From c8ab2c9c294ae9401ff542d0eecc6606b7908412 Mon Sep 17 00:00:00 2001 
From: DanConwayDev
Date: Mon, 12 Jan 2026 21:51:57 +0000
Subject: feat(config): add event blacklist to block all events from specific authors

Adds NGIT_EVENT_BLACKLIST option for blocking all events from specific npubs, taking precedence over all other validation to enable comprehensive moderation without affecting curation policy.

Key features:
- Simple npub-only format: ,,...
- Checked FIRST before any other validation (including repository blacklist)
- Blocks ALL event types (announcements, state events, PRs, comments, etc.)
- Events never reach relay storage or purgatory
- Specific rejection reason for operator debugging

Implementation:
- Add EventBlacklistConfig struct with check() method
- Add NGIT_EVENT_BLACKLIST config option and event_blacklist_config() method
- Add config field to PolicyContext for policy access
- Add check_event_blacklist() to Nip34WritePolicy
- Check event blacklist first in admit_event() method (before any other validation)
- 4 new unit tests covering all blacklist behavior

Configuration synced across all four sources:
- src/config.rs: Core implementation with EventBlacklistConfig
- .env.example: Comprehensive documentation with examples
- docs/reference/configuration.md: Complete reference documentation
- nix/module.nix: NixOS module option with environment mapping

README updates:
- Add comprehensive "Curation & Moderation" section
- Document repository whitelists (GRASP-01 and GRASP-05 modes)
- Document repository and event blacklists with precedence order
- Add configuration table for all curation/moderation settings
- Provide real-world examples for different relay configurations

Testing:
- 4 new tests for event blacklist functionality
- All 336 library tests passing
- All 64 integration tests passing
- All 38 filter support tests passing

Verification:
- Repository blacklist confirmed to apply to sync (uses same admit_event flow)
- Sync events validated through process_event_static -> write_policy.admit_event

Use cases:
- Block spam/abusive users completely
- Prevent malicious actors from submitting any events
- Temporary blocks for investigation
- Moderation without affecting whitelist curation policy
---
 docs/reference/configuration.md | 92 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 (limited to 'docs/reference')

diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
index b90686e..66f39f1 100644
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -833,6 +833,98 @@ Blacklist does **not** affect NIP-11 metadata: --- +### Event Blacklist + +#### `NGIT_EVENT_BLACKLIST` + +**Description:** Blacklist events from specific authors (npubs) +**Type:** Comma-separated list of npubs +**Default:** Empty (no events are blacklisted by author) +**Required:** No + +**Format:** +- `npub1...` - Block all events from this author + +**Precedence:** Event blacklist takes precedence over **ALL** other validation: +- Blacklisted events are rejected **before** any other policy checks +- Applies to all event types (announcements, state events, PRs, etc.) +- Events never reach purgatory (rejected immediately) +- Overrides repository blacklist, whitelists, and all other policies + +**Examples:** + +```bash +# Block all events from specific author +NGIT_EVENT_BLACKLIST=npub1spam... + +# Block events from multiple authors +NGIT_EVENT_BLACKLIST=npub1spam...,npub1abuser...,npub1troll... +``` + +**Rejection Reason:** + +The event blacklist provides a specific rejection reason: +- **Format:** `"Event author is blacklisted"` + +This reason helps operators understand why an event was rejected without needing to flag it in metadata. + +**Behavior:** + +Event blacklist is checked **first** before all other validation: +1. Check event blacklist → Reject if author is blacklisted +2. Check repository blacklist (for announcements) → Reject if matched +3. Check event-type specific policies → Accept/Reject based on policy +4. Process event normally + +**Use Cases:** + +```bash +# Block spam/abusive users +NGIT_EVENT_BLACKLIST=npub1spammer...,npub1abuser... + +# Block malicious actors +NGIT_EVENT_BLACKLIST=npub1malware...,npub1phisher... + +# Temporary block for investigation +NGIT_EVENT_BLACKLIST=npub1suspicious... 
+``` + +**Comparison with Repository Blacklist:** + +| Configuration | Scope | Checked When | Applies To | +|---------------|-------|--------------|------------| +| Event Blacklist | Author-based | **First** (before all policies) | **All events** from author | +| Repository Blacklist | Repo-based | Second (announcements only) | Specific repositories | + +**Event Blacklist vs Repository Blacklist:** + +```bash +# Scenario: npub1alice is event-blacklisted +NGIT_EVENT_BLACKLIST=npub1alice... + +# Result: +# - ALL events from npub1alice are rejected (announcements, PRs, etc.) +# - Events never reach relay or purgatory +# - Rejection: "Event author npub1alice... is blacklisted" + +# Scenario: npub1alice/repo is repository-blacklisted +NGIT_REPOSITORY_BLACKLIST=npub1alice.../malware + +# Result: +# - Only announcements for npub1alice.../malware are rejected +# - Other events from npub1alice are still processed normally +# - PRs/state events for different repos from npub1alice are accepted +``` + +**NIP-11 Impact:** + +Event blacklist does **not** affect NIP-11 metadata: +- No `curation` field changes (blacklist is operational, not policy) +- Blacklist is transparent to clients (rejected with specific reason) +- Operators can use blacklist without advertising moderation + +--- + ### Logging Configuration #### `RUST_LOG` -- cgit v1.2.3
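Review bot: the rejection reason is documented two different ways in this hunk: the "Rejection Reason" section states it is `"Event author is blacklisted"`, while the comparison scenario shows `# - Rejection: "Event author npub1alice... is blacklisted"`. Settle on the exact string the code returns and use it in both places; the commit message sells this reason as an operator debugging aid, and operators will grep logs for it, so it must be stable and documented once. Two further gaps worth closing in the same section: the "Format" bullet lists only `npub1...` and says nothing about whether hex pubkeys are accepted or what happens when an entry fails to decode (refuse to start, or skip the entry), which matters because a silently dropped typo means that author is not blocked at all; and the "NIP-11 Impact" bullets say the blacklist is both "transparent to clients (rejected with specific reason)" and usable "without advertising moderation", which contradict each other as written. The OK message discloses the block to the blocked author, so the accurate statement is that the blacklist is not advertised in NIP-11 metadata but is visible to the submitter of a rejected event.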
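As an added example (not ngit-relay's own code), the following shows how the pieces the commit message describes fit together: an `EventBlacklistConfig` parsed from the `NGIT_EVENT_BLACKLIST` string, a `check()` keyed on the event author, and an `admit_event` order that consults the event blacklist before the repository blacklist. The practitioner detail it adds is normalisation: a Nostr event carries its author as a 64-character hex pubkey, while the config carries bech32 `npub1...` strings, so the config must be decoded at load time (with the checksum verified, and a malformed entry treated as a startup error rather than skipped) or the comparison never matches. The bech32 decoder is written out so the block runs offline without crates. Everything except the names `EventBlacklistConfig`, `check()` and `admit_event` is an assumption: the `Event` and `Decision` types, the `<hex pubkey>/<d-tag>` key used for the repository blacklist, and the NIP-34 kinds (30617 announcement, 1617 patch). The keys used are constructed test values, not real npubs.

```rust
// Added example, not ngit-relay's own code: parse NGIT_EVENT_BLACKLIST into a
// set of hex pubkeys and apply it ahead of every other policy check.
use std::collections::HashSet;

const CHARSET: &[u8] = b"qpzry9x8gf2tvdw0s3jn54khce6mua7l";
const GEN: [u32; 5] = [0x3b6a_57b2, 0x2650_8e6d, 0x1ea1_19fa, 0x3d42_33dd, 0x2a14_62b3];

/// BIP-173 bech32 checksum polynomial.
fn polymod(values: &[u8]) -> u32 {
    let mut chk: u32 = 1;
    for &v in values {
        let b = chk >> 25;
        chk = ((chk & 0x01ff_ffff) << 5) ^ u32::from(v);
        for (i, g) in GEN.iter().enumerate() {
            if (b >> i) & 1 == 1 {
                chk ^= *g;
            }
        }
    }
    chk
}

fn hrp_expand(hrp: &str) -> Vec<u8> {
    let mut v: Vec<u8> = hrp.bytes().map(|c| c >> 5).collect();
    v.push(0);
    v.extend(hrp.bytes().map(|c| c & 31));
    v
}

/// Regroup bits (8->5 when encoding, 5->8 when decoding), as in BIP-173.
fn convert_bits(data: &[u8], from: u32, to: u32, pad: bool) -> Option<Vec<u8>> {
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    let maxv: u32 = (1 << to) - 1;
    let max_acc: u32 = (1 << (from + to - 1)) - 1;
    for &d in data {
        let d = u32::from(d);
        if d >> from != 0 {
            return None;
        }
        acc = ((acc << from) | d) & max_acc;
        bits += from;
        while bits >= to {
            bits -= to;
            out.push(((acc >> bits) & maxv) as u8);
        }
    }
    if pad {
        if bits > 0 {
            out.push(((acc << (to - bits)) & maxv) as u8);
        }
    } else if bits >= from || ((acc << (to - bits)) & maxv) != 0 {
        return None; // non-zero or over-long padding: reject
    }
    Some(out)
}

/// Encode a 32-byte public key as an npub (used here only to build test input).
fn npub_encode(pubkey: &[u8; 32]) -> String {
    let data = convert_bits(pubkey, 8, 5, true).expect("8-bit input always regroups");
    let mut values = hrp_expand("npub");
    values.extend(&data);
    values.extend([0u8; 6]);
    let pm = polymod(&values) ^ 1;
    let mut s = String::from("npub1");
    for d in &data {
        s.push(CHARSET[*d as usize] as char);
    }
    for i in 0..6 {
        s.push(CHARSET[((pm >> (5 * (5 - i))) & 31) as usize] as char);
    }
    s
}

/// Decode an npub, verifying the bech32 checksum and the 32-byte length.
fn npub_decode(s: &str) -> Result<[u8; 32], String> {
    if s != s.to_lowercase() {
        return Err("mixed-case string".into());
    }
    let pos = s.rfind('1').ok_or("no separator")?;
    let (hrp, rest) = (&s[..pos], &s[pos + 1..]);
    if hrp != "npub" {
        return Err(format!("expected npub prefix, got {:?}", hrp));
    }
    if rest.len() < 6 {
        return Err("too short".into());
    }
    let mut data = Vec::with_capacity(rest.len());
    for c in rest.bytes() {
        let v = CHARSET
            .iter()
            .position(|&x| x == c)
            .ok_or_else(|| format!("invalid character {:?}", c as char))?;
        data.push(v as u8);
    }
    let mut values = hrp_expand(hrp);
    values.extend(&data);
    if polymod(&values) != 1 {
        return Err("bad checksum".into());
    }
    let payload = convert_bits(&data[..data.len() - 6], 5, 8, false).ok_or("bad padding")?;
    if payload.len() != 32 {
        return Err("pubkey is not 32 bytes".into());
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(&payload);
    Ok(key)
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Authors blocked by NGIT_EVENT_BLACKLIST, stored as hex pubkeys so they can
/// be compared directly against the `pubkey` field of an incoming event.
pub struct EventBlacklistConfig {
    authors: HashSet<String>,
}

impl EventBlacklistConfig {
    /// Parse the raw comma-separated value. A malformed entry is an error
    /// (fail at startup) rather than silently dropped.
    pub fn parse(raw: &str) -> Result<Self, String> {
        let mut authors = HashSet::new();
        for entry in raw.split(',').map(str::trim).filter(|e| !e.is_empty()) {
            let key = npub_decode(entry)
                .map_err(|e| format!("NGIT_EVENT_BLACKLIST entry {:?}: {}", entry, e))?;
            authors.insert(hex(&key));
        }
        Ok(Self { authors })
    }

    pub fn check(&self, pubkey_hex: &str) -> bool {
        self.authors.contains(pubkey_hex)
    }
}

/// Minimal stand-in for an incoming Nostr event (assumed shape).
pub struct Event<'a> {
    pub pubkey: &'a str, // 64-char hex, as on the wire
    pub kind: u32,
    pub d_tag: &'a str,
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Accept,
    Reject(&'static str),
}

/// Policy order: event blacklist first for every kind, then the repository
/// blacklist (announcements only; key format `<hex pubkey>/<d-tag>` assumed).
pub fn admit_event(ev: &Event<'_>, event_bl: &EventBlacklistConfig, repo_bl: &HashSet<String>) -> Decision {
    if event_bl.check(ev.pubkey) {
        return Decision::Reject("Event author is blacklisted");
    }
    if ev.kind == 30617 && repo_bl.contains(&format!("{}/{}", ev.pubkey, ev.d_tag)) {
        return Decision::Reject("Repository is blacklisted");
    }
    Decision::Accept
}

fn main() {
    let alice_key = [0x11u8; 32]; // constructed test key, not a real user
    let alice_hex = hex(&alice_key);
    let cfg = EventBlacklistConfig::parse(&npub_encode(&alice_key)).expect("valid config");
    let patch = Event { pubkey: &alice_hex, kind: 1617, d_tag: "" };
    println!("{:?}", admit_event(&patch, &cfg, &HashSet::new()));
}
```

Run as-is it prints `Reject("Event author is blacklisted")` for a patch event from the blacklisted author. The test below also shows the two behaviours the documentation hunk promises but does not demonstrate: a corrupted npub (or a bare hex key) is refused at parse time instead of becoming a no-op entry, and an author who is only repository-blacklisted still gets non-matching announcements and other event kinds through.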