v0.3.14 - I think the admin api is finally working

IMPLEMENT_API.md

@@ -0,0 +1,513 @@
+# Implementation Plan: Enhanced Admin Event API Structure
+
+## Current Issue
+
+The current admin event routing at [`main.c:3248-3268`](src/main.c:3248) has a security vulnerability:
+
+```c
+if (event_kind == 23455 || event_kind == 23456) {
+    // Admin event processing
+    int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
+} else {
+    // Regular event storage and broadcasting
+}
+```
+
+**Problem**: Any event with these kinds gets routed to admin processing, regardless of authorization. This allows unauthorized users to send admin events that could be processed as legitimate admin commands.
+
+**Note**: Event kinds 33334 and 33335 are no longer used and have been removed from the admin event routing.
+
+## Required Security Enhancement
+
+Admin events must be validated for proper authorization BEFORE routing to admin processing:
+
+1. **Relay Public Key Check**: Event must have a `p` tag equal to the relay's public key
+2. **Admin Signature Check**: Event must be signed by an authorized admin private key
+3. **Fallback to Regular Processing**: If authorization fails, treat as regular event (not admin event)
+
+## Implementation Plan
+
+### Phase 1: Add Admin Authorization Validation
+
+#### 1.1 Create Consolidated Admin Authorization Function
+**Location**: [`src/main.c`](src/main.c) or [`src/config.c`](src/config.c)
+
+```c
+/**
+ * Consolidated admin event authorization validator
+ * Implements defense-in-depth security for admin events
+ *
+ * @param event - The event to validate for admin authorization
+ * @param error_message - Buffer for detailed error messages
+ * @param error_size - Size of error message buffer
+ * @return 0 if authorized, -1 if unauthorized, -2 if validation error
+ */
+int is_authorized_admin_event(cJSON* event, char* error_message, size_t error_size) {
+    if (!event) {
+        snprintf(error_message, error_size, "admin_auth: null event");
+        return -2;
+    }
+    
+    // Extract event components
+    cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
+    cJSON* pubkey_obj = cJSON_GetObjectItem(event, "pubkey");
+    cJSON* tags_obj = cJSON_GetObjectItem(event, "tags");
+    
+    if (!kind_obj || !pubkey_obj || !tags_obj) {
+        snprintf(error_message, error_size, "admin_auth: missing required fields");
+        return -2;
+    }
+    
+    // Validation Layer 1: Kind Check
+    int event_kind = (int)cJSON_GetNumberValue(kind_obj);
+    if (event_kind != 23455 && event_kind != 23456) {
+        snprintf(error_message, error_size, "admin_auth: not an admin event kind");
+        return -1;
+    }
+    
+    // Validation Layer 2: Relay Targeting Check
+    const char* relay_pubkey = get_config_value("relay_pubkey");
+    if (!relay_pubkey) {
+        snprintf(error_message, error_size, "admin_auth: relay pubkey not configured");
+        return -2;
+    }
+    
+    // Check for 'p' tag targeting this relay
+    int has_relay_target = 0;
+    if (cJSON_IsArray(tags_obj)) {
+        cJSON* tag = NULL;
+        cJSON_ArrayForEach(tag, tags_obj) {
+            if (cJSON_IsArray(tag) && cJSON_GetArraySize(tag) >= 2) {
+                cJSON* tag_name = cJSON_GetArrayItem(tag, 0);
+                cJSON* tag_value = cJSON_GetArrayItem(tag, 1);
+                
+                if (cJSON_IsString(tag_name) && cJSON_IsString(tag_value)) {
+                    const char* name = cJSON_GetStringValue(tag_name);
+                    const char* value = cJSON_GetStringValue(tag_value);
+                    
+                    if (strcmp(name, "p") == 0 && strcmp(value, relay_pubkey) == 0) {
+                        has_relay_target = 1;
+                        break;
+                    }
+                }
+            }
+        }
+    }
+    
+    if (!has_relay_target) {
+        // Admin event for different relay - not unauthorized, just not for us
+        snprintf(error_message, error_size, "admin_auth: admin event for different relay");
+        return -1;
+    }
+    
+    // Validation Layer 3: Admin Signature Check (only if targeting this relay)
+    const char* event_pubkey = cJSON_GetStringValue(pubkey_obj);
+    if (!event_pubkey) {
+        snprintf(error_message, error_size, "admin_auth: invalid pubkey format");
+        return -2;
+    }
+    
+    const char* admin_pubkey = get_config_value("admin_pubkey");
+    if (!admin_pubkey || strcmp(event_pubkey, admin_pubkey) != 0) {
+        // This is the ONLY case where we log as "Unauthorized admin event attempt"
+        // because it's targeting THIS relay but from wrong admin
+        snprintf(error_message, error_size, "admin_auth: unauthorized admin for this relay");
+        log_warning("SECURITY: Unauthorized admin event attempt for this relay");
+        return -1;
+    }
+    
+    // All validation layers passed
+    log_info("ADMIN: Admin event authorized");
+    return 0;
+}
+
+```
+
+#### 1.2 Update Event Routing Logic
+**Location**: [`main.c:3248`](src/main.c:3248)
+
+```c
+// Current problematic code:
+if (event_kind == 23455 || event_kind == 23456) {
+    // Admin event processing
+    int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
+} else {
+    // Regular event storage and broadcasting
+}
+
+// Enhanced secure code with consolidated authorization:
+if (result == 0) {
+    cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
+    if (kind_obj && cJSON_IsNumber(kind_obj)) {
+        int event_kind = (int)cJSON_GetNumberValue(kind_obj);
+        
+        // Check if this is an admin event
+        if (event_kind == 23455 || event_kind == 23456) {
+            // Use consolidated authorization check
+            char auth_error[512] = {0};
+            int auth_result = is_authorized_admin_event(event, auth_error, sizeof(auth_error));
+            
+            if (auth_result == 0) {
+                // Authorized admin event - process through admin API
+                char admin_error[512] = {0};
+                int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
+                
+                if (admin_result != 0) {
+                    result = -1;
+                    strncpy(error_message, admin_error, sizeof(error_message) - 1);
+                }
+                // Admin events are NOT broadcast to subscriptions
+            } else {
+                // Unauthorized admin event - treat as regular event
+                log_warning("Unauthorized admin event treated as regular event");
+                if (store_event(event) != 0) {
+                    result = -1;
+                    strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
+                } else {
+                    broadcast_event_to_subscriptions(event);
+                }
+            }
+        } else {
+            // Regular event - normal processing
+            if (store_event(event) != 0) {
+                result = -1;
+                strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
+            } else {
+                broadcast_event_to_subscriptions(event);
+            }
+        }
+    }
+}
+```
+
+### Phase 2: Enhanced Admin Event Processing
+
+#### 2.1 Admin Event Validation in Config System
+**Location**: [`src/config.c`](src/config.c) - [`process_admin_event_in_config()`](src/config.c:2065)
+
+Add additional validation within the admin processing function:
+
+```c
+int process_admin_event_in_config(cJSON* event, char* error_buffer, size_t error_buffer_size, struct lws* wsi) {
+    // Double-check authorization (defense in depth)
+    if (!is_authorized_admin_event(event)) {
+        snprintf(error_buffer, error_buffer_size, "unauthorized: not a valid admin event");
+        return -1;
+    }
+    
+    // Continue with existing admin event processing...
+    // ... rest of function unchanged
+}
+```
+
+#### 2.2 Logging and Monitoring
+Add comprehensive logging for admin event attempts:
+
+```c
+// In the routing logic - enhanced logging
+cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
+cJSON* pubkey_obj = cJSON_GetObjectItem(event, "pubkey");
+int event_kind = kind_obj ? cJSON_GetNumberValue(kind_obj) : -1;
+const char* event_pubkey = pubkey_obj ? cJSON_GetStringValue(pubkey_obj) : "unknown";
+
+if (is_authorized_admin_event(event)) {
+    char log_msg[256];
+    snprintf(log_msg, sizeof(log_msg),
+            "ADMIN EVENT: Authorized admin event (kind=%d) from pubkey=%.16s...",
+            event_kind, event_pubkey);
+    log_info(log_msg);
+} else if (event_kind == 23455 || event_kind == 23456) {
+    // This catches unauthorized admin event attempts
+    char log_msg[256];
+    snprintf(log_msg, sizeof(log_msg),
+            "SECURITY: Unauthorized admin event attempt (kind=%d) from pubkey=%.16s...",
+            event_kind, event_pubkey);
+    log_warning(log_msg);
+}
+```
+
+## Phase 3: Unified Output Flow Architecture
+
+### 3.1 Current Output Flow Analysis
+
+After analyzing both [`main.c`](src/main.c) and [`config.c`](src/config.c), the **admin event responses already flow through the standard WebSocket output pipeline**. This is the correct architecture and requires no changes.
+
+#### Standard WebSocket Output Pipeline
+
+**Regular Events** ([`main.c:2978-2996`](src/main.c:2978)):
+```c
+// Database query responses
+unsigned char* buf = malloc(LWS_PRE + msg_len);
+memcpy(buf + LWS_PRE, msg_str, msg_len);
+lws_write(wsi, buf + LWS_PRE, msg_len, LWS_WRITE_TEXT);
+free(buf);
+```
+
+**OK Responses** ([`main.c:3342-3375`](src/main.c:3342)):
+```c
+// Event processing results: ["OK", event_id, success_boolean, message]
+unsigned char *buf = malloc(LWS_PRE + response_len);
+memcpy(buf + LWS_PRE, response_str, response_len);
+lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+free(buf);
+```
+
+#### Admin Event Output Pipeline (Already Unified)
+
+**Admin Responses** ([`config.c:2363-2414`](src/config.c:2363)):
+```c
+// Admin query responses use IDENTICAL pattern
+int send_websocket_response_data(struct lws* wsi, cJSON* response_data) {
+    unsigned char* buf = malloc(LWS_PRE + response_len);
+    memcpy(buf + LWS_PRE, response_str, response_len);
+    
+    // Same lws_write() call as regular events
+    int result = lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+    
+    free(buf);
+    return result;
+}
+```
+
+### 3.2 Unified Output Flow Confirmation
+
+✅ **Admin responses already use the same WebSocket transmission mechanism as regular events**
+
+✅ **Both admin and regular events use identical buffer allocation patterns**
+
+✅ **Both admin and regular events use the same [`lws_write()`](src/config.c:2393) function**
+
+✅ **Both admin and regular events follow the same cleanup patterns**
+
+### 3.3 Output Flow Integration Points
+
+The admin event processing in [`config.c:2436`](src/config.c:2436) already integrates correctly with the unified output system:
+
+1. **Admin Query Processing** ([`config.c:2568-2583`](src/config.c:2568)):
+   - Auth queries return structured JSON via [`send_websocket_response_data()`](src/config.c:2571)
+   - System commands return status data via [`send_websocket_response_data()`](src/config.c:2631)
+
+2. **Response Format Consistency**:
+   - Admin responses use standard JSON format
+   - Regular events use standard Nostr event format
+   - Both transmitted through same WebSocket pipeline
+
+3. **Error Handling Consistency**:
+   - Admin errors returned via same WebSocket connection
+   - Regular event errors returned via OK messages
+   - Both use identical transmission mechanism
+
+### 3.4 Key Architectural Benefits
+
+**No Changes Required**: The output flow is already unified and correctly implemented.
+
+**Security Separation**: Admin events are processed separately but responses flow through the same secure WebSocket channel.
+
+**Performance Consistency**: Both admin and regular responses use the same optimized transmission path.
+
+**Maintenance Simplicity**: Single WebSocket output pipeline reduces complexity and potential bugs.
+
+### 3.5 Admin Event Flow Summary
+
+```
+Admin Event Input → Authorization Check → Admin Processing → Unified WebSocket Output
+Regular Event Input → Validation → Storage + Broadcast → Unified WebSocket Output
+```
+
+Both flows converge at the **Unified WebSocket Output** stage, which is already correctly implemented.
+
+## Phase 4: Integration Points for Secure Admin Event Routing
+
+### 4.1 Configuration System Integration
+
+**Required Configuration Values**:
+- `admin_pubkey` - Public key of authorized administrator
+- `relay_pubkey` - Public key of this relay instance
+
+**Integration Points**:
+1. [`get_config_value()`](src/config.c) - Used by authorization function
+2. [`get_relay_pubkey_cached()`](src/config.c) - Used for relay targeting validation
+3. Configuration loading during startup - Must ensure admin/relay pubkeys are available
+
+### 4.3 Forward Declarations Required
+
+**Location**: [`src/main.c`](src/main.c) - Add near other forward declarations (around line 230)
+
+```c
+// Forward declarations for enhanced admin event authorization
+int is_authorized_admin_event(cJSON* event, char* error_message, size_t error_size);
+```
+
+### 4.4 Error Handling Integration
+
+**Enhanced Error Response System**:
+
+```c
+// In main.c event processing - enhanced error handling for admin events
+if (auth_result != 0) {
+    // Admin authorization failed - send detailed OK response
+    cJSON* event_id = cJSON_GetObjectItem(event, "id");
+    if (event_id && cJSON_IsString(event_id)) {
+        cJSON* response = cJSON_CreateArray();
+        cJSON_AddItemToArray(response, cJSON_CreateString("OK"));
+        cJSON_AddItemToArray(response, cJSON_CreateString(cJSON_GetStringValue(event_id)));
+        cJSON_AddItemToArray(response, cJSON_CreateBool(0)); // Failed
+        cJSON_AddItemToArray(response, cJSON_CreateString(auth_error));
+        
+        // Send via standard WebSocket output pipeline
+        char *response_str = cJSON_Print(response);
+        if (response_str) {
+            size_t response_len = strlen(response_str);
+            unsigned char *buf = malloc(LWS_PRE + response_len);
+            if (buf) {
+                memcpy(buf + LWS_PRE, response_str, response_len);
+                lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+                free(buf);
+            }
+            free(response_str);
+        }
+        cJSON_Delete(response);
+    }
+}
+```
+
+### 4.5 Logging Integration Points
+
+**Console Logging**: Uses existing [`log_warning()`](src/main.c:993), [`log_info()`](src/main.c:972) functions
+
+**Security Event Categories**:
+- Admin authorization success logged via `log_info()`
+- Admin authorization failures logged via `log_warning()`
+- Admin event processing logged via existing admin logging
+
+## Phase 5: Detailed Function Specifications
+
+### 5.1 Core Authorization Function
+
+**Function**: `is_authorized_admin_event()`
+**Location**: [`src/main.c`](src/main.c) or [`src/config.c`](src/config.c)
+**Dependencies**:
+- `get_config_value()` for admin/relay pubkeys
+- `log_warning()` and `log_info()` for logging
+- `cJSON` library for event parsing
+
+**Return Values**:
+- `0` - Event is authorized for admin processing
+- `-1` - Event is unauthorized (treat as regular event)
+- `-2` - Validation error (malformed event)
+
+**Error Handling**: Detailed error messages in provided buffer for client feedback
+
+### 5.2 Enhanced Event Routing
+
+**Location**: [`main.c:3248-3340`](src/main.c:3248)
+**Integration**: Replaces existing admin event routing logic
+**Dependencies**:
+- `is_authorized_admin_event()` for authorization
+- `process_admin_event_in_config()` for admin processing
+- `store_event()` and `broadcast_event_to_subscriptions()` for regular events
+
+**Security Features**:
+- Graceful degradation for unauthorized admin events
+- Comprehensive logging of authorization attempts
+- No broadcast of admin events to subscriptions
+- Detailed error responses for failed authorization
+
+### 5.4 Defense-in-Depth Validation
+
+**Primary Validation**: In main event routing logic
+**Secondary Validation**: In `process_admin_event_in_config()` function
+**Tertiary Validation**: In individual admin command handlers
+
+**Validation Layers**:
+1. **Kind Check** - Must be admin event kind (23455/23456)
+2. **Relay Targeting Check** - Must have 'p' tag with this relay's pubkey
+3. **Admin Signature Check** - Must be signed by authorized admin (only if targeting this relay)
+4. **Processing Check** - Additional validation in admin handlers
+
+**Security Logic**:
+- If no 'p' tag for this relay → Admin event for different relay (not unauthorized)
+- If 'p' tag for this relay + wrong admin signature → "Unauthorized admin event attempt"
+
+## Phase 6: Event Flow Documentation
+
+### 6.1 Complete Event Processing Flow
+
+```
+┌─────────────────┐
+│ WebSocket Input │
+└─────────┬───────┘
+          │
+          ▼
+┌─────────────────┐
+│ Unified         │
+│ Validation      │ ← nostr_validate_unified_request()
+└─────────┬───────┘
+          │
+          ▼
+┌─────────────────┐
+│ Kind-Based      │
+│ Routing Check   │ ← Check if kind 23455/23456
+└─────────┬───────┘
+          │
+     ┌────▼────┐
+     │ Admin?  │
+     └────┬────┘
+          │
+    ┌─────▼─────┐         ┌─────────────┐
+    │ YES       │         │ NO          │
+    │           │         │             │
+    ▼           │         ▼             │
+┌─────────────┐ │    ┌─────────────┐    │
+│ Admin       │ │    │ Regular     │    │
+│ Authorization│ │    │ Event       │    │
+│ Check       │ │    │ Processing  │    │
+└─────┬───────┘ │    └─────┬───────┘    │
+      │         │          │            │
+ ┌────▼────┐    │          ▼            │
+ │Authorized?│   │    ┌─────────────┐    │
+ └────┬────┘    │    │ store_event()│    │
+      │         │    │ +           │    │
+┌─────▼─────┐   │    │ broadcast() │    │
+│ YES   NO  │   │    └─────┬───────┘    │
+│  │     │  │   │          │            │
+│  ▼     ▼  │   │          ▼            │
+│┌─────┐┌───┴┐  │    ┌─────────────┐    │
+││Admin││Treat│  │    │ WebSocket   │    │
+││API  ││as   │  │    │ OK Response │    │
+││     ││Reg  │  │    └─────────────┘    │
+│└──┬──┘└───┬┘  │                       │
+│   │      │   │                       │
+│   ▼      │   │                       │
+│┌─────────┐│   │                       │
+││WebSocket││   │                       │
+││Response ││   │                       │
+│└─────────┘│   │                       │
+└───────────┴───┘                       │
+            │                           │
+            └───────────────────────────┘
+                        │
+                        ▼
+                ┌─────────────┐
+                │ Unified     │
+                │ WebSocket   │
+                │ Output      │
+                └─────────────┘
+```
+
+### 6.2 Security Decision Points
+
+1. **Event Kind Check** - Identifies potential admin events
+2. **Authorization Validation** - Three-layer security check
+3. **Routing Decision** - Admin API vs Regular processing
+4. **Response Generation** - Unified output pipeline
+5. **Audit Logging** - Security event tracking
+
+### 6.3 Error Handling Paths
+
+**Validation Errors**: Return detailed error messages via OK response
+**Authorization Failures**: Log security event + treat as regular event
+**Processing Errors**: Return admin-specific error responses
+**System Errors**: Fallback to standard error handling
+
+This completes the comprehensive implementation plan for the enhanced admin event API structure with unified output flow architecture.

README.md

@@ -22,4 +22,150 @@ Do NOT modify the formatting, add emojis, or change the text. Keep the simple fo
 - [ ] NIP-50: Keywords filter
 - [ ] NIP-70: Protected Events
 
+## 🔧 Administrator API
+
+C-Relay uses an innovative **event-based administration system** where all configuration and management commands are sent as signed Nostr events using the admin private key generated during first startup. All admin commands use **tag-based parameters** for simplicity and compatibility.
+
+### Authentication
+
+All admin commands require signing with the admin private key displayed during first-time startup. **Save this key securely** - it cannot be recovered and is needed for all administrative operations.
+
+### Event Structure
+
+All admin commands use the same unified event structure with tag-based parameters:
+
+**Admin Command Event:**
+```json
+{
+  "id": "event_id",
+  "pubkey": "admin_public_key",
+  "created_at": 1234567890,
+  "kind": 23456,
+  "content": "<nip44 encrypted command>",
+  "tags": [
+    ["p", "relay_public_key"],
+  ],
+  "sig": "event_signature"
+}
+```
+
+**Admin Response Event:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "<nip44 encrypted response>",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
+
+### Admin Commands
+
+All commands are sent as nip44 encrypted content. The following table lists all available commands:
+
+| Command Type | Tag Format | Description |
+|--------------|------------|-------------|
+| **Configuration Management** |
+| `config_update` | `["relay_description", "My Relay"]` | Update relay configuration parameters |
+| `config_query` | `["config_query", "list_all_keys"]` | List all available configuration keys |
+| **Auth Rules Management** |
+| `auth_add_blacklist` | `["blacklist", "pubkey", "abc123..."]` | Add pubkey to blacklist |
+| `auth_add_whitelist` | `["whitelist", "pubkey", "def456..."]` | Add pubkey to whitelist |
+| `auth_query_all` | `["auth_query", "all"]` | Query all auth rules |
+| `auth_query_type` | `["auth_query", "whitelist"]` | Query specific rule type |
+| `auth_query_pattern` | `["auth_query", "pattern", "abc123..."]` | Query specific pattern |
+| **System Commands** |
+| `system_clear_auth` | `["system_command", "clear_all_auth_rules"]` | Clear all auth rules |
+| `system_status` | `["system_command", "system_status"]` | Get system status |
+
+### Available Configuration Keys
+
+**Basic Relay Settings:**
+- `relay_description`: Relay description text
+- `relay_contact`: Contact information
+- `max_connections`: Maximum concurrent connections
+- `max_subscriptions_per_client`: Max subscriptions per client
+- `max_event_tags`: Maximum tags per event
+- `max_content_length`: Maximum event content length
+
+**Authentication & Access Control:**
+- `auth_enabled`: Enable whitelist/blacklist auth rules (`true`/`false`)
+- `nip42_auth_required`: Enable NIP-42 cryptographic authentication (`true`/`false`)
+- `nip42_auth_required_kinds`: Event kinds requiring NIP-42 auth (comma-separated)
+- `nip42_challenge_timeout`: NIP-42 challenge expiration seconds
+
+**Proof of Work & Validation:**
+- `pow_min_difficulty`: Minimum proof-of-work difficulty
+- `nip40_expiration_enabled`: Enable event expiration (`true`/`false`)
+
+### Response Format
+
+All admin commands return **signed EVENT responses** via WebSocket following standard Nostr protocol. Responses use JSON content with structured data.
+
+#### Response Examples
+
+**Success Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"status\": \"success\", \"message\": \"Operation completed successfully\"}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
+
+**Error Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"status\": \"error\", \"message\": \"Error: invalid configuration value\"}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
+
+**Auth Rules Query Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"query_type\": \"auth_rules\", \"total_results\": 2, \"data\": [{\"rule_type\": \"blacklist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"abc123...\", \"action\": \"deny\"}]}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
+
+**Configuration Query Response:**
+```json
+["EVENT", "temp_sub_id", {
+  "id": "response_event_id",
+  "pubkey": "relay_public_key",
+  "created_at": 1234567890,
+  "kind": 23457,
+  "content": "nip44 encrypted:{\"query_type\": \"config_keys\", \"config_keys\": [\"auth_enabled\", \"max_connections\"], \"descriptions\": {\"auth_enabled\": \"Enable whitelist/blacklist rules\"}}",
+  "tags": [
+    ["p", "admin_public_key"]
+  ],
+  "sig": "response_event_signature"
+}]
+```
 

docs/admin_api_plan.md

@@ -0,0 +1,537 @@
+# C-Relay Administrator API Implementation Plan
+
+## Problem Analysis
+
+### Current Issues Identified:
+
+1. **Schema Mismatch**: Storage system (config.c) vs Validation system (request_validator.c) use different column names and values
+2. **Missing API Endpoint**: No way to clear auth_rules table for testing
+3. **Configuration Gap**: Auth rules enforcement may not be properly enabled
+4. **Documentation Gap**: Admin API commands not documented
+
+### Root Cause: Auth Rules Schema Inconsistency
+
+**Current Schema (sql_schema.h lines 140-150):**
+```sql
+CREATE TABLE auth_rules (
+    rule_type TEXT CHECK (rule_type IN ('whitelist', 'blacklist')),
+    pattern_type TEXT CHECK (pattern_type IN ('pubkey', 'hash')),  
+    pattern_value TEXT,
+    action TEXT CHECK (action IN ('allow', 'deny')),
+    active INTEGER DEFAULT 1
+);
+```
+
+**Storage Implementation (config.c):**
+- Stores: `rule_type='blacklist'`, `pattern_type='pubkey'`, `pattern_value='hex'`, `action='allow'`
+
+**Validation Implementation (request_validator.c):**
+- Queries: `rule_type='pubkey_blacklist'`, `rule_target='hex'`, `operation='event'`, `enabled=1`
+
+**MISMATCH**: Validator looks for non-existent columns and wrong rule_type values!
+
+## Proposed Solution Architecture
+
+### Phase 1: API Documentation & Standardization
+
+#### Admin API Commands (via WebSocket with admin private key)
+
+**Kind 23455: Configuration Management (Ephemeral)**
+- Update relay settings, limits, authentication policies
+- **Standard Mode**: Commands in tags `["config_key", "config_value"]`
+- **Encrypted Mode**: Commands NIP-44 encrypted in content `{"encrypted_tags": "..."}`
+- Content: Descriptive text or encrypted payload
+- Security: Optional NIP-44 encryption for sensitive operations
+
+**Kind 23456: Auth Rules & System Management (Ephemeral)**
+- Auth rules: Add/remove/query whitelist/blacklist rules
+- System commands: clear rules, status, cache management
+- **Standard Mode**: Commands in tags
+  - Rule format: `["rule_type", "pattern_type", "pattern_value"]`
+  - Query format: `["auth_query", "filter"]`
+  - System format: `["system_command", "command_name"]`
+- **Encrypted Mode**: Commands NIP-44 encrypted in content `{"encrypted_tags": "..."}`
+- Content: Action description + optional encrypted payload
+- Security: Optional NIP-44 encryption for sensitive operations
+
+#### Configuration Query Commands (using Kind 23455)
+
+1. **List All Configuration Keys (Standard)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "Discovery query",
+     "tags": [["config_query", "list_all_keys"]]
+   }
+   ```
+
+2. **List All Configuration Keys (Encrypted)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "{\"query\":\"list_config_keys\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["config_query", "list_all_keys"]]`
+
+3. **Get Current Configuration (Standard)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "Config query",
+     "tags": [["config_query", "get_current_config"]]
+   }
+   ```
+
+4. **Get Current Configuration (Encrypted)**:
+   ```json
+   {
+     "kind": 23455,
+     "content": "{\"query\":\"get_config\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["config_query", "get_current_config"]]`
+
+#### System Management Commands (using Kind 23456)
+
+1. **Clear All Auth Rules (Standard)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"clear_all\"}",
+     "tags": [["system_command", "clear_all_auth_rules"]]
+   }
+   ```
+
+2. **Clear All Auth Rules (Encrypted)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"clear_all\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["system_command", "clear_all_auth_rules"]]`
+
+3. **Query All Auth Rules (Standard)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"query\":\"list_auth_rules\"}",
+     "tags": [["auth_query", "all"]]
+   }
+   ```
+
+4. **Query All Auth Rules (Encrypted)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"query\":\"list_auth_rules\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["auth_query", "all"]]`
+
+5. **Add Blacklist Rule (Standard)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"add\"}",
+     "tags": [["blacklist", "pubkey", "deadbeef1234abcd..."]]
+   }
+   ```
+
+6. **Add Blacklist Rule (Encrypted)**:
+   ```json
+   {
+     "kind": 23456,
+     "content": "{\"action\":\"add\",\"encrypted_tags\":\"nip44_encrypted_payload\"}",
+     "tags": []
+   }
+   ```
+   *Encrypted payload contains:* `[["blacklist", "pubkey", "deadbeef1234abcd..."]]`
+
+### Phase 2: Auth Rules Schema Alignment
+
+#### Option A: Fix Validator to Match Schema (RECOMMENDED)
+
+**Update request_validator.c:**
+```sql
+-- OLD (broken):
+WHERE rule_type = 'pubkey_blacklist' AND rule_target = ? AND operation = ? AND enabled = 1
+
+-- NEW (correct):
+WHERE rule_type = 'blacklist' AND pattern_type = 'pubkey' AND pattern_value = ? AND active = 1
+```
+
+**Benefits:**
+- Matches actual database schema
+- Simpler rule_type values ('blacklist' vs 'pubkey_blacklist')  
+- Uses existing columns (pattern_value vs rule_target)
+- Consistent with storage implementation
+
+#### Option B: Update Schema to Match Validator (NOT RECOMMENDED)
+
+Would require changing schema, migration scripts, and storage logic.
+
+### Phase 3: Implementation Priority
+
+#### High Priority (Critical for blacklist functionality):
+1. Fix request_validator.c schema mismatch
+2. Ensure auth_required configuration is enabled
+3. Update tests to use ephemeral event kinds (23455/23456)
+4. Test blacklist enforcement
+
+#### Medium Priority (Enhanced Admin Features):
+1. **Implement NIP-44 Encryption Support**:
+   - Detect empty tags array for Kind 23455/23456 events
+   - Parse `encrypted_tags` field from content JSON
+   - Decrypt using admin privkey and relay pubkey
+   - Process decrypted tags as normal commands
+2. Add clear_all_auth_rules system command
+3. Add auth rule query functionality (both standard and encrypted modes)
+4. Add configuration discovery (list available config keys)
+5. Enhanced error reporting in admin API
+6. Conflict resolution (same pubkey in whitelist + blacklist)
+
+#### Security Priority (NIP-44 Implementation):
+1. **Encryption Detection Logic**: Check for empty tags + encrypted_tags field
+2. **Key Pair Management**: Use admin private key + relay public key for NIP-44
+3. **Backward Compatibility**: Support both standard and encrypted modes
+4. **Error Handling**: Graceful fallback if decryption fails
+5. **Performance**: Cache decrypted results to avoid repeated decryption
+
+#### Low Priority (Documentation & Polish):
+1. Complete README.md API documentation
+2. Example usage scripts
+3. Admin client tools
+
+### Phase 4: Expected API Structure
+
+#### README.md Documentation Format:
+
+```markdown
+# C-Relay Administrator API
+
+## Authentication
+All admin commands require signing with the admin private key generated during first startup.
+
+## Configuration Management (Kind 23455 - Ephemeral)
+Update relay configuration parameters or query available settings.
+
+**Configuration Update Event:**
+```json
+{
+  "kind": 23455,
+  "content": "Configuration update",
+  "tags": [
+    ["config_key1", "config_value1"],
+    ["config_key2", "config_value2"]
+  ]
+}
+```
+
+**List Available Config Keys:**
+```json
+{
+  "kind": 23455,
+  "content": "{\"query\":\"list_config_keys\",\"description\":\"Get editable config keys\"}",
+  "tags": [
+    ["config_query", "list_all_keys"]
+  ]
+}
+```
+
+**Get Current Configuration:**
+```json
+{
+  "kind": 23455,
+  "content": "{\"query\":\"get_config\",\"description\":\"Get current config values\"}",
+  "tags": [
+    ["config_query", "get_current_config"]
+  ]
+}
+```
+
+## Auth Rules Management (Kind 23456 - Ephemeral)
+Manage whitelist and blacklist rules.
+
+**Add Rule Event:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"add\",\"description\":\"Block malicious user\"}",
+  "tags": [
+    ["blacklist", "pubkey", "deadbeef1234..."]
+  ]
+}
+```
+
+**Remove Rule Event:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"remove\",\"description\":\"Unblock user\"}",
+  "tags": [
+    ["blacklist", "pubkey", "deadbeef1234..."]
+  ]
+}
+```
+
+**Query All Auth Rules:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"query\":\"list_auth_rules\",\"description\":\"Get all rules\"}",
+  "tags": [
+    ["auth_query", "all"]
+  ]
+}
+```
+
+**Query Whitelist Rules Only:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"query\":\"list_auth_rules\",\"description\":\"Get whitelist\"}",
+  "tags": [
+    ["auth_query", "whitelist"]
+  ]
+}
+```
+
+**Check Specific Pattern:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"query\":\"check_pattern\",\"description\":\"Check if pattern exists\"}",
+  "tags": [
+    ["auth_query", "pattern", "deadbeef1234..."]
+  ]
+}
+```
+
+## System Management (Kind 23456 - Ephemeral)
+System administration commands using the same kind as auth rules.
+
+**Clear All Auth Rules:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"clear_all\",\"description\":\"Clear all auth rules\"}",
+  "tags": [
+    ["system_command", "clear_all_auth_rules"]
+  ]
+}
+```
+
+**System Status:**
+```json
+{
+  "kind": 23456,
+  "content": "{\"action\":\"system_status\",\"description\":\"Get system status\"}",
+  "tags": [
+    ["system_command", "system_status"]
+  ]
+}
+```
+
+## Response Format
+All admin commands return JSON responses via WebSocket:
+
+**Success Response:**
+```json
+["OK", "event_id", true, "success_message"]
+```
+
+**Error Response:**  
+```json
+["OK", "event_id", false, "error_message"]
+```
+
+## Configuration Keys
+- `relay_description`: Relay description text
+- `relay_contact`: Contact information  
+- `auth_enabled`: Enable authentication system
+- `max_connections`: Maximum concurrent connections
+- `pow_min_difficulty`: Minimum proof-of-work difficulty
+- ... (full list of config keys)
+
+## Examples
+
+### Enable Authentication & Add Blacklist
+```bash
+# 1. Enable auth system
+nak event -k 23455 --content "Enable authentication" \
+  -t "auth_enabled=true" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+
+# 2. Add user to blacklist
+nak event -k 23456 --content '{"action":"add","description":"Spam user"}' \
+  -t "blacklist=pubkey;$SPAM_USER_PUBKEY" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+
+# 3. Query all auth rules
+nak event -k 23456 --content '{"query":"list_auth_rules","description":"Get all rules"}' \
+  -t "auth_query=all" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+
+# 4. Clear all rules for testing
+nak event -k 23456 --content '{"action":"clear_all","description":"Clear all rules"}' \
+  -t "system_command=clear_all_auth_rules" \
+  --sec $ADMIN_PRIVKEY | nak event ws://localhost:8888
+```
+
+## Expected Response Formats
+
+### Configuration Query Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23455,
+  "content": "{\"config_keys\": [\"auth_enabled\", \"max_connections\"], \"descriptions\": {\"auth_enabled\": \"Enable whitelist/blacklist rules\"}}",
+  "tags": [["response_type", "config_keys_list"]]
+}]
+```
+
+### Current Config Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23455,
+  "content": "{\"current_config\": {\"auth_enabled\": \"true\", \"max_connections\": \"1000\"}}",
+  "tags": [["response_type", "current_config"]]
+}]
+```
+
+### Auth Rules Query Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23456,
+  "content": "{\"auth_rules\": [{\"rule_type\": \"blacklist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"deadbeef...\"}, {\"rule_type\": \"whitelist\", \"pattern_type\": \"pubkey\", \"pattern_value\": \"cafebabe...\"}]}",
+  "tags": [["response_type", "auth_rules_list"], ["query_type", "all"]]
+}]
+```
+
+### Pattern Check Response
+```json
+["EVENT", "subscription_id", {
+  "kind": 23456,
+  "content": "{\"pattern_exists\": true, \"rule_type\": \"blacklist\", \"pattern_value\": \"deadbeef...\"}",
+  "tags": [["response_type", "pattern_check"], ["pattern", "deadbeef..."]]
+}]
+```
+
+## Implementation Steps
+
+1. **Document API** (this file) ✅
+2. **Update to ephemeral event kinds** ✅
+3. **Fix request_validator.c** schema mismatch
+4. **Update tests** to use Kind 23455/23456
+5. **Add auth rule query functionality**
+6. **Add configuration discovery feature**
+7. **Test blacklist functionality**
+8. **Add remaining system commands**
+
+## Testing Plan
+
+1. Fix schema mismatch and test basic blacklist
+2. Add clear_auth_rules and test table cleanup
+3. Test whitelist/blacklist conflict scenarios  
+4. Test all admin API commands end-to-end
+5. Update integration tests
+
+This plan addresses the immediate blacklist issue while establishing a comprehensive admin API framework for future expansion.
+
+## NIP-44 Encryption Implementation Details
+
+### Server-Side Detection Logic
+```c
+// In admin event processing function
+bool is_encrypted_command(struct nostr_event *event) {
+    // Check if Kind 23455 or 23456 with empty tags
+    if ((event->kind == 23455 || event->kind == 23456) &&
+        event->tags_count == 0) {
+        return true;
+    }
+    return false;
+}
+
+cJSON *decrypt_admin_tags(struct nostr_event *event) {
+    cJSON *content_json = cJSON_Parse(event->content);
+    if (!content_json) return NULL;
+    
+    cJSON *encrypted_tags = cJSON_GetObjectItem(content_json, "encrypted_tags");
+    if (!encrypted_tags) {
+        cJSON_Delete(content_json);
+        return NULL;
+    }
+    
+    // Decrypt using NIP-44 with admin pubkey and relay privkey
+    char *decrypted = nip44_decrypt(
+        cJSON_GetStringValue(encrypted_tags),
+        admin_pubkey,           // Shared secret with admin
+        relay_private_key       // Our private key
+    );
+    
+    cJSON *decrypted_tags = cJSON_Parse(decrypted);
+    free(decrypted);
+    cJSON_Delete(content_json);
+    
+    return decrypted_tags; // Returns tag array: [["key1", "val1"], ["key2", "val2"]]
+}
+```
+
+### Admin Event Processing Flow
+1. **Receive Event**: Kind 23455/23456 with admin signature
+2. **Check Mode**: Empty tags = encrypted, populated tags = standard
+3. **Decrypt if Needed**: Extract and decrypt `encrypted_tags` from content
+4. **Process Commands**: Use decrypted/standard tags for command processing
+5. **Execute**: Same logic for both modes after tag extraction
+6. **Respond**: Standard response format (optionally encrypt response)
+
+### Security Benefits
+- **Command Privacy**: Admin operations invisible in event tags
+- **Replay Protection**: NIP-44 includes timestamp/randomness
+- **Key Management**: Uses existing admin/relay key pair
+- **Backward Compatible**: Standard mode still works
+- **Performance**: Only decrypt when needed (empty tags detection)
+
+### NIP-44 Library Integration
+The relay will need to integrate a NIP-44 encryption/decryption library:
+
+```c
+// Required NIP-44 functions
+char* nip44_encrypt(const char* plaintext, const char* sender_privkey, const char* recipient_pubkey);
+char* nip44_decrypt(const char* ciphertext, const char* recipient_privkey, const char* sender_pubkey);
+```
+
+### Implementation Priority (Updated)
+
+#### Phase 1: Core Infrastructure (Complete)
+- [x] Event-based admin authentication system
+- [x] Kind 23455/23456 (Configuration/Auth Rules) processing
+- [x] Basic configuration parameter updates
+- [x] Auth rule add/remove/clear functionality
+- [x] Updated to ephemeral event kinds
+- [x] Designed NIP-44 encryption support
+
+#### Phase 2: NIP-44 Encryption Support (Next Priority)
+- [ ] **Add NIP-44 library dependency** to project
+- [ ] **Implement encryption detection logic** (`is_encrypted_command()`)
+- [ ] **Add decrypt_admin_tags() function** with NIP-44 support
+- [ ] **Update admin command processing** to handle both modes
+- [ ] **Test encrypted admin commands** end-to-end
+
+#### Phase 3: Enhanced Features
+- [ ] **Auth rule query functionality** (both standard and encrypted modes)
+- [ ] **Configuration discovery API** (list available config keys)
+- [ ] **Enhanced error messages** with encryption status
+- [ ] **Performance optimization** (caching, async decrypt)
+
+#### Phase 4: Schema Fixes (Critical)
+- [ ] **Fix request_validator.c** schema mismatch
+- [ ] **Enable blacklist enforcement** with encrypted commands
+- [ ] **Update tests** to use both standard and encrypted modes
+
+This enhanced admin API provides enterprise-grade security while maintaining ease of use for basic operations.

make_and_restart_relay.sh

@@ -198,25 +198,54 @@ fi
 
 echo "Build successful. Proceeding with relay restart..."
 
-# Kill existing relay if running
+# Kill existing relay if running - start aggressive immediately
 echo "Stopping any existing relay servers..."
-pkill -f "c_relay_" 2>/dev/null
-sleep 2  # Give time for shutdown
 
-# Check if port is still bound
-if lsof -i :8888 >/dev/null 2>&1; then
-    echo "Port 8888 still in use, force killing..."
-    fuser -k 8888/tcp 2>/dev/null || echo "No process on port 8888"
+# Get all relay processes and kill them immediately with -9
+RELAY_PIDS=$(pgrep -f "c_relay_" || echo "")
+if [ -n "$RELAY_PIDS" ]; then
+    echo "Force killing relay processes immediately: $RELAY_PIDS"
+    kill -9 $RELAY_PIDS 2>/dev/null
+else
+    echo "No existing relay processes found"
 fi
 
-# Get any remaining processes
-REMAINING_PIDS=$(pgrep -f "c_relay_" || echo "")
-if [ -n "$REMAINING_PIDS" ]; then
-    echo "Force killing remaining processes: $REMAINING_PIDS"
-    kill -9 $REMAINING_PIDS 2>/dev/null
+# Ensure port 8888 is completely free with retry loop
+echo "Ensuring port 8888 is available..."
+for attempt in {1..15}; do
+    if ! lsof -i :8888 >/dev/null 2>&1; then
+        echo "Port 8888 is now free"
+        break
+    fi
+    
+    echo "Attempt $attempt: Port 8888 still in use, force killing..."
+    # Kill anything using port 8888
+    fuser -k 8888/tcp 2>/dev/null || true
+    
+    # Double-check for any remaining relay processes
+    REMAINING_PIDS=$(pgrep -f "c_relay_" || echo "")
+    if [ -n "$REMAINING_PIDS" ]; then
+        echo "Killing remaining relay processes: $REMAINING_PIDS"
+        kill -9 $REMAINING_PIDS 2>/dev/null || true
+    fi
+    
+    sleep 2
+    
+    if [ $attempt -eq 15 ]; then
+        echo "ERROR: Could not free port 8888 after 15 attempts"
+        echo "Current processes using port:"
+        lsof -i :8888 2>/dev/null || echo "No process details available"
+        echo "You may need to manually kill processes or reboot"
+        exit 1
+    fi
+done
+
+# Final safety check - ensure no relay processes remain
+FINAL_PIDS=$(pgrep -f "c_relay_" || echo "")
+if [ -n "$FINAL_PIDS" ]; then
+    echo "Final cleanup: killing processes $FINAL_PIDS"
+    kill -9 $FINAL_PIDS 2>/dev/null || true
     sleep 1
-else
-    echo "No existing relay found"
 fi
 
 # Clean up PID file

relay.pid

@@ -1 +1 @@
-1307796
+652192

src/config.h

@@ -6,6 +6,9 @@
 #include <time.h>
 #include <pthread.h>
 
+// Forward declaration for WebSocket support
+struct lws;
+
 // Configuration constants
 #define CONFIG_VALUE_MAX_LENGTH 1024
 #define RELAY_NAME_MAX_LENGTH 256
@@ -160,10 +163,20 @@ int update_config_in_table(const char* key, const char* value);
 int populate_default_config_values(void);
 int add_pubkeys_to_config_table(void);
 
-// Admin event processing functions
-int process_admin_event_in_config(cJSON* event, char* error_message, size_t error_size);
+// Admin event processing functions (updated with WebSocket support)
+int process_admin_event_in_config(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
 int process_admin_config_event(cJSON* event, char* error_message, size_t error_size);
-int process_admin_auth_event(cJSON* event, char* error_message, size_t error_size);
+int process_admin_auth_event(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
+
+// Unified Kind 23456 handler functions
+int handle_kind_23456_unified(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
+int handle_auth_query_unified(cJSON* event, const char* query_type, char* error_message, size_t error_size, struct lws* wsi);
+int handle_system_command_unified(cJSON* event, const char* command, char* error_message, size_t error_size, struct lws* wsi);
+int handle_auth_rule_modification_unified(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
+
+// Admin response functions
+int send_admin_response_event(const cJSON* response_data, const char* recipient_pubkey, struct lws* wsi);
+cJSON* build_query_response(const char* query_type, cJSON* results_array, int total_count);
 
 // Auth rules management functions
 int add_auth_rule_from_config(const char* rule_type, const char* pattern_type,

src/main.c

@@ -228,7 +228,10 @@ int nostr_validate_unified_request(const char* json_string, size_t json_length);
 int handle_configuration_event(cJSON* event, char* error_message, size_t error_size);
 
 // Forward declaration for admin event processing (kinds 33334 and 33335)
-int process_admin_event_in_config(cJSON* event, char* error_message, size_t error_size);
+int process_admin_event_in_config(cJSON* event, char* error_message, size_t error_size, struct lws* wsi);
+
+// Forward declaration for enhanced admin event authorization
+int is_authorized_admin_event(cJSON* event, char* error_message, size_t error_size);
 
 // Forward declaration for NOTICE message support
 void send_notice_message(struct lws* wsi, const char* message);
@@ -972,28 +975,28 @@ static void get_timestamp_string(char* buffer, size_t buffer_size) {
 void log_info(const char* message) {
     char timestamp[32];
     get_timestamp_string(timestamp, sizeof(timestamp));
-    printf("[%s] " BLUE "[INFO]" RESET " %s\n", timestamp, message);
+    printf("[%s] [INFO] %s\n", timestamp, message);
     fflush(stdout);
 }
 
 void log_success(const char* message) {
     char timestamp[32];
     get_timestamp_string(timestamp, sizeof(timestamp));
-    printf("[%s] " GREEN "[SUCCESS]" RESET " %s\n", timestamp, message);
+    printf("[%s] [SUCCESS] %s\n", timestamp, message);
     fflush(stdout);
 }
 
 void log_error(const char* message) {
     char timestamp[32];
     get_timestamp_string(timestamp, sizeof(timestamp));
-    printf("[%s] " RED "[ERROR]" RESET " %s\n", timestamp, message);
+    printf("[%s] [ERROR] %s\n", timestamp, message);
     fflush(stdout);
 }
 
 void log_warning(const char* message) {
     char timestamp[32];
     get_timestamp_string(timestamp, sizeof(timestamp));
-    printf("[%s] " YELLOW "[WARNING]" RESET " %s\n", timestamp, message);
+    printf("[%s] [WARNING] %s\n", timestamp, message);
     fflush(stdout);
 }
 
@@ -3009,6 +3012,109 @@ int handle_req_message(const char* sub_id, cJSON* filters, struct lws *wsi, stru
     
     return events_sent;
 }
+/////////////////////////////////////////////////////////////////////////////////////////
+/////////////////////////////////////////////////////////////////////////////////////////
+//             ADMIN EVENT AUTHORIZATION
+/////////////////////////////////////////////////////////////////////////////////////////
+/////////////////////////////////////////////////////////////////////////////////////////
+
+// Enhanced admin event authorization function
+int is_authorized_admin_event(cJSON* event, char* error_buffer, size_t error_buffer_size) {
+    if (!event || !error_buffer) {
+        if (error_buffer && error_buffer_size > 0) {
+            snprintf(error_buffer, error_buffer_size, "Invalid parameters for admin authorization");
+        }
+        return -1;
+    }
+    
+    // Step 1: Verify event kind is admin type
+    cJSON *kind_json = cJSON_GetObjectItem(event, "kind");
+    if (!kind_json || !cJSON_IsNumber(kind_json)) {
+        snprintf(error_buffer, error_buffer_size, "Missing or invalid event kind");
+        return -1;
+    }
+    
+    int event_kind = kind_json->valueint;
+    if (event_kind != 33334 && event_kind != 33335 && event_kind != 23455 && event_kind != 23456) {
+        snprintf(error_buffer, error_buffer_size, "Event kind %d is not an admin event type", event_kind);
+        return -1;
+    }
+    
+    // Step 2: Check if event targets this relay (look for 'p' tag with our relay pubkey)
+    cJSON *tags = cJSON_GetObjectItem(event, "tags");
+    if (!tags || !cJSON_IsArray(tags)) {
+        // No tags array - treat as regular event for different relay
+        log_info("Admin event has no tags array - treating as event for different relay");
+        snprintf(error_buffer, error_buffer_size, "Admin event not targeting this relay (no tags)");
+        return -1;
+    }
+    
+    int targets_this_relay = 0;
+    cJSON *tag;
+    cJSON_ArrayForEach(tag, tags) {
+        if (cJSON_IsArray(tag)) {
+            cJSON *tag_name = cJSON_GetArrayItem(tag, 0);
+            cJSON *tag_value = cJSON_GetArrayItem(tag, 1);
+            
+            if (tag_name && cJSON_IsString(tag_name) &&
+                tag_value && cJSON_IsString(tag_value) &&
+                strcmp(tag_name->valuestring, "p") == 0) {
+                
+                // Compare with our relay pubkey
+                const char* relay_pubkey = get_config_value("relay_pubkey");
+                if (relay_pubkey && strcmp(tag_value->valuestring, relay_pubkey) == 0) {
+                    targets_this_relay = 1;
+                    break;
+                }
+            }
+        }
+    }
+    
+    if (!targets_this_relay) {
+        // Admin event for different relay - not an error, just not for us
+        log_info("Admin event targets different relay - treating as regular event");
+        snprintf(error_buffer, error_buffer_size, "Admin event not targeting this relay");
+        return -1;
+    }
+    
+    // Step 3: Verify admin signature authorization
+    cJSON *pubkey_json = cJSON_GetObjectItem(event, "pubkey");
+    if (!pubkey_json || !cJSON_IsString(pubkey_json)) {
+        log_warning("Unauthorized admin event attempt: missing or invalid pubkey");
+        snprintf(error_buffer, error_buffer_size, "Unauthorized admin event attempt: missing pubkey");
+        return -1;
+    }
+    
+    // Get admin pubkey from configuration
+    const char* admin_pubkey = get_config_value("admin_pubkey");
+    if (!admin_pubkey || strlen(admin_pubkey) == 0) {
+        log_warning("Unauthorized admin event attempt: no admin pubkey configured");
+        snprintf(error_buffer, error_buffer_size, "Unauthorized admin event attempt: no admin configured");
+        return -1;
+    }
+    
+    // Compare pubkeys
+    if (strcmp(pubkey_json->valuestring, admin_pubkey) != 0) {
+        log_warning("Unauthorized admin event attempt: pubkey mismatch");
+        char warning_msg[256];
+        snprintf(warning_msg, sizeof(warning_msg), 
+                "Unauthorized admin event attempt from pubkey: %.32s...", pubkey_json->valuestring);
+        log_warning(warning_msg);
+        snprintf(error_buffer, error_buffer_size, "Unauthorized admin event attempt: invalid admin pubkey");
+        return -1;
+    }
+    
+    // Step 4: Verify event signature
+    if (nostr_verify_event_signature(event) != 0) {
+        log_warning("Unauthorized admin event attempt: invalid signature");
+        snprintf(error_buffer, error_buffer_size, "Unauthorized admin event attempt: signature verification failed");
+        return -1;
+    }
+    
+    // All checks passed - authorized admin event
+    log_info("Admin event authorization successful");
+    return 0;
+}
 
 
 
@@ -3097,11 +3203,18 @@ static int nostr_relay_callback(struct lws *wsi, enum lws_callback_reasons reaso
                     memcpy(message, in, len);
                     message[len] = '\0';
                     
-                    log_info("Received WebSocket message");
-                    
-                    // Parse JSON message
+                    // Parse JSON message (this is the normal program flow)
                     cJSON* json = cJSON_Parse(message);
                     if (json && cJSON_IsArray(json)) {
+                        // Log the complete parsed JSON message once
+                        char* complete_message = cJSON_Print(json);
+                        if (complete_message) {
+                            char debug_msg[2048];
+                            snprintf(debug_msg, sizeof(debug_msg),
+                                     "Received complete WebSocket message: %s", complete_message);
+                            log_info(debug_msg);
+                            free(complete_message);
+                        }
                         // Get message type
                         cJSON* type = cJSON_GetArrayItem(json, 0);
                         if (type && cJSON_IsString(type)) {
@@ -3115,11 +3228,30 @@ static int nostr_relay_callback(struct lws *wsi, enum lws_callback_reasons reaso
                                     cJSON* kind_obj = cJSON_GetObjectItem(event_obj, "kind");
                                     int event_kind = kind_obj && cJSON_IsNumber(kind_obj) ? (int)cJSON_GetNumberValue(kind_obj) : -1;
                                     
+                                    // Extract pubkey and event ID for debugging
+                                    cJSON* pubkey_obj = cJSON_GetObjectItem(event_obj, "pubkey");
+                                    cJSON* id_obj = cJSON_GetObjectItem(event_obj, "id");
+                                    const char* event_pubkey = pubkey_obj ? cJSON_GetStringValue(pubkey_obj) : "unknown";
+                                    const char* event_id = id_obj ? cJSON_GetStringValue(id_obj) : "unknown";
+                                    
+                                    char debug_event_msg[512];
+                                    snprintf(debug_event_msg, sizeof(debug_event_msg),
+                                            "DEBUG EVENT: Processing kind %d event from pubkey %.16s... ID %.16s...",
+                                            event_kind, event_pubkey, event_id);
+                                    log_info(debug_event_msg);
+                                    
                                     // Check if NIP-42 authentication is required for this event kind or globally
                                     int auth_required = is_nip42_auth_globally_required() || is_nip42_auth_required_for_kind(event_kind);
                                     
+                                    char debug_auth_msg[256];
+                                    snprintf(debug_auth_msg, sizeof(debug_auth_msg),
+                                            "DEBUG AUTH: auth_required=%d, pss->authenticated=%d, event_kind=%d",
+                                            auth_required, pss ? pss->authenticated : -1, event_kind);
+                                    log_info(debug_auth_msg);
+                                    
                                     if (pss && auth_required && !pss->authenticated) {
                                         if (!pss->auth_challenge_sent) {
+                                            log_info("DEBUG AUTH: Sending NIP-42 authentication challenge");
                                             send_nip42_auth_challenge(wsi, pss);
                                         } else {
                                             char auth_msg[256];
@@ -3170,6 +3302,8 @@ static int nostr_relay_callback(struct lws *wsi, enum lws_callback_reasons reaso
                                         return 0;
                                     }
                                     
+                                    log_info("DEBUG VALIDATION: Starting unified validator");
+                                    
                                     // Call unified validator with JSON string
                                     size_t event_json_len = strlen(event_json_str);
                                     int validation_result = nostr_validate_unified_request(event_json_str, event_json_len);
@@ -3177,6 +3311,11 @@ static int nostr_relay_callback(struct lws *wsi, enum lws_callback_reasons reaso
                                     // Map validation result to old result format (0 = success, -1 = failure)
                                     int result = (validation_result == NOSTR_SUCCESS) ? 0 : -1;
                                     
+                                    char debug_validation_msg[256];
+                                    snprintf(debug_validation_msg, sizeof(debug_validation_msg),
+                                            "DEBUG VALIDATION: validation_result=%d, result=%d", validation_result, result);
+                                    log_info(debug_validation_msg);
+                                    
                                     // Generate error message based on validation result
                                     char error_message[512] = {0};
                                     if (result != 0) {
@@ -3206,55 +3345,129 @@ static int nostr_relay_callback(struct lws *wsi, enum lws_callback_reasons reaso
                                                 strncpy(error_message, "error: validation failed", sizeof(error_message) - 1);
                                                 break;
                                         }
+                                        char debug_error_msg[256];
+                                        snprintf(debug_error_msg, sizeof(debug_error_msg),
+                                                "DEBUG VALIDATION ERROR: %s", error_message);
+                                        log_warning(debug_error_msg);
                                     } else {
-                                        log_info("Event validated successfully using unified validator");
+                                        log_info("DEBUG VALIDATION: Event validated successfully using unified validator");
                                     }
                                     
                                     // Cleanup event JSON string
                                     free(event_json_str);
                                     
-                                    // Check for admin events (kinds 33334 and 33335) and intercept them
+                                    // Check for admin events (kinds 33334, 33335, 23455, and 23456) and intercept them
                                     if (result == 0) {
                                         cJSON* kind_obj = cJSON_GetObjectItem(event, "kind");
                                         if (kind_obj && cJSON_IsNumber(kind_obj)) {
                                             int event_kind = (int)cJSON_GetNumberValue(kind_obj);
                                             
-                                            if (event_kind == 33334 || event_kind == 33335) {
-                                                // This is an admin event - process it through the admin API instead of normal storage
-                                                log_info("Admin event detected, processing through admin API");
+                                            log_info("DEBUG ADMIN: Checking if admin event processing is needed");
+                                            
+                                            // Log reception of Kind 23455 and 23456 events
+                                            if (event_kind == 23455 || event_kind == 23456) {
+                                                char* event_json_debug = cJSON_Print(event);
+                                                char debug_received_msg[1024];
+                                                snprintf(debug_received_msg, sizeof(debug_received_msg),
+                                                        "RECEIVED Kind %d event: %s", event_kind,
+                                                        event_json_debug ? event_json_debug : "Failed to serialize");
+                                                log_info(debug_received_msg);
                                                 
-                                                char admin_error[512] = {0};
-                                                if (process_admin_event_in_config(event, admin_error, sizeof(admin_error)) != 0) {
-                                                    log_error("Failed to process admin event through admin API");
+                                                if (event_json_debug) {
+                                                    free(event_json_debug);
+                                                }
+                                            }
+                                            
+                                            if (event_kind == 33334 || event_kind == 33335 || event_kind == 23455 || event_kind == 23456) {
+                                                // Enhanced admin event security - check authorization first
+                                                log_info("DEBUG ADMIN: Admin event detected, checking authorization");
+                                                
+                                                char auth_error[512] = {0};
+                                                int auth_result = is_authorized_admin_event(event, auth_error, sizeof(auth_error));
+                                                
+                                                if (auth_result != 0) {
+                                                    // Authorization failed - log and reject
+                                                    log_warning("DEBUG ADMIN: Admin event authorization failed");
                                                     result = -1;
-                                                    size_t error_len = strlen(admin_error);
+                                                    size_t error_len = strlen(auth_error);
                                                     size_t copy_len = (error_len < sizeof(error_message) - 1) ? error_len : sizeof(error_message) - 1;
-                                                    memcpy(error_message, admin_error, copy_len);
+                                                    memcpy(error_message, auth_error, copy_len);
                                                     error_message[copy_len] = '\0';
+                                                    
+                                                    char debug_auth_error_msg[600];
+                                                    snprintf(debug_auth_error_msg, sizeof(debug_auth_error_msg),
+                                                            "DEBUG ADMIN AUTH ERROR: %.400s", auth_error);
+                                                    log_warning(debug_auth_error_msg);
                                                 } else {
-                                                    log_success("Admin event processed successfully through admin API");
-                                                    // Admin events are processed by the admin API, not broadcast to subscriptions
+                                                    // Authorization successful - process through admin API
+                                                    log_info("DEBUG ADMIN: Admin event authorized, processing through admin API");
+                                                    
+                                                    char admin_error[512] = {0};
+                                                    int admin_result = process_admin_event_in_config(event, admin_error, sizeof(admin_error), wsi);
+                                                    
+                                                    char debug_admin_msg[256];
+                                                    snprintf(debug_admin_msg, sizeof(debug_admin_msg),
+                                                            "DEBUG ADMIN: process_admin_event_in_config returned %d", admin_result);
+                                                    log_info(debug_admin_msg);
+                                                    
+                                                    // Log results for Kind 23455 and 23456 events
+                                                    if (event_kind == 23455 || event_kind == 23456) {
+                                                        if (admin_result == 0) {
+                                                            char success_result_msg[256];
+                                                            snprintf(success_result_msg, sizeof(success_result_msg),
+                                                                    "SUCCESS: Kind %d event processed successfully", event_kind);
+                                                            log_success(success_result_msg);
+                                                        } else {
+                                                            char error_result_msg[512];
+                                                            snprintf(error_result_msg, sizeof(error_result_msg),
+                                                                    "ERROR: Kind %d event processing failed: %s", event_kind, admin_error);
+                                                            log_error(error_result_msg);
+                                                        }
+                                                    }
+                                                    
+                                                    if (admin_result != 0) {
+                                                        log_error("DEBUG ADMIN: Failed to process admin event through admin API");
+                                                        result = -1;
+                                                        size_t error_len = strlen(admin_error);
+                                                        size_t copy_len = (error_len < sizeof(error_message) - 1) ? error_len : sizeof(error_message) - 1;
+                                                        memcpy(error_message, admin_error, copy_len);
+                                                        error_message[copy_len] = '\0';
+                                                        
+                                                        char debug_admin_error_msg[600];
+                                                        snprintf(debug_admin_error_msg, sizeof(debug_admin_error_msg),
+                                                                "DEBUG ADMIN ERROR: %.400s", admin_error);
+                                                        log_error(debug_admin_error_msg);
+                                                    } else {
+                                                        log_success("DEBUG ADMIN: Admin event processed successfully through admin API");
+                                                        // Admin events are processed by the admin API, not broadcast to subscriptions
+                                                    }
                                                 }
                                             } else {
                                                 // Regular event - store in database and broadcast
+                                                log_info("DEBUG STORAGE: Regular event - storing in database");
                                                 if (store_event(event) != 0) {
-                                                    log_error("Failed to store event in database");
+                                                    log_error("DEBUG STORAGE: Failed to store event in database");
                                                     result = -1;
                                                     strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
                                                 } else {
-                                                    log_info("Event stored successfully in database");
+                                                    log_info("DEBUG STORAGE: Event stored successfully in database");
                                                     // Broadcast event to matching persistent subscriptions
-                                                    broadcast_event_to_subscriptions(event);
+                                                    int broadcast_count = broadcast_event_to_subscriptions(event);
+                                                    char debug_broadcast_msg[128];
+                                                    snprintf(debug_broadcast_msg, sizeof(debug_broadcast_msg),
+                                                            "DEBUG BROADCAST: Event broadcast to %d subscriptions", broadcast_count);
+                                                    log_info(debug_broadcast_msg);
                                                 }
                                             }
                                         } else {
                                             // Event without valid kind - try normal storage
+                                            log_warning("DEBUG STORAGE: Event without valid kind - trying normal storage");
                                             if (store_event(event) != 0) {
-                                                log_error("Failed to store event in database");
+                                                log_error("DEBUG STORAGE: Failed to store event without kind in database");
                                                 result = -1;
                                                 strncpy(error_message, "error: failed to store event", sizeof(error_message) - 1);
                                             } else {
-                                                log_info("Event stored successfully in database");
+                                                log_info("DEBUG STORAGE: Event without kind stored successfully in database");
                                                 broadcast_event_to_subscriptions(event);
                                             }
                                         }
@@ -3272,11 +3485,22 @@ static int nostr_relay_callback(struct lws *wsi, enum lws_callback_reasons reaso
                                         // TODO: REPLACE - Remove wasteful cJSON_Print conversion
                                         char *response_str = cJSON_Print(response);
                                         if (response_str) {
+                                            char debug_response_msg[512];
+                                            snprintf(debug_response_msg, sizeof(debug_response_msg),
+                                                    "DEBUG RESPONSE: Sending OK response: %s", response_str);
+                                            log_info(debug_response_msg);
+                                            
                                             size_t response_len = strlen(response_str);
                                             unsigned char *buf = malloc(LWS_PRE + response_len);
                                             if (buf) {
                                                 memcpy(buf + LWS_PRE, response_str, response_len);
-                                                lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+                                                int write_result = lws_write(wsi, buf + LWS_PRE, response_len, LWS_WRITE_TEXT);
+                                                
+                                                char debug_write_msg[128];
+                                                snprintf(debug_write_msg, sizeof(debug_write_msg),
+                                                        "DEBUG RESPONSE: lws_write returned %d", write_result);
+                                                log_info(debug_write_msg);
+                                                
                                                 free(buf);
                                             }
                                             free(response_str);

src/request_validator.c

@@ -629,28 +629,26 @@ static int check_database_auth_rules(const char *pubkey, const char *operation,
 
   // Step 1: Check pubkey blacklist (highest priority)
   const char *blacklist_sql =
-      "SELECT rule_type, description FROM auth_rules WHERE rule_type = "
-      "'pubkey_blacklist' AND rule_target = ? AND operation = ? AND enabled = "
-      "1 ORDER BY priority LIMIT 1";
+      "SELECT rule_type, action FROM auth_rules WHERE rule_type = "
+      "'blacklist' AND pattern_type = 'pubkey' AND pattern_value = ? LIMIT 1";
   rc = sqlite3_prepare_v2(db, blacklist_sql, -1, &stmt, NULL);
   if (rc == SQLITE_OK) {
     sqlite3_bind_text(stmt, 1, pubkey, -1, SQLITE_STATIC);
-    sqlite3_bind_text(stmt, 2, operation ? operation : "", -1, SQLITE_STATIC);
 
     if (sqlite3_step(stmt) == SQLITE_ROW) {
-      const char *description = (const char *)sqlite3_column_text(stmt, 1);
+      const char *action = (const char *)sqlite3_column_text(stmt, 1);
       validator_debug_log("VALIDATOR_DEBUG: RULES ENGINE - STEP 1 FAILED - "
                           "Pubkey blacklisted\n");
       char blacklist_msg[256];
       sprintf(blacklist_msg,
-              "VALIDATOR_DEBUG: RULES ENGINE - Blacklist rule matched: %s\n",
-              description ? description : "Unknown");
+              "VALIDATOR_DEBUG: RULES ENGINE - Blacklist rule matched: action=%s\n",
+              action ? action : "deny");
       validator_debug_log(blacklist_msg);
 
       // Set specific violation details for status code mapping
       strcpy(g_last_rule_violation.violation_type, "pubkey_blacklist");
-      sprintf(g_last_rule_violation.reason, "%s: Public key blacklisted",
-              description ? description : "TEST_PUBKEY_BLACKLIST");
+      sprintf(g_last_rule_violation.reason, "Public key blacklisted: %s",
+              action ? action : "PUBKEY_BLACKLIST");
 
       sqlite3_finalize(stmt);
       sqlite3_close(db);
@@ -664,29 +662,27 @@ static int check_database_auth_rules(const char *pubkey, const char *operation,
   // Step 2: Check hash blacklist
   if (resource_hash) {
     const char *hash_blacklist_sql =
-        "SELECT rule_type, description FROM auth_rules WHERE rule_type = "
-        "'hash_blacklist' AND rule_target = ? AND operation = ? AND enabled = "
-        "1 ORDER BY priority LIMIT 1";
+        "SELECT rule_type, action FROM auth_rules WHERE rule_type = "
+        "'blacklist' AND pattern_type = 'hash' AND pattern_value = ? LIMIT 1";
     rc = sqlite3_prepare_v2(db, hash_blacklist_sql, -1, &stmt, NULL);
     if (rc == SQLITE_OK) {
       sqlite3_bind_text(stmt, 1, resource_hash, -1, SQLITE_STATIC);
-      sqlite3_bind_text(stmt, 2, operation ? operation : "", -1, SQLITE_STATIC);
 
       if (sqlite3_step(stmt) == SQLITE_ROW) {
-        const char *description = (const char *)sqlite3_column_text(stmt, 1);
+        const char *action = (const char *)sqlite3_column_text(stmt, 1);
         validator_debug_log("VALIDATOR_DEBUG: RULES ENGINE - STEP 2 FAILED - "
                             "Hash blacklisted\n");
         char hash_blacklist_msg[256];
         sprintf(
             hash_blacklist_msg,
-            "VALIDATOR_DEBUG: RULES ENGINE - Hash blacklist rule matched: %s\n",
-            description ? description : "Unknown");
+            "VALIDATOR_DEBUG: RULES ENGINE - Hash blacklist rule matched: action=%s\n",
+            action ? action : "deny");
         validator_debug_log(hash_blacklist_msg);
 
         // Set specific violation details for status code mapping
         strcpy(g_last_rule_violation.violation_type, "hash_blacklist");
-        sprintf(g_last_rule_violation.reason, "%s: File hash blacklisted",
-                description ? description : "TEST_HASH_BLACKLIST");
+        sprintf(g_last_rule_violation.reason, "File hash blacklisted: %s",
+                action ? action : "HASH_BLACKLIST");
 
         sqlite3_finalize(stmt);
         sqlite3_close(db);
@@ -703,22 +699,20 @@ static int check_database_auth_rules(const char *pubkey, const char *operation,
 
   // Step 3: Check pubkey whitelist
   const char *whitelist_sql =
-      "SELECT rule_type, description FROM auth_rules WHERE rule_type = "
-      "'pubkey_whitelist' AND rule_target = ? AND operation = ? AND enabled = "
-      "1 ORDER BY priority LIMIT 1";
+      "SELECT rule_type, action FROM auth_rules WHERE rule_type = "
+      "'whitelist' AND pattern_type = 'pubkey' AND pattern_value = ? LIMIT 1";
   rc = sqlite3_prepare_v2(db, whitelist_sql, -1, &stmt, NULL);
   if (rc == SQLITE_OK) {
     sqlite3_bind_text(stmt, 1, pubkey, -1, SQLITE_STATIC);
-    sqlite3_bind_text(stmt, 2, operation ? operation : "", -1, SQLITE_STATIC);
 
     if (sqlite3_step(stmt) == SQLITE_ROW) {
-      const char *description = (const char *)sqlite3_column_text(stmt, 1);
+      const char *action = (const char *)sqlite3_column_text(stmt, 1);
       validator_debug_log("VALIDATOR_DEBUG: RULES ENGINE - STEP 3 PASSED - "
                           "Pubkey whitelisted\n");
       char whitelist_msg[256];
       sprintf(whitelist_msg,
-              "VALIDATOR_DEBUG: RULES ENGINE - Whitelist rule matched: %s\n",
-              description ? description : "Unknown");
+              "VALIDATOR_DEBUG: RULES ENGINE - Whitelist rule matched: action=%s\n",
+              action ? action : "allow");
       validator_debug_log(whitelist_msg);
       sqlite3_finalize(stmt);
       sqlite3_close(db);
@@ -731,12 +725,10 @@ static int check_database_auth_rules(const char *pubkey, const char *operation,
 
   // Step 4: Check if any whitelist rules exist - if yes, deny by default
   const char *whitelist_exists_sql =
-      "SELECT COUNT(*) FROM auth_rules WHERE rule_type = 'pubkey_whitelist' "
-      "AND operation = ? AND enabled = 1 LIMIT 1";
+      "SELECT COUNT(*) FROM auth_rules WHERE rule_type = 'whitelist' "
+      "AND pattern_type = 'pubkey' LIMIT 1";
   rc = sqlite3_prepare_v2(db, whitelist_exists_sql, -1, &stmt, NULL);
   if (rc == SQLITE_OK) {
-    sqlite3_bind_text(stmt, 1, operation ? operation : "", -1, SQLITE_STATIC);
-
     if (sqlite3_step(stmt) == SQLITE_ROW) {
       int whitelist_count = sqlite3_column_int(stmt, 0);
       if (whitelist_count > 0) {

tests/nip42_test.log

@@ -1,93 +0,0 @@
-=== NIP-42 Authentication Test Started ===
-2025-09-13 08:48:02 - Starting NIP-42 authentication tests
-[INFO] === Starting NIP-42 Authentication Tests ===
-[INFO] Checking dependencies...
-[SUCCESS] Dependencies check complete
-[INFO] Test 1: Checking NIP-42 support in relay info
-[SUCCESS] NIP-42 is advertised in supported NIPs
-2025-09-13 08:48:02 - Supported NIPs: 1,9,11,13,15,20,40,42
-[INFO] Test 2: Testing AUTH challenge generation
-[INFO] Found admin private key, configuring NIP-42 authentication...
-[WARNING] Failed to create configuration event - proceeding with manual test
-[INFO] Test 3: Testing complete NIP-42 authentication flow
-[INFO] Generated test keypair: test_pubkey
-[INFO] Attempting to publish event without authentication...
-[INFO] Publishing test event to relay...
-2025-09-13 08:48:03 - Event publish result: connecting to ws://localhost:8888... ok.
-{"kind":1,"id":"c42a8cbdd1cc6ea3e7fd060919c57386aef0c35da272ba2fa34b45f80934cfca","pubkey":"d0111448b3bd0da6aa699b92163f684291bb43bc213aa54a2ee726c2acde76e8","created_at":1757767683,"tags":[],"content":"NIP-42 test event - should require auth","sig":"d2a2c7efc00e06d8d8582fa05b2ec8cb96979525770dff9ef36a91df6d53807c86115581de2d6058d7d64eebe3b7d7404cc03dbb2ad1e91d140283703c2dec53"}
-publishing to ws://localhost:8888... success.
-[SUCCESS] Relay requested authentication as expected
-[INFO] Test 4: Testing WebSocket AUTH message handling
-[INFO] Testing WebSocket connection and AUTH message...
-[INFO] Sending test message via WebSocket...
-2025-09-13 08:48:03 - WebSocket response: 
-[INFO] No AUTH challenge in WebSocket response
-[INFO] Test 5: Testing NIP-42 configuration options
-[INFO] Retrieving current relay configuration...
-[SUCCESS] Retrieved configuration events from relay
-[SUCCESS] Found NIP-42 configuration:
-2025-09-13 08:48:04 -   nip42_auth_required_events=false
-2025-09-13 08:48:04 -   nip42_auth_required_subscriptions=false
-2025-09-13 08:48:04 -   nip42_auth_required_kinds=4,14
-2025-09-13 08:48:04 -   nip42_challenge_expiration=600
-[INFO] Test 6: Testing NIP-42 performance and stability
-[INFO] Testing multiple authentication attempts...
-2025-09-13 08:48:05 - Attempt 1: .271641300s - connecting to ws://localhost:8888... ok.
-{"kind":1,"id":"916049dbd6835443e8fd553bd12a37ef03060a01fedb099b414ea2cc18b597eb","pubkey":"b383f405d81860ec9b0eebf88612093ab18dc6abd322639b19ac79969599c8c4","created_at":1757767685,"tags":[],"content":"Performance test event 1","sig":"b04e0b38bbb49e0aa3c8a69530071bb08d917c4ba12eae38045a487c43e83f6dc1389ac4640453b0492d9c991df37f71e25ef501fd48c4c11c878e6cb3fa7a84"}
-publishing to ws://localhost:8888... success.
-2025-09-13 08:48:05 - Attempt 2: .259343520s - connecting to ws://localhost:8888... ok.
-{"kind":1,"id":"e4495a56ec6f1ba2759eabbf0128aec615c53acf3e4720be7726dcd7163da703","pubkey":"b383f405d81860ec9b0eebf88612093ab18dc6abd322639b19ac79969599c8c4","created_at":1757767685,"tags":[],"content":"Performance test event 2","sig":"d1efe3f576eeded4e292ec22f2fea12296fa17ed2f87a8cd2dde0444b594ef55f7d74b680aeca11295a16397df5ccc53a938533947aece27efb965e6c643b62c"}
-publishing to ws://localhost:8888... success.
-2025-09-13 08:48:06 - Attempt 3: .221167032s - connecting to ws://localhost:8888... ok.
-{"kind":1,"id":"55035b4c95a2c93a169236c7f5f5bd627838ec13522c88cf82d8b55516560cd9","pubkey":"b383f405d81860ec9b0eebf88612093ab18dc6abd322639b19ac79969599c8c4","created_at":1757767686,"tags":[],"content":"Performance test event 3","sig":"4bd581580a5a2416e6a9af44c055333635832dbf21793517f16100f1366c73437659545a8a712dcc4623a801b9deccd372b36b658309e7102a4300c3f481facb"}
-publishing to ws://localhost:8888... success.
-2025-09-13 08:48:06 - Attempt 4: .260219496s - connecting to ws://localhost:8888... ok.
-{"kind":1,"id":"58dee587a1a0f085ff44441b3074f5ff42715088ee24e694107100df3c63ff2b","pubkey":"b383f405d81860ec9b0eebf88612093ab18dc6abd322639b19ac79969599c8c4","created_at":1757767686,"tags":[],"content":"Performance test event 4","sig":"b6174b0c56138466d3bb228ef2ced1d917f7253b76c624235fa3b661c9fa109c78ae557c4ddaf0e6232aa597608916f0dfba1c192f8b90ffb819c36ac1e4e516"}
-publishing to ws://localhost:8888... success.
-2025-09-13 08:48:07 - Attempt 5: .260125188s - connecting to ws://localhost:8888... ok.
-{"kind":1,"id":"b8069c80f98fff3780eaeb605baf1a5818c9ab05185c1776a28469d2b0b32c6a","pubkey":"b383f405d81860ec9b0eebf88612093ab18dc6abd322639b19ac79969599c8c4","created_at":1757767687,"tags":[],"content":"Performance test event 5","sig":"5130d3a0c778728747b12aae77f2516db5b055d8ec43f413a4b117fcadb6025a49b6f602307bbe758bd97557e326e8735631fd03dc45c9296509e94aa305adf2"}
-publishing to ws://localhost:8888... success.
-[SUCCESS] Performance test completed: 5/5 successful responses
-[INFO] Test 7: Testing kind-specific NIP-42 authentication requirements
-[INFO] Generated test keypair for kind-specific tests: test_pubkey
-[INFO] Testing kind 1 event (regular note) - should work without authentication...
-2025-09-13 08:48:08 - Kind 1 event result: connecting to ws://localhost:8888... ok.
-{"kind":1,"id":"f2ac02a5290db3797c0b7b38435920d5db593d333e582454d8ed32da4c141b74","pubkey":"da031504ff61656d1829f723c52f526d7591400fb9e2aecb7b4ef5aeeea66fc7","created_at":1757767688,"tags":[],"content":"Regular note - should not require auth","sig":"8e4272d9cb258fc4b140eb8e8c2e802c3e8b62e34c17c9e545d83c68dfb86ffd2cdd4a8153660b663a46906459aa67719257ac263f21d1f8a6185806e055dcfd"}
-publishing to ws://localhost:8888... success.
-[SUCCESS] Kind 1 event accepted without authentication (correct behavior)
-[INFO] Testing kind 4 event (direct message) - should require authentication...
-2025-09-13 08:48:18 - Kind 4 event result: connecting to ws://localhost:8888... ok.
-{"kind":4,"id":"935af23e2bf7efd324d86a0c82631e5ebe492edf21920ed0f548faa73a18ac1d","pubkey":"da031504ff61656d1829f723c52f526d7591400fb9e2aecb7b4ef5aeeea66fc7","created_at":1757767688,"tags":[["p,test_pubkey"]],"content":"This is a direct message - should require auth","sig":"b2b86ee394b41505ddbd787c22f4223665770d84a21dd03e74bf4e8fa879ff82dd6b1f7d6921d93f8d89787102c3dc3012e6270d66ca5b5d4b87f1a545481e76"}
-publishing to ws://localhost:8888... 
-[SUCCESS] Kind 4 event requested authentication (correct behavior for DMs)
-[INFO] Testing kind 14 event (chat message) - should require authentication...
-2025-09-13 08:48:28 - Kind 14 event result: connecting to ws://localhost:8888... ok.
-{"kind":14,"id":"aeb1ac58dd465c90ce5a70c7b16e3cc32fae86c221bb2e86ca29934333604669","pubkey":"da031504ff61656d1829f723c52f526d7591400fb9e2aecb7b4ef5aeeea66fc7","created_at":1757767698,"tags":[["p,test_pubkey"]],"content":"Chat message - should require auth","sig":"24e23737e6684e4ef01c08d72304e6f235ce75875b94b37460065f9ead986438435585818ba104e7f78f14345406b5d03605c925042e9c06fed8c99369cd8694"}
-publishing to ws://localhost:8888... 
-[SUCCESS] Kind 14 event requested authentication (correct behavior for DMs)
-[INFO] Testing other event kinds - should work without authentication...
-2025-09-13 08:48:29 - Kind 0 event result: connecting to ws://localhost:8888... ok.
-{"kind":0,"id":"3b2cc834dd874ebbe07c2da9e41c07b3f0c61a57b4d6b7299c2243dbad29f2ca","pubkey":"da031504ff61656d1829f723c52f526d7591400fb9e2aecb7b4ef5aeeea66fc7","created_at":1757767709,"tags":[],"content":"Test event kind 0 - should not require auth","sig":"4f2016fde84d72cf5a5aa4c0ec5de677ef06c7971ca2dd756b02a94c47604fae1c67254703a2df3d17b13fee2d9c45661b76086f29ac93820a4c062fc52dea74"}
-publishing to ws://localhost:8888... success.
-[SUCCESS] Kind 0 event accepted without authentication (correct)
-2025-09-13 08:48:29 - Kind 3 event result: connecting to ws://localhost:8888... ok.
-{"kind":3,"id":"6e1ea0b1cbf342feea030fa39226c316e730c5d333fa8333495748afd386ec80","pubkey":"da031504ff61656d1829f723c52f526d7591400fb9e2aecb7b4ef5aeeea66fc7","created_at":1757767709,"tags":[],"content":"Test event kind 3 - should not require auth","sig":"e5f66c5f022497f8888f003a8bfbb5e807a2520d314c80889548efa267f9d6de28d5ee7b0588cc8660f2963ab44e530c8a74d71a227148e5a6843fcef4de2197"}
-publishing to ws://localhost:8888... success.
-[SUCCESS] Kind 3 event accepted without authentication (correct)
-2025-09-13 08:48:30 - Kind 7 event result: connecting to ws://localhost:8888... ok.
-{"kind":7,"id":"a64466b9899cad257313e2dced357fd3f87f40bd7e13e29372689aae7c718919","pubkey":"da031504ff61656d1829f723c52f526d7591400fb9e2aecb7b4ef5aeeea66fc7","created_at":1757767710,"tags":[],"content":"Test event kind 7 - should not require auth","sig":"78d18bcb0c2b11b4e2b74bcdfb140564b4563945e983014a279977356e50b57f3c5a262fa55de26dbd4c8d8b9f5beafbe21af869be64079f54a712284f03d9ac"}
-publishing to ws://localhost:8888... success.
-[SUCCESS] Kind 7 event accepted without authentication (correct)
-[INFO] Kind-specific authentication test completed
-[INFO] === NIP-42 Test Results Summary ===
-[SUCCESS] Dependencies: PASS
-[SUCCESS] NIP-42 Support: PASS
-[SUCCESS] Auth Challenge: PASS
-[SUCCESS] Auth Flow: PASS
-[SUCCESS] WebSocket AUTH: PASS
-[SUCCESS] Configuration: PASS
-[SUCCESS] Performance: PASS
-[SUCCESS] Kind-Specific Auth: PASS
-[SUCCESS] All NIP-42 tests completed successfully!
-[SUCCESS] NIP-42 authentication implementation is working correctly
-[INFO] === NIP-42 Authentication Tests Complete ===