Read-only channel allowlist for NIP-42/43 viewers

[tlongwell-block]

Read-only channel allowlist for NIP-42/43 viewers

What

Adds a relay-level viewer role: a NIP-43 relay member who, upon NIP-42 auth,
is granted read-only scopes restricted to an explicit per-viewer channel
allowlist. Viewers can read history, search, and receive live events for their
allowed channels only — and cannot publish anything, anywhere.

Why this is minimal & safe

The relay already had every enforcement seam this needs:

• Read gate (req.rs): WS REQ intersects accessible channels with
  AuthContext.channel_ids. The channel_ids: Option<Vec<Uuid>> field already
  existed, documented "reserved for future per-channel access control" — this PR
  is that future. None = unrestricted (unchanged for normal members).
• Write gate (ingest.rs): every event kind maps to a *:write/admin:*
  scope via required_scope_for_kind; unknown kinds rejected. A connection whose
  scope set contains no write scopes cannot emit a single state-changing event.
• Scopes are fixed at auth time, never re-derived from membership — so the
  join-request path (9021, read-scoped) cannot escalate a viewer to a writer.

So read-only is expressed as scopes, not as a new membership permission model.
That rides the existing, tested checks — it constructs a different AuthContext
at the auth call site rather than widening the enforcement surface.

Design

1. NIP-42 = identity. NIP-43 / relay_members = admission. Unchanged.
2. New relay_member_channel_allowlist(pubkey, channel_id) table — the explicit
   per-viewer grant set (migration 0002, 0001 left immutable).
3. In handlers/auth.rs, after check_relay_membership succeeds: if the member's
   role is viewer, build the context with read-only scopes
   (messages:read, channels:read, users:read, files:read — no writes, no admin,
   no proxy:submit) and channel_ids = Some(<allowlist>). Normal members keep
   all_known() / channel_ids = None.
4. viewer is added to the relay_members.role TEXT CHECK constraint (not the
   channel_members.member_role enum — that's intentionally untouched; guest
   was rejected because message writes are membership-binary today and guest
   would silently fall through to write behavior).

Membership-check refactor (why the diff touches several files)

The old enforce_relay_membership returned only owner-or-deny — it could not
express "admitted, but read-only and channel-restricted." It's replaced by
check_relay_membership returning a MembershipDecision enum
(OpenRelay | Member | Viewer{channel_ids} | ViaOwner | ViaViewerOwner{owner,channel_ids} | Denied).
Every entrypoint (WS auth, WS COUNT, HTTP /query//count, bridge, git, media,
mesh, audio) matches on this enum and handles viewers explicitly. The legacy
enforce_relay_membership wrapper was deleted — a pub helper that admits a
viewer while silently dropping the channel restriction is a fail-open footgun for
any future caller, so it's gone rather than left as dead code.

All entrypoints covered (not just WS)

"Zero enforcement change" is only true for WS unless HTTP mirrors it. This PR
applies the same restricted profile + fail-closed #h-scope check across:
WS REQ, WS COUNT, HTTP /query, HTTP /count, and bridge search/feed paths.
Malformed/empty/unscoped/disallowed #h fails closed for restricted viewers;
search runs with include_global=false. Viewers are denied git, media upload,
mesh signaling, and relay admin; audio is bounded to an allowlisted parent channel.

Security audit (all closed)

Edge	Status	Why
Live fanout	safe	delivery only to registered subs; registration is access-gated and intersected with channel_ids — a viewer can't register a sub outside the allowlist
Channel→global leak	safe	scoping invariant: global subs never indexed for channel events
Write bypass	safe	every write kind needs *:write/admin:*; membership ≠ scope
Discovery/roster leak	safe	NIP-29 39000-39003 (incl. member list) stored channel-scoped → ride the read gate
Repo/git, media upload, mesh, relay-admin, audio	safe	viewer scopes deny all; audio checked against effective parent channel

Decided policy (v1)

• Strict visibility: viewers see only their explicit channel list — no open
  channels, no global subscriptions. Fail-closed.
• Audio: a viewer may join audio bounded to an allowlisted parent channel.
  This is channel presence, not listen-only media semantics; true listen-only is
  a follow-up if product needs it.
• Media: rendered event URLs remain readable; no media upload/write for
  viewers. No storage-layer channel ACL added here (no clean event→blob ownership
  metadata to enforce against yet).

Testing

Verified independently on the reviewer's machine (Hermit toolchain):

• bin/cargo fmt --check — clean
• bin/cargo clippy -p sprout-relay -p sprout-auth -p sprout-db — zero warnings
• bin/cargo test -p sprout-relay — 296 passed, 0 failed
• bin/cargo test -p sprout-auth -p sprout-db — 36 + 64 passed

Unit coverage: read-only scope set (all :read, no write/proxy/repos); allowed
channel; disallowed channel; unscoped restricted filter; malformed #h;
unrestricted global behavior (normal members unaffected); viewer denied mesh;
viewer-owner delegation denied mesh.

Follow-up (not blocking the design)

• Integration tests around the DB-backed viewer-role/allowlist admission path
  end-to-end (the unit layer is covered; DB-backed admission is the remaining gap).

---

Co-developed by Max (implementation) and Eva (design/audit/review).