- Add 'serve' subcommand for ephemeral RAM-based relay at /dev/shm with
open ACL mode for testing and benchmarking
- Fix e-tag and p-tag decoding to use ValueHex()/ValueBinary() methods
instead of Value() which returns raw bytes for binary-optimized storage
- Document all command-line tools in readme.adoc (relay-tester, benchmark,
stresstest, blossomtest, aggregator, convert, FIND, policytest, etc.)
- Switch Docker images from Alpine to Debian for proper libsecp256k1
Schnorr signature and ECDH support required by Nostr
- Upgrade Docker Go version from 1.21 to 1.25
- Add ramdisk mode (--ramdisk) to benchmark script for eliminating disk
I/O bottlenecks in performance measurements
- Add docker-compose.ramdisk.yml for tmpfs-based benchmark volumes
- Add test coverage for privileged policy with binary-encoded p-tags
- Fix blossom test to expect 200 OK for anonymous uploads when auth is
not required (RequireAuth=false with ACL mode 'none')
- Update follows ACL to handle both binary and hex p-tag formats
- Grant owner access to all users in serve mode via None ACL
- Add benchmark reports from multi-relay comparison run
- Update CLAUDE.md with binary tag handling documentation
- Bump version to v0.30.2
Policy System Verification & Testing (Latest Updates) Authentication & Security:
Verified policy system enforces authentication for all REQ and EVENT messages when enabled
Confirmed AUTH challenges are sent immediately on connection and repeated until authentication succeeds
Validated unauthenticated requests are silently rejected regardless of other policy rules
Access Control Logic:
Confirmed privileged flag only restricts read access (REQ queries), not write operations (EVENT submissions)
Validated read_allow and privileged use OR logic: users get access if EITHER they're in the allow list OR they're a party to the event (author/p-tag)
This design allows both explicit whitelisting and privacy for involved parties
Kind Whitelisting:
Verified kind filtering properly rejects unlisted events in all scenarios:
Explicit kind.whitelist: Only listed kinds accepted, even if rules exist for other kinds
Implicit whitelist (rules only): Only kinds with defined rules accepted
Blacklist mode: Blacklisted kinds rejected, others require rules
Added comprehensive test suite (10 scenarios) covering edge cases and real-world configurations
