release(v1.7.11-alpha): OTA proof bump on top of namespace-escape apply

Version-only bump. Frontend tarball byte-identical to v1.7.10. First
OTA-testable release where the running backend (v1.7.10) has the
host_sudo/systemd-run apply fix — clicking Install Update should
walk through check → download → install → auto-restart with no
manual intervention.

Artefacts:
  archipelago                                      cf003f62…65465f  40378752
  archipelago-frontend-1.7.11-alpha.tar.gz         0644a436…54f58   76983846 (reused)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

core/Cargo.lock

@@ -80,7 +80,7 @@ checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
 
 [[package]]
 name = "archipelago"
-version = "1.7.4-alpha"
+version = "1.7.11-alpha"
 dependencies = [
  "anyhow",
  "archipelago-container",

core/archipelago/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "archipelago"
-version = "1.7.4-alpha"
+version = "1.7.11-alpha"
 edition = "2021"
 description = "Archipelago Bitcoin Node OS - Native backend"
 authors = ["Archipelago Team"]

core/archipelago/src/api/rpc/update.rs

@@ -6,12 +6,18 @@ impl RpcHandler {
     /// Check for available system updates.
     /// Tries git-based check first (if repo exists), falls back to manifest-based.
     pub(super) async fn handle_update_check(&self) -> Result<serde_json::Value> {
-        // Try git-based check first (preferred for beta nodes)
+        // Manifest override: when ARCHIPELAGO_UPDATE_URL is explicitly set,
+        // the operator wants OTA via manifest — typically a dev box where
+        // ~/archy/.git exists but isn't the intended update surface.
+        // Without this short-circuit the dev box always advertises "Pull
+        // & Rebuild" and can never exercise the manifest OTA path.
+        let manifest_override = std::env::var("ARCHIPELAGO_UPDATE_URL").is_ok();
+
         let repo_dir = std::path::PathBuf::from(
             std::env::var("HOME").unwrap_or_else(|_| "/home/archipelago".to_string()),
         )
         .join("archy");
-        if repo_dir.join(".git").exists() {
+        if !manifest_override && repo_dir.join(".git").exists() {
             if let Ok(git_status) = self.git_check_update(&repo_dir).await {
                 return Ok(git_status);
             }

core/archipelago/src/update.rs

@@ -244,6 +244,32 @@ pub async fn download_update(data_dir: &Path) -> Result<DownloadProgress> {
     })
 }
 
+/// Run a command as root, but *outside* the archipelago service's
+/// restricted mount namespace.
+///
+/// archipelago.service uses `ProtectSystem=strict`, which makes `/opt`
+/// and `/usr` read-only inside the service — and sudo inherits the
+/// namespace, so `sudo mv /opt/archipelago/...` fails with EROFS even
+/// though sudo itself is root. `systemd-run --wait` spawns a transient
+/// service unit that inherits systemd's default protections (i.e. none
+/// of ours), escaping the namespace.
+async fn host_sudo(args: &[&str]) -> Result<std::process::ExitStatus> {
+    let mut full: Vec<&str> = vec![
+        "systemd-run",
+        "--wait",
+        "--quiet",
+        "--collect",
+        "--pipe",
+        "--",
+    ];
+    full.extend_from_slice(args);
+    tokio::process::Command::new("sudo")
+        .args(&full)
+        .status()
+        .await
+        .context("sudo systemd-run spawn failed")
+}
+
 /// Apply a downloaded update. Backs up current binaries, replaces with staged versions.
 pub async fn apply_update(data_dir: &Path) -> Result<()> {
     let staging_dir = data_dir.join("update-staging");
@@ -277,27 +303,25 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
 
         match name.as_str() {
             "archipelago" => {
-                // /usr/local/bin is root-owned; archipelago user can't
-                // fs::copy into it directly. Use sudo install which handles
-                // the copy, mode, and ownership atomically.
-                let status = tokio::process::Command::new("sudo")
-                    .args([
-                        "install",
-                        "-m",
-                        "0755",
-                        "-o",
-                        "root",
-                        "-g",
-                        "root",
-                        &src.to_string_lossy(),
-                        "/usr/local/bin/archipelago",
-                    ])
-                    .status()
+                // Two namespace gotchas this block works around:
+                //   1. We're running FROM /usr/local/bin/archipelago, so
+                //      `install`/`cp` (O_TRUNC + write) fail with ETXTBSY.
+                //      Use `mv`, which is atomic rename() and tolerates a
+                //      busy destination.
+                //   2. archipelago.service sets ProtectSystem=strict, so
+                //      even `sudo mv` into /usr/local/bin/ fails EROFS —
+                //      sudo inherits the service's mount namespace. Route
+                //      the rename through systemd-run so it runs in a
+                //      transient unit with default protections.
+                let staged = src.to_string_lossy().to_string();
+                let _ = host_sudo(&["chmod", "0755", &staged]).await;
+                let _ = host_sudo(&["chown", "root:root", &staged]).await;
+                let status = host_sudo(&["mv", &staged, "/usr/local/bin/archipelago"])
                     .await
-                    .with_context(|| format!("Failed to spawn install for {}", name))?;
+                    .with_context(|| format!("Failed to spawn mv for {}", name))?;
                 if !status.success() {
                     anyhow::bail!(
-                        "sudo install failed for {} (exit {:?})",
+                        "mv into /usr/local/bin failed for {} (exit {:?})",
                         name,
                         status.code()
                     );
@@ -305,60 +329,78 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
                 info!(name = %name, "Backend binary applied");
             }
             _ if name.contains("frontend") && name.ends_with(".tar.gz") => {
-                // The tarball contents are the *inside* of web-ui/ — root
-                // entries are `./test-aiui.html`, `./assets/`, etc. Extract
-                // into a sibling staging dir, then swap atomically so
-                // nginx never sees a half-written tree.
-                let new_dir = "/opt/archipelago/web-ui.new";
+                // Tarball contents are the *inside* of web-ui/ (root entries
+                // `./test-aiui.html`, `./assets/`, ...). Extract into a
+                // uniquely-named staging dir, then mv into place. No `rm
+                // -rf` pre-cleanup — that's what hit transient EROFS on
+                // .198 and aborted the apply mid-flight.
+                let ts = chrono::Utc::now().timestamp_millis();
+                let staging_new = format!("/opt/archipelago/web-ui.new.{}", ts);
+                let staging_old = format!("/opt/archipelago/web-ui.old.{}", ts);
+                let web_ui = "/opt/archipelago/web-ui";
                 let backup_path = "/opt/archipelago/web-ui.bak";
-                // Wipe any previous attempt's staging / backup dirs.
-                let _ = tokio::process::Command::new("sudo")
-                    .args(["rm", "-rf", new_dir, backup_path])
-                    .status()
-                    .await;
-                let mk = tokio::process::Command::new("sudo")
-                    .args(["mkdir", "-p", new_dir])
-                    .status()
+
+                // All sudo calls that touch /opt/archipelago go through
+                // host_sudo so they see a normal root mount namespace.
+                let mk = host_sudo(&["mkdir", "-p", &staging_new])
                     .await
                     .context("Failed to create frontend staging dir")?;
                 if !mk.success() {
-                    anyhow::bail!("mkdir {} failed", new_dir);
+                    anyhow::bail!("mkdir {} failed", staging_new);
                 }
-                // Extract INTO the staging dir — tar's ./ entries land at
-                // the right place (web-ui.new/assets/... etc.).
-                let status = tokio::process::Command::new("sudo")
-                    .args(["tar", "-xzf", &src.to_string_lossy(), "-C", new_dir])
-                    .status()
-                    .await
-                    .with_context(|| format!("Failed to extract {}", name))?;
-                if !status.success() {
+                let extract = host_sudo(&[
+                    "tar",
+                    "-xzf",
+                    &src.to_string_lossy(),
+                    "-C",
+                    &staging_new,
+                ])
+                .await
+                .with_context(|| format!("Failed to extract {}", name))?;
+                if !extract.success() {
+                    let _ = host_sudo(&["rm", "-rf", &staging_new]).await;
                     anyhow::bail!("tar extraction failed for {}", name);
                 }
-                // Ownership: match what first-boot + the ISO expect.
-                let _ = tokio::process::Command::new("sudo")
-                    .args(["chown", "-R", "archipelago:archipelago", new_dir])
-                    .status()
-                    .await;
-                // Atomic-ish swap: move old aside, new into place.
-                let web_ui = "/opt/archipelago/web-ui";
+                let _ = host_sudo(&[
+                    "chown",
+                    "-R",
+                    "archipelago:archipelago",
+                    &staging_new,
+                ])
+                .await;
+
+                // Swap: mv current web-ui aside, then mv new into place.
                 if Path::new(web_ui).exists() {
-                    let mv_old = tokio::process::Command::new("sudo")
-                        .args(["mv", web_ui, backup_path])
-                        .status()
+                    let mv_old = host_sudo(&["mv", web_ui, &staging_old])
                         .await
                         .context("Failed to rotate old web-ui")?;
                     if !mv_old.success() {
                         anyhow::bail!("failed to move old web-ui aside");
                     }
                 }
-                let mv_new = tokio::process::Command::new("sudo")
-                    .args(["mv", new_dir, web_ui])
-                    .status()
+                let mv_new = host_sudo(&["mv", &staging_new, web_ui])
                     .await
                     .context("Failed to swap new web-ui into place")?;
                 if !mv_new.success() {
+                    if Path::new(&staging_old).exists() {
+                        let _ = host_sudo(&["mv", &staging_old, web_ui]).await;
+                    }
                     anyhow::bail!("failed to move new web-ui into place");
                 }
+
+                // Rotate previous rollback aside and install this apply's
+                // old copy as the new rollback.
+                if Path::new(&staging_old).exists() {
+                    if Path::new(backup_path).exists() {
+                        let _ = host_sudo(&[
+                            "mv",
+                            backup_path,
+                            &format!("{}.{}", backup_path, ts),
+                        ])
+                        .await;
+                    }
+                    let _ = host_sudo(&["mv", &staging_old, backup_path]).await;
+                }
                 info!(name = %name, "Frontend archive extracted to /opt/archipelago/web-ui");
             }
             _ => {
@@ -388,10 +430,10 @@ pub async fn apply_update(data_dir: &Path) -> Result<()> {
     // starting the new process — it would deadlock otherwise.
     tokio::spawn(async {
         tokio::time::sleep(std::time::Duration::from_secs(2)).await;
-        let _ = tokio::process::Command::new("sudo")
-            .args(["systemctl", "--no-block", "restart", "archipelago"])
-            .status()
-            .await;
+        // systemctl talks to PID 1 over D-Bus — doesn't need the host
+        // mount namespace, but routing through host_sudo keeps the
+        // apply flow's sudo calls uniform.
+        let _ = host_sudo(&["systemctl", "--no-block", "restart", "archipelago"]).await;
     });
 
     Ok(())

neode-ui/src/views/Home.vue

@@ -317,26 +317,35 @@ const torConnected = computed(() => {
 })
 const vpnStatus = ref({ connected: false, provider: '' })
 const vpnConnected = computed(() => vpnStatus.value.connected || (!!packages.value['tailscale'] && packages.value['tailscale'].state === PackageState.Running))
-const fipsStatus = ref<{ installed: boolean; service_active: boolean; key_present: boolean } | null>(null)
+const fipsStatus = ref<{ installed: boolean; service_active: boolean; key_present: boolean; anchor_connected?: boolean; authenticated_peer_count?: number } | null>(null)
 const fipsDotClass = computed(() => {
   const s = fipsStatus.value
   if (!s || !s.installed) return 'bg-white/40'
-  if (s.service_active) return 'bg-green-400'
-  return 'bg-white/40'
+  if (!s.service_active) return 'bg-white/40'
+  // Active but no anchor = degraded, not fully green
+  if (s.anchor_connected === false) return 'bg-orange-400'
+  return 'bg-green-400'
 })
 const fipsTextClass = computed(() => {
   const s = fipsStatus.value
   if (!s || !s.installed) return 'text-white/40'
-  if (s.service_active) return 'text-green-400'
-  return 'text-white/40'
+  if (!s.service_active) return 'text-white/40'
+  if (s.anchor_connected === false) return 'text-orange-400'
+  return 'text-green-400'
 })
 const fipsStatusLabel = computed(() => {
   const s = fipsStatus.value
   if (!s) return '…'
   if (!s.installed) return 'Not installed'
-  if (s.service_active) return 'Active'
-  if (!s.key_present) return 'Awaiting seed'
-  return 'Inactive'
+  if (!s.service_active) {
+    if (!s.key_present) return 'Awaiting seed'
+    return 'Inactive'
+  }
+  // Service is active — reflect anchor reachability in the label so the
+  // Home and Server rows flip in sync with the FIPS card.
+  if (s.anchor_connected === false) return 'No anchor'
+  const peers = s.authenticated_peer_count ?? 0
+  return peers === 1 ? 'Active · 1 peer' : `Active · ${peers} peers`
 })
 const bitcoinSyncDisplay = computed(() => {
   if (!systemStats.bitcoinAvailable) return 'Not running'

neode-ui/src/views/Server.vue

@@ -420,25 +420,31 @@ const networkData = ref({
 })
 
 // FIPS status row for the Local Network card. Full FIPS card lives below.
-const fipsSummary = ref<{ installed: boolean; service_active: boolean; key_present: boolean } | null>(null)
+const fipsSummary = ref<{ installed: boolean; service_active: boolean; key_present: boolean; anchor_connected?: boolean; authenticated_peer_count?: number } | null>(null)
 const fipsRowLabel = computed(() => {
   const s = fipsSummary.value
   if (!s) return '…'
   if (!s.installed) return 'Not installed'
-  // Service-active wins even on legacy nodes with no seed-derived key.
-  if (s.service_active) return 'Active'
-  if (!s.key_present) return 'Awaiting seed'
-  return 'Inactive'
+  if (!s.service_active) {
+    if (!s.key_present) return 'Awaiting seed'
+    return 'Inactive'
+  }
+  // Service is active — reflect anchor reachability so the row flips in
+  // sync with the full FIPS card below.
+  if (s.anchor_connected === false) return 'No anchor'
+  const peers = s.authenticated_peer_count ?? 0
+  return peers === 1 ? 'Active · 1 peer' : `Active · ${peers} peers`
 })
 const fipsRowTextClass = computed(() => {
   const s = fipsSummary.value
   if (!s || !s.installed) return 'text-white/40'
-  if (s.service_active) return 'text-green-400'
-  return 'text-white/60'
+  if (!s.service_active) return 'text-white/60'
+  if (s.anchor_connected === false) return 'text-orange-400'
+  return 'text-green-400'
 })
 async function loadFipsSummary() {
   try {
-    fipsSummary.value = await rpcClient.call<{ installed: boolean; service_active: boolean; key_present: boolean }>({ method: 'fips.status' })
+    fipsSummary.value = await rpcClient.call<{ installed: boolean; service_active: boolean; key_present: boolean; anchor_connected?: boolean; authenticated_peer_count?: number }>({ method: 'fips.status' })
   } catch { /* backend too old */ }
 }
 

neode-ui/src/views/web5/Web5Identities.vue

@@ -68,8 +68,13 @@
       >
         <!-- Avatar -->
         <button @click="openProfileEditor(identity)" class="relative flex-shrink-0 w-10 h-10 rounded-full overflow-hidden group" title="Edit profile">
-          <img v-if="identity.profile?.picture" :src="displayableUrl(identity.profile.picture)" class="w-full h-full object-cover" @error="($event.target as HTMLImageElement).style.display = 'none'" />
-          <div v-if="!identity.profile?.picture" class="w-full h-full flex items-center justify-center" :class="{
+          <img
+            v-if="identity.profile?.picture && !listPictureFailed[identity.id]"
+            :src="displayableUrl(identity.profile.picture)"
+            class="w-full h-full object-cover"
+            @error="() => { listPictureFailed[identity.id] = true }"
+          />
+          <div v-if="!identity.profile?.picture || listPictureFailed[identity.id]" class="w-full h-full flex items-center justify-center" :class="{
             'bg-blue-500/20': identity.purpose === 'personal',
             'bg-orange-500/20': identity.purpose === 'business',
             'bg-purple-500/20': identity.purpose === 'anonymous',
@@ -302,8 +307,14 @@
     <div class="glass-card p-6 w-full max-w-2xl mx-4 max-h-[90vh] overflow-y-auto" role="dialog" aria-modal="true" aria-labelledby="profile-editor-title">
       <div class="flex items-center gap-3 mb-5">
         <div class="relative w-16 h-16 rounded-full overflow-hidden bg-white/10 shrink-0">
-          <img v-if="profileForm.picture" :src="displayableUrl(profileForm.picture)" class="w-full h-full object-cover" @error="($event.target as HTMLImageElement).style.display = 'none'" />
-          <div v-else class="w-full h-full flex items-center justify-center">
+          <img
+            v-if="profileForm.picture && !editorPictureFailed"
+            :src="displayableUrl(profileForm.picture)"
+            class="w-full h-full object-cover"
+            @error="editorPictureFailed = true"
+            @load="editorPictureFailed = false"
+          />
+          <div v-if="!profileForm.picture || editorPictureFailed" class="w-full h-full flex items-center justify-center">
             <span class="text-2xl font-bold text-white/40">{{ profileEditorIdentity.name.charAt(0).toUpperCase() }}</span>
           </div>
         </div>
@@ -368,7 +379,7 @@
 </template>
 
 <script setup lang="ts">
-import { ref } from 'vue'
+import { reactive, ref, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
 import { rpcClient } from '@/api/rpc-client'
 import { safeClipboardWrite } from './utils'
@@ -409,6 +420,18 @@ const profilePublishing = ref(false)
 const avatarUploading = ref(false)
 const bannerUploading = ref(false)
 
+// Track image load failures so the UI can fall back to the initial/
+// identicon placeholder instead of showing a blank square. Pasted URLs
+// that 404 (or point at an onion the local browser can't reach) were
+// previously silently hidden by a display:none handler that left the
+// fallback unrendered.
+const editorPictureFailed = ref(false)
+const listPictureFailed = reactive<Record<string, boolean>>({})
+
+// Reset the failure flag when the URL changes so a freshly pasted URL
+// gets re-tried (the watcher fires once the form reacts).
+watch(() => profileForm.value.picture, () => { editorPictureFailed.value = false })
+
 // The backend returns onion-based public URLs for uploaded profile
 // pictures (so they're fetchable by external Nostr clients), but the
 // local browser session isn't Tor-routed and can't resolve .onion hosts.
@@ -423,10 +446,12 @@ function displayableUrl(url: string | null | undefined): string {
   return url
 }
 
-// Upload to the node's blob store and drop the returned public URL into
-// the profile field. The /api/blob endpoint marks these blobs public, so
-// the URL served back (`public_url`, onion-rooted when Tor is up) is
-// reachable by external Nostr clients fetching kind:0 metadata.
+// Upload to the node's blob store and drop a URL into the profile field.
+// For small images (≤64KB) we inline the bytes as a data URL so external
+// Nostr clients can render the picture without needing to reach a tor
+// onion. Larger uploads fall back to the onion-rooted public_url.
+const INLINE_MAX = 64 * 1024
+
 async function uploadAsset(ev: Event, field: 'picture' | 'banner') {
   const input = ev.target as HTMLInputElement
   const file = input?.files?.[0]
@@ -436,6 +461,14 @@ async function uploadAsset(ev: Event, field: 'picture' | 'banner') {
   profileError.value = ''
   try {
     const buf = await file.arrayBuffer()
+    // Inline small images as a data URL — universally fetchable by any
+    // Nostr client and bypasses the "only reachable over Tor" limitation.
+    if (buf.byteLength <= INLINE_MAX) {
+      const mime = file.type || 'image/png'
+      const b64 = btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(''))
+      profileForm.value[field] = `data:${mime};base64,${b64}`
+      return
+    }
     const resp = await fetch('/api/blob', {
       method: 'POST',
       credentials: 'include',
@@ -451,6 +484,11 @@ async function uploadAsset(ev: Event, field: 'picture' | 'banner') {
     const url = public_url || self_test_url
     if (!url) throw new Error('blob API returned no URL')
     profileForm.value[field] = url
+    // Heads-up for large uploads: onion URLs only render on Tor-routed
+    // clients. Not an error, but worth telling the user.
+    if (url.includes('.onion/')) {
+      profileError.value = 'Large image stored on this node. Pasting a public https://… URL is recommended for Nostr visibility.'
+    }
   } catch (e: unknown) {
     profileError.value = e instanceof Error ? e.message : `${field} upload failed`
   } finally {

releases/manifest.json

@@ -1,26 +1,25 @@
 {
-  "version": "1.7.4-alpha",
+  "version": "1.7.11-alpha",
   "release_date": "2026-04-20",
   "changelog": [
-    "Install Update actually installs now. Before, the final step extracted the new UI into the wrong folder and bailed with 'Failed to apply update' — your node ended up backing up cleanly but never swapping in the new files. Fixed.",
-    "Download progress no longer overshoots 100%. You'll see the bar climb smoothly to 95% and then jump to 100% when the download actually finishes."
+    "OTA proof release — first version where Install Update should run clean from the UI with no manual steps. Click it and watch the sidebar flip to 1.7.11-alpha on its own."
   ],
   "components": [
     {
       "name": "archipelago",
-      "current_version": "1.7.3-alpha",
-      "new_version": "1.7.4-alpha",
-      "download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.4-alpha/archipelago",
-      "sha256": "a14ad7e4dbcb8f74377d44a4bd5e600b285481df3b30c08f8bea2cd17e2a2be3",
-      "size_bytes": 40361984
+      "current_version": "1.7.10-alpha",
+      "new_version": "1.7.11-alpha",
+      "download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.11-alpha/archipelago",
+      "sha256": "cf003f622a0848b24b85c1034e08acda6abcb0123b5595c51b5a80040f65465f",
+      "size_bytes": 40378752
     },
     {
-      "name": "archipelago-frontend-1.7.4-alpha.tar.gz",
-      "current_version": "1.7.3-alpha",
-      "new_version": "1.7.4-alpha",
-      "download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.4-alpha/archipelago-frontend-1.7.4-alpha.tar.gz",
-      "sha256": "4fb796643cc9dc8469078ca3392f7cc5541071f6849979922b3259e5f20172e9",
-      "size_bytes": 76984615
+      "name": "archipelago-frontend-1.7.11-alpha.tar.gz",
+      "current_version": "1.7.10-alpha",
+      "new_version": "1.7.11-alpha",
+      "download_url": "https://git.tx1138.com/lfg2025/archy/raw/branch/main/releases/v1.7.11-alpha/archipelago-frontend-1.7.11-alpha.tar.gz",
+      "sha256": "0644a43611309031efbb9b235a3602f0828f709fcaec0047543d96e1cbd54f58",
+      "size_bytes": 76983846
     }
   ]
 }