wip: iroh

fix gha sccache
support for sccache
2026-03-27 02:41:53 +00:00 · 2025-08-31 15:43:34 -06:00 · 2025-08-29 13:32:12 -06:00 · 2025-08-29 13:07:29 -06:00 · 2025-08-29 11:59:36 -06:00 · 2025-08-29 11:48:31 -06:00
1031 changed files with 32407 additions and 50968 deletions
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -1,5 +0,0 @@
 {
  "attribution": {
    "commit": ""
  }
 }
--- a/.github/actions/setup-build/action.yml
+++ b/.github/actions/setup-build/action.yml
@@ -1,81 +0,0 @@
 name: Setup Build Environment
 description: Common build environment setup steps
 inputs:
  nodejs-version:
    description: Node.js version
    required: true
  setup-python:
    description: Set up Python
    required: false
    default: "false"
  setup-docker:
    description: Set up Docker QEMU and Buildx
    required: false
    default: "true"
  setup-sccache:
    description: Configure sccache for GitHub Actions
    required: false
    default: "true"
  free-space:
    description: Remove unnecessary packages to free disk space
    required: false
    default: "true"
 runs:
  using: composite
  steps:
    - name: Free disk space
      if: inputs.free-space == 'true'
      shell: bash
      run: |
        sudo apt-get remove --purge -y azure-cli || true
        sudo apt-get remove --purge -y firefox || true
        sudo apt-get remove --purge -y ghc-* || true
        sudo apt-get remove --purge -y google-cloud-sdk || true
        sudo apt-get remove --purge -y google-chrome-stable || true
        sudo apt-get remove --purge -y powershell || true
        sudo apt-get remove --purge -y php* || true
        sudo apt-get remove --purge -y ruby* || true
        sudo apt-get remove --purge -y mono-* || true
        sudo apt-get autoremove -y
        sudo apt-get clean
        sudo rm -rf /usr/lib/jvm
        sudo rm -rf /usr/local/.ghcup
        sudo rm -rf /usr/local/lib/android
        sudo rm -rf /usr/share/dotnet
        sudo rm -rf /usr/share/swift
        sudo rm -rf "$AGENT_TOOLSDIRECTORY"
    # BuildJet runners lack /opt/hostedtoolcache, which setup-python and setup-qemu expect
    - name: Ensure hostedtoolcache exists
      shell: bash
      run: sudo mkdir -p /opt/hostedtoolcache && sudo chown $USER:$USER /opt/hostedtoolcache
    - name: Set up Python
      if: inputs.setup-python == 'true'
      uses: actions/setup-python@v5
      with:
        python-version: "3.x"
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.nodejs-version }}
        cache: npm
        cache-dependency-path: "**/package-lock.json"
    - name: Set up Docker QEMU
      if: inputs.setup-docker == 'true'
      uses: docker/setup-qemu-action@v3
    - name: Set up Docker Buildx
      if: inputs.setup-docker == 'true'
      uses: docker/setup-buildx-action@v3
    - name: Configure sccache
      if: inputs.setup-sccache == 'true'
      uses: actions/github-script@v7
      with:
        script: |
          core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
--- a/.github/workflows/start-cli.yaml
+++ b/.github/workflows/start-cli.yaml
@@ -1,88 +0,0 @@
 name: start-cli
 on:
  workflow_call:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: Environment
        options:
          - NONE
          - dev
          - unstable
          - dev-unstable
      runner:
        type: choice
        description: Runner
        options:
          - standard
          - fast
      arch:
        type: choice
        description: Architecture
        options:
          - ALL
          - x86_64
          - x86_64-apple
          - aarch64
          - aarch64-apple
          - riscv64
  push:
    branches:
      - master
      - next/*
  pull_request:
    branches:
      - master
      - next/*
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true
 env:
  NODEJS_VERSION: "24.11.0"
  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
 jobs:
  compile:
    name: Build Debian Package
    if: github.event.pull_request.draft != true
    strategy:
      fail-fast: true
      matrix:
        triple: >-
          ${{
            fromJson('{
              "x86_64": ["x86_64-unknown-linux-musl"],
              "x86_64-apple": ["x86_64-apple-darwin"],
              "aarch64": ["aarch64-unknown-linux-musl"],
              "x86_64-apple": ["aarch64-apple-darwin"],
              "riscv64": ["riscv64gc-unknown-linux-musl"],
              "ALL": ["x86_64-unknown-linux-musl", "x86_64-apple-darwin", "aarch64-unknown-linux-musl", "aarch64-apple-darwin", "riscv64gc-unknown-linux-musl"]
            }')[github.event.inputs.platform || 'ALL']
          }}
    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
    steps:
      - name: Mount tmpfs
        if: ${{ github.event.inputs.runner == 'fast' }}
        run: sudo mount -t tmpfs tmpfs .
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: ./.github/actions/setup-build
        with:
          nodejs-version: ${{ env.NODEJS_VERSION }}
      - name: Make
        run: TARGET=${{ matrix.triple }} make cli
        env:
          PLATFORM: ${{ matrix.arch }}
          SCCACHE_GHA_ENABLED: on
          SCCACHE_GHA_VERSION: 0
      - uses: actions/upload-artifact@v4
        with:
          name: start-cli_${{ matrix.triple }}
          path: core/target/${{ matrix.triple }}/release/start-cli
--- a/.github/workflows/start-registry.yaml
+++ b/.github/workflows/start-registry.yaml
@@ -1,173 +0,0 @@
 name: start-registry
 on:
  workflow_call:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: Environment
        options:
          - NONE
          - dev
          - unstable
          - dev-unstable
      runner:
        type: choice
        description: Runner
        options:
          - standard
          - fast
      arch:
        type: choice
        description: Architecture
        options:
          - ALL
          - x86_64
          - aarch64
          - riscv64
  push:
    branches:
      - master
      - next/*
  pull_request:
    branches:
      - master
      - next/*
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true
 env:
  NODEJS_VERSION: "24.11.0"
  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
 jobs:
  compile:
    name: Build Debian Package
    if: github.event.pull_request.draft != true
    strategy:
      fail-fast: true
      matrix:
        arch: >-
          ${{
            fromJson('{
              "x86_64": ["x86_64"],
              "aarch64": ["aarch64"],
              "riscv64": ["riscv64"],
              "ALL": ["x86_64", "aarch64", "riscv64"]
            }')[github.event.inputs.platform || 'ALL']
          }}
    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
    steps:
      - name: Mount tmpfs
        if: ${{ github.event.inputs.runner == 'fast' }}
        run: sudo mount -t tmpfs tmpfs .
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: ./.github/actions/setup-build
        with:
          nodejs-version: ${{ env.NODEJS_VERSION }}
      - name: Make
        run: make registry-deb
        env:
          PLATFORM: ${{ matrix.arch }}
          SCCACHE_GHA_ENABLED: on
          SCCACHE_GHA_VERSION: 0
      - uses: actions/upload-artifact@v4
        with:
          name: start-registry_${{ matrix.arch }}.deb
          path: results/start-registry-*_${{ matrix.arch }}.deb
  create-image:
    name: Create Docker Image
    needs: [compile]
    permissions:
      contents: read
      packages: write
    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
    steps:
      - name: Cleaning up unnecessary files
        run: |
          sudo apt-get remove --purge -y google-chrome-stable firefox mono-devel
          sudo apt-get autoremove -y
          sudo apt-get clean
      - run: |
          sudo mount -t tmpfs tmpfs .
        if: ${{ github.event.inputs.runner == 'fast' }}
      - name: Set up docker QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: "Login to GitHub Container Registry"
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{github.actor}}
          password: ${{secrets.GITHUB_TOKEN}}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/Start9Labs/startos-registry
          tags: |
            type=raw,value=${{ github.ref_name }}
      - name: Download debian package
        uses: actions/download-artifact@v4
        with:
          pattern: start-registry_*.deb
      - name: Map matrix.arch to docker platform
        run: |
          platforms=""
          for deb in *.deb; do
            filename=$(basename "$deb" .deb)
            arch="${filename#*_}"
            case "$arch" in
              x86_64)
                platform="linux/amd64"
                ;;
              aarch64)
                platform="linux/arm64"
                ;;
              riscv64)
                platform="linux/riscv64"
                ;;
              *)
                echo "Unknown architecture: $arch" >&2
                exit 1
                ;;
            esac
            if [ -z "$platforms" ]; then
              platforms="$platform"
            else
              platforms="$platforms,$platform"
            fi
          done
          echo "DOCKER_PLATFORM=$platforms" >> "$GITHUB_ENV"
      - run: |
          cat | docker buildx build --platform "$DOCKER_PLATFORM" --push -t ${{ steps.meta.outputs.tags }} -f - . << 'EOF'
          FROM debian:trixie
          ADD *.deb .
          RUN apt-get install -y ./*_$(uname -m).deb && rm *.deb
          VOLUME /var/lib/startos
          ENV RUST_LOG=startos=debug
          ENTRYPOINT ["start-registryd"]
          EOF
--- a/.github/workflows/start-tunnel.yaml
+++ b/.github/workflows/start-tunnel.yaml
@@ -1,84 +0,0 @@
 name: start-tunnel
 on:
  workflow_call:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: Environment
        options:
          - NONE
          - dev
          - unstable
          - dev-unstable
      runner:
        type: choice
        description: Runner
        options:
          - standard
          - fast
      arch:
        type: choice
        description: Architecture
        options:
          - ALL
          - x86_64
          - aarch64
          - riscv64
  push:
    branches:
      - master
      - next/*
  pull_request:
    branches:
      - master
      - next/*
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true
 env:
  NODEJS_VERSION: "24.11.0"
  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
 jobs:
  compile:
    name: Build Debian Package
    if: github.event.pull_request.draft != true
    strategy:
      fail-fast: true
      matrix:
        arch: >-
          ${{
            fromJson('{
              "x86_64": ["x86_64"],
              "aarch64": ["aarch64"],
              "riscv64": ["riscv64"],
              "ALL": ["x86_64", "aarch64", "riscv64"]
            }')[github.event.inputs.platform || 'ALL']
          }}
    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
    steps:
      - name: Mount tmpfs
        if: ${{ github.event.inputs.runner == 'fast' }}
        run: sudo mount -t tmpfs tmpfs .
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: ./.github/actions/setup-build
        with:
          nodejs-version: ${{ env.NODEJS_VERSION }}
      - name: Make
        run: make tunnel-deb
        env:
          PLATFORM: ${{ matrix.arch }}
          SCCACHE_GHA_ENABLED: on
          SCCACHE_GHA_VERSION: 0
      - uses: actions/upload-artifact@v4
        with:
          name: start-tunnel_${{ matrix.arch }}.deb
          path: results/start-tunnel-*_${{ matrix.arch }}.deb
--- a/.github/workflows/startos-iso.yaml
+++ b/.github/workflows/startos-iso.yaml
@@ -27,8 +27,7 @@ on:
          - x86_64-nonfree
          - aarch64
          - aarch64-nonfree
-          # - raspberrypi
+          - raspberrypi
          - riscv64
      deploy:
        type: choice
        description: Deploy
@@ -45,18 +44,13 @@ on:
      - master
      - next/*
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true
 env:
-  NODEJS_VERSION: "24.11.0"
+  NODEJS_VERSION: "22.17.1"
  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
 jobs:
  compile:
    name: Compile Base Binaries
    if: github.event.pull_request.draft != true
    strategy:
      fail-fast: true
      matrix:
@@ -68,39 +62,43 @@ jobs:
              "aarch64": ["aarch64"],
              "aarch64-nonfree": ["aarch64"],
              "raspberrypi": ["aarch64"],
-              "riscv64": ["riscv64"],
+              "ALL": ["x86_64", "aarch64"]
              "ALL": ["x86_64", "aarch64", "riscv64"]
            }')[github.event.inputs.platform || 'ALL']
          }}
-    runs-on: >-
+    runs-on: ${{ fromJson('["ubuntu-22.04", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
      ${{
        fromJson(
          format(
            '["{0}", "{1}"]',
            fromJson('{
              "x86_64": "ubuntu-latest",
              "aarch64": "ubuntu-24.04-arm",
              "riscv64": "ubuntu-latest"
            }')[matrix.arch],
            fromJson('{
              "x86_64": "buildjet-32vcpu-ubuntu-2204",
              "aarch64": "buildjet-32vcpu-ubuntu-2204-arm",
              "riscv64": "buildjet-32vcpu-ubuntu-2204"
            }')[matrix.arch]
          )
        )[github.event.inputs.runner == 'fast']
      }}
    steps:
-      - name: Mount tmpfs
+      - run: |
          sudo mount -t tmpfs tmpfs .
        if: ${{ github.event.inputs.runner == 'fast' }}
-        run: sudo mount -t tmpfs tmpfs .
+
      - uses: actions/checkout@v4
        with:
          submodules: recursive
-      - uses: ./.github/actions/setup-build
+
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
-          nodejs-version: ${{ env.NODEJS_VERSION }}
+          python-version: "3.x"
-          setup-python: "true"
+
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODEJS_VERSION }}
      - name: Set up docker QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up system dependencies
        run: sudo apt-get update && sudo apt-get install -y qemu-user-static systemd-container squashfuse
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Configure sccache
        uses: actions/github-script@v7
        with:
          script: |
            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
      - name: Make
        run: make ARCH=${{ matrix.arch }} compiled-${{ matrix.arch }}.tar
@@ -118,14 +116,13 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
        # TODO: re-add "raspberrypi" to the platform list below
        platform: >-
          ${{
            fromJson(
              format(
                '[
                  ["{0}"],
-                  ["x86_64", "x86_64-nonfree", "aarch64", "aarch64-nonfree", "riscv64"]
+                  ["x86_64", "x86_64-nonfree", "aarch64", "aarch64-nonfree", "raspberrypi"]
                ]',
                github.event.inputs.platform || 'ALL'
              )
@@ -135,22 +132,13 @@ jobs:
      ${{
        fromJson(
          format(
-            '["{0}", "{1}"]',
+            '["ubuntu-22.04", "{0}"]',
            fromJson('{
              "x86_64": "ubuntu-latest",
              "x86_64-nonfree": "ubuntu-latest",
              "aarch64": "ubuntu-24.04-arm",
              "aarch64-nonfree": "ubuntu-24.04-arm",
              "raspberrypi": "ubuntu-24.04-arm",
              "riscv64": "ubuntu-24.04-arm",
            }')[matrix.platform],
            fromJson('{
              "x86_64": "buildjet-8vcpu-ubuntu-2204",
              "x86_64-nonfree": "buildjet-8vcpu-ubuntu-2204",
              "aarch64": "buildjet-8vcpu-ubuntu-2204-arm",
              "aarch64-nonfree": "buildjet-8vcpu-ubuntu-2204-arm",
              "raspberrypi": "buildjet-8vcpu-ubuntu-2204-arm",
              "riscv64": "buildjet-8vcpu-ubuntu-2204",
            }')[matrix.platform]
          )
        )[github.event.inputs.runner == 'fast']
@@ -164,42 +152,39 @@ jobs:
            "aarch64": "aarch64",
            "aarch64-nonfree": "aarch64",
            "raspberrypi": "aarch64",
            "riscv64": "riscv64",
          }')[matrix.platform]
        }}
    steps:
      - name: Free space
-        run: |
+        run: rm -rf /opt/hostedtoolcache*
          sudo apt-get remove --purge -y azure-cli || true
          sudo apt-get remove --purge -y firefox || true
          sudo apt-get remove --purge -y ghc-* || true
          sudo apt-get remove --purge -y google-cloud-sdk || true
          sudo apt-get remove --purge -y google-chrome-stable || true
          sudo apt-get remove --purge -y powershell || true
          sudo apt-get remove --purge -y php* || true
          sudo apt-get remove --purge -y ruby* || true
          sudo apt-get remove --purge -y mono-* || true
          sudo apt-get autoremove -y
          sudo apt-get clean
          sudo rm -rf /usr/lib/jvm               # All JDKs
          sudo rm -rf /usr/local/.ghcup          # Haskell toolchain
          sudo rm -rf /usr/local/lib/android     # Android SDK/NDK, emulator
          sudo rm -rf /usr/share/dotnet          # .NET SDKs
          sudo rm -rf /usr/share/swift           # Swift toolchain (if present)
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"    # Pre-cached tool cache (Go, Node, etc.)
        if: ${{ github.event.inputs.runner != 'fast' }}
      # BuildJet runners lack /opt/hostedtoolcache, which setup-qemu expects
      - name: Ensure hostedtoolcache exists
        run: sudo mkdir -p /opt/hostedtoolcache && sudo chown $USER:$USER /opt/hostedtoolcache
      - name: Set up docker QEMU
        uses: docker/setup-qemu-action@v3
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y qemu-user-static
          wget https://deb.debian.org/debian/pool/main/d/debspawn/debspawn_0.6.2-1_all.deb
          sha256sum ./debspawn_0.6.2-1_all.deb | grep 37ef27458cb1e35e8bce4d4f639b06b4b3866fc0b9191ec6b9bd157afd06a817
          sudo apt-get install -y ./debspawn_0.6.2-1_all.deb
      - name: Configure debspawn
        run: |
          sudo mkdir -p /etc/debspawn/
          echo "AllowUnsafePermissions=true" | sudo tee /etc/debspawn/global.toml
          sudo mkdir -p /var/tmp/debspawn
      - run: sudo mount -t tmpfs tmpfs /var/tmp/debspawn
        if: ${{ github.event.inputs.runner == 'fast' && (matrix.platform == 'x86_64' || matrix.platform == 'x86_64-nonfree') }}
      - name: Download compiled artifacts
        uses: actions/download-artifact@v4
        with:
@@ -212,19 +197,22 @@ jobs:
        run: |
          mkdir -p web/node_modules
          mkdir -p web/dist/raw
-          mkdir -p core/bindings
+          mkdir -p core/startos/bindings
          mkdir -p sdk/base/lib/osBindings
          mkdir -p container-runtime/node_modules
          mkdir -p container-runtime/dist
          mkdir -p container-runtime/dist/node_modules
          mkdir -p core/startos/bindings
          mkdir -p sdk/dist
          mkdir -p sdk/baseDist
          mkdir -p patch-db/client/node_modules
          mkdir -p patch-db/client/dist
          mkdir -p web/.angular
          mkdir -p web/dist/raw/ui
          mkdir -p web/dist/raw/install-wizard
          mkdir -p web/dist/raw/setup-wizard
          mkdir -p web/dist/static/ui
          mkdir -p web/dist/static/install-wizard
          mkdir -p web/dist/static/setup-wizard
          PLATFORM=${{ matrix.platform }} make -t compiled-${{ env.ARCH }}.tar
@@ -254,3 +242,40 @@ jobs:
          name: ${{ matrix.platform }}.img
          path: results/*.img
        if: ${{ matrix.platform == 'raspberrypi' }}
      - name: Upload OTA to registry
        run: >-
          PLATFORM=${{ matrix.platform }} make upload-ota TARGET="${{
            fromJson('{
              "alpha": "alpha-registry-x.start9.com",
              "beta": "beta-registry.start9.com",
            }')[github.event.inputs.deploy]
          }}" KEY="${{
            fromJson(
              format('{{
                "alpha": "{0}",
                "beta": "{1}",
              }}', secrets.ALPHA_INDEX_KEY, secrets.BETA_INDEX_KEY)
            )[github.event.inputs.deploy]
          }}"
        if: ${{ github.event.inputs.deploy != '' && github.event.inputs.deploy != 'NONE' }}
  index:
    if: ${{ github.event.inputs.deploy != '' && github.event.inputs.deploy != 'NONE' }}
    needs: [image]
    runs-on: ubuntu-22.04
    steps:
      - run: >-
          curl "https://${{
            fromJson('{
              "alpha": "alpha-registry-x.start9.com",
              "beta": "beta-registry.start9.com",
            }')[github.event.inputs.deploy]
          }}:8443/resync.cgi?key=${{
            fromJson(
              format('{{
                "alpha": "{0}",
                "beta": "{1}",
              }}', secrets.ALPHA_INDEX_KEY, secrets.BETA_INDEX_KEY)
            )[github.event.inputs.deploy]
          }}"
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,29 +10,22 @@ on:
      - master
      - next/*
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true
 env:
-  NODEJS_VERSION: "24.11.0"
+  NODEJS_VERSION: "22.17.1"
  ENVIRONMENT: dev-unstable
 jobs:
  test:
    name: Run Automated Tests
-    if: github.event.pull_request.draft != true
+    runs-on: ubuntu-22.04
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
-      - uses: ./.github/actions/setup-build
+
      - uses: actions/setup-node@v4
        with:
-          nodejs-version: ${{ env.NODEJS_VERSION }}
+          node-version: ${{ env.NODEJS_VERSION }}
          free-space: "false"
          setup-docker: "false"
          setup-sccache: "false"
      - name: Build And Run Tests
        run: make test
--- a/.gitignore
+++ b/.gitignore
@@ -1,24 +1,28 @@
 .DS_Store
 .idea
-*.img
+/*.img
-*.img.gz
+/*.img.gz
-*.img.xz
+/*.img.xz
-*.zip
+/*-raspios-bullseye-arm64-lite.img
 /*-raspios-bullseye-arm64-lite.zip
 /product_key.txt
 /*_product_key.txt
 .vscode/settings.json
 deploy_web.sh
 deploy_web.sh
 secrets.db
 .vscode/
-/build/env/*.txt
+/cargo-deps/**/*
-*.deb
+/PLATFORM.txt
 /ENVIRONMENT.txt
 /GIT_HASH.txt
 /VERSION.txt
 /*.deb
 /target
-*.squashfs
+/*.squashfs
 /results
 /dpkg-workdir
 /compiled.tar
 /compiled-*.tar
-/build/lib/firmware
+/firmware
-tmp
+/tmp
 web/.i18n-checked
 agents/USER.md
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,146 +0,0 @@
 # CLAUDE.md
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 ## Project Overview
 StartOS is an open-source Linux distribution for running personal servers. It manages discovery, installation, network configuration, backups, and health monitoring of self-hosted services.
 **Tech Stack:**
 - Backend: Rust (async/Tokio, Axum web framework)
 - Frontend: Angular 20 + TypeScript + TaigaUI
 - Container runtime: Node.js/TypeScript with LXC
 - Database/State: Patch-DB (git submodule) - storage layer with reactive frontend sync
 - API: JSON-RPC via rpc-toolkit (see `agents/rpc-toolkit.md`)
 - Auth: Password + session cookie, public/private key signatures, local authcookie (see `core/src/middleware/auth/`)
 ## Build & Development
 See [CONTRIBUTING.md](CONTRIBUTING.md) for:
 - Environment setup and requirements
 - Build commands and make targets
 - Testing and formatting commands
 - Environment variables
 **Quick reference:**
 ```bash
 . ./devmode.sh                            # Enable dev mode
 make update-startbox REMOTE=start9@<ip>   # Fastest iteration (binary + UI)
 make test-core                            # Run Rust tests
 ```
 ## Architecture
 ### Core (`/core`)
 The Rust backend daemon. Main binaries:
 - `startbox` - Main daemon (runs as `startd`)
 - `start-cli` - CLI interface
 - `start-container` - Runs inside LXC containers; communicates with host and manages subcontainers
 - `registrybox` - Registry daemon
 - `tunnelbox` - VPN/tunnel daemon
 **Key modules:**
 - `src/context/` - Context types (RpcContext, CliContext, InitContext, DiagnosticContext)
 - `src/service/` - Service lifecycle management with actor pattern (`service_actor.rs`)
 - `src/db/model/` - Patch-DB models (`public.rs` synced to frontend, `private.rs` backend-only)
 - `src/net/` - Networking (DNS, ACME, WiFi, Tor via Arti, WireGuard)
 - `src/s9pk/` - S9PK package format (merkle archive)
 - `src/registry/` - Package registry management
 **RPC Pattern:** See `agents/rpc-toolkit.md`
 ### Web (`/web`)
 Angular projects sharing common code:
 - `projects/ui/` - Main admin interface
 - `projects/setup-wizard/` - Initial setup
 - `projects/start-tunnel/` - VPN management UI
 - `projects/shared/` - Common library (API clients, components)
 - `projects/marketplace/` - Service discovery
 **Development:**
 ```bash
 cd web
 npm ci
 npm run start:ui        # Dev server with mocks
 npm run build:ui        # Production build
 npm run check           # Type check all projects
 ```
 ### Container Runtime (`/container-runtime`)
 Node.js runtime that manages service containers via RPC. See `RPCSpec.md` for protocol.
 **Container Architecture:**
 ```
 LXC Container (uniform base for all services)
 └── systemd
    └── container-runtime.service
        └── Loads /usr/lib/startos/package/index.js (from s9pk javascript.squashfs)
            └── Package JS launches subcontainers (from images in s9pk)
 ```
 The container runtime communicates with the host via JSON-RPC over Unix socket. Package JavaScript must export functions conforming to the `ABI` type defined in `sdk/base/lib/types.ts`.
 **`/media/startos/` directory (mounted by host into container):**
 | Path | Description |
 |------|-------------|
 | `volumes/<name>/` | Package data volumes (id-mapped, persistent) |
 | `assets/` | Read-only assets from s9pk `assets.squashfs` |
 | `images/<name>/` | Container images (squashfs, used for subcontainers) |
 | `images/<name>.env` | Environment variables for image |
 | `images/<name>.json` | Image metadata |
 | `backup/` | Backup mount point (mounted during backup operations) |
 | `rpc/service.sock` | RPC socket (container runtime listens here) |
 | `rpc/host.sock` | Host RPC socket (for effects callbacks to host) |
 **S9PK Structure:** See `agents/s9pk-structure.md`
 ### SDK (`/sdk`)
 TypeScript SDK for packaging services (`@start9labs/start-sdk`).
 - `base/` - Core types, ABI definitions, effects interface (`@start9labs/start-sdk-base`)
 - `package/` - Full SDK for package developers, re-exports base
 ### Patch-DB (`/patch-db`)
 Git submodule providing diff-based state synchronization. Changes to `db/model/public.rs` automatically sync to the frontend.
 **Key patterns:**
 - `db.peek().await` - Get a read-only snapshot of the database state
 - `db.mutate(|db| { ... }).await` - Apply mutations atomically, returns `MutateResult`
 - `#[derive(HasModel)]` - Derive macro for types stored in the database, generates typed accessors
 **Generated accessor types** (from `HasModel` derive):
 - `as_field()` - Immutable reference: `&Model<T>`
 - `as_field_mut()` - Mutable reference: `&mut Model<T>`
 - `into_field()` - Owned value: `Model<T>`
 **`Model<T>` APIs** (from `db/prelude.rs`):
 - `.de()` - Deserialize to `T`
 - `.ser(&value)` - Serialize from `T`
 - `.mutate(|v| ...)` - Deserialize, mutate, reserialize
 - For maps: `.keys()`, `.as_idx(&key)`, `.as_idx_mut(&key)`, `.insert()`, `.remove()`, `.contains_key()`
 ## Supplementary Documentation
 The `agents/` directory contains detailed documentation for AI assistants:
 - `TODO.md` - Pending tasks for AI agents (check this first, remove items when completed)
 - `USER.md` - Current user identifier (gitignored, see below)
 - `rpc-toolkit.md` - JSON-RPC patterns and handler configuration
 - `core-rust-patterns.md` - Common utilities and patterns for Rust code in `/core` (guard pattern, mount guards, etc.)
 - `s9pk-structure.md` - S9PK package format structure
 - `i18n-patterns.md` - Internationalization key conventions and usage in `/core`
 ### Session Startup
 On startup:
 1. **Check for `agents/USER.md`** - If it doesn't exist, prompt the user for their name/identifier and create it. This file is gitignored since it varies per developer.
 2. **Check `agents/TODO.md` for relevant tasks** - Show TODOs that either:
   - Have no `@username` tag (relevant to everyone)
   - Are tagged with the current user's identifier
   Skip TODOs tagged with a different user.
 3. **Ask "What would you like to do today?"** - Offer options for each relevant TODO item, plus "Something else" for other requests.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -11,190 +11,123 @@ This guide is for contributing to the StartOS. If you are interested in packagin
 ```bash
 /
-├── assets/              # Screenshots for README
+├── assets/
-├── build/               # Auxiliary files and scripts for deployed images
+├── container-runtime/
-├── container-runtime/   # Node.js program managing package containers
+├── core/
-├── core/                # Rust backend: API, daemon (startd), CLI (start-cli)
+├── build/
-├── debian/              # Debian package maintainer scripts
+├── debian/
-├── image-recipe/        # Scripts for building StartOS images
+├── web/
-├── patch-db/            # (submodule) Diff-based data store for frontend sync
+├── image-recipe/
-├── sdk/                 # TypeScript SDK for building StartOS packages
+├── patch-db
-└── web/                 # Web UIs (Angular)
+└── sdk/
 ```
-See component READMEs for details:
+#### assets
- [`core`](core/README.md)
+
- [`web`](web/README.md)
+screenshots for the StartOS README
- [`build`](build/README.md)
+
- [`patch-db`](https://github.com/Start9Labs/patch-db)
+#### container-runtime
 A NodeJS program that dynamically loads maintainer scripts and communicates with the OS to manage packages
 #### core
 An API, daemon (startd), and CLI (start-cli) that together provide the core functionality of StartOS.
 #### build
 Auxiliary files and scripts to include in deployed StartOS images
 #### debian
 Maintainer scripts for the StartOS Debian package
 #### web
 Web UIs served under various conditions and used to interact with StartOS APIs.
 #### image-recipe
 Scripts for building StartOS images
 #### patch-db (submodule)
 A diff based data store used to synchronize data between the web interfaces and server.
 #### sdk
 A typescript sdk for building start-os packages
 ## Environment Setup
 #### Clone the StartOS repository
 ```sh
 git clone https://github.com/Start9Labs/start-os.git --recurse-submodules
 cd start-os
 ```
-### Development Mode
+#### Continue to your project of interest for additional instructions:
-For faster iteration during development:
+- [`core`](core/README.md)
-
+- [`web-interfaces`](web-interfaces/README.md)
-```sh
+- [`build`](build/README.md)
-. ./devmode.sh
+- [`patch-db`](https://github.com/Start9Labs/patch-db)
 ```
 This sets `ENVIRONMENT=dev` and `GIT_BRANCH_AS_HASH=1` to prevent rebuilds on every commit.
 ## Building
-All builds can be performed on any operating system that can run Docker.
+This project uses [GNU Make](https://www.gnu.org/software/make/) to build its components. To build any specific component, simply run `make <TARGET>` replacing `<TARGET>` with the name of the target you'd like to build
 This project uses [GNU Make](https://www.gnu.org/software/make/) to build its components.
 ### Requirements
 - [GNU Make](https://www.gnu.org/software/make/)
- [Docker](https://docs.docker.com/get-docker/) or [Podman](https://podman.io/)
+- [Docker](https://docs.docker.com/get-docker/)
 - [NodeJS v20.16.0](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm)
- [Rust](https://rustup.rs/) (nightly for formatting)
+- [sed](https://www.gnu.org/software/sed/)
- [sed](https://www.gnu.org/software/sed/), [grep](https://www.gnu.org/software/grep/), [awk](https://www.gnu.org/software/gawk/)
+- [grep](https://www.gnu.org/software/grep/)
 - [awk](https://www.gnu.org/software/gawk/)
 - [jq](https://jqlang.github.io/jq/)
- [gzip](https://www.gnu.org/software/gzip/), [brotli](https://github.com/google/brotli)
+- [gzip](https://www.gnu.org/software/gzip/)
 - [brotli](https://github.com/google/brotli)
-### Environment Variables
+### Environment variables
-| Variable | Description |
+- `PLATFORM`: which platform you would like to build for. Must be one of `x86_64`, `x86_64-nonfree`, `aarch64`, `aarch64-nonfree`, `raspberrypi`
-|----------|-------------|
+  - NOTE: `nonfree` images are for including `nonfree` firmware packages in the built ISO
-| `PLATFORM` | Target platform: `x86_64`, `x86_64-nonfree`, `aarch64`, `aarch64-nonfree`, `riscv64`, `raspberrypi` |
+- `ENVIRONMENT`: a hyphen separated set of feature flags to enable
-| `ENVIRONMENT` | Hyphen-separated feature flags (see below) |
+  - `dev`: enables password ssh (INSECURE!) and does not compress frontends
-| `PROFILE` | Build profile: `release` (default) or `dev` |
+  - `unstable`: enables assertions that will cause errors on unexpected inconsistencies that are undesirable in production use either for performance or reliability reasons
-| `GIT_BRANCH_AS_HASH` | Set to `1` to use git branch name as version hash (avoids rebuilds) |
+  - `docker`: use `docker` instead of `podman`
 - `GIT_BRANCH_AS_HASH`: set to `1` to use the current git branch name as the git hash so that the project does not need to be rebuilt on each commit
-**ENVIRONMENT flags:**
+### Useful Make Targets
 - `dev` - Enables password SSH before setup, skips frontend compression
 - `unstable` - Enables assertions and debugging with performance penalty
 - `console` - Enables tokio-console for async debugging
 **Platform notes:**
 - `-nonfree` variants include proprietary firmware and drivers
 - `raspberrypi` includes non-free components by necessity
 - Platform is remembered between builds if not specified
 ### Make Targets
 #### Building
 | Target | Description |
 |--------|-------------|
 | `iso` | Create full `.iso` image (not for raspberrypi) |
 | `img` | Create full `.img` image (raspberrypi only) |
 | `deb` | Build Debian package |
 | `all` | Build all Rust binaries |
 | `uis` | Build all web UIs |
 | `ui` | Build main UI only |
 | `ts-bindings` | Generate TypeScript bindings from Rust types |
 #### Deploying to Device
 For devices on the same network:
 | Target | Description |
 |--------|-------------|
 | `update-startbox REMOTE=start9@<ip>` | Deploy binary + UI only (fastest) |
 | `update-deb REMOTE=start9@<ip>` | Deploy full Debian package |
 | `update REMOTE=start9@<ip>` | OTA-style update |
 | `reflash REMOTE=start9@<ip>` | Reflash as if using live ISO |
 | `update-overlay REMOTE=start9@<ip>` | Deploy to in-memory overlay (reverts on reboot) |
 For devices on different networks (uses [magic-wormhole](https://github.com/magic-wormhole/magic-wormhole)):
 | Target | Description |
 |--------|-------------|
 | `wormhole` | Send startbox binary |
 | `wormhole-deb` | Send Debian package |
 | `wormhole-squashfs` | Send squashfs image |
 #### Other
 | Target | Description |
 |--------|-------------|
 | `format` | Run code formatting (Rust nightly required) |
 | `test` | Run all automated tests |
 | `test-core` | Run Rust tests |
 | `test-sdk` | Run SDK tests |
 | `test-container-runtime` | Run container runtime tests |
 | `clean` | Delete all compiled artifacts |
 ## Testing
 ```bash
 make test                    # All tests
 make test-core               # Rust tests (via ./core/run-tests.sh)
 make test-sdk                # SDK tests
 make test-container-runtime  # Container runtime tests
 # Run specific Rust test
 cd core && cargo test <test_name> --features=test
 ```
 ## Code Formatting
 ```bash
 # Rust (requires nightly)
 make format
 # TypeScript/HTML/SCSS (web)
 cd web && npm run format
 ```
 ## Code Style Guidelines
 ### Formatting
 Run the formatters before committing. Configuration is handled by `rustfmt.toml` (Rust) and prettier configs (TypeScript).
 ### Documentation & Comments
 **Rust:**
 - Add doc comments (`///`) to public APIs, structs, and non-obvious functions
 - Use `//` comments sparingly for complex logic that isn't self-evident
 - Prefer self-documenting code (clear naming, small functions) over comments
 **TypeScript:**
 - Document exported functions and complex types with JSDoc
 - Keep comments focused on "why" rather than "what"
 **General:**
 - Don't add comments that just restate the code
 - Update or remove comments when code changes
 - TODOs should include context: `// TODO(username): reason`
 ### Commit Messages
 Use [Conventional Commits](https://www.conventionalcommits.org/):
 ```
 <type>(<scope>): <description>
 [optional body]
 [optional footer]
 ```
 **Types:**
 - `feat` - New feature
 - `fix` - Bug fix
 - `docs` - Documentation only
 - `style` - Formatting, no code change
 - `refactor` - Code change that neither fixes a bug nor adds a feature
 - `test` - Adding or updating tests
 - `chore` - Build process, dependencies, etc.
 **Examples:**
 ```
 feat(web): add dark mode toggle
 fix(core): resolve race condition in service startup
 docs: update CONTRIBUTING.md with style guidelines
 refactor(sdk): simplify package validation logic
 ```
 - `iso`: Create a full `.iso` image
  - Only possible from Debian
  - Not available for `PLATFORM=raspberrypi`
  - Additional Requirements:
    - [debspawn](https://github.com/lkhq/debspawn)
 - `img`: Create a full `.img` image
  - Only possible from Debian
  - Only available for `PLATFORM=raspberrypi`
  - Additional Requirements:
    - [debspawn](https://github.com/lkhq/debspawn)
 - `format`: Run automatic code formatting for the project
  - Additional Requirements:
    - [rust](https://rustup.rs/)
 - `test`: Run automated tests for the project
  - Additional Requirements:
    - [rust](https://rustup.rs/)
 - `update`: Deploy the current working project to a device over ssh as if through an over-the-air update
  - Requires an argument `REMOTE` which is the ssh address of the device, i.e. `start9@192.168.122.2`
 - `reflash`: Deploy the current working project to a device over ssh as if using a live `iso` image to reflash it
  - Requires an argument `REMOTE` which is the ssh address of the device, i.e. `start9@192.168.122.2`
 - `update-overlay`: Deploy the current working project to a device over ssh to the in-memory overlay without restarting it
  - WARNING: changes will be reverted after the device is rebooted
  - WARNING: changes to `init` will not take effect as the device is already initialized
  - Requires an argument `REMOTE` which is the ssh address of the device, i.e. `start9@192.168.122.2`
 - `wormhole`: Deploy the `startbox` to a device using [magic-wormhole](https://github.com/magic-wormhole/magic-wormhole)
  - When the build it complete will emit a command to paste into the shell of the device to upgrade it
  - Additional Requirements:
    - [magic-wormhole](https://github.com/magic-wormhole/magic-wormhole)
 - `clean`: Delete all compiled artifacts
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -25,9 +25,9 @@ docker buildx create --use
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh # proceed with default installation
 curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh | bash
 source ~/.bashrc
-nvm install 24
+nvm install 22
-nvm use 24
+nvm use 22
-nvm alias default 24 # this prevents your machine from reverting back to another version
+nvm alias default 22 # this prevents your machine from reverting back to another version
 ```
 ## Cloning the repository
--- a/250
+++ b/250
@@ -1,44 +1,39 @@
 ls-files = $(shell git ls-files --cached --others --exclude-standard $1) 
 PROFILE = release
-PLATFORM_FILE := $(shell ./build/env/check-platform.sh)
+PLATFORM_FILE := $(shell ./check-platform.sh)
-ENVIRONMENT_FILE := $(shell ./build/env/check-environment.sh)
+ENVIRONMENT_FILE := $(shell ./check-environment.sh)
-GIT_HASH_FILE := $(shell ./build/env/check-git-hash.sh)
+GIT_HASH_FILE := $(shell ./check-git-hash.sh)
-VERSION_FILE := $(shell ./build/env/check-version.sh)
+VERSION_FILE := $(shell ./check-version.sh)
-BASENAME := $(shell PROJECT=startos ./build/env/basename.sh)
+BASENAME := $(shell ./basename.sh)
-PLATFORM := $(shell if [ -f $(PLATFORM_FILE) ]; then cat $(PLATFORM_FILE); else echo unknown; fi)
+PLATFORM := $(shell if [ -f ./PLATFORM.txt ]; then cat ./PLATFORM.txt; else echo unknown; fi)
 ARCH := $(shell if [ "$(PLATFORM)" = "raspberrypi" ]; then echo aarch64; else echo $(PLATFORM) | sed 's/-nonfree$$//g'; fi)
 RUST_ARCH := $(shell if [ "$(ARCH)" = "riscv64" ]; then echo riscv64gc; else echo $(ARCH); fi)
 REGISTRY_BASENAME := $(shell PROJECT=start-registry PLATFORM=$(ARCH) ./build/env/basename.sh)
 TUNNEL_BASENAME := $(shell PROJECT=start-tunnel PLATFORM=$(ARCH) ./build/env/basename.sh)
 IMAGE_TYPE=$(shell if [ "$(PLATFORM)" = raspberrypi ]; then echo img; else echo iso; fi)
-WEB_UIS := web/dist/raw/ui/index.html web/dist/raw/setup-wizard/index.html
+WEB_UIS := web/dist/raw/ui/index.html web/dist/raw/setup-wizard/index.html web/dist/raw/install-wizard/index.html
-COMPRESSED_WEB_UIS := web/dist/static/ui/index.html web/dist/static/setup-wizard/index.html
+COMPRESSED_WEB_UIS := web/dist/static/ui/index.html web/dist/static/setup-wizard/index.html web/dist/static/install-wizard/index.html
-FIRMWARE_ROMS := build/lib/firmware/$(PLATFORM) $(shell jq --raw-output '.[] | select(.platform[] | contains("$(PLATFORM)")) | "./build/lib/firmware/$(PLATFORM)/" + .id + ".rom.gz"' build/lib/firmware.json)
+FIRMWARE_ROMS := ./firmware/$(PLATFORM) $(shell jq --raw-output '.[] | select(.platform[] | contains("$(PLATFORM)")) | "./firmware/$(PLATFORM)/" + .id + ".rom.gz"' build/lib/firmware.json)
-BUILD_SRC := $(call ls-files, build/lib) build/lib/depends build/lib/conflicts $(FIRMWARE_ROMS)
+BUILD_SRC := $(call ls-files, build) build/lib/depends build/lib/conflicts $(FIRMWARE_ROMS)
-IMAGE_RECIPE_SRC := $(call ls-files, build/image-recipe/)
+DEBIAN_SRC := $(call ls-files, debian/)
-STARTD_SRC := core/startd.service $(BUILD_SRC)
+IMAGE_RECIPE_SRC := $(call ls-files, image-recipe/)
 STARTD_SRC := core/startos/startd.service $(BUILD_SRC)
 CORE_SRC := $(call ls-files, core) $(shell git ls-files --recurse-submodules patch-db) $(GIT_HASH_FILE)
 WEB_SHARED_SRC := $(call ls-files, web/projects/shared) $(call ls-files, web/projects/marketplace) $(shell ls -p web/ | grep -v / | sed 's/^/web\//g') web/node_modules/.package-lock.json web/config.json patch-db/client/dist/index.js sdk/baseDist/package.json web/patchdb-ui-seed.json sdk/dist/package.json
 WEB_UI_SRC := $(call ls-files, web/projects/ui)
 WEB_SETUP_WIZARD_SRC := $(call ls-files, web/projects/setup-wizard)
-WEB_START_TUNNEL_SRC := $(call ls-files, web/projects/start-tunnel)
+WEB_INSTALL_WIZARD_SRC := $(call ls-files, web/projects/install-wizard)
 PATCH_DB_CLIENT_SRC := $(shell git ls-files --recurse-submodules patch-db/client)
 GZIP_BIN := $(shell which pigz || which gzip)
 TAR_BIN := $(shell which gtar || which tar)
-COMPILED_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container container-runtime/rootfs.$(ARCH).squashfs
+COMPILED_TARGETS := core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox core/target/$(ARCH)-unknown-linux-musl/release/containerbox container-runtime/rootfs.$(ARCH).squashfs
-STARTOS_TARGETS := $(STARTD_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE) $(COMPILED_TARGETS) target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs $(PLATFORM_FILE) \
+ALL_TARGETS := $(STARTD_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_FILE) $(COMPILED_TARGETS) cargo-deps/$(ARCH)-unknown-linux-musl/release/startos-backup-fs $(PLATFORM_FILE) \
 	$(shell if [ "$(PLATFORM)" = "raspberrypi" ]; then \
-		echo target/aarch64-unknown-linux-musl/release/pi-beep; \
+		echo cargo-deps/aarch64-unknown-linux-musl/release/pi-beep; \
 	fi) \
 	$(shell /bin/bash -c 'if [[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]; then \
-		echo target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph; \
+		echo cargo-deps/$(ARCH)-unknown-linux-musl/release/tokio-console; \
-	fi') \
+		echo cargo-deps/$(ARCH)-unknown-linux-musl/release/flamegraph; \
 	$(shell /bin/bash -c 'if [[ "${ENVIRONMENT}" =~ (^|-)console($$|-) ]]; then \
 		echo target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console; \
 	fi')
-REGISTRY_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox core/start-registryd.service
+REBUILD_TYPES = 1
 TUNNEL_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/start-tunneld.service
 ifeq ($(REMOTE),)
 	mkdir = mkdir -p $1
@@ -61,18 +56,18 @@ endif
 .DELETE_ON_ERROR:
-.PHONY: all metadata install clean format install-cli cli uis ui reflash deb $(IMAGE_TYPE) squashfs wormhole wormhole-deb test test-core test-sdk test-container-runtime registry install-registry tunnel install-tunnel ts-bindings
+.PHONY: all metadata install clean format cli uis ui reflash deb $(IMAGE_TYPE) squashfs wormhole wormhole-deb test test-core test-sdk test-container-runtime registry
-all: $(STARTOS_TARGETS)
+all: $(ALL_TARGETS)
 touch:
-	touch $(STARTOS_TARGETS)
+	touch $(ALL_TARGETS)
 metadata: $(VERSION_FILE) $(PLATFORM_FILE) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE)
 clean:
 	rm -rf core/target
-	rm -rf core/bindings
+	rm -rf core/startos/bindings
 	rm -rf web/.angular
 	rm -f web/config.json
 	rm -rf web/node_modules
@@ -80,7 +75,7 @@ clean:
 	rm -rf patch-db/client/node_modules
 	rm -rf patch-db/client/dist
 	rm -rf patch-db/target
-	rm -rf target
+	rm -rf cargo-deps
 	rm -rf dpkg-workdir
 	rm -rf image-recipe/deb
 	rm -rf results
@@ -88,8 +83,14 @@ clean:
 	rm -rf container-runtime/dist
 	rm -rf container-runtime/node_modules
 	rm -f container-runtime/*.squashfs
 	if [ -d container-runtime/tmp/combined ] && mountpoint container-runtime/tmp/combined; then sudo umount container-runtime/tmp/combined; fi
 	if [ -d container-runtime/tmp/lower ] && mountpoint container-runtime/tmp/lower; then sudo umount container-runtime/tmp/lower; fi
 	rm -rf container-runtime/tmp
 	(cd sdk && make clean)
-	rm -f env/*.txt
+	rm -f ENVIRONMENT.txt
 	rm -f PLATFORM.txt
 	rm -f GIT_HASH.txt
 	rm -f VERSION.txt
 format:
 	cd core && cargo +nightly fmt
@@ -105,84 +106,47 @@ test-sdk: $(call ls-files, sdk) sdk/base/lib/osBindings/index.ts
 test-container-runtime: container-runtime/node_modules/.package-lock.json $(call ls-files, container-runtime/src) container-runtime/package.json container-runtime/tsconfig.json 
 	cd container-runtime && npm test
-install-cli: $(GIT_HASH_FILE)
+cli:
-	./core/build/build-cli.sh --install
+	./core/install-cli.sh
-cli: $(GIT_HASH_FILE)
+registry:
-	./core/build/build-cli.sh
+	./core/build-registrybox.sh
-registry: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox
+tunnel:
-
+	./core/build-tunnelbox.sh
 install-registry: $(REGISTRY_TARGETS)
 	$(call mkdir,$(DESTDIR)/usr/bin)
 	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox,$(DESTDIR)/usr/bin/start-registrybox)
 	$(call ln,/usr/bin/start-registrybox,$(DESTDIR)/usr/bin/start-registryd)
 	$(call ln,/usr/bin/start-registrybox,$(DESTDIR)/usr/bin/start-registry)
 	$(call mkdir,$(DESTDIR)/lib/systemd/system)
 	$(call cp,core/start-registryd.service,$(DESTDIR)/lib/systemd/system/start-registryd.service)
 core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox: $(CORE_SRC) $(ENVIRONMENT_FILE)
 	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-registrybox.sh
 tunnel: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox
 install-tunnel: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/start-tunneld.service
 	$(call mkdir,$(DESTDIR)/usr/bin)
 	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox,$(DESTDIR)/usr/bin/start-tunnelbox)
 	$(call ln,/usr/bin/start-tunnelbox,$(DESTDIR)/usr/bin/start-tunneld)
 	$(call ln,/usr/bin/start-tunnelbox,$(DESTDIR)/usr/bin/start-tunnel)
 	$(call mkdir,$(DESTDIR)/lib/systemd/system)
 	$(call cp,core/start-tunneld.service,$(DESTDIR)/lib/systemd/system/start-tunneld.service)
 	$(call mkdir,$(DESTDIR)/usr/lib/startos/scripts)
 	$(call cp,build/lib/scripts/forward-port,$(DESTDIR)/usr/lib/startos/scripts/forward-port)
 core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox: $(CORE_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) web/dist/static/start-tunnel/index.html
 	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-tunnelbox.sh
 deb: results/$(BASENAME).deb
-results/$(BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/startos) $(STARTOS_TARGETS)
+debian/control: build/lib/depends build/lib/conflicts
-	PLATFORM=$(PLATFORM) REQUIRES=debian ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
+	./debuild/control.sh
-registry-deb: results/$(REGISTRY_BASENAME).deb
+results/$(BASENAME).deb: dpkg-build.sh $(DEBIAN_SRC) $(ALL_TARGETS)
-
+	PLATFORM=$(PLATFORM) REQUIRES=debian ./build/os-compat/run-compat.sh ./dpkg-build.sh
 results/$(REGISTRY_BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/start-registry) $(REGISTRY_TARGETS)
 	PROJECT=start-registry PLATFORM=$(ARCH) REQUIRES=debian ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
 tunnel-deb: results/$(TUNNEL_BASENAME).deb
 results/$(TUNNEL_BASENAME).deb: debian/dpkg-build.sh $(call ls-files,debian/start-tunnel) $(TUNNEL_TARGETS) build/lib/scripts/forward-port
 	PROJECT=start-tunnel PLATFORM=$(ARCH) REQUIRES=debian DEPENDS=wireguard-tools,iptables,conntrack ./build/os-compat/run-compat.sh ./debian/dpkg-build.sh
 $(IMAGE_TYPE): results/$(BASENAME).$(IMAGE_TYPE)
 squashfs: results/$(BASENAME).squashfs
 results/$(BASENAME).$(IMAGE_TYPE) results/$(BASENAME).squashfs: $(IMAGE_RECIPE_SRC) results/$(BASENAME).deb
-	ARCH=$(ARCH) ./build/image-recipe/run-local-build.sh "results/$(BASENAME).deb"
+	REQUIRES=debian ./build/os-compat/run-compat.sh ./image-recipe/run-local-build.sh "results/$(BASENAME).deb"
 # For creating os images. DO NOT USE
-install: $(STARTOS_TARGETS)
+install: $(ALL_TARGETS) 
 	$(call mkdir,$(DESTDIR)/usr/bin)
 	$(call mkdir,$(DESTDIR)/usr/sbin)
-	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox,$(DESTDIR)/usr/bin/startbox)
+	$(call cp,core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox,$(DESTDIR)/usr/bin/startbox)
 	$(call ln,/usr/bin/startbox,$(DESTDIR)/usr/bin/startd)
 	$(call ln,/usr/bin/startbox,$(DESTDIR)/usr/bin/start-cli)
-	if [ "$(PLATFORM)" = "raspberrypi" ]; then $(call cp,target/aarch64-unknown-linux-musl/release/pi-beep,$(DESTDIR)/usr/bin/pi-beep); fi
+	if [ "$(PLATFORM)" = "raspberrypi" ]; then $(call cp,cargo-deps/aarch64-unknown-linux-musl/release/pi-beep,$(DESTDIR)/usr/bin/pi-beep); fi
 	if /bin/bash -c '[[ "${ENVIRONMENT}" =~ (^|-)unstable($$|-) ]]'; then \
-		$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph,$(DESTDIR)/usr/bin/flamegraph); \
+		$(call cp,cargo-deps/$(ARCH)-unknown-linux-musl/release/tokio-console,$(DESTDIR)/usr/bin/tokio-console); \
 		$(call cp,cargo-deps/$(ARCH)-unknown-linux-musl/release/flamegraph,$(DESTDIR)/usr/bin/flamegraph); \
 	fi
-	if /bin/bash -c '[[ "${ENVIRONMENT}" =~ (^|-)console($$|-) ]]'; then \
+	$(call cp,cargo-deps/$(ARCH)-unknown-linux-musl/release/startos-backup-fs,$(DESTDIR)/usr/bin/startos-backup-fs)
 		$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console,$(DESTDIR)/usr/bin/tokio-console); \
 	fi
 	$(call cp,target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs,$(DESTDIR)/usr/bin/startos-backup-fs)
 	$(call ln,/usr/bin/startos-backup-fs,$(DESTDIR)/usr/sbin/mount.backup-fs)
 	$(call mkdir,$(DESTDIR)/lib/systemd/system)
-	$(call cp,core/startd.service,$(DESTDIR)/lib/systemd/system/startd.service)
+	$(call cp,core/startos/startd.service,$(DESTDIR)/lib/systemd/system/startd.service)
 	$(call mkdir,$(DESTDIR)/usr/lib)
 	$(call rm,$(DESTDIR)/usr/lib/startos)
@@ -190,24 +154,26 @@ install: $(STARTOS_TARGETS)
 	$(call mkdir,$(DESTDIR)/usr/lib/startos/container-runtime)
 	$(call cp,container-runtime/rootfs.$(ARCH).squashfs,$(DESTDIR)/usr/lib/startos/container-runtime/rootfs.squashfs)
-	$(call cp,build/env/PLATFORM.txt,$(DESTDIR)/usr/lib/startos/PLATFORM.txt)
+	$(call cp,PLATFORM.txt,$(DESTDIR)/usr/lib/startos/PLATFORM.txt)
-	$(call cp,build/env/ENVIRONMENT.txt,$(DESTDIR)/usr/lib/startos/ENVIRONMENT.txt)
+	$(call cp,ENVIRONMENT.txt,$(DESTDIR)/usr/lib/startos/ENVIRONMENT.txt)
-	$(call cp,build/env/GIT_HASH.txt,$(DESTDIR)/usr/lib/startos/GIT_HASH.txt)
+	$(call cp,GIT_HASH.txt,$(DESTDIR)/usr/lib/startos/GIT_HASH.txt)
-	$(call cp,build/env/VERSION.txt,$(DESTDIR)/usr/lib/startos/VERSION.txt)
+	$(call cp,VERSION.txt,$(DESTDIR)/usr/lib/startos/VERSION.txt)
-update-overlay: $(STARTOS_TARGETS)
+	$(call cp,firmware/$(PLATFORM),$(DESTDIR)/usr/lib/startos/firmware)
 update-overlay: $(ALL_TARGETS)
 	@echo "\033[33m!!! THIS WILL ONLY REFLASH YOUR DEVICE IN MEMORY !!!\033[0m"
 	@echo "\033[33mALL CHANGES WILL BE REVERTED IF YOU RESTART THE DEVICE\033[0m"
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
-	@if [ "`ssh $(REMOTE) 'cat /usr/lib/startos/VERSION.txt'`" != "`cat $(VERSION_FILE)`" ]; then >&2 echo "StartOS requires migrations: update-overlay is unavailable." && false; fi
+	@if [ "`ssh $(REMOTE) 'cat /usr/lib/startos/VERSION.txt'`" != "`cat ./VERSION.txt`" ]; then >&2 echo "StartOS requires migrations: update-overlay is unavailable." && false; fi
 	$(call ssh,"sudo systemctl stop startd")
 	$(MAKE) install REMOTE=$(REMOTE) SSHPASS=$(SSHPASS) PLATFORM=$(PLATFORM)
 	$(call ssh,"sudo systemctl start startd")
-wormhole: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox
+wormhole: core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox
 	@echo "Paste the following command into the shell of your StartOS server:"
 	@echo
-	@wormhole send core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo /usr/lib/startos/scripts/chroot-and-upgrade \"cd /usr/bin && rm startbox && wormhole receive --accept-file %s && chmod +x startbox\"\n", $$3 }'
+	@wormhole send core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo /usr/lib/startos/scripts/chroot-and-upgrade \"cd /usr/bin && rm startbox && wormhole receive --accept-file %s && chmod +x startbox\"\n", $$3 }'
 wormhole-deb: results/$(BASENAME).deb
 	@echo "Paste the following command into the shell of your StartOS server:"
@@ -219,18 +185,18 @@ wormhole-squashfs: results/$(BASENAME).squashfs
 	$(eval SQFS_SIZE := $(shell du -s --bytes results/$(BASENAME).squashfs | awk '{print $$1}'))
 	@echo "Paste the following command into the shell of your StartOS server:"
 	@echo
-	@wormhole send results/$(BASENAME).squashfs 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo sh -c '"'"'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE) && /usr/lib/startos/scripts/prune-boot && cd /media/startos/images && wormhole receive --accept-file %s && CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade ./$(BASENAME).squashfs'"'"'\n", $$3 }'
+	@wormhole send results/$(BASENAME).squashfs 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo sh -c '"'"'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE) && /usr/lib/startos/scripts/prune-boot && cd /media/startos/images && wormhole receive --accept-file %s && CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/use-img ./$(BASENAME).squashfs'"'"'\n", $$3 }'
-update: $(STARTOS_TARGETS)
+update: $(ALL_TARGETS)
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
 	$(call ssh,'sudo /usr/lib/startos/scripts/chroot-and-upgrade --create')
 	$(MAKE) install REMOTE=$(REMOTE) SSHPASS=$(SSHPASS) DESTDIR=/media/startos/next PLATFORM=$(PLATFORM)
 	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync "apt-get install -y $(shell cat ./build/lib/depends)"')
-update-startbox: core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox # only update binary (faster than full update)
+update-startbox: core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox # only update binary (faster than full update)
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
 	$(call ssh,'sudo /usr/lib/startos/scripts/chroot-and-upgrade --create')
-	$(call cp,core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox,/media/startos/next/usr/bin/startbox)
+	$(call cp,core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox,/media/startos/next/usr/bin/startbox)
 	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync true')
 update-deb: results/$(BASENAME).deb # better than update, but only available from debian
@@ -247,9 +213,9 @@ update-squashfs: results/$(BASENAME).squashfs
 	$(call ssh,'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE)')
 	$(call ssh,'/usr/lib/startos/scripts/prune-boot')
 	$(call cp,results/$(BASENAME).squashfs,/media/startos/images/next.rootfs)
-	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade /media/startos/images/next.rootfs')
+	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/use-img /media/startos/images/next.rootfs')
-emulate-reflash: $(STARTOS_TARGETS)
+emulate-reflash: $(ALL_TARGETS)
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
 	$(call ssh,'sudo /usr/lib/startos/scripts/chroot-and-upgrade --create')
 	$(MAKE) install REMOTE=$(REMOTE) SSHPASS=$(SSHPASS) DESTDIR=/media/startos/next PLATFORM=$(PLATFORM)
@@ -257,7 +223,7 @@ emulate-reflash: $(STARTOS_TARGETS)
 	$(call ssh,'sudo /media/startos/next/usr/lib/startos/scripts/chroot-and-upgrade --no-sync "apt-get install -y $(shell cat ./build/lib/depends)"')
 upload-ota: results/$(BASENAME).squashfs
-	TARGET=$(TARGET) KEY=$(KEY) ./build/upload-ota.sh
+	TARGET=$(TARGET) KEY=$(KEY) ./upload-ota.sh
 container-runtime/debian.$(ARCH).squashfs: ./container-runtime/download-base-image.sh
 	ARCH=$(ARCH) ./container-runtime/download-base-image.sh
@@ -270,16 +236,17 @@ container-runtime/node_modules/.package-lock.json: container-runtime/package-loc
 	npm --prefix container-runtime ci
 	touch container-runtime/node_modules/.package-lock.json
-ts-bindings: core/bindings/index.ts
+sdk/base/lib/osBindings/index.ts: $(shell if [ "$(REBUILD_TYPES)" -ne 0 ]; then echo core/startos/bindings/index.ts; fi)
 	mkdir -p sdk/base/lib/osBindings
-	rsync -ac --delete core/bindings/ sdk/base/lib/osBindings/
+	rsync -ac --delete core/startos/bindings/ sdk/base/lib/osBindings/
 	touch sdk/base/lib/osBindings/index.ts
-core/bindings/index.ts: $(call ls-files, core) $(ENVIRONMENT_FILE)
+core/startos/bindings/index.ts: $(call ls-files, core) $(ENVIRONMENT_FILE)
-	rm -rf core/bindings
+	rm -rf core/startos/bindings
-	./core/build/build-ts.sh
+	./core/build-ts.sh
-	ls core/bindings/*.ts | sed 's/core\/bindings\/\([^.]*\)\.ts/export { \1 } from ".\/\1";/g' | grep -v '"./index"' | tee core/bindings/index.ts
+	ls core/startos/bindings/*.ts | sed 's/core\/startos\/bindings\/\([^.]*\)\.ts/export { \1 } from ".\/\1";/g' | grep -v '"./index"' | tee core/startos/bindings/index.ts
-	npm --prefix sdk exec -- prettier --config ./sdk/base/package.json -w ./core/bindings/*.ts
+	npm --prefix sdk exec -- prettier --config ./sdk/base/package.json -w ./core/startos/bindings/*.ts
-	touch core/bindings/index.ts
+	touch core/startos/bindings/index.ts
 sdk/dist/package.json sdk/baseDist/package.json: $(call ls-files, sdk) sdk/base/lib/osBindings/index.ts
 	(cd sdk && make bundle)
@@ -294,22 +261,22 @@ container-runtime/dist/node_modules/.package-lock.json container-runtime/dist/pa
 	./container-runtime/install-dist-deps.sh
 	touch container-runtime/dist/node_modules/.package-lock.json
-container-runtime/rootfs.$(ARCH).squashfs: container-runtime/debian.$(ARCH).squashfs container-runtime/container-runtime.service container-runtime/update-image.sh container-runtime/update-image-local.sh container-runtime/deb-install.sh container-runtime/dist/index.js container-runtime/dist/node_modules/.package-lock.json core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container
+container-runtime/rootfs.$(ARCH).squashfs: container-runtime/debian.$(ARCH).squashfs container-runtime/container-runtime.service container-runtime/update-image.sh container-runtime/deb-install.sh container-runtime/dist/index.js container-runtime/dist/node_modules/.package-lock.json core/target/$(ARCH)-unknown-linux-musl/release/containerbox
-	ARCH=$(ARCH) ./container-runtime/update-image-local.sh
+	ARCH=$(ARCH) REQUIRES=linux ./build/os-compat/run-compat.sh ./container-runtime/update-image.sh
-build/lib/depends build/lib/conflicts: $(ENVIRONMENT_FILE) $(PLATFORM_FILE) $(shell ls build/dpkg-deps/*)
+build/lib/depends build/lib/conflicts: build/dpkg-deps/*
-	PLATFORM=$(PLATFORM) ARCH=$(ARCH) build/dpkg-deps/generate.sh
+	build/dpkg-deps/generate.sh
-$(FIRMWARE_ROMS): build/lib/firmware.json ./build/download-firmware.sh $(PLATFORM_FILE)
+$(FIRMWARE_ROMS): build/lib/firmware.json download-firmware.sh $(PLATFORM_FILE)
-	./build/download-firmware.sh $(PLATFORM)
+	./download-firmware.sh $(PLATFORM)
-core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox: $(CORE_SRC) $(COMPRESSED_WEB_UIS) web/patchdb-ui-seed.json $(ENVIRONMENT_FILE)
+core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox: $(CORE_SRC) $(COMPRESSED_WEB_UIS) web/patchdb-ui-seed.json $(ENVIRONMENT_FILE)
-	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build/build-startbox.sh
+	ARCH=$(ARCH) PROFILE=$(PROFILE) ./core/build-startbox.sh
-	touch core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/startbox
+	touch core/target/$(ARCH)-unknown-linux-musl/$(PROFILE)/startbox
-core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container: $(CORE_SRC) $(ENVIRONMENT_FILE)
+core/target/$(ARCH)-unknown-linux-musl/release/containerbox: $(CORE_SRC) $(ENVIRONMENT_FILE)
-	ARCH=$(ARCH) ./core/build/build-start-container.sh
+	ARCH=$(ARCH) ./core/build-containerbox.sh
-	touch core/target/$(RUST_ARCH)-unknown-linux-musl/release/start-container
+	touch core/target/$(ARCH)-unknown-linux-musl/release/containerbox
 web/package-lock.json: web/package.json sdk/baseDist/package.json
 	npm --prefix web i
@@ -324,27 +291,23 @@ web/.angular/.updated: patch-db/client/dist/index.js sdk/baseDist/package.json w
 	mkdir -p web/.angular
 	touch web/.angular/.updated
-web/.i18n-checked: $(WEB_SHARED_SRC) $(WEB_UI_SRC) $(WEB_SETUP_WIZARD_SRC) $(WEB_START_TUNNEL_SRC)
+web/dist/raw/ui/index.html: $(WEB_UI_SRC) $(WEB_SHARED_SRC) web/.angular/.updated
 	npm --prefix web run check:i18n
 	touch web/.i18n-checked
 web/dist/raw/ui/index.html: $(WEB_UI_SRC) $(WEB_SHARED_SRC) web/.angular/.updated web/.i18n-checked
 	npm --prefix web run build:ui
 	touch web/dist/raw/ui/index.html
-web/dist/raw/setup-wizard/index.html: $(WEB_SETUP_WIZARD_SRC) $(WEB_SHARED_SRC) web/.angular/.updated web/.i18n-checked
+web/dist/raw/setup-wizard/index.html: $(WEB_SETUP_WIZARD_SRC) $(WEB_SHARED_SRC) web/.angular/.updated
 	npm --prefix web run build:setup
 	touch web/dist/raw/setup-wizard/index.html
-web/dist/raw/start-tunnel/index.html: $(WEB_START_TUNNEL_SRC) $(WEB_SHARED_SRC) web/.angular/.updated web/.i18n-checked
+web/dist/raw/install-wizard/index.html: $(WEB_INSTALL_WIZARD_SRC) $(WEB_SHARED_SRC) web/.angular/.updated
-	npm --prefix web run build:tunnel
+	npm --prefix web run build:install
-	touch web/dist/raw/start-tunnel/index.html
+	touch web/dist/raw/install-wizard/index.html
-web/dist/static/%/index.html: web/dist/raw/%/index.html
+$(COMPRESSED_WEB_UIS): $(WEB_UIS) $(ENVIRONMENT_FILE)
-	./web/compress-uis.sh $*
+	./compress-uis.sh
-web/config.json: $(GIT_HASH_FILE) $(ENVIRONMENT_FILE) web/config-sample.json web/update-config.sh
+web/config.json: $(GIT_HASH_FILE) web/config-sample.json
-	./web/update-config.sh	
+	jq '.useMocks = false' web/config-sample.json | jq '.gitHash = "$(shell cat GIT_HASH.txt)"' > web/config.json
 patch-db/client/node_modules/.package-lock.json: patch-db/client/package.json
 	npm --prefix patch-db/client ci
@@ -365,17 +328,14 @@ uis: $(WEB_UIS)
 # this is a convenience step to build the UI
 ui: web/dist/raw/ui
-target/aarch64-unknown-linux-musl/release/pi-beep: ./build/build-cargo-dep.sh
+cargo-deps/aarch64-unknown-linux-musl/release/pi-beep:
-	ARCH=aarch64 ./build/build-cargo-dep.sh pi-beep
+	ARCH=aarch64 ./build-cargo-dep.sh pi-beep
-target/$(RUST_ARCH)-unknown-linux-musl/release/tokio-console: ./build/build-cargo-dep.sh
+cargo-deps/$(ARCH)-unknown-linux-musl/release/tokio-console:
-	ARCH=$(ARCH) ./build/build-cargo-dep.sh tokio-console
+	ARCH=$(ARCH) PREINSTALL="apk add musl-dev pkgconfig" ./build-cargo-dep.sh tokio-console
 	touch $@
-target/$(RUST_ARCH)-unknown-linux-musl/release/startos-backup-fs: ./build/build-cargo-dep.sh
+cargo-deps/$(ARCH)-unknown-linux-musl/release/startos-backup-fs:
-	ARCH=$(ARCH) ./build/build-cargo-dep.sh --git https://github.com/Start9Labs/start-fs.git startos-backup-fs
+	ARCH=$(ARCH) PREINSTALL="apk add fuse3 fuse3-dev fuse3-static musl-dev pkgconfig" ./build-cargo-dep.sh --git https://github.com/Start9Labs/start-fs.git startos-backup-fs
 	touch $@
-target/$(RUST_ARCH)-unknown-linux-musl/release/flamegraph: ./build/build-cargo-dep.sh
+cargo-deps/$(ARCH)-unknown-linux-musl/release/flamegraph:
-	ARCH=$(ARCH) ./build/build-cargo-dep.sh flamegraph
+	ARCH=$(ARCH) PREINSTALL="apk add musl-dev pkgconfig" ./build-cargo-dep.sh flamegraph
 	touch $@
--- a/agents/TODO.md
+++ b/agents/TODO.md
@@ -1,9 +0,0 @@
 # AI Agent TODOs
 Pending tasks for AI agents. Remove items when completed.
 ## Unreviewed CLAUDE.md Sections
 - [ ] Architecture - Web (`/web`) - @MattDHill
--- a/agents/VERSION_BUMP.md
+++ b/agents/VERSION_BUMP.md
@@ -1,201 +0,0 @@
 # StartOS Version Bump Guide
 This document explains how to bump the StartOS version across the entire codebase.
 ## Overview
 When bumping from version `X.Y.Z-alpha.N` to `X.Y.Z-alpha.N+1`, you need to update files in multiple locations across the repository. The `// VERSION_BUMP` comment markers indicate where changes are needed.
 ## Files to Update
 ### 1. Core Rust Crate Version
 **File: `core/Cargo.toml`**
 Update the version string (line ~18):
 ```toml
 version = "0.4.0-alpha.15" # VERSION_BUMP
 ```
 **File: `core/Cargo.lock`**
 This file is auto-generated. After updating `Cargo.toml`, run:
 ```bash
 cd core
 cargo check
 ```
 This will update the version in `Cargo.lock` automatically.
 ### 2. Create New Version Migration Module
 **File: `core/src/version/vX_Y_Z_alpha_N+1.rs`**
 Create a new version file by copying the previous version and updating:
 ```rust
 use exver::{PreReleaseSegment, VersionRange};
 use super::v0_3_5::V0_3_0_COMPAT;
 use super::{VersionT, v0_4_0_alpha_14};  // Update to previous version
 use crate::prelude::*;
 lazy_static::lazy_static! {
    static ref V0_4_0_alpha_15: exver::Version = exver::Version::new(
        [0, 4, 0],
        [PreReleaseSegment::String("alpha".into()), 15.into()]  // Update number
    );
 }
 #[derive(Clone, Copy, Debug, Default)]
 pub struct Version;
 impl VersionT for Version {
    type Previous = v0_4_0_alpha_14::Version;  // Update to previous version
    type PreUpRes = ();
    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
        Ok(())
    }
    fn semver(self) -> exver::Version {
        V0_4_0_alpha_15.clone()  // Update version name
    }
    fn compat(self) -> &'static VersionRange {
        &V0_3_0_COMPAT
    }
    #[instrument(skip_all)]
    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
        // Add migration logic here if needed
        Ok(Value::Null)
    }
    fn down(self, _db: &mut Value) -> Result<(), Error> {
        // Add rollback logic here if needed
        Ok(())
    }
 }
 ```
 ### 3. Update Version Module Registry
 **File: `core/src/version/mod.rs`**
 Make changes in **5 locations**:
 #### Location 1: Module Declaration (~line 57)
 Add the new module after the previous version:
 ```rust
 mod v0_4_0_alpha_14;
 mod v0_4_0_alpha_15;  // Add this
 ```
 #### Location 2: Current Type Alias (~line 59)
 Update the `Current` type and move the `// VERSION_BUMP` comment:
 ```rust
 pub type Current = v0_4_0_alpha_15::Version; // VERSION_BUMP
 ```
 #### Location 3: Version Enum (~line 175)
 Remove `// VERSION_BUMP` from the previous version, add new variant, add comment:
 ```rust
    V0_4_0_alpha_14(Wrapper<v0_4_0_alpha_14::Version>),
    V0_4_0_alpha_15(Wrapper<v0_4_0_alpha_15::Version>), // VERSION_BUMP
    Other(exver::Version),
 ```
 #### Location 4: as_version_t() Match (~line 233)
 Remove `// VERSION_BUMP`, add new match arm, add comment:
 ```rust
            Self::V0_4_0_alpha_14(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_15(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
            Self::Other(v) => {
 ```
 #### Location 5: as_exver() Match (~line 284, inside #[cfg(test)])
 Remove `// VERSION_BUMP`, add new match arm, add comment:
 ```rust
            Version::V0_4_0_alpha_14(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_15(Wrapper(x)) => x.semver(), // VERSION_BUMP
            Version::Other(x) => x.clone(),
 ```
 ### 4. SDK TypeScript Version
 **File: `sdk/package/lib/StartSdk.ts`**
 Update the OSVersion constant (~line 64):
 ```typescript
 export const OSVersion = testTypeVersion("0.4.0-alpha.15");
 ```
 ### 5. Web UI Package Version
 **File: `web/package.json`**
 Update the version field:
 ```json
 {
  "name": "startos-ui",
  "version": "0.4.0-alpha.15",
  ...
 }
 ```
 **File: `web/package-lock.json`**
 This file is auto-generated, but it's faster to update manually. Find all instances of "startos-ui" and update the version field.
 ## Verification Step
 ```
 make
 ```
 ## VERSION_BUMP Comment Pattern
 The `// VERSION_BUMP` comment serves as a marker for where to make changes next time:
 - Always **remove** it from the old location
 - **Add** the new version entry
 - **Move** the comment to mark the new location
 This pattern helps you quickly find all the places that need updating in the next version bump.
 ## Summary Checklist
 - [ ] Update `core/Cargo.toml` version
 - [ ] Create new `core/src/version/vX_Y_Z_alpha_N+1.rs` file
 - [ ] Update `core/src/version/mod.rs` in 5 locations
 - [ ] Run `cargo check` to update `core/Cargo.lock`
 - [ ] Update `sdk/package/lib/StartSdk.ts` OSVersion
 - [ ] Update `web/package.json` and `web/package-lock.json` version
 - [ ] Verify all changes compile/build successfully
 ## Migration Logic
 The `up()` and `down()` methods in the version file handle database migrations:
 - **up()**: Migrates the database from the previous version to this version
 - **down()**: Rolls back from this version to the previous version
 - **pre_up()**: Runs before migration, useful for pre-migration checks or data gathering
 If no migration is needed, return `Ok(Value::Null)` for `up()` and `Ok(())` for `down()`.
 For complex migrations, you may need to:
 1. Update `type PreUpRes` to pass data between `pre_up()` and `up()`
 2. Implement database transformations in the `up()` method
 3. Implement reverse transformations in `down()` for rollback support
--- a/agents/core-rust-patterns.md
+++ b/agents/core-rust-patterns.md
@@ -1,249 +0,0 @@
 # Utilities & Patterns
 This document covers common utilities and patterns used throughout the StartOS codebase.
 ## Util Module (`core/src/util/`)
 The `util` module contains reusable utilities. Key submodules:
 | Module | Purpose |
 |--------|---------|
 | `actor/` | Actor pattern implementation for concurrent state management |
 | `collections/` | Custom collection types |
 | `crypto.rs` | Cryptographic utilities (encryption, hashing) |
 | `future.rs` | Future/async utilities |
 | `io.rs` | File I/O helpers (create_file, canonicalize, etc.) |
 | `iter.rs` | Iterator extensions |
 | `net.rs` | Network utilities |
 | `rpc.rs` | RPC helpers |
 | `rpc_client.rs` | RPC client utilities |
 | `serde.rs` | Serialization helpers (Base64, display/fromstr, etc.) |
 | `sync.rs` | Synchronization primitives (SyncMutex, etc.) |
 ## Command Invocation (`Invoke` trait)
 The `Invoke` trait provides a clean way to run external commands with error handling:
 ```rust
 use crate::util::Invoke;
 // Simple invocation
 tokio::process::Command::new("ls")
    .arg("-la")
    .invoke(ErrorKind::Filesystem)
    .await?;
 // With timeout
 tokio::process::Command::new("slow-command")
    .timeout(Some(Duration::from_secs(30)))
    .invoke(ErrorKind::Timeout)
    .await?;
 // With input
 let mut input = Cursor::new(b"input data");
 tokio::process::Command::new("cat")
    .input(Some(&mut input))
    .invoke(ErrorKind::Filesystem)
    .await?;
 // Piped commands
 tokio::process::Command::new("cat")
    .arg("file.txt")
    .pipe(&mut tokio::process::Command::new("grep").arg("pattern"))
    .invoke(ErrorKind::Filesystem)
    .await?;
 ```
 ## Guard Pattern
 Guards ensure cleanup happens when they go out of scope.
 ### `GeneralGuard` / `GeneralBoxedGuard`
 For arbitrary cleanup actions:
 ```rust
 use crate::util::GeneralGuard;
 let guard = GeneralGuard::new(|| {
    println!("Cleanup runs on drop");
 });
 // Do work...
 // Explicit drop with action
 guard.drop();
 // Or skip the action
 // guard.drop_without_action();
 ```
 ### `FileLock`
 File-based locking with automatic unlock:
 ```rust
 use crate::util::FileLock;
 let lock = FileLock::new("/path/to/lockfile", true).await?;  // blocking=true
 // Lock held until dropped or explicitly unlocked
 lock.unlock().await?;
 ```
 ## Mount Guard Pattern (`core/src/disk/mount/guard.rs`)
 RAII guards for filesystem mounts. Ensures filesystems are unmounted when guards are dropped.
 ### `MountGuard`
 Basic mount guard:
 ```rust
 use crate::disk::mount::guard::MountGuard;
 use crate::disk::mount::filesystem::{MountType, ReadOnly};
 let guard = MountGuard::mount(&filesystem, "/mnt/target", ReadOnly).await?;
 // Use the mounted filesystem at guard.path()
 do_something(guard.path()).await?;
 // Explicit unmount (or auto-unmounts on drop)
 guard.unmount(false).await?;  // false = don't delete mountpoint
 ```
 ### `TmpMountGuard`
 Reference-counted temporary mount (mounts to `/media/startos/tmp/`):
 ```rust
 use crate::disk::mount::guard::TmpMountGuard;
 use crate::disk::mount::filesystem::ReadOnly;
 // Multiple clones share the same mount
 let guard1 = TmpMountGuard::mount(&filesystem, ReadOnly).await?;
 let guard2 = guard1.clone();
 // Mount stays alive while any guard exists
 // Auto-unmounts when last guard is dropped
 ```
 ### `GenericMountGuard` trait
 All mount guards implement this trait:
 ```rust
 pub trait GenericMountGuard: std::fmt::Debug + Send + Sync + 'static {
    fn path(&self) -> &Path;
    fn unmount(self) -> impl Future<Output = Result<(), Error>> + Send;
 }
 ```
 ### `SubPath`
 Wraps a mount guard to point to a subdirectory:
 ```rust
 use crate::disk::mount::guard::SubPath;
 let mount = TmpMountGuard::mount(&filesystem, ReadOnly).await?;
 let subdir = SubPath::new(mount, "data/subdir");
 // subdir.path() returns the full path including subdirectory
 ```
 ## FileSystem Implementations (`core/src/disk/mount/filesystem/`)
 Various filesystem types that can be mounted:
 | Type | Description |
 |------|-------------|
 | `bind.rs` | Bind mounts |
 | `block_dev.rs` | Block device mounts |
 | `cifs.rs` | CIFS/SMB network shares |
 | `ecryptfs.rs` | Encrypted filesystem |
 | `efivarfs.rs` | EFI variables |
 | `httpdirfs.rs` | HTTP directory as filesystem |
 | `idmapped.rs` | ID-mapped mounts |
 | `label.rs` | Mount by label |
 | `loop_dev.rs` | Loop device mounts |
 | `overlayfs.rs` | Overlay filesystem |
 ## Other Useful Utilities
 ### `Apply` / `ApplyRef` traits
 Fluent method chaining:
 ```rust
 use crate::util::Apply;
 let result = some_value
    .apply(|v| transform(v))
    .apply(|v| another_transform(v));
 ```
 ### `Container<T>`
 Async-safe optional container:
 ```rust
 use crate::util::Container;
 let container = Container::new(None);
 container.set(value).await;
 let taken = container.take().await;
 ```
 ### `HashWriter<H, W>`
 Write data while computing hash:
 ```rust
 use crate::util::HashWriter;
 use sha2::Sha256;
 let writer = HashWriter::new(Sha256::new(), file);
 // Write data...
 let (hasher, file) = writer.finish();
 let hash = hasher.finalize();
 ```
 ### `Never` type
 Uninhabited type for impossible cases:
 ```rust
 use crate::util::Never;
 fn impossible() -> Never {
    // This function can never return
 }
 let never: Never = impossible();
 never.absurd::<String>()  // Can convert to any type
 ```
 ### `MaybeOwned<'a, T>`
 Either borrowed or owned data:
 ```rust
 use crate::util::MaybeOwned;
 fn accept_either(data: MaybeOwned<'_, String>) {
    // Use &*data to access the value
 }
 accept_either(MaybeOwned::from(&existing_string));
 accept_either(MaybeOwned::from(owned_string));
 ```
 ### `new_guid()`
 Generate a random GUID:
 ```rust
 use crate::util::new_guid;
 let guid = new_guid();  // Returns InternedString
 ```
--- a/agents/i18n-patterns.md
+++ b/agents/i18n-patterns.md
@@ -1,100 +0,0 @@
 # i18n Patterns in `core/`
 ## Library & Setup
 **Crate:** [`rust-i18n`](https://crates.io/crates/rust-i18n) v3.1.5 (`core/Cargo.toml`)
 **Initialization** (`core/src/lib.rs:3`):
 ```rust
 rust_i18n::i18n!("locales", fallback = ["en_US"]);
 ```
 This macro scans `core/locales/` at compile time and embeds all translations as constants.
 **Prelude re-export** (`core/src/prelude.rs:4`):
 ```rust
 pub use rust_i18n::t;
 ```
 Most modules import `t!` via the prelude.
 ## Translation File
 **Location:** `core/locales/i18n.yaml`
 **Format:** YAML v2 (~755 keys)
 **Supported languages:** `en_US`, `de_DE`, `es_ES`, `fr_FR`, `pl_PL`
 **Entry structure:**
 ```yaml
 namespace.sub.key-name:
  en_US: "English text with %{param}"
  de_DE: "German text with %{param}"
  # ...
 ```
 ## Using `t!()`
 ```rust
 // Simple key
 t!("error.unknown")
 // With parameter interpolation (%{name} in YAML)
 t!("bins.deprecated.renamed", old = old_name, new = new_name)
 ```
 ## Key Naming Conventions
 Keys use **dot-separated hierarchical namespaces** with **kebab-case** for multi-word segments:
 ```
 <module>.<submodule>.<descriptive-name>
 ```
 Examples:
 - `error.incorrect-password` — error kind label
 - `bins.start-init.updating-firmware` — startup phase message
 - `backup.bulk.complete-title` — backup notification title
 - `help.arg.acme-contact` — CLI help text for an argument
 - `context.diagnostic.starting-diagnostic-ui` — diagnostic context status
 ### Top-Level Namespaces
 | Namespace | Purpose |
 |-----------|---------|
 | `error.*` | `ErrorKind` display strings (see `src/error.rs`) |
 | `bins.*` | CLI binary messages (deprecated, start-init, startd, etc.) |
 | `init.*` | Initialization phase labels |
 | `setup.*` | First-run setup messages |
 | `context.*` | Context startup messages (diagnostic, setup, CLI) |
 | `service.*` | Service lifecycle messages |
 | `backup.*` | Backup/restore operation messages |
 | `registry.*` | Package registry messages |
 | `net.*` | Network-related messages |
 | `middleware.*` | Request middleware messages (auth, etc.) |
 | `disk.*` | Disk operation messages |
 | `lxc.*` | Container management messages |
 | `system.*` | System monitoring/metrics messages |
 | `notifications.*` | User-facing notification messages |
 | `update.*` | OS update messages |
 | `util.*` | Utility messages (TUI, RPC) |
 | `ssh.*` | SSH operation messages |
 | `shutdown.*` | Shutdown-related messages |
 | `logs.*` | Log-related messages |
 | `auth.*` | Authentication messages |
 | `help.*` | CLI help text (`help.arg.<arg-name>`) |
 | `about.*` | CLI command descriptions |
 ## Locale Selection
 `core/src/bins/mod.rs:15-36` — `set_locale_from_env()`:
 1. Reads `LANG` environment variable
 2. Strips `.UTF-8` suffix
 3. Exact-matches against available locales, falls back to language-prefix match (e.g. `en_GB` matches `en_US`)
 ## Adding New Keys
 1. Add the key to `core/locales/i18n.yaml` with all 5 language translations
 2. Use the `t!("your.key.name")` macro in Rust code
 3. Follow existing namespace conventions — match the module path where the key is used
 4. Use kebab-case for multi-word segments
 5. Translations are validated at compile time
--- a/agents/rpc-toolkit.md
+++ b/agents/rpc-toolkit.md
@@ -1,226 +0,0 @@
 # rpc-toolkit
 StartOS uses [rpc-toolkit](https://github.com/Start9Labs/rpc-toolkit) for its JSON-RPC API. This document covers the patterns used in this codebase.
 ## Overview
 The API is JSON-RPC (not REST). All endpoints are RPC methods organized in a hierarchical command structure.
 ## Handler Functions
 There are four types of handler functions, chosen based on the function's characteristics:
 ### `from_fn_async` - Async handlers
 For standard async functions. Most handlers use this.
 ```rust
 pub async fn my_handler(ctx: RpcContext, params: MyParams) -> Result<MyResponse, Error> {
    // Can use .await
 }
 from_fn_async(my_handler)
 ```
 ### `from_fn_async_local` - Non-thread-safe async handlers
 For async functions that are not `Send` (cannot be safely moved between threads). Use when working with non-thread-safe types.
 ```rust
 pub async fn cli_download(ctx: CliContext, params: Params) -> Result<(), Error> {
    // Non-Send async operations
 }
 from_fn_async_local(cli_download)
 ```
 ### `from_fn_blocking` - Sync blocking handlers
 For synchronous functions that perform blocking I/O or long computations.
 ```rust
 pub fn query_dns(ctx: RpcContext, params: DnsParams) -> Result<DnsResponse, Error> {
    // Blocking operations (file I/O, DNS lookup, etc.)
 }
 from_fn_blocking(query_dns)
 ```
 ### `from_fn` - Sync non-blocking handlers
 For pure functions or quick synchronous operations with no I/O.
 ```rust
 pub fn echo(ctx: RpcContext, params: EchoParams) -> Result<String, Error> {
    Ok(params.message)
 }
 from_fn(echo)
 ```
 ## ParentHandler
 Groups related RPC methods into a hierarchy:
 ```rust
 use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
 pub fn my_api<C: Context>() -> ParentHandler<C> {
    ParentHandler::new()
        .subcommand("list", from_fn_async(list_handler).with_call_remote::<CliContext>())
        .subcommand("create", from_fn_async(create_handler).with_call_remote::<CliContext>())
 }
 ```
 ## Handler Extensions
 Chain methods to configure handler behavior.
 **Ordering rules:**
 1. `with_about()` must come AFTER other CLI modifiers (`no_display()`, `with_custom_display_fn()`, etc.)
 2. `with_call_remote()` must be the LAST adapter in the chain
 | Method | Purpose |
 |--------|---------|
 | `.with_metadata("key", Value)` | Attach metadata for middleware |
 | `.no_cli()` | RPC-only, not available via CLI |
 | `.no_display()` | No CLI output |
 | `.with_display_serializable()` | Default JSON/YAML output for CLI |
 | `.with_custom_display_fn(\|_, res\| ...)` | Custom CLI output formatting |
 | `.with_about("about.description")` | Add help text (i18n key) - **after CLI modifiers** |
 | `.with_call_remote::<CliContext>()` | Enable CLI to call remotely - **must be last** |
 ### Correct ordering example:
 ```rust
 from_fn_async(my_handler)
    .with_metadata("sync_db", Value::Bool(true))  // metadata early
    .no_display()                                  // CLI modifier
    .with_about("about.my-handler")                // after CLI modifiers
    .with_call_remote::<CliContext>()              // always last
 ```
 ## Metadata by Middleware
 Metadata tags are processed by different middleware. Group them logically:
 ### Auth Middleware (`middleware/auth/mod.rs`)
 | Metadata | Default | Description |
 |----------|---------|-------------|
 | `authenticated` | `true` | Whether endpoint requires authentication. Set to `false` for public endpoints. |
 ### Session Auth Middleware (`middleware/auth/session.rs`)
 | Metadata | Default | Description |
 |----------|---------|-------------|
 | `login` | `false` | Special handling for login endpoints (rate limiting, cookie setting) |
 | `get_session` | `false` | Inject session ID into params as `__Auth_session` |
 ### Signature Auth Middleware (`middleware/auth/signature.rs`)
 | Metadata | Default | Description |
 |----------|---------|-------------|
 | `get_signer` | `false` | Inject signer public key into params as `__Auth_signer` |
 ### Registry Auth (extends Signature Auth)
 | Metadata | Default | Description |
 |----------|---------|-------------|
 | `admin` | `false` | Require admin privileges (signer must be in admin list) |
 | `get_device_info` | `false` | Inject device info header for hardware filtering |
 ### Database Middleware (`middleware/db.rs`)
 | Metadata | Default | Description |
 |----------|---------|-------------|
 | `sync_db` | `false` | Sync database after mutation, add `X-Patch-Sequence` header |
 ## Context Types
 Different contexts for different execution environments:
 - `RpcContext` - Web/RPC requests with full service access
 - `CliContext` - CLI operations, calls remote RPC
 - `InitContext` - During system initialization
 - `DiagnosticContext` - Diagnostic/recovery mode
 - `RegistryContext` - Registry daemon context
 - `EffectContext` - Service effects context (container-to-host calls)
 ## Parameter Structs
 Parameters use derive macros for JSON-RPC, CLI parsing, and TypeScript generation:
 ```rust
 #[derive(Deserialize, Serialize, Parser, TS)]
 #[serde(rename_all = "camelCase")]  // JSON-RPC uses camelCase
 #[command(rename_all = "kebab-case")]  // CLI uses kebab-case
 #[ts(export)]  // Generate TypeScript types
 pub struct MyParams {
    pub package_id: PackageId,
 }
 ```
 ### Middleware Injection
 Auth middleware can inject values into params using special field names:
 ```rust
 #[derive(Deserialize, Serialize, Parser, TS)]
 pub struct MyParams {
    #[ts(skip)]
    #[serde(rename = "__Auth_session")]  // Injected by session auth
    session: InternedString,
    #[ts(skip)]
    #[serde(rename = "__Auth_signer")]   // Injected by signature auth
    signer: AnyVerifyingKey,
    #[ts(skip)]
    #[serde(rename = "__Auth_userAgent")] // Injected during login
    user_agent: Option<String>,
 }
 ```
 ## Common Patterns
 ### Adding a New RPC Endpoint
 1. Define params struct with `Deserialize, Serialize, Parser, TS`
 2. Choose handler type based on sync/async and thread-safety
 3. Write handler function taking `(Context, Params) -> Result<Response, Error>`
 4. Add to parent handler with appropriate extensions (display modifiers before `with_about`)
 5. TypeScript types auto-generated via `make ts-bindings`
 ### Public (Unauthenticated) Endpoint
 ```rust
 from_fn_async(get_info)
    .with_metadata("authenticated", Value::Bool(false))
    .with_display_serializable()
    .with_about("about.get-info")
    .with_call_remote::<CliContext>()  // last
 ```
 ### Mutating Endpoint with DB Sync
 ```rust
 from_fn_async(update_config)
    .with_metadata("sync_db", Value::Bool(true))
    .no_display()
    .with_about("about.update-config")
    .with_call_remote::<CliContext>()  // last
 ```
 ### Session-Aware Endpoint
 ```rust
 from_fn_async(logout)
    .with_metadata("get_session", Value::Bool(true))
    .no_display()
    .with_about("about.logout")
    .with_call_remote::<CliContext>()  // last
 ```
 ## File Locations
 - Handler definitions: Throughout `core/src/` modules
 - Main API tree: `core/src/lib.rs` (`main_api()`, `server()`, `package()`)
 - Auth middleware: `core/src/middleware/auth/`
 - DB middleware: `core/src/middleware/db.rs`
 - Context types: `core/src/context/`
--- a/agents/s9pk-structure.md
+++ b/agents/s9pk-structure.md
@@ -1,122 +0,0 @@
 # S9PK Package Format
 S9PK is the package format for StartOS services. Version 2 uses a merkle archive structure for efficient downloading and cryptographic verification.
 ## File Format
 S9PK files begin with a 3-byte header: `0x3b 0x3b 0x02` (magic bytes + version 2).
 The archive is cryptographically signed using Ed25519 with prehashed content (SHA-512 over blake3 merkle root hash).
 ## Archive Structure
 ```
 /
 ├── manifest.json           # Package metadata (required)
 ├── icon.<ext>              # Package icon - any image/* format (required)
 ├── LICENSE.md              # License text (required)
 ├── dependencies/           # Dependency metadata (optional)
 │   └── <package-id>/
 │       ├── metadata.json   # DependencyMetadata
 │       └── icon.<ext>      # Dependency icon
 ├── javascript.squashfs     # Package JavaScript code (required)
 ├── assets.squashfs         # Static assets (optional, legacy: assets/ directory)
 └── images/                 # Container images by architecture
    └── <arch>/             # e.g., x86_64, aarch64, riscv64
        ├── <image-id>.squashfs  # Container filesystem
        ├── <image-id>.json      # Image metadata
        └── <image-id>.env       # Environment variables
 ```
 ## Components
 ### manifest.json
 The package manifest contains all metadata:
 | Field | Type | Description |
 |-------|------|-------------|
 | `id` | string | Package identifier (e.g., `bitcoind`) |
 | `title` | string | Display name |
 | `version` | string | Extended version string |
 | `satisfies` | string[] | Version ranges this version satisfies |
 | `releaseNotes` | string/object | Release notes (localized) |
 | `canMigrateTo` | string | Version range for forward migration |
 | `canMigrateFrom` | string | Version range for backward migration |
 | `license` | string | License type |
 | `wrapperRepo` | string | StartOS wrapper repository URL |
 | `upstreamRepo` | string | Upstream project URL |
 | `supportSite` | string | Support site URL |
 | `marketingSite` | string | Marketing site URL |
 | `donationUrl` | string? | Optional donation URL |
 | `docsUrl` | string? | Optional documentation URL |
 | `description` | object | Short and long descriptions (localized) |
 | `images` | object | Image configurations by image ID |
 | `volumes` | string[] | Volume IDs for persistent data |
 | `alerts` | object | User alerts for lifecycle events |
 | `dependencies` | object | Package dependencies |
 | `hardwareRequirements` | object | Hardware requirements (arch, RAM, devices) |
 | `hardwareAcceleration` | boolean | Whether package uses hardware acceleration |
 | `gitHash` | string? | Git commit hash |
 | `osVersion` | string | Minimum StartOS version |
 | `sdkVersion` | string? | SDK version used to build |
 ### javascript.squashfs
 Contains the package JavaScript that implements the `ABI` interface from `@start9labs/start-sdk-base`. This code runs in the container runtime and manages the package lifecycle.
 The squashfs is mounted at `/usr/lib/startos/package/` and the runtime loads `index.js`.
 ### images/
 Container images organized by architecture:
 - **`<image-id>.squashfs`** - Container root filesystem
 - **`<image-id>.json`** - Image metadata (entrypoint, user, workdir, etc.)
 - **`<image-id>.env`** - Environment variables for the container
 Images are built from Docker/Podman and converted to squashfs. The `ImageConfig` in manifest specifies:
 - `arch` - Supported architectures
 - `emulateMissingAs` - Fallback architecture for emulation
 - `nvidiaContainer` - Whether to enable NVIDIA container support
 ### assets.squashfs
 Static assets accessible to the package, mounted read-only at `/media/startos/assets/` in the container.
 ### dependencies/
 Metadata for dependencies displayed in the UI:
 - `metadata.json` - Just title for now
 - `icon.<ext>` - Icon for the dependency
 ## Merkle Archive
 The S9PK uses a merkle tree structure where each file and directory has a blake3 hash. This enables:
 1. **Partial downloads** - Download and verify individual files
 2. **Integrity verification** - Verify any subset of the archive
 3. **Efficient updates** - Only download changed portions
 4. **DOS protection** - Size limits enforced before downloading content
 Files are sorted by priority for streaming (manifest first, then icon, license, dependencies, javascript, assets, images).
 ## Building S9PK
 Use `start-cli s9pk pack` to build packages:
 ```bash
 start-cli s9pk pack <manifest-path> -o <output.s9pk>
 ```
 Images can be sourced from:
 - Docker/Podman build (`--docker-build`)
 - Existing Docker tag (`--docker-tag`)
 - Pre-built squashfs files
 ## Related Code
 - `core/src/s9pk/v2/mod.rs` - S9pk struct and serialization
 - `core/src/s9pk/v2/manifest.rs` - Manifest types
 - `core/src/s9pk/v2/pack.rs` - Packing logic
 - `core/src/s9pk/merkle_archive/` - Merkle archive implementation
--- a/build/env/basename.sh
+++ b/build/env/basename.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 PROJECT=${PROJECT:-"startos"}
 cd "$(dirname "${BASH_SOURCE[0]}")"
 PLATFORM="$(if [ -f ./PLATFORM.txt ]; then cat ./PLATFORM.txt; else echo unknown; fi)"
@@ -18,4 +16,4 @@ if [ -n "$STARTOS_ENV" ]; then
  VERSION_FULL="$VERSION_FULL~${STARTOS_ENV}"
 fi
-echo -n "${PROJECT}-${VERSION_FULL}_${PLATFORM}"
+echo -n "startos-${VERSION_FULL}_${PLATFORM}"
--- a/build-cargo-dep.sh
+++ b/build-cargo-dep.sh
@@ -0,0 +1,34 @@
 #!/bin/bash
 set -e
 shopt -s expand_aliases
 if [ "$0" != "./build-cargo-dep.sh" ]; then
 	>&2 echo "Must be run from start-os directory"
 	exit 1
 fi
 USE_TTY=
 if tty -s; then
 	USE_TTY="-it"
 fi
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 DOCKER_PLATFORM="linux/${ARCH}"
 if [ "$ARCH" = aarch64 ] || [ "$ARCH" = arm64 ]; then
 	DOCKER_PLATFORM="linux/arm64"
 elif [ "$ARCH" = x86_64 ]; then
 	DOCKER_PLATFORM="linux/amd64"
 fi
 mkdir -p cargo-deps
 alias 'rust-musl-builder'='docker run $USE_TTY --platform=${DOCKER_PLATFORM} --rm -e "RUSTFLAGS=$RUSTFLAGS" -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$(pwd)"/cargo-deps:/home/rust/src -w /home/rust/src -P rust:alpine'
 PREINSTALL=${PREINSTALL:-true}
 rust-musl-builder sh -c "$PREINSTALL && cargo install $* --target-dir /home/rust/src --target=$ARCH-unknown-linux-musl"
 sudo chown -R $USER cargo-deps
 sudo chown -R $USER ~/.cargo
--- a/build/README.md
+++ b/build/README.md
--- a/build/build-cargo-dep.sh
+++ b/build/build-cargo-dep.sh
@@ -1,26 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")/.."
 set -e
 shopt -s expand_aliases
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
 mkdir -p target
 source core/build/builder-alias.sh
 RUSTFLAGS="-C target-feature=+crt-static"
 rust-zig-builder cargo-zigbuild install $* --target-dir /workdir/target/ --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "target/$RUST_ARCH-unknown-linux-musl/release/${!#}" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID target && chown -R $UID:$UID  /usr/local/cargo"
 fi
--- a/build/dpkg-deps/depends
+++ b/build/dpkg-deps/depends
@@ -3,25 +3,22 @@ avahi-utils
 b3sum
 bash-completion
 beep
 binfmt-support
 bmon
 btrfs-progs
 ca-certificates
 cifs-utils
 conntrack
 cryptsetup
 curl
 dnsutils
 dmidecode
 dnsutils
 dosfstools
 e2fsprogs
 ecryptfs-utils
 equivs
 exfatprogs
 flashrom
 fuse3
 grub-common
 grub-efi
 htop
 httpdirfs
 iotop
@@ -44,9 +41,9 @@ nvme-cli
 nyx
 openssh-server
 podman
 postgresql
 psmisc
 qemu-guest-agent
 qemu-user-static
 rfkill
 rsync
 samba-common-bin
--- a/build/dpkg-deps/generate.sh
+++ b/build/dpkg-deps/generate.sh
@@ -5,18 +5,11 @@ set -e
 cd "$(dirname "${BASH_SOURCE[0]}")"
 IFS="-" read -ra FEATURES <<< "$ENVIRONMENT"
 FEATURES+=("${ARCH}")
 if [ "$ARCH" != "$PLATFORM" ]; then
    FEATURES+=("${PLATFORM}")
 fi
 if [[ "$PLATFORM" =~ -nonfree$ ]]; then
    FEATURES+=("nonfree")
 fi
 feature_file_checker='
 /^#/ { next }
-/^\+ [a-z0-9.-]+$/ { next }
+/^\+ [a-z0-9-]+$/ { next }
-/^- [a-z0-9.-]+$/ { next }
+/^- [a-z0-9-]+$/ { next }
 { exit 1 }
 '
@@ -37,8 +30,8 @@ for type in conflicts depends; do
        for feature in ${FEATURES[@]}; do
            file="$feature.$type"
            if [ -f $file ]; then
-                if grep "^- $pkg$" $file > /dev/null; then
+                if grep "^- $pkg$" $file; then
-                    SKIP=yes
+                    SKIP=1
                fi
            fi
        done
--- a/build/dpkg-deps/nonfree.depends
+++ b/build/dpkg-deps/nonfree.depends
@@ -1,10 +0,0 @@
 + firmware-amd-graphics
 + firmware-atheros
 + firmware-brcm80211
 + firmware-iwlwifi
 + firmware-libertas
 + firmware-misc-nonfree
 + firmware-realtek
 + nvidia-container-toolkit
 # + nvidia-driver
 # + nvidia-kernel-dkms
--- a/build/dpkg-deps/raspberrypi.depends
+++ b/build/dpkg-deps/raspberrypi.depends
@@ -1,10 +0,0 @@
 - grub-efi
 + parted
 + raspberrypi-net-mods
 + raspberrypi-sys-mods
 + raspi-config
 + raspi-firmware
 + raspi-utils
 + rpi-eeprom
 + rpi-update
 + rpi.gpio-common
--- a/build/dpkg-deps/x86_64.depends
+++ b/build/dpkg-deps/x86_64.depends
@@ -1 +0,0 @@
 + grub-pc-bin
--- a/build/image-recipe/Dockerfile
+++ b/build/image-recipe/Dockerfile
@@ -1,35 +0,0 @@
 ARG SUITE=trixie
 FROM debian:${SUITE}
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && \
    apt-get install -yq \
    live-build \
    procps \
    binfmt-support \
    qemu-utils \
    qemu-user-static \
    xorriso \
    isolinux \
    ca-certificates \
    curl \
    wget \
    gpg \
    git \
    fdisk \
    dosfstools \
    e2fsprogs \
    squashfs-tools \
    rsync \
    b3sum \
    dpkg-dev
 COPY binary_grub-efi.patch /root/binary_grub-efi.patch
 RUN patch /usr/lib/live/build/binary_grub-efi < /root/binary_grub-efi.patch && rm /root/binary_grub-efi.patch
 RUN echo 'retry_connrefused = on' > /etc/wgetrc && \
    echo 'tries = 100' >> /etc/wgetrc
 WORKDIR /root
--- a/build/image-recipe/binary_grub-efi.patch
+++ b/build/image-recipe/binary_grub-efi.patch
@@ -1,47 +0,0 @@
 --- /usr/lib/live/build/binary_grub-efi	2024-05-25 05:22:52.000000000 -0600
 +++ binary_grub-efi	2025-10-16 13:04:32.338740922 -0600
@@ -54,6 +54,8 @@
 	armhf)
 		Check_package chroot /usr/lib/grub/arm-efi/configfile.mod grub-efi-arm-bin
 		;;
 +	riscv64)
 +		Check_package chroot /usr/lib/grub/riscv64-efi/configfile.mod grub-efi-riscv64-bin
 esac
 Check_package chroot /usr/bin/grub-mkimage grub-common
 Check_package chroot /usr/bin/mcopy mtools
@@ -136,7 +138,7 @@
 esac
 # Cleanup files that we generate
 -rm -rf binary/boot/efi.img binary/boot/grub/i386-efi/ binary/boot/grub/x86_64-efi binary/boot/grub/arm64-efi binary/boot/grub/arm-efi
 +rm -rf binary/boot/efi.img binary/boot/grub/i386-efi/ binary/boot/grub/x86_64-efi binary/boot/grub/arm64-efi binary/boot/grub/arm-efi binary/boot/grub/riscv64-efi
 # This is workaround till both efi-image and grub-cpmodules are put into a binary package
 case "${LB_BUILD_WITH_CHROOT}" in
@@ -243,6 +245,10 @@
 		gen_efi_boot_img "arm-efi" "arm" "debian-live/arm"
 		PATH="\${PRE_EFI_IMAGE_PATH}"
 		;;
 +	riscv64)
 +		gen_efi_boot_img "riscv64-efi" "riscv64" "debian-live/riscv64"
 +		PATH="\${PRE_EFI_IMAGE_PATH}"
 +		;;
 esac
@@ -324,6 +330,7 @@
 rm -f chroot/grub-efi-temp/bootnetx64.efi
 rm -f chroot/grub-efi-temp/bootnetaa64.efi
 rm -f chroot/grub-efi-temp/bootnetarm.efi
 +rm -f chroot/grub-efi-temp/bootnetriscv64.efi
 mkdir -p binary
 cp -a chroot/grub-efi-temp/* binary/
@@ -331,6 +338,7 @@
 rm -rf chroot/grub-efi-temp-i386-efi
 rm -rf chroot/grub-efi-temp-arm64-efi
 rm -rf chroot/grub-efi-temp-arm-efi
 +rm -rf chroot/grub-efi-temp-riscv64-efi
 rm -rf chroot/grub-efi-temp-cfg
 rm -rf chroot/grub-efi-temp
--- a/build/image-recipe/build.sh
+++ b/build/image-recipe/build.sh
@@ -1,449 +0,0 @@
 #!/bin/bash
 set -e
 MAX_IMG_LEN=$((4 * 1024 * 1024 * 1024)) # 4GB
 echo "==== StartOS Image Build ===="
 echo "Building for architecture: $IB_TARGET_ARCH"
 SOURCE_DIR="$(realpath $(dirname "${BASH_SOURCE[0]}"))"
 base_dir="$(pwd	-P)"
 prep_results_dir="$base_dir/images-prep"
 RESULTS_DIR="$base_dir/results"
 echo "Saving results in: $RESULTS_DIR"
 DEB_PATH="$base_dir/$1"
 VERSION="$(dpkg-deb --fsys-tarfile $DEB_PATH | tar --to-stdout -xvf - ./usr/lib/startos/VERSION.txt)"
 GIT_HASH="$(dpkg-deb --fsys-tarfile $DEB_PATH | tar --to-stdout -xvf - ./usr/lib/startos/GIT_HASH.txt)"
 if [[ "$GIT_HASH" =~ ^@ ]]; then
  GIT_HASH="unknown"
 else
  GIT_HASH="$(echo -n "$GIT_HASH" |  head -c 7)"
 fi
 IB_OS_ENV="$(dpkg-deb --fsys-tarfile $DEB_PATH | tar --to-stdout -xvf - ./usr/lib/startos/ENVIRONMENT.txt)"
 IB_TARGET_PLATFORM="$(dpkg-deb --fsys-tarfile $DEB_PATH | tar --to-stdout -xvf - ./usr/lib/startos/PLATFORM.txt)"
 VERSION_FULL="${VERSION}-${GIT_HASH}"
 if [ -n "$IB_OS_ENV" ]; then
  VERSION_FULL="$VERSION_FULL~${IB_OS_ENV}"
 fi
 IMAGE_BASENAME=startos-${VERSION_FULL}_${IB_TARGET_PLATFORM}
 BOOTLOADERS=grub-efi
 if [ "$IB_TARGET_PLATFORM" = "x86_64" ] || [ "$IB_TARGET_PLATFORM" = "x86_64-nonfree" ]; then
 	IB_TARGET_ARCH=amd64
 	QEMU_ARCH=x86_64
 	BOOTLOADERS=grub-efi,syslinux
 elif [ "$IB_TARGET_PLATFORM" = "aarch64" ] || [ "$IB_TARGET_PLATFORM" = "aarch64-nonfree" ] || [ "$IB_TARGET_PLATFORM" = "raspberrypi" ]  || [ "$IB_TARGET_PLATFORM" = "rockchip64" ]; then
 	IB_TARGET_ARCH=arm64
 	QEMU_ARCH=aarch64
 elif [ "$IB_TARGET_PLATFORM" = "riscv64" ]; then
 	IB_TARGET_ARCH=riscv64
 	QEMU_ARCH=riscv64
 else
 	IB_TARGET_ARCH="$IB_TARGET_PLATFORM"
 	QEMU_ARCH="$IB_TARGET_PLATFORM"
 fi
 QEMU_ARGS=()
 if [ "$QEMU_ARCH" != $(uname -m) ]; then
 	QEMU_ARGS+=(--bootstrap-qemu-arch ${IB_TARGET_ARCH})
 	QEMU_ARGS+=(--bootstrap-qemu-static /usr/bin/qemu-${QEMU_ARCH}-static)
 fi
 mkdir -p $prep_results_dir
 cd $prep_results_dir
 NON_FREE=
 if [[ "${IB_TARGET_PLATFORM}" =~ -nonfree$ ]] || [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
 	NON_FREE=1
 fi
 IMAGE_TYPE=iso
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ] || [ "${IB_TARGET_PLATFORM}" = "rockchip64" ]; then
 	IMAGE_TYPE=img
 fi
 ARCHIVE_AREAS="main contrib"
 if [ "$NON_FREE" = 1 ]; then
 	if [ "$IB_SUITE" = "bullseye" ]; then
 		ARCHIVE_AREAS="$ARCHIVE_AREAS non-free"
 	else
 		ARCHIVE_AREAS="$ARCHIVE_AREAS non-free non-free-firmware"
 	fi
 fi
 PLATFORM_CONFIG_EXTRAS=()
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
 	PLATFORM_CONFIG_EXTRAS+=( --firmware-binary false )
 	PLATFORM_CONFIG_EXTRAS+=( --firmware-chroot false )
 	RPI_KERNEL_VERSION=6.12.47+rpt
 	PLATFORM_CONFIG_EXTRAS+=( --linux-packages linux-image-$RPI_KERNEL_VERSION )
 	PLATFORM_CONFIG_EXTRAS+=( --linux-flavours "rpi-v8 rpi-2712" )
 elif [ "${IB_TARGET_PLATFORM}" = "rockchip64" ]; then
 	PLATFORM_CONFIG_EXTRAS+=( --linux-flavours rockchip64 )
 elif [ "${IB_TARGET_ARCH}" = "riscv64" ]; then
 	PLATFORM_CONFIG_EXTRAS+=( --uefi-secure-boot=disable )
 fi
 cat > /etc/wgetrc << EOF
 retry_connrefused = on
 tries = 100
 EOF
 lb config \
 	--iso-application "StartOS v${VERSION_FULL} ${IB_TARGET_ARCH}" \
 	--iso-volume "StartOS v${VERSION} ${IB_TARGET_ARCH}" \
 	--iso-preparer "START9 LABS; HTTPS://START9.COM" \
 	--iso-publisher "START9 LABS; HTTPS://START9.COM" \
 	--backports true \
 	--bootappend-live "boot=live noautologin" \
 	--bootloaders $BOOTLOADERS \
 	--cache false \
 	--mirror-bootstrap "https://deb.debian.org/debian/" \
 	--mirror-chroot "https://deb.debian.org/debian/" \
 	--mirror-chroot-security "https://security.debian.org/debian-security" \
 	-d ${IB_SUITE} \
 	-a ${IB_TARGET_ARCH} \
 	${QEMU_ARGS[@]} \
 	--archive-areas "${ARCHIVE_AREAS}" \
 	${PLATFORM_CONFIG_EXTRAS[@]}
 # Overlays
 mkdir -p config/packages.chroot/
 cp $RESULTS_DIR/$IMAGE_BASENAME.deb config/packages.chroot/
 dpkg-name config/packages.chroot/*.deb
 mkdir -p config/includes.chroot/etc
 echo start > config/includes.chroot/etc/hostname
 cat > config/includes.chroot/etc/hosts << EOT
 127.0.0.1       localhost start
 ::1             localhost start ip6-localhost ip6-loopback
 ff02::1         ip6-allnodes
 ff02::2         ip6-allrouters
 EOT
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
 	mkdir -p config/includes.chroot
 	git clone --depth=1 --branch=stable https://github.com/raspberrypi/rpi-firmware.git config/includes.chroot/boot
 	rm -rf config/includes.chroot/boot/.git config/includes.chroot/boot/modules
 	rsync -rLp $SOURCE_DIR/raspberrypi/squashfs/ config/includes.chroot/
 fi
 # Bootloaders
 rm -rf config/bootloaders
 cp -r /usr/share/live/build/bootloaders config/bootloaders
 cat > config/bootloaders/syslinux/syslinux.cfg << EOF
 include menu.cfg
 default vesamenu.c32
 prompt 0
 timeout 50
 EOF
 cat > config/bootloaders/isolinux/isolinux.cfg << EOF
 include menu.cfg
 default vesamenu.c32
 prompt 0
 timeout 50
 EOF
 # Extract splash.png from the deb package
 dpkg-deb --fsys-tarfile $DEB_PATH | tar --to-stdout -xf - ./usr/lib/startos/splash.png > /tmp/splash.png
 cp /tmp/splash.png config/bootloaders/syslinux_common/splash.png
 cp /tmp/splash.png config/bootloaders/isolinux/splash.png
 cp /tmp/splash.png config/bootloaders/grub-pc/splash.png
 rm /tmp/splash.png
 sed -i -e '2i set timeout=5' config/bootloaders/grub-pc/config.cfg
 # Archives
 mkdir -p config/archives
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
 	curl -fsSL https://archive.raspberrypi.com/debian/raspberrypi.gpg.key | gpg --dearmor -o config/archives/raspi.key
 	echo "deb [arch=${IB_TARGET_ARCH} signed-by=/etc/apt/trusted.gpg.d/raspi.key.gpg] https://archive.raspberrypi.com/debian/ ${IB_SUITE} main" > config/archives/raspi.list
 fi
 if [ "${IB_TARGET_PLATFORM}" = "rockchip64" ]; then
 	curl -fsSL https://apt.armbian.com/armbian.key | gpg --dearmor -o config/archives/armbian.key
 	echo "deb https://apt.armbian.com/ ${IB_SUITE} main" > config/archives/armbian.list
 fi
 if [ "$NON_FREE" = 1 ]; then
 	curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o config/archives/nvidia-container-toolkit.key
 	curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list \
 		| sed 's#deb https://#deb [signed-by=/etc/apt/trusted.gpg.d/nvidia-container-toolkit.key.gpg] https://#g' \
 		> config/archives/nvidia-container-toolkit.list
 fi
 cat > config/archives/backports.pref <<-EOF
 Package: linux-image-*
 Pin: release n=${IB_SUITE}-backports
 Pin-Priority: 500
 Package: linux-headers-*
 Pin: release n=${IB_SUITE}-backports
 Pin-Priority: 500
 Package: *nvidia*
 Pin: release n=${IB_SUITE}-backports
 Pin-Priority: 500
 EOF
 # Hooks
 cat > config/hooks/normal/9000-install-startos.hook.chroot << EOF
 #!/bin/bash
 set -e
 if [ "${NON_FREE}" = "1" ] && [ "${IB_TARGET_PLATFORM}" != "raspberrypi" ]; then
    # install a specific NVIDIA driver version
    # ---------------- configuration ----------------
    NVIDIA_DRIVER_VERSION="\${NVIDIA_DRIVER_VERSION:-580.119.02}"
    BASE_URL="https://download.nvidia.com/XFree86/Linux-${QEMU_ARCH}"
    echo "[nvidia-hook] Using NVIDIA driver: \${NVIDIA_DRIVER_VERSION}" >&2
    # ---------------- kernel version ----------------
    # Determine target kernel version from newest /boot/vmlinuz-* in the chroot.
    KVER="\$(
        ls -1t /boot/vmlinuz-* 2>/dev/null \
            | head -n1 \
            | sed 's|.*/vmlinuz-||'
    )"
    if [ -z "\${KVER}" ]; then
        echo "[nvidia-hook] ERROR: no /boot/vmlinuz-* found; cannot determine kernel version" >&2
        exit 1
    fi
    echo "[nvidia-hook] Target kernel version: \${KVER}" >&2
    # Ensure kernel headers are present
 	TEMP_APT_DEPS=(build-essential)
    if [ ! -e "/lib/modules/\${KVER}/build" ]; then
 		TEMP_APT_DEPS+=(linux-headers-\${KVER})
    fi
    echo "[nvidia-hook] Installing build dependencies" >&2
 	/usr/lib/startos/scripts/install-equivs <<-EOF
 	Package: nvidia-depends
 	Version: \${NVIDIA_DRIVER_VERSION}
 	Section: unknown
 	Priority: optional
 	Depends: \${dep_list="\$(IFS=', '; echo "\${TEMP_APT_DEPS[*]}")"}
 	EOF
    # ---------------- download and run installer ----------------
    RUN_NAME="NVIDIA-Linux-${QEMU_ARCH}-\${NVIDIA_DRIVER_VERSION}.run"
    RUN_PATH="/root/\${RUN_NAME}"
    RUN_URL="\${BASE_URL}/\${NVIDIA_DRIVER_VERSION}/\${RUN_NAME}"
    echo "[nvidia-hook] Downloading \${RUN_URL}" >&2
    wget -O "\${RUN_PATH}" "\${RUN_URL}"
    chmod +x "\${RUN_PATH}"
    echo "[nvidia-hook] Running NVIDIA installer for kernel \${KVER}" >&2
    sh "\${RUN_PATH}" \
        --silent \
        --kernel-name="\${KVER}" \
        --no-x-check \
        --no-nouveau-check \
        --no-runlevel-check
    # Rebuild module metadata
    echo "[nvidia-hook] Running depmod for \${KVER}" >&2
    depmod -a "\${KVER}"
    echo "[nvidia-hook] NVIDIA \${NVIDIA_DRIVER_VERSION} installation complete for kernel \${KVER}" >&2
    echo "[nvidia-hook] Removing build dependencies..." >&2
 	apt-get purge -y nvidia-depends
 	apt-get autoremove -y
    echo "[nvidia-hook] Removed build dependencies." >&2
 fi
 cp /etc/resolv.conf /etc/resolv.conf.bak
 if [ "${IB_SUITE}" = trixie ] && [ "${IB_TARGET_ARCH}" != riscv64 ]; then
    echo 'deb https://deb.debian.org/debian/ bookworm main' > /etc/apt/sources.list.d/bookworm.list
    apt-get update
    apt-get install -y postgresql-15
    rm /etc/apt/sources.list.d/bookworm.list
    apt-get update
    systemctl mask postgresql
 fi
 if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
    ln -sf /usr/bin/pi-beep /usr/local/bin/beep
    KERNEL_VERSION=${RPI_KERNEL_VERSION} sh /boot/config.sh > /boot/config.txt
    mkinitramfs -c gzip -o /boot/initrd.img-${RPI_KERNEL_VERSION}-rpi-v8 ${RPI_KERNEL_VERSION}-rpi-v8
    mkinitramfs -c gzip -o /boot/initrd.img-${RPI_KERNEL_VERSION}-rpi-2712 ${RPI_KERNEL_VERSION}-rpi-2712
 fi
 useradd --shell /bin/bash -G startos -m start9
 echo start9:embassy | chpasswd
 usermod -aG sudo start9
 usermod -aG systemd-journal start9
 echo "start9 ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee "/etc/sudoers.d/010_start9-nopasswd"
 if [ "${IB_TARGET_PLATFORM}" != "raspberrypi" ]; then
    /usr/lib/startos/scripts/enable-kiosk
 fi
 if ! [[ "${IB_OS_ENV}" =~ (^|-)dev($|-) ]]; then
    passwd -l start9
 fi
 EOF
 SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(date '+%s')}"
 if lb bootstrap; then
 	true
 else
 	EXIT=$?
 	cat ./chroot/debootstrap/debootstrap.log
 	exit $EXIT
 fi
 lb chroot
 lb installer
 lb binary_chroot
 lb chroot_prep install all mode-apt-install-binary mode-archives-chroot
 mv chroot/chroot/etc/resolv.conf.bak chroot/chroot/etc/resolv.conf
 lb binary_rootfs
 cp $prep_results_dir/binary/live/filesystem.squashfs $RESULTS_DIR/$IMAGE_BASENAME.squashfs
 if [ "${IMAGE_TYPE}" = iso ]; then
 	lb binary_manifest
 	lb binary_package-lists
 	lb binary_linux-image
 	lb binary_memtest
 	lb binary_grub-legacy
 	lb binary_grub-pc
 	lb binary_grub_cfg
 	lb binary_syslinux
 	lb binary_disk
 	lb binary_loadlin
 	lb binary_win32-loader
 	lb binary_includes
 	lb binary_grub-efi
 	lb binary_hooks
 	lb binary_checksums
 	find binary -newermt "$(date -d@${SOURCE_DATE_EPOCH} '+%Y-%m-%d %H:%M:%S')" -printf "%y %p\n" -exec touch '{}' -d@${SOURCE_DATE_EPOCH} --no-dereference ';' > binary.modified_timestamps
 	lb binary_iso
 	lb binary_onie
 	lb binary_netboot
 	lb binary_tar
 	lb binary_hdd
 	lb binary_zsync
 	lb chroot_prep remove all mode-archives-chroot
 	lb source
 	mv $prep_results_dir/live-image-${IB_TARGET_ARCH}.hybrid.iso $RESULTS_DIR/$IMAGE_BASENAME.iso
 elif [ "${IMAGE_TYPE}" = img ]; then
 	SECTOR_LEN=512
 	BOOT_START=$((1024 * 1024)) # 1MiB
 	BOOT_LEN=$((512 * 1024 * 1024)) # 512MiB
 	BOOT_END=$((BOOT_START + BOOT_LEN - 1))
 	ROOT_START=$((BOOT_END + 1))
 	ROOT_LEN=$((MAX_IMG_LEN - ROOT_START))
 	ROOT_END=$((MAX_IMG_LEN - 1))
 	TARGET_NAME=$prep_results_dir/${IMAGE_BASENAME}.img
 	truncate -s $MAX_IMG_LEN $TARGET_NAME
 	sfdisk $TARGET_NAME <<-EOF
 		label: dos
 		label-id: 0xcb15ae4d
 		unit: sectors
 		sector-size: 512
 		${TARGET_NAME}1 : start=$((BOOT_START / SECTOR_LEN)), size=$((BOOT_LEN / SECTOR_LEN)), type=c, bootable
 		${TARGET_NAME}2 : start=$((ROOT_START / SECTOR_LEN)), size=$((ROOT_LEN / SECTOR_LEN)), type=83
 	EOF
 	BOOT_DEV=$(losetup --show -f --offset $BOOT_START --sizelimit $BOOT_LEN $TARGET_NAME)
 	ROOT_DEV=$(losetup --show -f --offset $ROOT_START --sizelimit $ROOT_LEN $TARGET_NAME)
 	mkfs.vfat -F32 $BOOT_DEV
 	mkfs.ext4 $ROOT_DEV
 	TMPDIR=$(mktemp -d)
 	mkdir -p $TMPDIR/boot $TMPDIR/root
 	mount $ROOT_DEV $TMPDIR/root
 	mount $BOOT_DEV $TMPDIR/boot
 	unsquashfs -n -f -d $TMPDIR $prep_results_dir/binary/live/filesystem.squashfs boot
 	mkdir $TMPDIR/root/images $TMPDIR/root/config
 	B3SUM=$(b3sum $prep_results_dir/binary/live/filesystem.squashfs | head -c 16)
 	cp $prep_results_dir/binary/live/filesystem.squashfs $TMPDIR/root/images/$B3SUM.rootfs
 	ln -rsf $TMPDIR/root/images/$B3SUM.rootfs $TMPDIR/root/config/current.rootfs
 	mkdir -p $TMPDIR/next $TMPDIR/lower $TMPDIR/root/config/work $TMPDIR/root/config/overlay
 	mount $TMPDIR/root/config/current.rootfs $TMPDIR/lower
 	mount -t overlay -o lowerdir=$TMPDIR/lower,workdir=$TMPDIR/root/config/work,upperdir=$TMPDIR/root/config/overlay overlay $TMPDIR/next
 	if [ "${IB_TARGET_PLATFORM}" = "raspberrypi" ]; then
 		sed -i 's| boot=startos| boot=startos init=/usr/lib/startos/scripts/init_resize\.sh|' $TMPDIR/boot/cmdline.txt
 		rsync -a $SOURCE_DIR/raspberrypi/img/ $TMPDIR/next/
 	fi
 	umount $TMPDIR/next
 	umount $TMPDIR/lower
 	umount $TMPDIR/boot
 	umount $TMPDIR/root
 	e2fsck -fy $ROOT_DEV
 	resize2fs -M $ROOT_DEV
 	BLOCK_COUNT=$(dumpe2fs -h $ROOT_DEV | awk '/^Block count:/ { print $3 }')
 	BLOCK_SIZE=$(dumpe2fs -h $ROOT_DEV | awk '/^Block size:/ { print $3 }')
 	ROOT_LEN=$((BLOCK_COUNT * BLOCK_SIZE))
 	losetup -d $ROOT_DEV
 	losetup -d $BOOT_DEV
 	# Recreate partition 2 with the new size using sfdisk
 	sfdisk $TARGET_NAME <<-EOF
 		label: dos
 		label-id: 0xcb15ae4d
 		unit: sectors
 		sector-size: 512
 		${TARGET_NAME}1 : start=$((BOOT_START / SECTOR_LEN)), size=$((BOOT_LEN / SECTOR_LEN)), type=c, bootable
 		${TARGET_NAME}2 : start=$((ROOT_START / SECTOR_LEN)), size=$((ROOT_LEN / SECTOR_LEN)), type=83
 	EOF
 	TARGET_SIZE=$((ROOT_START + ROOT_LEN))
 	truncate -s $TARGET_SIZE $TARGET_NAME
 	mv $TARGET_NAME $RESULTS_DIR/$IMAGE_BASENAME.img
 fi
 chown $IB_UID:$IB_UID $RESULTS_DIR/$IMAGE_BASENAME.*
--- a/build/image-recipe/raspberrypi/squashfs/boot/config.sh
+++ b/build/image-recipe/raspberrypi/squashfs/boot/config.sh
@@ -1,46 +0,0 @@
 #!/bin/sh
 cat << EOF
 # Enable audio (loads snd_bcm2835)
 dtparam=audio=on
 # Automatically load overlays for detected cameras
 camera_auto_detect=1
 # Automatically load overlays for detected DSI displays
 display_auto_detect=1
 # Enable DRM VC4 V3D driver
 dtoverlay=vc4-kms-v3d
 max_framebuffers=2
 # Run in 64-bit mode
 arm_64bit=1
 # Disable compensation for displays with overscan
 disable_overscan=1
 [cm4]
 # Enable host mode on the 2711 built-in XHCI USB controller.
 # This line should be removed if the legacy DWC2 controller is required
 # (e.g. for USB device mode) or if USB support is not required.
 otg_mode=1
 [all]
 [pi4]
 # Run as fast as firmware / board allows
 arm_boost=1
 kernel=vmlinuz-${KERNEL_VERSION}-rpi-v8
 initramfs initrd.img-${KERNEL_VERSION}-rpi-v8 followkernel
 [pi5]
 kernel=vmlinuz-${KERNEL_VERSION}-rpi-2712
 initramfs initrd.img-${KERNEL_VERSION}-rpi-2712 followkernel
 [all]
 gpu_mem=16
 dtoverlay=pwm-2chan,disable-bt
 EOF
--- a/build/image-recipe/run-local-build.sh
+++ b/build/image-recipe/run-local-build.sh
@@ -1,35 +0,0 @@
 #!/bin/bash
 set -e
 cd "$(dirname "${BASH_SOURCE[0]}")/../.."
 BASEDIR="$(pwd -P)"
 SUITE=trixie
 USE_TTY=
 if tty -s; then
  USE_TTY="-it"
 fi
 dockerfile_hash=$(sha256sum ${BASEDIR}/build/image-recipe/Dockerfile | head -c 7)
 docker_img_name="start9/build-iso:${SUITE}-${dockerfile_hash}"
 platform=linux/${ARCH}
 case $ARCH in
 	x86_64)
 		platform=linux/amd64;;
 	aarch64)
 		platform=linux/arm64;;
 esac
 if ! docker run --rm --platform=$platform "${docker_img_name}" true 2> /dev/null; then
 	docker buildx build --load --platform=$platform --build-arg=SUITE=${SUITE} -t "${docker_img_name}" ./build/image-recipe
 fi
 docker run $USE_TTY --rm --platform=$platform --privileged -v "$(pwd)/build/image-recipe:/root/image-recipe" -v "$(pwd)/results:/root/results" \
 	-e IB_SUITE="$SUITE" \
 	-e IB_UID="$UID" \
 	-e IB_INCLUDE \
 	"${docker_img_name}" /root/image-recipe/build.sh $@
--- a/build/lib/grub-theme/theme.txt
+++ b/build/lib/grub-theme/theme.txt
@@ -1,51 +0,0 @@
 desktop-image: "../splash.png"
 title-color: "#ffffff"
 title-font: "Unifont Regular 16"
 title-text: "StartOS Boot Menu with GRUB"
 message-font: "Unifont Regular 16"
 terminal-font: "Unifont Regular 16"
 #help bar at the bottom
 + label {
        top = 100%-50
        left = 0
        width = 100%
        height = 20
        text = "@KEYMAP_SHORT@"
        align = "center"
        color = "#ffffff"
        font = "Unifont Regular 16"
 }
 #boot menu
 + boot_menu {
        left = 10%
        width = 80%
        top = 52%
        height = 48%-80
        item_color = "#a8a8a8"
        item_font = "Unifont Regular 16"
        selected_item_color= "#ffffff"
        selected_item_font = "Unifont Regular 16"
        item_height = 16
        item_padding = 0
        item_spacing = 4
        icon_width = 0
        icon_heigh = 0
        item_icon_space = 0
 }
 #progress bar
 + progress_bar {
        id = "__timeout__"
        left = 15%
        top = 100%-80
        height = 16
        width = 70%
        font = "Unifont Regular 16"
        text_color = "#000000"
        fg_color = "#ffffff"
        bg_color = "#a8a8a8"
        border_color = "#ffffff"
        text = "@TIMEOUT_NOTIFICATION_LONG@"
 }
--- a/build/lib/motd
+++ b/build/lib/motd
@@ -1,123 +1,34 @@
 #!/bin/sh
 printf "\n"
 printf "Welcome to\n"
 cat << "ASCII"
-parse_essential_db_info() {
+           ███████        
-    DB_DUMP="/tmp/startos_db.json"
+         █    █    █      
       █     █ █     █    
      █     █   █     █   
      █    █     █    █   
       █  █       █  █    
         █         █      
           ███████        
-    if command -v start-cli >/dev/null 2>&1; then
+    _____     __ ___  __  __
-        timeout 30 start-cli db dump > "$DB_DUMP" 2>/dev/null || return 1
+   (_  |  /\ |__) |  /  \(_
-    else
+   __) | /  \|  \ |  \__/__)
-        return 1
+ASCII
-    fi
+printf "                            v$(cat /usr/lib/startos/VERSION.txt)\n\n"
-
+printf "   %s (%s %s)\n" "$(uname -o)" "$(uname -r)" "$(uname -m)"
-    if command -v jq >/dev/null 2>&1 && [ -f "$DB_DUMP" ]; then
+printf "   Git Hash: $(cat /usr/lib/startos/GIT_HASH.txt)"
-        HOSTNAME=$(jq -r '.value.serverInfo.hostname // "unknown"' "$DB_DUMP" 2>/dev/null)
+if [ -n "$(cat /usr/lib/startos/ENVIRONMENT.txt)" ]; then
-        VERSION=$(jq -r '.value.serverInfo.version // "unknown"' "$DB_DUMP" 2>/dev/null)
+    printf " ~ $(cat /usr/lib/startos/ENVIRONMENT.txt)\n"
        RAM_BYTES=$(jq -r '.value.serverInfo.ram // 0' "$DB_DUMP" 2>/dev/null)
        WAN_IP=$(jq -r '.value.serverInfo.network.gateways[].ipInfo.wanIp // "unknown"' "$DB_DUMP" 2>/dev/null | head -1)
        NTP_SYNCED=$(jq -r '.value.serverInfo.ntpSynced // false' "$DB_DUMP" 2>/dev/null)
        if [ "$RAM_BYTES" != "0" ] && [ "$RAM_BYTES" != "null" ]; then
            RAM_GB=$(echo "scale=1; $RAM_BYTES / 1073741824" | bc 2>/dev/null || echo "unknown")
        else
            RAM_GB="unknown"
        fi
        RUNNING_SERVICES=$(jq -r '[.value.packageData[] | select(.statusInfo.started != null)] | length' "$DB_DUMP" 2>/dev/null)
        TOTAL_SERVICES=$(jq -r '.value.packageData | length' "$DB_DUMP" 2>/dev/null)
        rm -f "$DB_DUMP"
        return 0
    else
        rm -f "$DB_DUMP" 2>/dev/null
        return 1
    fi
 }
 DB_INFO_AVAILABLE=0
 if parse_essential_db_info; then
    DB_INFO_AVAILABLE=1
 fi
 if [ "$DB_INFO_AVAILABLE" -eq 1 ] && [ "$VERSION" != "unknown" ]; then
    version_display="v$VERSION"
 else
-    version_display="v$(cat /usr/lib/startos/VERSION.txt 2>/dev/null || echo 'unknown')"
+    printf "\n"
 fi
-printf "\n\033[1;37m    ▄▄▀▀▀▀▀▄▄\033[0m\n"
+printf "\n"
-printf "\033[1;37m  ▄▀    ▄    ▀▄      ▄▄▄▄▄  ▄▄▄▄▄▄▄    ▄      ▄▄▄▄▄   ▄▄▄▄▄▄▄ \033[1;31m▄██████▄ ▄██████\033[0m\n"
+printf " * Documentation:  https://docs.start9.com\n"
-printf "\033[1;37m █     █ █     █    █          █      █ █     █    ▀▄    █    \033[1;31m██    ██ ██     \033[0m\n"
+printf " * Management:     https://%s.local\n" "$(hostname)"
-printf "\033[1;37m█     █   █     █   ▀▄▄▄▄      █     █   █    █ ▄▄▄▀     █    \033[1;31m██    ██ ▀█████▄\033[0m\n"
+printf " * Support:        https://start9.com/contact\n"
-printf "\033[1;37m█    █     █    █        █     █    █     █   █  ▀▄      █    \033[1;31m██    ██      ██\033[0m\n"
+printf " * Source Code:    https://github.com/Start9Labs/start-os\n"
-printf "\033[1;37m █  █       █  █    ▄▄▄▄▄▀     █   █       █  █    ▀▄    █    \033[1;31m▀██████▀ ██████▀\033[0m\n"
+printf " * License:        MIT\n"
-printf "\033[1;37m   █         █\033[0m\n"
+printf "\n"
 printf "\033[1;37m     ▀▀▄▄▄▀▀                                                  $version_display\033[0m\n\n"
 uptime_str=$(uptime | awk -F'up ' '{print $2}' | awk -F',' '{print $1}' | sed 's/^ *//')
 if [ "$DB_INFO_AVAILABLE" -eq 1 ] && [ "$RAM_GB" != "unknown" ]; then
    memory_used=$(free -m | awk 'NR==2{printf "%.0fMB", $3}')
    memory_display="$memory_used / ${RAM_GB}GB"
 else
    memory_display=$(free -m | awk 'NR==2{printf "%.0fMB / %.0fMB", $3, $2}')
 fi
 root_usage=$(df -h / | awk 'NR==2{printf "%s (%s free)", $5, $4}')
 if [ -d "/media/startos/data/package-data" ]; then
    data_usage=$(df -h /media/startos/data/package-data | awk 'NR==2{printf "%s (%s free)", $5, $4}')
 else
    data_usage="N/A"
 fi
 if [ "$DB_INFO_AVAILABLE" -eq 1 ]; then
    services_text="$RUNNING_SERVICES/$TOTAL_SERVICES running"
 else
    services_text="Unknown"
 fi
 local_ip=$(ip route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="src") print $(i+1)}' | head -1)
 if [ -z "$local_ip" ]; then local_ip="N/A"; fi
 if [ "$DB_INFO_AVAILABLE" -eq 1 ] && [ "$WAN_IP" != "unknown" ]; then
    wan_ip="$WAN_IP"
 else
    wan_ip="N/A"
 fi
 printf "    \033[1;37m┌─ SYSTEM STATUS ───────────────────────────────────────────────────┐\033[0m\n"
 printf "    \033[1;37m│\033[0m %-8s  \033[0;33m%-22s\033[0m %-8s \033[0;33m%-23s\033[0m \033[1;37m│\033[0m\n" "Uptime:" "$uptime_str" "Memory:" "$memory_display"
 printf "    \033[1;37m│\033[0m %-8s  \033[0;33m%-22s\033[0m %-8s \033[0;33m%-23s\033[0m \033[1;37m│\033[0m\n" "Root:" "$root_usage" "Data:" "$data_usage"
 if [ "$DB_INFO_AVAILABLE" -eq 1 ]; then
    if [ "$RUNNING_SERVICES" -eq "$TOTAL_SERVICES" ] && [ "$TOTAL_SERVICES" -gt 0 ]; then
        printf "    \033[1;37m│\033[0m %-8s \033[0;32m%-22s\033[0m %-8s \033[0;33m%-23s\033[0m \033[1;37m│\033[0m\n" "Services:" "$services_text" "WAN:" "$wan_ip"
    elif [ "$RUNNING_SERVICES" -gt 0 ]; then
        printf "    \033[1;37m│\033[0m %-8s \033[0;33m%-22s\033[0m %-8s \033[0;33m%-23s\033[0m \033[1;37m│\033[0m\n" "Services:" "$services_text" "WAN:" "$wan_ip"
    else
        printf "    \033[1;37m│\033[0m %-8s \033[0;31m%-22s\033[0m %-8s \033[0;33m%-23s\033[0m \033[1;37m│\033[0m\n" "Services:" "$services_text" "WAN:" "$wan_ip"
    fi
 else
    printf "    \033[1;37m│\033[0m %-8s \033[0;37m%-22s\033[0m %-8s \033[0;33m%-23s\033[0m \033[1;37m│\033[0m\n" "Services:" "$services_text" "WAN:" "$wan_ip"
 fi
 if [ "$DB_INFO_AVAILABLE" -eq 1 ] && [ "$NTP_SYNCED" = "true" ]; then
    printf "    \033[1;37m│\033[0m %-8s  \033[0;33m%-22s\033[0m %-8s \033[0;32m%-23s\033[0m \033[1;37m│\033[0m\n" "Local:" "$local_ip" "NTP:" "Synced"
 elif [ "$DB_INFO_AVAILABLE" -eq 1 ] && [ "$NTP_SYNCED" = "false" ]; then
    printf "    \033[1;37m│\033[0m %-8s  \033[0;33m%-22s\033[0m %-8s \033[0;31m%-23s\033[0m \033[1;37m│\033[0m\n" "Local:" "$local_ip" "NTP:" "Not Synced"
 else
    printf "    \033[1;37m│\033[0m %-8s  \033[0;33m%-22s\033[0m %-8s \033[0;37m%-23s\033[0m \033[1;37m│\033[0m\n" "Local:" "$local_ip" "NTP:" "Unknown"
 fi
 printf "    \033[1;37m└───────────────────────────────────────────────────────────────────┘\033[0m"
 if [ "$DB_INFO_AVAILABLE" -eq 1 ] && [ "$HOSTNAME" != "unknown" ]; then
    web_url="https://$HOSTNAME.local"
 else
    web_url="https://$(hostname).local"
 fi
 printf "\n    \033[1;37m┌──────────────────────────────────────────────────── QUICK ACCESS ─┐\033[0m\n"
 printf "    \033[1;37m│\033[0m Web Interface: \033[0;36m%-50s\033[0m \033[1;37m│\033[0m\n" "$web_url"
 printf "    \033[1;37m│\033[0m Documentation: \033[0;36m%-50s\033[0m \033[1;37m│\033[0m\n" "https://staging.docs.start9.com"
 printf "    \033[1;37m│\033[0m Support:       \033[0;36m%-50s\033[0m \033[1;37m│\033[0m\n" "https://start9.com/contact"
 printf "    \033[1;37m└───────────────────────────────────────────────────────────────────┘\033[0m\n\n"
--- a/build/lib/scripts/chroot-and-upgrade
+++ b/build/lib/scripts/chroot-and-upgrade
@@ -10,24 +10,24 @@ fi
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
-    case $1 in
+  case $1 in
-      --no-sync)
+    --no-sync)
-          NO_SYNC=1
+      NO_SYNC=1
-          shift
+      shift
-          ;;
+      ;;
-      --create)
+    --create)
-          ONLY_CREATE=1
+      ONLY_CREATE=1
-          shift
+      shift
-          ;;
+      ;;
-      -*|--*)
+    -*|--*)
-          echo "Unknown option $1"
+      echo "Unknown option $1"
-          exit 1
+      exit 1
-          ;;
+      ;;
-      *)
+    *)
-          POSITIONAL_ARGS+=("$1") # save positional arg
+      POSITIONAL_ARGS+=("$1") # save positional arg
-          shift # past argument
+      shift # past argument
-          ;;
+      ;;
-    esac
+  esac
 done
 set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
@@ -35,7 +35,7 @@ set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
 if [ -z "$NO_SYNC" ]; then
    echo 'Syncing...'
    umount -R /media/startos/next 2> /dev/null
-    umount /media/startos/upper 2> /dev/null
+    umount -R /media/startos/upper 2> /dev/null
    rm -rf /media/startos/upper /media/startos/next
    mkdir /media/startos/upper
    mount -t tmpfs tmpfs /media/startos/upper
@@ -43,6 +43,8 @@ if [ -z "$NO_SYNC" ]; then
    mount -t overlay \
 		  -olowerdir=/media/startos/current,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
 		  overlay /media/startos/next
    mkdir -p /media/startos/next/media/startos/root
    mount --bind /media/startos/root /media/startos/next/media/startos/root
 fi
 if [ -n "$ONLY_CREATE" ]; then
@@ -54,18 +56,12 @@ mkdir -p /media/startos/next/dev
 mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
 mkdir -p /media/startos/next/media/startos/root
 mount --bind /run /media/startos/next/run
 mount --bind /tmp /media/startos/next/tmp
 mount --bind /dev /media/startos/next/dev
 mount --bind /sys /media/startos/next/sys
 mount --bind /proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 if mountpoint /sys/firmware/efi/efivars 2>&1 > /dev/null; then
  mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
 fi
 if [ -z "$*" ]; then
    chroot /media/startos/next
@@ -75,10 +71,6 @@ else
    CHROOT_RES=$?
 fi
 if mountpoint /media/startos/next/sys/firmware/efi/efivars 2>&1 > /dev/null; then
  umount /media/startos/next/sys/firmware/efi/efivars 
 fi
 umount /media/startos/next/run
 umount /media/startos/next/tmp
 umount /media/startos/next/dev
@@ -95,12 +87,11 @@ if [ "$CHROOT_RES" -eq 0 ]; then
    echo 'Upgrading...'
    rm -f /media/startos/images/next.squashfs
    if ! time mksquashfs /media/startos/next /media/startos/images/next.squashfs -b 4096 -comp gzip; then
-        umount -l /media/startos/next
+      umount -R /media/startos/next
-        umount -l /media/startos/upper
+      umount -R /media/startos/upper
-        rm -rf /media/startos/upper /media/startos/next
+      rm -rf /media/startos/upper /media/startos/next
-        exit 1
+      exit 1
    fi
    hash=$(b3sum /media/startos/images/next.squashfs | head -c 32)
    mv /media/startos/images/next.squashfs /media/startos/images/${hash}.rootfs
@@ -111,6 +102,6 @@ if [ "$CHROOT_RES" -eq 0 ]; then
    reboot
 fi
-umount /media/startos/next
+umount -R /media/startos/next
-umount /media/startos/upper
+umount -R /media/startos/upper
 rm -rf /media/startos/upper /media/startos/next
--- a/build/lib/scripts/enable-kiosk
+++ b/build/lib/scripts/enable-kiosk
@@ -64,11 +64,9 @@ user_pref("messaging-system.rsexperimentloader.enabled", false);
 user_pref("network.allow-experiments", false);
 user_pref("network.captive-portal-service.enabled", false);
 user_pref("network.connectivity-service.enabled", false);
-user_pref("network.proxy.socks", "10.0.3.1");
+user_pref("network.proxy.autoconfig_url", "file:///usr/lib/startos/proxy.pac");
 user_pref("network.proxy.socks_port", 9050);
 user_pref("network.proxy.socks_version", 5);
 user_pref("network.proxy.socks_remote_dns", true);
-user_pref("network.proxy.type", 1);
+user_pref("network.proxy.type", 2);
 user_pref("privacy.resistFingerprinting", true);
 //Enable letterboxing if we want the window size sent to the server to snap to common resolutions:
 //user_pref("privacy.resistFingerprinting.letterboxing", true);
--- a/build/lib/scripts/forward-port
+++ b/build/lib/scripts/forward-port
@@ -1,55 +1,26 @@
 #!/bin/bash
-if [ -z "$sip" ] || [ -z "$dip" ] || [ -z "$dprefix" ] || [ -z "$sport" ] || [ -z "$dport" ]; then
+if [ -z "$iiface" ] || [ -z "$oiface" ] || [ -z "$sip" ] || [ -z "$dip" ] || [ -z "$sport" ] || [ -z "$dport" ]; then
    >&2 echo 'missing required env var'
    exit 1
 fi
-NAME="F$(echo "$sip:$sport -> $dip/$dprefix:$dport" | sha256sum | head -c 15)"
+kind="-A"
 for kind in INPUT FORWARD ACCEPT; do
    if ! iptables -C $kind -j "${NAME}_${kind}" 2> /dev/null; then
        iptables -N "${NAME}_${kind}" 2> /dev/null
        iptables -A $kind -j "${NAME}_${kind}"
    fi
 done
 for kind in PREROUTING INPUT OUTPUT POSTROUTING; do
    if ! iptables -t nat -C $kind -j "${NAME}_${kind}" 2> /dev/null; then
        iptables -t nat -N "${NAME}_${kind}" 2> /dev/null
        iptables -t nat -A $kind -j "${NAME}_${kind}"
    fi
 done
 err=0
 trap 'err=1' ERR
 for kind in INPUT FORWARD ACCEPT; do
    iptables -F "${NAME}_${kind}" 2> /dev/null
 done
 for kind in PREROUTING INPUT OUTPUT POSTROUTING; do
    iptables -t nat -F "${NAME}_${kind}" 2> /dev/null
 done
 if [ "$UNDO" = 1 ]; then
-    conntrack -D -p tcp -d $sip --dport $sport || true # conntrack returns exit 1 if no connections are active
+    kind="-D"
    conntrack -D -p udp -d $sip --dport $sport || true # conntrack returns exit 1 if no connections are active
    exit $err
 fi
-# DNAT: rewrite destination for incoming packets (external traffic)
+iptables -t nat "$kind" POSTROUTING -o $iiface -j MASQUERADE
-iptables -t nat -A ${NAME}_PREROUTING -d "$sip" -p tcp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
+iptables -t nat "$kind" PREROUTING -i $iiface -p tcp --dport $sport -j DNAT --to-destination $dip:$dport
-iptables -t nat -A ${NAME}_PREROUTING -d "$sip" -p udp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
+iptables -t nat "$kind" PREROUTING -i $iiface -p udp --dport $sport -j DNAT --to-destination $dip:$dport
 iptables -t nat "$kind" PREROUTING -i $oiface -s $dip/24 -d $sip -p tcp --dport $sport -j DNAT --to-destination $dip:$dport
 iptables -t nat "$kind" PREROUTING -i $oiface -s $dip/24 -d $sip -p udp --dport $sport -j DNAT --to-destination $dip:$dport
 iptables -t nat "$kind" POSTROUTING -o $oiface -s $dip/24 -d $dip/32 -p tcp --dport $dport -j SNAT --to-source $sip:$sport
 iptables -t nat "$kind" POSTROUTING -o $oiface -s $dip/24 -d $dip/32 -p udp --dport $dport -j SNAT --to-source $sip:$sport
 # DNAT: rewrite destination for locally-originated packets (hairpin from host itself)
 iptables -t nat -A ${NAME}_OUTPUT -d "$sip" -p tcp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
 iptables -t nat -A ${NAME}_OUTPUT -d "$sip" -p udp --dport "$sport" -j DNAT --to-destination "$dip:$dport"
-# MASQUERADE: rewrite source for all forwarded traffic to the destination
+iptables -t nat "$kind" PREROUTING -i $iiface -s $sip/32 -d $sip -p tcp --dport $sport -j DNAT --to-destination $dip:$dport
-# This ensures responses are routed back through the host regardless of source IP
+iptables -t nat "$kind" PREROUTING -i $iiface -s $sip/32 -d $sip -p udp --dport $sport -j DNAT --to-destination $dip:$dport
-iptables -t nat -A ${NAME}_POSTROUTING -d "$dip" -p tcp --dport "$dport" -j MASQUERADE
+iptables -t nat "$kind" POSTROUTING -o $oiface -s $sip/32 -d $dip/32 -p tcp --dport $dport -j SNAT --to-source $sip:$sport
-iptables -t nat -A ${NAME}_POSTROUTING -d "$dip" -p udp --dport "$dport" -j MASQUERADE
+iptables -t nat "$kind" POSTROUTING -o $oiface -s $sip/32 -d $dip/32 -p udp --dport $dport -j SNAT --to-source $sip:$sport
 # Allow new connections to be forwarded to the destination
 iptables -A ${NAME}_FORWARD -d $dip -p tcp --dport $dport -m state --state NEW -j ACCEPT
 iptables -A ${NAME}_FORWARD -d $dip -p udp --dport $dport -m state --state NEW -j ACCEPT
 exit $err
--- a/build/lib/scripts/install-equivs
+++ b/build/lib/scripts/install-equivs
@@ -1,20 +0,0 @@
 #!/bin/bash
 export DEBIAN_FRONTEND=noninteractive
 export DEBCONF_NONINTERACTIVE_SEEN=true
 TMP_DIR=$(mktemp -d)
 (
    set -e
    cd $TMP_DIR
    cat > control.equivs
    equivs-build control.equivs
    apt-get install -y ./*.deb < /dev/null
 )
 rm -rf $TMP_DIR
 echo Install complete. >&2
 exit 0
--- a/build/lib/scripts/prune-images
+++ b/build/lib/scripts/prune-images
@@ -29,13 +29,10 @@ if [ -z "$needed" ]; then
    exit 1
 fi
 MARGIN=${MARGIN:-1073741824}
 target=$((needed + MARGIN))
 if [ -h /media/startos/config/current.rootfs ] && [ -e /media/startos/config/current.rootfs ]; then
    echo 'Pruning...'
    current="$(readlink -f /media/startos/config/current.rootfs)"
-    while [[ "$(df -B1 --output=avail --sync /media/startos/images | tail -n1)" -lt "$target" ]]; do
+    while [[ "$(df -B1 --output=avail --sync /media/startos/images | tail -n1)" -lt "$needed" ]]; do
        to_prune="$(ls -t1 /media/startos/images/*.rootfs /media/startos/images/*.squashfs 2> /dev/null | grep -v "$current" | tail -n1)"
        if [ -e "$to_prune" ]; then
            echo "  Pruning $to_prune"
--- a/build/lib/scripts/startos-initramfs-module
+++ b/build/lib/scripts/startos-initramfs-module
@@ -83,7 +83,6 @@ local_mount_root()
 	if [ -d "$image" ]; then
 		mount -r --bind $image /lower
 	elif [ -f "$image" ]; then
 		modprobe loop
 		modprobe squashfs
 		mount -r $image /lower
 	else
--- a/build/lib/scripts/tor-check
+++ b/build/lib/scripts/tor-check
@@ -1,64 +1,36 @@
 #!/bin/bash
-# --- Config ---
+fail=$(printf " [\033[31m fail \033[0m]")
-# Colors (using printf to ensure compatibility)
+pass=$(printf " [\033[32m pass \033[0m]")
 GRAY=$(printf '\033[90m')
 GREEN=$(printf '\033[32m')
 RED=$(printf '\033[31m')
 NC=$(printf '\033[0m') # No Color
 # Proxies to test
 proxies=(
    "Host Tor|127.0.1.1:9050"
    "Startd Tor|10.0.3.1:9050"
 )
 # Default URLs
 onion_list=(
    "The Tor Project|http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion"
    "Start9|http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion"
    "Mempool|http://mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad.onion"
    "DuckDuckGo|https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion"
    "Brave Search|https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion"
 )
-# Load custom list
+# Check if ~/.startos/tor-check.list exists and read its contents if available
-[ -f ~/.startos/tor-check.list ] && readarray -t custom_list < <(grep -v '^#' ~/.startos/tor-check.list) && onion_list+=("${custom_list[@]}")
+if [ -f ~/.startos/tor-check.list ]; then
-
+    while IFS= read -r line; do
-# --- Functions ---
+        # Check if the line starts with a #
-print_line() { printf "${GRAY}────────────────────────────────────────${NC}\n"; }
+        if [[ ! "$line" =~ ^# ]]; then
-
+            onion_list+=("$line")
 # --- Main ---
 echo "Testing Onion Connections..."
 for proxy_info in "${proxies[@]}"; do
    proxy_name="${proxy_info%%|*}"
    proxy_addr="${proxy_info#*|}"
    print_line
    printf "${GRAY}Proxy: %s (%s)${NC}\n" "$proxy_name" "$proxy_addr"
    for data in "${onion_list[@]}"; do
        name="${data%%|*}"
        url="${data#*|}"
        # Capture verbose output + http code.
        # --no-progress-meter: Suppresses the "0 0 0" stats but keeps -v output
        output=$(curl -v --no-progress-meter --max-time 15 --socks5-hostname "$proxy_addr" "$url" 2>&1)
        exit_code=$?
        if [ $exit_code -eq 0 ]; then
            printf "  ${GREEN}[pass]${NC} %s (%s)\n" "$name" "$url"
        else
            printf "  ${RED}[fail]${NC} %s (%s)\n" "$name" "$url"
            printf "         ${RED}↳ Curl Error %s${NC}\n" "$exit_code"
            # Print the last 4 lines of verbose log to show the specific handshake error
            # We look for lines starting with '*' or '>' or '<' to filter out junk if any remains
            echo "$output" | tail -n 4 | sed "s/^/         ${GRAY}/"
        fi
-    done
+    done < ~/.startos/tor-check.list
 fi
 echo "Testing connection to Onion Pages ..."
 for data in "${onion_list[@]}"; do
    name="${data%%|*}"
    url="${data#*|}"
    if curl --socks5-hostname localhost:9050 "$url" > /dev/null 2>&1; then
        echo " ${pass}: $name ($url) "
    else
        echo " ${fail}: $name ($url) "
    fi
 done
-print_line
+
-# Reset color just in case
+echo
-printf "${NC}"
+echo "Done."
--- a/build/lib/scripts/upgrade
+++ b/build/lib/scripts/upgrade
@@ -1,82 +0,0 @@
 #!/bin/bash
 set -e
 SOURCE_DIR="$(dirname $(realpath "${BASH_SOURCE[0]}"))"
 if [ "$UID" -ne 0 ]; then
    >&2 echo 'Must be run as root'
    exit 1
 fi
 if ! [ -f "$1" ]; then
    >&2 echo "usage: $0 <SQUASHFS>"
    exit 1
 fi
 echo 'Upgrading...'
 hash=$(b3sum $1 | head -c 32)
 if [ -n "$2" ] && [ "$hash" != "$CHECKSUM" ]; then
    >&2 echo 'Checksum mismatch'
    exit 2
 fi
 unsquashfs -f -d / $1 boot
 umount -R /media/startos/next 2> /dev/null || true
 umount /media/startos/upper 2> /dev/null || true
 umount /media/startos/lower 2> /dev/null || true
 mkdir -p /media/startos/upper
 mount -t tmpfs tmpfs /media/startos/upper
 mkdir -p /media/startos/lower /media/startos/upper/data /media/startos/upper/work /media/startos/next
 mount $1 /media/startos/lower
 mount -t overlay \
      -olowerdir=/media/startos/lower,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
 	    overlay /media/startos/next
 mkdir -p /media/startos/next/run
 mkdir -p /media/startos/next/dev
 mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
 mkdir -p /media/startos/next/media/startos/root
 mount --bind /run /media/startos/next/run
 mount --bind /tmp /media/startos/next/tmp
 mount --bind /dev /media/startos/next/dev
 mount --bind /sys /media/startos/next/sys
 mount --bind /proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 if mountpoint /boot/efi 2>&1 > /dev/null; then
    mkdir -p /media/startos/next/boot/efi
    mount --bind /boot/efi /media/startos/next/boot/efi
 fi
 if mountpoint /sys/firmware/efi/efivars 2>&1 > /dev/null; then
    mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
 fi
 chroot /media/startos/next bash -e << "EOF"
 if [ -f /boot/grub/grub.cfg ]; then
    grub-install /dev/$(eval $(lsblk -o MOUNTPOINT,PKNAME -P | grep 'MOUNTPOINT="/media/startos/root"') && echo $PKNAME)
    update-grub
 fi
 EOF
 sync
 umount -Rl /media/startos/next
 umount /media/startos/upper
 umount /media/startos/lower
 mv $1 /media/startos/images/${hash}.rootfs
 ln -rsf /media/startos/images/${hash}.rootfs /media/startos/config/current.rootfs
 sync
 echo 'System upgrade complete. Reboot to apply changes...'
--- a/build/lib/scripts/use-img
+++ b/build/lib/scripts/use-img
@@ -0,0 +1,61 @@
 #!/bin/bash
 set -e
 if [ "$UID" -ne 0 ]; then
    >&2 echo 'Must be run as root'
    exit 1
 fi
 if [ -z "$1" ]; then
    >&2 echo "usage: $0 <SQUASHFS>"
    exit 1
 fi
 VERSION=$(unsquashfs -cat $1 /usr/lib/startos/VERSION.txt)
 GIT_HASH=$(unsquashfs -cat $1 /usr/lib/startos/GIT_HASH.txt)
 B3SUM=$(b3sum $1 | head -c 32)
 if [ -n "$CHECKSUM" ] && [ "$CHECKSUM" != "$B3SUM" ]; then
    >&2 echo "CHECKSUM MISMATCH"
    exit 2
 fi
 mv $1 /media/startos/images/${B3SUM}.rootfs
 ln -rsf /media/startos/images/${B3SUM}.rootfs /media/startos/config/current.rootfs
 unsquashfs -n -f -d / /media/startos/images/${B3SUM}.rootfs boot
 umount -R /media/startos/next 2> /dev/null || true
 umount -R /media/startos/lower 2> /dev/null || true
 umount -R /media/startos/upper 2> /dev/null || true
 rm -rf /media/startos/lower /media/startos/upper /media/startos/next
 mkdir /media/startos/upper
 mount -t tmpfs tmpfs /media/startos/upper
 mkdir -p /media/startos/lower /media/startos/upper/data /media/startos/upper/work /media/startos/next
 mount /media/startos/images/${B3SUM}.rootfs /media/startos/lower
 mount -t overlay \
  -olowerdir=/media/startos/lower,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
  overlay /media/startos/next
 mkdir -p /media/startos/next/media/startos/root
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 mkdir -p /media/startos/next/dev
 mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
 mount --bind /dev /media/startos/next/dev
 mount --bind /sys /media/startos/next/sys
 mount --bind /proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
 chroot /media/startos/next update-grub2
 umount -R /media/startos/next
 umount -R /media/startos/upper
 umount -R /media/startos/lower
 rm -rf /media/startos/lower /media/startos/upper /media/startos/next
 sync
 reboot
--- a/build/os-compat/buildenv.Dockerfile
+++ b/build/os-compat/buildenv.Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:trixie
+FROM debian:bookworm
 RUN apt-get update && \
    apt-get install -y \
@@ -12,14 +12,45 @@ RUN apt-get update && \
    jq \
    gzip \
    brotli \
    qemu-user-static \
    binfmt-support \
    squashfs-tools \
    git \
    debspawn \
    rsync \
    b3sum \
    fuse-overlayfs \
    sudo \
-    nodejs
+    systemd \
    systemd-container \
    systemd-sysv \
    dbus \
    dbus-user-session
 RUN systemctl mask \
    systemd-firstboot.service \
    systemd-udevd.service \
    getty@tty1.service \
    console-getty.service
 RUN git config --global --add safe.directory /root/start-os
 RUN mkdir -p /etc/debspawn && \
    echo "AllowUnsafePermissions=true" > /etc/debspawn/global.toml
 ENV NVM_DIR=~/.nvm
 ENV NODE_VERSION=22
 RUN mkdir -p $NVM_DIR && \
    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/master/install.sh | bash && \
    . $NVM_DIR/nvm.sh \
    nvm install $NODE_VERSION && \
    nvm use $NODE_VERSION && \
    nvm alias default $NODE_VERSION && \
    ln -s $(which node) /usr/bin/node && \
    ln -s $(which npm) /usr/bin/npm
 RUN mkdir -p /root/start-os
 WORKDIR /root/start-os
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
--- a/build/os-compat/docker-entrypoint.sh
+++ b/build/os-compat/docker-entrypoint.sh
@@ -0,0 +1,3 @@
 #!/bin/bash
 exec /lib/systemd/systemd --unit=multi-user.target --show-status=false --log-target=journal
--- a/build/os-compat/run-compat.sh
+++ b/build/os-compat/run-compat.sh
@@ -1,30 +1,27 @@
 #!/bin/bash
 pwd=$(pwd)
 cd "$(dirname "${BASH_SOURCE[0]}")/../.."
 set -e
 rel_pwd="${pwd#"$(pwd)"}"
 COMPAT_ARCH=$(uname -m)
 platform=linux/$COMPAT_ARCH
 case $COMPAT_ARCH in
    x86_64)
        platform=linux/amd64;;
    aarch64)
        platform=linux/arm64;;
 esac
 if [ "$FORCE_COMPAT" = 1 ] || ( [ "$REQUIRES" = "linux" ] && [ "$(uname -s)" != "Linux" ] ) || ( [ "$REQUIRES" = "debian" ] && ! which dpkg > /dev/null ); then
    project_pwd="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../.. && pwd)/"
    pwd="$(pwd)/"
    if ! [[ "$pwd" = "$project_pwd"* ]]; then
        >&2 echo "Must be run from start-os project dir"
        exit 1
    fi
    rel_pwd="${pwd#"$project_pwd"}"
    SYSTEMD_TTY="-P"
    USE_TTY=
    if tty -s; then
        USE_TTY="-it"
        SYSTEMD_TTY="-t"
    fi
-    docker run $USE_TTY --platform=$platform -eARCH -eENVIRONMENT -ePLATFORM -eGIT_BRANCH_AS_HASH -ePROJECT -eDEPENDS -eCONFLICTS -w "/root/start-os${rel_pwd}" --rm -v "$(pwd):/root/start-os" start9/build-env $@
+    docker run -d --rm --name os-compat --privileged --security-opt apparmor=unconfined -v "${project_pwd}:/root/start-os" -v /lib/modules:/lib/modules:ro start9/build-env
    while ! docker exec os-compat systemctl is-active --quiet multi-user.target 2> /dev/null; do sleep .5; done
    docker exec -eARCH -eENVIRONMENT -ePLATFORM -eGIT_BRANCH_AS_HASH $USE_TTY -w "/root/start-os${rel_pwd}" os-compat $@
    code=$?
    docker stop os-compat
    exit $code
 else 
    exec $@
-fi
+fi
--- a/build/raspberrypi/make-image.sh
+++ b/build/raspberrypi/make-image.sh
@@ -0,0 +1,87 @@
 #!/bin/bash
 set -e
 function partition_for () {
    if [[ "$1" =~ [0-9]+$ ]]; then
        echo "$1p$2"
    else
        echo "$1$2"
    fi
 }
 VERSION=$(cat VERSION.txt)
 ENVIRONMENT=$(cat ENVIRONMENT.txt)
 GIT_HASH=$(cat GIT_HASH.txt | head -c 7)
 DATE=$(date +%Y%m%d)
 ROOT_PART_END=7217792
 VERSION_FULL="$VERSION-$GIT_HASH"
 if [ -n "$ENVIRONMENT" ]; then
  VERSION_FULL="$VERSION_FULL~$ENVIRONMENT"
 fi
 TARGET_NAME=startos-${VERSION_FULL}-${DATE}_raspberrypi.img
 TARGET_SIZE=$[($ROOT_PART_END+1)*512]
 rm -f $TARGET_NAME
 truncate -s $TARGET_SIZE $TARGET_NAME
 (
    echo o
    echo x
    echo i
    echo "0xcb15ae4d"
    echo r
    echo n
    echo p
    echo 1
    echo 2048
    echo 526335
    echo t
    echo c
    echo n
    echo p
    echo 2
    echo 526336
    echo $ROOT_PART_END
    echo a
    echo 1
    echo w
 ) | fdisk $TARGET_NAME
 OUTPUT_DEVICE=$(sudo losetup --show -fP $TARGET_NAME)
 sudo mkfs.ext4 `partition_for ${OUTPUT_DEVICE} 2`
 sudo mkfs.vfat `partition_for ${OUTPUT_DEVICE} 1`
 TMPDIR=$(mktemp -d)
 sudo mount `partition_for ${OUTPUT_DEVICE} 2` $TMPDIR
 sudo mkdir $TMPDIR/boot
 sudo mount `partition_for ${OUTPUT_DEVICE} 1` $TMPDIR/boot
 sudo unsquashfs -f -d $TMPDIR startos.raspberrypi.squashfs
 REAL_GIT_HASH=$(cat $TMPDIR/usr/lib/startos/GIT_HASH.txt)
 REAL_VERSION=$(cat $TMPDIR/usr/lib/startos/VERSION.txt)
 REAL_ENVIRONMENT=$(cat $TMPDIR/usr/lib/startos/ENVIRONMENT.txt)
 sudo sed -i 's| boot=startos| init=/usr/lib/startos/scripts/init_resize\.sh|' $TMPDIR/boot/cmdline.txt
 sudo cp ./build/raspberrypi/fstab $TMPDIR/etc/
 sudo cp ./build/raspberrypi/init_resize.sh $TMPDIR/usr/lib/startos/scripts/init_resize.sh
 sudo umount $TMPDIR/boot
 sudo umount $TMPDIR
 sudo losetup -d $OUTPUT_DEVICE
 if [ "$ALLOW_VERSION_MISMATCH" != 1 ]; then
    if [ "$(cat GIT_HASH.txt)" != "$REAL_GIT_HASH" ]; then
        >&2 echo "startos.raspberrypi.squashfs GIT_HASH.txt mismatch"
        >&2 echo "expected $REAL_GIT_HASH (dpkg) found $(cat GIT_HASH.txt) (repo)"
        exit 1
    fi
    if [ "$(cat VERSION.txt)" != "$REAL_VERSION" ]; then
        >&2 echo "startos.raspberrypi.squashfs VERSION.txt mismatch"
        exit 1
    fi
    if [ "$(cat ENVIRONMENT.txt)" != "$REAL_ENVIRONMENT" ]; then
        >&2 echo "startos.raspberrypi.squashfs ENVIRONMENT.txt mismatch"
        exit 1
    fi
 fi
--- a/build/upload-ota.sh
+++ b/build/upload-ota.sh
@@ -1,142 +0,0 @@
 #!/bin/bash
 if [ -z "$VERSION" ]; then
    >&2 echo '$VERSION required'
    exit 2
 fi
 set -e
 if [ "$SKIP_DL" != "1" ]; then
    if [ "$SKIP_CLEAN" != "1" ]; then
        rm -rf ~/Downloads/v$VERSION
        mkdir ~/Downloads/v$VERSION
        cd ~/Downloads/v$VERSION
    fi
    if [ -n "$RUN_ID" ]; then
        for arch in aarch64 aarch64-nonfree riscv64 x86_64 x86_64-nonfree; do
            while ! gh run download -R Start9Labs/start-os $RUN_ID -n $arch.squashfs -D $(pwd); do sleep 1; done
        done
        for arch in aarch64 aarch64-nonfree riscv64 x86_64 x86_64-nonfree; do
            while ! gh run download -R Start9Labs/start-os $RUN_ID -n $arch.iso -D $(pwd); do sleep 1; done
        done
    fi
    if [ -n "$ST_RUN_ID" ]; then
        for arch in aarch64 riscv64 x86_64; do
            while ! gh run download -R Start9Labs/start-os $ST_RUN_ID -n start-tunnel_$arch.deb -D $(pwd); do sleep 1; done
    done
    fi
    if [ -n "$CLI_RUN_ID" ]; then
        for arch in aarch64 riscv64 x86_64; do
            for os in linux macos; do
                pair=${arch}-${os}
                if [ "${pair}" = "riscv64-linux" ]; then
                    target=riscv64gc-unknown-linux-musl
                elif [ "${pair}" = "riscv64-macos" ]; then
                    continue
                elif [ "${os}" = "linux" ]; then
                    target="${arch}-unknown-linux-musl"
                elif [ "${os}" = "macos" ]; then
                    target="${arch}-apple-darwin"
                fi
                while ! gh run download -R Start9Labs/start-os $CLI_RUN_ID -n start-cli_$target -D $(pwd); do sleep 1; done
                mv start-cli "start-cli_${pair}"
            done
        done
    fi
 else
    cd ~/Downloads/v$VERSION
 fi
 start-cli --registry=https://alpha-registry-x.start9.com registry os version add $VERSION "v$VERSION" '' ">=0.3.5 <=$VERSION"
 if [ "$SKIP_UL" = "2" ]; then
    exit 2
 elif [ "$SKIP_UL" != "1" ]; then
    for file in *.deb start-cli_*; do
        gh release upload -R Start9Labs/start-os v$VERSION $file
    done
    for file in *.iso *.squashfs; do
        s3cmd put -P $file s3://startos-images/v$VERSION/$file
    done
 fi
 if [ "$SKIP_INDEX" != "1" ]; then
    for arch in aarch64 aarch64-nonfree riscv64 x86_64 x86_64-nonfree; do
        for file in *_$arch.squashfs *_$arch.iso; do
            start-cli --registry=https://alpha-registry-x.start9.com registry os asset add --platform=$arch --version=$VERSION $file https://startos-images.nyc3.cdn.digitaloceanspaces.com/v$VERSION/$file
        done
    done
 fi
 for file in *.iso *.squashfs *.deb start-cli_*; do
    gpg -u 7CFFDA41CA66056A --detach-sign --armor -o "${file}.asc" "$file"
 done
 gpg --export -a 7CFFDA41CA66056A > dr-bonez.key.asc
 tar -czvf signatures.tar.gz *.asc
 gh release upload -R Start9Labs/start-os v$VERSION signatures.tar.gz
 cat << EOF
 # ISO Downloads
 - [x86_64/AMD64](https://startos-images.nyc3.cdn.digitaloceanspaces.com/v$VERSION/$(ls *_x86_64-nonfree.iso))
 - [x86_64/AMD64-slim (FOSS-only)](https://startos-images.nyc3.cdn.digitaloceanspaces.com/v$VERSION/$(ls *_x86_64.iso) "Without proprietary software or drivers")
 - [aarch64/ARM64](https://startos-images.nyc3.cdn.digitaloceanspaces.com/v$VERSION/$(ls *_aarch64-nonfree.iso))
 - [aarch64/ARM64-slim (FOSS-Only)](https://startos-images.nyc3.cdn.digitaloceanspaces.com/v$VERSION/$(ls *_aarch64.iso) "Without proprietary software or drivers")
 - [RISCV64 (RVA23)](https://startos-images.nyc3.cdn.digitaloceanspaces.com/v$VERSION/$(ls *_riscv64.iso))
 EOF
 cat << 'EOF'
 # StartOS Checksums
 ## SHA-256
 ```
 EOF
 sha256sum *.iso *.squashfs
 cat << 'EOF'
 ```
 ## BLAKE-3
 ```
 EOF
 b3sum *.iso *.squashfs
 cat << 'EOF'
 ```
 # Start-Tunnel Checksums
 ## SHA-256
 ```
 EOF
 sha256sum start-tunnel*.deb
 cat << 'EOF'
 ```
 ## BLAKE-3
 ```
 EOF
 b3sum start-tunnel*.deb
 cat << 'EOF'
 ```
 # start-cli Checksums
 ## SHA-256
 ```
 EOF
 sha256sum start-cli_*
 cat << 'EOF'
 ```
 ## BLAKE-3
 ```
 EOF
 b3sum start-cli_*
 cat << 'EOF'
 ```
 EOF
--- a/build/env/check-environment.sh
+++ b/build/env/check-environment.sh
@@ -1,10 +1,8 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 if ! [ -f ./ENVIRONMENT.txt ] || [ "$(cat ./ENVIRONMENT.txt)" != "$ENVIRONMENT" ]; then
    >&2 echo "Updating ENVIRONMENT.txt to \"$ENVIRONMENT\""
    echo -n "$ENVIRONMENT" > ./ENVIRONMENT.txt
 fi
-echo -n ./build/env/ENVIRONMENT.txt
+echo -n ./ENVIRONMENT.txt
--- a/build/env/check-git-hash.sh
+++ b/build/env/check-git-hash.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 if [ "$GIT_BRANCH_AS_HASH" != 1 ]; then
    GIT_HASH="$(git rev-parse HEAD)$(if ! git diff-index --quiet HEAD --; then echo '-modified'; fi)"
 else
@@ -13,4 +11,4 @@ if ! [ -f ./GIT_HASH.txt ] || [ "$(cat ./GIT_HASH.txt)" != "$GIT_HASH" ]; then
    echo -n "$GIT_HASH" > ./GIT_HASH.txt
 fi
-echo -n ./build/env/GIT_HASH.txt
+echo -n ./GIT_HASH.txt
--- a/build/env/check-platform.sh
+++ b/build/env/check-platform.sh
@@ -1,10 +1,8 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 if ! [ -f ./PLATFORM.txt ] || [ "$(cat ./PLATFORM.txt)" != "$PLATFORM" ] && [ -n "$PLATFORM" ]; then
    >&2 echo "Updating PLATFORM.txt to \"$PLATFORM\""
    echo -n "$PLATFORM" > ./PLATFORM.txt
 fi
-echo -n ./build/env/PLATFORM.txt
+echo -n ./PLATFORM.txt
--- a/build/env/check-version.sh
+++ b/build/env/check-version.sh
@@ -1,8 +1,6 @@
 #!/bin/bash
-cd "$(dirname "${BASH_SOURCE[0]}")"
+FE_VERSION="$(cat web/package.json | grep '"version"' | sed 's/[ \t]*"version":[ \t]*"\([^"]*\)",/\1/')"
 FE_VERSION="$(cat ../../web/package.json | grep '"version"' | sed 's/[ \t]*"version":[ \t]*"\([^"]*\)",/\1/')"
 # TODO: Validate other version sources - backend/Cargo.toml, backend/src/version/mod.rs
@@ -12,4 +10,4 @@ if ! [ -f ./VERSION.txt ] || [ "$(cat ./VERSION.txt)" != "$VERSION" ]; then
    echo -n "$VERSION" > ./VERSION.txt
 fi
-echo -n ./build/env/VERSION.txt
+echo -n ./VERSION.txt
--- a/web/compress-uis.sh
+++ b/web/compress-uis.sh
@@ -4,17 +4,13 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 set -e
-STATIC_DIR=dist/static/$1
+rm -rf web/dist/static
 RAW_DIR=dist/raw/$1
 mkdir -p $STATIC_DIR
 rm -rf $STATIC_DIR
 if ! [[ "$ENVIRONMENT" =~ (^|-)dev($|-) ]]; then
-    find $RAW_DIR -type f -not -name '*.gz' -and -not -name '*.br' | xargs -n 1 -P 0 gzip -kf
+    find web/dist/raw -type f -not -name '*.gz' -and -not -name '*.br' | xargs -n 1 -P 0 gzip -kf
-    find $RAW_DIR -type f -not -name '*.gz' -and -not -name '*.br' | xargs -n 1 -P 0 brotli -kf
+    find web/dist/raw -type f -not -name '*.gz' -and -not -name '*.br' | xargs -n 1 -P 0 brotli -kf
-    for file in $(find $RAW_DIR -type f -not -name '*.gz' -and -not -name '*.br'); do
+    for file in $(find web/dist/raw -type f -not -name '*.gz' -and -not -name '*.br'); do
        raw_size=$(du  $file | awk '{print $1 * 512}')
        gz_size=$(du  $file.gz | awk '{print $1 * 512}')
        br_size=$(du  $file.br | awk '{print $1 * 512}')
@@ -27,5 +23,4 @@ if ! [[ "$ENVIRONMENT" =~ (^|-)dev($|-) ]]; then
    done
 fi
-
+cp -r web/dist/raw web/dist/static
 cp -r $RAW_DIR $STATIC_DIR
--- a/container-runtime/RPCSpec.md
+++ b/container-runtime/RPCSpec.md
@@ -1,21 +1,16 @@
-# Container RPC Server Specification
+# Container RPC SERVER Specification
 The container runtime exposes a JSON-RPC server over a Unix socket at `/media/startos/rpc/service.sock`.
 ## Methods
 ### init
-Initialize the runtime and system.
+initialize runtime (mount `/proc`, `/sys`, `/dev`, and `/run` to each image in `/media/images`)
-#### params
+called after os has mounted js and images to the container
-```ts
+#### args
-{
+
-  id: string,
+`[]`
  kind: "install" | "update" | "restore" | null,
 }
 ```
 #### response
@@ -23,16 +18,11 @@ Initialize the runtime and system.
 ### exit
-Shutdown runtime and optionally run exit hooks for a target version.
+shutdown runtime
-#### params
+#### args
-```ts
+`[]`
 {
  id: string,
  target: string | null,  // ExtendedVersion or VersionRange
 }
 ```
 #### response
@@ -40,11 +30,11 @@ Shutdown runtime and optionally run exit hooks for a target version.
 ### start
-Run main method if not already running.
+run main method if not already running
-#### params
+#### args
-None
+`[]`
 #### response
@@ -52,11 +42,11 @@ None
 ### stop
-Stop main method by sending SIGTERM to child processes, and SIGKILL after timeout.
+stop main method by sending SIGTERM to child processes, and SIGKILL after timeout
-#### params
+#### args
-None
+`{ timeout: millis }`
 #### response
@@ -64,16 +54,15 @@ None
 ### execute
-Run a specific package procedure.
+run a specific package procedure
-#### params
+#### args
 ```ts
 {
-  id: string,           // event ID
+    procedure: JsonPath,
-  procedure: string,    // JSON path (e.g., "/backup/create", "/actions/{name}/run")
+    input: any,
-  input: any,
+    timeout: millis,
  timeout: number | null,
 }
 ```
@@ -83,64 +72,18 @@ Run a specific package procedure.
 ### sandbox
-Run a specific package procedure in sandbox mode. Same interface as `execute`.
+run a specific package procedure in sandbox mode
-UNIMPLEMENTED: this feature is planned but does not exist
+#### args
 #### params
 ```ts
 {
-  id: string,
+    procedure: JsonPath,
-  procedure: string,
+    input: any,
-  input: any,
+    timeout: millis,
  timeout: number | null,
 }
 ```
 #### response
 `any`
 ### callback
 Handle a callback from an effect.
 #### params
 ```ts
 {
  id: number,
  args: any[],
 }
 ```
 #### response
 `null` (no response sent)
 ### eval
 Evaluate a script in the runtime context. Used for debugging.
 #### params
 ```ts
 {
  script: string,
 }
 ```
 #### response
 `any`
 ## Procedures
 The `execute` and `sandbox` methods route to procedures based on the `procedure` path:
 | Procedure | Description |
 |-----------|-------------|
 | `/backup/create` | Create a backup |
 | `/actions/{name}/getInput` | Get input spec for an action |
 | `/actions/{name}/run` | Run an action with input |
--- a/container-runtime/container-runtime.service
+++ b/container-runtime/container-runtime.service
@@ -4,7 +4,6 @@ OnFailure=container-runtime-failure.service
 [Service]
 Type=simple
 Environment=RUST_LOG=startos=debug
 ExecStart=/usr/bin/node --experimental-detect-module --trace-warnings --unhandled-rejections=warn /usr/lib/startos/init/index.js
 Restart=no
--- a/container-runtime/deb-install.sh
+++ b/container-runtime/deb-install.sh
@@ -2,10 +2,17 @@
 set -e
-apt-get update
+mkdir -p /run/systemd/resolve
-apt-get install -y curl rsync qemu-user-static nodejs
+echo "nameserver 8.8.8.8" > /run/systemd/resolve/stub-resolv.conf
 apt-get update
 apt-get install -y curl rsync qemu-user-static
 curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
 source ~/.bashrc
 nvm install 22
 ln -s $(which node) /usr/bin/node
 sed -i '/\(^\|#\)DNSStubListener=/c\DNSStubListener=no' /etc/systemd/resolved.conf
 sed -i '/\(^\|#\)Storage=/c\Storage=persistent' /etc/systemd/journald.conf
 sed -i '/\(^\|#\)Compress=/c\Compress=yes' /etc/systemd/journald.conf
 sed -i '/\(^\|#\)SystemMaxUse=/c\SystemMaxUse=1G' /etc/systemd/journald.conf
@@ -13,4 +20,4 @@ sed -i '/\(^\|#\)ForwardToSyslog=/c\ForwardToSyslog=no' /etc/systemd/journald.co
 systemctl enable container-runtime.service
-echo "nameserver 10.0.3.1" > /etc/resolv.conf
+rm -rf /run/systemd
--- a/container-runtime/download-base-image.sh
+++ b/container-runtime/download-base-image.sh
@@ -3,7 +3,7 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 set -e
 DISTRO=debian
-VERSION=trixie
+VERSION=bookworm
 ARCH=${ARCH:-$(uname -m)}
 FLAVOR=default
--- a/container-runtime/mkcontainer.sh
+++ b/container-runtime/mkcontainer.sh
@@ -0,0 +1,28 @@
 #!/bin/bash
 set -e
 IMAGE=$1
 if [ -z "$IMAGE" ]; then
    >&2 echo "usage: $0 <image id>"
    exit 1
 fi
 if ! [ -d "/media/images/$IMAGE" ]; then
    >&2 echo "image does not exist"
    exit 1
 fi
 container=$(mktemp -d)
 mkdir -p $container/rootfs $container/upper $container/work
 mount -t overlay -olowerdir=/media/images/$IMAGE,upperdir=$container/upper,workdir=$container/work overlay $container/rootfs
 rootfs=$container/rootfs
 for special in dev sys proc run; do
    mkdir -p $rootfs/$special
    mount --bind /$special $rootfs/$special
 done
 echo $rootfs
--- a/container-runtime/package-lock.json
+++ b/container-runtime/package-lock.json
@@ -38,7 +38,7 @@
    },
    "../sdk/dist": {
      "name": "@start9labs/start-sdk",
-      "version": "0.4.0-beta.48",
+      "version": "0.4.0-beta.36",
      "license": "MIT",
      "dependencies": {
        "@iarna/toml": "^3.0.0",
@@ -110,7 +110,6 @@
      "integrity": "sha512-l+lkXCHS6tQEc5oUpK28xBOZ6+HwaH7YwoYQbLFiYb4nS2/l1tKnZEtEWkD0GuiYdvArf9qBS0XlQGXzPMsNqQ==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@ampproject/remapping": "^2.2.0",
        "@babel/code-frame": "^7.26.2",
@@ -1201,7 +1200,6 @@
      "dev": true,
      "hasInstallScript": true,
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
        "@swc/counter": "^0.1.3",
        "@swc/types": "^0.1.17"
@@ -2145,7 +2143,6 @@
        }
      ],
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "caniuse-lite": "^1.0.30001688",
        "electron-to-chromium": "^1.5.73",
@@ -3993,7 +3990,6 @@
      "integrity": "sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@jest/core": "^29.7.0",
        "@jest/types": "^29.6.3",
@@ -6560,7 +6556,6 @@
      "integrity": "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw==",
      "dev": true,
      "license": "Apache-2.0",
      "peer": true,
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
--- a/container-runtime/rmcontainer.sh
+++ b/container-runtime/rmcontainer.sh
@@ -0,0 +1,12 @@
 #!/bin/bash
 set -e
 rootfs=$1
 if [ -z "$rootfs" ]; then
    >&2 echo "usage: $0 <container rootfs path>"
    exit 1
 fi
 umount --recursive $rootfs
 rm -rf $rootfs/..
--- a/container-runtime/src/Adapters/EffectCreator.ts
+++ b/container-runtime/src/Adapters/EffectCreator.ts
@@ -178,13 +178,6 @@ export function makeEffects(context: EffectContext): Effects {
        T.Effects["getInstalledPackages"]
      >
    },
    getServiceManifest(
      ...[options]: Parameters<T.Effects["getServiceManifest"]>
    ) {
      return rpcRound("get-service-manifest", options) as ReturnType<
        T.Effects["getServiceManifest"]
      >
    },
    subcontainer: {
      createFs(options: { imageId: string; name: string }) {
        return rpcRound("subcontainer.create-fs", options) as ReturnType<
@@ -296,7 +289,6 @@ export function makeEffects(context: EffectContext): Effects {
    getStatus(...[o]: Parameters<T.Effects["getStatus"]>) {
      return rpcRound("get-status", o) as ReturnType<T.Effects["getStatus"]>
    },
    /// DEPRECATED
    setMainStatus(o: { status: "running" | "stopped" }): Promise<null> {
      return rpcRound("set-main-status", o) as ReturnType<
        T.Effects["setHealth"]
@@ -319,7 +311,6 @@ export function makeEffects(context: EffectContext): Effects {
  }
  if (context.callbacks?.onLeaveContext)
    self.onLeaveContext(() => {
      self.constRetry = undefined
      self.isInContext = false
      self.onLeaveContext = () => {
        console.warn(
--- a/container-runtime/src/Adapters/RpcListener.ts
+++ b/container-runtime/src/Adapters/RpcListener.ts
@@ -146,7 +146,6 @@ const handleRpc = (id: IdType, result: Promise<RpcResult>) =>
 const hasId = object({ id: idType }).test
 export class RpcListener {
  shouldExit = false
  unixSocketServer = net.createServer(async (server) => {})
  private _system: System | undefined
  private callbacks: CallbackHolder | undefined
@@ -159,8 +158,6 @@ export class RpcListener {
    this.unixSocketServer.listen(SOCKET_PATH)
    console.log("Listening on %s", SOCKET_PATH)
    this.unixSocketServer.on("connection", (s) => {
      let id: IdType = null
      const captureId = <X>(x: X) => {
@@ -211,11 +208,6 @@ export class RpcListener {
                  .catch(mapError)
                  .then(logData("response"))
                  .then(writeDataToSocket)
                  .then((_) => {
                    if (this.shouldExit) {
                      process.exit(0)
                    }
                  })
                  .catch((e) => {
                    console.error(`Major error in socket handling: ${e}`)
                    console.debug(`Data in: ${a.toString()}`)
@@ -292,13 +284,10 @@ export class RpcListener {
        )
      })
      .when(stopType, async ({ id }) => {
        this.callbacks?.removeChild("main")
        return handleRpc(
          id,
-          this.system.stop().then((result) => {
+          this.system.stop().then((result) => ({ result })),
            this.callbacks?.removeChild("main")
            return { result }
          }),
        )
      })
      .when(exitType, async ({ id, params }) => {
@@ -319,7 +308,6 @@ export class RpcListener {
                }),
                target,
              )
              this.shouldExit = true
            }
          })().then((result) => ({ result })),
        )
--- a/container-runtime/src/Adapters/Systems/SystemForEmbassy/DockerProcedureContainer.ts
+++ b/container-runtime/src/Adapters/Systems/SystemForEmbassy/DockerProcedureContainer.ts
@@ -118,7 +118,7 @@ export class DockerProcedureContainer extends Drop {
              subpath: volumeMount.path,
              readonly: volumeMount.readonly,
              volumeId: volumeMount["volume-id"],
-              idmap: [],
+              filetype: "directory",
            },
          })
        } else if (volumeMount.type === "backup") {
--- a/container-runtime/src/Adapters/Systems/SystemForEmbassy/MainLoop.ts
+++ b/container-runtime/src/Adapters/Systems/SystemForEmbassy/MainLoop.ts
@@ -10,6 +10,7 @@ import { SDKManifest } from "@start9labs/start-sdk/base/lib/types"
 import { SubContainerRc } from "@start9labs/start-sdk/package/lib/util/SubContainer"
 const EMBASSY_HEALTH_INTERVAL = 15 * 1000
 const EMBASSY_PROPERTIES_LOOP = 30 * 1000
 /**
 * We wanted something to represent what the main loop is doing, and
 * in this case it used to run the properties, health, and the docker/ js main.
@@ -119,7 +120,6 @@ export class MainLoop {
            ? {
                preferredExternalPort: lanConf.external,
                alpn: { specified: ["http/1.1"] },
                addXForwardedHeaders: false,
              }
            : null,
        })
@@ -133,7 +133,7 @@ export class MainLoop {
    delete this.mainEvent
    delete this.healthLoops
    await main?.daemon
-      .term()
+      .stop()
      .catch((e: unknown) => console.error(`Main loop error`, utils.asError(e)))
    this.effects.setMainStatus({ status: "stopped" })
    if (healthLoops) healthLoops.forEach((x) => clearInterval(x.interval))
--- a/container-runtime/src/Adapters/Systems/SystemForEmbassy/index.ts
+++ b/container-runtime/src/Adapters/Systems/SystemForEmbassy/index.ts
@@ -50,7 +50,6 @@ import {
  transformOldConfigToNew,
 } from "./transformConfigSpec"
 import { partialDiff } from "@start9labs/start-sdk/base/lib/util"
 import { Volume } from "@start9labs/start-sdk/package/lib/util/Volume"
 type Optional<A> = A | undefined | null
 function todo(): never {
@@ -62,14 +61,14 @@ export const EMBASSY_JS_LOCATION = "/usr/lib/startos/package/embassy.js"
 const configFile = FileHelper.json(
  {
-    base: new Volume("embassy"),
+    volumeId: "embassy",
    subpath: "config.json",
  },
  matches.any,
 )
 const dependsOnFile = FileHelper.json(
  {
-    base: new Volume("embassy"),
+    volumeId: "embassy",
    subpath: "dependsOn.json",
  },
  dictionary([string, array(string)]),
@@ -288,6 +287,7 @@ function convertProperties(
  }
 }
 const DEFAULT_REGISTRY = "https://registry.start9.com"
 export class SystemForEmbassy implements System {
  private version: ExtendedVersion
  currentRunning: MainLoop | undefined
@@ -331,10 +331,6 @@ export class SystemForEmbassy implements System {
    ) {
      this.version.upstream.prerelease = ["alpha"]
    }
    if (this.manifest.id === "nostr") {
      this.manifest.id = "nostr-rs-relay"
    }
  }
  async init(
@@ -460,7 +456,6 @@ export class SystemForEmbassy implements System {
          addSsl = {
            preferredExternalPort: lanPortNum,
            alpn: { specified: [] },
            addXForwardedHeaders: false,
          }
        }
        return [
@@ -893,6 +888,7 @@ export class SystemForEmbassy implements System {
    effects: Effects,
    timeoutMs: number | null,
  ): Promise<PropertiesReturn> {
    // TODO BLU-J set the properties ever so often
    const setConfigValue = this.manifest.properties
    if (!setConfigValue) throw new Error("There is no properties")
    if (setConfigValue.type === "docker") {
@@ -1047,7 +1043,7 @@ export class SystemForEmbassy implements System {
        volumeId: "embassy",
        subpath: null,
        readonly: true,
-        idmap: [],
+        filetype: "directory",
      },
    })
    configFile
@@ -1195,7 +1191,7 @@ async function updateConfig(
            volumeId: "embassy",
            subpath: null,
            readonly: true,
-            idmap: [],
+            filetype: "directory",
          },
        })
        const remoteConfig = configFile
@@ -1245,11 +1241,11 @@ async function updateConfig(
            : catchFn(
                () =>
                  (specValue.target === "lan-address"
-                    ? filled.addressInfo!.filter({ kind: "mdns" }) ||
+                    ? filled.addressInfo!.localHostnames[0] ||
-                      filled.addressInfo!.onion
+                      filled.addressInfo!.onionHostnames[0]
-                    : filled.addressInfo!.onion ||
+                    : filled.addressInfo!.onionHostnames[0] ||
-                      filled.addressInfo!.filter({ kind: "mdns" })
+                      filled.addressInfo!.localHostnames[0]
-                  ).hostnames[0].hostname.value,
+                  ).hostname.value,
              ) || ""
        mutConfigValue[key] = url
      }
--- a/container-runtime/src/Adapters/Systems/SystemForStartOs.ts
+++ b/container-runtime/src/Adapters/Systems/SystemForStartOs.ts
@@ -68,18 +68,22 @@ export class SystemForStartOs implements System {
    try {
      if (this.runningMain || this.starting) return
      this.starting = true
-      effects.constRetry = utils.once(() => {
+      effects.constRetry = utils.once(() => effects.restart())
        console.debug(".const() triggered")
        effects.restart()
      })
      let mainOnTerm: () => Promise<void> | undefined
      const started = async (onTerm: () => Promise<void>) => {
        await effects.setMainStatus({ status: "running" })
        mainOnTerm = onTerm
        return null
      }
      const daemons = await (
        await this.abi.main({
          effects,
          started,
        })
      ).build()
      this.runningMain = {
        stop: async () => {
          if (mainOnTerm) await mainOnTerm()
          await daemons.term()
        },
      }
--- a/container-runtime/src/index.ts
+++ b/container-runtime/src/index.ts
@@ -7,12 +7,6 @@ const getDependencies: AllGetDependencies = {
  system: getSystem,
 }
 for (let s of ["SIGTERM", "SIGINT", "SIGHUP"]) {
  process.on(s, (s) => {
    console.log(`Caught ${s}`)
  })
 }
 new RpcListener(getDependencies)
 /**
--- a/container-runtime/update-image-local.sh
+++ b/container-runtime/update-image-local.sh
@@ -1,21 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")/.."
 USE_TTY=
 if tty -s; then
  USE_TTY="-it"
 fi
 DOCKER_PLATFORM=linux/${ARCH}
 case $ARCH in
    x86_64)
        DOCKER_PLATFORM=linux/amd64;;
    aarch64)
        DOCKER_PLATFORM=linux/arm64;;
 esac
 docker run --rm $USE_TTY --platform=$DOCKER_PLATFORM -eARCH --privileged -v "$(pwd):/root/start-os" start9/build-env /root/start-os/container-runtime/update-image.sh
 if [ "$(ls -nd "rootfs.${ARCH}.squashfs" | awk '{ print $3 }')" != "$UID" ]; then
  docker run --rm $USE_TTY -v "$(pwd):/root/start-os" start9/build-env chown -R $UID:$UID /root/start-os/container-runtime
 fi
--- a/container-runtime/update-image.sh
+++ b/container-runtime/update-image.sh
@@ -4,39 +4,56 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 set -e
-RUST_ARCH="$ARCH"
+if mountpoint -q tmp/combined; then sudo umount -R tmp/combined; fi
-if [ "$ARCH" = "riscv64" ]; then
+if mountpoint -q tmp/lower; then sudo umount tmp/lower; fi
-  RUST_ARCH="riscv64gc"
+sudo rm -rf tmp
 mkdir -p tmp/lower tmp/upper tmp/work tmp/combined
 if which squashfuse > /dev/null; then
    sudo squashfuse debian.${ARCH}.squashfs tmp/lower
 else
    sudo mount debian.${ARCH}.squashfs tmp/lower
 fi
 if which fuse-overlayfs > /dev/null; then
    sudo fuse-overlayfs -olowerdir=tmp/lower,upperdir=tmp/upper,workdir=tmp/work overlay tmp/combined
 else
    sudo mount -t overlay -olowerdir=tmp/lower,upperdir=tmp/upper,workdir=tmp/work overlay tmp/combined
 fi
-mount -t tmpfs tmpfs /tmp
+QEMU=
-mkdir -p /tmp/lower /tmp/upper /tmp/work /tmp/combined
+if [ "$ARCH" != "$(uname -m)" ]; then
-mount -o loop debian.${ARCH}.squashfs /tmp/lower
+    QEMU=/usr/bin/qemu-${ARCH}-static
-mount -t overlay -olowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/work overlay /tmp/combined
+    if ! which qemu-$ARCH-static > /dev/null; then
        >&2 echo qemu-user-static is required for cross-platform builds
        sudo umount tmp/combined
        sudo umount tmp/lower
        sudo rm -rf tmp
        exit 1
    fi
    sudo cp $(which qemu-$ARCH-static) tmp/combined${QEMU}
 fi
-mkdir -p /tmp/combined/usr/lib/startos/
+sudo mkdir -p tmp/combined/usr/lib/startos/
-rsync -a --copy-unsafe-links --info=progress2 dist/ /tmp/combined/usr/lib/startos/init/
+sudo rsync -a --copy-unsafe-links dist/ tmp/combined/usr/lib/startos/init/
-chown -R 0:0 /tmp/combined/usr/lib/startos/
+sudo chown -R 0:0 tmp/combined/usr/lib/startos/
-cp container-runtime.service /tmp/combined/lib/systemd/system/container-runtime.service
+sudo cp container-runtime.service tmp/combined/lib/systemd/system/container-runtime.service
-chown 0:0 /tmp/combined/lib/systemd/system/container-runtime.service
+sudo chown 0:0 tmp/combined/lib/systemd/system/container-runtime.service
-cp container-runtime-failure.service /tmp/combined/lib/systemd/system/container-runtime-failure.service
+sudo cp container-runtime-failure.service tmp/combined/lib/systemd/system/container-runtime-failure.service
-chown 0:0 /tmp/combined/lib/systemd/system/container-runtime-failure.service
+sudo chown 0:0 tmp/combined/lib/systemd/system/container-runtime-failure.service
-cp ../core/target/${RUST_ARCH}-unknown-linux-musl/release/start-container /tmp/combined/usr/bin/start-container
+sudo cp ../core/target/$ARCH-unknown-linux-musl/release/containerbox tmp/combined/usr/bin/start-container
-echo -e '#!/bin/bash\nexec start-container "$@"' > /tmp/combined/usr/bin/start-cli # TODO: remove
+echo -e '#!/bin/bash\nexec start-container $@' | sudo tee tmp/combined/usr/bin/start-cli # TODO: remove
-chmod +x /tmp/combined/usr/bin/start-cli
+sudo chmod +x tmp/combined/usr/bin/start-cli
-chown 0:0 /tmp/combined/usr/bin/start-container
+sudo chown 0:0 tmp/combined/usr/bin/start-container
-echo container-runtime | sha256sum | head -c 32 | cat - <(echo) > /tmp/combined/etc/machine-id
+echo container-runtime | sha256sum | head -c 32 | cat - <(echo) | sudo tee tmp/combined/etc/machine-id
-rm -f /tmp/combined/etc/resolv.conf
+cat deb-install.sh | sudo systemd-nspawn --console=pipe -D tmp/combined $QEMU /bin/bash
-cp /etc/resolv.conf /tmp/combined/etc/resolv.conf
+sudo truncate -s 0 tmp/combined/etc/machine-id
-for fs in proc sys dev; do
+
-    mount --bind /$fs /tmp/combined/$fs
+if [ -n "$QEMU" ]; then
-done
+    sudo rm tmp/combined${QEMU}
-cat deb-install.sh | chroot /tmp/combined /bin/bash
+fi
 for fs in proc sys dev; do
    umount /tmp/combined/$fs
 done
 truncate -s 0 /tmp/combined/etc/machine-id
 rm -f rootfs.${ARCH}.squashfs
 mkdir -p ../build/lib/container-runtime
-mksquashfs /tmp/combined rootfs.${ARCH}.squashfs
+sudo mksquashfs tmp/combined rootfs.${ARCH}.squashfs
 sudo umount tmp/combined
 sudo umount tmp/lower
 sudo rm -rf tmp
--- a/core/.gitignore
+++ b/core/.gitignore
@@ -8,4 +8,4 @@ secrets.db
 .env
 .editorconfig
 proptest-regressions/**/*
-/bindings/*
+/startos/bindings/*
--- a/core/Cargo.lock
+++ b/core/Cargo.lock
--- a/core/Cargo.toml
+++ b/core/Cargo.toml
@@ -1,292 +1,3 @@
-[package]
+[workspace]
 authors = ["Aiden McClelland <me@drbonez.dev>"]
 description = "The core of StartOS"
 documentation = "https://docs.rs/start-os"
 edition = "2024"
 keywords = [
  "bitcoin",
  "full-node",
  "lightning",
  "privacy",
  "raspberry-pi",
  "self-hosted",
 ]
 license = "MIT"
 name = "start-os"
 readme = "README.md"
 repository = "https://github.com/Start9Labs/start-os"
 version = "0.4.0-alpha.19" # VERSION_BUMP
-[lib]
+members = ["helpers", "models", "startos"]
 name = "startos"
 path = "src/lib.rs"
 [[bin]]
 name = "startbox"
 path = "src/main/startbox.rs"
 [[bin]]
 name = "start-cli"
 path = "src/main/start-cli.rs"
 [[bin]]
 name = "start-container"
 path = "src/main/start-container.rs"
 [[bin]]
 name = "registrybox"
 path = "src/main/registrybox.rs"
 [[bin]]
 name = "tunnelbox"
 path = "src/main/tunnelbox.rs"
 [features]
 arti = [
  "arti-client",
  "safelog",
  "tor-cell",
  "tor-hscrypto",
  "tor-hsservice",
  "tor-keymgr",
  "tor-llcrypto",
  "tor-proto",
  "tor-rtcompat",
 ]
 beta = []
 console = ["console-subscriber", "tokio/tracing"]
 default = []
 dev = []
 test = []
 unstable = ["backtrace-on-stack-overflow"]
 [dependencies]
 aes = { version = "0.7.5", features = ["ctr"] }
 arti-client = { version = "0.33", features = [
  "compression",
  "ephemeral-keystore",
  "experimental-api",
  "onion-service-client",
  "onion-service-service",
  "rustls",
  "static",
  "tokio",
 ], default-features = false, git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 async-acme = { version = "0.6.0", git = "https://github.com/dr-bonez/async-acme.git", features = [
  "use_rustls",
  "use_tokio",
 ] }
 async-compression = { version = "0.4.32", features = [
  "brotli",
  "gzip",
  "tokio",
  "zstd",
 ] }
 async-stream = "0.3.5"
 async-trait = "0.1.74"
 axum = { version = "0.8.4", features = ["ws", "http2"] }
 backtrace-on-stack-overflow = { version = "0.3.0", optional = true }
 base32 = "0.5.0"
 base64 = "0.22.1"
 base64ct = "1.6.0"
 basic-cookies = "0.1.4"
 blake3 = { version = "1.5.0", features = ["mmap", "rayon"] }
 bytes = "1"
 chrono = { version = "0.4.31", features = ["serde"] }
 clap = { version = "4.4.12", features = ["string"] }
 color-eyre = "0.6.2"
 console = "0.16.2"
 console-subscriber = { version = "0.5.0", optional = true }
 const_format = "0.2.34"
 cookie = "0.18.0"
 cookie_store = "0.22.0"
 curve25519-dalek = "4.1.3"
 der = { version = "0.7.9", features = ["derive", "pem"] }
 digest = "0.10.7"
 divrem = "1.0.0"
 dns-lookup = "3.0.1"
 ed25519 = { version = "2.2.3", features = ["alloc", "pem", "pkcs8"] }
 ed25519-dalek = { version = "2.2.0", features = [
  "digest",
  "hazmat",
  "pkcs8",
  "rand_core",
  "serde",
  "zeroize",
 ] }
 ed25519-dalek-v1 = { package = "ed25519-dalek", version = "1" }
 exver = { version = "0.2.0", git = "https://github.com/Start9Labs/exver-rs.git", features = [
  "serde",
 ] }
 fd-lock-rs = "0.1.4"
 form_urlencoded = "1.2.1"
 futures = "0.3.28"
 gpt = "4.1.0"
 hex = "0.4.3"
 hickory-server = { version = "0.25.2", features = ["resolver"] }
 hmac = "0.12.1"
 http = "1.0.0"
 http-body-util = "0.1"
 hyper = { version = "1.5", features = ["http1", "http2", "server"] }
 hyper-util = { version = "0.1.10", features = [
  "http1",
  "http2",
  "server",
  "server-auto",
  "server-graceful",
  "service",
  "tokio",
 ] }
 id-pool = { version = "0.2.2", default-features = false, features = [
  "serde",
  "u16",
 ] }
 iddqd = "0.3.14"
 imbl = { version = "6", features = ["serde", "small-chunks"] }
 imbl-value = { version = "0.4.3", features = ["ts-rs"] }
 include_dir = { version = "0.7.3", features = ["metadata"] }
 indexmap = { version = "2.0.2", features = ["serde"] }
 indicatif = { version = "0.18.3", features = ["tokio"] }
 inotify = "0.11.0"
 integer-encoding = { version = "4.0.0", features = ["tokio_async"] }
 ipnet = { version = "2.8.0", features = ["serde"] }
 isocountry = "0.3.2"
 itertools = "0.14.0"
 jaq-core = "0.10.1"
 jaq-std = "0.10.0"
 josekit = "0.10.3"
 jsonpath_lib = { git = "https://github.com/Start9Labs/jsonpath.git" }
 lazy_async_pool = "0.3.3"
 lazy_format = "2.0"
 lazy_static = "1.4.0"
 lettre = { version = "0.11.18", default-features = false, features = [
  "aws-lc-rs",
  "builder",
  "hostname",
  "pool",
  "rustls-platform-verifier",
  "smtp-transport",
  "tokio1-rustls",
 ] }
 libc = "0.2.149"
 log = "0.4.20"
 mbrman = "0.6.0"
 miette = { version = "7.6.0", features = ["fancy"] }
 mio = "1"
 new_mime_guess = "4"
 nix = { version = "0.30.1", features = [
  "fs",
  "hostname",
  "mount",
  "net",
  "process",
  "sched",
  "signal",
  "user",
 ] }
 nom = "8.0.0"
 num = "0.4.1"
 num_cpus = "1.16.0"
 num_enum = "0.7.0"
 once_cell = "1.19.0"
 openssh-keys = "0.6.2"
 openssl = { version = "0.10.57", features = ["vendored"] }
 p256 = { version = "0.13.2", features = ["pem"] }
 patch-db = { version = "*", path = "../patch-db/patch-db", features = [
  "trace",
 ] }
 pbkdf2 = "0.12.2"
 pin-project = "1.1.3"
 pkcs8 = { version = "0.10.2", features = ["std"] }
 prettytable-rs = "0.10.0"
 proptest = "1.3.1"
 proptest-derive = "0.7.0"
 qrcode = "0.14.1"
 r3bl_tui = "0.7.6"
 rand = "0.9.2"
 regex = "1.10.2"
 reqwest = { version = "0.12.25", features = [
  "json",
  "socks",
  "stream",
  "http2",
 ] }
 reqwest_cookie_store = "0.9.0"
 rpassword = "7.2.0"
 rust-argon2 = "3.0.0"
 rust-i18n = "3.1.5"
 rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git" }
 safelog = { version = "0.4.8", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 semver = { version = "1.0.20", features = ["serde"] }
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_cbor = { package = "ciborium", version = "0.2.1" }
 serde_json = "1.0"
 serde_toml = { package = "toml", version = "0.9.9+spec-1.0.0" }
 serde_yaml = { package = "serde_yml", version = "0.0.12" }
 sha-crypt = "0.5.0"
 sha2 = "0.10.2"
 signal-hook = "0.3.17"
 socket2 = { version = "0.6.0", features = ["all"] }
 socks5-impl = { version = "0.7.2", features = ["client", "server"] }
 sqlx = { version = "0.8.6", features = [
  "postgres",
  "runtime-tokio-rustls",
 ], default-features = false }
 sscanf = "0.4.1"
 ssh-key = { version = "0.6.2", features = ["ed25519"] }
 tar = "0.4.40"
 termion = "4.0.5"
 textwrap = "0.16.1"
 thiserror = "2.0.12"
 tokio = { version = "1.38.1", features = ["full"] }
 tokio-rustls = "0.26.4"
 tokio-stream = { version = "0.1.14", features = ["io-util", "net", "sync"] }
 tokio-tar = { git = "https://github.com/dr-bonez/tokio-tar.git" }
 tokio-tungstenite = { version = "0.26.2", features = ["native-tls", "url"] }
 tokio-util = { version = "0.7.9", features = ["io"] }
 tor-cell = { version = "0.33", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 tor-hscrypto = { version = "0.33", features = [
  "full",
 ], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 tor-hsservice = { version = "0.33", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 tor-keymgr = { version = "0.33", features = [
  "ephemeral-keystore",
 ], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 tor-llcrypto = { version = "0.33", features = [
  "full",
 ], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 tor-proto = { version = "0.33", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 tor-rtcompat = { version = "0.33", features = [
  "rustls",
  "tokio",
 ], git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 torut = "0.2.1"
 tower-service = "0.3.3"
 tracing = "0.1.39"
 tracing-error = "0.2.0"
 tracing-journald = "0.3.0"
 tracing-subscriber = { version = "=0.3.19", features = ["env-filter"] }
 ts-rs = "9.0.1"
 typed-builder = "0.23.2"
 url = { version = "2.4.1", features = ["serde"] }
 uuid = { version = "1.4.1", features = ["v4"] }
 visit-rs = "0.1.1"
 x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 zbus = "5.1.1"
 hashing-serializer = "0.1.1"
 [target.'cfg(target_os = "linux")'.dependencies]
 procfs = "0.18.0"
 pty-process = "0.5.1"
 [profile.test]
 opt-level = 3
 [profile.dev]
 opt-level = 3
 [profile.dev.package.backtrace]
 opt-level = 3
 [profile.dev.package.sqlx-macros]
 opt-level = 3
--- a/core/Cross.toml
+++ b/core/Cross.toml
@@ -1,2 +0,0 @@
 [build]
 pre-build = ["apt-get update && apt-get install -y rsync"]
--- a/core/build-cli.sh
+++ b/core/build-cli.sh
@@ -0,0 +1,54 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 set -ea
 shopt -s expand_aliases
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 if [ -z "$KERNEL_NAME" ]; then
 	KERNEL_NAME=$(uname -s)
 fi
 if [ -z "$TARGET" ]; then
 	if [ "$KERNEL_NAME" = "Linux" ]; then
 		TARGET="$ARCH-unknown-linux-musl"
 	elif [ "$KERNEL_NAME" = "Darwin" ]; then
 		TARGET="$ARCH-apple-darwin"
 	else
 		>&2 echo "unknown kernel $KERNEL_NAME"
 		exit 1
 	fi
 fi
 USE_TTY=
 if tty -s; then
 	USE_TTY="-it"
 fi
 cd ..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 if which zig > /dev/null && [ "$ENFORCE_USE_DOCKER" != 1 ]; do
 	echo "FEATURES=\"$FEATURES\""
 	echo "RUSTFLAGS=\"$RUSTFLAGS\""
 	RUSTFLAGS=$RUSTFLAGS sh -c "cd core && cargo zigbuild --release --no-default-features --features cli,$FEATURES --locked --bin start-cli --target=$TARGET"
 else
 	alias 'rust-zig-builder'='docker run $USE_TTY --rm -e "RUSTFLAGS=$RUSTFLAGS" -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$HOME/.cargo/git":/root/.cargo/git -v "$(pwd)":/home/rust/src -w /home/rust/src -P messense/cargo-zigbuild'
 	RUSTFLAGS=$RUSTFLAGS rust-zig-builder sh -c "cd core && cargo zigbuild --release --no-default-features --features cli,$FEATURES --locked --bin start-cli --target=$TARGET"
 	if [ "$(ls -nd core/target/$TARGET/release/start-cli | awk '{ print $3 }')" != "$UID" ]; then
 		rust-zig-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 	fi
 fi
--- a/core/build-containerbox.sh
+++ b/core/build-containerbox.sh
@@ -0,0 +1,36 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 set -ea
 shopt -s expand_aliases
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 USE_TTY=
 if tty -s; then
 	USE_TTY="-it"
 fi
 cd ..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 source ./core/builder-alias.sh
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-musl-builder sh -c "cd core && cargo build --release --no-default-features --features cli-container,$FEATURES --locked --bin containerbox --target=$ARCH-unknown-linux-musl"
 if [ "$(ls -nd core/target/$ARCH-unknown-linux-musl/release/containerbox | awk '{ print $3 }')" != "$UID" ]; then
 	rust-musl-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-registrybox.sh
+++ b/core/build-registrybox.sh
@@ -0,0 +1,36 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 set -ea
 shopt -s expand_aliases
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 USE_TTY=
 if tty -s; then
 	USE_TTY="-it"
 fi
 cd ..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 source ./core/builder-alias.sh
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-musl-builder sh -c "cd core && cargo build --release --no-default-features --features cli-registry,registry,$FEATURES --locked --bin registrybox --target=$ARCH-unknown-linux-musl"
 if [ "$(ls -nd core/target/$ARCH-unknown-linux-musl/release/registrybox | awk '{ print $3 }')" != "$UID" ]; then
 	rust-musl-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-startbox.sh
+++ b/core/build-startbox.sh
@@ -0,0 +1,41 @@
 #!/bin/bash
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 fi
 cd "$(dirname "${BASH_SOURCE[0]}")"
 set -ea
 shopt -s expand_aliases
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 USE_TTY=
 if tty -s; then
 	USE_TTY="-it"
 fi
 cd ..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 source ./core/builder-alias.sh
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-musl-builder sh -c "cd core && cargo build $BUILD_FLAGS --no-default-features --features cli,startd,$FEATURES --locked --bin startbox --target=$ARCH-unknown-linux-musl"
 if [ "$(ls -nd core/target/$ARCH-unknown-linux-musl/${PROFILE}/startbox | awk '{ print $3 }')" != "$UID" ]; then
 	rust-musl-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-ts.sh
+++ b/core/build-ts.sh
@@ -0,0 +1,36 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 set -ea
 shopt -s expand_aliases
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 USE_TTY=
 if tty -s; then
 	USE_TTY="-it"
 fi
 cd ..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 source ./core/builder-alias.sh
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-musl-builder sh -c "cd core && cargo test --release --features=test,$FEATURES 'export_bindings_' && chown \$UID:\$UID startos/bindings"
 if [ "$(ls -nd core/startos/bindings | awk '{ print $3 }')" != "$UID" ]; then
 	rust-musl-builder sh -c "cd core && chown -R $UID:$UID startos/bindings && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-tunnelbox.sh
+++ b/core/build-tunnelbox.sh
@@ -0,0 +1,36 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 set -ea
 shopt -s expand_aliases
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 USE_TTY=
 if tty -s; then
 	USE_TTY="-it"
 fi
 cd ..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)unstable($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 source ./core/builder-alias.sh
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-musl-builder sh -c "cd core && cargo build --release --no-default-features --features cli-tunnel,tunnel,$FEATURES --locked --bin tunnelbox --target=$ARCH-unknown-linux-musl"
 if [ "$(ls -nd core/target/$ARCH-unknown-linux-musl/release/tunnelbox | awk '{ print $3 }')" != "$UID" ]; then
 	rust-musl-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build/build-cli.sh
+++ b/core/build/build-cli.sh
@@ -1,79 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 INSTALL=false
 while [[ $# -gt 0 ]]; do
  case $1 in
    --install)
      INSTALL=true
      shift
      ;;
    *)
      >&2 echo "Unknown option: $1"
      exit 1
      ;;
  esac
 done
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug" ]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "${ARCH:-}" ]; then
  ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
 if [ -z "${KERNEL_NAME:-}" ]; then
  KERNEL_NAME=$(uname -s)
 fi
 if [ -z "${TARGET:-}" ]; then
  if [ "$KERNEL_NAME" = "Linux" ]; then
    TARGET="$RUST_ARCH-unknown-linux-musl"
  elif [ "$KERNEL_NAME" = "Darwin" ]; then
    TARGET="$RUST_ARCH-apple-darwin"
  else
    >&2 echo "unknown kernel $KERNEL_NAME"
    exit 1
  fi
 fi
 cd ../..
 FEATURES="$(echo "${ENVIRONMENT:-}" | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT:-}" =~ (^|-)console($|-) ]]; then
  RUSTFLAGS="--cfg tokio_unstable"
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin start-cli --target=$TARGET
 if [ "$(ls -nd "core/target/$TARGET/$PROFILE/start-cli" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID  /usr/local/cargo"
 fi
 if [ "$INSTALL" = "true" ]; then
  cp "core/target/$TARGET/$PROFILE/start-cli" ~/.cargo/bin/start-cli
 fi
--- a/core/build/build-registrybox.sh
+++ b/core/build/build-registrybox.sh
@@ -1,46 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
 cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/registrybox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID  /usr/local/cargo"
 fi
--- a/core/build/build-start-container.sh
+++ b/core/build/build-start-container.sh
@@ -1,46 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
 cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin start-container --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/start-container" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /usr/local/cargo"
 fi
--- a/core/build/build-startbox.sh
+++ b/core/build/build-startbox.sh
@@ -1,46 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
 cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/startbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID  /usr/local/cargo"
 fi
--- a/core/build/build-ts.sh
+++ b/core/build/build-ts.sh
@@ -1,44 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
 	ARCH="aarch64"
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
 	RUST_ARCH="riscv64gc"
 fi
 cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features test,$FEATURES --locked 'export_bindings_'
 if [ "$(ls -nd "core/bindings" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID core/bindings && chown -R $UID:$UID  /usr/local/cargo"
 fi
--- a/core/build/build-tunnelbox.sh
+++ b/core/build/build-tunnelbox.sh
@@ -1,46 +0,0 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
 	ARCH=$(uname -m)
 fi
 if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
 cd ../..
 FEATURES="$(echo $ENVIRONMENT | sed 's/-/,/g')"
 RUSTFLAGS=""
 if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
 rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/tunnelbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID  /usr/local/cargo"
 fi
--- a/core/build/builder-alias.sh
+++ b/core/build/builder-alias.sh
@@ -1,8 +0,0 @@
 #!/bin/bash
 USE_TTY=
 if tty -s; then
  USE_TTY="-it"
 fi
 alias 'rust-zig-builder'='docker run '"$USE_TTY"' --rm -e "RUSTFLAGS=$RUSTFLAGS" -e "PKG_CONFIG_SYSROOT_DIR=/opt/sysroot/$ARCH" -e PKG_CONFIG_PATH="" -e PKG_CONFIG_LIBDIR="/opt/sysroot/$ARCH/usr/lib/pkgconfig" -e "AWS_LC_SYS_CMAKE_TOOLCHAIN_FILE_riscv64gc_unknown_linux_musl=/root/cmake-overrides/toolchain-riscv64-musl-clang.cmake" -e SCCACHE_GHA_ENABLED -e SCCACHE_GHA_VERSION -e ACTIONS_RESULTS_URL -e ACTIONS_RUNTIME_TOKEN -v "$HOME/.cargo/registry":/usr/local/cargo/registry -v "$HOME/.cargo/git":/usr/local/cargo/git -v "$HOME/.cache/sccache":/root/.cache/sccache -v "$HOME/.cache/cargo-zigbuild:/root/.cache/cargo-zigbuild" -v "$(pwd)":/workdir -w /workdir start9/cargo-zigbuild'
--- a/core/builder-alias.sh
+++ b/core/builder-alias.sh
@@ -0,0 +1,3 @@
 #!/bin/bash
 alias 'rust-musl-builder'='docker run $USE_TTY --rm -e "RUSTFLAGS=$RUSTFLAGS" -e SCCACHE_GHA_ENABLED -e SCCACHE_GHA_VERSION -e ACTIONS_RESULTS_URL -e ACTIONS_RUNTIME_TOKEN -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$HOME/.cargo/git":/root/.cargo/git -v "$HOME/.cache/sccache":/root/.cache/sccache -v "$(pwd)":/home/rust/src -w /home/rust/src -P start9/rust-musl-cross:$ARCH-musl'
--- a/core/helpers/Cargo.toml
+++ b/core/helpers/Cargo.toml
@@ -0,0 +1,19 @@
 [package]
 name = "helpers"
 version = "0.1.0"
 edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
 color-eyre = "0.6.2"
 futures = "0.3.28"
 lazy_async_pool = "0.3.3"
 models = { path = "../models" }
 pin-project = "1.1.3"
 rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git", branch = "master" }
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
 tokio = { version = "1", features = ["full"] }
 tokio-stream = { version = "0.1.14", features = ["io-util", "sync"] }
 tracing = "0.1.39"
--- a/core/helpers/src/byte_replacement_reader.rs
+++ b/core/helpers/src/byte_replacement_reader.rs
@@ -0,0 +1,31 @@
 use std::task::Poll;
 use tokio::io::{AsyncRead, ReadBuf};
 #[pin_project::pin_project]
 pub struct ByteReplacementReader<R> {
    pub replace: u8,
    pub with: u8,
    #[pin]
    pub inner: R,
 }
 impl<R: AsyncRead> AsyncRead for ByteReplacementReader<R> {
    fn poll_read(
        self: std::pin::Pin<&mut Self>,
        cx: &mut std::task::Context<'_>,
        buf: &mut ReadBuf<'_>,
    ) -> std::task::Poll<std::io::Result<()>> {
        let this = self.project();
        match this.inner.poll_read(cx, buf) {
            Poll::Ready(Ok(())) => {
                for idx in 0..buf.filled().len() {
                    if buf.filled()[idx] == *this.replace {
                        buf.filled_mut()[idx] = *this.with;
                    }
                }
                Poll::Ready(Ok(()))
            }
            a => a,
        }
    }
 }
--- a/core/helpers/src/lib.rs
+++ b/core/helpers/src/lib.rs
@@ -0,0 +1,262 @@
 use std::future::Future;
 use std::ops::{Deref, DerefMut};
 use std::path::{Path, PathBuf};
 use std::time::Duration;
 use color_eyre::eyre::{eyre, Context, Error};
 use futures::future::BoxFuture;
 use futures::FutureExt;
 use models::ResultExt;
 use tokio::fs::File;
 use tokio::sync::oneshot;
 use tokio::task::{JoinError, JoinHandle, LocalSet};
 mod byte_replacement_reader;
 mod rsync;
 mod script_dir;
 pub use byte_replacement_reader::*;
 pub use rsync::*;
 pub use script_dir::*;
 pub fn const_true() -> bool {
    true
 }
 pub fn to_tmp_path(path: impl AsRef<Path>) -> Result<PathBuf, Error> {
    let path = path.as_ref();
    if let (Some(parent), Some(file_name)) =
        (path.parent(), path.file_name().and_then(|f| f.to_str()))
    {
        Ok(parent.join(format!(".{}.tmp", file_name)))
    } else {
        Err(eyre!("invalid path: {}", path.display()))
    }
 }
 pub async fn canonicalize(
    path: impl AsRef<Path> + Send + Sync,
    create_parent: bool,
 ) -> Result<PathBuf, Error> {
    fn create_canonical_folder<'a>(
        path: impl AsRef<Path> + Send + Sync + 'a,
    ) -> BoxFuture<'a, Result<PathBuf, Error>> {
        async move {
            let path = canonicalize(path, true).await?;
            tokio::fs::create_dir(&path)
                .await
                .with_context(|| path.display().to_string())?;
            Ok(path)
        }
        .boxed()
    }
    let path = path.as_ref();
    if tokio::fs::metadata(path).await.is_err() {
        let parent = path.parent().unwrap_or(Path::new("."));
        if let Some(file_name) = path.file_name() {
            if create_parent && tokio::fs::metadata(parent).await.is_err() {
                return Ok(create_canonical_folder(parent).await?.join(file_name));
            } else {
                return Ok(tokio::fs::canonicalize(parent)
                    .await
                    .with_context(|| parent.display().to_string())?
                    .join(file_name));
            }
        }
    }
    tokio::fs::canonicalize(&path)
        .await
        .with_context(|| path.display().to_string())
 }
 #[pin_project::pin_project(PinnedDrop)]
 pub struct NonDetachingJoinHandle<T>(#[pin] JoinHandle<T>);
 impl<T> NonDetachingJoinHandle<T> {
    pub async fn wait_for_abort(self) -> Result<T, JoinError> {
        self.abort();
        self.await
    }
 }
 impl<T> From<JoinHandle<T>> for NonDetachingJoinHandle<T> {
    fn from(t: JoinHandle<T>) -> Self {
        NonDetachingJoinHandle(t)
    }
 }
 impl<T> Deref for NonDetachingJoinHandle<T> {
    type Target = JoinHandle<T>;
    fn deref(&self) -> &Self::Target {
        &self.0
    }
 }
 impl<T> DerefMut for NonDetachingJoinHandle<T> {
    fn deref_mut(&mut self) -> &mut Self::Target {
        &mut self.0
    }
 }
 #[pin_project::pinned_drop]
 impl<T> PinnedDrop for NonDetachingJoinHandle<T> {
    fn drop(self: std::pin::Pin<&mut Self>) {
        let this = self.project();
        this.0.into_ref().get_ref().abort()
    }
 }
 impl<T> Future for NonDetachingJoinHandle<T> {
    type Output = Result<T, JoinError>;
    fn poll(
        self: std::pin::Pin<&mut Self>,
        cx: &mut std::task::Context<'_>,
    ) -> std::task::Poll<Self::Output> {
        let this = self.project();
        this.0.poll(cx)
    }
 }
 pub struct AtomicFile {
    tmp_path: PathBuf,
    path: PathBuf,
    file: Option<File>,
 }
 impl AtomicFile {
    pub async fn new(
        path: impl AsRef<Path> + Send + Sync,
        tmp_path: Option<impl AsRef<Path> + Send + Sync>,
    ) -> Result<Self, Error> {
        let path = canonicalize(&path, true).await?;
        let tmp_path = if let Some(tmp_path) = tmp_path {
            canonicalize(&tmp_path, true).await?
        } else {
            to_tmp_path(&path)?
        };
        let file = File::create(&tmp_path)
            .await
            .with_context(|| tmp_path.display().to_string())?;
        Ok(Self {
            tmp_path,
            path,
            file: Some(file),
        })
    }
    pub async fn rollback(mut self) -> Result<(), Error> {
        drop(self.file.take());
        tokio::fs::remove_file(&self.tmp_path)
            .await
            .with_context(|| format!("rm {}", self.tmp_path.display()))?;
        Ok(())
    }
    pub async fn save(mut self) -> Result<(), Error> {
        use tokio::io::AsyncWriteExt;
        if let Some(file) = self.file.as_mut() {
            file.flush().await?;
            file.shutdown().await?;
            file.sync_all().await?;
        }
        drop(self.file.take());
        tokio::fs::rename(&self.tmp_path, &self.path)
            .await
            .with_context(|| {
                format!("mv {} -> {}", self.tmp_path.display(), self.path.display())
            })?;
        Ok(())
    }
 }
 impl std::ops::Deref for AtomicFile {
    type Target = File;
    fn deref(&self) -> &Self::Target {
        self.file.as_ref().unwrap()
    }
 }
 impl std::ops::DerefMut for AtomicFile {
    fn deref_mut(&mut self) -> &mut Self::Target {
        self.file.as_mut().unwrap()
    }
 }
 impl Drop for AtomicFile {
    fn drop(&mut self) {
        if let Some(file) = self.file.take() {
            drop(file);
            let path = std::mem::take(&mut self.tmp_path);
            tokio::spawn(async move { tokio::fs::remove_file(path).await.log_err() });
        }
    }
 }
 pub struct TimedResource<T: 'static + Send> {
    handle: NonDetachingJoinHandle<Option<T>>,
    ready: oneshot::Sender<()>,
 }
 impl<T: 'static + Send> TimedResource<T> {
    pub fn new(resource: T, timer: Duration) -> Self {
        let (send, recv) = oneshot::channel();
        let handle = tokio::spawn(async move {
            tokio::select! {
                _ = tokio::time::sleep(timer) => {
                    drop(resource);
                    None
                },
                _ = recv => Some(resource),
            }
        });
        Self {
            handle: handle.into(),
            ready: send,
        }
    }
    pub fn new_with_destructor<
        Fn: FnOnce(T) -> Fut + Send + 'static,
        Fut: Future<Output = ()> + Send,
    >(
        resource: T,
        timer: Duration,
        destructor: Fn,
    ) -> Self {
        let (send, recv) = oneshot::channel();
        let handle = tokio::spawn(async move {
            tokio::select! {
                _ = tokio::time::sleep(timer) => {
                    destructor(resource).await;
                    None
                },
                _ = recv => Some(resource),
            }
        });
        Self {
            handle: handle.into(),
            ready: send,
        }
    }
    pub async fn get(self) -> Option<T> {
        let _ = self.ready.send(());
        self.handle.await.unwrap()
    }
    pub fn is_timed_out(&self) -> bool {
        self.ready.is_closed()
    }
 }
 pub async fn spawn_local<
    T: 'static + Send,
    F: FnOnce() -> Fut + Send + 'static,
    Fut: Future<Output = T> + 'static,
 >(
    fut: F,
 ) -> NonDetachingJoinHandle<T> {
    let (send, recv) = tokio::sync::oneshot::channel();
    std::thread::spawn(move || {
        tokio::runtime::Builder::new_current_thread()
            .enable_all()
            .build()
            .unwrap()
            .block_on(async move {
                let set = LocalSet::new();
                send.send(set.spawn_local(fut()).into())
                    .unwrap_or_else(|_| unreachable!());
                set.await
            })
    });
    recv.await.unwrap()
 }
--- a/core/helpers/src/os_api.rs
+++ b/core/helpers/src/os_api.rs
@@ -0,0 +1,82 @@
 use std::sync::Arc;
 use color_eyre::Report;
 use models::InterfaceId;
 use models::PackageId;
 use serde_json::Value;
 use tokio::sync::mpsc;
 pub struct RuntimeDropped;
 pub struct Callback {
    id: Arc<String>,
    sender: mpsc::UnboundedSender<(Arc<String>, Vec<Value>)>,
 }
 impl Callback {
    pub fn new(id: String, sender: mpsc::UnboundedSender<(Arc<String>, Vec<Value>)>) -> Self {
        Self {
            id: Arc::new(id),
            sender,
        }
    }
    pub fn is_listening(&self) -> bool {
        self.sender.is_closed()
    }
    pub fn call(&self, args: Vec<Value>) -> Result<(), RuntimeDropped> {
        self.sender
            .send((self.id.clone(), args))
            .map_err(|_| RuntimeDropped)
    }
 }
 #[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct AddressSchemaOnion {
    pub id: InterfaceId,
    pub external_port: u16,
 }
 #[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct AddressSchemaLocal {
    pub id: InterfaceId,
    pub external_port: u16,
 }
 #[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct Address(pub String);
 #[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct Domain;
 #[derive(serde::Deserialize, serde::Serialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct Name;
 #[async_trait::async_trait]
 #[allow(unused_variables)]
 pub trait OsApi: Send + Sync + 'static {
    async fn get_service_config(
        &self,
        id: PackageId,
        path: &str,
        callback: Option<Callback>,
    ) -> Result<Vec<Value>, Report>;
    async fn bind_local(
        &self,
        internal_port: u16,
        address_schema: AddressSchemaLocal,
    ) -> Result<Address, Report>;
    async fn bind_onion(
        &self,
        internal_port: u16,
        address_schema: AddressSchemaOnion,
    ) -> Result<Address, Report>;
    async fn unbind_local(&self, id: InterfaceId, external: u16) -> Result<(), Report>;
    async fn unbind_onion(&self, id: InterfaceId, external: u16) -> Result<(), Report>;
    fn set_started(&self) -> Result<(), Report>;
    async fn restart(&self) -> Result<(), Report>;
    async fn start(&self) -> Result<(), Report>;
    async fn stop(&self) -> Result<(), Report>;
 }
--- a/core/helpers/src/rsync.rs
+++ b/core/helpers/src/rsync.rs
@@ -2,15 +2,13 @@ use std::path::Path;
 use color_eyre::eyre::eyre;
 use futures::StreamExt;
 use models::{Error, ErrorKind};
 use tokio::io::{AsyncBufReadExt, AsyncReadExt, BufReader};
 use tokio::process::{Child, Command};
 use tokio::sync::watch;
 use tokio_stream::wrappers::WatchStream;
-use crate::util::future::NonDetachingJoinHandle;
+use crate::{const_true, ByteReplacementReader, NonDetachingJoinHandle};
 use crate::util::io::ByteReplacementReader;
 use crate::util::serde::const_true;
 use crate::{Error, ErrorKind};
 #[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "camelCase")]
@@ -87,7 +85,7 @@ impl Rsync {
                return Err(Error::new(
                    eyre!("rsync command stdout is none"),
                    ErrorKind::Filesystem,
-                ));
+                ))
            }
            Some(a) => a,
        };
@@ -96,7 +94,7 @@ impl Rsync {
                return Err(Error::new(
                    eyre!("rsync command stderr is none"),
                    ErrorKind::Filesystem,
-                ));
+                ))
            }
            Some(a) => a,
        };
@@ -145,7 +143,7 @@ impl Rsync {
                return Err(Error::new(
                    eyre!("rsync stderr error: {}", err),
                    ErrorKind::Filesystem,
-                ));
+                ))
            }
            Ok(a) => a?,
        };
--- a/core/helpers/src/script_dir.rs
+++ b/core/helpers/src/script_dir.rs
@@ -0,0 +1,17 @@
 use std::path::{Path, PathBuf};
 use models::{PackageId, VersionString};
 pub const PKG_SCRIPT_DIR: &str = "package-data/scripts";
 pub fn script_dir<P: AsRef<Path>>(
    datadir: P,
    pkg_id: &PackageId,
    version: &VersionString,
 ) -> PathBuf {
    datadir
        .as_ref()
        .join(&*PKG_SCRIPT_DIR)
        .join(pkg_id)
        .join(version.as_str())
 }
--- a/core/install-cli.sh
+++ b/core/install-cli.sh
@@ -0,0 +1,19 @@
 #!/bin/bash
 cd "$(dirname "${BASH_SOURCE[0]}")"
 set -ea
 shopt -s expand_aliases
 web="../web/dist/static"
 [ -d "$web" ] || mkdir -p "$web"
 if [ -z "$PLATFORM" ]; then
  PLATFORM=$(uname -m)
 fi
 if [ "$PLATFORM" = "arm64" ]; then
  PLATFORM="aarch64"
 fi
 cargo install --path=./startos --no-default-features --features=cli,docker --bin start-cli --locked
--- a/core/locales/i18n.yaml
+++ b/core/locales/i18n.yaml
--- a/core/models/Cargo.toml
+++ b/core/models/Cargo.toml
@@ -0,0 +1,40 @@
 [package]
 name = "models"
 version = "0.1.0"
 edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
 arti-client = { version = "0.33", default-features = false, git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit" }
 axum = "0.8.4"
 base64 = "0.22.1"
 color-eyre = "0.6.2"
 ed25519-dalek = { version = "2.0.0", features = ["serde"] }
 gpt = "4.1.0"
 lazy_static = "1.4"
 lettre = { version = "0.11", default-features = false }
 mbrman = "0.6.0"
 exver = { version = "0.2.0", git = "https://github.com/Start9Labs/exver-rs.git", features = [
  "serde",
 ] }
 ipnet = "2.8.0"
 num_enum = "0.7.1"
 openssl = { version = "0.10.57", features = ["vendored"] }
 patch-db = { version = "*", path = "../../patch-db/patch-db", features = [
  "trace",
 ] }
 rand = "0.9.1"
 regex = "1.10.2"
 reqwest = "0.12"
 rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git", branch = "master" }
 rustls = "0.23"
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
 ssh-key = "0.6.2"
 ts-rs = "9"
 thiserror = "2.0"
 tokio = { version = "1", features = ["full"] }
 tracing = "0.1.39"
 yasi = { version = "0.1.6", features = ["serde", "ts-rs"] }
 zbus = "5"
--- a/core/models/bindings/ServiceInterfaceId.ts
+++ b/core/models/bindings/ServiceInterfaceId.ts
@@ -1,3 +1,3 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-export type Base64 = string
+export type ServiceInterfaceId = string;
--- a/core/models/src/clap.rs
+++ b/core/models/src/clap.rs
--- a/core/models/src/data_url.rs
+++ b/core/models/src/data_url.rs
@@ -1,41 +1,41 @@
 use std::borrow::Cow;
 use std::path::Path;
 use std::str::FromStr;
 use base64::Engine;
 use color_eyre::eyre::eyre;
 use imbl_value::InternedString;
 use reqwest::header::CONTENT_TYPE;
 use serde::{Deserialize, Serialize};
 use tokio::io::{AsyncRead, AsyncReadExt};
 use ts_rs::TS;
 use yasi::InternedString;
-use crate::util::mime::{mime, unmime};
+use crate::{mime, Error, ErrorKind, ResultExt};
 use crate::{Error, ErrorKind, ResultExt};
-#[derive(Clone, TS, PartialEq, Eq)]
+#[derive(Clone, TS)]
 #[ts(type = "string")]
 pub struct DataUrl<'a> {
-    pub mime: InternedString,
+    mime: InternedString,
-    pub data: Cow<'a, [u8]>,
+    data: Cow<'a, [u8]>,
 }
 impl<'a> DataUrl<'a> {
    pub const DEFAULT_MIME: &'static str = "application/octet-stream";
    pub const MAX_SIZE: u64 = 100 * 1024;
-    fn to_string(&self) -> String {
+    // data:{mime};base64,{data}
    pub fn to_string(&self) -> String {
        use std::fmt::Write;
-        let mut res = String::with_capacity(self.len());
+        let mut res = String::with_capacity(self.data_url_len_without_mime() + self.mime.len());
-        write!(&mut res, "{self}").unwrap();
+        let _ = write!(res, "data:{};base64,", self.mime);
        base64::engine::general_purpose::STANDARD.encode_string(&self.data, &mut res);
        res
    }
-    fn len_without_mime(&self) -> usize {
+    fn data_url_len_without_mime(&self) -> usize {
        5 + 8 + (4 * self.data.len() / 3) + 3
    }
-    pub fn len(&self) -> usize {
+    pub fn data_url_len(&self) -> usize {
-        self.len_without_mime() + self.mime.len()
+        self.data_url_len_without_mime() + self.mime.len()
    }
    pub fn from_slice(mime: &str, data: &'a [u8]) -> Self {
@@ -44,10 +44,6 @@ impl<'a> DataUrl<'a> {
            data: Cow::Borrowed(data),
        }
    }
    pub fn canonical_ext(&self) -> Option<&'static str> {
        unmime(&self.mime)
    }
 }
 impl DataUrl<'static> {
    pub async fn from_reader(
@@ -113,57 +109,12 @@ impl DataUrl<'static> {
    }
 }
 impl<'a> std::fmt::Display for DataUrl<'a> {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(
            f,
            "data:{};base64,{}",
            self.mime,
            base64::display::Base64Display::new(
                &*self.data,
                &base64::engine::general_purpose::STANDARD
            )
        )
    }
 }
 impl<'a> std::fmt::Debug for DataUrl<'a> {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        std::fmt::Display::fmt(self, f)
+        f.write_str(&self.to_string())
    }
 }
 #[derive(Debug)]
 pub struct DataUrlParseError;
 impl std::fmt::Display for DataUrlParseError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "invalid base64 url")
    }
 }
 impl std::error::Error for DataUrlParseError {}
 impl From<DataUrlParseError> for Error {
    fn from(e: DataUrlParseError) -> Self {
        Error::new(e, ErrorKind::ParseUrl)
    }
 }
 impl FromStr for DataUrl<'static> {
    type Err = DataUrlParseError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        s.strip_prefix("data:")
            .and_then(|v| v.split_once(";base64,"))
            .and_then(|(mime, data)| {
                Some(DataUrl {
                    mime: InternedString::intern(mime),
                    data: Cow::Owned(
                        base64::engine::general_purpose::STANDARD
                            .decode(data)
                            .ok()?,
                    ),
                })
            })
            .ok_or(DataUrlParseError)
    }
 }
 impl<'de> Deserialize<'de> for DataUrl<'static> {
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
    where
@@ -179,9 +130,21 @@ impl<'de> Deserialize<'de> for DataUrl<'static> {
            where
                E: serde::de::Error,
            {
-                v.parse().map_err(|_| {
+                v.strip_prefix("data:")
-                    E::invalid_value(serde::de::Unexpected::Str(v), &"a valid base64 data url")
+                    .and_then(|v| v.split_once(";base64,"))
-                })
+                    .and_then(|(mime, data)| {
                        Some(DataUrl {
                            mime: InternedString::intern(mime),
                            data: Cow::Owned(
                                base64::engine::general_purpose::STANDARD
                                    .decode(data)
                                    .ok()?,
                            ),
                        })
                    })
                    .ok_or_else(|| {
                        E::invalid_value(serde::de::Unexpected::Str(v), &"a valid base64 data url")
                    })
            }
        }
        deserializer.deserialize_any(Visitor)
@@ -205,6 +168,6 @@ fn doesnt_reallocate() {
            mime: InternedString::intern("png"),
            data: Cow::Borrowed(&random[..i]),
        };
-        assert_eq!(icon.to_string().capacity(), icon.len());
+        assert_eq!(icon.to_string().capacity(), icon.data_url_len());
    }
 }
--- a/core/models/src/errors.rs
+++ b/core/models/src/errors.rs
@@ -1,22 +1,18 @@
 use std::fmt::{Debug, Display};
 use axum::http::StatusCode;
 use axum::http::uri::InvalidUri;
 use axum::http::StatusCode;
 use color_eyre::eyre::eyre;
 use num_enum::TryFromPrimitive;
-use patch_db::Value;
+use patch_db::Revision;
 use rpc_toolkit::reqwest;
 use rpc_toolkit::yajrc::{
-    INVALID_PARAMS_ERROR, INVALID_REQUEST_ERROR, METHOD_NOT_FOUND_ERROR, PARSE_ERROR, RpcError,
+    RpcError, INVALID_PARAMS_ERROR, INVALID_REQUEST_ERROR, METHOD_NOT_FOUND_ERROR, PARSE_ERROR,
 };
 use rust_i18n::t;
 use serde::{Deserialize, Serialize};
 use tokio::task::JoinHandle;
 use tokio_rustls::rustls;
 use ts_rs::TS;
 use crate::InvalidId;
 use crate::prelude::to_value;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, TryFromPrimitive)]
 #[repr(i32)]
@@ -99,146 +95,129 @@ pub enum ErrorKind {
    InstallFailed = 76,
    UpdateFailed = 77,
    Smtp = 78,
    SetSysInfo = 79,
 }
 impl ErrorKind {
-    pub fn as_str(&self) -> String {
+    pub fn as_str(&self) -> &'static str {
        use ErrorKind::*;
        match self {
-            Unknown => t!("error.unknown"),
+            Unknown => "Unknown Error",
-            Filesystem => t!("error.filesystem"),
+            Filesystem => "Filesystem I/O Error",
-            Docker => t!("error.docker"),
+            Docker => "Docker Error",
-            ConfigSpecViolation => t!("error.config-spec-violation"),
+            ConfigSpecViolation => "Config Spec Violation",
-            ConfigRulesViolation => t!("error.config-rules-violation"),
+            ConfigRulesViolation => "Config Rules Violation",
-            NotFound => t!("error.not-found"),
+            NotFound => "Not Found",
-            IncorrectPassword => t!("error.incorrect-password"),
+            IncorrectPassword => "Incorrect Password",
-            VersionIncompatible => t!("error.version-incompatible"),
+            VersionIncompatible => "Version Incompatible",
-            Network => t!("error.network"),
+            Network => "Network Error",
-            Registry => t!("error.registry"),
+            Registry => "Registry Error",
-            Serialization => t!("error.serialization"),
+            Serialization => "Serialization Error",
-            Deserialization => t!("error.deserialization"),
+            Deserialization => "Deserialization Error",
-            Utf8 => t!("error.utf8"),
+            Utf8 => "UTF-8 Parse Error",
-            ParseVersion => t!("error.parse-version"),
+            ParseVersion => "Version Parsing Error",
-            IncorrectDisk => t!("error.incorrect-disk"),
+            IncorrectDisk => "Incorrect Disk",
-            // Nginx => t!("error.nginx"),
+            // Nginx => "Nginx Error",
-            Dependency => t!("error.dependency"),
+            Dependency => "Dependency Error",
-            ParseS9pk => t!("error.parse-s9pk"),
+            ParseS9pk => "S9PK Parsing Error",
-            ParseUrl => t!("error.parse-url"),
+            ParseUrl => "URL Parsing Error",
-            DiskNotAvailable => t!("error.disk-not-available"),
+            DiskNotAvailable => "Disk Not Available",
-            BlockDevice => t!("error.block-device"),
+            BlockDevice => "Block Device Error",
-            InvalidOnionAddress => t!("error.invalid-onion-address"),
+            InvalidOnionAddress => "Invalid Onion Address",
-            Pack => t!("error.pack"),
+            Pack => "Pack Error",
-            ValidateS9pk => t!("error.validate-s9pk"),
+            ValidateS9pk => "S9PK Validation Error",
-            DiskCorrupted => t!("error.disk-corrupted"), // Remove
+            DiskCorrupted => "Disk Corrupted", // Remove
-            Tor => t!("error.tor"),
+            Tor => "Tor Daemon Error",
-            ConfigGen => t!("error.config-gen"),
+            ConfigGen => "Config Generation Error",
-            ParseNumber => t!("error.parse-number"),
+            ParseNumber => "Number Parsing Error",
-            Database => t!("error.database"),
+            Database => "Database Error",
-            InvalidId => t!("error.invalid-id"),
+            InvalidId => "Invalid ID",
-            InvalidSignature => t!("error.invalid-signature"),
+            InvalidSignature => "Invalid Signature",
-            Backup => t!("error.backup"),
+            Backup => "Backup Error",
-            Restore => t!("error.restore"),
+            Restore => "Restore Error",
-            Authorization => t!("error.authorization"),
+            Authorization => "Unauthorized",
-            AutoConfigure => t!("error.auto-configure"),
+            AutoConfigure => "Auto-Configure Error",
-            Action => t!("error.action"),
+            Action => "Action Failed",
-            RateLimited => t!("error.rate-limited"),
+            RateLimited => "Rate Limited",
-            InvalidRequest => t!("error.invalid-request"),
+            InvalidRequest => "Invalid Request",
-            MigrationFailed => t!("error.migration-failed"),
+            MigrationFailed => "Migration Failed",
-            Uninitialized => t!("error.uninitialized"),
+            Uninitialized => "Uninitialized",
-            ParseNetAddress => t!("error.parse-net-address"),
+            ParseNetAddress => "Net Address Parsing Error",
-            ParseSshKey => t!("error.parse-ssh-key"),
+            ParseSshKey => "SSH Key Parsing Error",
-            SoundError => t!("error.sound-error"),
+            SoundError => "Sound Interface Error",
-            ParseTimestamp => t!("error.parse-timestamp"),
+            ParseTimestamp => "Timestamp Parsing Error",
-            ParseSysInfo => t!("error.parse-sys-info"),
+            ParseSysInfo => "System Info Parsing Error",
-            Wifi => t!("error.wifi"),
+            Wifi => "WiFi Internal Error",
-            Journald => t!("error.journald"),
+            Journald => "Journald Error",
-            DiskManagement => t!("error.disk-management"),
+            DiskManagement => "Disk Management Error",
-            OpenSsl => t!("error.openssl"),
+            OpenSsl => "OpenSSL Internal Error",
-            PasswordHashGeneration => t!("error.password-hash-generation"),
+            PasswordHashGeneration => "Password Hash Generation Error",
-            DiagnosticMode => t!("error.diagnostic-mode"),
+            DiagnosticMode => "Server is in Diagnostic Mode",
-            ParseDbField => t!("error.parse-db-field"),
+            ParseDbField => "Database Field Parse Error",
-            Duplicate => t!("error.duplicate"),
+            Duplicate => "Duplication Error",
-            MultipleErrors => t!("error.multiple-errors"),
+            MultipleErrors => "Multiple Errors",
-            Incoherent => t!("error.incoherent"),
+            Incoherent => "Incoherent",
-            InvalidBackupTargetId => t!("error.invalid-backup-target-id"),
+            InvalidBackupTargetId => "Invalid Backup Target ID",
-            ProductKeyMismatch => t!("error.product-key-mismatch"),
+            ProductKeyMismatch => "Incompatible Product Keys",
-            LanPortConflict => t!("error.lan-port-conflict"),
+            LanPortConflict => "Incompatible LAN Port Configuration",
-            Javascript => t!("error.javascript"),
+            Javascript => "Javascript Engine Error",
-            Pem => t!("error.pem"),
+            Pem => "PEM Encoding Error",
-            TLSInit => t!("error.tls-init"),
+            TLSInit => "TLS Backend Initialization Error",
-            Ascii => t!("error.ascii"),
+            Ascii => "ASCII Parse Error",
-            MissingHeader => t!("error.missing-header"),
+            MissingHeader => "Missing Header",
-            Grub => t!("error.grub"),
+            Grub => "Grub Error",
-            Systemd => t!("error.systemd"),
+            Systemd => "Systemd Error",
-            OpenSsh => t!("error.openssh"),
+            OpenSsh => "OpenSSH Error",
-            Zram => t!("error.zram"),
+            Zram => "Zram Error",
-            Lshw => t!("error.lshw"),
+            Lshw => "LSHW Error",
-            CpuSettings => t!("error.cpu-settings"),
+            CpuSettings => "CPU Settings Error",
-            Firmware => t!("error.firmware"),
+            Firmware => "Firmware Error",
-            Timeout => t!("error.timeout"),
+            Timeout => "Timeout Error",
-            Lxc => t!("error.lxc"),
+            Lxc => "LXC Error",
-            Cancelled => t!("error.cancelled"),
+            Cancelled => "Cancelled",
-            Git => t!("error.git"),
+            Git => "Git Error",
-            DBus => t!("error.dbus"),
+            DBus => "DBus Error",
-            InstallFailed => t!("error.install-failed"),
+            InstallFailed => "Install Failed",
-            UpdateFailed => t!("error.update-failed"),
+            UpdateFailed => "Update Failed",
-            Smtp => t!("error.smtp"),
+            Smtp => "SMTP Error",
            SetSysInfo => t!("error.set-sys-info"),
        }
        .to_string()
    }
 }
 impl Display for ErrorKind {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "{}", &self.as_str())
+        write!(f, "{}", self.as_str())
    }
 }
 #[derive(Debug)]
 pub struct Error {
    pub source: color_eyre::eyre::Error,
    pub debug: Option<color_eyre::eyre::Error>,
    pub kind: ErrorKind,
-    pub info: Value,
+    pub revision: Option<Revision>,
    pub task: Option<JoinHandle<()>>,
 }
 impl Display for Error {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "{}: {:#}", &self.kind.as_str(), self.source)
+        write!(f, "{}: {}", self.kind.as_str(), self.source)
    }
 }
 impl Debug for Error {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(
            f,
            "{}: {:?}",
            &self.kind.as_str(),
            self.debug.as_ref().unwrap_or(&self.source)
        )
    }
 }
 impl Error {
-    pub fn new<E: Into<color_eyre::eyre::Error> + std::fmt::Debug + 'static>(
+    pub fn new<E: Into<color_eyre::eyre::Error>>(source: E, kind: ErrorKind) -> Self {
        source: E,
        kind: ErrorKind,
    ) -> Self {
        let debug = (std::any::TypeId::of::<E>()
            == std::any::TypeId::of::<color_eyre::eyre::Error>())
        .then(|| eyre!("{source:?}"));
        Error {
            source: source.into(),
            debug,
            kind,
-            info: Value::Null,
+            revision: None,
            task: None,
        }
    }
    pub fn clone_output(&self) -> Self {
        Error {
-            source: eyre!("{}", self.source),
+            source: ErrorData {
-            debug: self.debug.as_ref().map(|e| eyre!("{e}")),
+                details: format!("{}", self.source),
                debug: format!("{:?}", self.source),
            }
            .into(),
            kind: self.kind,
-            info: self.info.clone(),
+            revision: self.revision.clone(),
            task: None,
        }
    }
@@ -246,10 +225,6 @@ impl Error {
        self.task = Some(task);
        self
    }
    pub fn with_info(mut self, info: Value) -> Self {
        self.info = info;
        self
    }
    pub async fn wait(mut self) -> Self {
        if let Some(task) = &mut self.task {
            task.await.log_err();
@@ -370,17 +345,11 @@ impl From<reqwest::Error> for Error {
        Error::new(e, kind)
    }
 }
 #[cfg(feature = "arti")]
 impl From<arti_client::Error> for Error {
    fn from(e: arti_client::Error) -> Self {
        Error::new(e, ErrorKind::Tor)
    }
 }
 impl From<torut::control::ConnError> for Error {
    fn from(e: torut::control::ConnError) -> Self {
        Error::new(e, ErrorKind::Tor)
    }
 }
 impl From<zbus::Error> for Error {
    fn from(e: zbus::Error) -> Self {
        Error::new(e, ErrorKind::DBus)
@@ -391,6 +360,18 @@ impl From<rustls::Error> for Error {
        Error::new(e, ErrorKind::OpenSsl)
    }
 }
 impl From<patch_db::value::Error> for Error {
    fn from(value: patch_db::value::Error) -> Self {
        match value.kind {
            patch_db::value::ErrorKind::Serialization => {
                Error::new(value.source, ErrorKind::Serialization)
            }
            patch_db::value::ErrorKind::Deserialization => {
                Error::new(value.source, ErrorKind::Deserialization)
            }
        }
    }
 }
 impl From<lettre::error::Error> for Error {
    fn from(e: lettre::error::Error) -> Self {
        Error::new(e, ErrorKind::Smtp)
@@ -406,30 +387,11 @@ impl From<lettre::address::AddressError> for Error {
        Error::new(e, ErrorKind::Smtp)
    }
 }
 impl From<hyper::Error> for Error {
    fn from(e: hyper::Error) -> Self {
        Error::new(e, ErrorKind::Network)
    }
 }
 impl From<patch_db::value::Error> for Error {
    fn from(value: patch_db::value::Error) -> Self {
        match value.kind {
            patch_db::value::ErrorKind::Serialization => {
                Error::new(value.source, ErrorKind::Serialization)
            }
            patch_db::value::ErrorKind::Deserialization => {
                Error::new(value.source, ErrorKind::Deserialization)
            }
        }
    }
 }
-#[derive(Clone, Deserialize, Serialize, TS)]
+#[derive(Clone, Deserialize, Serialize)]
 pub struct ErrorData {
    pub details: String,
    pub debug: String,
    #[serde(default)]
    pub info: Value,
 }
 impl Display for ErrorData {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -447,7 +409,6 @@ impl From<Error> for ErrorData {
        Self {
            details: value.to_string(),
            debug: format!("{:?}", value),
            info: value.info,
        }
    }
 }
@@ -478,31 +439,40 @@ impl From<&RpcError> for ErrorData {
                        .or_else(|| d.as_str().map(|s| s.to_owned()))
                })
                .unwrap_or_else(|| value.message.clone().into_owned()),
            info: to_value(
                &value
                    .data
                    .as_ref()
                    .and_then(|d| d.as_object().and_then(|d| d.get("info"))),
            )
            .unwrap_or_default(),
        }
    }
 }
 impl From<Error> for RpcError {
    fn from(e: Error) -> Self {
-        let kind = e.kind;
+        let mut data_object = serde_json::Map::with_capacity(3);
-        let data = ErrorData::from(e);
+        data_object.insert("details".to_owned(), format!("{}", e.source).into());
-        RpcError {
+        data_object.insert("debug".to_owned(), format!("{:?}", e.source).into());
-            code: kind as i32,
+        data_object.insert(
-            message: kind.as_str().into(),
+            "revision".to_owned(),
-            data: Some(match serde_json::to_value(&data) {
+            match serde_json::to_value(&e.revision) {
                Ok(a) => a,
                Err(e) => {
-                    tracing::warn!("Error serializing ErrorData object: {}", e);
+                    tracing::warn!("Error serializing revision for Error object: {}", e);
                    serde_json::Value::Null
                }
-            }),
+            },
        );
        RpcError {
            code: e.kind as i32,
            message: e.kind.as_str().into(),
            data: Some(
                match serde_json::to_value(&ErrorData {
                    details: format!("{}", e.source),
                    debug: format!("{:?}", e.source),
                }) {
                    Ok(a) => a,
                    Err(e) => {
                        tracing::warn!("Error serializing revision for Error object: {}", e);
                        serde_json::Value::Null
                    }
                },
            ),
        }
    }
 }
@@ -586,26 +556,26 @@ where
 impl<T, E> ResultExt<T, E> for Result<T, E>
 where
    color_eyre::eyre::Error: From<E>,
    E: std::fmt::Debug + 'static,
 {
    fn with_kind(self, kind: ErrorKind) -> Result<T, Error> {
-        self.map_err(|e| Error::new(e, kind))
+        self.map_err(|e| Error {
            source: e.into(),
            kind,
            revision: None,
            task: None,
        })
    }
    fn with_ctx<F: FnOnce(&E) -> (ErrorKind, D), D: Display>(self, f: F) -> Result<T, Error> {
        self.map_err(|e| {
            let (kind, ctx) = f(&e);
            let debug = (std::any::TypeId::of::<E>()
                == std::any::TypeId::of::<color_eyre::eyre::Error>())
            .then(|| eyre!("{ctx}: {e:?}"));
            let source = color_eyre::eyre::Error::from(e);
-            let with_ctx = format!("{ctx}: {source}");
+            let ctx = format!("{}: {}", ctx, source);
-            let source = source.wrap_err(with_ctx);
+            let source = source.wrap_err(ctx);
            Error {
                kind,
                source,
-                debug,
+                revision: None,
                info: Value::Null,
                task: None,
            }
        })
@@ -625,24 +595,25 @@ where
 }
 impl<T> ResultExt<T, Error> for Result<T, Error> {
    fn with_kind(self, kind: ErrorKind) -> Result<T, Error> {
-        self.map_err(|e| Error { kind, ..e })
+        self.map_err(|e| Error {
            source: e.source,
            kind,
            revision: e.revision,
            task: e.task,
        })
    }
    fn with_ctx<F: FnOnce(&Error) -> (ErrorKind, D), D: Display>(self, f: F) -> Result<T, Error> {
        self.map_err(|e| {
            let (kind, ctx) = f(&e);
            let source = e.source;
-            let with_ctx = format!("{ctx}: {source}");
+            let ctx = format!("{}: {}", ctx, source);
-            let source = source.wrap_err(with_ctx);
+            let source = source.wrap_err(ctx);
            let debug = e.debug.map(|e| {
                let with_ctx = format!("{ctx}: {e}");
                e.wrap_err(with_ctx)
            });
            Error {
                kind,
                source,
-                debug,
+                revision: e.revision,
-                ..e
+                task: e.task,
            }
        })
    }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Aiden McClelland	2191707b94	wip: iroh	2025-08-31 15:43:34 -06:00
Aiden McClelland	63a4bba19a	fix gha sccache	2025-08-29 13:32:12 -06:00
Aiden McClelland	d64b80987c	support for sccache	2025-08-29 13:07:29 -06:00
Aiden McClelland	fbea3c56e6	clean up logs	2025-08-29 11:59:36 -06:00
Aiden McClelland	58b6b5c4ea	Merge branch 'feature/proxies' of github.com:Start9Labs/start-os into feature/proxies	2025-08-29 11:48:31 -06:00
Aiden McClelland	369e559518	fix file_stream and remove non-terminating test	2025-08-29 11:48:30 -06:00
Alex Inkin	ca39ffb9eb	refactor: fix multiple comments (#3013 ) * refactor: fix multiple comments * styling changes, add documentation to sidebar * translations for dns page * refactor: subtle colors * rearrange service page --------- Co-authored-by: Matt Hill <mattnine@protonmail.com>	2025-08-29 11:37:34 -06:00
Aiden McClelland	8163db7ac3	socks5 proxy working	2025-08-29 11:19:30 -06:00
Aiden McClelland	b3b031ed47	wip: debugging tor	2025-08-27 15:10:54 -06:00
Matt Hill	c5fa09c4d4	handle wh file uploads	2025-08-27 10:06:39 -06:00
Alex Inkin	b7438ef155	refactor: refactor forms components and remove legacy Taiga UI package (#3012 )	2025-08-27 09:57:49 -06:00
Matt Hill	2a27716e29	remove unnecessary truthy check	2025-08-26 22:16:57 -06:00
Matt Hill	7a94086d45	move status column in service list	2025-08-26 13:59:16 -06:00
Matt Hill	ec72fb4bfd	fix showing dns records	2025-08-26 13:08:24 -06:00
Matt Hill	9eaaa85625	implement toggling gateways for service interface	2025-08-26 12:29:14 -06:00
Aiden McClelland	f876cd796e	Merge branch 'feature/proxies' of github.com:Start9Labs/start-os into feature/proxies	2025-08-26 12:13:41 -06:00
Aiden McClelland	9fe9608560	misc fixes	2025-08-26 12:13:39 -06:00
Matt Hill	303f6a55ac	Merge branch 'feature/proxies' of github.com:Start9Labs/start-os into feature/proxies	2025-08-26 11:37:12 -06:00
Aiden McClelland	ff686d3c52	Merge branch 'feature/proxies' of github.com:Start9Labs/start-os into feature/proxies	2025-08-25 19:29:52 -06:00
Aiden McClelland	f4cf94acd2	fix dns	2025-08-25 19:29:39 -06:00
Matt Hill	0709a5c242	reason instead of description	2025-08-24 10:24:48 -06:00
Matt Hill	701db35ca3	remove logs	2025-08-24 09:41:58 -06:00
Matt Hill	57bdc400b4	honor hidden form values	2025-08-24 09:40:24 -06:00
Matt Hill	611e19da26	placeholder for empty service interfaces table	2025-08-24 08:54:44 -06:00
Matt Hill	0e9b9fce3e	simple renaming	2025-08-24 08:46:12 -06:00
Aiden McClelland	d6d91822cc	coukd work	2025-08-22 08:53:38 -06:00
Aiden McClelland	5bee2cef96	fix deadlock	2025-08-21 18:40:53 -06:00
Aiden McClelland	359146f02c	wip	2025-08-20 14:46:15 -06:00
Matt Hill	d564471825	more translations	2025-08-20 11:45:17 -06:00
Alex Inkin	931505ff08	fix: refactor legacy components (#3010 ) * fix: comments * fix: refactor legacy components * remove default again --------- Co-authored-by: Matt Hill <mattnine@protonmail.com>	2025-08-19 08:13:36 -06:00
Alex Inkin	0709ea65d7	fix: comments (#3009 ) * fix: comments * undo default --------- Co-authored-by: Matt Hill <mattnine@protonmail.com>	2025-08-19 08:10:14 -06:00
Aiden McClelland	75a20ae5c5	it builds	2025-08-18 18:12:03 -06:00
Matt Hill	aaf2361909	add missing translations	2025-08-18 15:16:43 -06:00
Matt Hill	17c4f3a1e8	fix dns form	2025-08-17 09:01:09 -06:00
Matt Hill	a0a2c20b08	fix all types	2025-08-16 23:14:19 -06:00
Aiden McClelland	f7f0b7dc1a	revert to ts-rs v9	2025-08-16 22:33:53 -06:00
Aiden McClelland	d06c443c7d	clean up tech debt, bump dependencies	2025-08-15 18:32:27 -06:00
Aiden McClelland	7094d1d939	update types	2025-08-15 18:05:52 -06:00
Aiden McClelland	8f573386c6	with todos	2025-08-15 16:07:23 -06:00
Matt Hill	bfc88a2225	fix sort functions for public and private domains	2025-08-13 14:28:53 -06:00
Matt Hill	d5bb537368	dns	2025-08-13 13:27:05 -06:00
Matt Hill	3abae65b22	better icon for restart tor	2025-08-13 10:54:07 -06:00
Matt Hill	3848e8f2df	restart tor instead of reset	2025-08-13 10:53:46 -06:00
Matt Hill	63323faa97	nix StartOS domains, implement public and private domains at interface scope	2025-08-11 23:01:31 -06:00
Matt Hill	e8b7a35d43	public domain, max width, descriptions for dns	2025-08-11 10:03:35 -06:00
waterplea	da9a1b99d9	fix: dns testing	2025-08-11 13:50:58 +07:00
Matt Hill	68780ccbdd	forms for adding domain, rework things based on new ideas	2025-08-10 23:33:05 -06:00
Aiden McClelland	022f7134be	wip: start-tunnel & fix build	2025-08-09 21:57:32 -06:00
Matt Hill	b4491a3f39	only translations left	2025-08-09 09:29:47 -06:00
waterplea	29ddfad9d7	fix: address comments	2025-08-09 17:45:31 +07:00
Matt Hill	86a24ec067	domains preferred	2025-08-08 21:00:32 -06:00
Matt Hill	35ace3997b	MVP of service interface page	2025-08-08 20:57:16 -06:00
Aiden McClelland	4f24658d33	fix unnecessary export	2025-08-08 11:12:11 -06:00
Aiden McClelland	3a84cc97fe	comments	2025-08-07 17:21:09 -06:00
Aiden McClelland	3845550e90	best address logic	2025-08-07 17:15:23 -06:00
Matt Hill	4d5ff1a97b	start sorting addresses	2025-08-07 13:47:27 -06:00
Matt Hill	b864816033	better placeholder for no addresses	2025-08-07 09:08:41 -06:00
Matt Hill	2762076683	minor	2025-08-07 09:03:54 -06:00
Matt Hill	8796e41ea0	merge	2025-08-07 08:18:47 -06:00
waterplea	8edb7429f5	refactor: styles for interfaces page	2025-08-07 18:53:35 +07:00
Matt Hill	5109efcee2	different options for clearnet domains	2025-08-06 18:45:41 -06:00
Matt Hill	177232ab28	start service interface page, WIP	2025-08-06 17:55:21 -06:00
Aiden McClelland	d6dfaf8feb	domains api + migration	2025-08-06 14:29:35 -06:00
Aiden McClelland	ea12251a7e	add ip util to sdk	2025-08-06 11:14:41 -06:00
waterplea	b35a89da29	refactor: add file control to form service	2025-08-06 19:07:21 +07:00
Matt Hill	d8d1009417	domains mostly finished	2025-08-05 17:29:48 -06:00
Aiden McClelland	3835562200	fix fe types	2025-08-05 17:14:17 -06:00
Aiden McClelland	0d227e62dc	Merge branch 'feature/proxies' of github.com:Start9Labs/start-os into feature/proxies	2025-08-05 17:07:27 -06:00
Aiden McClelland	10af26116d	refactor public/private gateways	2025-08-05 17:07:25 -06:00
Matt Hill	f8b03ea917	certificate authorities	2025-08-05 13:03:04 -06:00
Matt Hill	4a2777c52f	domains and acme refactor	2025-08-05 09:29:04 -06:00
waterplea	86dbf26253	refactor: gateways page	2025-08-05 17:39:48 +07:00
waterplea	32999fc55f	refactor: domains page	2025-08-04 19:34:57 +07:00
Matt Hill	ea2b1f5920	edit instead of chnage acme and change gateway	2025-08-01 22:59:10 -06:00
Matt Hill	716ed64aa8	show and test dns	2025-07-31 19:57:04 -06:00
Matt Hill	f23659f4ea	dont show hidden actions	2025-07-31 13:42:43 -06:00
Matt Hill	daf584b33e	add domains and gateways, remove routers, fix docs links	2025-07-30 15:33:13 -06:00
Aiden McClelland	e6b7390a61	wip start-tunneld	2025-07-24 18:33:55 -06:00
Aiden McClelland	84f554269f	proxy -> tunnel, implement backend apis	2025-07-23 15:44:57 -06:00
Matt Hill	21adce5c5d	fix file type	2025-07-22 17:07:20 -06:00
Aiden McClelland	d3e7e37f59	backend changes	2025-07-22 16:48:16 -06:00
Matt Hill	4d9709eb1c	add support for inbound proxies	2025-07-22 16:40:31 -06:00
		`@@ -0,0 +1,3 @@`
							`#!/bin/bash`

							`exec /lib/systemd/systemd --unit=multi-user.target --show-status=false --log-target=journal`
		`@@ -1,2 +0,0 @@`
			`[build]`
			`pre-build = ["apt-get update && apt-get install -y rsync"]`
		`@@ -0,0 +1,3 @@`
							`#!/bin/bash`

							`alias 'rust-musl-builder'='docker run $USE_TTY --rm -e "RUSTFLAGS=$RUSTFLAGS" -e SCCACHE_GHA_ENABLED -e SCCACHE_GHA_VERSION -e ACTIONS_RESULTS_URL -e ACTIONS_RUNTIME_TOKEN -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$HOME/.cargo/git":/root/.cargo/git -v "$HOME/.cache/sccache":/root/.cache/sccache -v "$(pwd)":/home/rust/src -w /home/rust/src -P start9/rust-musl-cross:$ARCH-musl'`
`@@ -1,3 +1,3 @@`
	`// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.`	`// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.`

	`export type Base64 = string`	`export type ServiceInterfaceId = string;`