feat(config): add repository whitelist for curated GRASP-01 acceptance

Adds NGIT_REPOSITORY_WHITELIST option for curated relay operation that accepts only whitelisted repositories while maintaining GRASP-01 compliance (announcements must list the service). This differs from archive whitelist which enables GRASP-05 mode and doesn't require service listing. Key features: - Supports three whitelist formats: npub, npub/identifier, identifier - Enforces mutual exclusivity with archive read-only mode - Updates NIP-11 curation field when whitelist is enabled - Maintains GRASP-01 compliance (doesn't add GRASP-05 support) Configuration synced across all four sources: src/config.rs, docs/reference/configuration.md, nix/module.nix, and .env.example as required by AGENTS.md.
author: DanConwayDev <DanConwayDev@protonmail.com> 2026-01-12 21:06:39 +0000
committer: DanConwayDev <DanConwayDev@protonmail.com> 2026-01-12 21:21:52 +0000
commit: 82b56c37b26a2fac1a294873e539b19b9325dca6 (patch)
tree: 07800949230f13f91fec2eebbd94b8fbb00dd83f /src/nostr/builder.rs
parent: a12927181c571fc1641772ad44dd4c6a4ab209d9 (diff)
1 files changed, 25 insertions, 23 deletions
diff --git a/src/nostr/builder.rs b/src/nostr/builder.rs
index 33f2fe5..10f7648 100644
--- a/src/nostr/builder.rs
+++ b/src/nostr/builder.rs
@@ -51,15 +51,14 @@ impl std::fmt::Debug for Nip34WritePolicy {
 impl Nip34WritePolicy {
    pub fn new(
-        domain: impl Into<String>,
        database: SharedDatabase,
        git_data_path: impl Into<std::path::PathBuf>,
        purgatory: std::sync::Arc<crate::purgatory::Purgatory>,
-        archive_config: crate::config::ArchiveConfig,
+        config: crate::config::Config,
    ) -> Self {
-        let ctx = PolicyContext::new(domain, database, git_data_path, purgatory);
+        let ctx = PolicyContext::new(&config.domain, database, git_data_path, purgatory);
        Self {
-            announcement_policy: AnnouncementPolicy::new(ctx.clone(), archive_config),
+            announcement_policy: AnnouncementPolicy::new(ctx.clone(), config.clone()),
            state_policy: StatePolicy::new(ctx.clone()),
            pr_event_policy: PrEventPolicy::new(ctx.clone()),
            related_event_policy: RelatedEventPolicy::new(ctx.clone()),
@@ -568,28 +567,31 @@ pub async fn create_relay(
    // Clone Arc for the write policy so both relay and policy can access the database
    let git_data_path = config.effective_git_data_path();
-    // Parse archive configuration
+    // Parse and log archive configuration
-    let archive_config = config
+    if let Ok(archive_config) = config.archive_config() {
-        .archive_config()
+        if archive_config.enabled() {
-        .map_err(|e| anyhow::anyhow!("Failed to parse archive configuration: {}", e))?;
+            tracing::info!(
+                "GRASP-05 archive mode enabled: archive_all={}, whitelist_entries={}, read_only={}",
-    if archive_config.enabled() {
+                archive_config.archive_all,
-        tracing::info!(
+                archive_config.whitelist.len(),
-            "GRASP-05 archive mode enabled: archive_all={}, whitelist_entries={}, read_only={}",
+                archive_config.read_only
-            archive_config.archive_all,
+            );
-            archive_config.whitelist.len(),
+        }
-            archive_config.read_only
+    }
-        );
+    // Parse and log repository configuration
+    if let Ok(repository_config) = config.repository_config() {
+        if repository_config.enabled() {
+            tracing::info!(
+                "Repository whitelist enabled: whitelist_entries={}",
+                repository_config.whitelist.len()
+            );
+        }
    }
    // Create write policy with purgatory integration
-    let write_policy = Nip34WritePolicy::new(
+    let write_policy =
-        &config.domain,
+        Nip34WritePolicy::new(database.clone(), &git_data_path, purgatory, config.clone());
-        database.clone(),
-        &git_data_path,
-        purgatory,
-        archive_config,
-    );
    let relay = LocalRelayBuilder::default()
        .database(database.clone())
author	DanConwayDev <DanConwayDev@protonmail.com>	2026-01-12 21:06:39 +0000
committer	DanConwayDev <DanConwayDev@protonmail.com>	2026-01-12 21:21:52 +0000
commit	82b56c37b26a2fac1a294873e539b19b9325dca6 (patch)
tree	07800949230f13f91fec2eebbd94b8fbb00dd83f /src/nostr/builder.rs
parent	a12927181c571fc1641772ad44dd4c6a4ab209d9 (diff)

diff --git a/src/nostr/builder.rs b/src/nostr/builder.rs index 33f2fe5..10f7648 100644 --- a/src/nostr/builder.rs +++ b/src/nostr/builder.rs
@@ -51,15 +51,14 @@ impl std::fmt::Debug for Nip34WritePolicy {
51		51
52	impl Nip34WritePolicy {	52	impl Nip34WritePolicy {
53	pub fn new(	53	pub fn new(
54	domain: impl Into<String>,
55	database: SharedDatabase,	54	database: SharedDatabase,
56	git_data_path: impl Into<std::path::PathBuf>,	55	git_data_path: impl Into<std::path::PathBuf>,
57	purgatory: std::sync::Arc<crate::purgatory::Purgatory>,	56	purgatory: std::sync::Arc<crate::purgatory::Purgatory>,
58	archive_config: crate::config::ArchiveConfig,	57	config: crate::config::Config,
59	) -> Self {	58	) -> Self {
60	let ctx = PolicyContext::new(domain, database, git_data_path, purgatory);	59	let ctx = PolicyContext::new(&config.domain, database, git_data_path, purgatory);
61	Self {	60	Self {
62	announcement_policy: AnnouncementPolicy::new(ctx.clone(), archive_config),	61	announcement_policy: AnnouncementPolicy::new(ctx.clone(), config.clone()),
63	state_policy: StatePolicy::new(ctx.clone()),	62	state_policy: StatePolicy::new(ctx.clone()),
64	pr_event_policy: PrEventPolicy::new(ctx.clone()),	63	pr_event_policy: PrEventPolicy::new(ctx.clone()),
65	related_event_policy: RelatedEventPolicy::new(ctx.clone()),	64	related_event_policy: RelatedEventPolicy::new(ctx.clone()),
@@ -568,28 +567,31 @@ pub async fn create_relay(
568	// Clone Arc for the write policy so both relay and policy can access the database	567	// Clone Arc for the write policy so both relay and policy can access the database
569	let git_data_path = config.effective_git_data_path();	568	let git_data_path = config.effective_git_data_path();
570		569
571	// Parse archive configuration	570	// Parse and log archive configuration
572	let archive_config = config	571	if let Ok(archive_config) = config.archive_config() {
573	.archive_config()	572	if archive_config.enabled() {
574	.map_err(\|e\| anyhow::anyhow!("Failed to parse archive configuration: {}", e))?;	573	tracing::info!(
575		574	"GRASP-05 archive mode enabled: archive_all={}, whitelist_entries={}, read_only={}",
576	if archive_config.enabled() {	575	archive_config.archive_all,
577	tracing::info!(	576	archive_config.whitelist.len(),
578	"GRASP-05 archive mode enabled: archive_all={}, whitelist_entries={}, read_only={}",	577	archive_config.read_only
579	archive_config.archive_all,	578	);
580	archive_config.whitelist.len(),	579	}
581	archive_config.read_only	580	}
582	);	581
		582	// Parse and log repository configuration
		583	if let Ok(repository_config) = config.repository_config() {
		584	if repository_config.enabled() {
		585	tracing::info!(
		586	"Repository whitelist enabled: whitelist_entries={}",
		587	repository_config.whitelist.len()
		588	);
		589	}
583	}	590	}
584		591
585	// Create write policy with purgatory integration	592	// Create write policy with purgatory integration
586	let write_policy = Nip34WritePolicy::new(	593	let write_policy =
587	&config.domain,	594	Nip34WritePolicy::new(database.clone(), &git_data_path, purgatory, config.clone());
588	database.clone(),
589	&git_data_path,
590	purgatory,
591	archive_config,
592	);
593		595
594	let relay = LocalRelayBuilder::default()	596	let relay = LocalRelayBuilder::default()
595	.database(database.clone())	597	.database(database.clone())