lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity

Compare commits

base: lfg2025:v1.7.10-alpha
Branches Tags
lfg2025:main lfg2025:dev-iso lfg2025:jay-containers
lfg2025:v1.7.89-alpha lfg2025:v1.7.68-alpha lfg2025:v1.7.50-alpha lfg2025:v1.7.49-alpha lfg2025:v1.7.48-alpha lfg2025:v1.7.47-alpha lfg2025:v1.7.46-alpha lfg2025:v1.7.45-alpha lfg2025:v1.7.44-alpha lfg2025:v1.7.43-alpha lfg2025:v1.7.42-alpha lfg2025:v1.7.41-alpha lfg2025:v1.7.40-alpha lfg2025:v1.7.39-alpha lfg2025:v1.7.38-alpha lfg2025:v1.7.37-alpha lfg2025:v1.7.36-alpha lfg2025:v1.7.35-alpha lfg2025:v1.7.34-alpha lfg2025:v1.7.33-alpha lfg2025:v1.7.32-alpha lfg2025:v1.7.31-alpha lfg2025:v1.7.30-alpha lfg2025:v1.7.29-alpha lfg2025:v1.7.28-alpha lfg2025:v1.7.27-alpha lfg2025:v1.7.26-alpha lfg2025:v1.7.25-alpha lfg2025:v1.7.24-alpha lfg2025:v1.7.23-alpha lfg2025:v1.7.22-alpha lfg2025:v1.7.21-alpha lfg2025:v1.7.20-alpha lfg2025:v1.7.19-alpha lfg2025:v1.7.18-alpha lfg2025:v1.7.17-alpha lfg2025:v1.7.16-alpha lfg2025:v1.7.15-alpha lfg2025:v1.7.14-alpha lfg2025:v1.7.13-alpha lfg2025:v1.7.12-alpha lfg2025:v1.7.11-alpha lfg2025:v1.7.10-alpha lfg2025:v1.7.9-alpha lfg2025:v1.7.8-alpha lfg2025:v1.7.7-alpha lfg2025:v1.7.6-alpha lfg2025:v1.7.5-alpha lfg2025:v1.7.4-alpha lfg2025:v1.7.3-alpha lfg2025:v1.7.2-alpha lfg2025:v1.7.1-alpha lfg2025:v1.7.0-alpha lfg2025:v1.3.4 lfg2025:v1.3.3 lfg2025:v1.3.2 lfg2025:v1.2.0-alpha.8 lfg2025:v1.2.0-alpha.7 lfg2025:v1.2.0-alpha.6 lfg2025:v1.2.0-alpha.5 lfg2025:v1.2.0-alpha.4 lfg2025:v1.2.0-alpha.3 lfg2025:v1.2.0-alpha.2 lfg2025:v1.2.0-alpha.1
...
compare: lfg2025:v1.7.17-alpha
Branches Tags
lfg2025:main lfg2025:dev-iso lfg2025:jay-containers
lfg2025:v1.7.89-alpha lfg2025:v1.7.68-alpha lfg2025:v1.7.50-alpha lfg2025:v1.7.49-alpha lfg2025:v1.7.48-alpha lfg2025:v1.7.47-alpha lfg2025:v1.7.46-alpha lfg2025:v1.7.45-alpha lfg2025:v1.7.44-alpha lfg2025:v1.7.43-alpha lfg2025:v1.7.42-alpha lfg2025:v1.7.41-alpha lfg2025:v1.7.40-alpha lfg2025:v1.7.39-alpha lfg2025:v1.7.38-alpha lfg2025:v1.7.37-alpha lfg2025:v1.7.36-alpha lfg2025:v1.7.35-alpha lfg2025:v1.7.34-alpha lfg2025:v1.7.33-alpha lfg2025:v1.7.32-alpha lfg2025:v1.7.31-alpha lfg2025:v1.7.30-alpha lfg2025:v1.7.29-alpha lfg2025:v1.7.28-alpha lfg2025:v1.7.27-alpha lfg2025:v1.7.26-alpha lfg2025:v1.7.25-alpha lfg2025:v1.7.24-alpha lfg2025:v1.7.23-alpha lfg2025:v1.7.22-alpha lfg2025:v1.7.21-alpha lfg2025:v1.7.20-alpha lfg2025:v1.7.19-alpha lfg2025:v1.7.18-alpha lfg2025:v1.7.17-alpha lfg2025:v1.7.16-alpha lfg2025:v1.7.15-alpha lfg2025:v1.7.14-alpha lfg2025:v1.7.13-alpha lfg2025:v1.7.12-alpha lfg2025:v1.7.11-alpha lfg2025:v1.7.10-alpha lfg2025:v1.7.9-alpha lfg2025:v1.7.8-alpha lfg2025:v1.7.7-alpha lfg2025:v1.7.6-alpha lfg2025:v1.7.5-alpha lfg2025:v1.7.4-alpha lfg2025:v1.7.3-alpha lfg2025:v1.7.2-alpha lfg2025:v1.7.1-alpha lfg2025:v1.7.0-alpha lfg2025:v1.3.4 lfg2025:v1.3.3 lfg2025:v1.3.2 lfg2025:v1.2.0-alpha.8 lfg2025:v1.2.0-alpha.7 lfg2025:v1.2.0-alpha.6 lfg2025:v1.2.0-alpha.5 lfg2025:v1.2.0-alpha.4 lfg2025:v1.2.0-alpha.3 lfg2025:v1.2.0-alpha.2 lfg2025:v1.2.0-alpha.1

7 Commits
v1.7.10-al ... v1.7.17-al

Author SHA1 Message Date
Dorian
4706dd16e7 release(v1.7.17-alpha): cancel download + stall detection
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 21m0s
Details 
Add Cancel Download button + stall detection so a wedged download can
be recovered instead of leaving the UI stuck on a frozen progress bar.

Backend:
- update.rs: DOWNLOAD_CANCEL AtomicBool + DOWNLOAD_PROGRESS_AT AtomicU64
- download loop checks cancel between chunks and during retry backoff
  (500ms slices instead of one exponential sleep, so Cancel wakes fast)
- cancel_download() wipes staging + clears update_in_progress
- update.status exposes download_progress.stalled (30s no-progress)
- RPC: update.cancel-download + dispatcher entry

Frontend:
- SystemUpdate.vue: Cancel Download button, amber stall styling,
  stalled copy, cancel-download confirm branch in modal
- i18n keys (en + es) for cancel/stall flow
- v1.7.17-alpha What's New block in AccountInfoSection

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-20 19:10:34 -04:00
Dorian
3cbfcabedf release(v1.7.16-alpha): bidirectional + transitive federation, no self-peering
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 23m32s
Details 
Federation join flow now notifies the inviter with the joiner's name and
immediately bumps state so the Federation UI reloads without a manual
Sync click. Accepting an invite that points back at the local node is
rejected up front (DID/pubkey/onion match). After a peer joins, we spawn
a transitive sync that pulls the new peer's federated peer hints so all
nodes in the federation learn about each other as Observer entries.
Federation.vue polls every 5s while mounted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-20 18:12:02 -04:00
Dorian
0fad7ee431 release(v1.7.15-alpha): bulletproof downloads — resume, retry, real progress
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 26m29s
Details 
download_update
  Each component download is now resumable via HTTP Range requests
  (Range: bytes=N-) and retried up to 6 times with exponential
  backoff (5/15/30/60/120/180s). On a dropped connection the next
  attempt picks up at the last written byte offset instead of
  restarting at zero. Streams via reqwest::Response::chunk() to the
  staging file so a 160 MB frontend tarball doesn't sit in RAM. SHA
  is verified over the complete file at the end of each component;
  mismatch nukes the staged file and restarts from scratch.

Real download progress counters
  New AtomicU64 globals DOWNLOAD_BYTES/DOWNLOAD_TOTAL are updated
  from the chunk loop. update.status exposes them as
  download_progress.{bytes_downloaded, total_bytes, active}. The
  SystemUpdate.vue progress bar now polls update.status every
  second instead of incrementing a fake random counter — and
  crucially, if the user navigates away and back, the component
  picks up the in-progress download from the backend atomics
  immediately.

Update-check retries
  handle_update_check now retries the manifest fetch up to 3 times
  with a 5s gap if the first try hits a transport error, so a
  momentary gitea hiccup doesn't make a node report "up to date"
  when there actually is a new release. Tight 10s connect timeout
  per attempt keeps the total bounded.

Artefacts:
  archipelago                                      1070c87f…c081c162b  40584792
  archipelago-frontend-1.7.15-alpha.tar.gz         8e630eba…63fd43f   162078068

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-20 17:17:58 -04:00
Dorian
923c404678 release(v1.7.14-alpha): install overlay + FIPS real fix + AIUI restore
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 10m10s
Details 
Install UX
  SystemUpdate.vue now shows a full-screen overlay after apply: the
  BitcoinFaceAscii logo, a target-version label, an indeterminate
  progress stripe (solid orange; solid green on ready), and an
  elapsed-time readout. Polls /health every 1.5s and auto-reloads
  once the backend reports the new version. 3-min stall → "Reload
  now" button. Download UI also shows a spinner + "Finishing
  download — verifying checksum…" while the fake bar sits at 95%.

FIPS reconnect — for real this time
  New fips.reconnect RPC does stop → start → wait 20s → re-poll →
  classify. Classification buckets: connected / daemon_down /
  no_seed_key / no_outbound_udp_or_anchor_down / peers_but_no_anchor,
  each with a plain-language hint surfaced verbatim by the Reconnect
  button. The real reason nodes like .198/.253 couldn't reach the
  anchor: identity::write_fips_key_from_seed was writing fips_key.pub
  as a bech32 npub TEXT file, but upstream fips expects 32 raw
  bytes. The daemon silently authenticated with garbage. Fix:
  PublicKey::to_bytes() → raw 32 bytes, and new
  fips::config::normalize_pub_file migrates legacy files by decoding
  the npub and rewriting in place. fips.reconnect also re-installs
  the config + healed keys to /etc/fips before restarting.

AIUI preservation + restore
  apply_update was wiping /opt/archipelago/web-ui/aiui because the
  Vue build doesn't include it — every OTA lost the Claude sidebar.
  The preserve block now copies aiui/ + archipelago-companion.apk
  from the old web-ui into the staging dir before the swap, and
  prefers new-tar versions if present. To restore it on the three
  nodes that already lost it (.116/.198/.253), this release bundles
  the 85 MB aiui build into the frontend tarball. Frontend component
  size is now ~155 MB.

Download / install timeouts
  Backend download client timeout 1800s → 3600s (1 h). Larger
  tarball + slow gitea raw throughput put us above the old cap.
  Frontend update.download rpc timeout 30 min → 65 min to match.
  package.install rpc timeout 15 min → 45 min — IndeedHub pulls
  6 images and was timing out mid-install.

UI nit
  "Rollback to Previous" → "Rollback Available".

App-catalog proxy already landed in v1.7.13.

Artefacts:
  archipelago                                      725e18e6…3c525e6   40462288
  archipelago-frontend-1.7.14-alpha.tar.gz         c35284be…ff2c16   162077052 (+aiui)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-20 16:40:25 -04:00
Dorian
30a26f94f7 release(v1.7.13-alpha): proxy app catalog server-side (CORS + CSP fix)
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 9m54s
Details 
The Discover / Marketplace page fetched the app catalog directly from
git.tx1138.com/lfg2025/app-catalog/raw/.../catalog.json in the
browser. Two blockers hit the fleet simultaneously: (1) tx1138's
Gitea doesn't emit Access-Control-Allow-Origin so the HTTPS fetch
got CORS-blocked; (2) the HTTP IP-port fallback
(http://23.182.128.160:3000/...) falls outside the node's
`connect-src` CSP. Users saw the hardcoded fallback instead of the
live catalog.

Backend: new authenticated GET /api/app-catalog handler uses reqwest
to pull catalog.json server-side (15s timeout) and returns it with
application/json + 1h Cache-Control. Tries the HTTPS URL first,
HTTP IP-port second.

Frontend: curatedApps.ts now calls /api/app-catalog (same-origin,
no CORS/CSP) with credentials included so the session cookie
authenticates the proxy. Baked /catalog.json stays as the last
resort.

Artefacts:
  archipelago                                      0aaf7262…b979f22c  40371192
  archipelago-frontend-1.7.13-alpha.tar.gz         27505811…efc6f4142 76982505

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-20 15:43:45 -04:00
Dorian
26d6eddb1c release(v1.7.12-alpha): bump on top of working-OTA 1.7.11
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 11m2s
Details 
Version-only bump. Sits above v1.7.11-alpha which user has verified
runs the full Install Update pipeline end-to-end (check → download
→ install → auto-restart). Freshly-installed nodes from the 1.7.11
ISO will see 1.7.12 as their first OTA target.

Frontend tarball byte-identical to v1.7.11 (same sha).

Artefacts:
  archipelago                                      247f65c2…54f40df9  40385472
  archipelago-frontend-1.7.12-alpha.tar.gz         0644a436…54f58    76983846 (reused)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-20 14:39:07 -04:00
Dorian
c9f6697f02 release(v1.7.11-alpha): OTA proof bump on top of namespace-escape apply
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 11m14s
Details 
Version-only bump. Frontend tarball byte-identical to v1.7.10. First
OTA-testable release where the running backend (v1.7.10) has the
host_sudo/systemd-run apply fix — clicking Install Update should
walk through check → download → install → auto-restart with no
manual intervention.

Artefacts:
  archipelago                                      cf003f62…65465f  40378752
  archipelago-frontend-1.7.11-alpha.tar.gz         0644a436…54f58   76983846 (reused)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-20 14:03:36 -04:00
37 changed files with 1307 additions and 149 deletions
Expand all files Collapse all files

2
core/Cargo.lock generated
View File

@@ -80,7 +80,7 @@ checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
[[package]]
name = "archipelago"
version = "1.7.10-alpha"
version = "1.7.17-alpha"
dependencies = [
"anyhow",
"archipelago-container",

2
core/archipelago/Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "archipelago"
version = "1.7.10-alpha"
version = "1.7.17-alpha"
edition = "2021"
description = "Archipelago Bitcoin Node OS - Native backend"
authors = ["Archipelago Team"]

59
core/archipelago/src/api/handler/mod.rs
View File

@@ -113,6 +113,53 @@ impl ApiHandler {
}
}
/// Server-side fetch of the upstream app catalog so the browser can
/// load it without fighting CORS (git.tx1138.com emits no ACAO) or
/// CSP (the fallback IP-port URL isn't in `connect-src`). Tries the
/// upstream URLs in the same order the frontend used, returns the
/// first 2xx response. 15s total timeout.
async fn handle_app_catalog_proxy() -> Result<Response<hyper::Body>> {
const UPSTREAMS: &[&str] = &[
"https://git.tx1138.com/lfg2025/app-catalog/raw/branch/main/catalog.json",
"http://23.182.128.160:3000/lfg2025/app-catalog/raw/branch/main/catalog.json",
];
let client = match reqwest::Client::builder()
.timeout(std::time::Duration::from_secs(15))
.build()
{
Ok(c) => c,
Err(e) => {
return Ok(build_response(
hyper::StatusCode::INTERNAL_SERVER_ERROR,
"text/plain",
hyper::Body::from(format!("client build failed: {}", e)),
));
}
};
for url in UPSTREAMS {
match client.get(*url).send().await {
Ok(resp) if resp.status().is_success() => {
if let Ok(bytes) = resp.bytes().await {
return Ok(Response::builder()
.status(hyper::StatusCode::OK)
.header("Content-Type", "application/json")
.header("Cache-Control", "public, max-age=3600")
.body(hyper::Body::from(bytes))
.unwrap_or_else(|_| {
Response::new(hyper::Body::from("proxy response build failed"))
}));
}
}
_ => continue,
}
}
Ok(build_response(
hyper::StatusCode::BAD_GATEWAY,
"text/plain",
hyper::Body::from("all upstream catalog URLs failed"),
))
}
/// Build a 401 Unauthorized JSON response.
fn unauthorized() -> Response<hyper::Body> {
let body = serde_json::json!({ "error": "Unauthorized" });
@@ -352,6 +399,18 @@ impl ApiHandler {
// Electrs status — unauthenticated (read-only sync status)
(Method::GET, "/electrs-status") => Self::handle_electrs_status().await,
// App-catalog proxy — fetches catalog.json from the configured
// upstream URLs server-side so the browser doesn't hit CORS
// (git.tx1138.com has no ACAO header) or CSP (IP-port upstream
// falls outside `connect-src`). Session-authenticated so only
// the logged-in node owner can spin up fetches.
(Method::GET, "/api/app-catalog") => {
if !self.is_authenticated(&headers).await {
return Ok(Self::unauthorized());
}
Self::handle_app_catalog_proxy().await
}
// LND connect info — nginx validates session cookie (presence check),
// backend is bound to 127.0.0.1 so only nginx can reach it.
// No backend auth check here because the LND UI iframe fetches this

2
core/archipelago/src/api/rpc/dispatcher.rs
View File

@@ -413,12 +413,14 @@ impl RpcHandler {
"fips.apply-update" => self.handle_fips_apply_update().await,
"fips.install" => self.handle_fips_install().await,
"fips.restart" => self.handle_fips_restart().await,
"fips.reconnect" => self.handle_fips_reconnect().await,
// System updates
"update.check" => self.handle_update_check().await,
"update.status" => self.handle_update_status().await,
"update.dismiss" => self.handle_update_dismiss().await,
"update.download" => self.handle_update_download().await,
"update.cancel-download" => self.handle_update_cancel_download().await,
"update.apply" => self.handle_update_apply().await,
"update.git-apply" => self.handle_update_git_apply().await,
"update.rollback" => self.handle_update_rollback().await,

75
core/archipelago/src/api/rpc/federation/handlers.rs
View File

@@ -79,6 +79,7 @@ impl RpcHandler {
let local_did = identity::did_key_from_pubkey_hex(&data.server_info.pubkey)?;
let local_onion = data.server_info.tor_address.clone().unwrap_or_default();
let local_pubkey = data.server_info.pubkey.clone();
let local_name = data.server_info.name.clone();
let identity_dir = self.config.data_dir.join("identity");
let node_identity = identity::NodeIdentity::load_or_create(&identity_dir).await?;
@@ -90,6 +91,7 @@ impl RpcHandler {
&local_onion,
&local_pubkey,
local_fips_npub.as_deref(),
local_name.as_deref(),
|data| node_identity.sign(data),
)
.await?;
@@ -447,6 +449,38 @@ impl RpcHandler {
.get("fips_npub")
.and_then(|v| v.as_str())
.map(|s| s.to_string());
// Optional, unsigned: peer's display name. Display-only — identity
// claims are anchored on the signed did/pubkey below.
let incoming_name = params
.get("name")
.and_then(|v| v.as_str())
.map(|s| s.to_string());
// Reject self-peering. If somehow our own did / onion / pubkey
// comes back at us (misconfigured invite, gossip loop), adding
// the entry causes sync loops where the node syncs with itself
// forever. Drop it quietly — no useful recovery path.
let (own_data, _) = self.state_manager.get_snapshot().await;
let own_did_result =
identity::did_key_from_pubkey_hex(&own_data.server_info.pubkey).ok();
let own_onion_trim = own_data
.server_info
.tor_address
.as_deref()
.unwrap_or("")
.trim_end_matches(".onion")
.to_string();
let incoming_onion_trim = onion.trim_end_matches(".onion");
if own_did_result.as_deref() == Some(did)
|| pubkey == own_data.server_info.pubkey
|| (!own_onion_trim.is_empty() && own_onion_trim == incoming_onion_trim)
{
tracing::warn!(
peer_did = %did,
"Rejected peer-joined: inbound identity matches this node"
);
anyhow::bail!("Refusing to peer with self");
}
// Verify ed25519 signature to prevent federation spoofing (H2 security fix)
let signature = params.get("signature").and_then(|v| v.as_str());
@@ -471,11 +505,12 @@ impl RpcHandler {
let nodes = federation::load_nodes(&self.config.data_dir).await?;
if let Some(existing) = nodes.iter().find(|n| n.did == did) {
// If already known but missing onion/pubkey/fips_npub, update them
// If already known but missing onion/pubkey/fips_npub/name, update them
let needs_onion = existing.onion.is_empty();
let needs_pubkey = existing.pubkey.is_empty();
let needs_fips = existing.fips_npub.is_none() && fips_npub.is_some();
if needs_onion || needs_pubkey || needs_fips {
let needs_name = existing.name.is_none() && incoming_name.is_some();
if needs_onion || needs_pubkey || needs_fips || needs_name {
let mut updated = existing.clone();
if needs_onion && !onion.is_empty() {
updated.onion = onion.to_string();
@@ -486,6 +521,9 @@ impl RpcHandler {
if needs_fips {
updated.fips_npub = fips_npub.clone();
}
if needs_name {
updated.name = incoming_name.clone();
}
updated.last_seen = Some(chrono::Utc::now().to_rfc3339());
federation::update_node(&self.config.data_dir, &updated).await?;
info!(peer_did = %did, peer_onion = %onion, "Updated existing peer with fresh identity fields");
@@ -497,7 +535,7 @@ impl RpcHandler {
did: did.to_string(),
pubkey: pubkey.to_string(),
onion: onion.to_string(),
name: None,
name: incoming_name.clone(),
trust_level: TrustLevel::Trusted,
added_at: chrono::Utc::now().to_rfc3339(),
last_seen: None,
@@ -512,9 +550,38 @@ impl RpcHandler {
// Mirror into mesh state so the inbound peer is addressable from
// the chat UI without waiting for the next mesh restart.
self.register_federation_peer_in_mesh(pubkey, did, None)
self.register_federation_peer_in_mesh(pubkey, did, incoming_name.as_deref())
.await;
// Bump the data-model revision so any Federation view with an
// open WebSocket reloads its node list without waiting for the
// user to click Sync.
let (data, _) = self.state_manager.get_snapshot().await;
self.state_manager.update_data(data).await;
// Transitive discovery: spawn a task that pulls the new peer's
// state (its own federated peers end up as Observer entries on
// our side) so after a join every existing peer in our list is
// aware of the newcomer via the next pair of syncs, without the
// user clicking anything. Best-effort; errors are logged only.
let data_dir = self.config.data_dir.clone();
let new_peer_did = did.to_string();
tokio::spawn(async move {
tokio::time::sleep(std::time::Duration::from_secs(2)).await;
if let Err(e) = crate::federation::sync_with_peer_by_did(
&data_dir,
&new_peer_did,
)
.await
{
tracing::debug!(
peer_did = %new_peer_did,
error = %e,
"Transitive sync on peer-joined failed (non-fatal)"
);
}
});
Ok(serde_json::json!({ "accepted": true }))
}

85
core/archipelago/src/api/rpc/fips.rs
View File

@@ -44,4 +44,89 @@ impl RpcHandler {
fips::service::restart(fips::SERVICE_UNIT).await?;
Ok(serde_json::json!({ "restarted": true }))
}
/// Full reconnect: stop the daemon, bring it back, wait for the DHT
/// bootstrap window, poll the identity-cache + peer list, and
/// classify what recovered (or didn't) so the UI can explain it to
/// the user instead of showing a generic failure.
///
/// Runtime: ~20s. Needs an RPC timeout ≥ 45s on the client.
pub(super) async fn handle_fips_reconnect(&self) -> Result<serde_json::Value> {
let identity_dir = fips::identity_dir_from(&self.config.data_dir);
let before = fips::FipsStatus::query(&identity_dir).await;
// Heal the pre-fix bech32-text fips_key.pub → 32-raw-bytes
// mismatch. The daemon silently authenticates with a garbage
// pubkey when the .pub file is 63-char text, which looks like
// "anchor unreachable" to the user even though the real fault
// was an identity malformed on the node itself. Re-install the
// config + keys so /etc/fips gets the healed .pub.
let key_src = identity_dir.join("fips_key");
let pub_src = identity_dir.join("fips_key.pub");
if key_src.exists() {
let _ = fips::config::normalize_pub_file(&key_src, &pub_src).await;
// Re-install refreshes /etc/fips/fips.pub from the healed
// source. No-op if nothing changed.
let _ = fips::config::install(&identity_dir).await;
}
// Clean stop+start rather than `restart`, so a daemon that
// fails to come back up surfaces as service_active=false
// instead of quietly sticking with the old process.
let _ = fips::service::stop(fips::SERVICE_UNIT).await;
tokio::time::sleep(std::time::Duration::from_millis(800)).await;
fips::service::activate(fips::SERVICE_UNIT).await?;
// Anchor bootstrap window: poll the status every ~3s for up to
// 20s. Bail as soon as the anchor is connected.
let mut last_status: Option<fips::FipsStatus> = None;
let deadline = std::time::Instant::now() + std::time::Duration::from_secs(20);
loop {
tokio::time::sleep(std::time::Duration::from_secs(3)).await;
let s = fips::FipsStatus::query(&identity_dir).await;
if s.anchor_connected {
last_status = Some(s);
break;
}
last_status = Some(s);
if std::time::Instant::now() >= deadline {
break;
}
}
let after = last_status.unwrap_or_else(|| before.clone());
let recovered = after.anchor_connected && !before.anchor_connected;
let likely_cause = if after.anchor_connected {
"connected"
} else if !after.service_active {
"daemon_down"
} else if !after.key_present {
"no_seed_key"
} else if after.authenticated_peer_count == 0 {
// Daemon is up with a key but hasn't authenticated any
// peers — almost always outbound UDP/8668 dropped by the
// local firewall/router, or the anchor itself being down.
"no_outbound_udp_or_anchor_down"
} else {
"peers_but_no_anchor"
};
let hint = match likely_cause {
"connected" => "Anchor is reachable.",
"daemon_down" => "The FIPS daemon didn't come back up — check archipelago-fips.service.",
"no_seed_key" => "No seed-derived FIPS key on disk. Re-run the onboarding unlock step.",
"no_outbound_udp_or_anchor_down" =>
"Daemon is running but no peers handshook. Your router / ISP might be blocking outbound UDP 8668, or the anchor (fips.v0l.io) could be down.",
"peers_but_no_anchor" =>
"Mesh has peers but the anchor hasn't been seen yet. Give it a minute and re-check.",
_ => "",
};
Ok(serde_json::json!({
"recovered": recovered,
"likely_cause": likely_cause,
"hint": hint,
"before": before,
"after": after,
}))
}
}

2
core/archipelago/src/api/rpc/handshake.rs
View File

@@ -282,6 +282,7 @@ impl RpcHandler {
let local_fips_npub = crate::identity::fips_npub(&identity_dir2)
.await
.unwrap_or(None);
let local_name = data.server_info.name.clone();
match crate::federation::accept_invite(
&self.config.data_dir,
invite_code,
@@ -289,6 +290,7 @@ impl RpcHandler {
&local_onion,
&local_pubkey,
local_fips_npub.as_deref(),
local_name.as_deref(),
|bytes| node_identity.sign(bytes),
)
.await

46
core/archipelago/src/api/rpc/update.rs
View File

@@ -157,6 +157,37 @@ impl RpcHandler {
/// Get update status without checking remote.
pub(super) async fn handle_update_status(&self) -> Result<serde_json::Value> {
let state = update::get_status(&self.config.data_dir).await?;
// Expose live download progress so the UI can resume the
// progress bar after navigation instead of showing the fake
// creep again. An RPC poll every ~1s during download drives a
// real progress indicator that survives route changes.
let downloaded = update::DOWNLOAD_BYTES
.load(std::sync::atomic::Ordering::Relaxed);
let total = update::DOWNLOAD_TOTAL
.load(std::sync::atomic::Ordering::Relaxed);
let active = total > 0 && downloaded < total;
let completed = total > 0 && downloaded >= total;
// Stall detection: if the progress-at timestamp hasn't advanced
// for 30+ seconds while active, the download is wedged (usually
// HTTP stream silently dropped and reqwest is waiting out its
// read timeout). The UI uses this to surface a Cancel button
// with explanatory copy.
let stalled = if active {
let last_at = update::DOWNLOAD_PROGRESS_AT
.load(std::sync::atomic::Ordering::Relaxed);
if last_at > 0 {
let now = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.map(|d| d.as_millis() as u64)
.unwrap_or(0);
now.saturating_sub(last_at) > 30_000
} else {
false
}
} else {
false
};
Ok(serde_json::json!({
"current_version": state.current_version,
@@ -164,6 +195,14 @@ impl RpcHandler {
"update_available": state.available_update.is_some(),
"update_in_progress": state.update_in_progress,
"rollback_available": state.rollback_available,
"download_progress": if active || completed {
Some(serde_json::json!({
"bytes_downloaded": downloaded,
"total_bytes": total,
"active": active,
"stalled": stalled,
}))
} else { None },
}))
}
@@ -183,6 +222,13 @@ impl RpcHandler {
}))
}
/// Cancel an in-flight or stuck download. Clears the live counters
/// and staging dir so the UI returns to the "Download Update" state.
pub(super) async fn handle_update_cancel_download(&self) -> Result<serde_json::Value> {
update::cancel_download(&self.config.data_dir).await?;
Ok(serde_json::json!({ "canceled": true }))
}
/// Apply the staged update.
pub(super) async fn handle_update_apply(&self) -> Result<serde_json::Value> {
update::apply_update(&self.config.data_dir).await?;

31
core/archipelago/src/federation/invites.rs
View File

@@ -121,6 +121,7 @@ pub async fn accept_invite(
local_onion: &str,
local_pubkey: &str,
local_fips_npub: Option<&str>,
local_name: Option<&str>,
sign_fn: impl FnOnce(&[u8]) -> String,
) -> Result<FederatedNode> {
let ParsedInvite {
@@ -131,6 +132,20 @@ pub async fn accept_invite(
fips_npub,
} = parse_invite(code)?;
// Refuse self-peering. If the invite's did / onion / pubkey matches
// our own, adding it pollutes the federation list with a node that
// sees itself as its own peer and causes sync loops. The user
// almost certainly pasted the wrong invite.
if did == local_did || pubkey == local_pubkey || {
let a = onion.trim_end_matches(".onion");
let b = local_onion.trim_end_matches(".onion");
!a.is_empty() && a == b
} {
anyhow::bail!(
"Refusing to federate with self — invite points at this node's own did / onion / pubkey"
);
}
// Make accept idempotent: drop any existing entry that conflicts with
// this invite — same DID (same node, refreshing the link), same onion
// (node rotated identity but kept its hidden service), or same pubkey
@@ -190,6 +205,7 @@ pub async fn accept_invite(
local_onion,
local_pubkey,
local_fips_npub,
local_name,
sign_fn,
)
.await;
@@ -201,20 +217,22 @@ pub async fn accept_invite(
/// Prefers FIPS (if the remote advertised an npub in their invite) and
/// falls back to Tor. Signs the message with our ed25519 key so the
/// remote peer can verify authenticity regardless of transport.
async fn notify_join(
pub(crate) async fn notify_join(
remote_onion: &str,
remote_fips_npub: Option<&str>,
local_did: &str,
local_onion: &str,
local_pubkey: &str,
local_fips_npub: Option<&str>,
local_name: Option<&str>,
sign_fn: impl FnOnce(&[u8]) -> String,
) -> Result<()> {
// Sign the canonical message: "peer-joined:{did}:{onion}:{pubkey}"
// Signature domain intentionally unchanged — fips_npub is carried
// as an unsigned informational field. The FIPS daemon's own Noise
// handshake authenticates the actual transport session, so a
// stripped/substituted npub here merely downgrades the path to Tor.
// Signature domain intentionally unchanged — fips_npub + name are
// carried as unsigned informational fields. Name is display-only
// (any identity claim is anchored on the signed did/pubkey); the
// FIPS daemon's own Noise handshake authenticates the transport
// session regardless of the advertised npub.
let sign_data = format!("peer-joined:{}:{}:{}", local_did, local_onion, local_pubkey);
let signature = sign_fn(sign_data.as_bytes());
@@ -227,6 +245,9 @@ async fn notify_join(
if let Some(npub) = local_fips_npub {
params["fips_npub"] = serde_json::Value::String(npub.to_string());
}
if let Some(name) = local_name {
params["name"] = serde_json::Value::String(name.to_string());
}
let body = serde_json::json!({
"method": "federation.peer-joined",

2
core/archipelago/src/federation/mod.rs
View File

@@ -17,5 +17,5 @@ pub use storage::{
add_node, fips_npub_for_onion, load_nodes, record_peer_transport, remove_node, save_nodes,
set_trust_level, update_node,
};
pub use sync::{build_local_state, deploy_to_peer, sync_with_peer};
pub use sync::{build_local_state, deploy_to_peer, sync_with_peer, sync_with_peer_by_did};
pub use types::{AppStatus, FederatedNode, NodeStateSnapshot, TrustLevel};

24
core/archipelago/src/federation/sync.rs
View File

@@ -82,6 +82,30 @@ pub async fn sync_with_peer(
Ok(state)
}
/// Convenience wrapper: look up a federated peer by DID, derive our
/// own local_did / signing context from the node identity on disk, and
/// call sync_with_peer. Used by transitive-discovery code paths where
/// the caller only knows the peer's DID (e.g. the peer-joined RPC's
/// follow-up task).
pub async fn sync_with_peer_by_did(
data_dir: &Path,
peer_did: &str,
) -> Result<NodeStateSnapshot> {
let nodes = super::storage::load_nodes(data_dir).await?;
let peer = nodes
.into_iter()
.find(|n| n.did == peer_did)
.ok_or_else(|| anyhow::anyhow!("Unknown federation peer: {}", peer_did))?;
let identity_dir = data_dir.join("identity");
let node_identity =
crate::identity::NodeIdentity::load_or_create(&identity_dir).await?;
let local_pubkey_hex = node_identity.pubkey_hex();
let local_did = crate::identity::did_key_from_pubkey_hex(&local_pubkey_hex)?;
sync_with_peer(data_dir, &peer, &local_did, |data| node_identity.sign(data)).await
}
/// Merge peers advertised by a Trusted federated node into our own
/// federation list. New peers are added at `Observer` trust (not
/// Trusted — that requires a direct invite). Existing peers get their

54
core/archipelago/src/fips/config.rs
View File

@@ -78,11 +78,65 @@ pub async fn install(identity_dir: &Path) -> Result<()> {
install_result?;
sudo_install_file(&src_key, DAEMON_KEY_PATH, "0600").await?;
// Heal a legacy fips_key.pub that was written as bech32 npub text
// (pre-fix identity::write_fips_key_from_seed did this). Upstream
// fips expects 32 raw bytes; a text file silently passes through
// and then the daemon can't identify itself to peers. This
// rewrites the source file in place with the correct binary form
// derived from fips_key before staging it to /etc/fips/fips.pub.
normalize_pub_file(&src_key, &src_pub).await?;
sudo_install_file(&src_pub, DAEMON_PUB_PATH, "0644").await?;
Ok(())
}
/// Ensure `fips_key.pub` is 32 raw bytes. If it's a bech32 npub text
/// file (from the pre-fix writer), decode it and rewrite in place. If
/// the file is missing or its content doesn't match either format,
/// re-derive the public key from `fips_key` and write that.
pub async fn normalize_pub_file(key_path: &Path, pub_path: &Path) -> Result<()> {
// Happy path: already 32 raw bytes.
if let Ok(bytes) = tokio::fs::read(pub_path).await {
if bytes.len() == 32 {
return Ok(());
}
// bech32 npub text from the pre-fix writer: decode in place.
if let Ok(s) = std::str::from_utf8(&bytes) {
let trimmed = s.trim();
if trimmed.starts_with("npub1") {
if let Ok(pk) = nostr_sdk::PublicKey::parse(trimmed) {
let raw: [u8; 32] = pk.to_bytes();
tokio::fs::write(pub_path, raw)
.await
.context("rewriting fips_key.pub as 32 raw bytes")?;
tracing::info!(
"Migrated legacy bech32 fips_key.pub to raw-byte form at {}",
pub_path.display()
);
return Ok(());
}
}
}
}
// Fallback: no pub file, or unreadable format. Re-derive from the
// private key file (already validated by load_fips_keys).
let secret_bytes = tokio::fs::read(key_path)
.await
.with_context(|| format!("read {} to derive public", key_path.display()))?;
let text = std::str::from_utf8(&secret_bytes)
.context("fips_key is not UTF-8 — can't derive public")?;
let secret = nostr_sdk::SecretKey::parse(text.trim())
.context("fips_key not parseable as bech32 nsec")?;
let keys = nostr_sdk::Keys::new(secret);
let raw: [u8; 32] = keys.public_key().to_bytes();
tokio::fs::write(pub_path, raw)
.await
.context("writing re-derived fips_key.pub")?;
tracing::info!("Re-derived fips_key.pub from fips_key");
Ok(())
}
async fn sudo_install_dir(path: &str) -> Result<()> {
let out = Command::new("sudo")
.args(["install", "-d", "-m", "0755", path])

14
core/archipelago/src/identity.rs
View File

@@ -219,14 +219,22 @@ async fn write_fips_key_from_seed(
.await
.context("Failed to set FIPS key permissions")?;
}
let npub = keys.public_key().to_bech32().unwrap_or_default();
fs::write(&pub_path, format!("{npub}\n"))
// Upstream fips daemon expects 32 raw bytes in /etc/fips/fips.pub —
// not a bech32 npub string. Writing the bech32 form here meant the
// installed .pub file was a 63-char text file the daemon parsed as
// 63 raw bytes of garbage, so it couldn't identify itself to peers
// and the anchor never handshook. Write the raw public-key bytes
// (PublicKey::to_bytes returns a [u8; 32]) so the daemon reads
// them directly.
let raw_pub: [u8; 32] = keys.public_key().to_bytes();
fs::write(&pub_path, raw_pub)
.await
.context("Failed to write FIPS public key")?;
let npub_for_log = keys.public_key().to_bech32().unwrap_or_default();
tracing::info!(
"Derived FIPS mesh key from seed (npub: {}...)",
npub.chars().take(20).collect::<String>()
npub_for_log.chars().take(20).collect::<String>()
);
Ok(())
}

382
core/archipelago/src/update.rs
View File

@@ -4,9 +4,38 @@ use anyhow::{Context, Result};
use chrono::Timelike;
use serde::{Deserialize, Serialize};
use std::path::Path;
use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
use tokio::fs;
use tracing::{debug, info};
/// Live download progress counters. Updated by download_component_resumable
/// as bytes arrive and read by the update.status RPC so the UI can show
/// a real progress bar instead of a fake creep. Global because the
/// download runs in one place at a time; no need for per-handler state.
pub static DOWNLOAD_BYTES: AtomicU64 = AtomicU64::new(0);
pub static DOWNLOAD_TOTAL: AtomicU64 = AtomicU64::new(0);
/// Set true to ask the in-flight download loop to bail out at the next
/// chunk boundary. Read via `is_canceled`; reset at the start of every
/// `download_update` run. Also flipped by the `cancel_download` RPC.
pub static DOWNLOAD_CANCEL: AtomicBool = AtomicBool::new(false);
/// Monotonic ms timestamp of the last time DOWNLOAD_BYTES advanced.
/// Lets `update.status` flag a download as "stalled" when no bytes have
/// arrived for a while, so the UI can offer a Cancel button with more
/// confidence than "looks stuck at 0%".
pub static DOWNLOAD_PROGRESS_AT: AtomicU64 = AtomicU64::new(0);
fn now_ms() -> u64 {
use std::time::{SystemTime, UNIX_EPOCH};
SystemTime::now()
.duration_since(UNIX_EPOCH)
.map(|d| d.as_millis() as u64)
.unwrap_or(0)
}
fn is_canceled() -> bool {
DOWNLOAD_CANCEL.load(Ordering::Relaxed)
}
const DEFAULT_UPDATE_MANIFEST_URL: &str =
"https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/manifest.json";
const UPDATE_STATE_FILE: &str = "update_state.json";
@@ -111,36 +140,57 @@ pub async fn check_for_updates(data_dir: &Path) -> Result<UpdateState> {
let mut state = load_state(data_dir).await?;
info!("Checking for updates...");
// 45s total budget, and we retry up to 3 times so a momentary
// gitea hiccup doesn't make the node report "up to date" when an
// update actually exists. Short per-attempt timeout keeps the RPC
// responsive in the common case.
let client = reqwest::Client::builder()
.timeout(std::time::Duration::from_secs(15))
.connect_timeout(std::time::Duration::from_secs(10))
.build()
.context("Failed to create HTTP client")?;
let manifest_url = update_manifest_url();
match client.get(&manifest_url).send().await {
Ok(resp) if resp.status().is_success() => {
let manifest: UpdateManifest = resp
.json()
.await
.context("Failed to parse update manifest")?;
if manifest.version != state.current_version {
info!(
current = %state.current_version,
available = %manifest.version,
"Update available"
);
state.available_update = Some(manifest);
} else {
debug!("Already on latest version: {}", state.current_version);
state.available_update = None;
let mut last_err: Option<String> = None;
let mut handled = false;
for attempt in 1..=3u8 {
if attempt > 1 {
tokio::time::sleep(std::time::Duration::from_secs(5)).await;
}
match client.get(&manifest_url).send().await {
Ok(resp) if resp.status().is_success() => {
match resp.json::<UpdateManifest>().await {
Ok(manifest) => {
if manifest.version != state.current_version {
info!(
current = %state.current_version,
available = %manifest.version,
"Update available"
);
state.available_update = Some(manifest);
} else {
debug!("Already on latest version: {}", state.current_version);
state.available_update = None;
}
handled = true;
break;
}
Err(e) => {
last_err = Some(format!("parse: {}", e));
}
}
}
Ok(resp) => {
last_err = Some(format!("HTTP {}", resp.status()));
}
Err(e) => {
last_err = Some(e.to_string());
}
}
Ok(resp) => {
debug!("Update check returned status: {}", resp.status());
}
Err(e) => {
debug!("Update check failed (offline?): {}", e);
}
if !handled {
if let Some(e) = last_err {
debug!("Update check failed after retries: {}", e);
}
}
@@ -163,6 +213,14 @@ pub async fn dismiss_update(data_dir: &Path) -> Result<()> {
/// Download update components to a staging directory.
/// Verifies SHA256 hash for each component.
///
/// Robustness: each component download is **resumable** via HTTP Range
/// requests and retried up to 6 times with exponential backoff. When
/// gitea drops the connection mid-stream (happens regularly at slow
/// raw-file throughput), the next attempt picks up where the previous
/// one left off instead of restarting from byte zero. SHA256 is
/// verified over the complete file at the end of each component, so a
/// partially-corrupt resume still fails cleanly.
pub async fn download_update(data_dir: &Path) -> Result<DownloadProgress> {
let state = load_state(data_dir).await?;
let manifest = state
@@ -176,7 +234,9 @@ pub async fn download_update(data_dir: &Path) -> Result<DownloadProgress> {
.context("Failed to create staging dir")?;
let client = reqwest::Client::builder()
.timeout(std::time::Duration::from_secs(1800))
// Per-request budget; each attempt gets the full hour. A retry
// restarts the budget cleanly.
.timeout(std::time::Duration::from_secs(3600))
.connect_timeout(std::time::Duration::from_secs(30))
.build()
.context("Failed to create HTTP client")?;
@@ -184,49 +244,28 @@ pub async fn download_update(data_dir: &Path) -> Result<DownloadProgress> {
let mut downloaded = 0u64;
let total_bytes: u64 = manifest.components.iter().map(|c| c.size_bytes).sum();
// Clear any stale cancel flag from a prior aborted run, then seed
// the live counters so polls during the handshake show the right
// denominator immediately instead of 0/0 → NaN%.
DOWNLOAD_CANCEL.store(false, Ordering::Relaxed);
DOWNLOAD_TOTAL.store(total_bytes, Ordering::Relaxed);
DOWNLOAD_BYTES.store(0, Ordering::Relaxed);
DOWNLOAD_PROGRESS_AT.store(now_ms(), Ordering::Relaxed);
for component in &manifest.components {
if is_canceled() {
DOWNLOAD_TOTAL.store(0, Ordering::Relaxed);
DOWNLOAD_BYTES.store(0, Ordering::Relaxed);
anyhow::bail!("Download canceled");
}
info!(name = %component.name, url = %component.download_url, "Downloading component");
let resp = client
.get(&component.download_url)
.send()
.await
.with_context(|| format!("Failed to download {}", component.name))?;
if !resp.status().is_success() {
anyhow::bail!(
"Download failed for {}: HTTP {}",
component.name,
resp.status()
);
}
let bytes = resp
.bytes()
.await
.with_context(|| format!("Failed to read {}", component.name))?;
// Verify SHA256
use sha2::{Digest, Sha256};
let hash = hex::encode(Sha256::digest(&bytes));
if hash != component.sha256 {
anyhow::bail!(
"SHA256 mismatch for {}: expected {}, got {}",
component.name,
component.sha256,
hash
);
}
let dest = staging_dir.join(&component.name);
fs::write(&dest, &bytes)
.await
.with_context(|| format!("Failed to write {}", component.name))?;
download_component_resumable(&client, component, &dest, downloaded).await?;
downloaded += component.size_bytes;
DOWNLOAD_BYTES.store(downloaded, Ordering::Relaxed);
info!(
name = %component.name,
bytes = bytes.len(),
bytes = component.size_bytes,
"Component downloaded and verified"
);
}
@@ -244,6 +283,214 @@ pub async fn download_update(data_dir: &Path) -> Result<DownloadProgress> {
})
}
/// Download a single component to `dest`, resuming from the end of
/// any existing partial file via a Range request. Retries up to 6
/// times with exponential backoff (5s, 15s, 30s, 60s, 120s, 180s).
/// Verifies the SHA256 over the full file at the end.
async fn download_component_resumable(
client: &reqwest::Client,
component: &ComponentUpdate,
dest: &Path,
prior_total: u64,
) -> Result<()> {
use sha2::{Digest, Sha256};
use tokio::io::AsyncWriteExt;
const MAX_ATTEMPTS: u32 = 6;
const BACKOFFS: [u64; 5] = [5, 15, 30, 60, 120];
let mut last_err: Option<anyhow::Error> = None;
for attempt in 1..=MAX_ATTEMPTS {
let existing_len = match tokio::fs::metadata(dest).await {
Ok(m) => m.len(),
Err(_) => 0,
};
if existing_len >= component.size_bytes {
// File is already complete — break out and go verify.
break;
}
if attempt > 1 {
let delay = BACKOFFS[(attempt as usize - 2).min(BACKOFFS.len() - 1)];
tracing::warn!(
name = %component.name,
attempt,
resume_at = existing_len,
"Retrying download in {}s (previous error: {})",
delay,
last_err.as_ref().map(|e| e.to_string()).unwrap_or_default()
);
// Sleep in 500ms slices so a Cancel during backoff wakes
// promptly instead of waiting out the full exponential window.
let slices = delay * 2;
for _ in 0..slices {
if is_canceled() {
anyhow::bail!("Download canceled");
}
tokio::time::sleep(std::time::Duration::from_millis(500)).await;
}
}
if is_canceled() {
anyhow::bail!("Download canceled");
}
let mut req = client.get(&component.download_url);
if existing_len > 0 {
req = req.header("Range", format!("bytes={}-", existing_len));
}
let resp = match req.send().await {
Ok(r) => r,
Err(e) => {
last_err = Some(anyhow::anyhow!(e));
continue;
}
};
let status = resp.status();
// 200 OK on a fresh start, 206 Partial Content on a resume
// that the server honoured. Anything else is a problem.
let is_resume = existing_len > 0 && status == reqwest::StatusCode::PARTIAL_CONTENT;
let is_fresh = existing_len == 0 && status.is_success();
let server_ignored_range = existing_len > 0 && status == reqwest::StatusCode::OK;
if !is_resume && !is_fresh && !server_ignored_range {
last_err = Some(anyhow::anyhow!(
"HTTP {} for {} (resume offset {})",
status,
component.name,
existing_len
));
continue;
}
// If the server ignored Range (returned 200 with the full
// body), wipe the partial file and start over.
let mut file = if server_ignored_range {
let _ = tokio::fs::remove_file(dest).await;
tokio::fs::OpenOptions::new()
.create(true)
.write(true)
.truncate(true)
.open(dest)
.await
.context("open staging file")?
} else if is_resume {
tokio::fs::OpenOptions::new()
.append(true)
.open(dest)
.await
.context("open staging file for append")?
} else {
tokio::fs::OpenOptions::new()
.create(true)
.write(true)
.truncate(true)
.open(dest)
.await
.context("open staging file")?
};
let mut resp = resp;
let mut stream_err = false;
let mut on_disk = existing_len;
let mut canceled = false;
loop {
if is_canceled() {
canceled = true;
break;
}
match resp.chunk().await {
Ok(Some(bytes)) => {
if let Err(e) = file.write_all(&bytes).await {
last_err = Some(anyhow::anyhow!(e).context("writing chunk"));
stream_err = true;
break;
}
on_disk += bytes.len() as u64;
DOWNLOAD_BYTES.store(
prior_total + on_disk.min(component.size_bytes),
Ordering::Relaxed,
);
DOWNLOAD_PROGRESS_AT.store(now_ms(), Ordering::Relaxed);
}
Ok(None) => break, // stream ended cleanly
Err(e) => {
last_err = Some(anyhow::anyhow!(e).context("reading chunk"));
stream_err = true;
break;
}
}
}
if canceled {
let _ = file.flush().await;
drop(file);
DOWNLOAD_TOTAL.store(0, Ordering::Relaxed);
DOWNLOAD_BYTES.store(0, Ordering::Relaxed);
anyhow::bail!("Download canceled");
}
let _ = file.flush().await;
let _ = file.sync_all().await;
drop(file);
if stream_err {
continue;
}
// Stream ended cleanly. If we've got the expected size, verify
// the SHA and succeed. Otherwise loop to resume from the new
// offset on the next attempt.
let final_len = tokio::fs::metadata(dest)
.await
.map(|m| m.len())
.unwrap_or(0);
if final_len < component.size_bytes {
last_err = Some(anyhow::anyhow!(
"download truncated: got {} of {} bytes",
final_len,
component.size_bytes
));
continue;
}
// Full file — verify hash.
let bytes = tokio::fs::read(dest)
.await
.context("read staging file for hash check")?;
let hash = hex::encode(Sha256::digest(&bytes));
if hash == component.sha256 {
return Ok(());
}
// SHA mismatch — the file on disk is garbage. Nuke it and
// start over from scratch on the next attempt.
let _ = tokio::fs::remove_file(dest).await;
last_err = Some(anyhow::anyhow!(
"SHA256 mismatch for {}: expected {}, got {}",
component.name,
component.sha256,
hash
));
}
Err(last_err.unwrap_or_else(|| anyhow::anyhow!("download failed without a captured error")))
}
/// Cancel an in-flight download. Sets the cancellation flag so the
/// download loop bails out at the next chunk or backoff boundary, then
/// zeros the live counters and wipes the staging directory so the UI
/// sees "no active download" immediately and the next attempt starts
/// clean. Safe to call even when no download is running.
pub async fn cancel_download(data_dir: &Path) -> Result<()> {
DOWNLOAD_CANCEL.store(true, Ordering::Relaxed);
DOWNLOAD_BYTES.store(0, Ordering::Relaxed);
DOWNLOAD_TOTAL.store(0, Ordering::Relaxed);
let staging = data_dir.join("update-staging");
if staging.exists() {
let _ = tokio::fs::remove_dir_all(&staging).await;
}
// Clear the "downloaded, ready to apply" marker too — a canceled
// download is not a staged update.
if let Ok(mut state) = load_state(data_dir).await {
if state.update_in_progress {
state.update_in_progress = false;
let _ = save_state(data_dir, &state).await;
}
}
Ok(())
}
/// Run a command as root, but *outside* the archipelago service's
/// restricted mount namespace.
///
@@ -369,6 +616,21 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
])
.await;
// Preserve paths that are installed outside the Vue build
// (baked in by the ISO or sibling installers) and so
// aren't in the new tarball. Without this copy, every OTA
// wipes them — notably aiui/ (Claude Code sidebar) and
// the companion APK. `cp -a` preserves mode/ownership.
for preserved in ["aiui", "archipelago-companion.apk"] {
let src = format!("{}/{}", web_ui, preserved);
let dst = format!("{}/{}", staging_new, preserved);
// Only preserve the old copy if the new tarball
// doesn't already ship a fresher one.
if Path::new(&src).exists() && !Path::new(&dst).exists() {
let _ = host_sudo(&["cp", "-a", &src, &dst]).await;
}
}
// Swap: mv current web-ui aside, then mv new into place.
if Path::new(web_ui).exists() {
let mv_old = host_sudo(&["mv", web_ui, &staging_old])

6
neode-ui/src/api/rpc-client.ts
View File

@@ -525,7 +525,11 @@ class RPCClient {
return this.call({
method: 'package.install',
params: { id, 'marketplace-url': marketplaceUrl, version },
timeout: 900000, // 15 min — multi-GB stacks (IndeedHub, Bitcoin, Penpot) take time
// 45 min — IndeedHub is 6 images and gitea raw-file throughput is
// ~70 KB/s per image; 15 min was short enough to kill the install
// mid-pull and land the user on a "didn't work" screen while the
// backend kept working in the background.
timeout: 2700000,
})
}

20
neode-ui/src/locales/en.json
View File

@@ -666,7 +666,7 @@
"applyUpdate": "Install Update",
"checkForUpdates": "Check for Updates",
"checking": "Checking...",
"rollback": "Rollback to Previous",
"rollback": "Rollback Available",
"backToSettings": "Back to Settings",
"percentComplete": "{percent}% complete",
"applyWarning": "Installing components and restarting services. Do not power off.",
@@ -685,10 +685,26 @@
"rollbackSuccess": "Rolled back to previous version. Service will restart.",
"rollbackFailed": "Rollback failed.",
"pullAndRebuild": "Pull & Rebuild",
"finishingDownload": "Finishing download — verifying checksum…",
"overlayApplying": "Installing update…",
"overlayRestarting": "Restarting server…",
"overlayReconnecting": "Reconnecting to the new version…",
"overlayReady": "Update installed — reloading…",
"overlayStalled": "Taking longer than expected",
"overlayTarget": "Installing v{version}",
"overlayReloadNow": "Reload now",
"gitMethodHint": "This node builds from source. Update will git-pull, rebuild the backend and UI, then restart — takes a few minutes.",
"gitApplyTitle": "Pull & Rebuild?",
"gitApplyMessage": "Archipelago will pull the latest code, rebuild, and restart. This can take several minutes and the UI will be briefly unavailable.",
"gitApplyStarted": "Update started. The backend will rebuild and restart — this can take a few minutes."
"gitApplyStarted": "Update started. The backend will rebuild and restart — this can take a few minutes.",
"cancelDownload": "Cancel Download",
"cancelingDownload": "Canceling…",
"cancelDownloadTitle": "Cancel Download?",
"cancelDownloadConfirm": "This will stop the current download and discard the partial file. You can start again from scratch afterwards.",
"cancelDownloadButton": "Cancel Download",
"cancelDownloadSuccess": "Download canceled. You can try again.",
"cancelDownloadFailed": "Failed to cancel download.",
"downloadStalled": "Download appears stuck — try Cancel and start again."
},
"kiosk": {
"pressEsc": "Press ESC to exit",

22
neode-ui/src/locales/es.json
View File

@@ -665,7 +665,7 @@
"applyUpdate": "Instalar actualizaci\u00f3n",
"checkForUpdates": "Buscar actualizaciones",
"checking": "Verificando...",
"rollback": "Revertir a la versi\u00f3n anterior",
"rollback": "Rollback disponible",
"backToSettings": "Volver a configuraci\u00f3n",
"percentComplete": "{percent}% completado",
"applyWarning": "Instalando componentes y reiniciando servicios. No apague el equipo.",
@@ -684,10 +684,26 @@
"rollbackSuccess": "Se revirti\u00f3 a la versi\u00f3n anterior. El servicio se reiniciar\u00e1.",
"rollbackFailed": "Error al revertir.",
"pullAndRebuild": "Pull y Recompilar",
"gitMethodHint": "Este nodo compila desde el c\u00f3digo fuente. La actualizaci\u00f3n har\u00e1 git-pull, recompilar\u00e1 y reiniciar\u00e1 — tarda unos minutos.",
"finishingDownload": "Terminando descarga \u2014 verificando checksum\u2026",
"overlayApplying": "Instalando actualizaci\u00f3n\u2026",
"overlayRestarting": "Reiniciando servidor\u2026",
"overlayReconnecting": "Reconectando a la nueva versi\u00f3n\u2026",
"overlayReady": "Actualizaci\u00f3n instalada \u2014 recargando\u2026",
"overlayStalled": "Tardando m\u00e1s de lo esperado",
"overlayTarget": "Instalando v{version}",
"overlayReloadNow": "Recargar ahora",
"gitMethodHint": "Este nodo compila desde el c\u00f3digo fuente. La actualizaci\u00f3n har\u00e1 git-pull, recompilar\u00e1 y reiniciar\u00e1 \u2014 tarda unos minutos.",
"gitApplyTitle": "\u00bfPull y Recompilar?",
"gitApplyMessage": "Archipelago descargar\u00e1 el c\u00f3digo m\u00e1s reciente, lo compilar\u00e1 y reiniciar\u00e1. Puede tardar varios minutos y la UI estar\u00e1 brevemente no disponible.",
"gitApplyStarted": "Actualizaci\u00f3n iniciada. El backend se recompilar\u00e1 y reiniciar\u00e1 puede tardar unos minutos."
"gitApplyStarted": "Actualizaci\u00f3n iniciada. El backend se recompilar\u00e1 y reiniciar\u00e1 \u2014 puede tardar unos minutos.",
"cancelDownload": "Cancelar descarga",
"cancelingDownload": "Cancelando\u2026",
"cancelDownloadTitle": "\u00bfCancelar descarga?",
"cancelDownloadConfirm": "Esto detendr\u00e1 la descarga actual y descartar\u00e1 el archivo parcial. Podr\u00e1s volver a empezar desde cero.",
"cancelDownloadButton": "Cancelar descarga",
"cancelDownloadSuccess": "Descarga cancelada. Puedes intentarlo de nuevo.",
"cancelDownloadFailed": "No se pudo cancelar la descarga.",
"downloadStalled": "La descarga parece atascada \u2014 prueba a cancelar y volver a empezar."
},
"kiosk": {
"pressEsc": "Presione ESC para salir",

15
neode-ui/src/views/Federation.vue
View File

@@ -142,7 +142,7 @@
</template>
<script setup lang="ts">
import { ref, computed, onMounted } from 'vue'
import { ref, computed, onMounted, onUnmounted } from 'vue'
import { rpcClient } from '@/api/rpc-client'
import { useTransportStore } from '@/stores/transport'
import { useAppStore } from '@/stores/app'
@@ -537,6 +537,8 @@ async function rotateDid(password: string) {
}
}
let autoRefreshTimer: ReturnType<typeof setInterval> | null = null
onMounted(async () => {
loadNodes()
loadDwnStatus()
@@ -549,5 +551,16 @@ onMounted(async () => {
} catch {
// Self DID not available
}
autoRefreshTimer = setInterval(() => {
loadNodes()
loadPendingRequests()
}, 5000)
})
onUnmounted(() => {
if (autoRefreshTimer) {
clearInterval(autoRefreshTimer)
autoRefreshTimer = null
}
})
</script>

323
neode-ui/src/views/SystemUpdate.vue
View File

@@ -109,11 +109,31 @@
<h2 class="text-lg font-semibold text-white mb-4">{{ t('systemUpdate.downloading') }}</h2>
<div class="w-full h-3 bg-white/10 rounded-full overflow-hidden mb-2">
<div
class="h-full bg-orange-400 rounded-full transition-all duration-500"
class="h-full rounded-full transition-all duration-500"
:class="downloadStalled ? 'bg-amber-400' : 'bg-orange-400'"
:style="{ width: downloadPercentFormatted + '%' }"
></div>
</div>
<p class="text-xs text-white/60">{{ t('systemUpdate.percentComplete', { percent: downloadPercentFormatted }) }}</p>
<div class="flex items-center justify-between gap-3 flex-wrap">
<div class="flex items-center gap-2 min-w-0">
<div v-if="downloadFinishing && !downloadStalled" class="w-3 h-3 border-2 border-orange-400 border-t-transparent rounded-full animate-spin shrink-0"></div>
<p class="text-xs" :class="downloadStalled ? 'text-amber-300' : 'text-white/60'">
{{ downloadStalled
? t('systemUpdate.downloadStalled')
: downloadFinishing
? t('systemUpdate.finishingDownload')
: t('systemUpdate.percentComplete', { percent: downloadPercentFormatted }) }}
</p>
</div>
<button
@click="requestCancelDownload"
:disabled="cancelingDownload"
class="glass-button rounded-lg px-4 py-1.5 text-xs font-medium disabled:opacity-40 shrink-0"
:class="downloadStalled ? 'bg-amber-500/20 border-amber-400/40 text-amber-200' : ''"
>
{{ cancelingDownload ? t('systemUpdate.cancelingDownload') : t('systemUpdate.cancelDownload') }}
</button>
</div>
</div>
<!-- Applying -->
@@ -176,6 +196,67 @@
</div>
</div>
<!-- Install progress overlay covers the UI while the backend
swaps files, restarts, and comes back up on the new version.
Auto-reloads the page as soon as /health reports the target
version. Styled to match the screensaver (ASCII logo, full-
screen black). -->
<Teleport to="body">
<Transition name="fade">
<div
v-if="installing"
class="fixed inset-0 z-[3000] bg-black flex flex-col items-center justify-center overflow-hidden"
>
<!-- Centered ASCII logo same asset used by the screensaver -->
<div class="install-overlay-ascii">
<BitcoinFaceAscii />
</div>
<!-- Status text + progress bar underneath -->
<div class="mt-8 w-[min(520px,80vw)] text-center">
<h2 class="text-xl font-semibold text-white mb-1">
{{ installStage === 'applying' ? t('systemUpdate.overlayApplying')
: installStage === 'restarting' ? t('systemUpdate.overlayRestarting')
: installStage === 'reconnecting' ? t('systemUpdate.overlayReconnecting')
: installStage === 'ready' ? t('systemUpdate.overlayReady')
: t('systemUpdate.overlayStalled') }}
</h2>
<p v-if="installTargetVersion" class="text-sm text-white/60 mb-4">
{{ t('systemUpdate.overlayTarget', { version: installTargetVersion }) }}
</p>
<!-- Animated bar: indeterminate stripe while working; full
orange when ready; steady at 50% (paused look) when
stalled so it reads as "something needs the user". -->
<div class="w-full h-2 bg-white/10 rounded-full overflow-hidden mb-3 relative">
<div
v-if="installStage === 'ready'"
class="absolute inset-0 bg-green-400"
></div>
<div
v-else-if="installStage === 'stalled'"
class="absolute inset-y-0 left-0 w-1/2 bg-orange-400/60"
></div>
<div
v-else
class="absolute inset-y-0 w-1/3 bg-orange-400 rounded-full install-overlay-bar-anim"
></div>
</div>
<p class="text-xs text-white/40">{{ installElapsedLabel }}</p>
<button
v-if="installStage === 'stalled'"
@click="reloadNow"
class="mt-5 glass-button rounded-lg px-5 py-2 text-sm font-medium bg-orange-500/20 border-orange-400/30"
>
{{ t('systemUpdate.overlayReloadNow') }}
</button>
</div>
</div>
</Transition>
</Teleport>
<!-- Confirmation modal -->
<Transition name="fade">
<div v-if="confirmAction" class="fixed inset-0 z-50 flex items-center justify-center bg-black/10 backdrop-blur-md" @click.self="cancelConfirm">
@@ -185,14 +266,18 @@
? t('systemUpdate.rollbackTitle')
: confirmAction === 'git-apply'
? t('systemUpdate.gitApplyTitle')
: t('systemUpdate.applyTitle') }}
: confirmAction === 'cancel-download'
? t('systemUpdate.cancelDownloadTitle')
: t('systemUpdate.applyTitle') }}
</h3>
<p class="text-sm text-white/70 mb-6">
{{ confirmAction === 'rollback'
? t('systemUpdate.rollbackMessage')
: confirmAction === 'git-apply'
? t('systemUpdate.gitApplyMessage')
: t('systemUpdate.applyMessage') }}
: confirmAction === 'cancel-download'
? t('systemUpdate.cancelDownloadConfirm')
: t('systemUpdate.applyMessage') }}
</p>
<div class="flex gap-3 justify-end">
<button @click="cancelConfirm" class="glass-button rounded-lg px-4 py-2 text-sm font-medium">
@@ -201,13 +286,15 @@
<button
@click="executeConfirm"
class="glass-button rounded-lg px-4 py-2 text-sm font-medium"
:class="confirmAction === 'rollback' ? 'bg-red-500/20 border-red-400/30' : 'bg-orange-500/20 border-orange-400/30'"
:class="(confirmAction === 'rollback' || confirmAction === 'cancel-download') ? 'bg-red-500/20 border-red-400/30' : 'bg-orange-500/20 border-orange-400/30'"
>
{{ confirmAction === 'rollback'
? t('systemUpdate.rollbackButton')
: confirmAction === 'git-apply'
? t('systemUpdate.pullAndRebuild')
: t('systemUpdate.applyNow') }}
: confirmAction === 'cancel-download'
? t('systemUpdate.cancelDownloadButton')
: t('systemUpdate.applyNow') }}
</button>
</div>
</div>
@@ -221,6 +308,7 @@ import { ref, computed, onMounted } from 'vue'
import { useI18n } from 'vue-i18n'
import { RouterLink } from 'vue-router'
import { rpcClient } from '@/api/rpc-client'
import BitcoinFaceAscii from '@/views/discover/BitcoinFaceAscii.vue'
interface UpdateDetail {
version: string
@@ -244,7 +332,9 @@ const loading = ref(false)
const downloading = ref(false)
const downloaded = ref(false)
const applying = ref(false)
const confirmAction = ref<'apply' | 'git-apply' | 'rollback' | null>(null)
const cancelingDownload = ref(false)
const downloadStalled = ref(false)
const confirmAction = ref<'apply' | 'git-apply' | 'rollback' | 'cancel-download' | null>(null)
const currentVersion = ref('0.0.0')
const lastCheck = ref<string | null>(null)
const updateInfo = ref<UpdateDetail | null>(null)
@@ -256,6 +346,104 @@ const statusIsError = ref(false)
const downloadPercent = ref(0)
const downloadPercentFormatted = computed(() => downloadPercent.value.toFixed(2))
// Poll the backend for the real bytes_downloaded / total_bytes so the
// progress bar tracks actual download state (and survives route
// changes). Returns true if a download is currently in progress.
async function pollDownloadProgress(): Promise<boolean> {
try {
const res = await rpcClient.call<{
download_progress?: {
bytes_downloaded: number
total_bytes: number
active: boolean
stalled?: boolean
} | null
}>({ method: 'update.status' })
const p = res.download_progress
if (p && p.total_bytes > 0) {
downloadPercent.value = Math.min(100, (p.bytes_downloaded / p.total_bytes) * 100)
downloadStalled.value = !!p.stalled
return p.active
}
downloadStalled.value = false
return false
} catch {
return false
}
}
// Shown next to the progress bar when the fake increment has maxed out
// at 95% but the real RPC hasn't returned yet — lets the user know the
// UI hasn't frozen while SHA verification and disk writes finish.
const downloadFinishing = computed(() => downloading.value && downloadPercent.value >= 95)
// Install overlay state — drives the full-screen progress modal shown
// while the backend swaps files, restarts, and comes back up on the
// new version. The overlay polls /health and auto-reloads the browser
// as soon as the backend reports the target version, so the user
// doesn't need to manually refresh.
type InstallStage = 'applying' | 'restarting' | 'reconnecting' | 'ready' | 'stalled'
const installing = ref(false)
const installStage = ref<InstallStage>('applying')
const installTargetVersion = ref<string | null>(null)
const installStartedAt = ref<number>(0)
const installElapsedSec = ref(0)
let installPollTimer: ReturnType<typeof setInterval> | null = null
let installElapsedTimer: ReturnType<typeof setInterval> | null = null
const installElapsedLabel = computed(() => {
const s = installElapsedSec.value
if (s < 60) return `Elapsed: ${s}s`
return `Elapsed: ${Math.floor(s / 60)}m${s % 60 < 10 ? '0' : ''}${s % 60}s`
})
function startInstallOverlay(targetVersion: string) {
installing.value = true
installStage.value = 'applying'
installTargetVersion.value = targetVersion
installStartedAt.value = Date.now()
installElapsedSec.value = 0
// Tick an elapsed counter once per second for the UI.
installElapsedTimer = setInterval(() => {
installElapsedSec.value = Math.floor((Date.now() - installStartedAt.value) / 1000)
// Stop polling after 3 min — surface the manual reload button.
if (installElapsedSec.value >= 180 && installStage.value !== 'ready') {
installStage.value = 'stalled'
}
}, 1000)
// Start polling /health after a short delay — the backend restarts 2s
// after replying to update.apply, so an immediate poll would see the
// old backend and conclude nothing happened.
setTimeout(() => {
installStage.value = 'restarting'
installPollTimer = setInterval(pollHealth, 1500)
}, 2500)
}
async function pollHealth() {
if (installStage.value === 'ready' || installStage.value === 'stalled') return
try {
const res = await fetch('/health', { signal: AbortSignal.timeout(2000) })
if (!res.ok) throw new Error(`health ${res.status}`)
const data = await res.json() as { version?: string }
if (data.version && data.version === installTargetVersion.value) {
installStage.value = 'ready'
if (installPollTimer) { clearInterval(installPollTimer); installPollTimer = null }
// Brief pause so the user sees the "Ready" state before the reload.
setTimeout(() => { window.location.reload() }, 1200)
} else {
// Backend is up but still reporting the old version — frontend
// and backend are mid-swap. Signal to the user.
installStage.value = 'reconnecting'
}
} catch {
// Fetch fails while the server is mid-restart. Stay in 'restarting'.
}
}
function reloadNow() { window.location.reload() }
// Cleanup if the component is torn down mid-install (unlikely but safe).
import { onBeforeUnmount } from 'vue'
onBeforeUnmount(() => {
if (installPollTimer) clearInterval(installPollTimer)
if (installElapsedTimer) clearInterval(installElapsedTimer)
})
const lastCheckDisplay = computed(() => {
if (!lastCheck.value) return t('common.never')
try {
@@ -345,21 +533,19 @@ async function downloadUpdate() {
downloadPercent.value = 0
statusMessage.value = ''
// Simulate incremental progress while waiting for the RPC. Capped at
// 95% so the bar never shows >100% before the real completion jumps it
// to 100 — previously the random increment could overshoot.
const progressInterval = setInterval(() => {
if (downloadPercent.value < 95) {
downloadPercent.value = Math.min(95, downloadPercent.value + Math.random() * 3)
}
}, 500)
// Poll the backend's real byte counter every second instead of
// faking progress. The backend exposes bytes_downloaded/total_bytes
// via update.status, updated per chunk. This also means the bar
// resumes correctly after navigating away and back — no more
// "95% for some time" mystery.
const progressInterval = setInterval(() => { void pollDownloadProgress() }, 1000)
try {
const res = await rpcClient.call<{
total_bytes: number
downloaded_bytes: number
components_downloaded: number
}>({ method: 'update.download', timeout: 1_800_000 })
}>({ method: 'update.download', timeout: 3_900_000 })
downloadPercent.value = 100
downloaded.value = true
const sizeMB = (res.downloaded_bytes / 1_048_576).toFixed(1)
@@ -385,6 +571,10 @@ function requestRollback() {
confirmAction.value = 'rollback'
}
function requestCancelDownload() {
confirmAction.value = 'cancel-download'
}
function cancelConfirm() {
confirmAction.value = null
}
@@ -395,40 +585,69 @@ async function executeConfirm() {
if (action === 'apply') {
await applyUpdate()
} else if (action === 'git-apply') {
await applyUpdateGit()
await applyUpdateGitWithOverlay()
} else if (action === 'rollback') {
await rollbackUpdate()
} else if (action === 'cancel-download') {
await cancelDownload()
}
}
async function applyUpdateGit() {
applying.value = true
statusMessage.value = ''
async function cancelDownload() {
cancelingDownload.value = true
try {
await rpcClient.call({ method: 'update.git-apply', timeout: 900_000 })
showStatus(t('systemUpdate.gitApplyStarted'))
updateInfo.value = null
await rpcClient.call({ method: 'update.cancel-download' })
downloading.value = false
downloaded.value = false
downloadPercent.value = 0
downloadStalled.value = false
showStatus(t('systemUpdate.cancelDownloadSuccess'))
} catch (e) {
showStatus(t('systemUpdate.applyFailed'), true)
if (import.meta.env.DEV) console.warn('Git apply failed', e)
showStatus(t('systemUpdate.cancelDownloadFailed'), true)
if (import.meta.env.DEV) console.warn('Cancel download failed', e)
} finally {
applying.value = false
cancelingDownload.value = false
}
}
async function applyUpdate() {
applying.value = true
statusMessage.value = ''
const target = updateInfo.value?.version || null
try {
await rpcClient.call({ method: 'update.apply', timeout: 300_000 })
showStatus(t('systemUpdate.applySuccess'))
updateInfo.value = null
downloaded.value = false
await loadStatus()
// Apply succeeded. Backend scheduled a restart 2s after returning;
// show the full-screen overlay while we wait for the new backend
// to report the target version, then auto-reload.
applying.value = false
if (target) {
startInstallOverlay(target)
} else {
// No target version known (legacy path) — fall back to the old
// flash-and-reload behaviour.
showStatus(t('systemUpdate.applySuccess'))
setTimeout(() => window.location.reload(), 3000)
}
} catch (e) {
showStatus(t('systemUpdate.applyFailed'), true)
if (import.meta.env.DEV) console.warn('Apply failed', e)
} finally {
applying.value = false
}
}
async function applyUpdateGitWithOverlay() {
// Git-apply (dev path) also restarts the service — reuse the overlay
// so the UX matches the manifest path. Target version isn't known up
// front for git-apply; we just wait for a version change on /health.
applying.value = true
statusMessage.value = ''
try {
await rpcClient.call({ method: 'update.git-apply', timeout: 900_000 })
applying.value = false
startInstallOverlay(updateInfo.value?.version || currentVersion.value)
} catch (e) {
showStatus(t('systemUpdate.applyFailed'), true)
if (import.meta.env.DEV) console.warn('Git apply failed', e)
applying.value = false
}
}
@@ -465,7 +684,45 @@ async function setSchedule(value: ScheduleValue) {
}
}
onMounted(() => {
Promise.all([loadStatus(), loadSchedule(), checkForUpdates()])
onMounted(async () => {
await Promise.all([loadStatus(), loadSchedule(), checkForUpdates()])
// If a download was already running when the user navigated here
// (or refreshed), pick up the progress bar where it is and keep
// polling until the backend reports done. No RPC call to start the
// download — the backend's already running it.
const active = await pollDownloadProgress()
if (active) {
downloading.value = true
const resumeInterval = setInterval(async () => {
const stillActive = await pollDownloadProgress()
if (!stillActive) {
clearInterval(resumeInterval)
downloading.value = false
downloaded.value = true
}
}, 1000)
}
})
</script>
<style scoped>
/* Centered ASCII logo — clamped so the overlay doesn't blow out on
narrow viewports. :deep so the rule reaches BitcoinFaceAscii's
inner <pre>. */
.install-overlay-ascii :deep(pre) {
font-size: clamp(6px, 1.2vw, 12px);
line-height: 1.1;
color: rgba(255, 255, 255, 0.85);
margin: 0;
}
/* Indeterminate progress stripe that slides left-to-right. */
.install-overlay-bar-anim {
animation: installBarSlide 1.8s ease-in-out infinite;
}
@keyframes installBarSlide {
0% { transform: translateX(-100%); }
50% { transform: translateX(120%); }
100% { transform: translateX(300%); }
}
</style>

14
neode-ui/src/views/discover/curatedApps.ts
View File

@@ -22,13 +22,13 @@ let cachedCatalog: AppCatalog | null = null
let catalogFetchedAt = 0
const CATALOG_TTL = 60 * 60 * 1000 // 1 hour cache
/** Remote catalog URLs tried in order. First success wins. */
/** Catalog URLs tried in order. First success wins.
* Primary is the backend proxy (`/api/app-catalog`) — server-side fetch
* bypasses CORS on git.tx1138.com and CSP restrictions on the IP-port
* fallback. If the backend is offline (mid-restart etc.) we fall back
* to the static copy baked into the frontend build. */
const CATALOG_URLS = [
// Primary: git.tx1138.com raw file (HTTPS, dynamic, updated without frontend rebuild)
'https://git.tx1138.com/lfg2025/app-catalog/raw/branch/main/catalog.json',
// Fallback: direct IP (HTTP, only works if CSP allows http://$host:*)
'http://23.182.128.160:3000/lfg2025/app-catalog/raw/branch/main/catalog.json',
// Last resort: local static file (baked into frontend build)
'/api/app-catalog',
'/catalog.json',
]
@@ -40,7 +40,7 @@ export async function fetchAppCatalog(): Promise<AppCatalog | null> {
for (const url of CATALOG_URLS) {
try {
const res = await fetch(url, { signal: AbortSignal.timeout(5000) })
const res = await fetch(url, { credentials: 'include', signal: AbortSignal.timeout(20000) })
if (!res.ok) continue
const data = await res.json() as AppCatalog
if (!data.apps?.length) continue

32
neode-ui/src/views/server/FipsNetworkCard.vue
View File

@@ -180,21 +180,31 @@ async function installAndActivate() {
}
}
// Restart the FIPS daemon to kick it back onto the public anchor. Stale
// identity-cache entries are the usual cause of "not reached"; systemctl
// restart clears them and re-runs the bootstrap handshake.
// Restart the FIPS daemon and wait for the anchor bootstrap window.
// The backend runs a proper recovery sequence (stop → start → wait →
// classify) and returns a structured diagnostic we can show the user
// instead of a generic "still unreachable".
async function reconnectAnchor() {
reconnecting.value = true
try {
await rpcClient.call({ method: 'fips.restart', timeout: 45_000 })
// Give the daemon a few seconds to come back and re-populate its
// identity cache before we re-query status.
await new Promise((resolve) => setTimeout(resolve, 5000))
await loadStatus()
if (status.value.anchor_connected) {
flash('Anchor reconnected')
const res = await rpcClient.call<{
recovered: boolean
likely_cause: string
hint: string
after: FipsStatus
}>({ method: 'fips.reconnect', timeout: 60_000 })
// Update the card with the post-reconnect status returned by the
// backend — avoids an extra status fetch race.
status.value = { ...status.value, ...res.after }
if (res.recovered) {
flash('Anchor reconnected.')
} else if (res.likely_cause === 'connected') {
// Already connected, not a "recovery" per se.
flash('Anchor is reachable.')
} else {
flash('FIPS restarted — anchor still reporting unreachable. Check network / firewall.', true)
// Surface the backend's diagnostic hint verbatim — it's been
// written for the fleet reader.
flash(res.hint || 'Reconnect finished but anchor is still unreachable.', true)
}
} catch (e: unknown) {
const msg = e instanceof Error ? e.message : String(e)

213
neode-ui/src/views/settings/AccountInfoSection.vue
View File

@@ -180,6 +180,219 @@ init()
</button>
</div>
<div class="overflow-y-auto flex-1 min-h-0 space-y-6 pr-1">
<!-- v1.7.17-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.17-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>When a download gets stuck, you can now cancel it. A new Cancel Download button sits next to the progress bar it stops the transfer, clears the partial file, and returns you to a clean state so you can retry. No more staring at a frozen bar with no way to recover.</p>
<p>Downloads that stall for 30 seconds or more now say so. The progress bar turns amber and shows 'Download appears stuck — try Cancel and start again' instead of just sitting silently at whatever percent it reached.</p>
<p>Canceling is fast. It no longer has to wait out the retry timer the download bails within half a second, so you're not stuck watching a stuck screen while you wait to unstick it.</p>
</div>
</div>
<!-- v1.7.16-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.16-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Federation is now bidirectional and instant. When someone joins using your invite code, their node appears on your Federation page automatically — no need for the inviter to click Sync or wait for the next poll. Names and node details populate within seconds of the handshake finishing.</p>
<p>New nodes can no longer federate with themselves. Accepting an invite that points back at the local node (by DID, public key, or onion address) is rejected up front, so self-peering no longer clutters the node list with a duplicate card.</p>
<p>Transitive discovery: if nodes A and B are already federated and node C joins A, all three nodes now learn about each other. The new peer is pulled in as an Observer entry on existing federation members, so you can promote to Trusted with one click instead of trading a second invite code.</p>
<p>The Federation page auto-refreshes every five seconds while it's open. Status changes, new peers, and incoming join requests surface on their own clicking Sync remains available for an on-demand pull.</p>
</div>
</div>
<!-- v1.7.15-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.15-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Updates survive network hiccups. Downloads now resume from exactly where a dropped connection left off, and retry up to 6 times with increasing gaps between attempts, instead of restarting from byte zero or giving up.</p>
<p>The download progress bar now shows real progress. Instead of a fake number that creeps to 95% and freezes, you see the actual bytes arriving, and it continues to update correctly even if you navigate away and come back.</p>
<p>Update check itself retries on slow responses. If git.tx1138.com is momentarily overloaded, the node tries three times with a five-second wait between attempts before concluding you're up to date.</p>
</div>
</div>
<!-- v1.7.14-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.14-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Installing an update now shows a full-screen progress overlay with the Archipelago logo, a status message, and an animated bar. The page reloads itself automatically once the new version is up — no manual refresh. If something stalls, a 'Reload now' button appears after a few minutes.</p>
<p>Download progress no longer looks frozen near the end. The bar pauses at 95% with a 'Finishing download verifying checksum' message and spinner while the last bytes arrive and are hashed.</p>
<p>FIPS Reconnect now genuinely tries to fix the anchor. It runs a proper recovery sequence (stop → start → wait for the bootstrap window → check peers) and tells you the likely reason it's still unreachable corrupt identity key, seed not unlocked, network blocking UDP, or the anchor server being down instead of a generic 'try again'.</p>
<p>Healed a latent FIPS identity bug: the public-key file was being written in text form (an 'npub1…' string) on some nodes, which the daemon couldn't parse and silently authenticated with a garbage key. The Reconnect button now rewrites the file in the correct binary format and re-installs the config before restarting — nodes stuck with no peers for 'no reason' should come back online.</p>
<p>AIUI (Claude sidebar) is back. The installer now ships AIUI in the frontend bundle and preserves it across future updates — it was being wiped on every OTA because it lived outside the Vue build.</p>
<p>Installing a big app (IndeedHub, Bitcoin, Penpot) no longer gives up early and shows 'didn't work' while the download is still running in the background. The client waits up to 45 minutes for the install pipeline to finish.</p>
<p>'Rollback to Previous' is now labelled 'Rollback Available' clearer that it's a choice you have, not a status you're stuck with.</p>
</div>
</div>
<!-- v1.7.13-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.13-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>App catalog now loads reliably. Before, the Marketplace / Discover page couldn't fetch the catalog of apps because the upstream host wasn't sending the right CORS headers and the node's security policy didn't allow the fallback URL either. The node now fetches the catalog server-side and serves it same-origin to the browser no more blank app lists.</p>
</div>
</div>
<!-- v1.7.12-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.12-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Nothing new version bump so freshly-installed nodes (from the 1.7.11 ISO) have something to OTA down, confirming the end-to-end update pipeline out of the box.</p>
</div>
</div>
<!-- v1.7.11-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.11-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>OTA proof release first version where Install Update should run clean from the UI with no manual steps. Click it and watch the sidebar flip to 1.7.11-alpha on its own.</p>
</div>
</div>
<!-- v1.7.10-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.10-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Install Update actually applies now. The installer had to write into system folders that the backend service was sandboxed out of every earlier 'Failed to apply update' was a layer of that onion. Fixed by running the file swaps in a separate system context.</p>
<p>FIPS status on the Home and Server pages now reflects whether the public anchor is reachable. You'll see 'Active · N peers' (green) when healthy or 'No anchor' (orange) when the network is blocking the bootstrap — same signal as the full FIPS card.</p>
<p>Pasting an https://… URL into the profile picture or banner now previews correctly. Before, if the URL failed to load, the UI would silently blank out instead of showing your initial as a placeholder.</p>
<p>Uploaded profile pictures under 64 KB are now embedded directly in your Nostr profile (as a data URL), so any Nostr client can see them — not just ones routing over Tor. Larger uploads keep the onion URL for now, with a hint to paste a public URL for wider visibility.</p>
</div>
</div>
<!-- v1.7.9-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.9-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>OTA verification release — nothing new to see. Click Install Update, grab a coffee, and watch the sidebar flip to 1.7.9-alpha on its own. If this one works end to end, the pipeline is solid and future updates will flow the same way.</p>
</div>
</div>
<!-- v1.7.8-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.8-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Install Update finally works end-to-end over the air. The installer was trying to overwrite the running backend binary with a tool that fails on in-use files (ETXTBSY) — swapped it for an atomic rename, which the kernel allows on a live executable. Every previous 'Failed to apply update' attempt was this one root cause.</p>
</div>
</div>
<!-- v1.7.7-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.7-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Over-the-air update test — no feature changes, just a version bump so your node can walk through the whole update flow end-to-end using the new robust installer. Safe to apply; nothing to do afterwards.</p>
</div>
</div>
<!-- v1.7.6-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.6-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Install Update is now more robust. Each install gets its own uniquely-named staging folder and then moves files into place — the previous version had a small cleanup step that could hit a transient filesystem hiccup and bail out halfway. You'll also still see a rollback folder after a successful install.</p>
<p>Dev-box OTA: nodes that build archipelago from source can now opt into the standard Download Install flow instead of Pull &amp; Rebuild, by setting ARCHIPELAGO_UPDATE_URL in the service environment. Useful when the dev machine has a checked-out repo but you want to test the regular update path.</p>
</div>
</div>
<!-- v1.7.5-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.5-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Over-the-air update test no feature changes, just a fresh version number so your node can walk through the whole update flow end-to-end: check, download, install, auto-restart. Safe to apply; nothing to do afterwards.</p>
</div>
</div>
<!-- v1.7.4-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.4-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Install Update actually installs now. Before, the final step extracted the new UI into the wrong folder and bailed with 'Failed to apply update' your node ended up backing up cleanly but never swapping in the new files. Fixed.</p>
<p>Download progress no longer overshoots 100%. You'll see the bar climb smoothly to 95% and then jump to 100% when the download actually finishes.</p>
</div>
</div>
<!-- v1.7.3-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.3-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>The version number in the sidebar now always matches the actual running version — no more lying to you about being on an older release after an update.</p>
<p>FIPS Mesh card on the server page: cleaner layout on desktop (no more awkward gaps), and a one-click Reconnect button when the public anchor is unreachable — it restarts the FIPS daemon so it can re-bootstrap from the anchor.</p>
<p>Profile pictures now show correctly in the identity list and editor. Before, uploaded images silently failed to render because the URL was only reachable over Tor; the UI now rewrites them to a local path while keeping the external URL for other Nostr clients.</p>
<p>Identity rows now show your Display Name first (from your Nostr profile) with the internal identity name beside it in parentheses, so you see the name other people will see — not just the one you picked when creating it.</p>
</div>
</div>
<!-- v1.7.2-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.2-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Install Update now actually installs. Before, the button would back up your current version then fail with 'Failed to apply update' because the installer couldn't write into system folders.</p>
<p>The button's also been renamed to 'Install Update' (previously 'Apply Update') and the node restarts itself a moment after you click it — no more manual restart step.</p>
<p>Your existing identities now show the generated avatar instead of just their initials — same look as freshly created ones.</p>
<p>Everything from 1.7.0-alpha and 1.7.1-alpha carries over (default avatars on creation, one-click Save publishes to Nostr relays, public blob URLs for profile pictures, 30-minute download window, VPN peer restore on reboot, reconciler-only-repairs, filebrowser fix).</p>
</div>
</div>
<!-- v1.7.1-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.1-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Over-the-air update test — same features as 1.7.0, just a fresh version number so your node can try the new download-and-apply flow end-to-end. Safe to apply; nothing to do afterwards.</p>
</div>
</div>
<!-- v1.7.0-alpha -->
<div>
<div class="flex items-center gap-2 mb-3">
<span class="text-xs font-mono px-2 py-0.5 rounded bg-orange-500/20 text-orange-300">v1.7.0-alpha</span>
<span class="text-xs text-white/40">Apr 20, 2026</span>
</div>
<div class="space-y-3 text-sm text-white/80 pl-3 border-l border-white/10">
<p>Every identity now gets a personal avatar the moment it's created. Your main node identity gets a distinctive hexagonal-network icon; other identities get a colourful generated pattern unique to each one.</p>
<p>Profile editor: upload a profile picture and a banner, then tap Save your Nostr profile now goes out to the relays in one step. No more 'Save' vs 'Save &amp; Publish' confusion.</p>
<p>Profile pictures and banners you upload are now reachable by other Nostr clients across the network not just your own browser. Anyone who sees your profile on a relay can load the image.</p>
<p>Update downloads on slow connections no longer cut out right at the end. The client waits up to 30 minutes for each component instead of giving up after 15 seconds.</p>
<p>When you move a node to a new version without going through Check for Updates (for example via a reinstall or manual copy), it now reports the new version correctly instead of endlessly saying 'update available'.</p>
<p>Your VPN peers come back automatically after a reboot. No more rescanning QR codes on your phone or laptop.</p>
<p>Fresh installs stay lean only File Browser is included out of the box. Other apps wait in the Marketplace until you pick them.</p>
<p>File Browser stops rebooting itself every few hours the housekeeper now leaves it alone once it's healthy.</p>
<p>One-click 'Pull &amp; Rebuild' button works for nodes that update from source (the development path), not just the standard download path.</p>
<p>The download progress number is now clean (like 45.23%) instead of 45.270894%.</p>
</div>
</div>
<!-- v1.3.5 -->
<div>
<div class="flex items-center gap-2 mb-3">

31
releases/manifest.json
View File

@@ -1,28 +1,27 @@
{
"version": "1.7.10-alpha",
"version": "1.7.17-alpha",
"release_date": "2026-04-20",
"changelog": [
"Install Update actually applies now. The installer had to write into system folders that the backend service was sandboxed out of — every earlier 'Failed to apply update' was a layer of that onion. Fixed by running the file swaps in a separate system context.",
"FIPS status on the Home and Server pages now reflects whether the public anchor is reachable. You'll see 'Active · N peers' (green) when healthy or 'No anchor' (orange) when the network is blocking the bootstrap — same signal as the full FIPS card.",
"Pasting an https://… URL into the profile picture or banner now previews correctly. Before, if the URL failed to load, the UI would silently blank out instead of showing your initial as a placeholder.",
"Uploaded profile pictures under 64 KB are now embedded directly in your Nostr profile (as a data URL), so any Nostr client can see them — not just ones routing over Tor. Larger uploads keep the onion URL for now, with a hint to paste a public URL for wider visibility."
"When a download gets stuck, you can now cancel it. A new Cancel Download button sits next to the progress bar — it stops the transfer, clears the partial file, and returns you to a clean state so you can retry. No more staring at a frozen bar with no way to recover.",
"Downloads that stall for 30 seconds or more now say so. The progress bar turns amber and shows 'Download appears stuck — try Cancel and start again' instead of just sitting silently at whatever percent it reached.",
"Canceling is fast. It no longer has to wait out the retry timer — the download bails within half a second, so you're not stuck watching a stuck screen while you wait to unstick it."
],
"components": [
{
"name": "archipelago",
"current_version": "1.7.9-alpha",
"new_version": "1.7.10-alpha",
"download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.10-alpha/archipelago",
"sha256": "4a77c704b5c1ac0b424ccfc7ed123c50e2708764ac2b4916af534e80382aa6f8",
"size_bytes": 40379696
"current_version": "1.7.16-alpha",
"new_version": "1.7.17-alpha",
"download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.17-alpha/archipelago",
"sha256": "57020053d8c587feb9e4761ca66dd3fac43edafe0e8198c399e7ca4246e7752d",
"size_bytes": 40649896
},
{
"name": "archipelago-frontend-1.7.10-alpha.tar.gz",
"current_version": "1.7.9-alpha",
"new_version": "1.7.10-alpha",
"download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.10-alpha/archipelago-frontend-1.7.10-alpha.tar.gz",
"sha256": "0644a43611309031efbb9b235a3602f0828f709fcaec0047543d96e1cbd54f58",
"size_bytes": 76983846
"name": "archipelago-frontend-1.7.17-alpha.tar.gz",
"current_version": "1.7.16-alpha",
"new_version": "1.7.17-alpha",
"download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.17-alpha/archipelago-frontend-1.7.17-alpha.tar.gz",
"sha256": "59679f6d45c11f44ffb5dbd060ffca00022789aa830e731640bcb41be07d7a93",
"size_bytes": 162083786
}
]
}

BIN
releases/v1.7.11-alpha/archipelago Executable file
View File

Binary file not shown.

BIN
releases/v1.7.11-alpha/archipelago-frontend-1.7.11-alpha.tar.gz Normal file
View File

Binary file not shown.

BIN
releases/v1.7.12-alpha/archipelago Executable file
View File

Binary file not shown.

BIN
releases/v1.7.12-alpha/archipelago-frontend-1.7.12-alpha.tar.gz Normal file
View File

Binary file not shown.

BIN
releases/v1.7.13-alpha/archipelago Executable file
View File

Binary file not shown.

BIN
releases/v1.7.13-alpha/archipelago-frontend-1.7.13-alpha.tar.gz Normal file
View File

Binary file not shown.

BIN
releases/v1.7.14-alpha/archipelago Executable file
View File

Binary file not shown.

BIN
releases/v1.7.14-alpha/archipelago-frontend-1.7.14-alpha.tar.gz Normal file
View File

Binary file not shown.

BIN
releases/v1.7.15-alpha/archipelago Executable file
View File

Binary file not shown.

BIN
releases/v1.7.15-alpha/archipelago-frontend-1.7.15-alpha.tar.gz Normal file
View File

Binary file not shown.

BIN
releases/v1.7.16-alpha/archipelago Executable file
View File

Binary file not shown.

BIN
releases/v1.7.16-alpha/archipelago-frontend-1.7.16-alpha.tar.gz Normal file
View File

Binary file not shown.

BIN
releases/v1.7.17-alpha/archipelago Executable file
View File

Binary file not shown.

BIN
releases/v1.7.17-alpha/archipelago-frontend-1.7.17-alpha.tar.gz Normal file
View File

Binary file not shown.