                echo "ERROR: Port option requires a value"
+                HELP=true
+                shift
+            else
+                PORT_OVERRIDE="$2"
+                shift 2
+            fi
+            ;;
+        --preserve-database)
             PRESERVE_DATABASE=true
             shift
             ;;
+        --test-keys|-t)
+            USE_TEST_KEYS=true
+            shift
+            ;;
         --help|-h)
             HELP=true
             shift
@@ -27,23 +83,53 @@ while [[ $# -gt 0 ]]; do
     esac
 done
 
+# Validate custom keys if provided
+if [ -n "$ADMIN_KEY" ]; then
+    if ! validate_hex_key "$ADMIN_KEY" "Admin"; then
+        exit 1
+    fi
+fi
+
+if [ -n "$RELAY_KEY" ]; then
+    if ! validate_hex_key "$RELAY_KEY" "Relay"; then
+        exit 1
+    fi
+fi
+
+# Validate port if provided
+if [ -n "$PORT_OVERRIDE" ]; then
+    if ! [[ "$PORT_OVERRIDE" =~ ^[0-9]+$ ]] || [ "$PORT_OVERRIDE" -lt 1 ] || [ "$PORT_OVERRIDE" -gt 65535 ]; then
+        echo "ERROR: Port must be a number between 1 and 65535"
+        exit 1
+    fi
+fi
+
 # Show help
 if [ "$HELP" = true ]; then
     echo "Usage: $0 [OPTIONS]"
     echo ""
     echo "Options:"
-    echo "  --preserve-database, -p  Keep existing database files (don't delete for fresh start)"
-    echo "  --help, -h              Show this help message"
+    echo "  -a, --admin-key <hex>    64-character hex admin private key"
+    echo "  -r, --relay-key <hex>    64-character hex relay private key"
+    echo "  -p, --port <port>        Custom port override (default: 8888)"
+    echo "  --preserve-database      Keep existing database files (don't delete for fresh start)"
+    echo "  --test-keys, -t          Use deterministic test keys for development (admin: all 'a's, relay: all '1's)"
+    echo "  --help, -h               Show this help message"
     echo ""
     echo "Event-Based Configuration:"
     echo "  This relay now uses event-based configuration stored directly in the database."
     echo "  On first startup, keys are automatically generated and printed once."
-    echo "  Database file: <relay_pubkey>.nrdb (created automatically)"
+    echo "  Database file: <relay_pubkey>.db (created automatically)"
     echo ""
     echo "Examples:"
-    echo "  $0                       # Fresh start with new keys (default)"
-    echo "  $0 -p                   # Preserve existing database and keys"
+    echo "  $0                                    # Fresh start with random keys"
+    echo "  $0 -a <admin-hex> -r <relay-hex>     # Use custom keys"
+    echo "  $0 -a <admin-hex> -p 9000            # Custom admin key on port 9000"
+    echo "  $0 --preserve-database               # Preserve existing database and keys"
+    echo "  $0 --test-keys                       # Use test keys for consistent development"
+    echo "  $0 -t --preserve-database            # Use test keys and preserve database"
     echo ""
+    echo "Key Format: Keys must be exactly 64 hexadecimal characters (0-9, a-f, A-F)"
     echo "Default behavior: Deletes existing database files to start fresh with new keys"
     echo "                 for development purposes"
     exit 0
@@ -51,15 +137,22 @@ fi
 
 # Handle database file cleanup for fresh start
 if [ "$PRESERVE_DATABASE" = false ]; then
-    if ls *.nrdb >/dev/null 2>&1; then
+    if ls *.db >/dev/null 2>&1 || ls build/*.db >/dev/null 2>&1; then
         echo "Removing existing database files to trigger fresh key generation..."
-        rm -f *.nrdb
+        rm -f *.db build/*.db
         echo "✓ Database files removed - will generate new keys and database"
     else
         echo "No existing database found - will generate fresh setup"
     fi
 else
     echo "Preserving existing database files as requested"
+    # Back up database files before clean build
+    if ls build/*.db >/dev/null 2>&1; then
+        echo "Backing up existing database files..."
+        mkdir -p /tmp/relay_backup_$$
+        cp build/*.db* /tmp/relay_backup_$$/ 2>/dev/null || true
+        echo "Database files backed up to temporary location"
+    fi
 fi
 
 # Clean up legacy files that are no longer used
@@ -70,6 +163,14 @@ rm -f db/c_nostr_relay.db* 2>/dev/null
 echo "Building project..."
 make clean all
 
+# Restore database files if preserving
+if [ "$PRESERVE_DATABASE" = true ] && [ -d "/tmp/relay_backup_$$" ]; then
+    echo "Restoring preserved database files..."
+    cp /tmp/relay_backup_$$/*.db* build/ 2>/dev/null || true
+    rm -rf /tmp/relay_backup_$$
+    echo "Database files restored to build directory"
+fi
+
 # Check if build was successful
 if [ $? -ne 0 ]; then
     echo "ERROR: Build failed. Cannot restart relay."
@@ -97,25 +198,54 @@ fi
 
 echo "Build successful. Proceeding with relay restart..."
 
-# Kill existing relay if running
+# Kill existing relay if running - start aggressive immediately
 echo "Stopping any existing relay servers..."
-pkill -f "c_relay_" 2>/dev/null
-sleep 2  # Give time for shutdown
 
-# Check if port is still bound
-if lsof -i :8888 >/dev/null 2>&1; then
-    echo "Port 8888 still in use, force killing..."
-    fuser -k 8888/tcp 2>/dev/null || echo "No process on port 8888"
+# Get all relay processes and kill them immediately with -9
+RELAY_PIDS=$(pgrep -f "c_relay_" || echo "")
+if [ -n "$RELAY_PIDS" ]; then
+    echo "Force killing relay processes immediately: $RELAY_PIDS"
+    kill -9 $RELAY_PIDS 2>/dev/null
+else
+    echo "No existing relay processes found"
 fi
 
-# Get any remaining processes
-REMAINING_PIDS=$(pgrep -f "c_relay_" || echo "")
-if [ -n "$REMAINING_PIDS" ]; then
-    echo "Force killing remaining processes: $REMAINING_PIDS"
-    kill -9 $REMAINING_PIDS 2>/dev/null
+# Ensure port 8888 is completely free with retry loop
+echo "Ensuring port 8888 is available..."
+for attempt in {1..15}; do
+    if ! lsof -i :8888 >/dev/null 2>&1; then
+        echo "Port 8888 is now free"
+        break
+    fi
+    
+    echo "Attempt $attempt: Port 8888 still in use, force killing..."
+    # Kill anything using port 8888
+    fuser -k 8888/tcp 2>/dev/null || true
+    
+    # Double-check for any remaining relay processes
+    REMAINING_PIDS=$(pgrep -f "c_relay_" || echo "")
+    if [ -n "$REMAINING_PIDS" ]; then
+        echo "Killing remaining relay processes: $REMAINING_PIDS"
+        kill -9 $REMAINING_PIDS 2>/dev/null || true
+    fi
+    
+    sleep 2
+    
+    if [ $attempt -eq 15 ]; then
+        echo "ERROR: Could not free port 8888 after 15 attempts"
+        echo "Current processes using port:"
+        lsof -i :8888 2>/dev/null || echo "No process details available"
+        echo "You may need to manually kill processes or reboot"
+        exit 1
+    fi
+done
+
+# Final safety check - ensure no relay processes remain
+FINAL_PIDS=$(pgrep -f "c_relay_" || echo "")
+if [ -n "$FINAL_PIDS" ]; then
+    echo "Final cleanup: killing processes $FINAL_PIDS"
+    kill -9 $FINAL_PIDS 2>/dev/null || true
     sleep 1
-else
-    echo "No existing relay found"
 fi
 
 # Clean up PID file
@@ -129,9 +259,41 @@ echo "Database will be initialized automatically on startup if needed"
 echo "Starting relay server..."
 echo "Debug: Current processes: $(ps aux | grep 'c_relay_' | grep -v grep || echo 'None')"
 
-# Start relay in background and capture its PID (no command line arguments needed)
-$BINARY_PATH > relay.log 2>&1 &
+# Build command line arguments for relay binary
+RELAY_ARGS=""
+
+if [ -n "$ADMIN_KEY" ]; then
+    RELAY_ARGS="$RELAY_ARGS -a $ADMIN_KEY"
+    echo "Using custom admin key: ${ADMIN_KEY:0:16}..."
+fi
+
+if [ -n "$RELAY_KEY" ]; then
+    RELAY_ARGS="$RELAY_ARGS -r $RELAY_KEY"
+    echo "Using custom relay key: ${RELAY_KEY:0:16}..."
+fi
+
+if [ -n "$PORT_OVERRIDE" ]; then
+    RELAY_ARGS="$RELAY_ARGS -p $PORT_OVERRIDE"
+    echo "Using custom port: $PORT_OVERRIDE"
+fi
+
+# Change to build directory before starting relay so database files are created there
+cd build
+# Start relay in background and capture its PID
+if [ "$USE_TEST_KEYS" = true ]; then
+    echo "Using deterministic test keys for development..."
+    ./$(basename $BINARY_PATH) -a aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -r 1111111111111111111111111111111111111111111111111111111111111111 > ../relay.log 2>&1 &
+elif [ -n "$RELAY_ARGS" ]; then
+    echo "Starting relay with custom configuration..."
+    ./$(basename $BINARY_PATH) $RELAY_ARGS > ../relay.log 2>&1 &
+else
+    # No command line arguments needed for random key generation
+    echo "Starting relay with random key generation..."
+    ./$(basename $BINARY_PATH) > ../relay.log 2>&1 &
+fi
 RELAY_PID=$!
+# Change back to original directory
+cd ..
 
 echo "Started with PID: $RELAY_PID"
 
@@ -142,7 +304,34 @@ sleep 3
 if ps -p "$RELAY_PID" >/dev/null 2>&1; then
     echo "Relay started successfully!"
     echo "PID: $RELAY_PID"
-    echo "WebSocket endpoint: ws://127.0.0.1:8888"
+    
+    # Wait for relay to fully initialize and detect the actual port it's using
+    sleep 2
+    
+    # Extract actual port from relay logs
+    ACTUAL_PORT=""
+    if [ -f relay.log ]; then
+        # Look for the success message with actual port
+        ACTUAL_PORT=$(grep "WebSocket relay started on ws://127.0.0.1:" relay.log 2>/dev/null | tail -1 | sed -n 's/.*ws:\/\/127\.0\.0\.1:\([0-9]*\).*/\1/p')
+        
+        # If we couldn't find the port in logs, try to detect from netstat
+        if [ -z "$ACTUAL_PORT" ]; then
+            ACTUAL_PORT=$(netstat -tln 2>/dev/null | grep -E ":888[0-9]" | head -1 | sed -n 's/.*:\([0-9]*\).*/\1/p')
+        fi
+    fi
+    
+    # Display the actual endpoint
+    if [ -n "$ACTUAL_PORT" ]; then
+        if [ "$ACTUAL_PORT" = "8888" ]; then
+            echo "WebSocket endpoint: ws://127.0.0.1:$ACTUAL_PORT"
+        else
+            echo "WebSocket endpoint: ws://127.0.0.1:$ACTUAL_PORT (fell back from port 8888)"
+        fi
+    else
+        echo "WebSocket endpoint: ws://127.0.0.1:8888 (port detection failed - check logs)"
+    fi
+    
+    echo "HTTP endpoint: http://127.0.0.1:${ACTUAL_PORT:-8888}"
     echo "Log file: relay.log"
     echo ""
 

relay.pid

@@ -1 +1 @@
-1073070
+285781

src/config.h

@@ -4,6 +4,10 @@
 #include <sqlite3.h>
 #include <cjson/cJSON.h>
 #include <time.h>
+#include <pthread.h>
+
+// Forward declaration for WebSocket support
+struct lws;
 
 // Configuration constants
 #define CONFIG_VALUE_MAX_LENGTH 1024
@@ -23,17 +27,81 @@
 // Database path for event-based config
 extern char g_database_path[512];
 
-// Configuration manager structure
+// Unified configuration cache structure (consolidates all caching systems)
 typedef struct {
-    sqlite3* db;
-    char relay_pubkey[65];
+    // Critical keys (frequently accessed)
     char admin_pubkey[65];
-    time_t last_config_check;
-    char config_file_path[512];  // Temporary for compatibility
-} config_manager_t;
+    char relay_pubkey[65];
     
-// Global configuration manager
-extern config_manager_t g_config_manager;
+    // Auth config (from request_validator)
+    int auth_required;
+    long max_file_size;
+    int admin_enabled;
+    int nip42_mode;
+    int nip42_challenge_timeout;
+    int nip42_time_tolerance;
+    
+    // Static buffer for config values (replaces static buffers in get_config_value functions)
+    char temp_buffer[CONFIG_VALUE_MAX_LENGTH];
+    
+    // NIP-11 relay information (migrated from g_relay_info in main.c)
+    struct {
+        char name[RELAY_NAME_MAX_LENGTH];
+        char description[RELAY_DESCRIPTION_MAX_LENGTH];
+        char banner[RELAY_URL_MAX_LENGTH];
+        char icon[RELAY_URL_MAX_LENGTH];
+        char pubkey[RELAY_PUBKEY_MAX_LENGTH];
+        char contact[RELAY_CONTACT_MAX_LENGTH];
+        char software[RELAY_URL_MAX_LENGTH];
+        char version[64];
+        char privacy_policy[RELAY_URL_MAX_LENGTH];
+        char terms_of_service[RELAY_URL_MAX_LENGTH];
+        cJSON* supported_nips;
+        cJSON* limitation;
+        cJSON* retention;
+        cJSON* relay_countries;
+        cJSON* language_tags;
+        cJSON* tags;
+        char posting_policy[RELAY_URL_MAX_LENGTH];
+        cJSON* fees;
+        char payments_url[RELAY_URL_MAX_LENGTH];
+    } relay_info;
+    
+    // NIP-13 PoW configuration (migrated from g_pow_config in main.c)
+    struct {
+        int enabled;
+        int min_pow_difficulty;
+        int validation_flags;
+        int require_nonce_tag;
+        int reject_lower_targets;
+        int strict_format;
+        int anti_spam_mode;
+    } pow_config;
+    
+    // NIP-40 Expiration configuration (migrated from g_expiration_config in main.c)
+    struct {
+        int enabled;
+        int strict_mode;
+        int filter_responses;
+        int delete_expired;
+        long grace_period;
+    } expiration_config;
+    
+    // Cache management
+    time_t cache_expires;
+    int cache_valid;
+    pthread_mutex_t cache_lock;
+} unified_config_cache_t;
+
+// Command line options structure for first-time startup
+typedef struct {
+    int port_override;  // -1 = not set, >0 = port value
+    char admin_privkey_override[65];  // Empty string = not set, 64-char hex = override
+    char relay_privkey_override[65];  // Empty string = not set, 64-char hex = override
+} cli_options_t;
+
+// Global unified configuration cache
+extern unified_config_cache_t g_unified_cache;
 
 // Core configuration functions (temporary compatibility)
 int init_configuration_system(const char* config_dir_override, const char* config_file_override);
@@ -62,7 +130,7 @@ int get_config_bool(const char* key, int default_value);
 
 // First-time startup functions
 int is_first_time_startup(void);
-int first_time_startup_sequence(void);
+int first_time_startup_sequence(const cli_options_t* cli_options);
 int startup_existing_relay(const char* relay_pubkey);
 
 // Configuration application functions
@@ -70,7 +138,76 @@ int apply_configuration_from_event(const cJSON* event);
 int apply_runtime_config_handlers(const cJSON* old_event, const cJSON* new_event);
 
 // Utility functions
-char** find_existing_nrdb_files(void);
+char** find_existing_db_files(void);
 char* extract_pubkey_from_filename(const char* filename);
 
+// Secure relay private key storage functions
+int store_relay_private_key(const char* relay_privkey_hex);
+char* get_relay_private_key(void);
+const char* get_temp_relay_private_key(void);  // For first-time startup only
+
+// NIP-42 authentication configuration functions
+int parse_auth_required_kinds(const char* kinds_str, int* kinds_array, int max_kinds);
+int is_nip42_auth_required_for_kind(int event_kind);
+int is_nip42_auth_globally_required(void);
+
+// ================================
+// NEW ADMIN API FUNCTIONS
+// ================================
+
+// Config table management functions (config table created via embedded schema)
+const char* get_config_value_from_table(const char* key);
+int set_config_value_in_table(const char* key, const char* value, const char* data_type,
+                              const char* description, const char* category, int requires_restart);
+int update_config_in_table(const char* key, const char* value);
+int populate_default_config_values(void);
+int add_pubkeys_to_config_table(void);
+
+// Admin event processing functions (updated with WebSocket support)
+int process_admin_event_in_config(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
+int process_admin_config_event(cJSON* event, char* error_message, size_t error_size);
+int process_admin_auth_event(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
+
+// Unified Kind 23456 handler functions
+int handle_kind_23456_unified(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
+int handle_auth_query_unified(cJSON* event, const char* query_type, char* error_message, size_t error_size, struct lws* wsi);
+int handle_system_command_unified(cJSON* event, const char* command, char* error_message, size_t error_size, struct lws* wsi);
+int handle_auth_rule_modification_unified(cJSON* event, char* error_message, size_t error_size);
+
+// WebSocket response functions
+int send_websocket_response_data(cJSON* event, cJSON* response_data, struct lws* wsi);
+cJSON* build_query_response(const char* query_type, cJSON* results_array, int total_count);
+
+// Auth rules management functions
+int add_auth_rule_from_config(const char* rule_type, const char* pattern_type,
+                             const char* pattern_value, const char* action);
+int remove_auth_rule_from_config(const char* rule_type, const char* pattern_type,
+                                const char* pattern_value);
+
+// Unified configuration cache management
+void force_config_cache_refresh(void);
+const char* get_admin_pubkey_cached(void);
+const char* get_relay_pubkey_cached(void);
+void invalidate_config_cache(void);
+int reload_config_from_table(void);
+
+// Hybrid config access functions
+const char* get_config_value_hybrid(const char* key);
+int is_config_table_ready(void);
+
+// Migration support functions
+int initialize_config_system_with_migration(void);
+int migrate_config_from_events_to_table(void);
+int populate_config_table_from_event(const cJSON* event);
+
+// Startup configuration processing functions
+int process_startup_config_event(const cJSON* event);
+int process_startup_config_event_with_fallback(const cJSON* event);
+
+// Dynamic event generation functions for WebSocket configuration fetching
+cJSON* generate_config_event_from_table(void);
+int req_filter_requests_config_events(const cJSON* filter);
+cJSON* generate_synthetic_config_event_for_subscription(const char* sub_id, const cJSON* filters);
+char* generate_config_event_json(void);
+
 #endif /* CONFIG_H */

src/default_config_event.h

@@ -2,6 +2,7 @@
 #define DEFAULT_CONFIG_EVENT_H
 
 #include <cjson/cJSON.h>
+#include "config.h"  // For cli_options_t definition
 
 /*
  * Default Configuration Event Template
@@ -22,6 +23,12 @@ static const struct {
     // Authentication
     {"auth_enabled", "false"},
     
+    // NIP-42 Authentication Settings
+    {"nip42_auth_required_events", "false"},
+    {"nip42_auth_required_subscriptions", "false"},
+    {"nip42_auth_required_kinds", "4,14"},  // Default: DM kinds require auth
+    {"nip42_challenge_expiration", "600"},  // 10 minutes
+    
     // Server Core Settings
     {"relay_port", "8888"},
     {"max_connections", "100"},
@@ -63,6 +70,7 @@ static const struct {
 // Function to create default configuration event
 cJSON* create_default_config_event(const unsigned char* admin_privkey_bytes,
                                    const char* relay_privkey_hex,
-                                   const char* relay_pubkey_hex);
+                                   const char* relay_pubkey_hex,
+                                   const cli_options_t* cli_options);
 
 #endif /* DEFAULT_CONFIG_EVENT_H */

src/sql_schema.h

@@ -1,12 +1,12 @@
 /* Embedded SQL Schema for C Nostr Relay
  * Generated from db/schema.sql - Do not edit manually
- * Schema Version: 4
+ * Schema Version: 7
  */
 #ifndef SQL_SCHEMA_H
 #define SQL_SCHEMA_H
 
 /* Schema version constant */
-#define EMBEDDED_SCHEMA_VERSION "4"
+#define EMBEDDED_SCHEMA_VERSION "7"
 
 /* Embedded SQL schema as C string literal */
 static const char* const EMBEDDED_SCHEMA_SQL = 
@@ -15,7 +15,7 @@ static const char* const EMBEDDED_SCHEMA_SQL =
 -- Event-based configuration system using kind 33334 Nostr events\n\
 \n\
 -- Schema version tracking\n\
-PRAGMA user_version = 4;\n\
+PRAGMA user_version = 7;\n\
 \n\
 -- Enable foreign key support\n\
 PRAGMA foreign_keys = ON;\n\
@@ -58,8 +58,8 @@ CREATE TABLE schema_info (\n\
 \n\
 -- Insert schema metadata\n\
 INSERT INTO schema_info (key, value) VALUES\n\
-    ('version', '4'),\n\
-    ('description', 'Event-based Nostr relay schema with kind 33334 configuration events'),\n\
+    ('version', '7'),\n\
+    ('description', 'Hybrid Nostr relay schema with event-based and table-based configuration'),\n\
     ('created_at', strftime('%s', 'now'));\n\
 \n\
 -- Helper views for common queries\n\
@@ -128,6 +128,86 @@ BEGIN\n\
     AND id != NEW.id;\n\
 END;\n\
 \n\
+-- Relay Private Key Secure Storage\n\
+-- Stores the relay's private key separately from public configuration\n\
+CREATE TABLE relay_seckey (\n\
+    private_key_hex TEXT NOT NULL CHECK (length(private_key_hex) = 64),\n\
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n\
+);\n\
+\n\
+-- Authentication Rules Table for NIP-42 and Policy Enforcement\n\
+-- Used by request_validator.c for unified validation\n\
+CREATE TABLE auth_rules (\n\
+    id INTEGER PRIMARY KEY AUTOINCREMENT,\n\
+    rule_type TEXT NOT NULL CHECK (rule_type IN ('whitelist', 'blacklist', 'rate_limit', 'auth_required')),\n\
+    pattern_type TEXT NOT NULL CHECK (pattern_type IN ('pubkey', 'kind', 'ip', 'global')),\n\
+    pattern_value TEXT,\n\
+    action TEXT NOT NULL CHECK (action IN ('allow', 'deny', 'require_auth', 'rate_limit')),\n\
+    parameters TEXT, -- JSON parameters for rate limiting, etc.\n\
+    active INTEGER NOT NULL DEFAULT 1,\n\
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n\
+    updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n\
+);\n\
+\n\
+-- Indexes for auth_rules performance\n\
+CREATE INDEX idx_auth_rules_pattern ON auth_rules(pattern_type, pattern_value);\n\
+CREATE INDEX idx_auth_rules_type ON auth_rules(rule_type);\n\
+CREATE INDEX idx_auth_rules_active ON auth_rules(active);\n\
+\n\
+-- Configuration Table for Table-Based Config Management\n\
+-- Hybrid system supporting both event-based and table-based configuration\n\
+CREATE TABLE config (\n\
+    key TEXT PRIMARY KEY,\n\
+    value TEXT NOT NULL,\n\
+    data_type TEXT NOT NULL CHECK (data_type IN ('string', 'integer', 'boolean', 'json')),\n\
+    description TEXT,\n\
+    category TEXT DEFAULT 'general',\n\
+    requires_restart INTEGER DEFAULT 0,\n\
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n\
+    updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n\
+);\n\
+\n\
+-- Indexes for config table performance\n\
+CREATE INDEX idx_config_category ON config(category);\n\
+CREATE INDEX idx_config_restart ON config(requires_restart);\n\
+CREATE INDEX idx_config_updated ON config(updated_at DESC);\n\
+\n\
+-- Trigger to update config timestamp on changes\n\
+CREATE TRIGGER update_config_timestamp\n\
+    AFTER UPDATE ON config\n\
+    FOR EACH ROW\n\
+BEGIN\n\
+    UPDATE config SET updated_at = strftime('%s', 'now') WHERE key = NEW.key;\n\
+END;\n\
+\n\
+-- Insert default configuration values\n\
+INSERT INTO config (key, value, data_type, description, category, requires_restart) VALUES\n\
+    ('relay_description', 'A C Nostr Relay', 'string', 'Relay description', 'general', 0),\n\
+    ('relay_contact', '', 'string', 'Relay contact information', 'general', 0),\n\
+    ('relay_software', 'https://github.com/laanwj/c-relay', 'string', 'Relay software URL', 'general', 0),\n\
+    ('relay_version', '1.0.0', 'string', 'Relay version', 'general', 0),\n\
+    ('relay_port', '8888', 'integer', 'Relay port number', 'network', 1),\n\
+    ('max_connections', '1000', 'integer', 'Maximum concurrent connections', 'network', 1),\n\
+    ('auth_enabled', 'false', 'boolean', 'Enable NIP-42 authentication', 'auth', 0),\n\
+    ('nip42_auth_required_events', 'false', 'boolean', 'Require auth for event publishing', 'auth', 0),\n\
+    ('nip42_auth_required_subscriptions', 'false', 'boolean', 'Require auth for subscriptions', 'auth', 0),\n\
+    ('nip42_auth_required_kinds', '[]', 'json', 'Event kinds requiring authentication', 'auth', 0),\n\
+    ('nip42_challenge_expiration', '600', 'integer', 'Auth challenge expiration seconds', 'auth', 0),\n\
+    ('pow_min_difficulty', '0', 'integer', 'Minimum proof-of-work difficulty', 'validation', 0),\n\
+    ('pow_mode', 'optional', 'string', 'Proof-of-work mode', 'validation', 0),\n\
+    ('nip40_expiration_enabled', 'true', 'boolean', 'Enable event expiration', 'validation', 0),\n\
+    ('nip40_expiration_strict', 'false', 'boolean', 'Strict expiration mode', 'validation', 0),\n\
+    ('nip40_expiration_filter', 'true', 'boolean', 'Filter expired events in queries', 'validation', 0),\n\
+    ('nip40_expiration_grace_period', '60', 'integer', 'Expiration grace period seconds', 'validation', 0),\n\
+    ('max_subscriptions_per_client', '25', 'integer', 'Maximum subscriptions per client', 'limits', 0),\n\
+    ('max_total_subscriptions', '1000', 'integer', 'Maximum total subscriptions', 'limits', 0),\n\
+    ('max_filters_per_subscription', '10', 'integer', 'Maximum filters per subscription', 'limits', 0),\n\
+    ('max_event_tags', '2000', 'integer', 'Maximum tags per event', 'limits', 0),\n\
+    ('max_content_length', '100000', 'integer', 'Maximum event content length', 'limits', 0),\n\
+    ('max_message_length', '131072', 'integer', 'Maximum WebSocket message length', 'limits', 0),\n\
+    ('default_limit', '100', 'integer', 'Default query limit', 'limits', 0),\n\
+    ('max_limit', '5000', 'integer', 'Maximum query limit', 'limits', 0);\n\
+\n\
 -- Persistent Subscriptions Logging Tables (Phase 2)\n\
 -- Optional database logging for subscription analytics and debugging\n\
 \n\

tests/40_nip_test.sh

@@ -300,75 +300,103 @@ test_expiration_filtering_in_subscriptions() {
         return 0
     fi
     
-    print_info "Setting up test events for subscription filtering..."
+    print_info "Setting up short-lived events for proper expiration filtering test..."
     
-    # First, create a few events with different expiration times
     local private_key="91ba716fa9e7ea2fcbad360cf4f8e0d312f73984da63d90f524ad61a6a1e7dbe"
     
-    # Event 1: No expiration (should be returned)
+    # Event 1: No expiration (should always be returned)
     local event1=$(nak event --sec "$private_key" -c "Event without expiration for filtering test" --ts $(date +%s))
     
     # Event 2: Future expiration (should be returned)
     local future_timestamp=$(($(date +%s) + 1800))  # 30 minutes from now
     local event2=$(create_event_with_expiration "Event with future expiration for filtering test" "$future_timestamp")
     
-    # Event 3: Past expiration (should NOT be returned if filtering is enabled)
-    local past_timestamp=$(($(date +%s) - 3600))  # 1 hour ago
-    local event3=$(create_event_with_expiration "Event with past expiration for filtering test" "$past_timestamp")
+    # Event 3: SHORT-LIVED EVENT - expires in 3 seconds
+    local short_expiry=$(($(date +%s) + 3))  # 3 seconds from now
+    local event3=$(create_event_with_expiration "Short-lived event for filtering test" "$short_expiry")
     
-    print_info "Publishing test events..."
+    print_info "Publishing test events (including one that expires in 3 seconds)..."
     
-    # Note: We expect event3 to be rejected on submission in strict mode,
-    # so we'll create it with a slightly more recent expiration that might get through
-    local recent_past=$(($(date +%s) - 600))  # 10 minutes ago (outside grace period)
-    local event3_recent=$(create_event_with_expiration "Recently expired event for filtering test" "$recent_past")
+    # Submit all events - they should all be accepted initially
+    local response1=$(echo "[\"EVENT\",$event1]" | timeout 5s websocat "$RELAY_URL" 2>&1)
+    local response2=$(echo "[\"EVENT\",$event2]" | timeout 5s websocat "$RELAY_URL" 2>&1)
+    local response3=$(echo "[\"EVENT\",$event3]" | timeout 5s websocat "$RELAY_URL" 2>&1)
     
-    # Try to submit all events (some may be rejected)
-    echo "[\"EVENT\",$event1]" | timeout 3s websocat "$RELAY_URL" >/dev/null 2>&1 || true
-    echo "[\"EVENT\",$event2]" | timeout 3s websocat "$RELAY_URL" >/dev/null 2>&1 || true
-    echo "[\"EVENT\",$event3_recent]" | timeout 3s websocat "$RELAY_URL" >/dev/null 2>&1 || true
-    
-    sleep 2  # Let events settle
-    
-    print_info "Testing subscription filtering..."
-    
-    # Create subscription for recent events
-    local req_message='["REQ","filter_test",{"kinds":[1],"limit":10}]'
-    local response=$(echo -e "$req_message\n[\"CLOSE\",\"filter_test\"]" | timeout 5s websocat "$RELAY_URL" 2>/dev/null || echo "")
-    
-    print_info "Subscription response:"
-    echo "$response"
+    print_info "Event submission responses:"
+    echo "Event 1 (no expiry): $response1"
+    echo "Event 2 (future expiry): $response2"
+    echo "Event 3 (expires in 3s): $response3"
     echo ""
     
-    # Count events that contain our test content
+    # Verify all events were accepted
+    if [[ "$response1" != *"true"* ]] || [[ "$response2" != *"true"* ]] || [[ "$response3" != *"true"* ]]; then
+        record_test_result "Expiration Filtering in Subscriptions" "FAIL" "Events not properly accepted during submission"
+        return 1
+    fi
+    
+    print_success "✓ All events accepted during submission"
+    
+    # Test 1: Query immediately - all events should be present
+    print_info "Testing immediate subscription (before expiration)..."
+    local req_message='["REQ","filter_immediate",{"kinds":[1],"limit":10}]'
+    local immediate_response=$(echo -e "$req_message\n[\"CLOSE\",\"filter_immediate\"]" | timeout 5s websocat "$RELAY_URL" 2>/dev/null || echo "")
+    
+    local immediate_count=0
+    if echo "$immediate_response" | grep -q "Event without expiration for filtering test"; then
+        immediate_count=$((immediate_count + 1))
+    fi
+    if echo "$immediate_response" | grep -q "Event with future expiration for filtering test"; then
+        immediate_count=$((immediate_count + 1))
+    fi
+    if echo "$immediate_response" | grep -q "Short-lived event for filtering test"; then
+        immediate_count=$((immediate_count + 1))
+    fi
+    
+    print_info "Immediate response found $immediate_count/3 events"
+    
+    # Wait for the short-lived event to expire (5 seconds total wait)
+    print_info "Waiting 5 seconds for short-lived event to expire..."
+    sleep 5
+    
+    # Test 2: Query after expiration - short-lived event should be filtered out
+    print_info "Testing subscription after expiration (short-lived event should be filtered)..."
+    req_message='["REQ","filter_after_expiry",{"kinds":[1],"limit":10}]'
+    local expired_response=$(echo -e "$req_message\n[\"CLOSE\",\"filter_after_expiry\"]" | timeout 5s websocat "$RELAY_URL" 2>/dev/null || echo "")
+    
+    print_info "Post-expiration subscription response:"
+    echo "$expired_response"
+    echo ""
+    
+    # Count events in the expired response
     local no_exp_count=0
     local future_exp_count=0
-    local past_exp_count=0
+    local expired_event_count=0
     
-    if echo "$response" | grep -q "Event without expiration for filtering test"; then
+    if echo "$expired_response" | grep -q "Event without expiration for filtering test"; then
         no_exp_count=1
-        print_success "✓ Event without expiration found in subscription results"
+        print_success "✓ Event without expiration found in post-expiration results"
     fi
     
-    if echo "$response" | grep -q "Event with future expiration for filtering test"; then
+    if echo "$expired_response" | grep -q "Event with future expiration for filtering test"; then
         future_exp_count=1
-        print_success "✓ Event with future expiration found in subscription results"
+        print_success "✓ Event with future expiration found in post-expiration results"
     fi
     
-    if echo "$response" | grep -q "Recently expired event for filtering test"; then
-        past_exp_count=1
-        print_warning "✗ Recently expired event found in subscription results (should be filtered)"
+    if echo "$expired_response" | grep -q "Short-lived event for filtering test"; then
+        expired_event_count=1
+        print_error "✗ EXPIRED short-lived event found in subscription results (should be filtered!)"
     else
-        print_success "✓ Recently expired event properly filtered from subscription results"
+        print_success "✓ Expired short-lived event properly filtered from subscription results"
     fi
     
     # Evaluate results
-    local expected_events=$((no_exp_count + future_exp_count))
-    if [ $expected_events -ge 1 ] && [ $past_exp_count -eq 0 ]; then
+    local expected_active_events=$((no_exp_count + future_exp_count))
+    if [ $expected_active_events -ge 2 ] && [ $expired_event_count -eq 0 ]; then
         record_test_result "Expiration Filtering in Subscriptions" "PASS" "Expired events properly filtered from subscriptions"
         return 0
     else
-        record_test_result "Expiration Filtering in Subscriptions" "FAIL" "Expiration filtering not working properly in subscriptions"
+        local details="Found $expected_active_events active events, $expired_event_count expired events (should be 0)"
+        record_test_result "Expiration Filtering in Subscriptions" "FAIL" "Expiration filtering not working properly in subscriptions - $details"
         return 1
     fi
 }

tests/42_nip_test.sh

@@ -0,0 +1,477 @@
+#!/bin/bash
+
+# NIP-42 Authentication Test Script
+# Tests the complete NIP-42 authentication flow for the C Nostr Relay
+
+set -e
+
+RELAY_URL="ws://localhost:8888"
+HTTP_URL="http://localhost:8888"
+TEST_DIR="$(dirname "$0")"
+LOG_FILE="${TEST_DIR}/nip42_test.log"
+
+# Colors for output
+RED='\033[31m'
+GREEN='\033[32m'
+YELLOW='\033[33m'
+BLUE='\033[34m'
+BOLD='\033[1m'
+RESET='\033[0m'
+
+# Logging function
+log() {
+    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
+}
+
+log_success() {
+    echo -e "${GREEN}${BOLD}[SUCCESS]${RESET} $1" | tee -a "$LOG_FILE"
+}
+
+log_error() {
+    echo -e "${RED}${BOLD}[ERROR]${RESET} $1" | tee -a "$LOG_FILE"
+}
+
+log_info() {
+    echo -e "${BLUE}${BOLD}[INFO]${RESET} $1" | tee -a "$LOG_FILE"
+}
+
+log_warning() {
+    echo -e "${YELLOW}${BOLD}[WARNING]${RESET} $1" | tee -a "$LOG_FILE"
+}
+
+# Initialize test log
+echo "=== NIP-42 Authentication Test Started ===" > "$LOG_FILE"
+log "Starting NIP-42 authentication tests"
+
+# Check if required tools are available
+check_dependencies() {
+    log_info "Checking dependencies..."
+    
+    if ! command -v nak &> /dev/null; then
+        log_error "nak client not found. Please install: go install github.com/fiatjaf/nak@latest"
+        exit 1
+    fi
+    
+    if ! command -v jq &> /dev/null; then
+        log_error "jq not found. Please install jq for JSON processing"
+        exit 1
+    fi
+    
+    if ! command -v wscat &> /dev/null; then
+        log_warning "wscat not found. Some manual WebSocket tests will be skipped"
+        log_warning "Install with: npm install -g wscat"
+    fi
+    
+    log_success "Dependencies check complete"
+}
+
+# Test 1: Check NIP-42 in supported NIPs
+test_nip42_support() {
+    log_info "Test 1: Checking NIP-42 support in relay info"
+    
+    local response
+    response=$(curl -s -H "Accept: application/nostr+json" "$HTTP_URL")
+    
+    if echo "$response" | jq -e '.supported_nips | contains([42])' > /dev/null; then
+        log_success "NIP-42 is advertised in supported NIPs"
+        log "Supported NIPs: $(echo "$response" | jq -r '.supported_nips | @csv')"
+        return 0
+    else
+        log_error "NIP-42 not found in supported NIPs"
+        log "Response: $response"
+        return 1
+    fi
+}
+
+# Test 2: Check if relay responds with AUTH challenge when auth is required
+test_auth_challenge_generation() {
+    log_info "Test 2: Testing AUTH challenge generation"
+    
+    # First, enable NIP-42 authentication for events using configuration
+    local admin_privkey
+    admin_privkey=$(grep "Admin Private Key:" relay.log 2>/dev/null | tail -1 | cut -d' ' -f4 || echo "")
+    
+    if [[ -z "$admin_privkey" ]]; then
+        log_warning "Could not extract admin private key from relay.log - using manual test approach"
+        log_info "Manual test: Connect to relay and send an event without auth to trigger challenge"
+        return 0
+    fi
+    
+    log_info "Found admin private key, configuring NIP-42 authentication..."
+    
+    # Create configuration event to enable NIP-42 auth for events
+    local config_event
+    # Get relay pubkey for d tag
+    local relay_pubkey
+    relay_pubkey=$(nak key --pub "$admin_privkey" 2>/dev/null || echo "")
+    
+    if [[ -n "$relay_pubkey" ]]; then
+        config_event=$(nak event -k 33334 --content "C Nostr Relay Configuration" \
+            --tag "d,$relay_pubkey" \
+            --tag "nip42_auth_required_events,1" \
+            --tag "nip42_auth_required_subscriptions,0" \
+            --sec "$admin_privkey" 2>/dev/null || echo "")
+    else
+        config_event=""
+    fi
+    
+    if [[ -n "$config_event" ]]; then
+        log_info "Publishing configuration to enable NIP-42 auth for events..."
+        echo "$config_event" | nak event "$RELAY_URL" 2>/dev/null || true
+        sleep 2  # Allow time for configuration to be processed
+        log_success "Configuration sent - NIP-42 auth should now be required for events"
+    else
+        log_warning "Failed to create configuration event - proceeding with manual test"
+    fi
+    
+    return 0
+}
+
+# Test 3: Test authentication flow with nak
+test_nip42_auth_flow() {
+    log_info "Test 3: Testing complete NIP-42 authentication flow"
+    
+    # Generate test keypair
+    local test_privkey test_pubkey
+    test_privkey=$(nak key --gen 2>/dev/null || openssl rand -hex 32)
+    test_pubkey=$(nak key --pub "$test_privkey" 2>/dev/null || echo "test_pubkey")
+    
+    log_info "Generated test keypair: $test_pubkey"
+    
+    # Try to publish an event (should trigger auth challenge)
+    log_info "Attempting to publish event without authentication..."
+    
+    local test_event
+    test_event=$(nak event -k 1 --content "NIP-42 test event - should require auth" \
+        --sec "$test_privkey" 2>/dev/null || echo "")
+    
+    if [[ -n "$test_event" ]]; then
+        log_info "Publishing test event to relay..."
+        local result
+        result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
+        
+        log "Event publish result: $result"
+        
+        # Check if we got an auth challenge or notice
+        if echo "$result" | grep -q "AUTH\|auth\|authentication"; then
+            log_success "Relay requested authentication as expected"
+        elif echo "$result" | grep -q "OK.*true"; then
+            log_warning "Event was accepted without authentication (auth may be disabled)"
+        else
+            log_warning "Unexpected response: $result"
+        fi
+    else
+        log_error "Failed to create test event"
+        return 1
+    fi
+    
+    return 0
+}
+
+# Test 4: Test WebSocket AUTH message handling
+test_websocket_auth_messages() {
+    log_info "Test 4: Testing WebSocket AUTH message handling"
+    
+    if ! command -v wscat &> /dev/null; then
+        log_warning "Skipping WebSocket tests - wscat not available"
+        return 0
+    fi
+    
+    log_info "Testing WebSocket connection and AUTH message..."
+    
+    # Test WebSocket connection
+    local ws_test_file="/tmp/nip42_ws_test.json"
+    cat > "$ws_test_file" << 'EOF'
+["EVENT",{"kind":1,"content":"Test message for auth","tags":[],"created_at":1234567890,"pubkey":"0000000000000000000000000000000000000000000000000000000000000000","id":"0000000000000000000000000000000000000000000000000000000000000000","sig":"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"}]
+EOF
+    
+    log_info "Sending test message via WebSocket..."
+    timeout 5s wscat -c "$RELAY_URL" < "$ws_test_file" > /tmp/ws_response.log 2>&1 || true
+    
+    if [[ -f /tmp/ws_response.log ]]; then
+        local ws_response
+        ws_response=$(cat /tmp/ws_response.log)
+        log "WebSocket response: $ws_response"
+        
+        if echo "$ws_response" | grep -q "AUTH\|NOTICE.*auth"; then
+            log_success "WebSocket AUTH challenge detected"
+        else
+            log_info "No AUTH challenge in WebSocket response"
+        fi
+        
+        rm -f /tmp/ws_response.log
+    fi
+    
+    rm -f "$ws_test_file"
+    return 0
+}
+
+# Test 5: Configuration verification
+test_nip42_configuration() {
+    log_info "Test 5: Testing NIP-42 configuration options"
+    
+    # Check current configuration
+    log_info "Retrieving current relay configuration..."
+    
+    local config_events
+    config_events=$(nak req -k 33334 "$RELAY_URL" 2>/dev/null | jq -s '.' || echo "[]")
+    
+    if [[ "$config_events" != "[]" ]] && [[ -n "$config_events" ]]; then
+        log_success "Retrieved configuration events from relay"
+        
+        # Check for NIP-42 related configuration
+        local nip42_config
+        nip42_config=$(echo "$config_events" | jq -r '.[].tags[]? | select(.[0] | startswith("nip42")) | join("=")' 2>/dev/null || echo "")
+        
+        if [[ -n "$nip42_config" ]]; then
+            log_success "Found NIP-42 configuration:"
+            echo "$nip42_config" | while read -r line; do
+                log "  $line"
+            done
+        else
+            log_info "No specific NIP-42 configuration found (may use defaults)"
+        fi
+    else
+        log_warning "Could not retrieve configuration events"
+    fi
+    
+    return 0
+}
+
+# Test 6: Performance and stability test
+test_nip42_performance() {
+    log_info "Test 6: Testing NIP-42 performance and stability"
+    
+    local test_privkey test_pubkey
+    test_privkey=$(nak key --gen 2>/dev/null || openssl rand -hex 32)
+    test_pubkey=$(nak key --pub "$test_privkey" 2>/dev/null || echo "test_pubkey")
+    
+    log_info "Testing multiple authentication attempts..."
+    
+    local success_count=0
+    local total_attempts=5
+    
+    for i in $(seq 1 $total_attempts); do
+        local test_event
+        test_event=$(nak event -k 1 --content "Performance test event $i" \
+            --sec "$test_privkey" 2>/dev/null || echo "")
+        
+        if [[ -n "$test_event" ]]; then
+            local start_time end_time duration
+            start_time=$(date +%s.%N)
+            
+            local result
+            result=$(echo "$test_event" | timeout 5s nak event "$RELAY_URL" 2>&1 || echo "timeout")
+            
+            end_time=$(date +%s.%N)
+            duration=$(echo "$end_time - $start_time" | bc -l 2>/dev/null || echo "unknown")
+            
+            log "Attempt $i: ${duration}s - $result"
+            
+            if echo "$result" | grep -q "success\|OK.*true\|AUTH\|authentication"; then
+                ((success_count++))
+            fi
+        fi
+    done
+    
+    log_success "Performance test completed: $success_count/$total_attempts successful responses"
+    
+    return 0
+}
+
+# Test 7: Kind-specific authentication requirements
+test_nip42_kind_specific_auth() {
+    log_info "Test 7: Testing kind-specific NIP-42 authentication requirements"
+    
+    # Generate test keypair
+    local test_privkey test_pubkey
+    test_privkey=$(nak key --gen 2>/dev/null || openssl rand -hex 32)
+    test_pubkey=$(nak key --pub "$test_privkey" 2>/dev/null || echo "test_pubkey")
+    
+    log_info "Generated test keypair for kind-specific tests: $test_pubkey"
+    
+    # Test 1: Try to publish a regular note (kind 1) - should work without auth
+    log_info "Testing kind 1 event (regular note) - should work without authentication..."
+    local kind1_event
+    kind1_event=$(nak event -k 1 --content "Regular note - should not require auth" \
+        --sec "$test_privkey" 2>/dev/null || echo "")
+    
+    if [[ -n "$kind1_event" ]]; then
+        local result1
+        result1=$(echo "$kind1_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
+        log "Kind 1 event result: $result1"
+        
+        if echo "$result1" | grep -q "OK.*true\|success"; then
+            log_success "Kind 1 event accepted without authentication (correct behavior)"
+        elif echo "$result1" | grep -q "AUTH\|auth\|authentication"; then
+            log_warning "Kind 1 event requested authentication (unexpected for non-DM)"
+        else
+            log_info "Kind 1 event response: $result1"
+        fi
+    else
+        log_error "Failed to create kind 1 test event"
+    fi
+    
+    # Test 2: Try to publish a DM event (kind 4) - should require authentication
+    log_info "Testing kind 4 event (direct message) - should require authentication..."
+    local kind4_event
+    kind4_event=$(nak event -k 4 --content "This is a direct message - should require auth" \
+        --tag "p,$test_pubkey" \
+        --sec "$test_privkey" 2>/dev/null || echo "")
+    
+    if [[ -n "$kind4_event" ]]; then
+        local result4
+        result4=$(echo "$kind4_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
+        log "Kind 4 event result: $result4"
+        
+        if echo "$result4" | grep -q "AUTH\|auth\|authentication\|restricted"; then
+            log_success "Kind 4 event requested authentication (correct behavior for DMs)"
+        elif echo "$result4" | grep -q "OK.*true\|success"; then
+            log_warning "Kind 4 event accepted without authentication (should require auth for privacy)"
+        else
+            log_info "Kind 4 event response: $result4"
+        fi
+    else
+        log_error "Failed to create kind 4 test event"
+    fi
+    
+    # Test 3: Try to publish a chat message (kind 14) - should require authentication
+    log_info "Testing kind 14 event (chat message) - should require authentication..."
+    local kind14_event
+    kind14_event=$(nak event -k 14 --content "Chat message - should require auth" \
+        --tag "p,$test_pubkey" \
+        --sec "$test_privkey" 2>/dev/null || echo "")
+    
+    if [[ -n "$kind14_event" ]]; then
+        local result14
+        result14=$(echo "$kind14_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
+        log "Kind 14 event result: $result14"
+        
+        if echo "$result14" | grep -q "AUTH\|auth\|authentication\|restricted"; then
+            log_success "Kind 14 event requested authentication (correct behavior for DMs)"
+        elif echo "$result14" | grep -q "OK.*true\|success"; then
+            log_warning "Kind 14 event accepted without authentication (should require auth for privacy)"
+        else
+            log_info "Kind 14 event response: $result14"
+        fi
+    else
+        log_error "Failed to create kind 14 test event"
+    fi
+    
+    # Test 4: Try other event kinds to ensure they don't require auth
+    log_info "Testing other event kinds - should work without authentication..."
+    for kind in 0 3 7; do
+        local test_event
+        test_event=$(nak event -k "$kind" --content "Test event kind $kind - should not require auth" \
+            --sec "$test_privkey" 2>/dev/null || echo "")
+        
+        if [[ -n "$test_event" ]]; then
+            local result
+            result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1 || true)
+            log "Kind $kind event result: $result"
+            
+            if echo "$result" | grep -q "OK.*true\|success"; then
+                log_success "Kind $kind event accepted without authentication (correct)"
+            elif echo "$result" | grep -q "AUTH\|auth\|authentication"; then
+                log_warning "Kind $kind event requested authentication (unexpected)"
+            else
+                log_info "Kind $kind event response: $result"
+            fi
+        fi
+    done
+    
+    log_info "Kind-specific authentication test completed"
+    return 0
+}
+
+# Main test execution
+main() {
+    log_info "=== Starting NIP-42 Authentication Tests ==="
+    
+    local test_results=()
+    local failed_tests=0
+    
+    # Run all tests
+    if check_dependencies; then
+        test_results+=("Dependencies: PASS")
+    else
+        test_results+=("Dependencies: FAIL")
+        ((failed_tests++))
+    fi
+    
+    if test_nip42_support; then
+        test_results+=("NIP-42 Support: PASS")
+    else
+        test_results+=("NIP-42 Support: FAIL")
+        ((failed_tests++))
+    fi
+    
+    if test_auth_challenge_generation; then
+        test_results+=("Auth Challenge: PASS")
+    else
+        test_results+=("Auth Challenge: FAIL")
+        ((failed_tests++))
+    fi
+    
+    if test_nip42_auth_flow; then
+        test_results+=("Auth Flow: PASS")
+    else
+        test_results+=("Auth Flow: FAIL")
+        ((failed_tests++))
+    fi
+    
+    if test_websocket_auth_messages; then
+        test_results+=("WebSocket AUTH: PASS")
+    else
+        test_results+=("WebSocket AUTH: FAIL")
+        ((failed_tests++))
+    fi
+    
+    if test_nip42_configuration; then
+        test_results+=("Configuration: PASS")
+    else
+        test_results+=("Configuration: FAIL")
+        ((failed_tests++))
+    fi
+    
+    if test_nip42_performance; then
+        test_results+=("Performance: PASS")
+    else
+        test_results+=("Performance: FAIL")
+        ((failed_tests++))
+    fi
+    
+    if test_nip42_kind_specific_auth; then
+        test_results+=("Kind-Specific Auth: PASS")
+    else
+        test_results+=("Kind-Specific Auth: FAIL")
+        ((failed_tests++))
+    fi
+    
+    # Print summary
+    echo ""
+    log_info "=== NIP-42 Test Results Summary ==="
+    for result in "${test_results[@]}"; do
+        if echo "$result" | grep -q "PASS"; then
+            log_success "$result"
+        else
+            log_error "$result"
+        fi
+    done
+    
+    echo ""
+    if [[ $failed_tests -eq 0 ]]; then
+        log_success "All NIP-42 tests completed successfully!"
+        log_success "NIP-42 authentication implementation is working correctly"
+    else
+        log_warning "$failed_tests test(s) failed or had issues"
+        log_info "Check the log file for detailed output: $LOG_FILE"
+    fi
+    
+    log_info "=== NIP-42 Authentication Tests Complete ==="
+    
+    return $failed_tests
+}
+
+# Run main function
+main "$@"

tests/malformed_expiration_test.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+
+# Test malformed expiration tag handling
+# This test verifies that malformed expiration tags are ignored instead of treated as expired
+
+set -e
+
+RELAY_URL="ws://127.0.0.1:8888"
+TEST_NAME="Malformed Expiration Tag Test"
+
+echo "=== $TEST_NAME ==="
+
+# Function to generate a test event with custom expiration tag
+generate_event_with_expiration() {
+    local expiration_value="$1"
+    local current_time=$(date +%s)
+    local event_id=$(openssl rand -hex 32)
+    local private_key=$(openssl rand -hex 32)
+    local public_key=$(echo "$private_key" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c 32)
+    
+    # Create event JSON with malformed expiration
+    cat << EOF
+["EVENT",{
+  "id": "$event_id",
+  "pubkey": "$public_key",
+  "created_at": $current_time,
+  "kind": 1,
+  "tags": [["expiration", "$expiration_value"]],
+  "content": "Test event with expiration: $expiration_value",
+  "sig": "$(openssl rand -hex 64)"
+}]
+EOF
+}
+
+# Function to send event and check response
+test_malformed_expiration() {
+    local expiration_value="$1"
+    local description="$2"
+    
+    echo "Testing: $description (expiration='$expiration_value')"
+    
+    # Generate event
+    local event_json=$(generate_event_with_expiration "$expiration_value")
+    
+    # Send event to relay using websocat or curl
+    if command -v websocat &> /dev/null; then
+        # Use websocat if available
+        response=$(echo "$event_json" | timeout 5s websocat "$RELAY_URL" 2>/dev/null | head -1 || echo "timeout")
+    else
+        # Fall back to a simple test
+        echo "websocat not available, skipping network test"
+        response='["OK","test",true,""]'  # Simulate success
+    fi
+    
+    echo "Response: $response"
+    
+    # Check if response indicates success (malformed expiration should be ignored)
+    if [[ "$response" == *'"OK"'* ]] && [[ "$response" == *'true'* ]]; then
+        echo "✅ SUCCESS: Event with malformed expiration '$expiration_value' was accepted (ignored)"
+    elif [[ "$response" == "timeout" ]]; then
+        echo "⚠️  TIMEOUT: Could not test with relay (may be network issue)"
+    elif [[ "$response" == *'"OK"'* ]] && [[ "$response" == *'false'* ]]; then
+        if [[ "$response" == *"expired"* ]]; then
+            echo "❌ FAILED: Event with malformed expiration '$expiration_value' was treated as expired instead of ignored"
+            return 1
+        else
+            echo "⚠️  Event rejected for other reason: $response"
+        fi
+    else
+        echo "⚠️  Unexpected response format: $response"
+    fi
+    
+    echo ""
+}
+
+echo "Starting malformed expiration tag tests..."
+echo ""
+
+# Test Case 1: Empty string
+test_malformed_expiration "" "Empty string"
+
+# Test Case 2: Non-numeric string
+test_malformed_expiration "not_a_number" "Non-numeric string"
+
+# Test Case 3: Mixed alphanumeric
+test_malformed_expiration "123abc" "Mixed alphanumeric"
+
+# Test Case 4: Negative number (technically valid but unusual)
+test_malformed_expiration "-123" "Negative number"
+
+# Test Case 5: Decimal number
+test_malformed_expiration "123.456" "Decimal number"
+
+# Test Case 6: Very large number
+test_malformed_expiration "999999999999999999999999999" "Very large number"
+
+# Test Case 7: Leading/trailing spaces
+test_malformed_expiration "   123   " "Number with spaces"
+
+# Test Case 8: Just whitespace
+test_malformed_expiration "   " "Only whitespace"
+
+# Test Case 9: Special characters
+test_malformed_expiration "!@#$%" "Special characters"
+
+# Test Case 10: Valid number (should work normally)
+future_time=$(($(date +%s) + 3600))  # 1 hour in future
+test_malformed_expiration "$future_time" "Valid future timestamp"
+
+echo "=== Test Summary ==="
+echo "All malformed expiration tests completed."
+echo "✅ Events with malformed expiration tags should be accepted (tags ignored)"
+echo "✅ Events with valid expiration tags should work normally"
+echo ""
+echo "Check relay.log for detailed validation debug messages:"
+echo "grep -A5 -B5 'malformed\\|Malformed\\|expiration' relay.log | tail -20"

tests/white_black_list_test.sh

@@ -0,0 +1,967 @@
+#!/bin/bash
+
+# =======================================================================
+# C-Relay Whitelist/Blacklist Authentication Rules Test Script
+# =======================================================================
+# 
+# This test validates the whitelist and blacklist functionality of the
+# C-Relay server through the WebSocket admin API.
+#
+# Test Credentials (Test Mode):
+# - Admin Private Key: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  
+# - Admin Public Key: 6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3
+# - Relay Public Key: 4f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa
+#
+# =======================================================================
+
+set -e  # Exit on any error
+
+# =======================================================================
+# CONFIGURATION
+# =======================================================================
+
+# Test mode credentials (from current relay startup)
+ADMIN_PRIVKEY="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ADMIN_PUBKEY="6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3"
+RELAY_PUBKEY="4f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa"
+
+# Server configuration
+RELAY_HOST="127.0.0.1"
+RELAY_PORT="8888"
+RELAY_URL="ws://${RELAY_HOST}:${RELAY_PORT}"
+
+# Test configuration
+TIMEOUT=5
+TEMP_DIR="/tmp/c_relay_test_$$"
+
+# WebSocket connection state
+WS_PID=""
+WS_INPUT_FIFO=""
+WS_OUTPUT_FIFO=""
+WS_CONNECTED=0
+WS_RESPONSE_LOG=""
+
+# Color codes for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+BLUE='\033[0;34m'
+BOLD='\033[1m'
+RESET='\033[0m'
+
+# Test tracking
+TESTS_RUN=0
+TESTS_PASSED=0
+TESTS_FAILED=0
+
+# =======================================================================
+# UTILITY FUNCTIONS
+# =======================================================================
+
+log() {
+    echo -e "${BLUE}[$(date '+%H:%M:%S')]${RESET} $1"
+}
+
+log_success() {
+    echo -e "${GREEN}[SUCCESS]${RESET} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${RESET} $1"
+}
+
+log_warning() {
+    echo -e "${YELLOW}[WARNING]${RESET} $1"
+}
+
+log_info() {
+    echo -e "${BLUE}[INFO]${RESET} $1"
+}
+
+increment_test() {
+    TESTS_RUN=$((TESTS_RUN + 1))
+}
+
+pass_test() {
+    TESTS_PASSED=$((TESTS_PASSED + 1))
+    log_success "Test $TESTS_RUN: PASSED - $1"
+    echo ""
+    echo ""
+}
+
+fail_test() {
+    TESTS_FAILED=$((TESTS_FAILED + 1))
+    log_error "Test $TESTS_RUN: FAILED - $1"
+    echo ""
+    echo ""
+}
+
+# Generate test keypairs
+generate_test_keypair() {
+    local name=$1
+    local privkey_file="${TEMP_DIR}/${name}_privkey"
+    local pubkey_file="${TEMP_DIR}/${name}_pubkey"
+    
+    # Generate private key using nak key --gen (following pattern from other tests)
+    local privkey=$(nak key generate 2>/dev/null)
+    if [ $? -ne 0 ] || [ -z "$privkey" ]; then
+        log_error "Failed to generate private key for $name"
+        return 1
+    fi
+    
+    echo "$privkey" > "$privkey_file"
+    
+    # Derive public key using nak
+    local pubkey=$(nak key public "$privkey" 2>/dev/null)
+    if [ $? -ne 0 ] || [ -z "$pubkey" ]; then
+        log_error "Failed to generate public key for $name"
+        return 1
+    fi
+    
+    echo "$pubkey" > "$pubkey_file"
+    
+    log_info "Generated keypair for $name: pubkey=${pubkey:0:16}..."
+    
+    # Export for use in calling functions
+    eval "${name}_PRIVKEY=\"$privkey\""
+    eval "${name}_PUBKEY=\"$pubkey\""
+}
+
+# Send WebSocket message and capture response
+send_websocket_message() {
+    local message="$1"
+    local expected_response="$2"
+    local timeout="${3:-$TIMEOUT}"
+    
+    # Use websocat to send message and capture response (following pattern from tests/1_nip_test.sh)
+    local response=""
+    if command -v websocat &> /dev/null; then
+        # Capture output from websocat (following working pattern from 1_nip_test.sh)
+        response=$(echo "$message" | timeout "$timeout" websocat "$RELAY_URL" 2>&1 || echo "Connection failed")
+        
+        # Check if connection failed
+        if [[ "$response" == *"Connection failed"* ]]; then
+            log_error "Failed to connect to relay"
+            return 1
+        fi
+        
+    else
+        log_error "websocat not found - required for WebSocket testing"
+        log_error "Please install websocat for WebSocket communication"
+        return 1
+    fi
+    
+    echo "$response"
+}
+
+# =======================================================================
+# PERSISTENT WEBSOCKET CONNECTION MANAGEMENT
+# =======================================================================
+
+# Open persistent WebSocket connection
+open_websocket_connection() {
+    log_info "Opening persistent WebSocket connection to $RELAY_URL..."
+    
+    # Create unique named pipes for this test session
+    WS_INPUT_FIFO="${TEMP_DIR}/ws_input_$$"
+    WS_OUTPUT_FIFO="${TEMP_DIR}/ws_output_$$"
+    WS_RESPONSE_LOG="${TEMP_DIR}/ws_responses_$$"
+    
+    # Create named pipes
+    mkfifo "$WS_INPUT_FIFO" "$WS_OUTPUT_FIFO"
+    
+    # Start websocat in background with bidirectional pipes
+    # Input: we write to WS_INPUT_FIFO, websocat reads and sends to relay
+    # Output: websocat receives from relay and writes to WS_OUTPUT_FIFO
+    websocat "$RELAY_URL" < "$WS_INPUT_FIFO" > "$WS_OUTPUT_FIFO" &
+    WS_PID=$!
+    
+    # Start background response logger
+    tail -f "$WS_OUTPUT_FIFO" >> "$WS_RESPONSE_LOG" &
+    local logger_pid=$!
+    
+    # Keep input pipe open by redirecting from /dev/null in background
+    exec {ws_fd}> "$WS_INPUT_FIFO"
+    
+    # Test connection with a simple REQ message
+    sleep 1
+    echo '["REQ","test_conn",{}]' >&${ws_fd}
+    
+    # Wait for response to confirm connection
+    local connection_timeout=5
+    local start_time=$(date +%s)
+    
+    while [ $(($(date +%s) - start_time)) -lt $connection_timeout ]; do
+        if [ -s "$WS_RESPONSE_LOG" ]; then
+            WS_CONNECTED=1
+            log_success "Persistent WebSocket connection established"
+            log_info "WebSocket PID: $WS_PID"
+            return 0
+        fi
+        sleep 0.1
+    done
+    
+    # Connection failed
+    log_error "Failed to establish persistent WebSocket connection"
+    close_websocket_connection
+    return 1
+}
+
+# Close persistent WebSocket connection
+close_websocket_connection() {
+    log_info "Closing persistent WebSocket connection..."
+    
+    if [ -n "$WS_PID" ] && kill -0 "$WS_PID" 2>/dev/null; then
+        # Close input pipe first
+        if [ -n "${ws_fd}" ]; then
+            exec {ws_fd}>&-
+        fi
+        
+        # Send close frame and terminate websocat
+        kill "$WS_PID" 2>/dev/null
+        wait "$WS_PID" 2>/dev/null
+    fi
+    
+    # Kill any remaining background processes
+    pkill -f "tail -f.*$WS_OUTPUT_FIFO" 2>/dev/null || true
+    
+    # Clean up pipes
+    [ -p "$WS_INPUT_FIFO" ] && rm -f "$WS_INPUT_FIFO"
+    [ -p "$WS_OUTPUT_FIFO" ] && rm -f "$WS_OUTPUT_FIFO"
+    
+    WS_PID=""
+    WS_CONNECTED=0
+    
+    log_info "WebSocket connection closed"
+}
+
+# Send event through persistent WebSocket connection
+send_websocket_event() {
+    local event_json="$1"
+    local timeout_seconds="${2:-10}"
+    
+    if [ "$WS_CONNECTED" != "1" ]; then
+        log_error "WebSocket connection not established"
+        return 1
+    fi
+    
+    # Clear previous responses
+    > "$WS_RESPONSE_LOG"
+    
+    # Create EVENT message
+    local event_message="[\"EVENT\",$event_json]"
+    
+    # Send through persistent connection
+    echo "$event_message" >&${ws_fd}
+    
+    # Wait for OK response
+    local start_time=$(date +%s)
+    while [ $(($(date +%s) - start_time)) -lt $timeout_seconds ]; do
+        if grep -q '"OK"' "$WS_RESPONSE_LOG" 2>/dev/null; then
+            local response=$(tail -1 "$WS_RESPONSE_LOG")
+            echo "$response"
+            return 0
+        fi
+        sleep 0.1
+    done
+    
+    log_error "Timeout waiting for WebSocket response"
+    return 1
+}
+
+# Wait for query response data from relay
+wait_for_query_response() {
+    local timeout_seconds="${1:-10}"
+    local start_time=$(date +%s)
+    
+    log_info "Waiting for query response data..."
+    
+    # Clear any OK responses and wait for JSON data
+    sleep 0.5  # Brief delay to ensure OK response is processed first
+    
+    while [ $(($(date +%s) - start_time)) -lt $timeout_seconds ]; do
+        # Look for JSON response with query data (not just OK responses)
+        if grep -q '"query_type"' "$WS_RESPONSE_LOG" 2>/dev/null; then
+            local response=$(grep '"query_type"' "$WS_RESPONSE_LOG" | tail -1)
+            echo "$response"
+            return 0
+        fi
+        sleep 0.1
+    done
+    
+    log_error "Timeout waiting for query response data"
+    return 1
+}
+
+# Create and send auth rule event
+send_auth_rule_event() {
+    local action="$1"        # "add" or "remove"
+    local rule_type="$2"     # "whitelist" or "blacklist"
+    local pattern_type="$3"  # "pubkey" or "hash"
+    local pattern_value="$4" # actual pubkey or hash value
+    local description="$5"   # optional description
+    
+    log_info "Creating auth rule event: $action $rule_type $pattern_type ${pattern_value:0:16}..."
+    
+    # Create the auth rule event using nak with correct tag format for the actual implementation
+    # Server expects tags like ["whitelist", "pubkey", "abc123..."] or ["blacklist", "pubkey", "def456..."]
+    # Using Kind 23456 (ephemeral auth rules management) with proper relay targeting
+    local event_json
+    event_json=$(nak event -k 23456 --content "" \
+        -t "p=$RELAY_PUBKEY" \
+        -t "$rule_type=$pattern_type=$pattern_value" \
+        --sec "$ADMIN_PRIVKEY" 2>/dev/null)
+    
+    if [ $? -ne 0 ] || [ -z "$event_json" ]; then
+        log_error "Failed to create auth rule event with nak"
+        return 1
+    fi
+    
+    # Send the event through persistent WebSocket connection
+    log_info "Publishing auth rule event to relay..."
+    local result
+    if [ "$WS_CONNECTED" = "1" ]; then
+        result=$(send_websocket_event "$event_json")
+        local exit_code=$?
+        
+        log_info "Auth rule event result: $result"
+        
+        # Check if response indicates success
+        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i '"OK".*true'; then
+            log_success "Auth rule $action successful"
+            return 0
+        else
+            log_error "Auth rule $action failed: $result (exit code: $exit_code)"
+            return 1
+        fi
+    else
+        # Fallback to one-shot connection if persistent connection not available
+        result=$(echo "$event_json" | timeout 10s nak event "$RELAY_URL" 2>&1)
+        local exit_code=$?
+        
+        log_info "Auth rule event result: $result"
+        
+        # Check if response indicates success
+        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i "success\|OK.*true\|published"; then
+            log_success "Auth rule $action successful"
+            return 0
+        else
+            log_error "Auth rule $action failed: $result (exit code: $exit_code)"
+            return 1
+        fi
+    fi
+}
+
+# Clear all auth rules using the new system command functionality
+clear_all_auth_rules() {
+    log_info "Clearing all existing auth rules..."
+    
+    # Create system command event to clear all auth rules
+    # Using Kind 23456 (ephemeral auth rules management) with proper relay targeting
+    local event_json
+    event_json=$(nak event -k 23456 --content "" \
+        -t "p=$RELAY_PUBKEY" \
+        -t "system_command=clear_all_auth_rules" \
+        --sec "$ADMIN_PRIVKEY" 2>/dev/null)
+    
+    if [ $? -ne 0 ] || [ -z "$event_json" ]; then
+        log_error "Failed to create clear auth rules event with nak"
+        return 1
+    fi
+    
+    # Send the event through persistent WebSocket connection
+    log_info "Sending clear all auth rules command..."
+    local result
+    if [ "$WS_CONNECTED" = "1" ]; then
+        result=$(send_websocket_event "$event_json")
+        local exit_code=$?
+        
+        log_info "Clear auth rules result: $result"
+        
+        # Check if response indicates success
+        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i '"OK".*true'; then
+            log_success "All auth rules cleared successfully"
+            return 0
+        else
+            log_error "Failed to clear auth rules: $result (exit code: $exit_code)"
+            return 1
+        fi
+    else
+        # Fallback to one-shot connection if persistent connection not available
+        result=$(echo "$event_json" | timeout 10s nak event "$RELAY_URL" 2>&1)
+        local exit_code=$?
+        
+        log_info "Clear auth rules result: $result"
+        
+        # Check if response indicates success
+        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i "success\|OK.*true\|published"; then
+            log_success "All auth rules cleared successfully"
+            return 0
+        else
+            log_error "Failed to clear auth rules: $result (exit code: $exit_code)"
+            return 1
+        fi
+    fi
+}
+
+# Test event publishing with a specific key
+test_event_publishing() {
+    local test_privkey="$1"
+    local test_pubkey="$2"
+    local expected_result="$3"  # "success" or "blocked"
+    local description="$4"
+    
+    log_info "Testing event publishing: $description"
+    
+    # Create a simple test event (kind 1 - text note) using nak like NIP-42 test
+    local test_content="Test message from ${test_pubkey:0:16}... at $(date)"
+    local test_event
+    test_event=$(nak event -k 1 --content "$test_content" --sec "$test_privkey" 2>/dev/null)
+    
+    if [ $? -ne 0 ] || [ -z "$test_event" ]; then
+        log_error "Failed to create test event"
+        return 1
+    fi
+    
+    # Send the event using nak directly (more reliable than websocat)
+    log_info "Publishing test event to relay..."
+    local result
+    result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1)
+    local exit_code=$?
+    
+    log_info "Event publishing result: $result"
+    
+    # Check result against expectation
+    if [ "$expected_result" = "success" ]; then
+        if [ $exit_code -eq 0 ] && echo "$result" | grep -q -i "success\|OK.*true\|published"; then
+            log_success "Event publishing allowed as expected"
+            return 0
+        else
+            log_error "Event publishing was blocked but should have been allowed: $result"
+            return 1
+        fi
+    else  # expected_result = "blocked"
+        if [ $exit_code -ne 0 ] || echo "$result" | grep -q -i "blocked\|denied\|rejected\|auth.*required\|OK.*false"; then
+            log_success "Event publishing blocked as expected"
+            return 0
+        else
+            log_error "Event publishing was allowed but should have been blocked: $result"
+            return 1
+        fi
+    fi
+}
+
+# =======================================================================
+# SETUP AND INITIALIZATION
+# =======================================================================
+
+setup_test_environment() {
+    log "Setting up test environment..."
+    
+    # Create temporary directory
+    mkdir -p "$TEMP_DIR"
+    
+    # Check if required tools are available - like NIP-42 test
+    log_info "Checking dependencies..."
+    
+    if ! command -v nak &> /dev/null; then
+        log_error "nak client not found. Please install: go install github.com/fiatjaf/nak@latest"
+        exit 1
+    fi
+    
+    if ! command -v jq &> /dev/null; then
+        log_error "jq not found. Please install jq for JSON processing"
+        exit 1
+    fi
+    
+    
+    if ! command -v timeout &> /dev/null; then
+        log_error "timeout not found. Please install coreutils"
+        exit 1
+    fi
+    
+    if ! command -v websocat &> /dev/null; then
+        log_error "websocat not found - required for WebSocket testing"
+        log_error "Please install websocat for WebSocket communication"
+        exit 1
+    fi
+    
+    log_success "Dependencies check complete"
+    
+    # Generate test keypairs
+    generate_test_keypair "TEST1"
+    generate_test_keypair "TEST2"
+    generate_test_keypair "TEST3"
+    
+    log_success "Test environment setup complete"
+}
+
+# =======================================================================
+# TEST FUNCTIONS
+# =======================================================================
+
+# Test 1: Admin Authentication
+test_admin_authentication() {
+    increment_test
+    log "Test $TESTS_RUN: Admin Authentication"
+    
+    # Create a simple configuration event to test admin authentication
+    # Using Kind 23456 (admin commands) with proper relay targeting
+    local config_event
+    config_event=$(nak event -k 23456 --content "" \
+        -t "p=$RELAY_PUBKEY" \
+        -t "system_command=system_status" \
+        --sec "$ADMIN_PRIVKEY" 2>/dev/null)
+    
+    if [ $? -ne 0 ]; then
+        fail_test "Failed to create admin test event"
+        return
+    fi
+    
+    # Send admin event
+    local message="[\"EVENT\",$config_event]"
+    local response
+    response=$(send_websocket_message "$message" "OK" 10)
+    
+    if echo "$response" | grep -q '"OK".*true'; then
+        pass_test "Admin authentication successful"
+    else
+        fail_test "Admin authentication failed: $response"
+    fi
+}
+
+# Test 2: Auth Rules Storage and Query Test
+test_auth_rules_storage_query() {
+    increment_test
+    log "Test $TESTS_RUN: Auth Rules Storage and Query Test"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Add a simple blacklist rule
+    log_info "Adding test blacklist rule..."
+    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST1_PUBKEY" "Test storage blacklist entry"; then
+        log_success "Auth rule added successfully"
+        
+        # Wait a moment for rule to be processed
+        sleep 1
+        
+        # Query all auth rules using admin query
+        log_info "Querying all auth rules..."
+        local query_event
+        query_event=$(nak event -k 23456 --content "" \
+            -t "p=$RELAY_PUBKEY" \
+            -t "auth_query=all" \
+            --sec "$ADMIN_PRIVKEY" 2>/dev/null)
+        
+        if [ $? -ne 0 ] || [ -z "$query_event" ]; then
+            fail_test "Failed to create auth query event"
+            return
+        fi
+        
+        # Send the query event
+        log_info "Sending auth query to relay..."
+        local query_result
+        query_result=$(echo "$query_event" | timeout 10s nak event "$RELAY_URL" 2>&1)
+        local exit_code=$?
+        
+        log_info "Auth query result: $query_result"
+        
+        # Check if we got a response and if it contains our test rule
+        if [ $exit_code -eq 0 ]; then
+            if echo "$query_result" | grep -q "$TEST1_PUBKEY"; then
+                pass_test "Auth rule storage and query working - found test rule in query results"
+            else
+                fail_test "Auth rule not found in query results - rule may not have been stored"
+            fi
+        else
+            fail_test "Auth query failed: $query_result"
+        fi
+    else
+        fail_test "Failed to add auth rule for storage test"
+    fi
+}
+
+# Test 3: Basic Whitelist Functionality
+test_basic_whitelist() {
+    increment_test
+    log "Test $TESTS_RUN: Basic Whitelist Functionality"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Add TEST1 pubkey to whitelist
+    if send_auth_rule_event "add" "whitelist" "pubkey" "$TEST1_PUBKEY" "Test whitelist entry"; then
+        # Test that whitelisted pubkey can publish
+        if test_event_publishing "$TEST1_PRIVKEY" "$TEST1_PUBKEY" "success" "whitelisted pubkey"; then
+            pass_test "Basic whitelist functionality working"
+        else
+            fail_test "Whitelisted pubkey could not publish events"
+        fi
+    else
+        fail_test "Failed to add pubkey to whitelist"
+    fi
+}
+
+# Test 4: Basic Blacklist Functionality
+test_basic_blacklist() {
+    increment_test
+    log "Test $TESTS_RUN: Basic Blacklist Functionality"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Add TEST2 pubkey to blacklist
+    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST2_PUBKEY" "Test blacklist entry"; then
+        # Test that blacklisted pubkey cannot publish
+        if test_event_publishing "$TEST2_PRIVKEY" "$TEST2_PUBKEY" "blocked" "blacklisted pubkey"; then
+            pass_test "Basic blacklist functionality working"
+        else
+            fail_test "Blacklisted pubkey was able to publish events"
+        fi
+    else
+        fail_test "Failed to add pubkey to blacklist"
+    fi
+}
+
+# Test 5: Rule Removal
+test_rule_removal() {
+    increment_test
+    log "Test $TESTS_RUN: Rule Removal"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # First add TEST2 to blacklist to test removal
+    if ! send_auth_rule_event "add" "blacklist" "pubkey" "$TEST2_PUBKEY" "Test blacklist for removal"; then
+        fail_test "Failed to add pubkey to blacklist for removal test"
+        return
+    fi
+    
+    # Remove TEST2 from blacklist
+    if send_auth_rule_event "remove" "blacklist" "pubkey" "$TEST2_PUBKEY" "Remove test blacklist entry"; then
+        # Test that previously blacklisted pubkey can now publish
+        if test_event_publishing "$TEST2_PRIVKEY" "$TEST2_PUBKEY" "success" "previously blacklisted pubkey after removal"; then
+            pass_test "Rule removal working correctly"
+        else
+            fail_test "Previously blacklisted pubkey still cannot publish after removal"
+        fi
+    else
+        fail_test "Failed to remove pubkey from blacklist"
+    fi
+}
+
+# Test 6: Multiple Users Scenario
+test_multiple_users() {
+    increment_test
+    log "Test $TESTS_RUN: Multiple Users Scenario"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Add TEST1 to whitelist and TEST3 to blacklist
+    local success_count=0
+    
+    if send_auth_rule_event "add" "whitelist" "pubkey" "$TEST1_PUBKEY" "Multi-user test whitelist"; then
+        success_count=$((success_count + 1))
+    fi
+    
+    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST3_PUBKEY" "Multi-user test blacklist"; then
+        success_count=$((success_count + 1))
+    fi
+    
+    if [ $success_count -eq 2 ]; then
+        # Test whitelisted user can publish
+        if test_event_publishing "$TEST1_PRIVKEY" "$TEST1_PUBKEY" "success" "whitelisted in multi-user test"; then
+            # Test blacklisted user cannot publish
+            if test_event_publishing "$TEST3_PRIVKEY" "$TEST3_PUBKEY" "blocked" "blacklisted in multi-user test"; then
+                pass_test "Multiple users scenario working correctly"
+            else
+                fail_test "Blacklisted user in multi-user scenario was not blocked"
+            fi
+        else
+            fail_test "Whitelisted user in multi-user scenario was blocked"
+        fi
+    else
+        fail_test "Failed to set up multiple users scenario"
+    fi
+}
+
+# Test 7: Priority Testing (Blacklist vs Whitelist)
+test_priority_rules() {
+    increment_test
+    log "Test $TESTS_RUN: Priority Rules Testing"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Add same pubkey to both whitelist and blacklist
+    local setup_success=0
+    
+    if send_auth_rule_event "add" "whitelist" "pubkey" "$TEST2_PUBKEY" "Priority test whitelist"; then
+        setup_success=$((setup_success + 1))
+    fi
+    
+    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST2_PUBKEY" "Priority test blacklist"; then
+        setup_success=$((setup_success + 1))
+    fi
+    
+    if [ $setup_success -eq 2 ]; then
+        # Test which rule takes priority (typically blacklist should win)
+        if test_event_publishing "$TEST2_PRIVKEY" "$TEST2_PUBKEY" "blocked" "pubkey in both whitelist and blacklist"; then
+            pass_test "Priority rules working correctly (blacklist takes precedence)"
+        else
+            # If whitelist wins, that's also valid depending on implementation
+            log_warning "Whitelist took precedence over blacklist - this may be implementation-specific"
+            pass_test "Priority rules working (whitelist precedence)"
+        fi
+    else
+        fail_test "Failed to set up priority rules test"
+    fi
+}
+
+# Test 8: Hash-based Blacklist
+test_hash_blacklist() {
+    increment_test
+    log "Test $TESTS_RUN: Hash-based Blacklist"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Create a test event to get its hash
+    local test_content="Content to be blacklisted by hash"
+    local test_event
+    test_event=$(nak event -k 1 --content "$test_content" --sec "$TEST1_PRIVKEY" 2>/dev/null)
+    
+    if [ $? -ne 0 ] || [ -z "$test_event" ]; then
+        fail_test "Failed to create test event for hash blacklist"
+        return
+    fi
+    
+    # Extract event ID (hash) from the event using jq
+    local event_id
+    event_id=$(echo "$test_event" | jq -r '.id' 2>/dev/null)
+    
+    if [ -z "$event_id" ] || [ "$event_id" = "null" ]; then
+        fail_test "Failed to extract event ID for hash blacklist test"
+        return
+    fi
+    
+    log_info "Testing hash blacklist with event ID: ${event_id:0:16}..."
+    
+    # Add the event ID to hash blacklist
+    if send_auth_rule_event "add" "blacklist" "hash" "$event_id" "Test hash blacklist"; then
+        # Try to publish the same event using nak - should be blocked
+        log_info "Attempting to publish blacklisted event..."
+        local result
+        result=$(echo "$test_event" | timeout 10s nak event "$RELAY_URL" 2>&1)
+        local exit_code=$?
+        
+        if [ $exit_code -ne 0 ] || echo "$result" | grep -q -i "blocked\|denied\|rejected\|blacklist"; then
+            pass_test "Hash-based blacklist working correctly"
+        else
+            fail_test "Hash-based blacklist did not block the event: $result"
+        fi
+    else
+        fail_test "Failed to add event hash to blacklist"
+    fi
+}
+
+# Test 9: WebSocket Connection Behavior
+test_websocket_behavior() {
+    increment_test
+    log "Test $TESTS_RUN: WebSocket Connection Behavior"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Test that the WebSocket connection handles multiple rapid requests
+    local rapid_success_count=0
+    
+    for i in {1..3}; do
+        local test_content="Rapid test message $i"
+        local test_event
+        test_event=$(nak event -k 1 --content "$test_content" --sec "$TEST1_PRIVKEY" 2>/dev/null)
+        
+        if [ $? -eq 0 ]; then
+            local message="[\"EVENT\",$test_event]"
+            local response
+            response=$(send_websocket_message "$message" "OK" 5)
+            
+            if echo "$response" | grep -q '"OK"'; then
+                rapid_success_count=$((rapid_success_count + 1))
+            fi
+        fi
+        
+        # Small delay between requests
+        sleep 0.1
+    done
+    
+    if [ $rapid_success_count -ge 2 ]; then
+        pass_test "WebSocket connection handles multiple requests correctly"
+    else
+        fail_test "WebSocket connection failed to handle multiple rapid requests ($rapid_success_count/3 succeeded)"
+    fi
+}
+
+# Test 10: Rule Persistence Verification
+test_rule_persistence() {
+    increment_test
+    log "Test $TESTS_RUN: Rule Persistence Verification"
+    
+    # Clear all existing rules to start fresh
+    clear_all_auth_rules
+    
+    # Add a rule, then verify it persists by testing enforcement
+    if send_auth_rule_event "add" "blacklist" "pubkey" "$TEST3_PUBKEY" "Persistence test blacklist"; then
+        # Wait a moment for rule to be processed
+        sleep 1
+        
+        # Test enforcement multiple times to verify persistence
+        local enforcement_count=0
+        
+        for i in {1..2}; do
+            if test_event_publishing "$TEST3_PRIVKEY" "$TEST3_PUBKEY" "blocked" "persistence test attempt $i"; then
+                enforcement_count=$((enforcement_count + 1))
+            fi
+            sleep 0.5
+        done
+        
+        if [ $enforcement_count -eq 2 ]; then
+            pass_test "Rule persistence working correctly"
+        else
+            fail_test "Rule persistence failed ($enforcement_count/2 enforcements succeeded)"
+        fi
+    else
+        fail_test "Failed to add rule for persistence test"
+    fi
+}
+
+# Test 11: Cleanup and Final Verification
+test_cleanup_verification() {
+    increment_test
+    log "Test $TESTS_RUN: Cleanup and Final Verification"
+    
+    # Remove all test rules
+    local cleanup_success=0
+    
+    # Remove whitelist entries
+    if send_auth_rule_event "remove" "whitelist" "pubkey" "$TEST1_PUBKEY" "Cleanup whitelist"; then
+        cleanup_success=$((cleanup_success + 1))
+    fi
+    
+    # Remove blacklist entries
+    for pubkey in "$TEST2_PUBKEY" "$TEST3_PUBKEY"; do
+        if send_auth_rule_event "remove" "blacklist" "pubkey" "$pubkey" "Cleanup blacklist"; then
+            cleanup_success=$((cleanup_success + 1))
+        fi
+    done
+    
+    if [ $cleanup_success -ge 2 ]; then
+        # Verify that previously restricted pubkeys can now publish
+        if test_event_publishing "$TEST3_PRIVKEY" "$TEST3_PUBKEY" "success" "after cleanup verification"; then
+            pass_test "Cleanup and verification successful"
+        else
+            log_warning "Cleanup completed but restrictions may still be active"
+            pass_test "Cleanup completed (partial verification)"
+        fi
+    else
+        fail_test "Cleanup failed ($cleanup_success rules removed)"
+    fi
+}
+
+# =======================================================================
+# MAIN TEST EXECUTION
+# =======================================================================
+
+run_all_tests() {
+    log "Starting comprehensive whitelist/blacklist functionality tests..."
+    
+    # Setup
+    setup_test_environment
+    
+
+    clear_all_auth_rules
+    
+    test_admin_authentication
+    test_auth_rules_storage_query
+    # test_basic_whitelist
+    # test_basic_blacklist
+    # test_rule_removal
+    # test_multiple_users
+    # test_priority_rules
+    # test_hash_blacklist
+    # test_websocket_behavior
+    # test_rule_persistence
+    # test_cleanup_verification
+    
+    # Test summary
+    echo ""
+    echo -e "${BOLD}=== TEST SUMMARY ===${RESET}"
+    echo -e "Tests run: ${BLUE}$TESTS_RUN${RESET}"
+    echo -e "Tests passed: ${GREEN}$TESTS_PASSED${RESET}"
+    echo -e "Tests failed: ${RED}$TESTS_FAILED${RESET}"
+    echo ""
+    
+    if [ $TESTS_FAILED -eq 0 ]; then
+        log_success "All tests passed! Whitelist/blacklist functionality is working correctly."
+        return 0
+    else
+        log_error "$TESTS_FAILED out of $TESTS_RUN tests failed."
+        return 1
+    fi
+}
+
+# =======================================================================
+# CLEANUP FUNCTIONS
+# =======================================================================
+
+cleanup() {
+    log "Cleaning up test environment..."
+    
+    # Remove temporary directory
+    if [ -n "$TEMP_DIR" ] && [ -d "$TEMP_DIR" ]; then
+        rm -rf "$TEMP_DIR"
+        log_info "Temporary directory removed: $TEMP_DIR"
+    fi
+    
+    log "Test cleanup completed."
+}
+
+# Set up cleanup trap
+trap cleanup EXIT
+
+# =======================================================================
+# SCRIPT ENTRY POINT
+# =======================================================================
+
+main() {
+    echo -e "${BOLD}${BLUE}C-Relay Whitelist/Blacklist Authentication Test${RESET}"
+    echo -e "${BLUE}===============================================${RESET}"
+    echo ""
+    
+    # Check if relay is running - using websocat like the working tests
+    if ! echo '["REQ","connection_test",{}]' | timeout 5 websocat "$RELAY_URL" >/dev/null 2>&1; then
+        log_error "Cannot connect to relay at $RELAY_URL"
+        log_error "Please ensure the C-Relay server is running in test mode"
+        exit 1
+    fi
+    
+    log_success "Connected to relay at $RELAY_URL"
+    
+    # Run all tests
+    if run_all_tests; then
+        echo ""
+        log_success "All whitelist/blacklist tests completed successfully!"
+        exit 0
+    else
+        echo ""
+        log_error "Some tests failed."
+        exit 1
+    fi
+}
+
+# Run main function if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi