Non-NIP new features and changes in v3: DEPLOYMENT - Unified nostream CLI/TUI replaces all scripts/* shell wrappers (start, stop, update, clean, info, dev) - nginx reverse proxy option added to docker-compose (nostream start --nginx) - I2P support added (nostream start --i2p) - New docker-compose variants: i2p, nginx, Windows - Docker DNS pre-flight check before startup - Dockerfile now auto-runs migrations on container start - Railway.app deployment template included PERFORMANCE - New hot-path PostgreSQL indexes for subscription, vanish, retention, and invoice queries - User admission check converted to a PostgreSQL stored function - User admission check result cached in Redis - EWMA rate limiter with configurable strategy support - Vanish (NIP-62) query optimized - db:benchmark and db:verify-index-impact tooling added IMPORT / EXPORT - Export events to JSON Lines (.jsonl) or JSON array (.json) - Import events from .jsonl or .json files - Gzip and XZ compression for both import and export PAYMENTS - NWC (Nostr Wallet Connect) added as a payment processor - Callback routes now only registered when the matching processor is active - LNbits: stale pending invoices now expired automatically - Nodeless: timing-safe HMAC comparison for webhook verification RELIABILITY & SECURITY - X-Forwarded-For no longer unconditionally trusted — trusted proxies must be configured - Dead WebSocket connections closed even when they have active subscriptions - Rate limiter TOCTOU race condition fixed via Lua atomic script - Mirroring: silent event drops fixed when mirror has no limits configured - Redis: AUTH skipped automatically when credentials are unset - CSP hardened: removed unsafe-inline, added script nonces - serialize-javascript updated to fix RCE CVE (GHSA-5c6j-r48x-rmvq) NEW SETTINGS - nip05.domainWhitelist / nip05.domainBlacklist - limits.event.retention.kind.whitelist - limits.event.retention.pubkey.whitelist - limits.admissionCheck.ipWhitelist - limits.message.ipWhitelist - info.self (relay pubkey for NIP-11 relay info) - Opt-in event retention purge (limits.event.retention) TOOLING (developer-facing) - pnpm replaces npm - Biome replaces ESLint + Prettier - Zod replaces Joi for validation - Changesets replaces semantic-release - Knip added for dead code detection - Pino replaces custom logging across adapters and services - CodeQL security analysis workflow added