release(v1.7.35-alpha): rootless-netns self-heal + app update button + bitcoin-core 28.4 + Node DID unification

- core/archipelago/src/bootstrap.rs (NEW): embed scripts/container-doctor.sh
  and image-recipe/configs/archipelago-doctor.{service,timer} via
  include_str! and sync to disk + enable the timer on every archipelago
  startup. Idempotent (content-hash compare), dev-box symlink guard keeps
  the git checkout untouched, best-effort (warn-only on failure) so
  bootstrap never blocks server readiness. Wired in main.rs as a
  background tokio task.
- scripts/container-doctor.sh: add fix_rootless_netns_egress(). Detects
  when the rootless-netns has lost its pasta tap (container-to-container
  still works but outbound DNS/TCP fails) via an nsenter probe into
  aardvark-dns; with a two-probe 10s debounce to rule out transients and
  a host-precheck that bails out if the host itself is offline. When the
  rootless-netns is truly broken, does a graceful podman stop --all /
  start --all so pasta + aardvark-dns rebuild the netns from scratch.
  Bitcoin-knots and every other outbound container recover in one cycle.
- core/archipelago/src/update.rs: host_sudo → pub(crate) so bootstrap.rs
  can reuse the existing systemd-run escape hatch.
- apps/bitcoin-core/manifest.yml: bump app version 24.0.0 → 28.4.0 and
  image bitcoin/bitcoin:24.0 → bitcoin/bitcoin:28.4. Resources aligned
  with the real container-specs.sh large-disk tune (4 GiB memory cap,
  cpu_limit: 0 so bitcoind can run -par=auto across every core).
- neode-ui/src/views/apps/AppCard.vue + Apps.vue: add an Update button
  + Updating spinner to every app card that has available-update set.
  Wires through serverStore.updatePackage(id) — the same RPC the detail
  view already calls. common.update / common.updating i18n keys added in
  en.json and es.json.
- core/archipelago/src/identity_manager.rs: add create_from_signing_key()
  that mirrors an existing Ed25519 key as a manager-level identity with
  a deterministic id (`node-<pubkey16>`). Idempotent across restarts,
  gets the hex-SVG master avatar.
- core/archipelago/src/server.rs: the auto-create path on first boot now
  mirrors the node's own signing_key (seed-derived on onboarded installs)
  as a "Node" identity instead of generating a random "Default" keypair.
  Once this ships, the DID on the Web5 DID Status card (via node.did
  RPC), the Node entry on the Identities page (via identity.list), and
  the DID used for peer-to-peer connects (via server_info.pubkey) all
  resolve to the same seed-derived pubkey.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/container-doctor.sh

@@ -367,7 +367,72 @@ print(' '.join(['\"' + a + '\"' if ' ' in a else a for a in args[2:]]))
     [ ${#fixed_names[@]} -gt 0 ] && return 0 || return 1
 }
 
-# ── Fix 8: Restart stopped core containers ──────────────────
+# ── Fix 8: Rootless netns egress lost ────────────────────────
+# Rootless podman uses pasta to give containers internet egress. If pasta's
+# tap vanishes (host link flap, mount churn), the rootless-netns keeps inter-
+# container traffic working but silently loses outbound. Bitcoin IBD stalls
+# at 0 peers; package pulls fail. The only reliable repair is a stop-all/
+# start-all cycle so pasta + aardvark-dns rebuild the netns from scratch.
+fix_rootless_netns_egress() {
+    local archi_uid
+    archi_uid=$(id -u archipelago 2>/dev/null) || return 1
+
+    # Locate the rootless-netns via aardvark-dns (it lives inside it).
+    local aardvark_pid
+    aardvark_pid=$(pgrep -U "$archi_uid" -f '^/usr/lib/podman/aardvark-dns' 2>/dev/null | head -1)
+    [ -z "$aardvark_pid" ] && return 1   # no rootless network active
+
+    # Host precheck: if the host itself can't reach the internet, no point
+    # cycling containers — this is an upstream problem.
+    if ! timeout 3 bash -c '</dev/tcp/1.1.1.1/443' 2>/dev/null; then
+        return 1
+    fi
+
+    # Probe egress from inside the rootless-netns. One probe is noisy;
+    # require two consecutive failures 10s apart to rule out transients.
+    if timeout 3 nsenter -t "$aardvark_pid" -n bash -c '</dev/tcp/1.1.1.1/443' 2>/dev/null; then
+        return 1   # first probe succeeded
+    fi
+    sleep 10
+    aardvark_pid=$(pgrep -U "$archi_uid" -f '^/usr/lib/podman/aardvark-dns' 2>/dev/null | head -1)
+    [ -z "$aardvark_pid" ] && return 1
+    if timeout 3 nsenter -t "$aardvark_pid" -n bash -c '</dev/tcp/1.1.1.1/443' 2>/dev/null; then
+        return 1   # recovered on its own
+    fi
+
+    log "Rootless-netns egress is broken (host online, container netns unreachable) — cycling"
+
+    local PODMANCMD="sudo -u archipelago XDG_RUNTIME_DIR=/run/user/$archi_uid podman"
+    local running
+    running=$($PODMANCMD ps --format '{{.Names}}' 2>/dev/null)
+    if [ -z "$running" ]; then
+        log "  No running containers to cycle — skipping"
+        return 1
+    fi
+
+    local count
+    count=$(echo "$running" | wc -l)
+    log "  Stopping $count running containers (graceful, 30s)..."
+    $PODMANCMD stop --all --time 30 >/dev/null 2>&1
+    sleep 5
+
+    log "  Starting containers back up..."
+    for c in $running; do
+        $PODMANCMD start "$c" >/dev/null 2>&1 &
+    done
+    wait
+    sleep 5
+
+    aardvark_pid=$(pgrep -U "$archi_uid" -f '^/usr/lib/podman/aardvark-dns' 2>/dev/null | head -1)
+    if [ -n "$aardvark_pid" ] && timeout 3 nsenter -t "$aardvark_pid" -n bash -c '</dev/tcp/1.1.1.1/443' 2>/dev/null; then
+        log "  Rootless-netns egress restored ($count containers cycled)"
+    else
+        log "  WARN: egress still broken after cycle — may need manual intervention"
+    fi
+    return 0
+}
+
+# ── Fix 9: Restart stopped core containers ──────────────────
 # Rootless Podman 4.x restart policies don't auto-restart on crash.
 # This check restarts any exited core containers (tiers 0-2).
 fix_stopped_core_containers() {
@@ -414,6 +479,7 @@ run_fix "tor-permissions"  fix_tor_permissions
 run_fix "searxng"         fix_searxng
 run_fix "bitcoin-txindex" fix_bitcoin_txindex
 run_fix "exit-127"        fix_exit_127
+run_fix "netns-egress"    fix_rootless_netns_egress
 run_fix "stopped-core"    fix_stopped_core_containers
 
 echo ""