Add SEIP server discovery: <id>.<region>.seip.<domain> + NS slot claiming

Major discovery redesign for scalable, region-aware server selection
across hundreds of community servers.

DNS hierarchy:
- Servers register as <id>.<region>.seip.lemonade-nexus.io
- _config TXT includes region + load (connected client count)
- First 9 servers claim ns1-ns9 via democratic gossip (LWW tiebreak)
- NS glue records served by our authoritative DNS, cached globally

Server changes:
- ServerConfig: add --region / SP_REGION (auto-detected via geo-IP)
- resolve_server_region(): config > persisted > auto-detect
- GossipService: NsSlotClaim (0x14) message type, try_claim_ns_slot()
- GossipPeer: region field, included in ServerHello
- DnsService: publish_seip_records(), update_load(), set_server_region()
- Multi-answer A responses for region wildcards (capped at 5)
- _config TXT now includes region= and load= fields

Client changes (Swift):
- Region-aware discovery: detect own region via ip-api.com geo lookup
- Query <region>.seip.<domain> for servers in same region first
- Fallback to adjacent regions ordered by geographic distance
- Score = latency_ms + (load * 10) for load-aware server selection
- Backward-compatible legacy discovery as final fallback

Author: Geramy

apps/LemonadeNexusMac/Sources/LemonadeNexusMac/Services/DnsDiscovery.swift

@@ -0,0 +1 @@
+---

apps/LemonadeNexusMac/Testing/Temporary/CTestCostData.txt

@@ -0,0 +1,3 @@
+Start testing: Mar 17 22:30 PDT
+----------------------------------------------------------
+End testing: Mar 17 22:30 PDT

apps/LemonadeNexusMac/Testing/Temporary/LastTest.log

@@ -18,6 +18,7 @@ struct ServerConfig {
     uint16_t    dns_port{53};
     std::string bind_address{"0.0.0.0"};
     std::string public_ip;              // public-facing IP for DNS glue records (auto-detected if empty)
+    std::string region;                 // cloud region code (e.g. "us-east", auto-detected if empty)
 
     // Storage
     std::string data_root{"data"};

projects/LemonadeNexus/include/LemonadeNexus/Core/ServerConfig.hpp

@@ -36,6 +36,12 @@ void resolve_server_hostname(
     const std::filesystem::path& data_root,
     gossip::GossipService& gossip);
 
+/// Resolve server region: config > persisted > auto-detect via HostnameGenerator.
+/// Mutates config.region in-place and persists to data/identity/region.
+void resolve_server_region(
+    ServerConfig& config,
+    const std::filesystem::path& data_root);
+
 /// Resolve public IP: config > non-wildcard bind address > ipify auto-detect.
 [[nodiscard]] std::string resolve_public_ip(const ServerConfig& config);
 

projects/LemonadeNexus/include/LemonadeNexus/Core/ServerIdentity.hpp

@@ -79,6 +79,21 @@ class GossipService : public core::IService<GossipService>,
     /// Broadcast a backbone IPAM allocation delta to all peers.
     void broadcast_backbone_ipam_delta(const ipam::BackboneAllocationDelta& delta);
 
+    /// Set the cloud region code for this server (e.g. "us-east-1").
+    void set_our_region(const std::string& region);
+
+    /// Set the DNS base domain for NS slot FQDN construction (default: "lemonade-nexus.io").
+    void set_dns_base_domain(const std::string& domain);
+
+    /// Attempt to claim the lowest available NS slot (ns1-ns9) via gossip.
+    void try_claim_ns_slot(const std::string& our_public_ip);
+
+    /// Returns our claimed NS slot number (1-9), or nullopt if we don't hold one.
+    [[nodiscard]] std::optional<uint8_t> our_ns_slot() const;
+
+    /// Returns all currently claimed NS slots (for status reporting).
+    [[nodiscard]] std::vector<NsSlotClaimData> get_ns_slots() const;
+
     /// Try to add a gossip peer as a WireGuard backbone peer.
     void try_add_backbone_wg_peer(const GossipPeer& peer);
 
@@ -227,6 +242,16 @@ class GossipService : public core::IService<GossipService>,
     void handle_backbone_ipam_sync(const asio::ip::udp::endpoint& sender,
                                     const uint8_t* payload, std::size_t payload_len);
 
+    // NS slot claim handler
+    void handle_ns_slot_claim(const asio::ip::udp::endpoint& sender,
+                               const uint8_t* payload, std::size_t payload_len);
+
+    /// Broadcast an NS slot claim to all known peers.
+    void broadcast_ns_slot_claim(const NsSlotClaimData& claim);
+
+    /// Register an NS slot claim in the local DNS service (if available).
+    void register_ns_slot_in_dns(const NsSlotClaimData& claim);
+
     // Verify a server certificate against the root pubkey
     [[nodiscard]] bool verify_server_certificate(const ServerCertificate& cert) const;
 
@@ -281,6 +306,12 @@ class GossipService : public core::IService<GossipService>,
     std::vector<std::string>                reconstruction_shares_;
     uint8_t                                 reconstruction_threshold_{0};
 
+    // Democratic NS slot claiming (ns1-ns9 bootstrap nameservers)
+    std::string                      our_region_;
+    std::string                      dns_base_domain_{"lemonade-nexus.io"};
+    std::array<NsSlotClaimData, 9>   ns_slots_{};       // slot 0 = ns1, slot 8 = ns9
+    std::optional<uint8_t>           our_ns_slot_;
+
     // Distributed ACL sync (nullptr = ACL sync disabled)
     acl::ACLService*                 acl_{nullptr};
 

projects/LemonadeNexus/include/LemonadeNexus/Gossip/GossipService.hpp

@@ -32,6 +32,7 @@ enum class GossipMsgType : uint8_t {
     AclDelta              = 0x11, // "ACL grant/revoke — distributed permission sync"
     DnsRecordSync         = 0x12, // "DNS record add/remove — distributed authoritative DNS"
     BackboneIpamSync      = 0x13, // "backbone IP allocate/release — server mesh IPAM sync"
+    NsSlotClaim           = 0x14, // "democratic NS slot claim — ns1-ns9 bootstrap nameservers"
 };
 
 #pragma pack(push, 1)
@@ -54,6 +55,7 @@ struct GossipPeer {
     std::string backbone_endpoint;   // "ip:port" (gossip port, over WG backbone — preferred when available)
     std::string wg_pubkey;           // base64 X25519 WireGuard public key
     std::string backbone_ip;         // "172.16.0.X" (empty until allocated)
+    std::string region;              // cloud region code (e.g. "us-east-1")
     uint16_t    http_port{9100};     // HTTP control plane port
     uint64_t    last_seen{0};        // Unix timestamp
     float       reputation{1.0f};
@@ -185,4 +187,19 @@ struct DnsRecordDelta {
     std::string signature;        // Ed25519 over canonical JSON (excludes this field)
 };
 
+// ---------------------------------------------------------------------------
+// Democratic NS slot claiming (ns1-ns9 bootstrap nameservers)
+// ---------------------------------------------------------------------------
+
+/// A signed NS slot claim that propagates via gossip.
+/// The first 9 servers to join the mesh claim ns1-ns9 slots (LWW conflict resolution).
+struct NsSlotClaimData {
+    uint8_t     slot{0};           // 1-9
+    std::string server_pubkey;     // base64 Ed25519
+    std::string server_ip;         // public IP
+    std::string region;            // cloud region code
+    uint64_t    timestamp{0};      // LWW conflict resolution
+    std::string signature;         // Ed25519 signature
+};
+
 } // namespace nexus::gossip

projects/LemonadeNexus/include/LemonadeNexus/Gossip/GossipTypes.hpp

@@ -54,8 +54,11 @@ using DnsRecordCallback = std::function<void(const std::string& delta_id,
 ///   <hostname>.<base_domain>                   -> Any node matching the hostname
 ///   <hostname>.<region>.relays.<base_domain>   -> Relay in specific region
 ///   <hostname>.relays.<base_domain>            -> Relay by hostname (any region)
-///   _config.<hostname>.<base_domain>            -> TXT record with port config
-///   _acme-challenge.<domain>                   -> ACME DNS-01 TXT challenge
+///   <id>.<region>.seip.<base_domain>              -> Server's public IP (SEIP A record)
+///   <region>.seip.<base_domain>                  -> All servers in region (multi-A)
+///   _config.<id>.<region>.seip.<base_domain>     -> Server config TXT (SEIP)
+///   _config.<hostname>.<base_domain>             -> TXT record with port config
+///   _acme-challenge.<domain>                     -> ACME DNS-01 TXT challenge
 class DnsService : public core::IService<DnsService>,
                     public IDnsProvider<DnsService> {
     friend class core::IService<DnsService>;
@@ -150,6 +153,8 @@ class DnsService : public core::IService<DnsService>,
         uint16_t relay_port{9103};
         uint16_t dns_port{53};
         uint16_t private_http_port{9101};
+        std::string region;
+        uint32_t connected_clients{0};
     };
 
     /// Set the port configuration to publish via TXT records.
@@ -164,6 +169,22 @@ class DnsService : public core::IService<DnsService>,
     [[nodiscard]] std::optional<std::string> resolve_config_txt(
         const std::string& hostname);
 
+    // -----------------------------------------------------------------
+    // SEIP DNS record hierarchy
+    // -----------------------------------------------------------------
+
+    /// Set the region for this server (used in SEIP record publishing).
+    void set_server_region(const std::string& region);
+
+    /// Publish SEIP A and _config TXT records under <id>.<region>.seip.<domain>.
+    void publish_seip_records(const std::string& server_id,
+                              const std::string& region,
+                              const std::string& public_ip);
+
+    /// Update the connected-client load count and re-publish the SEIP _config
+    /// TXT record if the count changed (avoids gossip spam).
+    void update_load(uint32_t connected_client_count);
+
 private:
     void start_receive();
     void handle_query(std::size_t bytes);
@@ -188,6 +209,14 @@ class DnsService : public core::IService<DnsService>,
     [[nodiscard]] std::vector<uint8_t> build_nxdomain(
         const unsigned char* query_data, std::size_t query_len);
 
+    /// Build a DNS response with multiple A records (for region-wildcard SEIP queries).
+    /// Caps at 5 IPs to stay within the 512-byte UDP limit.
+    [[nodiscard]] std::vector<uint8_t> build_multi_a_response(
+        const unsigned char* query_data, std::size_t query_len,
+        const std::string& qname,
+        const std::vector<std::string>& ips,
+        uint32_t ttl);
+
     // --- Dynamic record lookup ---
     [[nodiscard]] std::optional<std::string> lookup_dynamic_txt(const std::string& fqdn);
     [[nodiscard]] std::optional<std::string> lookup_dynamic_a(const std::string& fqdn);
@@ -225,6 +254,11 @@ class DnsService : public core::IService<DnsService>,
     // SOA state
     std::string              soa_email_;          // e.g. "admin.domain.com"
     std::atomic<uint32_t>    soa_serial_{1};      // auto-incremented on zone changes
+
+    // SEIP server discovery
+    std::string              server_region_;       // this server's region
+    std::string              seip_server_id_;      // cached for update_load() re-publish
+    std::string              seip_server_fqdn_;    // cached server FQDN for TXT host= field
 };
 
 } // namespace nexus::network

projects/LemonadeNexus/include/LemonadeNexus/Network/DnsService.hpp

@@ -41,6 +41,7 @@ void to_json(json& j, const ServerConfig& c) {
         {"acme_eab_hmac_key",   c.acme_eab_hmac_key},
         {"dns_provider",        c.dns_provider},
         {"public_ip",           c.public_ip},
+        {"region",              c.region},
         {"server_hostname",     c.server_hostname},
         {"auto_tls",            c.auto_tls},
         {"dns_base_domain",     c.dns_base_domain},
@@ -89,6 +90,7 @@ void from_json(const json& j, ServerConfig& c) {
     if (j.contains("acme_eab_hmac_key"))   j.at("acme_eab_hmac_key").get_to(c.acme_eab_hmac_key);
     if (j.contains("dns_provider"))        j.at("dns_provider").get_to(c.dns_provider);
     if (j.contains("public_ip"))           j.at("public_ip").get_to(c.public_ip);
+    if (j.contains("region"))              j.at("region").get_to(c.region);
     if (j.contains("server_hostname"))     j.at("server_hostname").get_to(c.server_hostname);
     if (j.contains("auto_tls"))            j.at("auto_tls").get_to(c.auto_tls);
     if (j.contains("dns_base_domain"))     j.at("dns_base_domain").get_to(c.dns_base_domain);
@@ -157,6 +159,7 @@ void print_usage(const char* prog) {
     spdlog::info("  --tls-cert-path <path>     Path to TLS certificate PEM (manual override)");
     spdlog::info("  --tls-key-path <path>      Path to TLS private key PEM (manual override)");
     spdlog::info("  --no-auto-tls              Disable automatic TLS certificate via ACME");
+    spdlog::info("  --region <code>            Cloud region (e.g. us-east, eu-west; auto-detected if omitted)");
     spdlog::info("  --require-tee              Require TEE hardware attestation for Tier 1");
     spdlog::info("  --tee-platform <name>      Override TEE platform detection (sgx/tdx/sev-snp/secure-enclave)");
     spdlog::info("  --help, -h                 Show this help");
@@ -273,6 +276,8 @@ ServerConfig load_config(int argc, char* argv[]) {
             config.require_tee_attestation = true;
         } else if (std::strcmp(argv[i], "--tee-platform") == 0 && i + 1 < argc) {
             config.tee_platform_override = argv[++i];
+        } else if (std::strcmp(argv[i], "--region") == 0 && i + 1 < argc) {
+            config.region = argv[++i];
         }
     }
 
@@ -307,6 +312,7 @@ ServerConfig load_config(int argc, char* argv[]) {
     if (const char* v = std::getenv("SP_ENROLLMENT_QUORUM")) config.enrollment_quorum_ratio = std::atof(v);
     if (std::getenv("SP_REQUIRE_TEE"))                   config.require_tee_attestation   = true;
     if (const char* v = std::getenv("SP_TEE_PLATFORM"))  config.tee_platform_override     = v;
+    if (const char* v = std::getenv("SP_REGION"))        config.region                    = v;
     if (const char* v = std::getenv("SP_SERVER_HOSTNAME"))    config.server_hostname       = v;
     if (const char* v = std::getenv("SP_ACME_EAB_KID"))       config.acme_eab_kid          = v;
     if (const char* v = std::getenv("SP_ACME_EAB_HMAC_KEY"))  config.acme_eab_hmac_key     = v;

projects/LemonadeNexus/src/Core/ServerConfig.cpp

@@ -110,6 +110,42 @@ void resolve_server_hostname(
                   config.server_hostname, region_code);
 }
 
+void resolve_server_region(ServerConfig& config,
+                            const std::filesystem::path& data_root) {
+    if (!config.region.empty()) {
+        spdlog::info("Region: configured as '{}'", config.region);
+        return;
+    }
+
+    // Try loading persisted region
+    auto region_path = data_root / "identity" / "region";
+    if (std::filesystem::exists(region_path)) {
+        std::ifstream ifs(region_path);
+        std::string persisted;
+        std::getline(ifs, persisted);
+        if (!persisted.empty()) {
+            config.region = persisted;
+            spdlog::info("Region: loaded persisted '{}'", config.region);
+            return;
+        }
+    }
+
+    // Auto-detect via HostnameGenerator (HTTP geo-IP lookup)
+    auto detected = HostnameGenerator::detect_region();
+    if (detected) {
+        config.region = *detected;
+        // Persist for stable region across restarts
+        std::filesystem::create_directories(region_path.parent_path());
+        std::ofstream ofs(region_path);
+        ofs << config.region;
+        spdlog::info("Region: auto-detected '{}', persisted", config.region);
+    } else {
+        config.region = "unknown";
+        spdlog::warn("Region: auto-detection failed, using 'unknown'. "
+                      "Set --region <code> for accurate geo-aware discovery.");
+    }
+}
+
 std::string resolve_public_ip(const ServerConfig& config) {
     std::string ip = config.public_ip;
     if (ip.empty() && config.bind_address != "0.0.0.0" && !config.bind_address.empty()) {