feat(grasp-05): implement archive mode for backup/mirror operation

Implements GRASP-05 specification for accepting repository announcements
that don't list this relay, enabling archive, mirror, and backup use cases.

Core Features:
- Three whitelist formats: <npub>, <npub>/<identifier>, <identifier>
- Archive-all mode for complete ecosystem mirrors
- Fail-fast npub validation at startup
- Read-only enforcement (archived repos reject pushes)
- Full GRASP-02 sync (git data + Nostr events)
- Dynamic archive status (no flags/metadata)

Implementation:
- Add ArchiveWhitelistEntry enum with Pubkey/Repository/Identifier variants
- Add ArchiveConfig with validation and matching logic
- Update AnnouncementResult to include AcceptArchive variant
- Refactor validate_announcement() to return AnnouncementResult with archive check
- Update AnnouncementPolicy with catch-all pattern for cleaner code
- Wire archive config through builder and policy layers

Configuration:
- NGIT_ARCHIVE_ALL: Accept all announcements (⚠️ storage risk)
- NGIT_ARCHIVE_WHITELIST: Comma-separated whitelist entries
- Updated docs, .env.example, and nix/module.nix

Testing:
- 28 unit tests for config parsing and whitelist matching
- 7 integration tests for archive mode validation
- All 296 tests passing

Validation Priority:
1. Lists our service → Accept (GRASP-01, read/write)
2. Is maintainer → AcceptMaintainer (multi-maintainer, read/write)
3. Matches archive config → AcceptArchive (GRASP-05, read-only)
4. None of above → Reject

Security Considerations:
- Archive-all mode has storage/bandwidth DoS risk
- Identifier-only format matches any pubkey (use npub/identifier for high-value)
- Invalid npubs cause startup failure (fail-fast)

Documentation:
- Concise explanation focused on rationale
- Reference docs updated with all config options
- README updated to reflect completed feature
- Removed from roadmap, added to compliance section

See docs/explanation/grasp-05-archive.md for details.

1 files changed, 10 insertions, 7 deletions

diff --git a/README.md b/README.md
index 8621288..6de9d89 100644
--- a/README.md
+++ b/README.md
@@ -137,10 +137,17 @@ See [GRASP-02 Proactive Sync](docs/explanation/grasp-02-proactive-sync.md) for f
 
 **See**: [GRASP-02 Proactive Sync](docs/explanation/grasp-02-proactive-sync.md) and [Purgatory Git Data Sync](docs/explanation/grasp-02-proactive-sync-purgatory-git-data.md)
 
-### GRASP-05 (Archive) - Planned
+### GRASP-05 (Archive) ✅
 
-- 🔄 Accept repositories not listing this instance
-- 🔄 Backup/mirror mode operation
+- ✅ Accept repositories not listing this instance via configurable whitelist
+- ✅ Three whitelist formats: `<npub>`, `<npub>/<identifier>`, `<identifier>`
+- ✅ Read-only mirroring with full GRASP-02 sync (git data + Nostr events)
+- ✅ Archive-all mode for complete ecosystem mirrors
+- ✅ Fail-fast npub validation at startup
+
+**Archive mode enables backup/mirror operation** - accept repository announcements that don't list your relay, useful for creating archives of critical projects or running comprehensive mirrors. Archived repositories are read-only with full event and git data sync.
+
+**See**: [GRASP-05 Archive Mode](docs/explanation/grasp-05-archive.md)
 
 ## Roadmap
 
@@ -223,10 +230,6 @@ This a useful feature of other git servers.
 
 **Future enhancement**: should we periodically scan relays in UserGraspLists to check for announcements that list our relay?
 
-### GRASP-5 Archive
-
-This not only is an important stand alone feature, it can be used to help to test sync features and have a local backup thats easy to deploy (set as bootstrap).
-
 ## Technology Stack
 
 - **Rust**: Core language