[feature] blocklist-silenced and allowlist-silenced federation modes

[tsmethurst]

Right now we've got two federation modes: blocklist -- allow any correctly-addressed communication from any instance as long as it's not on a block, and allowlist -- allow any correctly-addressed communication from any instance on the allowlist.

This works OK for basic stuff like ensuring your instance isn't federating with arseholes etc.

However, it would be pretty neat if we had a couple more nuanced federation modes like blocklist-silenced and allowlist-silenced.

They'd work basically like the above basic federation modes, but with a few differences:

blocklist-silenced mode: like in blocklist mode, instances on the blocklist would still not be able to communicate with your instance at all. However, instances not on the blocklist would be considered "silenced" by default. In other words, any Create Activities sent to your instance by people you don't follow would be dropped, including replies, DM's, and new top-level statuses mentioning you. Follow requests, likes, boosts, etc, still OK (tbd). Instances with an explicit allow entry would be able to communicate with your instance as normal (ie., not silenced).

allowlist-silenced mode: like in allowlist mode, instances not on the allowlist would not be able to communicate with your instance at all. However, even instances on the allowlist would be considered "silenced" by default, so you'd only be able to receive Create Activities from people you follow. This would be the strictest federation mode.

The advantage of running in blocklist-silenced mode is that you can interact with people you follow as though there were no restrictions in place, but you're shielded from seeing crappy replies (and spam!) from people you don't follow. For really trusted instances where you're not worried about crap replies and want to be a bit more permissive with discovering people via them replying to your posts and stuff, you can just add an allowlist entry for that instance.

The disadvantage, of course, is that if we drop replies from people you don't follow, that doesn't stop those replies from being circulated to other instances, and shown on other instances as replies to your post. This is similar to the issue that auth-fetch-off Mastodon has, where people on domains that you've blocked can have a whole conversation using your post as a centerpiece, which you're blithely unaware of because your instance refuses their messages.

We'd have to be very careful in documentation to clearly describe the advantages and disadvantages of running in such a mode.