feat: announcement purgatory

Extends purgatory to hold repository announcements until git data arrives,
preventing empty repositories from being served to clients.

When an announcement is received, a bare repo is created immediately and the
announcement is held in purgatory. It is only promoted and served once a git
push confirms real content exists. If no push arrives before expiry, the bare
repo is deleted and the announcement is silently discarded.

Key behaviours:
- Soft expiry: announcements are hidden from clients but kept alive while git
  pushes are in progress, reviving on successful push
- Expiry is extended when a matching state event or git push is observed
- NIP-09 deletion events remove announcements from purgatory
- Purgatory state (announcements, state events, PR events, expired set) is
  persisted to disk on graceful shutdown and restored on startup, with elapsed
  downtime subtracted from expiry deadlines
- Purgatory announcements drive StateOnly sync in the sync system so state
  events are fetched from listed relays before promotion
- SyncLevel added to RepoSyncIndex to distinguish purgatory repos (StateOnly)
  from promoted repos (Full L2+L3 sync)

7 files changed, 880 insertions, 14 deletions

diff --git a/src/nostr/builder.rs b/src/nostr/builder.rs
index 713c129..7a05348 100644
--- a/src/nostr/builder.rs
+++ b/src/nostr/builder.rs
@@ -14,10 +14,11 @@ use nostr_relay_builder::prelude::*;
 use crate::config::{Config, DatabaseBackend};
 use crate::nostr::events::RepositoryAnnouncement;
 use crate::nostr::policy::{
-    AnnouncementPolicy, AnnouncementResult, PolicyContext, PrEventPolicy, ReferenceResult,
-    RelatedEventPolicy, StatePolicy, StateResult,
+    AnnouncementPolicy, AnnouncementResult, DeletionPolicy, PolicyContext, PrEventPolicy,
+    ReferenceResult, RelatedEventPolicy, StatePolicy, StateResult,
 };
 
+
 /// Type alias for the shared database used by the relay
 pub type SharedDatabase = Arc<dyn NostrDatabase>;
 
@@ -28,6 +29,7 @@ pub type SharedDatabase = Arc<dyn NostrDatabase>;
 /// - `StatePolicy` - State event validation + ref alignment
 /// - `PrEventPolicy` - PR/PR Update validation
 /// - `RelatedEventPolicy` - Forward/backward reference checking
+/// - `DeletionPolicy` - NIP-09 event deletion request handling
 ///
 /// Uses stateful database queries to check event relationships.
 #[derive(Clone)]
@@ -37,6 +39,7 @@ pub struct Nip34WritePolicy {
     state_policy: StatePolicy,
     pr_event_policy: PrEventPolicy,
     related_event_policy: RelatedEventPolicy,
+    deletion_policy: DeletionPolicy,
 }
 
 impl std::fmt::Debug for Nip34WritePolicy {
@@ -68,6 +71,7 @@ impl Nip34WritePolicy {
             state_policy: StatePolicy::new(ctx.clone()),
             pr_event_policy: PrEventPolicy::new(ctx.clone()),
             related_event_policy: RelatedEventPolicy::new(ctx.clone()),
+            deletion_policy: DeletionPolicy::new(ctx.clone()),
             ctx,
         }
     }
@@ -205,6 +209,30 @@ impl Nip34WritePolicy {
                     }
                 }
             }
+            AnnouncementResult::AcceptPurgatory => {
+                // New announcement - add to purgatory
+                match self.announcement_policy.add_to_purgatory(event) {
+                    Ok(()) => {
+                        tracing::info!(
+                            "Accepted announcement to purgatory: {} (waiting for git data)",
+                            event_id_str
+                        );
+
+                        WritePolicyResult::Reject {
+                            status: true, // Client sees OK
+                            message: "purgatory: won't be served until git data arrives".into(),
+                        }
+                    }
+                    Err(e) => {
+                        tracing::warn!(
+                            "Failed to add announcement to purgatory {}: {}",
+                            event_id_str,
+                            e
+                        );
+                        WritePolicyResult::reject(e)
+                    }
+                }
+            }
             AnnouncementResult::AcceptMaintainer => {
                 // Parse announcement to get details for logging
                 match RepositoryAnnouncement::from_event(event.clone()) {
@@ -621,6 +649,7 @@ impl WritePolicy for Nip34WritePolicy {
                     );
                     WritePolicyResult::Accept
                 }
+                Kind::EventDeletion => self.deletion_policy.handle(event).await,
                 _ => self.handle_related_event(event, "Event").await,
             }
         })
diff --git a/src/nostr/policy/announcement.rs b/src/nostr/policy/announcement.rs
index 15a6e58..b366f0b 100644
--- a/src/nostr/policy/announcement.rs
+++ b/src/nostr/policy/announcement.rs
@@ -3,6 +3,8 @@
 /// Handles validation of NIP-34 repository announcements (kind 30617)
 /// according to GRASP-01 specification.
 use nostr_relay_builder::prelude::{Alphabet, Event, Filter, Kind, PublicKey, SingleLetterTag};
+use std::collections::HashSet;
+use std::time::Duration;
 
 use super::PolicyContext;
 use crate::config::Config;
@@ -11,12 +13,14 @@ use crate::nostr::events::{validate_announcement, RepositoryAnnouncement};
 /// Result of announcement policy evaluation
 #[derive(Debug, Clone, PartialEq)]
 pub enum AnnouncementResult {
-    /// Accept: Event lists our service (GRASP-01 compliant)
+    /// Accept: Event lists our service (GRASP-01 compliant) - replacement announcement
     Accept,
     /// Accept as maintainer: Event accepted via maintainer exception (multi-maintainer)
     AcceptMaintainer,
     /// Accept as archive: Event accepted via GRASP-05 archive whitelist (read-only)
     AcceptArchive,
+    /// Accept to purgatory: New announcement, waiting for git data
+    AcceptPurgatory,
     /// Reject: Event fails validation with reason
     Reject(String),
 }
@@ -35,10 +39,13 @@ impl AnnouncementPolicy {
 
     /// Validate a repository announcement event
     ///
-    /// Returns `Accept` if the announcement lists the service properly,
-    /// `AcceptMaintainer` if accepted via maintainer exception,
-    /// `AcceptArchive` if accepted via GRASP-05 archive config,
-    /// or `Reject` with reason.
+    /// Returns:
+    /// - `Accept` if this is a replacement announcement (active announcement exists in DB or
+    ///   purgatory)
+    /// - `AcceptPurgatory` if this is a new announcement (no active announcement exists)
+    /// - `AcceptMaintainer` if accepted via maintainer exception
+    /// - `AcceptArchive` if accepted via GRASP-05 archive config
+    /// - `Reject` with reason if validation fails
     pub async fn validate(&self, event: &Event) -> AnnouncementResult {
         // First, try validation (GRASP-01 + GRASP-05)
         let validation_result = validate_announcement(event, &self.config);
@@ -49,6 +56,23 @@ impl AnnouncementPolicy {
                 // GRASP-01 Exception: Accept announcements from recursive maintainers
                 match RepositoryAnnouncement::from_event(event.clone()) {
                     Ok(announcement) => {
+                        // If this pubkey+identifier has a purgatory entry AND the incoming
+                        // event is strictly newer, the owner is sending a replacement that
+                        // removes our service. Clear the purgatory entry and its bare repo.
+                        //
+                        // If the incoming event is older than the purgatory entry (e.g. a
+                        // relay replay of a superseded announcement), ignore it — the newer
+                        // purgatory entry takes precedence and must not be evicted.
+                        let should_evict = self
+                            .ctx
+                            .purgatory
+                            .find_announcement(&event.pubkey, &announcement.identifier)
+                            .is_some_and(|entry| event.created_at > entry.event.created_at);
+
+                        if should_evict {
+                            self.remove_purgatory_announcement(&event.pubkey, &announcement.identifier);
+                        }
+
                         match self
                             .is_maintainer_in_any_announcement(
                                 &announcement.identifier,
@@ -67,11 +91,221 @@ impl AnnouncementPolicy {
                     Err(_) => AnnouncementResult::Reject(reason),
                 }
             }
-            // Accept, AcceptArchive, or AcceptMaintainer - return as-is
+            AnnouncementResult::Accept | AnnouncementResult::AcceptArchive => {
+                // Parse announcement to check for existing active announcement
+                match RepositoryAnnouncement::from_event(event.clone()) {
+                    Ok(announcement) => {
+                        let in_db = match self
+                            .has_db_announcement(&event.pubkey, &announcement.identifier)
+                            .await
+                        {
+                            Ok(v) => v,
+                            Err(e) => {
+                                tracing::warn!(
+                                    error = %e,
+                                    "Failed to check for existing DB announcement - rejecting"
+                                );
+                                return AnnouncementResult::Reject(format!(
+                                    "Database error checking existing announcement: {}",
+                                    e
+                                ));
+                            }
+                        };
+
+                        if in_db {
+                            // Replacement announcement with DB entry - accept immediately
+                            tracing::debug!(
+                                identifier = %announcement.identifier,
+                                "Replacement announcement (DB) - accepting immediately"
+                            );
+                            return validation_result;
+                        }
+
+                        let in_purgatory = self
+                            .ctx
+                            .purgatory
+                            .has_purgatory_announcement(&event.pubkey, &announcement.identifier);
+
+                        if in_purgatory {
+                            // Replacement announcement with purgatory entry - replace it and
+                            // extend expiry so the new announcement gets a fresh 30-minute window.
+                            tracing::debug!(
+                                identifier = %announcement.identifier,
+                                "Replacement announcement (purgatory) - replacing purgatory entry"
+                            );
+                            self.replace_purgatory_announcement(event, &announcement);
+                            // Return Accept (not AcceptPurgatory) - this is a replacement, not new
+                            return validation_result;
+                        }
+
+                        // No existing announcement - route to purgatory
+                        tracing::debug!(
+                            identifier = %announcement.identifier,
+                            "New announcement - routing to purgatory"
+                        );
+                        AnnouncementResult::AcceptPurgatory
+                    }
+                    Err(e) => AnnouncementResult::Reject(format!(
+                        "Failed to parse announcement: {}",
+                        e
+                    )),
+                }
+            }
+            // AcceptPurgatory shouldn't come from validate_announcement, but handle it
             result => result,
         }
     }
 
+    /// Replace a purgatory announcement entry with a newer event.
+    ///
+    /// Called when a replacement announcement arrives for a (pubkey, identifier) pair
+    /// that is currently in purgatory. Updates the purgatory entry and extends the
+    /// expiry so the new announcement has a fresh waiting window.
+    fn replace_purgatory_announcement(
+        &self,
+        event: &Event,
+        announcement: &RepositoryAnnouncement,
+    ) {
+        let repo_path = self.ctx.git_data_path.join(announcement.repo_path());
+        let relays: HashSet<String> = announcement.relays.iter().cloned().collect();
+
+        // add_announcement uses the (owner, identifier) key so it overwrites the old entry
+        self.ctx.purgatory.add_announcement(
+            event.clone(),
+            announcement.identifier.clone(),
+            event.pubkey,
+            repo_path,
+            relays,
+        );
+
+        // Extend the announcement's expiry (reset to full 30 min window)
+        self.ctx.purgatory.extend_announcement_expiry(
+            &event.pubkey,
+            &announcement.identifier,
+            Duration::from_secs(1800),
+        );
+
+        // Also extend any state events waiting for this identifier
+        let state_entries = self.ctx.purgatory.find_state(&announcement.identifier);
+        if !state_entries.is_empty() {
+            let state_ids: Vec<_> = state_entries.iter().map(|e| e.event.id).collect();
+            self.ctx.purgatory.extend_expiry(
+                &announcement.identifier,
+                &state_ids,
+                Duration::from_secs(1800),
+            );
+        }
+    }
+
+    /// Remove a purgatory announcement and clean up associated resources.
+    ///
+    /// Called when a replacement announcement is rejected (owner removed our service).
+    /// Deletes the bare repository from disk and removes any state events waiting for
+    /// this identifier.
+    fn remove_purgatory_announcement(&self, pubkey: &PublicKey, identifier: &str) {
+        // Get the repo path before removing from purgatory
+        if let Some(entry) = self.ctx.purgatory.find_announcement(pubkey, identifier) {
+            // Delete the bare repository from disk
+            if entry.repo_path.exists() {
+                if let Err(e) = std::fs::remove_dir_all(&entry.repo_path) {
+                    tracing::warn!(
+                        path = %entry.repo_path.display(),
+                        error = %e,
+                        "Failed to delete bare repository during purgatory cleanup"
+                    );
+                } else {
+                    tracing::info!(
+                        path = %entry.repo_path.display(),
+                        "Deleted bare repository for rejected purgatory announcement"
+                    );
+                }
+            }
+        }
+
+        // Remove the announcement from purgatory
+        self.ctx.purgatory.remove_announcement(pubkey, identifier);
+
+        // Only remove state events if no other owner still has an announcement in purgatory
+        // for this identifier. State events are keyed by identifier alone, so blindly removing
+        // them would also discard state events legitimately belonging to a different owner's
+        // repository that happens to share the same identifier string.
+        let other_owners_remain = !self
+            .ctx
+            .purgatory
+            .get_announcements_by_identifier(identifier)
+            .is_empty();
+
+        if !other_owners_remain {
+            self.ctx.purgatory.remove_state(identifier);
+        }
+
+        tracing::info!(
+            identifier = %identifier,
+            other_owners_remain = %other_owners_remain,
+            "Cleared purgatory entry: owner removed our service from announcement"
+        );
+    }
+
+    /// Check if there's an announcement in the database for this (pubkey, identifier).
+    ///
+    /// Only checks the database (promoted announcements). For purgatory checks use
+    /// `purgatory.has_purgatory_announcement()` directly.
+    async fn has_db_announcement(
+        &self,
+        pubkey: &PublicKey,
+        identifier: &str,
+    ) -> Result<bool, String> {
+        let filter = Filter::new()
+            .kind(Kind::GitRepoAnnouncement)
+            .author(*pubkey)
+            .custom_tag(
+                SingleLetterTag::lowercase(Alphabet::D),
+                identifier.to_string(),
+            );
+
+        let events: Vec<Event> = match self.ctx.database.query(filter).await {
+            Ok(events) => events.into_iter().collect(),
+            Err(e) => return Err(format!("Database query failed: {}", e)),
+        };
+
+        Ok(!events.is_empty())
+    }
+
+    /// Add an announcement to purgatory
+    ///
+    /// Creates the bare repository and stores the announcement in purgatory
+    /// until git data arrives.
+    pub fn add_to_purgatory(&self, event: &Event) -> Result<(), String> {
+        let announcement = RepositoryAnnouncement::from_event(event.clone())
+            .map_err(|e| format!("Failed to parse announcement: {}", e))?;
+
+        // Create bare repository
+        self.ensure_bare_repository(&announcement)?;
+
+        // Build repo path
+        let repo_path = self.ctx.git_data_path.join(announcement.repo_path());
+
+        // Extract relays from announcement
+        let relays: HashSet<String> = announcement.relays.iter().cloned().collect();
+
+        // Add to purgatory
+        self.ctx.purgatory.add_announcement(
+            event.clone(),
+            announcement.identifier.clone(),
+            event.pubkey,
+            repo_path,
+            relays,
+        );
+
+        tracing::info!(
+            identifier = %announcement.identifier,
+            event_id = %event.id,
+            "Added announcement to purgatory"
+        );
+
+        Ok(())
+    }
+
     /// Create a bare git repository if it doesn't exist
     /// Path format: <git_data_path>/<npub>/<identifier>.git
     pub fn ensure_bare_repository(
@@ -117,6 +351,11 @@ impl AnnouncementPolicy {
     ///
     /// This enables accepting announcements from maintainers even when they don't list
     /// this GRASP server, for maintainer chain discovery and GRASP-02 sync.
+    ///
+    /// Checks both the database (promoted announcements) and purgatory (announcements
+    /// waiting for git data). This is necessary because a maintainer's announcement
+    /// (which lists the recursive maintainer) may still be in purgatory when the
+    /// recursive maintainer's announcement arrives.
     async fn is_maintainer_in_any_announcement(
         &self,
         identifier: &str,
@@ -128,12 +367,26 @@ impl AnnouncementPolicy {
             identifier.to_string(),
         );
 
-        let announcements: Vec<Event> = match self.ctx.database.query(filter).await {
+        let db_announcements: Vec<Event> = match self.ctx.database.query(filter).await {
             Ok(events) => events.into_iter().collect(),
             Err(e) => return Err(format!("Database query failed: {}", e)),
         };
 
-        if announcements.is_empty() {
+        // Also collect purgatory announcements for this identifier
+        let purgatory_announcements: Vec<Event> = self
+            .ctx
+            .purgatory
+            .get_announcements_by_identifier(identifier)
+            .into_iter()
+            .map(|entry| entry.event)
+            .collect();
+
+        let all_announcements: Vec<&Event> = db_announcements
+            .iter()
+            .chain(purgatory_announcements.iter())
+            .collect();
+
+        if all_announcements.is_empty() {
             // No existing announcements for this identifier - author cannot be a maintainer
             return Ok(false);
         }
@@ -141,14 +394,14 @@ impl AnnouncementPolicy {
         let author_hex = author.to_hex();
 
         // Check each announcement to see if author is listed as a maintainer
-        for event in &announcements {
+        for event in &all_announcements {
             // Check if author is the owner of this announcement
             if event.pubkey == *author {
                 return Ok(true);
             }
 
             // Check if author is listed in the maintainers tag
-            if let Ok(announcement) = RepositoryAnnouncement::from_event(event.clone()) {
+            if let Ok(announcement) = RepositoryAnnouncement::from_event((*event).clone()) {
                 if announcement.maintainers.contains(&author_hex) {
                     return Ok(true);
                 }
diff --git a/src/nostr/policy/deletion.rs b/src/nostr/policy/deletion.rs
new file mode 100644
index 0000000..6457c90
--- /dev/null
+++ b/src/nostr/policy/deletion.rs
@@ -0,0 +1,498 @@
+/// Deletion Policy - NIP-09 event deletion request handling
+///
+/// Handles kind 5 (EventDeletion) events that request removal of purgatory entries
+/// for repository announcements (kind 30617) and state events (kind 30618).
+///
+/// ## NIP-09 Rules Enforced
+///
+/// - Only the event author can delete their own events (pubkey must match)
+/// - `e` tags reference specific event IDs to delete
+/// - `a` tags reference addressable events by coordinate (`<kind>:<pubkey>:<d-identifier>`)
+/// - When an `a` tag is used, all versions up to `created_at` of the deletion request
+///   are considered deleted
+///
+/// ## Purgatory Interaction
+///
+/// - Kind 30617 (announcement) in purgatory: entry removed, bare repo deleted from disk
+/// - Kind 30618 (state event) in purgatory: matching state event(s) removed by event ID
+///   or by (author, identifier) coordinate
+use nostr_relay_builder::prelude::{Event, WritePolicyResult};
+
+use super::PolicyContext;
+
+/// Policy for handling NIP-09 event deletion requests
+#[derive(Clone)]
+pub struct DeletionPolicy {
+    ctx: PolicyContext,
+}
+
+impl DeletionPolicy {
+    pub fn new(ctx: PolicyContext) -> Self {
+        Self { ctx }
+    }
+
+    /// Process a kind 5 (EventDeletion) event.
+    ///
+    /// Checks whether the deletion request targets any purgatory announcements
+    /// and removes them if so. The deletion event itself is always accepted
+    /// (relays should store deletion requests per NIP-09).
+    ///
+    /// Only the event author can delete their own events — this is enforced by
+    /// checking that the purgatory entry's owner matches `event.pubkey`.
+    pub async fn handle(&self, event: &Event) -> WritePolicyResult {
+        // Process purgatory removals synchronously (no async needed)
+        self.remove_purgatory_targets(event);
+
+        // Always accept the deletion event itself so it is stored and
+        // can prevent re-acceptance of the deleted event in the future.
+        WritePolicyResult::Accept
+    }
+
+    /// Remove any purgatory entries targeted by this deletion event.
+    ///
+    /// Handles both reference styles from NIP-09:
+    /// - `e` tags: event ID references — match against announcement or state event IDs
+    /// - `a` tags: addressable coordinate references — `30617:…` or `30618:…`
+    ///
+    /// Only removes entries where the purgatory entry's author matches the deletion
+    /// event's pubkey (enforces author-only deletion).
+    fn remove_purgatory_targets(&self, event: &Event) {
+        let author = &event.pubkey;
+
+        for tag in event.tags.iter() {
+            let tag_vec = tag.as_slice();
+            if tag_vec.len() < 2 {
+                continue;
+            }
+
+            match tag_vec[0].as_str() {
+                "e" => {
+                    // Event ID reference: find purgatory announcement with this event ID
+                    let target_id = &tag_vec[1];
+                    self.remove_by_event_id(author, target_id, event.created_at.as_secs());
+                }
+                "a" => {
+                    // Addressable coordinate reference: `<kind>:<pubkey>:<d-identifier>`
+                    let coord = &tag_vec[1];
+                    self.remove_by_coordinate(author, coord, event.created_at.as_secs());
+                }
+                _ => {}
+            }
+        }
+    }
+
+    /// Remove a purgatory entry (announcement, state event, or PR event) matched by event ID.
+    ///
+    /// Checks in order: announcements (30617), state events (30618), PR/PR-update events.
+    /// Only removes entries whose author matches `author`.
+    fn remove_by_event_id(
+        &self,
+        author: &nostr_relay_builder::prelude::PublicKey,
+        target_id_hex: &str,
+        _deletion_created_at: u64,
+    ) {
+        // --- Check PR events (kind 1617/1618) first — O(1) direct lookup ---
+        // PR purgatory is keyed by event ID hex, so this is the cheapest check.
+        // Only remove if the entry has an actual event (not a placeholder) and the
+        // event's author matches the deletion request author.
+        if let Some(entry) = self.ctx.purgatory.find_pr(target_id_hex) {
+            if let Some(ref event) = entry.event {
+                if event.pubkey == *author {
+                    tracing::info!(
+                        event_id = %target_id_hex,
+                        author = %author.to_hex(),
+                        "Deletion request: removing purgatory PR event by event ID"
+                    );
+                    self.ctx.purgatory.remove_pr(target_id_hex);
+                    return;
+                }
+            }
+            // Entry exists but is a placeholder or wrong author — don't remove
+            return;
+        }
+
+        // --- Check announcements (kind 30617) ---
+        // The DashMap doesn't expose a direct "find by event ID" method, so we use
+        // the announcements_for_sync snapshot to enumerate all (repo_id, _) pairs.
+        let all = self.ctx.purgatory.announcements_for_sync();
+        for (repo_id, _) in all {
+            // repo_id format: "30617:{pubkey_hex}:{identifier}"
+            let parts: Vec<&str> = repo_id.splitn(3, ':').collect();
+            if parts.len() != 3 {
+                continue;
+            }
+            let entry_pubkey_hex = parts[1];
+            let identifier = parts[2];
+
+            if entry_pubkey_hex != author.to_hex() {
+                continue;
+            }
+
+            if let Some(entry) = self.ctx.purgatory.find_announcement(author, identifier) {
+                if entry.event.id.to_hex() == target_id_hex {
+                    tracing::info!(
+                        event_id = %target_id_hex,
+                        identifier = %identifier,
+                        author = %author.to_hex(),
+                        "Deletion request: removing purgatory announcement by event ID"
+                    );
+                    self.evict_purgatory_entry(author, identifier);
+                    return; // event IDs are unique
+                }
+            }
+        }
+
+        // --- Check state events (kind 30618) ---
+        // State events are keyed by identifier; scan all identifiers for a match.
+        let state_identifiers = self.ctx.purgatory.get_all_identifiers();
+        for identifier in state_identifiers {
+            let entries = self.ctx.purgatory.find_state(&identifier);
+            for entry in entries {
+                if entry.author == *author && entry.event.id.to_hex() == target_id_hex {
+                    tracing::info!(
+                        event_id = %target_id_hex,
+                        identifier = %identifier,
+                        author = %author.to_hex(),
+                        "Deletion request: removing purgatory state event by event ID"
+                    );
+                    self.ctx.purgatory.remove_state_event(&identifier, &entry.event.id);
+                    return; // event IDs are unique
+                }
+            }
+        }
+    }
+
+    /// Remove a purgatory entry matched by addressable coordinate.
+    ///
+    /// The coordinate format is `<kind>:<pubkey>:<d-identifier>`.
+    /// Handles kind 30617 (announcements) and kind 30618 (state events).
+    ///
+    /// Per NIP-09, all versions up to `deletion_created_at` are considered deleted.
+    fn remove_by_coordinate(
+        &self,
+        author: &nostr_relay_builder::prelude::PublicKey,
+        coordinate: &str,
+        deletion_created_at: u64,
+    ) {
+        // Parse coordinate: `<kind>:<pubkey>:<d-identifier>`
+        let parts: Vec<&str> = coordinate.splitn(3, ':').collect();
+        if parts.len() != 3 {
+            return;
+        }
+
+        let kind_str = parts[0];
+        let coord_pubkey_hex = parts[1];
+        let identifier = parts[2];
+
+        // The coordinate pubkey must match the deletion event author
+        if coord_pubkey_hex != author.to_hex() {
+            tracing::debug!(
+                coord_pubkey = %coord_pubkey_hex,
+                deletion_author = %author.to_hex(),
+                "Ignoring deletion: coordinate pubkey does not match deletion author"
+            );
+            return;
+        }
+
+        match kind_str {
+            "30617" => {
+                // Announcement purgatory entry
+                if let Some(entry) = self.ctx.purgatory.find_announcement(author, identifier) {
+                    if entry.event.created_at.as_secs() <= deletion_created_at {
+                        tracing::info!(
+                            identifier = %identifier,
+                            author = %author.to_hex(),
+                            "Deletion request: removing purgatory announcement by coordinate"
+                        );
+                        self.evict_purgatory_entry(author, identifier);
+                    } else {
+                        tracing::debug!(
+                            identifier = %identifier,
+                            author = %author.to_hex(),
+                            "Ignoring deletion: purgatory announcement is newer than deletion request"
+                        );
+                    }
+                }
+            }
+            "30618" => {
+                // State event purgatory entries for this (author, identifier).
+                // Remove all entries authored by `author` with created_at ≤ deletion_created_at.
+                let entries = self.ctx.purgatory.find_state(identifier);
+                let mut removed = 0usize;
+                for entry in entries {
+                    if entry.author == *author
+                        && entry.event.created_at.as_secs() <= deletion_created_at
+                    {
+                        self.ctx.purgatory.remove_state_event(identifier, &entry.event.id);
+                        removed += 1;
+                    }
+                }
+                if removed > 0 {
+                    tracing::info!(
+                        identifier = %identifier,
+                        author = %author.to_hex(),
+                        removed = %removed,
+                        "Deletion request: removed purgatory state event(s) by coordinate"
+                    );
+                }
+            }
+            _ => {
+                // Other kinds not handled
+            }
+        }
+    }
+
+    /// Remove a purgatory announcement and delete its bare repository from disk.
+    fn evict_purgatory_entry(
+        &self,
+        author: &nostr_relay_builder::prelude::PublicKey,
+        identifier: &str,
+    ) {
+        // Get repo path before removing
+        if let Some(entry) = self.ctx.purgatory.find_announcement(author, identifier) {
+            if entry.repo_path.exists() {
+                if let Err(e) = std::fs::remove_dir_all(&entry.repo_path) {
+                    tracing::warn!(
+                        path = %entry.repo_path.display(),
+                        error = %e,
+                        "Failed to delete bare repository during deletion request processing"
+                    );
+                } else {
+                    tracing::info!(
+                        path = %entry.repo_path.display(),
+                        "Deleted bare repository for deletion-requested purgatory announcement"
+                    );
+                }
+            }
+        }
+
+        self.ctx.purgatory.remove_announcement(author, identifier);
+
+        // Remove state events for this identifier only if no other owner's
+        // announcement remains in purgatory (state events are keyed by identifier alone)
+        let other_owners_remain = !self
+            .ctx
+            .purgatory
+            .get_announcements_by_identifier(identifier)
+            .is_empty();
+
+        if !other_owners_remain {
+            self.ctx.purgatory.remove_state(identifier);
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::nostr::policy::PolicyContext;
+    use crate::purgatory::Purgatory;
+    use nostr_relay_builder::prelude::*;
+    use std::collections::HashSet;
+    use std::path::PathBuf;
+    use std::sync::Arc;
+
+    fn make_context() -> PolicyContext {
+        let db = Arc::new(MemoryDatabase::with_opts(MemoryDatabaseOptions {
+            events: true,
+            max_events: None,
+        }));
+        let purgatory = Arc::new(Purgatory::new(PathBuf::new()));
+        let config = crate::config::Config::for_testing();
+        PolicyContext::new("test.example.com", db, PathBuf::new(), purgatory, config)
+    }
+
+    fn make_announcement_event(keys: &Keys, identifier: &str) -> Event {
+        EventBuilder::new(Kind::GitRepoAnnouncement, "")
+            .tags(vec![
+                Tag::identifier(identifier),
+                Tag::custom(TagKind::custom("clone"), vec!["https://example.com/repo.git"]),
+            ])
+            .sign_with_keys(keys)
+            .unwrap()
+    }
+
+    fn add_to_purgatory(ctx: &PolicyContext, event: &Event, identifier: &str) {
+        ctx.purgatory.add_announcement(
+            event.clone(),
+            identifier.to_string(),
+            event.pubkey,
+            PathBuf::new(),
+            HashSet::new(),
+        );
+    }
+
+    #[tokio::test]
+    async fn test_deletion_by_event_id_removes_purgatory_entry() {
+        let ctx = make_context();
+        let keys = Keys::generate();
+        let identifier = "my-repo";
+
+        let announcement = make_announcement_event(&keys, identifier);
+        add_to_purgatory(&ctx, &announcement, identifier);
+
+        assert!(ctx.purgatory.has_purgatory_announcement(&keys.public_key(), identifier));
+
+        // Build kind 5 deletion event referencing the announcement by event ID
+        let deletion = EventBuilder::new(Kind::EventDeletion, "")
+            .tags(vec![
+                Tag::event(announcement.id),
+                Tag::custom(TagKind::custom("k"), vec!["30617"]),
+            ])
+            .sign_with_keys(&keys)
+            .unwrap();
+
+        let policy = DeletionPolicy::new(ctx.clone());
+        let result = policy.handle(&deletion).await;
+
+        assert!(matches!(result, WritePolicyResult::Accept));
+        assert!(
+            !ctx.purgatory.has_purgatory_announcement(&keys.public_key(), identifier),
+            "Purgatory entry should have been removed"
+        );
+    }
+
+    #[tokio::test]
+    async fn test_deletion_by_coordinate_removes_purgatory_entry() {
+        let ctx = make_context();
+        let keys = Keys::generate();
+        let identifier = "my-repo";
+
+        let announcement = make_announcement_event(&keys, identifier);
+        add_to_purgatory(&ctx, &announcement, identifier);
+
+        assert!(ctx.purgatory.has_purgatory_announcement(&keys.public_key(), identifier));
+
+        // Build kind 5 deletion event referencing the announcement by coordinate
+        let coord = format!("30617:{}:{}", keys.public_key().to_hex(), identifier);
+        let deletion = EventBuilder::new(Kind::EventDeletion, "")
+            .tags(vec![
+                Tag::custom(TagKind::custom("a"), vec![coord]),
+                Tag::custom(TagKind::custom("k"), vec!["30617"]),
+            ])
+            .sign_with_keys(&keys)
+            .unwrap();
+
+        let policy = DeletionPolicy::new(ctx.clone());
+        let result = policy.handle(&deletion).await;
+
+        assert!(matches!(result, WritePolicyResult::Accept));
+        assert!(
+            !ctx.purgatory.has_purgatory_announcement(&keys.public_key(), identifier),
+            "Purgatory entry should have been removed"
+        );
+    }
+
+    #[tokio::test]
+    async fn test_deletion_by_wrong_author_does_not_remove() {
+        let ctx = make_context();
+        let owner_keys = Keys::generate();
+        let attacker_keys = Keys::generate();
+        let identifier = "my-repo";
+
+        let announcement = make_announcement_event(&owner_keys, identifier);
+        add_to_purgatory(&ctx, &announcement, identifier);
+
+        // Attacker tries to delete by event ID
+        let deletion = EventBuilder::new(Kind::EventDeletion, "")
+            .tags(vec![
+                Tag::event(announcement.id),
+                Tag::custom(TagKind::custom("k"), vec!["30617"]),
+            ])
+            .sign_with_keys(&attacker_keys)
+            .unwrap();
+
+        let policy = DeletionPolicy::new(ctx.clone());
+        let result = policy.handle(&deletion).await;
+
+        assert!(matches!(result, WritePolicyResult::Accept));
+        assert!(
+            ctx.purgatory.has_purgatory_announcement(&owner_keys.public_key(), identifier),
+            "Purgatory entry should NOT have been removed by wrong author"
+        );
+    }
+
+    #[tokio::test]
+    async fn test_deletion_by_coordinate_wrong_author_does_not_remove() {
+        let ctx = make_context();
+        let owner_keys = Keys::generate();
+        let attacker_keys = Keys::generate();
+        let identifier = "my-repo";
+
+        let announcement = make_announcement_event(&owner_keys, identifier);
+        add_to_purgatory(&ctx, &announcement, identifier);
+
+        // Attacker tries to delete by coordinate using owner's pubkey in coord
+        // but signs with their own key — coord pubkey != deletion author
+        let coord = format!("30617:{}:{}", owner_keys.public_key().to_hex(), identifier);
+        let deletion = EventBuilder::new(Kind::EventDeletion, "")
+            .tags(vec![
+                Tag::custom(TagKind::custom("a"), vec![coord]),
+                Tag::custom(TagKind::custom("k"), vec!["30617"]),
+            ])
+            .sign_with_keys(&attacker_keys)
+            .unwrap();
+
+        let policy = DeletionPolicy::new(ctx.clone());
+        let result = policy.handle(&deletion).await;
+
+        assert!(matches!(result, WritePolicyResult::Accept));
+        assert!(
+            ctx.purgatory.has_purgatory_announcement(&owner_keys.public_key(), identifier),
+            "Purgatory entry should NOT have been removed by wrong author"
+        );
+    }
+
+    #[tokio::test]
+    async fn test_deletion_of_nonexistent_entry_is_accepted() {
+        let ctx = make_context();
+        let keys = Keys::generate();
+
+        // No purgatory entry exists — deletion should still be accepted
+        let deletion = EventBuilder::new(Kind::EventDeletion, "")
+            .tags(vec![
+                Tag::custom(TagKind::custom("a"), vec![
+                    format!("30617:{}:nonexistent", keys.public_key().to_hex())
+                ]),
+            ])
+            .sign_with_keys(&keys)
+            .unwrap();
+
+        let policy = DeletionPolicy::new(ctx.clone());
+        let result = policy.handle(&deletion).await;
+
+        assert!(matches!(result, WritePolicyResult::Accept));
+    }
+
+    #[tokio::test]
+    async fn test_deletion_by_coordinate_respects_created_at() {
+        let ctx = make_context();
+        let keys = Keys::generate();
+        let identifier = "my-repo";
+
+        // Create announcement with a future timestamp
+        let future_ts = Timestamp::now().as_secs() + 3600; // 1 hour in the future
+        let announcement = EventBuilder::new(Kind::GitRepoAnnouncement, "")
+            .tags(vec![Tag::identifier(identifier)])
+            .custom_created_at(Timestamp::from(future_ts))
+            .sign_with_keys(&keys)
+            .unwrap();
+        add_to_purgatory(&ctx, &announcement, identifier);
+
+        // Deletion event with current timestamp (older than announcement)
+        let coord = format!("30617:{}:{}", keys.public_key().to_hex(), identifier);
+        let deletion = EventBuilder::new(Kind::EventDeletion, "")
+            .tags(vec![Tag::custom(TagKind::custom("a"), vec![coord])])
+            .sign_with_keys(&keys)
+            .unwrap();
+
+        let policy = DeletionPolicy::new(ctx.clone());
+        let result = policy.handle(&deletion).await;
+
+        assert!(matches!(result, WritePolicyResult::Accept));
+        assert!(
+            ctx.purgatory.has_purgatory_announcement(&keys.public_key(), identifier),
+            "Purgatory entry should NOT be removed: entry is newer than deletion request"
+        );
+    }
+}
diff --git a/src/nostr/policy/mod.rs b/src/nostr/policy/mod.rs
index 1566b6c..f5b981a 100644
--- a/src/nostr/policy/mod.rs
+++ b/src/nostr/policy/mod.rs
@@ -6,11 +6,13 @@
 /// - `PrEventPolicy` - PR/PR Update validation
 /// - `RelatedEventPolicy` - Forward/backward reference checking
 mod announcement;
+mod deletion;
 mod pr_event;
 mod related;
 mod state;
 
 pub use announcement::{AnnouncementPolicy, AnnouncementResult};
+pub use deletion::DeletionPolicy;
 pub use pr_event::PrEventPolicy;
 pub use related::{ReferenceResult, RelatedEventPolicy};
 pub use state::{StatePolicy, StateResult};
diff --git a/src/nostr/policy/pr_event.rs b/src/nostr/policy/pr_event.rs
index 00e09c3..072e445 100644
--- a/src/nostr/policy/pr_event.rs
+++ b/src/nostr/policy/pr_event.rs
@@ -127,6 +127,10 @@ impl PrEventPolicy {
                 .ok_or_else(|| anyhow::anyhow!("No identifier in PR event"))?;
 
             // Fetch repository data
+            // NOTE: Only fetch from database, NOT purgatory. Incoming PR events should
+            // only be accepted for announcements that have been promoted (validated).
+            // If the announcement is still in purgatory, the PR event should also go
+            // to purgatory and wait for the announcement to be promoted.
             let db_repo_data = fetch_repository_data(&self.ctx.database, &identifier).await?;
 
             // Extract owner pubkey from source repo path
@@ -203,6 +207,10 @@ impl PrEventPolicy {
         let identifier = parts[2];
 
         // 2. Fetch repo data
+        // NOTE: Only fetch from database, NOT purgatory. Incoming PR events should
+        // only be accepted for announcements that have been promoted (validated).
+        // If the announcement is still in purgatory, the PR event should also go
+        // to purgatory and wait for the announcement to be promoted.
         let db_repo_data = fetch_repository_data(&self.ctx.database, identifier).await?;
 
         // 3. Extract list of maintainers from "a 30617:<maintainer>:<identifier>" tags
diff --git a/src/nostr/policy/related.rs b/src/nostr/policy/related.rs
index 7ce87db..cfe04a7 100644
--- a/src/nostr/policy/related.rs
+++ b/src/nostr/policy/related.rs
@@ -139,6 +139,11 @@ impl RelatedEventPolicy {
                 .push((addr, pubkey, identifier));
         }
 
+        // NOTE: Intentionally only checks the database (promoted announcements), not purgatory.
+        // Related events should only be accepted once the repository announcement has been
+        // validated (promoted via git data). Events referencing purgatory-only repositories
+        // are correctly rejected as orphans and can be re-submitted after promotion.
+
         // Query each kind group
         for (kind, refs) in by_kind {
             let authors: Vec<PublicKey> = refs.iter().map(|(_, pk, _)| *pk).collect();
diff --git a/src/nostr/policy/state.rs b/src/nostr/policy/state.rs
index 3411077..df743ae 100644
--- a/src/nostr/policy/state.rs
+++ b/src/nostr/policy/state.rs
@@ -1,3 +1,4 @@
+use std::collections::HashSet;
 use std::path::{Path, PathBuf};
 
 use anyhow::{Context, Result};
@@ -10,7 +11,7 @@ use nostr_relay_builder::prelude::Event;
 
 use super::PolicyContext;
 use crate::git;
-use crate::git::authorization::fetch_repository_data;
+use crate::git::authorization::fetch_repository_data_with_purgatory;
 use crate::nostr::events::{validate_state, RepositoryAnnouncement, RepositoryState};
 
 /// Result of state policy evaluation
@@ -76,7 +77,13 @@ impl StatePolicy {
         }
 
         // Get all repositories and state events from db with identifier
-        let db_repo_data = fetch_repository_data(&self.ctx.database, &state.identifier).await?;
+        // Include purgatory announcements for authorization
+        let db_repo_data = fetch_repository_data_with_purgatory(
+            &self.ctx.database,
+            &self.ctx.purgatory,
+            &state.identifier,
+        )
+        .await?;
 
         // CRITICAL: Check if author is authorized via maintainer set
         // State events MUST be rejected if author is not in maintainer set of any accepted announcement
@@ -139,6 +146,34 @@ impl StatePolicy {
             "State event author authorized via maintainer set"
         );
 
+        // Extend expiry for any purgatory announcements for this identifier.
+        //
+        // Per design doc decision #4: state event arrival extends the purgatory
+        // announcement's expiry (reset the 30-minute protocol timer). This prevents
+        // premature expiry during slow sync operations — the repo is actively receiving
+        // metadata so it should stay alive.
+        //
+        // We extend for all owners that authorized this state event, since the state
+        // event proves the repo is active regardless of which owner's announcement
+        // authorized it.
+        for owner_hex in &authorized_owners {
+            if let Ok(owner_pk) = nostr_sdk::PublicKey::from_hex(owner_hex) {
+                if self.ctx.purgatory.has_purgatory_announcement(&owner_pk, &state.identifier) {
+                    self.ctx.purgatory.extend_announcement_expiry(
+                        &owner_pk,
+                        &state.identifier,
+                        std::time::Duration::from_secs(1800),
+                    );
+                    tracing::debug!(
+                        event_id = %event.id,
+                        identifier = %state.identifier,
+                        owner = %owner_hex,
+                        "Extended purgatory announcement expiry due to state event arrival"
+                    );
+                }
+            }
+        }
+
         // Duplicate check in db
         if db_repo_data.states.iter().any(|e| e.event.id.eq(&event.id)) {
             tracing::debug!("processed state event duplicate (in db): {}", event.id);
@@ -186,6 +221,42 @@ impl StatePolicy {
                 }
             }
 
+            // After copying OIDs to other owner repos, promote any purgatory announcements
+            // for those repos. This handles the case where two maintainers push to the same
+            // identifier on the same relay with identical commit hashes: the second maintainer's
+            // announcement sits in purgatory, and when their state event arrives the relay copies
+            // commits from the first maintainer's repo — but without this call the announcement
+            // would stay in purgatory indefinitely.
+            let local_relay = self.ctx.get_local_relay();
+            let empty_oids: HashSet<String> = HashSet::new();
+            for announcement in &db_repo_data.announcements {
+                let target_repo_path = self.ctx.git_data_path.join(announcement.repo_path());
+                if target_repo_path != repo_with_git_data {
+                    // OIDs were copied to this repo by process_state_with_git_data;
+                    // check if there's a purgatory announcement waiting for it.
+                    if let Err(e) = crate::git::sync::process_newly_available_git_data(
+                        &target_repo_path,
+                        &empty_oids,
+                        &self.ctx.database,
+                        local_relay.as_ref(),
+                        &self.ctx.purgatory,
+                        &self.ctx.git_data_path,
+                        None,
+                        None,
+                    )
+                    .await
+                    {
+                        tracing::warn!(
+                            identifier = %state.identifier,
+                            event_id = %event.id,
+                            repo_path = %target_repo_path.display(),
+                            error = %e,
+                            "Failed to process purgatory announcements for target repo after git sync copy"
+                        );
+                    }
+                }
+            }
+
             // Event will be saved and broadcast by relay builder
             Ok(WritePolicyResult::Accept)
         } else {