feat: FEDERATED_STATIC_ONLY, federation blocklist, Indonesia-first i18n

FEDERATED_STATIC_ONLY=true (static-only node safety flag)
- processManager.ts: startSiteProcess() throws 400 when STATIC_ONLY is set
  with clear error message directing user to a dynamic-capable node
- sites.ts: POST /api/sites blocks nlpl/dynamic/node/python site types
  with STATIC_ONLY_NODE error code
- federation.ts: capabilities array dynamically omits 'dynamic-hosting'
  and 'nlpl' when STATIC_ONLY=true — peers can see this in /.well-known/federation
- resourceConfig.ts: FEDERATED_STATIC_ONLY exported, logs at startup
- NlplPanel.tsx: amber warning banner when staticOnlyMode=true in runtimeInfo
- nlpl.ts: staticOnlyMode field added to GET /nlpl/runtime-info response
- .env.example: full documentation with what is/isn't affected

Federation blocklist (defederation)
- lib/db/src/schema/federationBlocks.ts: federation_blocks table
  (id, node_domain UNIQUE, reason, blocked_by, created_at, updated_at)
- lib/db/src/schema/index.ts: federationBlocks exported
- lib/db/migrations/0000_initial_schema.sql: federation_blocks table added
- routes/federationBlocks.ts: full CRUD + enforcement
  GET    /api/federation/blocks              — list (admin only)
  POST   /api/federation/blocks              — add block (admin) + updates nodes.status
  DELETE /api/federation/blocks/:domain      — remove block (admin)
  GET    /api/federation/blocks/check?domain — public check endpoint for peers
  In-memory Set<string> for O(1) checks on every federation request
  loadBlocklist() called at startup, Set updated on every mutation
- federation.ts: isBlocked() checked at top of ping and sync handlers
  — blocked nodes get 403 before any signature verification
- index.ts: loadBlocklist() awaited in startup sequence

Indonesia-first i18n (Southeast Asia language detection)
- i18n/index.ts: getInitialLanguage() — deterministic language selection:
  1. Stored localStorage preference (fh_language)
  2. Browser navigator.language (id* → Bahasa, en* → English)
  3. fh-node-region meta tag — ap-southeast* nodes → Bahasa Indonesia
  4. Timezone detection — WIB/WITA/WIT → Bahasa Indonesia
  5. English fallback
  Uses lng: getInitialLanguage() to set deterministically before LanguageDetector
- index.html: <meta name='fh-node-region' content='%VITE_NODE_REGION%'>
  injected — replaced by Vite at build time from .env
- .env.example: VITE_NODE_REGION documented (defaults to NODE_REGION)

Author: The No Hands Company

.env.example

@@ -236,3 +236,29 @@ DYNAMIC_MAX_RESTARTS=5
 #   Global rate limit:   300    → 60 req/min
 #   Compression:         level 6 → level 1 (fastest)
 LOW_RESOURCE=false
+
+# ── Static-only mode (federation safety) ─────────────────────────────────────
+# Set to "true" to disable dynamic site hosting (NLPL, Node.js, Python).
+# Recommended for:
+#   - Volunteer nodes that only want to serve static sites
+#   - Nodes in high-trust federation networks where dynamic execution is risky
+#   - Nodes with very limited resources (no spare CPU for process management)
+#
+# When enabled:
+#   - POST /api/sites with siteType nlpl/dynamic/node/python → 400 error
+#   - POST /api/sites/:id/nlpl/start → 400 error with clear message
+#   - Federation meta endpoint advertises capabilities: ["static"] (no "dynamic")
+#   - Dashboard shows a banner on dynamic site pages
+#
+# Does NOT affect:
+#   - Already-registered dynamic sites (they just can't be started)
+#   - The build pipeline (git clone + npm build → static output is fine)
+#   - Federation replication of static sites from other nodes
+FEDERATED_STATIC_ONLY=false
+
+# ── Frontend node region hint (i18n) ─────────────────────────────────────────
+# Injected into index.html as <meta name="fh-node-region">.
+# Used by the frontend to default to Bahasa Indonesia for Southeast Asian nodes.
+# Set to your node's AWS-style region (same value as NODE_REGION).
+# Example: ap-southeast-3 (Jakarta) will default the UI to Bahasa Indonesia.
+VITE_NODE_REGION=${NODE_REGION:-}

artifacts/api-server/src/index.ts

@@ -26,6 +26,7 @@ import { startAnalyticsFlusher, stopAnalyticsFlusher } from "./lib/analyticsFlus
 import { startGossipPusher, stopGossipPusher } from "./routes/gossip";
 import { getRedisClient, closeRedis } from "./lib/redis";
 import { startSyncRetryQueue, stopSyncRetryQueue } from "./lib/syncRetryQueue";
+import { loadBlocklist } from "./routes/federationBlocks";
 import { startAcmeRenewalScheduler, stopAcmeRenewalScheduler } from "./lib/acme";
 import { stopAllProcesses } from "./lib/processManager";
 import { startSiteHealthMonitor, stopSiteHealthMonitor } from "./lib/siteHealthMonitor";
@@ -128,6 +129,7 @@ ensureLocalNode()
     });
 
     startHealthMonitor();
+    await loadBlocklist();
     startAnalyticsFlusher();
     startGossipPusher();
     startSyncRetryQueue();

artifacts/api-server/src/lib/processManager.ts

@@ -267,6 +267,14 @@ export async function startSiteProcess(opts: {
   workDir: string;
   entryFile: string;
 }): Promise<{ port: number }> {
+  // Respect FEDERATED_STATIC_ONLY — operator may disable dynamic hosting
+  // for security/simplicity, especially important for volunteer nodes
+  if (process.env.FEDERATED_STATIC_ONLY === "true") {
+    throw new Error(
+      "Dynamic site hosting is disabled on this node (FEDERATED_STATIC_ONLY=true). " +
+      "This node only serves static sites. Contact the node operator to enable dynamic hosting.",
+    );
+  }
   const existing = processes.get(opts.siteId);
   if (existing && (existing.status === "running" || existing.status === "starting")) {
     return { port: existing.port };

artifacts/api-server/src/lib/resourceConfig.ts

@@ -86,6 +86,16 @@ export const GOSSIP_INTERVAL_MS = LOW_RESOURCE
   ? parseInt(process.env.GOSSIP_INTERVAL_MS ?? "600000")  // 10 minutes
   : parseInt(process.env.GOSSIP_INTERVAL_MS ?? "300000"); // 5 minutes
 
+/** Whether dynamic site hosting (NLPL/Node/Python) is disabled on this node */
+export const FEDERATED_STATIC_ONLY = process.env.FEDERATED_STATIC_ONLY === "true";
+
+if (FEDERATED_STATIC_ONLY) {
+  console.warn(
+    "[config] FEDERATED_STATIC_ONLY=true — dynamic site hosting disabled. " +
+    "This node only serves static sites (HTML/CSS/JS)."
+  );
+}
+
 if (LOW_RESOURCE) {
   // Log once at startup so operators know the mode is active
   // Using console directly since the logger may not be initialised yet

artifacts/api-server/src/routes/federation.ts

@@ -8,6 +8,7 @@ import { federationLimiter, writeLimiter } from "../middleware/rateLimiter";
 import { parsePagination, buildPaginatedResponse } from "../lib/pagination";
 import logger from "../lib/logger";
 import { resolveConflict } from "../lib/conflictResolution";
+import { isBlocked } from "./federationBlocks";
 import { federationSyncsTotal, federationPeersTotal } from "../lib/metrics";
 
 const router: IRouter = Router();
@@ -27,7 +28,13 @@ router.get("/federation/meta", asyncHandler(async (_req, res) => {
     nodeCount: allNodes.length,
     activeSites: activeDeployments.length,
     joinedAt: localNode?.joinedAt ?? new Date().toISOString(),
-    capabilities: ["site-hosting", "node-federation", "key-verification", "site-replication"],
+    capabilities: [
+      "site-hosting",
+      "node-federation",
+      "key-verification",
+      "site-replication",
+      ...(process.env.FEDERATED_STATIC_ONLY === "true" ? [] : ["dynamic-hosting", "nlpl"]),
+    ],
   });
 }));
 
@@ -38,6 +45,12 @@ router.post("/federation/ping", federationLimiter, asyncHandler(async (req, res)
     throw AppError.badRequest("Missing required fields: nodeDomain, challenge, signature");
   }
 
+  // Reject blocked nodes immediately
+  if (isBlocked(nodeDomain)) {
+    logger.warn({ nodeDomain }, "[federation] Ping rejected — node is on blocklist");
+    throw AppError.forbidden("This node is not permitted to federate with us.");
+  }
+
   // Reject stale messages — prevents replay attacks
   if (timestamp) {
     const messageAge = Math.abs(Date.now() - parseInt(timestamp, 10));
@@ -205,6 +218,14 @@ router.post("/federation/sync", asyncHandler(async (req, res) => {
     throw AppError.badRequest("Missing siteDomain or deploymentId");
   }
 
+  // Reject blocked nodes
+  const fromHeader = (req.body as { fromDomain?: string }).fromDomain ??
+    req.headers["x-federation-from"] as string | undefined;
+  if (fromHeader && isBlocked(fromHeader)) {
+    logger.warn({ fromDomain: fromHeader, siteDomain }, "[federation] Sync rejected — node is on blocklist");
+    throw AppError.forbidden("This node is not permitted to federate with us.");
+  }
+
   // Verify the signature on the sync message
   const signature = req.headers["x-federation-signature"] as string | undefined;
 

artifacts/api-server/src/routes/federationBlocks.ts

@@ -0,0 +1,114 @@
+/**
+ * Federation blocklist routes.
+ *
+ * Operators can block specific peer nodes from federating with this node.
+ * Blocked nodes cannot handshake, ping, sync, or appear in bootstrap.
+ *
+ * Routes:
+ *   GET    /api/federation/blocks           — list blocked nodes (admin)
+ *   POST   /api/federation/blocks           — add a block (admin)
+ *   DELETE /api/federation/blocks/:domain   — remove a block (admin)
+ *   GET    /api/federation/blocks/check     — check if a domain is blocked (public — for peers)
+ */
+
+import { Router, type IRouter, type Request, type Response } from "express";
+import { z } from "zod/v4";
+import { db, federationBlocksTable, nodesTable } from "@workspace/db";
+import { eq } from "drizzle-orm";
+import { asyncHandler, AppError } from "../lib/errors";
+import { requireAdmin } from "../middleware/requireAdmin";
+import { writeLimiter } from "../middleware/rateLimiter";
+import logger from "../lib/logger";
+
+const router: IRouter = Router();
+
+// In-memory Set for O(1) block checks on every incoming federation request.
+// Loaded at startup and kept in sync with DB mutations.
+export const blockedDomains = new Set<string>();
+
+/** Load all blocked domains into the in-memory set at startup */
+export async function loadBlocklist(): Promise<void> {
+  try {
+    const rows = await db.select({ nodeDomain: federationBlocksTable.nodeDomain }).from(federationBlocksTable);
+    blockedDomains.clear();
+    for (const row of rows) blockedDomains.add(row.nodeDomain.toLowerCase());
+    logger.info({ count: blockedDomains.size }, "[blocklist] Loaded federation blocklist");
+  } catch (err) {
+    logger.warn({ err }, "[blocklist] Failed to load blocklist — continuing without it");
+  }
+}
+
+/** Returns true if the given domain is on the blocklist */
+export function isBlocked(domain: string): boolean {
+  return blockedDomains.has(domain.toLowerCase());
+}
+
+// ── GET /api/federation/blocks ────────────────────────────────────────────────
+
+router.get("/federation/blocks", requireAdmin, asyncHandler(async (req: Request, res: Response) => {
+  const blocks = await db.select().from(federationBlocksTable).orderBy(federationBlocksTable.createdAt);
+  res.json({ blocks, total: blocks.length });
+}));
+
+// ── POST /api/federation/blocks ───────────────────────────────────────────────
+
+router.post("/federation/blocks", requireAdmin, writeLimiter, asyncHandler(async (req: Request, res: Response) => {
+  const { nodeDomain, reason } = z.object({
+    nodeDomain: z.string().min(1).max(253).toLowerCase(),
+    reason:     z.string().max(500).optional(),
+  }).parse(req.body);
+
+  // Check if already blocked
+  const [existing] = await db.select({ id: federationBlocksTable.id }).from(federationBlocksTable)
+    .where(eq(federationBlocksTable.nodeDomain, nodeDomain));
+  if (existing) throw AppError.conflict(`${nodeDomain} is already blocked`);
+
+  const [block] = await db.insert(federationBlocksTable).values({
+    nodeDomain,
+    reason:    reason ?? null,
+    blockedBy: req.user?.id ?? null,
+  }).returning();
+
+  // Update in-memory set immediately
+  blockedDomains.add(nodeDomain);
+
+  // Mark the peer node as inactive if it exists in our nodes table
+  await db.update(nodesTable)
+    .set({ status: "inactive" })
+    .where(eq(nodesTable.domain, nodeDomain));
+
+  logger.info({ nodeDomain, reason, blockedBy: req.user?.id }, "[blocklist] Node blocked");
+
+  res.status(201).json({ block, message: `${nodeDomain} is now blocked from federating with this node.` });
+}));
+
+// ── DELETE /api/federation/blocks/:domain ────────────────────────────────────
+
+router.delete("/federation/blocks/:domain", requireAdmin, writeLimiter, asyncHandler(async (req: Request, res: Response) => {
+  const domain = (req.params.domain as string).toLowerCase();
+
+  const [deleted] = await db.delete(federationBlocksTable)
+    .where(eq(federationBlocksTable.nodeDomain, domain))
+    .returning();
+
+  if (!deleted) throw AppError.notFound(`No block found for ${domain}`);
+
+  blockedDomains.delete(domain);
+
+  logger.info({ domain, unblockedBy: req.user?.id }, "[blocklist] Node unblocked");
+
+  res.json({ message: `${domain} has been unblocked and can federate with this node again.` });
+}));
+
+// ── GET /api/federation/blocks/check?domain= ─────────────────────────────────
+// Public endpoint — peers can check if they're blocked before attempting handshake.
+// Returns 200 with { blocked: true/false } rather than 403 so peers can handle it gracefully.
+
+router.get("/federation/blocks/check", asyncHandler(async (req: Request, res: Response) => {
+  const domain = ((req.query.domain as string) ?? "").toLowerCase();
+  if (!domain) throw AppError.badRequest("domain query parameter required");
+
+  res.json({ domain, blocked: isBlocked(domain) });
+}));
+
+export default router;

artifacts/api-server/src/routes/index.ts

@@ -16,6 +16,7 @@ import adminRouter from "./admin";
 import gossipRouter from "./gossip";
 import webhooksRouter from "./webhooks";
 import tlsRouter from "./tls";
+import federationBlocksRouter from "./federationBlocks";
 import redirectsRouter from "./redirects";
 import invitationsRouter from "./invitations";
 import formsRouter from "./forms";
@@ -47,6 +48,7 @@ router.use(domainsRouter);
 router.use(adminRouter);
 router.use(webhooksRouter);
 router.use(tlsRouter);
+router.use(federationBlocksRouter);
 router.use(redirectsRouter);
 router.use(invitationsRouter);
 router.use(formsRouter);

artifacts/api-server/src/routes/nlpl.ts

@@ -88,6 +88,7 @@ router.get("/nlpl/runtime-info", asyncHandler(async (req: Request, res: Response
     nlplVersion,
     pythonVersion,
     pythonBin: PYTHON_BIN,
+    staticOnlyMode: process.env.FEDERATED_STATIC_ONLY === "true",
     portRange: {
       start: parseInt(process.env.DYNAMIC_PORT_START ?? "9000"),
       end: parseInt(process.env.DYNAMIC_PORT_END ?? "9999"),

artifacts/api-server/src/routes/sites.ts

@@ -71,9 +71,22 @@ router.get("/sites", asyncHandler(async (req, res) => {
 }));
 
 router.post("/sites", writeLimiter, asyncHandler(async (req, res) => {
+  if (!req.isAuthenticated()) throw AppError.unauthorized();
+
   const parsed = CreateSiteBody.safeParse(req.body);
   if (!parsed.success) throw AppError.badRequest(parsed.error.message);
 
+  // Enforce FEDERATED_STATIC_ONLY — only allow static/blog/portfolio site types
+  const dynamicTypes = ["nlpl", "dynamic", "node", "python"];
+  if (process.env.FEDERATED_STATIC_ONLY === "true" && dynamicTypes.includes(parsed.data.siteType ?? "")) {
+    throw AppError.badRequest(
+      `This node operates in static-only mode (FEDERATED_STATIC_ONLY=true). ` +
+      `Dynamic site types (${dynamicTypes.join(", ")}) are not permitted. ` +
+      `Create a static site or use a node that supports dynamic hosting.`,
+      "STATIC_ONLY_NODE",
+    );
+  }
+
   const [existing] = await db.select().from(sitesTable).where(eq(sitesTable.domain, parsed.data.domain));
   if (existing) throw AppError.conflict(`Domain '${parsed.data.domain}' is already registered`);
 

artifacts/federated-hosting/index.html

@@ -5,6 +5,11 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1" />
     <title>Federated Hosting</title>
     <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <!-- Node region — used by i18n to default to Bahasa for Indonesian nodes.
+         The TypeScript server replaces this placeholder at runtime via the
+         /api/health endpoint, or operators can set it at build time.
+         Format: AWS-style region e.g. ap-southeast-3 (Jakarta), us-east-1 -->
+    <meta name="fh-node-region" content="%VITE_NODE_REGION%" />
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">