Fetch provider whitelist from Nostr and restrict interactions to whitelisted providers #34

@sh1ftred

Summary

Fetch a provider whitelist from Nostr and make routstrd interact only with whitelisted providers.

Motivation

routstrd currently discovers/routes to available providers and lets users enable/disable providers locally. To reduce exposure to untrusted or malicious providers, the daemon should support a Nostr-backed allowlist and filter provider discovery, model fetching, routing, refunds, and provider-management views through that allowlist.

Proposed behavior

  • On daemon startup, fetch the provider whitelist from Nostr.
  • Treat the whitelist as the source of truth for providers the daemon is allowed to contact.
  • Only bootstrap/fetch models from whitelisted providers.
  • Only route inference requests to whitelisted providers.
  • Ignore or reject explicit provider overrides (--provider, provider config, query/header provider selection) when the provider is not whitelisted.
  • Ensure provider list/status endpoints do not expose or select non-whitelisted discovered providers as usable.
  • Refresh the whitelist periodically or provide a command/API path to refresh it without restarting.
  • Fail safely if the whitelist cannot be fetched:
    • Prefer not interacting with any non-whitelisted provider.
    • Log a clear warning/error describing whether cached whitelist data is being used or routing is disabled.

Implementation notes / questions

  • Define the Nostr event kind/tag format and trusted pubkey/relay configuration for publishing the whitelist.
  • Consider caching the last successfully fetched whitelist in the local store so the daemon can continue operating during temporary Nostr/relay failures.
  • Add config options for Nostr relays, whitelist publisher pubkey(s), refresh interval, and possibly a development override.
  • Apply filtering at the provider registry/manager layer so all higher-level paths inherit the whitelist constraints.

Acceptance criteria

  • Daemon can fetch and parse the provider whitelist from Nostr.
  • Non-whitelisted providers are never contacted for model discovery, inference routing, or refunds.
  • Explicit provider selection fails with a clear error when the provider is not whitelisted.
  • Cached whitelist behavior is documented and tested.
  • Unit/integration tests cover whitelist fetch success, fetch failure, cache fallback, and provider filtering.
  • README/config docs describe how to configure the Nostr whitelist source.
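
A sketch of the fail-safe refresh and registry-layer filtering proposed above, as an added example that is not part of the issue or routstrd's own code. It assumes `fetch()` returns events whose signatures a Nostr library has already verified, and that a hypothetical `provider` tag carries each provider URL, since the issue leaves the event format open.

```python
import logging
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

log = logging.getLogger("allowlist")
PROVIDER_TAG = "provider"  # hypothetical tag name; the issue leaves the format open

class ProviderNotAllowed(Exception):
    pass

def normalize(url):
    # Compare providers by lowercased scheme and host, ignoring a trailing slash.
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

@dataclass
class ProviderAllowlist:
    trusted_pubkeys: frozenset  # configured whitelist publisher pubkey(s)
    max_cache_age: float        # seconds a stale list may still be used
    providers: frozenset = frozenset()
    fetched_at: float = 0.0
    state: str = "disabled"     # "fresh", "cached" or "disabled"

    def refresh(self, fetch, now=None):
        # fetch() returns signature-verified event dicts, or raises.
        now = time.time() if now is None else now
        try:
            events = [e for e in fetch() if e.get("pubkey") in self.trusted_pubkeys]
            latest = max(events, key=lambda e: e["created_at"])  # raises if empty
            self.providers = frozenset(
                normalize(t[1]) for t in latest["tags"]
                if len(t) >= 2 and t[0] == PROVIDER_TAG)
            self.fetched_at, self.state = now, "fresh"
        except Exception as exc:
            if self.providers and now - self.fetched_at <= self.max_cache_age:
                self.state = "cached"
                log.warning("whitelist fetch failed (%r); using cached list", exc)
            else:  # fail closed: no list means no provider may be contacted
                self.providers, self.state = frozenset(), "disabled"
                log.error("whitelist fetch failed (%r); routing disabled", exc)
        return self.state

    def require(self, url):
        # Gate for explicit provider selection (flag, config, header).
        if normalize(url) not in self.providers:
            raise ProviderNotAllowed(f"provider not whitelisted: {url}")
        return normalize(url)

    def filter(self, discovered):
        # Gate for discovery and listing: keep only whitelisted providers.
        return [u for u in discovered if normalize(u) in self.providers]
```

Events from untrusted pubkeys are dropped before the newest one is chosen, so a later event from another key cannot replace the list, and any malformed event is handled the same way as a fetch failure.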
