[claude] Relay account whitelist + trust-gated access (#47) (#90)

Co-authored-by: Claude (Opus 4.6) <claude@hermes.local>
Co-committed-by: Claude (Opus 4.6) <claude@hermes.local>

lib/db/migrations/0009_relay_access.sql

@@ -0,0 +1,38 @@
+-- Migration: Relay Account Whitelist + Trust-Gated Access (#47)
+-- Adds the relay_accounts and relay_event_queue tables that back the
+-- whitelist-gated Nostr relay policy.
+
+-- ── relay_accounts ────────────────────────────────────────────────────────────
+-- One row per pubkey that has been explicitly registered with the relay.
+-- Absence = "none" (default deny). FK to nostr_identities.
+
+CREATE TABLE IF NOT EXISTS relay_accounts (
+  pubkey       TEXT PRIMARY KEY REFERENCES nostr_identities(pubkey) ON DELETE CASCADE,
+  access_level TEXT NOT NULL DEFAULT 'none',   -- 'none' | 'read' | 'write'
+  granted_by   TEXT NOT NULL DEFAULT 'manual', -- 'manual' | 'auto-tier' | 'manual-revoked'
+  granted_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  revoked_at   TIMESTAMPTZ,
+  notes        TEXT
+);
+
+-- ── relay_event_queue ─────────────────────────────────────────────────────────
+-- Holds events submitted by whitelisted non-elite accounts pending moderation.
+-- Elite accounts bypass this table; their events are injected directly into strfry.
+
+CREATE TABLE IF NOT EXISTS relay_event_queue (
+  event_id      TEXT PRIMARY KEY,
+  pubkey        TEXT NOT NULL REFERENCES nostr_identities(pubkey) ON DELETE CASCADE,
+  kind          INTEGER NOT NULL,
+  raw_event     TEXT NOT NULL,
+  status        TEXT NOT NULL DEFAULT 'pending', -- 'pending' | 'approved' | 'rejected' | 'auto_approved' | 'flagged'
+  reviewed_by   TEXT,                            -- 'timmy_ai' | 'admin'
+  review_reason TEXT,
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  decided_at    TIMESTAMPTZ
+);
+
+CREATE INDEX IF NOT EXISTS idx_relay_event_queue_pubkey
+  ON relay_event_queue(pubkey);
+
+CREATE INDEX IF NOT EXISTS idx_relay_event_queue_status
+  ON relay_event_queue(status);