archy/CHANGELOG.md

Changelog

v1.7.95-alpha (2026-06-15)

• Browsing another node's shared files now works over the fast encrypted mesh. Opening a peer's cloud could fail with a generic "Operation failed" message because the request for their file list wasn't permitted over the mesh and came back as "not found" — and it never retried over Tor. The mesh now serves the file list directly, and if a peer can't answer over the mesh the node automatically falls back to Tor instead of giving up.
• Nodes you remove from your federation now stay removed. Previously a deleted node could quietly come back the next time you synced with another node that still listed it. Removed nodes are now remembered as removed and won't reappear on their own — only if you add them back yourself.
• The app credentials pop-up now appears as a normal centred box with a dimmed background over the whole screen, instead of stretching to fill the entire screen.

v1.7.94-alpha (2026-06-15)

• Your node now joins the private encrypted mesh network on its own. A wrong built-in setting meant nodes were quietly never reaching the shared mesh meeting point, so everything between nodes fell back to the slower Tor network. Every node now connects to the mesh automatically on startup, so node-to-node features like file sharing use the faster encrypted mesh first and only fall back to Tor when a peer is genuinely offline. (Confirmed live: a node with its mesh setting wiped re-connected to the mesh by itself within a second of starting.)
• You can now bring the mesh networking software up to the latest stable version straight from the node, with one action — it fetches the new version, checks it's genuine before installing, and restarts the mesh on its own. (Confirmed live end to end: a node on an older build was upgraded to the current stable release and rejoined the mesh automatically.)
• The Lightning wallet screen connects again on nodes where it was showing a "failed to fetch" error instead of your balance and channels. The wallet app and the node now talk to each other correctly, and the connection quietly repairs itself if its details drift after a restart.

v1.7.93-alpha (2026-06-14)

• Receiving Bitcoin and Lightning works again on nodes where the Lightning wallet was stuck locked. After some updates the wallet could come back locked with a password the node no longer had, so "generate a receive address" kept failing with a "wallet is locked" message that nothing could clear. The node now detects this and repairs itself automatically.
• Each node now secures its Lightning wallet with its own unique, randomly generated password instead of a shared built-in one, and remembers it safely so the wallet unlocks on its own after every restart or update — no more getting stuck locked.
• If a wallet is found locked with an unrecoverable password, the node rebuilds it cleanly so Bitcoin and Lightning start working again. (On these early-access nodes the wallet holds no funds, so nothing is lost — a wallet locked with an unknown password was already inaccessible.)
• The self-repair was validated end to end on live nodes: a stuck, locked wallet was detected, rebuilt, and came back unlocked on its own, and stayed unlocked across restarts.

v1.7.92-alpha (2026-06-14)

• The Electrum server app no longer flashes a "can't connect, try again" error over its loading screen while it's still catching up. If ElectrumX is building its index or waiting on the Bitcoin node, you now just see the sync progress, and the app opens on its own once it's ready.
• Behind the scenes, the reboot-survival test now confirms the whole system is genuinely healthy after a restart — every app reachable, updates not stuck, core services answering — instead of only checking that containers came back, so update-related problems are caught before shipping.
• Settings → What's New now lists the notes for every recent release again. The screen had quietly fallen several versions behind, so the last eight releases of changes weren't showing up there — they're all back now, and a release check keeps it from drifting again.

v1.7.91-alpha (2026-06-14)

• Apps you've installed now reliably show their "Open" button again. Some apps — including Jellyfin, BTCPay Server, Fedimint, Gitea and Portainer — were running fine but their launch link sometimes went missing, so there was no way to open them from the home screen. They now open correctly.
• Receiving Bitcoin is more dependable: if the wallet's internal connection details drift after a restart, it now repairs them on its own, and any error it does hit is reported clearly instead of as a generic failure or a misleading "wallet locked" message.
• Installing Bitcoin now sets itself up correctly without manual help — a security credential that could previously be missing and stop Bitcoin from starting is created automatically before it launches.
• The Electrum server app is back on the home screen and can be launched again.
• Behind the scenes, the release now runs an expanded automated test suite before shipping, so these kinds of issues are caught earlier.

v1.7.90-alpha (2026-06-13)

• Generating a Bitcoin receive address works again — the wallet now requests the correct address type, fixing the "400 Bad Request" error when creating an address.
• In the companion app, the on-screen pointer can now click into apps and type — including the app store search box — instead of clicks and keystrokes not reaching app content.
• "Open in a new tab" from the companion app now opens the app in your phone's browser, instead of doing nothing. The normal mobile browser keeps working as before.
• The login/credentials pop-up on phones is once again a centered, properly sized window rather than stretching the full height of the screen.
• The Electrum server now recovers on its own if its index ever gets corrupted, and shows a clear progress screen (with percent complete and block height) while it builds its index, instead of a blank or broken page.
• Software updates are more reliable on slow internet connections — downloads are given much more time to finish before giving up.

v1.7.89-alpha (2026-06-12)

• The AI assistant looks the way it always did again: no extra back button or close button on phones, and the desktop view fills the whole screen without a gap at the bottom.
• System updates are much more reliable: updates that previously got stuck partway or failed to install now complete cleanly, and a failed update can no longer block all future updates.
• After an update, the system now checks itself correctly on every node type, so working updates are no longer mistakenly undone.
• Generating a Bitcoin receive address works again on nodes where a network proxy previously got in the way.
• The Lightning wallet now recovers and unlocks itself properly after restarts.

v1.7.88-alpha (2026-06-12)

• AIUI now loads immediately again instead of waiting on a production availability probe and cache-busted iframe URL, restoring the lighter launch behavior from before the regression.
• Bitcoin receive now uses LND's GET-based newaddress flow with the native SegWit address type, fixing the 501 Method Not Allowed response from the previous POST attempt.
• Validation pending on the AIUI rollback; the rest of the release train remains unchanged.

v1.7.87-alpha (2026-06-12)

• Bitcoin receive now calls LND's on-chain address endpoint with the correct REST method, and backend failures keep the specific address-generation error instead of collapsing into the generic operation-failed message.
• App launch credential interstitials now render as true full-screen overlays, and the launcher loading indicator uses the neutral brand palette instead of a blue spinner.
• Validation passed with git diff --check, npm run type-check, and the focused frontend tests for bitcoinReceive and AppIconGrid.

v1.7.86-alpha (2026-06-12)

• Fleet now preserves the last known node list, alerts, and selection locally while telemetry refreshes in the background, so the dashboard no longer blanks on tab switches or update scans.
• Connected nodes and identities now reuse their last loaded data instead of reloading the visible list every time the user revisits the tab.
• The Fleet matrix and detail views now show actual node names and host information instead of raw node id prefixes.
• The network map only redraws when its graph data actually changes, which stops the D3 scene from visually resetting on every refresh tick.
• Mobile federation and system-update actions now stack full width, and the ElectrumX app health check allows a long startup window so slow sync nodes do not restart mid-index.
• Validation passed with git diff --check, focused frontend tests, and npm run type-check.

v1.7.85-alpha (2026-06-12)

• ElectrumX now runs with less cache pressure and more memory headroom, reducing the restart loop seen during sync catch-up.
• Portainer is pinned to 2.19.4 instead of latest, avoiding schema-drift restarts from surprise image updates.
• LND receive-address creation now asks for a native SegWit address and returns clearer wallet/readiness failures when an address is not available.
• Fleet telemetry now carries server name, hostname, and server URL, and the Fleet dashboard shows those names instead of hashed node ids.
• Trusted federation peers are still auto-added transitively, but the local node no longer imports itself back into the fleet list.
• Validation passed locally for the touched frontend helpers, git diff --check, and Rust formatting.

v1.7.84-alpha (2026-06-11)

• Bitcoin trusted-node relay approvals now generate restricted txrelay RPC credentials when needed and restart the active Bitcoin backend so bitcoind loads the new rpcauth whitelist.
• Kiosk mode now includes a browser safe-area path for HDMI displays that crop edges, and self-update refreshes kiosk launcher/systemd files so display fixes ship to existing nodes. The experimental X11 scaling safe-area is opt-in to avoid stretching TV output.
• Wi-Fi setup now reports scan errors instead of showing an empty network list, supports retrying scans from the modal, parses escaped nmcli SSIDs correctly, and can join open networks without forcing a WPA password.
• Bitcoin Core now matches Bitcoin Knots for restricted relay RPC support, including the txrelay secret injection and transaction broadcast whitelist.
• The restricted Bitcoin relay whitelist now includes submitpackage and gettxout, covering newer wallet/package-relay broadcast flows without opening wallet/admin RPC.
• The Bitcoin UI companion image is pinned to 1.7.84-alpha across release metadata and the Quadlet fallback path, avoiding stale latest detection during OTA updates.
• Container scanning now uses an RAII in-flight guard so timeout and error paths cannot leave the scanner stuck in a permanently busy state.
• Validation passed with cargo fmt, cargo check -p archipelago, git diff --check, and focused source review of the relay message/approval path.

v1.7.83-alpha (2026-06-11)

• App launch metadata now derives more consistently from app manifests, with typed launch interfaces and catalog generation updates that keep packaged apps aligned with their runtime ports and launch surfaces.
• Revoked or unsupported app surfaces were removed from the catalog and release path, including OnlyOffice and the unvalidated Saleor surface, so the Marketplace no longer exposes apps that cannot be safely supported in this release.
• The frontend production build now passes strict TypeScript checks after tightening app details, Web5, cloud refresh, and credential test typing.
• Mobile and desktop app surfaces received release polish: improved mobile app layout, safer mesh desktop/tablet scrolling, and the Home system card now routes directly to monitoring.
• Bitcoin UI status rendering now avoids false stale/reconnecting states when fresh block snapshots advance, and guards optional DOM updates so the standalone Bitcoin UI is more resilient.
• Deploy tooling now excludes local Codex scratch output, archived image-build artifacts, and upload screenshots from target syncs, and bounded optional IndeedHub fixups so a stuck Podman helper cannot hold the deploy.
• Validation passed with npm run type-check, production npm run build, backend cargo build --release, catalog/release manifest checks, focused frontend tests, and live .198 deploy verification through the frontend/service restart phase.

v1.7.82-alpha (2026-05-22)

• Saleor storefront proxying now forwards X-Forwarded-Host, fixing Next.js Server Actions requests that compared the browser origin with the internal storefront-app:3000 upstream host.
• Saleor storefront media now routes /thumbnail/ and /media/ through the same 9011 proxy to the Saleor API, fixing product image optimizer failures caused by localhost:8000 media URLs.
• The Saleor storefront container receives an explicit internal media origin so rewritten media URLs resolve inside the Podman network without exposing private API ports to browsers.
• Validation passed with cargo fmt --all --check --manifest-path core/Cargo.toml, cargo check -p archipelago --manifest-path core/Cargo.toml, and live checks on 100.114.134.21 for storefront HTML, static assets, GraphQL, media redirects, and optimized product images.

v1.7.81-alpha (2026-05-21)

• Saleor storefront installs now use the prebuilt registry image instead of building the Next.js app on-device, avoiding Podman build failures during stack installation.
• Existing Saleor stacks are repaired on adoption by recreating missing storefront containers, forcing the storefront app to bind 0.0.0.0:3000, and resolving nginx upstreams dynamically after container restarts.
• The shipped Saleor storefront image now includes public assets and omits Vercel-only Speed Insights injection, fixing broken static asset responses and the local /_vercel/speed-insights/script.js browser warning.
• Validation passed with cargo fmt --all --check --manifest-path core/Cargo.toml, cargo check -p archipelago --manifest-path core/Cargo.toml, and live checks on 100.114.134.21 for 9011 storefront, static assets, and proxied GraphQL.

v1.7.80-alpha (2026-05-21)

• Saleor storefront proxying now falls back to the direct request scheme when no forwarded protocol header is present, fixing direct http://node:9011 launches that could generate an invalid same-origin GraphQL URL.
• The Saleor storefront release path keeps public proxy support intact by still honoring forwarded HTTPS headers for Nginx Proxy Manager domains while repairing local/direct port launches.
• Validation passed with cargo fmt --check and cargo check for the Archipelago backend before release staging.

v1.7.79-alpha (2026-05-20)

• Saleor now installs the official Saleor Storefront as part of the stack, built from the pinned saleor/storefront source and served as the customer-facing shop on port 9011.
• Saleor app launches now open the storefront while the admin dashboard remains available on port 9010 with the generated admin@example.com credentials shown in Archipelago.
• Public Nginx Proxy Manager hosts forwarding to the Saleor storefront also expose same-origin /graphql/, so public storefront domains can talk to the local Saleor API without mixed-content or private-LAN reachability failures.
• Saleor stack metadata, marketplace descriptions, catalog ports, scanner exclusions, and app-session routing now describe the storefront/dashboard/API split explicitly.

v1.7.78-alpha (2026-05-20)

• Public Nginx Proxy Manager hosts for Saleor now keep browser GraphQL calls same-origin at /graphql/ and proxy them to the local API on 8000, fixing Failed to fetch when a public domain such as noderunner.shop was loaded from devices that cannot reach the node's private LAN/tailnet API address.
• Saleor's validated stack changes are now release-ready: dashboard origins on port 9010 are explicitly allowed for dashboard/API calls, preserving the working test-node install path for production nodes.
• NetBird launches now stay pinned to the unified dashboard/proxy origin on port 8087 instead of following stale runtime-discovered server URLs on 8086.
• NetBird's local nginx proxy now routes browser API, OAuth, relay, and WebSocket traffic through host.containers.internal:8086 instead of a hard-coded rootless Podman gateway IP, and includes the upstream management.ProxyService gRPC path.
• The mobile credentials interstitial now keeps credential lists scrollable and action buttons reachable in both My Apps and the mobile app icon grid.
• Android WebView popup windows now hand external popup URLs to the system browser, covering app login/signup flows that open secondary windows.
• Validation passed with git diff --check, cargo check -p archipelago, and the focused npm test -- src/views/appSession/__tests__/appSessionConfig.test.ts suite.

v1.7.77-alpha (2026-05-20)

• Saleor first-use now exposes generated credentials through Archipelago instead of leaving users at an unexplained dashboard login: App Details shows copyable admin@example.com credentials, and My Apps/mobile icon launches show a pre-launch credentials modal.
• Saleor installs now create or repair the admin@example.com staff account idempotently after sample data loads, use the correct dashboard mount path, and re-check stack containers after startup so stopped containers are caught.
• NetBird embedded login now uses the upstream-compatible IdP signing-key behavior and sends ID tokens from the dashboard to the management API, fixing the post-signup Unauthenticated state while preserving the unified local proxy/logout routes.
• Transient unnamed Podman helper containers created during app install tasks are hidden from My Apps, so generated names like eager_keldysh no longer appear as user applications.
• Validation passed with catalog/release JSON checks, npm run type-check, and cargo fmt --all --check --manifest-path core/Cargo.toml; live checks on 100.114.134.21 confirmed Saleor dashboard/API availability, generated Saleor admin login, NetBird OAuth availability, and NetBird logout redirects.

v1.7.76-alpha (2026-05-20)

• Saleor installs now use dashboard port 9010, avoiding the existing Portainer 9000 binding on the test node while keeping API 8000, Mailpit 8025, and Jaeger 16686 unchanged.
• Saleor's Valkey cache no longer bind-mounts /var/lib/archipelago/saleor-cache, and the dashboard container has the minimal rootless nginx capabilities it needs to chown cache files, bind port 80 inside the container, and drop workers to the nginx user.
• NetBird's browser proxy now sends API, OAuth, relay, WebSocket, and management traffic through the stable host-published server port at 169.254.1.2:8086, avoiding stale rootless Podman DNS/IPs after netbird-server restarts.
• Mobile App Store category chips now stay visible above the tab bar, Discover is available on mobile, and category selection updates the page route/query so the selected category is actually shown.
• Apps that require a real browser tab now open directly from the app icon tap instead of first entering an in-shell app-session route, including BTCPay, Grafana, Home Assistant, Vaultwarden, Nextcloud, Portainer, OnlyOffice, Tailscale, Uptime Kuma, Gitea, and Nginx Proxy Manager.
• Validation passed with catalog JSON checks, npm run type-check, cargo fmt --all --check --manifest-path core/Cargo.toml, and cargo check -p archipelago --manifest-path core/Cargo.toml; live checks on 100.70.96.88 confirmed Saleor dashboard 9010/API 8000 and NetBird API/OAuth routes survive netbird-server restart.

v1.7.75-alpha (2026-05-19)

• Saleor is now published as a recommended commerce app with catalog metadata, icon, direct app-session launch on port 9000, scanner metadata, image pins, and a full stack installer for dashboard, API, worker, PostgreSQL, Valkey, Mailpit, and Jaeger.
• Existing NetBird installs are repaired more aggressively by rewriting unified-origin config, recreating the dashboard/proxy containers, restarting the server, preserving data, and handling exact /api and /oauth2 routes plus dashboard logout redirects through the local proxy.
• Desktop dashboard scrolling now hands focus back from the sidebar to the main content when the pointer or wheel moves over the main pane, preventing the sidebar scroll area from trapping wheel input on short screens.
• Validation passed with catalog JSON checks, npm run type-check, cargo fmt --all --check --manifest-path core/Cargo.toml, and cargo check -p archipelago --manifest-path core/Cargo.toml before release.

v1.7.74-alpha (2026-05-19)

• App-session right panels now re-focus the iframe after load and when the frame area is activated, so wheel/touch scrolling works immediately after switching tabs or selecting an app on shorter screens.
• NetBird now launches through a unified local origin on port 8087 that proxies the dashboard plus /oauth2, /api, relay, WebSocket, and gRPC routes to netbird-server, fixing the embedded login flow that previously ended in Unauthenticated or 404 page not found after logout.
• Existing NetBird installs are repaired on adopt/start by rewriting config.yaml, dashboard.env, and the local nginx proxy config, then creating the missing netbird-dashboard and netbird proxy containers when needed while preserving NetBird data.
• Saleor is still pending and is not included in this release; its registry/installer work remains local until it can be validated separately.
• Validation passed with catalog JSON checks, npm run type-check, cargo fmt --all --check --manifest-path core/Cargo.toml, and cargo check -p archipelago --manifest-path core/Cargo.toml.

v1.7.73-alpha (2026-05-19)

• Mobile app launches for iframe-blocked apps now open the direct app URL in a new browser tab immediately instead of landing in a broken in-shell webview that requires a second tap.
• Mobile My Apps/Websites tabs now react to route query changes, App Store pages label the mobile view as Discover, mobile filters have safe bottom spacing, and App Store search ignores the current category so searches cover all available apps.
• My Apps search now surfaces matching App Store entries when the app is not installed, making it possible to jump directly from a failed My Apps search to the installable app details.
• NetBird self-host installs now prefer a 100.x tailnet/CGNAT address for dashboard, management, relay, STUN, and auth redirect origins when one is present; live repair on 100.89.209.89 updated the existing stack from LAN origins to 100.89.209.89 and restored netbird-server.
• App-session iframe frames now focus automatically and wrap the iframe in a scroll host so wheel/touch scrolling works in the active right frame without requiring an initial click.

v1.7.72-alpha (2026-05-19)

• Settings What's New now includes the missing release notes for v1.7.68-alpha through v1.7.71-alpha, so the modal reflects the current OTA history instead of stopping at v1.7.67-alpha.
• The follow-up release carries the NetBird install fix, Gitea icon polish, mobile app-session fallback updates, and rounder app icon masks from v1.7.71-alpha with the Settings modal notes included.
• The local Cargo lockfile version metadata is kept in sync with the release bump after the previous release build updated it.

v1.7.71-alpha (2026-05-19)

• NetBird stack installs now pre-create /var/lib/archipelago/netbird/data before binding it into netbird-server, fixing the failed install/start path seen on 100.70.96.88 where Podman rejected the missing host directory.
• NetBird start/restart ordering now starts netbird-server before the dashboard container so lifecycle actions bring the control plane up before the UI.
• App-session invalid IDs and panel-mode fallbacks now return to /dashboard/apps, avoiding the stale /apps route that could render a 404.
• Mobile launches for apps that block iframes now stay inside the Archipelago app-session fallback instead of automatically opening an external browser tab.
• Installed Gitea containers now report the packaged Gitea icon, and app icon masks use a rounder radius on mobile grids, app cards, and detail headers.
• Validation passed with npm run type-check, focused Vitest app-session/app-grid tests, cargo fmt --all --check --manifest-path core/Cargo.toml, and cargo check -p archipelago --manifest-path core/Cargo.toml.

v1.7.70-alpha (2026-05-19)

• NetBird is being corrected from the peer/client daemon image to the self-hosted NetBird control-plane stack with a launchable dashboard on port 8087, a combined management/signal/relay server on 8086, and STUN on UDP 3478.
• App sessions now always launch local apps through direct host ports and carry an explicit dashboard return target, so closing an iframe returns to the launching dashboard screen instead of falling through to browser history or a 404.
• Mobile app launches ignore stale desktop panel state and route into the full app-session webview consistently.
• The desktop sidebar now pins the logo/version at the top and controller/online/mode controls at the bottom, with only the navigation section scrolling on shorter screens.
• Validation passed with catalog JSON checks, scripts/image-versions.sh syntax check, npm run type-check, cargo fmt --all --check --manifest-path core/Cargo.toml, and cargo check -p archipelago --manifest-path core/Cargo.toml.

v1.7.69-alpha (2026-05-19)

• App installs now allow up to 10 minutes for the initial package.install RPC to return, matching slow container image pulls and preventing apps from disappearing from My Apps while the backend is still pulling or retrying mirrors.
• Live diagnostics on 100.70.96.88 confirmed the Gitea install did not fail; the primary registry pull timed out after 300 seconds, the fallback mirror succeeded, and Gitea came up healthy on 3001 while the frontend had already timed out at 15 seconds.
• Gitea and other Docker-image app installs now stay visible during slow registry pulls instead of being marked as failed by the browser before backend install progress can complete.
• Gitea is now categorized as a known Data app in My Apps, so a running Gitea container appears with installed apps instead of being filtered into the Websites/Services split.
• NetBird 0.71.2 is now available in the app catalog and fallback marketplace data as a recommended networking app using the official docker.io/netbirdio/netbird:0.71.2 image.
• NetBird installs get persistent state under /var/lib/archipelago/netbird, NET_ADMIN/NET_RAW, /dev/net/tun, slirp4netns, image-version pinning, backend metadata, and health checks through netbird status.
• The Archipelago terminal now includes nano on new disk installs and ISO builds, and self-update installs it on existing nodes if it is missing.
• Validation passed with catalog JSON checks, shell syntax checks, npm run type-check, cargo fmt --all --check --manifest-path core/Cargo.toml, and cargo check -p archipelago --manifest-path core/Cargo.toml.

v1.7.68-alpha (2026-05-19)

• BTCPay Server now ships on the official docker.io/btcpayserver/btcpayserver:2.3.9 image, fixing the plugin catalog crash caused by newer plugin dependency version metadata while preserving existing datadirs and Postgres databases.
• BTCPay release and first-boot health checks no longer depend on curl inside the container; they use a bash TCP probe that works with the official image out of the box.
• Host nginx now serves Nginx Proxy Manager HTTP-01 challenge files before the Archipelago SPA fallback and is marked as the default HTTP/HTTPS virtual host, so public proxy hosts can issue certificates without hijacking local API traffic.
• Nginx Proxy Manager first-boot, runtime repair, and container-doctor paths now pre-create the ACME webroot, keep bind mounts owned by the rootless Archipelago user, and sync issued public proxy hosts into host nginx vhosts.
• The Nginx Proxy Manager host-nginx sync now skips proxy hosts with missing certificate files and rolls back the generated nginx include if validation fails, preventing a bad certificate path from poisoning later nginx reloads.
• App session close buttons now return to the previous dashboard screen when possible and otherwise fall back to My Apps, avoiding the 404 page after closing an app launched from an invalid or stale history entry.
• System Update confirmation and mirror modals now teleport to the document body with a full-screen overlay, so they cover the whole app instead of only the right-hand dashboard panel.
• Mobile app launches stay inside Archipelago's app-session webview and hide desktop-only new-tab launch affordances, including apps such as Home Assistant that previously looked like they would leave the mobile shell.
• Live recovery on 100.70.96.88 upgraded only the btcpay-server container to docker.io/btcpayserver/btcpayserver:2.3.9, preserved the existing datadir and Postgres database, and confirmed the container is healthy after a pre-upgrade backup.
• Public validation confirmed spay.tx1138.com/www redirect to BTCPay login over HTTPS and sapien.tx1138.com/www serve the L484 page over HTTPS using the issued Let's Encrypt certificates.

v1.7.67-alpha (2026-05-18)

• Home dashboard status cards now keep the last known good system, VPN, Bitcoin, and FIPS values while route changes or transient RPC failures are in flight, avoiding false "not configured" or "not running" flashes.
• Home, Web5 Monitoring, and the Monitoring page headline cards now share the same live system-stat snapshot for CPU, memory, disk, uptime, and load so the visible numbers agree across the UI.
• Settings What's New is filled through v1.7.67-alpha, including the missing historical v1.7.44-alpha through v1.7.66-alpha entries.
• Bitcoin/Knots/Core shell lifecycle specs now match the Rust app config memory policy: 8 GiB on normal hosts, 4 GiB on low-memory hosts, and pruned Knots uses a larger dbcache on hosts with enough RAM to improve IBD throughput.
• ElectrumX/electrs shell lifecycle specs now match the 4 GiB memory policy used by the Rust app config, reducing drift between first boot, reconcile, and app lifecycle paths.
• Live assessment of 100.70.96.88 identified the current IBD bottlenecks as CPU/thermal/I/O pressure rather than RAM exhaustion, with follow-up work planned for existing-node swap repair, kiosk Chromium CPU reduction, and reconcile failure cleanup.

v1.7.66-alpha (2026-05-18)

• Nginx Proxy Manager stale-port repair now detects stopped or Created Podman records by inspecting podman ps -a port metadata, covering records where podman port nginx-proxy-manager returns no mapping until start.
• Live recovery on 100.70.96.88 removed only the stale Nginx Proxy Manager container record and recreated it with 8081:81, 8084:80, and 8444:443, preserving /var/lib/archipelago/nginx-proxy-manager data.
• Validation confirmed Nginx Proxy Manager recovered as healthy and responds through direct admin port 8081, host compatibility port 81, and /app/nginx-proxy-manager/.

v1.7.65-alpha (2026-05-18)

• Orchestrator-backed app starts now run the same pre-start repairs as the legacy Podman path, so Nginx Proxy Manager stale 81:81 container metadata is removed and recreated before the orchestrator tries to start it.
• Live diagnostics on 100.70.96.88 confirmed host nginx is healthy while Nginx Proxy Manager has no listeners on 8081, 8084, or 8444, causing host nginx 502 responses for NPM proxy paths.

v1.7.64-alpha (2026-05-18)

• Update apply rate limiting is relaxed for authenticated admins from 2 attempts per 10 minutes to 10 attempts per minute, preventing the System Update page from getting stuck behind 429 Too Many Requests during legitimate OTA retry/troubleshooting flows.
• The corrected backend artifact rebuild protection from v1.7.63-alpha remains in place, so this release is built from a fresh Rust backend binary before publishing.

v1.7.63-alpha (2026-05-18)

• Release automation now rebuilds the Rust backend after bumping the version and before hashing release artifacts, preventing OTA manifests from pointing at a stale backend binary.
• This corrected release carries the Nginx Proxy Manager stale-port repair in an updated backend binary, so nodes running 1.7.61-alpha can actually receive and execute the fix.
• Validation confirmed the previously published v1.7.62-alpha backend artifact still contained 1.7.61-alpha, explaining why nodes did not advance after applying that update.

v1.7.62-alpha (2026-05-18)

• Nginx Proxy Manager start and restart now repair stale Podman containers that still publish the admin UI on host port 81, which conflicts with host nginx on updated nodes.
• The repair recreates only the stale Nginx Proxy Manager container metadata while preserving /var/lib/archipelago/nginx-proxy-manager data and using the current 8081:81, 8084:80, and 8444:443 mappings.
• Runtime stale-listener cleanup for Nginx Proxy Manager is shared across start and restart paths so rootless port helper leftovers are still cleared before lifecycle retries.
• Validation passed with cargo fmt --all --check --manifest-path core/Cargo.toml and cargo check -p archipelago --manifest-path core/Cargo.toml.

v1.7.61-alpha (2026-05-18)

• Multi-container stack installs now keep their app card in the Installing state for up to 20 minutes while dependency containers are being pulled and prepared.
• BTCPay Server installs no longer appear to vanish or fail after two minutes while Postgres and NBXplorer are still being created before the primary btcpay-server container exists.
• The stale-transition escape hatch remains short for start, stop, restart, update, and removal operations, so genuinely wedged lifecycle actions still recover quickly.
• Live validation on 100.70.96.88 confirmed BTCPay Server completed installation and responds on port 23000 with the expected HTTP redirect.

v1.7.60-alpha (2026-05-18)

• Meshtastic serial detection now rejects malformed or incomplete handshakes instead of accepting unrelated serial devices as a fallback Meshtastic radio.
• Mesh radio auto-detection now skips known non-mesh serial devices such as Sierra Wireless LTE modems and Zooz/Z-Wave sticks, avoiding interference with production peripherals.
• Meshtastic config sync now sends want_config_id with the correct protobuf wire type, fixing radio-side ignore malformed toradio errors and allowing node-info/contact ingestion.
• The stable /dev/mesh-radio udev rule no longer claims every ttyACM* device; it only matches known mesh USB serial adapters and known USB CDC ACM radio vendors.
• Live validation on 100.70.96.88 confirmed Archipelago selects /dev/ttyUSB0, identifies the Meshtastic node, and refreshes 103 mesh contacts.

v1.7.59-alpha (2026-05-17)

• Mobile app launching now keeps known container apps inside Archipelago's app-session flow instead of forcing desktop-only new-tab behavior on phones.
• App sessions on mobile now respect the status-bar safe area so foreground iframe content starts below the device chrome while the fullscreen backdrop remains edge-to-edge.
• Prepackaged website launch buttons now resolve their curated website URLs before website-container fallback logic, restoring launches for the L484 sites and adding the Arch Presentation bookmark.
• Meshtastic contact discovery now drains the radio config stream through completion and retries config sync when the contact cache is empty, so nearby nodes already known by the radio are more likely to appear in Archipelago.
• The Apps page now includes a compact sideload button and modal for installing trusted Docker images with optional title, description, and port mapping metadata.
• Sideloaded app title and description metadata now persist through the backend app-config file so refreshed package scans do not collapse custom apps back to generic IDs.
• Validation passed with npm test -- appLauncher, npm run build, cargo check -p archipelago, and cargo fmt --all --check.

v1.7.58-alpha (2026-05-17)

• Mesh networking now supports Meshtastic radios over the Meshtastic serial API in addition to existing MeshCore Companion USB radios.
• The mesh listener now probes preferred and auto-detected serial paths for both MeshCore and Meshtastic firmware, preserving the existing reconnect loop so unplug/replug and firmware hot-swap behavior stays consistent.
• Meshtastic text packets are translated into the existing Archipelago mesh frame pipeline, so current RPC handlers, transport routing, message storage, typed-message decoding, and UI state continue to work without a separate frontend path.
• Meshtastic node information is surfaced as normal mesh contacts using stable synthetic public keys derived from Meshtastic node numbers, allowing peer refresh and message attribution to reuse existing MeshCore contact handling.
• Outbound Archipelago mesh messages can now be sent through Meshtastic as channel text packets using the same command path used by MeshCore channel broadcasts.
• Device status now reports the detected firmware family as meshcore or meshtastic from the shared listener abstraction.
• Radio udev rules now include USB CDC ACM serial devices (ttyACM*) alongside CP2102, CH340, and FTDI adapters so Meshtastic boards are more likely to appear through the stable /dev/mesh-radio symlink.
• Host nginx now serves /assets/* hashed frontend chunks as immutable static files with a hard 404 on misses instead of falling back to index.html, preventing strict MIME errors when a browser has a stale pre-update HTML shell.
• The SPA HTML shell and service-worker files now revalidate on every load, reducing stale frontend references after OTA updates.
• OTA runtime promotion now installs the bundled nginx-archipelago.conf into /etc/nginx/sites-available/archipelago and reloads nginx after a successful config test, so frontend cache/fallback fixes reach existing nodes without a manual deploy.
• Local validation passed with cargo check -p archipelago; live SSH testing against 100.70.96.88 was not completed because temporary public-key authentication was rejected on the target.

v1.7.57-alpha (2026-05-17)

• Nginx Proxy Manager now avoids privileged rootless Podman host port 81, preferring 8081:81 while host nginx keeps a compatibility proxy on :81 for stale cached launch buttons.
• App installs now allocate ports by checking live host bind availability, falling back to a free high port when preferred ports are already occupied.
• Portainer-created launchable containers are separated into a Websites tab and launch through their discovered published host port instead of hard-coded app URLs.
• Internal BuildKit helper containers such as buildx_buildkit_default are hidden from the Apps UI.
• Portainer works out of the box on Debian 13/Podman installs by including catatonit and by preserving the Podman socket mount as a socket rather than creating it as a directory.

v1.7.56-alpha (2026-05-15)

• Health notifications now clear when an app is no longer unhealthy, including stale alerts for removed containers such as Portainer.
• Fresh installs now include the full Wi-Fi userspace stack (wpasupplicant, wireless-regdb, iw, rfkill, polkitd, pciutils, and usbutils) so NetworkManager can scan and connect with Intel Wi-Fi cards out of the box.
• The installed system now grants the archipelago service user explicit NetworkManager PolicyKit access for web-triggered Wi-Fi scans and connection changes.
• Wi-Fi connect now replaces stale/partial NetworkManager profiles and creates an explicit WPA-PSK profile with the supplied password, avoiding no-secret retry failures after a failed attempt.
• Settings password changes now update the Linux/SSH password through non-interactive sudo, so the web password and SSH password stay in sync when the checkbox is enabled.
• Quadlet environment values with spaces or shell metacharacters are quoted consistently, preventing env drift recreate loops for apps like nostr-rs-relay and Grafana.
• Boot/bootstrap reconcile avoids restarting running Bitcoin containers while repairing RPC config, preserving IBD progress on active nodes.
• Exit code 137 is labeled as SIGKILL instead of assuming OOM, avoiding false OOM alerts for orchestrator-managed recreates.
• Container reconcile force-recreates Podman records stuck in Stopping, preserving bind-mounted app data while recovering wedged containers automatically.
• Container health reporting is honest for running containers: Archipelago surfaces Podman's actual health state instead of marking every running container healthy.
• Quadlet reconciliation restarts services when stale health gates, port bindings, network aliases, exec commands, or healthchecks drift from the current manifest.
• Bitcoin Knots sync performance improves on fresh installs and updates with 8Gi container memory, a 4Gi dbcache, and full CPU parallelism.
• ElectrumX initial indexing gets more headroom: CPU caps are removed, memory is raised to 4Gi, cache is raised to 3Gi, and oversized sends are allowed for heavier wallet/indexing workloads.
• Mempool/ElectrumX lifecycle qualification respects pruned/non-archival Bitcoin nodes instead of installing a half-running stack with unhealthy dependencies.
• LND wallet/RPC helpers are more tolerant of container-owned files and updated REST port metadata, improving LND lifecycle and wallet-connect flows.
• Marketplace/catalog metadata carries richer container config so remote lifecycle tests install apps using the same settings users get from the UI.
• The app screensaver no longer activates during media-heavy app sessions such as IndeeHub, Jellyfin, Immich, PhotoPrism, and File Browser; apps can also pause/resume it with media playback messages.
• A fresh 1.7.56-alpha unbundled installer ISO is built from the same primary VPS2 release line for easy download and USB flashing.

v1.7.55-alpha (2026-05-13)

• Container reconcile now force-recreates Podman records stuck in Stopping, preserving bind-mounted app data while recovering wedged containers automatically.
• .198 is green after the container-layer hardening pass: focused and broad non-destructive lifecycle audits pass, raw Podman health/state sweep is clean, and direct app probes return healthy responses.
• Release-candidate artifacts are staged separately from live update publishing while Gitea artifact hosting is repaired.

v1.7.54-alpha (2026-05-06)

• Existing installs now self-repair nginx backend proxy locations for /bitcoin-status and /api/app-catalog, including hosts where sites-enabled/archipelago is a copied active file instead of a symlink.
• LND UI is consistently served on 18083 across first boot, Tor config, companion Quadlet reconciliation, OTA runtime payloads, and ISO scripts; stale companion units/images are rewritten instead of only checking service active state.
• OTA frontend tarballs now carry a clean runtime payload with updated scripts, docker UI sources, and canonical nginx config, preventing startup promotion from reintroducing stale host assets.
• Release ISO builds now support the primary HTTP app registry when bundling core images, so unbundled media includes File Browser/Cloud support instead of requiring a post-install Marketplace download.
• .116 was live-updated with the new backend and runtime scripts; focused non-destructive lifecycle audit passes for Bitcoin Knots, LND, BTCPay, Mempool, and Grafana.

v1.7.53-alpha (2026-05-05)

• Bitcoin Knots/Core config generation no longer duplicates RPC bind and port settings between bitcoin.conf and container command args, fixing Unable to bind all endpoints for RPC server startup failures.
• Legacy Bitcoin container healthchecks no longer depend on bitcoin-cli, which is absent from current Knots images and can wedge Podman healthcheck runners.
• Update checks now prefer manifest OTA releases over stale git remotes unless ARCHIPELAGO_GIT_UPDATES is explicitly enabled, so installed nodes can see published releases from the VPS mirror.

v1.7.52-alpha (2026-05-05)

• Tailscale now launches the local installed web UI on port 8240 and starts tailscaled before tailscale web, fixing unreachable installs after container creation.
• Grafana install/start/restart now repairs missing rootless host listeners on port 3000, matching the existing SearXNG, Uptime Kuma, and Gitea recovery path.
• Debian 13/Trixie ISO and disk-install paths now force security updates from trixie-security during image/install creation so rebuilt release media includes patched base packages.
• Broad .198 lifecycle audit passes with the current qualified app set; known absent blockers remain electrumx, photoprism, dwn, and ollama.

v1.7.49-alpha (2026-04-30)

• Bitcoin Knots/Core UI now reports connection, reconnecting, syncing, and error states from a backend status bridge instead of showing a stale "Unable to connect" message while the node is warming up.
• ElectrumX UI now exposes indexed height, local Bitcoin height, known headers, status, and progress source so indexing/waiting states are readable during long initial sync.
• Added container doctor timer and smoke/lifecycle test coverage for Bitcoin Knots/Core, ElectrumX, Mempool, BTCPay/NBXplorer, and UI surface availability.
• Bitcoin Core and Bitcoin Knots are mutually exclusive variants, with a real Bitcoin Core manifest and corrected install conflict handling.
• IndeeHub now launches only on direct web UI port 7778; the broken /app/indeedhub/ path proxy was removed, and port 7777 remains the Nostr relay.
• BTCPay/NBXplorer Postgres environment formatting fixed so installs do not carry malformed connection strings.

v1.7.48-alpha (2026-04-29)

• archipelago.service no longer fails to start with "Failed to set up mount namespacing: /run/containers: No such file or directory" on nodes where /run/containers wasn't pre-created. ExecStartPre now creates it. Existing nodes need a one-time systemctl edit archipelago to add the mkdir; ISO installs from this version forward have the fix baked in.

v1.7.47-alpha (2026-04-29)

• Bitcoin Knots/Core sync is now significantly faster. The container now uses every available core for script verification (was capped at 2) and has 8GB of memory instead of 4GB so its 4GB UTXO cache has headroom for the mempool and peer connections. Existing nodes pick up the new limits on next install/update; freshly-installed nodes start at full speed.
• ElectrumX initial indexing is faster too. Its CPU cap is removed, container memory is 4GB, and its internal cache is now 3GB (default was 1.2GB).

v1.7.46-alpha (2026-04-29)

• Health monitor no longer pages "Auto-restart failed" for orphaned containers. After a variant switch (bitcoin-core ↔ bitcoin-knots) the previous variant's container could survive uninstall and the health monitor would try restarting it forever. Now skipped silently with a debug log.
• Apps no longer disappear from My Apps when an install fails. The card stays visible with state=Stopped so the user can retry or uninstall, with the failure reason surfaced via the new install_progress.message field.
• "Downloading…" progress now actually advances during multi-image stack pulls. Was sticking at 20% until all pulls finished; now interpolates 20%→70% based on which image of N has landed.
• Pulled four docker.io images (bitcoin, gitea, nextcloud, valkey) into the lfg2025 registries on OVH and tx1138. Removes a docker.io dependency from first-boot installs.
• Resilience harness improvements: install-fail entries no longer vanish, install/uninstall/probe cells are timing-tolerant (60s retry on ui_probe and auth_probe), dep snapshots no longer leak companion containers into the dependent app's "new containers" set.

v1.7.45-alpha (2026-04-29)

• Bitcoin RPC auth is durable. The dashboard reliably connects across container restart, image update, and reboot. Was failing on registry-pulled images that shipped a stale baked-in password.
• Multi-container apps show real install progress. IndeedHub (7), BTCPay (4), Mempool (3), Immich (3) — bar advances through Preparing → Pulling → Creating → Done instead of sitting at 0% until the very end.
• Apps no longer disappear from the dashboard mid-install. The container scanner now respects in-flight installs and updates instead of evicting an entry while its containers are still being created.
• IndeedHub installs cleanly on a fresh node. Five missing environment variables fixed; Nostr sign-in works on first install.
• Tailscale install no longer fails with "executable not found". Container command was a malformed shell string; now a proper command array.
• Removed three catalog entries that hung installs for ten minutes (dwn, endurain, ollama — no source images in our registries). Restored Nextcloud, sourced from docker.io.
• Bitcoin Core update path uses the correct image name (was pulling from a non-existent path).
• New ISO installs now allocate swap (sized to RAM, capped at 8GB, on the encrypted data partition). Without swap, container image builds and memory spikes were hitting OOM under load.

v1.7.44-alpha (2026-04-28)

43de3b73 feat(orchestrator): complete container migration and release hardening ce39430b feat(self-update): sync and rebuild UI containers on OTA 72dec5aa fix(lnd-ui): align container port across all specs 83aacdf2 chore(release): archive ISO build recipes, tarball-only releases

All notable changes to Archipelago will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[1.3.1] - 2026-03-25

Security

• All crypto dependencies pinned to exact versions from Cargo.lock (supply chain hardening)
  • ed25519-dalek 2.1 → 2.2.0, sha2 → 0.10.9, hmac → 0.12.1, argon2 → 0.5.3, chacha20poly1305 → 0.10.1, zeroize → 1.8.2, hkdf → 0.12.4, aes-gcm → 0.10.3
• All container images pinned to exact patch versions (no more floating tags)
  • postgres:15 → 15.17, redis:7 → 7.4.8, nginx:alpine → 1.29.6-alpine, uptime-kuma:1 → 1.23.17, nextcloud:29 → 29.0.16, valkey:8 → 8.1.6, mariadb:11.4 → 11.4.10, and 7 more
  • DWN server pinned by SHA256 digest (only has :main branch tag)

Reliability

• Nostr relay connections now have 10s timeout — prevents indefinite hangs blocking RPC calls
  • identity_manager.rs: publish_profile()
  • nostr_discovery.rs: publish_node_revocation(), verify_revocation(), discover_archipelago_nodes()
  • marketplace.rs: discover(), publish()

Infrastructure

• CI pipeline added (.github/workflows/ci.yml) — cargo fmt, clippy, tests + frontend type-check, build
• Update system now fetches from git.tx1138.com Gitea instance (configurable via ARCHIPELAGO_UPDATE_URL)
• Cleaned up stale git branches (app-store, overnight/2026-03-12, overnight/2026-03-13)

[1.3.0] - 2026-03-19

Security

Pentest Remediation (33 findings, all addressed)

• Critical: Backend now binds to 127.0.0.1 only — no more direct LAN access to port 5678
• Critical: Fixed path traversal in Tor service management that could allow sudo rm -rf on arbitrary directories
• Critical: Fixed unauthenticated file read/delete via DWN recordId path traversal
• High: Federation peers now require cryptographic signature — unsigned peers rejected
• High: Login redirect XSS vulnerability fixed with proper URL validation
• High: Viewer role restricted to read-only node methods (was granting sign/export access)
• High: Backup restore/verify now validates IDs against path traversal
• High: Tar archive extraction validates every entry path (prevents tar slip attacks)
• High: S3 backup endpoints require HTTPS and reject private IP ranges
• Medium: Remember-me token secret now uses cryptographic random (not machine-id)
• Medium: Destructive operations (factory reset, onboarding reset) now require password re-verification
• Medium: Session token rotated after TOTP verification (prevents interception reuse)
• Medium: Webhook URL validation hardened against IPv6 bypass, DNS rebinding, redirect chains
• Low: CORS localhost:8100 only included in dev mode
• Low: CSP unsafe-inline removed from script-src
• Low: Content filenames validated against path separators and hidden file prefixes
• Low: Nostr relay URLs restricted to wss:// with private IP rejection
• Low: Onion address validation enforces v3 format (56 base32 chars)
• Low: Router detection restricted to private IP ranges only

Nginx Authentication

• Fixed session cookie name mismatch (session_id → session) across all nginx auth checks
• LND Connect info endpoint now properly authenticated

Container Reliability

Memory Limits (prevents OOM crashes)

• All 37 containers in first-boot-containers.sh now have --memory= limits
• Automatic RAM tier detection — reduced limits on 8GB machines
• Prevents a single runaway container from crashing the entire system

Smart Container States

• New exited state distinguishes crashed containers from intentionally stopped ones
• Crashed containers show red "crashed" badge with restart button
• Health-aware status: "healthy" (green), "starting up" (yellow spinner), "unhealthy" (orange pulse)
• Restart button added next to Stop on running containers

Crash Recovery Improvements

• Boot recovery and health monitor now coordinate via shared flag (no more restart cascade)
• User-stopped containers tracked in user-stopped.json — survive reboots without auto-restart
• Boot recovery uses tiered ordering: databases → core → services → apps → UIs
• Health monitor waits for boot recovery to complete before starting checks

UI Improvements

Home Dashboard

• Wallet card now matches Web5 wallet display
• New Transactions modal with full history (incoming/outgoing, amounts, confirmations)
• Transactions button in header — switches to "Incoming" badge when pending transactions exist
• Dev faucet button (dev mode only) with mutable wallet state
• Fixed system stats crash (cpu_usage_percent field name mismatch)

Apps & App Details

• Container restart button (icon) next to Stop on all running apps
• Exited/crashed containers show "Restart" instead of "Start" with red styling
• Removed broken sticky header from Apps page
• Health-aware status badges throughout

Mesh, Cloud, Settings & More

• Mesh view overhaul with improved layout
• Glass button styling updates across components
• New BaseModal and ToggleSwitch components
• Updated translations (English + Spanish)
• Spotlight search improvements

Infrastructure

LND Connect

• Tor hidden service now exposes LND REST port (8080) for remote wallet connections
• Fixed in ISO build script, deploy script, and live servers

Dev Environment

• Mock backend has mutable wallet state (faucet/send/receive actually change balances)
• Testnet stack option auto-starts Podman machine on macOS
• Boot mode simulation for testing startup screens

[1.2.0] - 2026-03-14

Fixed

Crash Loop Resolution

• Identified and fixed UFW blocking Podman subnet DNS resolution on .228
• Fixed archy-nbxplorer, btcpay-server, mempool-web, immich crash loops (3500+ restarts)
• All 32 containers stable with zero crash loops after fix

DWN Sync Performance

• Made dwn.sync endpoint non-blocking (background task with polling)
• Added 90-second overall sync timeout to prevent indefinite blocking
• Deduplicated peer onion addresses before syncing
• Batched message pushes (50/batch) instead of one-at-a-time over Tor
• Fixed HTTP handler to process all messages in batch (was only first)

Backup Reliability

• Increased backup.create rate limit from 3/600 to 10/600 for testing
• Increased backup.restore rate limit from 2/600 to 5/600

Deploy Script

• Added set -eo pipefail for pipe error detection
• Fixed duplicate variable initialization
• Fail on missing binary in --both path (was silently ignored)
• Added post-deploy health check on .198

Added

Cross-Node Test Suite

• US-08: DWN sync tests — 50/50 pass (register, write, sync, query bidirectional)
• US-10: Backup/restore tests — 80/80 pass (create, list, verify, delete × 10 × 2 nodes)
• US-15: Boot recovery tests — .228 9/9 pass (32/32 containers survive 3 reboots)
• trigger_sync_and_wait() helper for polling async DWN sync

did:dht Integration Planning

• Architecture document: docs/did-dht-integration.md
• BEP-44 mutable DHT items, DNS packet encoding, z-base-32 identifiers
• Publication/resolution flows, mainline crate selection, security notes

DWN Protocol Definitions

• 4 Archipelago DWN protocols documented in docs/dwn-protocols.md
• Node Identity Announcements (public)
• File Sharing Catalog (public)
• Federation State (private)
• App Deployment Requests (private)
• Auto-registration of all 4 protocols on backend startup

Deploy Script Improvements

• --dry-run flag shows what would be deployed without executing
• Works with all other flags (--live, --both, --frontend-only)

ISO/First-Boot Improvements

• Auto-create swap file on first boot (50% RAM, min 2GB, max 8GB)
• Tiered container startup ordering in first-boot script
• Tier 1: Databases, Tier 2: Core Services (5s delay), Tier 3: Applications (5s delay)

Security

Backend Hardening

• Rate limiting on federation endpoints (join 5/60s, invite 10/300s)
• DWN message data size limit (10MB max)
• Container security: cap-drop ALL, no-new-privileges, per-app memory limits
• Input validation: path traversal protection on identity/DID endpoints
• Error sanitization: internal paths stripped from error messages

[1.1.0] - 2026-03-13

Added

Nostr Identity in Onboarding

• Auto-generate secp256k1 Nostr keypair during identity creation
• Onboarding shows both DID (did:key:z...) and Nostr ID (npub1...) with copy buttons
• Real Ed25519 signature verification in onboarding verify step
• Real encrypted backup creation in onboarding backup step

NIP-07 Iframe Signing

• nostr-provider.js injected into all proxied iframe apps via nginx sub_filter
• window.nostr interface: getPublicKey(), signEvent(), getRelays()
• Signing consent modal with "Remember for this app" option
• node.nostr-sign RPC endpoint — signs events with node-level Nostr key
• NIP-04 and NIP-44 encrypt/decrypt RPC endpoints for iframe apps
• noStrudel Nostr client added to marketplace as iframe app

File Sharing Across Nodes

• Content catalog with add/remove/browse over Tor
• Three access modes: free, peers_only (DID-authenticated), paid (cashu tokens)
• Availability controls: AllPeers, Nobody, Specific (DID allowlist)
• Peer Files view in Cloud page for browsing federated peers' shared content
• Content download from peers via Tor SOCKS proxy

DWN Multi-Node Sync

• Bidirectional DWN message replication over Tor between federated nodes
• Protocol and message sync via /dwn HTTP endpoint
• DWN sync status in Federation dashboard with "Sync Now" button
• DWN management section in Web5 page (protocols, messages, sync targets)

Node Visualization Map

• D3.js force-directed network topology graph
• Nodes colored by trust level (green/amber/red), opacity by online status
• Self node centered, draggable peer nodes with tooltips
• List/Map tab switcher in Federation page with localStorage persistence

Tor Address Rotation

• tor.rotate-service RPC: generates new .onion address with 24h transition
• Automatic propagation to Nostr relays and federation peers
• tor.cleanup-rotated for expired transition directories
• Per-app Tor toggle (tor.toggle-app) to enable/disable Tor per service
• Tor management UI in Settings with rotate button and per-app toggles

Boot Container Recovery

• All stopped containers automatically started on backend boot
• Fixes clean reboot scenario where PID marker was removed by systemd

Monitoring & Testing

• Federation health check script (cron every 5min, CSV + JSON output)
• Uptime monitor with authenticated RPC access
• test-first-install.sh — 8-check post-install verification
• test-nip07.sh — 11-check NIP-07 signing validation
• test-tor-rotation.sh — 10-check Tor rotation lifecycle
• test-integration-full.sh — 23-check full integration test
• test-failure-recovery.sh — 5-scenario failure injection + recovery

Fixed

• Health monitor webhook gate no longer blocks auto-restart and notifications
• Monitoring alerts now trigger webhook delivery (DiskWarning, ContainerCrash)
• Tor hostname reading with tor-hostnames readable cache (0700 system Tor dirs)
• Tor rotation clears hostname cache before reading new address
• Rotation restarts system Tor (not just archy-tor container)
• NIP-07 signing uses node-level key (matches getPublicKey())
• DWN sync URL uses port 80 (nginx/Tor) instead of 5678
• DWN /dwn POST endpoint allows unauthenticated peer sync
• DWN message handler supports both single and batch message formats

[0.8.0-rc1] - 2026-03-11

Added

W3C Identity & Credentials

• W3C DID Core v1.0 compliant DID Document generation (did:key method)
• DID Document verification and cross-node resolution over Tor
• JSON-LD Verifiable Credentials (VC Data Model 2.0, Ed25519Signature2020 proofs)
• Verifiable Presentation creation with selective disclosure
• Credentials management UI at /dashboard/web5/credentials

Decentralized Web Node (DWN)

• DWN message store with CRUD, protocol registration, and query interface
• DWN HTTP API (POST /dwn, GET /dwn/health)
• Bidirectional peer sync over Tor via SOCKS proxy
• DWN management UI in Web5 page with protocol browser

Multi-Node Federation

• Node federation protocol with invite codes (fed1: prefix), trust levels, state sync
• Federation dashboard at /dashboard/server/federation
• Federated app deployment to trusted peers over Tor
• Architecture documented in docs/multi-node-architecture.md

Decentralized Marketplace

• NIP-78 Nostr-based app manifest discovery across relays
• Trust scoring (0-100) based on DID verification, relay consensus, federation trust
• App manifest publishing with Nostr secp256k1 signing
• Community marketplace tab in App Store with trust score badges

Networking

• VPN integration (Tailscale + WireGuard) with keypair generation and status display
• Mesh networking via Meshtastic LoRa devices with node discovery
• DNS-over-HTTPS configuration (Cloudflare, Google, Quad9, Mullvad, Custom)
• WiFi/Ethernet configuration via nmcli with scan-and-connect modal
• Network interfaces display in Server page

Hardware Wallet Support

• PSBT signing flow (create, QR display, finalize, broadcast)
• USB hardware wallet detection (ColdCard, Trezor, Ledger)
• Hardware wallet signing UI in LND views

System Management

• System monitoring (CPU, RAM, disk gauges on Dashboard)
• Automatic update system with download, apply, rollback, and scheduling
• Disk space management with auto-cleanup at 90% usage
• Container health monitoring with auto-recovery (max 3 restart attempts)
• Crash recovery via PID-file detection and container snapshot restoration
• Graceful shutdown with in-flight request draining (5s timeout)

Backup & Restore

• Full backup with tar.gz + ChaCha20-Poly1305 encryption
• Backup create, list, verify, restore, delete via RPC
• USB drive detection and backup-to-USB
• Backup UI in Settings page

Kiosk Mode

• Chromium kiosk with auto-restart and watchdog service
• Recovery page at /recovery (no auth required)
• Kiosk keyboard shortcuts (Ctrl+Shift+R/H/Q)
• Systemd services for kiosk and watchdog

ARM64 Support

• Cross-compilation for aarch64 with rustls-tls
• All 6 core apps verified with multi-arch images
• Parameterized ISO build script (ARCH=arm64)
• RPi 5 testing guide

Testing

• 236 frontend tests across 17 test files (Vitest)
• 124+ backend tests (cargo test)
• Playwright visual regression suite (12 pages)
• Chaos testing (SIGKILL recovery, concurrent RPC, rapid restarts)
• App lifecycle testing and dependency chain verification
• 1-week continuous uptime monitoring

Documentation

• Developer guide, API reference (100+ endpoints), app developer SDK guide
• 5 Architecture Decision Records (Podman, DID:key, Nostr, Tor, ChaCha20)
• Release process, canary deploy, quality baseline documentation

Changed

• Settings sections use glass-card instead of path-option-card
• Web3 card shows "Coming Soon" badges instead of fake data
• Network diagnostics moved from Settings to Server page
• Removed core/startos/ (2MB of dead code, zero dependencies)

Fixed

• CSRF protection on all state-changing RPC calls
• CORS restricted to same-origin (removed Access-Control-Allow-Origin: *)
• Nginx security headers (X-Frame-Options, CSP, X-Content-Type-Options)
• All 24 silent catch blocks now log in dev mode
• Zero console.log outside dev gate, zero any types

Security

• CSRF token validation on all state-changing endpoints
• Same-origin CORS policy
• Nginx security headers (SAMEORIGIN, nosniff, CSP, Referrer-Policy)
• Container security hardened (readonly root, dropped caps, non-root, no-new-privileges)
• Secrets rotation with AES-256-GCM and automatic scheduling

[0.5.0-beta] - 2026-03-11

Added

Security Hardening

• Session inactivity expiry (24h), max 5 concurrent sessions with oldest eviction
• Session rotation on password change (invalidates all other sessions)
• Container security: --cap-drop=ALL, --security-opt=no-new-privileges:true, read-only root
• Secrets rotation with AES-256-GCM encryption and metadata tracking
• Path traversal prevention (nginx regex blocks + client-side sanitizePath)
• Cookie-based auth for File Browser (removed token from URLs)
• Login rate limiting (5 failures per 60s per IP)
• TOTP two-factor authentication with backup codes

Performance

• Backend startup: ~100ms
• Frontend bundle: ~105 KB gzipped initial load
• WebSocket heartbeat (30s ping/pong) with exponential backoff reconnection
• Server-side 5-minute inactivity timeout for stale WebSocket connections
• Real-time install progress reporting via WebSocket during container pulls
• Connection state machine (connecting/connected/disconnecting/disconnected)

Apps & Integrations

• Pinned all container images to specific versions (no :latest tags)
• Fedimint and Fedimint Gateway with auto-LND detection
• IndeedHub virtual app integration
• Expanded read-only root filesystem support (electrs, nostr-relay, ollama)
• Dependency chain validation (Bitcoin → Electrs → Mempool, Bitcoin → LND)

Documentation

• Comprehensive user guide (docs/user-guide.md)
• Beta release checklist (docs/BETA-RELEASE-CHECKLIST.md)
• 72-hour stability test script

Fixed

• Penpot hardcoded secret key replaced with SHA256-derived key
• WebSocket reconnection reliability after network interruption

[0.1.0] - 2026-01-28

🎉 Initial Release

The first production release of Archipelago - a next-generation Bitcoin Node OS for macOS.

Added

Core Features

• Native Rust Backend - High-performance async server using Tokio and Hyper
• Modern Vue.js Frontend - Beautiful glassmorphism UI with Tailwind CSS
• Docker Integration - Seamless container orchestration via Docker Desktop
• Real-time WebSocket - Live updates for container status and system events
• Authentication System - Secure user login and session management

Bitcoin & Lightning

• Bitcoin Core - Full node in regtest mode with custom UI
• LND - Lightning Network Daemon with dedicated interface
• BTCPay Server - Bitcoin payment processing
• Mempool Explorer - Blockchain visualization and analytics

Applications

• Penpot - Open-source design and prototyping platform
• Endurain - Self-hosted fitness tracking
• Morphos - File conversion utility
• Nextcloud - Cloud storage and file management
• Home Assistant - Home automation hub
• Grafana - Metrics and monitoring dashboards
• OnlyOffice - Document editing suite
• SearXNG - Privacy-respecting search engine
• Fedimint - Federated e-cash system

User Interface

• Onboarding Flow - Guided setup for new users
• Dashboard - Real-time system overview
• My Apps - Alphabetically sorted app management
• Cloud Interface - File management by type (Documents, Photos, Videos, Music)
• Web5 Explorer - Decentralized identity and data management
• Settings - System configuration and preferences
• Custom Launch Pages - Dedicated UIs for Bitcoin Core and LND

Technical Features

• Container Runtime Abstraction - Support for Docker and Podman
• Dynamic Package Discovery - Automatic detection of running containers
• Health Monitoring - Container status and health checks
• Data Persistence - Docker volumes for app data
• Network Isolation - Secure container networking
• Resource Management - CPU and memory allocation

Architecture

• Backend: Rust + Tokio + Hyper + WebSocket
• Frontend: Vue 3 + TypeScript + Vite + Pinia
• Styling: Tailwind CSS + Custom Glassmorphism
• Containers: Docker Compose + Dockerode API
• Build System: Cargo + npm + macOS App Bundle

Known Limitations

• Requires Docker Desktop (23.0+)
• macOS only (Intel and Apple Silicon)
• Single-user mode
• No auto-updates (manual download required)
• Ollama excluded due to image size
• Manual Docker container management

System Requirements

• macOS 10.15 (Catalina) or later
• 8GB RAM minimum (16GB recommended)
• 20GB free disk space (50GB+ for blockchain data)
• Docker Desktop 23.0 or later
• Internet connection for initial container downloads

Installation

1. Download Archipelago-0.1.0-macOS.dmg
2. Open the DMG and drag Archipelago to Applications
3. Install Docker Desktop if not already installed
4. Launch Archipelago from Applications
5. Access the UI at http://localhost:8100

Security

• Code Signed: Yes (Developer ID)
• Notarized: Yes (Apple notarization)
• Sandboxed: No (requires full disk access for Docker)
• Hardened Runtime: Yes
• Gatekeeper: Compatible

Documentation

• README.md - Project overview
• BUILD_MACOS.md - Build instructions
• DEPLOYMENT_CHECKLIST.md - Release process
• docs/ - Detailed documentation

Credits

Built with:

• Rust (backend)
• Vue.js (frontend)
• Docker (containers)
• Alpine Linux (inspiration)
• Parmanode (Bitcoin scripts)
• And many open-source dependencies

License

[Specify your license here]

---

Version History

0.1.0 - 2026-01-28

Initial public release

---

Future Roadmap

See GitHub Issues for planned features:

• Auto-update system
• Multi-user support
• Native container runtime (no Docker Desktop)
• iOS companion app
• Hardware wallet integration
• Tor integration
• VPN/Tailscale support
• Backup/restore functionality
• Mac App Store distribution
• Windows and Linux builds

Contributing

See CONTRIBUTING.md for development setup and guidelines.

Support

• GitHub Issues: Report bugs and request features
• Documentation: See /docs directory
• Community: [Discord/Telegram/Forum link]