Bump version to v0.8.5.

Add Docker deployment and Apache reverse proxy setup

lgtm 👍

.aiassistant/rules/rules.md

@@ -94,4 +94,6 @@ use the source of the relay-tester to help guide what expectations the test has,
 and use context7 for information about the nostr protocol, and use additional 
 log statements to help locate the cause of bugs
 
-always use Go v1.25.1 for everything involving Go
+always use Go v1.25.1 for everything involving Go
+
+always use the nips repository that is available at /nips in the root of the repository for documentation about nostr protocol

.idea/jsLibraryMappings.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="JavaScriptLibraryMappings">
+    <file url="file://$PROJECT_DIR$/../github.com/jumble" libraries="{jumble/node_modules}" />
+    <file url="file://$PROJECT_DIR$/../github.com/mleku/jumble" libraries="{jumble/node_modules}" />
+  </component>
+</project>

APACHE-PROXY-GUIDE.md

@@ -0,0 +1,364 @@
+# Apache Reverse Proxy Guide for Docker Apps
+
+**Complete guide for WebSocket-enabled applications - covers both Plesk and Standard Apache**
+**Updated with real-world troubleshooting solutions**
+
+## 🎯 **What This Solves**
+- WebSocket connection failures (`NS_ERROR_WEBSOCKET_CONNECTION_REFUSED`)
+- Nostr relay connectivity issues (`HTTP 426` instead of WebSocket upgrade)
+- Docker container proxy configuration
+- SSL certificate integration
+- Plesk configuration conflicts and virtual host precedence issues
+
+## 🐳 **Step 1: Deploy Your Docker Application**
+
+### **For Stella's Orly Relay:**
+```bash
+# Pull and run the relay
+docker run -d \
+  --name stella-relay \
+  --restart unless-stopped \
+  -p 127.0.0.1:7777:7777 \
+  -v /data/orly-relay:/data \
+  -e ORLY_OWNERS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx \
+  -e ORLY_ADMINS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx,npub1l5sga6xg72phsz5422ykujprejwud075ggrr3z2hwyrfgr7eylqstegx9z \
+  silberengel/orly-relay:latest
+
+# Test the relay
+curl -I http://127.0.0.1:7777
+# Should return: HTTP/1.1 426 Upgrade Required
+```
+
+### **For Web Apps (like Jumble):**
+```bash
+# Run with fixed port for easier proxy setup
+docker run -d \
+  --name jumble-app \
+  --restart unless-stopped \
+  -p 127.0.0.1:3000:80 \
+  -e NODE_ENV=production \
+  silberengel/imwald-jumble:latest
+
+# Test the app
+curl -I http://127.0.0.1:3000
+```
+
+## 🔧 **Step 2A: PLESK Configuration**
+
+### **For Your Friend's Standard Apache Setup:**
+
+**Tell your friend to create `/etc/apache2/sites-available/domain.conf`:**
+
+```apache
+<VirtualHost *:443>
+    ServerName your-domain.com
+    
+    # SSL Configuration (Let's Encrypt)
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
+    
+    # Enable required modules first:
+    # sudo a2enmod proxy proxy_http proxy_wstunnel rewrite headers ssl
+    
+    # Proxy settings
+    ProxyPreserveHost On
+    ProxyRequests Off
+    
+    # WebSocket upgrade handling - CRITICAL for apps with WebSockets
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} websocket [NC]
+    RewriteCond %{HTTP:Connection} upgrade [NC]
+    RewriteRule ^/?(.*) "ws://127.0.0.1:PORT/$1" [P,L]
+    
+    # Regular HTTP proxy
+    ProxyPass / http://127.0.0.1:PORT/
+    ProxyPassReverse / http://127.0.0.1:PORT/
+    
+    # Headers for modern web apps
+    Header always set X-Forwarded-Proto "https"
+    Header always set X-Forwarded-Port "443"
+    Header always set X-Forwarded-For %{REMOTE_ADDR}s
+    
+    # Security headers
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options SAMEORIGIN
+</VirtualHost>
+
+# Redirect HTTP to HTTPS
+<VirtualHost *:80>
+    ServerName your-domain.com
+    Redirect permanent / https://your-domain.com/
+</VirtualHost>
+```
+
+**Then enable it:**
+```bash
+sudo a2ensite domain.conf
+sudo systemctl reload apache2
+```
+
+### **For Plesk Users (You):**
+
+⚠️ **Important**: Plesk often doesn't apply Apache directives correctly through the interface. If the interface method fails, use the "Direct Apache Override" method below.
+
+#### **Method 1: Plesk Interface (Try First)**
+
+1. **Go to Plesk** → Websites & Domains → **your-domain.com**
+2. **Click "Apache & nginx Settings"**
+3. **DISABLE nginx** (uncheck "Proxy mode" and "Smart static files processing")
+4. **Clear HTTP section** (leave empty)
+5. **In HTTPS section, add:**
+
+**For Nostr Relay (port 7777):**
+```apache
+ProxyRequests Off
+ProxyPreserveHost On
+ProxyPass / ws://127.0.0.1:7777/
+ProxyPassReverse / ws://127.0.0.1:7777/
+Header always set Access-Control-Allow-Origin "*"
+```
+
+6. **Click "Apply"** and wait 60 seconds
+
+#### **Method 2: Direct Apache Override (If Plesk Interface Fails)**
+
+If Plesk doesn't apply your configuration (common issue), bypass it entirely:
+
+```bash
+# Create direct Apache override
+sudo tee /etc/apache2/conf-available/relay-override.conf << 'EOF'
+<VirtualHost YOUR_SERVER_IP:443>
+    ServerName your-domain.com
+    ServerAlias www.your-domain.com
+    ServerAlias ipv4.your-domain.com
+    
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
+    
+    DocumentRoot /var/www/relay
+    
+    # For Nostr relay - proxy everything to WebSocket
+    ProxyRequests Off
+    ProxyPreserveHost On
+    ProxyPass / ws://127.0.0.1:7777/
+    ProxyPassReverse / ws://127.0.0.1:7777/
+    
+    # CORS headers
+    Header always set Access-Control-Allow-Origin "*"
+    Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+    
+    # Logging
+    ErrorLog /var/log/apache2/relay-error.log
+    CustomLog /var/log/apache2/relay-access.log combined
+</VirtualHost>
+EOF
+
+# Enable the override
+sudo a2enconf relay-override
+sudo mkdir -p /var/www/relay
+sudo systemctl restart apache2
+
+# Remove Plesk config if it conflicts
+sudo rm /etc/apache2/plesk.conf.d/vhosts/your-domain.com.conf
+```
+
+#### **Method 3: Debugging Plesk Issues**
+
+If configurations aren't being applied:
+
+```bash
+# Check if Plesk applied your config
+grep -E "(ProxyPass|proxy)" /etc/apache2/plesk.conf.d/vhosts/your-domain.com.conf
+
+# Check virtual host precedence
+apache2ctl -S | grep your-domain.com
+
+# Check Apache modules
+apache2ctl -M | grep -E "(proxy|rewrite)"
+```
+
+#### **For Web Apps (port 3000 or 32768):**
+```apache
+ProxyPreserveHost On
+ProxyRequests Off
+
+# WebSocket upgrade handling
+RewriteEngine On
+RewriteCond %{HTTP:Upgrade} websocket [NC]
+RewriteCond %{HTTP:Connection} upgrade [NC]
+RewriteRule ^/?(.*) "ws://127.0.0.1:32768/$1" [P,L]
+
+# Regular HTTP proxy
+ProxyPass / http://127.0.0.1:32768/
+ProxyPassReverse / http://127.0.0.1:32768/
+
+# Headers
+ProxyAddHeaders On
+Header always set X-Forwarded-Proto "https"
+Header always set X-Forwarded-Port "443"
+```
+
+### **Method B: Direct Apache Override (RECOMMENDED for Plesk)**
+
+⚠️ **Use this if Plesk interface doesn't work** (common issue):
+
+```bash
+# Create direct Apache override with your server's IP
+sudo tee /etc/apache2/conf-available/relay-override.conf << 'EOF'
+<VirtualHost YOUR_SERVER_IP:443>
+    ServerName your-domain.com
+    ServerAlias www.your-domain.com
+    ServerAlias ipv4.your-domain.com
+    
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
+    
+    DocumentRoot /var/www/relay
+    
+    # For Nostr relay - proxy everything to WebSocket
+    ProxyRequests Off
+    ProxyPreserveHost On
+    ProxyPass / ws://127.0.0.1:7777/
+    ProxyPassReverse / ws://127.0.0.1:7777/
+    
+    # CORS headers
+    Header always set Access-Control-Allow-Origin "*"
+    
+    # Logging
+    ErrorLog /var/log/apache2/relay-error.log
+    CustomLog /var/log/apache2/relay-access.log combined
+</VirtualHost>
+EOF
+
+# Enable override and create directory
+sudo a2enconf relay-override
+sudo mkdir -p /var/www/relay
+sudo systemctl restart apache2
+
+# Remove conflicting Plesk config if needed
+sudo rm /etc/apache2/plesk.conf.d/vhosts/your-domain.com.conf
+```
+
+## ⚡ **Step 3: Enable Required Modules**
+
+In Plesk, you might need to enable modules. SSH to your server:
+
+```bash
+# Enable Apache modules
+sudo a2enmod proxy
+sudo a2enmod proxy_http
+sudo a2enmod proxy_wstunnel
+sudo a2enmod rewrite
+sudo systemctl restart apache2
+```
+
+## ⚡ **Step 4: Alternative - Nginx in Plesk**
+
+If Apache keeps giving issues, switch to Nginx in Plesk:
+
+1. Go to Plesk → Websites & Domains → orly-relay.imwald.eu
+2. Click "Apache & nginx Settings"
+3. Enable "nginx" and set it to serve static files
+4. In "Additional nginx directives" add:
+
+```nginx
+location / {
+    proxy_pass http://127.0.0.1:7777;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+```
+
+## 🧪 **Testing**
+
+After making changes:
+
+1. **Apply settings** in Plesk
+2. **Wait 30 seconds** for changes to take effect
+3. **Test WebSocket**:
+   ```bash
+   # From your server
+   echo '["REQ","test",{}]' | websocat wss://orly-relay.imwald.eu/
+   ```
+
+## 🎯 **Expected Result**
+
+- ✅ No more "websocket error" in browser console
+- ✅ `wss://orly-relay.imwald.eu/` connects successfully
+- ✅ Jumble app can publish notes
+
+## 🚨 **Real-World Troubleshooting Guide**
+
+*Based on actual deployment experience with Plesk and WebSocket issues*
+
+### **Critical Issues & Solutions:**
+
+#### **🔴 HTTP 503 Service Unavailable**
+- **Cause**: Docker container not running
+- **Check**: `docker ps | grep relay`
+- **Fix**: `docker start container-name`
+
+#### **🔴 HTTP 426 Instead of WebSocket Upgrade**
+- **Cause**: Apache using `http://` proxy instead of `ws://`
+- **Fix**: Use `ProxyPass / ws://127.0.0.1:7777/` (not `http://`)
+
+#### **🔴 Plesk Configuration Not Applied**
+- **Symptom**: Config not in `/etc/apache2/plesk.conf.d/vhosts/domain.conf`
+- **Solution**: Use Direct Apache Override method (bypass Plesk interface)
+
+#### **🔴 Virtual Host Conflicts**
+- **Check**: `apache2ctl -S | grep domain.com`
+- **Fix**: Remove Plesk config: `sudo rm /etc/apache2/plesk.conf.d/vhosts/domain.conf`
+
+#### **🔴 Nginx Intercepting (Plesk)**
+- **Symptom**: Response shows `Server: nginx`
+- **Fix**: Disable nginx in Plesk settings
+
+### **Debug Commands:**
+```bash
+# Essential debugging
+docker ps | grep relay                   # Container running?
+curl -I http://127.0.0.1:7777           # Local relay (should return 426)
+apache2ctl -S | grep domain.com         # Virtual host precedence
+grep ProxyPass /etc/apache2/plesk.conf.d/vhosts/domain.conf  # Config applied?
+
+# WebSocket testing
+echo '["REQ","test",{}]' | websocat wss://domain.com/     # Root path
+echo '["REQ","test",{}]' | websocat wss://domain.com/ws/  # /ws/ path
+```
+
+### **Working Solution (Proven):**
+```apache
+<VirtualHost SERVER_IP:443>
+    ServerName domain.com
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
+    DocumentRoot /var/www/relay
+    
+    # Direct WebSocket proxy - this is the key!
+    ProxyRequests Off
+    ProxyPreserveHost On
+    ProxyPass / ws://127.0.0.1:7777/
+    ProxyPassReverse / ws://127.0.0.1:7777/
+    
+    Header always set Access-Control-Allow-Origin "*"
+</VirtualHost>
+```
+
+---
+
+**Key Lessons**: 
+1. Plesk interface often fails to apply Apache directives
+2. Use `ws://` proxy for Nostr relays, not `http://`
+3. Direct Apache config files are more reliable than Plesk interface
+4. Always check virtual host precedence with `apache2ctl -S`

DOCKER.md

@@ -0,0 +1,188 @@
+# Docker Deployment Guide
+
+## Quick Start
+
+### 1. Basic Relay Setup
+
+```bash
+# Build and start the relay
+docker-compose up -d
+
+# View logs
+docker-compose logs -f stella-relay
+
+# Stop the relay
+docker-compose down
+```
+
+### 2. With Nginx Proxy (for SSL/domain setup)
+
+```bash
+# Start relay with nginx proxy
+docker-compose --profile proxy up -d
+
+# Configure SSL certificates in nginx/ssl/
+# Then update nginx/nginx.conf to enable HTTPS
+```
+
+## Configuration
+
+### Environment Variables
+
+Copy `env.example` to `.env` and customize:
+
+```bash
+cp env.example .env
+# Edit .env with your settings
+```
+
+Key settings:
+- `ORLY_OWNERS`: Owner npubs (comma-separated, full control)
+- `ORLY_ADMINS`: Admin npubs (comma-separated, deletion permissions)
+- `ORLY_PORT`: Port to listen on (default: 7777)
+- `ORLY_MAX_CONNECTIONS`: Max concurrent connections
+- `ORLY_CONCURRENT_WORKERS`: CPU cores for concurrent processing (0 = auto)
+
+### Data Persistence
+
+The relay data is stored in `./data` directory which is mounted as a volume.
+
+### Performance Tuning
+
+Based on the v0.4.8 optimizations:
+- Concurrent event publishing using all CPU cores
+- Optimized BadgerDB access patterns
+- Configurable batch sizes and cache settings
+
+## Development
+
+### Local Build
+
+```bash
+# Pull the latest image (recommended)
+docker pull silberengel/orly-relay:latest
+
+# Or build locally if needed
+docker build -t silberengel/orly-relay:latest .
+
+# Run with custom settings
+docker run -p 7777:7777 -v $(pwd)/data:/data silberengel/orly-relay:latest
+```
+
+### Testing
+
+```bash
+# Test WebSocket connection
+websocat ws://localhost:7777
+
+# Run stress tests (if available in cmd/stresstest)
+go run ./cmd/stresstest -relay ws://localhost:7777
+```
+
+## Production Deployment
+
+### SSL Setup
+
+1. Get SSL certificates (Let's Encrypt recommended)
+2. Place certificates in `nginx/ssl/`
+3. Update `nginx/nginx.conf` to enable HTTPS
+4. Start with proxy profile: `docker-compose --profile proxy up -d`
+
+### Monitoring
+
+- Health checks are configured for both services
+- Logs are rotated (max 10MB, 3 files)
+- Resource limits are set to prevent runaway processes
+
+### Security
+
+- Runs as non-root user (uid 1000)
+- Rate limiting configured in nginx
+- Configurable authentication and event size limits
+
+## Troubleshooting
+
+### Common Issues (Real-World Experience)
+
+#### **Container Issues:**
+1. **Port already in use**: Change `ORLY_PORT` in docker-compose.yml
+2. **Permission denied**: Ensure `./data` directory is writable
+3. **Container won't start**: Check logs with `docker logs container-name`
+
+#### **WebSocket Issues:**
+4. **HTTP 426 instead of WebSocket upgrade**: 
+   - Use `ws://127.0.0.1:7777` in proxy config, not `http://`
+   - Ensure `proxy_wstunnel` module is enabled
+5. **Connection refused in browser but works with websocat**:
+   - Clear browser cache and service workers
+   - Try incognito mode
+   - Add CORS headers to Apache/nginx config
+
+#### **Plesk-Specific Issues:**
+6. **Plesk not applying Apache directives**:
+   - Check if config appears in `/etc/apache2/plesk.conf.d/vhosts/domain.conf`
+   - Use direct Apache override if Plesk interface fails
+7. **Virtual host conflicts**:
+   - Check precedence with `apache2ctl -S`
+   - Remove conflicting Plesk configs if needed
+
+#### **SSL Certificate Issues:**
+8. **Self-signed certificate after Let's Encrypt**:
+   - Plesk might not be using the correct certificate
+   - Import Let's Encrypt certs into Plesk or use direct Apache config
+
+### Debug Commands
+
+```bash
+# Container debugging
+docker ps | grep relay
+docker logs stella-relay
+curl -I http://127.0.0.1:7777  # Should return HTTP 426
+
+# WebSocket testing
+echo '["REQ","test",{}]' | websocat wss://domain.com/
+echo '["REQ","test",{}]' | websocat wss://domain.com/ws/
+
+# Apache debugging (for reverse proxy issues)
+apache2ctl -S | grep domain.com
+apache2ctl -M | grep -E "(proxy|rewrite)"
+grep ProxyPass /etc/apache2/plesk.conf.d/vhosts/domain.conf
+```
+
+### Logs
+
+```bash
+# View relay logs
+docker-compose logs -f stella-relay
+
+# View nginx logs (if using proxy)
+docker-compose logs -f nginx
+
+# Apache logs (for reverse proxy debugging)
+sudo tail -f /var/log/apache2/error.log
+sudo tail -f /var/log/apache2/domain-error.log
+```
+
+### Working Reverse Proxy Config
+
+**For Apache (direct config file):**
+```apache
+<VirtualHost SERVER_IP:443>
+    ServerName domain.com
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
+    
+    # Direct WebSocket proxy for Nostr relay
+    ProxyRequests Off
+    ProxyPreserveHost On
+    ProxyPass / ws://127.0.0.1:7777/
+    ProxyPassReverse / ws://127.0.0.1:7777/
+    
+    Header always set Access-Control-Allow-Origin "*"
+</VirtualHost>
+```
+
+---
+
+*Crafted for Stella's digital forest* 🌲

Dockerfile

@@ -0,0 +1,78 @@
+# Dockerfile for Stella's Nostr Relay (next.orly.dev)
+# Owner: npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx
+
+FROM golang:alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache \
+    git \
+    build-base \
+    autoconf \
+    automake \
+    libtool \
+    pkgconfig
+
+# Install secp256k1 library from Alpine packages
+RUN apk add --no-cache libsecp256k1-dev
+
+# Set working directory
+WORKDIR /build
+
+# Copy go modules first (for better caching)
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build the relay with optimizations from v0.4.8
+RUN CGO_ENABLED=1 GOOS=linux go build -ldflags "-w -s" -o relay .
+
+# Create non-root user for security
+RUN adduser -D -u 1000 stella && \
+    chown -R 1000:1000 /build
+
+# Final stage - minimal runtime image
+FROM alpine:latest
+
+# Install only runtime dependencies
+RUN apk add --no-cache \
+    ca-certificates \
+    curl \
+    libsecp256k1 \
+    libsecp256k1-dev
+
+WORKDIR /app
+
+# Copy binary from builder
+COPY --from=builder /build/relay /app/relay
+
+# Create runtime user and directories
+RUN adduser -D -u 1000 stella && \
+    mkdir -p /data /profiles /app && \
+    chown -R 1000:1000 /data /profiles /app
+
+# Expose the relay port
+EXPOSE 7777
+
+# Set environment variables for Stella's relay
+ENV ORLY_DATA_DIR=/data
+ENV ORLY_LISTEN=0.0.0.0
+ENV ORLY_PORT=7777
+ENV ORLY_LOG_LEVEL=info
+ENV ORLY_MAX_CONNECTIONS=1000
+ENV ORLY_OWNERS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx
+ENV ORLY_ADMINS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx,npub1l5sga6xg72phsz5422ykujprejwud075ggrr3z2hwyrfgr7eylqstegx9z
+
+# Health check to ensure relay is responding
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD sh -c "code=\$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:7777 || echo 000); echo \$code | grep -E '^(101|200|400|404|426)$' >/dev/null || exit 1"
+
+# Create volume for persistent data
+VOLUME ["/data"]
+
+# Drop privileges and run as stella user
+USER 1000:1000
+
+# Run Stella's Nostr relay
+CMD ["/app/relay"]

SERVICE-WORKER-FIX.md

@@ -0,0 +1,101 @@
+# Service Worker Certificate Caching Fix
+
+## 🚨 **Problem**
+When accessing Jumble from the ImWald landing page, the service worker serves a cached self-signed certificate instead of the new Let's Encrypt certificate.
+
+## ⚡ **Solutions**
+
+### **Option 1: Force Service Worker Update**
+Add this to your Jumble app's service worker or main JavaScript:
+
+```javascript
+// Force service worker update and certificate refresh
+if ('serviceWorker' in navigator) {
+  navigator.serviceWorker.getRegistrations().then(function(registrations) {
+    for(let registration of registrations) {
+      registration.update(); // Force update
+    }
+  });
+}
+
+// Clear all caches on certificate update
+if ('caches' in window) {
+  caches.keys().then(function(names) {
+    for (let name of names) {
+      caches.delete(name);
+    }
+  });
+}
+```
+
+### **Option 2: Update Service Worker Cache Strategy**
+In your service worker file, add cache busting for SSL-sensitive requests:
+
+```javascript
+// In your service worker
+self.addEventListener('fetch', function(event) {
+  // Don't cache HTTPS requests that might have certificate issues
+  if (event.request.url.startsWith('https://') && 
+      event.request.url.includes('imwald.eu')) {
+    event.respondWith(
+      fetch(event.request, { cache: 'no-store' })
+    );
+    return;
+  }
+  
+  // Your existing fetch handling...
+});
+```
+
+### **Option 3: Version Your Service Worker**
+Update your service worker with a new version number:
+
+```javascript
+// At the top of your service worker
+const CACHE_VERSION = 'v2.0.1'; // Increment this when certificates change
+const CACHE_NAME = `jumble-cache-${CACHE_VERSION}`;
+
+// Clear old caches
+self.addEventListener('activate', function(event) {
+  event.waitUntil(
+    caches.keys().then(function(cacheNames) {
+      return Promise.all(
+        cacheNames.map(function(cacheName) {
+          if (cacheName !== CACHE_NAME) {
+            return caches.delete(cacheName);
+          }
+        })
+      );
+    })
+  );
+});
+```
+
+### **Option 4: Add Cache Headers**
+In your Plesk Apache config for Jumble, add:
+
+```apache
+# Prevent service worker from caching SSL-sensitive content
+Header always set Cache-Control "no-cache, no-store, must-revalidate"
+Header always set Pragma "no-cache"
+Header always set Expires "0"
+
+# Only for service worker file
+<Files "sw.js">
+    Header always set Cache-Control "no-cache, no-store, must-revalidate"
+</Files>
+```
+
+## 🧹 **Immediate User Fix**
+
+For users experiencing the certificate issue:
+
+1. **Clear browser data** for jumble.imwald.eu
+2. **Unregister service worker**:
+   - F12 → Application → Service Workers → Unregister
+3. **Hard refresh**: Ctrl+Shift+R
+4. **Or use incognito mode** to test
+
+---
+
+This will prevent the service worker from serving stale certificate data.

WEBSOCKET-DEBUG.md

@@ -0,0 +1,109 @@
+# WebSocket Connection Debug Guide
+
+## 🚨 **Current Issue**
+`wss://orly-relay.imwald.eu/` returns `NS_ERROR_WEBSOCKET_CONNECTION_REFUSED`
+
+## 🔍 **Debug Steps**
+
+### **Step 1: Verify Relay is Running**
+```bash
+# On your server
+curl -I http://127.0.0.1:7777
+# Should return: HTTP/1.1 426 Upgrade Required
+
+docker ps | grep stella
+# Should show running container
+```
+
+### **Step 2: Test Apache Modules**
+```bash
+# Check if WebSocket modules are enabled
+apache2ctl -M | grep -E "(proxy|rewrite)"
+
+# If missing, enable them:
+sudo a2enmod proxy
+sudo a2enmod proxy_http
+sudo a2enmod proxy_wstunnel
+sudo a2enmod rewrite
+sudo a2enmod headers
+sudo systemctl restart apache2
+```
+
+### **Step 3: Check Apache Configuration**
+```bash
+# Check what Plesk generated
+sudo cat /etc/apache2/plesk.conf.d/vhosts/orly-relay.imwald.eu.conf
+
+# Look for proxy and rewrite rules
+grep -E "(Proxy|Rewrite)" /etc/apache2/plesk.conf.d/vhosts/orly-relay.imwald.eu.conf
+```
+
+### **Step 4: Test Direct WebSocket Connection**
+```bash
+# Test if the issue is Apache or the relay itself
+echo '["REQ","test",{}]' | websocat ws://127.0.0.1:7777/
+
+# If that works, the issue is Apache proxy
+# If that fails, the issue is the relay
+```
+
+### **Step 5: Check Apache Error Logs**
+```bash
+# Watch Apache errors in real-time
+sudo tail -f /var/log/apache2/error.log
+
+# Then try connecting to wss://orly-relay.imwald.eu/ and see what errors appear
+```
+
+## 🔧 **Specific Plesk Fix**
+
+Based on your current status, try this **exact configuration** in Plesk:
+
+### **Go to Apache & nginx Settings for orly-relay.imwald.eu:**
+
+**Clear both HTTP and HTTPS sections, then add to HTTPS:**
+
+```apache
+# Enable proxy
+ProxyRequests Off
+ProxyPreserveHost On
+
+# WebSocket handling - the key part
+RewriteEngine On
+RewriteCond %{HTTP:Upgrade} =websocket [NC]
+RewriteCond %{HTTP:Connection} upgrade [NC]
+RewriteRule /(.*) ws://127.0.0.1:7777/$1 [P,L]
+
+# Fallback for regular HTTP
+RewriteCond %{HTTP:Upgrade} !=websocket [NC]
+RewriteRule /(.*) http://127.0.0.1:7777/$1 [P,L]
+
+# Headers
+ProxyAddHeaders On
+```
+
+### **Alternative Simpler Version:**
+If the above doesn't work, try just:
+
+```apache
+ProxyPass / http://127.0.0.1:7777/
+ProxyPassReverse / http://127.0.0.1:7777/
+ProxyPass /ws ws://127.0.0.1:7777/
+ProxyPassReverse /ws ws://127.0.0.1:7777/
+```
+
+## 🧪 **Testing Commands**
+
+```bash
+# Test the WebSocket after each change
+echo '["REQ","test",{}]' | websocat wss://orly-relay.imwald.eu/
+
+# Check what's actually being served
+curl -v https://orly-relay.imwald.eu/ 2>&1 | grep -E "(HTTP|upgrade|connection)"
+```
+
+## 🎯 **Expected Fix**
+
+The issue is likely that Apache isn't properly handling the WebSocket upgrade request. The `proxy_wstunnel` module and correct rewrite rules should fix this.
+
+Try the **simpler ProxyPass version first** - it's often more reliable in Plesk environments.

app/config/config.go

@@ -23,25 +23,29 @@ import (
 // and default values. It defines parameters for app behaviour, storage
 // locations, logging, and network settings used across the relay service.
 type C struct {
-	AppName         string        `env:"ORLY_APP_NAME" usage:"set a name to display on information about the relay" default:"ORLY"`
-	DataDir         string        `env:"ORLY_DATA_DIR" usage:"storage location for the event store" default:"~/.local/share/ORLY"`
-	Listen          string        `env:"ORLY_LISTEN" default:"0.0.0.0" usage:"network listen address"`
-	Port            int           `env:"ORLY_PORT" default:"3334" usage:"port to listen on"`
-	HealthPort      int           `env:"ORLY_HEALTH_PORT" default:"0" usage:"optional health check HTTP port; 0 disables"`
-	EnableShutdown  bool          `env:"ORLY_ENABLE_SHUTDOWN" default:"false" usage:"if true, expose /shutdown on the health port to gracefully stop the process (for profiling)"`
-	LogLevel        string        `env:"ORLY_LOG_LEVEL" default:"info" usage:"relay log level: fatal error warn info debug trace"`
-	DBLogLevel      string        `env:"ORLY_DB_LOG_LEVEL" default:"info" usage:"database log level: fatal error warn info debug trace"`
-	LogToStdout     bool          `env:"ORLY_LOG_TO_STDOUT" default:"false" usage:"log to stdout instead of stderr"`
-	Pprof           string        `env:"ORLY_PPROF" usage:"enable pprof in modes: cpu,memory,allocation,heap,block,goroutine,threadcreate,mutex"`
-	PprofPath       string        `env:"ORLY_PPROF_PATH" usage:"optional directory to write pprof profiles into (inside container); default is temporary dir"`
-	PprofHTTP       bool          `env:"ORLY_PPROF_HTTP" default:"false" usage:"if true, expose net/http/pprof on port 6060"`
-	OpenPprofWeb    bool          `env:"ORLY_OPEN_PPROF_WEB" default:"false" usage:"if true, automatically open the pprof web viewer when profiling is enabled"`
-	IPWhitelist     []string      `env:"ORLY_IP_WHITELIST" usage:"comma-separated list of IP addresses to allow access from, matches on prefixes to allow private subnets, eg 10.0.0 = 10.0.0.0/8"`
-	Admins          []string      `env:"ORLY_ADMINS" usage:"comma-separated list of admin npubs"`
-	Owners          []string      `env:"ORLY_OWNERS" usage:"comma-separated list of owner npubs, who have full control of the relay for wipe and restart and other functions"`
-	ACLMode         string        `env:"ORLY_ACL_MODE" usage:"ACL mode: follows,none" default:"none"`
-	SpiderMode      string        `env:"ORLY_SPIDER_MODE" usage:"spider mode: none,follow" default:"none"`
-	SpiderFrequency time.Duration `env:"ORLY_SPIDER_FREQUENCY" usage:"spider frequency in seconds" default:"1h"`
+	AppName             string        `env:"ORLY_APP_NAME" usage:"set a name to display on information about the relay" default:"ORLY"`
+	DataDir             string        `env:"ORLY_DATA_DIR" usage:"storage location for the event store" default:"~/.local/share/ORLY"`
+	Listen              string        `env:"ORLY_LISTEN" default:"0.0.0.0" usage:"network listen address"`
+	Port                int           `env:"ORLY_PORT" default:"3334" usage:"port to listen on"`
+	HealthPort          int           `env:"ORLY_HEALTH_PORT" default:"0" usage:"optional health check HTTP port; 0 disables"`
+	EnableShutdown      bool          `env:"ORLY_ENABLE_SHUTDOWN" default:"false" usage:"if true, expose /shutdown on the health port to gracefully stop the process (for profiling)"`
+	LogLevel            string        `env:"ORLY_LOG_LEVEL" default:"info" usage:"relay log level: fatal error warn info debug trace"`
+	DBLogLevel          string        `env:"ORLY_DB_LOG_LEVEL" default:"info" usage:"database log level: fatal error warn info debug trace"`
+	LogToStdout         bool          `env:"ORLY_LOG_TO_STDOUT" default:"false" usage:"log to stdout instead of stderr"`
+	Pprof               string        `env:"ORLY_PPROF" usage:"enable pprof in modes: cpu,memory,allocation,heap,block,goroutine,threadcreate,mutex"`
+	PprofPath           string        `env:"ORLY_PPROF_PATH" usage:"optional directory to write pprof profiles into (inside container); default is temporary dir"`
+	PprofHTTP           bool          `env:"ORLY_PPROF_HTTP" default:"false" usage:"if true, expose net/http/pprof on port 6060"`
+	OpenPprofWeb        bool          `env:"ORLY_OPEN_PPROF_WEB" default:"false" usage:"if true, automatically open the pprof web viewer when profiling is enabled"`
+	IPWhitelist         []string      `env:"ORLY_IP_WHITELIST" usage:"comma-separated list of IP addresses to allow access from, matches on prefixes to allow private subnets, eg 10.0.0 = 10.0.0.0/8"`
+	Admins              []string      `env:"ORLY_ADMINS" usage:"comma-separated list of admin npubs"`
+	Owners              []string      `env:"ORLY_OWNERS" usage:"comma-separated list of owner npubs, who have full control of the relay for wipe and restart and other functions"`
+	ACLMode             string        `env:"ORLY_ACL_MODE" usage:"ACL mode: follows,none" default:"none"`
+	SpiderMode          string        `env:"ORLY_SPIDER_MODE" usage:"spider mode: none,follow" default:"none"`
+	SpiderFrequency     time.Duration `env:"ORLY_SPIDER_FREQUENCY" usage:"spider frequency in seconds" default:"1h"`
+	NWCUri              string        `env:"ORLY_NWC_URI" usage:"NWC (Nostr Wallet Connect) connection string for Lightning payments"`
+	SubscriptionEnabled bool          `env:"ORLY_SUBSCRIPTION_ENABLED" default:"false" usage:"enable subscription-based access control requiring payment for non-directory events"`
+	MonthlyPriceSats    int64         `env:"ORLY_MONTHLY_PRICE_SATS" default:"6000" usage:"price in satoshis for one month subscription (default ~$2 USD)"`
+	RelayURL            string        `env:"ORLY_RELAY_URL" usage:"base URL for the relay dashboard (e.g., https://relay.example.com)"`
 
 	// Web UI and dev mode settings
 	WebDisableEmbedded bool   `env:"ORLY_WEB_DISABLE" default:"false" usage:"disable serving the embedded web UI; useful for hot-reload during development"`
@@ -136,6 +140,21 @@ func GetEnv() (requested bool) {
 	return
 }
 
+// IdentityRequested checks if the first command line argument is "identity" and returns
+// whether the relay identity should be printed and the program should exit.
+//
+// Return Values
+//   - requested: true if the 'identity' subcommand was provided, false otherwise.
+func IdentityRequested() (requested bool) {
+	if len(os.Args) > 1 {
+		switch strings.ToLower(os.Args[1]) {
+		case "identity":
+			requested = true
+		}
+	}
+	return
+}
+
 // KV is a key/value pair.
 type KV struct{ Key, Value string }
 

app/handle-auth.go

@@ -50,6 +50,34 @@ func (l *Listener) HandleAuth(b []byte) (err error) {
 			env.Event.Pubkey,
 		)
 		l.authedPubkey.Store(env.Event.Pubkey)
+		
+		// Check if this is a first-time user and create welcome note
+		go l.handleFirstTimeUser(env.Event.Pubkey)
 	}
 	return
 }
+
+// handleFirstTimeUser checks if user is logging in for first time and creates welcome note
+func (l *Listener) handleFirstTimeUser(pubkey []byte) {
+	// Check if this is a first-time user
+	isFirstTime, err := l.Server.D.IsFirstTimeUser(pubkey)
+	if err != nil {
+		log.E.F("failed to check first-time user status: %v", err)
+		return
+	}
+	
+	if !isFirstTime {
+		return // Not a first-time user
+	}
+	
+	// Get payment processor to create welcome note
+	if l.Server.paymentProcessor != nil {
+		// Set the dashboard URL based on the current HTTP request
+		dashboardURL := l.Server.DashboardURL(l.req)
+		l.Server.paymentProcessor.SetDashboardURL(dashboardURL)
+		
+		if err := l.Server.paymentProcessor.CreateWelcomeNote(pubkey); err != nil {
+			log.E.F("failed to create welcome note for first-time user: %v", err)
+		}
+	}
+}

app/handle-delete.go

@@ -145,12 +145,10 @@ func (l *Listener) HandleDelete(env *eventenvelope.Submission) (err error) {
 					if ev, err = l.FetchEventBySerial(s); chk.E(err) {
 						continue
 					}
-					// check that the author is the same as the signer of the
-					// delete, for the e tag case the author is the signer of
-					// the event.
-					if !utils.FastEqual(env.E.Pubkey, ev.Pubkey) {
+					// allow deletion if the signer is the author OR an admin/owner
+					if !(ownerDelete || utils.FastEqual(env.E.Pubkey, ev.Pubkey)) {
 						log.W.F(
-							"HandleDelete: attempted deletion of event %s by different user - delete pubkey=%s, event pubkey=%s",
+							"HandleDelete: attempted deletion of event %s by unauthorized user - delete pubkey=%s, event pubkey=%s",
 							hex.Enc(ev.ID), hex.Enc(env.E.Pubkey),
 							hex.Enc(ev.Pubkey),
 						)

app/handle-relayinfo.go

@@ -4,9 +4,12 @@ import (
 	"encoding/json"
 	"net/http"
 	"sort"
+	"strings"
 
 	"lol.mleku.dev/chk"
 	"lol.mleku.dev/log"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/encoders/hex"
 	"next.orly.dev/pkg/protocol/relayinfo"
 	"next.orly.dev/pkg/version"
 )
@@ -31,16 +34,16 @@ func (s *Server) HandleRelayInfo(w http.ResponseWriter, r *http.Request) {
 	var info *relayinfo.T
 	supportedNIPs := relayinfo.GetList(
 		relayinfo.BasicProtocol,
-		// relayinfo.Authentication,
-		// relayinfo.EncryptedDirectMessage,
+		relayinfo.Authentication,
+		relayinfo.EncryptedDirectMessage,
 		relayinfo.EventDeletion,
 		relayinfo.RelayInformationDocument,
-		// relayinfo.GenericTagQueries,
+		relayinfo.GenericTagQueries,
 		// relayinfo.NostrMarketplace,
 		relayinfo.EventTreatment,
 		// relayinfo.CommandResults,
 		relayinfo.ParameterizedReplaceableEvents,
-		// relayinfo.ExpirationTimestamp,
+		relayinfo.ExpirationTimestamp,
 		relayinfo.ProtectedEvents,
 		relayinfo.RelayListMetadata,
 	)
@@ -48,32 +51,47 @@ func (s *Server) HandleRelayInfo(w http.ResponseWriter, r *http.Request) {
 		supportedNIPs = relayinfo.GetList(
 			relayinfo.BasicProtocol,
 			relayinfo.Authentication,
-			// relayinfo.EncryptedDirectMessage,
+			relayinfo.EncryptedDirectMessage,
 			relayinfo.EventDeletion,
 			relayinfo.RelayInformationDocument,
-			// relayinfo.GenericTagQueries,
+			relayinfo.GenericTagQueries,
 			// relayinfo.NostrMarketplace,
 			relayinfo.EventTreatment,
 			// relayinfo.CommandResults,
-			// relayinfo.ParameterizedReplaceableEvents,
-			// relayinfo.ExpirationTimestamp,
+			relayinfo.ParameterizedReplaceableEvents,
+			relayinfo.ExpirationTimestamp,
 			relayinfo.ProtectedEvents,
 			relayinfo.RelayListMetadata,
 		)
 	}
 	sort.Sort(supportedNIPs)
 	log.T.Ln("supported NIPs", supportedNIPs)
+	// Construct description with dashboard URL
+	dashboardURL := s.DashboardURL(r)
+	description := version.Description + " dashboard: " + dashboardURL
+
+	// Get relay identity pubkey as hex
+	var relayPubkey string
+	if skb, err := s.D.GetRelayIdentitySecret(); err == nil && len(skb) == 32 {
+		sign := new(p256k.Signer)
+		if err := sign.InitSec(skb); err == nil {
+			relayPubkey = hex.Enc(sign.Pub())
+		}
+	}
+
 	info = &relayinfo.T{
 		Name:        s.Config.AppName,
-		Description: version.Description,
+		Description: description,
+		PubKey:      relayPubkey,
 		Nips:        supportedNIPs,
 		Software:    version.URL,
-		Version:     version.V,
+		Version:     strings.TrimPrefix(version.V, "v"),
 		Limitation: relayinfo.Limits{
 			AuthRequired:     s.Config.ACLMode != "none",
 			RestrictedWrites: s.Config.ACLMode != "none",
+			PaymentRequired:  s.Config.MonthlyPriceSats > 0,
 		},
-		Icon: "https://cdn.satellite.earth/ac9778868fbf23b63c47c769a74e163377e6ea94d3f0f31711931663d035c4f6.png",
+		Icon: "https://i.nostr.build/6wGXAn7Zaw9mHxFg.png",
 	}
 	if err := json.NewEncoder(w).Encode(info); chk.E(err) {
 	}

app/handle-req.go

@@ -4,12 +4,14 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/dgraph-io/badger/v4"
 	"lol.mleku.dev/chk"
 	"lol.mleku.dev/log"
 	"next.orly.dev/pkg/acl"
+	"next.orly.dev/pkg/encoders/bech32encoding"
 	"next.orly.dev/pkg/encoders/envelopes/authenvelope"
 	"next.orly.dev/pkg/encoders/envelopes/closedenvelope"
 	"next.orly.dev/pkg/encoders/envelopes/eoseenvelope"
@@ -34,9 +36,6 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
 	if _, err = env.Unmarshal(msg); chk.E(err) {
 		return normalize.Error.Errorf(err.Error())
 	}
-	// if len(rem) > 0 {
-	// 	log.I.F("REQ extra bytes: '%s'", rem)
-	// }
 	// send a challenge to the client to auth if an ACL is active
 	if acl.Registry.Active.Load() != "none" {
 		if err = authenvelope.NewChallengeWith(l.challenge.Load()).
@@ -57,58 +56,15 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
 		return
 	default:
 		// user has read access or better, continue
-		// log.D.F("user has %s access", accessLevel)
 	}
 	var events event.S
 	for _, f := range *env.Filters {
-		// idsLen := 0
-		// kindsLen := 0
-		// authorsLen := 0
-		// tagsLen := 0
-		// if f != nil {
-		// 	if f.Ids != nil {
-		// 		idsLen = f.Ids.Len()
-		// 	}
-		// 	if f.Kinds != nil {
-		// 		kindsLen = f.Kinds.Len()
-		// 	}
-		// 	if f.Authors != nil {
-		// 		authorsLen = f.Authors.Len()
-		// 	}
-		// 	if f.Tags != nil {
-		// 		tagsLen = f.Tags.Len()
-		// 	}
-		// }
-		// log.T.F(
-		// 	"REQ %s: filter summary ids=%d kinds=%d authors=%d tags=%d",
-		// 	env.Subscription, idsLen, kindsLen, authorsLen, tagsLen,
-		// )
 		if f != nil && f.Authors != nil && f.Authors.Len() > 0 {
 			var authors []string
 			for _, a := range f.Authors.T {
 				authors = append(authors, hex.Enc(a))
 			}
-			// log.T.F("REQ %s: authors=%v", env.Subscription, authors)
 		}
-		// if f != nil && f.Kinds != nil && f.Kinds.Len() > 0 {
-		// 	log.T.F("REQ %s: kinds=%v", env.Subscription, f.Kinds.ToUint16())
-		// }
-		// if f != nil && f.Ids != nil && f.Ids.Len() > 0 {
-		// 	var ids []string
-		// 	for _, id := range f.Ids.T {
-		// 		ids = append(ids, hex.Enc(id))
-		// 	}
-		// 	// var lim any
-		// 	// if pointers.Present(f.Limit) {
-		// 	// 	lim = *f.Limit
-		// 	// } else {
-		// 	// 	lim = nil
-		// 	// }
-		// 	// log.T.F(
-		// 	// 	"REQ %s: ids filter count=%d ids=%v limit=%v", env.Subscription,
-		// 	// 	f.Ids.Len(), ids, lim,
-		// 	// )
-		// }
 		if f != nil && pointers.Present(f.Limit) {
 			if *f.Limit == 0 {
 				continue
@@ -119,15 +75,10 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
 			context.Background(), 30*time.Second,
 		)
 		defer cancel()
-		// log.T.F(
-		// 	"HandleReq: About to QueryEvents for %s, main context done: %v",
-		// 	l.remote, l.ctx.Err() != nil,
-		// )
 		if events, err = l.QueryEvents(queryCtx, f); chk.E(err) {
 			if errors.Is(err, badger.ErrDBClosed) {
 				return
 			}
-			// log.T.F("HandleReq: QueryEvents error for %s: %v", l.remote, err)
 			err = nil
 		}
 		defer func() {
@@ -135,14 +86,49 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
 				ev.Free()
 			}
 		}()
-		// log.T.F(
-		// 	"HandleReq: QueryEvents completed for %s, found %d events",
-		// 	l.remote, len(events),
-		// )
 	}
 	var tmp event.S
 privCheck:
 	for _, ev := range events {
+		// Check for private tag first
+		privateTags := ev.Tags.GetAll([]byte("private"))
+		if len(privateTags) > 0 && accessLevel != "admin" {
+			pk := l.authedPubkey.Load()
+			if pk == nil {
+				continue // no auth, can't access private events
+			}
+
+			// Convert authenticated pubkey to npub for comparison
+			authedNpub, err := bech32encoding.BinToNpub(pk)
+			if err != nil {
+				continue // couldn't convert pubkey, skip
+			}
+
+			// Check if authenticated npub is in any private tag
+			authorized := false
+			for _, privateTag := range privateTags {
+				authorizedNpubs := strings.Split(
+					string(privateTag.Value()), ",",
+				)
+				for _, npub := range authorizedNpubs {
+					if strings.TrimSpace(npub) == string(authedNpub) {
+						authorized = true
+						break
+					}
+				}
+				if authorized {
+					break
+				}
+			}
+
+			if !authorized {
+				continue // not authorized to see this private event
+			}
+
+			tmp = append(tmp, ev)
+			continue
+		}
+
 		if kind.IsPrivileged(ev.Kind) &&
 			accessLevel != "admin" { // admins can see all events
 			// log.T.C(

app/handle-websocket.go

@@ -153,7 +153,7 @@ whitelist:
 			continue
 		}
 		// log.T.F("received message from %s: %s", remote, string(msg))
-		go listener.HandleMessage(msg, remote)
+		listener.HandleMessage(msg, remote)
 	}
 }
 

app/main.go

@@ -8,7 +8,8 @@ import (
 	"lol.mleku.dev/chk"
 	"lol.mleku.dev/log"
 	"next.orly.dev/app/config"
-	database "next.orly.dev/pkg/database"
+	"next.orly.dev/pkg/crypto/keys"
+	"next.orly.dev/pkg/database"
 	"next.orly.dev/pkg/encoders/bech32encoding"
 	"next.orly.dev/pkg/protocol/publish"
 )
@@ -47,6 +48,38 @@ func Run(
 	}
 	// Initialize the user interface
 	l.UserInterface()
+
+	// Ensure a relay identity secret key exists when subscriptions and NWC are enabled
+	if cfg.SubscriptionEnabled && cfg.NWCUri != "" {
+		if skb, e := db.GetOrCreateRelayIdentitySecret(); e != nil {
+			log.E.F("failed to ensure relay identity key: %v", e)
+		} else if pk, e2 := keys.SecretBytesToPubKeyHex(skb); e2 == nil {
+			log.I.F("relay identity loaded (pub=%s)", pk)
+			// ensure relay identity pubkey is considered an admin for ACL follows mode
+			found := false
+			for _, a := range cfg.Admins {
+				if a == pk {
+					found = true
+					break
+				}
+			}
+			if !found {
+				cfg.Admins = append(cfg.Admins, pk)
+				log.I.F("added relay identity to admins for follow-list whitelisting")
+			}
+		}
+	}
+
+	if l.paymentProcessor, err = NewPaymentProcessor(ctx, cfg, db); err != nil {
+		log.E.F("failed to create payment processor: %v", err)
+		// Continue without payment processor
+	} else {
+		if err = l.paymentProcessor.Start(); err != nil {
+			log.E.F("failed to start payment processor: %v", err)
+		} else {
+			log.I.F("payment processor started successfully")
+		}
+	}
 	addr := fmt.Sprintf("%s:%d", cfg.Listen, cfg.Port)
 	log.I.F("starting listener on http://%s", addr)
 	go func() {

app/payment_processor.go

@@ -0,0 +1,894 @@
+package app
+
+import (
+	"context"
+	// std hex not used; use project hex encoder instead
+	"fmt"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/dgraph-io/badger/v4"
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/log"
+	"next.orly.dev/app/config"
+	"next.orly.dev/pkg/acl"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/database"
+	"next.orly.dev/pkg/encoders/bech32encoding"
+	"next.orly.dev/pkg/encoders/event"
+	"next.orly.dev/pkg/encoders/hex"
+	"next.orly.dev/pkg/encoders/json"
+	"next.orly.dev/pkg/encoders/kind"
+	"next.orly.dev/pkg/encoders/tag"
+	"next.orly.dev/pkg/encoders/timestamp"
+	"next.orly.dev/pkg/protocol/nwc"
+)
+
+// PaymentProcessor handles NWC payment notifications and updates subscriptions
+type PaymentProcessor struct {
+	nwcClient    *nwc.Client
+	db           *database.D
+	config       *config.C
+	ctx          context.Context
+	cancel       context.CancelFunc
+	wg           sync.WaitGroup
+	dashboardURL string
+}
+
+// NewPaymentProcessor creates a new payment processor
+func NewPaymentProcessor(
+	ctx context.Context, cfg *config.C, db *database.D,
+) (pp *PaymentProcessor, err error) {
+	if cfg.NWCUri == "" {
+		return nil, fmt.Errorf("NWC URI not configured")
+	}
+
+	var nwcClient *nwc.Client
+	if nwcClient, err = nwc.NewClient(cfg.NWCUri); chk.E(err) {
+		return nil, fmt.Errorf("failed to create NWC client: %w", err)
+	}
+
+	c, cancel := context.WithCancel(ctx)
+
+	pp = &PaymentProcessor{
+		nwcClient: nwcClient,
+		db:        db,
+		config:    cfg,
+		ctx:       c,
+		cancel:    cancel,
+	}
+
+	return pp, nil
+}
+
+// Start begins listening for payment notifications
+func (pp *PaymentProcessor) Start() error {
+	// start NWC notifications listener
+	pp.wg.Add(1)
+	go func() {
+		defer pp.wg.Done()
+		if err := pp.listenForPayments(); err != nil {
+			log.E.F("payment processor error: %v", err)
+		}
+	}()
+	// start periodic follow-list sync if subscriptions are enabled
+	if pp.config != nil && pp.config.SubscriptionEnabled {
+		pp.wg.Add(1)
+		go func() {
+			defer pp.wg.Done()
+			pp.runFollowSyncLoop()
+		}()
+		// start daily subscription checker
+		pp.wg.Add(1)
+		go func() {
+			defer pp.wg.Done()
+			pp.runDailySubscriptionChecker()
+		}()
+	}
+	return nil
+}
+
+// Stop gracefully stops the payment processor
+func (pp *PaymentProcessor) Stop() {
+	if pp.cancel != nil {
+		pp.cancel()
+	}
+	pp.wg.Wait()
+}
+
+// listenForPayments subscribes to NWC notifications and processes payments
+func (pp *PaymentProcessor) listenForPayments() error {
+	return pp.nwcClient.SubscribeNotifications(pp.ctx, pp.handleNotification)
+}
+
+// runFollowSyncLoop periodically syncs the relay identity follow list with active subscribers
+func (pp *PaymentProcessor) runFollowSyncLoop() {
+	t := time.NewTicker(10 * time.Minute)
+	defer t.Stop()
+	// do an initial sync shortly after start
+	_ = pp.syncFollowList()
+	for {
+		select {
+		case <-pp.ctx.Done():
+			return
+		case <-t.C:
+			if err := pp.syncFollowList(); err != nil {
+				log.W.F("follow list sync failed: %v", err)
+			}
+		}
+	}
+}
+
+// runDailySubscriptionChecker checks once daily for subscription expiry warnings and trial reminders
+func (pp *PaymentProcessor) runDailySubscriptionChecker() {
+	t := time.NewTicker(24 * time.Hour)
+	defer t.Stop()
+	// do an initial check shortly after start
+	_ = pp.checkSubscriptionStatus()
+	for {
+		select {
+		case <-pp.ctx.Done():
+			return
+		case <-t.C:
+			if err := pp.checkSubscriptionStatus(); err != nil {
+				log.W.F("subscription status check failed: %v", err)
+			}
+		}
+	}
+}
+
+// syncFollowList builds a kind-3 event from the relay identity containing only active subscribers
+func (pp *PaymentProcessor) syncFollowList() error {
+	// ensure we have a relay identity secret
+	skb, err := pp.db.GetRelayIdentitySecret()
+	if err != nil || len(skb) != 32 {
+		return nil // nothing to do if no identity
+	}
+	// collect active subscribers
+	actives, err := pp.getActiveSubscriberPubkeys()
+	if err != nil {
+		return err
+	}
+	// signer
+	sign := new(p256k.Signer)
+	if err := sign.InitSec(skb); err != nil {
+		return err
+	}
+	// build follow list event
+	ev := event.New()
+	ev.Kind = kind.FollowList.K
+	ev.Pubkey = sign.Pub()
+	ev.CreatedAt = timestamp.Now().V
+	ev.Tags = tag.NewS()
+	for _, pk := range actives {
+		*ev.Tags = append(*ev.Tags, tag.NewFromAny("p", hex.Enc(pk)))
+	}
+	// sign and save
+	ev.Sign(sign)
+	if _, _, err := pp.db.SaveEvent(pp.ctx, ev); err != nil {
+		return err
+	}
+	log.I.F(
+		"updated relay follow list with %d active subscribers", len(actives),
+	)
+	return nil
+}
+
+// getActiveSubscriberPubkeys scans the subscription records and returns active ones
+func (pp *PaymentProcessor) getActiveSubscriberPubkeys() ([][]byte, error) {
+	prefix := []byte("sub:")
+	now := time.Now()
+	var out [][]byte
+	err := pp.db.DB.View(
+		func(txn *badger.Txn) error {
+			it := txn.NewIterator(badger.DefaultIteratorOptions)
+			defer it.Close()
+			for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+				item := it.Item()
+				key := item.KeyCopy(nil)
+				// key format: sub:<hexpub>
+				hexpub := string(key[len(prefix):])
+				var sub database.Subscription
+				if err := item.Value(
+					func(val []byte) error {
+						return json.Unmarshal(val, &sub)
+					},
+				); err != nil {
+					return err
+				}
+				if now.Before(sub.TrialEnd) || (!sub.PaidUntil.IsZero() && now.Before(sub.PaidUntil)) {
+					if b, err := hex.Dec(hexpub); err == nil {
+						out = append(out, b)
+					}
+				}
+			}
+			return nil
+		},
+	)
+	return out, err
+}
+
+// checkSubscriptionStatus scans all subscriptions and creates warning/reminder notes
+func (pp *PaymentProcessor) checkSubscriptionStatus() error {
+	prefix := []byte("sub:")
+	now := time.Now()
+	sevenDaysFromNow := now.AddDate(0, 0, 7)
+
+	return pp.db.DB.View(
+		func(txn *badger.Txn) error {
+			it := txn.NewIterator(badger.DefaultIteratorOptions)
+			defer it.Close()
+			for it.Seek(prefix); it.ValidForPrefix(prefix); it.Next() {
+				item := it.Item()
+				key := item.KeyCopy(nil)
+				// key format: sub:<hexpub>
+				hexpub := string(key[len(prefix):])
+				
+				var sub database.Subscription
+				if err := item.Value(
+					func(val []byte) error {
+						return json.Unmarshal(val, &sub)
+					},
+				); err != nil {
+					continue // skip invalid subscription records
+				}
+				
+				pubkey, err := hex.Dec(hexpub)
+				if err != nil {
+					continue // skip invalid pubkey
+				}
+				
+				// Check if paid subscription is expiring in 7 days
+				if !sub.PaidUntil.IsZero() {
+					// Format dates for comparison (ignore time component)
+					paidUntilDate := sub.PaidUntil.Truncate(24 * time.Hour)
+					sevenDaysDate := sevenDaysFromNow.Truncate(24 * time.Hour)
+					
+					if paidUntilDate.Equal(sevenDaysDate) {
+						go pp.createExpiryWarningNote(pubkey, sub.PaidUntil)
+					}
+				}
+				
+				// Check if user is on trial (no paid subscription, trial not expired)
+				if sub.PaidUntil.IsZero() && now.Before(sub.TrialEnd) {
+					go pp.createTrialReminderNote(pubkey, sub.TrialEnd)
+				}
+			}
+			return nil
+		},
+	)
+}
+
+// createExpiryWarningNote creates a warning note for users whose paid subscription expires in 7 days
+func (pp *PaymentProcessor) createExpiryWarningNote(userPubkey []byte, expiryTime time.Time) error {
+	// Get relay identity secret to sign the note
+	skb, err := pp.db.GetRelayIdentitySecret()
+	if err != nil || len(skb) != 32 {
+		return fmt.Errorf("no relay identity configured")
+	}
+
+	// Initialize signer
+	sign := new(p256k.Signer)
+	if err := sign.InitSec(skb); err != nil {
+		return fmt.Errorf("failed to initialize signer: %w", err)
+	}
+
+	monthlyPrice := pp.config.MonthlyPriceSats
+	if monthlyPrice <= 0 {
+		monthlyPrice = 6000
+	}
+
+	// Get relay npub for content link
+	relayNpubForContent, err := bech32encoding.BinToNpub(sign.Pub())
+	if err != nil {
+		return fmt.Errorf("failed to encode relay npub: %w", err)
+	}
+
+	// Create the warning note content
+	content := fmt.Sprintf(`⚠️ Subscription Expiring Soon ⚠️
+
+Your paid subscription to this relay will expire in 7 days on %s.
+
+💰 To extend your subscription:
+- Monthly price: %d sats
+- Zap this note with your payment amount
+- Each %d sats = 30 days of access
+
+⚡ Payment Instructions:
+1. Use any Lightning wallet that supports zaps
+2. Zap this note with your payment
+3. Your subscription will be automatically extended
+
+Don't lose access to your private relay! Extend your subscription today.
+
+Relay: nostr:%s
+
+Log in to the relay dashboard to access your configuration at: %s`, 
+		expiryTime.Format("2006-01-02 15:04:05 UTC"), monthlyPrice, monthlyPrice, string(relayNpubForContent), pp.getDashboardURL())
+
+	// Build the event
+	ev := event.New()
+	ev.Kind = kind.TextNote.K // Kind 1 for text note
+	ev.Pubkey = sign.Pub()
+	ev.CreatedAt = timestamp.Now().V
+	ev.Content = []byte(content)
+	ev.Tags = tag.NewS()
+
+	// Add "p" tag for the user
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("p", hex.Enc(userPubkey)))
+
+	// Add expiration tag (5 days from creation)
+	noteExpiry := time.Now().AddDate(0, 0, 5)
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("expiration", fmt.Sprintf("%d", noteExpiry.Unix())))
+
+	// Add "private" tag with authorized npubs (user and relay)
+	var authorizedNpubs []string
+	
+	// Add user npub
+	userNpub, err := bech32encoding.BinToNpub(userPubkey)
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(userNpub))
+	}
+	
+	// Add relay npub
+	relayNpub, err := bech32encoding.BinToNpub(sign.Pub())
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(relayNpub))
+	}
+
+	// Create the private tag with comma-separated npubs
+	if len(authorizedNpubs) > 0 {
+		privateTagValue := strings.Join(authorizedNpubs, ",")
+		*ev.Tags = append(*ev.Tags, tag.NewFromAny("private", privateTagValue))
+	}
+
+	// Add a special tag to mark this as an expiry warning
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("warning", "subscription-expiry"))
+
+	// Sign and save the event
+	ev.Sign(sign)
+	if _, _, err := pp.db.SaveEvent(pp.ctx, ev); err != nil {
+		return fmt.Errorf("failed to save expiry warning note: %w", err)
+	}
+
+	log.I.F("created expiry warning note for user %s (expires %s)", hex.Enc(userPubkey), expiryTime.Format("2006-01-02"))
+	return nil
+}
+
+// createTrialReminderNote creates a reminder note for users on trial to support the relay
+func (pp *PaymentProcessor) createTrialReminderNote(userPubkey []byte, trialEnd time.Time) error {
+	// Get relay identity secret to sign the note
+	skb, err := pp.db.GetRelayIdentitySecret()
+	if err != nil || len(skb) != 32 {
+		return fmt.Errorf("no relay identity configured")
+	}
+
+	// Initialize signer
+	sign := new(p256k.Signer)
+	if err := sign.InitSec(skb); err != nil {
+		return fmt.Errorf("failed to initialize signer: %w", err)
+	}
+
+	monthlyPrice := pp.config.MonthlyPriceSats
+	if monthlyPrice <= 0 {
+		monthlyPrice = 6000
+	}
+
+	// Calculate daily rate
+	dailyRate := monthlyPrice / 30
+
+	// Get relay npub for content link
+	relayNpubForContent, err := bech32encoding.BinToNpub(sign.Pub())
+	if err != nil {
+		return fmt.Errorf("failed to encode relay npub: %w", err)
+	}
+
+	// Create the reminder note content
+	content := fmt.Sprintf(`🆓 Free Trial Reminder 🆓
+
+You're currently using this relay for FREE! Your trial expires on %s.
+
+🙏 Support Relay Operations:
+This relay provides you with private, censorship-resistant communication. Please consider supporting its continued operation.
+
+💰 Subscription Details:
+- Monthly price: %d sats (%d sats/day)
+- Fair pricing for premium service
+- Helps keep the relay running 24/7
+
+⚡ How to Subscribe:
+Simply zap this note with your payment amount:
+- Each %d sats = 30 days of access
+- Payment is processed automatically
+- No account setup required
+
+Thank you for considering supporting decentralized communication!
+
+Relay: nostr:%s
+
+Log in to the relay dashboard to access your configuration at: %s`, 
+		trialEnd.Format("2006-01-02 15:04:05 UTC"), monthlyPrice, dailyRate, monthlyPrice, string(relayNpubForContent), pp.getDashboardURL())
+
+	// Build the event
+	ev := event.New()
+	ev.Kind = kind.TextNote.K // Kind 1 for text note
+	ev.Pubkey = sign.Pub()
+	ev.CreatedAt = timestamp.Now().V
+	ev.Content = []byte(content)
+	ev.Tags = tag.NewS()
+
+	// Add "p" tag for the user
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("p", hex.Enc(userPubkey)))
+
+	// Add expiration tag (5 days from creation)
+	noteExpiry := time.Now().AddDate(0, 0, 5)
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("expiration", fmt.Sprintf("%d", noteExpiry.Unix())))
+
+	// Add "private" tag with authorized npubs (user and relay)
+	var authorizedNpubs []string
+	
+	// Add user npub
+	userNpub, err := bech32encoding.BinToNpub(userPubkey)
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(userNpub))
+	}
+	
+	// Add relay npub
+	relayNpub, err := bech32encoding.BinToNpub(sign.Pub())
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(relayNpub))
+	}
+
+	// Create the private tag with comma-separated npubs
+	if len(authorizedNpubs) > 0 {
+		privateTagValue := strings.Join(authorizedNpubs, ",")
+		*ev.Tags = append(*ev.Tags, tag.NewFromAny("private", privateTagValue))
+	}
+
+	// Add a special tag to mark this as a trial reminder
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("reminder", "trial-support"))
+
+	// Sign and save the event
+	ev.Sign(sign)
+	if _, _, err := pp.db.SaveEvent(pp.ctx, ev); err != nil {
+		return fmt.Errorf("failed to save trial reminder note: %w", err)
+	}
+
+	log.I.F("created trial reminder note for user %s (trial ends %s)", hex.Enc(userPubkey), trialEnd.Format("2006-01-02"))
+	return nil
+}
+
+// handleNotification processes incoming payment notifications
+func (pp *PaymentProcessor) handleNotification(
+	notificationType string, notification map[string]any,
+) error {
+	// Only process payment_received notifications
+	if notificationType != "payment_received" {
+		return nil
+	}
+
+	amount, ok := notification["amount"].(float64)
+	if !ok {
+		return fmt.Errorf("invalid amount")
+	}
+
+	// Prefer explicit payer/relay pubkeys if provided in metadata
+	var payerPubkey []byte
+	var userNpub string
+	if metadata, ok := notification["metadata"].(map[string]any); ok {
+		if s, ok := metadata["payer_pubkey"].(string); ok && s != "" {
+			if pk, err := decodeAnyPubkey(s); err == nil {
+				payerPubkey = pk
+			}
+		}
+		if payerPubkey == nil {
+			if s, ok := metadata["sender_pubkey"].(string); ok && s != "" { // alias
+				if pk, err := decodeAnyPubkey(s); err == nil {
+					payerPubkey = pk
+				}
+			}
+		}
+		// Optional: the intended subscriber npub (for backwards compat)
+		if userNpub == "" {
+			if npubField, ok := metadata["npub"].(string); ok {
+				userNpub = npubField
+			}
+		}
+		// If relay identity pubkey is provided, verify it matches ours
+		if s, ok := metadata["relay_pubkey"].(string); ok && s != "" {
+			if rpk, err := decodeAnyPubkey(s); err == nil {
+				if skb, err := pp.db.GetRelayIdentitySecret(); err == nil && len(skb) == 32 {
+					var signer p256k.Signer
+					if err := signer.InitSec(skb); err == nil {
+						if !strings.EqualFold(hex.Enc(rpk), hex.Enc(signer.Pub())) {
+							log.W.F("relay_pubkey in payment metadata does not match this relay identity: got %s want %s", hex.Enc(rpk), hex.Enc(signer.Pub()))
+						}
+					}
+				}
+			}
+		}
+	}
+
+	// Fallback: extract npub from description or metadata
+	description, _ := notification["description"].(string)
+	if userNpub == "" {
+		userNpub = pp.extractNpubFromDescription(description)
+	}
+
+	var pubkey []byte
+	var err error
+	if payerPubkey != nil {
+		pubkey = payerPubkey
+	} else {
+		if userNpub == "" {
+			return fmt.Errorf("no payer_pubkey or npub provided in payment notification")
+		}
+		pubkey, err = pp.npubToPubkey(userNpub)
+		if err != nil {
+			return fmt.Errorf("invalid npub: %w", err)
+		}
+	}
+
+	satsReceived := int64(amount / 1000)
+	monthlyPrice := pp.config.MonthlyPriceSats
+	if monthlyPrice <= 0 {
+		monthlyPrice = 6000
+	}
+
+	days := int((float64(satsReceived) / float64(monthlyPrice)) * 30)
+	if days < 1 {
+		return fmt.Errorf("payment amount too small")
+	}
+
+	if err := pp.db.ExtendSubscription(pubkey, days); err != nil {
+		return fmt.Errorf("failed to extend subscription: %w", err)
+	}
+
+	// Record payment history
+	invoice, _ := notification["invoice"].(string)
+	preimage, _ := notification["preimage"].(string)
+	if err := pp.db.RecordPayment(
+		pubkey, satsReceived, invoice, preimage,
+	); err != nil {
+		log.E.F("failed to record payment: %v", err)
+	}
+
+	// Log helpful identifiers
+	var payerHex = hex.Enc(pubkey)
+	if userNpub == "" {
+		log.I.F("payment processed: payer %s %d sats -> %d days", payerHex, satsReceived, days)
+	} else {
+		log.I.F("payment processed: %s (%s) %d sats -> %d days", userNpub, payerHex, satsReceived, days)
+	}
+
+	// Update ACL follows cache and relay follow list immediately
+	if pp.config != nil && pp.config.ACLMode == "follows" {
+		acl.Registry.AddFollow(pubkey)
+	}
+	// Trigger an immediate follow-list sync in background (best-effort)
+	go func() { _ = pp.syncFollowList() }()
+
+	// Create a note with payment confirmation and private tag
+	if err := pp.createPaymentNote(pubkey, satsReceived, days); err != nil {
+		log.E.F("failed to create payment note: %v", err)
+	}
+
+	return nil
+}
+
+// createPaymentNote creates a note recording the payment with private tag for authorization
+func (pp *PaymentProcessor) createPaymentNote(payerPubkey []byte, satsReceived int64, days int) error {
+	// Get relay identity secret to sign the note
+	skb, err := pp.db.GetRelayIdentitySecret()
+	if err != nil || len(skb) != 32 {
+		return fmt.Errorf("no relay identity configured")
+	}
+
+	// Initialize signer
+	sign := new(p256k.Signer)
+	if err := sign.InitSec(skb); err != nil {
+		return fmt.Errorf("failed to initialize signer: %w", err)
+	}
+
+	// Get subscription info to determine expiry
+	sub, err := pp.db.GetSubscription(payerPubkey)
+	if err != nil {
+		return fmt.Errorf("failed to get subscription: %w", err)
+	}
+
+	var expiryTime time.Time
+	if sub != nil && !sub.PaidUntil.IsZero() {
+		expiryTime = sub.PaidUntil
+	} else {
+		expiryTime = time.Now().AddDate(0, 0, days)
+	}
+
+	// Get relay npub for content link
+	relayNpubForContent, err := bech32encoding.BinToNpub(sign.Pub())
+	if err != nil {
+		return fmt.Errorf("failed to encode relay npub: %w", err)
+	}
+
+	// Create the note content with nostr:npub link and dashboard link
+	content := fmt.Sprintf("Payment received: %d sats for %d days. Subscription expires: %s\n\nRelay: nostr:%s\n\nLog in to the relay dashboard to access your configuration at: %s", 
+		satsReceived, days, expiryTime.Format("2006-01-02 15:04:05 UTC"), string(relayNpubForContent), pp.getDashboardURL())
+
+	// Build the event
+	ev := event.New()
+	ev.Kind = kind.TextNote.K // Kind 1 for text note
+	ev.Pubkey = sign.Pub()
+	ev.CreatedAt = timestamp.Now().V
+	ev.Content = []byte(content)
+	ev.Tags = tag.NewS()
+
+	// Add "p" tag for the payer
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("p", hex.Enc(payerPubkey)))
+
+	// Add expiration tag (5 days from creation)
+	noteExpiry := time.Now().AddDate(0, 0, 5)
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("expiration", fmt.Sprintf("%d", noteExpiry.Unix())))
+
+	// Add "private" tag with authorized npubs (payer and relay)
+	var authorizedNpubs []string
+	
+	// Add payer npub
+	payerNpub, err := bech32encoding.BinToNpub(payerPubkey)
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(payerNpub))
+	}
+	
+	// Add relay npub
+	relayNpub, err := bech32encoding.BinToNpub(sign.Pub())
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(relayNpub))
+	}
+
+	// Create the private tag with comma-separated npubs
+	if len(authorizedNpubs) > 0 {
+		privateTagValue := strings.Join(authorizedNpubs, ",")
+		*ev.Tags = append(*ev.Tags, tag.NewFromAny("private", privateTagValue))
+	}
+
+	// Sign and save the event
+	ev.Sign(sign)
+	if _, _, err := pp.db.SaveEvent(pp.ctx, ev); err != nil {
+		return fmt.Errorf("failed to save payment note: %w", err)
+	}
+
+	log.I.F("created payment note for %s with private authorization", hex.Enc(payerPubkey))
+	return nil
+}
+
+// CreateWelcomeNote creates a welcome note for first-time users with private tag for authorization
+func (pp *PaymentProcessor) CreateWelcomeNote(userPubkey []byte) error {
+	// Get relay identity secret to sign the note
+	skb, err := pp.db.GetRelayIdentitySecret()
+	if err != nil || len(skb) != 32 {
+		return fmt.Errorf("no relay identity configured")
+	}
+
+	// Initialize signer
+	sign := new(p256k.Signer)
+	if err := sign.InitSec(skb); err != nil {
+		return fmt.Errorf("failed to initialize signer: %w", err)
+	}
+
+	monthlyPrice := pp.config.MonthlyPriceSats
+	if monthlyPrice <= 0 {
+		monthlyPrice = 6000
+	}
+
+	// Get relay npub for content link
+	relayNpubForContent, err := bech32encoding.BinToNpub(sign.Pub())
+	if err != nil {
+		return fmt.Errorf("failed to encode relay npub: %w", err)
+	}
+
+	// Create the welcome note content with nostr:npub link
+	content := fmt.Sprintf(`Welcome to the relay! 🎉
+
+You have a FREE 30-day trial that started when you first logged in.
+
+💰 Subscription Details:
+- Monthly price: %d sats
+- Trial period: 30 days from first login
+
+💡 How to Subscribe:
+To extend your subscription after the trial ends, simply zap this note with the amount you want to pay. Each %d sats = 30 days of access.
+
+⚡ Payment Instructions:
+1. Use any Lightning wallet that supports zaps
+2. Zap this note with your payment
+3. Your subscription will be automatically extended
+
+Relay: nostr:%s
+
+Log in to the relay dashboard to access your configuration at: %s
+
+Enjoy your time on the relay!`, monthlyPrice, monthlyPrice, string(relayNpubForContent), pp.getDashboardURL())
+
+	// Build the event
+	ev := event.New()
+	ev.Kind = kind.TextNote.K // Kind 1 for text note
+	ev.Pubkey = sign.Pub()
+	ev.CreatedAt = timestamp.Now().V
+	ev.Content = []byte(content)
+	ev.Tags = tag.NewS()
+
+	// Add "p" tag for the user
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("p", hex.Enc(userPubkey)))
+
+	// Add expiration tag (5 days from creation)
+	noteExpiry := time.Now().AddDate(0, 0, 5)
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("expiration", fmt.Sprintf("%d", noteExpiry.Unix())))
+
+	// Add "private" tag with authorized npubs (user and relay)
+	var authorizedNpubs []string
+	
+	// Add user npub
+	userNpub, err := bech32encoding.BinToNpub(userPubkey)
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(userNpub))
+	}
+	
+	// Add relay npub
+	relayNpub, err := bech32encoding.BinToNpub(sign.Pub())
+	if err == nil {
+		authorizedNpubs = append(authorizedNpubs, string(relayNpub))
+	}
+
+	// Create the private tag with comma-separated npubs
+	if len(authorizedNpubs) > 0 {
+		privateTagValue := strings.Join(authorizedNpubs, ",")
+		*ev.Tags = append(*ev.Tags, tag.NewFromAny("private", privateTagValue))
+	}
+
+	// Add a special tag to mark this as a welcome note
+	*ev.Tags = append(*ev.Tags, tag.NewFromAny("welcome", "first-time-user"))
+
+	// Sign and save the event
+	ev.Sign(sign)
+	if _, _, err := pp.db.SaveEvent(pp.ctx, ev); err != nil {
+		return fmt.Errorf("failed to save welcome note: %w", err)
+	}
+
+	log.I.F("created welcome note for first-time user %s", hex.Enc(userPubkey))
+	return nil
+}
+
+// SetDashboardURL sets the dynamic dashboard URL based on HTTP request
+func (pp *PaymentProcessor) SetDashboardURL(url string) {
+	pp.dashboardURL = url
+}
+
+// getDashboardURL returns the dashboard URL for the relay
+func (pp *PaymentProcessor) getDashboardURL() string {
+	// Use dynamic URL if available
+	if pp.dashboardURL != "" {
+		return pp.dashboardURL
+	}
+	// Fallback to static config
+	if pp.config.RelayURL != "" {
+		return pp.config.RelayURL
+	}
+	// Default fallback if no URL is configured
+	return "https://your-relay.example.com"
+}
+
+// extractNpubFromDescription extracts an npub from the payment description
+func (pp *PaymentProcessor) extractNpubFromDescription(description string) string {
+	// check if the entire description is just an npub
+	description = strings.TrimSpace(description)
+	if strings.HasPrefix(description, "npub1") && len(description) == 63 {
+		return description
+	}
+
+	// Look for npub1... pattern in the description
+	parts := strings.Fields(description)
+	for _, part := range parts {
+		if strings.HasPrefix(part, "npub1") && len(part) == 63 {
+			return part
+		}
+	}
+
+	return ""
+}
+
+// npubToPubkey converts an npub string to pubkey bytes
+func (pp *PaymentProcessor) npubToPubkey(npubStr string) ([]byte, error) {
+	// Validate npub format
+	if !strings.HasPrefix(npubStr, "npub1") || len(npubStr) != 63 {
+		return nil, fmt.Errorf("invalid npub format")
+	}
+
+	// Decode using bech32encoding
+	prefix, value, err := bech32encoding.Decode([]byte(npubStr))
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode npub: %w", err)
+	}
+
+	if !strings.EqualFold(string(prefix), "npub") {
+		return nil, fmt.Errorf("invalid prefix: %s", string(prefix))
+	}
+
+	pubkey, ok := value.([]byte)
+	if !ok {
+		return nil, fmt.Errorf("decoded value is not []byte")
+	}
+
+	return pubkey, nil
+}
+
+// UpdateRelayProfile creates or updates the relay's kind 0 profile with subscription information
+func (pp *PaymentProcessor) UpdateRelayProfile() error {
+	// Get relay identity secret to sign the profile
+	skb, err := pp.db.GetRelayIdentitySecret()
+	if err != nil || len(skb) != 32 {
+		return fmt.Errorf("no relay identity configured")
+	}
+
+	// Initialize signer
+	sign := new(p256k.Signer)
+	if err := sign.InitSec(skb); err != nil {
+		return fmt.Errorf("failed to initialize signer: %w", err)
+	}
+
+	monthlyPrice := pp.config.MonthlyPriceSats
+	if monthlyPrice <= 0 {
+		monthlyPrice = 6000
+	}
+
+	// Calculate daily rate
+	dailyRate := monthlyPrice / 30
+
+	// Get relay wss:// URL - use dashboard URL but with wss:// scheme
+	relayURL := strings.Replace(pp.getDashboardURL(), "https://", "wss://", 1)
+
+	// Create profile content as JSON
+	profileContent := fmt.Sprintf(`{
+	"name": "Relay Bot",
+	"about": "This relay requires a subscription to access. Zap any of my notes to pay for access. Monthly price: %d sats (%d sats/day). Relay: %s",
+	"lud16": "",
+	"nip05": "",
+	"website": "%s"
+}`, monthlyPrice, dailyRate, relayURL, pp.getDashboardURL())
+
+	// Build the profile event
+	ev := event.New()
+	ev.Kind = kind.ProfileMetadata.K // Kind 0 for profile metadata
+	ev.Pubkey = sign.Pub()
+	ev.CreatedAt = timestamp.Now().V
+	ev.Content = []byte(profileContent)
+	ev.Tags = tag.NewS()
+
+	// Sign and save the event
+	ev.Sign(sign)
+	if _, _, err := pp.db.SaveEvent(pp.ctx, ev); err != nil {
+		return fmt.Errorf("failed to save relay profile: %w", err)
+	}
+
+	log.I.F("updated relay profile with subscription information")
+	return nil
+}
+
+// decodeAnyPubkey decodes a public key from either hex string or npub format
+func decodeAnyPubkey(s string) ([]byte, error) {
+	s = strings.TrimSpace(s)
+	if strings.HasPrefix(s, "npub1") {
+		prefix, value, err := bech32encoding.Decode([]byte(s))
+		if err != nil {
+			return nil, fmt.Errorf("failed to decode npub: %w", err)
+		}
+		if !strings.EqualFold(string(prefix), "npub") {
+			return nil, fmt.Errorf("invalid prefix: %s", string(prefix))
+		}
+		b, ok := value.([]byte)
+		if !ok {
+			return nil, fmt.Errorf("decoded value is not []byte")
+		}
+		return b, nil
+	}
+	// assume hex-encoded public key
+	return hex.Dec(s)
+}

app/server.go

@@ -40,6 +40,8 @@ type Server struct {
 	// Challenge storage for HTTP UI authentication
 	challengeMutex sync.RWMutex
 	challenges     map[string][]byte
+	
+	paymentProcessor *PaymentProcessor
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -111,6 +113,15 @@ func (s *Server) ServiceURL(req *http.Request) (st string) {
 	return proto + "://" + host
 }
 
+// DashboardURL constructs HTTPS URL for the dashboard based on the HTTP request
+func (s *Server) DashboardURL(req *http.Request) string {
+	host := req.Header.Get("X-Forwarded-Host")
+	if host == "" {
+		host = req.Host
+	}
+	return "https://" + host
+}
+
 // UserInterface sets up a basic Nostr NDK interface that allows users to log into the relay user interface
 func (s *Server) UserInterface() {
 	if s.mux == nil {
@@ -406,13 +417,14 @@ func (s *Server) handleExport(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Content-Type", "application/x-ndjson")
 	filename := "events-" + time.Now().UTC().Format("20060102-150405Z") + ".jsonl"
-	w.Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"")
+	w.Header().Set(
+		"Content-Disposition", "attachment; filename=\""+filename+"\"",
+	)
 
 	// Stream export
 	s.D.Export(s.Ctx, w, pks...)
 }
 
-
 // handleExportMine streams only the authenticated user's events as JSONL (NDJSON).
 func (s *Server) handleExportMine(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
@@ -434,7 +446,9 @@ func (s *Server) handleExportMine(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Content-Type", "application/x-ndjson")
 	filename := "my-events-" + time.Now().UTC().Format("20060102-150405Z") + ".jsonl"
-	w.Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"")
+	w.Header().Set(
+		"Content-Disposition", "attachment; filename=\""+filename+"\"",
+	)
 
 	// Stream export for this user's pubkey only
 	s.D.Export(s.Ctx, w, pubkey)
@@ -482,7 +496,7 @@ func (s *Server) handleImport(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "Empty request body", http.StatusBadRequest)
 			return
 		}
- 	s.D.Import(r.Body)
+		s.D.Import(r.Body)
 	}
 
 	w.Header().Set("Content-Type", "application/json")
@@ -552,7 +566,7 @@ func (s *Server) handleEventsMine(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Events are already sorted by QueryEvents in reverse chronological order
-	
+
 	// Apply offset and limit manually since QueryEvents doesn't support offset
 	totalEvents := len(events)
 	start := offset
@@ -568,11 +582,11 @@ func (s *Server) handleEventsMine(w http.ResponseWriter, r *http.Request) {
 
 	// Convert events to JSON response format
 	type EventResponse struct {
-		ID        string    `json:"id"`
-		Kind      int       `json:"kind"`
-		CreatedAt int64     `json:"created_at"`
-		Content   string    `json:"content"`
-		RawJSON   string    `json:"raw_json"`
+		ID        string `json:"id"`
+		Kind      int    `json:"kind"`
+		CreatedAt int64  `json:"created_at"`
+		Content   string `json:"content"`
+		RawJSON   string `json:"raw_json"`
 	}
 
 	response := struct {

app/web/dist/index.html

@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Nostr Relay</title>
     
-  <link rel="stylesheet" crossorigin href="./index-q4cwd1fy.css"><script type="module" crossorigin src="./index-sskmjaqz.js"></script></head>
+  <link rel="stylesheet" crossorigin href="./index-q4cwd1fy.css"><script type="module" crossorigin src="./index-w8zpqk4w.js"></script></head>
   <body>
     <script>
       // Apply system theme preference immediately to avoid flash of wrong theme

debug-websocket.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+# WebSocket Debug Script for Stella's Orly Relay
+
+echo "🔍 Debugging WebSocket Connection for orly-relay.imwald.eu"
+echo "=================================================="
+
+echo ""
+echo "📋 Step 1: Check if relay container is running"
+echo "----------------------------------------------"
+docker ps | grep -E "(stella|relay|orly)" || echo "❌ No relay containers found"
+
+echo ""
+echo "📋 Step 2: Test local relay connection"
+echo "--------------------------------------"
+if curl -s -I http://127.0.0.1:7777 | grep -q "426"; then
+    echo "✅ Local relay responding correctly (HTTP 426)"
+else
+    echo "❌ Local relay not responding correctly"
+    curl -I http://127.0.0.1:7777
+fi
+
+echo ""
+echo "📋 Step 3: Check Apache modules"
+echo "------------------------------"
+if apache2ctl -M 2>/dev/null | grep -q "proxy_wstunnel"; then
+    echo "✅ proxy_wstunnel module enabled"
+else
+    echo "❌ proxy_wstunnel module NOT enabled"
+    echo "Run: sudo a2enmod proxy_wstunnel"
+fi
+
+if apache2ctl -M 2>/dev/null | grep -q "rewrite"; then
+    echo "✅ rewrite module enabled"
+else
+    echo "❌ rewrite module NOT enabled"
+    echo "Run: sudo a2enmod rewrite"
+fi
+
+echo ""
+echo "📋 Step 4: Check Plesk Apache configuration"
+echo "------------------------------------------"
+if [ -f "/etc/apache2/plesk.conf.d/vhosts/orly-relay.imwald.eu.conf" ]; then
+    echo "✅ Plesk config file exists"
+    echo "Current proxy configuration:"
+    grep -E "(Proxy|Rewrite|proxy|rewrite)" /etc/apache2/plesk.conf.d/vhosts/orly-relay.imwald.eu.conf || echo "❌ No proxy/rewrite rules found"
+else
+    echo "❌ Plesk config file not found"
+fi
+
+echo ""
+echo "📋 Step 5: Test WebSocket connections"
+echo "------------------------------------"
+
+# Test with curl first (simpler)
+echo "Testing HTTP upgrade request to local relay..."
+if curl -s -I -H "Connection: Upgrade" -H "Upgrade: websocket" http://127.0.0.1:7777 | grep -q "426\|101"; then
+    echo "✅ Local relay accepts upgrade requests"
+else
+    echo "❌ Local relay doesn't accept upgrade requests"
+fi
+
+echo "Testing HTTP upgrade request to remote relay..."
+if curl -s -I -H "Connection: Upgrade" -H "Upgrade: websocket" https://orly-relay.imwald.eu | grep -q "426\|101"; then
+    echo "✅ Remote relay accepts upgrade requests"
+else
+    echo "❌ Remote relay doesn't accept upgrade requests"
+    echo "This indicates Apache proxy issue"
+fi
+
+# Try to install websocat if not available
+if ! command -v websocat >/dev/null 2>&1; then
+    echo ""
+    echo "📥 Installing websocat for proper WebSocket testing..."
+    if wget -q https://github.com/vi/websocat/releases/download/v1.12.0/websocat.x86_64-unknown-linux-musl -O websocat 2>/dev/null; then
+        chmod +x websocat
+        echo "✅ websocat installed"
+    else
+        echo "❌ Could not install websocat (no internet or wget issue)"
+        echo "Manual install: wget https://github.com/vi/websocat/releases/download/v1.12.0/websocat.x86_64-unknown-linux-musl -O websocat && chmod +x websocat"
+    fi
+fi
+
+# Test with websocat if available
+if command -v ./websocat >/dev/null 2>&1; then
+    echo ""
+    echo "Testing actual WebSocket connection..."
+    echo "Local WebSocket test:"
+    timeout 3 bash -c 'echo "[\"REQ\",\"test\",{}]" | ./websocat ws://127.0.0.1:7777/' 2>/dev/null || echo "❌ Local WebSocket failed"
+    
+    echo "Remote WebSocket test (ignoring SSL):"
+    timeout 3 bash -c 'echo "[\"REQ\",\"test\",{}]" | ./websocat --insecure wss://orly-relay.imwald.eu/' 2>/dev/null || echo "❌ Remote WebSocket failed"
+fi
+
+echo ""
+echo "📋 Step 6: Check ports and connections"
+echo "------------------------------------"
+echo "Ports listening on 7777:"
+netstat -tlnp 2>/dev/null | grep :7777 || ss -tlnp 2>/dev/null | grep :7777 || echo "❌ No process listening on port 7777"
+
+echo ""
+echo "📋 Step 7: Test SSL certificate"
+echo "------------------------------"
+echo "Certificate issuer:"
+echo | openssl s_client -connect orly-relay.imwald.eu:443 -servername orly-relay.imwald.eu 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || echo "❌ SSL test failed"
+
+echo ""
+echo "🎯 RECOMMENDED NEXT STEPS:"
+echo "========================="
+echo "1. If proxy_wstunnel is missing: sudo a2enmod proxy_wstunnel && sudo systemctl restart apache2"
+echo "2. If no proxy rules found: Add configuration in Plesk Apache & nginx Settings"
+echo "3. If local WebSocket fails: Check if relay container is actually running"
+echo "4. If remote WebSocket fails but local works: Apache proxy configuration issue"
+echo ""
+echo "🔧 Try this simple Plesk configuration:"
+echo "ProxyPass / http://127.0.0.1:7777/"
+echo "ProxyPassReverse / http://127.0.0.1:7777/"

docker-compose.yml

@@ -0,0 +1,93 @@
+# Docker Compose for Stella's Nostr Relay
+# Owner: npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx
+
+version: '3.8'
+
+services:
+  stella-relay:
+    image: silberengel/orly-relay:latest 
+    container_name: stella-nostr-relay
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:7777:7777"
+    volumes:
+      - relay_data:/data
+      - ./profiles:/profiles:ro
+    environment:
+      # Relay Configuration
+      - ORLY_DATA_DIR=/data
+      - ORLY_LISTEN=0.0.0.0
+      - ORLY_PORT=7777
+      - ORLY_LOG_LEVEL=info
+      - ORLY_MAX_CONNECTIONS=1000
+      - ORLY_OWNERS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx
+      - ORLY_ADMINS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx,npub1l5sga6xg72phsz5422ykujprejwud075ggrr3z2hwyrfgr7eylqstegx9z
+      
+      # Performance Settings (based on v0.4.8 optimizations)
+      - ORLY_CONCURRENT_WORKERS=0  # 0 = auto-detect CPU cores
+      - ORLY_BATCH_SIZE=1000
+      - ORLY_CACHE_SIZE=10000
+      
+      # Database Settings
+      - BADGER_LOG_LEVEL=ERROR
+      - BADGER_SYNC_WRITES=false  # Better performance, slightly less durability
+      
+      # Security Settings
+      - ORLY_REQUIRE_AUTH=false
+      - ORLY_MAX_EVENT_SIZE=65536
+      - ORLY_MAX_SUBSCRIPTIONS=20
+      
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:7777"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    
+    # Resource limits
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+        reservations:
+          memory: 256M
+          cpus: '0.25'
+    
+    # Logging configuration
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  # Optional: Nginx reverse proxy for SSL/domain setup
+  nginx:
+    image: nginx:alpine
+    container_name: stella-nginx
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/ssl:/etc/nginx/ssl:ro
+      - nginx_logs:/var/log/nginx
+    depends_on:
+      - stella-relay
+    profiles:
+      - proxy  # Only start with: docker-compose --profile proxy up
+
+volumes:
+  relay_data:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: ./data
+  nginx_logs:
+    driver: local
+
+networks:
+  default:
+    name: stella-relay-network

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/templexxx/xhex v0.0.0-20200614015412-aed53437177b
 	go-simpler.org/env v0.12.0
 	go.uber.org/atomic v1.11.0
+	golang.org/x/crypto v0.41.0
 	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b
 	golang.org/x/lint v0.0.0-20241112194109-818c5a804067
 	golang.org/x/net v0.43.0

go.sum

@@ -76,6 +76,8 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b h1:DXr+pvt3nC887026GRP39Ej11UATqWDmWuS99x26cD0=
 golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
 golang.org/x/exp/typeparams v0.0.0-20231108232855-2478ac86f678 h1:1P7xPZEwZMoBoz0Yze5Nx2/4pxj6nw9ZqHWXqP0iRgQ=

main.go

@@ -17,7 +17,9 @@ import (
 	"next.orly.dev/app"
 	"next.orly.dev/app/config"
 	"next.orly.dev/pkg/acl"
+	"next.orly.dev/pkg/crypto/keys"
 	"next.orly.dev/pkg/database"
+	"next.orly.dev/pkg/encoders/hex"
 	"next.orly.dev/pkg/spider"
 	"next.orly.dev/pkg/version"
 )
@@ -51,11 +53,32 @@ func main() {
 	runtime.GOMAXPROCS(runtime.NumCPU() * 4)
 	var err error
 	var cfg *config.C
-	if cfg, err = config.New(); chk.T(err) {
-	}
-	log.I.F("starting %s %s", cfg.AppName, version.V)
+ if cfg, err = config.New(); chk.T(err) {
+ }
+ log.I.F("starting %s %s", cfg.AppName, version.V)
 
-	// If OpenPprofWeb is true and profiling is enabled, we need to ensure HTTP profiling is also enabled
+ // Handle 'identity' subcommand: print relay identity secret and pubkey and exit
+ if config.IdentityRequested() {
+ 	ctx, cancel := context.WithCancel(context.Background())
+ 	defer cancel()
+ 	var db *database.D
+ 	if db, err = database.New(ctx, cancel, cfg.DataDir, cfg.DBLogLevel); chk.E(err) {
+ 		os.Exit(1)
+ 	}
+ 	defer db.Close()
+ 	skb, err := db.GetOrCreateRelayIdentitySecret()
+ 	if chk.E(err) {
+ 		os.Exit(1)
+ 	}
+ 	pk, err := keys.SecretBytesToPubKeyHex(skb)
+ 	if chk.E(err) {
+ 		os.Exit(1)
+ 	}
+ 	fmt.Printf("identity secret: %s\nidentity pubkey: %s\n", hex.Enc(skb), pk)
+ 	os.Exit(0)
+ }
+
+ // If OpenPprofWeb is true and profiling is enabled, we need to ensure HTTP profiling is also enabled
 	if cfg.OpenPprofWeb && cfg.Pprof != "" && !cfg.PprofHTTP {
 		log.I.F("enabling HTTP pprof server to support web viewer")
 		cfg.PprofHTTP = true

manage-relay.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# Stella's Orly Relay Management Script
+
+set -e
+
+RELAY_SERVICE="stella-relay"
+RELAY_URL="ws://127.0.0.1:7777"
+
+case "${1:-}" in
+    "start")
+        echo "🚀 Starting Stella's Orly Relay..."
+        sudo systemctl start $RELAY_SERVICE
+        echo "✅ Relay started!"
+        ;;
+    "stop")
+        echo "⏹️  Stopping Stella's Orly Relay..."
+        sudo systemctl stop $RELAY_SERVICE
+        echo "✅ Relay stopped!"
+        ;;
+    "restart")
+        echo "🔄 Restarting Stella's Orly Relay..."
+        sudo systemctl restart $RELAY_SERVICE
+        echo "✅ Relay restarted!"
+        ;;
+    "status")
+        echo "📊 Stella's Orly Relay Status:"
+        sudo systemctl status $RELAY_SERVICE --no-pager
+        ;;
+    "logs")
+        echo "📜 Stella's Orly Relay Logs:"
+        sudo journalctl -u $RELAY_SERVICE -f --no-pager
+        ;;
+    "test")
+        echo "🧪 Testing relay connection..."
+        if curl -s -I http://127.0.0.1:7777 | grep -q "426 Upgrade Required"; then
+            echo "✅ Relay is responding correctly!"
+            echo "📡 WebSocket URL: $RELAY_URL"
+        else
+            echo "❌ Relay is not responding correctly"
+            exit 1
+        fi
+        ;;
+    "enable")
+        echo "🔧 Enabling relay to start at boot..."
+        sudo systemctl enable $RELAY_SERVICE
+        echo "✅ Relay will start automatically at boot!"
+        ;;
+    "disable")
+        echo "🔧 Disabling relay auto-start..."
+        sudo systemctl disable $RELAY_SERVICE
+        echo "✅ Relay will not start automatically at boot!"
+        ;;
+    "info")
+        echo "📋 Stella's Orly Relay Information:"
+        echo "   Service: $RELAY_SERVICE"
+        echo "   WebSocket URL: $RELAY_URL"
+        echo "   HTTP URL: http://127.0.0.1:7777"
+        echo "   Data Directory: /home/madmin/.local/share/orly-relay"
+        echo "   Config Directory: $(pwd)"
+        echo ""
+        echo "🔑 Admin NPubs:"
+        echo "   Stella: npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx"
+        echo "   Admin2: npub1l5sga6xg72phsz5422ykujprejwud075ggrr3z2hwyrfgr7eylqstegx9z"
+        ;;
+    *)
+        echo "🌲 Stella's Orly Relay Management Script"
+        echo ""
+        echo "Usage: $0 [COMMAND]"
+        echo ""
+        echo "Commands:"
+        echo "  start     Start the relay"
+        echo "  stop      Stop the relay"
+        echo "  restart   Restart the relay"
+        echo "  status    Show relay status"
+        echo "  logs      Show relay logs (follow mode)"
+        echo "  test      Test relay connection"
+        echo "  enable    Enable auto-start at boot"
+        echo "  disable   Disable auto-start at boot"
+        echo "  info      Show relay information"
+        echo ""
+        echo "Examples:"
+        echo "  $0 start      # Start the relay"
+        echo "  $0 status     # Check if it's running"
+        echo "  $0 test       # Test WebSocket connection"
+        echo "  $0 logs       # Watch real-time logs"
+        echo ""
+        echo "🌲 Crafted in the digital forest by Stella ✨"
+        ;;
+esac

pkg/acl/acl.go

@@ -66,3 +66,15 @@ func (s *S) Type() (typ string) {
 	}
 	return
 }
+
+// AddFollow forwards a pubkey to the active ACL if it supports dynamic follows
+func (s *S) AddFollow(pub []byte) {
+	for _, i := range s.ACL {
+		if i.Type() == s.Active.Load() {
+			if f, ok := i.(*Follows); ok {
+				f.AddFollow(pub)
+			}
+			break
+		}
+	}
+}

pkg/acl/follows.go

@@ -1,6 +1,7 @@
 package acl
 
 import (
+	"bytes"
 	"context"
 	"reflect"
 	"strings"
@@ -370,6 +371,32 @@ func (f *Follows) GetFollowedPubkeys() [][]byte {
 	return followedPubkeys
 }
 
+// AddFollow appends a pubkey to the in-memory follows list if not already present
+// and signals the syncer to refresh subscriptions.
+func (f *Follows) AddFollow(pub []byte) {
+	if len(pub) == 0 {
+		return
+	}
+	f.followsMx.Lock()
+	defer f.followsMx.Unlock()
+	for _, p := range f.follows {
+		if bytes.Equal(p, pub) {
+			return
+		}
+	}
+	b := make([]byte, len(pub))
+	copy(b, pub)
+	f.follows = append(f.follows, b)
+	// notify syncer if initialized
+	if f.updated != nil {
+		select {
+		case f.updated <- struct{}{}:
+		default:
+			// if channel is full or not yet listened to, ignore
+		}
+	}
+}
+
 func init() {
 	log.T.F("registering follows ACL")
 	Registry.Register(new(Follows))

pkg/crypto/encryption/README.md

@@ -0,0 +1 @@
+Code copied from https://github.com/paulmillr/nip44/tree/e7aed61aaf77240ac10c325683eed14b22e7950f/go.

pkg/crypto/encryption/doc.go

@@ -0,0 +1,3 @@
+// Package encryption contains the message encryption schemes defined in NIP-04
+// and NIP-44, used for encrypting the content of nostr messages.
+package encryption

pkg/crypto/encryption/nip4.go

@@ -0,0 +1,88 @@
+package encryption
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/base64"
+
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/errorf"
+	"lukechampine.com/frand"
+)
+
+// EncryptNip4 encrypts message with key using aes-256-cbc. key should be the shared secret generated by
+// ComputeSharedSecret.
+//
+// Returns: base64(encrypted_bytes) + "?iv=" + base64(initialization_vector).
+func EncryptNip4(msg, key []byte) (ct []byte, err error) {
+	// block size is 16 bytes
+	iv := make([]byte, 16)
+	if _, err = frand.Read(iv); chk.E(err) {
+		err = errorf.E("error creating initialization vector: %w", err)
+		return
+	}
+	// automatically picks aes-256 based on key length (32 bytes)
+	var block cipher.Block
+	if block, err = aes.NewCipher(key); chk.E(err) {
+		err = errorf.E("error creating block cipher: %w", err)
+		return
+	}
+	mode := cipher.NewCBCEncrypter(block, iv)
+	plaintext := []byte(msg)
+	// add padding
+	base := len(plaintext)
+	// this will be a number between 1 and 16 (inclusive), never 0
+	bs := block.BlockSize()
+	padding := bs - base%bs
+	// encode the padding in all the padding bytes themselves
+	padText := bytes.Repeat([]byte{byte(padding)}, padding)
+	paddedMsgBytes := append(plaintext, padText...)
+	ciphertext := make([]byte, len(paddedMsgBytes))
+	mode.CryptBlocks(ciphertext, paddedMsgBytes)
+	return []byte(base64.StdEncoding.EncodeToString(ciphertext) + "?iv=" +
+		base64.StdEncoding.EncodeToString(iv)), nil
+}
+
+// DecryptNip4 decrypts a content string using the shared secret key. The inverse operation to message ->
+// EncryptNip4(message, key).
+func DecryptNip4(content, key []byte) (msg []byte, err error) {
+	parts := bytes.Split(content, []byte("?iv="))
+	if len(parts) < 2 {
+		return nil, errorf.E(
+			"error parsing encrypted message: no initialization vector",
+		)
+	}
+	ciphertext := make([]byte, base64.StdEncoding.EncodedLen(len(parts[0])))
+	if _, err = base64.StdEncoding.Decode(ciphertext, parts[0]); chk.E(err) {
+		err = errorf.E("error decoding ciphertext from base64: %w", err)
+		return
+	}
+	iv := make([]byte, base64.StdEncoding.EncodedLen(len(parts[1])))
+	if _, err = base64.StdEncoding.Decode(iv, parts[1]); chk.E(err) {
+		err = errorf.E("error decoding iv from base64: %w", err)
+		return
+	}
+	var block cipher.Block
+	if block, err = aes.NewCipher(key); chk.E(err) {
+		err = errorf.E("error creating block cipher: %w", err)
+		return
+	}
+	mode := cipher.NewCBCDecrypter(block, iv)
+	msg = make([]byte, len(ciphertext))
+	mode.CryptBlocks(msg, ciphertext)
+	// remove padding
+	var (
+		plaintextLen = len(msg)
+	)
+	if plaintextLen > 0 {
+		// the padding amount is encoded in the padding bytes themselves
+		padding := int(msg[plaintextLen-1])
+		if padding > plaintextLen {
+			err = errorf.E("invalid padding amount: %d", padding)
+			return
+		}
+		msg = msg[0 : plaintextLen-padding]
+	}
+	return msg, nil
+}

pkg/crypto/encryption/nip44.go

@@ -0,0 +1,260 @@
+package encryption
+
+import (
+	"crypto/hmac"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/binary"
+	"io"
+	"math"
+
+	"golang.org/x/crypto/chacha20"
+	"golang.org/x/crypto/hkdf"
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/errorf"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/crypto/sha256"
+	"next.orly.dev/pkg/interfaces/signer"
+	"next.orly.dev/pkg/utils"
+)
+
+const (
+	version          byte = 2
+	MinPlaintextSize      = 0x0001 // 1b msg => padded to 32b
+	MaxPlaintextSize      = 0xffff // 65535 (64kb-1) => padded to 64kb
+)
+
+type Opts struct {
+	err   error
+	nonce []byte
+}
+
+// Deprecated: use WithCustomNonce instead of WithCustomSalt, so the naming is less confusing
+var WithCustomSalt = WithCustomNonce
+
+// WithCustomNonce enables using a custom nonce (salt) instead of using the
+// system crypto/rand entropy source.
+func WithCustomNonce(salt []byte) func(opts *Opts) {
+	return func(opts *Opts) {
+		if len(salt) != 32 {
+			opts.err = errorf.E("salt must be 32 bytes, got %d", len(salt))
+		}
+		opts.nonce = salt
+	}
+}
+
+// Encrypt data using a provided symmetric conversation key using NIP-44
+// encryption (chacha20 cipher stream and sha256 HMAC).
+func Encrypt(
+	plaintext, conversationKey []byte, applyOptions ...func(opts *Opts),
+) (
+	cipherString []byte, err error,
+) {
+
+	var o Opts
+	for _, apply := range applyOptions {
+		apply(&o)
+	}
+	if chk.E(o.err) {
+		err = o.err
+		return
+	}
+	if o.nonce == nil {
+		o.nonce = make([]byte, 32)
+		if _, err = rand.Read(o.nonce); chk.E(err) {
+			return
+		}
+	}
+	var enc, cc20nonce, auth []byte
+	if enc, cc20nonce, auth, err = getKeys(
+		conversationKey, o.nonce,
+	); chk.E(err) {
+		return
+	}
+	plain := plaintext
+	size := len(plain)
+	if size < MinPlaintextSize || size > MaxPlaintextSize {
+		err = errorf.E("plaintext should be between 1b and 64kB")
+		return
+	}
+	padding := CalcPadding(size)
+	padded := make([]byte, 2+padding)
+	binary.BigEndian.PutUint16(padded, uint16(size))
+	copy(padded[2:], plain)
+	var cipher []byte
+	if cipher, err = encrypt(enc, cc20nonce, padded); chk.E(err) {
+		return
+	}
+	var mac []byte
+	if mac, err = sha256Hmac(auth, cipher, o.nonce); chk.E(err) {
+		return
+	}
+	ct := make([]byte, 0, 1+32+len(cipher)+32)
+	ct = append(ct, version)
+	ct = append(ct, o.nonce...)
+	ct = append(ct, cipher...)
+	ct = append(ct, mac...)
+	cipherString = make([]byte, base64.StdEncoding.EncodedLen(len(ct)))
+	base64.StdEncoding.Encode(cipherString, ct)
+	return
+}
+
+// Decrypt data that has been encoded using a provided symmetric conversation
+// key using NIP-44 encryption (chacha20 cipher stream and sha256 HMAC).
+func Decrypt(b64ciphertextWrapped, conversationKey []byte) (
+	plaintext []byte,
+	err error,
+) {
+	cLen := len(b64ciphertextWrapped)
+	if cLen < 132 || cLen > 87472 {
+		err = errorf.E("invalid payload length: %d", cLen)
+		return
+	}
+	if len(b64ciphertextWrapped) > 0 && b64ciphertextWrapped[0] == '#' {
+		err = errorf.E("unknown version")
+		return
+	}
+	var decoded []byte
+	if decoded, err = base64.StdEncoding.DecodeString(string(b64ciphertextWrapped)); chk.E(err) {
+		return
+	}
+	if decoded[0] != version {
+		err = errorf.E("unknown version %d", decoded[0])
+		return
+	}
+	dLen := len(decoded)
+	if dLen < 99 || dLen > 65603 {
+		err = errorf.E("invalid data length: %d", dLen)
+		return
+	}
+	nonce, ciphertext, givenMac := decoded[1:33], decoded[33:dLen-32], decoded[dLen-32:]
+	var enc, cc20nonce, auth []byte
+	if enc, cc20nonce, auth, err = getKeys(conversationKey, nonce); chk.E(err) {
+		return
+	}
+	var expectedMac []byte
+	if expectedMac, err = sha256Hmac(auth, ciphertext, nonce); chk.E(err) {
+		return
+	}
+	if !utils.FastEqual(givenMac, expectedMac) {
+		err = errorf.E("invalid hmac")
+		return
+	}
+	var padded []byte
+	if padded, err = encrypt(enc, cc20nonce, ciphertext); chk.E(err) {
+		return
+	}
+	unpaddedLen := binary.BigEndian.Uint16(padded[0:2])
+	if unpaddedLen < uint16(MinPlaintextSize) || unpaddedLen > uint16(MaxPlaintextSize) ||
+		len(padded) != 2+CalcPadding(int(unpaddedLen)) {
+		err = errorf.E("invalid padding")
+		return
+	}
+	unpadded := padded[2:][:unpaddedLen]
+	if len(unpadded) == 0 || len(unpadded) != int(unpaddedLen) {
+		err = errorf.E("invalid padding")
+		return
+	}
+	plaintext = unpadded
+	return
+}
+
+// GenerateConversationKeyFromHex performs an ECDH key generation hashed with the nip-44-v2 using hkdf.
+func GenerateConversationKeyFromHex(pkh, skh string) (ck []byte, err error) {
+	if skh >= "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141" ||
+		skh == "0000000000000000000000000000000000000000000000000000000000000000" {
+		err = errorf.E(
+			"invalid private key: x coordinate %s is not on the secp256k1 curve",
+			skh,
+		)
+		return
+	}
+	var sign signer.I
+	if sign, err = p256k.NewSecFromHex(skh); chk.E(err) {
+		return
+	}
+	var pk []byte
+	if pk, err = p256k.HexToBin(pkh); chk.E(err) {
+		return
+	}
+	var shared []byte
+	if shared, err = sign.ECDH(pk); chk.E(err) {
+		return
+	}
+	ck = hkdf.Extract(sha256.New, shared, []byte("nip44-v2"))
+	return
+}
+
+func GenerateConversationKeyWithSigner(sign signer.I, pk []byte) (
+	ck []byte, err error,
+) {
+	var shared []byte
+	if shared, err = sign.ECDH(pk); chk.E(err) {
+		return
+	}
+	ck = hkdf.Extract(sha256.New, shared, []byte("nip44-v2"))
+	return
+}
+
+func encrypt(key, nonce, message []byte) (dst []byte, err error) {
+	var cipher *chacha20.Cipher
+	if cipher, err = chacha20.NewUnauthenticatedCipher(key, nonce); chk.E(err) {
+		return
+	}
+	dst = make([]byte, len(message))
+	cipher.XORKeyStream(dst, message)
+	return
+}
+
+func sha256Hmac(key, ciphertext, nonce []byte) (h []byte, err error) {
+	if len(nonce) != sha256.Size {
+		err = errorf.E("nonce aad must be 32 bytes")
+		return
+	}
+	hm := hmac.New(sha256.New, key)
+	hm.Write(nonce)
+	hm.Write(ciphertext)
+	h = hm.Sum(nil)
+	return
+}
+
+func getKeys(conversationKey, nonce []byte) (
+	enc, cc20nonce, auth []byte, err error,
+) {
+	if len(conversationKey) != 32 {
+		err = errorf.E("conversation key must be 32 bytes")
+		return
+	}
+	if len(nonce) != 32 {
+		err = errorf.E("nonce must be 32 bytes")
+		return
+	}
+	r := hkdf.Expand(sha256.New, conversationKey, nonce)
+	enc = make([]byte, 32)
+	if _, err = io.ReadFull(r, enc); chk.E(err) {
+		return
+	}
+	cc20nonce = make([]byte, 12)
+	if _, err = io.ReadFull(r, cc20nonce); chk.E(err) {
+		return
+	}
+	auth = make([]byte, 32)
+	if _, err = io.ReadFull(r, auth); chk.E(err) {
+		return
+	}
+	return
+}
+
+// CalcPadding creates padding for the message payload that is precisely a power
+// of two in order to reduce the chances of plaintext attack. This is plainly
+// retarded because it could blow out the message size a lot when just a random few
+// dozen bytes and a length prefix would achieve the same result.
+func CalcPadding(sLen int) (l int) {
+	if sLen <= 32 {
+		return 32
+	}
+	nextPower := 1 << int(math.Floor(math.Log2(float64(sLen-1)))+1)
+	chunk := int(math.Max(32, float64(nextPower/8)))
+	l = chunk * int(math.Floor(float64((sLen-1)/chunk))+1)
+	return
+}

pkg/crypto/keys/keys.go

@@ -0,0 +1,83 @@
+// Package keys is a set of helpers for generating and converting public/secret
+// keys to hex and back to binary.
+package keys
+
+import (
+	"bytes"
+
+	"lol.mleku.dev/chk"
+	"next.orly.dev/pkg/crypto/ec/schnorr"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/encoders/hex"
+	"next.orly.dev/pkg/utils"
+)
+
+// GeneratePrivateKey - deprecated, use GenerateSecretKeyHex
+var GeneratePrivateKey = func() string { return GenerateSecretKeyHex() }
+
+// GenerateSecretKey creates a new secret key and returns the bytes of the secret.
+func GenerateSecretKey() (skb []byte, err error) {
+	signer := &p256k.Signer{}
+	if err = signer.Generate(); chk.E(err) {
+		return
+	}
+	skb = signer.Sec()
+	return
+}
+
+// GenerateSecretKeyHex generates a secret key and encodes the bytes as hex.
+func GenerateSecretKeyHex() (sks string) {
+	skb, err := GenerateSecretKey()
+	if chk.E(err) {
+		return
+	}
+	return hex.Enc(skb)
+}
+
+// GetPublicKeyHex generates a public key from a hex encoded secret key.
+func GetPublicKeyHex(sk string) (pk string, err error) {
+	var b []byte
+	if b, err = hex.Dec(sk); chk.E(err) {
+		return
+	}
+	signer := &p256k.Signer{}
+	if err = signer.InitSec(b); chk.E(err) {
+		return
+	}
+
+	return hex.Enc(signer.Pub()), nil
+}
+
+// SecretBytesToPubKeyHex generates a public key from secret key bytes.
+func SecretBytesToPubKeyHex(skb []byte) (pk string, err error) {
+	signer := &p256k.Signer{}
+	if err = signer.InitSec(skb); chk.E(err) {
+		return
+	}
+	return hex.Enc(signer.Pub()), nil
+}
+
+// IsValid32ByteHex checks that a hex string is a valid 32 bytes lower case hex encoded value as
+// per nostr NIP-01 spec.
+func IsValid32ByteHex[V []byte | string](pk V) bool {
+	if utils.FastEqual(bytes.ToLower([]byte(pk)), []byte(pk)) {
+		return false
+	}
+	var err error
+	dec := make([]byte, 32)
+	if _, err = hex.DecBytes(dec, []byte(pk)); chk.E(err) {
+	}
+	return len(dec) == 32
+}
+
+// IsValidPublicKey checks that a hex encoded public key is a valid BIP-340 public key.
+func IsValidPublicKey[V []byte | string](pk V) bool {
+	v, _ := hex.Dec(string(pk))
+	_, err := schnorr.ParsePubKey(v)
+	return err == nil
+}
+
+// HexPubkeyToBytes decodes a pubkey from hex encoded string/bytes.
+func HexPubkeyToBytes[V []byte | string](hpk V) (pkb []byte, err error) {
+	return hex.DecAppend(nil, []byte(hpk))
+}

pkg/database/identity.go

@@ -0,0 +1,81 @@
+package database
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/dgraph-io/badger/v4"
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/log"
+	"next.orly.dev/pkg/crypto/keys"
+	"next.orly.dev/pkg/encoders/hex"
+)
+
+const relayIdentitySecretKey = "relay:identity:sk"
+
+// GetRelayIdentitySecret returns the relay identity secret key bytes if present.
+// If the key is not found, returns (nil, badger.ErrKeyNotFound).
+func (d *D) GetRelayIdentitySecret() (skb []byte, err error) {
+	err = d.DB.View(func(txn *badger.Txn) error {
+		item, err := txn.Get([]byte(relayIdentitySecretKey))
+		if errors.Is(err, badger.ErrKeyNotFound) {
+			return err
+		}
+		if err != nil {
+			return err
+		}
+		return item.Value(func(val []byte) error {
+			// value stored as hex string
+			b, err := hex.Dec(string(val))
+			if err != nil {
+				return err
+			}
+			skb = make([]byte, len(b))
+			copy(skb, b)
+			return nil
+		})
+	})
+	return
+}
+
+// SetRelayIdentitySecret stores the relay identity secret key bytes (expects 32 bytes).
+func (d *D) SetRelayIdentitySecret(skb []byte) (err error) {
+	if len(skb) != 32 {
+		return fmt.Errorf("invalid secret key length: %d", len(skb))
+	}
+	val := []byte(hex.Enc(skb))
+	return d.DB.Update(func(txn *badger.Txn) error {
+		return txn.Set([]byte(relayIdentitySecretKey), val)
+	})
+}
+
+// GetOrCreateRelayIdentitySecret retrieves the existing relay identity secret
+// key or creates and stores a new one if none exists.
+func (d *D) GetOrCreateRelayIdentitySecret() (skb []byte, err error) {
+	// Try get fast path
+	if skb, err = d.GetRelayIdentitySecret(); err == nil && len(skb) == 32 {
+		return skb, nil
+	}
+	if err != nil && !errors.Is(err, badger.ErrKeyNotFound) {
+		return nil, err
+	}
+
+	// Create new key and store atomically
+	var gen []byte
+	if gen, err = keys.GenerateSecretKey(); chk.E(err) {
+		return nil, err
+	}
+	if err = d.SetRelayIdentitySecret(gen); chk.E(err) {
+		return nil, err
+	}
+	log.I.F("generated new relay identity key (pub=%s)", mustPub(gen))
+	return gen, nil
+}
+
+func mustPub(skb []byte) string {
+	pk, err := keys.SecretBytesToPubKeyHex(skb)
+	if err != nil {
+		return ""
+	}
+	return pk
+}

pkg/database/query-for-deleted.go

@@ -173,10 +173,10 @@ func (d *D) CheckForDeleted(ev *event.E, admins [][]byte) (err error) {
 				}
 			}
 			if ev.CreatedAt < maxTs {
-				// err = fmt.Errorf(
-				// 	"blocked: was deleted by address %s: event is older than the delete: event: %d delete: %d",
-				// 	at, ev.CreatedAt, maxTs,
-				// )
+				err = errorf.E(
+					"blocked: %0x was deleted by address %s because it is older than the delete: event: %d delete: %d",
+					ev.ID, at, ev.CreatedAt, maxTs,
+				)
 				return
 			}
 			return
@@ -203,22 +203,14 @@ func (d *D) CheckForDeleted(ev *event.E, admins [][]byte) (err error) {
 			return
 		}
 		if len(s) > 0 {
-			// For e-tag deletions (delete by ID), any deletion event means the event cannot be resubmitted
-			// regardless of timestamp, since it's a specific deletion of this exact event
-			// err = errorf.E(
-			// 	"blocked: was deleted by ID and cannot be resubmitted",
-			// 	// ev.ID,
-			// )
+			// Any e-tag deletion found means the exact event was deleted and cannot be resubmitted
+			err = errorf.E("blocked: %0x has been deleted", ev.ID)
 			return
 		}
 	}
 	if len(sers) > 0 {
-		// For e-tag deletions (delete by ID), any deletion event means the event cannot be resubmitted
-		// regardless of timestamp, since it's a specific deletion of this exact event
-		// err = errorf.E(
-		// 	"blocked: was deleted by ID and cannot be resubmitted",
-		// 	// ev.ID,
-		// )
+		// Any e-tag deletion found means the exact event was deleted and cannot be resubmitted
+		err = errorf.E("blocked: %0x has been deleted", ev.ID)
 		return
 	}
 

pkg/database/subscriptions.go

@@ -188,3 +188,30 @@ func (d *D) GetPaymentHistory(pubkey []byte) ([]Payment, error) {
 
 	return payments, err
 }
+
+// IsFirstTimeUser checks if a user is logging in for the first time and marks them as seen
+func (d *D) IsFirstTimeUser(pubkey []byte) (bool, error) {
+	key := fmt.Sprintf("firstlogin:%s", hex.EncodeToString(pubkey))
+	
+	isFirstTime := false
+	err := d.DB.Update(
+		func(txn *badger.Txn) error {
+			_, err := txn.Get([]byte(key))
+			if errors.Is(err, badger.ErrKeyNotFound) {
+				// First time - record the login
+				isFirstTime = true
+				now := time.Now()
+				data, err := json.Marshal(map[string]interface{}{
+					"first_login": now,
+				})
+				if err != nil {
+					return err
+				}
+				return txn.Set([]byte(key), data)
+			}
+			return err // Return any other error as-is
+		},
+	)
+	
+	return isFirstTime, err
+}

pkg/encoders/tag/tag.go

@@ -8,7 +8,7 @@ import (
 
 	"lol.mleku.dev/errorf"
 	"next.orly.dev/pkg/encoders/text"
-	utils "next.orly.dev/pkg/utils"
+	"next.orly.dev/pkg/utils"
 )
 
 // The tag position meanings, so they are clear when reading.

pkg/encoders/tag/tags.go

@@ -147,6 +147,9 @@ func (s *S) Unmarshal(b []byte) (r []byte, err error) {
 
 // GetFirst returns the first tag.T that has the same Key as t.
 func (s *S) GetFirst(t []byte) (first *T) {
+	if s == nil || len(*s) < 1 {
+		return
+	}
 	for _, tt := range *s {
 		if tt.Len() == 0 {
 			continue
@@ -159,10 +162,24 @@ func (s *S) GetFirst(t []byte) (first *T) {
 }
 
 func (s *S) GetAll(t []byte) (all []*T) {
+	if s == nil || len(*s) < 1 {
+		return
+	}
 	for _, tt := range *s {
+		if len(tt.T) < 1 {
+			continue
+		}
 		if utils.FastEqual(tt.T[0], t) {
 			all = append(all, tt)
 		}
 	}
 	return
 }
+
+func (s *S) GetTagElement(i int) (t *T) {
+	if s == nil || len(*s) < i {
+		return
+	}
+	t = (*s)[i]
+	return
+}

pkg/protocol/nwc/README.md

@@ -0,0 +1,56 @@
+# NWC Client
+
+Nostr Wallet Connect (NIP-47) client implementation.
+
+## Usage
+
+```go
+import "orly.dev/pkg/protocol/nwc"
+
+// Create client from NWC connection URI
+client, err := nwc.NewClient("nostr+walletconnect://...")
+if err != nil {
+    log.Fatal(err)
+}
+
+// Make requests
+var info map[string]any
+err = client.Request(ctx, "get_info", nil, &info)
+
+var balance map[string]any
+err = client.Request(ctx, "get_balance", nil, &balance)
+
+var invoice map[string]any
+params := map[string]any{"amount": 1000, "description": "test"}
+err = client.Request(ctx, "make_invoice", params, &invoice)
+```
+
+## Methods
+
+- `get_info` - Get wallet info
+- `get_balance` - Get wallet balance  
+- `make_invoice` - Create invoice
+- `lookup_invoice` - Check invoice status
+- `pay_invoice` - Pay invoice
+
+## Payment Notifications
+
+```go
+// Subscribe to payment notifications
+err = client.SubscribeNotifications(ctx, func(notificationType string, notification map[string]any) error {
+    if notificationType == "payment_received" {
+        amount := notification["amount"].(float64)
+        description := notification["description"].(string)
+        // Process payment...
+    }
+    return nil
+})
+```
+
+## Features
+
+- NIP-44 encryption
+- Event signing
+- Relay communication
+- Payment notifications
+- Error handling

pkg/protocol/nwc/client.go

@@ -0,0 +1,265 @@
+package nwc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/log"
+	"next.orly.dev/pkg/crypto/encryption"
+	"next.orly.dev/pkg/encoders/event"
+	"next.orly.dev/pkg/encoders/filter"
+	"next.orly.dev/pkg/encoders/hex"
+	"next.orly.dev/pkg/encoders/kind"
+	"next.orly.dev/pkg/encoders/tag"
+	"next.orly.dev/pkg/encoders/timestamp"
+	"next.orly.dev/pkg/interfaces/signer"
+	"next.orly.dev/pkg/protocol/ws"
+	"next.orly.dev/pkg/utils/values"
+)
+
+type Client struct {
+	relay           string
+	clientSecretKey signer.I
+	walletPublicKey []byte
+	conversationKey []byte
+}
+
+func NewClient(connectionURI string) (cl *Client, err error) {
+	var parts *ConnectionParams
+	if parts, err = ParseConnectionURI(connectionURI); chk.E(err) {
+		return
+	}
+	cl = &Client{
+		relay:           parts.relay,
+		clientSecretKey: parts.clientSecretKey,
+		walletPublicKey: parts.walletPublicKey,
+		conversationKey: parts.conversationKey,
+	}
+	return
+}
+
+func (cl *Client) Request(
+	c context.Context, method string, params, result any,
+) (err error) {
+	ctx, cancel := context.WithTimeout(c, 10*time.Second)
+	defer cancel()
+
+	request := map[string]any{"method": method}
+	if params != nil {
+		request["params"] = params
+	}
+
+	var req []byte
+	if req, err = json.Marshal(request); chk.E(err) {
+		return
+	}
+
+	var content []byte
+	if content, err = encryption.Encrypt(req, cl.conversationKey); chk.E(err) {
+		return
+	}
+
+	ev := &event.E{
+		Content:   content,
+		CreatedAt: time.Now().Unix(),
+		Kind:      23194,
+		Tags: tag.NewS(
+			tag.NewFromAny("encryption", "nip44_v2"),
+			tag.NewFromAny("p", hex.Enc(cl.walletPublicKey)),
+		),
+	}
+
+	if err = ev.Sign(cl.clientSecretKey); chk.E(err) {
+		return
+	}
+
+	var rc *ws.Client
+	if rc, err = ws.RelayConnect(ctx, cl.relay); chk.E(err) {
+		return
+	}
+	defer rc.Close()
+
+	var sub *ws.Subscription
+	if sub, err = rc.Subscribe(
+		ctx, filter.NewS(
+			&filter.F{
+				Limit: values.ToUintPointer(1),
+				Kinds: kind.NewS(kind.New(23195)),
+				Since: &timestamp.T{V: time.Now().Unix()},
+			},
+		),
+	); chk.E(err) {
+		return
+	}
+	defer sub.Unsub()
+
+	if err = rc.Publish(ctx, ev); chk.E(err) {
+		return fmt.Errorf("publish failed: %w", err)
+	}
+
+	select {
+	case <-ctx.Done():
+		return fmt.Errorf("no response from wallet (connection may be inactive)")
+	case e := <-sub.Events:
+		if e == nil {
+			return fmt.Errorf("subscription closed (wallet connection inactive)")
+		}
+		if len(e.Content) == 0 {
+			return fmt.Errorf("empty response content")
+		}
+		var raw []byte
+		if raw, err = encryption.Decrypt(
+			e.Content, cl.conversationKey,
+		); chk.E(err) {
+			return fmt.Errorf(
+				"decryption failed (invalid conversation key): %w", err,
+			)
+		}
+
+		var resp map[string]any
+		if err = json.Unmarshal(raw, &resp); chk.E(err) {
+			return
+		}
+
+		if errData, ok := resp["error"].(map[string]any); ok {
+			code, _ := errData["code"].(string)
+			msg, _ := errData["message"].(string)
+			return fmt.Errorf("%s: %s", code, msg)
+		}
+
+		if result != nil && resp["result"] != nil {
+			var resultBytes []byte
+			if resultBytes, err = json.Marshal(resp["result"]); chk.E(err) {
+				return
+			}
+			if err = json.Unmarshal(resultBytes, result); chk.E(err) {
+				return
+			}
+		}
+	}
+
+	return
+}
+
+// NotificationHandler is a callback for handling NWC notifications
+type NotificationHandler func(
+	notificationType string, notification map[string]any,
+) error
+
+// SubscribeNotifications subscribes to NWC notification events (kinds 23197/23196)
+// and handles them with the provided callback. It maintains a persistent connection
+// with auto-reconnection on disconnect.
+func (cl *Client) SubscribeNotifications(
+	c context.Context, handler NotificationHandler,
+) (err error) {
+	delay := time.Second
+	for {
+		if err = cl.subscribeNotificationsOnce(c, handler); err != nil {
+			if errors.Is(err, context.Canceled) {
+				return err
+			}
+			select {
+			case <-time.After(delay):
+				if delay < 30*time.Second {
+					delay *= 2
+				}
+			case <-c.Done():
+				return context.Canceled
+			}
+			continue
+		}
+		delay = time.Second
+	}
+}
+
+// subscribeNotificationsOnce performs a single subscription attempt
+func (cl *Client) subscribeNotificationsOnce(
+	c context.Context, handler NotificationHandler,
+) (err error) {
+	// Connect to relay
+	var rc *ws.Client
+	if rc, err = ws.RelayConnect(c, cl.relay); chk.E(err) {
+		return fmt.Errorf("relay connection failed: %w", err)
+	}
+	defer rc.Close()
+
+	// Subscribe to notification events filtered by "p" tag
+	// Support both NIP-44 (kind 23197) and legacy NIP-04 (kind 23196)
+	var sub *ws.Subscription
+	if sub, err = rc.Subscribe(
+		c, filter.NewS(
+			&filter.F{
+				Kinds: kind.NewS(kind.New(23197), kind.New(23196)),
+				Tags: tag.NewS(
+					tag.NewFromAny("p", hex.Enc(cl.clientSecretKey.Pub())),
+				),
+				Since: &timestamp.T{V: time.Now().Unix()},
+			},
+		),
+	); chk.E(err) {
+		return fmt.Errorf("subscription failed: %w", err)
+	}
+	defer sub.Unsub()
+
+	log.I.F(
+		"subscribed to NWC notifications from wallet %s",
+		hex.Enc(cl.walletPublicKey),
+	)
+
+	// Process notification events
+	for {
+		select {
+		case <-c.Done():
+			return context.Canceled
+		case ev := <-sub.Events:
+			if ev == nil {
+				// Channel closed, subscription ended
+				return fmt.Errorf("subscription closed")
+			}
+
+			// Process the notification event
+			if err := cl.processNotificationEvent(ev, handler); err != nil {
+				log.E.F("error processing notification: %v", err)
+				// Continue processing other notifications even if one fails
+			}
+		}
+	}
+}
+
+// processNotificationEvent decrypts and processes a single notification event
+func (cl *Client) processNotificationEvent(
+	ev *event.E, handler NotificationHandler,
+) (err error) {
+	// Decrypt the notification content
+	var decrypted []byte
+	if decrypted, err = encryption.Decrypt(
+		ev.Content, cl.conversationKey,
+	); err != nil {
+		return fmt.Errorf("failed to decrypt notification: %w", err)
+	}
+
+	// Parse the notification JSON
+	var notification map[string]any
+	if err = json.Unmarshal(decrypted, &notification); err != nil {
+		return fmt.Errorf("failed to parse notification JSON: %w", err)
+	}
+
+	// Extract notification type
+	notificationType, ok := notification["notification_type"].(string)
+	if !ok {
+		return fmt.Errorf("missing or invalid notification_type")
+	}
+
+	// Extract notification data
+	notificationData, ok := notification["notification"].(map[string]any)
+	if !ok {
+		return fmt.Errorf("missing or invalid notification data")
+	}
+
+	// Route to type-specific handler
+	return handler(notificationType, notificationData)
+}

pkg/protocol/nwc/crypto_test.go

@@ -0,0 +1,188 @@
+package nwc_test
+
+import (
+	"encoding/json"
+	"testing"
+	"time"
+
+	"next.orly.dev/pkg/crypto/encryption"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/encoders/event"
+	"next.orly.dev/pkg/encoders/hex"
+	"next.orly.dev/pkg/encoders/tag"
+	"next.orly.dev/pkg/protocol/nwc"
+	"next.orly.dev/pkg/utils"
+)
+
+func TestNWCConversationKey(t *testing.T) {
+	secret := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	walletPubkey := "816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b"
+
+	uri := "nostr+walletconnect://" + walletPubkey + "?relay=wss://relay.getalby.com/v1&secret=" + secret
+
+	parts, err := nwc.ParseConnectionURI(uri)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Validate conversation key was generated
+	convKey := parts.GetConversationKey()
+	if len(convKey) == 0 {
+		t.Fatal("conversation key should not be empty")
+	}
+
+	// Validate wallet public key
+	walletKey := parts.GetWalletPublicKey()
+	if len(walletKey) == 0 {
+		t.Fatal("wallet public key should not be empty")
+	}
+
+	expected, err := hex.Dec(walletPubkey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(walletKey) != len(expected) {
+		t.Fatal("wallet public key length mismatch")
+	}
+
+	for i := range walletKey {
+		if walletKey[i] != expected[i] {
+			t.Fatal("wallet public key mismatch")
+		}
+	}
+
+	// Test passed
+}
+
+func TestNWCEncryptionDecryption(t *testing.T) {
+	secret := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	walletPubkey := "816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b"
+
+	uri := "nostr+walletconnect://" + walletPubkey + "?relay=wss://relay.getalby.com/v1&secret=" + secret
+
+	parts, err := nwc.ParseConnectionURI(uri)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	convKey := parts.GetConversationKey()
+	testMessage := `{"method":"get_info","params":null}`
+
+	// Test encryption
+	encrypted, err := encryption.Encrypt([]byte(testMessage), convKey)
+	if err != nil {
+		t.Fatalf("encryption failed: %v", err)
+	}
+
+	if len(encrypted) == 0 {
+		t.Fatal("encrypted message should not be empty")
+	}
+
+	// Test decryption
+	decrypted, err := encryption.Decrypt(encrypted, convKey)
+	if err != nil {
+		t.Fatalf("decryption failed: %v", err)
+	}
+
+	if string(decrypted) != testMessage {
+		t.Fatalf(
+			"decrypted message mismatch: got %s, want %s", string(decrypted),
+			testMessage,
+		)
+	}
+
+	// Test passed
+}
+
+func TestNWCEventCreation(t *testing.T) {
+	secretBytes, err := hex.Dec("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientKey := &p256k.Signer{}
+	if err := clientKey.InitSec(secretBytes); err != nil {
+		t.Fatal(err)
+	}
+
+	walletPubkey, err := hex.Dec("816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	convKey, err := encryption.GenerateConversationKeyWithSigner(
+		clientKey, walletPubkey,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	request := map[string]any{"method": "get_info"}
+	reqBytes, err := json.Marshal(request)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	encrypted, err := encryption.Encrypt(reqBytes, convKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create NWC event
+	ev := &event.E{
+		Content:   encrypted,
+		CreatedAt: time.Now().Unix(),
+		Kind:      23194,
+		Tags: tag.NewS(
+			tag.NewFromAny("encryption", "nip44_v2"),
+			tag.NewFromAny("p", hex.Enc(walletPubkey)),
+		),
+	}
+
+	if err := ev.Sign(clientKey); err != nil {
+		t.Fatalf("event signing failed: %v", err)
+	}
+
+	// Validate event structure
+	if len(ev.Content) == 0 {
+		t.Fatal("event content should not be empty")
+	}
+
+	if len(ev.ID) == 0 {
+		t.Fatal("event should have ID after signing")
+	}
+
+	if len(ev.Sig) == 0 {
+		t.Fatal("event should have signature after signing")
+	}
+
+	// Validate tags
+	hasEncryption := false
+	hasP := false
+	for i := 0; i < ev.Tags.Len(); i++ {
+		tag := ev.Tags.GetTagElement(i)
+		if tag.Len() >= 2 {
+			if utils.FastEqual(
+				tag.T[0], "encryption",
+			) && utils.FastEqual(tag.T[1], "nip44_v2") {
+				hasEncryption = true
+			}
+			if utils.FastEqual(
+				tag.T[0], "p",
+			) && utils.FastEqual(tag.T[1], hex.Enc(walletPubkey)) {
+				hasP = true
+			}
+		}
+	}
+
+	if !hasEncryption {
+		t.Fatal("event missing encryption tag")
+	}
+
+	if !hasP {
+		t.Fatal("event missing p tag")
+	}
+
+	// Test passed
+}

pkg/protocol/nwc/mock_wallet_service.go

@@ -0,0 +1,495 @@
+package nwc
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"sync"
+	"time"
+
+	"lol.mleku.dev/chk"
+	"next.orly.dev/pkg/crypto/encryption"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/encoders/event"
+	"next.orly.dev/pkg/encoders/filter"
+	"next.orly.dev/pkg/encoders/hex"
+	"next.orly.dev/pkg/encoders/kind"
+	"next.orly.dev/pkg/encoders/tag"
+	"next.orly.dev/pkg/encoders/timestamp"
+	"next.orly.dev/pkg/interfaces/signer"
+	"next.orly.dev/pkg/protocol/ws"
+)
+
+// MockWalletService implements a mock NIP-47 wallet service for testing
+type MockWalletService struct {
+	relay            string
+	walletSecretKey  signer.I
+	walletPublicKey  []byte
+	client           *ws.Client
+	ctx              context.Context
+	cancel           context.CancelFunc
+	balance          int64 // in satoshis
+	balanceMutex     sync.RWMutex
+	connectedClients map[string][]byte // pubkey -> conversation key
+	clientsMutex     sync.RWMutex
+}
+
+// NewMockWalletService creates a new mock wallet service
+func NewMockWalletService(
+	relay string, initialBalance int64,
+) (service *MockWalletService, err error) {
+	// Generate wallet keypair
+	walletKey := &p256k.Signer{}
+	if err = walletKey.Generate(); chk.E(err) {
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	service = &MockWalletService{
+		relay:            relay,
+		walletSecretKey:  walletKey,
+		walletPublicKey:  walletKey.Pub(),
+		ctx:              ctx,
+		cancel:           cancel,
+		balance:          initialBalance,
+		connectedClients: make(map[string][]byte),
+	}
+	return
+}
+
+// Start begins the mock wallet service
+func (m *MockWalletService) Start() (err error) {
+	// Connect to relay
+	if m.client, err = ws.RelayConnect(m.ctx, m.relay); chk.E(err) {
+		return fmt.Errorf("failed to connect to relay: %w", err)
+	}
+
+	// Publish wallet info event
+	if err = m.publishWalletInfo(); chk.E(err) {
+		return fmt.Errorf("failed to publish wallet info: %w", err)
+	}
+
+	// Subscribe to request events
+	if err = m.subscribeToRequests(); chk.E(err) {
+		return fmt.Errorf("failed to subscribe to requests: %w", err)
+	}
+
+	return
+}
+
+// Stop stops the mock wallet service
+func (m *MockWalletService) Stop() {
+	if m.cancel != nil {
+		m.cancel()
+	}
+	if m.client != nil {
+		m.client.Close()
+	}
+}
+
+// GetWalletPublicKey returns the wallet's public key
+func (m *MockWalletService) GetWalletPublicKey() []byte {
+	return m.walletPublicKey
+}
+
+// publishWalletInfo publishes the NIP-47 info event (kind 13194)
+func (m *MockWalletService) publishWalletInfo() (err error) {
+	capabilities := []string{
+		"get_info",
+		"get_balance",
+		"make_invoice",
+		"pay_invoice",
+	}
+
+	info := map[string]any{
+		"capabilities":  capabilities,
+		"notifications": []string{"payment_received", "payment_sent"},
+	}
+
+	var content []byte
+	if content, err = json.Marshal(info); chk.E(err) {
+		return
+	}
+
+	ev := &event.E{
+		Content:   content,
+		CreatedAt: time.Now().Unix(),
+		Kind:      13194,
+		Tags:      tag.NewS(),
+	}
+
+	if err = ev.Sign(m.walletSecretKey); chk.E(err) {
+		return
+	}
+
+	return m.client.Publish(m.ctx, ev)
+}
+
+// subscribeToRequests subscribes to NWC request events (kind 23194)
+func (m *MockWalletService) subscribeToRequests() (err error) {
+	var sub *ws.Subscription
+	if sub, err = m.client.Subscribe(
+		m.ctx, filter.NewS(
+			&filter.F{
+				Kinds: kind.NewS(kind.New(23194)),
+				Tags: tag.NewS(
+					tag.NewFromAny("p", hex.Enc(m.walletPublicKey)),
+				),
+				Since: &timestamp.T{V: time.Now().Unix()},
+			},
+		),
+	); chk.E(err) {
+		return
+	}
+
+	// Handle incoming request events
+	go m.handleRequestEvents(sub)
+	return
+}
+
+// handleRequestEvents processes incoming NWC request events
+func (m *MockWalletService) handleRequestEvents(sub *ws.Subscription) {
+	for {
+		select {
+		case <-m.ctx.Done():
+			return
+		case ev := <-sub.Events:
+			if ev == nil {
+				continue
+			}
+			if err := m.processRequestEvent(ev); chk.E(err) {
+				fmt.Printf("Error processing request event: %v\n", err)
+			}
+		}
+	}
+}
+
+// processRequestEvent processes a single NWC request event
+func (m *MockWalletService) processRequestEvent(ev *event.E) (err error) {
+	// Get client pubkey from event
+	clientPubkey := ev.Pubkey
+	clientPubkeyHex := hex.Enc(clientPubkey)
+
+	// Generate or get conversation key
+	var conversationKey []byte
+	m.clientsMutex.Lock()
+	if existingKey, exists := m.connectedClients[clientPubkeyHex]; exists {
+		conversationKey = existingKey
+	} else {
+		if conversationKey, err = encryption.GenerateConversationKeyWithSigner(
+			m.walletSecretKey, clientPubkey,
+		); chk.E(err) {
+			m.clientsMutex.Unlock()
+			return
+		}
+		m.connectedClients[clientPubkeyHex] = conversationKey
+	}
+	m.clientsMutex.Unlock()
+
+	// Decrypt request content
+	var decrypted []byte
+	if decrypted, err = encryption.Decrypt(
+		ev.Content, conversationKey,
+	); chk.E(err) {
+		return
+	}
+
+	var request map[string]any
+	if err = json.Unmarshal(decrypted, &request); chk.E(err) {
+		return
+	}
+
+	method, ok := request["method"].(string)
+	if !ok {
+		return fmt.Errorf("invalid method")
+	}
+
+	params := request["params"]
+
+	// Process the method
+	var result any
+	if result, err = m.processMethod(method, params); chk.E(err) {
+		// Send error response
+		return m.sendErrorResponse(
+			clientPubkey, conversationKey, "INTERNAL", err.Error(),
+		)
+	}
+
+	// Send success response
+	return m.sendSuccessResponse(clientPubkey, conversationKey, result)
+}
+
+// processMethod handles the actual NWC method execution
+func (m *MockWalletService) processMethod(
+	method string, params any,
+) (result any, err error) {
+	switch method {
+	case "get_info":
+		return m.getInfo()
+	case "get_balance":
+		return m.getBalance()
+	case "make_invoice":
+		return m.makeInvoice(params)
+	case "pay_invoice":
+		return m.payInvoice(params)
+	default:
+		err = fmt.Errorf("unsupported method: %s", method)
+		return
+	}
+}
+
+// getInfo returns wallet information
+func (m *MockWalletService) getInfo() (result map[string]any, err error) {
+	result = map[string]any{
+		"alias":        "Mock Wallet",
+		"color":        "#3399FF",
+		"pubkey":       hex.Enc(m.walletPublicKey),
+		"network":      "mainnet",
+		"block_height": 850000,
+		"block_hash":   "0000000000000000000123456789abcdef",
+		"methods": []string{
+			"get_info", "get_balance", "make_invoice", "pay_invoice",
+		},
+	}
+	return
+}
+
+// getBalance returns the current wallet balance
+func (m *MockWalletService) getBalance() (result map[string]any, err error) {
+	m.balanceMutex.RLock()
+	balance := m.balance
+	m.balanceMutex.RUnlock()
+
+	result = map[string]any{
+		"balance": balance * 1000, // convert to msats
+	}
+	return
+}
+
+// makeInvoice creates a Lightning invoice
+func (m *MockWalletService) makeInvoice(params any) (
+	result map[string]any, err error,
+) {
+	paramsMap, ok := params.(map[string]any)
+	if !ok {
+		err = fmt.Errorf("invalid params")
+		return
+	}
+
+	amount, ok := paramsMap["amount"].(float64)
+	if !ok {
+		err = fmt.Errorf("missing or invalid amount")
+		return
+	}
+
+	description := ""
+	if desc, ok := paramsMap["description"].(string); ok {
+		description = desc
+	}
+
+	paymentHash := make([]byte, 32)
+	rand.Read(paymentHash)
+
+	// Generate a fake bolt11 invoice
+	bolt11 := fmt.Sprintf("lnbc%dm1pwxxxxxxx", int64(amount/1000))
+
+	result = map[string]any{
+		"type":         "incoming",
+		"invoice":      bolt11,
+		"description":  description,
+		"payment_hash": hex.Enc(paymentHash),
+		"amount":       int64(amount),
+		"created_at":   time.Now().Unix(),
+		"expires_at":   time.Now().Add(24 * time.Hour).Unix(),
+	}
+	return
+}
+
+// payInvoice pays a Lightning invoice
+func (m *MockWalletService) payInvoice(params any) (
+	result map[string]any, err error,
+) {
+	paramsMap, ok := params.(map[string]any)
+	if !ok {
+		err = fmt.Errorf("invalid params")
+		return
+	}
+
+	invoice, ok := paramsMap["invoice"].(string)
+	if !ok {
+		err = fmt.Errorf("missing or invalid invoice")
+		return
+	}
+
+	// Mock payment amount (would parse from invoice in real implementation)
+	amount := int64(1000) // 1000 msats
+
+	// Check balance
+	m.balanceMutex.Lock()
+	if m.balance*1000 < amount {
+		m.balanceMutex.Unlock()
+		err = fmt.Errorf("insufficient balance")
+		return
+	}
+	m.balance -= amount / 1000
+	m.balanceMutex.Unlock()
+
+	preimage := make([]byte, 32)
+	rand.Read(preimage)
+
+	result = map[string]any{
+		"type":       "outgoing",
+		"invoice":    invoice,
+		"amount":     amount,
+		"preimage":   hex.Enc(preimage),
+		"created_at": time.Now().Unix(),
+	}
+
+	// Emit payment_sent notification
+	go m.emitPaymentNotification("payment_sent", result)
+	return
+}
+
+// sendSuccessResponse sends a successful NWC response
+func (m *MockWalletService) sendSuccessResponse(
+	clientPubkey []byte, conversationKey []byte, result any,
+) (err error) {
+	response := map[string]any{
+		"result": result,
+	}
+
+	var responseBytes []byte
+	if responseBytes, err = json.Marshal(response); chk.E(err) {
+		return
+	}
+
+	return m.sendEncryptedResponse(clientPubkey, conversationKey, responseBytes)
+}
+
+// sendErrorResponse sends an error NWC response
+func (m *MockWalletService) sendErrorResponse(
+	clientPubkey []byte, conversationKey []byte, code, message string,
+) (err error) {
+	response := map[string]any{
+		"error": map[string]any{
+			"code":    code,
+			"message": message,
+		},
+	}
+
+	var responseBytes []byte
+	if responseBytes, err = json.Marshal(response); chk.E(err) {
+		return
+	}
+
+	return m.sendEncryptedResponse(clientPubkey, conversationKey, responseBytes)
+}
+
+// sendEncryptedResponse sends an encrypted response event (kind 23195)
+func (m *MockWalletService) sendEncryptedResponse(
+	clientPubkey []byte, conversationKey []byte, content []byte,
+) (err error) {
+	var encrypted []byte
+	if encrypted, err = encryption.Encrypt(
+		content, conversationKey,
+	); chk.E(err) {
+		return
+	}
+
+	ev := &event.E{
+		Content:   encrypted,
+		CreatedAt: time.Now().Unix(),
+		Kind:      23195,
+		Tags: tag.NewS(
+			tag.NewFromAny("encryption", "nip44_v2"),
+			tag.NewFromAny("p", hex.Enc(clientPubkey)),
+		),
+	}
+
+	if err = ev.Sign(m.walletSecretKey); chk.E(err) {
+		return
+	}
+
+	return m.client.Publish(m.ctx, ev)
+}
+
+// emitPaymentNotification emits a payment notification (kind 23197)
+func (m *MockWalletService) emitPaymentNotification(
+	notificationType string, paymentData map[string]any,
+) (err error) {
+	notification := map[string]any{
+		"notification_type": notificationType,
+		"notification":      paymentData,
+	}
+
+	var content []byte
+	if content, err = json.Marshal(notification); chk.E(err) {
+		return
+	}
+
+	// Send notification to all connected clients
+	m.clientsMutex.RLock()
+	defer m.clientsMutex.RUnlock()
+
+	for clientPubkeyHex, conversationKey := range m.connectedClients {
+		var clientPubkey []byte
+		if clientPubkey, err = hex.Dec(clientPubkeyHex); chk.E(err) {
+			continue
+		}
+
+		var encrypted []byte
+		if encrypted, err = encryption.Encrypt(
+			content, conversationKey,
+		); chk.E(err) {
+			continue
+		}
+
+		ev := &event.E{
+			Content:   encrypted,
+			CreatedAt: time.Now().Unix(),
+			Kind:      23197,
+			Tags: tag.NewS(
+				tag.NewFromAny("encryption", "nip44_v2"),
+				tag.NewFromAny("p", hex.Enc(clientPubkey)),
+			),
+		}
+
+		if err = ev.Sign(m.walletSecretKey); chk.E(err) {
+			continue
+		}
+
+		m.client.Publish(m.ctx, ev)
+	}
+	return
+}
+
+// SimulateIncomingPayment simulates an incoming payment for testing
+func (m *MockWalletService) SimulateIncomingPayment(
+	pubkey []byte, amount int64, description string,
+) (err error) {
+	// Add to balance
+	m.balanceMutex.Lock()
+	m.balance += amount / 1000 // convert msats to sats
+	m.balanceMutex.Unlock()
+
+	paymentHash := make([]byte, 32)
+	rand.Read(paymentHash)
+
+	preimage := make([]byte, 32)
+	rand.Read(preimage)
+
+	paymentData := map[string]any{
+		"type":         "incoming",
+		"invoice":      fmt.Sprintf("lnbc%dm1pwxxxxxxx", amount/1000),
+		"description":  description,
+		"amount":       amount,
+		"payment_hash": hex.Enc(paymentHash),
+		"preimage":     hex.Enc(preimage),
+		"created_at":   time.Now().Unix(),
+	}
+
+	// Emit payment_received notification
+	return m.emitPaymentNotification("payment_received", paymentData)
+}

pkg/protocol/nwc/nwc_test.go

@@ -0,0 +1,176 @@
+package nwc_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"next.orly.dev/pkg/protocol/nwc"
+	"next.orly.dev/pkg/protocol/ws"
+)
+
+func TestNWCClientCreation(t *testing.T) {
+	uri := "nostr+walletconnect://816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b?relay=wss://relay.getalby.com/v1&secret=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+
+	c, err := nwc.NewClient(uri)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if c == nil {
+		t.Fatal("client should not be nil")
+	}
+}
+
+func TestNWCInvalidURI(t *testing.T) {
+	invalidURIs := []string{
+		"invalid://test",
+		"nostr+walletconnect://",
+		"nostr+walletconnect://invalid",
+		"nostr+walletconnect://816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b",
+		"nostr+walletconnect://816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b?relay=invalid",
+	}
+
+	for _, uri := range invalidURIs {
+		_, err := nwc.NewClient(uri)
+		if err == nil {
+			t.Fatalf("expected error for invalid URI: %s", uri)
+		}
+	}
+}
+
+func TestNWCRelayConnection(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
+	defer cancel()
+
+	rc, err := ws.RelayConnect(ctx, "wss://relay.getalby.com/v1")
+	if err != nil {
+		t.Fatalf("relay connection failed: %v", err)
+	}
+	defer rc.Close()
+
+	t.Log("relay connection successful")
+}
+
+func TestNWCRequestTimeout(t *testing.T) {
+	uri := "nostr+walletconnect://816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b?relay=wss://relay.getalby.com/v1&secret=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+
+	c, err := nwc.NewClient(uri)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.TODO(), 2*time.Second)
+	defer cancel()
+
+	var r map[string]any
+	err = c.Request(ctx, "get_info", nil, &r)
+
+	if err == nil {
+		t.Log("wallet responded")
+		return
+	}
+
+	expectedErrors := []string{
+		"no response from wallet",
+		"subscription closed",
+		"timeout waiting for response",
+		"context deadline exceeded",
+	}
+
+	errorFound := false
+	for _, expected := range expectedErrors {
+		if contains(err.Error(), expected) {
+			errorFound = true
+			break
+		}
+	}
+
+	if !errorFound {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	t.Logf("proper timeout handling: %v", err)
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && (s == substr || (len(s) > len(substr) &&
+		(s[:len(substr)] == substr || s[len(s)-len(substr):] == substr ||
+			findInString(s, substr))))
+}
+
+func findInString(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}
+
+func TestNWCEncryption(t *testing.T) {
+	uri := "nostr+walletconnect://816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b?relay=wss://relay.getalby.com/v1&secret=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+
+	c, err := nwc.NewClient(uri)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// We can't directly access private fields, but we can test the client creation
+	// check conversation key generation
+	if c == nil {
+		t.Fatal("client creation should succeed with valid URI")
+	}
+
+	// Test passed
+}
+
+func TestNWCEventFormat(t *testing.T) {
+	uri := "nostr+walletconnect://816fd7f1d000ae81a3da251c91866fc47f4bcd6ce36921e6d46773c32f1d548b?relay=wss://relay.getalby.com/v1&secret=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+
+	c, err := nwc.NewClient(uri)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Test client creation
+	// The Request method will create proper NWC events with:
+	// - Kind 23194 for requests
+	// - Proper encryption tag
+	// - Signed with client key
+
+	ctx, cancel := context.WithTimeout(context.TODO(), 1*time.Second)
+	defer cancel()
+
+	var r map[string]any
+	err = c.Request(ctx, "get_info", nil, &r)
+
+	// We expect this to fail due to inactive connection, but it should fail
+	// after creating and sending NWC event
+	if err == nil {
+		t.Log("wallet responded")
+		return
+	}
+
+	// Verify it failed for the right reason (connection/response issue, not formatting)
+	validFailures := []string{
+		"subscription closed",
+		"no response from wallet",
+		"context deadline exceeded",
+		"timeout waiting for response",
+	}
+
+	validFailure := false
+	for _, failure := range validFailures {
+		if contains(err.Error(), failure) {
+			validFailure = true
+			break
+		}
+	}
+
+	if !validFailure {
+		t.Fatalf("unexpected error type (suggests formatting issue): %v", err)
+	}
+
+	// Test passed
+}

pkg/protocol/nwc/uri.go

@@ -0,0 +1,81 @@
+package nwc
+
+import (
+	"errors"
+	"net/url"
+
+	"lol.mleku.dev/chk"
+	"next.orly.dev/pkg/crypto/encryption"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/interfaces/signer"
+)
+
+type ConnectionParams struct {
+	clientSecretKey signer.I
+	walletPublicKey []byte
+	conversationKey []byte
+	relay           string
+}
+
+// GetWalletPublicKey returns the wallet public key from the ConnectionParams.
+func (c *ConnectionParams) GetWalletPublicKey() []byte {
+	return c.walletPublicKey
+}
+
+// GetConversationKey returns the conversation key from the ConnectionParams.
+func (c *ConnectionParams) GetConversationKey() []byte {
+	return c.conversationKey
+}
+
+func ParseConnectionURI(nwcUri string) (parts *ConnectionParams, err error) {
+	var p *url.URL
+	if p, err = url.Parse(nwcUri); chk.E(err) {
+		return
+	}
+	if p == nil {
+		err = errors.New("invalid uri")
+		return
+	}
+	parts = &ConnectionParams{}
+	if p.Scheme != "nostr+walletconnect" {
+		err = errors.New("incorrect scheme")
+		return
+	}
+	if parts.walletPublicKey, err = p256k.HexToBin(p.Host); chk.E(err) {
+		err = errors.New("invalid public key")
+		return
+	}
+	query := p.Query()
+	var ok bool
+	var relay []string
+	if relay, ok = query["relay"]; !ok {
+		err = errors.New("missing relay parameter")
+		return
+	}
+	if len(relay) == 0 {
+		return nil, errors.New("no relays")
+	}
+	parts.relay = relay[0]
+	var secret string
+	if secret = query.Get("secret"); secret == "" {
+		err = errors.New("missing secret parameter")
+		return
+	}
+	var secretBytes []byte
+	if secretBytes, err = p256k.HexToBin(secret); chk.E(err) {
+		err = errors.New("invalid secret")
+		return
+	}
+	clientKey := &p256k.Signer{}
+	if err = clientKey.InitSec(secretBytes); chk.E(err) {
+		return
+	}
+	parts.clientSecretKey = clientKey
+	if parts.conversationKey, err = encryption.GenerateConversationKeyWithSigner(
+		clientKey,
+		parts.walletPublicKey,
+	); chk.E(err) {
+		return
+	}
+	return
+}

pkg/version/version

@@ -1 +1 @@
-v0.6.2
+v0.8.5

readme.adoc

@@ -20,4 +20,332 @@ ORLY is a nostr relay written from the ground up to be performant, low latency,
 
 ORLY uses a fast embedded link:https://github.com/hypermodeinc/badger[badger] database with a database designed for high performance querying and event storage.
 
-On linux platforms, it uses https://github.com/bitcoin/secp256k1[libsecp256k1]-enabled signature and signature verification (see link:pkg/p256k/README.md[here]).
+On linux platforms, it uses https://github.com/bitcoin/secp256k1[libsecp256k1]-enabled signature and signature verification (see link:pkg/crypto/p256k/README.md[here]).
+
+== building
+
+ORLY is a standard Go application that can be built using the Go toolchain.
+
+=== prerequisites
+
+- Go 1.25.0 or later
+- Git
+- For web UI: link:https://bun.sh/[Bun] JavaScript runtime
+
+=== basic build
+
+To build the relay binary only:
+
+[source,bash]
+----
+git clone <repository-url>
+cd next.orly.dev
+go build -o orly
+----
+
+=== building with web UI
+
+To build with the embedded web interface:
+
+[source,bash]
+----
+# Build the React web application
+cd app/web
+bun install
+bun run build
+
+# Build the Go binary from project root
+cd ../../
+go build -o orly
+----
+
+You can automate this process with a build script:
+
+[source,bash]
+----
+#!/bin/bash
+# build.sh
+echo "Building React app..."
+cd app/web
+bun install
+bun run build
+
+echo "Building Go binary..."
+cd ../../
+go build -o orly
+
+echo "Build complete!"
+----
+
+Make it executable with `chmod +x build.sh` and run with `./build.sh`.
+
+== secp256k1 dependency
+
+ORLY uses the optimized `libsecp256k1` C library from Bitcoin Core for schnorr signatures, providing 4x faster signing and ECDH operations compared to pure Go implementations.
+
+=== installation
+
+For Ubuntu/Debian, you can use the provided installation script:
+
+[source,bash]
+----
+./scripts/ubuntu_install_libsecp256k1.sh
+----
+
+Or install manually:
+
+[source,bash]
+----
+# Install build dependencies
+sudo apt -y install build-essential autoconf libtool
+
+# Initialize and build secp256k1
+cd pkg/crypto/p256k/secp256k1
+git submodule init
+git submodule update
+./autogen.sh
+./configure --enable-module-schnorrsig --enable-module-ecdh --prefix=/usr
+make
+sudo make install
+----
+
+=== fallback mode
+
+If you need to build without the C library dependency, disable CGO:
+
+[source,bash]
+----
+export CGO_ENABLED=0
+go build -o orly
+----
+
+This uses the pure Go `btcec` fallback library, which is slower but doesn't require system dependencies.
+
+== stress testing
+
+The stress tester is a tool for performance testing relay implementations under various load conditions.
+
+=== usage
+
+[source,bash]
+----
+cd cmd/stresstest
+go run . [options]
+----
+
+Or use the compiled binary:
+
+[source,bash]
+----
+./cmd/stresstest/stresstest [options]
+----
+
+=== options
+
+* `--address` - Relay address (default: localhost)
+* `--port` - Relay port (default: 3334)  
+* `--workers` - Number of concurrent publisher workers (default: 8)
+* `--duration` - How long to run the stress test (default: 60s)
+* `--publish-timeout` - Timeout waiting for OK per publish (default: 15s)
+* `--query-workers` - Number of concurrent query workers (default: 4)
+* `--query-timeout` - Subscription timeout for queries (default: 3s)
+* `--query-min-interval` - Minimum interval between queries per worker (default: 50ms)
+* `--query-max-interval` - Maximum interval between queries per worker (default: 300ms)
+* `--skip-cache` - Skip uploading example events before running
+
+=== example
+
+[source,bash]
+----
+# Run stress test against local relay for 2 minutes with 16 workers
+go run cmd/stresstest/main.go --address localhost --port 3334 --workers 16 --duration 120s
+
+# Test a remote relay with higher query load
+go run cmd/stresstest/main.go --address relay.example.com --port 443 --query-workers 8 --duration 300s
+----
+
+The stress tester will show real-time statistics including events sent/received per second, query counts, and results.
+
+== benchmarks
+
+The benchmark suite provides comprehensive performance testing and comparison across multiple relay implementations.
+
+=== quick start
+
+1. **Setup external relays:**
++
+[source,bash]
+----
+cd cmd/benchmark
+./setup-external-relays.sh
+----
+
+2. **Run all benchmarks:**
++
+[source,bash]
+----
+docker compose up --build
+----
+
+3. **View results:**
++
+[source,bash]
+----
+# View aggregate report
+cat reports/run_YYYYMMDD_HHMMSS/aggregate_report.txt
+
+# List individual relay results
+ls reports/run_YYYYMMDD_HHMMSS/
+----
+
+=== benchmark types
+
+The suite includes three main benchmark patterns:
+
+==== peak throughput test
+Tests maximum event ingestion rate with concurrent workers pushing events as fast as possible. Measures events/second, latency distribution, and success rate.
+
+==== burst pattern test  
+Simulates real-world traffic with alternating high-activity bursts and quiet periods to test relay behavior under varying loads.
+
+==== mixed read/write test
+Concurrent read and write operations to test query performance while events are being ingested. Measures combined throughput and latency.
+
+=== tested relays
+
+The benchmark suite compares:
+
+* **next.orly.dev** (this repository) - BadgerDB-based relay
+* **Khatru** - SQLite and Badger variants  
+* **Relayer** - Basic example implementation
+* **Strfry** - C++ LMDB-based relay
+* **nostr-rs-relay** - Rust-based relay with SQLite
+
+=== metrics reported
+
+* **Throughput**: Events processed per second
+* **Latency**: Average, P95, and P99 response times  
+* **Success Rate**: Percentage of successful operations
+* **Memory Usage**: Peak memory consumption during tests
+* **Error Analysis**: Detailed error reporting and categorization
+
+Results are timestamped and stored in the `reports/` directory for tracking performance improvements over time.
+
+== follows ACL
+
+The follows ACL (Access Control List) system provides a flexible way to control relay access based on social relationships in the Nostr network. It grants different access levels to users based on whether they are followed by designated admin users.
+
+=== how it works
+
+The follows ACL system operates by:
+
+1. **Admin Configuration**: Designated admin users are specified in the relay configuration
+2. **Follow List Discovery**: The system fetches follow lists (kind 3 events) from admin users
+3. **Access Level Assignment**:
+   - **Admin access**: Users listed as admins get full administrative privileges
+   - **Write access**: Users followed by any admin can publish events to the relay
+   - **Read access**: All other users can only read events from the relay
+
+=== configuration
+
+Enable the follows ACL system by setting the ACL mode:
+
+[source,bash]
+----
+export ORLY_ACL_MODE=follows
+export ORLY_ADMINS=npub1abc...,npub1xyz...
+----
+
+Or in your environment configuration:
+
+[source,env]
+----
+ORLY_ACL_MODE=follows
+ORLY_ADMINS=npub1abc123...,npub1xyz456...
+----
+
+=== usage example
+
+[source,bash]
+----
+# Set up a relay with follows ACL
+export ORLY_ACL_MODE=follows
+export ORLY_ADMINS=npub1fjqqy4a93z5zsjwsfxqhc2764kvykfdyttvldkkkdera8dr78vhsmmleku
+
+# Start the relay
+./orly
+----
+
+The relay will automatically:
+- Load the follow lists of the specified admin users
+- Grant write access to anyone followed by these admins
+- Provide read-only access to everyone else
+- Update follow lists dynamically as admins modify their follows
+
+== relay sync spider
+
+The relay sync spider is an intelligent synchronization system that discovers and syncs events from other Nostr relays based on social relationships. It works in conjunction with the follows ACL to create a distributed network of synchronized content.
+
+=== how it works
+
+The spider operates in two phases:
+
+1. **Relay Discovery**: 
+   - Finds relay lists (kind 10002 events) from followed users
+   - Builds a list of relays used by people in your social network
+   - Prioritizes relays mentioned by admin users
+
+2. **Event Synchronization**:
+   - Queries discovered relays for events from followed users
+   - Performs one-time historical sync (default: 1 month back)
+   - Runs periodic syncs to stay current with new events
+   - Validates and stores events locally
+
+=== configuration
+
+Enable the spider by setting the spider mode to "follow":
+
+[source,bash]
+----
+export ORLY_SPIDER_MODE=follow
+export ORLY_SPIDER_FREQUENCY=1h
+----
+
+Configuration options:
+
+* `ORLY_SPIDER_MODE` - Spider mode: "none" (disabled) or "follow" (enabled)
+* `ORLY_SPIDER_FREQUENCY` - How often to sync (default: 1h)
+
+=== usage example
+
+[source,bash]
+----
+# Enable both follows ACL and spider sync
+export ORLY_ACL_MODE=follows
+export ORLY_SPIDER_MODE=follow
+export ORLY_SPIDER_FREQUENCY=30m
+export ORLY_ADMINS=npub1fjqqy4a93z5zsjwsfxqhc2764kvykfdyttvldkkkdera8dr78vhsmmleku
+
+# Start the relay
+./orly
+----
+
+The spider will:
+- Perform a one-time sync of the last month's events
+- Discover relays from followed users' relay lists
+- Sync events from those relays every 30 minutes
+- Only sync events from users in the follow network
+
+=== benefits
+
+* **Decentralized Content**: Automatically aggregates content from your social network
+* **Reduced Relay Dependency**: Less reliance on single large relays
+* **Improved User Experience**: Users see content from their social circle even when offline from other relays
+* **Network Resilience**: Content remains accessible even if origin relays go offline
+
+=== technical notes
+
+* The spider only runs when `ORLY_ACL_MODE=follows` to ensure proper authorization
+* One-time sync is marked to prevent repeated historical syncs on restart
+* Event validation ensures only properly signed events are stored
+* Sync windows are configurable to balance freshness with resource usage

stella-relay.service

@@ -0,0 +1,39 @@
+[Unit]
+Description=Stella's Orly Nostr Relay
+Documentation=https://github.com/Silberengel/next.orly.dev
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=madmin
+Group=madmin
+WorkingDirectory=/home/madmin/Projects/GitCitadel/next.orly.dev
+ExecStart=docker compose up stella-relay
+ExecStop=docker compose down
+Restart=always
+RestartSec=10
+TimeoutStartSec=60
+TimeoutStopSec=30
+
+# Environment variables
+Environment=ORLY_DATA_DIR=/home/madmin/.local/share/orly-relay
+Environment=ORLY_LISTEN=127.0.0.1
+Environment=ORLY_PORT=7777
+Environment=ORLY_LOG_LEVEL=info
+Environment=ORLY_OWNERS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx
+Environment=ORLY_ADMINS=npub1v30tsz9vw6ylpz63g0a702nj3xa26t3m7p5us8f2y2sd8v6cnsvq465zjx,npub1l5sga6xg72phsz5422ykujprejwud075ggrr3z2hwyrfgr7eylqstegx9z
+
+# Security settings
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/home/madmin/.local/share/orly-relay
+ReadWritePaths=/home/madmin/Projects/GitCitadel/next.orly.dev/data
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+[Install]
+WantedBy=multi-user.target