feat(config): add event blacklist to block all events from specific authors

Adds NGIT_EVENT_BLACKLIST option for blocking all events from specific npubs, taking precedence over all other validation to enable comprehensive moderation without affecting curation policy. Key features: - Simple npub-only format: <npub>,<npub>,... - Checked FIRST before any other validation (including repository blacklist) - Blocks ALL event types (announcements, state events, PRs, comments, etc.) - Events never reach relay storage or purgatory - Specific rejection reason for operator debugging Implementation: - Add EventBlacklistConfig struct with check() method - Add NGIT_EVENT_BLACKLIST config option and event_blacklist_config() method - Add config field to PolicyContext for policy access - Add check_event_blacklist() to Nip34WritePolicy - Check event blacklist first in admit_event() method (before any other validation) - 4 new unit tests covering all blacklist behavior Configuration synced across all four sources: - src/config.rs: Core implementation with EventBlacklistConfig - .env.example: Comprehensive documentation with examples - docs/reference/configuration.md: Complete reference documentation - nix/module.nix: NixOS module option with environment mapping README updates: - Add comprehensive "Curation & Moderation" section - Document repository whitelists (GRASP-01 and GRASP-05 modes) - Document repository and event blacklists with precedence order - Add configuration table for all curation/moderation settings - Provide real-world examples for different relay configurations Testing: - 4 new tests for event blacklist functionality - All 336 library tests passing - All 64 integration tests passing - All 38 filter support tests passing Verification: - Repository blacklist confirmed to apply to sync (uses same admit_event flow) - Sync events validated through process_event_static -> write_policy.admit_event Use cases: - Block spam/abusive users completely - Prevent malicious actors from submitting any events - Temporary blocks for investigation - Moderation without affecting whitelist curation policy
author: DanConwayDev <DanConwayDev@protonmail.com> 2026-01-12 21:51:57 +0000
committer: DanConwayDev <DanConwayDev@protonmail.com> 2026-01-12 21:51:57 +0000
commit: c8ab2c9c294ae9401ff542d0eecc6606b7908412 (patch)
tree: 2ecf96e0265c855940df149781a0a24640408e1e /src/nostr/policy
parent: 70c577f10bbe150b6b13bec545dc8720ad005a64 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/nostr/policy/mod.rs b/src/nostr/policy/mod.rs
index dc023a9..1566b6c 100644
--- a/src/nostr/policy/mod.rs
+++ b/src/nostr/policy/mod.rs
@@ -32,6 +32,8 @@ pub struct PolicyContext {
    pub purgatory: Arc<Purgatory>,
    /// Local relay for notifying WebSocket subscribers (set after relay creation)
    pub local_relay: Arc<std::sync::RwLock<Option<LocalRelay>>>,
+    /// Configuration reference for policy settings (includes blacklists)
+    pub config: crate::config::Config,
 }
 impl PolicyContext {
@@ -40,6 +42,7 @@ impl PolicyContext {
        database: SharedDatabase,
        git_data_path: impl Into<std::path::PathBuf>,
        purgatory: Arc<Purgatory>,
+        config: crate::config::Config,
    ) -> Self {
        Self {
            domain: domain.into(),
@@ -47,6 +50,7 @@ impl PolicyContext {
            git_data_path: git_data_path.into(),
            purgatory,
            local_relay: Arc::new(std::sync::RwLock::new(None)),
+            config,
        }
    }
author	DanConwayDev <DanConwayDev@protonmail.com>	2026-01-12 21:51:57 +0000
committer	DanConwayDev <DanConwayDev@protonmail.com>	2026-01-12 21:51:57 +0000
commit	c8ab2c9c294ae9401ff542d0eecc6606b7908412 (patch)
tree	2ecf96e0265c855940df149781a0a24640408e1e /src/nostr/policy
parent	70c577f10bbe150b6b13bec545dc8720ad005a64 (diff)