Add protected chapter

2026-05-20 12:27:22 -07:00
parent f0d49c6fb8
commit 8ad0bc393b
8 changed files with 675 additions and 5 deletions
@@ -0,0 +1,147 @@
 # Protected Events
 The previous chapter introduced behavior tags through expiration: a tag
 that requests something of the network without touching what the event
 itself means. NIP-70 adds another, aimed at a different concern. Where
 expiration asks relays to stop serving an event after a time,
 NIP-70's `protected` tag asks them to be careful about who they accept
 it from in the first place. Its shape on the wire is a single, valueless
 tag:
 ```json
 ["-"]
 ```
 That is the whole thing — a tag whose name is a lone dash and which
 carries no value. Its mere presence is the signal. An event marked this
 way should be accepted by a relay only when it is published *directly by
 its author*: the connection delivering it must have authenticated over
 NIP-42, and the authenticated key must match the event's `pubkey`.
 ## What the marker asks for
 A relay that honors NIP-70 runs a small decision when a protected event
 arrives. If the connection has not authenticated, the relay issues a
 NIP-42 `AUTH` challenge and rejects the event for now, inviting the
 client to prove who it is and try again. If the connection *has*
 authenticated but the authenticated key is not the event's author, the
 relay rejects the event outright — someone other than the author is
 trying to push it. Only an authenticated author gets through.
 As with expiration, the marker is a cooperative request, not a guarantee.
 A relay is free to ignore it; a relay that has already stored the event
 keeps it; the signature stays valid regardless. The tag asks well-behaved
 relays to gate acceptance on authorship.
 ## The module
 ```rust {file=coracle-lib/src/lib.rs}
 pub mod protected;
 ```
 ```rust {file=coracle-lib/src/protected.rs}
 //! NIP-70 protected events: the valueless `["-"]` marker that asks
 //! relays to accept an event only from its authenticated author.
 //!
 //! This module is the stateless half of NIP-70 — building the tag and
 //! detecting it. The relay-side enforcement it implies (a NIP-42 `AUTH`
 //! challenge followed by a pubkey comparison) needs a live, authenticated
 //! connection and is handled in the relay layer.
 use crate::events::{Event, HashedEvent};
 use crate::tags::Tags;
 ```
 ## Detecting the marker
 Because the tag has no value, detection collapses to a single question:
 is a tag named `"-"` present? There is nothing to parse, so there is no
 `Option` and no malformed-versus-absent distinction to draw — the answer
 is a plain `bool`. `Tags::has` already answers exactly this.
 ```rust {file=coracle-lib/src/protected.rs}
 /// Whether the tag set carries the NIP-70 `["-"]` protected marker.
 ///
 /// A protected event asks relays to accept it only from its
 /// authenticated author. This function reports the marker's presence;
 /// acting on it is the relay's job.
 pub fn is_protected(tags: &Tags) -> bool {
    tags.has("-")
 }
 ```
 ## Building the tag
 The constructor produces a tag with the name `"-"` and no values. We
 build it through `Tag::new` like every other tag, passing an empty value
 iterator so the result is the one-element `["-"]`.
 ```rust {file=coracle-lib/src/tags.rs}
 impl Tag {
    /// Build a NIP-70 `["-"]` protected tag.
    ///
    /// The tag has a name (`"-"`) and no values; its presence asks
    /// relays to accept the event only from its authenticated author.
    pub fn protected() -> Tag {
        Tag::new("-", std::iter::empty::<String>())
    }
 }
 ```
 ## Methods on event types
 A caller holding an event wants to ask whether it is protected without
 reaching for its tags directly. Both `HashedEvent` and `Event` carry a
 `Tags` field, so the method facades delegate to the free function.
 ```rust {file=coracle-lib/src/protected.rs}
 impl HashedEvent {
    /// Whether this event carries the NIP-70 protected marker.
    pub fn is_protected(&self) -> bool {
        is_protected(&self.tags)
    }
 }
 impl Event {
    /// Whether this event carries the NIP-70 protected marker.
    pub fn is_protected(&self) -> bool {
        is_protected(&self.tags)
    }
 }
 ```
 ## Usage patterns
 **Marking an event protected.** Attach the tag at template construction,
 just like any other:
 ```rust
 let event = EventContent::new()
    .content("members only")
    .tags(vec![Tag::protected()])
    .kind(1)
    .stamp(now)
    .own(pubkey);
 ```
 **Checking on receipt.** A relay or client deciding how to handle an
 incoming event asks the event directly:
 ```rust
 if event.is_protected() {
    // only accept from an authenticated author
 }
 ```
 ## What's next
 Marking an event protected is half of NIP-70; honoring the mark is the
 other half, and it lives where connections and authentication do. The
 [Relay Authentication](26-relay-authentication.md) chapter implements the
 `AUTH` exchange and the author check that turn this tag into a rule.
 One consequence is worth flagging now: a protected event should not be
 re-broadcast by being embedded inside someone else's repost, since that
 would route it past the very acceptance check it asked for. Reposts are
 their own topic; the protected marker is simply something that logic will
 need to consult.
@@ -0,0 +1,160 @@
 # Plan: Protected Events
 ## Topic Summary
 NIP-70 defines an optional, valueless `["-"]` tag — the "protected" marker.
 Its presence asks relays to accept the event only when published directly by
 its author: the publishing connection must be NIP-42-authenticated and the
 authenticated pubkey must equal the event's `pubkey`. Relays receiving a
 protected event over an unauthenticated connection should issue an `AUTH`
 challenge and reject it for now; relays receiving one from an authenticated but
 non-matching connection should reject it outright.
 Like NIP-40 expiration, this is a **behavior tag** — orthogonal to kind, a
 cooperative request rather than a guarantee. This chapter adds tag-layer support
 only: a constructor, a boolean predicate, and method facades. Relay-side
 enforcement is deferred to the Relay Authentication chapter (ch 26), which has
 the NIP-42 machinery. The tag carries no value, so — unlike expiration — there
 is nothing to parse and no `get_*` function.
 ## Chapter Outline
 1. **Framing** — protected as a behavior tag, sibling to expiration; the
   `["-"]` tag has no value; the cooperative, relay-enforced (not cryptographic)
   nature of the request. Pick up the thread chapter 9 left dangling.
 2. **What the relay rule is** — state the NIP-42 auth-then-compare rule in prose
   so the reader understands what the tag *asks for*, and explain why none of
   that logic lives here (the tag layer is stateless; enforcement needs a
   connection and an authenticated pubkey — ch 26).
 3. **The module declaration** — `pub mod protected;` in `lib.rs` plus the module
   header doc comment.
 4. **The predicate** — `is_protected(&Tags) -> bool`. A thin wrapper over
   `Tags::has("-")`; justify it on consistency and discoverability (a named
   NIP-70 function), the same justification the expiration chapter used for its
   constructor. No value to parse means no `Option`, just `bool`.
 5. **Building the tag** — `Tag::protected() -> Tag` returning `["-"]`. One line;
   the narrative explains the unusual single-dash, valueless shape.
 6. **Methods on event types** — `is_protected(&self)` on both `HashedEvent` and
   `Event`, delegating to the free function.
 7. **Usage patterns** — building a protected event with the template builder;
   checking on receipt. Brief.
 8. **What's next** — bridge forward: enforcement lands with relay
   authentication (ch 26); note the NIP-18 repost interaction (a protected event
   shouldn't be embedded in a repost) as a forward reference, not implemented
   here.
 ## API Design
 ### Module `coracle-lib/src/protected.rs`
 ```rust
 use crate::events::{Event, HashedEvent};
 use crate::tags::Tags;
 /// True if the tag set carries the NIP-70 `["-"]` protected marker.
 pub fn is_protected(tags: &Tags) -> bool;
 impl HashedEvent {
    pub fn is_protected(&self) -> bool;
 }
 impl Event {
    pub fn is_protected(&self) -> bool;
 }
 ```
 `is_protected(tags)` is `tags.has("-")`.
 ### Tag constructor in `coracle-lib/src/tags.rs`
 ```rust
 impl Tag {
    /// Build a NIP-70 `["-"]` protected tag.
    pub fn protected() -> Tag;
 }
 ```
 Implemented as `Tag::new("-", std::iter::empty::<String>())` — a tag with the
 name `"-"` and no values, serializing as `["-"]`.
 ## Code Organization
 - **`coracle-lib/src/protected.rs`** — new module: the free function and the two
  method impls. Mirrors `expiration.rs`.
 - **`coracle-lib/src/lib.rs`** — add `pub mod protected;` (after `expiration`,
  matching SUMMARY order: ch 10 follows ch 9).
 - **`coracle-lib/src/tags.rs`** — append a `Tag::protected` constructor inside a
  new `impl Tag` block (code blocks targeting the same file concatenate; another
  `impl Tag` block at the end is valid Rust, exactly as `Tag::expiration` does).
 - **`coracle-lib/tests/protected.rs`** — hand-written integration test, not
  tangled. Covers the constructor shape, the predicate (present / absent), the
  method facades on both event types, and tag survival through hash + sign.
 ## Dependencies
 None. Pure std and existing crate types. No new `Cargo.toml` entries, no new
 workspace members.
 ## Narrative Notes
 - **Lead by connecting to expiration.** Chapter 9 ends with an explicit promise:
  "The next chapter introduces another — NIP-70's `protected` tag, which tells
  relays not to accept an event from anyone but its author." Open by fulfilling
  that promise. The reader already has the behavior-tag mental model.
 - **The valueless tag is the one novel thing.** Spend a sentence on why `["-"]`
  has no value and why that collapses the whole API to a boolean — there is no
  malformed-vs-absent distinction to make, no parse to fail.
 - **Be honest about enforcement.** This is the "hint, not guarantee" point from
  expiration, sharpened: the tag asks relays to require NIP-42 auth from the
  author. Without a cooperating relay, the tag does nothing. State the relay
  rule precisely (auth challenge, then pubkey comparison) so the reader knows
  what they're requesting, then say plainly that implementing it is ch 26's job.
 - **Justify the free function.** It is `tags.has("-")` and nothing more. Defend
  it the way ch 9 defended `Tag::expiration`: a named, discoverable NIP-70 entry
  point reads better at call sites and at the doc level than a bare string
  literal, and it keeps the protected-events surface symmetrical with the rest
  of the library (a free function on `&Tags` plus method sugar on the events).
 - **Keep it short.** This is the shortest behavior-tag chapter — no parsing, no
  timestamp comparison, no clock. Resist padding. The interest is conceptual
  (what the tag asks of the network), not mechanical.
 - **Forward references, not detours.** Mention enforcement (ch 26) and the
  repost interaction once each; do not explain them.
 ## Design Decisions
 - **Boolean, not `Option`.** The tag has no value; presence is the entire
  signal. `is_protected -> bool` is correct and matches every reference
  (`isProtectedEvent`, `IsProtected`, `Event::is_protected`).
 - **No `get_protected`.** Nothing to return but a bool, which `is_protected`
  already gives. A `get_*` would imply a value that does not exist.
 - **Free function on `&Tags` plus method facades.** Matches the
  `get_expiration`/`get_pow` pattern exactly. The free function is reusable by
  any caller holding a tag slice (e.g., a relay inspecting raw tags before
  reconstructing an `Event`); the methods are the ergonomic surface.
 - **Constructor in `tags.rs`, not `protected.rs`.** Lives with `Tag::new` and
  `Tag::expiration`; discoverable where callers build tags; no import from
  `protected` just to construct one. Identical placement reasoning to ch 9.
 - **Enforcement deferred to ch 26.** The acceptance rule needs an authenticated
  connection and a pubkey to compare against — state, not a stateless tag query.
  Putting a `should_accept`-style helper here (the option the user declined)
  would strand half the logic away from where the connection lives. The chapter
  describes the rule and points forward.
 - **No `set_protected(bool)` builder helper.** ndk/applesauce expose a
  toggle, but our builder surface is already chainable via
  `.tags(Tags::new().add(...))` / `Tag::protected()`. Adding a toggle would be
  ceremony, consistent with ch 9 declining `set_expiration`.
 - **Constructor uses an empty value iterator.** `Tag::new("-", iter::empty())`
  produces `["-"]`. Verified against `Tag::new`'s signature (name plus an
  `IntoIterator` of values); an empty iterator yields a one-element tag.
 ## Open Questions
 - Whether to show the relay-enforcement pseudocode inline. Decision: no — a prose
  statement of the rule is enough; code belongs in ch 26 where the connection and
  auth state exist. Showing non-tangled relay code here would invite the reader
  to think enforcement is part of this layer.
 - Whether to add a `Tags`-level convenience beyond the free function. Skip, per
  ch 9 reasoning: keep `Tags` a generic container; the named function lives in
  `protected.rs`.
 - Whether to document the NIP-18 repost interaction in depth. Keep it to a single
  forward-reference sentence; reposts are their own topic.
@@ -0,0 +1,230 @@
 # Research: Protected Events
 ## Topic Summary
 NIP-70 defines an optional, valueless `["-"]` tag — the "protected" marker.
 Its presence asks relays to accept the event *only* when it is published
 directly by its author, where "directly by its author" means the publishing
 connection has authenticated via NIP-42 and the authenticated pubkey matches
 the event's `pubkey`. A relay that receives a protected event over an
 unauthenticated connection should issue a NIP-42 `AUTH` challenge and reject
 the event for now; a relay that receives one from an authenticated connection
 whose pubkey is *not* the author should reject it outright.
 Like NIP-40 expiration, this is a **behavior tag**: orthogonal to the event's
 kind, it requests cooperation from the network rather than altering what the
 event means. It is a hint, not a guarantee — once an event is signed and held
 by anyone, no tag can claw it back.
 This chapter adds tag-layer support only, mirroring the Expiring Events
 chapter: a `Tag::protected()` constructor, an `is_protected(&Tags)` predicate,
 and `is_protected()` method facades on `HashedEvent` and `Event`. Relay-side
 enforcement (the NIP-42 auth-then-compare logic) is deferred to the Relay
 Authentication chapter (ch 26). The unusual property of this tag — that it
 carries no value — is the only thing distinguishing the API from expiration:
 there is nothing to parse, so there is no `get_*` function, just a boolean.
 ## Philosophy
 `ref/building-nostr` addresses NIP-70 directly and frames it the way this
 chapter should.
 - **Behavior tags are cooperative requests.** The book classifies tags as
  data, filter, or behavior tags, and names NIP-70 explicitly: *"the NIP 70
  protected tag `['-']` has no values. The presence of the tag merely indicates
  that relays should only accept such event if they're published directly by
  their author."* Behavior tags "determine how implementations should handle an
  event, independent of the specification which defines the event's kind." This
  is exactly the framing already used for expiration — and a reader arriving
  from chapter 9 will recognize it.
 - **Signed data cannot be unpublished.** *"Once it's published, there's no way
  to un-sign or un-publish the data. Anyone who has a copy can keep it."* The
  protected tag does not make an event secret; it asks relays to limit who they
  will *accept* it from going forward. The chapter must be honest that this is
  intent-signaling, not enforcement.
 - **Access control is the relay's job, via AUTH.** *"There is one additional
  responsibility that relays can't really delegate: access control. Access
  control on Nostr is implemented by the `AUTH` verb."* This is why NIP-70's
  enforcement story belongs to the networking layer and NIP-42, not to the
  stateless tag layer. The library's job here is only to read and write the
  marker.
 - **Censorship resistance vs. access control.** *"An architecture optimized for
  censorship resistance is necessarily not optimized for access controls or
  privacy."* Protected events ask relays to *limit* distribution, a deliberate
  deviation from nostr's broadcast default — useful framing for why this tag
  exists at all.
 - **Routing implications.** The book notes that access-controlled content (it
  cites NIP-29 groups) should *not* be routed by the usual outbox heuristic,
  since that would "leak" content meant to be protected. A brief forward
  reference: protected events interact with relay selection, but that is a later
  concern.
 ## Reference Implementation Analysis
 ### applesauce
 Supported, client-side only, in `applesauce-core`:
 - `isProtectedEvent(event)` — `helpers/event.ts:160`:
  `return event.tags.some((t) => t[0] === "-");`
 - `setProtected(set = true)` — `operations/event.ts:91`: adds the `["-"]`
  singleton tag, or removes it, via `setSingletonTag(["-"])` /
  `removeSingletonTag("-")`.
 - `protected(isProtected)` — `factories/event.ts:181`: fluent builder method on
  `EventFactory`.
 The `["-"]` tag is treated like any other singleton tag (`expiration`, `alt`),
 with no special-casing. No relay enforcement, no NIP-42 coupling. Notably,
 `isProtectedEvent` is never *called* elsewhere in the library except in tests —
 it is a primitive offered to consumers.
 ### ndk
 Supported as a getter/setter on `NDKEvent` (`core/src/events/index.ts:868`):
 ```typescript
 set isProtected(val: boolean) { this.removeTag("-"); if (val) this.tags.push(["-"]); }
 get isProtected(): boolean { return this.hasTag("-"); }
 ```
 The one place protection is *consumed* is reposts (`repost.ts:24`): when
 building a NIP-18 repost, a protected original is **not** JSON-embedded in the
 repost content. No relay-side enforcement; NDK is a client library, so the
 relay rule is out of scope by design.
 ### nostr-gadgets
 **Not implemented.** No references to nip70/protected/`["-"]` anywhere. The
 library is a high-level client utility layer (profile loading, lists, relay
 hints, outbox) that delegates event construction to `@nostr/tools` and never
 touches the protected tag.
 ### nostrlib
 The most complete implementation, including relay enforcement. Dedicated
 `nip70/nip70.go`:
 - `IsProtected(event) bool` — iterates tags, returns true if any tag is exactly
  `["-"]`.
 - `HasEmbeddedProtected(event) bool` — for reposts (kind 6/16), detects an
  embedded `["-"]` in the stringified content via substring search.
 Relay enforcement lives in the khatru handler (`khatru/handlers.go:192`):
 ```go
 if nip70.IsProtected(env.Event) {
    authed, is := GetAuthed(ctx)
    if !is {
        RequestAuth(ctx) // NIP-42 challenge
        // OK:false "auth-required: must be published by authenticated event author"
    } else if authed != env.Event.PubKey {
        // OK:false "blocked: must be published by event author"
    }
 } else if nip70.HasEmbeddedProtected(env.Event) {
    // OK:false "blocked: can't repost nip70 protected"
 }
 ```
 There is also an opt-in policy `OnlyAllowNIP70ProtectedEvents`. No client-side
 builder — callers append `["-"]` by hand. The auth-then-compare flow is the
 canonical relay logic and is what our ch 26 will implement.
 ### nostr-tools
 Minimal: the only handling is one inline check inside NIP-18 reposts
 (`nip18.ts:41`):
 ```typescript
 content: t.content === '' || reposted.tags?.find(tag => tag[0] === '-') ? '' : JSON.stringify(reposted),
 ```
 If a reposted event is protected, the repost content is emptied. No standalone
 detector, no builder, no relay rules — consistent with the library's low-level,
 minimal philosophy. A single test covers the repost-emptying behavior.
 ### rust-nostr
 First-class and the closest analog to our target design. The `-` tag is a named
 enum variant rather than a generic string tag:
 - `TagKind::Protected` ↔ `"-"` (`event/tag/kind.rs`).
 - `TagStandard::Protected`, parsed from `["-"]` (`event/tag/standard.rs`).
 - `Tag::protected() -> Self` (`event/tag/mod.rs:469`).
 - `Tag::is_protected(&self) -> bool` (`mod.rs:529`) —
  `matches!(self.as_standardized(), Some(TagStandard::Protected))`.
 - `Event::is_protected(&self) -> bool` (`event/mod.rs:263`) —
  `self.tags.find_standardized(TagKind::Protected).is_some()`.
 Relay enforcement in `nostr-relay-builder` mirrors nostrlib: if protected and
 not NIP-42-authenticated, send AUTH; if authed pubkey ≠ event pubkey, reject
 with "this event may only be published by its author". A `test_protected_event`
 round-trips `{"tags":[["-"]]}` JSON. Clean, minimal, self-contained; no separate
 NIP-70 module because the feature is small enough to live in the tag system.
 ### welshman
 **Not implemented.** No nip70/protected/`["-"]` handling anywhere. Welshman has
 generic tag utilities (`getTag`, `getTagValue`, specialized `p`/`e`/`a`/`t`
 helpers) and a NIP-42 auth event builder (`makeRelayAuth`), but nothing wires
 them to a protected-event rule. As the sibling library to this one, its absence
 is a small data point that NIP-70 is often skipped — but our chapter adds it.
 ## Common Patterns
 - **The tag is `["-"]`, valueless.** Every implementation that handles it agrees
  presence alone is the signal; there is nothing to parse. This is the single
  most important fact for our API: a boolean predicate, no `get_*`.
 - **Detection is a one-liner.** Universally "does any tag's first element equal
  `"-"`" — i.e., `tags.has("-")` in our existing `Tags` vocabulary.
 - **Construction is trivial.** A constructor that returns `["-"]`. rust-nostr
  gives it a named `Tag::protected()`; applesauce/ndk inline `["-"]`.
 - **Method on the event is the ergonomic surface.** rust-nostr, ndk, and
  applesauce all expose detection at the event level (`is_protected` /
  `isProtected`), which is where callers actually hold the data.
 - **Enforcement is relay-side and needs NIP-42.** nostrlib and rust-nostr
  implement the identical flow: protected + unauthenticated → AUTH challenge +
  reject; protected + authed-but-wrong-pubkey → reject. Client libraries
  (applesauce, ndk, nostr-tools, welshman) do *not* enforce; they only mark.
 - **The NIP-18 repost interaction recurs.** applesauce, ndk, nostr-tools, and
  nostrlib all special-case reposts so a protected event isn't re-broadcast by
  being embedded in someone else's repost content. This is a real, named
  consequence of the tag worth a forward reference, but it belongs to a reposts
  chapter, not here.
 - **Two libraries skip it entirely** (nostr-gadgets, welshman), confirming the
  feature is small and often deferred — which is why a focused, correct
  tag-layer treatment is worth having.
 ## Considerations for Our Implementation
 - **Mirror the expiration chapter's shape.** Free function on `&Tags`, a
  `Tag::protected()` constructor in `tags.rs`, method facades on `HashedEvent`
  and `Event`, a new `protected.rs` module, a hand-written integration test.
  Consistency with ch 9 is a feature: the reader has just seen this exact shape.
 - **No `get_*`, no parsing.** The tag has no value. The whole API is a boolean.
  `is_protected(&Tags)` is `tags.has("-")` — our `Tags::has` already does the
  work. The chapter should acknowledge that the free function is a thin wrapper
  and justify it on consistency and discoverability grounds (a named NIP-70
  function the reader can find), the same justification used for the expiration
  constructor.
 - **No `Timestamp`/value type concerns.** Unlike expiration there is no number,
  so none of expiration's parsing/`<` discussion applies. The chapter is
  shorter.
 - **The constructor goes in `tags.rs`,** appended as another `impl Tag` block,
  exactly like `Tag::expiration`. Discoverable next to `Tag::new`; no import
  from `protected` just to build a tag.
 - **Defer enforcement explicitly.** State the relay rule in prose — protected +
  authed-author-only — and name where it will be implemented (Relay
  Authentication, ch 26, which needs the NIP-42 machinery). Do not write
  acceptance logic here; the tag layer is stateless and has no notion of a
  connection or an authenticated pubkey.
 - **Mention the repost consequence briefly,** as a forward reference, without
  implementing it: a protected event should not be embedded in a NIP-18 repost.
 - **No dependencies.** Pure std + existing crate types. No new `Cargo.toml`
  entries, no workspace changes.
 - **The `"-"` tag name is unusual** (a single dash, not a word). Worth one
  sentence: it is intentionally terse and visually distinct, and it has no
  values, which is why it does not look like other tags.
@@ -15,7 +15,9 @@ fn fixed_secret() -> SecretKey {
 fn make_signed_event(kind: u16, tags: Vec<Tag>) -> coracle_lib::events::Event {
    let sk = fixed_secret();
    let pk = sk.public_key();
-    let hashed = EventContent::new("test", tags)
+    let hashed = EventContent::new()
        .content("test")
        .tags(tags)
        .kind(kind)
        .stamp(1_700_000_000)
        .own(pk)
@@ -13,7 +13,9 @@ fn fixed_secret() -> SecretKey {
 }
 fn build_hashed(content: &str, tags: Vec<Tag>) -> HashedEvent {
-    EventContent::new(content, tags)
+    EventContent::new()
        .content(content)
        .tags(tags)
        .kind(1)
        .stamp(1_700_000_000)
        .own(fixed_secret().public_key())
@@ -29,7 +31,7 @@ fn sign_fixture() -> Event {
 #[test]
 fn pipeline_progresses_through_types() {
-    let content = EventContent::new("hi", Tags::new());
+    let content = EventContent::new().content("hi").tags(Tags::new());
    let template: EventTemplate = content.kind(1);
    let stamped: StampedEvent = template.stamp(1_700_000_000);
    let owned: OwnedEvent = stamped.own(fixed_secret().public_key());
@@ -15,7 +15,9 @@ fn fixed_secret() -> SecretKey {
 fn make_event(kind: u16, timestamp: u64, tags: Vec<Tag>) -> Event {
    let sk = fixed_secret();
-    let hashed = EventContent::new("hello", tags)
+    let hashed = EventContent::new()
        .content("hello")
        .tags(tags)
        .kind(kind)
        .stamp(timestamp)
        .own(sk.public_key())
@@ -12,7 +12,9 @@ fn fixed_secret() -> SecretKey {
 }
 fn test_event() -> OwnedEvent {
-    EventContent::new("hello nostr", Tags::new())
+    EventContent::new()
        .content("hello nostr")
        .tags(Tags::new())
        .kind(1)
        .stamp(1_700_000_000)
        .own(fixed_secret().public_key())
@@ -0,0 +1,125 @@
 use coracle_lib::events::{EventContent, HashedEvent};
 use coracle_lib::keys::SecretKey;
 use coracle_lib::protected::is_protected;
 use coracle_lib::tags::{Tag, Tags};
 fn fixed_secret() -> SecretKey {
    let bytes: [u8; 32] = [
        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
        26, 27, 28, 29, 30, 31, 32,
    ];
    SecretKey::from_hex(&hex::encode(bytes)).unwrap()
 }
 fn build_hashed(tags: Tags) -> HashedEvent {
    EventContent::new()
        .content("hi")
        .tags(tags)
        .kind(1)
        .stamp(1_700_000_000)
        .own(fixed_secret().public_key())
        .hash()
 }
 // --- Tag::protected constructor ---
 #[test]
 fn tag_constructor_shape() {
    let t = Tag::protected();
    assert_eq!(t.name(), "-");
    assert_eq!(t.len(), 1);
    assert!(t.values().is_empty());
 }
 #[test]
 fn tag_constructor_serializes_as_single_element() {
    let t = Tag::protected();
    assert_eq!(serde_json::to_string(&t).unwrap(), r#"["-"]"#);
 }
 // --- is_protected ---
 #[test]
 fn is_protected_false_when_tag_absent() {
    let tags = Tags::new();
    assert!(!is_protected(&tags));
 }
 #[test]
 fn is_protected_false_with_unrelated_tags() {
    let tags = Tags::from(vec![Tag::new("t", ["nostr"]), Tag::expiration(100)]);
    assert!(!is_protected(&tags));
 }
 #[test]
 fn is_protected_true_when_tag_present() {
    let tags = Tags::from(vec![Tag::protected()]);
    assert!(is_protected(&tags));
 }
 #[test]
 fn is_protected_true_among_other_tags() {
    let tags = Tags::from(vec![
        Tag::new("t", ["nostr"]),
        Tag::protected(),
        Tag::expiration(100),
    ]);
    assert!(is_protected(&tags));
 }
 #[test]
 fn is_protected_detects_a_raw_dash_tag() {
    // The marker is identified by name alone; a hand-built ["-"] is
    // equivalent to Tag::protected().
    let tags = Tags::from(vec![Tag::new("-", Vec::<String>::new())]);
    assert!(is_protected(&tags));
 }
 // --- HashedEvent method facade ---
 #[test]
 fn hashed_event_reports_protected() {
    let event = build_hashed(Tags::from(vec![Tag::protected()]));
    assert!(event.is_protected());
 }
 #[test]
 fn hashed_event_reports_unprotected() {
    let event = build_hashed(Tags::new());
    assert!(!event.is_protected());
 }
 // --- Event method facade ---
 #[test]
 fn signed_event_reports_protected() {
    let sk = fixed_secret();
    let hashed = build_hashed(Tags::from(vec![Tag::protected()]));
    let sig = sk.sign(&hashed.id);
    let signed = hashed.sign(sig);
    assert!(signed.is_protected());
 }
 #[test]
 fn protected_tag_survives_hashing_and_signing() {
    // The tag is part of the canonical hash input, so it must round-trip
    // through hash() and sign() intact and still verify.
    let sk = fixed_secret();
    let hashed = build_hashed(Tags::from(vec![Tag::protected()]));
    let sig = sk.sign(&hashed.id);
    let signed = hashed.sign(sig);
    assert!(signed.verify_id());
    assert!(signed.is_protected());
 }
 #[test]
 fn unprotected_event_stays_unprotected_through_signing() {
    let sk = fixed_secret();
    let hashed = build_hashed(Tags::new());
    let sig = sk.sign(&hashed.id);
    let signed = hashed.sign(sig);
    assert!(!signed.is_protected());
 }