diff --git a/.claude/rules/containers.md b/.claude/rules/containers.md
index b756b8aa..2e0e6339 100644
--- a/.claude/rules/containers.md
+++ b/.claude/rules/containers.md
@@ -5,15 +5,46 @@ globs:
   - "**/*podman*"
   - "**/Containerfile"
   - "**/Dockerfile"
+  - "**/first-boot*"
+  - "**/container-doctor*"
 ---
 
-# Container Security Rules (Archipelago)
+# Container Security Rules (Archipelago — Rootless Podman)
 
-- `readonly_root: true` always — containers must not write to their root filesystem
+## Rootless Podman Architecture
+- Podman runs as `archipelago` user (UID 1000), NOT root — never use `sudo podman`
+- UID namespace mapping via subuid: container UID N → host UID (100000 + N)
+- Container images stored in `~/.local/share/containers/storage/` (NOT /var/lib/containers)
+- Container subnet: `10.89.0.0/16` (rootless), not `10.88.0.0/16` (rootful)
+- XDG_RUNTIME_DIR must be `/run/user/1000` — required for podman socket
+- `loginctl enable-linger archipelago` required for containers to survive logout
+
+## Container Security (Non-Negotiable)
 - Drop ALL capabilities, add only what's required (`--cap-drop=ALL --cap-add=...`)
-- Run as non-root user (UID > 1000): `--user 1001:1001`
-- Set `--security-opt=no-new-privileges:true`
-- Pin image versions by SHA256 digest, never use `:latest` tag
+- Set `--security-opt=no-new-privileges:true` on all containers
+- Use `--read-only` + tmpfs where possible (safe apps: searxng, grafana, filebrowser, electrumx, nostr-rs-relay, ollama, indeedhub)
+- Pin image versions — never use `:latest` tag
 - Mount secrets as read-only files, never pass as environment variables when possible
 - Set memory and CPU limits on all containers
-- Use `--network=none` unless network access is required
+- All containers must have `--restart unless-stopped`
+
+## Volume Ownership (Critical for Rootless)
+- Volume directories must be owned by the MAPPED UID, not the container UID
+- Formula: `host_uid = 100000 + container_uid`
+- UID 0 (most apps) → `sudo chown -R 100000:100000 /var/lib/archipelago/{app}`
+- UID 101 (bitcoin) → `sudo chown -R 100101:100101 /var/lib/archipelago/bitcoin`
+- UID 70 (postgres) → `sudo chown -R 100070:100070 /var/lib/archipelago/postgres-*`
+- UID 472 (grafana) → `sudo chown -R 100472:100472 /var/lib/archipelago/grafana`
+- UID 999 (mariadb) → `sudo chown -R 100999:100999 /var/lib/archipelago/mysql-*`
+
+## Systemd Service Requirements
+- `ProtectHome=no` — podman needs `~/.local/share/containers/`
+- `PrivateTmp=no` — podman runtime uses `/tmp/podman-run-1000/`
+- `RestrictNamespaces=` must NOT be set — rootless podman creates user namespaces
+- `SystemCallFilter=` must NOT be set — rootless podman needs clone/unshare
+- UFW `DEFAULT_FORWARD_POLICY="ACCEPT"` — required for LAN access to container ports
+
+## Network Rules
+- Apps needing inter-container DNS: use `--network=archy-net` (bitcoin, lnd, electrumx, mempool, btcpay, fedimint)
+- Standalone apps: default bridge network
+- Tailscale only: `--network=host` + `NET_ADMIN` + `NET_RAW` + `/dev/net/tun`
diff --git a/.claude/skills/podman-doctor/SKILL.md b/.claude/skills/podman-doctor/SKILL.md
index 44d13bc0..38564b70 100644
--- a/.claude/skills/podman-doctor/SKILL.md
+++ b/.claude/skills/podman-doctor/SKILL.md
@@ -4,6 +4,7 @@ description: >
   Comprehensive Podman container diagnostic for Archipelago. Audits all running containers,
   port mappings, network connectivity, health status, restart policies, and config consistency
   across all 4 layers (backend Rust, Podman runtime, Nginx proxy, frontend routing).
+  Handles rootless Podman (user: archipelago, UID 1000, subuid 100000:65536).
   Use when asked to "diagnose containers", "check podman", "why is app not working",
   "container health check", "port not reachable", "audit containers", "podman status",
   or when any container/app is misbehaving.
@@ -12,46 +13,123 @@ allowed-tools: Bash Read Glob Grep
 
 # Podman Doctor — Container Infrastructure Diagnostics
 
-Systematic diagnostic for Archipelago's Podman container stack. Catches port conflicts, network misconfigurations, health failures, missing restart policies, and config drift across all layers.
+Systematic diagnostic for Archipelago's **rootless Podman** container stack. Catches port conflicts, network misconfigurations, health failures, missing restart policies, UID mapping issues, and config drift across all layers.
 
 **SSH command**: `ssh -i ~/.ssh/archipelago-deploy archipelago@192.168.1.228`
 
+> **ROOTLESS PODMAN**: Archipelago runs Podman as the `archipelago` user (UID 1000), NOT root.
+> Never use `sudo podman` — use plain `podman` after SSH'ing in as the `archipelago` user.
+> Container UIDs are mapped via subuid: container UID N → host UID (100000 + N).
+
 If $ARGUMENTS is provided, focus diagnosis on that specific app/container. Otherwise run full audit.
 
 ## Workflow
 
 ### Step 1: Gather Runtime State
 
-Run these on the server:
+Run these on the server (as `archipelago` user — NO sudo):
 
 ```bash
 # All containers with status, ports, networks
-sudo podman ps -a --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}\t{{.Networks}}"
+podman ps -a --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}\t{{.Networks}}"
 
 # Check for port conflicts on known ports
-sudo ss -tlnp | grep -E ":(80|443|3000|4080|5678|8080|8081|8082|8083|8085|8096|8123|8173|8174|8175|8240|8332|8333|8334|8888|9735|10009|11434|23000|50001)\b"
+ss -tlnp | grep -E ":(80|443|3000|4080|5678|8080|8081|8082|8083|8085|8096|8123|8173|8174|8175|8240|8332|8333|8334|8888|9735|10009|11434|23000|50001)\b"
 ```
 
-### Step 2: Check Restart Policies
+### Step 2: Rootless Podman Health Check
+
+Rootless Podman has specific requirements that must be verified:
+
+```bash
+# Verify running as archipelago user (NOT root)
+whoami  # Must be "archipelago"
+id      # Must show uid=1000(archipelago)
+
+# Check XDG_RUNTIME_DIR is set (required for rootless podman socket)
+echo "XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR"  # Must be /run/user/1000
+
+# Verify subuid/subgid mapping exists
+grep archipelago /etc/subuid  # Must show: archipelago:100000:65536
+grep archipelago /etc/subgid  # Must show: archipelago:100000:65536
+
+# Verify user lingering is enabled (keeps user services after logout)
+ls /var/lib/systemd/linger/ | grep archipelago  # Must exist
+
+# Check podman storage is accessible
+podman info --format "{{.Store.GraphRoot}}"  # ~/.local/share/containers/storage
+ls -la ~/.local/share/containers/storage/ 2>/dev/null || echo "ERROR: Storage not accessible"
+
+# Check podman socket
+ls -la /run/user/1000/podman/ 2>/dev/null || echo "WARNING: No podman socket directory"
+```
+
+### Step 3: Check Restart Policies
 
 Every container MUST have `--restart unless-stopped`. This is the #1 cause of downtime after reboots.
 
 ```bash
-for c in $(sudo podman ps -a --format "{{.Names}}"); do
+for c in $(podman ps -a --format "{{.Names}}"); do
   echo -n "$c: "
-  sudo podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}"
+  podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}"
 done
 ```
 
 **Red flag**: `no` or empty = container won't survive reboot.
 
-### Step 3: Verify Port Mapping Consistency
+### Step 4: Volume Ownership Audit (Rootless UID Mapping)
+
+Rootless Podman maps container UIDs via subuid. Volume directories must be owned by the MAPPED UID, not the container UID. Formula: `host_uid = 100000 + container_uid`
+
+```bash
+echo "=== Volume Ownership Check ==="
+
+# Default containers (run as root inside = UID 0 → host UID 100000)
+for dir in lnd fedimint homeassistant jellyfin vaultwarden photoprism ollama filebrowser electrumx btcpay immich; do
+  if [ -d "/var/lib/archipelago/$dir" ]; then
+    owner=$(stat -c '%u:%g' "/var/lib/archipelago/$dir" 2>/dev/null)
+    if [ "$owner" != "100000:100000" ]; then
+      echo "WRONG: /var/lib/archipelago/$dir owned by $owner (should be 100000:100000)"
+    else
+      echo "  OK: $dir → $owner"
+    fi
+  fi
+done
+
+# Bitcoin Knots (container UID 101 → host UID 100101)
+if [ -d "/var/lib/archipelago/bitcoin" ]; then
+  owner=$(stat -c '%u:%g' "/var/lib/archipelago/bitcoin")
+  [ "$owner" != "100101:100101" ] && echo "WRONG: bitcoin owned by $owner (should be 100101:100101)" || echo "  OK: bitcoin → $owner"
+fi
+
+# PostgreSQL (container UID 70 → host UID 100070)
+for dir in /var/lib/archipelago/*-db /var/lib/archipelago/postgres-*; do
+  if [ -d "$dir" ]; then
+    owner=$(stat -c '%u:%g' "$dir")
+    [ "$owner" != "100070:100070" ] && echo "WRONG: $dir owned by $owner (should be 100070:100070)" || echo "  OK: $(basename $dir) → $owner"
+  fi
+done
+
+# Grafana (container UID 472 → host UID 100472)
+if [ -d "/var/lib/archipelago/grafana" ]; then
+  owner=$(stat -c '%u:%g' "/var/lib/archipelago/grafana")
+  [ "$owner" != "100472:100472" ] && echo "WRONG: grafana owned by $owner (should be 100472:100472)" || echo "  OK: grafana → $owner"
+fi
+
+# MariaDB/MySQL (container UID 999 → host UID 100999)
+if [ -d "/var/lib/archipelago/mysql-mempool" ]; then
+  owner=$(stat -c '%u:%g' "/var/lib/archipelago/mysql-mempool")
+  [ "$owner" != "100999:100999" ] && echo "WRONG: mysql-mempool owned by $owner (should be 100999:100999)" || echo "  OK: mysql-mempool → $owner"
+fi
+```
+
+### Step 5: Verify Port Mapping Consistency
 
 Cross-reference these 4 layers — mismatches between ANY two cause "app not loading" bugs:
 
 **Layer 1 — Backend Config (Rust)**: Read `core/archipelago/src/api/rpc/package.rs`, look at `get_app_config()` port mappings.
 
-**Layer 2 — Podman Runtime**: `sudo podman ps --format "{{.Names}}: {{.Ports}}"`
+**Layer 2 — Podman Runtime**: `podman ps --format "{{.Names}}: {{.Ports}}"`
 
 **Layer 3 — Nginx Proxy**: Read these for `/app/{id}/` location blocks:
 - `image-recipe/configs/nginx-archipelago.conf` (HTTP)
@@ -66,77 +144,114 @@ Cross-reference these 4 layers — mismatches between ANY two cause "app not loa
 | Works on port but not /app/ path | Missing nginx location block |
 | Frontend can't find app | PORT_TO_APP_ID missing in appLauncher.ts |
 
-### Step 4: Network Connectivity Audit
+### Step 6: Network Connectivity Audit
 
 ```bash
 # Networks and their containers
-sudo podman network ls
-sudo podman network inspect archy-net 2>/dev/null || echo "WARNING: archy-net missing!"
+podman network ls
+podman network inspect archy-net 2>/dev/null || echo "WARNING: archy-net missing!"
+
+# Check container subnet (rootless uses 10.89.x.x, NOT 10.88.x.x)
+podman network inspect archy-net --format "{{range .Subnets}}{{.Subnet}}{{end}}" 2>/dev/null
 ```
 
-**Must be on archy-net**: bitcoin-knots, lnd, electrs, mempool, btcpay-server, nbxplorer, fedimint, fedimint-gateway, nostr-rs-relay, indeedhub, ollama, open-webui
+**Must be on archy-net**: bitcoin-knots, lnd, electrs/electrumx, mempool, btcpay-server, nbxplorer, fedimint, fedimint-gateway, nostr-rs-relay, indeedhub, ollama, open-webui
 
 **Must NOT be on archy-net**: grafana, nextcloud, filebrowser, vaultwarden, bitcoin-ui, lnd-ui, tailscale (host network)
 
-### Step 5: Health Check Status
+### Step 7: UFW Forward Policy Check
+
+Rootless Podman requires `DEFAULT_FORWARD_POLICY="ACCEPT"` in UFW, otherwise container ports are unreachable from LAN.
+
+```bash
+grep DEFAULT_FORWARD_POLICY /etc/default/ufw
+# Must be "ACCEPT", NOT "DROP"
+# If DROP: containers work locally but NOT from other machines on the network
+```
+
+### Step 8: Systemd Service Sandbox Check
+
+The `archipelago.service` must have specific settings relaxed for rootless Podman:
+
+```bash
+# Check critical settings
+systemctl cat archipelago.service | grep -E "ProtectHome|PrivateTmp|RestrictNamespaces|ReadWritePaths|XDG_RUNTIME_DIR"
+```
+
+**Required settings for rootless Podman**:
+- `ProtectHome=no` — podman stores images in `~/.local/share/containers/`
+- `PrivateTmp=no` or disabled — podman runtime uses `/tmp/podman-run-1000/`
+- `RestrictNamespaces=` must NOT be set — rootless podman needs user namespaces
+- `ReadWritePaths=` must include `/var/lib/archipelago /run/user /tmp`
+- `Environment=XDG_RUNTIME_DIR=/run/user/1000`
+
+### Step 9: Health Check Status
 
 ```bash
 # Containers with health checks — are they passing?
-for c in $(sudo podman ps --format "{{.Names}}"); do
-  health=$(sudo podman inspect "$c" --format "{{.State.Health.Status}}" 2>/dev/null)
+for c in $(podman ps --format "{{.Names}}"); do
+  health=$(podman inspect "$c" --format "{{.State.Health.Status}}" 2>/dev/null)
   if [ -n "$health" ] && [ "$health" != "<no value>" ]; then
     echo "$c: $health"
   fi
 done
 
 # Containers WITHOUT health checks (gap in monitoring)
-for c in $(sudo podman ps --format "{{.Names}}"); do
-  hc=$(sudo podman inspect "$c" --format "{{.Config.Healthcheck}}" 2>/dev/null)
+for c in $(podman ps --format "{{.Names}}"); do
+  hc=$(podman inspect "$c" --format "{{.Config.Healthcheck}}" 2>/dev/null)
   if [ "$hc" = "<nil>" ] || [ -z "$hc" ]; then
     echo "NO HEALTHCHECK: $c"
   fi
 done
 ```
 
-### Step 6: Resource & Failure Analysis
+### Step 10: Resource & Failure Analysis
 
 ```bash
 # Resource usage
-sudo podman stats --no-stream --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.MemPerc}}"
+podman stats --no-stream --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.MemPerc}}"
 
 # Recent deaths (last 24h)
-sudo podman events --filter event=died --since 24h 2>/dev/null | tail -20
+podman events --filter event=died --since 24h 2>/dev/null | tail -20
 
 # OOM kills
-sudo podman ps -a --format "{{.Names}}" | while read c; do
-  oom=$(sudo podman inspect "$c" --format "{{.State.OOMKilled}}" 2>/dev/null)
+podman ps -a --format "{{.Names}}" | while read c; do
+  oom=$(podman inspect "$c" --format "{{.State.OOMKilled}}" 2>/dev/null)
   [ "$oom" = "true" ] && echo "OOM KILLED: $c"
 done
 
 # Non-zero exits
-sudo podman ps -a --filter status=exited --format "{{.Names}}\t{{.Status}}"
+podman ps -a --filter status=exited --format "{{.Names}}\t{{.Status}}"
 ```
 
-### Step 7: Systemd Integration
+### Step 11: Systemd Integration
 
 ```bash
 systemctl is-active archipelago nginx
-systemctl list-units --type=service | grep -i podman
+systemctl --user list-units --type=service 2>/dev/null | grep -i podman
 systemctl list-timers --all | grep -i -E "podman|container|archipelago"
 ```
 
-### Step 8: Generate Report
+### Step 12: Generate Report
 
 Produce a structured report:
 
 ```
 ## Container Diagnostic Report
 
+### Rootless Podman Status
+- User: archipelago (UID 1000)
+- Subuid mapping: [OK/MISSING]
+- XDG_RUNTIME_DIR: [OK/MISSING]
+- User linger: [enabled/disabled]
+- UFW forward policy: [ACCEPT/DROP]
+
 ### Summary
 - Total containers: X running, Y stopped, Z unhealthy
 - Port conflicts: [list or "none"]
 - Missing restart policies: [list or "none"]
 - Network issues: [list or "none"]
+- UID mapping issues: [list or "none"]
 - Health check gaps: [list]
 
 ### Critical Issues (fix immediately)
@@ -154,3 +269,7 @@ After diagnosis, suggest running `/podman-fix` for any issues found.
 ## Port Reference
 
 See `references/port-map.md` for the canonical port assignment table across all 4 layers.
+
+## UID Mapping Reference
+
+See `references/uid-mapping.md` for the complete rootless UID mapping table.
diff --git a/.claude/skills/podman-doctor/references/common-failures.md b/.claude/skills/podman-doctor/references/common-failures.md
index 75f2afb0..983a58fc 100644
--- a/.claude/skills/podman-doctor/references/common-failures.md
+++ b/.claude/skills/podman-doctor/references/common-failures.md
@@ -1,15 +1,31 @@
 # Common Podman Failure Patterns
 
+## Rootless Podman Specific Failures
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `ERRO[0000] cannot find UID/GID for user` | subuid/subgid not configured | Add `archipelago:100000:65536` to `/etc/subuid` and `/etc/subgid` |
+| `Error: unshare: operation not permitted` | Systemd `RestrictNamespaces` blocks user namespaces | Remove `RestrictNamespaces=` from `archipelago.service` |
+| `Error: could not get runtime: creating runtime` | XDG_RUNTIME_DIR not set or /run/user/1000 missing | Set `Environment=XDG_RUNTIME_DIR=/run/user/1000` in service, ensure `loginctl enable-linger archipelago` |
+| `permission denied` on volume mount | Wrong UID ownership — must use mapped UIDs | `sudo chown -R 100000:100000 /var/lib/archipelago/APP` (see UID mapping table) |
+| `ERRO[0000] rootless containers not supported` | Podman not configured for rootless | Run `podman system migrate`, check `/etc/subuid` |
+| `Error: creating container storage: layer not known` | Corrupted rootless storage | `podman system reset` (destroys all containers — last resort) |
+| `Error: stat /tmp/podman-run-1000/...: no such file` | PrivateTmp=yes in systemd isolates /tmp | Set `PrivateTmp=no` in `archipelago.service` |
+| Container ports unreachable from LAN | UFW DEFAULT_FORWARD_POLICY="DROP" | Change to "ACCEPT" in `/etc/default/ufw`, then `sudo ufw reload` |
+| `Error: error creating network namespace` | Systemd `SystemCallFilter` blocks clone/unshare | Remove `SystemCallFilter=` from `archipelago.service` |
+| Containers lose network after service restart | podman runtime dir in /tmp cleaned | Ensure `PrivateTmp=no` so /tmp/podman-run-1000/ persists |
+
 ## Container Won't Start
 
 | Error | Cause | Fix |
 |-------|-------|-----|
 | `exec format error` | Binary built on wrong arch | Rebuild on the Linux server |
 | `address already in use` | Port conflict | `ss -tlnp \| grep :PORT` to find offender |
-| `permission denied` | Missing capability or read-only root | Check `get_app_capabilities()`, add tmpfs |
+| `permission denied` | Missing capability, wrong UID ownership, or read-only root | Check capabilities, check volume ownership with mapped UID, add tmpfs |
 | `OCI runtime error` | Corrupt container state | `podman rm -f NAME && recreate` |
 | `image not known` | Image not pulled | `podman pull IMAGE:TAG` |
 | `no such network` | Network missing | `podman network create archy-net` |
+| `Error: netavark: ...subnet overlap` | Network CIDR conflict | `podman network rm archy-net && podman network create archy-net` |
 
 ## Container Starts But App Unreachable
 
@@ -20,6 +36,7 @@
 | Port mapped but refused | Container logs | App crashing internally — check logs |
 | Works sometimes | Resources | Check OOM kills, CPU, disk space |
 | 502 Bad Gateway | Nginx→Container | Wrong port in proxy_pass or container restarted |
+| Works locally but not from LAN | UFW forward policy | Set `DEFAULT_FORWARD_POLICY="ACCEPT"` in `/etc/default/ufw` |
 
 ## Container Keeps Dying
 
@@ -29,6 +46,8 @@
 | Dies after minutes | OOM killed | Increase `--memory` limit |
 | Dies when dep restarts | No restart policy | Add `--restart unless-stopped` |
 | Crash loop | Repeated crash | Fix root cause, don't just restart |
+| Exit code 127 | Missing binary in container | Wrong image tag or corrupted image — re-pull |
+| Exit code 137 | Killed by OOM or signal | Check `dmesg` for OOM kill, check `podman inspect` for OOMKilled |
 
 ## Network Issues
 
@@ -37,6 +56,20 @@
 | Can't resolve container names | Not on archy-net | Recreate with `--network=archy-net` |
 | Can't reach internet | DNS missing | Add `--dns 1.1.1.1` |
 | Container-to-container timeout | Different networks | Put both on same network |
+| Bitcoin RPC refused from container | rpcallowip wrong subnet | Use `rpcallowip=0.0.0.0/0` (safe: port mapped, not exposed) |
+| Old containers can't find new network | Subnet changed (rootful→rootless) | Recreate containers on new archy-net (rootless uses 10.89.x.x) |
+
+## Volume Permission Patterns (Rootless UID Mapping)
+
+Formula: **host_uid = 100000 + container_uid**
+
+| Container UID | Host UID | Apps | Data Directory |
+|---|---|---|---|
+| 0 (root) | 100000 | lnd, fedimint, homeassistant, jellyfin, vaultwarden, photoprism, ollama, filebrowser, electrumx, btcpay, immich | `/var/lib/archipelago/{app}` |
+| 70 | 100070 | postgres (btcpay-db, immich-db, penpot-postgres) | `/var/lib/archipelago/postgres-*` |
+| 101 | 100101 | bitcoin-knots | `/var/lib/archipelago/bitcoin` |
+| 472 | 100472 | grafana | `/var/lib/archipelago/grafana` |
+| 999 | 100999 | MariaDB (mysql-mempool) | `/var/lib/archipelago/mysql-mempool` |
 
 ## Capability Reference
 
@@ -47,9 +80,23 @@
 | DAC_OVERRIDE | nextcloud, homeassistant, btcpay | Can't access cross-UID files |
 | FOWNER | bitcoin-knots, lnd, fedimint | Can't modify data dir perms |
 | NET_BIND_SERVICE | nginx-proxy-manager, vaultwarden | Can't bind ports <1024 |
+| NET_ADMIN + NET_RAW | tailscale | Can't create TUN device or manage routes |
 
 ## Read-Only Safe Apps
 
-Only these 8 apps can run with `--read-only`: searxng, grafana, filebrowser, electrs, nostr-rs-relay, ollama, indeedhub
+Only these apps can run with `--read-only` + tmpfs: searxng, grafana, filebrowser, electrumx, mempool-electrs, electrs, nostr-rs-relay, ollama, indeedhub
 
 All others need writable root or will fail silently.
+
+## Systemd Sandbox Requirements for Rootless Podman
+
+These systemd service settings MUST be configured for rootless Podman to work:
+
+| Setting | Required Value | Why |
+|---------|---------------|-----|
+| `ProtectHome=` | `no` | Podman stores images in `~/.local/share/containers/` |
+| `PrivateTmp=` | `no` | Podman runtime lives in `/tmp/podman-run-1000/` |
+| `RestrictNamespaces=` | NOT SET | Rootless podman creates user namespaces |
+| `SystemCallFilter=` | NOT SET | Rootless podman needs clone/unshare syscalls |
+| `ReadWritePaths=` | Include `/var/lib/archipelago /run/user /tmp /etc/containers /var/lib/containers /run/containers` | Volume data + podman runtime paths |
+| `Environment=` | `XDG_RUNTIME_DIR=/run/user/1000` | Podman socket location |
diff --git a/.claude/skills/podman-doctor/references/uid-mapping.md b/.claude/skills/podman-doctor/references/uid-mapping.md
new file mode 100644
index 00000000..a8338720
--- /dev/null
+++ b/.claude/skills/podman-doctor/references/uid-mapping.md
@@ -0,0 +1,93 @@
+# Rootless Podman UID Mapping Reference
+
+## How Rootless UID Mapping Works
+
+When Podman runs as the `archipelago` user (UID 1000), container processes don't run as their "apparent" UID on the host. Instead, Linux user namespaces remap UIDs.
+
+**Mapping formula**: `host_uid = 100000 + container_uid`
+
+This is configured in `/etc/subuid` and `/etc/subgid`:
+```
+archipelago:100000:65536
+```
+
+This means:
+- Container UID 0 (root inside container) → Host UID 100000 (unprivileged on host)
+- Container UID 70 (postgres) → Host UID 100070
+- Container UID 101 (bitcoin) → Host UID 100101
+- etc.
+
+## Why This Matters
+
+Volume directories (bind mounts) on the host must be owned by the **mapped** UID, not the container UID. If Bitcoin runs as UID 101 inside its container, the host directory must be owned by UID 100101.
+
+If ownership is wrong, the container gets `permission denied` when trying to read/write its data.
+
+## Complete UID Mapping Table
+
+| Container UID | Host UID | Containers | Fix Command |
+|---|---|---|---|
+| 0 (root) | 100000 | lnd, fedimint, fedimint-gateway, homeassistant, jellyfin, vaultwarden, photoprism, ollama, filebrowser, electrumx, btcpay-server, nbxplorer, immich, nostr-rs-relay, strfry, nextcloud, searxng, onlyoffice, tailscale, uptime-kuma | `sudo chown -R 100000:100000 /var/lib/archipelago/{app}` |
+| 70 | 100070 | postgres (btcpay-db, immich-db, penpot-postgres) | `sudo chown -R 100070:100070 /var/lib/archipelago/postgres-*` |
+| 101 | 100101 | bitcoin-knots, bitcoin-core | `sudo chown -R 100101:100101 /var/lib/archipelago/bitcoin` |
+| 472 | 100472 | grafana | `sudo chown -R 100472:100472 /var/lib/archipelago/grafana` |
+| 999 | 100999 | MariaDB (mysql-mempool) | `sudo chown -R 100999:100999 /var/lib/archipelago/mysql-mempool` |
+
+## How to Find a Container's UID
+
+If you encounter a new container with permission issues:
+
+```bash
+# Check what user the container runs as
+podman inspect CONTAINER_NAME --format "{{.Config.User}}"
+
+# If empty, it runs as root (UID 0) → host UID 100000
+
+# If it shows a username, find the UID inside the image
+podman run --rm IMAGE_NAME id
+
+# Then calculate: host_uid = 100000 + container_uid
+```
+
+## Fix Script
+
+Run this after any fresh install, migration, or when containers have permission errors:
+
+```bash
+#!/bin/bash
+# Fix all rootless podman volume ownership
+
+# UID 0 → 100000 (most containers)
+for dir in lnd fedimint fedimint-gateway homeassistant jellyfin vaultwarden photoprism \
+           ollama filebrowser electrumx btcpay nbxplorer immich nostr-rs-relay nextcloud \
+           searxng onlyoffice uptime-kuma; do
+  [ -d "/var/lib/archipelago/$dir" ] && sudo chown -R 100000:100000 "/var/lib/archipelago/$dir"
+done
+
+# UID 101 → 100101 (Bitcoin)
+[ -d "/var/lib/archipelago/bitcoin" ] && sudo chown -R 100101:100101 /var/lib/archipelago/bitcoin
+
+# UID 70 → 100070 (PostgreSQL)
+for dir in /var/lib/archipelago/postgres-* /var/lib/archipelago/btcpay-db /var/lib/archipelago/immich-db; do
+  [ -d "$dir" ] && sudo chown -R 100070:100070 "$dir"
+done
+
+# UID 999 → 100999 (MariaDB)
+[ -d "/var/lib/archipelago/mysql-mempool" ] && sudo chown -R 100999:100999 /var/lib/archipelago/mysql-mempool
+
+# UID 472 → 100472 (Grafana)
+[ -d "/var/lib/archipelago/grafana" ] && sudo chown -R 100472:100472 /var/lib/archipelago/grafana
+```
+
+## Rootful vs Rootless Comparison
+
+| Aspect | Rootful (old) | Rootless (current) |
+|--------|---------------|-------------------|
+| Podman command | `sudo podman` | `podman` (as archipelago user) |
+| Container storage | `/var/lib/containers/storage` | `~/.local/share/containers/storage` |
+| Container subnet | `10.88.0.0/16` | `10.89.0.0/16` |
+| Volume ownership | Container UID directly | Mapped UID (100000 + container_uid) |
+| Requires root? | Yes | No (except fixing volume ownership) |
+| XDG_RUNTIME_DIR | Not needed | Required: `/run/user/1000` |
+| User lingering | Not needed | Required: `loginctl enable-linger` |
+| Systemd restrictions | All can be enabled | Must disable: RestrictNamespaces, SystemCallFilter |
diff --git a/.claude/skills/podman-fix/SKILL.md b/.claude/skills/podman-fix/SKILL.md
index e3b3e413..15a4a789 100644
--- a/.claude/skills/podman-fix/SKILL.md
+++ b/.claude/skills/podman-fix/SKILL.md
@@ -2,19 +2,24 @@
 name: podman-fix
 description: >
   Fix Podman container issues on Archipelago — restart failed containers, repair port bindings,
-  fix network connectivity, add missing restart policies, and resolve config drift.
+  fix network connectivity, add missing restart policies, fix rootless UID mapping, and resolve
+  config drift. Handles rootless Podman (user: archipelago, UID 1000, subuid 100000:65536).
   Use when asked to "fix container", "restart app", "fix port mapping", "container not working",
-  "app won't start", "fix podman", "repair container", "container down", or after /podman-doctor
-  identifies issues to fix.
+  "app won't start", "fix podman", "repair container", "container down", "permission denied",
+  or after /podman-doctor identifies issues to fix.
 allowed-tools: Bash Read Edit Write Glob Grep
 ---
 
 # Podman Fix — Container Remediation
 
-Targeted fix workflow for Podman container issues on Archipelago. Given a specific problem (from /podman-doctor or user report), diagnose the root cause and fix it.
+Targeted fix workflow for **rootless Podman** container issues on Archipelago. Given a specific problem (from /podman-doctor or user report), diagnose the root cause and fix it.
 
 **SSH command**: `ssh -i ~/.ssh/archipelago-deploy archipelago@192.168.1.228`
 
+> **ROOTLESS PODMAN**: All `podman` commands run as the `archipelago` user — NO sudo.
+> Only use `sudo` for: chown on volume directories, UFW changes, systemd service edits, nginx reload.
+> Container UIDs are mapped via subuid: container UID N → host UID (100000 + N).
+
 If $ARGUMENTS is provided, fix that specific app/issue. Otherwise ask what needs fixing.
 
 ## Fix Procedures
@@ -23,21 +28,22 @@ If $ARGUMENTS is provided, fix that specific app/issue. Otherwise ask what needs
 
 ```bash
 # Check why it stopped
-sudo podman logs --tail 50 CONTAINER_NAME
-sudo podman inspect CONTAINER_NAME --format "{{.State.ExitCode}} {{.State.Error}}"
+podman logs --tail 50 CONTAINER_NAME
+podman inspect CONTAINER_NAME --format "{{.State.ExitCode}} {{.State.Error}}"
 
 # If clean exit or crash — just restart
-sudo podman start CONTAINER_NAME
+podman start CONTAINER_NAME
 
 # If corrupt state — remove and recreate
-sudo podman rm -f CONTAINER_NAME
+podman rm -f CONTAINER_NAME
 # Then recreate using the install flow (trigger from UI or re-run creation command)
 ```
 
-**If container keeps crashing**: check logs for the actual error. Common causes:
+**If container keeps crashing**, check logs for the actual error. Common causes:
 - Missing config file → check if volume mount has the config
-- Wrong permissions → `chown -R` the data directory
+- Wrong permissions → fix UID mapping (see Fix 8 below)
 - Dependency not ready → start dependency first, wait, then start this container
+- Exit code 127 → missing binary in container image, re-pull the image
 
 ### Fix 2: Missing Restart Policy
 
@@ -45,14 +51,14 @@ The most common uptime killer. Fix for ALL containers at once:
 
 ```bash
 # Fix a single container
-sudo podman update --restart unless-stopped CONTAINER_NAME
+podman update --restart unless-stopped CONTAINER_NAME
 
 # Fix ALL containers that have no restart policy
-for c in $(sudo podman ps -a --format "{{.Names}}"); do
-  policy=$(sudo podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
+for c in $(podman ps -a --format "{{.Names}}"); do
+  policy=$(podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
   if [ "$policy" = "no" ] || [ -z "$policy" ]; then
     echo "Fixing restart policy for: $c"
-    sudo podman update --restart unless-stopped "$c"
+    podman update --restart unless-stopped "$c"
   fi
 done
 ```
@@ -66,23 +72,24 @@ done
 #### Port conflict (address already in use)
 ```bash
 # Find what's using the port
-sudo ss -tlnp | grep :PORT_NUMBER
+ss -tlnp | grep :PORT_NUMBER
 
 # If it's another container, either change one's port or stop the conflicting one
-sudo podman stop CONFLICTING_CONTAINER
+podman stop CONFLICTING_CONTAINER
 
-# If it's a host process
-sudo kill PID  # or stop the service
+# If it's a host process (e.g., system tor vs container tor)
+sudo systemctl stop tor  # Stop system service if container needs the port
+sudo systemctl disable tor
 ```
 
 #### Port not mapped (container running but port unreachable)
 ```bash
 # Check current port mappings
-sudo podman port CONTAINER_NAME
+podman port CONTAINER_NAME
 
 # Can't add ports to running container — must recreate
-sudo podman stop CONTAINER_NAME
-sudo podman rm CONTAINER_NAME
+podman stop CONTAINER_NAME
+podman rm CONTAINER_NAME
 # Recreate with correct -p flags (use the Rust install flow or manual podman run)
 ```
 
@@ -124,35 +131,51 @@ Edit `neode-ui/src/stores/appLauncher.ts`:
 #### Container not on archy-net (can't resolve other containers)
 ```bash
 # Connect to archy-net without recreating
-sudo podman network connect archy-net CONTAINER_NAME
+podman network connect archy-net CONTAINER_NAME
 
 # Verify
-sudo podman inspect CONTAINER_NAME --format "{{.NetworkSettings.Networks}}"
+podman inspect CONTAINER_NAME --format "{{.NetworkSettings.Networks}}"
 ```
 
 #### archy-net doesn't exist
 ```bash
-sudo podman network create archy-net
+podman network create archy-net
 # Then reconnect all containers that need it
 ```
 
 #### DNS not working inside container
 ```bash
 # Test DNS from inside container
-sudo podman exec CONTAINER_NAME nslookup bitcoin-knots 2>/dev/null || \
-sudo podman exec CONTAINER_NAME ping -c1 bitcoin-knots
+podman exec CONTAINER_NAME nslookup bitcoin-knots 2>/dev/null || \
+podman exec CONTAINER_NAME ping -c1 bitcoin-knots
+
+# If DNS fails, check the container's resolv.conf
+podman exec CONTAINER_NAME cat /etc/resolv.conf
 
 # If DNS fails, recreate container with explicit DNS
 # Add --dns 1.1.1.1 to the podman run command
 ```
 
+#### Container subnet changed (rootful → rootless migration)
+```bash
+# Old rootful subnet: 10.88.0.0/16
+# New rootless subnet: 10.89.0.0/16
+# Bitcoin RPC rpcallowip must be updated if using subnet-specific allowlist
+
+# Check current archy-net subnet
+podman network inspect archy-net --format "{{range .Subnets}}{{.Subnet}}{{end}}"
+
+# If Bitcoin RPC refuses connections from containers:
+# Update bitcoin.conf rpcallowip to 0.0.0.0/0 (safe: only accessible via port mapping)
+```
+
 ### Fix 5: Health Check Issues
 
 #### Add missing health check to running container
 Can't add to running container — must recreate with health check flags:
 ```bash
 # Example for a web app
-sudo podman run ... \
+podman run ... \
   --health-cmd "curl -f http://localhost:PORT/health || exit 1" \
   --health-interval 30s \
   --health-timeout 5s \
@@ -164,10 +187,10 @@ sudo podman run ... \
 #### Fix unhealthy container
 ```bash
 # See what the health check is actually running
-sudo podman inspect CONTAINER_NAME --format "{{.Config.Healthcheck.Test}}"
+podman inspect CONTAINER_NAME --format "{{.Config.Healthcheck.Test}}"
 
 # Run the health check manually to see the error
-sudo podman exec CONTAINER_NAME HEALTH_CHECK_COMMAND
+podman exec CONTAINER_NAME HEALTH_CHECK_COMMAND
 
 # Common fixes:
 # - curl not installed in container → use wget or nc instead
@@ -179,13 +202,10 @@ sudo podman exec CONTAINER_NAME HEALTH_CHECK_COMMAND
 
 ```bash
 # Check what capabilities container has
-sudo podman inspect CONTAINER_NAME --format "{{.HostConfig.CapAdd}}"
+podman inspect CONTAINER_NAME --format "{{.HostConfig.CapAdd}}"
 
 # If missing required caps, must recreate with correct --cap-add flags
 # Refer to the capability reference in /podman-doctor references
-
-# Fix data directory permissions
-sudo chown -R 1000:1000 /var/lib/archipelago/APP_NAME/
 ```
 
 ### Fix 7: Full Config Consistency Fix
@@ -199,12 +219,108 @@ When port map is inconsistent across layers, fix ALL layers:
 5. **Deploy**: `./scripts/deploy-to-target.sh --live`
 6. **Verify**: `curl -I http://192.168.1.228/app/APP_ID/`
 
+### Fix 8: Rootless UID Mapping (Permission Denied on Volumes)
+
+This is the #1 rootless-specific issue. Container UIDs are remapped by user namespaces.
+
+**Formula**: `host_uid = 100000 + container_uid`
+
+```bash
+# Fix UID 0 containers (most apps — run as root inside, mapped to 100000 on host)
+sudo chown -R 100000:100000 /var/lib/archipelago/APP_NAME
+
+# Fix Bitcoin (container UID 101 → host UID 100101)
+sudo chown -R 100101:100101 /var/lib/archipelago/bitcoin
+
+# Fix PostgreSQL (container UID 70 → host UID 100070)
+sudo chown -R 100070:100070 /var/lib/archipelago/postgres-APP_NAME
+
+# Fix Grafana (container UID 472 → host UID 100472)
+sudo chown -R 100472:100472 /var/lib/archipelago/grafana
+
+# Fix MariaDB (container UID 999 → host UID 100999)
+sudo chown -R 100999:100999 /var/lib/archipelago/mysql-mempool
+```
+
+**How to find the right UID for a new container:**
+```bash
+# Check what user the container image runs as
+podman inspect IMAGE_NAME --format "{{.Config.User}}"
+# If empty = root (UID 0) → host UID 100000
+# If number → host UID = 100000 + that number
+# If username → run: podman run --rm IMAGE_NAME id
+```
+
+After fixing ownership, restart the container:
+```bash
+podman restart CONTAINER_NAME
+```
+
+### Fix 9: UFW Forward Policy (LAN Access Broken)
+
+If containers work locally but not from other machines on the network:
+
+```bash
+# Check current policy
+grep DEFAULT_FORWARD_POLICY /etc/default/ufw
+
+# Fix: change DROP to ACCEPT
+sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
+sudo ufw reload
+```
+
+### Fix 10: Systemd Sandbox Too Restrictive
+
+If the Rust backend can't scan/manage containers after a systemd update:
+
+```bash
+# Check what's blocked
+sudo journalctl -u archipelago --since "10 min ago" | grep -i "denied\|permission\|namespace\|syscall"
+
+# The archipelago.service MUST have these for rootless podman:
+# ProtectHome=no
+# PrivateTmp=no (or disabled)
+# RestrictNamespaces= (NOT SET — don't restrict)
+# SystemCallFilter= (NOT SET — don't filter)
+# ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/containers /run/user /tmp
+# Environment=XDG_RUNTIME_DIR=/run/user/1000
+```
+
+Edit the service file:
+```bash
+sudo systemctl edit archipelago.service
+# Add overrides, then:
+sudo systemctl daemon-reload
+sudo systemctl restart archipelago
+```
+
+### Fix 11: Stale Podman Processes
+
+If `podman ps` hangs or is very slow:
+
+```bash
+# Kill stuck podman processes (>10 of them = something is wrong)
+stuck=$(pgrep -c -f "podman ps\|podman stats" 2>/dev/null || echo 0)
+if [ "$stuck" -gt 10 ]; then
+  pkill -f "podman ps\|podman stats"
+  echo "Killed $stuck stuck podman processes"
+fi
+
+# Kill orphaned conmon processes holding ports
+for pid in $(pgrep conmon); do
+  container=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ' | grep -oP '(?<=--cid )\S+')
+  if [ -n "$container" ] && ! podman ps -a --format "{{.ID}}" | grep -q "${container:0:12}"; then
+    kill "$pid" 2>/dev/null && echo "Killed orphan conmon $pid"
+  fi
+done
+```
+
 ## After Fixing
 
 Always verify the fix:
 ```bash
 # Container running?
-sudo podman ps --filter name=CONTAINER_NAME
+podman ps --filter name=CONTAINER_NAME
 
 # Port reachable?
 curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:PORT/
@@ -213,7 +329,10 @@ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:PORT/
 curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1/app/APP_ID/
 
 # Health check passing?
-sudo podman inspect CONTAINER_NAME --format "{{.State.Health.Status}}"
+podman inspect CONTAINER_NAME --format "{{.State.Health.Status}}"
+
+# Volume permissions correct? (rootless check)
+podman exec CONTAINER_NAME ls -la /data/ 2>/dev/null || echo "Check container data path"
 ```
 
 Run `/podman-doctor` again to confirm all issues are resolved.
diff --git a/.claude/skills/podman-uptime/SKILL.md b/.claude/skills/podman-uptime/SKILL.md
index 5b080e56..7142f7d2 100644
--- a/.claude/skills/podman-uptime/SKILL.md
+++ b/.claude/skills/podman-uptime/SKILL.md
@@ -3,7 +3,8 @@ name: podman-uptime
 description: >
   Ensure 100% container uptime on Archipelago. Sets up systemd watchdog timers, verifies
   restart policies, creates health check monitors, and configures auto-recovery for all
-  containers. Use when asked to "ensure uptime", "containers keep dying", "auto-restart",
+  containers. Handles rootless Podman (user: archipelago, UID 1000, subuid 100000:65536).
+  Use when asked to "ensure uptime", "containers keep dying", "auto-restart",
   "watchdog", "container monitoring", "uptime guarantee", "keep containers running",
   "survive reboot", or to harden container reliability.
 allowed-tools: Bash Read Edit Write Glob Grep
@@ -15,6 +16,31 @@ Ensures every Archipelago container survives reboots, recovers from crashes, and
 
 **SSH command**: `ssh -i ~/.ssh/archipelago-deploy archipelago@192.168.1.228`
 
+> **ROOTLESS PODMAN**: All `podman` commands run as the `archipelago` user — NO sudo.
+> Only use `sudo` for: systemd unit files, chown on volumes, UFW changes.
+> The archipelago user runs containers directly via user namespaces.
+
+## Prerequisites for Rootless Uptime
+
+Before setting up uptime infrastructure, verify rootless Podman basics are working:
+
+```bash
+# Must be the archipelago user
+whoami  # archipelago
+
+# User lingering must be enabled (keeps user services running after logout)
+ls /var/lib/systemd/linger/ | grep archipelago || sudo loginctl enable-linger archipelago
+
+# XDG_RUNTIME_DIR must be set
+echo $XDG_RUNTIME_DIR  # /run/user/1000
+
+# Subuid/subgid must be configured
+grep archipelago /etc/subuid  # archipelago:100000:65536
+
+# UFW forward policy must be ACCEPT (for LAN access to containers)
+grep DEFAULT_FORWARD_POLICY /etc/default/ufw  # Must be "ACCEPT"
+```
+
 ## Layer 1: Restart Policies (Survive Reboots)
 
 Every container MUST have `--restart unless-stopped`. This is non-negotiable.
@@ -23,28 +49,31 @@ Every container MUST have `--restart unless-stopped`. This is non-negotiable.
 
 ```bash
 # Audit
-for c in $(sudo podman ps -a --format "{{.Names}}"); do
-  policy=$(sudo podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
+for c in $(podman ps -a --format "{{.Names}}"); do
+  policy=$(podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
   echo "$c: $policy"
 done
 
 # Fix any with "no" or empty policy
-for c in $(sudo podman ps -a --format "{{.Names}}"); do
-  policy=$(sudo podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
+for c in $(podman ps -a --format "{{.Names}}"); do
+  policy=$(podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
   if [ "$policy" = "no" ] || [ -z "$policy" ]; then
     echo "Fixing: $c"
-    sudo podman update --restart unless-stopped "$c"
+    podman update --restart unless-stopped "$c"
   fi
 done
 ```
 
 ### Ensure podman auto-starts containers on boot
 
-```bash
-# Enable podman-restart service (restarts containers with restart policy on boot)
-sudo systemctl enable podman-restart.service 2>/dev/null || true
+For rootless Podman, containers with restart policies are auto-started by `podman-restart` as a **user** service:
 
-# If podman-restart doesn't exist, create it
+```bash
+# Enable the rootless podman-restart user service
+systemctl --user enable podman-restart.service 2>/dev/null
+
+# If the user service doesn't exist, create a system-level one
+# (runs as archipelago user via User= directive)
 cat <<'EOF' | sudo tee /etc/systemd/system/podman-restart.service
 [Unit]
 Description=Podman Start All Containers With Restart Policy
@@ -53,8 +82,12 @@ Wants=network-online.target
 
 [Service]
 Type=oneshot
+User=archipelago
+Group=archipelago
+Environment=XDG_RUNTIME_DIR=/run/user/1000
 ExecStart=/usr/bin/podman start --all --filter restart-policy=unless-stopped
 RemainAfterExit=yes
+TimeoutStartSec=300
 
 [Install]
 WantedBy=multi-user.target
@@ -73,27 +106,31 @@ Create a systemd timer that checks container health every 2 minutes and restarts
 ```bash
 cat <<'SCRIPT' | sudo tee /usr/local/bin/archipelago-container-watchdog.sh
 #!/bin/bash
-# Archipelago Container Watchdog
-# Checks all containers and restarts any that are stopped or unhealthy
+# Archipelago Container Watchdog (Rootless Podman)
+# Runs as archipelago user — NO sudo for podman commands
 
 LOG_TAG="container-watchdog"
 
+# Run podman as the archipelago user with correct XDG path
+export XDG_RUNTIME_DIR=/run/user/1000
+PODMAN="/usr/bin/podman"
+
 # Restart any stopped containers that should be running (have restart policy)
-for c in $(sudo podman ps -a --filter status=exited --filter restart-policy=unless-stopped --format "{{.Names}}"); do
+for c in $($PODMAN ps -a --filter status=exited --filter restart-policy=unless-stopped --format "{{.Names}}" 2>/dev/null); do
   logger -t "$LOG_TAG" "Restarting stopped container: $c"
-  sudo podman start "$c" 2>&1 | logger -t "$LOG_TAG"
+  $PODMAN start "$c" 2>&1 | logger -t "$LOG_TAG"
 done
 
 # Restart unhealthy containers
-for c in $(sudo podman ps --filter health=unhealthy --format "{{.Names}}"); do
+for c in $($PODMAN ps --filter health=unhealthy --format "{{.Names}}" 2>/dev/null); do
   logger -t "$LOG_TAG" "Restarting unhealthy container: $c"
-  sudo podman restart "$c" 2>&1 | logger -t "$LOG_TAG"
+  $PODMAN restart "$c" 2>&1 | logger -t "$LOG_TAG"
 done
 
 # Check for containers in "created" state (never started)
-for c in $(sudo podman ps -a --filter status=created --format "{{.Names}}"); do
+for c in $($PODMAN ps -a --filter status=created --format "{{.Names}}" 2>/dev/null); do
   logger -t "$LOG_TAG" "Starting created container: $c"
-  sudo podman start "$c" 2>&1 | logger -t "$LOG_TAG"
+  $PODMAN start "$c" 2>&1 | logger -t "$LOG_TAG"
 done
 SCRIPT
 
@@ -103,7 +140,7 @@ sudo chmod +x /usr/local/bin/archipelago-container-watchdog.sh
 ### Create the systemd timer
 
 ```bash
-# Service unit
+# Service unit — runs as archipelago user for rootless podman
 cat <<'EOF' | sudo tee /etc/systemd/system/archipelago-watchdog.service
 [Unit]
 Description=Archipelago Container Watchdog
@@ -111,6 +148,9 @@ After=podman-restart.service
 
 [Service]
 Type=oneshot
+User=archipelago
+Group=archipelago
+Environment=XDG_RUNTIME_DIR=/run/user/1000
 ExecStart=/usr/local/bin/archipelago-container-watchdog.sh
 EOF
 
@@ -150,17 +190,20 @@ Some containers depend on others. The watchdog handles restarts, but initial boo
 ```bash
 cat <<'SCRIPT' | sudo tee /usr/local/bin/archipelago-ordered-start.sh
 #!/bin/bash
-# Ordered container startup for Archipelago
+# Ordered container startup for Archipelago (Rootless Podman)
+# Runs as archipelago user — NO sudo for podman commands
 # Respects dependency chain: bitcoin → electrs/lnd → mempool/btcpay
 
 LOG_TAG="ordered-start"
+export XDG_RUNTIME_DIR=/run/user/1000
+PODMAN="/usr/bin/podman"
 
 wait_for_container() {
   local name=$1
   local max_wait=${2:-60}
   local waited=0
   while [ $waited -lt $max_wait ]; do
-    status=$(sudo podman inspect "$name" --format "{{.State.Running}}" 2>/dev/null)
+    status=$($PODMAN inspect "$name" --format "{{.State.Running}}" 2>/dev/null)
     if [ "$status" = "true" ]; then
       logger -t "$LOG_TAG" "$name is running"
       return 0
@@ -174,38 +217,45 @@ wait_for_container() {
 
 # Tier 0: Infrastructure
 logger -t "$LOG_TAG" "Starting Tier 0: Infrastructure"
-sudo podman start tailscale 2>/dev/null
+$PODMAN start tailscale 2>/dev/null
 
-# Tier 1: Bitcoin (foundation)
-logger -t "$LOG_TAG" "Starting Tier 1: Bitcoin"
-sudo podman start bitcoin-knots 2>/dev/null
+# Tier 1: Databases (must start before services that depend on them)
+logger -t "$LOG_TAG" "Starting Tier 1: Databases"
+$PODMAN start mempool-db 2>/dev/null
+$PODMAN start btcpay-postgres 2>/dev/null
+$PODMAN start immich_postgres 2>/dev/null
+sleep 5
+
+# Tier 2: Bitcoin (foundation for Lightning and explorers)
+logger -t "$LOG_TAG" "Starting Tier 2: Bitcoin"
+$PODMAN start bitcoin-knots 2>/dev/null
 wait_for_container bitcoin-knots 120
 
-# Tier 2: Bitcoin-dependent services
-logger -t "$LOG_TAG" "Starting Tier 2: Bitcoin-dependent"
-sudo podman start electrs 2>/dev/null
-sudo podman start lnd 2>/dev/null
-wait_for_container electrs 90
+# Tier 3: Bitcoin-dependent services
+logger -t "$LOG_TAG" "Starting Tier 3: Bitcoin-dependent"
+$PODMAN start electrumx 2>/dev/null
+$PODMAN start lnd 2>/dev/null
+wait_for_container electrumx 90
 wait_for_container lnd 90
 
-# Tier 3: Services depending on Tier 2
-logger -t "$LOG_TAG" "Starting Tier 3: Second-order dependencies"
-sudo podman start mempool-db 2>/dev/null
-sleep 5
-sudo podman start mempool 2>/dev/null
-sudo podman start nbxplorer 2>/dev/null
+# Tier 4: Services depending on Tier 3
+logger -t "$LOG_TAG" "Starting Tier 4: Second-order dependencies"
+$PODMAN start mempool 2>/dev/null
+$PODMAN start nbxplorer 2>/dev/null
 sleep 10
-sudo podman start btcpay-server 2>/dev/null
-sudo podman start btcpay-postgres 2>/dev/null
+$PODMAN start btcpay-server 2>/dev/null
+$PODMAN start fedimint 2>/dev/null
+$PODMAN start fedimint-gateway 2>/dev/null
 
-# Tier 4: Independent apps (start all remaining)
-logger -t "$LOG_TAG" "Starting Tier 4: Independent apps"
-sudo podman start --all 2>/dev/null
+# Tier 5: Independent apps (start all remaining)
+logger -t "$LOG_TAG" "Starting Tier 5: Independent apps"
+$PODMAN start --all 2>/dev/null
 
-# Tier 5: UI containers (need parent apps running first)
-logger -t "$LOG_TAG" "Starting Tier 5: UI containers"
-sudo podman start bitcoin-ui 2>/dev/null
-sudo podman start lnd-ui 2>/dev/null
+# Tier 6: UI containers (need parent apps running first)
+logger -t "$LOG_TAG" "Starting Tier 6: UI containers"
+$PODMAN start bitcoin-ui 2>/dev/null
+$PODMAN start lnd-ui 2>/dev/null
+$PODMAN start electrs-ui 2>/dev/null
 
 logger -t "$LOG_TAG" "Startup sequence complete"
 SCRIPT
@@ -216,18 +266,22 @@ sudo chmod +x /usr/local/bin/archipelago-ordered-start.sh
 ### Wire into boot sequence
 
 ```bash
+# Runs as archipelago user for rootless podman
 cat <<'EOF' | sudo tee /etc/systemd/system/archipelago-containers.service
 [Unit]
 Description=Archipelago Ordered Container Startup
-After=network-online.target podman.service
+After=network-online.target
 Wants=network-online.target
 Before=archipelago.service
 
 [Service]
 Type=oneshot
+User=archipelago
+Group=archipelago
+Environment=XDG_RUNTIME_DIR=/run/user/1000
 ExecStart=/usr/local/bin/archipelago-ordered-start.sh
 RemainAfterExit=yes
-TimeoutStartSec=300
+TimeoutStartSec=600
 
 [Install]
 WantedBy=multi-user.target
@@ -237,14 +291,45 @@ sudo systemctl daemon-reload
 sudo systemctl enable archipelago-containers.service
 ```
 
+## Rootless-Specific Uptime Considerations
+
+### Volume ownership survives reboots
+Volume ownership doesn't change on reboot, but if a container image is updated (re-pulled), the new container may run as a different UID. Always verify after image updates:
+
+```bash
+# Quick ownership audit after image pull
+podman inspect CONTAINER_NAME --format "{{.Config.User}}"
+# Then verify: sudo stat -c '%u:%g' /var/lib/archipelago/APP_NAME
+# Formula: host_uid = 100000 + container_uid
+```
+
+### XDG_RUNTIME_DIR on boot
+Rootless Podman requires `/run/user/1000` to exist. This is created by `pam_systemd` when the user logs in, or by `loginctl enable-linger`. If it's missing after boot, containers won't start.
+
+```bash
+# Verify it exists
+ls -la /run/user/1000/ || echo "CRITICAL: /run/user/1000 missing — run: sudo loginctl enable-linger archipelago"
+```
+
+### Systemd sandbox must not block podman
+If the archipelago.service sandbox blocks namespace/syscall operations, the Rust backend can't scan containers. See Fix 10 in /podman-fix.
+
 ## Verification Checklist
 
 After setting up all 3 layers, verify:
 
 ```bash
+echo "=== Rootless Podman Prerequisites ==="
+echo "User: $(whoami)"
+echo "XDG_RUNTIME_DIR: $XDG_RUNTIME_DIR"
+grep archipelago /etc/subuid | head -1
+ls /var/lib/systemd/linger/ | grep archipelago && echo "Linger: enabled" || echo "Linger: DISABLED"
+grep DEFAULT_FORWARD_POLICY /etc/default/ufw
+
+echo ""
 echo "=== Layer 1: Restart Policies ==="
-for c in $(sudo podman ps -a --format "{{.Names}}"); do
-  policy=$(sudo podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
+for c in $(podman ps -a --format "{{.Names}}"); do
+  policy=$(podman inspect "$c" --format "{{.HostConfig.RestartPolicy.Name}}")
   echo "  $c: $policy"
 done
 
@@ -261,11 +346,19 @@ sudo systemctl is-enabled archipelago-watchdog.timer 2>/dev/null || echo "watchd
 
 echo ""
 echo "=== Container Health Summary ==="
-total=$(sudo podman ps -a --format "{{.Names}}" | wc -l)
-running=$(sudo podman ps --format "{{.Names}}" | wc -l)
+total=$(podman ps -a --format "{{.Names}}" | wc -l)
+running=$(podman ps --format "{{.Names}}" | wc -l)
 stopped=$((total - running))
-unhealthy=$(sudo podman ps --filter health=unhealthy --format "{{.Names}}" | wc -l)
+unhealthy=$(podman ps --filter health=unhealthy --format "{{.Names}}" | wc -l)
 echo "  Total: $total | Running: $running | Stopped: $stopped | Unhealthy: $unhealthy"
+
+echo ""
+echo "=== Volume Ownership Spot Check ==="
+for dir in bitcoin lnd grafana; do
+  if [ -d "/var/lib/archipelago/$dir" ]; then
+    echo "  $dir: $(stat -c '%u:%g' /var/lib/archipelago/$dir)"
+  fi
+done
 ```
 
 ## Reboot Test
@@ -274,17 +367,20 @@ The ultimate uptime test — reboot the server and verify everything comes back:
 
 ```bash
 # Before reboot: record running containers
-sudo podman ps --format "{{.Names}}" | sort > /tmp/before-reboot.txt
+podman ps --format "{{.Names}}" | sort > /tmp/before-reboot.txt
 
 # Reboot
 sudo reboot
 
 # After reboot (wait ~3 minutes, then SSH back in):
-sudo podman ps --format "{{.Names}}" | sort > /tmp/after-reboot.txt
+podman ps --format "{{.Names}}" | sort > /tmp/after-reboot.txt
 
 # Compare
 diff /tmp/before-reboot.txt /tmp/after-reboot.txt
 # Should show no differences
+
+# Also verify XDG_RUNTIME_DIR survived reboot
+ls /run/user/1000/ || echo "CRITICAL: lingering not working"
 ```
 
 ## Monitoring
@@ -292,18 +388,23 @@ diff /tmp/before-reboot.txt /tmp/after-reboot.txt
 Check uptime status anytime:
 ```bash
 # Quick status
-sudo podman ps -a --format "table {{.Names}}\t{{.Status}}" | sort
+podman ps -a --format "table {{.Names}}\t{{.Status}}" | sort
 
 # Watchdog activity
 sudo journalctl -t container-watchdog --since "24 hours ago" --no-pager
 
 # Container events (starts, stops, deaths)
-sudo podman events --since 24h --filter event=start --filter event=stop --filter event=died 2>/dev/null | tail -30
+podman events --since 24h --filter event=start --filter event=stop --filter event=died 2>/dev/null | tail -30
+
+# Check for permission denied errors (rootless UID mapping issue)
+podman ps -a --filter status=exited --format "{{.Names}}" | while read c; do
+  podman logs --tail 5 "$c" 2>&1 | grep -i "permission denied" && echo "  ^ UID mapping issue in: $c"
+done
 ```
 
 ## Integration
 
-- Run `/podman-doctor` first to identify issues
-- Run `/podman-fix` for specific container repairs
+- Run `/podman-doctor` first to identify issues (includes rootless health checks)
+- Run `/podman-fix` for specific container repairs (includes UID mapping fixes)
 - Run `/podman-uptime` to set up permanent reliability infrastructure
 - Add to ISO build: copy watchdog scripts to `image-recipe/configs/` and enable in first-boot
diff --git a/docs/architecture-review.html b/docs/architecture-review.html
new file mode 100644
index 00000000..2c23e1b9
--- /dev/null
+++ b/docs/architecture-review.html
@@ -0,0 +1,1528 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Archipelago — Architecture Review & Learning Guide</title>
+<style>
+  :root {
+    --bg: #0a0a0f;
+    --surface: #12121a;
+    --surface-2: #1a1a26;
+    --border: rgba(255,255,255,0.08);
+    --border-bright: rgba(255,255,255,0.15);
+    --text: rgba(255,255,255,0.88);
+    --text-muted: rgba(255,255,255,0.55);
+    --accent: #fb923c;
+    --accent-dim: rgba(251,146,60,0.15);
+    --green: #4ade80;
+    --green-dim: rgba(74,222,128,0.12);
+    --red: #ef4444;
+    --red-dim: rgba(239,68,68,0.12);
+    --blue: #3b82f6;
+    --blue-dim: rgba(59,130,246,0.12);
+    --yellow: #facc15;
+    --yellow-dim: rgba(250,204,21,0.12);
+    --purple: #a78bfa;
+    --purple-dim: rgba(167,139,250,0.12);
+    --glass: rgba(255,255,255,0.04);
+    --radius: 12px;
+  }
+
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+
+  body {
+    font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+    background: var(--bg);
+    color: var(--text);
+    line-height: 1.7;
+    font-size: 16px;
+  }
+
+  /* ─── Navigation ─── */
+  nav {
+    position: fixed;
+    top: 0;
+    left: 0;
+    width: 280px;
+    height: 100vh;
+    background: var(--surface);
+    border-right: 1px solid var(--border);
+    overflow-y: auto;
+    padding: 24px 0;
+    z-index: 100;
+    scrollbar-width: thin;
+    scrollbar-color: var(--border-bright) transparent;
+  }
+
+  nav .logo {
+    padding: 0 24px 20px;
+    border-bottom: 1px solid var(--border);
+    margin-bottom: 16px;
+  }
+
+  nav .logo h1 {
+    font-size: 18px;
+    font-weight: 700;
+    color: var(--accent);
+    letter-spacing: -0.02em;
+  }
+
+  nav .logo p {
+    font-size: 12px;
+    color: var(--text-muted);
+    margin-top: 4px;
+  }
+
+  nav .nav-section {
+    padding: 8px 16px 4px;
+    font-size: 10px;
+    font-weight: 700;
+    text-transform: uppercase;
+    letter-spacing: 0.1em;
+    color: var(--text-muted);
+  }
+
+  nav a {
+    display: block;
+    padding: 6px 24px;
+    color: var(--text-muted);
+    text-decoration: none;
+    font-size: 13px;
+    transition: all 0.2s;
+    border-left: 2px solid transparent;
+  }
+
+  nav a:hover, nav a.active {
+    color: var(--text);
+    background: var(--glass);
+    border-left-color: var(--accent);
+  }
+
+  /* ─── Main Content ─── */
+  main {
+    margin-left: 280px;
+    max-width: 900px;
+    padding: 48px 48px 120px;
+  }
+
+  h2 {
+    font-size: 28px;
+    font-weight: 700;
+    margin: 64px 0 8px;
+    padding-top: 24px;
+    color: var(--text);
+    letter-spacing: -0.02em;
+    border-top: 1px solid var(--border);
+  }
+
+  h2:first-of-type { border-top: none; margin-top: 0; }
+
+  h3 {
+    font-size: 20px;
+    font-weight: 600;
+    margin: 40px 0 12px;
+    color: var(--text);
+  }
+
+  h4 {
+    font-size: 16px;
+    font-weight: 600;
+    margin: 24px 0 8px;
+    color: var(--accent);
+  }
+
+  p { margin: 8px 0 16px; color: var(--text); }
+
+  .subtitle {
+    font-size: 15px;
+    color: var(--text-muted);
+    margin-bottom: 32px;
+  }
+
+  /* ─── Hero ─── */
+  .hero {
+    text-align: center;
+    padding: 48px 0 56px;
+    margin-bottom: 24px;
+  }
+
+  .hero h1 {
+    font-size: 42px;
+    font-weight: 800;
+    background: linear-gradient(135deg, var(--accent), #f59e0b);
+    -webkit-background-clip: text;
+    -webkit-text-fill-color: transparent;
+    letter-spacing: -0.03em;
+  }
+
+  .hero .tagline {
+    font-size: 18px;
+    color: var(--text-muted);
+    margin-top: 12px;
+    max-width: 600px;
+    margin-left: auto;
+    margin-right: auto;
+  }
+
+  .hero .meta {
+    margin-top: 20px;
+    display: flex;
+    gap: 16px;
+    justify-content: center;
+    flex-wrap: wrap;
+  }
+
+  .hero .meta span {
+    font-size: 12px;
+    padding: 4px 12px;
+    border-radius: 999px;
+    border: 1px solid var(--border-bright);
+    color: var(--text-muted);
+  }
+
+  /* ─── Cards ─── */
+  .card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: var(--radius);
+    padding: 24px;
+    margin: 16px 0;
+  }
+
+  .card-grid {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(260px, 1fr));
+    gap: 16px;
+    margin: 16px 0;
+  }
+
+  .card-sm {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: var(--radius);
+    padding: 16px 20px;
+  }
+
+  .card-sm h4 { margin: 0 0 6px; font-size: 14px; }
+  .card-sm p { font-size: 13px; color: var(--text-muted); margin: 0; }
+
+  /* ─── Badges ─── */
+  .badge {
+    display: inline-block;
+    font-size: 11px;
+    font-weight: 600;
+    padding: 2px 10px;
+    border-radius: 999px;
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+  }
+
+  .badge-green { background: var(--green-dim); color: var(--green); }
+  .badge-red { background: var(--red-dim); color: var(--red); }
+  .badge-yellow { background: var(--yellow-dim); color: var(--yellow); }
+  .badge-blue { background: var(--blue-dim); color: var(--blue); }
+  .badge-purple { background: var(--purple-dim); color: var(--purple); }
+  .badge-accent { background: var(--accent-dim); color: var(--accent); }
+
+  /* ─── Tables ─── */
+  table {
+    width: 100%;
+    border-collapse: collapse;
+    margin: 16px 0;
+    font-size: 14px;
+  }
+
+  th {
+    text-align: left;
+    padding: 10px 14px;
+    background: var(--surface-2);
+    color: var(--text-muted);
+    font-weight: 600;
+    font-size: 12px;
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+    border-bottom: 1px solid var(--border);
+  }
+
+  td {
+    padding: 10px 14px;
+    border-bottom: 1px solid var(--border);
+    vertical-align: top;
+  }
+
+  tr:hover td { background: var(--glass); }
+
+  /* ─── Code ─── */
+  code {
+    font-family: 'JetBrains Mono', 'Fira Code', monospace;
+    font-size: 13px;
+    background: var(--surface-2);
+    padding: 2px 6px;
+    border-radius: 4px;
+    color: var(--accent);
+  }
+
+  pre {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: var(--radius);
+    padding: 20px;
+    overflow-x: auto;
+    margin: 16px 0;
+    font-size: 13px;
+    line-height: 1.6;
+  }
+
+  pre code {
+    background: none;
+    padding: 0;
+    color: var(--text);
+  }
+
+  .code-comment { color: var(--text-muted); }
+  .code-keyword { color: var(--purple); }
+  .code-string { color: var(--green); }
+  .code-fn { color: var(--blue); }
+
+  /* ─── Diagrams (ASCII art in pre) ─── */
+  .diagram {
+    background: var(--surface);
+    border: 1px solid var(--border-bright);
+    border-radius: var(--radius);
+    padding: 24px;
+    margin: 20px 0;
+    overflow-x: auto;
+    font-family: 'JetBrains Mono', monospace;
+    font-size: 13px;
+    line-height: 1.5;
+    color: var(--text-muted);
+  }
+
+  .diagram .highlight { color: var(--accent); font-weight: 600; }
+  .diagram .green { color: var(--green); }
+  .diagram .blue { color: var(--blue); }
+  .diagram .red { color: var(--red); }
+  .diagram .purple { color: var(--purple); }
+
+  /* ─── Callouts ─── */
+  .callout {
+    border-radius: var(--radius);
+    padding: 16px 20px;
+    margin: 16px 0;
+    font-size: 14px;
+    border-left: 3px solid;
+  }
+
+  .callout-info { background: var(--blue-dim); border-color: var(--blue); }
+  .callout-warn { background: var(--yellow-dim); border-color: var(--yellow); }
+  .callout-danger { background: var(--red-dim); border-color: var(--red); }
+  .callout-success { background: var(--green-dim); border-color: var(--green); }
+  .callout-learn { background: var(--purple-dim); border-color: var(--purple); }
+
+  .callout strong { display: block; margin-bottom: 4px; }
+
+  /* ─── Score cards ─── */
+  .score-grid {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+    gap: 12px;
+    margin: 20px 0;
+  }
+
+  .score-card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: var(--radius);
+    padding: 16px;
+    text-align: center;
+  }
+
+  .score-card .score {
+    font-size: 32px;
+    font-weight: 800;
+    margin: 4px 0;
+  }
+
+  .score-card .label {
+    font-size: 12px;
+    color: var(--text-muted);
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+  }
+
+  /* ─── Lists ─── */
+  ul, ol {
+    margin: 8px 0 16px 24px;
+    color: var(--text);
+  }
+
+  li { margin: 4px 0; font-size: 15px; }
+  li code { font-size: 12px; }
+
+  /* ─── Analogy boxes ─── */
+  .analogy {
+    background: var(--purple-dim);
+    border: 1px solid rgba(167,139,250,0.2);
+    border-radius: var(--radius);
+    padding: 20px;
+    margin: 16px 0;
+  }
+
+  .analogy::before {
+    content: 'Real-World Analogy';
+    display: block;
+    font-size: 11px;
+    font-weight: 700;
+    text-transform: uppercase;
+    letter-spacing: 0.08em;
+    color: var(--purple);
+    margin-bottom: 8px;
+  }
+
+  .analogy p { font-size: 14px; color: var(--text); margin: 0; }
+
+  /* ─── Responsive ─── */
+  @media (max-width: 900px) {
+    nav { display: none; }
+    main { margin-left: 0; padding: 24px 20px 80px; }
+    .hero h1 { font-size: 28px; }
+    .card-grid { grid-template-columns: 1fr; }
+    .score-grid { grid-template-columns: repeat(2, 1fr); }
+  }
+
+  /* ─── Smooth scroll ─── */
+  html { scroll-behavior: smooth; }
+
+  /* ─── Separator ─── */
+  hr {
+    border: none;
+    border-top: 1px solid var(--border);
+    margin: 40px 0;
+  }
+
+  .flow-step {
+    display: flex;
+    gap: 16px;
+    margin: 12px 0;
+    align-items: flex-start;
+  }
+
+  .flow-step .num {
+    flex-shrink: 0;
+    width: 28px;
+    height: 28px;
+    border-radius: 50%;
+    background: var(--accent-dim);
+    color: var(--accent);
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    font-size: 13px;
+    font-weight: 700;
+  }
+
+  .flow-step .content { flex: 1; }
+  .flow-step .content strong { color: var(--accent); }
+  .flow-step .content p { margin: 0; font-size: 14px; }
+</style>
+</head>
+<body>
+
+<!-- ═══════════════════════ NAVIGATION ═══════════════════════ -->
+<nav>
+  <div class="logo">
+    <h1>Archipelago</h1>
+    <p>Architecture Review & Guide</p>
+  </div>
+
+  <div class="nav-section">Overview</div>
+  <a href="#what-is-it">What Is Archipelago?</a>
+  <a href="#big-picture">The Big Picture</a>
+  <a href="#how-it-runs">How It Runs on a Machine</a>
+
+  <div class="nav-section">Architecture</div>
+  <a href="#layers">The Four Layers</a>
+  <a href="#rust-backend">Rust Backend</a>
+  <a href="#vue-frontend">Vue.js Frontend</a>
+  <a href="#containers">Container System</a>
+  <a href="#nginx">Nginx Routing</a>
+  <a href="#data-flow">How Data Flows</a>
+
+  <div class="nav-section">Key Concepts</div>
+  <a href="#rpc">RPC: How Frontend Talks to Backend</a>
+  <a href="#state">State Management</a>
+  <a href="#auth">Authentication & Sessions</a>
+  <a href="#security">Security Model</a>
+  <a href="#bitcoin">Bitcoin Integration</a>
+  <a href="#federation">Federation & Multi-Node</a>
+  <a href="#mesh">Mesh Networking</a>
+
+  <div class="nav-section">Build & Deploy</div>
+  <a href="#deploy-system">Deploy System</a>
+  <a href="#iso-build">ISO Build Process</a>
+  <a href="#first-boot">First Boot Sequence</a>
+
+  <div class="nav-section">Code Review</div>
+  <a href="#scores">Quality Scores</a>
+  <a href="#whats-good">What's Done Well</a>
+  <a href="#whats-wrong">What Needs Fixing</a>
+  <a href="#refactor-plan">Refactoring Priorities</a>
+  <a href="#tech-debt">Technical Debt Map</a>
+
+  <div class="nav-section">Learning Path</div>
+  <a href="#learning">Recommended Study Order</a>
+  <a href="#glossary">Glossary</a>
+</nav>
+
+<!-- ═══════════════════════ MAIN CONTENT ═══════════════════════ -->
+<main>
+
+<!-- ─── Hero ─── -->
+<div class="hero">
+  <h1>Archipelago</h1>
+  <p class="tagline">A complete architecture review and learning guide for the Bitcoin Node OS — explained so anyone can understand it.</p>
+  <div class="meta">
+    <span>Rust + Vue 3 + Podman</span>
+    <span>~46,000 lines of Rust</span>
+    <span>~12,000 lines of TypeScript</span>
+    <span>~100 shell scripts</span>
+    <span>v0.1.0-alpha</span>
+  </div>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="what-is-it">What Is Archipelago?</h2>
+
+<p>Archipelago (nicknamed "Archy") is a <strong>personal server operating system</strong> focused on Bitcoin. You download an ISO file, flash it to a USB drive, install it on any computer, and it gives you:</p>
+
+<ul>
+  <li>A <strong>full Bitcoin node</strong> — you verify your own transactions, no trust in anyone else</li>
+  <li>A <strong>Lightning Network node</strong> — fast, cheap Bitcoin payments</li>
+  <li>A <strong>web dashboard</strong> — manage everything from your phone or laptop browser</li>
+  <li>An <strong>app marketplace</strong> — install apps like Nextcloud, Jellyfin, Vaultwarden with one click</li>
+  <li><strong>Privacy by default</strong> — Tor routing, encrypted secrets, no telemetry</li>
+</ul>
+
+<div class="analogy">
+  <p>Think of it like an iPhone for servers. Apple gives you a phone with an App Store where you install apps. Archipelago gives you a server with a Marketplace where you install self-hosted apps. The difference? <em>You</em> own and control everything — your data never leaves your machine.</p>
+</div>
+
+<p>Similar projects exist (Umbrel, Start9, RaspiBlitz), but Archipelago is built from scratch with production-grade security and a custom Rust backend instead of Node.js.</p>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="big-picture">The Big Picture</h2>
+
+<p>Before diving into code, understand the <strong>four layers</strong> of the system and how they stack:</p>
+
+<div class="diagram">
+<span class="highlight">┌──────────────────────────────────────────────────────┐</span>
+<span class="highlight">│                   YOUR BROWSER                       │</span>
+<span class="highlight">│         (Vue.js Single Page Application)             │</span>
+<span class="highlight">└──────────────────────┬───────────────────────────────┘</span>
+                       │ HTTP requests (fetch API)
+<span class="blue">┌──────────────────────┴───────────────────────────────┐</span>
+<span class="blue">│                    NGINX                              │</span>
+<span class="blue">│   Reverse proxy — routes traffic to the right place  │</span>
+<span class="blue">│   /rpc/v1 → backend   /app/bitcoin/ → container     │</span>
+<span class="blue">└──────────────────────┬───────────────────────────────┘</span>
+                       │ Internal HTTP (port 5678)
+<span class="green">┌──────────────────────┴───────────────────────────────┐</span>
+<span class="green">│                 RUST BACKEND                          │</span>
+<span class="green">│   The brain — handles auth, app installs, Bitcoin    │</span>
+<span class="green">│   RPC, mesh networking, federation, health checks    │</span>
+<span class="green">└──────────────────────┬───────────────────────────────┘</span>
+                       │ Podman commands (CLI)
+<span class="purple">┌──────────────────────┴───────────────────────────────┐</span>
+<span class="purple">│              PODMAN CONTAINERS                        │</span>
+<span class="purple">│   Bitcoin Core, LND, Mempool, Nextcloud, etc.        │</span>
+<span class="purple">│   Each app runs isolated in its own container         │</span>
+<span class="purple">└──────────────────────────────────────────────────────┘</span>
+
+<span class="red">┌──────────────────────────────────────────────────────┐</span>
+<span class="red">│              DEBIAN 12 (Linux OS)                     │</span>
+<span class="red">│   The foundation — systemd, firewall, filesystem     │</span>
+<span class="red">└──────────────────────────────────────────────────────┘</span>
+</div>
+
+<div class="callout callout-learn">
+  <strong>Key Concept: Separation of Concerns</strong>
+  Each layer has ONE job. The browser shows things. Nginx routes traffic. Rust makes decisions. Podman runs apps. This makes the system easier to understand, test, and fix — if the UI breaks, you know the problem is in the Vue code, not the Rust code.
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="how-it-runs">How It Runs on a Machine</h2>
+
+<p>When you install Archipelago on a computer and power it on, here's what happens in order:</p>
+
+<div class="flow-step"><div class="num">1</div><div class="content"><p><strong>Linux boots</strong> — Debian 12 starts up, loads drivers, mounts disks</p></div></div>
+<div class="flow-step"><div class="num">2</div><div class="content"><p><strong>systemd starts services</strong> — A program called <code>systemd</code> reads <code>archipelago.service</code> and launches the Rust backend</p></div></div>
+<div class="flow-step"><div class="num">3</div><div class="content"><p><strong>Rust backend initializes</strong> — Loads config, creates/loads encryption keys, starts the HTTP server on port 5678</p></div></div>
+<div class="flow-step"><div class="num">4</div><div class="content"><p><strong>Health monitor starts</strong> — Checks which containers are running, restarts crashed ones, reports readiness</p></div></div>
+<div class="flow-step"><div class="num">5</div><div class="content"><p><strong>Nginx starts</strong> — Listens on port 80 (HTTP) and routes all incoming traffic</p></div></div>
+<div class="flow-step"><div class="num">6</div><div class="content"><p><strong>Containers start</strong> — Bitcoin, LND, and other apps start in priority order (Bitcoin first, then things that depend on it)</p></div></div>
+<div class="flow-step"><div class="num">7</div><div class="content"><p><strong>Ready!</strong> — You open a browser, go to your server's IP address, and see the dashboard</p></div></div>
+
+<div class="analogy">
+  <p>It's like starting a restaurant. First the building opens (Linux). Then the manager arrives (Rust backend). They check if all kitchen stations are ready (health monitor). The front door opens (Nginx). The cooks start preparing (containers). Customers can now order (you open the web UI).</p>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="layers">The Four Layers — Detailed</h2>
+
+<h3 id="rust-backend">Layer 1: The Rust Backend (The Brain)</h3>
+
+<p>This is the most important piece. It's written in <strong>Rust</strong> — a programming language known for speed and safety. The backend is the "brain" that controls everything.</p>
+
+<div class="callout callout-learn">
+  <strong>Why Rust?</strong>
+  Rust prevents entire categories of bugs (memory leaks, crashes, race conditions) at compile time. For a server that manages Bitcoin wallets and runs 24/7, this matters. A crash could mean lost money. Rust makes crashes nearly impossible.
+</div>
+
+<h4>How the code is organized</h4>
+<p>The Rust code lives in <code>core/</code> and is split into 5 separate packages (called "crates"):</p>
+
+<table>
+  <tr><th>Crate</th><th>What It Does</th><th>Size</th><th>Analogy</th></tr>
+  <tr>
+    <td><code>archipelago</code></td>
+    <td>The main program. Contains all the API endpoints, authentication, identity management, federation, mesh networking</td>
+    <td>~12,000 lines</td>
+    <td>The restaurant manager — coordinates everything</td>
+  </tr>
+  <tr>
+    <td><code>container</code></td>
+    <td>Talks to Podman to create, start, stop, and monitor containers</td>
+    <td>~2,000 lines</td>
+    <td>The kitchen manager — controls the cook stations</td>
+  </tr>
+  <tr>
+    <td><code>security</code></td>
+    <td>Encrypts secrets, generates security profiles, verifies container images</td>
+    <td>~500 lines</td>
+    <td>The security guard — locks doors, checks IDs</td>
+  </tr>
+  <tr>
+    <td><code>performance</code></td>
+    <td>Monitors CPU, memory, and disk usage</td>
+    <td>~300 lines</td>
+    <td>The meter reader — watches resource gauges</td>
+  </tr>
+  <tr>
+    <td><code>parmanode</code></td>
+    <td>Compatibility layer for migrating from an older project</td>
+    <td>~600 lines</td>
+    <td>A translation book — speaks the old language</td>
+  </tr>
+</table>
+
+<h4>Key files you should know</h4>
+
+<table>
+  <tr><th>File</th><th>What It Does</th><th>Lines</th></tr>
+  <tr><td><code>main.rs</code></td><td>The entry point — starts the server, registers signal handlers</td><td>~200</td></tr>
+  <tr><td><code>server.rs</code></td><td>Wires everything together — creates the HTTP server, connects components</td><td>~500</td></tr>
+  <tr><td><code>api/rpc/mod.rs</code></td><td>The traffic cop — receives API calls and sends them to the right handler</td><td>~1,000</td></tr>
+  <tr><td><code>api/rpc/package.rs</code></td><td>The app installer — handles installing, starting, stopping containers</td><td>~1,770</td></tr>
+  <tr><td><code>session.rs</code></td><td>Login management — creates sessions, validates tokens, persists to disk</td><td>~790</td></tr>
+  <tr><td><code>health_monitor.rs</code></td><td>Watches containers, restarts crashed ones, reports system health</td><td>~710</td></tr>
+  <tr><td><code>federation.rs</code></td><td>Multi-node communication — syncs state between trusted Archipelago nodes</td><td>~810</td></tr>
+  <tr><td><code>credentials.rs</code></td><td>Verifiable credentials — W3C standard digital identity proofs</td><td>~800</td></tr>
+</table>
+
+<h4>How the backend handles a request</h4>
+
+<div class="diagram">
+Browser sends: POST /rpc/v1
+Body: { <span class="string">"method"</span>: <span class="string">"package.install"</span>, <span class="string">"params"</span>: { <span class="string">"id"</span>: <span class="string">"bitcoin-knots"</span> } }
+
+<span class="highlight">Step 1:</span> Nginx receives it on port 80, forwards to port 5678
+<span class="highlight">Step 2:</span> Rust HTTP server (Hyper) receives the raw bytes
+<span class="highlight">Step 3:</span> <span class="blue">mod.rs</span> parses the JSON, extracts the method name
+<span class="highlight">Step 4:</span> <span class="blue">mod.rs</span> checks the CSRF token (security check)
+<span class="highlight">Step 5:</span> <span class="blue">mod.rs</span> checks the session cookie (are you logged in?)
+<span class="highlight">Step 6:</span> <span class="blue">mod.rs</span> routes to <span class="green">package.rs</span> based on method name
+<span class="highlight">Step 7:</span> <span class="green">package.rs</span> validates the app ID, checks dependencies
+<span class="highlight">Step 8:</span> <span class="green">package.rs</span> tells Podman to pull the container image
+<span class="highlight">Step 9:</span> <span class="green">package.rs</span> creates and starts the container
+<span class="highlight">Step 10:</span> Response sent back: { <span class="string">"result"</span>: { <span class="string">"state"</span>: <span class="string">"installing"</span> } }
+</div>
+
+<hr>
+
+<h3 id="vue-frontend">Layer 2: The Vue.js Frontend (The Face)</h3>
+
+<p>The frontend is what you see in the browser. It's built with <strong>Vue 3</strong> — a JavaScript framework for building interactive web pages — and <strong>TypeScript</strong> — JavaScript with type safety.</p>
+
+<div class="callout callout-learn">
+  <strong>What is a Single Page Application (SPA)?</strong>
+  Instead of loading a new HTML page every time you click something (like old websites), an SPA loads once and then dynamically updates the page content. When you click "Marketplace" in Archipelago, it doesn't load a new page — it swaps out the content area. This makes it feel fast and smooth, like a native app.
+</div>
+
+<h4>Frontend file structure</h4>
+<pre><code>neode-ui/src/
+├── <span class="code-keyword">api/</span>              <span class="code-comment">← How the frontend talks to the backend</span>
+│   ├── rpc-client.ts    <span class="code-comment">← Makes API calls (fetch + retry + auth)</span>
+│   ├── container-client.ts <span class="code-comment">← Container-specific API helpers</span>
+│   └── websocket.ts     <span class="code-comment">← Real-time updates (push, not poll)</span>
+├── <span class="code-keyword">views/</span>            <span class="code-comment">← Full pages (one per route)</span>
+│   ├── Dashboard.vue    <span class="code-comment">← Main dashboard with sidebar</span>
+│   ├── Marketplace.vue  <span class="code-comment">← App store for installing containers</span>
+│   ├── Settings.vue     <span class="code-comment">← System settings</span>
+│   ├── Web5.vue         <span class="code-comment">← Decentralized identity management</span>
+│   ├── Mesh.vue         <span class="code-comment">← LoRa mesh radio interface</span>
+│   └── Login.vue        <span class="code-comment">← Login page</span>
+├── <span class="code-keyword">components/</span>       <span class="code-comment">← Reusable UI pieces</span>
+│   ├── BootScreen.vue   <span class="code-comment">← Startup loading animation</span>
+│   ├── SplashScreen.vue <span class="code-comment">← Welcome/intro screen</span>
+│   └── SpotlightSearch.vue <span class="code-comment">← Command palette (Cmd+K)</span>
+├── <span class="code-keyword">stores/</span>           <span class="code-comment">← State management (Pinia)</span>
+│   ├── app.ts           <span class="code-comment">← Core app state (auth, server data)</span>
+│   ├── container.ts     <span class="code-comment">← Container states &amp; lifecycle</span>
+│   ├── mesh.ts          <span class="code-comment">← Mesh networking state</span>
+│   └── appLauncher.ts   <span class="code-comment">← App launching &amp; iframe management</span>
+├── <span class="code-keyword">composables/</span>      <span class="code-comment">← Reusable logic (like React hooks)</span>
+│   ├── useToast.ts      <span class="code-comment">← Notification popups</span>
+│   └── useAudioPlayer.ts <span class="code-comment">← Sound effects</span>
+├── <span class="code-keyword">types/</span>            <span class="code-comment">← TypeScript type definitions</span>
+│   └── api.ts           <span class="code-comment">← Shapes of data from the backend</span>
+├── <span class="code-keyword">router/</span>           <span class="code-comment">← URL → page mapping</span>
+└── style.css            <span class="code-comment">← All global styles (glassmorphism theme)</span></code></pre>
+
+<h4>How a Vue component works</h4>
+<p>Every <code>.vue</code> file has three sections:</p>
+
+<pre><code><span class="code-comment">&lt;!-- 1. THE LOGIC (TypeScript) --&gt;</span>
+<span class="code-keyword">&lt;script setup lang="ts"&gt;</span>
+<span class="code-keyword">import</span> { ref, onMounted } <span class="code-keyword">from</span> <span class="code-string">'vue'</span>
+<span class="code-keyword">import</span> { rpcClient } <span class="code-keyword">from</span> <span class="code-string">'@/api/rpc-client'</span>
+
+<span class="code-comment">// "ref" is a reactive variable — when it changes, the UI updates automatically</span>
+<span class="code-keyword">const</span> apps = <span class="code-fn">ref</span>([])
+<span class="code-keyword">const</span> loading = <span class="code-fn">ref</span>(<span class="code-keyword">true</span>)
+
+<span class="code-comment">// "onMounted" runs when the component first appears on screen</span>
+<span class="code-fn">onMounted</span>(<span class="code-keyword">async</span> () => {
+  apps.value = <span class="code-keyword">await</span> rpcClient.<span class="code-fn">getMarketplace</span>()
+  loading.value = <span class="code-keyword">false</span>
+})
+<span class="code-keyword">&lt;/script&gt;</span>
+
+<span class="code-comment">&lt;!-- 2. THE TEMPLATE (HTML with Vue directives) --&gt;</span>
+<span class="code-keyword">&lt;template&gt;</span>
+  &lt;div v-if="loading"&gt;Loading...&lt;/div&gt;
+  &lt;div v-else v-for="app in apps" class="glass-card"&gt;
+    {{ app.name }}
+  &lt;/div&gt;
+<span class="code-keyword">&lt;/template&gt;</span>
+
+<span class="code-comment">&lt;!-- 3. THE STYLES (CSS, scoped to this component) --&gt;</span>
+<span class="code-keyword">&lt;style scoped&gt;</span>
+  <span class="code-comment">/* Styles here only affect THIS component */</span>
+<span class="code-keyword">&lt;/style&gt;</span></code></pre>
+
+<div class="analogy">
+  <p>A Vue component is like a LEGO brick. Each brick (component) has its own shape (template), color (styles), and moving parts (script). You snap them together to build the full UI. The <code>&lt;Dashboard&gt;</code> component contains <code>&lt;Sidebar&gt;</code>, which contains <code>&lt;NavItem&gt;</code> components — just like nesting LEGO bricks.</p>
+</div>
+
+<hr>
+
+<h3 id="containers">Layer 3: The Container System (The Apps)</h3>
+
+<p>Containers are how Archipelago runs apps like Bitcoin Core, Lightning, Nextcloud, etc. Each app runs in its own isolated "box" called a container.</p>
+
+<div class="callout callout-learn">
+  <strong>What is a Container?</strong>
+  A container is like a lightweight virtual machine. It has its own filesystem, its own network, and its own processes — but it shares the host's Linux kernel, so it's much faster than a full VM. Think of it as an apartment in a building — each apartment has its own walls and locks, but they all share the same building infrastructure.
+</div>
+
+<p>Archipelago uses <strong>Podman</strong> instead of Docker. They're nearly identical, but Podman runs without root privileges (more secure) and doesn't need a background daemon.</p>
+
+<h4>Container security rules</h4>
+<p>Every container in Archipelago follows strict security rules:</p>
+
+<table>
+  <tr><th>Rule</th><th>What It Means</th><th>Why</th></tr>
+  <tr>
+    <td><code>--cap-drop=ALL</code></td>
+    <td>Remove all Linux capabilities (super-powers)</td>
+    <td>A hacked container can't do anything dangerous</td>
+  </tr>
+  <tr>
+    <td><code>--cap-add=CHOWN</code></td>
+    <td>Give back only the specific powers needed</td>
+    <td>Minimum privilege — only what's necessary</td>
+  </tr>
+  <tr>
+    <td><code>readonly_root: true</code></td>
+    <td>Container can't modify its own program files</td>
+    <td>Prevents malware from modifying the app</td>
+  </tr>
+  <tr>
+    <td><code>--user 1001:1001</code></td>
+    <td>Run as non-root user</td>
+    <td>Even if exploited, can't access system files</td>
+  </tr>
+  <tr>
+    <td><code>no-new-privileges</code></td>
+    <td>Can't escalate to higher permissions</td>
+    <td>Prevents privilege escalation attacks</td>
+  </tr>
+</table>
+
+<h4>Container startup order (tiers)</h4>
+<div class="diagram">
+<span class="green">Tier 1: Foundation</span> (start first, other apps depend on these)
+  ├── Bitcoin Core/Knots    <span class="code-comment">← The blockchain</span>
+  ├── MySQL/PostgreSQL      <span class="code-comment">← Databases</span>
+  └── Redis                 <span class="code-comment">← Cache</span>
+
+<span class="blue">Tier 2: Core Services</span> (need Tier 1 to be running)
+  ├── LND (Lightning)       <span class="code-comment">← Needs Bitcoin</span>
+  ├── ElectrumX             <span class="code-comment">← Needs Bitcoin</span>
+  ├── Mempool               <span class="code-comment">← Needs Bitcoin + ElectrumX</span>
+  └── BTCPay Server         <span class="code-comment">← Needs Bitcoin + LND</span>
+
+<span class="purple">Tier 3: Applications</span> (independent or need Tier 2)
+  ├── Nextcloud, Jellyfin   <span class="code-comment">← File storage, media</span>
+  ├── Vaultwarden           <span class="code-comment">← Password manager</span>
+  ├── Home Assistant        <span class="code-comment">← Smart home</span>
+  └── Grafana               <span class="code-comment">← Monitoring dashboards</span>
+</div>
+
+<hr>
+
+<h3 id="nginx">Layer 4: Nginx (The Traffic Cop)</h3>
+
+<p><strong>Nginx</strong> (pronounced "engine-X") is a web server that sits between the internet and everything else. Every single request goes through it first.</p>
+
+<div class="analogy">
+  <p>Nginx is like the receptionist at a hospital. You walk in and say what you need. "I need the API" — they send you to the Rust backend. "I need the Bitcoin app" — they send you to the Bitcoin container. "I need the website" — they hand you the static files. Without the receptionist, you'd be wandering the hallways lost.</p>
+</div>
+
+<h4>How Nginx routes traffic</h4>
+<table>
+  <tr><th>URL Pattern</th><th>Goes To</th><th>Why</th></tr>
+  <tr><td><code>/rpc/v1</code></td><td>Rust backend (:5678)</td><td>All API calls</td></tr>
+  <tr><td><code>/health</code></td><td>Rust backend (:5678)</td><td>Health checks (no auth needed)</td></tr>
+  <tr><td><code>/app/bitcoin-ui/</code></td><td>Bitcoin container (:8334)</td><td>Bitcoin web interface</td></tr>
+  <tr><td><code>/app/mempool/</code></td><td>Mempool container (:4080)</td><td>Mempool explorer</td></tr>
+  <tr><td><code>/app/filebrowser/</code></td><td>FileBrowser container (:8083)</td><td>File manager</td></tr>
+  <tr><td><code>/aiui/</code></td><td>Static files on disk</td><td>AI chat interface</td></tr>
+  <tr><td><code>/</code> (everything else)</td><td>Vue.js SPA files on disk</td><td>The main dashboard</td></tr>
+</table>
+
+<p>Nginx also handles <strong>rate limiting</strong> (blocking too many requests), <strong>security headers</strong> (preventing attacks), and <strong>WebSocket upgrades</strong> (for real-time updates).</p>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="data-flow">How Data Flows Through the System</h2>
+
+<p>Let's trace what happens when you click "Install Bitcoin" in the UI:</p>
+
+<div class="card">
+<div class="flow-step"><div class="num">1</div><div class="content"><p><strong>You click the Install button</strong> in <code>Marketplace.vue</code>. Vue calls the Pinia store action <code>installPackage('bitcoin-knots')</code></p></div></div>
+<div class="flow-step"><div class="num">2</div><div class="content"><p><strong>The store calls the RPC client:</strong> <code>rpcClient.installPackage('bitcoin-knots', 'docker.io/bitcoin/knots:28')</code></p></div></div>
+<div class="flow-step"><div class="num">3</div><div class="content"><p><strong>RPC client sends HTTP POST</strong> to <code>/rpc/v1</code> with a session cookie and CSRF token for security</p></div></div>
+<div class="flow-step"><div class="num">4</div><div class="content"><p><strong>Nginx receives the request</strong> on port 80, checks rate limits, forwards to the Rust backend on port 5678</p></div></div>
+<div class="flow-step"><div class="num">5</div><div class="content"><p><strong>Rust backend validates</strong> — checks your session is valid, CSRF token matches, app ID is safe (no shell injection characters)</p></div></div>
+<div class="flow-step"><div class="num">6</div><div class="content"><p><strong>Rust checks dependencies</strong> — if you're installing LND, it checks Bitcoin is already running</p></div></div>
+<div class="flow-step"><div class="num">7</div><div class="content"><p><strong>Rust tells Podman to pull the image</strong> — <code>podman pull docker.io/bitcoin/knots:28</code> (downloads the app)</p></div></div>
+<div class="flow-step"><div class="num">8</div><div class="content"><p><strong>Rust creates and starts the container</strong> with all security flags (cap-drop, readonly root, etc.)</p></div></div>
+<div class="flow-step"><div class="num">9</div><div class="content"><p><strong>Backend sends a WebSocket update</strong> — the frontend receives a "state changed" event in real time</p></div></div>
+<div class="flow-step"><div class="num">10</div><div class="content"><p><strong>Vue reactively updates the UI</strong> — the Marketplace card changes from "Install" to "Running" with no page reload</p></div></div>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="rpc">RPC: How Frontend Talks to Backend</h2>
+
+<p><strong>RPC</strong> stands for Remote Procedure Call. It's a way for the frontend to tell the backend "do something" — like calling a function on a remote computer.</p>
+
+<div class="callout callout-learn">
+  <strong>RPC vs REST</strong>
+  Most web APIs use REST (different URLs for different things: <code>GET /users</code>, <code>POST /users</code>, <code>DELETE /users/5</code>). Archipelago uses RPC instead — every request goes to the same URL (<code>/rpc/v1</code>) and the <em>method name</em> says what to do. It's like having one phone number for a building, and you say who you want to talk to.
+</div>
+
+<p>The frontend has a class called <code>RPCClient</code> (in <code>rpc-client.ts</code>) with ~70 methods. Each method maps to a backend function:</p>
+
+<table>
+  <tr><th>Frontend Method</th><th>Backend Handler</th><th>What It Does</th></tr>
+  <tr><td><code>rpcClient.login(password)</code></td><td><code>auth.login</code></td><td>Log in with password</td></tr>
+  <tr><td><code>rpcClient.getServerInfo()</code></td><td><code>system.info</code></td><td>Get server name, version, uptime</td></tr>
+  <tr><td><code>rpcClient.installPackage(id, image)</code></td><td><code>package.install</code></td><td>Install a container app</td></tr>
+  <tr><td><code>rpcClient.getBitcoinInfo()</code></td><td><code>bitcoin.info</code></td><td>Get blockchain sync %, block height</td></tr>
+  <tr><td><code>rpcClient.sendMeshMessage(text)</code></td><td><code>mesh.send</code></td><td>Send a message over LoRa radio</td></tr>
+</table>
+
+<h4>Built-in resilience</h4>
+<p>The RPC client has built-in protections:</p>
+<ul>
+  <li><strong>Auto-retry</strong> — if a request fails (502/503), it waits and tries again (up to 3 times)</li>
+  <li><strong>Timeout</strong> — if the backend doesn't respond in 30 seconds, the request fails instead of hanging forever</li>
+  <li><strong>Session expiry</strong> — if you get a 401 (unauthorized), it redirects to the login page</li>
+  <li><strong>CSRF protection</strong> — every request includes a security token to prevent cross-site attacks</li>
+</ul>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="state">State Management</h2>
+
+<p><strong>State</strong> is the data your app is currently working with: is the user logged in? What apps are installed? Is Bitcoin synced? This data needs to be shared between components.</p>
+
+<div class="callout callout-learn">
+  <strong>What is Pinia?</strong>
+  Pinia is Vue's state management library. Instead of each component keeping its own data (which leads to chaos), you put shared data in a "store" — a central place that any component can read from and write to. When the store changes, every component that uses it updates automatically.
+</div>
+
+<p>Archipelago has <strong>15 Pinia stores</strong>:</p>
+
+<div class="card-grid">
+  <div class="card-sm">
+    <h4><code>app.ts</code> <span class="badge badge-yellow">god store</span></h4>
+    <p>Auth, WebSocket, server data, package management — does too much (see refactoring section)</p>
+  </div>
+  <div class="card-sm">
+    <h4><code>container.ts</code> <span class="badge badge-green">good</span></h4>
+    <p>Container lifecycle — running, stopped, installing states</p>
+  </div>
+  <div class="card-sm">
+    <h4><code>mesh.ts</code> <span class="badge badge-blue">okay</span></h4>
+    <p>LoRa radio state — device, peers, messages, channels</p>
+  </div>
+  <div class="card-sm">
+    <h4><code>appLauncher.ts</code> <span class="badge badge-blue">okay</span></h4>
+    <p>App iframe management, Nostr consent, port mapping</p>
+  </div>
+  <div class="card-sm">
+    <h4><code>spotlight.ts</code> <span class="badge badge-green">good</span></h4>
+    <p>Command palette (Cmd+K) — search, help modal</p>
+  </div>
+  <div class="card-sm">
+    <h4><code>goals.ts</code> <span class="badge badge-green">good</span></h4>
+    <p>Gamified goal/quest tracking state machine</p>
+  </div>
+</div>
+
+<h4>WebSocket: real-time updates</h4>
+<p>Instead of the frontend asking "has anything changed?" every second (polling), the backend <em>pushes</em> updates to the frontend through a WebSocket — a persistent, two-way connection.</p>
+
+<div class="diagram">
+<span class="green">Traditional polling (slow, wasteful):</span>
+  Frontend: "Anything new?" → Backend: "No"     (every 1 second)
+  Frontend: "Anything new?" → Backend: "No"
+  Frontend: "Anything new?" → Backend: "Yes! Bitcoin synced!"
+
+<span class="blue">WebSocket (fast, efficient):</span>
+  Frontend ←→ Backend: persistent connection
+  Backend: "Bitcoin synced!" → Frontend instantly updates
+  Backend: "New container started!" → Frontend instantly updates
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="auth">Authentication & Sessions</h2>
+
+<p>When you log in, the backend creates a <strong>session</strong> — a temporary "you're allowed in" token. Here's how it works:</p>
+
+<div class="flow-step"><div class="num">1</div><div class="content"><p><strong>You enter your password</strong> on the login page</p></div></div>
+<div class="flow-step"><div class="num">2</div><div class="content"><p><strong>Backend hashes it with bcrypt</strong> — a one-way function that makes it impossible to reverse</p></div></div>
+<div class="flow-step"><div class="num">3</div><div class="content"><p><strong>Backend compares the hash</strong> to the stored hash (never compares raw passwords)</p></div></div>
+<div class="flow-step"><div class="num">4</div><div class="content"><p><strong>Backend creates a session</strong> — generates a random 256-bit token using a cryptographically secure random number generator</p></div></div>
+<div class="flow-step"><div class="num">5</div><div class="content"><p><strong>Session ID sent as a cookie</strong> — the browser stores it and sends it with every request</p></div></div>
+<div class="flow-step"><div class="num">6</div><div class="content"><p><strong>CSRF token also sent</strong> — a second token that prevents cross-site request forgery attacks</p></div></div>
+
+<div class="callout callout-info">
+  <strong>Why two tokens?</strong>
+  The session cookie proves you're logged in. The CSRF token proves the request came from YOUR browser tab, not a malicious website that tricked your browser into sending a request. Both must match for any request to succeed.
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="security">Security Model</h2>
+
+<p>Archipelago is a defense-in-depth system — multiple layers of security so that if one fails, others still protect you.</p>
+
+<div class="card">
+<table>
+  <tr><th>Layer</th><th>Protection</th><th>Against What</th></tr>
+  <tr>
+    <td><span class="badge badge-red">OS</span></td>
+    <td>UFW firewall, AppArmor profiles</td>
+    <td>Network attacks, process escape</td>
+  </tr>
+  <tr>
+    <td><span class="badge badge-accent">Nginx</span></td>
+    <td>Rate limiting, security headers, HSTS</td>
+    <td>DDoS, XSS, clickjacking</td>
+  </tr>
+  <tr>
+    <td><span class="badge badge-green">Backend</span></td>
+    <td>CSRF validation, session auth, input sanitization</td>
+    <td>CSRF, injection, unauthorized access</td>
+  </tr>
+  <tr>
+    <td><span class="badge badge-purple">Containers</span></td>
+    <td>Capability dropping, readonly root, non-root user</td>
+    <td>Container escape, privilege escalation</td>
+  </tr>
+  <tr>
+    <td><span class="badge badge-blue">Crypto</span></td>
+    <td>ChaCha20-Poly1305 encryption, Argon2 key derivation, ed25519 signatures</td>
+    <td>Data theft, key compromise, impersonation</td>
+  </tr>
+  <tr>
+    <td><span class="badge badge-yellow">Network</span></td>
+    <td>Tor routing, onion services</td>
+    <td>Traffic analysis, IP exposure</td>
+  </tr>
+</table>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="bitcoin">Bitcoin Integration</h2>
+
+<p>Bitcoin is the heart of Archipelago. The backend communicates with Bitcoin Core/Knots using <strong>JSON-RPC</strong> — the same protocol Bitcoin has used since 2009.</p>
+
+<div class="callout callout-warn">
+  <strong>Critical Rule: Never Use Floating Point for Bitcoin</strong>
+  Bitcoin amounts are always in <strong>satoshis</strong> (1 BTC = 100,000,000 sats) as <strong>integers</strong>. Using floating point (decimals) causes rounding errors. 0.1 + 0.2 ≠ 0.3 in floating point. When you're dealing with money, that's unacceptable. Archipelago uses <code>u64</code> in Rust and <code>BigInt</code> in TypeScript for all Bitcoin amounts.
+</div>
+
+<h4>Bitcoin RPC examples</h4>
+<pre><code><span class="code-comment">// The backend calls Bitcoin Core like this:</span>
+<span class="code-fn">bitcoin_rpc</span>(<span class="code-string">"getblockchaininfo"</span>)   <span class="code-comment">→ sync progress, block height</span>
+<span class="code-fn">bitcoin_rpc</span>(<span class="code-string">"getnetworkinfo"</span>)      <span class="code-comment">→ peer count, version</span>
+<span class="code-fn">bitcoin_rpc</span>(<span class="code-string">"getmempoolinfo"</span>)      <span class="code-comment">→ unconfirmed transaction count</span>
+<span class="code-fn">bitcoin_rpc</span>(<span class="code-string">"estimatesmartfee"</span>, 6) <span class="code-comment">→ fee estimate for 6-block confirmation</span></code></pre>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="federation">Federation & Multi-Node</h2>
+
+<p>Multiple Archipelago nodes can form a <strong>federation</strong> — a trusted network of servers that sync data, share state, and communicate privately.</p>
+
+<div class="diagram">
+<span class="highlight">Your Node (.228)</span> ←── Tor ──→ <span class="blue">Friend's Node</span>
+       │                              │
+       └──── Tor ──→ <span class="green">Office Node</span> ←── Tor ──┘
+
+Each node has:
+  • <span class="purple">Ed25519 identity key</span> (cryptographic identity)
+  • <span class="blue">DID</span> (Decentralized Identifier — like a username that can't be taken away)
+  • <span class="green">Onion address</span> (Tor hidden service — no IP address exposed)
+  • <span class="highlight">DWN</span> (Decentralized Web Node — stores and syncs data)
+</div>
+
+<p>Nodes discover each other through <strong>Nostr relays</strong> (publish presence, but never onion addresses — those are exchanged privately via encrypted DMs).</p>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="mesh">Mesh Networking</h2>
+
+<p>Archipelago can communicate over <strong>LoRa radio</strong> — no internet needed. A small radio device plugs into the server's USB port and sends messages up to 10+ km using the Meshtastic/Meshcore protocol.</p>
+
+<div class="analogy">
+  <p>Imagine walkie-talkies that can send text messages. Each radio can relay messages for others, so even if two radios can't reach each other directly, they can communicate through intermediate radios. That's mesh networking — no cell towers, no ISPs, no internet required.</p>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="deploy-system">Deploy System</h2>
+
+<p>The deploy script (<code>scripts/deploy-to-target.sh</code>) is how code gets from your development laptop to the live server. It's a 1,570-line shell script that automates everything:</p>
+
+<div class="flow-step"><div class="num">1</div><div class="content"><p><strong>Pre-flight checks</strong> — verifies SSH connectivity, checks git state, warns about uncommitted changes</p></div></div>
+<div class="flow-step"><div class="num">2</div><div class="content"><p><strong>Frontend build</strong> — runs <code>npm run build</code> to compile Vue/TypeScript into static files</p></div></div>
+<div class="flow-step"><div class="num">3</div><div class="content"><p><strong>Upload frontend</strong> — rsyncs built files to <code>/opt/archipelago/web-ui/</code> on the server</p></div></div>
+<div class="flow-step"><div class="num">4</div><div class="content"><p><strong>Upload Rust source</strong> — rsyncs <code>core/</code> to the server (builds ON the server, not macOS)</p></div></div>
+<div class="flow-step"><div class="num">5</div><div class="content"><p><strong>Build on server</strong> — runs <code>cargo build --release</code> on the Linux server</p></div></div>
+<div class="flow-step"><div class="num">6</div><div class="content"><p><strong>Sync configs</strong> — copies nginx config, systemd service from <code>image-recipe/configs/</code></p></div></div>
+<div class="flow-step"><div class="num">7</div><div class="content"><p><strong>Restart services</strong> — reloads nginx, restarts the Rust backend via systemd</p></div></div>
+<div class="flow-step"><div class="num">8</div><div class="content"><p><strong>Health check</strong> — pings <code>/health</code> endpoint to verify everything came back up</p></div></div>
+<div class="flow-step"><div class="num">9</div><div class="content"><p><strong>Deploy manifest</strong> — writes a JSON file recording the commit, timestamp, and deploy status</p></div></div>
+
+<div class="callout callout-warn">
+  <strong>Why build on the server?</strong>
+  Rust compiles to machine code specific to the CPU architecture. If you compile on macOS (ARM/x86) and copy the binary to a Linux server, it won't run — you get an "Exec format error". The deploy script sends the <em>source code</em> and compiles on the target machine.
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="iso-build">ISO Build Process</h2>
+
+<p>The ISO build creates the installer that users flash to USB. It's a 1,775-line script that:</p>
+
+<ol>
+  <li>Downloads a Debian 12 Live ISO as the base</li>
+  <li>Creates a Docker container to build a custom root filesystem</li>
+  <li>Installs Podman, Nginx, and all system dependencies</li>
+  <li>Captures running container images from the live dev server</li>
+  <li>Bundles the frontend files, backend binary, and configs</li>
+  <li>Writes a first-boot script that sets everything up on install</li>
+  <li>Packages everything into a bootable ISO file</li>
+</ol>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="first-boot">First Boot Sequence</h2>
+
+<p>When someone installs the ISO and boots for the first time, <code>first-boot-containers.sh</code> runs automatically and:</p>
+
+<ol>
+  <li>Generates unique credentials for this installation (Bitcoin RPC password, database passwords)</li>
+  <li>Sets up swap space based on available RAM</li>
+  <li>Creates the <code>archy-net</code> container network for inter-container communication</li>
+  <li>Starts 30+ containers in tiered order (databases first, then Bitcoin, then everything else)</li>
+  <li>Runs health checks on critical containers</li>
+  <li>Configures Tor hidden services</li>
+</ol>
+
+<!-- ══════════════════════════════════════════════════════════════ -->
+<!-- ═══════════════ ARCHITECTURE REVIEW SECTION ═══════════════ -->
+<!-- ══════════════════════════════════════════════════════════════ -->
+
+<h2 id="scores">Quality Scores</h2>
+
+<p>After reviewing ~46,000 lines of Rust, ~12,000 lines of TypeScript, and ~100 shell scripts, here are the quality scores:</p>
+
+<div class="score-grid">
+  <div class="score-card">
+    <div class="label">Rust Error Handling</div>
+    <div class="score" style="color: var(--green)">A</div>
+    <p style="font-size:12px;color:var(--text-muted)">Zero unwrap/panic in prod code</p>
+  </div>
+  <div class="score-card">
+    <div class="label">TypeScript Safety</div>
+    <div class="score" style="color: var(--green)">A</div>
+    <p style="font-size:12px;color:var(--text-muted)">Strict mode, zero <code>any</code> types</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Security</div>
+    <div class="score" style="color: var(--green)">A-</div>
+    <p style="font-size:12px;color:var(--text-muted)">Defense in depth, minor gaps</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Frontend Architecture</div>
+    <div class="score" style="color: var(--green)">A-</div>
+    <p style="font-size:12px;color:var(--text-muted)">Well-organized, 1 god store</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Backend Modularity</div>
+    <div class="score" style="color: var(--yellow)">B+</div>
+    <p style="font-size:12px;color:var(--text-muted)">Good separation, large files</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Container Security</div>
+    <div class="score" style="color: var(--green)">A</div>
+    <p style="font-size:12px;color:var(--text-muted)">Cap-drop, readonly, non-root</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Script Modularity</div>
+    <div class="score" style="color: var(--red)">C+</div>
+    <p style="font-size:12px;color:var(--text-muted)">Monolithic, no shared library</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Test Coverage</div>
+    <div class="score" style="color: var(--red)">D</div>
+    <p style="font-size:12px;color:var(--text-muted)">No automated tests</p>
+  </div>
+  <div class="score-card">
+    <div class="label">CI/CD</div>
+    <div class="score" style="color: var(--red)">D</div>
+    <p style="font-size:12px;color:var(--text-muted)">Build only, no test gating</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Documentation</div>
+    <div class="score" style="color: var(--yellow)">B</div>
+    <p style="font-size:12px;color:var(--text-muted)">Good docs, gaps in API ref</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Dependency Hygiene</div>
+    <div class="score" style="color: var(--yellow)">B-</div>
+    <p style="font-size:12px;color:var(--text-muted)">Floating crypto versions</p>
+  </div>
+  <div class="score-card">
+    <div class="label">Deploy Safety</div>
+    <div class="score" style="color: var(--green)">A-</div>
+    <p style="font-size:12px;color:var(--text-muted)">Rollback, manifests, health checks</p>
+  </div>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="whats-good">What's Done Well</h2>
+
+<div class="card">
+<h4>Rust: Exceptional Error Discipline</h4>
+<p>Zero <code>unwrap()</code> or <code>panic!()</code> in production code (only 2 <code>expect()</code> in startup code). Every fallible operation uses the <code>?</code> operator to propagate errors gracefully. This is rare even in professional Rust codebases.</p>
+
+<h4>Input Validation is Thorough</h4>
+<p>App IDs validated against a strict character whitelist. Docker image names checked for shell injection characters. All external input sanitized at the boundary.</p>
+
+<h4>TypeScript Strict Mode Actually Used</h4>
+<p>All 5 strictest compiler flags enabled. Zero <code>any</code> types across 12,000+ lines. Every function has proper types. This prevents entire categories of bugs.</p>
+
+<h4>Container Security is Production-Grade</h4>
+<p>Every container drops all capabilities and adds back only what's needed. Read-only root filesystems. Non-root users. No-new-privileges. This is better than most commercial container platforms.</p>
+
+<h4>WebSocket Resilience</h4>
+<p>Auto-reconnection with exponential backoff, visibility change detection (handles tab switching), network online/offline detection. The real-time connection is very robust.</p>
+
+<h4>Composables Well-Factored</h4>
+<p>11 Vue composables, each focused on one concern (toasts, audio, keyboard, onboarding). Clean, reusable, properly scoped.</p>
+
+<h4>Deploy Safety Features</h4>
+<p>Rollback backups before deployment, deploy manifests tracking what was deployed, health checks after deployment, progress bars with ETAs.</p>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="whats-wrong">What Needs Fixing</h2>
+
+<h3>Critical Issues <span class="badge badge-red">fix now</span></h3>
+
+<div class="card">
+<h4>1. package.rs is 1,770 lines — a "god file"</h4>
+<p><strong>What:</strong> <code>core/archipelago/src/api/rpc/package.rs</code> handles ALL container operations: install, start, stop, configure ports, configure volumes, configure environment variables, dependency checking, image validation, progress streaming.</p>
+<p><strong>Why it's bad:</strong> You can't change one thing without risking breaking something else. It's impossible to test in isolation. Any new app requires modifying this massive file.</p>
+<p><strong>Fix:</strong> Split into <code>app_config.rs</code> (port/volume/env definitions), <code>app_lifecycle.rs</code> (install/start/stop), <code>app_validation.rs</code> (input checks, dependency verification).</p>
+</div>
+
+<div class="card">
+<h4>2. Web5.vue is 3,901 lines — a "god component"</h4>
+<p><strong>What:</strong> One Vue file contains 17 different sections: DID management, wallet, Nostr relays, credentials, voting, P2P peers, storage, profiles, marketplace, goals, data explorer, and more.</p>
+<p><strong>Why it's bad:</strong> Loading one massive component is slow. Changes to the voting section could break the wallet section. Impossible to reuse any section independently.</p>
+<p><strong>Fix:</strong> Split into 5+ sub-views under <code>/dashboard/web5/</code> with their own routes.</p>
+</div>
+
+<div class="card">
+<h4>3. No automated tests</h4>
+<p><strong>What:</strong> Zero unit tests in the Rust backend. No integration tests. No end-to-end tests that run automatically. The only "test" is deploying and checking manually.</p>
+<p><strong>Why it's bad:</strong> Every change could break something, and you won't know until a user reports it. As the codebase grows, confidence in changes decreases.</p>
+<p><strong>Fix:</strong> Start with tests for the most critical paths: session validation, input sanitization, container lifecycle. Add CI that runs tests on every push.</p>
+</div>
+
+<div class="card">
+<h4>4. useAppStore is a "god store" with 8+ responsibilities</h4>
+<p><strong>What:</strong> One Pinia store handles: auth state, WebSocket connection, server data, package install/uninstall, server restart/shutdown, marketplace data, metrics, loading states.</p>
+<p><strong>Why it's bad:</strong> Every component that imports this store gets ALL of its complexity. Hard to track where state changes come from. Testing any one concern requires mocking everything else.</p>
+<p><strong>Fix:</strong> Split into <code>auth.ts</code>, <code>server.ts</code>, <code>realtime.ts</code>, keep <code>app.ts</code> as a thin data store only.</p>
+</div>
+
+<h3>High Priority <span class="badge badge-yellow">fix soon</span></h3>
+
+<div class="card">
+<h4>5. Cryptographic dependency versions not pinned exactly</h4>
+<p><strong>What:</strong> <code>zeroize = "1.7"</code>, <code>chacha20poly1305 = "0.10"</code>, <code>ed25519-dalek = "2.1"</code> use floating versions.</p>
+<p><strong>Why it's bad:</strong> A minor version bump in a crypto library could introduce a vulnerability or behavioral change. The project's own rules require exact pinning for crypto deps.</p>
+<p><strong>Fix:</strong> Pin to exact versions: <code>"1.7.0"</code>, <code>"0.10.1"</code>, <code>"2.1.1"</code>.</p>
+</div>
+
+<div class="card">
+<h4>6. No frontend-backend type synchronization</h4>
+<p><strong>What:</strong> TypeScript types in <code>types/api.ts</code> are manually maintained copies of Rust structs. If the backend changes a field name, the frontend doesn't know until runtime.</p>
+<p><strong>Why it's bad:</strong> Types can drift apart silently. A backend developer renames <code>sync_progress</code> to <code>syncProgress</code> and the frontend breaks in production.</p>
+<p><strong>Fix:</strong> Generate TypeScript types from Rust structs (using <code>ts-rs</code> or a JSON Schema).</p>
+</div>
+
+<div class="card">
+<h4>7. Container metadata duplicated in 3 places</h4>
+<p><strong>What:</strong> App configuration (ports, volumes, env vars) exists in: <code>package.rs</code> (RPC handler), <code>docker_packages.rs</code> (metadata reader), <code>health_monitor.rs</code> (startup tiers).</p>
+<p><strong>Why it's bad:</strong> Adding a new app means updating 3 files. If you forget one, the app partially works but something is wrong.</p>
+<p><strong>Fix:</strong> Single app config source (manifest YAML or a shared Rust module) that all three consumers read from.</p>
+</div>
+
+<div class="card">
+<h4>8. Deploy and ISO build scripts are 1,500+ lines each</h4>
+<p><strong>What:</strong> Two monolithic shell scripts handle dozens of responsibilities each, with duplicated utility functions across 15+ scripts.</p>
+<p><strong>Why it's bad:</strong> Hard to review, hard to debug, hard to modify. One wrong change can break the entire deploy pipeline. No shared library means the same health-check loop is copy-pasted in 8 places.</p>
+<p><strong>Fix:</strong> Extract shared functions into <code>scripts/lib/common.sh</code>. Split deploy into modules: <code>deploy-frontend.sh</code>, <code>deploy-backend.sh</code>, <code>sync-configs.sh</code>, <code>health-checks.sh</code>.</p>
+</div>
+
+<h3>Medium Priority <span class="badge badge-blue">improve over time</span></h3>
+
+<div class="card">
+<h4>9. App integration requires updates in 6+ locations</h4>
+<p><strong>What:</strong> Adding a new app to Archipelago requires manual changes in: manifest YAML, <code>package.rs</code> (backend config), <code>docker_packages.rs</code> (metadata), nginx config (routing), <code>Marketplace.vue</code> (frontend listing), <code>appLauncher.ts</code> (port mapping), <code>first-boot-containers.sh</code> (first boot), <code>build-auto-installer-iso.sh</code> (ISO capture).</p>
+<p><strong>Fix:</strong> Move toward a single manifest file per app that drives all of these automatically.</p>
+</div>
+
+<div class="card">
+<h4>10. No CI/CD pipeline</h4>
+<p><strong>What:</strong> One GitHub Action builds a macOS binary. No tests run. No linting. No deploy automation.</p>
+<p><strong>Fix:</strong> Add CI that runs <code>cargo clippy</code>, <code>cargo test</code>, <code>npm run type-check</code>, and <code>npm run lint</code> on every push.</p>
+</div>
+
+<div class="card">
+<h4>11. Session persistence uses blocking I/O</h4>
+<p><strong>What:</strong> On startup, <code>session.rs</code> reads <code>sessions.json</code> using synchronous (blocking) file I/O in an async context.</p>
+<p><strong>Fix:</strong> Use <code>tokio::fs::read_to_string</code> for non-blocking I/O at startup.</p>
+</div>
+
+<div class="card">
+<h4>12. Inconsistent loading state patterns in frontend</h4>
+<p><strong>What:</strong> Some components use <code>loading</code>, others <code>isLoading</code>, others <code>loadingApps</code>. No shared composable.</p>
+<p><strong>Fix:</strong> Create a <code>useAsyncState</code> composable that standardizes loading/error/data patterns.</p>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="refactor-plan">Refactoring Priorities</h2>
+
+<p>Ordered by impact — what to fix first for the biggest improvement:</p>
+
+<table>
+  <tr><th>#</th><th>Task</th><th>Impact</th><th>Effort</th><th>Priority</th></tr>
+  <tr>
+    <td>1</td>
+    <td>Split <code>package.rs</code> into 3-4 focused files</td>
+    <td><span class="badge badge-red">high</span></td>
+    <td>2-3 days</td>
+    <td><span class="badge badge-red">P0</span></td>
+  </tr>
+  <tr>
+    <td>2</td>
+    <td>Split <code>useAppStore</code> into auth/server/realtime</td>
+    <td><span class="badge badge-red">high</span></td>
+    <td>2 days</td>
+    <td><span class="badge badge-red">P0</span></td>
+  </tr>
+  <tr>
+    <td>3</td>
+    <td>Add CI pipeline (clippy + type-check + basic tests)</td>
+    <td><span class="badge badge-red">high</span></td>
+    <td>1 day</td>
+    <td><span class="badge badge-red">P0</span></td>
+  </tr>
+  <tr>
+    <td>4</td>
+    <td>Split <code>Web5.vue</code> into sub-views</td>
+    <td><span class="badge badge-yellow">medium</span></td>
+    <td>3 days</td>
+    <td><span class="badge badge-yellow">P1</span></td>
+  </tr>
+  <tr>
+    <td>5</td>
+    <td>Pin all crypto dependency versions exactly</td>
+    <td><span class="badge badge-yellow">medium</span></td>
+    <td>1 hour</td>
+    <td><span class="badge badge-yellow">P1</span></td>
+  </tr>
+  <tr>
+    <td>6</td>
+    <td>Extract shared shell library (<code>lib/common.sh</code>)</td>
+    <td><span class="badge badge-yellow">medium</span></td>
+    <td>1 day</td>
+    <td><span class="badge badge-yellow">P1</span></td>
+  </tr>
+  <tr>
+    <td>7</td>
+    <td>Consolidate container metadata to single source</td>
+    <td><span class="badge badge-yellow">medium</span></td>
+    <td>2 days</td>
+    <td><span class="badge badge-yellow">P1</span></td>
+  </tr>
+  <tr>
+    <td>8</td>
+    <td>Generate TypeScript types from Rust structs</td>
+    <td><span class="badge badge-yellow">medium</span></td>
+    <td>1 day</td>
+    <td><span class="badge badge-blue">P2</span></td>
+  </tr>
+  <tr>
+    <td>9</td>
+    <td>Split deploy script into modules</td>
+    <td><span class="badge badge-blue">low</span></td>
+    <td>2 days</td>
+    <td><span class="badge badge-blue">P2</span></td>
+  </tr>
+  <tr>
+    <td>10</td>
+    <td>Add unit tests for critical paths (session, validation)</td>
+    <td><span class="badge badge-red">high</span></td>
+    <td>3 days</td>
+    <td><span class="badge badge-blue">P2</span></td>
+  </tr>
+  <tr>
+    <td>11</td>
+    <td>Create <code>useAsyncState</code> composable for frontend</td>
+    <td><span class="badge badge-blue">low</span></td>
+    <td>4 hours</td>
+    <td><span class="badge badge-purple">P3</span></td>
+  </tr>
+  <tr>
+    <td>12</td>
+    <td>Split large Vue components (SplashScreen, Mesh, Settings)</td>
+    <td><span class="badge badge-blue">low</span></td>
+    <td>2 days</td>
+    <td><span class="badge badge-purple">P3</span></td>
+  </tr>
+</table>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="tech-debt">Technical Debt Map</h2>
+
+<p>A visual summary of where debt lives in the codebase:</p>
+
+<div class="diagram">
+<span class="highlight">BACKEND (Rust)</span>
+  <span class="red">██████████</span> package.rs (1,770 lines — god file)
+  <span class="red">████████</span>   rpc/mod.rs (999 lines — giant match dispatcher)
+  <span class="red">████████</span>   lnd.rs (996 lines — could split)
+  <span class="yellow">██████</span>     mesh.rs, identity.rs, federation.rs (800+ lines each)
+  <span class="green">████</span>       session.rs, health_monitor.rs (700+ lines, acceptable)
+  <span class="green">██</span>         container crate (2,000 lines — well-scoped)
+  <span class="green">█</span>          security, performance crates (clean)
+
+<span class="highlight">FRONTEND (Vue + TS)</span>
+  <span class="red">████████████</span> Web5.vue (3,901 lines — god component)
+  <span class="red">██████████</span>   Dashboard.vue (1,803 lines)
+  <span class="red">████████</span>     Mesh.vue, Settings.vue (1,500+ lines each)
+  <span class="yellow">██████</span>       useAppStore (317 lines — god store)
+  <span class="green">████</span>         rpc-client.ts (708 lines — well-designed)
+  <span class="green">██</span>           Composables (clean, focused)
+  <span class="green">█</span>            Type safety (excellent)
+
+<span class="highlight">SCRIPTS (Shell)</span>
+  <span class="red">████████████</span> deploy-to-target.sh (1,570 lines)
+  <span class="red">████████████</span> build-auto-installer-iso.sh (1,775 lines)
+  <span class="yellow">██████</span>       first-boot-containers.sh (739 lines)
+  <span class="yellow">████</span>         No shared library (8+ duplicated functions)
+  <span class="green">██</span>           Test scripts (well-organized)
+
+<span class="highlight">ARCHITECTURE</span>
+  <span class="red">████████</span>     No automated tests (0% coverage)
+  <span class="red">██████</span>       No CI/CD test gating
+  <span class="yellow">████</span>         Manual type sync (Rust ↔ TypeScript)
+  <span class="yellow">████</span>         App integration requires 6+ file changes
+  <span class="green">██</span>           Security model (strong defense-in-depth)
+  <span class="green">██</span>           Deploy safety (rollback, manifests)
+
+<span class="code-comment">Legend: <span class="red">██</span> Critical  <span class="yellow">██</span> Needs attention  <span class="green">██</span> Good</span>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="learning">Recommended Learning Path</h2>
+
+<p>If you want to understand this codebase deeply and become proficient in all the technologies, study in this order:</p>
+
+<div class="card">
+<h4>Phase 1: Foundations (Weeks 1-4)</h4>
+<ol>
+  <li><strong>Linux basics</strong> — commands, file permissions, processes, systemd</li>
+  <li><strong>Git</strong> — branches, commits, diffs, rebasing</li>
+  <li><strong>HTML/CSS/JavaScript</strong> — the building blocks of web UIs</li>
+  <li><strong>TypeScript</strong> — JavaScript with type safety (read the official handbook)</li>
+</ol>
+</div>
+
+<div class="card">
+<h4>Phase 2: Frontend (Weeks 5-8)</h4>
+<ol>
+  <li><strong>Vue 3 Composition API</strong> — <code>ref</code>, <code>computed</code>, <code>watch</code>, <code>onMounted</code></li>
+  <li><strong>Pinia</strong> — state management (read <code>stores/container.ts</code> as a good example)</li>
+  <li><strong>Vue Router</strong> — URL-to-component mapping</li>
+  <li><strong>Tailwind CSS</strong> — utility-first CSS framework</li>
+  <li><strong>Vite</strong> — the build tool that bundles everything</li>
+</ol>
+</div>
+
+<div class="card">
+<h4>Phase 3: Backend (Weeks 9-14)</h4>
+<ol>
+  <li><strong>Rust basics</strong> — ownership, borrowing, lifetimes, pattern matching (read "The Rust Book")</li>
+  <li><strong>Async Rust with Tokio</strong> — <code>async/await</code>, futures, <code>tokio::spawn</code></li>
+  <li><strong>Hyper</strong> — the HTTP server library (read <code>server.rs</code>)</li>
+  <li><strong>Serde</strong> — JSON serialization/deserialization</li>
+  <li><strong>Error handling</strong> — <code>anyhow</code>, <code>thiserror</code>, the <code>?</code> operator</li>
+</ol>
+</div>
+
+<div class="card">
+<h4>Phase 4: Infrastructure (Weeks 15-18)</h4>
+<ol>
+  <li><strong>Containers</strong> — Docker/Podman concepts (images, containers, volumes, networks)</li>
+  <li><strong>Nginx</strong> — reverse proxy, location blocks, upstream servers</li>
+  <li><strong>Shell scripting</strong> — bash/zsh, <code>set -e</code>, functions, trap</li>
+  <li><strong>systemd</strong> — service management, unit files, journalctl</li>
+  <li><strong>Networking</strong> — TCP/IP, DNS, ports, firewalls (UFW)</li>
+</ol>
+</div>
+
+<div class="card">
+<h4>Phase 5: Bitcoin & Crypto (Weeks 19-24)</h4>
+<ol>
+  <li><strong>Bitcoin protocol</strong> — blocks, transactions, UTXOs, mining (read "Mastering Bitcoin")</li>
+  <li><strong>Lightning Network</strong> — payment channels, routing, invoices</li>
+  <li><strong>Cryptography</strong> — hashing, symmetric/asymmetric encryption, digital signatures</li>
+  <li><strong>Tor</strong> — onion routing, hidden services, SOCKS5 proxy</li>
+  <li><strong>Nostr</strong> — decentralized messaging protocol, NIPs</li>
+  <li><strong>DIDs</strong> — Decentralized Identifiers, Verifiable Credentials</li>
+</ol>
+</div>
+
+<div class="callout callout-success">
+  <strong>Recommended first files to read</strong>
+  <ol>
+    <li><code>neode-ui/src/stores/container.ts</code> — Clean, well-structured Pinia store (312 lines)</li>
+    <li><code>neode-ui/src/api/rpc-client.ts</code> — Well-designed API client with retry logic</li>
+    <li><code>core/archipelago/src/session.rs</code> — Auth flow in Rust with crypto</li>
+    <li><code>core/container/src/podman_client.rs</code> — How Rust talks to Podman</li>
+    <li><code>image-recipe/configs/nginx-archipelago.conf</code> — The full routing map</li>
+  </ol>
+</div>
+
+<!-- ══════════════════════════════════════════════════════ -->
+<h2 id="glossary">Glossary</h2>
+
+<table>
+  <tr><th>Term</th><th>What It Means</th></tr>
+  <tr><td><strong>API</strong></td><td>Application Programming Interface — a defined way for two programs to talk to each other</td></tr>
+  <tr><td><strong>Async/Await</strong></td><td>A way to write code that waits for slow things (network, disk) without blocking other work</td></tr>
+  <tr><td><strong>Backend</strong></td><td>The server-side code that runs on the machine (not visible to users)</td></tr>
+  <tr><td><strong>Container</strong></td><td>An isolated environment for running an app, like a lightweight virtual machine</td></tr>
+  <tr><td><strong>Composable</strong></td><td>A reusable piece of logic in Vue (similar to React hooks)</td></tr>
+  <tr><td><strong>CSRF</strong></td><td>Cross-Site Request Forgery — an attack where a malicious site tricks your browser into sending requests</td></tr>
+  <tr><td><strong>Crate</strong></td><td>A Rust package (like npm package for JavaScript)</td></tr>
+  <tr><td><strong>DID</strong></td><td>Decentralized Identifier — a self-owned digital identity (no central authority controls it)</td></tr>
+  <tr><td><strong>DWN</strong></td><td>Decentralized Web Node — personal data storage that syncs across your devices</td></tr>
+  <tr><td><strong>Frontend</strong></td><td>The browser-side code that users see and interact with</td></tr>
+  <tr><td><strong>ISO</strong></td><td>A disk image file — like a digital copy of an installation CD</td></tr>
+  <tr><td><strong>JWT</strong></td><td>JSON Web Token — a compact way to pass verified identity between systems</td></tr>
+  <tr><td><strong>LoRa</strong></td><td>Long Range radio — low-power wireless communication over several kilometers</td></tr>
+  <tr><td><strong>Nginx</strong></td><td>A web server that also works as a reverse proxy (routes traffic to the right service)</td></tr>
+  <tr><td><strong>Nostr</strong></td><td>A decentralized messaging protocol using public/private key pairs</td></tr>
+  <tr><td><strong>Onion Service</strong></td><td>A Tor hidden service — a server accessible only through the Tor network (no IP address)</td></tr>
+  <tr><td><strong>Pinia</strong></td><td>Vue's official state management library (successor to Vuex)</td></tr>
+  <tr><td><strong>Podman</strong></td><td>A container runtime like Docker, but rootless (more secure)</td></tr>
+  <tr><td><strong>RPC</strong></td><td>Remote Procedure Call — calling a function on another computer over the network</td></tr>
+  <tr><td><strong>Reactive</strong></td><td>Data that automatically updates the UI when it changes (core Vue concept)</td></tr>
+  <tr><td><strong>Reverse Proxy</strong></td><td>A server that sits between clients and backend servers, forwarding requests</td></tr>
+  <tr><td><strong>Rust</strong></td><td>A systems programming language focused on safety and performance</td></tr>
+  <tr><td><strong>SPA</strong></td><td>Single Page Application — a web app that loads once and dynamically updates content</td></tr>
+  <tr><td><strong>Satoshi (sat)</strong></td><td>The smallest unit of Bitcoin. 1 BTC = 100,000,000 sats</td></tr>
+  <tr><td><strong>systemd</strong></td><td>Linux's service manager — starts, stops, and monitors background services</td></tr>
+  <tr><td><strong>Tokio</strong></td><td>Rust's async runtime — handles thousands of concurrent operations efficiently</td></tr>
+  <tr><td><strong>Tor</strong></td><td>The Onion Router — anonymizes internet traffic by routing through multiple relays</td></tr>
+  <tr><td><strong>TypeScript</strong></td><td>JavaScript with static types — catches bugs at compile time instead of runtime</td></tr>
+  <tr><td><strong>Vue 3</strong></td><td>A JavaScript framework for building reactive user interfaces</td></tr>
+  <tr><td><strong>WebSocket</strong></td><td>A persistent, two-way connection between browser and server for real-time data</td></tr>
+</table>
+
+<hr>
+<p style="text-align:center;color:var(--text-muted);font-size:13px;margin-top:48px;">
+  Architecture Review — Archipelago v0.1.0-alpha — Generated 2026-03-18<br>
+  ~46,000 lines Rust &middot; ~12,000 lines TypeScript &middot; ~100 shell scripts
+</p>
+
+</main>
+
+<script>
+// Highlight active nav link on scroll
+const sections = document.querySelectorAll('h2[id], h3[id]');
+const navLinks = document.querySelectorAll('nav a');
+
+function updateActiveNav() {
+  let current = '';
+  sections.forEach(section => {
+    const rect = section.getBoundingClientRect();
+    if (rect.top <= 100) current = section.id;
+  });
+  navLinks.forEach(link => {
+    link.classList.toggle('active', link.getAttribute('href') === '#' + current);
+  });
+}
+
+window.addEventListener('scroll', updateActiveNav, { passive: true });
+updateActiveNav();
+</script>
+</body>
+</html>
diff --git a/neode-ui/dev-dist/sw.js b/neode-ui/dev-dist/sw.js
index b3b53078..713ca6bd 100644
--- a/neode-ui/dev-dist/sw.js
+++ b/neode-ui/dev-dist/sw.js
@@ -82,7 +82,7 @@ define(['./workbox-21a80088'], (function (workbox) { 'use strict';
     "revision": "3ca0b8505b4bec776b69afdba2768812"
   }, {
     "url": "index.html",
-    "revision": "0.a4nevj6csc4"
+    "revision": "0.2lte02eatlc"
   }], {});
   workbox.cleanupOutdatedCaches();
   workbox.registerRoute(new workbox.NavigationRoute(workbox.createHandlerBoundToURL("index.html"), {