feat(config): add repository blacklist to block specific repos/npubs/identifiers

Adds NGIT_REPOSITORY_BLACKLIST option for blocking repositories, taking precedence
over all whitelists (archive and repository) to enable moderation without affecting
curation policy.

Key features:
- Three blacklist formats: <npub>, <npub>/<identifier>, <identifier>
- Blacklist checked first before any other validation
- Overrides archive whitelist and repository whitelist
- Specific rejection reasons based on match type (npub/identifier/both)
- Not flagged in NIP-11 curation (operational, not policy)

Implementation:
- Add BlacklistConfig struct with check() method returning detailed reasons
- Add NGIT_REPOSITORY_BLACKLIST config option and blacklist_config() method
- Update validate_announcement() to check blacklist first with specific reasons
- 12 new unit tests covering all blacklist behavior and precedence

Configuration synced across all four sources:
- src/config.rs: Core implementation with BlacklistConfig
- .env.example: Comprehensive documentation with examples
- docs/reference/configuration.md: Complete reference documentation
- nix/module.nix: NixOS module option with environment mapping

Testing:
- 12 new tests for blacklist functionality (config + validation)
- All 332 library tests passing
- All 38 integration tests passing

Use cases:
- Block spam/malware repos by identifier
- Block abusive users by npub
- Block specific problematic repos by npub/identifier
- Temporary blocks for investigation

1 files changed, 143 insertions, 0 deletions

diff --git a/src/config.rs b/src/config.rs
index 37b1c1e..5f8cbca 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -195,6 +195,55 @@ impl Default for RepositoryConfig {
     }
 }
 
+/// Repository blacklist configuration
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct BlacklistConfig {
+    /// Blacklist entries for blocking specific repositories
+    ///
+    /// If empty, no repositories are blacklisted.
+    /// Blacklist takes precedence over both archive and repository whitelists.
+    pub blacklist: Vec<WhitelistEntry>,
+}
+
+impl BlacklistConfig {
+    /// Check if repository blacklist is enabled (non-empty blacklist)
+    pub fn enabled(&self) -> bool {
+        !self.blacklist.is_empty()
+    }
+
+    /// Check if an announcement matches the repository blacklist
+    ///
+    /// Returns Some(reason) if blacklisted, None if not blacklisted.
+    /// The reason indicates what type of match occurred (npub, npub/identifier, or identifier).
+    pub fn check(&self, npub: &str, identifier: &str) -> Option<String> {
+        for entry in &self.blacklist {
+            if entry.matches(npub, identifier) {
+                let reason = match entry {
+                    WhitelistEntry::Pubkey(_) => {
+                        format!("Repository owner {} is blacklisted", npub)
+                    }
+                    WhitelistEntry::Repository { .. } => {
+                        format!("Repository {}/{} is blacklisted", npub, identifier)
+                    }
+                    WhitelistEntry::Identifier(_) => {
+                        format!("Repository identifier {} is blacklisted", identifier)
+                    }
+                };
+                return Some(reason);
+            }
+        }
+        None
+    }
+}
+
+impl Default for BlacklistConfig {
+    fn default() -> Self {
+        Self {
+            blacklist: Vec::new(),
+        }
+    }
+}
+
 /// Database backend type for the relay
 #[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Default, ValueEnum)]
 #[serde(rename_all = "lowercase")]
@@ -373,6 +422,12 @@ pub struct Config {
     /// When set, only announcements matching the whitelist AND listing the service are accepted
     #[arg(long, env = "NGIT_REPOSITORY_WHITELIST", default_value = "")]
     pub repository_whitelist: String,
+
+    /// Repository blacklist: comma-separated list of npub/identifier/npub/identifier entries to reject
+    /// Formats: "npub1...", "npub1.../identifier", "identifier"
+    /// Blacklist takes precedence over all whitelists (archive and repository)
+    #[arg(long, env = "NGIT_REPOSITORY_BLACKLIST", default_value = "")]
+    pub repository_blacklist: String,
 }
 
 impl Config {
@@ -549,6 +604,14 @@ impl Config {
         RepositoryConfig { whitelist }
     }
 
+    /// Get parsed repository blacklist configuration
+    ///
+    /// This method assumes config has been validated - call Config::validate() first!
+    pub fn blacklist_config(&self) -> BlacklistConfig {
+        let blacklist = WhitelistEntry::parse_whitelist(&self.repository_blacklist);
+        BlacklistConfig { blacklist }
+    }
+
     /// Create config for testing
     #[cfg(test)]
     pub fn for_testing() -> Self {
@@ -583,6 +646,7 @@ impl Config {
             archive_whitelist: String::new(),
             archive_read_only: None,
             repository_whitelist: String::new(),
+            repository_blacklist: String::new(),
         }
     }
 }
@@ -1105,4 +1169,83 @@ mod tests {
             .to_string()
             .contains("relay_owner_nsec not set"));
     }
+
+    #[test]
+    fn test_blacklist_config_parsing() {
+        let keys = Keys::generate();
+        let test_npub = keys.public_key().to_bech32().unwrap();
+        let config = Config {
+            repository_blacklist: format!("{},bitcoin-core", test_npub),
+            ..Config::for_testing()
+        };
+        let blacklist_config = config.blacklist_config();
+        assert_eq!(blacklist_config.blacklist.len(), 2);
+        assert!(blacklist_config.enabled());
+    }
+
+    #[test]
+    fn test_blacklist_config_empty() {
+        let config = Config::for_testing();
+        let blacklist_config = config.blacklist_config();
+        assert!(blacklist_config.blacklist.is_empty());
+        assert!(!blacklist_config.enabled());
+    }
+
+    #[test]
+    fn test_blacklist_check_npub() {
+        let keys = Keys::generate();
+        let test_npub = keys.public_key().to_bech32().unwrap();
+        let config = BlacklistConfig {
+            blacklist: vec![WhitelistEntry::Pubkey(test_npub.clone())],
+        };
+
+        let result = config.check(&test_npub, "any-repo");
+        assert!(result.is_some());
+        let reason = result.unwrap();
+        assert!(reason.contains("owner"));
+        assert!(reason.contains(&test_npub));
+    }
+
+    #[test]
+    fn test_blacklist_check_identifier() {
+        let config = BlacklistConfig {
+            blacklist: vec![WhitelistEntry::Identifier("banned-repo".to_string())],
+        };
+
+        let result = config.check("npub1alice", "banned-repo");
+        assert!(result.is_some());
+        let reason = result.unwrap();
+        assert!(reason.contains("identifier"));
+        assert!(reason.contains("banned-repo"));
+    }
+
+    #[test]
+    fn test_blacklist_check_repository() {
+        let keys = Keys::generate();
+        let test_npub = keys.public_key().to_bech32().unwrap();
+        let config = BlacklistConfig {
+            blacklist: vec![WhitelistEntry::Repository {
+                npub: test_npub.clone(),
+                identifier: "specific-repo".to_string(),
+            }],
+        };
+
+        let result = config.check(&test_npub, "specific-repo");
+        assert!(result.is_some());
+        let reason = result.unwrap();
+        assert!(reason.contains(&test_npub));
+        assert!(reason.contains("specific-repo"));
+    }
+
+    #[test]
+    fn test_blacklist_check_not_blacklisted() {
+        let keys = Keys::generate();
+        let test_npub = keys.public_key().to_bech32().unwrap();
+        let config = BlacklistConfig {
+            blacklist: vec![WhitelistEntry::Identifier("banned-repo".to_string())],
+        };
+
+        let result = config.check(&test_npub, "allowed-repo");
+        assert!(result.is_none());
+    }
 }