security+feat: v1.3.0 — pentest remediation, container reliability, UI overhaul

Security (33 pentest findings addressed):
- CRITICAL: backend binds 127.0.0.1, path traversal in tor.rs/dwn fixed
- HIGH: federation requires signatures, XSS login redirect, RBAC viewer restricted
- HIGH: tar slip prevention, S3 SSRF validation, backup ID validation
- MEDIUM: remember-me random secret, TOTP session rotation, password re-auth
- LOW: CSP unsafe-inline removed, CORS dev-only, onion/webhook validation

Container reliability:
- Memory limits on all 37 containers (OOM prevention)
- Exited vs stopped state distinction with health-aware status badges
- Crash recovery coordination (no more restart cascade)
- User-stopped tracking survives reboots
- Tiered boot recovery (databases → core → services → apps)

UI:
- Wallet TransactionsModal, health-aware app status badges
- Restart button on containers, exited/crashed red state
- Mesh view overhaul, glass button updates, BaseModal/ToggleSwitch
- Apps sticky header removed, dev faucet, mutable mock wallet

Infrastructure:
- LND REST port 8080 exposed over Tor (LND Connect fix)
- Nginx cookie_session fix, deploy script Tor config updated
- Dev environment: podman auto-start, boot mode simulation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/dev-start.sh

@@ -156,24 +156,38 @@ case $choice in
         fi
 
         if [ -z "$RUNTIME" ]; then
-            echo ""
-            echo "No working container runtime detected."
-            echo ""
             if command -v podman &>/dev/null; then
-                echo "Podman is installed but the machine isn't running:"
-                echo "  podman machine start"
+                echo "   Podman machine not running — starting it..."
+                if ! podman machine ls --format '{{.Name}}' 2>/dev/null | grep -q .; then
+                    echo "   No Podman machine found — initializing..."
+                    podman machine init
+                fi
+                podman machine start
+                if podman ps &>/dev/null; then
+                    if command -v podman-compose &>/dev/null; then
+                        RUNTIME="podman"
+                        COMPOSE="podman-compose"
+                    else
+                        RUNTIME="podman"
+                        COMPOSE="podman compose"
+                    fi
+                else
+                    echo "   Failed to start Podman machine."
+                    exit 1
+                fi
             elif command -v docker &>/dev/null; then
+                echo ""
                 echo "Docker is installed but the daemon isn't running."
                 echo "Start Docker Desktop and try again."
+                exit 1
             else
-                echo "Install Docker Desktop or Podman:"
-                echo "  brew install --cask docker"
-                echo "  # or"
+                echo ""
+                echo "No container runtime found. Install one:"
                 echo "  brew install podman podman-compose"
-                echo "  podman machine init && podman machine start"
+                echo "  # or"
+                echo "  brew install --cask docker"
+                exit 1
             fi
-            echo ""
-            exit 1
         fi
 
         echo "   Using: $RUNTIME"