feat: architecture review fixes, self-update system, CI pipeline, supply chain hardening

Architecture review (all P0+P1 issues now fixed):
- Add 10s timeout to 6 bare Nostr client.connect() calls
- Pin all 12 crypto deps to exact versions from Cargo.lock
- Pin all 15 floating container image tags to exact patch versions
- Add CI pipeline (cargo fmt + clippy + tests, frontend type-check + build)

Self-update system (git.tx1138.com):
- scripts/self-update.sh: pull, build, install, restart with rollback
- systemd timer checks daily at 3 AM
- update.check RPC does git-based checks when repo is present
- update.git-apply RPC triggers self-update from UI
- Default update URL changed from GitHub to git.tx1138.com
- Git added to ISO package list for fresh installs

Documentation:
- CHANGELOG v1.3.1 with all changes
- README updated (version, update system section)
- BETA-PROGRESS session #6 logged
- architecture-review.html: 4 issues marked FIXED, 8/12 refactoring done

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian
2026-03-25 15:52:26 +00:00
parent 4d1df4a319
commit 207e53144c
19 changed files with 750 additions and 65 deletions


@@ -2,7 +2,7 @@
> **Goal**: Flawless beta that works perfectly on every machine we install it on.
> **Freeze started**: 2026-03-18
> **Last updated**: 2026-03-18
> **Last updated**: 2026-03-25
---
@@ -26,7 +26,7 @@ PHASE 3: Beta Live (public release)
Everything in this phase must pass before we hand it to real users.
### Overall Status: IN PROGRESS (~55%)
### Overall Status: IN PROGRESS (~65%)
| Workstream | Status | Completion | Gate-blocking? |
|------------|--------|------------|----------------|
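Review bot: the overall status moves from ~55% to ~65% with no stated derivation; since the workstream table directly below carries a per-row completion figure, state how the overall number is computed (for example a mean of the row percentages, with gate-blocking rows weighted) so the next update can reproduce it rather than estimate it.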
@@ -40,6 +40,8 @@ Everything in this phase must pass before we hand it to real users.
| 1H. UI Polish & Layout | DONE (batch + What's New) | ~90% | No |
| 1I. WebSocket Reliability | NOT STARTED | 0% | No |
| 1J. Quality Baseline Check | NOT STARTED | 0% | No |
| 1K. Architecture Review Fixes | DONE (4/4 items) | 100% | ~~YES~~ |
| 1L. Update System (git.tx1138.com) | DONE | 100% | No |
### 1A. Critical Bugs
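Review bot: the new 1K row uses `~~YES~~` in the Gate-blocking? column while every other row uses a plain Yes/No; pick one convention (keep `YES` if the gate was met, or `No` with a short note) so the column stays consistent and filterable. On the 1L row, the update system described in the commit message pulls, builds, installs and restarts from git.tx1138.com on a daily timer, which makes it a supply-chain path into every installed machine; reconsider whether "Gate-blocking? No" is right, and record in the status (or link to where it is tracked) what verification the pull performs before install, such as a signed tag or a pinned commit, and what the rollback condition is.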
@@ -316,6 +318,7 @@ Starts when we hand ISOs to real users on real hardware we don't control.
| 2026-03-18 | #3 | Updated tracking to reflect completed work — TASK-11 done, TASK-8 9/12, UI batch done | TASK-11, TASK-26-30, TASK-32, TASK-34-36, BUG-33 |
| 2026-03-18 | #4 | Rewrote deploy-tailscale.sh (full deploy with split-mode SSH, rootful migration, containers, infra). Fixed first-boot-containers.sh rootless bugs (subnet, UID mapping, prereqs). Dynamic HTTPS certs. | — |
| 2026-03-18 | #5 | BUG-1 CSRF fix, TASK-8 12/12 done, 7 bugs fixed, Argon2id migration, random BTC RPC, RBAC hardened, What's New history, Bitcoin sync gauge. Tagged v1.2.0-alpha.9. | BUG-1, TASK-8, BUG-20/37/40/41, TASK-31/38 |
| 2026-03-25 | #6 | Architecture review audit: all P0s+P1s verified fixed. Fixed remaining items: Nostr timeouts (6 calls), crypto dep pinning (12 deps), container image pinning (15 images), CI pipeline. Update system wired to git.tx1138.com. Cleaned stale branches. Docs updated. | Architecture review 4/4, CI pipeline |
---
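Review bot: the #6 row lists "Cleaned stale branches", which the commit message does not mention, and its last column records "Architecture review 4/4" while the message says refactoring is at 8/12; log the four remaining refactoring items (or their task ids) in this row so they are not hidden behind the 4/4 figure. Exact pinning of 12 crypto deps and 15 container image tags also needs a stated refresh process, otherwise the pins themselves become the next stale-dependency finding; a one-line note on who bumps them and how (tooling or a scheduled task) would fit here.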