Policy System Verification & Testing (Latest Updates) Authentication & Security:
Verified policy system enforces authentication for all REQ and EVENT messages when enabled
Confirmed AUTH challenges are sent immediately on connection and repeated until authentication succeeds
Validated unauthenticated requests are silently rejected regardless of other policy rules
Access Control Logic:
Confirmed privileged flag only restricts read access (REQ queries), not write operations (EVENT submissions)
Validated read_allow and privileged use OR logic: users get access if EITHER they're in the allow list OR they're a party to the event (author/p-tag)
This design allows both explicit whitelisting and privacy for involved parties
Kind Whitelisting:
Verified kind filtering properly rejects unlisted events in all scenarios:
Explicit kind.whitelist: Only listed kinds accepted, even if rules exist for other kinds
Implicit whitelist (rules only): Only kinds with defined rules accepted
Blacklist mode: Blacklisted kinds rejected, others require rules
Added comprehensive test suite (10 scenarios) covering edge cases and real-world configurations
