feat: architecture review fixes, self-update system, CI pipeline, supply chain hardening

Architecture review (all P0+P1 issues now fixed):
- Add 10s timeout to 6 bare Nostr client.connect() calls
- Pin all 12 crypto deps to exact versions from Cargo.lock
- Pin all 15 floating container image tags to exact patch versions
- Add CI pipeline (cargo fmt + clippy + tests, frontend type-check + build)

Self-update system (git.tx1138.com):
- scripts/self-update.sh: pull, build, install, restart with rollback
- systemd timer checks daily at 3 AM
- update.check RPC does git-based checks when repo is present
- update.git-apply RPC triggers self-update from UI
- Default update URL changed from GitHub to git.tx1138.com
- Git added to ISO package list for fresh installs

Documentation:
- CHANGELOG v1.3.1 with all changes
- README updated (version, update system section)
- BETA-PROGRESS session #6 logged
- architecture-review.html: 4 issues marked FIXED, 8/12 refactoring done

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/plans/memoized-plotting-sifakis.md

@@ -0,0 +1,145 @@
+# Architecture Review — Fix Remaining Issues
+
+## Context
+
+The architecture review (`docs/architecture-review.html`) identified 4 P0, 6 P1, and 6 medium-priority issues across the codebase. After research, **all 4 P0s and 4 of 6 P1s are already fixed**. This plan addresses the remaining open items that improve reliability and security during the beta freeze.
+
+**What's already fixed:** P0-1 (health RPC), P0-2 (health checks), P0-3 (backup rollback), P0-4 (nginx protections), P1-B (rate limiter cleanup), P1-C (systemd limits), P1-E (WS reconnect), P1-F (Vue error handler), Issue 11 (session async I/O).
+
+**What we're fixing now (4 items):**
+
+---
+
+## Item 1: Add 10s timeout to 6 bare `client.connect()` calls — DONE
+
+**Why:** A down Nostr relay hangs the async task indefinitely, blocking identity publishing, node discovery, and marketplace operations. Direct uptime impact.
+
+### Files & locations
+
+| File | Line | Function |
+|------|------|----------|
+| `core/archipelago/src/identity_manager.rs` | 409 | `publish_profile()` |
+| `core/archipelago/src/nostr_discovery.rs` | 113 | `publish_node_revocation()` |
+| `core/archipelago/src/nostr_discovery.rs` | 200 | `verify_revocation()` |
+| `core/archipelago/src/nostr_discovery.rs` | 264 | `discover_archipelago_nodes()` |
+| `core/archipelago/src/marketplace.rs` | 298 | `discover()` |
+| `core/archipelago/src/marketplace.rs` | 406 | `publish()` |
+
+### Pattern (from `nostr_handshake.rs:126`)
+
+Replace each `client.connect().await;` with:
+```rust
+if tokio::time::timeout(Duration::from_secs(10), client.connect()).await.is_err() {
+    tracing::warn!("Nostr relay connection timed out after 10s, continuing anyway");
+}
+```
+
+Ensure `use std::time::Duration;` is imported in each file. `tracing::warn!` is already available in all three files.
+
+### Risk: LOW — Mechanical pattern replication, no logic changes.
+
+---
+
+## Item 2: Pin all crypto dependency versions exactly — DONE
+
+**Why:** Floating versions (`"2.1"` instead of `"2.2.0"`) allow `cargo update` to silently change crypto libraries. Supply chain risk + project rules violation.
+
+### Versions (verified from Cargo.lock)
+
+**`core/archipelago/Cargo.toml`:**
+
+| Line | Current | Pin to |
+|------|---------|--------|
+| 44 | `sha2 = "0.10"` | `"0.10.9"` |
+| 45 | `hmac = "0.12"` | `"0.12.1"` |
+| 50 | `ed25519-dalek = { version = "2.1", ... }` | `version = "2.2.0"` |
+| 51 | `curve25519-dalek = "4"` | `"4.1.3"` |
+| 52 | `rand = "0.8"` | `"0.8.5"` |
+| 69 | `argon2 = "0.5"` | `"0.5.3"` |
+| 70 | `chacha20poly1305 = "0.10"` | `"0.10.1"` |
+| 81 | `zeroize = { version = "1.7", ... }` | `version = "1.8.2"` |
+| 92 | `hkdf = "0.12"` | `"0.12.4"` |
+
+**`core/security/Cargo.toml`:**
+
+| Line | Current | Pin to |
+|------|---------|--------|
+| 16 | `aes-gcm = "0.10"` | `"0.10.3"` |
+| 17 | `rand = "0.8"` | `"0.8.5"` |
+| 19 | `zeroize = { version = "1", ... }` | `version = "1.8.2"` |
+
+**Note:** `core/models/Cargo.toml` has `ed25519-dalek = "2.0.0"` but this crate is NOT in the workspace — it's dead code. Skip it.
+
+### Risk: LOW — Pins to versions already resolved in Cargo.lock. No actual dependency changes.
+
+---
+
+## Item 3: Pin all floating container image tags — DONE
+
+**Why:** Floating tags (`:1`, `:7`, `:alpine`, `:main`) mean two installs a week apart get different software. Supply chain risk and a support nightmare.
+
+### File: `scripts/image-versions.sh`
+
+| Line | Variable | Current Tag | Action |
+|------|----------|-------------|--------|
+| 16 | `MARIADB_IMAGE` | `:11.4` | SSH -> get exact patch version |
+| 21 | `POSTGRES_IMAGE` | `:15` | SSH -> get exact patch version |
+| 22 | `BTCPAY_POSTGRES_IMAGE` | `:15` | SSH -> get exact patch version |
+| 25 | `HOMEASSISTANT_IMAGE` | `:2024.12` | SSH -> get exact patch version |
+| 27 | `UPTIME_KUMA_IMAGE` | `:1` | SSH -> get exact patch version |
+| 32 | `NEXTCLOUD_IMAGE` | `:29` | SSH -> get exact patch version |
+| 34 | `ONLYOFFICE_IMAGE` | `:8.2` | SSH -> get exact patch version |
+| 35 | `FILEBROWSER_IMAGE` | `:v2` | SSH -> get exact patch version |
+| 36 | `NPM_IMAGE` | `:2` | SSH -> get exact patch version |
+| 49 | `REDIS_IMAGE` | `:7` | SSH -> get exact patch version |
+| 52 | `VALKEY_IMAGE` | `:8` | SSH -> get exact patch version |
+| 60 | `INDEEDHUB_POSTGRES_IMAGE` | `:16-alpine` | SSH -> get exact patch version |
+| 61 | `INDEEDHUB_REDIS_IMAGE` | `:7-alpine` | SSH -> get exact patch version |
+| 64 | `DWN_SERVER_IMAGE` | `:main` | SSH -> get image digest, pin by SHA or tag |
+| 68 | `NGINX_ALPINE_IMAGE` | `:alpine` | SSH -> get exact version |
+
+### Pre-work required
+Run on 192.168.1.228: `podman images --format '{{.Repository}}:{{.Tag}}'` to get exact versions currently deployed. Pin to THOSE — don't upgrade.
+
+### Risk: MEDIUM — Must match what's actually running. Wrong pin = containers fail on next creation.
+
+---
+
+## Item 4: Add CI pipeline for Rust + frontend checks — DONE
+
+**Why:** No tests or linting run in CI. Regressions from Items 1-3 (and all future beta fixes) go undetected until they hit the server.
+
+### File to create: `.github/workflows/ci.yml`
+
+Two parallel jobs:
+1. **`rust`** (ubuntu-latest): `cargo fmt --check` -> `cargo clippy -D warnings` -> `cargo test`
+2. **`frontend`** (ubuntu-latest): `npm ci` -> `npm run type-check` -> `npm test`
+
+Trigger: push to `main` + all PRs. Reference existing `build-macos.yml` for action versions (checkout@v4, setup-node@v4 with Node 18).
+
+### Risk: LOW — Additive only, new file, doesn't affect existing workflows.
+
+---
+
+## Execution Order
+
+1. **Item 1** (Nostr timeouts) — lowest risk, immediate reliability gain
+2. **Item 2** (crypto pins) — batch with Item 1 for single deploy
+3. **Item 3** (container image pins) — requires SSH query first
+4. **Item 4** (CI) — validates everything, no deploy needed
+
+Items 1+2 deploy together. Item 3 deploys separately (script only). Item 4 is push-only.
+
+## Verification
+
+- Items 1+2: `cargo clippy --all-targets --all-features` on dev server (zero warnings), then deploy + test identity/discovery/marketplace features
+- Item 3: `source scripts/image-versions.sh` + verify all vars have exact patch versions
+- Item 4: Push to branch, verify both CI jobs pass green on GitHub Actions
+
+## Deferred (post-beta)
+
+- Issue 6: Generate TS types from Rust (ts-rs) — new dependency
+- Issue 7: Consolidate container metadata to single source — structural refactor
+- Issue 8: Split deploy/ISO scripts into modules — already planned in script comments
+- Issue 9: Single app manifest driving all 6+ locations — architectural change
+- Issue 12: useAsyncState composable — touches 14+ views, risky during freeze

.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  RUST_VERSION: stable
+  NODE_VERSION: 18
+
+jobs:
+  rust:
+    name: Rust (fmt + clippy + test)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: core
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: ${{ env.RUST_VERSION }}
+          components: rustfmt, clippy
+
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+
+      - name: Clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+      - name: Tests
+        run: cargo test --all-features
+
+  frontend:
+    name: Frontend (type-check + lint)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: neode-ui
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: neode-ui/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Type check
+        run: npm run type-check
+
+      - name: Build
+        run: npm run build

CHANGELOG.md

@@ -7,6 +7,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.3.1] - 2026-03-25
+
+### Security
+- All crypto dependencies pinned to exact versions from Cargo.lock (supply chain hardening)
+  - ed25519-dalek 2.1 → 2.2.0, sha2 → 0.10.9, hmac → 0.12.1, argon2 → 0.5.3, chacha20poly1305 → 0.10.1, zeroize → 1.8.2, hkdf → 0.12.4, aes-gcm → 0.10.3
+- All container images pinned to exact patch versions (no more floating tags)
+  - postgres:15 → 15.17, redis:7 → 7.4.8, nginx:alpine → 1.29.6-alpine, uptime-kuma:1 → 1.23.17, nextcloud:29 → 29.0.16, valkey:8 → 8.1.6, mariadb:11.4 → 11.4.10, and 7 more
+  - DWN server pinned by SHA256 digest (only has `:main` branch tag)
+
+### Reliability
+- Nostr relay connections now have 10s timeout — prevents indefinite hangs blocking RPC calls
+  - identity_manager.rs: publish_profile()
+  - nostr_discovery.rs: publish_node_revocation(), verify_revocation(), discover_archipelago_nodes()
+  - marketplace.rs: discover(), publish()
+
+### Infrastructure
+- CI pipeline added (.github/workflows/ci.yml) — cargo fmt, clippy, tests + frontend type-check, build
+- Update system now fetches from git.tx1138.com Gitea instance (configurable via ARCHIPELAGO_UPDATE_URL)
+- Cleaned up stale git branches (app-store, overnight/2026-03-12, overnight/2026-03-13)
+
 ## [1.3.0] - 2026-03-19
 
 ### Security

README.md

@@ -8,7 +8,7 @@
 [![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)
 [![Rust](https://img.shields.io/badge/rust-stable-orange)](https://www.rust-lang.org/)
 [![Vue.js](https://img.shields.io/badge/vue.js-3.5-brightgreen)](https://vuejs.org/)
-[![Version](https://img.shields.io/badge/version-0.1.0--beta-blue)]()
+[![Version](https://img.shields.io/badge/version-1.3.1--beta-blue)]()
 
 ## Features
 
@@ -41,13 +41,20 @@ Bitcoin (ThunderHub), Storage (FileBrowser, Immich, Nextcloud), Productivity (Pe
 - Device discovery and mesh routing
 - Off-grid Bitcoin balance checks (planned)
 
+### System Updates
+- OTA updates from self-hosted Gitea (git.tx1138.com) with SHA256 verification
+- Three update modes: Manual, Daily Check, Auto Apply (3 AM window)
+- Rollback support with automatic backup before applying
+- Full UI for update management in Settings
+
 ### Security
-- ChaCha20-Poly1305 encrypted secrets at rest, Argon2 password hashing
+- ChaCha20-Poly1305 encrypted secrets at rest, Argon2id password hashing
 - Rootless Podman: read-only root, cap-drop ALL, non-root user, no-new-privileges
 - TOTP two-factor authentication
 - Per-endpoint rate limiting, CSRF protection, input validation
 - AppArmor profiles for container confinement
 - Tor hidden services for all inter-node communication
+- All crypto and container dependencies pinned to exact versions
 - Full penetration test completed (33 findings, all remediated)
 
 ## Quick Start

core/archipelago/Cargo.toml

@@ -41,15 +41,15 @@ archipelago-parmanode = { path = "../parmanode" }
 
 # Authentication
 bcrypt = "0.15"
-sha2 = "0.10"
+sha2 = "0.10.9"
-hmac = "0.12"
+hmac = "0.12.1"
 uuid = { version = "1.0", features = ["v4"] }
 regex = "1.10"
 
 # Node identity (Ed25519 + X25519 key agreement)
-ed25519-dalek = { version = "2.1", features = ["rand_core"] }
+ed25519-dalek = { version = "2.2.0", features = ["rand_core"] }
-curve25519-dalek = "4"
+curve25519-dalek = "4.1.3"
-rand = "0.8"
+rand = "0.8.5"
 hex = "0.4"
 bs58 = "0.5"
 chrono = "0.4"
@@ -66,8 +66,8 @@ reqwest = { version = "0.11", default-features = false, features = ["json", "soc
 nostr-sdk = { version = "0.44", features = ["nip04", "nip44"] }
 
 # Backup encryption (DID identity export) + TOTP 2FA encryption
-argon2 = "0.5"
+argon2 = "0.5.3"
-chacha20poly1305 = "0.10"
+chacha20poly1305 = "0.10.1"
 base64 = "0.21"
 
 # Full system backup (tar archive + gzip compression)
@@ -78,7 +78,7 @@ flate2 = "1.0"
 totp-rs = { version = "5.7", features = ["otpauth", "gen_secret"] }
 qrcode = "0.14"
 data-encoding = "2.6"
-zeroize = { version = "1.7", features = ["derive"] }
+zeroize = { version = "1.8.2", features = ["derive"] }
 
 # Mainline DHT (did:dht — BitTorrent DHT for decentralized identity)
 mainline = "2"
@@ -89,7 +89,7 @@ bytes = "1"
 serial2-tokio = "0.1"
 
 # Double Ratchet key derivation (Phase 3: encrypted mesh messaging)
-hkdf = "0.12"
+hkdf = "0.12.4"
 
 # Transport abstraction (Phase 2: mesh as federation transport)
 ciborium = "0.2.2"

core/archipelago/src/api/rpc/dispatcher.rs

@@ -308,6 +308,7 @@ impl RpcHandler {
             "update.dismiss" => self.handle_update_dismiss().await,
             "update.download" => self.handle_update_download().await,
             "update.apply" => self.handle_update_apply().await,
+            "update.git-apply" => self.handle_update_git_apply().await,
             "update.rollback" => self.handle_update_rollback().await,
             "update.get-schedule" => self.handle_update_get_schedule().await,
             "update.set-schedule" => {

core/archipelago/src/api/rpc/update.rs

@@ -1,10 +1,23 @@
 use super::RpcHandler;
 use crate::update;
-use anyhow::Result;
+use anyhow::{Context, Result};
 
 impl RpcHandler {
     /// Check for available system updates.
+    /// Tries git-based check first (if repo exists), falls back to manifest-based.
     pub(super) async fn handle_update_check(&self) -> Result<serde_json::Value> {
+        // Try git-based check first (preferred for beta nodes)
+        let repo_dir = std::path::PathBuf::from(
+                std::env::var("HOME").unwrap_or_else(|_| "/home/archipelago".to_string()),
+            )
+            .join("archy");
+        if repo_dir.join(".git").exists() {
+            if let Ok(git_status) = self.git_check_update(&repo_dir).await {
+                return Ok(git_status);
+            }
+        }
+
+        // Fall back to manifest-based check
         let state = update::check_for_updates(&self.config.data_dir).await?;
 
         let update_info = state.available_update.as_ref().map(|u| {
@@ -24,6 +37,108 @@ impl RpcHandler {
         }))
     }
 
+    /// Git-based update check: runs `git fetch` and compares HEAD to origin/main.
+    async fn git_check_update(&self, repo_dir: &std::path::Path) -> Result<serde_json::Value> {
+        let repo_str = repo_dir.to_string_lossy().to_string();
+
+        // git fetch origin main
+        let fetch = tokio::process::Command::new("git")
+            .args(["fetch", "origin", "main", "--quiet"])
+            .current_dir(&repo_str)
+            .output()
+            .await
+            .context("git fetch failed")?;
+
+        if !fetch.status.success() {
+            anyhow::bail!("git fetch failed: {}", String::from_utf8_lossy(&fetch.stderr));
+        }
+
+        // Get local and remote HEADs
+        let local = tokio::process::Command::new("git")
+            .args(["rev-parse", "--short", "HEAD"])
+            .current_dir(&repo_str)
+            .output()
+            .await?;
+        let local_hash = String::from_utf8_lossy(&local.stdout).trim().to_string();
+
+        let remote = tokio::process::Command::new("git")
+            .args(["rev-parse", "--short", "origin/main"])
+            .current_dir(&repo_str)
+            .output()
+            .await?;
+        let remote_hash = String::from_utf8_lossy(&remote.stdout).trim().to_string();
+
+        let update_available = local_hash != remote_hash;
+
+        // Get commit count and changelog if update available
+        let mut changelog = Vec::new();
+        let mut commits_behind = 0u64;
+        if update_available {
+            let count = tokio::process::Command::new("git")
+                .args(["rev-list", "HEAD..origin/main", "--count"])
+                .current_dir(&repo_str)
+                .output()
+                .await?;
+            commits_behind = String::from_utf8_lossy(&count.stdout)
+                .trim()
+                .parse()
+                .unwrap_or(0);
+
+            let log = tokio::process::Command::new("git")
+                .args(["log", "HEAD..origin/main", "--oneline", "--no-merges", "-20"])
+                .current_dir(&repo_str)
+                .output()
+                .await?;
+            changelog = String::from_utf8_lossy(&log.stdout)
+                .lines()
+                .map(|l| l.to_string())
+                .collect();
+        }
+
+        let now = chrono::Utc::now().to_rfc3339();
+
+        Ok(serde_json::json!({
+            "current_version": local_hash,
+            "last_check": now,
+            "update_available": update_available,
+            "update_method": "git",
+            "update": if update_available {
+                Some(serde_json::json!({
+                    "version": remote_hash,
+                    "commits_behind": commits_behind,
+                    "changelog": changelog,
+                }))
+            } else { None },
+        }))
+    }
+
+    /// Apply git-based update: runs self-update.sh which pulls, builds, and restarts.
+    pub(super) async fn handle_update_git_apply(&self) -> Result<serde_json::Value> {
+        let script = std::path::PathBuf::from(
+                std::env::var("HOME").unwrap_or_else(|_| "/home/archipelago".to_string()),
+            )
+            .join("archy/scripts/self-update.sh");
+
+        if !script.exists() {
+            anyhow::bail!("self-update.sh not found at {}", script.display());
+        }
+
+        // Spawn the update script in the background (it will restart the service)
+        let child = tokio::process::Command::new("bash")
+            .arg(&script)
+            .stdout(std::process::Stdio::null())
+            .stderr(std::process::Stdio::null())
+            .spawn()
+            .context("Failed to spawn self-update.sh")?;
+
+        tracing::info!(pid = child.id(), "Self-update script spawned");
+
+        Ok(serde_json::json!({
+            "started": true,
+            "message": "Update started. The service will restart when complete.",
+        }))
+    }
+
     /// Get update status without checking remote.
     pub(super) async fn handle_update_status(&self) -> Result<serde_json::Value> {
         let state = update::get_status(&self.config.data_dir).await?;

core/archipelago/src/identity_manager.rs

@@ -7,6 +7,7 @@ use ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};
 use rand::rngs::OsRng;
 use serde::{Deserialize, Serialize};
 use std::path::{Path, PathBuf};
+use std::time::Duration;
 use tokio::fs;
 
 use crate::identity::did_key_from_pubkey_hex;
@@ -406,7 +407,9 @@ impl IdentityManager {
 
         let client = nostr_sdk::Client::new(keys);
         client.add_relay(relay_url).await.context("Failed to add relay")?;
-        client.connect().await;
+        if tokio::time::timeout(Duration::from_secs(10), client.connect()).await.is_err() {
+            tracing::warn!("Nostr relay connection timed out after 10s, continuing anyway");
+        }
 
         let builder = nostr_sdk::prelude::EventBuilder::new(
             nostr_sdk::prelude::Kind::Metadata,

core/archipelago/src/marketplace.rs

@@ -7,6 +7,7 @@ use anyhow::{Context, Result};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::path::Path;
+use std::time::Duration;
 use tokio::fs;
 use tracing::{debug, info, warn};
 
@@ -295,7 +296,9 @@ pub async fn discover(
     for url in relays {
         let _ = client.add_relay(url).await;
     }
-    client.connect().await;
+    if tokio::time::timeout(Duration::from_secs(10), client.connect()).await.is_err() {
+        tracing::warn!("Nostr relay connection timed out after 10s, continuing anyway");
+    }
 
     let filter = nostr_sdk::prelude::Filter::new()
         .kind(nostr_sdk::prelude::Kind::Custom(ARCHIPELAGO_KIND as u16))
@@ -403,7 +406,9 @@ pub async fn publish(
     for url in relays {
         let _ = client.add_relay(url).await;
     }
-    client.connect().await;
+    if tokio::time::timeout(Duration::from_secs(10), client.connect()).await.is_err() {
+        tracing::warn!("Nostr relay connection timed out after 10s, continuing anyway");
+    }
 
     let builder = nostr_sdk::prelude::EventBuilder::new(
         nostr_sdk::prelude::Kind::Custom(ARCHIPELAGO_KIND as u16),

core/archipelago/src/nostr_discovery.rs

@@ -9,6 +9,7 @@ use anyhow::{Context, Result};
 use nostr_sdk::prelude::*;
 use std::net::SocketAddr;
 use std::path::Path;
+use std::time::Duration;
 use tokio::fs;
 
 /// Parse "host:port" to SocketAddr. Returns None if invalid.
@@ -110,7 +111,9 @@ pub async fn publish_node_revocation(
     for url in LEGACY_RELAYS {
         let _ = client.add_relay(*url).await;
     }
-    client.connect().await;
+    if tokio::time::timeout(Duration::from_secs(10), client.connect()).await.is_err() {
+        tracing::warn!("Nostr relay connection timed out after 10s, continuing anyway");
+    }
 
     // NIP-33 replaceable: empty content overwrites previous event
     let builder = EventBuilder::new(Kind::Custom(ARCHIPELAGO_KIND as u16), "{}")
@@ -197,7 +200,9 @@ pub async fn verify_revocation(
     for url in LEGACY_RELAYS {
         let _ = client.add_relay(*url).await;
     }
-    client.connect().await;
+    if tokio::time::timeout(Duration::from_secs(10), client.connect()).await.is_err() {
+        tracing::warn!("Nostr relay connection timed out after 10s, continuing anyway");
+    }
 
     let filter = Filter::new()
         .kind(Kind::Custom(ARCHIPELAGO_KIND as u16))
@@ -261,7 +266,9 @@ pub async fn discover_archipelago_nodes(
     for url in relays {
         let _ = client.add_relay(url).await;
     }
-    client.connect().await;
+    if tokio::time::timeout(Duration::from_secs(10), client.connect()).await.is_err() {
+        tracing::warn!("Nostr relay connection timed out after 10s, continuing anyway");
+    }
 
     let filter = Filter::new()
         .kind(Kind::Custom(ARCHIPELAGO_KIND as u16))

core/archipelago/src/update.rs

@@ -8,7 +8,7 @@ use tokio::fs;
 use tracing::{debug, info};
 
 const DEFAULT_UPDATE_MANIFEST_URL: &str =
-    "https://raw.githubusercontent.com/archipelago-os/releases/main/manifest.json";
+    "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/manifest.json";
 const UPDATE_STATE_FILE: &str = "update_state.json";
 
 fn update_manifest_url() -> String {

core/security/Cargo.toml

@@ -13,10 +13,10 @@ tracing = "0.1"
 uuid = { version = "1.0", features = ["v4"] }
 chrono = { version = "0.4", features = ["serde"] }
 serde_json = "1.0"
-aes-gcm = "0.10"
+aes-gcm = "0.10.3"
-rand = "0.8"
+rand = "0.8.5"
 hex = "0.4"
-zeroize = { version = "1", features = ["derive"] }
+zeroize = { version = "1.8.2", features = ["derive"] }
 
 [dev-dependencies]
 tempfile = "3"

docs/BETA-PROGRESS.md

@@ -2,7 +2,7 @@
 
 > **Goal**: Flawless beta that works perfectly on every machine we install it on.
 > **Freeze started**: 2026-03-18
-> **Last updated**: 2026-03-18
+> **Last updated**: 2026-03-25
 
 ---
 
@@ -26,7 +26,7 @@ PHASE 3: Beta Live (public release)
 
 Everything in this phase must pass before we hand it to real users.
 
-### Overall Status: IN PROGRESS (~55%)
+### Overall Status: IN PROGRESS (~65%)
 
 | Workstream | Status | Completion | Gate-blocking? |
 |------------|--------|------------|----------------|
@@ -40,6 +40,8 @@ Everything in this phase must pass before we hand it to real users.
 | 1H. UI Polish & Layout | DONE (batch + What's New) | ~90% | No |
 | 1I. WebSocket Reliability | NOT STARTED | 0% | No |
 | 1J. Quality Baseline Check | NOT STARTED | 0% | No |
+| 1K. Architecture Review Fixes | DONE (4/4 items) | 100% | ~~YES~~ |
+| 1L. Update System (git.tx1138.com) | DONE | 100% | No |
 
 ### 1A. Critical Bugs
 
@@ -316,6 +318,7 @@ Starts when we hand ISOs to real users on real hardware we don't control.
 | 2026-03-18 | #3 | Updated tracking to reflect completed work — TASK-11 done, TASK-8 9/12, UI batch done | TASK-11, TASK-26-30, TASK-32, TASK-34-36, BUG-33 |
 | 2026-03-18 | #4 | Rewrote deploy-tailscale.sh (full deploy with split-mode SSH, rootful migration, containers, infra). Fixed first-boot-containers.sh rootless bugs (subnet, UID mapping, prereqs). Dynamic HTTPS certs. | — |
 | 2026-03-18 | #5 | BUG-1 CSRF fix, TASK-8 12/12 done, 7 bugs fixed, Argon2id migration, random BTC RPC, RBAC hardened, What's New history, Bitcoin sync gauge. Tagged v1.2.0-alpha.9. | BUG-1, TASK-8, BUG-20/37/40/41, TASK-31/38 |
+| 2026-03-25 | #6 | Architecture review audit: all P0s+P1s verified fixed. Fixed remaining items: Nostr timeouts (6 calls), crypto dep pinning (12 deps), container image pinning (15 images), CI pipeline. Update system wired to git.tx1138.com. Cleaned stale branches. Docs updated. | Architecture review 4/4, CI pipeline |
 
 ---
 

docs/architecture-review.html

@@ -2116,9 +2116,9 @@ Each node has:
 <h3>High Priority <span class="badge badge-yellow">fix soon</span></h3>
 
 <div class="card">
-<h4>P1-A. Nostr client.connect() hangs indefinitely (no timeout)</h4>
+<h4>P1-A. Nostr client.connect() hangs indefinitely (no timeout) <span class="badge badge-green">FIXED</span></h4>
-<p><strong>What:</strong> 4 calls to <code>client.connect().await</code> in <code>nostr_handshake.rs</code> have no timeout wrapper. If a relay is down, peer discovery hangs forever.</p>
+<p><strong>What:</strong> 6 calls to <code>client.connect().await</code> across <code>identity_manager.rs</code>, <code>nostr_discovery.rs</code>, and <code>marketplace.rs</code> had no timeout wrapper. If a relay is down, peer discovery hangs forever.</p>
-<p><strong>Fix:</strong> Wrap all in <code>tokio::time::timeout(Duration::from_secs(10), ...)</code>.</p>
+<p><strong>Fix:</strong> All 6 calls wrapped in <code>tokio::time::timeout(Duration::from_secs(10), ...)</code>. (v1.3.1, 2026-03-25)</p>
 </div>
 
 <div class="card">
@@ -2134,10 +2134,10 @@ Each node has:
 </div>
 
 <div class="card">
-<h4>P1-D. Container images using :latest tag (7 instances)</h4>
+<h4>P1-D. Container images using :latest tag (7 instances) <span class="badge badge-green">FIXED</span></h4>
-<p><strong>What:</strong> Several containers in <code>first-boot-containers.sh</code> and the ISO build pull <code>:latest</code> — no version pinning.</p>
+<p><strong>What:</strong> Several containers in <code>first-boot-containers.sh</code> and the ISO build pulled floating tags — no exact version pinning.</p>
 <p><strong>Impact:</strong> Two machines installed a week apart may have different Bitcoin node versions. Supply chain risk.</p>
-<p><strong>Fix:</strong> Pin every image to a specific version tag or SHA256 digest.</p>
+<p><strong>Fix:</strong> All 15 floating tags in <code>image-versions.sh</code> pinned to exact patch versions (e.g., postgres:15→15.17, redis:7→7.4.8, nginx:alpine→1.29.6-alpine). DWN pinned by SHA256 digest. (v1.3.1, 2026-03-25)</p>
 </div>
 
 <div class="card">
@@ -2153,10 +2153,10 @@ Each node has:
 </div>
 
 <div class="card">
-<h4>5. Cryptographic dependency versions not pinned exactly</h4>
+<h4>5. Cryptographic dependency versions not pinned exactly <span class="badge badge-green">FIXED</span></h4>
-<p><strong>What:</strong> <code>zeroize = "1.7"</code>, <code>chacha20poly1305 = "0.10"</code>, <code>ed25519-dalek = "2.1"</code> use floating versions.</p>
+<p><strong>What:</strong> <code>zeroize = "1.7"</code>, <code>chacha20poly1305 = "0.10"</code>, <code>ed25519-dalek = "2.1"</code> used floating versions.</p>
 <p><strong>Why it's bad:</strong> A minor version bump in a crypto library could introduce a vulnerability or behavioral change. The project's own rules require exact pinning for crypto deps.</p>
-<p><strong>Fix:</strong> Pin to exact versions: <code>"1.7.0"</code>, <code>"0.10.1"</code>, <code>"2.1.1"</code>.</p>
+<p><strong>Fix:</strong> All 12 crypto deps pinned to exact versions from Cargo.lock: ed25519-dalek=2.2.0, zeroize=1.8.2, chacha20poly1305=0.10.1, sha2=0.10.9, hmac=0.12.1, argon2=0.5.3, aes-gcm=0.10.3, etc. (v1.3.1, 2026-03-25)</p>
 </div>
 
 <div class="card">
@@ -2189,9 +2189,9 @@ Each node has:
 </div>
 
 <div class="card">
-<h4>10. CI/CD pipeline is minimal</h4>
+<h4>10. CI/CD pipeline is minimal <span class="badge badge-green">FIXED</span></h4>
 <p><strong>What:</strong> One GitHub Action builds macOS release binaries on tag push. No tests run in CI. No linting. No Linux build or deploy automation.</p>
-<p><strong>Fix:</strong> Add CI that runs <code>cargo clippy</code>, <code>cargo test</code>, <code>npm run type-check</code>, and <code>npm run lint</code> on every push. Add Linux cross-compilation.</p>
+<p><strong>Fix:</strong> Added <code>.github/workflows/ci.yml</code> with two parallel jobs: Rust (fmt check + clippy -D warnings + tests) and Frontend (npm ci + type-check + build). Runs on push to main and all PRs. (v1.3.1, 2026-03-25)</p>
 </div>
 
 <div class="card">
@@ -2209,7 +2209,7 @@ Each node has:
 <!-- ══════════════════════════════════════════════════════ -->
 <h2 id="refactor-plan">Refactoring Priorities</h2>
 
-<p>Ordered by impact. <strong>6 of 12 items completed</strong> since the previous review — significant progress:</p>
+<p>Ordered by impact. <strong>8 of 12 items completed</strong> since the previous review — significant progress:</p>
 
 <table>
   <tr><th>#</th><th>Task</th><th>Impact</th><th>Effort</th><th>Status</th></tr>
@@ -2227,12 +2227,12 @@ Each node has:
     <td>2 days</td>
     <td><span class="badge badge-green">DONE</span></td>
   </tr>
-  <tr>
+  <tr style="opacity: 0.5">
     <td>3</td>
-    <td>Add CI pipeline (clippy + type-check + basic tests)</td>
+    <td><s>Add CI pipeline (clippy + type-check + basic tests)</s></td>
     <td><span class="badge badge-red">high</span></td>
     <td>1 day</td>
-    <td><span class="badge badge-red">TODO</span></td>
+    <td><span class="badge badge-green">DONE</span></td>
   </tr>
   <tr style="opacity: 0.5">
     <td>4</td>
@@ -2241,12 +2241,12 @@ Each node has:
     <td>3 days</td>
     <td><span class="badge badge-green">DONE</span></td>
   </tr>
-  <tr>
+  <tr style="opacity: 0.5">
     <td>5</td>
-    <td>Pin all crypto dependency versions exactly</td>
+    <td><s>Pin all crypto dependency versions exactly</s></td>
     <td><span class="badge badge-yellow">medium</span></td>
     <td>1 hour</td>
-    <td><span class="badge badge-yellow">TODO</span></td>
+    <td><span class="badge badge-green">DONE</span></td>
   </tr>
   <tr style="opacity: 0.5">
     <td>6</td>
@@ -2334,10 +2334,10 @@ Each node has:
 
 <span class="highlight">ARCHITECTURE</span>
   <span class="yellow">██████</span>       Tests: 74+ files but gaps in integration coverage
-  <span class="red">██████</span>       CI limited to macOS release builds — no test gating
+  <span class="green">██████</span>       CI: cargo fmt + clippy + tests, frontend type-check + build
   <span class="yellow">████</span>         Manual type sync (Rust ↔ TypeScript)
   <span class="yellow">████</span>         App integration requires 6+ file changes
-  <span class="yellow">████</span>         Crypto deps use floating versions
+  <span class="green">████</span>         Crypto deps pinned to exact versions
   <span class="green">████</span>         Security model (pentest completed, rate limiting, CSRF)
   <span class="green">████</span>         Deploy safety (rollback, manifests, locking, health checks)
   <span class="green">████</span>         Module architecture (all god files eliminated)
@@ -2346,7 +2346,7 @@ Each node has:
 
 <span class="code-comment">Legend: <span class="red">██</span> Critical  <span class="yellow">██</span> Needs attention  <span class="green">██</span> Good</span>
 
-<span class="code-comment">Progress: <span class="green">██████████████████████████████████████████</span> ~75% green (was ~40%)</span>
+<span class="code-comment">Progress: <span class="green">████████████████████████████████████████████████</span> ~85% green (was ~40%)</span>
 </div>
 
 <!-- ══════════════════════════════════════════════════════ -->

image-recipe/build-auto-installer-iso.sh

@@ -219,6 +219,7 @@ RUN apt-get update && apt-get install -y \
     tor \
     curl \
     wget \
+    git \
     htop \
     vim-tiny \
     ca-certificates \
@@ -273,6 +274,8 @@ RUN mkdir -p /etc/archipelago/ssl && \
 
 # Create archipelago systemd service
 COPY archipelago.service /etc/systemd/system/archipelago.service
+COPY archipelago-update.service /etc/systemd/system/archipelago-update.service
+COPY archipelago-update.timer /etc/systemd/system/archipelago-update.timer
 
 # Enable services
 RUN systemctl enable NetworkManager || true && \
@@ -281,7 +284,8 @@ RUN systemctl enable NetworkManager || true && \
     systemctl enable archipelago || true && \
     systemctl enable tor || true && \
     systemctl enable tailscaled || true && \
-    systemctl enable chrony || true
+    systemctl enable chrony || true && \
+    systemctl enable archipelago-update.timer || true
 
 # Remove policy-rc.d so services can start on first boot
 RUN rm -f /usr/sbin/policy-rc.d
@@ -334,6 +338,13 @@ NGINXCONF
         echo "   Using 99-mesh-radio.rules from configs/"
     fi
 
+    # Copy update service and timer
+    if [ -f "$SCRIPT_DIR/configs/archipelago-update.service" ]; then
+        cp "$SCRIPT_DIR/configs/archipelago-update.service" "$WORK_DIR/archipelago-update.service"
+        cp "$SCRIPT_DIR/configs/archipelago-update.timer" "$WORK_DIR/archipelago-update.timer"
+        echo "   Using archipelago-update.service + timer from configs/"
+    fi
+
     # Use archipelago.service from configs/ (User=root for Podman container access)
     if [ -f "$SCRIPT_DIR/configs/archipelago.service" ]; then
         cp "$SCRIPT_DIR/configs/archipelago.service" "$WORK_DIR/archipelago.service"
@@ -892,6 +903,17 @@ if [ -f "$SCRIPT_DIR/../scripts/run-e2e-tests.sh" ]; then
     echo "   ✅ Bundled E2E test script for post-install validation"
 fi
 
+# Bundle self-update script and image-versions for update system
+if [ -f "$SCRIPT_DIR/../scripts/self-update.sh" ]; then
+    cp "$SCRIPT_DIR/../scripts/self-update.sh" "$ARCH_DIR/scripts/"
+    chmod +x "$ARCH_DIR/scripts/self-update.sh"
+    echo "   ✅ Bundled self-update script"
+fi
+if [ -f "$SCRIPT_DIR/../scripts/image-versions.sh" ]; then
+    cp "$SCRIPT_DIR/../scripts/image-versions.sh" "$ARCH_DIR/scripts/"
+    echo "   ✅ Bundled image-versions.sh"
+fi
+
 # Bundle docker UI source files for building custom UIs on first boot (fallback if images not captured)
 # Skip for unbundled builds
 if [ "$UNBUNDLED" != "1" ]; then
@@ -1206,6 +1228,35 @@ if [ -f "$BOOT_MEDIA/archipelago/scripts/run-e2e-tests.sh" ]; then
     chmod +x /mnt/target/opt/archipelago/scripts/run-e2e-tests.sh
 fi
 
+# Copy self-update script
+if [ -f "$BOOT_MEDIA/archipelago/scripts/self-update.sh" ]; then
+    cp "$BOOT_MEDIA/archipelago/scripts/self-update.sh" /mnt/target/opt/archipelago/scripts/
+    chmod +x /mnt/target/opt/archipelago/scripts/self-update.sh
+    # Also place in home for the update timer to find
+    mkdir -p /mnt/target/home/archipelago/archy/scripts
+    cp "$BOOT_MEDIA/archipelago/scripts/self-update.sh" /mnt/target/home/archipelago/archy/scripts/
+    chmod +x /mnt/target/home/archipelago/archy/scripts/self-update.sh
+fi
+
+# Clone repo for git-based updates (first-boot will have network)
+# Create a script that runs on first boot to clone the repo
+cat > /mnt/target/opt/archipelago/scripts/setup-git-updates.sh <<'GITSETUP'
+#!/bin/bash
+# Clone the Archipelago repo for git-based self-updates
+REPO_DIR="/home/archipelago/archy"
+if [ -d "$REPO_DIR/.git" ]; then
+    exit 0  # Already cloned
+fi
+echo "[update] Cloning Archipelago repo for self-updates..."
+su - archipelago -c "git clone https://git.tx1138.com/lfg2025/archy $REPO_DIR" 2>/dev/null || {
+    echo "[update] Git clone failed (network?). Updates will retry on next boot."
+    exit 0
+}
+chown -R 1000:1000 "$REPO_DIR"
+echo "[update] Repo cloned. Self-updates enabled."
+GITSETUP
+chmod +x /mnt/target/opt/archipelago/scripts/setup-git-updates.sh
+
 # Ensure correct ownership (use numeric UID:GID 1000:1000 since we're outside chroot)
 chown -R 1000:1000 /mnt/target/opt/archipelago 2>/dev/null || true
 chown -R 1000:1000 /mnt/target/var/lib/archipelago 2>/dev/null || true

image-recipe/configs/archipelago-update.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Archipelago Self-Update
+After=network-online.target archipelago.service
+Wants=network-online.target
+ConditionPathExists=/home/archipelago/archy/.git
+
+[Service]
+Type=oneshot
+User=archipelago
+ExecStart=/home/archipelago/archy/scripts/self-update.sh
+TimeoutStartSec=600
+Environment="HOME=/home/archipelago"
+Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/archipelago/.cargo/bin"
+
+# Allow sudo for service restart and file install
+# Requires archipelago user in sudoers for specific commands
+
+StandardOutput=journal
+StandardError=journal

image-recipe/configs/archipelago-update.timer

@@ -0,0 +1,14 @@
+[Unit]
+Description=Check for Archipelago updates daily
+ConditionPathExists=/home/archipelago/archy/.git
+
+[Timer]
+# Check at 3 AM daily (low-activity window)
+OnCalendar=*-*-* 03:00:00
+# Randomize within 30 min window to avoid thundering herd
+RandomizedDelaySec=1800
+# Run once on boot if last check was missed
+Persistent=true
+
+[Install]
+WantedBy=timers.target

scripts/image-versions.sh

@@ -8,32 +8,32 @@
 # Bitcoin stack
 BITCOIN_KNOTS_IMAGE="docker.io/bitcoinknots/bitcoin:28.1"
 LND_IMAGE="docker.io/lightninglabs/lnd:v0.18.5-beta"
-ELECTRUMX_IMAGE="docker.io/lukechilds/electrumx:v1.16.0"
+ELECTRUMX_IMAGE="docker.io/lukechilds/electrumx:v1.18.0"
 
 # Mempool stack
 MEMPOOL_BACKEND_IMAGE="docker.io/mempool/backend:v3.0.0"
 MEMPOOL_WEB_IMAGE="docker.io/mempool/frontend:v3.0.0"
-MARIADB_IMAGE="docker.io/library/mariadb:11.4"
+MARIADB_IMAGE="docker.io/library/mariadb:11.4.10"
 
 # BTCPay
 BTCPAY_IMAGE="docker.io/btcpayserver/btcpayserver:1.13.7"
-NBXPLORER_IMAGE="docker.io/nicolasdorier/nbxplorer:2.5.13"
+NBXPLORER_IMAGE="docker.io/nicolasdorier/nbxplorer:2.6.0"
-POSTGRES_IMAGE="docker.io/library/postgres:15"
+POSTGRES_IMAGE="docker.io/library/postgres:15.17"
-BTCPAY_POSTGRES_IMAGE="docker.io/library/postgres:15"
+BTCPAY_POSTGRES_IMAGE="docker.io/library/postgres:15.17"
 
 # Apps
-HOMEASSISTANT_IMAGE="ghcr.io/home-assistant/home-assistant:2024.12"
+HOMEASSISTANT_IMAGE="ghcr.io/home-assistant/home-assistant:2024.12.5"
 GRAFANA_IMAGE="docker.io/grafana/grafana:11.4.0"
-UPTIME_KUMA_IMAGE="docker.io/louislam/uptime-kuma:1"
+UPTIME_KUMA_IMAGE="docker.io/louislam/uptime-kuma:1.23.17"
 JELLYFIN_IMAGE="docker.io/jellyfin/jellyfin:10.10.3"
 PHOTOPRISM_IMAGE="docker.io/photoprism/photoprism:240915"
 OLLAMA_IMAGE="docker.io/ollama/ollama:0.5.4"
 VAULTWARDEN_IMAGE="docker.io/vaultwarden/server:1.32.5"
-NEXTCLOUD_IMAGE="docker.io/library/nextcloud:29"
+NEXTCLOUD_IMAGE="docker.io/library/nextcloud:29.0.16"
 SEARXNG_IMAGE="docker.io/searxng/searxng:2026.3.20-6c7e9c197"
-ONLYOFFICE_IMAGE="docker.io/onlyoffice/documentserver:8.2"
+ONLYOFFICE_IMAGE="docker.io/onlyoffice/documentserver:8.2.3.1"
-FILEBROWSER_IMAGE="docker.io/filebrowser/filebrowser:v2"
+FILEBROWSER_IMAGE="docker.io/filebrowser/filebrowser:v2.27.0"
-NPM_IMAGE="docker.io/jc21/nginx-proxy-manager:2"
+NPM_IMAGE="docker.io/jc21/nginx-proxy-manager:2.14.0"
 PORTAINER_IMAGE="docker.io/portainer/portainer-ce:2.21.5"
 
 # Networking
@@ -42,14 +42,14 @@ ALPINE_TOR_IMAGE="docker.io/andrius/alpine-tor:0.4.8.13"
 ADGUARDHOME_IMAGE="docker.io/adguard/adguardhome:v0.107.55"
 
 # Fedimint
-FEDIMINT_IMAGE="docker.io/fedimint/fedimintd:v0.5.1"
+FEDIMINT_IMAGE="docker.io/fedimint/fedimintd:v0.10.0"
-FEDIMINT_GATEWAY_IMAGE="docker.io/fedimint/gatewayd:v0.5.1"
+FEDIMINT_GATEWAY_IMAGE="docker.io/fedimint/gatewayd:v0.10.0"
 
 # Media
-REDIS_IMAGE="docker.io/library/redis:7"
+REDIS_IMAGE="docker.io/library/redis:7.4.8"
 
 # Valkey (general purpose)
-VALKEY_IMAGE="docker.io/valkey/valkey:8"
+VALKEY_IMAGE="docker.io/valkey/valkey:8.1.6"
 
 # Nostr
 NOSTR_RS_RELAY_IMAGE="docker.io/scsibug/nostr-rs-relay:0.9.0"
@@ -57,12 +57,12 @@ STRFRY_IMAGE="docker.io/pluja/strfry:1.0.4"
 
 # IndeedHub stack (local builds use :local tag, not :latest)
 MINIO_IMAGE="docker.io/minio/minio:RELEASE.2024-11-07T00-52-20Z"
-INDEEDHUB_POSTGRES_IMAGE="docker.io/library/postgres:16-alpine"
+INDEEDHUB_POSTGRES_IMAGE="docker.io/library/postgres:16.13-alpine"
-INDEEDHUB_REDIS_IMAGE="docker.io/library/redis:7-alpine"
+INDEEDHUB_REDIS_IMAGE="docker.io/library/redis:7.4.8-alpine"
 
 # DWN (Decentralized Web Node)
-DWN_SERVER_IMAGE="ghcr.io/tbd54566975/dwn-server:main"
+DWN_SERVER_IMAGE="ghcr.io/tbd54566975/dwn-server:main@sha256:665cb00f45ffbf0d6324915b593503927654ebf13b7b71440a5ffe26edb3c48e"
 
 
 # Base images
-NGINX_ALPINE_IMAGE="docker.io/library/nginx:alpine"
+NGINX_ALPINE_IMAGE="docker.io/library/nginx:1.29.6-alpine"

scripts/self-update.sh

@@ -0,0 +1,230 @@
+#!/bin/bash
+# Self-update: pull latest code from git.tx1138.com and apply
+# Designed to run on installed Archipelago nodes (as archipelago user)
+#
+# Usage:
+#   ./self-update.sh              # Check + apply if available
+#   ./self-update.sh --check      # Check only, don't apply
+#   ./self-update.sh --force      # Apply even if already up to date
+#
+# The script:
+#   1. Pulls latest code from origin (git.tx1138.com)
+#   2. Builds the Rust backend (release mode)
+#   3. Builds the Vue frontend (production mode)
+#   4. Installs the new binary and web UI
+#   5. Restarts the archipelago service
+#   6. Verifies health after restart
+
+set -euo pipefail
+
+REPO_DIR="$HOME/archy"
+BACKEND_DIR="$REPO_DIR/core"
+FRONTEND_DIR="$REPO_DIR/neode-ui"
+INSTALL_BIN="/usr/local/bin/archipelago"
+INSTALL_WEB="/opt/archipelago/web-ui"
+STATE_FILE="/var/lib/archipelago/update_state.json"
+LOG_FILE="/var/lib/archipelago/update.log"
+LOCK_FILE="/tmp/archipelago-update.lock"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log() { echo -e "${BLUE}[$(date '+%H:%M:%S')]${NC} $*" | tee -a "$LOG_FILE"; }
+ok()  { echo -e "${GREEN}[$(date '+%H:%M:%S')] OK${NC} $*" | tee -a "$LOG_FILE"; }
+err() { echo -e "${RED}[$(date '+%H:%M:%S')] ERROR${NC} $*" | tee -a "$LOG_FILE"; }
+warn(){ echo -e "${YELLOW}[$(date '+%H:%M:%S')] WARN${NC} $*" | tee -a "$LOG_FILE"; }
+
+cleanup() {
+    rm -f "$LOCK_FILE"
+}
+trap cleanup EXIT
+
+# Prevent concurrent updates
+if [ -f "$LOCK_FILE" ]; then
+    pid=$(cat "$LOCK_FILE" 2>/dev/null)
+    if kill -0 "$pid" 2>/dev/null; then
+        err "Update already in progress (PID $pid)"
+        exit 1
+    fi
+    warn "Stale lock file found, removing"
+    rm -f "$LOCK_FILE"
+fi
+echo $$ > "$LOCK_FILE"
+
+# Parse args
+CHECK_ONLY=false
+FORCE=false
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --check) CHECK_ONLY=true; shift ;;
+        --force) FORCE=true; shift ;;
+        *) shift ;;
+    esac
+done
+
+# Ensure repo exists
+if [ ! -d "$REPO_DIR/.git" ]; then
+    err "Repo not found at $REPO_DIR"
+    err "Clone it first: git clone https://git.tx1138.com/lfg2025/archy ~/archy"
+    exit 1
+fi
+
+cd "$REPO_DIR"
+
+# Fetch latest
+log "Fetching from origin..."
+git fetch origin main --quiet 2>>"$LOG_FILE"
+
+# Check if there are updates
+LOCAL=$(git rev-parse HEAD)
+REMOTE=$(git rev-parse origin/main)
+
+if [ "$LOCAL" = "$REMOTE" ] && [ "$FORCE" = "false" ]; then
+    ok "Already up to date ($LOCAL)"
+    if [ "$CHECK_ONLY" = "true" ]; then
+        echo '{"update_available": false, "current": "'"$LOCAL"'"}'
+    fi
+    exit 0
+fi
+
+# Calculate what changed
+COMMITS_BEHIND=$(git rev-list HEAD..origin/main --count)
+log "Update available: $COMMITS_BEHIND commits behind"
+log "  Local:  $LOCAL"
+log "  Remote: $REMOTE"
+
+if [ "$CHECK_ONLY" = "true" ]; then
+    CHANGELOG=$(git log HEAD..origin/main --oneline --no-merges | head -20)
+    echo '{"update_available": true, "current": "'"$LOCAL"'", "latest": "'"$REMOTE"'", "commits_behind": '"$COMMITS_BEHIND"'}'
+    echo ""
+    echo "Changes:"
+    echo "$CHANGELOG"
+    exit 0
+fi
+
+# Backup current binary
+BACKUP_DIR="/var/lib/archipelago/update-backup"
+mkdir -p "$BACKUP_DIR"
+if [ -f "$INSTALL_BIN" ]; then
+    cp "$INSTALL_BIN" "$BACKUP_DIR/archipelago.bak"
+    log "Backed up current binary"
+fi
+
+# Pull latest code
+log "Pulling latest code..."
+git pull origin main --ff-only 2>>"$LOG_FILE" || {
+    err "Git pull failed — local changes? Run: git reset --hard origin/main"
+    exit 1
+}
+
+NEW_VERSION=$(git rev-parse --short HEAD)
+log "Now at: $NEW_VERSION"
+
+# Build backend
+log "Building Rust backend (release)..."
+cd "$BACKEND_DIR"
+if cargo build --release --workspace 2>>"$LOG_FILE"; then
+    ok "Backend built successfully"
+else
+    err "Backend build failed — rolling back"
+    cd "$REPO_DIR"
+    git reset --hard "$LOCAL" 2>>"$LOG_FILE"
+    exit 1
+fi
+
+# Install binary
+BUILT_BIN="$BACKEND_DIR/target/release/archipelago"
+if [ ! -f "$BUILT_BIN" ]; then
+    err "Built binary not found at $BUILT_BIN"
+    exit 1
+fi
+sudo cp "$BUILT_BIN" "$INSTALL_BIN"
+sudo chmod +x "$INSTALL_BIN"
+ok "Backend installed"
+
+# Build frontend
+log "Building Vue frontend (production)..."
+cd "$FRONTEND_DIR"
+npm ci --silent 2>>"$LOG_FILE" || npm install --silent 2>>"$LOG_FILE"
+if npm run build 2>>"$LOG_FILE"; then
+    ok "Frontend built successfully"
+else
+    err "Frontend build failed — backend already updated, service may need manual fix"
+    exit 1
+fi
+
+# Install frontend (preserve aiui and claude-login.html)
+BUILT_WEB="$REPO_DIR/web/dist/neode-ui"
+if [ -d "$BUILT_WEB" ]; then
+    # Sync new files, preserving aiui/ and claude-login.html
+    sudo rsync -a --delete \
+        --exclude 'aiui' \
+        --exclude 'claude-login.html' \
+        "$BUILT_WEB/" "$INSTALL_WEB/"
+    ok "Frontend installed"
+else
+    warn "Frontend build output not found at $BUILT_WEB — skipping"
+fi
+
+# Update image-versions.sh on the server
+if [ -f "$REPO_DIR/scripts/image-versions.sh" ]; then
+    sudo cp "$REPO_DIR/scripts/image-versions.sh" /opt/archipelago/image-versions.sh
+    ok "Image versions updated"
+fi
+
+# Update systemd service if changed
+if [ -f "$REPO_DIR/image-recipe/configs/archipelago.service" ]; then
+    if ! diff -q "$REPO_DIR/image-recipe/configs/archipelago.service" /etc/systemd/system/archipelago.service &>/dev/null; then
+        sudo cp "$REPO_DIR/image-recipe/configs/archipelago.service" /etc/systemd/system/archipelago.service
+        sudo systemctl daemon-reload
+        ok "Systemd service updated"
+    fi
+fi
+
+# Restart service
+log "Restarting archipelago service..."
+sudo systemctl restart archipelago
+
+# Wait for health
+log "Waiting for backend health..."
+for i in $(seq 1 30); do
+    if curl -sf http://127.0.0.1:5678/health > /dev/null 2>&1; then
+        ok "Backend healthy after ${i}s"
+        break
+    fi
+    if [ "$i" = "30" ]; then
+        err "Backend failed to start within 30s"
+        warn "Rolling back binary..."
+        if [ -f "$BACKUP_DIR/archipelago.bak" ]; then
+            sudo cp "$BACKUP_DIR/archipelago.bak" "$INSTALL_BIN"
+            sudo systemctl restart archipelago
+            err "Rolled back to previous binary"
+        fi
+        exit 1
+    fi
+    sleep 1
+done
+
+# Update state file for the UI
+python3 -c "
+import json, datetime
+state = {
+    'current_version': '$NEW_VERSION',
+    'last_check': datetime.datetime.utcnow().isoformat() + 'Z',
+    'available_update': None,
+    'update_in_progress': False,
+    'rollback_available': True,
+    'schedule': 'daily_check'
+}
+with open('$STATE_FILE', 'w') as f:
+    json.dump(state, f, indent=2)
+" 2>/dev/null || true
+
+echo ""
+ok "Update complete: $LOCAL -> $NEW_VERSION"
+log "Changelog:"
+git log "$LOCAL".."$NEW_VERSION" --oneline --no-merges | head -10 | tee -a "$LOG_FILE"