feat: replace owner-npub with relay-owner-nsec for persistent operator identity

Replace the owner-npub configuration option with relay-owner-nsec to provide
a persistent cryptographic identity for the relay operator. This addresses
NIP-42 authentication requirements discovered during sync debugging.

Motivation:
- Some relays (e.g., relay.damus.io) require NIP-42 authentication for
  advanced features like NIP-77 negentropy sync
- Previously used random ephemeral keys per connection, providing no
  persistent identity
- Other relays can now recognize us by pubkey for reputation-based rate
  limiting
- Ensures consistency between NIP-11 pubkey and authentication key

Changes:
- Config: relay_owner_nsec with auto-load/generate from .relay-owner.nsec
- NIP-11: Pubkey derived from nsec instead of separate npub field
- Sync: RelayConnection now uses operator keys for NIP-42 auth
- Docs: Updated README, .env.example, and added .relay-owner.nsec to gitignore

Key Features:
- Auto-generates key on first run and saves to .relay-owner.nsec
- Loads existing key from file on subsequent runs
- Can override via CLI flag or environment variable
- Enables reputation building across relay network
- Future-ready for event signing and WoT calculations

Testing:
- 225/232 tests passing (7 pre-existing purgatory failures unrelated)
- Verified key generation, loading, and NIP-11 derivation
- Release build successful

Related: work/sync-debug-analysis.md, work/relay-owner-nsec-implementation.md

1 files changed, 4 insertions, 4 deletions

diff --git a/README.md b/README.md
index b8bff09..7077bc5 100644
--- a/README.md
+++ b/README.md
@@ -287,10 +287,10 @@ This means CLI flags always take precedence over environment variables, which ta
 ngit-grasp --help
 
 # Run with CLI flags (override everything else)
-ngit-grasp --domain relay.example.com --owner-npub npub1... --bind-address 0.0.0.0:8080
+ngit-grasp --domain relay.example.com --relay-owner-nsec nsec1... --bind-address 0.0.0.0:8080
 
 # Mix CLI flags with environment variables
-NGIT_OWNER_NPUB=npub1... ngit-grasp --domain relay.example.com
+NGIT_RELAY_OWNER_NSEC=nsec1... ngit-grasp --domain relay.example.com
 ```
 
 ### Configuration Options
@@ -300,7 +300,7 @@ NGIT_OWNER_NPUB=npub1... ngit-grasp --domain relay.example.com
 | Option            | CLI Flag              | Environment Variable     | Default                                      |
 | ----------------- | --------------------- | ------------------------ | -------------------------------------------- |
 | Domain            | `--domain`            | `NGIT_DOMAIN`            | (required)                                   |
-| Owner npub        | `--owner-npub`        | `NGIT_OWNER_NPUB`        | (optional)                                   |
+| Relay owner nsec  | `--relay-owner-nsec`  | `NGIT_RELAY_OWNER_NSEC`  | `.relay-owner.nsec` file (auto-generated)    |
 | Relay name        | `--relay-name`        | `NGIT_RELAY_NAME`        | `${domain} grasp relay`                      |
 | Relay description | `--relay-description` | `NGIT_RELAY_DESCRIPTION` | `Git Nostr Relay - a grasp implementation`   |
 | Git data path     | `--git-data-path`     | `NGIT_GIT_DATA_PATH`     | `./data/git` (temp dir for memory backend)   |
@@ -339,7 +339,7 @@ NGIT_OWNER_NPUB=npub1... ngit-grasp --domain relay.example.com
 ```bash
 # Using environment variables (recommended for production)
 export NGIT_DOMAIN=gitnostr.com
-export NGIT_OWNER_NPUB=npub1...
+export NGIT_RELAY_OWNER_NSEC=nsec1...  # Or let it auto-generate from .relay-owner.nsec
 export NGIT_BIND_ADDRESS=0.0.0.0:8080
 export NGIT_DATABASE_BACKEND=lmdb