fix: bulletproof mesh serial connection — PrivateDevices, auto-detect fallback, backoff

Root cause: systemd PrivateDevices=yes hid /dev/ttyUSB* from the service,
preventing .198 from connecting to its Heltec V3 after the security hardening.

Changes:
- Set PrivateDevices=no in systemd service (serial access needs physical devices;
  other hardening layers remain: NoNewPrivileges, ProtectSystem, RestrictNamespaces)
- Add SupplementaryGroups=dialout for explicit serial permissions
- Add fallback auto-detect when configured serial path fails to open
- Add exponential backoff on reconnect (5s→60s cap) to reduce log spam
- Add pre-open device existence check with actionable error messages
- Add udev rule (99-mesh-radio.rules) for stable /dev/mesh-radio symlink
- Add /dev/mesh-radio to serial candidate list (checked first)
- Add Connect button per detected device in Mesh UI
- Deploy udev rule to both servers and ISO build
- Fix FEDI_HASH unbound variable in deploy script
- Fix deploy binary step to handle hung service stop gracefully

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/deploy-to-target.sh

@@ -312,6 +312,24 @@ if [ "$BOTH" = true ]; then
         ' 2>/dev/null || true
     fi
 
+    # Deploy udev rule for mesh radio to 198
+    UDEV_RULE="$PROJECT_DIR/image-recipe/configs/99-mesh-radio.rules"
+    if [ -f "$UDEV_RULE" ]; then
+        echo "   Syncing udev rule to 198..."
+        scp $SSH_OPTS "$UDEV_RULE" "$TARGET_198:/tmp/99-mesh-radio.rules" 2>/dev/null || true
+        ssh $SSH_OPTS "$TARGET_198" '
+            if ! diff -q /tmp/99-mesh-radio.rules /etc/udev/rules.d/99-mesh-radio.rules >/dev/null 2>&1; then
+              sudo cp /tmp/99-mesh-radio.rules /etc/udev/rules.d/99-mesh-radio.rules
+              sudo udevadm control --reload-rules
+              sudo udevadm trigger --subsystem-match=tty
+              echo "   Mesh radio udev rule installed"
+            else
+              echo "   Mesh radio udev rule unchanged"
+            fi
+            rm -f /tmp/99-mesh-radio.rules
+        ' 2>/dev/null || true
+    fi
+
     # Dev mode + FileBrowser on 198
     ssh $SSH_OPTS "$TARGET_198" '
         # Dev mode
@@ -425,7 +443,7 @@ if [ "$LIVE" = true ]; then
         echo "   Skipping backend deploy (--frontend-only)"
     elif ssh $SSH_OPTS "$TARGET_HOST" "[ -f $TARGET_DIR/core/target/release/archipelago ]" 2>/dev/null; then
         progress "Deploying backend binary"
-        ssh $SSH_OPTS "$TARGET_HOST" "sudo systemctl stop archipelago"
+        ssh $SSH_OPTS "$TARGET_HOST" 'sudo systemctl stop archipelago --no-block 2>/dev/null; sleep 2; sudo kill -9 $(pgrep -x archipelago) 2>/dev/null; sleep 1; true'
         ssh $SSH_OPTS "$TARGET_HOST" "sudo cp $TARGET_DIR/core/target/release/archipelago /usr/local/bin/"
     fi
 
@@ -511,6 +529,23 @@ if [ "$LIVE" = true ]; then
       ' 2>/dev/null || true
     fi
 
+    # Deploy udev rule for mesh radio stable naming (/dev/mesh-radio)
+    UDEV_RULE="$PROJECT_DIR/image-recipe/configs/99-mesh-radio.rules"
+    if [ -f "$UDEV_RULE" ]; then
+      scp $SSH_OPTS "$UDEV_RULE" "$TARGET_HOST:/tmp/99-mesh-radio.rules" 2>/dev/null || true
+      ssh $SSH_OPTS "$TARGET_HOST" '
+        if ! diff -q /tmp/99-mesh-radio.rules /etc/udev/rules.d/99-mesh-radio.rules >/dev/null 2>&1; then
+          sudo cp /tmp/99-mesh-radio.rules /etc/udev/rules.d/99-mesh-radio.rules
+          sudo udevadm control --reload-rules
+          sudo udevadm trigger --subsystem-match=tty
+          echo "   Mesh radio udev rule installed"
+        else
+          echo "   Mesh radio udev rule unchanged"
+        fi
+        rm -f /tmp/99-mesh-radio.rules
+      ' 2>/dev/null || true
+    fi
+
     # Deploy Claude API proxy (auto-install if missing)
     progress "Setting up Claude API proxy"
     ssh $SSH_OPTS "$TARGET_HOST" '
@@ -782,7 +817,7 @@ MANIFEST_EOF
     ' 2>/dev/null)
     eval "$DB_PASSWORDS"
     # Fallback if hash not available
-    if [ -z "$FEDI_HASH" ]; then
+    if [ -z "${FEDI_HASH:-}" ]; then
         FEDI_HASH='$2y$10$t9YjjxkiktrlYvjajB/zgOMDnSNVg4HqrbDqh47u7Jf42whNdxNqC'
     fi