# Changelog ## v1.8.00-alpha (2026-06-18) Polishes the mesh AI assistant and Fedimint, on top of all the v1.7.99 features (kept listed below so you can still see what's new). - The off-grid mesh radio no longer posts cryptic identity codes to the shared public channel. Your node was announcing a line starting with "ARCHY:" to the public channel about once a minute, which everyone else on that channel saw as spam; that broadcast has been removed. - You can now use your node's AI assistant straight from a normal chat. Send "!ai " in a direct message to an AI-enabled node and the answer comes right back in the same conversation — whether your message travelled over the internet or the LoRa radio. Before, the reply could be sent on the wrong path and never arrive. - The Mesh AI Assistant panel is easier to set up: pick the Claude model from a dropdown (Haiku, Sonnet, or Opus) instead of typing it, and add specific contacts to an "always allow" list so chosen people can use "!ai" even when the assistant is set to trusted-nodes-only. - Fedimint federations show up in Wallet Settings again. The Fedimint client app wasn't starting because of a configuration error, so the federation your node auto-joins never appeared; the client is fixed and runs again. - In Settings, "App Updates" and "App Registry" now sit directly under your Account section for quicker access. - In Mesh chat, scrolling the conversation no longer also scrolls the contact list behind it. - Mesh direct messages are now private and end-to-end encrypted to the recipient — they're sent as real radio DMs instead of being broadcast on the public channel, so other people on the mesh no longer see them, and the answer arrives intact (even on standard meshcore phone apps). - You can now message standard meshcore apps (like the phone companion) and they can message you — text shows up readable on both sides, and your node's AI answers come back as a private reply rather than on the public channel. - New contacts you hear on the radio are added automatically, so people show up in your Peers list without any extra steps. - "Clear All" now actually removes contacts (rather than hiding them forever); a contact comes back on its own the next time it's in range. Each contact also shows a reachability dot so you can see who's currently reachable. - The Peers list has a search box (with a clear button) to quickly filter your contacts by name, DID, npub, or key. All the v1.7.99-alpha features are included as well: - Your node can now hold Fedimint ecash as well as Cashu, with tabbed Wallet Settings for each and both balances shown side by side on the home wallet card. - You can buy files shared by another node right from their cloud, paying from this node's ecash, your Lightning wallet, on-chain, or by scanning a Lightning QR with any outside wallet. - Your node can act as an AI assistant on the off-grid mesh: peers ask by starting a message with "!ai" and get an answer back over the radio, with a panel to turn it on or off. - You can view your node's 24-word recovery phrase any time from Settings, behind a password (and 2FA) confirmation and a tap-to-show blur. - Setting up a brand-new node is smoother: it waits and retries quietly instead of flashing errors, and shows a gentle "securing your private connection…" status that turns to "ready" on its own. - The NetBird VPN app now logs in (it's served over HTTPS and opens in a browser tab). - Phone remote-control of a node's screen now supports two-finger scrolling inside apps, and external-browser apps open on your phone. - You can choose whether your node shares Bitcoin block headers over the mesh, and your choices are remembered. - Version numbers display cleanly everywhere (no more doubled "v"), and "Back" buttons look and behave consistently across desktop and mobile. - For advanced testing, Settings includes an optional update & app source choice between the usual trusted origin and an experimental peer-to-peer (DHT swarm) mode, with the trusted origin remaining the default. ## v1.7.99-alpha (2026-06-17) - Your node can now hold Fedimint ecash as well as Cashu. Wallet Settings now has tabbed sections for each: keep your list of trusted Cashu mints, or paste a Fedimint invite code to join a federation, and the home wallet card shows both your Cashu and Fedimint balances side by side. A new "Fedimint Client" app in the catalog powers the federation side. - You can now buy files shared by another node, right from their cloud. When you open a peer's paid file you get a simple "Buy this file" picker with several ways to pay — instantly from this node's ecash balance, from your node's own Lightning wallet, on-chain from your node, or by scanning a Lightning QR code with any outside wallet. Once payment settles, the file downloads automatically. - Your node can now act as an AI assistant on the off-grid mesh radio network. If your node has a local AI model available (via Ollama), other people on the mesh can ask it a question by starting their message with "!ai" and get an answer back over the radio — handy where there's no internet. A new Mesh assistant panel lets you turn this on or off and shows whether a local AI model was detected. - You can now view your node's 24-word recovery phrase whenever you need it. Settings has a new "Recovery phrase" option that, after you confirm your password (and 2FA code if you use one), reveals the words behind a tap-to-show blur with a copy button — so you can write them down and store them safely offline. - Setting up a brand-new node is smoother and less alarming. If the node is still starting up while you generate or confirm your recovery phrase, it now quietly waits and retries instead of flashing a scary error, and offers a clear "Try again" button only when something genuinely goes wrong. The final setup screen also shows a gentle "securing your private connection…" status that turns to "ready" on its own, so you can tell the encrypted transport is coming up rather than stuck. - The NetBird VPN app now actually logs in. It was failing to reach its sign-in screen because the dashboard needs a secure (HTTPS) connection that wasn't being provided; the node now serves it over HTTPS and opens it in a browser tab, so the login flow completes. - When you use your phone to remote-control a node's attached screen, two-finger scrolling now works inside apps and panels, not just the main page. And tapping an app that's meant to open in an external browser now hands the link to your phone to open there, instead of trying to open it on the (often unattended) attached display. - You can now choose whether your node shares Bitcoin block headers over the mesh. The Mesh Bitcoin panel has new switches to announce headers to peers and to accept headers from them, and your choices are remembered. - Version numbers now display cleanly everywhere. In a few places the interface was showing a doubled "v" (like "vv1.7.98"); it now always shows a single, tidy version label. - The "Back" buttons throughout the cloud and other detail screens now look and behave consistently on both desktop and mobile, including when browsing another node's files. - For advanced testing, Settings now includes an optional "update & app source" choice between the usual trusted origin and an experimental peer-to-peer (DHT swarm) mode that pulls updates and app content from other nodes first, falling back to the origin automatically. The trusted origin remains the default. ## v1.7.98-alpha (2026-06-16) - Apps that crash now recover on their own. Multi-part apps like Immich and IndeedHub could have one of their pieces stop and stay stopped until the whole node was rebooted; the node now checks every couple of minutes and restarts any crashed piece automatically (while still leaving apps you deliberately stopped alone). - The on-screen kiosk display can no longer slow the whole node down. On machines without a graphics chip the kiosk browser could spin a CPU core at full tilt, starving everything else (including the wallet, which then timed out); it's now capped and uses lighter rendering on those machines. - If an update download fails, you're taken back to the Download button to retry, instead of being stranded on an Install button for an update that didn't actually finish downloading. - Your node's identity is clearer and always visible: Settings now shows your Node DID on every node (it previously only appeared if your browser had cached it) plus your node's npub, both with copy buttons. There's also a terminal tool to cryptographically prove all your node's keys come from your one seed phrase. - The "all nodes over Tor" group chat sends quickly now — the "sending" spinner clears as soon as the reachable nodes have the message, instead of hanging on a slow or offline node. - Message notifications now have a close button and open the relevant chat when tapped. - The encrypted mesh transport (FIPS) turns itself on automatically after setup — no button to press — and connects to peers more reliably (it retries and keeps connections warm), so node-to-node features use the fast path more often instead of falling back to Tor. - Your chat history with other nodes is saved reliably and now encrypted on disk, so it survives restarts and updates and can't be read from a stolen drive (only clearing chat removes it). - Peer media shows a "connecting" loader before a video or audio file plays, and audio errors are accurate instead of blaming File Browser. - The Fedimint app now displays with its proper styling, and the Connected Nodes screen stays compact — it shows a few nodes and scrolls, you can tap a node to jump to it in Federation, or tap Message to open its chat. - App updates can now arrive on their own without waiting for a full system release, so individual apps can be improved and shipped faster. ## v1.7.97-alpha (2026-06-16) - The Bitcoin sync status on the home screen no longer disappears for a moment when it refreshes. If the node was briefly busy, the panel used to vanish and pop back; it now stays put and simply shows "Updating…" until the next reading arrives, while a genuinely stopped node still correctly shows as not running. - Bitcoin sync progress on the home screen now updates more promptly, so the percentage and block height keep pace with the node instead of lagging behind. - The Lightning wallet "connect your wallet" screen loads its details and QR code again across all nodes, instead of failing to fetch them. - Your list of trusted nodes is now clean: the same node no longer appears several times under different names, and removed nodes stay removed. In chat, a node that previously showed up as two separate contacts now appears just once. - Browsing another node's cloud is smoother: music and video files from a peer now preview and play properly (including seeking partway through), and the connection now shows a small badge telling you whether it's using the fast encrypted mesh or the slower Tor network. - Opening "My Folders" in the cloud now shows a clear, friendly message when the file app isn't running, instead of a confusing error. - The Electrum server app opens on its own once it's ready, instead of sometimes leaving a loading spinner stuck on top of the screen. - The Fedimint app now displays with its proper styling and icons, instead of appearing unstyled with a missing image. - The Mempool app now connects to your Bitcoin node whether the node is Bitcoin Core or Bitcoin Knots, instead of only working with one of them. - Nodes start up cleanly after a reboot. On some boots the node's main service was trying to start before its data drive had finished mounting, so it failed and retried about twenty times over roughly five minutes — showing a wall of "Failed to start" messages — before finally coming up. It now waits for the data drive to be ready first, so it starts on the first try. - The background images throughout the interface now load faster — they've been made significantly smaller with no loss of quality. ## v1.7.96-alpha (2026-06-15) - The screen attached to your node now shows the normal Archipelago interface and your dashboard after you sign in, instead of a separate, stripped-down grid of app icons that could appear in its place. That extra screen has been removed so the attached display matches what you see everywhere else. - On a brand-new node, the attached screen now walks through the same welcome and setup steps you'd see on a phone or laptop, and shows the normal sign-in screen once the node is set up — so the on-device display always matches the rest of the interface. - When adding a FIPS network anchor, you can now choose whether it connects over TCP (for a public anchor reached across the internet) or UDP (for one on your local network), instead of it always assuming the local-network option. - Behind the scenes, a new automated two-node test now exercises real node-to-node features — browsing another node's shared files and handling a removed node — against live nodes before each release, so node-to-node problems are caught earlier. ## v1.7.95-alpha (2026-06-15) - Browsing another node's shared files now works over the fast encrypted mesh. Opening a peer's cloud could fail with a generic "Operation failed" message because the request for their file list wasn't permitted over the mesh and came back as "not found" — and it never retried over Tor. The mesh now serves the file list directly, and if a peer can't answer over the mesh the node automatically falls back to Tor instead of giving up. - Nodes you remove from your federation now stay removed. Previously a deleted node could quietly come back the next time you synced with another node that still listed it. Removed nodes are now remembered as removed and won't reappear on their own — only if you add them back yourself. - The app credentials pop-up now appears as a normal centred box with a dimmed background over the whole screen, instead of stretching to fill the entire screen. ## v1.7.94-alpha (2026-06-15) - Your node now joins the private encrypted mesh network on its own. A wrong built-in setting meant nodes were quietly never reaching the shared mesh meeting point, so everything between nodes fell back to the slower Tor network. Every node now connects to the mesh automatically on startup, so node-to-node features like file sharing use the faster encrypted mesh first and only fall back to Tor when a peer is genuinely offline. (Confirmed live: a node with its mesh setting wiped re-connected to the mesh by itself within a second of starting.) - You can now bring the mesh networking software up to the latest stable version straight from the node, with one action — it fetches the new version, checks it's genuine before installing, and restarts the mesh on its own. (Confirmed live end to end: a node on an older build was upgraded to the current stable release and rejoined the mesh automatically.) - The Lightning wallet screen connects again on nodes where it was showing a "failed to fetch" error instead of your balance and channels. The wallet app and the node now talk to each other correctly, and the connection quietly repairs itself if its details drift after a restart. ## v1.7.93-alpha (2026-06-14) - Receiving Bitcoin and Lightning works again on nodes where the Lightning wallet was stuck locked. After some updates the wallet could come back locked with a password the node no longer had, so "generate a receive address" kept failing with a "wallet is locked" message that nothing could clear. The node now detects this and repairs itself automatically. - Each node now secures its Lightning wallet with its own unique, randomly generated password instead of a shared built-in one, and remembers it safely so the wallet unlocks on its own after every restart or update — no more getting stuck locked. - If a wallet is found locked with an unrecoverable password, the node rebuilds it cleanly so Bitcoin and Lightning start working again. (On these early-access nodes the wallet holds no funds, so nothing is lost — a wallet locked with an unknown password was already inaccessible.) - The self-repair was validated end to end on live nodes: a stuck, locked wallet was detected, rebuilt, and came back unlocked on its own, and stayed unlocked across restarts. ## v1.7.92-alpha (2026-06-14) - The Electrum server app no longer flashes a "can't connect, try again" error over its loading screen while it's still catching up. If ElectrumX is building its index or waiting on the Bitcoin node, you now just see the sync progress, and the app opens on its own once it's ready. - Behind the scenes, the reboot-survival test now confirms the whole system is genuinely healthy after a restart — every app reachable, updates not stuck, core services answering — instead of only checking that containers came back, so update-related problems are caught before shipping. - Settings → What's New now lists the notes for every recent release again. The screen had quietly fallen several versions behind, so the last eight releases of changes weren't showing up there — they're all back now, and a release check keeps it from drifting again. ## v1.7.91-alpha (2026-06-14) - Apps you've installed now reliably show their "Open" button again. Some apps — including Jellyfin, BTCPay Server, Fedimint, Gitea and Portainer — were running fine but their launch link sometimes went missing, so there was no way to open them from the home screen. They now open correctly. - Receiving Bitcoin is more dependable: if the wallet's internal connection details drift after a restart, it now repairs them on its own, and any error it does hit is reported clearly instead of as a generic failure or a misleading "wallet locked" message. - Installing Bitcoin now sets itself up correctly without manual help — a security credential that could previously be missing and stop Bitcoin from starting is created automatically before it launches. - The Electrum server app is back on the home screen and can be launched again. - Behind the scenes, the release now runs an expanded automated test suite before shipping, so these kinds of issues are caught earlier. ## v1.7.90-alpha (2026-06-13) - Generating a Bitcoin receive address works again — the wallet now requests the correct address type, fixing the "400 Bad Request" error when creating an address. - In the companion app, the on-screen pointer can now click into apps and type — including the app store search box — instead of clicks and keystrokes not reaching app content. - "Open in a new tab" from the companion app now opens the app in your phone's browser, instead of doing nothing. The normal mobile browser keeps working as before. - The login/credentials pop-up on phones is once again a centered, properly sized window rather than stretching the full height of the screen. - The Electrum server now recovers on its own if its index ever gets corrupted, and shows a clear progress screen (with percent complete and block height) while it builds its index, instead of a blank or broken page. - Software updates are more reliable on slow internet connections — downloads are given much more time to finish before giving up. ## v1.7.89-alpha (2026-06-12) - The AI assistant looks the way it always did again: no extra back button or close button on phones, and the desktop view fills the whole screen without a gap at the bottom. - System updates are much more reliable: updates that previously got stuck partway or failed to install now complete cleanly, and a failed update can no longer block all future updates. - After an update, the system now checks itself correctly on every node type, so working updates are no longer mistakenly undone. - Generating a Bitcoin receive address works again on nodes where a network proxy previously got in the way. - The Lightning wallet now recovers and unlocks itself properly after restarts. ## v1.7.88-alpha (2026-06-12) - AIUI now loads immediately again instead of waiting on a production availability probe and cache-busted iframe URL, restoring the lighter launch behavior from before the regression. - Bitcoin receive now uses LND's GET-based newaddress flow with the native SegWit address type, fixing the `501 Method Not Allowed` response from the previous POST attempt. - Validation pending on the AIUI rollback; the rest of the release train remains unchanged. ## v1.7.87-alpha (2026-06-12) - Bitcoin receive now calls LND's on-chain address endpoint with the correct REST method, and backend failures keep the specific address-generation error instead of collapsing into the generic operation-failed message. - App launch credential interstitials now render as true full-screen overlays, and the launcher loading indicator uses the neutral brand palette instead of a blue spinner. - Validation passed with `git diff --check`, `npm run type-check`, and the focused frontend tests for `bitcoinReceive` and `AppIconGrid`. ## v1.7.86-alpha (2026-06-12) - Fleet now preserves the last known node list, alerts, and selection locally while telemetry refreshes in the background, so the dashboard no longer blanks on tab switches or update scans. - Connected nodes and identities now reuse their last loaded data instead of reloading the visible list every time the user revisits the tab. - The Fleet matrix and detail views now show actual node names and host information instead of raw node id prefixes. - The network map only redraws when its graph data actually changes, which stops the D3 scene from visually resetting on every refresh tick. - Mobile federation and system-update actions now stack full width, and the ElectrumX app health check allows a long startup window so slow sync nodes do not restart mid-index. - Validation passed with `git diff --check`, focused frontend tests, and `npm run type-check`. ## v1.7.85-alpha (2026-06-12) - ElectrumX now runs with less cache pressure and more memory headroom, reducing the restart loop seen during sync catch-up. - Portainer is pinned to `2.19.4` instead of `latest`, avoiding schema-drift restarts from surprise image updates. - LND receive-address creation now asks for a native SegWit address and returns clearer wallet/readiness failures when an address is not available. - Fleet telemetry now carries server name, hostname, and server URL, and the Fleet dashboard shows those names instead of hashed node ids. - Trusted federation peers are still auto-added transitively, but the local node no longer imports itself back into the fleet list. - Validation passed locally for the touched frontend helpers, `git diff --check`, and Rust formatting. ## v1.7.84-alpha (2026-06-11) - Bitcoin trusted-node relay approvals now generate restricted `txrelay` RPC credentials when needed and restart the active Bitcoin backend so bitcoind loads the new `rpcauth` whitelist. - Kiosk mode now includes a browser safe-area path for HDMI displays that crop edges, and self-update refreshes kiosk launcher/systemd files so display fixes ship to existing nodes. The experimental X11 scaling safe-area is opt-in to avoid stretching TV output. - Wi-Fi setup now reports scan errors instead of showing an empty network list, supports retrying scans from the modal, parses escaped `nmcli` SSIDs correctly, and can join open networks without forcing a WPA password. - Bitcoin Core now matches Bitcoin Knots for restricted relay RPC support, including the txrelay secret injection and transaction broadcast whitelist. - The restricted Bitcoin relay whitelist now includes `submitpackage` and `gettxout`, covering newer wallet/package-relay broadcast flows without opening wallet/admin RPC. - The Bitcoin UI companion image is pinned to `1.7.84-alpha` across release metadata and the Quadlet fallback path, avoiding stale `latest` detection during OTA updates. - Container scanning now uses an RAII in-flight guard so timeout and error paths cannot leave the scanner stuck in a permanently busy state. - Validation passed with `cargo fmt`, `cargo check -p archipelago`, `git diff --check`, and focused source review of the relay message/approval path. ## v1.7.83-alpha (2026-06-11) - App launch metadata now derives more consistently from app manifests, with typed launch interfaces and catalog generation updates that keep packaged apps aligned with their runtime ports and launch surfaces. - Revoked or unsupported app surfaces were removed from the catalog and release path, including OnlyOffice and the unvalidated Saleor surface, so the Marketplace no longer exposes apps that cannot be safely supported in this release. - The frontend production build now passes strict TypeScript checks after tightening app details, Web5, cloud refresh, and credential test typing. - Mobile and desktop app surfaces received release polish: improved mobile app layout, safer mesh desktop/tablet scrolling, and the Home system card now routes directly to monitoring. - Bitcoin UI status rendering now avoids false stale/reconnecting states when fresh block snapshots advance, and guards optional DOM updates so the standalone Bitcoin UI is more resilient. - Deploy tooling now excludes local Codex scratch output, archived image-build artifacts, and upload screenshots from target syncs, and bounded optional IndeedHub fixups so a stuck Podman helper cannot hold the deploy. - Validation passed with `npm run type-check`, production `npm run build`, backend `cargo build --release`, catalog/release manifest checks, focused frontend tests, and live `.198` deploy verification through the frontend/service restart phase. ## v1.7.82-alpha (2026-05-22) - Saleor storefront proxying now forwards `X-Forwarded-Host`, fixing Next.js Server Actions requests that compared the browser origin with the internal `storefront-app:3000` upstream host. - Saleor storefront media now routes `/thumbnail/` and `/media/` through the same `9011` proxy to the Saleor API, fixing product image optimizer failures caused by `localhost:8000` media URLs. - The Saleor storefront container receives an explicit internal media origin so rewritten media URLs resolve inside the Podman network without exposing private API ports to browsers. - Validation passed with `cargo fmt --all --check --manifest-path core/Cargo.toml`, `cargo check -p archipelago --manifest-path core/Cargo.toml`, and live checks on `100.114.134.21` for storefront HTML, static assets, GraphQL, media redirects, and optimized product images. ## v1.7.81-alpha (2026-05-21) - Saleor storefront installs now use the prebuilt registry image instead of building the Next.js app on-device, avoiding Podman build failures during stack installation. - Existing Saleor stacks are repaired on adoption by recreating missing storefront containers, forcing the storefront app to bind `0.0.0.0:3000`, and resolving nginx upstreams dynamically after container restarts. - The shipped Saleor storefront image now includes public assets and omits Vercel-only Speed Insights injection, fixing broken static asset responses and the local `/_vercel/speed-insights/script.js` browser warning. - Validation passed with `cargo fmt --all --check --manifest-path core/Cargo.toml`, `cargo check -p archipelago --manifest-path core/Cargo.toml`, and live checks on `100.114.134.21` for `9011` storefront, static assets, and proxied GraphQL. ## v1.7.80-alpha (2026-05-21) - Saleor storefront proxying now falls back to the direct request scheme when no forwarded protocol header is present, fixing direct `http://node:9011` launches that could generate an invalid same-origin GraphQL URL. - The Saleor storefront release path keeps public proxy support intact by still honoring forwarded HTTPS headers for Nginx Proxy Manager domains while repairing local/direct port launches. - Validation passed with `cargo fmt --check` and `cargo check` for the Archipelago backend before release staging. ## v1.7.79-alpha (2026-05-20) - Saleor now installs the official Saleor Storefront as part of the stack, built from the pinned `saleor/storefront` source and served as the customer-facing shop on port `9011`. - Saleor app launches now open the storefront while the admin dashboard remains available on port `9010` with the generated `admin@example.com` credentials shown in Archipelago. - Public Nginx Proxy Manager hosts forwarding to the Saleor storefront also expose same-origin `/graphql/`, so public storefront domains can talk to the local Saleor API without mixed-content or private-LAN reachability failures. - Saleor stack metadata, marketplace descriptions, catalog ports, scanner exclusions, and app-session routing now describe the storefront/dashboard/API split explicitly. ## v1.7.78-alpha (2026-05-20) - Public Nginx Proxy Manager hosts for Saleor now keep browser GraphQL calls same-origin at `/graphql/` and proxy them to the local API on `8000`, fixing `Failed to fetch` when a public domain such as `noderunner.shop` was loaded from devices that cannot reach the node's private LAN/tailnet API address. - Saleor's validated stack changes are now release-ready: dashboard origins on port `9010` are explicitly allowed for dashboard/API calls, preserving the working test-node install path for production nodes. - NetBird launches now stay pinned to the unified dashboard/proxy origin on port `8087` instead of following stale runtime-discovered server URLs on `8086`. - NetBird's local nginx proxy now routes browser API, OAuth, relay, and WebSocket traffic through `host.containers.internal:8086` instead of a hard-coded rootless Podman gateway IP, and includes the upstream `management.ProxyService` gRPC path. - The mobile credentials interstitial now keeps credential lists scrollable and action buttons reachable in both My Apps and the mobile app icon grid. - Android WebView popup windows now hand external popup URLs to the system browser, covering app login/signup flows that open secondary windows. - Validation passed with `git diff --check`, `cargo check -p archipelago`, and the focused `npm test -- src/views/appSession/__tests__/appSessionConfig.test.ts` suite. ## v1.7.77-alpha (2026-05-20) - Saleor first-use now exposes generated credentials through Archipelago instead of leaving users at an unexplained dashboard login: App Details shows copyable `admin@example.com` credentials, and My Apps/mobile icon launches show a pre-launch credentials modal. - Saleor installs now create or repair the `admin@example.com` staff account idempotently after sample data loads, use the correct dashboard mount path, and re-check stack containers after startup so stopped containers are caught. - NetBird embedded login now uses the upstream-compatible IdP signing-key behavior and sends ID tokens from the dashboard to the management API, fixing the post-signup `Unauthenticated` state while preserving the unified local proxy/logout routes. - Transient unnamed Podman helper containers created during app install tasks are hidden from My Apps, so generated names like `eager_keldysh` no longer appear as user applications. - Validation passed with catalog/release JSON checks, `npm run type-check`, and `cargo fmt --all --check --manifest-path core/Cargo.toml`; live checks on `100.114.134.21` confirmed Saleor dashboard/API availability, generated Saleor admin login, NetBird OAuth availability, and NetBird logout redirects. ## v1.7.76-alpha (2026-05-20) - Saleor installs now use dashboard port `9010`, avoiding the existing Portainer `9000` binding on the test node while keeping API `8000`, Mailpit `8025`, and Jaeger `16686` unchanged. - Saleor's Valkey cache no longer bind-mounts `/var/lib/archipelago/saleor-cache`, and the dashboard container has the minimal rootless nginx capabilities it needs to chown cache files, bind port 80 inside the container, and drop workers to the nginx user. - NetBird's browser proxy now sends API, OAuth, relay, WebSocket, and management traffic through the stable host-published server port at `169.254.1.2:8086`, avoiding stale rootless Podman DNS/IPs after `netbird-server` restarts. - Mobile App Store category chips now stay visible above the tab bar, Discover is available on mobile, and category selection updates the page route/query so the selected category is actually shown. - Apps that require a real browser tab now open directly from the app icon tap instead of first entering an in-shell app-session route, including BTCPay, Grafana, Home Assistant, Vaultwarden, Nextcloud, Portainer, OnlyOffice, Tailscale, Uptime Kuma, Gitea, and Nginx Proxy Manager. - Validation passed with catalog JSON checks, `npm run type-check`, `cargo fmt --all --check --manifest-path core/Cargo.toml`, and `cargo check -p archipelago --manifest-path core/Cargo.toml`; live checks on `100.70.96.88` confirmed Saleor dashboard `9010`/API `8000` and NetBird API/OAuth routes survive `netbird-server` restart. ## v1.7.75-alpha (2026-05-19) - Saleor is now published as a recommended commerce app with catalog metadata, icon, direct app-session launch on port `9000`, scanner metadata, image pins, and a full stack installer for dashboard, API, worker, PostgreSQL, Valkey, Mailpit, and Jaeger. - Existing NetBird installs are repaired more aggressively by rewriting unified-origin config, recreating the dashboard/proxy containers, restarting the server, preserving data, and handling exact `/api` and `/oauth2` routes plus dashboard logout redirects through the local proxy. - Desktop dashboard scrolling now hands focus back from the sidebar to the main content when the pointer or wheel moves over the main pane, preventing the sidebar scroll area from trapping wheel input on short screens. - Validation passed with catalog JSON checks, `npm run type-check`, `cargo fmt --all --check --manifest-path core/Cargo.toml`, and `cargo check -p archipelago --manifest-path core/Cargo.toml` before release. ## v1.7.74-alpha (2026-05-19) - App-session right panels now re-focus the iframe after load and when the frame area is activated, so wheel/touch scrolling works immediately after switching tabs or selecting an app on shorter screens. - NetBird now launches through a unified local origin on port `8087` that proxies the dashboard plus `/oauth2`, `/api`, relay, WebSocket, and gRPC routes to `netbird-server`, fixing the embedded login flow that previously ended in `Unauthenticated` or `404 page not found` after logout. - Existing NetBird installs are repaired on adopt/start by rewriting `config.yaml`, `dashboard.env`, and the local nginx proxy config, then creating the missing `netbird-dashboard` and `netbird` proxy containers when needed while preserving NetBird data. - Saleor is still pending and is not included in this release; its registry/installer work remains local until it can be validated separately. - Validation passed with catalog JSON checks, `npm run type-check`, `cargo fmt --all --check --manifest-path core/Cargo.toml`, and `cargo check -p archipelago --manifest-path core/Cargo.toml`. ## v1.7.73-alpha (2026-05-19) - Mobile app launches for iframe-blocked apps now open the direct app URL in a new browser tab immediately instead of landing in a broken in-shell webview that requires a second tap. - Mobile My Apps/Websites tabs now react to route query changes, App Store pages label the mobile view as Discover, mobile filters have safe bottom spacing, and App Store search ignores the current category so searches cover all available apps. - My Apps search now surfaces matching App Store entries when the app is not installed, making it possible to jump directly from a failed My Apps search to the installable app details. - NetBird self-host installs now prefer a `100.x` tailnet/CGNAT address for dashboard, management, relay, STUN, and auth redirect origins when one is present; live repair on `100.89.209.89` updated the existing stack from LAN origins to `100.89.209.89` and restored `netbird-server`. - App-session iframe frames now focus automatically and wrap the iframe in a scroll host so wheel/touch scrolling works in the active right frame without requiring an initial click. ## v1.7.72-alpha (2026-05-19) - Settings What's New now includes the missing release notes for `v1.7.68-alpha` through `v1.7.71-alpha`, so the modal reflects the current OTA history instead of stopping at `v1.7.67-alpha`. - The follow-up release carries the NetBird install fix, Gitea icon polish, mobile app-session fallback updates, and rounder app icon masks from `v1.7.71-alpha` with the Settings modal notes included. - The local Cargo lockfile version metadata is kept in sync with the release bump after the previous release build updated it. ## v1.7.71-alpha (2026-05-19) - NetBird stack installs now pre-create `/var/lib/archipelago/netbird/data` before binding it into `netbird-server`, fixing the failed install/start path seen on `100.70.96.88` where Podman rejected the missing host directory. - NetBird start/restart ordering now starts `netbird-server` before the dashboard container so lifecycle actions bring the control plane up before the UI. - App-session invalid IDs and panel-mode fallbacks now return to `/dashboard/apps`, avoiding the stale `/apps` route that could render a 404. - Mobile launches for apps that block iframes now stay inside the Archipelago app-session fallback instead of automatically opening an external browser tab. - Installed Gitea containers now report the packaged Gitea icon, and app icon masks use a rounder radius on mobile grids, app cards, and detail headers. - Validation passed with `npm run type-check`, focused Vitest app-session/app-grid tests, `cargo fmt --all --check --manifest-path core/Cargo.toml`, and `cargo check -p archipelago --manifest-path core/Cargo.toml`. ## v1.7.70-alpha (2026-05-19) - NetBird is being corrected from the peer/client daemon image to the self-hosted NetBird control-plane stack with a launchable dashboard on port `8087`, a combined management/signal/relay server on `8086`, and STUN on UDP `3478`. - App sessions now always launch local apps through direct host ports and carry an explicit dashboard return target, so closing an iframe returns to the launching dashboard screen instead of falling through to browser history or a 404. - Mobile app launches ignore stale desktop panel state and route into the full app-session webview consistently. - The desktop sidebar now pins the logo/version at the top and controller/online/mode controls at the bottom, with only the navigation section scrolling on shorter screens. - Validation passed with catalog JSON checks, `scripts/image-versions.sh` syntax check, `npm run type-check`, `cargo fmt --all --check --manifest-path core/Cargo.toml`, and `cargo check -p archipelago --manifest-path core/Cargo.toml`. ## v1.7.69-alpha (2026-05-19) - App installs now allow up to 10 minutes for the initial `package.install` RPC to return, matching slow container image pulls and preventing apps from disappearing from My Apps while the backend is still pulling or retrying mirrors. - Live diagnostics on `100.70.96.88` confirmed the Gitea install did not fail; the primary registry pull timed out after 300 seconds, the fallback mirror succeeded, and Gitea came up healthy on `3001` while the frontend had already timed out at 15 seconds. - Gitea and other Docker-image app installs now stay visible during slow registry pulls instead of being marked as failed by the browser before backend install progress can complete. - Gitea is now categorized as a known Data app in My Apps, so a running Gitea container appears with installed apps instead of being filtered into the Websites/Services split. - NetBird `0.71.2` is now available in the app catalog and fallback marketplace data as a recommended networking app using the official `docker.io/netbirdio/netbird:0.71.2` image. - NetBird installs get persistent state under `/var/lib/archipelago/netbird`, `NET_ADMIN`/`NET_RAW`, `/dev/net/tun`, `slirp4netns`, image-version pinning, backend metadata, and health checks through `netbird status`. - The Archipelago terminal now includes `nano` on new disk installs and ISO builds, and self-update installs it on existing nodes if it is missing. - Validation passed with catalog JSON checks, shell syntax checks, `npm run type-check`, `cargo fmt --all --check --manifest-path core/Cargo.toml`, and `cargo check -p archipelago --manifest-path core/Cargo.toml`. ## v1.7.68-alpha (2026-05-19) - BTCPay Server now ships on the official `docker.io/btcpayserver/btcpayserver:2.3.9` image, fixing the plugin catalog crash caused by newer plugin dependency version metadata while preserving existing datadirs and Postgres databases. - BTCPay release and first-boot health checks no longer depend on `curl` inside the container; they use a bash TCP probe that works with the official image out of the box. - Host nginx now serves Nginx Proxy Manager HTTP-01 challenge files before the Archipelago SPA fallback and is marked as the default HTTP/HTTPS virtual host, so public proxy hosts can issue certificates without hijacking local API traffic. - Nginx Proxy Manager first-boot, runtime repair, and container-doctor paths now pre-create the ACME webroot, keep bind mounts owned by the rootless Archipelago user, and sync issued public proxy hosts into host nginx vhosts. - The Nginx Proxy Manager host-nginx sync now skips proxy hosts with missing certificate files and rolls back the generated nginx include if validation fails, preventing a bad certificate path from poisoning later nginx reloads. - App session close buttons now return to the previous dashboard screen when possible and otherwise fall back to My Apps, avoiding the 404 page after closing an app launched from an invalid or stale history entry. - System Update confirmation and mirror modals now teleport to the document body with a full-screen overlay, so they cover the whole app instead of only the right-hand dashboard panel. - Mobile app launches stay inside Archipelago's app-session webview and hide desktop-only new-tab launch affordances, including apps such as Home Assistant that previously looked like they would leave the mobile shell. - Live recovery on `100.70.96.88` upgraded only the `btcpay-server` container to `docker.io/btcpayserver/btcpayserver:2.3.9`, preserved the existing datadir and Postgres database, and confirmed the container is healthy after a pre-upgrade backup. - Public validation confirmed `spay.tx1138.com`/`www` redirect to BTCPay login over HTTPS and `sapien.tx1138.com`/`www` serve the L484 page over HTTPS using the issued Let's Encrypt certificates. ## v1.7.67-alpha (2026-05-18) - Home dashboard status cards now keep the last known good system, VPN, Bitcoin, and FIPS values while route changes or transient RPC failures are in flight, avoiding false "not configured" or "not running" flashes. - Home, Web5 Monitoring, and the Monitoring page headline cards now share the same live system-stat snapshot for CPU, memory, disk, uptime, and load so the visible numbers agree across the UI. - Settings What's New is filled through `v1.7.67-alpha`, including the missing historical `v1.7.44-alpha` through `v1.7.66-alpha` entries. - Bitcoin/Knots/Core shell lifecycle specs now match the Rust app config memory policy: 8 GiB on normal hosts, 4 GiB on low-memory hosts, and pruned Knots uses a larger dbcache on hosts with enough RAM to improve IBD throughput. - ElectrumX/electrs shell lifecycle specs now match the 4 GiB memory policy used by the Rust app config, reducing drift between first boot, reconcile, and app lifecycle paths. - Live assessment of `100.70.96.88` identified the current IBD bottlenecks as CPU/thermal/I/O pressure rather than RAM exhaustion, with follow-up work planned for existing-node swap repair, kiosk Chromium CPU reduction, and reconcile failure cleanup. ## v1.7.66-alpha (2026-05-18) - Nginx Proxy Manager stale-port repair now detects stopped or `Created` Podman records by inspecting `podman ps -a` port metadata, covering records where `podman port nginx-proxy-manager` returns no mapping until start. - Live recovery on `100.70.96.88` removed only the stale Nginx Proxy Manager container record and recreated it with `8081:81`, `8084:80`, and `8444:443`, preserving `/var/lib/archipelago/nginx-proxy-manager` data. - Validation confirmed Nginx Proxy Manager recovered as healthy and responds through direct admin port `8081`, host compatibility port `81`, and `/app/nginx-proxy-manager/`. ## v1.7.65-alpha (2026-05-18) - Orchestrator-backed app starts now run the same pre-start repairs as the legacy Podman path, so Nginx Proxy Manager stale `81:81` container metadata is removed and recreated before the orchestrator tries to start it. - Live diagnostics on `100.70.96.88` confirmed host nginx is healthy while Nginx Proxy Manager has no listeners on `8081`, `8084`, or `8444`, causing host nginx `502` responses for NPM proxy paths. ## v1.7.64-alpha (2026-05-18) - Update apply rate limiting is relaxed for authenticated admins from 2 attempts per 10 minutes to 10 attempts per minute, preventing the System Update page from getting stuck behind `429 Too Many Requests` during legitimate OTA retry/troubleshooting flows. - The corrected backend artifact rebuild protection from `v1.7.63-alpha` remains in place, so this release is built from a fresh Rust backend binary before publishing. ## v1.7.63-alpha (2026-05-18) - Release automation now rebuilds the Rust backend after bumping the version and before hashing release artifacts, preventing OTA manifests from pointing at a stale backend binary. - This corrected release carries the Nginx Proxy Manager stale-port repair in an updated backend binary, so nodes running `1.7.61-alpha` can actually receive and execute the fix. - Validation confirmed the previously published `v1.7.62-alpha` backend artifact still contained `1.7.61-alpha`, explaining why nodes did not advance after applying that update. ## v1.7.62-alpha (2026-05-18) - Nginx Proxy Manager start and restart now repair stale Podman containers that still publish the admin UI on host port `81`, which conflicts with host nginx on updated nodes. - The repair recreates only the stale Nginx Proxy Manager container metadata while preserving `/var/lib/archipelago/nginx-proxy-manager` data and using the current `8081:81`, `8084:80`, and `8444:443` mappings. - Runtime stale-listener cleanup for Nginx Proxy Manager is shared across start and restart paths so rootless port helper leftovers are still cleared before lifecycle retries. - Validation passed with `cargo fmt --all --check --manifest-path core/Cargo.toml` and `cargo check -p archipelago --manifest-path core/Cargo.toml`. ## v1.7.61-alpha (2026-05-18) - Multi-container stack installs now keep their app card in the `Installing` state for up to 20 minutes while dependency containers are being pulled and prepared. - BTCPay Server installs no longer appear to vanish or fail after two minutes while Postgres and NBXplorer are still being created before the primary `btcpay-server` container exists. - The stale-transition escape hatch remains short for start, stop, restart, update, and removal operations, so genuinely wedged lifecycle actions still recover quickly. - Live validation on `100.70.96.88` confirmed BTCPay Server completed installation and responds on port `23000` with the expected HTTP redirect. ## v1.7.60-alpha (2026-05-18) - Meshtastic serial detection now rejects malformed or incomplete handshakes instead of accepting unrelated serial devices as a fallback Meshtastic radio. - Mesh radio auto-detection now skips known non-mesh serial devices such as Sierra Wireless LTE modems and Zooz/Z-Wave sticks, avoiding interference with production peripherals. - Meshtastic config sync now sends `want_config_id` with the correct protobuf wire type, fixing radio-side `ignore malformed toradio` errors and allowing node-info/contact ingestion. - The stable `/dev/mesh-radio` udev rule no longer claims every `ttyACM*` device; it only matches known mesh USB serial adapters and known USB CDC ACM radio vendors. - Live validation on `100.70.96.88` confirmed Archipelago selects `/dev/ttyUSB0`, identifies the Meshtastic node, and refreshes 103 mesh contacts. ## v1.7.59-alpha (2026-05-17) - Mobile app launching now keeps known container apps inside Archipelago's app-session flow instead of forcing desktop-only new-tab behavior on phones. - App sessions on mobile now respect the status-bar safe area so foreground iframe content starts below the device chrome while the fullscreen backdrop remains edge-to-edge. - Prepackaged website launch buttons now resolve their curated website URLs before website-container fallback logic, restoring launches for the L484 sites and adding the Arch Presentation bookmark. - Meshtastic contact discovery now drains the radio config stream through completion and retries config sync when the contact cache is empty, so nearby nodes already known by the radio are more likely to appear in Archipelago. - The Apps page now includes a compact sideload button and modal for installing trusted Docker images with optional title, description, and port mapping metadata. - Sideloaded app title and description metadata now persist through the backend app-config file so refreshed package scans do not collapse custom apps back to generic IDs. - Validation passed with `npm test -- appLauncher`, `npm run build`, `cargo check -p archipelago`, and `cargo fmt --all --check`. ## v1.7.58-alpha (2026-05-17) - Mesh networking now supports Meshtastic radios over the Meshtastic serial API in addition to existing MeshCore Companion USB radios. - The mesh listener now probes preferred and auto-detected serial paths for both MeshCore and Meshtastic firmware, preserving the existing reconnect loop so unplug/replug and firmware hot-swap behavior stays consistent. - Meshtastic text packets are translated into the existing Archipelago mesh frame pipeline, so current RPC handlers, transport routing, message storage, typed-message decoding, and UI state continue to work without a separate frontend path. - Meshtastic node information is surfaced as normal mesh contacts using stable synthetic public keys derived from Meshtastic node numbers, allowing peer refresh and message attribution to reuse existing MeshCore contact handling. - Outbound Archipelago mesh messages can now be sent through Meshtastic as channel text packets using the same command path used by MeshCore channel broadcasts. - Device status now reports the detected firmware family as `meshcore` or `meshtastic` from the shared listener abstraction. - Radio udev rules now include USB CDC ACM serial devices (`ttyACM*`) alongside CP2102, CH340, and FTDI adapters so Meshtastic boards are more likely to appear through the stable `/dev/mesh-radio` symlink. - Host nginx now serves `/assets/*` hashed frontend chunks as immutable static files with a hard 404 on misses instead of falling back to `index.html`, preventing strict MIME errors when a browser has a stale pre-update HTML shell. - The SPA HTML shell and service-worker files now revalidate on every load, reducing stale frontend references after OTA updates. - OTA runtime promotion now installs the bundled `nginx-archipelago.conf` into `/etc/nginx/sites-available/archipelago` and reloads nginx after a successful config test, so frontend cache/fallback fixes reach existing nodes without a manual deploy. - Local validation passed with `cargo check -p archipelago`; live SSH testing against `100.70.96.88` was not completed because temporary public-key authentication was rejected on the target. ## v1.7.57-alpha (2026-05-17) - Nginx Proxy Manager now avoids privileged rootless Podman host port `81`, preferring `8081:81` while host nginx keeps a compatibility proxy on `:81` for stale cached launch buttons. - App installs now allocate ports by checking live host bind availability, falling back to a free high port when preferred ports are already occupied. - Portainer-created launchable containers are separated into a `Websites` tab and launch through their discovered published host port instead of hard-coded app URLs. - Internal BuildKit helper containers such as `buildx_buildkit_default` are hidden from the Apps UI. - Portainer works out of the box on Debian 13/Podman installs by including `catatonit` and by preserving the Podman socket mount as a socket rather than creating it as a directory. ## v1.7.56-alpha (2026-05-15) - Health notifications now clear when an app is no longer unhealthy, including stale alerts for removed containers such as Portainer. - Fresh installs now include the full Wi-Fi userspace stack (`wpasupplicant`, `wireless-regdb`, `iw`, `rfkill`, `polkitd`, `pciutils`, and `usbutils`) so NetworkManager can scan and connect with Intel Wi-Fi cards out of the box. - The installed system now grants the `archipelago` service user explicit NetworkManager PolicyKit access for web-triggered Wi-Fi scans and connection changes. - Wi-Fi connect now replaces stale/partial NetworkManager profiles and creates an explicit WPA-PSK profile with the supplied password, avoiding no-secret retry failures after a failed attempt. - Settings password changes now update the Linux/SSH password through non-interactive sudo, so the web password and SSH password stay in sync when the checkbox is enabled. - Quadlet environment values with spaces or shell metacharacters are quoted consistently, preventing env drift recreate loops for apps like nostr-rs-relay and Grafana. - Boot/bootstrap reconcile avoids restarting running Bitcoin containers while repairing RPC config, preserving IBD progress on active nodes. - Exit code 137 is labeled as SIGKILL instead of assuming OOM, avoiding false OOM alerts for orchestrator-managed recreates. - Container reconcile force-recreates Podman records stuck in `Stopping`, preserving bind-mounted app data while recovering wedged containers automatically. - Container health reporting is honest for running containers: Archipelago surfaces Podman's actual health state instead of marking every running container healthy. - Quadlet reconciliation restarts services when stale health gates, port bindings, network aliases, exec commands, or healthchecks drift from the current manifest. - Bitcoin Knots sync performance improves on fresh installs and updates with 8Gi container memory, a 4Gi dbcache, and full CPU parallelism. - ElectrumX initial indexing gets more headroom: CPU caps are removed, memory is raised to 4Gi, cache is raised to 3Gi, and oversized sends are allowed for heavier wallet/indexing workloads. - Mempool/ElectrumX lifecycle qualification respects pruned/non-archival Bitcoin nodes instead of installing a half-running stack with unhealthy dependencies. - LND wallet/RPC helpers are more tolerant of container-owned files and updated REST port metadata, improving LND lifecycle and wallet-connect flows. - Marketplace/catalog metadata carries richer container config so remote lifecycle tests install apps using the same settings users get from the UI. - The app screensaver no longer activates during media-heavy app sessions such as IndeeHub, Jellyfin, Immich, PhotoPrism, and File Browser; apps can also pause/resume it with media playback messages. - A fresh `1.7.56-alpha` unbundled installer ISO is built from the same primary VPS2 release line for easy download and USB flashing. ## v1.7.55-alpha (2026-05-13) - Container reconcile now force-recreates Podman records stuck in `Stopping`, preserving bind-mounted app data while recovering wedged containers automatically. - `.198` is green after the container-layer hardening pass: focused and broad non-destructive lifecycle audits pass, raw Podman health/state sweep is clean, and direct app probes return healthy responses. - Release-candidate artifacts are staged separately from live update publishing while Gitea artifact hosting is repaired. ## v1.7.54-alpha (2026-05-06) - Existing installs now self-repair nginx backend proxy locations for `/bitcoin-status` and `/api/app-catalog`, including hosts where `sites-enabled/archipelago` is a copied active file instead of a symlink. - LND UI is consistently served on `18083` across first boot, Tor config, companion Quadlet reconciliation, OTA runtime payloads, and ISO scripts; stale companion units/images are rewritten instead of only checking service active state. - OTA frontend tarballs now carry a clean runtime payload with updated scripts, docker UI sources, and canonical nginx config, preventing startup promotion from reintroducing stale host assets. - Release ISO builds now support the primary HTTP app registry when bundling core images, so unbundled media includes File Browser/Cloud support instead of requiring a post-install Marketplace download. - `.116` was live-updated with the new backend and runtime scripts; focused non-destructive lifecycle audit passes for Bitcoin Knots, LND, BTCPay, Mempool, and Grafana. ## v1.7.53-alpha (2026-05-05) - Bitcoin Knots/Core config generation no longer duplicates RPC bind and port settings between `bitcoin.conf` and container command args, fixing `Unable to bind all endpoints for RPC server` startup failures. - Legacy Bitcoin container healthchecks no longer depend on `bitcoin-cli`, which is absent from current Knots images and can wedge Podman healthcheck runners. - Update checks now prefer manifest OTA releases over stale git remotes unless `ARCHIPELAGO_GIT_UPDATES` is explicitly enabled, so installed nodes can see published releases from the VPS mirror. ## v1.7.52-alpha (2026-05-05) - Tailscale now launches the local installed web UI on port `8240` and starts `tailscaled` before `tailscale web`, fixing unreachable installs after container creation. - Grafana install/start/restart now repairs missing rootless host listeners on port `3000`, matching the existing SearXNG, Uptime Kuma, and Gitea recovery path. - Debian 13/Trixie ISO and disk-install paths now force security updates from `trixie-security` during image/install creation so rebuilt release media includes patched base packages. - Broad `.198` lifecycle audit passes with the current qualified app set; known absent blockers remain `electrumx`, `photoprism`, `dwn`, and `ollama`. ## v1.7.49-alpha (2026-04-30) - Bitcoin Knots/Core UI now reports connection, reconnecting, syncing, and error states from a backend status bridge instead of showing a stale "Unable to connect" message while the node is warming up. - ElectrumX UI now exposes indexed height, local Bitcoin height, known headers, status, and progress source so indexing/waiting states are readable during long initial sync. - Added container doctor timer and smoke/lifecycle test coverage for Bitcoin Knots/Core, ElectrumX, Mempool, BTCPay/NBXplorer, and UI surface availability. - Bitcoin Core and Bitcoin Knots are mutually exclusive variants, with a real Bitcoin Core manifest and corrected install conflict handling. - IndeeHub now launches only on direct web UI port `7778`; the broken `/app/indeedhub/` path proxy was removed, and port `7777` remains the Nostr relay. - BTCPay/NBXplorer Postgres environment formatting fixed so installs do not carry malformed connection strings. ## v1.7.48-alpha (2026-04-29) - archipelago.service no longer fails to start with "Failed to set up mount namespacing: /run/containers: No such file or directory" on nodes where /run/containers wasn't pre-created. ExecStartPre now creates it. Existing nodes need a one-time `systemctl edit archipelago` to add the mkdir; ISO installs from this version forward have the fix baked in. ## v1.7.47-alpha (2026-04-29) - Bitcoin Knots/Core sync is now significantly faster. The container now uses every available core for script verification (was capped at 2) and has 8GB of memory instead of 4GB so its 4GB UTXO cache has headroom for the mempool and peer connections. Existing nodes pick up the new limits on next install/update; freshly-installed nodes start at full speed. - ElectrumX initial indexing is faster too. Its CPU cap is removed, container memory is 4GB, and its internal cache is now 3GB (default was 1.2GB). ## v1.7.46-alpha (2026-04-29) - Health monitor no longer pages "Auto-restart failed" for orphaned containers. After a variant switch (bitcoin-core ↔ bitcoin-knots) the previous variant's container could survive uninstall and the health monitor would try restarting it forever. Now skipped silently with a debug log. - Apps no longer disappear from My Apps when an install fails. The card stays visible with state=Stopped so the user can retry or uninstall, with the failure reason surfaced via the new install_progress.message field. - "Downloading…" progress now actually advances during multi-image stack pulls. Was sticking at 20% until all pulls finished; now interpolates 20%→70% based on which image of N has landed. - Pulled four docker.io images (bitcoin, gitea, nextcloud, valkey) into the lfg2025 registries on OVH and tx1138. Removes a docker.io dependency from first-boot installs. - Resilience harness improvements: install-fail entries no longer vanish, install/uninstall/probe cells are timing-tolerant (60s retry on ui_probe and auth_probe), dep snapshots no longer leak companion containers into the dependent app's "new containers" set. ## v1.7.45-alpha (2026-04-29) - Bitcoin RPC auth is durable. The dashboard reliably connects across container restart, image update, and reboot. Was failing on registry-pulled images that shipped a stale baked-in password. - Multi-container apps show real install progress. IndeedHub (7), BTCPay (4), Mempool (3), Immich (3) — bar advances through Preparing → Pulling → Creating → Done instead of sitting at 0% until the very end. - Apps no longer disappear from the dashboard mid-install. The container scanner now respects in-flight installs and updates instead of evicting an entry while its containers are still being created. - IndeedHub installs cleanly on a fresh node. Five missing environment variables fixed; Nostr sign-in works on first install. - Tailscale install no longer fails with "executable not found". Container command was a malformed shell string; now a proper command array. - Removed three catalog entries that hung installs for ten minutes (dwn, endurain, ollama — no source images in our registries). Restored Nextcloud, sourced from docker.io. - Bitcoin Core update path uses the correct image name (was pulling from a non-existent path). - New ISO installs now allocate swap (sized to RAM, capped at 8GB, on the encrypted data partition). Without swap, container image builds and memory spikes were hitting OOM under load. ## v1.7.44-alpha (2026-04-28) 43de3b73 feat(orchestrator): complete container migration and release hardening ce39430b feat(self-update): sync and rebuild UI containers on OTA 72dec5aa fix(lnd-ui): align container port across all specs 83aacdf2 chore(release): archive ISO build recipes, tarball-only releases All notable changes to Archipelago will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] ## [1.3.1] - 2026-03-25 ### Security - All crypto dependencies pinned to exact versions from Cargo.lock (supply chain hardening) - ed25519-dalek 2.1 → 2.2.0, sha2 → 0.10.9, hmac → 0.12.1, argon2 → 0.5.3, chacha20poly1305 → 0.10.1, zeroize → 1.8.2, hkdf → 0.12.4, aes-gcm → 0.10.3 - All container images pinned to exact patch versions (no more floating tags) - postgres:15 → 15.17, redis:7 → 7.4.8, nginx:alpine → 1.29.6-alpine, uptime-kuma:1 → 1.23.17, nextcloud:29 → 29.0.16, valkey:8 → 8.1.6, mariadb:11.4 → 11.4.10, and 7 more - DWN server pinned by SHA256 digest (only has `:main` branch tag) ### Reliability - Nostr relay connections now have 10s timeout — prevents indefinite hangs blocking RPC calls - identity_manager.rs: publish_profile() - nostr_discovery.rs: publish_node_revocation(), verify_revocation(), discover_archipelago_nodes() - marketplace.rs: discover(), publish() ### Infrastructure - CI pipeline added (.github/workflows/ci.yml) — cargo fmt, clippy, tests + frontend type-check, build - Update system now fetches from git.tx1138.com Gitea instance (configurable via ARCHIPELAGO_UPDATE_URL) - Cleaned up stale git branches (app-store, overnight/2026-03-12, overnight/2026-03-13) ## [1.3.0] - 2026-03-19 ### Security #### Pentest Remediation (33 findings, all addressed) - **Critical**: Backend now binds to 127.0.0.1 only — no more direct LAN access to port 5678 - **Critical**: Fixed path traversal in Tor service management that could allow `sudo rm -rf` on arbitrary directories - **Critical**: Fixed unauthenticated file read/delete via DWN recordId path traversal - **High**: Federation peers now require cryptographic signature — unsigned peers rejected - **High**: Login redirect XSS vulnerability fixed with proper URL validation - **High**: Viewer role restricted to read-only node methods (was granting sign/export access) - **High**: Backup restore/verify now validates IDs against path traversal - **High**: Tar archive extraction validates every entry path (prevents tar slip attacks) - **High**: S3 backup endpoints require HTTPS and reject private IP ranges - **Medium**: Remember-me token secret now uses cryptographic random (not machine-id) - **Medium**: Destructive operations (factory reset, onboarding reset) now require password re-verification - **Medium**: Session token rotated after TOTP verification (prevents interception reuse) - **Medium**: Webhook URL validation hardened against IPv6 bypass, DNS rebinding, redirect chains - **Low**: CORS localhost:8100 only included in dev mode - **Low**: CSP `unsafe-inline` removed from `script-src` - **Low**: Content filenames validated against path separators and hidden file prefixes - **Low**: Nostr relay URLs restricted to `wss://` with private IP rejection - **Low**: Onion address validation enforces v3 format (56 base32 chars) - **Low**: Router detection restricted to private IP ranges only #### Nginx Authentication - Fixed session cookie name mismatch (`session_id` → `session`) across all nginx auth checks - LND Connect info endpoint now properly authenticated ### Container Reliability #### Memory Limits (prevents OOM crashes) - All 37 containers in `first-boot-containers.sh` now have `--memory=` limits - Automatic RAM tier detection — reduced limits on 8GB machines - Prevents a single runaway container from crashing the entire system #### Smart Container States - New `exited` state distinguishes crashed containers from intentionally stopped ones - Crashed containers show red "crashed" badge with restart button - Health-aware status: "healthy" (green), "starting up" (yellow spinner), "unhealthy" (orange pulse) - Restart button added next to Stop on running containers #### Crash Recovery Improvements - Boot recovery and health monitor now coordinate via shared flag (no more restart cascade) - User-stopped containers tracked in `user-stopped.json` — survive reboots without auto-restart - Boot recovery uses tiered ordering: databases → core → services → apps → UIs - Health monitor waits for boot recovery to complete before starting checks ### UI Improvements #### Home Dashboard - Wallet card now matches Web5 wallet display - New Transactions modal with full history (incoming/outgoing, amounts, confirmations) - Transactions button in header — switches to "Incoming" badge when pending transactions exist - Dev faucet button (dev mode only) with mutable wallet state - Fixed system stats crash (`cpu_usage_percent` field name mismatch) #### Apps & App Details - Container restart button (icon) next to Stop on all running apps - Exited/crashed containers show "Restart" instead of "Start" with red styling - Removed broken sticky header from Apps page - Health-aware status badges throughout #### Mesh, Cloud, Settings & More - Mesh view overhaul with improved layout - Glass button styling updates across components - New BaseModal and ToggleSwitch components - Updated translations (English + Spanish) - Spotlight search improvements ### Infrastructure #### LND Connect - Tor hidden service now exposes LND REST port (8080) for remote wallet connections - Fixed in ISO build script, deploy script, and live servers #### Dev Environment - Mock backend has mutable wallet state (faucet/send/receive actually change balances) - Testnet stack option auto-starts Podman machine on macOS - Boot mode simulation for testing startup screens ## [1.2.0] - 2026-03-14 ### Fixed #### Crash Loop Resolution - Identified and fixed UFW blocking Podman subnet DNS resolution on .228 - Fixed archy-nbxplorer, btcpay-server, mempool-web, immich crash loops (3500+ restarts) - All 32 containers stable with zero crash loops after fix #### DWN Sync Performance - Made `dwn.sync` endpoint non-blocking (background task with polling) - Added 90-second overall sync timeout to prevent indefinite blocking - Deduplicated peer onion addresses before syncing - Batched message pushes (50/batch) instead of one-at-a-time over Tor - Fixed HTTP handler to process all messages in batch (was only first) #### Backup Reliability - Increased backup.create rate limit from 3/600 to 10/600 for testing - Increased backup.restore rate limit from 2/600 to 5/600 #### Deploy Script - Added `set -eo pipefail` for pipe error detection - Fixed duplicate variable initialization - Fail on missing binary in --both path (was silently ignored) - Added post-deploy health check on .198 ### Added #### Cross-Node Test Suite - US-08: DWN sync tests — 50/50 pass (register, write, sync, query bidirectional) - US-10: Backup/restore tests — 80/80 pass (create, list, verify, delete × 10 × 2 nodes) - US-15: Boot recovery tests — .228 9/9 pass (32/32 containers survive 3 reboots) - `trigger_sync_and_wait()` helper for polling async DWN sync #### did:dht Integration Planning - Architecture document: `docs/did-dht-integration.md` - BEP-44 mutable DHT items, DNS packet encoding, z-base-32 identifiers - Publication/resolution flows, `mainline` crate selection, security notes #### DWN Protocol Definitions - 4 Archipelago DWN protocols documented in `docs/dwn-protocols.md` - Node Identity Announcements (public) - File Sharing Catalog (public) - Federation State (private) - App Deployment Requests (private) - Auto-registration of all 4 protocols on backend startup #### Deploy Script Improvements - `--dry-run` flag shows what would be deployed without executing - Works with all other flags (--live, --both, --frontend-only) #### ISO/First-Boot Improvements - Auto-create swap file on first boot (50% RAM, min 2GB, max 8GB) - Tiered container startup ordering in first-boot script - Tier 1: Databases, Tier 2: Core Services (5s delay), Tier 3: Applications (5s delay) ### Security #### Backend Hardening - Rate limiting on federation endpoints (join 5/60s, invite 10/300s) - DWN message data size limit (10MB max) - Container security: cap-drop ALL, no-new-privileges, per-app memory limits - Input validation: path traversal protection on identity/DID endpoints - Error sanitization: internal paths stripped from error messages ## [1.1.0] - 2026-03-13 ### Added #### Nostr Identity in Onboarding - Auto-generate secp256k1 Nostr keypair during identity creation - Onboarding shows both DID (`did:key:z...`) and Nostr ID (`npub1...`) with copy buttons - Real Ed25519 signature verification in onboarding verify step - Real encrypted backup creation in onboarding backup step #### NIP-07 Iframe Signing - `nostr-provider.js` injected into all proxied iframe apps via nginx `sub_filter` - `window.nostr` interface: `getPublicKey()`, `signEvent()`, `getRelays()` - Signing consent modal with "Remember for this app" option - `node.nostr-sign` RPC endpoint — signs events with node-level Nostr key - NIP-04 and NIP-44 encrypt/decrypt RPC endpoints for iframe apps - noStrudel Nostr client added to marketplace as iframe app #### File Sharing Across Nodes - Content catalog with add/remove/browse over Tor - Three access modes: `free`, `peers_only` (DID-authenticated), `paid` (cashu tokens) - Availability controls: `AllPeers`, `Nobody`, `Specific` (DID allowlist) - Peer Files view in Cloud page for browsing federated peers' shared content - Content download from peers via Tor SOCKS proxy #### DWN Multi-Node Sync - Bidirectional DWN message replication over Tor between federated nodes - Protocol and message sync via `/dwn` HTTP endpoint - DWN sync status in Federation dashboard with "Sync Now" button - DWN management section in Web5 page (protocols, messages, sync targets) #### Node Visualization Map - D3.js force-directed network topology graph - Nodes colored by trust level (green/amber/red), opacity by online status - Self node centered, draggable peer nodes with tooltips - List/Map tab switcher in Federation page with localStorage persistence #### Tor Address Rotation - `tor.rotate-service` RPC: generates new .onion address with 24h transition - Automatic propagation to Nostr relays and federation peers - `tor.cleanup-rotated` for expired transition directories - Per-app Tor toggle (`tor.toggle-app`) to enable/disable Tor per service - Tor management UI in Settings with rotate button and per-app toggles #### Boot Container Recovery - All stopped containers automatically started on backend boot - Fixes clean reboot scenario where PID marker was removed by systemd #### Monitoring & Testing - Federation health check script (cron every 5min, CSV + JSON output) - Uptime monitor with authenticated RPC access - `test-first-install.sh` — 8-check post-install verification - `test-nip07.sh` — 11-check NIP-07 signing validation - `test-tor-rotation.sh` — 10-check Tor rotation lifecycle - `test-integration-full.sh` — 23-check full integration test - `test-failure-recovery.sh` — 5-scenario failure injection + recovery ### Fixed - Health monitor webhook gate no longer blocks auto-restart and notifications - Monitoring alerts now trigger webhook delivery (DiskWarning, ContainerCrash) - Tor hostname reading with `tor-hostnames` readable cache (0700 system Tor dirs) - Tor rotation clears hostname cache before reading new address - Rotation restarts system Tor (not just archy-tor container) - NIP-07 signing uses node-level key (matches `getPublicKey()`) - DWN sync URL uses port 80 (nginx/Tor) instead of 5678 - DWN `/dwn` POST endpoint allows unauthenticated peer sync - DWN message handler supports both single and batch message formats ## [0.8.0-rc1] - 2026-03-11 ### Added #### W3C Identity & Credentials - W3C DID Core v1.0 compliant DID Document generation (`did:key` method) - DID Document verification and cross-node resolution over Tor - JSON-LD Verifiable Credentials (VC Data Model 2.0, Ed25519Signature2020 proofs) - Verifiable Presentation creation with selective disclosure - Credentials management UI at `/dashboard/web5/credentials` #### Decentralized Web Node (DWN) - DWN message store with CRUD, protocol registration, and query interface - DWN HTTP API (`POST /dwn`, `GET /dwn/health`) - Bidirectional peer sync over Tor via SOCKS proxy - DWN management UI in Web5 page with protocol browser #### Multi-Node Federation - Node federation protocol with invite codes (`fed1:` prefix), trust levels, state sync - Federation dashboard at `/dashboard/server/federation` - Federated app deployment to trusted peers over Tor - Architecture documented in `docs/multi-node-architecture.md` #### Decentralized Marketplace - NIP-78 Nostr-based app manifest discovery across relays - Trust scoring (0-100) based on DID verification, relay consensus, federation trust - App manifest publishing with Nostr secp256k1 signing - Community marketplace tab in App Store with trust score badges #### Networking - VPN integration (Tailscale + WireGuard) with keypair generation and status display - Mesh networking via Meshtastic LoRa devices with node discovery - DNS-over-HTTPS configuration (Cloudflare, Google, Quad9, Mullvad, Custom) - WiFi/Ethernet configuration via `nmcli` with scan-and-connect modal - Network interfaces display in Server page #### Hardware Wallet Support - PSBT signing flow (create, QR display, finalize, broadcast) - USB hardware wallet detection (ColdCard, Trezor, Ledger) - Hardware wallet signing UI in LND views #### System Management - System monitoring (CPU, RAM, disk gauges on Dashboard) - Automatic update system with download, apply, rollback, and scheduling - Disk space management with auto-cleanup at 90% usage - Container health monitoring with auto-recovery (max 3 restart attempts) - Crash recovery via PID-file detection and container snapshot restoration - Graceful shutdown with in-flight request draining (5s timeout) #### Backup & Restore - Full backup with tar.gz + ChaCha20-Poly1305 encryption - Backup create, list, verify, restore, delete via RPC - USB drive detection and backup-to-USB - Backup UI in Settings page #### Kiosk Mode - Chromium kiosk with auto-restart and watchdog service - Recovery page at `/recovery` (no auth required) - Kiosk keyboard shortcuts (Ctrl+Shift+R/H/Q) - Systemd services for kiosk and watchdog #### ARM64 Support - Cross-compilation for aarch64 with rustls-tls - All 6 core apps verified with multi-arch images - Parameterized ISO build script (`ARCH=arm64`) - RPi 5 testing guide #### Testing - 236 frontend tests across 17 test files (Vitest) - 124+ backend tests (cargo test) - Playwright visual regression suite (12 pages) - Chaos testing (SIGKILL recovery, concurrent RPC, rapid restarts) - App lifecycle testing and dependency chain verification - 1-week continuous uptime monitoring #### Documentation - Developer guide, API reference (100+ endpoints), app developer SDK guide - 5 Architecture Decision Records (Podman, DID:key, Nostr, Tor, ChaCha20) - Release process, canary deploy, quality baseline documentation ### Changed - Settings sections use `glass-card` instead of `path-option-card` - Web3 card shows "Coming Soon" badges instead of fake data - Network diagnostics moved from Settings to Server page - Removed `core/startos/` (2MB of dead code, zero dependencies) ### Fixed - CSRF protection on all state-changing RPC calls - CORS restricted to same-origin (removed `Access-Control-Allow-Origin: *`) - Nginx security headers (X-Frame-Options, CSP, X-Content-Type-Options) - All 24 silent catch blocks now log in dev mode - Zero `console.log` outside dev gate, zero `any` types ### Security - CSRF token validation on all state-changing endpoints - Same-origin CORS policy - Nginx security headers (SAMEORIGIN, nosniff, CSP, Referrer-Policy) - Container security hardened (readonly root, dropped caps, non-root, no-new-privileges) - Secrets rotation with AES-256-GCM and automatic scheduling ## [0.5.0-beta] - 2026-03-11 ### Added #### Security Hardening - Session inactivity expiry (24h), max 5 concurrent sessions with oldest eviction - Session rotation on password change (invalidates all other sessions) - Container security: `--cap-drop=ALL`, `--security-opt=no-new-privileges:true`, read-only root - Secrets rotation with AES-256-GCM encryption and metadata tracking - Path traversal prevention (nginx regex blocks + client-side sanitizePath) - Cookie-based auth for File Browser (removed token from URLs) - Login rate limiting (5 failures per 60s per IP) - TOTP two-factor authentication with backup codes #### Performance - Backend startup: ~100ms - Frontend bundle: ~105 KB gzipped initial load - WebSocket heartbeat (30s ping/pong) with exponential backoff reconnection - Server-side 5-minute inactivity timeout for stale WebSocket connections - Real-time install progress reporting via WebSocket during container pulls - Connection state machine (connecting/connected/disconnecting/disconnected) #### Apps & Integrations - Pinned all container images to specific versions (no `:latest` tags) - Fedimint and Fedimint Gateway with auto-LND detection - IndeedHub virtual app integration - Expanded read-only root filesystem support (electrs, nostr-relay, ollama) - Dependency chain validation (Bitcoin → Electrs → Mempool, Bitcoin → LND) #### Documentation - Comprehensive user guide (docs/user-guide.md) - Beta release checklist (docs/BETA-RELEASE-CHECKLIST.md) - 72-hour stability test script ### Fixed - Penpot hardcoded secret key replaced with SHA256-derived key - WebSocket reconnection reliability after network interruption ## [0.1.0] - 2026-01-28 ### 🎉 Initial Release The first production release of Archipelago - a next-generation Bitcoin Node OS for macOS. ### Added #### Core Features - **Native Rust Backend** - High-performance async server using Tokio and Hyper - **Modern Vue.js Frontend** - Beautiful glassmorphism UI with Tailwind CSS - **Docker Integration** - Seamless container orchestration via Docker Desktop - **Real-time WebSocket** - Live updates for container status and system events - **Authentication System** - Secure user login and session management #### Bitcoin & Lightning - **Bitcoin Core** - Full node in regtest mode with custom UI - **LND** - Lightning Network Daemon with dedicated interface - **BTCPay Server** - Bitcoin payment processing - **Mempool Explorer** - Blockchain visualization and analytics #### Applications - **Penpot** - Open-source design and prototyping platform - **Endurain** - Self-hosted fitness tracking - **Morphos** - File conversion utility - **Nextcloud** - Cloud storage and file management - **Home Assistant** - Home automation hub - **Grafana** - Metrics and monitoring dashboards - **OnlyOffice** - Document editing suite - **SearXNG** - Privacy-respecting search engine - **Fedimint** - Federated e-cash system #### User Interface - **Onboarding Flow** - Guided setup for new users - **Dashboard** - Real-time system overview - **My Apps** - Alphabetically sorted app management - **Cloud Interface** - File management by type (Documents, Photos, Videos, Music) - **Web5 Explorer** - Decentralized identity and data management - **Settings** - System configuration and preferences - **Custom Launch Pages** - Dedicated UIs for Bitcoin Core and LND #### Technical Features - **Container Runtime Abstraction** - Support for Docker and Podman - **Dynamic Package Discovery** - Automatic detection of running containers - **Health Monitoring** - Container status and health checks - **Data Persistence** - Docker volumes for app data - **Network Isolation** - Secure container networking - **Resource Management** - CPU and memory allocation ### Architecture - **Backend**: Rust + Tokio + Hyper + WebSocket - **Frontend**: Vue 3 + TypeScript + Vite + Pinia - **Styling**: Tailwind CSS + Custom Glassmorphism - **Containers**: Docker Compose + Dockerode API - **Build System**: Cargo + npm + macOS App Bundle ### Known Limitations - Requires Docker Desktop (23.0+) - macOS only (Intel and Apple Silicon) - Single-user mode - No auto-updates (manual download required) - Ollama excluded due to image size - Manual Docker container management ### System Requirements - macOS 10.15 (Catalina) or later - 8GB RAM minimum (16GB recommended) - 20GB free disk space (50GB+ for blockchain data) - Docker Desktop 23.0 or later - Internet connection for initial container downloads ### Installation 1. Download `Archipelago-0.1.0-macOS.dmg` 2. Open the DMG and drag Archipelago to Applications 3. Install Docker Desktop if not already installed 4. Launch Archipelago from Applications 5. Access the UI at http://localhost:8100 ### Security - **Code Signed**: Yes (Developer ID) - **Notarized**: Yes (Apple notarization) - **Sandboxed**: No (requires full disk access for Docker) - **Hardened Runtime**: Yes - **Gatekeeper**: Compatible ### Documentation - README.md - Project overview - BUILD_MACOS.md - Build instructions - DEPLOYMENT_CHECKLIST.md - Release process - docs/ - Detailed documentation ### Credits Built with: - Rust (backend) - Vue.js (frontend) - Docker (containers) - Alpine Linux (inspiration) - Parmanode (Bitcoin scripts) - And many open-source dependencies ### License [Specify your license here] --- ## Version History ### 0.1.0 - 2026-01-28 Initial public release --- ## Future Roadmap See GitHub Issues for planned features: - [ ] Auto-update system - [ ] Multi-user support - [ ] Native container runtime (no Docker Desktop) - [ ] iOS companion app - [ ] Hardware wallet integration - [ ] Tor integration - [ ] VPN/Tailscale support - [ ] Backup/restore functionality - [ ] Mac App Store distribution - [ ] Windows and Linux builds ## Contributing See CONTRIBUTING.md for development setup and guidelines. ## Support - GitHub Issues: Report bugs and request features - Documentation: See `/docs` directory - Community: [Discord/Telegram/Forum link]