fix: WebSocket reconnect state refresh, listener leak fixes, pin container images

- F4: Fetch fresh server state after WebSocket reconnect
- F5: Guard message polling timer with auth check, stop on logout
- F6: Remove NIP-07 listener in appLauncher close()
- F7: Initialize audio player once to prevent listener stacking
- S3: Pin all container images to specific versions, create image-versions.sh

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/first-boot-containers.sh

@@ -11,6 +11,9 @@ LOG="/var/log/archipelago-first-boot.log"
 DOCKER=podman
 command -v podman >/dev/null 2>&1 || DOCKER=docker
 
+# Source pinned image versions (single source of truth)
+source /opt/archipelago/image-versions.sh 2>/dev/null || true
+
 # Must run as root for podman
 [ "$(id -u)" -eq 0 ] || { echo "Must run as root" >&2; exit 1; }
 
@@ -252,7 +255,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE 'bitcoin-knots|arch
     --security-opt no-new-privileges:true \
     -p 8332:8332 -p 8333:8333 \
     -v /var/lib/archipelago/bitcoin:/home/bitcoin/.bitcoin \
-    docker.io/bitcoinknots/bitcoin:latest \
+    "${BITCOIN_KNOTS_IMAGE:-docker.io/bitcoinknots/bitcoin:v28.1}" \
     -server=1 $BTC_EXTRA_ARGS \
     -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
     -proxy=host.containers.internal:9050 -listen=1 -bind=0.0.0.0:8333 \
@@ -339,16 +342,16 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q electrs-ui; then
     log "Starting ElectrumX UI from pre-built image..."
     $DOCKER run -d --name archy-electrs-ui --network host --restart unless-stopped \
       --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
-      localhost/electrs-ui:latest 2>>"$LOG" || \
+      localhost/electrs-ui:local 2>>"$LOG" || \
     $DOCKER run -d --name archy-electrs-ui --network host --restart unless-stopped \
       --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
-      electrs-ui:latest 2>>"$LOG" || true
+      electrs-ui:local 2>>"$LOG" || true
   elif [ -d /opt/archipelago/docker/electrs-ui ]; then
     log "Building and starting ElectrumX UI from source..."
-    $DOCKER build -t electrs-ui:latest /opt/archipelago/docker/electrs-ui 2>>"$LOG" && \
+    $DOCKER build -t electrs-ui:local /opt/archipelago/docker/electrs-ui 2>>"$LOG" && \
     $DOCKER run -d --name archy-electrs-ui --network host --restart unless-stopped \
       --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
-      electrs-ui:latest 2>>"$LOG" || true
+      electrs-ui:local 2>>"$LOG" || true
   else
     log "ElectrumX UI: no image or source found, skipping"
   fi
@@ -583,7 +586,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q photoprism; then
     --security-opt no-new-privileges:true \
     -p 2342:2342 -v /var/lib/archipelago/photoprism:/photoprism/storage \
     -e PHOTOPRISM_ADMIN_PASSWORD=archipelago -e PHOTOPRISM_DEFAULT_LOCALE=en \
-    docker.io/photoprism/photoprism:latest 2>>"$LOG" || true
+    "${PHOTOPRISM_IMAGE:-docker.io/photoprism/photoprism:240915}" 2>>"$LOG" || true
 fi
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q ollama; then
   log "Creating Ollama..."
@@ -594,7 +597,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q ollama; then
     --cap-drop ALL --security-opt no-new-privileges:true \
     --read-only --tmpfs /tmp:rw,noexec,nosuid,size=256m --tmpfs /run:rw,noexec,nosuid,size=64m \
     -p 11434:11434 -v /var/lib/archipelago/ollama:/root/.ollama \
-    docker.io/ollama/ollama:latest 2>>"$LOG" || true
+    "${OLLAMA_IMAGE:-docker.io/ollama/ollama:0.5.4}" 2>>"$LOG" || true
 fi
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q vaultwarden; then
   log "Creating Vaultwarden..."
@@ -626,7 +629,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q searxng; then
     --cap-drop ALL --security-opt no-new-privileges:true \
     --read-only --tmpfs /tmp:rw,noexec,nosuid,size=256m --tmpfs /run:rw,noexec,nosuid,size=64m \
     -p 8888:8080 \
-    docker.io/searxng/searxng:latest 2>>"$LOG" || true
+    "${SEARXNG_IMAGE:-docker.io/searxng/searxng:2024.11.17}" 2>>"$LOG" || true
 fi
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q onlyoffice; then
   log "Creating OnlyOffice..."
@@ -658,7 +661,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q nginx-proxy-manager;
     -p 81:81 -p 8084:80 -p 8443:443 \
     -v /var/lib/archipelago/nginx-proxy-manager/data:/data \
     -v /var/lib/archipelago/nginx-proxy-manager/letsencrypt:/etc/letsencrypt \
-    docker.io/jc21/nginx-proxy-manager:latest 2>>"$LOG" || true
+    "${NPM_IMAGE:-docker.io/jc21/nginx-proxy-manager:2}" 2>>"$LOG" || true
 fi
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q portainer; then
   log "Creating Portainer..."
@@ -772,7 +775,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q penpot-frontend; the
       -e PENPOT_OBJECTS_STORAGE_BACKEND=fs \
       -e PENPOT_OBJECTS_STORAGE_FS_DIRECTORY=/opt/data/assets \
       -e PENPOT_FLAGS=disable-email-verification enable-smtp enable-prepl-server disable-secure-session-cookies \
-      docker.io/penpotapp/backend:latest 2>>"$LOG" || true
+      "${PENPOT_BACKEND_IMAGE:-docker.io/penpotapp/backend:2.4.2}" 2>>"$LOG" || true
     sleep 5
   fi
   if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q penpot-exporter; then
@@ -782,7 +785,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q penpot-frontend; the
       -e PENPOT_SECRET_KEY=archipelago-penpot-secret-key-change-in-production \
       -e PENPOT_PUBLIC_URI=http://penpot-frontend:8080 \
       -e PENPOT_REDIS_URI=redis://penpot-valkey/0 \
-      docker.io/penpotapp/exporter:latest 2>>"$LOG" || true
+      "${PENPOT_EXPORTER_IMAGE:-docker.io/penpotapp/exporter:2.4.2}" 2>>"$LOG" || true
     sleep 2
   fi
   if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q penpot-frontend; then
@@ -792,7 +795,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q penpot-frontend; the
       -p 9001:8080 -v /var/lib/archipelago/penpot-assets:/opt/data/assets \
       -e PENPOT_PUBLIC_URI="http://${TARGET_IP}:9001" \
       -e PENPOT_FLAGS=disable-email-verification enable-smtp enable-prepl-server disable-secure-session-cookies \
-      docker.io/penpotapp/frontend:latest 2>>"$LOG" || true
+      "${PENPOT_FRONTEND_IMAGE:-docker.io/penpotapp/frontend:2.4.2}" 2>>"$LOG" || true
   fi
 fi
 
@@ -806,7 +809,7 @@ if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q 'nos
       --health-cmd="curl -sf http://localhost:8080/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
       --memory=$(mem_limit nostr-rs-relay) \
       -p 7047:7047 -v /var/lib/archipelago/nostr-rs-relay:/data \
-      scsibug/nostr-rs-relay:latest 2>>"$LOG" || true
+      "${NOSTR_RS_RELAY_IMAGE:-docker.io/scsibug/nostr-rs-relay:0.9.0}" 2>>"$LOG" || true
   fi
 fi
 if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q 'strfry'; then
@@ -817,7 +820,7 @@ if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q 'str
       --health-cmd="curl -sf http://localhost:7777/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
       --memory=$(mem_limit strfry) \
       -p 7777:7777 -v /var/lib/archipelago/strfry:/data \
-      hoytech/strfry:latest 2>>"$LOG" || true
+      "${STRFRY_IMAGE:-docker.io/pluja/strfry:latest}" 2>>"$LOG" || true
   fi
 fi
 
@@ -826,10 +829,10 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q indeedhub; then
   INDEEDHUB_IMAGE=""
   # Try local image first (pre-built or loaded from ISO)
   if $DOCKER images --format '{{.Repository}}:{{.Tag}}' 2>/dev/null | grep -q 'localhost/indeedhub'; then
-    INDEEDHUB_IMAGE="localhost/indeedhub:latest"
+    INDEEDHUB_IMAGE="localhost/indeedhub:local"
   # Try registry image
-  elif $DOCKER pull git.tx1138.com/lfg2025/indeedhub:latest 2>>"$LOG"; then
-    INDEEDHUB_IMAGE="git.tx1138.com/lfg2025/indeedhub:latest"
+  elif $DOCKER pull git.tx1138.com/lfg2025/indeedhub:local 2>>"$LOG"; then
+    INDEEDHUB_IMAGE="git.tx1138.com/lfg2025/indeedhub:local"
   fi
   if [ -n "$INDEEDHUB_IMAGE" ]; then
     log "Creating Indeehub from $INDEEDHUB_IMAGE..."
@@ -871,13 +874,13 @@ for ui in bitcoin-ui lnd-ui; do
     $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$IMG" 2>>"$LOG" || true
   elif [ -d "/opt/archipelago/docker/$ui" ]; then
     log "Building $ui from source (/opt/archipelago/docker/$ui)..."
-    if $DOCKER build -t "$ui:latest" "/opt/archipelago/docker/$ui" 2>>"$LOG"; then
-      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:latest" 2>>"$LOG" || true
+    if $DOCKER build -t "$ui:local" "/opt/archipelago/docker/$ui" 2>>"$LOG"; then
+      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:local" 2>>"$LOG" || true
     fi
   elif [ -d "/home/archipelago/archy/docker/$ui" ]; then
     log "Building $ui from source (/home/archipelago/archy/docker/$ui)..."
-    if $DOCKER build -t "$ui:latest" "/home/archipelago/archy/docker/$ui" 2>>"$LOG"; then
-      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:latest" 2>>"$LOG" || true
+    if $DOCKER build -t "$ui:local" "/home/archipelago/archy/docker/$ui" 2>>"$LOG"; then
+      $DOCKER run -d --name "$CONTAINER_NAME" $PORT_ARG --restart unless-stopped --memory=$(mem_limit "$CONTAINER_NAME") $NET_ARG "$ui:local" 2>>"$LOG" || true
     fi
   else
     log "$ui: no image or source found, skipping"