feat: rename allowed_pubkeys to allowed_npubs with normalization

- Config now accepts npub format only (human-readable)
- Automatically converts npubs to hex pubkeys at load time
- Updated InterceptorOptions.AllowedPubkeys -> AllowedNpubs
- Added validation to reject hex format in config (npub only)
- Updated documentation to clarify npub-only config
- Added comprehensive tests for npub normalization

Config is for humans (npub), internal code uses hex pubkeys.

2 files changed, 10 insertions, 7 deletions

diff --git a/internal/auth/README.md b/internal/auth/README.md
index c41b6cb..df0de6a 100644
--- a/internal/auth/README.md
+++ b/internal/auth/README.md
@@ -209,7 +209,9 @@ authOpts := &auth.InterceptorOptions{
 - **`TimestampWindow`**: Maximum age of events in seconds (default: 60)
 - **`Required`**: Whether to reject unauthenticated requests (default: false)
 - **`ValidatePayload`**: Whether to verify payload hash when present (default: false)
-- **`AllowedPubkeys`**: Optional whitelist of allowed pubkeys (nil = allow all)
+- **`AllowedNpubs`**: Optional whitelist of allowed pubkeys (nil = allow all)
+  - Config accepts npub format only (human-readable bech32)
+  - Automatically normalized to hex format (computer-readable) at config load time
 
 ### NostrCredentials Options
 
diff --git a/internal/auth/interceptor.go b/internal/auth/interceptor.go
index c055a15..7d785bf 100644
--- a/internal/auth/interceptor.go
+++ b/internal/auth/interceptor.go
@@ -35,10 +35,11 @@ type InterceptorOptions struct {
         // Default: false
         ValidatePayload bool
 
-        // AllowedPubkeys is an optional whitelist of allowed pubkeys.
+        // AllowedNpubs is an optional whitelist of allowed pubkeys (hex format).
+        // Config accepts npub format only, normalized to hex at load time.
         // If nil or empty, all valid signatures are accepted.
         // Default: nil (allow all)
-        AllowedPubkeys []string
+        AllowedNpubs []string
 
         // SkipMethods is a list of gRPC methods that bypass authentication.
         // Useful for public endpoints like health checks or relay info.
@@ -53,7 +54,7 @@ func DefaultInterceptorOptions() *InterceptorOptions {
                 TimestampWindow: 60,
                 Required:        false,
                 ValidatePayload: false,
-                AllowedPubkeys:  nil,
+                AllowedNpubs:    nil,
                 SkipMethods:     nil,
         }
 }
@@ -168,9 +169,9 @@ func validateAuthFromContext(ctx context.Context, method string, opts *Intercept
         // Extract pubkey
         pubkey := ExtractPubkey(event)
 
-        // Check whitelist if configured
-        if len(opts.AllowedPubkeys) > 0 {
-                if !contains(opts.AllowedPubkeys, pubkey) {
+        // Check whitelist if configured (all values are already normalized to hex)
+        if len(opts.AllowedNpubs) > 0 {
+                if !contains(opts.AllowedNpubs, pubkey) {
                         return "", fmt.Errorf("pubkey not in whitelist")
                 }
         }