- Correct off-by-one in UID mapping: container UID N → host UID
(100000 + N - 1), not (100000 + N)
- Deploy script auto-fixes UID ownership on every deploy
- Bitcoin UI nginx uses __BITCOIN_RPC_AUTH__ placeholder injected
from secrets at deploy time
- container rules updated for rootless podman architecture
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The security hardening (NoNewPrivileges, RestrictAddressFamilies,
MemoryDenyWriteExecute, RestrictRealtime, ProtectSystem=strict) all
blocked podman container management via sudo. These are temporarily
disabled until TASK-11 (rootless podman migration) is complete.
Remaining active protections: ProtectSystem=true (/usr, /boot),
ProtectHome=yes, PrivateTmp=yes, PrivateDevices=no (mesh radio).
Also adds TASK-11 to MASTER_PLAN.md for tracking the rootless podman
migration that will allow re-enabling full security hardening.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Y5-01: docs/community-growth-plan.md — 3 growth phases from
dev preview to 10K nodes, tracking via opt-in analytics
- Y5-04: docs/v3-release-checklist.md — prerequisites, release
steps (code freeze, ISO builds, checksums), post-release plan
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Per-container RAM/CPU/disk measurements from .228 baseline.
Three app tiers: Core (2.6GB), Recommended (+880MB), Optional (+2-5GB).
Four hardware tiers with cost estimates.
10K user distribution projection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added new dependencies: `adler2`, `crc32fast`, `flate2`, `miniz_oxide`, and `libredox`.
- Updated existing dependencies: `tokio-rustls` to version 0.26.4 and `filetime` to version 0.2.27.
- Removed the `backup.rs` file as it is no longer needed.
- Introduced tests for configuration and credential management.
- Enhanced the `identity` module to generate W3C compliant DID documents.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- x86_64 hardware validated on dev server (E2E-02)
- COMM-04 and FINALDOC-04 superseded by v1.0.0 release
- E2E-04 soak test running (ends Apr 10)
- 158/158 plan items resolved
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Uptime monitor timer running every 5min, 30-day soak test active,
hotfix process documented. 100% uptime so far.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added no_new_privileges: true, user: 1000, and seccomp_profile: default
to all app manifests. Created community app review checklist.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace sh -c echo with tokio::fs::write for bitcoin.conf generation
- Add client_max_body_size 1m to /rpc/ in both HTTP and HTTPS nginx blocks
- Document full audit findings in docs/security-audit-2026-03-11.md
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Updated npm packages to latest semver-compatible versions. 4 remaining
high-severity vulns are dev-only (serialize-javascript in vite-plugin-pwa
chain). 515/515 tests pass, zero type errors, build clean.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Complete user flow documentation from hardware prep through daily use.
6 parts: hardware, installation, onboarding, dashboard, advanced ops,
and maintenance. Ready for screenshot capture and video production.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
20 issues covering connection, apps, Bitcoin sync, backup, updates,
kiosk mode, network, performance, and emergency recovery. Each with
diagnostic commands and step-by-step solutions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
41 tests passing, type-check and build clean. This becomes the
regression target — counts must only go down.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- TOTP 2FA: full setup/confirm/disable/login flow with Argon2id + ChaCha20-Poly1305
encrypted secret storage, QR code generation, and bcrypt-hashed backup codes
- API key switcher: OAuth vs personal API key toggle in AIUI chat settings with
status indicator, key validation, and help text
- Login progress bar: server startup detection with health check polling, form
disabled until server is ready
- AI quarantine docs: comprehensive HTML page documenting all 6 security layers
- Settings: AI Data Access permission toggles with per-category control
- Alpha hardening plan: 28-task overnight automation plan across 7 phases
(onboarding, login, app install, AIUI, UI polish, security, ISO build)
- Backlog: node discovery spatial map feature for alpha demo
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Added a new method to reset the onboarding state, allowing users to re-initiate the onboarding process.
- Integrated backup creation functionality, enabling users to create encrypted backups of their node identity.
- Updated API endpoints to handle onboarding reset and backup creation requests.
- Enhanced UI components to support the new onboarding reset and backup features, including error handling and user feedback.
- Introduced new dependencies for cryptographic operations and data encoding.
- Upgraded Fedimint version to v0.10.0 in docker-compose.yml and manifest.yml, adding support for the built-in Guardian UI.
- Modified .gitignore to exclude deploy-config.sh script.
- Enhanced onboarding process in AuthManager to persist onboarding state and validate password strength during user setup.
- Updated API to handle onboarding completion and password change requests, ensuring a smoother user experience.
- Improved configuration management to support Nostr discovery and Tor proxy settings, enhancing node identity features.
- Updated BUILD-GUIDE.md to streamline instructions for building the Archipelago Auto-Installer ISO, including prerequisites and post-installation steps.
- Added detailed sections on capturing the live server state and building from source.
- Enhanced Docker and Podman integration in build scripts for improved backend and web UI capture.
- Introduced new app metadata for "IndeedHub" in the Docker package scanner and updated UI components for better installation progress tracking.
- Improved styling and functionality in the Bitcoin UI for a more cohesive user experience.
- Added instructions to README.md for building an ISO from source and flashing it to USB.
- Introduced a new RPC method for package installation, including security checks and container management.
- Updated Docker and Podman integration in build scripts to support both container runtimes.
- Enhanced Nginx configuration for improved timeout settings and WebSocket support.
- Added new app metadata for additional applications in the Docker package scanner.
- Added new entries to .gitignore for build artifacts and macOS output directories to streamline the build process.
- Deleted outdated documentation files: AUTH_LOGIN_FIX.md, AUTBOOT_CONFIGURATION.md, BACKEND_FIXES.md, BACKEND_STARTUP_FIX.md, BITCOIN_CORE_HEADLESS_FIX.md, BITCOIN_CORE_UI_COMPLETE.md, BITCOIN_STANDALONE_UI_COMPLETE.md, BITCOIN_UI_COMPLETE.md, BOOT_SEQUENCE_DIAGRAM.txt, and BUILD_COMMANDS_REFERENCE.txt to declutter the repository and remove unnecessary content.
