persist and restore announcement events across graceful restarts

Extends purgatory persistence to include announcement purgatory entries.
On graceful shutdown, non-soft-expired announcements are serialised to
purgatory-state.json alongside state/PR/expired events; on startup they
are restored, skipping any entry whose bare repo path no longer exists.

Updates purgatory-design.md to reflect that purgatory persists through
graceful shutdown and documents the new PurgatoryState disk format.

Adds create_announcement_event helper to purgatory_helpers and three new
integration tests in purgatory_persistence covering the full save/restore
cycle, missing-repo skip, and the combined roundtrip with all entry types.

4 files changed, 493 insertions, 10 deletions

diff --git a/docs/explanation/purgatory-design.md b/docs/explanation/purgatory-design.md
index bd792d4..8e7d75c 100644
--- a/docs/explanation/purgatory-design.md
+++ b/docs/explanation/purgatory-design.md
@@ -39,14 +39,36 @@ This ensures we only serve announcements for repos that actually have content.
 
 ## Key Design Principles
 
-### 1. In-Memory Only
+### 1. Graceful-Shutdown Persistence
 
-Purgatory data is **not persisted** to disk. On restart, all purgatory entries are lost. This is acceptable because:
+Purgatory state is **saved to disk on graceful shutdown** and **restored on startup**. This preserves in-flight work across planned restarts (deployments, reboots).
+
+On `SIGINT` / Ctrl-C, `main.rs` calls `purgatory.save_to_disk()` before exiting. On startup, if the state file exists, `purgatory.restore_from_disk()` is called before the server begins accepting connections.
+
+**What is persisted:**
+
+| Store | Persisted? | Notes |
+|-------|-----------|-------|
+| `announcement_purgatory` | ✅ Yes | Non-soft-expired entries only (bare repo must exist) |
+| `state_events` | ✅ Yes | All active entries |
+| `pr_events` | ✅ Yes | Both events and placeholders |
+| `expired_events` | ✅ Yes | Prevents re-sync loops after restart |
+| `sync_queue` | ❌ No | Rebuilt automatically after restore |
+
+**What is NOT persisted (unclean shutdown):**
+
+On a crash or `SIGKILL`, the state file is not written. In that case:
 
 - Events are still on other relays (can be re-submitted)
 - Git data can be re-pushed
 - 30-minute expiry means data is transient anyway
 
+**State file location:** `<git_data_path>/purgatory-state.json`
+
+**Downtime accounting:** Expiry deadlines are stored as duration offsets from the save timestamp. On restore, elapsed downtime is subtracted from each deadline. Entries that expired during downtime are immediately swept by the next cleanup tick.
+
+**Soft-expired announcements are excluded:** Their bare repos have already been deleted, so they cannot be meaningfully restored. They will be re-fetched via background sync if needed.
+
 ### 2. Separate Storage for Each Event Type
 
 | Store | Index | Purpose |
@@ -233,6 +255,31 @@ pub struct Purgatory {
 }
 ```
 
+### Persistence State (Disk Format)
+
+`Instant` fields cannot be serialized directly. Each entry type has a corresponding `Serializable*` wrapper that stores time fields as `u64` second offsets from a `saved_at: SystemTime` reference point. On restore, elapsed downtime is subtracted to produce the correct remaining TTL.
+
+```rust
+struct PurgatoryState {
+    version: u32,                    // currently 1
+    saved_at: SystemTime,            // reference for offset math
+
+    /// Non-soft-expired announcements indexed by "owner_hex:identifier"
+    announcement_purgatory: HashMap<String, SerializableAnnouncementPurgatoryEntry>,
+
+    /// State events indexed by repository identifier
+    state_events: HashMap<String, Vec<SerializableStatePurgatoryEntry>>,
+
+    /// PR events (and placeholders) indexed by event ID hex
+    pr_events: HashMap<String, SerializablePrPurgatoryEntry>,
+
+    /// Expired event IDs → approximate expiry SystemTime
+    expired_events: HashMap<String, SystemTime>,
+}
+```
+
+The `announcement_purgatory` field uses `#[serde(default)]` so that state files written before announcement persistence was added (version 1 without the field) still deserialize correctly.
+
 ---
 
 ## Announcement Purgatory Flows
@@ -806,8 +853,9 @@ A background timer (`run_purgatory_announcement_sync`, every 5 seconds) ensures
 ```
 src/
 ├── purgatory/
-│   ├── mod.rs              # Main Purgatory struct and API
+│   ├── mod.rs              # Main Purgatory struct, API, save_to_disk, restore_from_disk
 │   ├── types.rs            # RefPair, AnnouncementPurgatoryEntry, StatePurgatoryEntry, PrPurgatoryEntry
+│   ├── persistence.rs      # instant_to_offset / offset_to_instant time conversion utilities
 │   ├── helpers.rs          # Ref extraction and matching functions
 │   └── sync/
 │       ├── mod.rs          # Sync module exports
@@ -835,7 +883,8 @@ src/
 
 Located in each module:
 
-- **[`src/purgatory/mod.rs`](../../src/purgatory/mod.rs)** - Core purgatory operations including announcement purgatory
+- **[`src/purgatory/mod.rs`](../../src/purgatory/mod.rs)** - Core purgatory operations including announcement purgatory; persistence round-trip tests for all entry types (state, PR, announcement, expired events, downtime calculation, soft-expired exclusion, missing-repo skip)
+- **[`src/purgatory/persistence.rs`](../../src/purgatory/persistence.rs)** - `instant_to_offset` / `offset_to_instant` round-trip tests
 - **[`src/purgatory/helpers.rs`](../../src/purgatory/helpers.rs)** - Ref matching logic
 - **[`src/purgatory/sync/functions.rs`](../../src/purgatory/sync/functions.rs)** - Sync functions with MockSyncContext
 - **[`src/purgatory/sync/throttle.rs`](../../src/purgatory/sync/throttle.rs)** - Throttle manager
@@ -852,6 +901,7 @@ Located in [`tests/`](../../tests/):
 - **Git-data-first flow** - Git push creates placeholder, event completes it
 - **Authorization with purgatory** - Push authorized by purgatory state
 - **Background sync** - Sync fetches git data and releases events
+- **Persistence across restart** - Save/restore cycle preserves all entry types including announcements
 
 ---
 
@@ -894,6 +944,14 @@ PR events can arrive before or after git data:
 
 **Solution:** `PrPurgatoryEntry.event: Option<Event>` with `None` = placeholder.
 
+### 6. Persistence Requires Instant → Duration Conversion
+
+`std::time::Instant` is not serializable and is not meaningful across process boundaries. Expiry deadlines must be converted to a portable form.
+
+**Solution:** Store each deadline as a `u64` second offset from a `saved_at: SystemTime` reference. On restore, subtract elapsed downtime from each offset to compute the new `Instant`. Entries whose deadline already passed during downtime get `expires_at = now` and are swept by the next cleanup tick.
+
+**Soft-expired announcements are excluded from persistence** because their bare repos have been deleted. Restoring them would leave purgatory entries pointing at non-existent repos. They are simply dropped; background sync will re-fetch the announcement event if needed.
+
 ---
 
 ## Related Documentation
diff --git a/src/purgatory/mod.rs b/src/purgatory/mod.rs
index f5f8b31..9a63bf6 100644
--- a/src/purgatory/mod.rs
+++ b/src/purgatory/mod.rs
@@ -83,9 +83,35 @@ struct SerializablePrPurgatoryEntry {
     expires_at_offset_secs: u64,
 }
 
+/// Serializable wrapper for `AnnouncementPurgatoryEntry` with time offsets.
+///
+/// Stores `Instant` fields as `Duration` offsets from the `saved_at` timestamp
+/// in `PurgatoryState`, allowing state to be persisted and restored across restarts.
+///
+/// Note: soft-expired entries (bare repo deleted) are NOT persisted — they have
+/// no git repo on disk and would be immediately cleaned up on restore anyway.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct SerializableAnnouncementPurgatoryEntry {
+    /// The nostr announcement event (kind 30617)
+    event: Event,
+    /// The repository identifier from the event's 'd' tag
+    identifier: String,
+    /// The owner pubkey (event author)
+    owner: PublicKey,
+    /// Path to the bare git repository (must exist on disk)
+    repo_path: PathBuf,
+    /// Relay URLs from the announcement (for sync registration)
+    relays: HashSet<String>,
+    /// Duration offset from saved_at for created_at
+    created_at_offset_secs: u64,
+    /// Duration offset from saved_at for expires_at
+    expires_at_offset_secs: u64,
+}
+
 /// Serializable purgatory state for disk persistence.
 ///
 /// Contains all purgatory data needed to restore state across restarts:
+/// - Announcement events (indexed by (owner, identifier)) — non-soft-expired only
 /// - State events (indexed by identifier)
 /// - PR events (indexed by event ID)
 /// - Expired events (to prevent re-sync loops)
@@ -97,6 +123,10 @@ struct PurgatoryState {
     version: u32,
     /// When this state was saved to disk
     saved_at: SystemTime,
+    /// Announcement events indexed by "owner_hex:identifier"
+    /// Only non-soft-expired entries are persisted (bare repo must exist).
+    #[serde(default)]
+    announcement_purgatory: HashMap<String, SerializableAnnouncementPurgatoryEntry>,
     /// State events indexed by repository identifier
     state_events: HashMap<String, Vec<SerializableStatePurgatoryEntry>>,
     /// PR events indexed by event ID (hex string)
@@ -1114,6 +1144,34 @@ impl Purgatory {
         let saved_at = SystemTime::now();
         let now_instant = Instant::now();
 
+        // Convert announcement_purgatory to serializable format.
+        // Skip soft-expired entries: their bare repos have been deleted, so they
+        // cannot be meaningfully restored (the repo path no longer exists on disk).
+        let mut announcement_purgatory = HashMap::new();
+        for entry in self.announcement_purgatory.iter() {
+            let e = entry.value();
+            if e.soft_expired {
+                continue;
+            }
+            let created_offset =
+                persistence::instant_to_offset(e.created_at, saved_at, now_instant);
+            let expires_offset =
+                persistence::instant_to_offset(e.expires_at, saved_at, now_instant);
+            let key = format!("{}:{}", e.owner.to_hex(), e.identifier);
+            announcement_purgatory.insert(
+                key,
+                SerializableAnnouncementPurgatoryEntry {
+                    event: e.event.clone(),
+                    identifier: e.identifier.clone(),
+                    owner: e.owner,
+                    repo_path: e.repo_path.clone(),
+                    relays: e.relays.clone(),
+                    created_at_offset_secs: created_offset.as_secs(),
+                    expires_at_offset_secs: expires_offset.as_secs(),
+                },
+            );
+        }
+
         // Convert state_events to serializable format
         let mut state_events = HashMap::new();
         for entry in self.state_events.iter() {
@@ -1176,6 +1234,7 @@ impl Purgatory {
         let state = PurgatoryState {
             version: 1,
             saved_at,
+            announcement_purgatory,
             state_events,
             pr_events,
             expired_events,
@@ -1187,6 +1246,7 @@ impl Purgatory {
 
         tracing::info!(
             path = %path.display(),
+            announcements = state.announcement_purgatory.len(),
             state_events = state.state_events.len(),
             pr_events = state.pr_events.len(),
             expired_events = state.expired_events.len(),
@@ -1234,6 +1294,45 @@ impl Purgatory {
 
         let now_instant = Instant::now();
 
+        // Restore announcement_purgatory.
+        // Skip entries whose bare repo no longer exists on disk — this can happen
+        // if the repo was deleted externally between save and restore.
+        for (_key, e) in state.announcement_purgatory {
+            if !e.repo_path.exists() {
+                tracing::warn!(
+                    owner = %e.owner,
+                    identifier = %e.identifier,
+                    repo_path = %e.repo_path.display(),
+                    "Skipping announcement restore: bare repo no longer exists"
+                );
+                continue;
+            }
+            let created_at = persistence::offset_to_instant(
+                Duration::from_secs(e.created_at_offset_secs),
+                state.saved_at,
+                now_instant,
+            );
+            let expires_at = persistence::offset_to_instant(
+                Duration::from_secs(e.expires_at_offset_secs),
+                state.saved_at,
+                now_instant,
+            );
+            let key = (e.owner, e.identifier.clone());
+            self.announcement_purgatory.insert(
+                key,
+                AnnouncementPurgatoryEntry {
+                    event: e.event,
+                    identifier: e.identifier,
+                    owner: e.owner,
+                    repo_path: e.repo_path,
+                    relays: e.relays,
+                    created_at,
+                    expires_at,
+                    soft_expired: false,
+                },
+            );
+        }
+
         // Restore state_events
         for (identifier, entries) in state.state_events {
             let restored_entries: Vec<StatePurgatoryEntry> = entries
@@ -1301,6 +1400,7 @@ impl Purgatory {
 
         tracing::info!(
             path = %path.display(),
+            announcements = self.announcement_purgatory.len(),
             state_events = self.state_events.len(),
             pr_events = self.pr_events.len(),
             expired_events = self.expired_events.len(),
@@ -2426,6 +2526,141 @@ async fn test_file_cleanup_after_successful_restore() {
 }
 
 #[tokio::test]
+async fn test_save_and_restore_announcement_events() {
+    use tempfile::tempdir;
+
+    let temp_dir = tempdir().unwrap();
+    let state_file = temp_dir.path().join("purgatory_state.json");
+
+    // Create a real bare repo directory so the restore path-existence check passes
+    let repo_dir = temp_dir.path().join("owner.git");
+    std::fs::create_dir_all(&repo_dir).unwrap();
+
+    let purgatory = Purgatory::new(PathBuf::new());
+    let keys = Keys::generate();
+
+    let ann_event = EventBuilder::text_note("announcement event")
+        .sign_with_keys(&keys)
+        .unwrap();
+    let ann_event_id = ann_event.id;
+
+    let mut relays = HashSet::new();
+    relays.insert("wss://relay.example.com".to_string());
+
+    purgatory.add_announcement(
+        ann_event.clone(),
+        "my-repo".to_string(),
+        keys.public_key(),
+        repo_dir.clone(),
+        relays.clone(),
+    );
+
+    // Save to disk
+    purgatory.save_to_disk(&state_file).unwrap();
+    assert!(state_file.exists());
+
+    // Create new purgatory and restore
+    let purgatory2 = Purgatory::new(PathBuf::new());
+    purgatory2.restore_from_disk(&state_file).unwrap();
+
+    // File should be deleted after restore
+    assert!(!state_file.exists());
+
+    // Verify announcement was restored
+    let (ann_count, _, _) = purgatory2.count();
+    assert_eq!(ann_count, 1);
+
+    let restored = purgatory2
+        .find_announcement(&keys.public_key(), "my-repo")
+        .unwrap();
+    assert_eq!(restored.event.id, ann_event_id);
+    assert_eq!(restored.identifier, "my-repo");
+    assert_eq!(restored.owner, keys.public_key());
+    assert_eq!(restored.repo_path, repo_dir);
+    assert_eq!(restored.relays, relays);
+    assert!(!restored.soft_expired);
+}
+
+#[tokio::test]
+async fn test_soft_expired_announcements_not_persisted() {
+    use tempfile::tempdir;
+
+    let temp_dir = tempdir().unwrap();
+    let state_file = temp_dir.path().join("purgatory_state.json");
+
+    let repo_dir = temp_dir.path().join("owner.git");
+    std::fs::create_dir_all(&repo_dir).unwrap();
+
+    let purgatory = Purgatory::new(PathBuf::new());
+    let keys = Keys::generate();
+
+    let ann_event = EventBuilder::text_note("announcement event")
+        .sign_with_keys(&keys)
+        .unwrap();
+
+    purgatory.add_announcement(
+        ann_event.clone(),
+        "my-repo".to_string(),
+        keys.public_key(),
+        repo_dir.clone(),
+        HashSet::new(),
+    );
+
+    // Manually mark as soft-expired (bare repo deleted)
+    let key = (keys.public_key(), "my-repo".to_string());
+    if let Some(mut entry) = purgatory.announcement_purgatory.get_mut(&key) {
+        entry.soft_expired = true;
+    }
+
+    // Save to disk — soft-expired entry should be excluded
+    purgatory.save_to_disk(&state_file).unwrap();
+
+    // Create new purgatory and restore
+    let purgatory2 = Purgatory::new(PathBuf::new());
+    purgatory2.restore_from_disk(&state_file).unwrap();
+
+    // Soft-expired announcement should NOT be restored
+    let (ann_count, _, _) = purgatory2.count();
+    assert_eq!(ann_count, 0);
+}
+
+#[tokio::test]
+async fn test_announcement_with_missing_repo_skipped_on_restore() {
+    use tempfile::tempdir;
+
+    let temp_dir = tempdir().unwrap();
+    let state_file = temp_dir.path().join("purgatory_state.json");
+
+    // Point to a repo path that does NOT exist
+    let missing_repo = temp_dir.path().join("nonexistent.git");
+
+    let purgatory = Purgatory::new(PathBuf::new());
+    let keys = Keys::generate();
+
+    let ann_event = EventBuilder::text_note("announcement event")
+        .sign_with_keys(&keys)
+        .unwrap();
+
+    purgatory.add_announcement(
+        ann_event.clone(),
+        "my-repo".to_string(),
+        keys.public_key(),
+        missing_repo.clone(),
+        HashSet::new(),
+    );
+
+    // Save to disk (repo path is serialized even though it doesn't exist)
+    purgatory.save_to_disk(&state_file).unwrap();
+
+    // Create new purgatory and restore — entry should be skipped
+    let purgatory2 = Purgatory::new(PathBuf::new());
+    purgatory2.restore_from_disk(&state_file).unwrap();
+
+    let (ann_count, _, _) = purgatory2.count();
+    assert_eq!(ann_count, 0);
+}
+
+#[tokio::test]
 async fn test_comprehensive_roundtrip() {
     use nostr_sdk::{Kind, Tag, TagKind};
     use tempfile::tempdir;
@@ -2433,10 +2668,27 @@ async fn test_comprehensive_roundtrip() {
     let temp_dir = tempdir().unwrap();
     let state_file = temp_dir.path().join("purgatory_state.json");
 
+    // Create a real bare repo directory for the announcement
+    let repo_dir = temp_dir.path().join("owner.git");
+    std::fs::create_dir_all(&repo_dir).unwrap();
+
     let purgatory = Purgatory::new(PathBuf::new());
     let keys1 = Keys::generate();
     let keys2 = Keys::generate();
 
+    // Add announcement
+    let ann_event = EventBuilder::text_note("announcement")
+        .sign_with_keys(&keys1)
+        .unwrap();
+    let ann_event_id = ann_event.id;
+    purgatory.add_announcement(
+        ann_event,
+        "repo1".to_string(),
+        keys1.public_key(),
+        repo_dir.clone(),
+        HashSet::new(),
+    );
+
     // Add multiple state events
     let state1 = EventBuilder::text_note("state 1")
         .sign_with_keys(&keys1)
@@ -2476,7 +2728,8 @@ async fn test_comprehensive_roundtrip() {
     purgatory.cleanup();
 
     // Verify initial state
-    let (_, state_count, pr_count) = purgatory.count();
+    let (ann_count, state_count, pr_count) = purgatory.count();
+    assert_eq!(ann_count, 1); // announcement
     assert_eq!(state_count, 2); // state1, state2 (expired_event was cleaned up)
     assert_eq!(pr_count, 2); // pr-1, pr-2
     assert_eq!(purgatory.expired_count(), 1); // expired_event
@@ -2489,11 +2742,18 @@ async fn test_comprehensive_roundtrip() {
     purgatory2.restore_from_disk(&state_file).unwrap();
 
     // Verify all data was restored correctly
-    let (_, state_count2, pr_count2) = purgatory2.count();
+    let (ann_count2, state_count2, pr_count2) = purgatory2.count();
+    assert_eq!(ann_count2, 1);
     assert_eq!(state_count2, 2);
     assert_eq!(pr_count2, 2);
     assert_eq!(purgatory2.expired_count(), 1);
 
+    // Verify announcement
+    let restored_ann = purgatory2
+        .find_announcement(&keys1.public_key(), "repo1")
+        .unwrap();
+    assert_eq!(restored_ann.event.id, ann_event_id);
+
     // Verify state events
     assert_eq!(purgatory2.find_state("repo1").len(), 1);
     assert_eq!(purgatory2.find_state("repo2").len(), 1);
diff --git a/tests/common/purgatory_helpers.rs b/tests/common/purgatory_helpers.rs
index 1d06f22..cfcea1c 100644
--- a/tests/common/purgatory_helpers.rs
+++ b/tests/common/purgatory_helpers.rs
@@ -338,6 +338,44 @@ pub fn build_repo_coord(keys: &Keys, identifier: &str) -> String {
     format!("30617:{}:{}", keys.public_key().to_hex(), identifier)
 }
 
+/// Create a repository announcement event (kind 30617) for purgatory tests.
+///
+/// Creates a minimal but valid NIP-34 repository announcement with a `d` tag,
+/// optional `clone` URLs, and optional `relays` URLs.
+///
+/// # Arguments
+/// * `keys` - Keys for signing
+/// * `identifier` - Repository identifier (d-tag)
+/// * `clone_urls` - Clone URLs to include (may be empty)
+/// * `relay_urls` - Relay URLs to include (may be empty)
+///
+/// # Returns
+/// * `Ok(Event)` - Signed announcement event
+/// * `Err(String)` - If signing fails
+pub fn create_announcement_event(
+    keys: &Keys,
+    identifier: &str,
+    clone_urls: &[&str],
+    relay_urls: &[&str],
+) -> Result<Event, String> {
+    let mut tags = vec![Tag::identifier(identifier)];
+
+    if !clone_urls.is_empty() {
+        let urls: Vec<String> = clone_urls.iter().map(|s| s.to_string()).collect();
+        tags.push(Tag::custom(TagKind::custom("clone"), urls));
+    }
+
+    if !relay_urls.is_empty() {
+        let urls: Vec<String> = relay_urls.iter().map(|s| s.to_string()).collect();
+        tags.push(Tag::custom(TagKind::custom("relays"), urls));
+    }
+
+    EventBuilder::new(Kind::GitRepoAnnouncement, "")
+        .tags(tags)
+        .sign_with_keys(keys)
+        .map_err(|e| format!("Failed to sign announcement event: {}", e))
+}
+
 /// Wait for an event to be served by a relay (not in purgatory).
 ///
 /// Polls the relay until the event is queryable, indicating it has
diff --git a/tests/purgatory_persistence.rs b/tests/purgatory_persistence.rs
index 5abbf15..05cb44b 100644
--- a/tests/purgatory_persistence.rs
+++ b/tests/purgatory_persistence.rs
@@ -31,9 +31,11 @@
 
 mod common;
 
+use common::purgatory_helpers::create_announcement_event;
 use ngit_grasp::purgatory::Purgatory;
 use ngit_grasp::sync::rejected_index::{EventType, RejectedEventsIndex, RejectionReason};
 use nostr_sdk::prelude::*;
+use std::collections::HashSet;
 use std::time::Duration;
 
 /// Helper to create a test event
@@ -116,12 +118,31 @@ async fn test_full_purgatory_save_restore_cycle() {
     // Add a PR placeholder (git-data-first scenario)
     purgatory.add_pr_placeholder("placeholder-id".to_string(), "commit-xyz".to_string());
 
-    // Note: We can't directly test expired events without accessing private fields,
-    // so we'll focus on testing state and PR events persistence
+    // Add an announcement to purgatory (requires a real directory for the repo path)
+    let repo_dir = temp_dir.path().join("repo.git");
+    std::fs::create_dir_all(&repo_dir).unwrap();
+    let ann_keys = Keys::generate();
+    let ann_event = create_announcement_event(
+        &ann_keys,
+        "my-repo",
+        &["http://example.com/my-repo.git"],
+        &["wss://relay.example.com"],
+    )
+    .unwrap();
+    let ann_event_id = ann_event.id;
+    let mut ann_relays = HashSet::new();
+    ann_relays.insert("wss://relay.example.com".to_string());
+    purgatory.add_announcement(
+        ann_event,
+        "my-repo".to_string(),
+        ann_keys.public_key(),
+        repo_dir.clone(),
+        ann_relays,
+    );
 
     // Verify initial counts
     let (announcement_count, state_count, pr_count) = purgatory.count();
-    assert_eq!(announcement_count, 0, "Should have 0 announcements");
+    assert_eq!(announcement_count, 1, "Should have 1 announcement");
     assert_eq!(state_count, 2, "Should have 2 state events");
     assert_eq!(
         pr_count, 3,
@@ -144,13 +165,22 @@ async fn test_full_purgatory_save_restore_cycle() {
 
     // Verify all data was restored
     let (announcement_count2, state_count2, pr_count2) = purgatory2.count();
-    assert_eq!(announcement_count2, 0, "Should have 0 announcements after restore");
+    assert_eq!(announcement_count2, 1, "Should have 1 announcement after restore");
     assert_eq!(state_count2, 2, "Should have 2 state events after restore");
     assert_eq!(
         pr_count2, 3,
         "Should have 3 PR events after restore (2 events + 1 placeholder)"
     );
 
+    // Verify announcement was restored correctly
+    let restored_ann = purgatory2
+        .find_announcement(&ann_keys.public_key(), "my-repo")
+        .expect("Announcement should be restored");
+    assert_eq!(restored_ann.event.id, ann_event_id);
+    assert_eq!(restored_ann.identifier, "my-repo");
+    assert_eq!(restored_ann.repo_path, repo_dir);
+    assert!(!restored_ann.soft_expired);
+
     // Verify specific state events
     let repo1_states = purgatory2.find_state("repo1");
     assert_eq!(repo1_states.len(), 1);
@@ -748,3 +778,100 @@ async fn test_rejected_cache_entries_expired_during_downtime() {
     assert_eq!(index2.hot_cache_len(), 0);
     assert_eq!(index2.cold_index_len(), 1);
 }
+
+/// Test 18: Announcement events are saved and restored across restarts
+#[tokio::test]
+async fn test_announcement_save_restore_cycle() {
+    let temp_dir = tempfile::tempdir().unwrap();
+    let git_data_path = temp_dir.path().join("git");
+    let state_path = temp_dir.path().join("purgatory.json");
+
+    // Create a real bare repo directory (restore skips entries whose path is missing)
+    let repo_dir = temp_dir.path().join("owner.git");
+    std::fs::create_dir_all(&repo_dir).unwrap();
+
+    let purgatory = Purgatory::new(&git_data_path);
+    let keys = Keys::generate();
+
+    let ann_event = create_announcement_event(
+        &keys,
+        "my-repo",
+        &["http://example.com/my-repo.git"],
+        &["wss://relay.example.com"],
+    )
+    .unwrap();
+    let ann_event_id = ann_event.id;
+
+    let mut relays = HashSet::new();
+    relays.insert("wss://relay.example.com".to_string());
+
+    purgatory.add_announcement(
+        ann_event,
+        "my-repo".to_string(),
+        keys.public_key(),
+        repo_dir.clone(),
+        relays.clone(),
+    );
+
+    let (ann_count, _, _) = purgatory.count();
+    assert_eq!(ann_count, 1);
+
+    // Save to disk
+    purgatory.save_to_disk(&state_path).unwrap();
+    assert!(state_path.exists());
+
+    // Restore into a fresh purgatory
+    let purgatory2 = Purgatory::new(&git_data_path);
+    purgatory2.restore_from_disk(&state_path).unwrap();
+
+    assert!(!state_path.exists(), "State file should be deleted after restore");
+
+    let (ann_count2, _, _) = purgatory2.count();
+    assert_eq!(ann_count2, 1, "Announcement should be restored");
+
+    let restored = purgatory2
+        .find_announcement(&keys.public_key(), "my-repo")
+        .expect("Announcement should be findable after restore");
+
+    assert_eq!(restored.event.id, ann_event_id);
+    assert_eq!(restored.identifier, "my-repo");
+    assert_eq!(restored.owner, keys.public_key());
+    assert_eq!(restored.repo_path, repo_dir);
+    assert_eq!(restored.relays, relays);
+    assert!(!restored.soft_expired);
+}
+
+/// Test 19: Announcement with missing repo path is skipped on restore
+#[tokio::test]
+async fn test_announcement_missing_repo_skipped_on_restore() {
+    let temp_dir = tempfile::tempdir().unwrap();
+    let git_data_path = temp_dir.path().join("git");
+    let state_path = temp_dir.path().join("purgatory.json");
+
+    // Point to a path that does NOT exist on disk
+    let missing_repo = temp_dir.path().join("nonexistent.git");
+
+    let purgatory = Purgatory::new(&git_data_path);
+    let keys = Keys::generate();
+
+    let ann_event = create_announcement_event(&keys, "my-repo", &[], &[]).unwrap();
+
+    purgatory.add_announcement(
+        ann_event,
+        "my-repo".to_string(),
+        keys.public_key(),
+        missing_repo,
+        HashSet::new(),
+    );
+
+    purgatory.save_to_disk(&state_path).unwrap();
+
+    let purgatory2 = Purgatory::new(&git_data_path);
+    purgatory2.restore_from_disk(&state_path).unwrap();
+
+    let (ann_count, _, _) = purgatory2.count();
+    assert_eq!(
+        ann_count, 0,
+        "Announcement with missing repo path must be skipped"
+    );
+}