v0.1.9 - program generates it's own private keys.

2025-11-20 07:53:58 -04:00
parent c1b615de32
commit e693fe3caa
36 changed files with 4542 additions and 188 deletions
--- a/src/admin_auth.c
+++ b/src/admin_auth.c
@@ -0,0 +1,509 @@
+/*
+ * Ginxsom Admin Authentication Module
+ * Handles Kind 23456/23457 admin events with NIP-44 encryption
+ * Based on c-relay's dm_admin.c implementation
+ */
+
+#include "ginxsom.h"
+#include "../nostr_core_lib/nostr_core/nostr_common.h"
+#include "../nostr_core_lib/nostr_core/nip001.h"
+#include "../nostr_core_lib/nostr_core/nip044.h"
+#include "../nostr_core_lib/nostr_core/utils.h"
+#include <cjson/cJSON.h>
+#include <sqlite3.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+
+// Forward declarations
+int get_blossom_private_key(char *seckey_out, size_t max_len);
+int validate_admin_pubkey(const char *pubkey);
+
+// Global variables for admin auth
+static char g_blossom_seckey[65] = "";  // Cached blossom server private key
+static int g_keys_loaded = 0;          // Whether keys have been loaded
+
+// Load blossom server keys if not already loaded
+static int ensure_keys_loaded(void) {
+    if (!g_keys_loaded) {
+        if (get_blossom_private_key(g_blossom_seckey, sizeof(g_blossom_seckey)) != 0) {
+            fprintf(stderr, "ERROR: Cannot load blossom private key for admin auth\n");
+            return -1;
+        }
+        g_keys_loaded = 1;
+    }
+    return 0;
+}
+
+// Validate that an event is a Kind 23456 admin command event
+int is_admin_command_event(cJSON *event, const char *relay_pubkey) {
+    if (!event || !relay_pubkey) {
+        return 0;
+    }
+
+    // Check kind = 23456 (admin command)
+    cJSON *kind = cJSON_GetObjectItem(event, "kind");
+    if (!cJSON_IsNumber(kind) || kind->valueint != 23456) {
+        return 0;
+    }
+
+    // Check tags for 'p' tag with relay pubkey
+    cJSON *tags = cJSON_GetObjectItem(event, "tags");
+    if (!cJSON_IsArray(tags)) {
+        return 0;
+    }
+
+    int found_p_tag = 0;
+    cJSON *tag = NULL;
+    cJSON_ArrayForEach(tag, tags) {
+        if (cJSON_IsArray(tag) && cJSON_GetArraySize(tag) >= 2) {
+            cJSON *tag_name = cJSON_GetArrayItem(tag, 0);
+            cJSON *tag_value = cJSON_GetArrayItem(tag, 1);
+
+            if (cJSON_IsString(tag_name) && strcmp(tag_name->valuestring, "p") == 0 &&
+                cJSON_IsString(tag_value) && strcmp(tag_value->valuestring, relay_pubkey) == 0) {
+                found_p_tag = 1;
+                break;
+            }
+        }
+    }
+
+    return found_p_tag;
+}
+
+// Validate admin event signature and pubkey
+int validate_admin_event(cJSON *event) {
+    if (!event) {
+        return 0;
+    }
+
+    // Get event fields
+    cJSON *pubkey = cJSON_GetObjectItem(event, "pubkey");
+    cJSON *sig = cJSON_GetObjectItem(event, "sig");
+
+    if (!cJSON_IsString(pubkey) || !cJSON_IsString(sig)) {
+        fprintf(stderr, "AUTH: Invalid event format - missing pubkey or sig\n");
+        return 0;
+    }
+
+    // Check if pubkey matches configured admin pubkey
+    if (!validate_admin_pubkey(pubkey->valuestring)) {
+        fprintf(stderr, "AUTH: Pubkey %s is not authorized admin\n", pubkey->valuestring);
+        return 0;
+    }
+
+    // TODO: Validate event signature using nostr_core_lib
+    // For now, assume signature is valid if pubkey matches
+    // In production, this should verify the signature cryptographically
+
+    return 1;
+}
+
+// Decrypt NIP-44 encrypted admin command
+int decrypt_admin_command(cJSON *event, char **decrypted_command_out) {
+    if (!event || !decrypted_command_out) {
+        return -1;
+    }
+
+    // Ensure we have the relay private key
+    if (ensure_keys_loaded() != 0) {
+        return -1;
+    }
+
+    // Get admin pubkey from event
+    cJSON *admin_pubkey_json = cJSON_GetObjectItem(event, "pubkey");
+    if (!cJSON_IsString(admin_pubkey_json)) {
+        fprintf(stderr, "AUTH: Missing or invalid pubkey in event\n");
+        return -1;
+    }
+
+    // Get encrypted content
+    cJSON *content = cJSON_GetObjectItem(event, "content");
+    if (!cJSON_IsString(content)) {
+        fprintf(stderr, "AUTH: Missing or invalid content in event\n");
+        return -1;
+    }
+
+    // Convert hex keys to bytes
+    unsigned char blossom_private_key[32];
+    unsigned char admin_public_key[32];
+    
+    if (nostr_hex_to_bytes(g_blossom_seckey, blossom_private_key, 32) != 0) {
+        fprintf(stderr, "AUTH: Failed to parse blossom private key\n");
+        return -1;
+    }
+    
+    if (nostr_hex_to_bytes(admin_pubkey_json->valuestring, admin_public_key, 32) != 0) {
+        fprintf(stderr, "AUTH: Failed to parse admin public key\n");
+        return -1;
+    }
+
+    // Allocate buffer for decrypted content
+    char decrypted_buffer[8192];
+    
+    // Decrypt using NIP-44
+    int result = nostr_nip44_decrypt(
+        blossom_private_key,
+        admin_public_key,
+        content->valuestring,
+        decrypted_buffer,
+        sizeof(decrypted_buffer)
+    );
+    
+    if (result != NOSTR_SUCCESS) {
+        fprintf(stderr, "AUTH: NIP-44 decryption failed with error code %d\n", result);
+        return -1;
+    }
+
+    // Allocate and copy decrypted content
+    *decrypted_command_out = malloc(strlen(decrypted_buffer) + 1);
+    if (!*decrypted_command_out) {
+        fprintf(stderr, "AUTH: Failed to allocate memory for decrypted content\n");
+        return -1;
+    }
+    strcpy(*decrypted_command_out, decrypted_buffer);
+
+    return 0;
+}
+
+// Parse decrypted command array
+int parse_admin_command(const char *decrypted_content, char ***command_array_out, int *command_count_out) {
+    if (!decrypted_content || !command_array_out || !command_count_out) {
+        return -1;
+    }
+
+    // Parse the decrypted content as JSON array
+    cJSON *content_json = cJSON_Parse(decrypted_content);
+    if (!content_json) {
+        fprintf(stderr, "AUTH: Failed to parse decrypted content as JSON\n");
+        return -1;
+    }
+
+    if (!cJSON_IsArray(content_json)) {
+        fprintf(stderr, "AUTH: Decrypted content is not a JSON array\n");
+        cJSON_Delete(content_json);
+        return -1;
+    }
+
+    int array_size = cJSON_GetArraySize(content_json);
+    if (array_size < 1) {
+        fprintf(stderr, "AUTH: Command array is empty\n");
+        cJSON_Delete(content_json);
+        return -1;
+    }
+
+    // Allocate command array
+    char **command_array = malloc(array_size * sizeof(char *));
+    if (!command_array) {
+        fprintf(stderr, "AUTH: Failed to allocate command array\n");
+        cJSON_Delete(content_json);
+        return -1;
+    }
+
+    // Parse each array element as string
+    for (int i = 0; i < array_size; i++) {
+        cJSON *item = cJSON_GetArrayItem(content_json, i);
+        if (!cJSON_IsString(item)) {
+            fprintf(stderr, "AUTH: Command array element %d is not a string\n", i);
+            // Clean up allocated strings
+            for (int j = 0; j < i; j++) {
+                free(command_array[j]);
+            }
+            free(command_array);
+            cJSON_Delete(content_json);
+            return -1;
+        }
+
+        command_array[i] = malloc(strlen(item->valuestring) + 1);
+        if (!command_array[i]) {
+            fprintf(stderr, "AUTH: Failed to allocate command string\n");
+            // Clean up allocated strings
+            for (int j = 0; j < i; j++) {
+                free(command_array[j]);
+            }
+            free(command_array);
+            cJSON_Delete(content_json);
+            return -1;
+        }
+        strcpy(command_array[i], item->valuestring);
+        if (!command_array[i]) {
+            fprintf(stderr, "AUTH: Failed to duplicate command string\n");
+            // Clean up allocated strings
+            for (int j = 0; j < i; j++) {
+                free(command_array[j]);
+            }
+            free(command_array);
+            cJSON_Delete(content_json);
+            return -1;
+        }
+    }
+
+    cJSON_Delete(content_json);
+    *command_array_out = command_array;
+    *command_count_out = array_size;
+
+    return 0;
+}
+
+// Process incoming admin command event (Kind 23456)
+int process_admin_command(cJSON *event, char ***command_array_out, int *command_count_out, char **admin_pubkey_out) {
+    if (!event || !command_array_out || !command_count_out || !admin_pubkey_out) {
+        return -1;
+    }
+
+    // Get blossom server pubkey from config
+    sqlite3 *db;
+    sqlite3_stmt *stmt;
+    char blossom_pubkey[65] = "";
+
+    if (sqlite3_open_v2("db/ginxsom.db", &db, SQLITE_OPEN_READONLY, NULL) != SQLITE_OK) {
+        return -1;
+    }
+
+    const char *sql = "SELECT value FROM config WHERE key = 'blossom_pubkey'";
+    if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
+        if (sqlite3_step(stmt) == SQLITE_ROW) {
+            const char *pubkey = (const char *)sqlite3_column_text(stmt, 0);
+            if (pubkey) {
+                strncpy(blossom_pubkey, pubkey, sizeof(blossom_pubkey) - 1);
+            }
+        }
+        sqlite3_finalize(stmt);
+    }
+    sqlite3_close(db);
+
+    if (strlen(blossom_pubkey) != 64) {
+        fprintf(stderr, "ERROR: Cannot determine blossom pubkey for admin auth\n");
+        return -1;
+    }
+
+    // Check if it's a valid admin command event for us
+    if (!is_admin_command_event(event, blossom_pubkey)) {
+        return -1;
+    }
+
+    // Validate admin authentication (signature and pubkey)
+    if (!validate_admin_event(event)) {
+        return -1;
+    }
+
+    // Get admin pubkey from event
+    cJSON *admin_pubkey_json = cJSON_GetObjectItem(event, "pubkey");
+    if (!cJSON_IsString(admin_pubkey_json)) {
+        return -1;
+    }
+
+    *admin_pubkey_out = malloc(strlen(admin_pubkey_json->valuestring) + 1);
+    if (!*admin_pubkey_out) {
+        fprintf(stderr, "AUTH: Failed to allocate admin pubkey string\n");
+        return -1;
+    }
+    strcpy(*admin_pubkey_out, admin_pubkey_json->valuestring);
+    if (!*admin_pubkey_out) {
+        return -1;
+    }
+
+    // Decrypt the command
+    char *decrypted_content = NULL;
+    if (decrypt_admin_command(event, &decrypted_content) != 0) {
+        free(*admin_pubkey_out);
+        *admin_pubkey_out = NULL;
+        return -1;
+    }
+
+    // Parse the command array
+    if (parse_admin_command(decrypted_content, command_array_out, command_count_out) != 0) {
+        free(decrypted_content);
+        free(*admin_pubkey_out);
+        *admin_pubkey_out = NULL;
+        return -1;
+    }
+
+    free(decrypted_content);
+    return 0;
+}
+
+// Validate admin pubkey against configured admin
+int validate_admin_pubkey(const char *pubkey) {
+    if (!pubkey || strlen(pubkey) != 64) {
+        return 0;
+    }
+
+    sqlite3 *db;
+    sqlite3_stmt *stmt;
+    int result = 0;
+
+    if (sqlite3_open_v2("db/ginxsom.db", &db, SQLITE_OPEN_READONLY, NULL) != SQLITE_OK) {
+        return 0;
+    }
+
+    const char *sql = "SELECT value FROM config WHERE key = 'admin_pubkey'";
+    if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
+        if (sqlite3_step(stmt) == SQLITE_ROW) {
+            const char *admin_pubkey = (const char *)sqlite3_column_text(stmt, 0);
+            if (admin_pubkey && strcmp(admin_pubkey, pubkey) == 0) {
+                result = 1;
+            }
+        }
+        sqlite3_finalize(stmt);
+    }
+    sqlite3_close(db);
+
+    return result;
+}
+
+// Create encrypted response for admin (Kind 23457)
+int create_admin_response(const char *response_json, const char *admin_pubkey, const char *original_event_id __attribute__((unused)), cJSON **response_event_out) {
+    if (!response_json || !admin_pubkey || !response_event_out) {
+        return -1;
+    }
+
+    // Ensure we have the relay private key
+    if (ensure_keys_loaded() != 0) {
+        return -1;
+    }
+
+    // Get blossom server pubkey from config
+    sqlite3 *db;
+    sqlite3_stmt *stmt;
+    char blossom_pubkey[65] = "";
+
+    if (sqlite3_open_v2("db/ginxsom.db", &db, SQLITE_OPEN_READONLY, NULL) != SQLITE_OK) {
+        return -1;
+    }
+
+    const char *sql = "SELECT value FROM config WHERE key = 'blossom_pubkey'";
+    if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK) {
+        if (sqlite3_step(stmt) == SQLITE_ROW) {
+            const char *pubkey = (const char *)sqlite3_column_text(stmt, 0);
+            if (pubkey) {
+                strncpy(blossom_pubkey, pubkey, sizeof(blossom_pubkey) - 1);
+            }
+        }
+        sqlite3_finalize(stmt);
+    }
+    sqlite3_close(db);
+
+    if (strlen(blossom_pubkey) != 64) {
+        fprintf(stderr, "ERROR: Cannot determine blossom pubkey for response\n");
+        return -1;
+    }
+
+    // Convert hex keys to bytes
+    unsigned char blossom_private_key[32];
+    unsigned char admin_public_key[32];
+    
+    if (nostr_hex_to_bytes(g_blossom_seckey, blossom_private_key, 32) != 0) {
+        fprintf(stderr, "AUTH: Failed to parse blossom private key\n");
+        return -1;
+    }
+    
+    if (nostr_hex_to_bytes(admin_pubkey, admin_public_key, 32) != 0) {
+        fprintf(stderr, "AUTH: Failed to parse admin public key\n");
+        return -1;
+    }
+
+    // Encrypt response using NIP-44
+    char encrypted_content[8192];
+    int result = nostr_nip44_encrypt(
+        blossom_private_key,
+        admin_public_key,
+        response_json,
+        encrypted_content,
+        sizeof(encrypted_content)
+    );
+    
+    if (result != NOSTR_SUCCESS) {
+        fprintf(stderr, "AUTH: NIP-44 encryption failed with error code %d\n", result);
+        return -1;
+    }
+
+    // Create Kind 23457 response event
+    cJSON *response_event = cJSON_CreateObject();
+    if (!response_event) {
+        fprintf(stderr, "AUTH: Failed to create response event JSON\n");
+        return -1;
+    }
+
+    // Set event fields
+    cJSON_AddNumberToObject(response_event, "kind", 23457);
+    cJSON_AddStringToObject(response_event, "pubkey", blossom_pubkey);
+    cJSON_AddNumberToObject(response_event, "created_at", (double)time(NULL));
+    cJSON_AddStringToObject(response_event, "content", encrypted_content);
+
+    // Add tags array with 'p' tag for admin
+    cJSON *tags = cJSON_CreateArray();
+    cJSON *p_tag = cJSON_CreateArray();
+    cJSON_AddItemToArray(p_tag, cJSON_CreateString("p"));
+    cJSON_AddItemToArray(p_tag, cJSON_CreateString(admin_pubkey));
+    cJSON_AddItemToArray(tags, p_tag);
+    cJSON_AddItemToObject(response_event, "tags", tags);
+
+    // Sign the event with blossom private key
+    // Convert private key hex to bytes
+    unsigned char blossom_private_key_bytes[32];
+    if (nostr_hex_to_bytes(g_blossom_seckey, blossom_private_key_bytes, 32) != 0) {
+        fprintf(stderr, "AUTH: Failed to parse blossom private key for signing\n");
+        cJSON_Delete(response_event);
+        return -1;
+    }
+
+    // Create a temporary event structure for signing
+    cJSON* temp_event = cJSON_Duplicate(response_event, 1);
+    if (!temp_event) {
+        fprintf(stderr, "AUTH: Failed to create temp event for signing\n");
+        cJSON_Delete(response_event);
+        return -1;
+    }
+
+    // Sign the event using nostr_core_lib
+    cJSON* signed_event = nostr_create_and_sign_event(
+        23457,  // Kind 23457 (admin response)
+        encrypted_content,  // content
+        cJSON_GetObjectItem(response_event, "tags"),  // tags
+        blossom_private_key_bytes,  // private key
+        (time_t)cJSON_GetNumberValue(cJSON_GetObjectItem(response_event, "created_at"))  // timestamp
+    );
+
+    if (!signed_event) {
+        fprintf(stderr, "AUTH: Failed to sign admin response event\n");
+        cJSON_Delete(response_event);
+        cJSON_Delete(temp_event);
+        return -1;
+    }
+
+    // Extract id and signature from signed event
+    cJSON* signed_id = cJSON_GetObjectItem(signed_event, "id");
+    cJSON* signed_sig = cJSON_GetObjectItem(signed_event, "sig");
+
+    if (signed_id && signed_sig) {
+        cJSON_AddStringToObject(response_event, "id", cJSON_GetStringValue(signed_id));
+        cJSON_AddStringToObject(response_event, "sig", cJSON_GetStringValue(signed_sig));
+    } else {
+        fprintf(stderr, "AUTH: Signed event missing id or sig\n");
+        cJSON_Delete(response_event);
+        cJSON_Delete(signed_event);
+        cJSON_Delete(temp_event);
+        return -1;
+    }
+
+    // Clean up temporary structures
+    cJSON_Delete(signed_event);
+    cJSON_Delete(temp_event);
+
+    *response_event_out = response_event;
+    return 0;
+}
+
+// Free command array allocated by parse_admin_command
+void free_command_array(char **command_array, int command_count) {
+    if (command_array) {
+        for (int i = 0; i < command_count; i++) {
+            if (command_array[i]) {
+                free(command_array[i]);
+            }
+        }
+        free(command_array);
+    }
+}
--- a/src/admin_handlers.c
+++ b/src/admin_handlers.c
@@ -0,0 +1,216 @@
+/*
+ * Ginxsom Admin Command Handlers
+ * Implements execution of admin commands received via Kind 23456 events
+ */
+
+#include "ginxsom.h"
+#include <cjson/cJSON.h>
+#include <sqlite3.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/statvfs.h>
+#include <dirent.h>
+
+// Forward declarations
+static cJSON* handle_blob_list(char **args, int arg_count);
+static cJSON* handle_blob_info(char **args, int arg_count);
+static cJSON* handle_blob_delete(char **args, int arg_count);
+static cJSON* handle_storage_stats(char **args, int arg_count);
+static cJSON* handle_config_get(char **args, int arg_count);
+static cJSON* handle_config_set(char **args, int arg_count);
+static cJSON* handle_help(char **args, int arg_count);
+
+// Command dispatch table
+typedef struct {
+    const char *command;
+    cJSON* (*handler)(char **args, int arg_count);
+    const char *description;
+} admin_command_t;
+
+static admin_command_t command_table[] = {
+    {"blob_list", handle_blob_list, "List all blobs"},
+    {"blob_info", handle_blob_info, "Get blob information"},
+    {"blob_delete", handle_blob_delete, "Delete a blob"},
+    {"storage_stats", handle_storage_stats, "Get storage statistics"},
+    {"config_get", handle_config_get, "Get configuration value"},
+    {"config_set", handle_config_set, "Set configuration value"},
+    {"help", handle_help, "Show available commands"},
+    {NULL, NULL, NULL}
+};
+
+// Execute admin command and return JSON response
+int execute_admin_command(char **command_array, int command_count, char **response_json_out) {
+    if (!command_array || command_count < 1 || !response_json_out) {
+        return -1;
+    }
+
+    const char *command = command_array[0];
+    
+    // Find command handler
+    admin_command_t *cmd = NULL;
+    for (int i = 0; command_table[i].command != NULL; i++) {
+        if (strcmp(command_table[i].command, command) == 0) {
+            cmd = &command_table[i];
+            break;
+        }
+    }
+
+    cJSON *response;
+    if (cmd) {
+        // Execute command handler
+        response = cmd->handler(command_array + 1, command_count - 1);
+    } else {
+        // Unknown command
+        response = cJSON_CreateObject();
+        cJSON_AddStringToObject(response, "status", "error");
+        cJSON_AddStringToObject(response, "message", "Unknown command");
+        cJSON_AddStringToObject(response, "command", command);
+    }
+
+    // Convert response to JSON string
+    char *json_str = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+
+    if (!json_str) {
+        return -1;
+    }
+
+    *response_json_out = json_str;
+    return 0;
+}
+
+// Command handlers
+
+static cJSON* handle_blob_list(char **args __attribute__((unused)), int arg_count __attribute__((unused))) {
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "status", "success");
+    cJSON_AddStringToObject(response, "command", "blob_list");
+    
+    // TODO: Implement actual blob listing from database
+    cJSON *blobs = cJSON_CreateArray();
+    cJSON_AddItemToObject(response, "blobs", blobs);
+    cJSON_AddNumberToObject(response, "count", 0);
+    
+    return response;
+}
+
+static cJSON* handle_blob_info(char **args, int arg_count) {
+    cJSON *response = cJSON_CreateObject();
+    
+    if (arg_count < 1) {
+        cJSON_AddStringToObject(response, "status", "error");
+        cJSON_AddStringToObject(response, "message", "Missing blob hash argument");
+        return response;
+    }
+    
+    cJSON_AddStringToObject(response, "status", "success");
+    cJSON_AddStringToObject(response, "command", "blob_info");
+    cJSON_AddStringToObject(response, "hash", args[0]);
+    
+    // TODO: Implement actual blob info retrieval from database
+    cJSON_AddStringToObject(response, "message", "Not yet implemented");
+    
+    return response;
+}
+
+static cJSON* handle_blob_delete(char **args, int arg_count) {
+    cJSON *response = cJSON_CreateObject();
+    
+    if (arg_count < 1) {
+        cJSON_AddStringToObject(response, "status", "error");
+        cJSON_AddStringToObject(response, "message", "Missing blob hash argument");
+        return response;
+    }
+    
+    cJSON_AddStringToObject(response, "status", "success");
+    cJSON_AddStringToObject(response, "command", "blob_delete");
+    cJSON_AddStringToObject(response, "hash", args[0]);
+    
+    // TODO: Implement actual blob deletion
+    cJSON_AddStringToObject(response, "message", "Not yet implemented");
+    
+    return response;
+}
+
+static cJSON* handle_storage_stats(char **args __attribute__((unused)), int arg_count __attribute__((unused))) {
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "status", "success");
+    cJSON_AddStringToObject(response, "command", "storage_stats");
+    
+    // Get filesystem stats
+    struct statvfs stat;
+    if (statvfs(".", &stat) == 0) {
+        unsigned long long total = stat.f_blocks * stat.f_frsize;
+        unsigned long long available = stat.f_bavail * stat.f_frsize;
+        unsigned long long used = total - available;
+        
+        cJSON_AddNumberToObject(response, "total_bytes", (double)total);
+        cJSON_AddNumberToObject(response, "used_bytes", (double)used);
+        cJSON_AddNumberToObject(response, "available_bytes", (double)available);
+    }
+    
+    // TODO: Add blob count and total blob size from database
+    cJSON_AddNumberToObject(response, "blob_count", 0);
+    cJSON_AddNumberToObject(response, "blob_total_bytes", 0);
+    
+    return response;
+}
+
+static cJSON* handle_config_get(char **args, int arg_count) {
+    cJSON *response = cJSON_CreateObject();
+    
+    if (arg_count < 1) {
+        cJSON_AddStringToObject(response, "status", "error");
+        cJSON_AddStringToObject(response, "message", "Missing config key argument");
+        return response;
+    }
+    
+    cJSON_AddStringToObject(response, "status", "success");
+    cJSON_AddStringToObject(response, "command", "config_get");
+    cJSON_AddStringToObject(response, "key", args[0]);
+    
+    // TODO: Implement actual config retrieval from database
+    cJSON_AddStringToObject(response, "value", "");
+    cJSON_AddStringToObject(response, "message", "Not yet implemented");
+    
+    return response;
+}
+
+static cJSON* handle_config_set(char **args, int arg_count) {
+    cJSON *response = cJSON_CreateObject();
+    
+    if (arg_count < 2) {
+        cJSON_AddStringToObject(response, "status", "error");
+        cJSON_AddStringToObject(response, "message", "Missing config key or value argument");
+        return response;
+    }
+    
+    cJSON_AddStringToObject(response, "status", "success");
+    cJSON_AddStringToObject(response, "command", "config_set");
+    cJSON_AddStringToObject(response, "key", args[0]);
+    cJSON_AddStringToObject(response, "value", args[1]);
+    
+    // TODO: Implement actual config update in database
+    cJSON_AddStringToObject(response, "message", "Not yet implemented");
+    
+    return response;
+}
+
+static cJSON* handle_help(char **args __attribute__((unused)), int arg_count __attribute__((unused))) {
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "status", "success");
+    cJSON_AddStringToObject(response, "command", "help");
+    
+    cJSON *commands = cJSON_CreateArray();
+    for (int i = 0; command_table[i].command != NULL; i++) {
+        cJSON *cmd = cJSON_CreateObject();
+        cJSON_AddStringToObject(cmd, "command", command_table[i].command);
+        cJSON_AddStringToObject(cmd, "description", command_table[i].description);
+        cJSON_AddItemToArray(commands, cmd);
+    }
+    
+    cJSON_AddItemToObject(response, "commands", commands);
+    
+    return response;
+}
--- a/src/admin_websocket.c
+++ b/src/admin_websocket.c
@@ -0,0 +1,163 @@
+/*
+ * Ginxsom Admin WebSocket Module
+ * Handles WebSocket connections for Kind 23456/23457 admin commands
+ * Based on c-relay's WebSocket implementation
+ */
+
+#include "ginxsom.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <cjson/cJSON.h>
+#include <sqlite3.h>
+
+// Forward declarations from admin_auth.c
+int process_admin_command(cJSON *event, char ***command_array_out, int *command_count_out, char **admin_pubkey_out);
+void free_command_array(char **command_array, int command_count);
+int create_admin_response(const char *response_json, const char *admin_pubkey, const char *original_event_id, cJSON **response_event_out);
+
+// Forward declarations from admin_handlers.c (to be created)
+int execute_admin_command(char **command_array, int command_count, const char *admin_pubkey, char **response_json_out);
+
+// Handle WebSocket admin command endpoint (/api/admin)
+void handle_admin_websocket_request(void) {
+    // For now, this is a placeholder for WebSocket implementation
+    // In a full implementation, this would:
+    // 1. Upgrade HTTP connection to WebSocket
+    // 2. Handle WebSocket frames
+    // 3. Process Kind 23456 events
+    // 4. Send Kind 23457 responses
+
+    printf("Status: 501 Not Implemented\r\n");
+    printf("Content-Type: application/json\r\n\r\n");
+    printf("{\n");
+    printf("  \"error\": \"websocket_not_implemented\",\n");
+    printf("  \"message\": \"WebSocket admin endpoint not yet implemented\",\n");
+    printf("  \"note\": \"Use HTTP POST to /api/admin for now\"\n");
+    printf("}\n");
+}
+
+// Handle HTTP POST admin command endpoint (/api/admin)
+void handle_admin_command_post_request(void) {
+    // Read the request body (should contain Kind 23456 event JSON)
+    const char *content_length_str = getenv("CONTENT_LENGTH");
+    if (!content_length_str) {
+        printf("Status: 400 Bad Request\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"missing_content_length\",\n");
+        printf("  \"message\": \"Content-Length header required\"\n");
+        printf("}\n");
+        return;
+    }
+
+    long content_length = atol(content_length_str);
+    if (content_length <= 0 || content_length > 1024 * 1024) { // 1MB limit
+        printf("Status: 400 Bad Request\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"invalid_content_length\",\n");
+        printf("  \"message\": \"Content-Length must be between 1 and 1MB\"\n");
+        printf("}\n");
+        return;
+    }
+
+    // Read the request body
+    char *request_body = malloc(content_length + 1);
+    if (!request_body) {
+        printf("Status: 500 Internal Server Error\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"memory_allocation_failed\",\n");
+        printf("  \"message\": \"Failed to allocate memory for request body\"\n");
+        printf("}\n");
+        return;
+    }
+
+    size_t bytes_read = fread(request_body, 1, content_length, stdin);
+    if (bytes_read != (size_t)content_length) {
+        free(request_body);
+        printf("Status: 400 Bad Request\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"incomplete_request_body\",\n");
+        printf("  \"message\": \"Failed to read complete request body\"\n");
+        printf("}\n");
+        return;
+    }
+
+    request_body[content_length] = '\0';
+
+    // Parse the JSON event
+    cJSON *event = cJSON_Parse(request_body);
+    free(request_body);
+
+    if (!event) {
+        printf("Status: 400 Bad Request\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"invalid_json\",\n");
+        printf("  \"message\": \"Request body is not valid JSON\"\n");
+        printf("}\n");
+        return;
+    }
+
+    // Process the admin command
+    char **command_array = NULL;
+    int command_count = 0;
+    char *admin_pubkey = NULL;
+
+    int result = process_admin_command(event, &command_array, &command_count, &admin_pubkey);
+    cJSON_Delete(event);
+
+    if (result != 0) {
+        printf("Status: 400 Bad Request\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"invalid_admin_command\",\n");
+        printf("  \"message\": \"Failed to process admin command\"\n");
+        printf("}\n");
+        return;
+    }
+
+    // Execute the command
+    char *response_json = NULL;
+    int exec_result = execute_admin_command(command_array, command_count, admin_pubkey, &response_json);
+    free_command_array(command_array, command_count);
+    free(admin_pubkey);
+
+    if (exec_result != 0) {
+        printf("Status: 500 Internal Server Error\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"command_execution_failed\",\n");
+        printf("  \"message\": \"Failed to execute admin command\"\n");
+        printf("}\n");
+        return;
+    }
+
+    // Create the response event (Kind 23457)
+    cJSON *response_event = NULL;
+    int create_result = create_admin_response(response_json, admin_pubkey, NULL, &response_event);
+    free(response_json);
+
+    if (create_result != 0) {
+        printf("Status: 500 Internal Server Error\r\n");
+        printf("Content-Type: application/json\r\n\r\n");
+        printf("{\n");
+        printf("  \"error\": \"response_creation_failed\",\n");
+        printf("  \"message\": \"Failed to create admin response\"\n");
+        printf("}\n");
+        return;
+    }
+
+    // Return the response event as JSON
+    char *response_json_str = cJSON_Print(response_event);
+    cJSON_Delete(response_event);
+
+    printf("Status: 200 OK\r\n");
+    printf("Content-Type: application/json\r\n\r\n");
+    printf("%s\n", response_json_str);
+
+    free(response_json_str);
+}
--- a/src/ginxsom.h
+++ b/src/ginxsom.h
@@ -10,8 +10,8 @@
 // Version information (auto-updated by build system)
 #define VERSION_MAJOR 0
 #define VERSION_MINOR 1
-#define VERSION_PATCH 8
-#define VERSION "v0.1.8"
+#define VERSION_PATCH 9
+#define VERSION "v0.1.9"

 #include <stddef.h>
 #include <stdint.h>
--- a/src/main.c
+++ b/src/main.c
@@ -9,7 +9,6 @@
 #include "../nostr_core_lib/nostr_core/utils.h"
 #include <getopt.h>
 #include <curl/curl.h>
-#include <fcgi_stdio.h>
 #include <sqlite3.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -30,6 +29,11 @@
 char g_db_path[MAX_PATH_LEN] = "db/ginxsom.db";
 char g_storage_dir[MAX_PATH_LEN] = ".";

+// Key management variables
+char g_admin_pubkey[65] = "";  // Admin public key for authorization
+char g_blossom_seckey[65] = "";  // Blossom server private key for decryption/signing
+int g_generate_keys = 0;       // Flag to generate keys on startup
+
 // Use global configuration variables
 #define DB_PATH g_db_path

@@ -60,6 +64,174 @@ const char *get_config_dir(char *buffer, size_t buffer_size) {
 }


+// Database initialization function
+int initialize_database(const char *db_path) {
+  sqlite3 *db;
+  char *err_msg = NULL;
+  int rc;
+
+  // Check if database file exists
+  struct stat st;
+  int db_exists = (stat(db_path, &st) == 0);
+
+  // Open database with CREATE flag
+  rc = sqlite3_open_v2(db_path, &db, 
+                       SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
+  if (rc != SQLITE_OK) {
+    fprintf(stderr, "Cannot open database: %s\n", sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  // If database was just created, initialize schema
+  if (!db_exists) {
+    fprintf(stderr, "Database not found, initializing schema...\n");
+
+    // Enable foreign key constraints
+    rc = sqlite3_exec(db, "PRAGMA foreign_keys = ON;", NULL, NULL, &err_msg);
+    if (rc != SQLITE_OK) {
+      fprintf(stderr, "Failed to enable foreign keys: %s\n", err_msg);
+      sqlite3_free(err_msg);
+      sqlite3_close(db);
+      return -1;
+    }
+
+    // Create blobs table
+    const char *create_blobs = 
+      "CREATE TABLE IF NOT EXISTS blobs ("
+      "  sha256 TEXT PRIMARY KEY NOT NULL,"
+      "  size INTEGER NOT NULL,"
+      "  type TEXT NOT NULL,"
+      "  uploaded_at INTEGER NOT NULL,"
+      "  uploader_pubkey TEXT,"
+      "  filename TEXT,"
+      "  CHECK (length(sha256) = 64),"
+      "  CHECK (size >= 0),"
+      "  CHECK (uploaded_at > 0)"
+      ");";
+    
+    rc = sqlite3_exec(db, create_blobs, NULL, NULL, &err_msg);
+    if (rc != SQLITE_OK) {
+      fprintf(stderr, "Failed to create blobs table: %s\n", err_msg);
+      sqlite3_free(err_msg);
+      sqlite3_close(db);
+      return -1;
+    }
+
+    // Create config table
+    const char *create_config =
+      "CREATE TABLE IF NOT EXISTS config ("
+      "  key TEXT PRIMARY KEY NOT NULL,"
+      "  value TEXT NOT NULL,"
+      "  description TEXT,"
+      "  created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),"
+      "  updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))"
+      ");";
+    
+    rc = sqlite3_exec(db, create_config, NULL, NULL, &err_msg);
+    if (rc != SQLITE_OK) {
+      fprintf(stderr, "Failed to create config table: %s\n", err_msg);
+      sqlite3_free(err_msg);
+      sqlite3_close(db);
+      return -1;
+    }
+
+    // Create auth_rules table
+    const char *create_auth_rules =
+      "CREATE TABLE IF NOT EXISTS auth_rules ("
+      "  id INTEGER PRIMARY KEY AUTOINCREMENT,"
+      "  rule_type TEXT NOT NULL,"
+      "  rule_target TEXT NOT NULL,"
+      "  operation TEXT NOT NULL DEFAULT '*',"
+      "  enabled INTEGER NOT NULL DEFAULT 1,"
+      "  priority INTEGER NOT NULL DEFAULT 100,"
+      "  description TEXT,"
+      "  created_by TEXT,"
+      "  created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),"
+      "  updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),"
+      "  CHECK (rule_type IN ('pubkey_blacklist', 'pubkey_whitelist',"
+      "                       'hash_blacklist', 'mime_blacklist', 'mime_whitelist')),"
+      "  CHECK (operation IN ('upload', 'delete', 'list', '*')),"
+      "  CHECK (enabled IN (0, 1)),"
+      "  CHECK (priority >= 0),"
+      "  UNIQUE(rule_type, rule_target, operation)"
+      ");";
+    
+    rc = sqlite3_exec(db, create_auth_rules, NULL, NULL, &err_msg);
+    if (rc != SQLITE_OK) {
+      fprintf(stderr, "Failed to create auth_rules table: %s\n", err_msg);
+      sqlite3_free(err_msg);
+      sqlite3_close(db);
+      return -1;
+    }
+
+    // Create indexes
+    const char *create_indexes =
+      "CREATE INDEX IF NOT EXISTS idx_blobs_uploaded_at ON blobs(uploaded_at);"
+      "CREATE INDEX IF NOT EXISTS idx_blobs_uploader_pubkey ON blobs(uploader_pubkey);"
+      "CREATE INDEX IF NOT EXISTS idx_blobs_type ON blobs(type);"
+      "CREATE INDEX IF NOT EXISTS idx_config_updated_at ON config(updated_at);"
+      "CREATE INDEX IF NOT EXISTS idx_auth_rules_type_target ON auth_rules(rule_type, rule_target);"
+      "CREATE INDEX IF NOT EXISTS idx_auth_rules_operation ON auth_rules(operation);"
+      "CREATE INDEX IF NOT EXISTS idx_auth_rules_enabled ON auth_rules(enabled);"
+      "CREATE INDEX IF NOT EXISTS idx_auth_rules_priority ON auth_rules(priority);"
+      "CREATE INDEX IF NOT EXISTS idx_auth_rules_type_operation ON auth_rules(rule_type, operation, enabled);";
+    
+    rc = sqlite3_exec(db, create_indexes, NULL, NULL, &err_msg);
+    if (rc != SQLITE_OK) {
+      fprintf(stderr, "Failed to create indexes: %s\n", err_msg);
+      sqlite3_free(err_msg);
+      sqlite3_close(db);
+      return -1;
+    }
+
+    // Insert default configuration
+    const char *insert_config =
+      "INSERT OR IGNORE INTO config (key, value, description) VALUES"
+      "  ('max_file_size', '104857600', 'Maximum file size in bytes (100MB)'),"
+      "  ('auth_rules_enabled', 'true', 'Whether authentication rules are enabled for uploads'),"
+      "  ('server_name', 'ginxsom', 'Server name for responses'),"
+      "  ('admin_pubkey', '', 'Admin public key for API access'),"
+      "  ('admin_enabled', 'false', 'Whether admin API is enabled'),"
+      "  ('nip42_require_auth', 'false', 'Enable NIP-42 challenge/response authentication'),"
+      "  ('nip42_challenge_timeout', '600', 'NIP-42 challenge timeout in seconds'),"
+      "  ('nip42_time_tolerance', '300', 'NIP-42 timestamp tolerance in seconds');";
+    
+    rc = sqlite3_exec(db, insert_config, NULL, NULL, &err_msg);
+    if (rc != SQLITE_OK) {
+      fprintf(stderr, "Failed to insert default config: %s\n", err_msg);
+      sqlite3_free(err_msg);
+      sqlite3_close(db);
+      return -1;
+    }
+
+    // Create storage_stats view
+    const char *create_view =
+      "CREATE VIEW IF NOT EXISTS storage_stats AS "
+      "SELECT "
+      "  COUNT(*) as total_blobs, "
+      "  SUM(size) as total_bytes, "
+      "  AVG(size) as avg_blob_size, "
+      "  MIN(uploaded_at) as first_upload, "
+      "  MAX(uploaded_at) as last_upload, "
+      "  COUNT(DISTINCT uploader_pubkey) as unique_uploaders "
+      "FROM blobs;";
+    
+    rc = sqlite3_exec(db, create_view, NULL, NULL, &err_msg);
+    if (rc != SQLITE_OK) {
+      fprintf(stderr, "Failed to create storage_stats view: %s\n", err_msg);
+      sqlite3_free(err_msg);
+      sqlite3_close(db);
+      return -1;
+    }
+
+    fprintf(stderr, "Database schema initialized successfully\n");
+  }
+
+  sqlite3_close(db);
+  return 0;
+}
+
 // Function declarations
 void handle_options_request(void);
 void send_error_response(int status_code, const char *error_type,
@@ -67,6 +239,13 @@ void send_error_response(int status_code, const char *error_type,
 void log_request(const char *method, const char *uri, const char *auth_status,
                 int status_code);

+// Key management functions
+int generate_random_private_key_bytes(unsigned char *key_bytes, size_t len);
+int generate_server_keypair(void);
+int load_server_keys(void);
+int store_blossom_private_key(const char *seckey);
+int get_blossom_private_key(char *seckey_out, size_t max_len);
+
 // External validator function declarations
 const char *nostr_request_validator_get_last_violation_type(void);
 int nostr_generate_nip42_challenge(char *challenge_out, size_t challenge_size, const char *client_ip);
@@ -77,6 +256,262 @@ void handle_auth_challenge_request(void);
 // Handler function declarations with validation support
 void handle_delete_request_with_validation(const char *sha256, nostr_request_result_t *validation_result);

+// Key management function implementations
+
+// Generate random private key bytes using /dev/urandom
+int generate_random_private_key_bytes(unsigned char *key_bytes, size_t len) {
+  FILE *fp = fopen("/dev/urandom", "rb");
+  if (!fp) {
+    fprintf(stderr, "ERROR: Cannot open /dev/urandom for key generation\n");
+    return -1;
+  }
+
+  size_t bytes_read = fread(key_bytes, 1, len, fp);
+  fclose(fp);
+
+  if (bytes_read != len) {
+    fprintf(stderr, "ERROR: Failed to read %zu bytes from /dev/urandom\n", len);
+    return -1;
+  }
+
+  return 0;
+}
+
+// Generate server keypair and store in database
+int generate_server_keypair(void) {
+  fprintf(stderr, "DEBUG: generate_server_keypair() called\n");
+  unsigned char seckey_bytes[32];
+  char seckey_hex[65];
+  char pubkey_hex[65];
+
+  // Generate random private key
+  fprintf(stderr, "DEBUG: Generating random private key...\n");
+  if (generate_random_private_key_bytes(seckey_bytes, 32) != 0) {
+    fprintf(stderr, "DEBUG: Failed to generate random bytes\n");
+    return -1;
+  }
+
+  // Validate the private key
+  if (nostr_ec_private_key_verify(seckey_bytes) != NOSTR_SUCCESS) {
+    fprintf(stderr, "ERROR: Generated invalid private key\n");
+    return -1;
+  }
+
+  // Convert to hex
+  nostr_bytes_to_hex(seckey_bytes, 32, seckey_hex);
+
+  // Derive public key
+  unsigned char pubkey_bytes[32];
+  if (nostr_ec_public_key_from_private_key(seckey_bytes, pubkey_bytes) != NOSTR_SUCCESS) {
+    fprintf(stderr, "ERROR: Failed to derive public key\n");
+    return -1;
+  }
+
+  // Convert public key to hex
+  nostr_bytes_to_hex(pubkey_bytes, 32, pubkey_hex);
+
+  // Store private key securely
+  if (store_blossom_private_key(seckey_hex) != 0) {
+    fprintf(stderr, "ERROR: Failed to store blossom private key\n");
+    return -1;
+  }
+
+  // Store public key in config
+  sqlite3 *db;
+  sqlite3_stmt *stmt;
+  int rc;
+
+  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
+  if (rc) {
+    fprintf(stderr, "ERROR: Can't open database for config: %s\n", sqlite3_errmsg(db));
+    return -1;
+  }
+
+  const char *sql = "INSERT OR REPLACE INTO config (key, value, description) VALUES (?, ?, ?)";
+  rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+  if (rc != SQLITE_OK) {
+    fprintf(stderr, "ERROR: SQL prepare failed: %s\n", sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  sqlite3_bind_text(stmt, 1, "blossom_pubkey", -1, SQLITE_STATIC);
+  sqlite3_bind_text(stmt, 2, pubkey_hex, -1, SQLITE_STATIC);
+  sqlite3_bind_text(stmt, 3, "Blossom server's public key for Nostr communication", -1, SQLITE_STATIC);
+
+  rc = sqlite3_step(stmt);
+  sqlite3_finalize(stmt);
+  sqlite3_close(db);
+
+  if (rc != SQLITE_DONE) {
+    fprintf(stderr, "ERROR: Failed to store blossom public key in config\n");
+    return -1;
+  }
+
+  // Display keys for admin setup
+  fprintf(stderr, "========================================\n");
+  fprintf(stderr, "SERVER KEYPAIR GENERATED SUCCESSFULLY\n");
+  fprintf(stderr, "========================================\n");
+  fprintf(stderr, "Blossom Public Key:  %s\n", pubkey_hex);
+  fprintf(stderr, "Blossom Private Key: %s\n", seckey_hex);
+  fprintf(stderr, "========================================\n");
+  fprintf(stderr, "IMPORTANT: Save the private key securely!\n");
+  fprintf(stderr, "This key is used for decrypting admin messages.\n");
+  fprintf(stderr, "========================================\n");
+
+  return 0;
+}
+
+// Load server keys from database
+int load_server_keys(void) {
+  fprintf(stderr, "DEBUG: load_server_keys() called\n");
+  sqlite3 *db;
+  sqlite3_stmt *stmt;
+  int rc;
+
+  // Try to load blossom private key
+  fprintf(stderr, "DEBUG: Trying to load blossom private key...\n");
+  if (get_blossom_private_key(g_blossom_seckey, sizeof(g_blossom_seckey)) != 0) {
+    fprintf(stderr, "DEBUG: No blossom private key found\n");
+    // No private key found - check if we should generate one
+    if (g_generate_keys) {
+      fprintf(stderr, "STARTUP: No blossom private key found, generating new keypair...\n");
+      if (generate_server_keypair() != 0) {
+        fprintf(stderr, "ERROR: Failed to generate server keypair\n");
+        return -1;
+      }
+    } else {
+      fprintf(stderr, "WARNING: No blossom private key found. Use --generate-keys to create one.\n");
+      // This is not fatal - server can still operate without admin features
+    }
+  } else {
+    fprintf(stderr, "STARTUP: Blossom private key loaded successfully\n");
+  }
+
+  // Load admin pubkey from command line or config
+  if (strlen(g_admin_pubkey) == 0) {
+    // Try to load from database config
+    rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
+    if (rc == SQLITE_OK) {
+      const char *sql = "SELECT value FROM config WHERE key = 'admin_pubkey'";
+      rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+      if (rc == SQLITE_OK) {
+        rc = sqlite3_step(stmt);
+        if (rc == SQLITE_ROW) {
+          const char *pubkey = (const char *)sqlite3_column_text(stmt, 0);
+          if (pubkey && strlen(pubkey) == 64) {
+            strncpy(g_admin_pubkey, pubkey, sizeof(g_admin_pubkey) - 1);
+            fprintf(stderr, "STARTUP: Admin pubkey loaded from config: %s\n", g_admin_pubkey);
+          }
+        }
+        sqlite3_finalize(stmt);
+      }
+      sqlite3_close(db);
+    }
+  } else {
+    // Store admin pubkey in config if provided via command line
+    rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
+    if (rc == SQLITE_OK) {
+      const char *sql = "INSERT OR REPLACE INTO config (key, value, description) VALUES (?, ?, ?)";
+      rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+      if (rc == SQLITE_OK) {
+        sqlite3_bind_text(stmt, 1, "admin_pubkey", -1, SQLITE_STATIC);
+        sqlite3_bind_text(stmt, 2, g_admin_pubkey, -1, SQLITE_STATIC);
+        sqlite3_bind_text(stmt, 3, "Admin public key for management authentication", -1, SQLITE_STATIC);
+        sqlite3_step(stmt);
+        sqlite3_finalize(stmt);
+      }
+      sqlite3_close(db);
+    }
+  }
+
+  return 0;
+}
+
+// Store blossom private key in dedicated table
+int store_blossom_private_key(const char *seckey) {
+  sqlite3 *db;
+  sqlite3_stmt *stmt;
+  int rc;
+
+  // Validate key format
+  if (!seckey || strlen(seckey) != 64) {
+    fprintf(stderr, "ERROR: Invalid blossom private key format\n");
+    return -1;
+  }
+
+  // Create blossom_seckey table if it doesn't exist
+  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
+  if (rc) {
+    fprintf(stderr, "ERROR: Can't open database: %s\n", sqlite3_errmsg(db));
+    return -1;
+  }
+
+  // Create table
+  const char *create_sql = "CREATE TABLE IF NOT EXISTS blossom_seckey (id INTEGER PRIMARY KEY CHECK (id = 1), seckey TEXT NOT NULL, created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')), CHECK (length(seckey) = 64))";
+  rc = sqlite3_exec(db, create_sql, NULL, NULL, NULL);
+  if (rc != SQLITE_OK) {
+    fprintf(stderr, "ERROR: Failed to create blossom_seckey table: %s\n", sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  // Store key
+  const char *sql = "INSERT OR REPLACE INTO blossom_seckey (id, seckey) VALUES (1, ?)";
+  rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+  if (rc != SQLITE_OK) {
+    fprintf(stderr, "ERROR: SQL prepare failed: %s\n", sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  sqlite3_bind_text(stmt, 1, seckey, -1, SQLITE_STATIC);
+  rc = sqlite3_step(stmt);
+  sqlite3_finalize(stmt);
+  sqlite3_close(db);
+
+  if (rc != SQLITE_DONE) {
+    fprintf(stderr, "ERROR: Failed to store blossom private key\n");
+    return -1;
+  }
+
+  return 0;
+}
+
+// Get blossom private key from database
+int get_blossom_private_key(char *seckey_out, size_t max_len) {
+  sqlite3 *db;
+  sqlite3_stmt *stmt;
+  int rc;
+
+  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
+  if (rc) {
+    return -1;
+  }
+
+  const char *sql = "SELECT seckey FROM blossom_seckey WHERE id = 1 LIMIT 1";
+  rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+  if (rc != SQLITE_OK) {
+    sqlite3_close(db);
+    return -1;
+  }
+
+  rc = sqlite3_step(stmt);
+  if (rc == SQLITE_ROW) {
+    const char *seckey = (const char *)sqlite3_column_text(stmt, 0);
+    if (seckey && strlen(seckey) == 64 && strlen(seckey) < max_len) {
+      strcpy(seckey_out, seckey);
+      sqlite3_finalize(stmt);
+      sqlite3_close(db);
+      return 0;
+    }
+  }
+
+  sqlite3_finalize(stmt);
+  sqlite3_close(db);
+  return -1;
+}
+
 // Insert blob metadata into database
 int insert_blob_metadata(const char *sha256, long size, const char *type,
                         long uploaded_at, const char *uploader_pubkey,
@@ -85,7 +520,7 @@ int insert_blob_metadata(const char *sha256, long size, const char *type,
  sqlite3_stmt *stmt;
  int rc;

-  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
+  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
  if (rc) {
    fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
    return 0;
@@ -140,7 +575,7 @@ int get_blob_metadata(const char *sha256, blob_metadata_t *metadata) {
  sqlite3_stmt *stmt;
  int rc;

-  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY, NULL);
+  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READONLY | SQLITE_OPEN_CREATE, NULL);
  if (rc) {
    fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
    return 0;
@@ -557,7 +992,7 @@ void handle_delete_request_with_validation(const char *sha256, nostr_request_res
  sqlite3_stmt *stmt;
  int rc;

-  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
+  rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
  if (rc) {

    send_error_response(500, "database_error", "Failed to access database",
@@ -1296,7 +1731,13 @@ void handle_auth_challenge_request(void) {
 /////////////////////////////////////////////////////////////////////////////////////////

 int main(int argc, char *argv[]) {
+  fprintf(stderr, "DEBUG: main() started\n");
+  fflush(stderr);
+
  // Parse command line arguments
+  int use_test_keys = 0;
+  char test_server_privkey[65] = "";
+  
  for (int i = 1; i < argc; i++) {
    if (strcmp(argv[i], "--db-path") == 0 && i + 1 < argc) {
      strncpy(g_db_path, argv[i + 1], sizeof(g_db_path) - 1);
@@ -1305,21 +1746,180 @@ int main(int argc, char *argv[]) {
      strncpy(g_storage_dir, argv[i + 1], sizeof(g_storage_dir) - 1);
      i++; // Skip next argument
    } else if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-h") == 0) {
-      printf("Usage: %s [options]\n", argv[0]);
-      printf("Options:\n");
-      printf("  --db-path PATH       Database file path (default: db/ginxsom.db)\n");
-      printf("  --storage-dir DIR    Storage directory for files (default: blobs)\n");
-      printf("  --help, -h           Show this help message\n");
+      // Use write() directly to avoid FCGI printf redefinition
+      const char *help_text =
+        "Usage: ginxsom-fcgi [options]\n"
+        "Options:\n"
+        "  --db-path PATH          Database file path (default: db/ginxsom.db)\n"
+        "  --storage-dir DIR       Storage directory for files (default: blobs)\n"
+        "  --admin-pubkey KEY      Admin public key for management (64 hex chars)\n"
+        "  --server-privkey KEY    Server private key (64 hex chars, for testing)\n"
+        "  --test-keys             Use test keys from .test_keys file\n"
+        "  --generate-keys         Generate server keypair on startup\n"
+        "  --help, -h              Show this help message\n";
+      ssize_t written = write(STDOUT_FILENO, help_text, strlen(help_text));
+      (void)written; // Suppress unused variable warning
      return 0;
+    } else if (strcmp(argv[i], "--admin-pubkey") == 0 && i + 1 < argc) {
+      strncpy(g_admin_pubkey, argv[i + 1], sizeof(g_admin_pubkey) - 1);
+      i++; // Skip next argument
+    } else if (strcmp(argv[i], "--server-privkey") == 0 && i + 1 < argc) {
+      strncpy(test_server_privkey, argv[i + 1], sizeof(test_server_privkey) - 1);
+      i++; // Skip next argument
+    } else if (strcmp(argv[i], "--test-keys") == 0) {
+      use_test_keys = 1;
+    } else if (strcmp(argv[i], "--generate-keys") == 0) {
+      g_generate_keys = 1;
    } else {
      fprintf(stderr, "Unknown option: %s\n", argv[i]);
      fprintf(stderr, "Use --help for usage information\n");
      return 1;
    }
  }
+  
+  // Load test keys if requested
+  if (use_test_keys) {
+    FILE *keys_file = fopen(".test_keys", "r");
+    if (!keys_file) {
+      fprintf(stderr, "ERROR: Cannot open .test_keys file\n");
+      return 1;
+    }
+    
+    char line[256];
+    while (fgets(line, sizeof(line), keys_file)) {
+      // Parse ADMIN_PUBKEY='...'
+      if (strncmp(line, "ADMIN_PUBKEY='", 14) == 0) {
+        char *start = line + 14;
+        char *end = strchr(start, '\'');
+        if (end && (end - start) == 64) {
+          strncpy(g_admin_pubkey, start, 64);
+          g_admin_pubkey[64] = '\0';
+        }
+      }
+      // Parse SERVER_PRIVKEY='...'
+      else if (strncmp(line, "SERVER_PRIVKEY='", 16) == 0) {
+        char *start = line + 16;
+        char *end = strchr(start, '\'');
+        if (end && (end - start) == 64) {
+          strncpy(test_server_privkey, start, 64);
+          test_server_privkey[64] = '\0';
+        }
+      }
+    }
+    fclose(keys_file);
+    
+    fprintf(stderr, "STARTUP: Using test keys from .test_keys\n");
+    fprintf(stderr, "STARTUP: Admin pubkey: %s\n", g_admin_pubkey);
+    fprintf(stderr, "STARTUP: Server privkey loaded from test keys\n");
+  }

  fprintf(stderr, "STARTUP: Using database path: %s\n", g_db_path);
  fprintf(stderr, "STARTUP: Using storage directory: %s\n", g_storage_dir);
+  if (strlen(g_admin_pubkey) > 0) {
+    fprintf(stderr, "STARTUP: Admin pubkey specified: %s\n", g_admin_pubkey);
+  }
+  if (g_generate_keys) {
+    fprintf(stderr, "STARTUP: Will generate server keypair\n");
+  }
+
+  fprintf(stderr, "DEBUG: About to initialize database\n");
+
+  // Initialize database (create if doesn't exist)
+  fprintf(stderr, "STARTUP: Initializing database...\n");
+  if (initialize_database(g_db_path) != 0) {
+    fprintf(stderr, "FATAL ERROR: Failed to initialize database\n");
+    return 1;
+  }
+  fprintf(stderr, "STARTUP: Database ready\n");
+
+  // CRITICAL: Initialize nostr crypto system BEFORE key operations
+  fprintf(stderr, "STARTUP: Initializing nostr crypto system...\r\n");
+  int crypto_init_result = nostr_crypto_init();
+  fprintf(stderr, "CRYPTO INIT RESULT: %d\r\n", crypto_init_result);
+  if (crypto_init_result != 0) {
+    fprintf(stderr,
+            "FATAL ERROR: Failed to initialize nostr crypto system\r\n");
+    return 1;
+  }
+  fprintf(stderr, "STARTUP: nostr crypto system initialized successfully\r\n");
+
+  // Initialize server keys (now that crypto is initialized)
+  fprintf(stderr, "STARTUP: Initializing server keys...\n");
+  fflush(stderr);
+  
+  // If test keys were provided via command line, store them in database
+  if (test_server_privkey[0] != '\0') {
+    // Store test private key in database
+    strncpy(g_blossom_seckey, test_server_privkey, sizeof(g_blossom_seckey) - 1);
+    g_blossom_seckey[64] = '\0';
+    
+    fprintf(stderr, "STARTUP: Storing test server private key in database...\n");
+    if (store_blossom_private_key(test_server_privkey) != 0) {
+      fprintf(stderr, "ERROR: Failed to store test private key\n");
+      return 1;
+    }
+    
+    // Derive and store public key
+    unsigned char seckey_bytes[32];
+    if (nostr_hex_to_bytes(test_server_privkey, seckey_bytes, 32) != NOSTR_SUCCESS) {
+      fprintf(stderr, "ERROR: Failed to parse test private key\n");
+      return 1;
+    }
+    
+    unsigned char pubkey_bytes[32];
+    if (nostr_ec_public_key_from_private_key(seckey_bytes, pubkey_bytes) != NOSTR_SUCCESS) {
+      fprintf(stderr, "ERROR: Failed to derive public key from test private key\n");
+      return 1;
+    }
+    
+    char pubkey_hex[65];
+    nostr_bytes_to_hex(pubkey_bytes, 32, pubkey_hex);
+    
+    // Store server public key in config
+    sqlite3 *db;
+    sqlite3_stmt *stmt;
+    int rc = sqlite3_open_v2(DB_PATH, &db, SQLITE_OPEN_READWRITE, NULL);
+    if (rc == SQLITE_OK) {
+      const char *sql = "INSERT OR REPLACE INTO config (key, value, description) VALUES (?, ?, ?)";
+      rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+      if (rc == SQLITE_OK) {
+        sqlite3_bind_text(stmt, 1, "blossom_pubkey", -1, SQLITE_STATIC);
+        sqlite3_bind_text(stmt, 2, pubkey_hex, -1, SQLITE_STATIC);
+        sqlite3_bind_text(stmt, 3, "Blossom server's public key (TEST MODE)", -1, SQLITE_STATIC);
+        sqlite3_step(stmt);
+        sqlite3_finalize(stmt);
+      }
+      sqlite3_close(db);
+    }
+    
+    fprintf(stderr, "STARTUP: Test server keys stored in database\n");
+    fprintf(stderr, "STARTUP: Server pubkey: %s\n", pubkey_hex);
+    fprintf(stderr, "STARTUP: Admin pubkey: %s\n", g_admin_pubkey);
+    
+    // Now call load_server_keys to ensure admin_pubkey is also stored
+    int key_init_result = load_server_keys();
+    if (key_init_result != 0) {
+      fprintf(stderr, "WARNING: Failed to complete key initialization\n");
+    }
+  } else {
+    // Load keys from database (production mode)
+    int key_init_result = load_server_keys();
+    fprintf(stderr, "KEY INIT RESULT: %d\n", key_init_result);
+    fflush(stderr);
+    if (key_init_result != 0) {
+      fprintf(stderr, "FATAL ERROR: Failed to initialize server keys\n");
+      return 1;
+    }
+    fprintf(stderr, "STARTUP: Server keys initialized successfully\n");
+  }
+  fflush(stderr);
+
+  // If --generate-keys was specified, exit after key generation
+  if (g_generate_keys) {
+    fprintf(stderr, "Key generation completed, exiting.\n");
+    fflush(stderr);
+    return 0;
+  }

 // Initialize server configuration and identity
 // Try file-based config first, then fall back to database config
@@ -1327,25 +1927,16 @@ int config_loaded = 0;

 // Fall back to database configuration if file config failed
 if (!config_loaded /* && !initialize_server_config() */) {
-  fprintf(
-      stderr,
-      "STARTUP: No configuration found - server starting in setup mode\n");
-  fprintf(stderr, "STARTUP: Run interactive setup with: ginxsom --setup\n");
-      // For interactive mode (when stdin is available), offer setup
+ fprintf(
+     stderr,
+     "STARTUP: No configuration found - server starting in setup mode\n");
+ fprintf(stderr, "STARTUP: Run interactive setup with: ginxsom --setup\n");
+     // For interactive mode (when stdin is available), offer setup

 } else if (!config_loaded) {
-  fprintf(stderr, "STARTUP: Database configuration loaded successfully\n");
+ fprintf(stderr, "STARTUP: Database configuration loaded successfully\n");
 }

-  // CRITICAL: Initialize nostr crypto system for cryptographic operations
-  fprintf(stderr, "STARTUP: Initializing nostr crypto system...\r\n");
-  if (nostr_crypto_init() != 0) {
-    fprintf(stderr,
-            "FATAL ERROR: Failed to initialize nostr crypto system\r\n");
-    return 1;
-  }
-  fprintf(stderr, "STARTUP: nostr crypto system initialized successfully\r\n");
-
  // Initialize request validator system
  fprintf(stderr, "STARTUP: Initializing request validator system...\r\n");
  int validator_init_result =
--- a/src/request_validator.c
+++ b/src/request_validator.c
@@ -283,6 +283,16 @@ int nostr_validate_unified_request(const nostr_unified_request_t *request,
  //  PHASE 2: NOSTR EVENT VALIDATION (CPU Intensive ~2ms)
  /////////////////////////////////////////////////////////////////////

+  // Check if authentication is disabled first (regardless of header presence)
+  if (!g_auth_cache.auth_required) {
+    validator_debug_log("VALIDATOR_DEBUG: STEP 4 PASSED - Authentication "
+                        "disabled, allowing request\n");
+    result->valid = 1;
+    result->error_code = NOSTR_SUCCESS;
+    strcpy(result->reason, "Authentication disabled");
+    return NOSTR_SUCCESS;
+  }
+
  // Check if this is a BUD-09 report request - allow anonymous reporting
  if (request->operation && strcmp(request->operation, "report") == 0) {
    // BUD-09 allows anonymous reporting - pass through to bud09.c for validation
--- a/src/test_keygen.c
+++ b/src/test_keygen.c
@@ -0,0 +1,199 @@
+/*
+ * Test program for key generation
+ * Standalone version that doesn't require FastCGI
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sqlite3.h>
+#include "../nostr_core_lib/nostr_core/nostr_common.h"
+#include "../nostr_core_lib/nostr_core/utils.h"
+
+// Forward declarations
+int generate_random_private_key_bytes(unsigned char *key_bytes, size_t len);
+int generate_server_keypair(const char *db_path);
+int store_blossom_private_key(const char *db_path, const char *seckey);
+
+// Generate random private key bytes using /dev/urandom
+int generate_random_private_key_bytes(unsigned char *key_bytes, size_t len) {
+  FILE *fp = fopen("/dev/urandom", "rb");
+  if (!fp) {
+    fprintf(stderr, "ERROR: Cannot open /dev/urandom for key generation\n");
+    return -1;
+  }
+
+  size_t bytes_read = fread(key_bytes, 1, len, fp);
+  fclose(fp);
+
+  if (bytes_read != len) {
+    fprintf(stderr, "ERROR: Failed to read %zu bytes from /dev/urandom\n", len);
+    return -1;
+  }
+
+  return 0;
+}
+
+// Store blossom private key in dedicated table
+int store_blossom_private_key(const char *db_path, const char *seckey) {
+  sqlite3 *db;
+  sqlite3_stmt *stmt;
+  int rc;
+
+  // Validate key format
+  if (!seckey || strlen(seckey) != 64) {
+    fprintf(stderr, "ERROR: Invalid blossom private key format\n");
+    return -1;
+  }
+
+  // Create blossom_seckey table if it doesn't exist
+  rc = sqlite3_open_v2(db_path, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL);
+  if (rc) {
+    fprintf(stderr, "ERROR: Can't open database: %s\n", sqlite3_errmsg(db));
+    return -1;
+  }
+
+  // Create table
+  const char *create_sql = "CREATE TABLE IF NOT EXISTS blossom_seckey (id INTEGER PRIMARY KEY CHECK (id = 1), seckey TEXT NOT NULL, created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')), CHECK (length(seckey) = 64))";
+  rc = sqlite3_exec(db, create_sql, NULL, NULL, NULL);
+  if (rc != SQLITE_OK) {
+    fprintf(stderr, "ERROR: Failed to create blossom_seckey table: %s\n", sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  // Store key
+  const char *sql = "INSERT OR REPLACE INTO blossom_seckey (id, seckey) VALUES (1, ?)";
+  rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+  if (rc != SQLITE_OK) {
+    fprintf(stderr, "ERROR: SQL prepare failed: %s\n", sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  sqlite3_bind_text(stmt, 1, seckey, -1, SQLITE_STATIC);
+  rc = sqlite3_step(stmt);
+  sqlite3_finalize(stmt);
+  sqlite3_close(db);
+
+  if (rc != SQLITE_DONE) {
+    fprintf(stderr, "ERROR: Failed to store blossom private key\n");
+    return -1;
+  }
+
+  return 0;
+}
+
+// Generate server keypair and store in database
+int generate_server_keypair(const char *db_path) {
+  printf("Generating server keypair...\n");
+  unsigned char seckey_bytes[32];
+  char seckey_hex[65];
+  char pubkey_hex[65];
+
+  // Generate random private key
+  printf("Generating random private key...\n");
+  if (generate_random_private_key_bytes(seckey_bytes, 32) != 0) {
+    fprintf(stderr, "Failed to generate random bytes\n");
+    return -1;
+  }
+
+  // Validate the private key
+  if (nostr_ec_private_key_verify(seckey_bytes) != NOSTR_SUCCESS) {
+    fprintf(stderr, "ERROR: Generated invalid private key\n");
+    return -1;
+  }
+
+  // Convert to hex
+  nostr_bytes_to_hex(seckey_bytes, 32, seckey_hex);
+
+  // Derive public key
+  unsigned char pubkey_bytes[32];
+  if (nostr_ec_public_key_from_private_key(seckey_bytes, pubkey_bytes) != NOSTR_SUCCESS) {
+    fprintf(stderr, "ERROR: Failed to derive public key\n");
+    return -1;
+  }
+
+  // Convert public key to hex
+  nostr_bytes_to_hex(pubkey_bytes, 32, pubkey_hex);
+
+  // Store private key securely
+  if (store_blossom_private_key(db_path, seckey_hex) != 0) {
+    fprintf(stderr, "ERROR: Failed to store blossom private key\n");
+    return -1;
+  }
+
+  // Store public key in config
+  sqlite3 *db;
+  sqlite3_stmt *stmt;
+  int rc;
+
+  rc = sqlite3_open_v2(db_path, &db, SQLITE_OPEN_READWRITE, NULL);
+  if (rc) {
+    fprintf(stderr, "ERROR: Can't open database for config: %s\n", sqlite3_errmsg(db));
+    return -1;
+  }
+
+  const char *sql = "INSERT OR REPLACE INTO config (key, value, description) VALUES (?, ?, ?)";
+  rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
+  if (rc != SQLITE_OK) {
+    fprintf(stderr, "ERROR: SQL prepare failed: %s\n", sqlite3_errmsg(db));
+    sqlite3_close(db);
+    return -1;
+  }
+
+  sqlite3_bind_text(stmt, 1, "blossom_pubkey", -1, SQLITE_STATIC);
+  sqlite3_bind_text(stmt, 2, pubkey_hex, -1, SQLITE_STATIC);
+  sqlite3_bind_text(stmt, 3, "Blossom server's public key for Nostr communication", -1, SQLITE_STATIC);
+
+  rc = sqlite3_step(stmt);
+  sqlite3_finalize(stmt);
+  sqlite3_close(db);
+
+  if (rc != SQLITE_DONE) {
+    fprintf(stderr, "ERROR: Failed to store blossom public key in config\n");
+    return -1;
+  }
+
+  // Display keys for admin setup
+  printf("========================================\n");
+  printf("SERVER KEYPAIR GENERATED SUCCESSFULLY\n");
+  printf("========================================\n");
+  printf("Blossom Public Key:  %s\n", pubkey_hex);
+  printf("Blossom Private Key: %s\n", seckey_hex);
+  printf("========================================\n");
+  printf("IMPORTANT: Save the private key securely!\n");
+  printf("This key is used for decrypting admin messages.\n");
+  printf("========================================\n");
+
+  return 0;
+}
+
+int main(int argc, char *argv[]) {
+  const char *db_path = "db/ginxsom.db";
+  
+  if (argc > 1) {
+    db_path = argv[1];
+  }
+  
+  printf("Test Key Generation\n");
+  printf("===================\n");
+  printf("Database: %s\n\n", db_path);
+  
+  // Initialize nostr crypto
+  printf("Initializing nostr crypto system...\n");
+  if (nostr_crypto_init() != NOSTR_SUCCESS) {
+    fprintf(stderr, "FATAL: Failed to initialize nostr crypto\n");
+    return 1;
+  }
+  printf("Crypto system initialized\n\n");
+  
+  // Generate keypair
+  if (generate_server_keypair(db_path) != 0) {
+    fprintf(stderr, "FATAL: Key generation failed\n");
+    return 1;
+  }
+  
+  printf("\nKey generation test completed successfully!\n");
+  return 0;
+}
--- a/src/test_main.c
+++ b/src/test_main.c
@@ -0,0 +1,50 @@
+/*
+ * Minimal test version of main.c to debug startup issues
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "ginxsom.h"
+
+// Copy just the essential parts for testing
+char g_db_path[4096] = "db/ginxsom.db";
+char g_storage_dir[4096] = ".";
+char g_admin_pubkey[65] = "";
+char g_relay_seckey[65] = "";
+int g_generate_keys = 0;
+
+int main(int argc, char *argv[]) {
+  printf("DEBUG: main() started\n");
+  fflush(stdout);
+
+  // Parse minimal args
+  for (int i = 1; i < argc; i++) {
+    printf("DEBUG: arg %d: %s\n", i, argv[i]);
+    fflush(stdout);
+    if (strcmp(argv[i], "--generate-keys") == 0) {
+      g_generate_keys = 1;
+      printf("DEBUG: generate-keys flag set\n");
+      fflush(stdout);
+    } else if (strcmp(argv[i], "--help") == 0) {
+      printf("Usage: test_main [options]\n");
+      printf("  --generate-keys    Generate keys\n");
+      printf("  --help             Show help\n");
+      return 0;
+    }
+  }
+
+  printf("DEBUG: g_generate_keys = %d\n", g_generate_keys);
+  fflush(stdout);
+
+  if (g_generate_keys) {
+    printf("DEBUG: Would generate keys here\n");
+    fflush(stdout);
+    return 0;
+  }
+
+  printf("DEBUG: Normal startup would continue here\n");
+  fflush(stdout);
+
+  return 0;
+}