feat: integrate config system into relay main.go

Add support for loading configuration from YAML file via -config flag.
Wire up auth, rate limiting, and metrics interceptors based on config.

Changes:
- Add -config flag to relay command
- Use config types directly in auth package (AuthOperationConfig)
- Add conversion methods: RateLimitConfig.ToRateLimiter(), MetricsConfig.ToMetrics()
- Add Metrics.Serve() method for prometheus HTTP endpoint
- Update main.go to initialize interceptors from config
- Fix type naming: OperationAuthConfig -> AuthOperationConfig for consistency

Config now supports complete relay setup including auth read/write
allowlists, rate limiting, and prometheus metrics.

3 files changed, 10 insertions, 13 deletions

diff --git a/internal/auth/README.md b/internal/auth/README.md
index de37010..98d1437 100644
--- a/internal/auth/README.md
+++ b/internal/auth/README.md
@@ -142,11 +142,11 @@ import (
 
 // Create auth options
 authOpts := &auth.InterceptorOptions{
-    Read: auth.OperationAuthConfig{
+    Read: auth.AuthOperationConfig{
         Enabled:      true, // Require auth for reads
         AllowedNpubs: nil,  // Accept any valid signature
     },
-    Write: auth.OperationAuthConfig{
+    Write: auth.AuthOperationConfig{
         Enabled:      true,
         AllowedNpubs: []string{"hex-pubkey-1", "hex-pubkey-2"}, // Whitelist
     },
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index 7b0fa13..68c68f5 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -243,11 +243,11 @@ func TestValidateAuthFromContext(t *testing.T) {
         ctx := metadata.NewIncomingContext(context.Background(), md)
 
         opts := &InterceptorOptions{
-                Read: OperationAuthConfig{
+                Read: AuthOperationConfig{
                         Enabled:      true,
                         AllowedNpubs: nil,
                 },
-                Write: OperationAuthConfig{
+                Write: AuthOperationConfig{
                         Enabled:      true,
                         AllowedNpubs: nil,
                 },
diff --git a/internal/auth/interceptor.go b/internal/auth/interceptor.go
index 42c2688..67450ce 100644
--- a/internal/auth/interceptor.go
+++ b/internal/auth/interceptor.go
@@ -18,28 +18,25 @@ const (
 )
 
 type InterceptorOptions struct {
-        Read            OperationAuthConfig
-        Write           OperationAuthConfig
+        Read            AuthOperationConfig
+        Write           AuthOperationConfig
         TimestampWindow int64
         ValidatePayload bool
         SkipMethods     []string
 }
 
-// OperationAuthConfig configures auth for read or write operations.
-// Three states: disabled (allow all), enabled with empty list (require auth),
-// enabled with npubs (whitelist only). Npubs normalized to hex at load time.
-type OperationAuthConfig struct {
+type AuthOperationConfig struct {
         Enabled      bool
         AllowedNpubs []string
 }
 
 func DefaultInterceptorOptions() *InterceptorOptions {
         return &InterceptorOptions{
-                Read: OperationAuthConfig{
+                Read: AuthOperationConfig{
                         Enabled:      false,
                         AllowedNpubs: nil,
                 },
-                Write: OperationAuthConfig{
+                Write: AuthOperationConfig{
                         Enabled:      false,
                         AllowedNpubs: nil,
                 },
@@ -154,7 +151,7 @@ func validateAuthFromContext(ctx context.Context, method string, opts *Intercept
 
         pubkey := ExtractPubkey(event)
 
-        var opConfig OperationAuthConfig
+        var opConfig AuthOperationConfig
         if isWriteMethod(method) {
                 opConfig = opts.Write
         } else {