feat(config): add event blacklist to block all events from specific authors

Adds NGIT_EVENT_BLACKLIST option for blocking all events from specific npubs,
taking precedence over all other validation to enable comprehensive moderation
without affecting curation policy.

Key features:
- Simple npub-only format: <npub>,<npub>,...
- Checked FIRST before any other validation (including repository blacklist)
- Blocks ALL event types (announcements, state events, PRs, comments, etc.)
- Events never reach relay storage or purgatory
- Specific rejection reason for operator debugging

Implementation:
- Add EventBlacklistConfig struct with check() method
- Add NGIT_EVENT_BLACKLIST config option and event_blacklist_config() method
- Add config field to PolicyContext for policy access
- Add check_event_blacklist() to Nip34WritePolicy
- Check event blacklist first in admit_event() method (before any other validation)
- 4 new unit tests covering all blacklist behavior

Configuration synced across all four sources:
- src/config.rs: Core implementation with EventBlacklistConfig
- .env.example: Comprehensive documentation with examples
- docs/reference/configuration.md: Complete reference documentation
- nix/module.nix: NixOS module option with environment mapping

README updates:
- Add comprehensive "Curation & Moderation" section
- Document repository whitelists (GRASP-01 and GRASP-05 modes)
- Document repository and event blacklists with precedence order
- Add configuration table for all curation/moderation settings
- Provide real-world examples for different relay configurations

Testing:
- 4 new tests for event blacklist functionality
- All 336 library tests passing
- All 64 integration tests passing
- All 38 filter support tests passing

Verification:
- Repository blacklist confirmed to apply to sync (uses same admit_event flow)
- Sync events validated through process_event_static -> write_policy.admit_event

Use cases:
- Block spam/abusive users completely
- Prevent malicious actors from submitting any events
- Temporary blocks for investigation
- Moderation without affecting whitelist curation policy

1 files changed, 92 insertions, 0 deletions

diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
index b90686e..66f39f1 100644
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -833,6 +833,98 @@ Blacklist does **not** affect NIP-11 metadata:
 
 ---
 
+### Event Blacklist
+
+#### `NGIT_EVENT_BLACKLIST`
+
+**Description:** Blacklist events from specific authors (npubs)  
+**Type:** Comma-separated list of npubs  
+**Default:** Empty (no events are blacklisted by author)  
+**Required:** No
+
+**Format:**
+- `npub1...` - Block all events from this author
+
+**Precedence:** Event blacklist takes precedence over **ALL** other validation:
+- Blacklisted events are rejected **before** any other policy checks
+- Applies to all event types (announcements, state events, PRs, etc.)
+- Events never reach purgatory (rejected immediately)
+- Overrides repository blacklist, whitelists, and all other policies
+
+**Examples:**
+
+```bash
+# Block all events from specific author
+NGIT_EVENT_BLACKLIST=npub1spam...
+
+# Block events from multiple authors
+NGIT_EVENT_BLACKLIST=npub1spam...,npub1abuser...,npub1troll...
+```
+
+**Rejection Reason:**
+
+The event blacklist provides a specific rejection reason:
+- **Format:** `"Event author <npub> is blacklisted"`
+
+This reason helps operators understand why an event was rejected without needing to flag it in metadata.
+
+**Behavior:**
+
+Event blacklist is checked **first** before all other validation:
+1. Check event blacklist → Reject if author is blacklisted
+2. Check repository blacklist (for announcements) → Reject if matched
+3. Check event-type specific policies → Accept/Reject based on policy
+4. Process event normally
+
+**Use Cases:**
+
+```bash
+# Block spam/abusive users
+NGIT_EVENT_BLACKLIST=npub1spammer...,npub1abuser...
+
+# Block malicious actors
+NGIT_EVENT_BLACKLIST=npub1malware...,npub1phisher...
+
+# Temporary block for investigation
+NGIT_EVENT_BLACKLIST=npub1suspicious...
+```
+
+**Comparison with Repository Blacklist:**
+
+| Configuration | Scope | Checked When | Applies To |
+|---------------|-------|--------------|------------|
+| Event Blacklist | Author-based | **First** (before all policies) | **All events** from author |
+| Repository Blacklist | Repo-based | Second (announcements only) | Specific repositories |
+
+**Event Blacklist vs Repository Blacklist:**
+
+```bash
+# Scenario: npub1alice is event-blacklisted
+NGIT_EVENT_BLACKLIST=npub1alice...
+
+# Result:
+# - ALL events from npub1alice are rejected (announcements, PRs, etc.)
+# - Events never reach relay or purgatory
+# - Rejection: "Event author npub1alice... is blacklisted"
+
+# Scenario: npub1alice/repo is repository-blacklisted
+NGIT_REPOSITORY_BLACKLIST=npub1alice.../malware
+
+# Result:
+# - Only announcements for npub1alice.../malware are rejected
+# - Other events from npub1alice are still processed normally
+# - PRs/state events for different repos from npub1alice are accepted
+```
+
+**NIP-11 Impact:**
+
+Event blacklist does **not** affect NIP-11 metadata:
+- No `curation` field changes (blacklist is operational, not policy)
+- Blacklist is transparent to clients (rejected with specific reason)
+- Operators can use blacklist without advertising moderation
+
+---
+
 ### Logging Configuration
 
 #### `RUST_LOG`