minor bugfixes for alpha.14 (#3058 )

* overwrite AllowedIPs in wg config mute UnknownCA errors * fix upgrade issues * allow start9 user to access journal * alpha.15 * sort actions lexicographically and show desc in marketplace details * add registry package download cli command --------- Co-authored-by: Matt Hill <mattnine@protonmail.com>
More FE fixes (#3056 )
2026-03-30 20:14:49 +00:00 · 2025-11-26 16:23:08 -07:00 · 2025-11-25 23:43:19 +00:00 · 2025-11-21 11:30:21 -07:00 · 2025-11-20 10:53:23 -07:00 · 2025-11-20 01:05:50 -07:00
116 changed files with 2049 additions and 1209 deletions
--- a/.github/workflows/start-tunnel.yaml
+++ b/.github/workflows/start-tunnel.yaml
@@ -0,0 +1,100 @@
 name: Start-Tunnel
 on:
  workflow_call:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: Environment
        options:
          - NONE
          - dev
          - unstable
          - dev-unstable
      runner:
        type: choice
        description: Runner
        options:
          - standard
          - fast
      arch:
        type: choice
        description: Architecture
        options:
          - ALL
          - x86_64
          - aarch64
          - riscv64
  push:
    branches:
      - master
      - next/*
  pull_request:
    branches:
      - master
      - next/*
 env:
  NODEJS_VERSION: "24.11.0"
  ENVIRONMENT: '${{ fromJson(format(''["{0}", ""]'', github.event.inputs.environment || ''dev''))[github.event.inputs.environment == ''NONE''] }}'
 jobs:
  compile:
    name: Build Debian Package
    strategy:
      fail-fast: true
      matrix:
        arch: >-
          ${{
            fromJson('{
              "x86_64": ["x86_64"],
              "aarch64": ["aarch64"],
              "riscv64": ["riscv64"],
              "ALL": ["x86_64", "aarch64", "riscv64"]
            }')[github.event.inputs.platform || 'ALL']
          }}
    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
    steps:
      - name: Cleaning up unnecessary files
        run: |
          sudo apt-get remove --purge -y google-chrome-stable firefox mono-devel
          sudo apt-get autoremove -y
          sudo apt-get clean
      - run: |
          sudo mount -t tmpfs tmpfs .
        if: ${{ github.event.inputs.runner == 'fast' }}
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODEJS_VERSION }}
      - name: Set up docker QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Configure sccache
        uses: actions/github-script@v7
        with:
          script: |
            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
      - name: Make
        run: make tunnel-deb
        env:
          PLATFORM: ${{ matrix.arch }}
          SCCACHE_GHA_ENABLED: on
          SCCACHE_GHA_VERSION: 0
      - uses: actions/upload-artifact@v4
        with:
          name: start-tunnel_${{ matrix.arch }}.deb
          path: results/start-tunnel-*_${{ matrix.arch }}.deb
--- a/.github/workflows/startos-iso.yaml
+++ b/.github/workflows/startos-iso.yaml
@@ -67,8 +67,13 @@ jobs:
              "ALL": ["x86_64", "aarch64"]
            }')[github.event.inputs.platform || 'ALL']
          }}
-    runs-on: ${{ fromJson('["ubuntu-22.04", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
+    runs-on: ${{ fromJson('["ubuntu-latest", "buildjet-32vcpu-ubuntu-2204"]')[github.event.inputs.runner == 'fast'] }}
    steps:
      - name: Cleaning up unnecessary files
        run: |
          sudo apt-get remove --purge -y google-chrome-stable firefox mono-devel
          sudo apt-get autoremove -y
          sudo apt-get clean
      - run: |
          sudo mount -t tmpfs tmpfs .
        if: ${{ github.event.inputs.runner == 'fast' }}
@@ -102,12 +107,6 @@ jobs:
            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
      - name: Use Beta Toolchain
        run: rustup default beta
      - name: Setup Cross
        run: cargo install cross --git https://github.com/cross-rs/cross
      - name: Make
        run: make ARCH=${{ matrix.arch }} compiled-${{ matrix.arch }}.tar
        env:
@@ -140,7 +139,7 @@ jobs:
      ${{
        fromJson(
          format(
-            '["ubuntu-22.04", "{0}"]',
+            '["ubuntu-latest", "{0}"]',
            fromJson('{
              "x86_64": "buildjet-8vcpu-ubuntu-2204",
              "x86_64-nonfree": "buildjet-8vcpu-ubuntu-2204",
@@ -273,7 +272,7 @@ jobs:
  index:
    if: ${{ github.event.inputs.deploy != '' && github.event.inputs.deploy != 'NONE' }}
    needs: [image]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
      - run: >-
          curl "https://${{
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -17,7 +17,7 @@ env:
 jobs:
  test:
    name: Run Automated Tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -27,11 +27,5 @@ jobs:
        with:
          node-version: ${{ env.NODEJS_VERSION }}
      - name: Use Beta Toolchain
        run: rustup default beta
      - name: Setup Cross
        run: cargo install cross --git https://github.com/cross-rs/cross
      - name: Build And Run Tests
        run: make test
--- a/12
+++ b/12
@@ -40,7 +40,6 @@ STARTOS_TARGETS := $(STARTD_SRC) $(ENVIRONMENT_FILE) $(GIT_HASH_FILE) $(VERSION_
 	fi')
 REGISTRY_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/registrybox core/startos/start-registryd.service
 TUNNEL_TARGETS := core/target/$(RUST_ARCH)-unknown-linux-musl/$(PROFILE)/tunnelbox core/startos/start-tunneld.service
 REBUILD_TYPES = 1
 ifeq ($(REMOTE),)
 	mkdir = mkdir -p $1
@@ -63,7 +62,7 @@ endif
 .DELETE_ON_ERROR:
-.PHONY: all metadata install clean format cli uis ui reflash deb $(IMAGE_TYPE) squashfs wormhole wormhole-deb test test-core test-sdk test-container-runtime registry install-registry tunnel install-tunnel
+.PHONY: all metadata install clean format cli uis ui reflash deb $(IMAGE_TYPE) squashfs wormhole wormhole-deb test test-core test-sdk test-container-runtime registry install-registry tunnel install-tunnel ts-bindings
 all: $(STARTOS_TARGETS)
@@ -160,7 +159,7 @@ results/$(REGISTRY_BASENAME).deb: dpkg-build.sh $(call ls-files,debian/start-reg
 tunnel-deb: results/$(TUNNEL_BASENAME).deb
 results/$(TUNNEL_BASENAME).deb: dpkg-build.sh $(call ls-files,debian/start-tunnel) $(TUNNEL_TARGETS)
-	PROJECT=start-tunnel PLATFORM=$(ARCH) REQUIRES=debian DEPENDS=wireguard-tools,iptables ./build/os-compat/run-compat.sh ./dpkg-build.sh
+	PROJECT=start-tunnel PLATFORM=$(ARCH) REQUIRES=debian DEPENDS=wireguard-tools,iptables,conntrack ./build/os-compat/run-compat.sh ./dpkg-build.sh
 $(IMAGE_TYPE): results/$(BASENAME).$(IMAGE_TYPE)
@@ -226,7 +225,7 @@ wormhole-squashfs: results/$(BASENAME).squashfs
 	$(eval SQFS_SIZE := $(shell du -s --bytes results/$(BASENAME).squashfs | awk '{print $$1}'))
 	@echo "Paste the following command into the shell of your StartOS server:"
 	@echo
-	@wormhole send results/$(BASENAME).squashfs 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo sh -c '"'"'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE) && /usr/lib/startos/scripts/prune-boot && cd /media/startos/images && wormhole receive --accept-file %s && CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/use-img ./$(BASENAME).squashfs'"'"'\n", $$3 }'
+	@wormhole send results/$(BASENAME).squashfs 2>&1 | awk -Winteractive '/wormhole receive/ { printf "sudo sh -c '"'"'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE) && /usr/lib/startos/scripts/prune-boot && cd /media/startos/images && wormhole receive --accept-file %s && CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade ./$(BASENAME).squashfs'"'"'\n", $$3 }'
 update: $(STARTOS_TARGETS)
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
@@ -254,7 +253,7 @@ update-squashfs: results/$(BASENAME).squashfs
 	$(call ssh,'/usr/lib/startos/scripts/prune-images $(SQFS_SIZE)')
 	$(call ssh,'/usr/lib/startos/scripts/prune-boot')
 	$(call cp,results/$(BASENAME).squashfs,/media/startos/images/next.rootfs)
-	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/use-img /media/startos/images/next.rootfs')
+	$(call ssh,'sudo CHECKSUM=$(SQFS_SUM) /usr/lib/startos/scripts/upgrade /media/startos/images/next.rootfs')
 emulate-reflash: $(STARTOS_TARGETS)
 	@if [ -z "$(REMOTE)" ]; then >&2 echo "Must specify REMOTE" && false; fi
@@ -277,10 +276,9 @@ container-runtime/node_modules/.package-lock.json: container-runtime/package-loc
 	npm --prefix container-runtime ci
 	touch container-runtime/node_modules/.package-lock.json
-sdk/base/lib/osBindings/index.ts: $(shell if [ "$(REBUILD_TYPES)" -ne 0 ]; then echo core/startos/bindings/index.ts; fi)
+ts-bindings: core/startos/bindings/index.ts
 	mkdir -p sdk/base/lib/osBindings
 	rsync -ac --delete core/startos/bindings/ sdk/base/lib/osBindings/
 	touch sdk/base/lib/osBindings/index.ts
 core/startos/bindings/index.ts: $(call ls-files, core) $(ENVIRONMENT_FILE)
 	rm -rf core/startos/bindings
--- a/START-TUNNEL.md
+++ b/START-TUNNEL.md
@@ -1,26 +1,18 @@
 # StartTunnel
-A self-hosted Wiregaurd VPN optimized for creating VLANs and reverse tunneling to personal servers.
+A self-hosted WireGuard VPN optimized for creating VLANs and reverse tunneling to personal servers.
-You can think of StartTunnel as "virtual router in the cloud"
+You can think of StartTunnel as "virtual router in the cloud".
-Use it for private, remote access, to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
+Use it for private remote access to self-hosted services running on a personal server, or to expose self-hosted services to the public Internet without revealing the host server's IP address.
-## Installation
+## Features
-1.  Rent a low cost VPS. For most use cases, the cheapest option should be enough.
+- **Create Subnets**: Each subnet creates a private, virtual local area network (VLAN), similar to the LAN created by a home router.
-    - It must have a dedicated public IP address.
+- **Add Devices**: When you add a device (server, phone, laptop) to a subnet, it receives a LAN IP address on that subnet as well as a unique WireGuard config that must be copied, downloaded, or scanned into the device.
    - For (CPU), memory (RAM), and storage (disk), choose the minimum spec.
    - For transfer (bandwidth), it depends on (1) your use case and (2) your home Internet's _upload_ speed. Even if you intend to serve large files or stream content from your server, there is no reason to pay for speeds that exceed your home Internet's upload speed.
-1.  Provision the VPS with the latest version of Debian.
+- **Forward Ports**: Forwarding a port creates a "reverse tunnel", exposing a specific port on a specific device to the public Internet.
 1.  Access the VPS via SSH.
 1.  Install StartTunnel:
        @TODO
 ## Features
@@ -30,6 +22,32 @@ Use it for private, remote access, to self-hosted services running on a personal
 - **Forward Ports**: Forwarding a port creates a "reverse tunnel", exposing a specific port on a specific device to the public Internet.
 ## Installation
 1.  Rent a low cost VPS. For most use cases, the cheapest option should be enough.
    - It must have a dedicated public IP address.
    - For compute (CPU), memory (RAM), and storage (disk), choose the minimum spec.
    - For transfer (bandwidth), it depends on (1) your use case and (2) your home Internet's _upload_ speed. Even if you intend to serve large files or stream content from your server, there is no reason to pay for speeds that exceed your home Internet's upload speed.
 1.  Provision the VPS with the latest version of Debian.
 1.  Access the VPS via SSH.
 1.  Install StartTunnel:
 ```sh
 TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb && apt-get install -y ./start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl start start-tunneld && echo "Installation Succeeded"
 ```
 5. [Initialize the web interface](#web-interface) (recommended)
 ## Updating
 ```sh
 TMP_DIR=$(mktemp -d) && (cd $TMP_DIR && wget https://github.com/Start9Labs/start-os/releases/download/v0.4.0-alpha.12/start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb && apt-get install --reinstall -y ./start-tunnel-0.4.0-alpha.12-unknown.dev_$(uname -m).deb) && rm -rf $TMP_DIR && systemctl daemon-reload && systemctl restart start-tunneld && echo "Update Succeeded"
 ```
 ## CLI
 By default, StartTunnel is managed via the `start-tunnel` command line interface, which is self-documented.
@@ -52,8 +70,8 @@ If you choose to enable the web interface (recommended in most cases), StartTunn
 1.  Select whether to autogenerate a self-signed certificate or provide your own certificate and key. If you choose to autogenerate, you will be asked to list all IP addresses and domains for which to sign the certificate. For example, if you intend to access your StartTunnel web UI at a domain, include the domain in the list.
-1.  You will receive a success message that the webserver is running at the chosen IP:port, as well as your SSL certificate and an autogenerated UI password.
+1.  You will receive a success message with 3 pieces of information:
-1.  If not already, trust the certificate in your system keychain and/or browser.
+    - <https://IP:port>: the URL where you can reach your personal web interface.
-
+    - Password: an autogenerated password for your interface. If you lose/forget it, you can reset using the CLI.
-1.  If you lose/forget your password, you can reset it using the CLI.
+    - Root Certificate Authority: the Root CA of your StartTunnel instance. If not already, trust it in your browser or system keychain.
--- a/agents/VERSION_BUMP.md
+++ b/agents/VERSION_BUMP.md
@@ -0,0 +1,201 @@
 # StartOS Version Bump Guide
 This document explains how to bump the StartOS version across the entire codebase.
 ## Overview
 When bumping from version `X.Y.Z-alpha.N` to `X.Y.Z-alpha.N+1`, you need to update files in multiple locations across the repository. The `// VERSION_BUMP` comment markers indicate where changes are needed.
 ## Files to Update
 ### 1. Core Rust Crate Version
 **File: `core/startos/Cargo.toml`**
 Update the version string (line ~18):
 ```toml
 version = "0.4.0-alpha.15" # VERSION_BUMP
 ```
 **File: `core/Cargo.lock`**
 This file is auto-generated. After updating `Cargo.toml`, run:
 ```bash
 cd core
 cargo check
 ```
 This will update the version in `Cargo.lock` automatically.
 ### 2. Create New Version Migration Module
 **File: `core/startos/src/version/vX_Y_Z_alpha_N+1.rs`**
 Create a new version file by copying the previous version and updating:
 ```rust
 use exver::{PreReleaseSegment, VersionRange};
 use super::v0_3_5::V0_3_0_COMPAT;
 use super::{VersionT, v0_4_0_alpha_14};  // Update to previous version
 use crate::prelude::*;
 lazy_static::lazy_static! {
    static ref V0_4_0_alpha_15: exver::Version = exver::Version::new(
        [0, 4, 0],
        [PreReleaseSegment::String("alpha".into()), 15.into()]  // Update number
    );
 }
 #[derive(Clone, Copy, Debug, Default)]
 pub struct Version;
 impl VersionT for Version {
    type Previous = v0_4_0_alpha_14::Version;  // Update to previous version
    type PreUpRes = ();
    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
        Ok(())
    }
    fn semver(self) -> exver::Version {
        V0_4_0_alpha_15.clone()  // Update version name
    }
    fn compat(self) -> &'static VersionRange {
        &V0_3_0_COMPAT
    }
    #[instrument(skip_all)]
    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
        // Add migration logic here if needed
        Ok(Value::Null)
    }
    fn down(self, _db: &mut Value) -> Result<(), Error> {
        // Add rollback logic here if needed
        Ok(())
    }
 }
 ```
 ### 3. Update Version Module Registry
 **File: `core/startos/src/version/mod.rs`**
 Make changes in **5 locations**:
 #### Location 1: Module Declaration (~line 57)
 Add the new module after the previous version:
 ```rust
 mod v0_4_0_alpha_14;
 mod v0_4_0_alpha_15;  // Add this
 ```
 #### Location 2: Current Type Alias (~line 59)
 Update the `Current` type and move the `// VERSION_BUMP` comment:
 ```rust
 pub type Current = v0_4_0_alpha_15::Version; // VERSION_BUMP
 ```
 #### Location 3: Version Enum (~line 175)
 Remove `// VERSION_BUMP` from the previous version, add new variant, add comment:
 ```rust
    V0_4_0_alpha_14(Wrapper<v0_4_0_alpha_14::Version>),
    V0_4_0_alpha_15(Wrapper<v0_4_0_alpha_15::Version>), // VERSION_BUMP
    Other(exver::Version),
 ```
 #### Location 4: as_version_t() Match (~line 233)
 Remove `// VERSION_BUMP`, add new match arm, add comment:
 ```rust
            Self::V0_4_0_alpha_14(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_15(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
            Self::Other(v) => {
 ```
 #### Location 5: as_exver() Match (~line 284, inside #[cfg(test)])
 Remove `// VERSION_BUMP`, add new match arm, add comment:
 ```rust
            Version::V0_4_0_alpha_14(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_15(Wrapper(x)) => x.semver(), // VERSION_BUMP
            Version::Other(x) => x.clone(),
 ```
 ### 4. SDK TypeScript Version
 **File: `sdk/package/lib/StartSdk.ts`**
 Update the OSVersion constant (~line 64):
 ```typescript
 export const OSVersion = testTypeVersion("0.4.0-alpha.15");
 ```
 ### 5. Web UI Package Version
 **File: `web/package.json`**
 Update the version field:
 ```json
 {
  "name": "startos-ui",
  "version": "0.4.0-alpha.15",
  ...
 }
 ```
 **File: `web/package-lock.json`**
 This file is auto-generated, but it's faster to update manually. Find all instances of "startos-ui" and update the version field.
 ## Verification Step
 ```
 make
 ```
 ## VERSION_BUMP Comment Pattern
 The `// VERSION_BUMP` comment serves as a marker for where to make changes next time:
 - Always **remove** it from the old location
 - **Add** the new version entry
 - **Move** the comment to mark the new location
 This pattern helps you quickly find all the places that need updating in the next version bump.
 ## Summary Checklist
 - [ ] Update `core/startos/Cargo.toml` version
 - [ ] Create new `core/startos/src/version/vX_Y_Z_alpha_N+1.rs` file
 - [ ] Update `core/startos/src/version/mod.rs` in 5 locations
 - [ ] Run `cargo check` to update `core/Cargo.lock`
 - [ ] Update `sdk/package/lib/StartSdk.ts` OSVersion
 - [ ] Update `web/package.json` and `web/package-lock.json` version
 - [ ] Verify all changes compile/build successfully
 ## Migration Logic
 The `up()` and `down()` methods in the version file handle database migrations:
 - **up()**: Migrates the database from the previous version to this version
 - **down()**: Rolls back from this version to the previous version
 - **pre_up()**: Runs before migration, useful for pre-migration checks or data gathering
 If no migration is needed, return `Ok(Value::Null)` for `up()` and `Ok(())` for `down()`.
 For complex migrations, you may need to:
 1. Update `type PreUpRes` to pass data between `pre_up()` and `up()`
 2. Implement database transformations in the `up()` method
 3. Implement reverse transformations in `down()` for rollback support
--- a/build/dpkg-deps/depends
+++ b/build/dpkg-deps/depends
@@ -7,6 +7,7 @@ bmon
 btrfs-progs
 ca-certificates
 cifs-utils
 conntrack
 cryptsetup
 curl
 dmidecode
@@ -19,7 +20,6 @@ flashrom
 fuse3
 grub-common
 grub-efi
 grub2-common
 htop
 httpdirfs
 iotop
--- a/build/dpkg-deps/raspberrypi.depends
+++ b/build/dpkg-deps/raspberrypi.depends
@@ -1,6 +1,4 @@
 - grub-common
 - grub-efi
 - grub2-common
 + parted
 + raspberrypi-net-mods
 + raspberrypi-sys-mods
--- a/build/lib/scripts/chroot-and-upgrade
+++ b/build/lib/scripts/chroot-and-upgrade
@@ -10,24 +10,24 @@ fi
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
-  case $1 in
+    case $1 in
-    --no-sync)
+      --no-sync)
-      NO_SYNC=1
+          NO_SYNC=1
-      shift
+          shift
-      ;;
+          ;;
-    --create)
+      --create)
-      ONLY_CREATE=1
+          ONLY_CREATE=1
-      shift
+          shift
-      ;;
+          ;;
-    -*|--*)
+      -*|--*)
-      echo "Unknown option $1"
+          echo "Unknown option $1"
-      exit 1
+          exit 1
-      ;;
+          ;;
-    *)
+      *)
-      POSITIONAL_ARGS+=("$1") # save positional arg
+          POSITIONAL_ARGS+=("$1") # save positional arg
-      shift # past argument
+          shift # past argument
-      ;;
+          ;;
-  esac
+    esac
 done
 set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
@@ -35,7 +35,7 @@ set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
 if [ -z "$NO_SYNC" ]; then
    echo 'Syncing...'
    umount -R /media/startos/next 2> /dev/null
-    umount -R /media/startos/upper 2> /dev/null
+    umount /media/startos/upper 2> /dev/null
    rm -rf /media/startos/upper /media/startos/next
    mkdir /media/startos/upper
    mount -t tmpfs tmpfs /media/startos/upper
@@ -43,8 +43,6 @@ if [ -z "$NO_SYNC" ]; then
    mount -t overlay \
 		  -olowerdir=/media/startos/current,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
 		  overlay /media/startos/next
    mkdir -p /media/startos/next/media/startos/root
    mount --bind /media/startos/root /media/startos/next/media/startos/root
 fi
 if [ -n "$ONLY_CREATE" ]; then
@@ -56,12 +54,18 @@ mkdir -p /media/startos/next/dev
 mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
 mkdir -p /media/startos/next/media/startos/root
 mount --bind /run /media/startos/next/run
 mount --bind /tmp /media/startos/next/tmp
 mount --bind /dev /media/startos/next/dev
 mount --bind /sys /media/startos/next/sys
 mount --bind /proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 if mountpoint /sys/firmware/efi/efivars 2> /dev/null; then
  mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
 fi
 if [ -z "$*" ]; then
    chroot /media/startos/next
@@ -71,6 +75,10 @@ else
    CHROOT_RES=$?
 fi
 if mountpoint /media/startos/next/sys/firmware/efi/efivars 2> /dev/null; then
  umount /media/startos/next/sys/firmware/efi/efivars 
 fi
 umount /media/startos/next/run
 umount /media/startos/next/tmp
 umount /media/startos/next/dev
@@ -87,11 +95,12 @@ if [ "$CHROOT_RES" -eq 0 ]; then
    echo 'Upgrading...'
    rm -f /media/startos/images/next.squashfs
    if ! time mksquashfs /media/startos/next /media/startos/images/next.squashfs -b 4096 -comp gzip; then
-      umount -R /media/startos/next
+        umount -l /media/startos/next
-      umount -R /media/startos/upper
+        umount -l /media/startos/upper
-      rm -rf /media/startos/upper /media/startos/next
+        rm -rf /media/startos/upper /media/startos/next
-      exit 1
+        exit 1
    fi
    hash=$(b3sum /media/startos/images/next.squashfs | head -c 32)
    mv /media/startos/images/next.squashfs /media/startos/images/${hash}.rootfs
@@ -103,5 +112,5 @@ if [ "$CHROOT_RES" -eq 0 ]; then
 fi
 umount -R /media/startos/next
-umount -R /media/startos/upper
+umount /media/startos/upper
 rm -rf /media/startos/upper /media/startos/next
--- a/build/lib/scripts/forward-port
+++ b/build/lib/scripts/forward-port
@@ -5,34 +5,25 @@ if [ -z "$sip" ] || [ -z "$dip" ] || [ -z "$sport" ] || [ -z "$dport" ]; then
    exit 1
 fi
-# Helper function to check if a rule exists
+rule_exists() {
 nat_rule_exists() {
    iptables -t nat -C "$@" 2>/dev/null
 }
-# Helper function to add or delete a rule idempotently
+apply_rule() {
-# Usage: apply_rule [add|del] <iptables args...>
+    if [ "$UNDO" = "1" ]; then
 apply_nat_rule() {
    local action="$1"
    shift
    if [ "$action" = "add" ]; then
        # Only add if rule doesn't exist
        if ! rule_exists "$@"; then
            iptables -t nat -A "$@"
        fi
    elif [ "$action" = "del" ]; then
        if rule_exists "$@"; then
            iptables -t nat -D "$@"
        fi
    else
        if ! rule_exists "$@"; then
            iptables -t nat -A "$@"
        fi
    fi
 }
-if [ "$UNDO" = 1 ]; then
+apply_rule PREROUTING -p tcp -d $sip --dport $sport -j DNAT --to-destination $dip:$dport
-    action="del"
+apply_rule OUTPUT -p tcp -d $sip --dport $sport -j DNAT --to-destination $dip:$dport
 else
    action="add"
 fi
-apply_nat_rule "$action" PREROUTING -p tcp -d $sip --dport $sport -j DNAT --to-destination $dip:$dport
+if [ "$UNDO" = 1 ]; then
-apply_nat_rule "$action" OUTPUT -p tcp -d $sip --dport $sport -j DNAT --to-destination $dip:$dport
+    conntrack -D -p tcp -d $sip --dport $sport || true # conntrack returns exit 1 if no connections are active
 fi
--- a/build/lib/scripts/upgrade
+++ b/build/lib/scripts/upgrade
@@ -0,0 +1,82 @@
 #!/bin/bash
 set -e
 SOURCE_DIR="$(dirname $(realpath "${BASH_SOURCE[0]}"))"
 if [ "$UID" -ne 0 ]; then
    >&2 echo 'Must be run as root'
    exit 1
 fi
 if ! [ -f "$1" ]; then
    >&2 echo "usage: $0 <SQUASHFS>"
    exit 1
 fi
 echo 'Upgrading...'
 hash=$(b3sum $1 | head -c 32)
 if [ -n "$2" ] && [ "$hash" != "$CHECKSUM" ]; then
    >&2 echo 'Checksum mismatch'
    exit 2
 fi
 unsquashfs -f -d / $1 boot
 umount -R /media/startos/next 2> /dev/null || true
 umount /media/startos/upper 2> /dev/null || true
 umount /media/startos/lower 2> /dev/null || true
 mkdir -p /media/startos/upper
 mount -t tmpfs tmpfs /media/startos/upper
 mkdir -p /media/startos/lower /media/startos/upper/data /media/startos/upper/work /media/startos/next
 mount $1 /media/startos/lower
 mount -t overlay \
      -olowerdir=/media/startos/lower,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
 	    overlay /media/startos/next
 mkdir -p /media/startos/next/run
 mkdir -p /media/startos/next/dev
 mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
 mkdir -p /media/startos/next/media/startos/root
 mount --bind /run /media/startos/next/run
 mount --bind /tmp /media/startos/next/tmp
 mount --bind /dev /media/startos/next/dev
 mount --bind /sys /media/startos/next/sys
 mount --bind /proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 if mountpoint /boot/efi 2> /dev/null; then
    mkdir -p /media/startos/next/boot/efi
    mount --bind /boot/efi /media/startos/next/boot/efi
 fi
 if mountpoint /sys/firmware/efi/efivars 2> /dev/null; then
    mount --bind /sys/firmware/efi/efivars /media/startos/next/sys/firmware/efi/efivars
 fi
 chroot /media/startos/next bash -e << "EOF"
 if [ -f /boot/grub/grub.cfg ]; then
    grub-install /dev/$(eval $(lsblk -o MOUNTPOINT,PKNAME -P | grep 'MOUNTPOINT="/media/startos/root"') && echo $PKNAME)
    update-grub
 fi
 EOF
 sync
 umount -Rl /media/startos/next
 umount /media/startos/upper
 umount /media/startos/lower
 mv $1 /media/startos/images/${hash}.rootfs
 ln -rsf /media/startos/images/${hash}.rootfs /media/startos/config/current.rootfs
 sync
 echo 'System upgrade complete. Reboot to apply changes...'
--- a/build/lib/scripts/use-img
+++ b/build/lib/scripts/use-img
@@ -1,61 +0,0 @@
 #!/bin/bash
 set -e
 if [ "$UID" -ne 0 ]; then
    >&2 echo 'Must be run as root'
    exit 1
 fi
 if [ -z "$1" ]; then
    >&2 echo "usage: $0 <SQUASHFS>"
    exit 1
 fi
 VERSION=$(unsquashfs -cat $1 /usr/lib/startos/VERSION.txt)
 GIT_HASH=$(unsquashfs -cat $1 /usr/lib/startos/GIT_HASH.txt)
 B3SUM=$(b3sum $1 | head -c 32)
 if [ -n "$CHECKSUM" ] && [ "$CHECKSUM" != "$B3SUM" ]; then
    >&2 echo "CHECKSUM MISMATCH"
    exit 2
 fi
 mv $1 /media/startos/images/${B3SUM}.rootfs
 ln -rsf /media/startos/images/${B3SUM}.rootfs /media/startos/config/current.rootfs
 unsquashfs -n -f -d / /media/startos/images/${B3SUM}.rootfs boot
 umount -R /media/startos/next 2> /dev/null || true
 umount -R /media/startos/lower 2> /dev/null || true
 umount -R /media/startos/upper 2> /dev/null || true
 rm -rf /media/startos/lower /media/startos/upper /media/startos/next
 mkdir /media/startos/upper
 mount -t tmpfs tmpfs /media/startos/upper
 mkdir -p /media/startos/lower /media/startos/upper/data /media/startos/upper/work /media/startos/next
 mount /media/startos/images/${B3SUM}.rootfs /media/startos/lower
 mount -t overlay \
  -olowerdir=/media/startos/lower,upperdir=/media/startos/upper/data,workdir=/media/startos/upper/work \
  overlay /media/startos/next
 mkdir -p /media/startos/next/media/startos/root
 mount --bind /media/startos/root /media/startos/next/media/startos/root
 mkdir -p /media/startos/next/dev
 mkdir -p /media/startos/next/sys
 mkdir -p /media/startos/next/proc
 mkdir -p /media/startos/next/boot
 mount --bind /dev /media/startos/next/dev
 mount --bind /sys /media/startos/next/sys
 mount --bind /proc /media/startos/next/proc
 mount --bind /boot /media/startos/next/boot
 chroot /media/startos/next update-grub2
 umount -R /media/startos/next
 umount -R /media/startos/upper
 umount -R /media/startos/lower
 rm -rf /media/startos/lower /media/startos/upper /media/startos/next
 sync
 reboot
--- a/container-runtime/package-lock.json
+++ b/container-runtime/package-lock.json
@@ -38,7 +38,7 @@
    },
    "../sdk/dist": {
      "name": "@start9labs/start-sdk",
-      "version": "0.4.0-beta.42",
+      "version": "0.4.0-beta.44",
      "license": "MIT",
      "dependencies": {
        "@iarna/toml": "^3.0.0",
--- a/container-runtime/src/Adapters/RpcListener.ts
+++ b/container-runtime/src/Adapters/RpcListener.ts
@@ -158,6 +158,8 @@ export class RpcListener {
    this.unixSocketServer.listen(SOCKET_PATH)
    console.log("Listening on %s", SOCKET_PATH)
    this.unixSocketServer.on("connection", (s) => {
      let id: IdType = null
      const captureId = <X>(x: X) => {
--- a/container-runtime/update-image.sh
+++ b/container-runtime/update-image.sh
@@ -9,7 +9,7 @@ if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
-if mountpoint -q tmp/combined; then sudo umount -R tmp/combined; fi
+if mountpoint -q tmp/combined; then sudo umount -l tmp/combined; fi
 if mountpoint -q tmp/lower; then sudo umount tmp/lower; fi
 sudo rm -rf tmp
 mkdir -p tmp/lower tmp/upper tmp/work tmp/combined
--- a/core/Cargo.lock
+++ b/core/Cargo.lock
@@ -3458,7 +3458,7 @@ dependencies = [
 "lazy_async_pool",
 "models",
 "pin-project",
- "rpc-toolkit",
+ "rpc-toolkit 0.3.2 (git+https://github.com/Start9Labs/rpc-toolkit.git?branch=master)",
 "serde",
 "serde_json",
 "tokio",
@@ -4835,7 +4835,7 @@ dependencies = [
 "rand 0.9.2",
 "regex",
 "reqwest",
- "rpc-toolkit",
+ "rpc-toolkit 0.3.2 (git+https://github.com/Start9Labs/rpc-toolkit.git?branch=master)",
 "rustls 0.23.35",
 "serde",
 "serde_json",
@@ -6744,6 +6744,34 @@ dependencies = [
 "yajrc",
 ]
 [[package]]
 name = "rpc-toolkit"
 version = "0.3.2"
 source = "git+https://github.com/Start9Labs/rpc-toolkit.git?rev=068db90#068db905ee38a7da97cc4a43b806409204e73723"
 dependencies = [
 "async-stream",
 "async-trait",
 "axum 0.8.6",
 "clap",
 "futures",
 "http",
 "http-body-util",
 "imbl-value 0.4.3 (registry+https://github.com/rust-lang/crates.io-index)",
 "itertools 0.14.0",
 "lazy_format",
 "lazy_static",
 "openssl",
 "pin-project",
 "reqwest",
 "serde",
 "serde_json",
 "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 "url",
 "yajrc",
 ]
 [[package]]
 name = "rsa"
 version = "0.9.8"
@@ -7880,7 +7908,7 @@ dependencies = [
 [[package]]
 name = "start-os"
-version = "0.4.0-alpha.12"
+version = "0.4.0-alpha.15"
 dependencies = [
 "aes 0.7.5",
 "arti-client",
@@ -7888,7 +7916,6 @@ dependencies = [
 "async-compression",
 "async-stream",
 "async-trait",
 "aws-lc-sys",
 "axum 0.8.6",
 "backtrace-on-stack-overflow",
 "barrage",
@@ -7981,7 +8008,7 @@ dependencies = [
 "reqwest",
 "reqwest_cookie_store",
 "rpassword",
- "rpc-toolkit",
+ "rpc-toolkit 0.3.2 (git+https://github.com/Start9Labs/rpc-toolkit.git?rev=068db90)",
 "rust-argon2",
 "safelog",
 "semver",
--- a/core/build-cli.sh
+++ b/core/build-cli.sh
@@ -2,12 +2,19 @@
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "${ARCH:-}" ]; then
@@ -18,15 +25,20 @@ if [ "$ARCH" = "arm64" ]; then
  ARCH="aarch64"
 fi
 RUST_ARCH="$ARCH"
 if [ "$ARCH" = "riscv64" ]; then
  RUST_ARCH="riscv64gc"
 fi
 if [ -z "${KERNEL_NAME:-}" ]; then
  KERNEL_NAME=$(uname -s)
 fi
 if [ -z "${TARGET:-}" ]; then
  if [ "$KERNEL_NAME" = "Linux" ]; then
-    TARGET="$ARCH-unknown-linux-musl"
+    TARGET="$RUST_ARCH-unknown-linux-musl"
  elif [ "$KERNEL_NAME" = "Darwin" ]; then
-    TARGET="$ARCH-apple-darwin"
+    TARGET="$RUST_ARCH-apple-darwin"
  else
    >&2 echo "unknown kernel $KERNEL_NAME"
    exit 1
@@ -53,4 +65,7 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features $FEATURE_ARGS --locked --bin start-cli --target=$TARGET
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features $FEATURE_ARGS --locked --bin start-cli --target=$TARGET
 if [ "$(ls -nd "core/target/$TARGET/$PROFILE/start-cli" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "cd core && chown -R $UID:$UID target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-containerbox.sh
+++ b/core/build-containerbox.sh
@@ -2,12 +2,19 @@
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
@@ -33,4 +40,7 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-container,$FEATURES --locked --bin containerbox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-container,$FEATURES --locked --bin containerbox --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/containerbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-registrybox.sh
+++ b/core/build-registrybox.sh
@@ -2,12 +2,19 @@
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
@@ -33,4 +40,7 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-registry,registry,$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-registry,registry,$FEATURES --locked --bin registrybox --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/registrybox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-startbox.sh
+++ b/core/build-startbox.sh
@@ -2,12 +2,19 @@
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
@@ -33,4 +40,7 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli,startd,$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli,startd,$FEATURES --locked --bin startbox --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/startbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-ts.sh
+++ b/core/build-ts.sh
@@ -2,12 +2,19 @@
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
@@ -31,4 +38,7 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features test,$FEATURES --locked 'export_bindings_'
+rust-zig-builder cargo test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features test,$FEATURES --locked 'export_bindings_'
 if [ "$(ls -nd "core/startos/bindings" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID core/startos/bindings && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/build-tunnelbox.sh
+++ b/core/build-tunnelbox.sh
@@ -2,12 +2,19 @@
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
@@ -33,4 +40,7 @@ fi
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross build --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-tunnel,tunnel,$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl
+rust-zig-builder cargo zigbuild --manifest-path=./core/Cargo.toml $BUILD_FLAGS --no-default-features --features cli-tunnel,tunnel,$FEATURES --locked --bin tunnelbox --target=$RUST_ARCH-unknown-linux-musl
 if [ "$(ls -nd "core/target/$RUST_ARCH-unknown-linux-musl/$PROFILE/tunnelbox" | awk '{ print $3 }')" != "$UID" ]; then
  rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
 fi
--- a/core/builder-alias.sh
+++ b/core/builder-alias.sh
@@ -1,3 +1,8 @@
 #!/bin/bash
-alias 'rust-musl-builder'='docker run $USE_TTY --rm -e "RUSTFLAGS=$RUSTFLAGS" -e SCCACHE_GHA_ENABLED -e SCCACHE_GHA_VERSION -e ACTIONS_RESULTS_URL -e ACTIONS_RUNTIME_TOKEN -v "$HOME/.cargo/registry":/root/.cargo/registry -v "$HOME/.cargo/git":/root/.cargo/git -v "$HOME/.cache/sccache":/root/.cache/sccache -v "$(pwd)":/home/rust/src -w /home/rust/src -P start9/rust-musl-cross:$ARCH-musl'
+USE_TTY=
 if tty -s; then
  USE_TTY="-it"
 fi
 alias 'rust-zig-builder'='docker run '"$USE_TTY"' --rm -e "RUSTFLAGS=$RUSTFLAGS" -e "AWS_LC_SYS_CMAKE_TOOLCHAIN_FILE_riscv64gc_unknown_linux_musl=/root/cmake-overrides/toolchain-riscv64-musl-clang.cmake" -e SCCACHE_GHA_ENABLED -e SCCACHE_GHA_VERSION -e ACTIONS_RESULTS_URL -e ACTIONS_RUNTIME_TOKEN -v "$HOME/.cargo/registry":/usr/local/cargo/registry -v "$HOME/.cargo/git":/root/.cargo/git -v "$HOME/.cache/sccache":/root/.cache/sccache -v "$(pwd)":/workdir -w /workdir -P start9/cargo-zigbuild'
--- a/core/run-tests.sh
+++ b/core/run-tests.sh
@@ -2,12 +2,19 @@
 cd "$(dirname "${BASH_SOURCE[0]}")"
 source ./builder-alias.sh
 set -ea
 shopt -s expand_aliases
 PROFILE=${PROFILE:-release}
 if [ "${PROFILE}" = "release" ]; then
 	BUILD_FLAGS="--release"
 else
  if [ "$PROFILE" != "debug"]; then
    >&2 echo "Unknown profile $PROFILE: falling back to debug..."
    PROFILE=debug
  fi
 fi
 if [ -z "$ARCH" ]; then
@@ -31,8 +38,8 @@ if [[ "${ENVIRONMENT}" =~ (^|-)console($|-) ]]; then
 	RUSTFLAGS="--cfg tokio_unstable"
 fi
 source ./core/builder-alias.sh
 echo "FEATURES=\"$FEATURES\""
 echo "RUSTFLAGS=\"$RUSTFLAGS\""
-cross test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked --target=$ARCH-unknown-linux-musl -- --skip export_bindings_
+rust-zig-builder cargo test --manifest-path=./core/Cargo.toml $BUILD_FLAGS --features=test,$FEATURES --workspace --locked -- --skip export_bindings_
 rust-zig-builder sh -c "chown -R $UID:$UID core/target && chown -R $UID:$UID /root/.cargo"
--- a/core/startos/Cargo.toml
+++ b/core/startos/Cargo.toml
@@ -15,7 +15,7 @@ license = "MIT"
 name = "start-os"
 readme = "README.md"
 repository = "https://github.com/Start9Labs/start-os"
-version = "0.4.0-alpha.12" # VERSION_BUMP
+version = "0.4.0-alpha.15" # VERSION_BUMP
 [lib]
 name = "startos"
@@ -93,7 +93,6 @@ async-compression = { version = "0.4.32", features = [
 ] }
 async-stream = "0.3.5"
 async-trait = "0.1.74"
 aws-lc-sys = { version = "0.32", features = ["bindgen"] }
 axum = { version = "0.8.4", features = ["ws"] }
 backtrace-on-stack-overflow = { version = "0.3.0", optional = true }
 barrage = "0.2.3"
@@ -223,7 +222,7 @@ regex = "1.10.2"
 reqwest = { version = "0.12.4", features = ["json", "socks", "stream"] }
 reqwest_cookie_store = "0.8.0"
 rpassword = "7.2.0"
-rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git", branch = "master" }
+rpc-toolkit = { git = "https://github.com/Start9Labs/rpc-toolkit.git", rev = "068db90" }
 rust-argon2 = "2.0.0"
 safelog = { version = "0.4.8", git = "https://github.com/Start9Labs/arti.git", branch = "patch/disable-exit", optional = true }
 semver = { version = "1.0.20", features = ["serde"] }
@@ -252,7 +251,7 @@ termion = "4.0.5"
 textwrap = "0.16.1"
 thiserror = "2.0.12"
 tokio = { version = "1.38.1", features = ["full"] }
-tokio-rustls = "0.26.0"
+tokio-rustls = "0.26.4"
 tokio-stream = { version = "0.1.14", features = ["io-util", "net", "sync"] }
 tokio-tar = { git = "https://github.com/dr-bonez/tokio-tar.git" }
 tokio-tungstenite = { version = "0.26.2", features = ["native-tls", "url"] }
--- a/core/startos/src/bins/tunnel.rs
+++ b/core/startos/src/bins/tunnel.rs
@@ -22,7 +22,7 @@ use crate::tunnel::tunnel_router;
 use crate::tunnel::web::TunnelCertHandler;
 use crate::util::logger::LOGGER;
-#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
 enum WebserverListener {
    Http,
    Https(SocketAddr),
--- a/core/startos/src/db/model/public.rs
+++ b/core/startos/src/db/model/public.rs
@@ -260,11 +260,7 @@ impl NetworkInterfaceInfo {
    }
    pub fn secure(&self) -> bool {
-        self.secure.unwrap_or_else(|| {
+        self.secure.unwrap_or(false)
            self.ip_info.as_ref().map_or(false, |ip_info| {
                ip_info.device_type == Some(NetworkInterfaceType::Wireguard)
            }) && !self.public()
        })
    }
 }
--- a/core/startos/src/disk/mount/util.rs
+++ b/core/startos/src/disk/mount/util.rs
@@ -48,7 +48,6 @@ pub async fn bind<P0: AsRef<Path>, P1: AsRef<Path>>(
 pub async fn unmount<P: AsRef<Path>>(mountpoint: P, lazy: bool) -> Result<(), Error> {
    tracing::debug!("Unmounting {}.", mountpoint.as_ref().display());
    let mut cmd = tokio::process::Command::new("umount");
    cmd.arg("-R");
    if lazy {
        cmd.arg("-l");
    }
--- a/core/startos/src/disk/util.rs
+++ b/core/startos/src/disk/util.rs
@@ -280,6 +280,9 @@ pub async fn list(os: &OsPartitionInfo) -> Result<Vec<DiskInfo>, Error> {
    .try_fold(
        BTreeMap::<PathBuf, DiskIndex>::new(),
        |mut disks, dir_entry| async move {
            if dir_entry.file_type().await?.is_dir() {
                return Ok(disks);
            }
            if let Some(disk_path) = dir_entry.path().file_name().and_then(|s| s.to_str()) {
                let (disk_path, part_path) = if let Some(end) = PARTITION_REGEX.find(disk_path) {
                    (
--- a/core/startos/src/install/mod.rs
+++ b/core/startos/src/install/mod.rs
@@ -29,6 +29,7 @@ use crate::registry::context::{RegistryContext, RegistryUrlParams};
 use crate::registry::package::get::GetPackageResponse;
 use crate::rpc_continuations::{Guid, RpcContinuation};
 use crate::s9pk::manifest::PackageId;
 use crate::s9pk::v2::SIG_CONTEXT;
 use crate::upload::upload;
 use crate::util::Never;
 use crate::util::io::open_file;
@@ -154,6 +155,8 @@ pub async fn install(
        })?
        .s9pk;
    asset.validate(SIG_CONTEXT, asset.all_signers())?;
    let progress_tracker = FullProgressTracker::new();
    let download_progress = progress_tracker.add_phase("Downloading".into(), Some(100));
    let download = ctx
--- a/core/startos/src/lxc/mod.rs
+++ b/core/startos/src/lxc/mod.rs
@@ -366,6 +366,7 @@ impl LxcContainer {
            }
            tokio::time::sleep(Duration::from_millis(100)).await;
        }
        tracing::info!("Connected to socket in {:?}", started.elapsed());
        Ok(UnixRpcClient::new(sock_path))
    }
 }
--- a/core/startos/src/net/acme.rs
+++ b/core/startos/src/net/acme.rs
@@ -26,6 +26,7 @@ use crate::context::{CliContext, RpcContext};
 use crate::db::model::Database;
 use crate::db::model::public::AcmeSettings;
 use crate::db::{DbAccess, DbAccessByKey, DbAccessMut};
 use crate::net::ssl::should_use_cert;
 use crate::net::tls::{SingleCertResolver, TlsHandler};
 use crate::net::web_server::Accept;
 use crate::prelude::*;
@@ -63,20 +64,27 @@ where
                .and_then(|p| p.as_idx(JsonKey::new_ref(san_info)))
            {
                let cert = cert.de().log_err()?;
-                return Some(
+                if cert
-                    CertifiedKey::from_der(
+                    .fullchain
-                        cert.fullchain
+                    .get(0)
-                            .into_iter()
+                    .and_then(|c| should_use_cert(&c.0).log_err())
-                            .map(|c| Ok(CertificateDer::from(c.to_der()?)))
+                    .unwrap_or(false)
-                            .collect::<Result<_, Error>>()
+                {
-                            .log_err()?,
+                    return Some(
-                        PrivateKeyDer::from(PrivatePkcs8KeyDer::from(
+                        CertifiedKey::from_der(
-                            cert.key.0.private_key_to_pkcs8().log_err()?,
+                            cert.fullchain
-                        )),
+                                .into_iter()
-                        &*self.crypto_provider,
+                                .map(|c| Ok(CertificateDer::from(c.to_der()?)))
-                    )
+                                .collect::<Result<_, Error>>()
-                    .log_err()?,
+                                .log_err()?,
-                );
+                            PrivateKeyDer::from(PrivatePkcs8KeyDer::from(
                                cert.key.0.private_key_to_pkcs8().log_err()?,
                            )),
                            &*self.crypto_provider,
                        )
                        .log_err()?,
                    );
                }
            }
            if !self.in_progress.send_if_modified(|x| {
@@ -307,6 +315,16 @@ where
            return Ok(None);
        };
        let cert = cert.de()?;
        if !cert
            .fullchain
            .get(0)
            .map(|c| should_use_cert(&c.0))
            .transpose()
            .map_err(Error::from)?
            .unwrap_or(false)
        {
            return Ok(None);
        }
        Ok(Some((
            String::from_utf8(
                cert.key
--- a/core/startos/src/net/forward.rs
+++ b/core/startos/src/net/forward.rs
@@ -437,7 +437,8 @@ impl InterfaceForwardState {
        for mut entry in self.state.iter_mut() {
            entry.gc(ip_info, &self.port_forward).await?;
        }
-        Ok(())
+
        self.port_forward.gc().await
    }
 }
@@ -537,7 +538,6 @@ impl InterfacePortForwardController {
                    _ = ip_info.changed() => {
                        interfaces = ip_info.read();
                        state.sync(&interfaces).await.log_err();
                        state.port_forward.gc().await.log_err();
                    }
                }
            }
--- a/core/startos/src/net/gateway.rs
+++ b/core/startos/src/net/gateway.rs
@@ -1,5 +1,6 @@
 use std::any::Any;
 use std::collections::{BTreeMap, BTreeSet, HashMap};
 use std::fmt;
 use std::future::Future;
 use std::net::{IpAddr, Ipv4Addr, SocketAddr, SocketAddrV6};
 use std::sync::{Arc, Weak};
@@ -130,7 +131,6 @@ async fn list_interfaces(
 }
 #[derive(Debug, Clone, Deserialize, Serialize, Parser, TS)]
 #[ts(export)]
 struct NetworkInterfaceSetPublicParams {
    gateway: GatewayId,
    public: Option<bool>,
@@ -147,7 +147,6 @@ async fn set_public(
 }
 #[derive(Debug, Clone, Deserialize, Serialize, Parser, TS)]
 #[ts(export)]
 struct UnsetPublicParams {
    gateway: GatewayId,
 }
@@ -163,7 +162,6 @@ async fn unset_public(
 }
 #[derive(Debug, Clone, Deserialize, Serialize, Parser, TS)]
 #[ts(export)]
 struct ForgetGatewayParams {
    gateway: GatewayId,
 }
@@ -176,7 +174,6 @@ async fn forget_iface(
 }
 #[derive(Debug, Clone, Deserialize, Serialize, Parser, TS)]
 #[ts(export)]
 struct RenameGatewayParams {
    id: GatewayId,
    name: InternedString,
@@ -404,6 +401,12 @@ async fn watcher(
 ) {
    loop {
        let res: Result<(), Error> = async {
            Command::new("systemctl")
                .arg("start")
                .arg("NetworkManager")
                .invoke(ErrorKind::Network)
                .await?;
            let connection = Connection::system().await?;
            let netman_proxy = NetworkManagerProxy::new(&connection).await?;
@@ -436,6 +439,11 @@ async fn watcher(
                until
                    .run(async {
                        let devices = netman_proxy.all_devices().await?;
                        ensure_code!(
                            !devices.is_empty(),
                            ErrorKind::Network,
                            "NetworkManager returned no devices. Trying again..."
                        );
                        let mut ifaces = BTreeSet::new();
                        let mut jobs = Vec::new();
                        for device in devices {
@@ -1538,6 +1546,14 @@ pub struct NetworkInterfaceListenerAcceptMetadata<B: Bind> {
    pub inner: <B::Accept as Accept>::Metadata,
    pub info: GatewayInfo,
 }
 impl<B: Bind> fmt::Debug for NetworkInterfaceListenerAcceptMetadata<B> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("NetworkInterfaceListenerAcceptMetadata")
            .field("inner", &self.inner)
            .field("info", &self.info)
            .finish()
    }
 }
 impl<B: Bind> Clone for NetworkInterfaceListenerAcceptMetadata<B>
 where
    <B::Accept as Accept>::Metadata: Clone,
@@ -1614,3 +1630,39 @@ where
        Self::new(Some(Either::Left(listener)))
    }
 }
 #[test]
 fn test_filter() {
    use crate::net::host::binding::NetInfo;
    let wg1 = "wg1".parse::<GatewayId>().unwrap();
    assert!(!InterfaceFilter::filter(
        &AndFilter(
            NetInfo {
                private_disabled: [wg1.clone()].into_iter().collect(),
                public_enabled: Default::default(),
                assigned_port: None,
                assigned_ssl_port: None,
            },
            AndFilter(IdFilter(wg1.clone()), PublicFilter { public: false }),
        )
        .into_dyn(),
        &wg1,
        &NetworkInterfaceInfo {
            name: None,
            public: None,
            secure: None,
            ip_info: Some(Arc::new(IpInfo {
                name: "".into(),
                scope_id: 3,
                device_type: Some(NetworkInterfaceType::Wireguard),
                subnets: ["10.59.0.2/24".parse::<IpNet>().unwrap()]
                    .into_iter()
                    .collect(),
                lan_ip: Default::default(),
                wan_ip: None,
                ntp_servers: Default::default(),
                dns_servers: Default::default(),
            })),
        },
    ));
 }
--- a/core/startos/src/net/ssl.rs
+++ b/core/startos/src/net/ssl.rs
@@ -19,7 +19,7 @@ use openssl::x509::extension::{
    AuthorityKeyIdentifier, BasicConstraints, KeyUsage, SubjectAlternativeName,
    SubjectKeyIdentifier,
 };
-use openssl::x509::{X509, X509Builder, X509NameBuilder};
+use openssl::x509::{X509, X509Builder, X509NameBuilder, X509Ref};
 use openssl::*;
 use patch_db::HasModel;
 use serde::{Deserialize, Serialize};
@@ -48,6 +48,17 @@ pub fn gen_nistp256() -> Result<PKey<Private>, ErrorStack> {
    )?)?)
 }
 pub fn should_use_cert(cert: &X509Ref) -> Result<bool, ErrorStack> {
    Ok(cert
        .not_before()
        .compare(Asn1Time::days_from_now(0)?.as_ref())?
        == Ordering::Less
        && cert
            .not_after()
            .compare(Asn1Time::days_from_now(30)?.as_ref())?
            == Ordering::Greater)
 }
 #[derive(Debug, Deserialize, Serialize, HasModel)]
 #[model = "Model<Self>"]
 #[serde(rename_all = "camelCase")]
@@ -83,30 +94,8 @@ impl Model<CertStore> {
            .map(|m| m.de())
            .transpose()?
        {
-            if cert_data
+            if should_use_cert(&cert_data.certs.ed25519)?
-                .certs
+                && should_use_cert(&cert_data.certs.nistp256)?
                .ed25519
                .not_before()
                .compare(Asn1Time::days_from_now(0)?.as_ref())?
                == Ordering::Less
                && cert_data
                    .certs
                    .ed25519
                    .not_after()
                    .compare(Asn1Time::days_from_now(30)?.as_ref())?
                    == Ordering::Greater
                && cert_data
                    .certs
                    .nistp256
                    .not_before()
                    .compare(Asn1Time::days_from_now(0)?.as_ref())?
                    == Ordering::Less
                && cert_data
                    .certs
                    .nistp256
                    .not_after()
                    .compare(Asn1Time::days_from_now(30)?.as_ref())?
                    == Ordering::Greater
            {
                return Ok(FullchainCertData {
                    root: self.as_root_cert().de()?.0,
@@ -251,12 +240,16 @@ impl CertPair {
    }
 }
-pub async fn root_ca_start_time() -> Result<SystemTime, Error> {
+pub async fn root_ca_start_time() -> SystemTime {
-    Ok(if check_time_is_synchronized().await? {
+    if check_time_is_synchronized()
        .await
        .log_err()
        .unwrap_or(false)
    {
        SystemTime::now()
    } else {
        *SOURCE_DATE
-    })
+    }
 }
 const EC_CURVE_NAME: nid::Nid = nid::Nid::X9_62_PRIME256V1;
--- a/core/startos/src/net/tls.rs
+++ b/core/startos/src/net/tls.rs
@@ -217,10 +217,15 @@ where
                                .write_all(&buffered)
                                .await
                                .with_kind(ErrorKind::Network)?;
-                            return Ok(Some((
+                            let stream = match mid.into_stream(Arc::new(cfg)).await {
-                                metadata,
+                                Ok(stream) => Box::pin(stream) as AcceptStream,
-                                Box::pin(mid.into_stream(Arc::new(cfg)).await?) as AcceptStream,
+                                Err(e) => {
-                            )));
+                                    tracing::trace!("Error completing TLS handshake: {e}");
                                    tracing::trace!("{e:?}");
                                    return Ok(None);
                                }
                            };
                            return Ok(Some((metadata, stream)));
                        }
                        Ok(None)
--- a/core/startos/src/net/tor/ctor.rs
+++ b/core/startos/src/net/tor/ctor.rs
@@ -649,16 +649,6 @@ async fn torctl(
            .invoke(ErrorKind::Tor)
            .await?;
        let logs = journalctl(
            LogSource::Unit(SYSTEMD_UNIT),
            Some(0),
            None,
            Some("0"),
            false,
            true,
        )
        .await?;
        let mut tcp_stream = None;
        for _ in 0..60 {
            if let Ok(conn) = TcpStream::connect(tor_control).await {
@@ -720,7 +710,7 @@ async fn torctl(
                ErrorKind::Tor,
            ));
        }
-        Ok((connection, logs))
+        Ok(connection)
    };
    let pre_handler = async {
        while let Some(command) = recv.recv().await {
@@ -745,7 +735,7 @@ async fn torctl(
        Ok(())
    };
-    let (mut connection, mut logs) = tokio::select! {
+    let mut connection = tokio::select! {
        res = bootstrap => res?,
        res = pre_handler => return res,
    };
@@ -851,45 +841,59 @@ async fn torctl(
        Ok(())
    };
    let log_parser = async {
-        while let Some(log) = logs.try_next().await? {
+        loop {
-            for (regex, severity) in &*LOG_REGEXES {
+            let mut logs = journalctl(
-                if regex.is_match(&log.message) {
+                LogSource::Unit(SYSTEMD_UNIT),
-                    let (check, wipe_state) = match severity {
+                Some(0),
-                        ErrorLogSeverity::Fatal { wipe_state } => (false, *wipe_state),
+                None,
-                        ErrorLogSeverity::Unknown { wipe_state } => (true, *wipe_state),
+                Some("0"),
-                    };
+                false,
-                    let addr = hck_key.public().get_onion_address().to_string();
+                true,
-                    if !check
+            )
-                        || TcpStream::connect(tor_socks)
+            .await?;
-                            .map_err(|e| Error::new(e, ErrorKind::Tor))
+            while let Some(log) = logs.try_next().await? {
-                            .and_then(|mut tor_socks| async move {
+                for (regex, severity) in &*LOG_REGEXES {
-                                tokio::time::timeout(
+                    if regex.is_match(&log.message) {
-                                    Duration::from_secs(30),
+                        let (check, wipe_state) = match severity {
-                                    socks5_impl::client::connect(&mut tor_socks, (addr, 80), None)
+                            ErrorLogSeverity::Fatal { wipe_state } => (false, *wipe_state),
-                                        .map_err(|e| Error::new(e, ErrorKind::Tor)),
+                            ErrorLogSeverity::Unknown { wipe_state } => (true, *wipe_state),
-                                )
+                        };
                        let addr = hck_key.public().get_onion_address().to_string();
                        if !check
                            || TcpStream::connect(tor_socks)
                                .map_err(|e| Error::new(e, ErrorKind::Tor))
-                                .await?
+                                .and_then(|mut tor_socks| async move {
-                            })
+                                    tokio::time::timeout(
-                            .await
+                                        Duration::from_secs(30),
-                            .with_ctx(|_| (ErrorKind::Tor, "Tor is confirmed to be down"))
+                                        socks5_impl::client::connect(
-                            .log_err()
+                                            &mut tor_socks,
-                            .is_some()
+                                            (addr, 80),
-                    {
+                                            None,
-                        if wipe_state {
+                                        )
-                            Command::new("systemctl")
+                                        .map_err(|e| Error::new(e, ErrorKind::Tor)),
-                                .arg("stop")
+                                    )
-                                .arg("tor")
+                                    .map_err(|e| Error::new(e, ErrorKind::Tor))
-                                .invoke(ErrorKind::Tor)
+                                    .await?
-                                .await?;
+                                })
-                            tokio::fs::remove_dir_all("/var/lib/tor").await?;
+                                .await
                                .with_ctx(|_| (ErrorKind::Tor, "Tor is confirmed to be down"))
                                .log_err()
                                .is_some()
                        {
                            if wipe_state {
                                Command::new("systemctl")
                                    .arg("stop")
                                    .arg("tor")
                                    .invoke(ErrorKind::Tor)
                                    .await?;
                                tokio::fs::remove_dir_all("/var/lib/tor").await?;
                            }
                            return Err(Error::new(eyre!("{}", log.message), ErrorKind::Tor));
                        }
                        return Err(Error::new(eyre!("{}", log.message), ErrorKind::Tor));
                    }
                }
            }
        }
        Err(Error::new(eyre!("Log stream terminated"), ErrorKind::Tor))
    };
    let health_checker = async {
        let mut last_success = Instant::now();
@@ -959,20 +963,23 @@ impl TorControl {
            _thread: tokio::spawn(async move {
                let wipe_state = AtomicBool::new(false);
                let mut health_timeout = Duration::from_secs(STARTING_HEALTH_TIMEOUT);
-                while let Err(e) = torctl(
+                loop {
-                    tor_control,
+                    if let Err(e) = torctl(
-                    tor_socks,
+                        tor_control,
-                    &mut recv,
+                        tor_socks,
-                    &mut thread_services,
+                        &mut recv,
-                    &wipe_state,
+                        &mut thread_services,
-                    &mut health_timeout,
+                        &wipe_state,
-                )
+                        &mut health_timeout,
-                .await
+                    )
-                {
+                    .await
-                    tracing::error!("{e}: Restarting tor");
+                    {
-                    tracing::debug!("{e:?}");
+                        tracing::error!("TorControl : {e}");
                        tracing::debug!("{e:?}");
                    }
                    tracing::info!("Restarting Tor");
                    tokio::time::sleep(Duration::from_secs(1)).await;
                }
                tracing::info!("TorControl is shut down.")
            })
            .into(),
            send,
--- a/core/startos/src/net/tunnel.rs
+++ b/core/startos/src/net/tunnel.rs
@@ -39,6 +39,23 @@ pub struct AddTunnelParams {
    public: bool,
 }
 fn sanitize_config(config: &str) -> String {
    let mut res = String::with_capacity(config.len());
    for line in config.lines() {
        if line
            .trim()
            .strip_prefix("AllowedIPs")
            .map_or(false, |l| l.trim().starts_with("="))
        {
            res.push_str("AllowedIPs = 0.0.0.0/0, ::/0");
        } else {
            res.push_str(line);
        }
        res.push('\n');
    }
    res
 }
 pub async fn add_tunnel(
    ctx: RpcContext,
    AddTunnelParams {
@@ -86,7 +103,7 @@ pub async fn add_tunnel(
    let tmpdir = TmpDir::new().await?;
    let conf = tmpdir.join(&iface).with_extension("conf");
-    write_file_atomic(&conf, &config).await?;
+    write_file_atomic(&conf, &sanitize_config(&config)).await?;
    Command::new("nmcli")
        .arg("connection")
        .arg("import")
--- a/core/startos/src/net/vhost.rs
+++ b/core/startos/src/net/vhost.rs
@@ -1,5 +1,6 @@
 use std::any::Any;
 use std::collections::{BTreeMap, BTreeSet};
 use std::fmt;
 use std::net::{IpAddr, SocketAddr};
 use std::sync::{Arc, Weak};
 use std::task::{Poll, ready};
@@ -41,6 +42,7 @@ use crate::net::tls::{
 use crate::net::web_server::{Accept, AcceptStream, ExtractVisitor, TcpMetadata, extract};
 use crate::prelude::*;
 use crate::util::collections::EqSet;
 use crate::util::future::WeakFuture;
 use crate::util::serde::{HandlerExtSerde, MaybeUtf8String, display_serializable};
 use crate::util::sync::{SyncMutex, Watch};
@@ -134,7 +136,6 @@ impl VHostController {
    pub fn dump_table(
        &self,
    ) -> BTreeMap<JsonKey<u16>, BTreeMap<JsonKey<Option<InternedString>>, EqSet<String>>> {
        let ip_info = self.interfaces.watcher.ip_info();
        self.servers.peek(|s| {
            s.iter()
                .map(|(k, v)| {
@@ -187,7 +188,7 @@ pub trait VHostTarget<A: Accept>: std::fmt::Debug + Eq {
        hello: &'a ClientHello<'a>,
        metadata: &'a <A as Accept>::Metadata,
    ) -> impl Future<Output = Option<(ServerConfig, Self::PreprocessRes)>> + Send + 'a;
-    fn handle_stream(&self, stream: AcceptStream, prev: Self::PreprocessRes);
+    fn handle_stream(&self, stream: AcceptStream, prev: Self::PreprocessRes, rc: Weak<()>);
 }
 pub trait DynVHostTargetT<A: Accept>: std::fmt::Debug + Any {
@@ -199,7 +200,7 @@ pub trait DynVHostTargetT<A: Accept>: std::fmt::Debug + Any {
        hello: &'a ClientHello<'a>,
        metadata: &'a <A as Accept>::Metadata,
    ) -> BoxFuture<'a, Option<(ServerConfig, Box<dyn Any + Send>)>>;
-    fn handle_stream(&self, stream: AcceptStream, prev: Box<dyn Any + Send>);
+    fn handle_stream(&self, stream: AcceptStream, prev: Box<dyn Any + Send>, rc: Weak<()>);
    fn eq(&self, other: &dyn DynVHostTargetT<A>) -> bool;
 }
 impl<A: Accept, T: VHostTarget<A> + 'static> DynVHostTargetT<A> for T {
@@ -219,9 +220,9 @@ impl<A: Accept, T: VHostTarget<A> + 'static> DynVHostTargetT<A> for T {
            .map(|o| o.map(|(cfg, res)| (cfg, Box::new(res) as Box<dyn Any + Send>)))
            .boxed()
    }
-    fn handle_stream(&self, stream: AcceptStream, prev: Box<dyn Any + Send>) {
+    fn handle_stream(&self, stream: AcceptStream, prev: Box<dyn Any + Send>, rc: Weak<()>) {
        if let Ok(prev) = prev.downcast() {
-            VHostTarget::handle_stream(self, stream, *prev);
+            VHostTarget::handle_stream(self, stream, *prev, rc);
        }
    }
    fn eq(&self, other: &dyn DynVHostTargetT<A>) -> bool {
@@ -251,21 +252,27 @@ impl<A: Accept + 'static> PartialEq for DynVHostTarget<A> {
    }
 }
 impl<A: Accept + 'static> Eq for DynVHostTarget<A> {}
-struct Preprocessed<A: Accept>(DynVHostTarget<A>, Box<dyn Any + Send>);
+struct Preprocessed<A: Accept>(DynVHostTarget<A>, Weak<()>, Box<dyn Any + Send>);
 impl<A: Accept> fmt::Debug for Preprocessed<A> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        (self.0).0.fmt(f)
    }
 }
 impl<A: Accept + 'static> DynVHostTarget<A> {
    async fn into_preprocessed(
        self,
        rc: Weak<()>,
        prev: ServerConfig,
        hello: &ClientHello<'_>,
        metadata: &<A as Accept>::Metadata,
    ) -> Option<(ServerConfig, Preprocessed<A>)> {
        let (cfg, res) = self.0.preprocess(prev, hello, metadata).await?;
-        Some((cfg, Preprocessed(self, res)))
+        Some((cfg, Preprocessed(self, rc, res)))
    }
 }
 impl<A: Accept + 'static> Preprocessed<A> {
    fn finish(self, stream: AcceptStream) {
-        (self.0).0.handle_stream(stream, self.1);
+        (self.0).0.handle_stream(stream, self.2, self.1);
    }
 }
@@ -279,6 +286,7 @@ pub struct ProxyTarget {
 impl PartialEq for ProxyTarget {
    fn eq(&self, other: &Self) -> bool {
        self.filter == other.filter
            && self.acme == other.acme
            && self.addr == other.addr
            && self.connect_ssl.as_ref().map(Arc::as_ptr)
                == other.connect_ssl.as_ref().map(Arc::as_ptr)
@@ -294,6 +302,9 @@ where
    type PreprocessRes = AcceptStream;
    fn filter(&self, metadata: &<A as Accept>::Metadata) -> bool {
        let info = extract::<GatewayInfo, _>(metadata);
        if info.is_none() {
            tracing::warn!("No GatewayInfo on metadata");
        }
        info.as_ref()
            .map_or(true, |i| self.filter.filter(&i.id, &i.info))
    }
@@ -304,7 +315,7 @@ where
        &'a self,
        mut prev: ServerConfig,
        hello: &'a ClientHello<'a>,
-        metadata: &'a <A as Accept>::Metadata,
+        _: &'a <A as Accept>::Metadata,
    ) -> Option<(ServerConfig, Self::PreprocessRes)> {
        let tcp_stream = TcpStream::connect(self.addr)
            .await
@@ -345,8 +356,10 @@ where
        }
        Some((prev, Box::pin(tcp_stream)))
    }
-    fn handle_stream(&self, mut stream: AcceptStream, mut prev: Self::PreprocessRes) {
+    fn handle_stream(&self, mut stream: AcceptStream, mut prev: Self::PreprocessRes, rc: Weak<()>) {
-        tokio::spawn(async move { tokio::io::copy_bidirectional(&mut stream, &mut prev).await });
+        tokio::spawn(async move {
            WeakFuture::new(rc, tokio::io::copy_bidirectional(&mut stream, &mut prev)).await
        });
    }
 }
@@ -436,16 +449,16 @@ where
            return Some(prev);
        }
-        let target = self.0.peek(|m| {
+        let (target, rc) = self.0.peek(|m| {
            m.get(&hello.server_name().map(InternedString::from))
                .into_iter()
                .flatten()
                .filter(|(_, rc)| rc.strong_count() > 0)
                .find(|(t, _)| t.0.filter(metadata))
-                .map(|(e, _)| e.clone())
+                .map(|(t, rc)| (t.clone(), rc.clone()))
        })?;
-        let (prev, store) = target.into_preprocessed(prev, hello, metadata).await?;
+        let (prev, store) = target.into_preprocessed(rc, prev, hello, metadata).await?;
        self.1 = Some(store);
@@ -480,6 +493,14 @@ struct VHostListenerMetadata<A: Accept> {
    inner: TlsMetadata<A::Metadata>,
    preprocessed: Preprocessed<A>,
 }
 impl<A: Accept> fmt::Debug for VHostListenerMetadata<A> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("VHostListenerMetadata")
            .field("inner", &self.inner)
            .field("preprocessed", &self.preprocessed)
            .finish()
    }
 }
 impl<M, A> Accept for VHostListener<M, A>
 where
    for<'a> M: HasModel<Model = Model<M>>
@@ -637,6 +658,7 @@ impl<A: Accept> VHostServer<A> {
                changed = true;
                Arc::new(())
            };
            targets.retain(|_, rc| rc.strong_count() > 0);
            targets.insert(target, Arc::downgrade(&rc));
            writable.insert(hostname, targets);
            res = Ok(rc);
--- a/core/startos/src/net/web_server.rs
+++ b/core/startos/src/net/web_server.rs
@@ -1,3 +1,4 @@
 use core::fmt;
 use std::any::Any;
 use std::collections::BTreeMap;
 use std::future::Future;
@@ -68,7 +69,7 @@ pub fn extract<
    metadata: &M,
 ) -> Option<T> {
    let mut visitor = ExtractVisitor(None);
-    visitor.visit(metadata);
+    metadata.visit(&mut visitor);
    visitor.0
 }
@@ -84,7 +85,7 @@ impl<V: MetadataVisitor> Visit<V> for TcpMetadata {
 }
 pub trait Accept {
-    type Metadata;
+    type Metadata: fmt::Debug;
    fn poll_accept(
        &mut self,
        cx: &mut std::task::Context<'_>,
@@ -144,7 +145,7 @@ where
    }
 }
-#[derive(Clone, VisitFields)]
+#[derive(Debug, Clone, VisitFields)]
 pub struct MapListenerMetadata<K, M> {
    pub inner: M,
    pub key: K,
@@ -162,7 +163,7 @@ where
 impl<K, A> Accept for BTreeMap<K, A>
 where
-    K: Clone,
+    K: Clone + fmt::Debug,
    A: Accept,
 {
    type Metadata = MapListenerMetadata<K, A::Metadata>;
@@ -218,40 +219,38 @@ trait DynAcceptT: Send + Sync {
    fn poll_accept(
        &mut self,
        cx: &mut std::task::Context<'_>,
-    ) -> Poll<
+    ) -> Poll<Result<(DynMetadata, AcceptStream), Error>>;
        Result<
            (
                Box<dyn for<'a> Visit<ExtensionVisitor<'a>> + Send + Sync>,
                AcceptStream,
            ),
            Error,
        >,
    >;
 }
 impl<A> DynAcceptT for A
 where
    A: Accept + Send + Sync,
-    for<'a> <A as Accept>::Metadata: Visit<ExtensionVisitor<'a>> + Send + Sync + 'static,
+    <A as Accept>::Metadata: DynMetadataT + 'static,
 {
    fn poll_accept(
        &mut self,
        cx: &mut std::task::Context<'_>,
-    ) -> Poll<
+    ) -> Poll<Result<(DynMetadata, AcceptStream), Error>> {
        Result<
            (
                Box<dyn for<'a> Visit<ExtensionVisitor<'a>> + Send + Sync>,
                AcceptStream,
            ),
            Error,
        >,
    > {
        let (metadata, stream) = ready!(Accept::poll_accept(self, cx)?);
-        Poll::Ready(Ok((Box::new(metadata), stream)))
+        Poll::Ready(Ok((DynMetadata(Box::new(metadata)), stream)))
    }
 }
 pub struct DynAccept(Box<dyn DynAcceptT>);
 trait DynMetadataT: for<'a> Visit<ExtensionVisitor<'a>> + fmt::Debug + Send + Sync {}
 impl<T> DynMetadataT for T where for<'a> T: Visit<ExtensionVisitor<'a>> + fmt::Debug + Send + Sync {}
 #[derive(Debug)]
 pub struct DynMetadata(Box<dyn DynMetadataT>);
 impl<'a> Visit<ExtensionVisitor<'a>> for DynMetadata {
    fn visit(
        &self,
        visitor: &mut ExtensionVisitor<'a>,
    ) -> <ExtensionVisitor<'a> as Visitor>::Result {
        self.0.visit(visitor)
    }
 }
 impl Accept for DynAccept {
-    type Metadata = Box<dyn for<'a> Visit<ExtensionVisitor<'a>> + Send + Sync>;
+    type Metadata = DynMetadata;
    fn poll_accept(
        &mut self,
        cx: &mut std::task::Context<'_>,
@@ -325,7 +324,7 @@ impl Acceptor<Vec<DynAccept>> {
 }
 impl<K> Acceptor<BTreeMap<K, TcpListener>>
 where
-    K: Ord + Clone + Send + Sync + 'static,
+    K: Ord + Clone + fmt::Debug + Send + Sync + 'static,
 {
    pub async fn bind_map(
        listen: impl IntoIterator<Item = (K, SocketAddr)>,
@@ -347,7 +346,7 @@ where
 }
 impl<K> Acceptor<BTreeMap<K, DynAccept>>
 where
-    K: Ord + Clone + Send + Sync + 'static,
+    K: Ord + Clone + fmt::Debug + Send + Sync + 'static,
 {
    pub async fn bind_map_dyn(
        listen: impl IntoIterator<Item = (K, SocketAddr)>,
--- a/core/startos/src/os_install/mod.rs
+++ b/core/startos/src/os_install/mod.rs
@@ -356,7 +356,10 @@ pub async fn execute<C: Context>(
    let mut install = Command::new("chroot");
    install.arg(overlay.path()).arg("grub-install");
    if tokio::fs::metadata("/sys/firmware/efi").await.is_err() {
-        install.arg("--target=i386-pc");
+        match ARCH {
            "x86_64" => install.arg("--target=i386-pc"),
            _ => &mut install,
        };
    } else {
        match ARCH {
            "x86_64" => install.arg("--target=x86_64-efi"),
@@ -372,7 +375,7 @@ pub async fn execute<C: Context>(
    Command::new("chroot")
        .arg(overlay.path())
-        .arg("update-grub2")
+        .arg("update-grub")
        .invoke(crate::ErrorKind::Grub)
        .await?;
    dev.unmount(false).await?;
--- a/core/startos/src/progress.rs
+++ b/core/startos/src/progress.rs
@@ -353,7 +353,7 @@ impl FullProgressTracker {
        }
    }
    pub fn progress_bar_task(&self, name: &str) -> NonDetachingJoinHandle<()> {
-        let mut stream = self.stream(None);
+        let mut stream = self.stream(Some(Duration::from_millis(200)));
        let mut bar = PhasedProgressBar::new(name);
        tokio::spawn(async move {
            while let Some(progress) = stream.next().await {
--- a/core/startos/src/registry/asset.rs
+++ b/core/startos/src/registry/asset.rs
@@ -1,4 +1,5 @@
 use std::collections::HashMap;
 use std::path::Path;
 use std::sync::Arc;
 use chrono::{DateTime, Utc};
@@ -84,6 +85,26 @@ impl RegistryAsset<MerkleArchiveCommitment> {
        )
        .await
    }
    pub async fn download_to(
        &self,
        path: impl AsRef<Path>,
        client: Client,
        progress: PhaseProgressTrackerHandle,
    ) -> Result<
        (
            S9pk<Section<Arc<BufferedHttpSource>>>,
            Arc<BufferedHttpSource>,
        ),
        Error,
    > {
        let source = Arc::new(
            BufferedHttpSource::with_path(path, client, self.url.clone(), progress).await?,
        );
        Ok((
            S9pk::deserialize(&source, Some(&self.commitment)).await?,
            source,
        ))
    }
 }
 pub struct BufferedHttpSource {
@@ -91,6 +112,19 @@ pub struct BufferedHttpSource {
    file: UploadingFile,
 }
 impl BufferedHttpSource {
    pub async fn with_path(
        path: impl AsRef<Path>,
        client: Client,
        url: Url,
        progress: PhaseProgressTrackerHandle,
    ) -> Result<Self, Error> {
        let (mut handle, file) = UploadingFile::with_path(path, progress).await?;
        let response = client.get(url).send().await?;
        Ok(Self {
            _download: tokio::spawn(async move { handle.download(response).await }).into(),
            file,
        })
    }
    pub async fn new(
        client: Client,
        url: Url,
@@ -103,6 +137,9 @@ impl BufferedHttpSource {
            file,
        })
    }
    pub async fn wait_for_buffered(&self) -> Result<(), Error> {
        self.file.wait_for_complete().await
    }
 }
 impl ArchiveSource for BufferedHttpSource {
    type FetchReader = <UploadingFile as ArchiveSource>::FetchReader;
--- a/core/startos/src/registry/package/get.rs
+++ b/core/startos/src/registry/package/get.rs
@@ -1,19 +1,27 @@
 use std::collections::{BTreeMap, BTreeSet};
 use std::path::{Path, PathBuf};
 use clap::{Parser, ValueEnum};
 use exver::{ExtendedVersion, VersionRange};
-use imbl_value::InternedString;
+use helpers::to_tmp_path;
 use imbl_value::{InternedString, json};
 use itertools::Itertools;
 use models::PackageId;
 use serde::{Deserialize, Serialize};
 use ts_rs::TS;
 use crate::context::CliContext;
 use crate::prelude::*;
 use crate::progress::{FullProgressTracker, ProgressUnits};
 use crate::registry::context::RegistryContext;
 use crate::registry::device_info::DeviceInfo;
 use crate::registry::package::index::{PackageIndex, PackageVersionInfo};
 use crate::s9pk::merkle_archive::source::ArchiveSource;
 use crate::s9pk::v2::SIG_CONTEXT;
 use crate::util::VersionString;
 use crate::util::io::TrackingIO;
 use crate::util::serde::{WithIoFormat, display_serializable};
 use crate::util::tui::choose;
 #[derive(
    Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Deserialize, Serialize, TS, ValueEnum,
@@ -352,8 +360,7 @@ pub fn display_package_info(
    info: Value,
 ) -> Result<(), Error> {
    if let Some(format) = params.format {
-        display_serializable(format, info);
+        return display_serializable(format, info);
        return Ok(());
    }
    if let Some(_) = params.rest.id {
@@ -387,3 +394,90 @@ pub fn display_package_info(
    }
    Ok(())
 }
 #[derive(Debug, Deserialize, Serialize, TS, Parser)]
 #[serde(rename_all = "camelCase")]
 pub struct CliDownloadParams {
    pub id: PackageId,
    #[arg(long, short = 'v')]
    #[ts(type = "string | null")]
    pub target_version: Option<VersionRange>,
    #[arg(short, long)]
    pub dest: Option<PathBuf>,
 }
 pub async fn cli_download(
    ctx: CliContext,
    CliDownloadParams {
        ref id,
        target_version,
        dest,
    }: CliDownloadParams,
 ) -> Result<(), Error> {
    let progress_tracker = FullProgressTracker::new();
    let mut fetching_progress = progress_tracker.add_phase("Fetching".into(), Some(1));
    let download_progress = progress_tracker.add_phase("Downloading".into(), Some(100));
    let mut verify_progress = progress_tracker.add_phase("Verifying".into(), Some(10));
    let progress = progress_tracker.progress_bar_task("Downloading S9PK...");
    fetching_progress.start();
    let mut res: GetPackageResponse = from_value(
        ctx.call_remote::<RegistryContext>(
            "package.get",
            json!({
                "id": &id,
                "targetVersion": &target_version,
            }),
        )
        .await?,
    )?;
    let PackageVersionInfo { s9pk, .. } = match res.best.len() {
        0 => {
            return Err(Error::new(
                eyre!(
                    "Could not find a version of {id} that satisfies {}",
                    target_version.unwrap_or(VersionRange::Any)
                ),
                ErrorKind::NotFound,
            ));
        }
        1 => res.best.pop_first().unwrap().1,
        _ => {
            let choices = res.best.keys().cloned().collect::<Vec<_>>();
            let version = choose(
                &format!("Multiple flavors of {id} available. Choose a version to download:"),
                &choices,
            )
            .await?;
            res.best.remove(version).unwrap()
        }
    };
    s9pk.validate(SIG_CONTEXT, s9pk.all_signers())?;
    fetching_progress.complete();
    let dest = dest.unwrap_or_else(|| Path::new(".").join(id).with_extension("s9pk"));
    let dest_tmp = to_tmp_path(&dest).with_kind(ErrorKind::Filesystem)?;
    let (mut parsed, source) = s9pk
        .download_to(&dest_tmp, ctx.client.clone(), download_progress)
        .await?;
    if let Some(size) = source.size().await {
        verify_progress.set_total(size);
    }
    verify_progress.set_units(Some(ProgressUnits::Bytes));
    let mut progress_sink = verify_progress.writer(tokio::io::sink());
    parsed
        .serialize(&mut TrackingIO::new(0, &mut progress_sink), true)
        .await?;
    progress_sink.into_inner().1.complete();
    source.wait_for_buffered().await?;
    tokio::fs::rename(dest_tmp, dest).await?;
    progress_tracker.complete();
    progress.await.unwrap();
    println!("Download Complete");
    Ok(())
 }
--- a/core/startos/src/registry/package/mod.rs
+++ b/core/startos/src/registry/package/mod.rs
@@ -1,4 +1,4 @@
-use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
+use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async, from_fn_async_local};
 use crate::context::CliContext;
 use crate::prelude::*;
@@ -54,6 +54,12 @@ pub fn package_api<C: Context>() -> ParentHandler<C> {
                .with_about("List installation candidate package(s)")
                .with_call_remote::<CliContext>(),
        )
        .subcommand(
            "download",
            from_fn_async_local(get::cli_download)
                .no_display()
                .with_about("Download an s9pk"),
        )
        .subcommand(
            "category",
            category::category_api::<C>()
--- a/core/startos/src/service/effects/subcontainer/sync.rs
+++ b/core/startos/src/service/effects/subcontainer/sync.rs
@@ -106,7 +106,9 @@ pub struct ExecParams {
    #[arg(long)]
    pty_size: Option<TermSize>,
    #[arg(short, long)]
-    env: Option<PathBuf>,
+    env: Vec<String>,
    #[arg(long)]
    env_file: Option<PathBuf>,
    #[arg(short, long)]
    workdir: Option<PathBuf>,
    #[arg(short, long)]
@@ -119,6 +121,7 @@ impl ExecParams {
    fn exec(&self) -> Result<(), Error> {
        let ExecParams {
            env,
            env_file,
            workdir,
            user,
            chroot,
@@ -131,14 +134,15 @@ impl ExecParams {
                ErrorKind::InvalidRequest,
            ));
        };
-        let env_string = if let Some(env) = &env {
+        let env_string = if let Some(env_file) = &env_file {
-            std::fs::read_to_string(env)
+            std::fs::read_to_string(env_file)
                .with_ctx(|_| (ErrorKind::Filesystem, lazy_format!("read {env:?}")))?
        } else {
            Default::default()
        };
        let env = env_string
            .lines()
            .chain(env.iter().map(|l| l.as_str()))
            .map(|l| l.trim())
            .filter_map(|l| l.split_once("="))
            .collect::<BTreeMap<_, _>>();
@@ -150,31 +154,39 @@ impl ExecParams {
            cmd.env(k, v);
        }
-        if let Some(uid) = user.as_deref().and_then(|u| u.parse::<u32>().ok()) {
+        if let Some((uid, gid)) =
-            cmd.uid(uid);
+            if let Some(uid) = user.as_deref().and_then(|u| u.parse::<u32>().ok()) {
-        } else if let Some(user) = user {
+                Some((uid, uid))
-            let passwd = std::fs::read_to_string("/etc/passwd")
+            } else if let Some(user) = user {
-                .with_ctx(|_| (ErrorKind::Filesystem, "read /etc/passwd"));
+                let passwd = std::fs::read_to_string("/etc/passwd")
-            if passwd.is_err() && user == "root" {
+                    .with_ctx(|_| (ErrorKind::Filesystem, "read /etc/passwd"));
-                cmd.uid(0);
+                Some(if passwd.is_err() && user == "root" {
-                cmd.gid(0);
+                    (0, 0)
                } else {
                    let (uid, gid) = passwd?
                        .lines()
                        .find_map(|l| {
                            let mut split = l.trim().split(":");
                            if user != split.next()? {
                                return None;
                            }
                            split.next(); // throw away x
                            Some((split.next()?.parse().ok()?, split.next()?.parse().ok()?))
                            // uid gid
                        })
                        .or_not_found(lazy_format!("{user} in /etc/passwd"))?;
                    (uid, gid)
                })
            } else {
-                let (uid, gid) = passwd?
+                None
                    .lines()
                    .find_map(|l| {
                        let mut split = l.trim().split(":");
                        if user != split.next()? {
                            return None;
                        }
                        split.next(); // throw away x
                        Some((split.next()?.parse().ok()?, split.next()?.parse().ok()?))
                        // uid gid
                    })
                    .or_not_found(lazy_format!("{user} in /etc/passwd"))?;
                cmd.uid(uid);
                cmd.gid(gid);
            }
-        };
+        {
            std::os::unix::fs::chown("/proc/self/fd/0", Some(uid), Some(gid)).log_err();
            std::os::unix::fs::chown("/proc/self/fd/1", Some(uid), Some(gid)).log_err();
            std::os::unix::fs::chown("/proc/self/fd/2", Some(uid), Some(gid)).log_err();
            cmd.uid(uid);
            cmd.gid(gid);
        }
        if let Some(workdir) = workdir {
            cmd.current_dir(workdir);
        } else {
@@ -191,6 +203,7 @@ pub fn launch(
        force_stderr_tty,
        pty_size,
        env,
        env_file,
        workdir,
        user,
        chroot,
@@ -286,8 +299,11 @@ pub fn launch(
        let (pty, pts) = pty_process::open().with_kind(ErrorKind::Filesystem)?;
        let mut cmd = pty_process::Command::new("/usr/bin/start-container");
        cmd = cmd.arg("subcontainer").arg("launch-init");
-        if let Some(env) = env {
+        for env in env {
-            cmd = cmd.arg("--env").arg(env);
+            cmd = cmd.arg("-e").arg(env)
        }
        if let Some(env_file) = env_file {
            cmd = cmd.arg("--env-file").arg(env_file);
        }
        if let Some(workdir) = workdir {
            cmd = cmd.arg("--workdir").arg(workdir);
@@ -341,8 +357,11 @@ pub fn launch(
    } else {
        let mut cmd = StdCommand::new("/usr/bin/start-container");
        cmd.arg("subcontainer").arg("launch-init");
-        if let Some(env) = env {
+        for env in env {
-            cmd.arg("--env").arg(env);
+            cmd.arg("-e").arg(env);
        }
        if let Some(env_file) = env_file {
            cmd.arg("--env-file").arg(env_file);
        }
        if let Some(workdir) = workdir {
            cmd.arg("--workdir").arg(workdir);
@@ -433,6 +452,7 @@ pub fn exec(
        force_stderr_tty,
        pty_size,
        env,
        env_file,
        workdir,
        user,
        chroot,
@@ -536,8 +556,11 @@ pub fn exec(
        let (pty, pts) = pty_process::open().with_kind(ErrorKind::Filesystem)?;
        let mut cmd = pty_process::Command::new("/usr/bin/start-container");
        cmd = cmd.arg("subcontainer").arg("exec-command");
-        if let Some(env) = env {
+        for env in env {
-            cmd = cmd.arg("--env").arg(env);
+            cmd = cmd.arg("-e").arg(env);
        }
        if let Some(env_file) = env_file {
            cmd = cmd.arg("--env-file").arg(env_file);
        }
        if let Some(workdir) = workdir {
            cmd = cmd.arg("--workdir").arg(workdir);
@@ -591,8 +614,11 @@ pub fn exec(
    } else {
        let mut cmd = StdCommand::new("/usr/bin/start-container");
        cmd.arg("subcontainer").arg("exec-command");
-        if let Some(env) = env {
+        for env in env {
-            cmd.arg("--env").arg(env);
+            cmd.arg("-e").arg(env);
        }
        if let Some(env_file) = env_file {
            cmd.arg("--env-file").arg(env_file);
        }
        if let Some(workdir) = workdir {
            cmd.arg("--workdir").arg(workdir);
--- a/core/startos/src/service/mod.rs
+++ b/core/startos/src/service/mod.rs
@@ -725,6 +725,8 @@ pub struct AttachParams {
    name: Option<InternedString>,
    #[ts(type = "string | null")]
    image_id: Option<ImageId>,
    #[ts(type = "string | null")]
    user: Option<InternedString>,
 }
 pub async fn attach(
    ctx: RpcContext,
@@ -738,6 +740,7 @@ pub async fn attach(
        subcontainer,
        image_id,
        name,
        user,
    }: AttachParams,
 ) -> Result<Guid, Error> {
    let (container_id, subcontainer_id, image_id, workdir, root_command) = {
@@ -814,9 +817,26 @@ pub async fn attach(
            .join("etc")
            .join("passwd");
-        let root_command = get_passwd_root_command(passwd).await;
+        let image_meta = serde_json::from_str::<Value>(
            &tokio::fs::read_to_string(
                root_dir
                    .join("media/startos/images/")
                    .join(&image_id)
                    .with_extension("json"),
            )
            .await?,
        )
        .with_kind(ErrorKind::Deserialization)?;
-        let workdir = attach_workdir(&image_id, &root_dir).await?;
+        let root_command = get_passwd_command(
            passwd,
            user.as_deref()
                .or_else(|| image_meta["user"].as_str())
                .unwrap_or("root"),
        )
        .await;
        let workdir = image_meta["workdir"].as_str().map(|s| s.to_owned());
        if subcontainer_ids.len() > 1 {
            let subcontainer_ids = subcontainer_ids
@@ -849,6 +869,7 @@ pub async fn attach(
        pty_size: Option<TermSize>,
        image_id: ImageId,
        workdir: Option<String>,
        user: Option<InternedString>,
        root_command: &RootCommand,
    ) -> Result<(), Error> {
        use axum::extract::ws::Message;
@@ -864,13 +885,17 @@ pub async fn attach(
            .arg("start-container")
            .arg("subcontainer")
            .arg("exec")
-            .arg("--env")
+            .arg("--env-file")
            .arg(
                Path::new("/media/startos/images")
                    .join(image_id)
                    .with_extension("env"),
            );
        if let Some(user) = user {
            cmd.arg("--user").arg(&*user);
        }
        if let Some(workdir) = workdir {
            cmd.arg("--workdir").arg(workdir);
        }
@@ -1032,6 +1057,7 @@ pub async fn attach(
                        pty_size,
                        image_id,
                        workdir,
                        user,
                        &root_command,
                    )
                    .await
@@ -1051,19 +1077,46 @@ pub async fn attach(
    Ok(guid)
 }
-async fn attach_workdir(image_id: &ImageId, root_dir: &Path) -> Result<Option<String>, Error> {
+#[derive(Deserialize, Serialize, TS)]
-    let path_str = root_dir.join("media/startos/images/");
+#[serde(rename_all = "camelCase")]
-
+pub struct ListSubcontainersParams {
-    let mut subcontainer_json =
+    pub id: PackageId,
        tokio::fs::File::open(path_str.join(image_id).with_extension("json")).await?;
    let mut contents = vec![];
    subcontainer_json.read_to_end(&mut contents).await?;
    let subcontainer_json: serde_json::Value =
        serde_json::from_slice(&contents).with_kind(ErrorKind::Filesystem)?;
    Ok(subcontainer_json["workdir"].as_str().map(|x| x.to_string()))
 }
-async fn get_passwd_root_command(etc_passwd_path: PathBuf) -> RootCommand {
+#[derive(Clone, Debug, Serialize, Deserialize, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SubcontainerInfo {
    pub name: InternedString,
    pub image_id: ImageId,
 }
 pub async fn list_subcontainers(
    ctx: RpcContext,
    ListSubcontainersParams { id }: ListSubcontainersParams,
 ) -> Result<BTreeMap<Guid, SubcontainerInfo>, Error> {
    let service = ctx.services.get(&id).await;
    let service_ref = service.as_ref().or_not_found(&id)?;
    let container = &service_ref.seed.persistent_container;
    let subcontainers = container.subcontainers.lock().await;
    let result: BTreeMap<Guid, SubcontainerInfo> = subcontainers
        .iter()
        .map(|(guid, subcontainer)| {
            (
                guid.clone(),
                SubcontainerInfo {
                    name: subcontainer.name.clone(),
                    image_id: subcontainer.image_id.clone(),
                },
            )
        })
        .collect();
    Ok(result)
 }
 async fn get_passwd_command(etc_passwd_path: PathBuf, user: &str) -> RootCommand {
    async {
        let mut file = tokio::fs::File::open(etc_passwd_path).await?;
@@ -1074,8 +1127,8 @@ async fn get_passwd_root_command(etc_passwd_path: PathBuf) -> RootCommand {
        for line in contents.split('\n') {
            let line_information = line.split(':').collect::<Vec<_>>();
-            if let (Some(&"root"), Some(shell)) =
+            if let (Some(&u), Some(shell)) = (line_information.first(), line_information.last())
-                (line_information.first(), line_information.last())
+                && u == user
            {
                return Ok(shell.to_string());
            }
@@ -1106,6 +1159,8 @@ pub struct CliAttachParams {
    #[arg(long, short)]
    name: Option<InternedString>,
    #[arg(long, short)]
    user: Option<InternedString>,
    #[arg(long, short)]
    image_id: Option<ImageId>,
 }
 #[instrument[skip_all]]
@@ -1147,6 +1202,7 @@ pub async fn cli_attach(
                    "subcontainer": params.subcontainer,
                    "imageId": params.image_id,
                    "name": params.name,
                    "user": params.user,
                }),
            )
            .await?,
--- a/core/startos/src/service/persistent_container.rs
+++ b/core/startos/src/service/persistent_container.rs
@@ -43,7 +43,7 @@ use crate::util::rpc_client::UnixRpcClient;
 use crate::volume::data_dir;
 use crate::{ARCH, DATA_DIR, PACKAGE_DATA};
-const RPC_CONNECT_TIMEOUT: Duration = Duration::from_secs(10);
+const RPC_CONNECT_TIMEOUT: Duration = Duration::from_secs(30);
 #[derive(Debug)]
 pub struct ServiceState {
--- a/core/startos/src/service/service_map.rs
+++ b/core/startos/src/service/service_map.rs
@@ -117,6 +117,8 @@ impl ServiceMap {
        match Service::load(ctx, id, disposition).await {
            Ok(s) => *service = s.into(),
            Err(e) => {
                tracing::error!("Error loading service: {e}");
                tracing::debug!("{e:?}");
                let e = ErrorData::from(e);
                ctx.db
                    .mutate(|db| {
--- a/core/startos/src/setup.rs
+++ b/core/startos/src/setup.rs
@@ -499,7 +499,7 @@ async fn fresh_setup(
        ..
    }: SetupExecuteProgress,
 ) -> Result<(SetupResult, RpcContext), Error> {
-    let account = AccountInfo::new(start_os_password, root_ca_start_time().await?)?;
+    let account = AccountInfo::new(start_os_password, root_ca_start_time().await)?;
    let db = ctx.db().await?;
    let kiosk = Some(kiosk.unwrap_or(true)).filter(|_| &*PLATFORM != "raspberrypi");
    sync_kiosk(kiosk).await?;
--- a/core/startos/src/tunnel/api.rs
+++ b/core/startos/src/tunnel/api.rs
@@ -353,6 +353,7 @@ pub async fn show_config(
    Ok(client
        .client_config(
            ip,
            subnet,
            wg.as_key().de()?.verifying_key(),
            (wan_addr, wg.as_port().de()?).into(),
        )
--- a/core/startos/src/tunnel/auth.rs
+++ b/core/startos/src/tunnel/auth.rs
@@ -3,7 +3,7 @@ use imbl::HashMap;
 use imbl_value::InternedString;
 use itertools::Itertools;
 use patch_db::HasModel;
-use rpc_toolkit::{Context, HandlerArgs, HandlerExt, ParentHandler, from_fn_async};
+use rpc_toolkit::{Context, Empty, HandlerArgs, HandlerExt, ParentHandler, from_fn_async};
 use serde::{Deserialize, Serialize};
 use ts_rs::TS;
@@ -113,27 +113,12 @@ impl AuthContext for TunnelContext {
 #[derive(Clone, Debug, Deserialize, Serialize, HasModel, TS, Parser)]
 #[serde(rename_all = "camelCase")]
 #[model = "Model<Self>"]
 #[ts(export)]
 pub struct SignerInfo {
    pub name: InternedString,
 }
 pub fn auth_api<C: Context>() -> ParentHandler<C> {
-    ParentHandler::new()
+    crate::auth::auth::<C, TunnelContext>()
        .subcommand(
            "login",
            from_fn_async(crate::auth::login_impl::<TunnelContext>)
                .with_metadata("login", Value::Bool(true))
                .no_cli(),
        )
        .subcommand(
            "logout",
            from_fn_async(crate::auth::logout::<TunnelContext>)
                .with_metadata("get_session", Value::Bool(true))
                .no_display()
                .with_about("Log out of current auth session")
                .with_call_remote::<CliContext>(),
        )
        .subcommand("set-password", from_fn_async(set_password_rpc).no_cli())
        .subcommand(
            "set-password",
@@ -173,19 +158,15 @@ pub fn auth_api<C: Context>() -> ParentHandler<C> {
                        .with_display_serializable()
                        .with_custom_display_fn(|HandlerArgs { params, .. }, res| {
                            use prettytable::*;
                            if let Some(format) = params.format {
                                return display_serializable(format, res);
                            }
                            let mut table = Table::new();
                            table.add_row(row![bc => "NAME", "KEY"]);
                            for (key, info) in res {
                                table.add_row(row![info.name, key]);
                            }
                            table.print_tty(false)?;
                            Ok(())
                        })
                        .with_about("List authorized keys")
@@ -194,7 +175,7 @@ pub fn auth_api<C: Context>() -> ParentHandler<C> {
        )
 }
-#[derive(Debug, Deserialize, Serialize, Parser)]
+#[derive(Debug, Deserialize, Serialize, Parser, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct AddKeyParams {
    pub name: InternedString,
@@ -216,7 +197,7 @@ pub async fn add_key(
        .result
 }
-#[derive(Debug, Deserialize, Serialize, Parser)]
+#[derive(Debug, Deserialize, Serialize, Parser, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct RemoveKeyParams {
    pub key: AnyVerifyingKey,
@@ -240,7 +221,7 @@ pub async fn list_keys(ctx: TunnelContext) -> Result<HashMap<AnyVerifyingKey, Si
    ctx.db.peek().await.into_auth_pubkeys().de()
 }
-#[derive(Debug, Clone, Deserialize, Serialize)]
+#[derive(Debug, Clone, Deserialize, Serialize, TS)]
 pub struct SetPasswordParams {
    pub password: String,
 }
@@ -293,14 +274,7 @@ pub async fn set_password_cli(
    Ok(())
 }
-pub async fn reset_password(
+pub async fn reset_password(ctx: CliContext) -> Result<(), Error> {
    HandlerArgs {
        context,
        parent_method,
        method,
        ..
    }: HandlerArgs<CliContext>,
 ) -> Result<(), Error> {
    println!("Generating a random password...");
    let params = SetPasswordParams {
        password: base32::encode(
@@ -309,11 +283,7 @@ pub async fn reset_password(
        ),
    };
-    context
+    ctx.call_remote::<TunnelContext>("auth.set-password", to_value(&params)?)
        .call_remote::<TunnelContext>(
            &parent_method.iter().chain(method.iter()).join("."),
            to_value(&params)?,
        )
        .await?;
    println!("Your new password is:");
--- a/core/startos/src/tunnel/client.conf.template
+++ b/core/startos/src/tunnel/client.conf.template
@@ -7,6 +7,6 @@ PrivateKey = {privkey}
 [Peer]
 PublicKey = {server_pubkey}
 PresharedKey = {psk}
-AllowedIPs = 0.0.0.0/0,::/0
+AllowedIPs = {subnet}
 Endpoint = {server_addr}
 PersistentKeepalive = 25
--- a/core/startos/src/tunnel/web.rs
+++ b/core/startos/src/tunnel/web.rs
@@ -1,9 +1,8 @@
 use std::collections::VecDeque;
-use std::net::{IpAddr, Ipv6Addr, SocketAddr};
+use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 use clap::Parser;
 use hickory_client::proto::rr::rdata::cert;
 use imbl_value::{InternedString, json};
 use itertools::Itertools;
 use openssl::pkey::{PKey, Private};
@@ -12,7 +11,6 @@ use rpc_toolkit::{
    Context, Empty, HandlerArgs, HandlerExt, ParentHandler, from_fn_async, from_fn_async_local,
 };
 use serde::{Deserialize, Serialize};
 use tokio::io::{AsyncBufReadExt, BufReader};
 use tokio_rustls::rustls::ServerConfig;
 use tokio_rustls::rustls::crypto::CryptoProvider;
 use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
@@ -20,7 +18,8 @@ use tokio_rustls::rustls::server::ClientHello;
 use ts_rs::TS;
 use crate::context::CliContext;
-use crate::net::ssl::SANInfo;
+use crate::hostname::Hostname;
 use crate::net::ssl::{SANInfo, root_ca_start_time};
 use crate::net::tls::TlsHandler;
 use crate::net::web_server::Accept;
 use crate::prelude::*;
@@ -134,7 +133,7 @@ pub fn web_api<C: Context>() -> ParentHandler<C> {
        .subcommand(
            "generate-certificate",
            from_fn_async(generate_certificate)
-                .with_about("Generate a self signed certificaet to use for the webserver")
+                .with_about("Generate a certificate to use for the webserver")
                .with_call_remote::<CliContext>(),
        )
        .subcommand(
@@ -286,11 +285,21 @@ pub struct GenerateCertParams {
 pub async fn generate_certificate(
    ctx: TunnelContext,
    GenerateCertParams { subject }: GenerateCertParams,
-) -> Result<Pem<X509>, Error> {
+) -> Result<Pem<Vec<X509>>, Error> {
    let saninfo = SANInfo::new(&subject.into_iter().collect());
    let root_key = crate::net::ssl::generate_key()?;
    let root_cert = crate::net::ssl::make_root_cert(
        &root_key,
        &Hostname("start-tunnel".into()),
        root_ca_start_time().await,
    )?;
    let int_key = crate::net::ssl::generate_key()?;
    let int_cert = crate::net::ssl::make_int_cert((&root_key, &root_cert), &int_key)?;
    let key = crate::net::ssl::generate_key()?;
-    let cert = crate::net::ssl::make_self_signed((&key, &saninfo))?;
+    let cert = crate::net::ssl::make_leaf_cert((&int_key, &int_cert), (&key, &saninfo))?;
    let chain = Pem(vec![cert, int_cert, root_cert]);
    ctx.db
        .mutate(|db| {
@@ -298,13 +307,13 @@ pub async fn generate_certificate(
                .as_certificate_mut()
                .ser(&Some(TunnelCertData {
                    key: Pem(key),
-                    cert: Pem(vec![cert.clone()]),
+                    cert: chain.clone(),
                }))
        })
        .await
        .result?;
-    Ok(Pem(cert))
+    Ok(chain)
 }
 pub async fn get_certificate(ctx: TunnelContext) -> Result<Option<Pem<Vec<X509>>>, Error> {
@@ -501,8 +510,12 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                let cert = from_value::<Pem<Vec<X509>>>(
                    ctx.call_remote::<TunnelContext>("web.get-certificate", json!({}))
                        .await?,
-                )?;
+                )?
-                println!("📝 SSL Certificate:");
+                .0
                .pop()
                .map(Pem)
                .or_not_found("certificate in chain")?;
                println!("📝 Root SSL Certificate:");
                print!("{cert}");
                println!(concat!(
@@ -594,7 +607,7 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                impl std::fmt::Display for Choice {
                    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
                        match self {
-                            Self::Generate => write!(f, "Generate a Self Signed Certificate"),
+                            Self::Generate => write!(f, "Generate an SSL certificate"),
                            Self::Provide => write!(f, "Provide your own certificate and key"),
                        }
                    }
@@ -602,7 +615,7 @@ pub async fn init_web(ctx: CliContext) -> Result<(), Error> {
                let options = vec![Choice::Generate, Choice::Provide];
                let choice = choose(
                    concat!(
-                        "Select whether to autogenerate a self-signed SSL certificate ",
+                        "Select whether to generate an SSL certificate ",
                        "or provide your own certificate and key:"
                    ),
                    &options,
--- a/core/startos/src/tunnel/wg.rs
+++ b/core/startos/src/tunnel/wg.rs
@@ -170,12 +170,14 @@ impl WgConfig {
    pub fn client_config(
        self,
        addr: Ipv4Addr,
        subnet: Ipv4Net,
        server_pubkey: Base64<PublicKey>,
        server_addr: SocketAddr,
    ) -> ClientConfig {
        ClientConfig {
            client_config: self,
            client_addr: addr,
            subnet,
            server_pubkey,
            server_addr,
        }
@@ -213,6 +215,7 @@ where
 pub struct ClientConfig {
    client_config: WgConfig,
    client_addr: Ipv4Addr,
    subnet: Ipv4Net,
    #[serde(deserialize_with = "deserialize_verifying_key")]
    server_pubkey: Base64<PublicKey>,
    server_addr: SocketAddr,
@@ -226,6 +229,7 @@ impl std::fmt::Display for ClientConfig {
            privkey = self.client_config.key.to_padded_string(),
            psk = self.client_config.psk.to_padded_string(),
            addr = self.client_addr,
            subnet = self.subnet,
            server_pubkey = self.server_pubkey.to_padded_string(),
            server_addr = self.server_addr,
        )
--- a/core/startos/src/update/mod.rs
+++ b/core/startos/src/update/mod.rs
@@ -19,12 +19,6 @@ use ts_rs::TS;
 use crate::PLATFORM;
 use crate::context::{CliContext, RpcContext};
 use crate::disk::mount::filesystem::MountType;
 use crate::disk::mount::filesystem::bind::Bind;
 use crate::disk::mount::filesystem::block_dev::BlockDev;
 use crate::disk::mount::filesystem::efivarfs::EfiVarFs;
 use crate::disk::mount::filesystem::overlayfs::OverlayGuard;
 use crate::disk::mount::guard::{GenericMountGuard, MountGuard, TmpMountGuard};
 use crate::notifications::{NotificationLevel, notify};
 use crate::prelude::*;
 use crate::progress::{
@@ -275,7 +269,6 @@ async fn maybe_do_update(
    download_phase.set_total(asset.commitment.size);
    download_phase.set_units(Some(ProgressUnits::Bytes));
    let reverify_phase = progress.add_phase("Reverifying File".into(), Some(10));
    let sync_boot_phase = progress.add_phase("Syncing Boot Files".into(), Some(1));
    let finalize_phase = progress.add_phase("Finalizing Update".into(), Some(1));
    let start_progress = progress.snapshot();
@@ -331,7 +324,6 @@ async fn maybe_do_update(
                prune_phase,
                download_phase,
                reverify_phase,
                sync_boot_phase,
                finalize_phase,
            },
        )
@@ -388,7 +380,6 @@ struct UpdateProgressHandles {
    prune_phase: PhaseProgressTrackerHandle,
    download_phase: PhaseProgressTrackerHandle,
    reverify_phase: PhaseProgressTrackerHandle,
    sync_boot_phase: PhaseProgressTrackerHandle,
    finalize_phase: PhaseProgressTrackerHandle,
 }
@@ -401,7 +392,6 @@ async fn do_update(
        mut prune_phase,
        mut download_phase,
        mut reverify_phase,
        mut sync_boot_phase,
        mut finalize_phase,
    }: UpdateProgressHandles,
 ) -> Result<(), Error> {
@@ -416,9 +406,7 @@ async fn do_update(
    prune_phase.complete();
    download_phase.start();
-    let path = Path::new("/media/startos/images")
+    let path = Path::new("/media/startos/images/next.squashfs");
        .join(hex::encode(&asset.commitment.hash[..16]))
        .with_extension("rootfs");
    let mut dst = AtomicFile::new(&path, None::<&Path>)
        .await
        .with_kind(ErrorKind::Filesystem)?;
@@ -438,92 +426,24 @@ async fn do_update(
    dst.save().await.with_kind(ErrorKind::Filesystem)?;
    reverify_phase.complete();
-    sync_boot_phase.start();
+    finalize_phase.start();
    Command::new("unsquashfs")
        .arg("-n")
        .arg("-f")
        .arg("-d")
        .arg("/")
        .arg(&path)
-        .arg("boot")
+        .arg("/usr/lib/startos/scripts/upgrade")
        .invoke(crate::ErrorKind::Filesystem)
        .await?;
    if &*PLATFORM != "raspberrypi" {
        let mountpoint = "/media/startos/next";
        let root_guard = OverlayGuard::mount(
            TmpMountGuard::mount(&BlockDev::new(&path), MountType::ReadOnly).await?,
            mountpoint,
        )
        .await?;
        let startos = MountGuard::mount(
            &Bind::new("/media/startos/root"),
            root_guard.path().join("media/startos/root"),
            MountType::ReadOnly,
        )
        .await?;
        let boot_guard = MountGuard::mount(
            &Bind::new("/boot"),
            root_guard.path().join("boot"),
            MountType::ReadWrite,
        )
        .await?;
        let dev = MountGuard::mount(
            &Bind::new("/dev"),
            root_guard.path().join("dev"),
            MountType::ReadWrite,
        )
        .await?;
        let proc = MountGuard::mount(
            &Bind::new("/proc"),
            root_guard.path().join("proc"),
            MountType::ReadWrite,
        )
        .await?;
        let sys = MountGuard::mount(
            &Bind::new("/sys"),
            root_guard.path().join("sys"),
            MountType::ReadWrite,
        )
        .await?;
        let efivarfs = if tokio::fs::metadata("/sys/firmware/efi").await.is_ok() {
            Some(
                MountGuard::mount(
                    &EfiVarFs,
                    root_guard.path().join("sys/firmware/efi/efivars"),
                    MountType::ReadWrite,
                )
                .await?,
            )
        } else {
            None
        };
-        Command::new("chroot")
+    let checksum = hex::encode(&asset.commitment.hash[..16]);
            .arg(root_guard.path())
            .arg("update-grub2")
            .invoke(ErrorKind::Grub)
            .await?;
-        if let Some(efivarfs) = efivarfs {
+    Command::new("/usr/lib/startos/scripts/upgrade")
-            efivarfs.unmount(false).await?;
+        .env("CHECKSUM", &checksum)
        }
        sys.unmount(false).await?;
        proc.unmount(false).await?;
        dev.unmount(false).await?;
        boot_guard.unmount(false).await?;
        startos.unmount(false).await?;
        root_guard.unmount(false).await?;
    }
    sync_boot_phase.complete();
    finalize_phase.start();
    Command::new("ln")
        .arg("-rsf")
        .arg(&path)
-        .arg("/media/startos/config/current.rootfs")
+        .invoke(ErrorKind::Grub)
        .invoke(crate::ErrorKind::Filesystem)
        .await?;
    Command::new("sync").invoke(ErrorKind::Filesystem).await?;
    finalize_phase.complete();
    progress.complete();
--- a/core/startos/src/upload.rs
+++ b/core/startos/src/upload.rs
@@ -1,4 +1,5 @@
 use std::io::SeekFrom;
 use std::path::Path;
 use std::pin::Pin;
 use std::sync::Arc;
 use std::task::Poll;
@@ -56,6 +57,7 @@ struct Progress {
    tracker: PhaseProgressTrackerHandle,
    expected_size: Option<u64>,
    written: u64,
    complete: bool,
    error: Option<Error>,
 }
 impl Progress {
@@ -111,9 +113,7 @@ impl Progress {
    }
    async fn ready(watch: &mut watch::Receiver<Self>) -> Result<(), Error> {
        match &*watch
-            .wait_for(|progress| {
+            .wait_for(|progress| progress.error.is_some() || progress.complete)
                progress.error.is_some() || Some(progress.written) == progress.expected_size
            })
            .await
            .map_err(|_| {
                Error::new(
@@ -126,8 +126,9 @@ impl Progress {
        }
    }
    fn complete(&mut self) -> bool {
        let mut changed = !self.complete;
        self.tracker.complete();
-        match self {
+        changed |= match self {
            Self {
                expected_size: Some(size),
                written,
@@ -165,18 +166,21 @@ impl Progress {
                true
            }
            _ => false,
-        }
+        };
        self.complete = true;
        changed
    }
 }
 #[derive(Clone)]
 pub struct UploadingFile {
-    tmp_dir: Arc<TmpDir>,
+    tmp_dir: Option<Arc<TmpDir>>,
    file: MultiCursorFile,
    progress: watch::Receiver<Progress>,
 }
 impl UploadingFile {
-    pub async fn new(
+    pub async fn with_path(
        path: impl AsRef<Path>,
        mut progress: PhaseProgressTrackerHandle,
    ) -> Result<(UploadHandle, Self), Error> {
        progress.set_units(Some(ProgressUnits::Bytes));
@@ -185,25 +189,35 @@ impl UploadingFile {
            expected_size: None,
            written: 0,
            error: None,
            complete: false,
        });
-        let tmp_dir = Arc::new(TmpDir::new().await?);
+        let file = create_file(path).await?;
        let file = create_file(tmp_dir.join("upload.tmp")).await?;
        let uploading = Self {
-            tmp_dir: tmp_dir.clone(),
+            tmp_dir: None,
            file: MultiCursorFile::open(&file).await?,
            progress: progress.1,
        };
        Ok((
            UploadHandle {
-                tmp_dir,
+                tmp_dir: None,
                file,
                progress: progress.0,
            },
            uploading,
        ))
    }
    pub async fn new(progress: PhaseProgressTrackerHandle) -> Result<(UploadHandle, Self), Error> {
        let tmp_dir = Arc::new(TmpDir::new().await?);
        let (mut handle, mut file) = Self::with_path(tmp_dir.join("upload.tmp"), progress).await?;
        handle.tmp_dir = Some(tmp_dir.clone());
        file.tmp_dir = Some(tmp_dir);
        Ok((handle, file))
    }
    pub async fn wait_for_complete(&self) -> Result<(), Error> {
        Progress::ready(&mut self.progress.clone()).await
    }
    pub async fn delete(self) -> Result<(), Error> {
-        if let Ok(tmp_dir) = Arc::try_unwrap(self.tmp_dir) {
+        if let Some(Ok(tmp_dir)) = self.tmp_dir.map(Arc::try_unwrap) {
            tmp_dir.delete().await?;
        }
        Ok(())
@@ -234,7 +248,7 @@ impl ArchiveSource for UploadingFile {
 #[pin_project::pin_project(project = UploadingFileReaderProjection)]
 pub struct UploadingFileReader {
-    tmp_dir: Arc<TmpDir>,
+    tmp_dir: Option<Arc<TmpDir>>,
    position: u64,
    to_seek: Option<SeekFrom>,
    #[pin]
@@ -330,7 +344,7 @@ impl AsyncSeek for UploadingFileReader {
 #[pin_project::pin_project(PinnedDrop)]
 pub struct UploadHandle {
-    tmp_dir: Arc<TmpDir>,
+    tmp_dir: Option<Arc<TmpDir>>,
    #[pin]
    file: File,
    progress: watch::Sender<Progress>,
@@ -377,6 +391,9 @@ impl UploadHandle {
                break;
            }
        }
        if let Err(e) = self.file.sync_all().await {
            self.progress.send_if_modified(|p| p.handle_error(&e));
        }
    }
 }
 #[pin_project::pinned_drop]
--- a/core/startos/src/util/future.rs
+++ b/core/startos/src/util/future.rs
@@ -1,11 +1,10 @@
 use std::pin::Pin;
 use std::sync::Weak;
 use std::task::{Context, Poll};
 use axum::middleware::FromFn;
 use futures::future::{BoxFuture, FusedFuture, abortable, pending};
 use futures::stream::{AbortHandle, Abortable, BoxStream};
 use futures::{Future, FutureExt, Stream, StreamExt};
 use rpc_toolkit::from_fn_blocking;
 use tokio::sync::watch;
 use tokio::task::LocalSet;
@@ -201,3 +200,26 @@ async fn test_cancellable() {
    handle.cancel_and_wait().await;
    assert!(weak.strong_count() == 0);
 }
 #[pin_project::pin_project]
 pub struct WeakFuture<Fut> {
    rc: Weak<()>,
    #[pin]
    fut: Fut,
 }
 impl<Fut> WeakFuture<Fut> {
    pub fn new(rc: Weak<()>, fut: Fut) -> Self {
        Self { rc, fut }
    }
 }
 impl<Fut: Future> Future for WeakFuture<Fut> {
    type Output = Option<Fut::Output>;
    fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
        let this = self.project();
        if this.rc.strong_count() > 0 {
            this.fut.poll(cx).map(Some)
        } else {
            Poll::Ready(None)
        }
    }
 }
--- a/core/startos/src/util/mod.rs
+++ b/core/startos/src/util/mod.rs
@@ -49,7 +49,7 @@ pub mod net;
 pub mod rpc;
 pub mod rpc_client;
 pub mod serde;
-//pub mod squashfs;
+// pub mod squashfs;
 pub mod sync;
 pub mod tui;
--- a/core/startos/src/util/squashfs.rs
+++ b/core/startos/src/util/squashfs.rs
@@ -98,8 +98,7 @@ impl<W: Write> Visit<SquashfsSerializer<W>> for Superblock {
 #[pin_project::pin_project]
 pub struct MetadataBlocksWriter<W> {
-    input: [u8; 8192],
+    input: PartialBuffer<[u8; 8192]>,
    size: usize,
    size_addr: Option<u64>,
    output: PartialBuffer<[u8; 8192]>,
    output_flushed: usize,
@@ -123,25 +122,29 @@ enum WriteState {
    WritingSizeHeader(u16),
    WritingOutput(Box<Self>),
    EncodingInput,
    FinishingCompression,
    WritingFinalSizeHeader(u64, u64),
    SeekingToEnd(u64),
 }
 fn poll_seek_helper<W: AsyncSeek>(
-    writer: std::pin::Pin<&mut W>,
+    mut writer: std::pin::Pin<&mut W>,
    seek_state: &mut SeekState,
    cx: &mut std::task::Context<'_>,
    pos: u64,
 ) -> std::task::Poll<std::io::Result<u64>> {
    match *seek_state {
        SeekState::Idle => {
-            writer.start_seek(std::io::SeekFrom::Start(pos))?;
+            writer.as_mut().start_seek(std::io::SeekFrom::Start(pos))?;
            *seek_state = SeekState::Seeking(pos);
-            Poll::Pending
+            match writer.as_mut().poll_complete(cx)? {
                Poll::Ready(result) => {
                    *seek_state = SeekState::Idle;
                    Poll::Ready(Ok(result))
                }
                Poll::Pending => Poll::Pending,
            }
        }
        SeekState::Seeking(target) if target == pos => {
-            let result = ready!(writer.poll_complete(cx))?;
+            let result = ready!(writer.as_mut().poll_complete(cx))?;
            *seek_state = SeekState::Idle;
            Poll::Ready(Ok(result))
        }
@@ -151,35 +154,53 @@ fn poll_seek_helper<W: AsyncSeek>(
                pos,
                old_target
            );
-            writer.start_seek(std::io::SeekFrom::Start(pos))?;
+            writer.as_mut().start_seek(std::io::SeekFrom::Start(pos))?;
            *seek_state = SeekState::Seeking(pos);
-            Poll::Pending
+            match writer.as_mut().poll_complete(cx)? {
                Poll::Ready(result) => {
                    *seek_state = SeekState::Idle;
                    Poll::Ready(Ok(result))
                }
                Poll::Pending => Poll::Pending,
            }
        }
        SeekState::GettingPosition => {
            tracing::warn!(
                "poll_seek({}) called while getting stream position, canceling",
                pos
            );
-            writer.start_seek(std::io::SeekFrom::Start(pos))?;
+            writer.as_mut().start_seek(std::io::SeekFrom::Start(pos))?;
            *seek_state = SeekState::Seeking(pos);
-            Poll::Pending
+            match writer.as_mut().poll_complete(cx)? {
                Poll::Ready(result) => {
                    *seek_state = SeekState::Idle;
                    Poll::Ready(Ok(result))
                }
                Poll::Pending => Poll::Pending,
            }
        }
    }
 }
 fn poll_stream_position_helper<W: AsyncSeek>(
-    writer: std::pin::Pin<&mut W>,
+    mut writer: std::pin::Pin<&mut W>,
    seek_state: &mut SeekState,
    cx: &mut std::task::Context<'_>,
 ) -> std::task::Poll<std::io::Result<u64>> {
    match *seek_state {
        SeekState::Idle => {
-            writer.start_seek(std::io::SeekFrom::Current(0))?;
+            writer.as_mut().start_seek(std::io::SeekFrom::Current(0))?;
            *seek_state = SeekState::GettingPosition;
-            Poll::Pending
+            match writer.as_mut().poll_complete(cx)? {
                Poll::Ready(result) => {
                    *seek_state = SeekState::Idle;
                    Poll::Ready(Ok(result))
                }
                Poll::Pending => Poll::Pending,
            }
        }
        SeekState::GettingPosition => {
-            let result = ready!(writer.poll_complete(cx))?;
+            let result = ready!(writer.as_mut().poll_complete(cx))?;
            *seek_state = SeekState::Idle;
            Poll::Ready(Ok(result))
        }
@@ -188,18 +209,22 @@ fn poll_stream_position_helper<W: AsyncSeek>(
                "poll_stream_position called while seeking to {}, canceling",
                target
            );
-            writer.start_seek(std::io::SeekFrom::Current(0))?;
+            writer.as_mut().start_seek(std::io::SeekFrom::Current(0))?;
            *seek_state = SeekState::GettingPosition;
-            Poll::Pending
+            match writer.as_mut().poll_complete(cx)? {
                Poll::Ready(result) => {
                    *seek_state = SeekState::Idle;
                    Poll::Ready(Ok(result))
                }
                Poll::Pending => Poll::Pending,
            }
        }
    }
 }
 impl<W: Write + Seek> Write for MetadataBlocksWriter<W> {
    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
-        let n = buf.len().min(self.input.len() - self.size);
+        let n = self.input.copy_unwritten_from(&mut PartialBuffer::new(buf));
        self.input[self.size..self.size + n].copy_from_slice(&buf[..n]);
        self.size += n;
        if n < buf.len() {
            self.flush()?;
        }
@@ -207,9 +232,9 @@ impl<W: Write + Seek> Write for MetadataBlocksWriter<W> {
    }
    fn flush(&mut self) -> std::io::Result<()> {
        loop {
-            match self.write_state {
+            match &self.write_state {
                WriteState::Idle => {
-                    if self.size == 0 {
+                    if self.input.written().is_empty() {
                        return Ok(());
                    }
                    self.write_state = WriteState::WritingSizeHeader(0);
@@ -218,12 +243,12 @@ impl<W: Write + Seek> Write for MetadataBlocksWriter<W> {
                WriteState::WritingSizeHeader(size) => {
                    let done = if let Some(size_addr) = self.size_addr {
                        self.writer.seek(SeekFrom::Start(size_addr))?;
-                        Some(size_addr + size as u64)
+                        Some(size_addr + 2 + *size as u64)
                    } else {
                        self.size_addr = Some(self.writer.stream_position()?);
                        None
                    };
-                    self.output.unwritten_mut()[..2].copy_from_slice(&u16::to_le_bytes(size)[..]);
+                    self.output.unwritten_mut()[..2].copy_from_slice(&u16::to_le_bytes(*size)[..]);
                    self.output.advance(2);
                    self.write_state =
                        WriteState::WritingOutput(Box::new(if let Some(end) = done {
@@ -242,80 +267,33 @@ impl<W: Write + Seek> Write for MetadataBlocksWriter<W> {
                    } else {
                        self.output.reset();
                        self.output_flushed = 0;
-                        self.write_state = *next;
+                        self.write_state = *next.clone();
                    }
                }
                WriteState::EncodingInput => {
                    let encoder = self.zstd.get_or_insert_with(|| ZstdEncoder::new(22));
-                    let mut input = PartialBuffer::new(&self.input[..self.size]);
+                    encoder.encode(
-                    while !self.output.unwritten().is_empty() && !input.unwritten().is_empty() {
+                        &mut PartialBuffer::new(&self.input.written()),
-                        encoder.encode(&mut input, &mut self.output)?;
+                        &mut self.output,
-                    }
+                    )?;
-                    while !encoder.flush(&mut self.output)? {}
+                    let compressed = if !encoder.finish(&mut self.output)? {
-                    while !encoder.finish(&mut self.output)? {}
+                        std::mem::swap(&mut self.output, &mut self.input);
-                    if !self.output.unwritten().is_empty() {
+                        false
-                        let mut input =
+                    } else {
-                            PartialBuffer::new(&self.input[self.input_flushed..self.size]);
+                        true
-                        encoder.encode(&mut input, &mut self.output)?;
+                    };
-                        self.input_flushed += input.written().len();
+                    self.zstd = None;
-                    }
+                    self.input.reset();
-                    self.write_state = WriteState::WritingOutput(Box::new());
+                    self.write_state =
-                    continue;
+                        WriteState::WritingOutput(Box::new(WriteState::WritingSizeHeader(
-                }
+                            self.output.written().len() as u16
-
+                                | if compressed { 0 } else { 0x8000 },
-                WriteState::FinishingCompression => {
+                        )));
                    if !self.output.unwritten().is_empty() {
                        if self.zstd.as_mut().unwrap().finish(&mut self.output)? {
                            self.zstd = None;
                        }
                    }
                    if self.output.written().len() > self.output_flushed {
                        self.write_state = WriteState::WritingOutput;
                        continue;
                    }
                    if self.zstd.is_none() && self.output.written().len() == self.output_flushed {
                        self.output_flushed = 0;
                        self.output.reset();
                        let end_addr = self.writer.stream_position()?;
                        let size_addr = self.size_addr.ok_or_else(|| {
                            std::io::Error::new(
                                std::io::ErrorKind::InvalidData,
                                "size_addr not set when finishing compression",
                            )
                        })?;
                        self.write_state = WriteState::WritingFinalSizeHeader(size_addr, end_addr);
                        continue;
                    }
                    return Ok(());
                }
                WriteState::WritingFinalSizeHeader(size_addr, end_addr) => {
                    if self.output.written().len() > self.output_flushed {
                        let n = self
                            .writer
                            .write(&self.output.written()[self.output_flushed..])?;
                        self.output_flushed += n;
                        continue;
                    }
                    self.writer.seek(std::io::SeekFrom::Start(size_addr))?;
                    self.output.unwritten_mut()[..2]
                        .copy_from_slice(&((end_addr - size_addr - 2) as u16).to_le_bytes());
                    self.output.advance(2);
                    let n = self.writer.write(&self.output.written())?;
                    self.output_flushed = n;
                    if n == 2 {
                        self.output_flushed = 0;
                        self.output.reset();
                        self.write_state = WriteState::SeekingToEnd(end_addr);
                    }
                    continue;
                }
                WriteState::SeekingToEnd(end_addr) => {
-                    self.writer.seek(std::io::SeekFrom::Start(end_addr))?;
+                    self.writer.seek(std::io::SeekFrom::Start(*end_addr))?;
                    self.input_flushed = 0;
                    self.size = 0;
                    self.size_addr = None;
                    self.write_state = WriteState::Idle;
                    return Ok(());
@@ -332,11 +310,9 @@ impl<W: AsyncWrite + AsyncSeek> AsyncWrite for MetadataBlocksWriter<W> {
        buf: &[u8],
    ) -> std::task::Poll<std::io::Result<usize>> {
        let this = self.as_mut().project();
-        let n = buf.len().min(this.input.len() - *this.size);
+        let n = this.input.copy_unwritten_from(&mut PartialBuffer::new(buf));
        this.input[*this.size..*this.size + n].copy_from_slice(&buf[..n]);
        *this.size += n;
        if n < buf.len() {
-            ready!(self.poll_flush(cx)?);
+            ready!(self.poll_flush(cx))?;
        }
        Poll::Ready(Ok(n))
    }
@@ -347,115 +323,76 @@ impl<W: AsyncWrite + AsyncSeek> AsyncWrite for MetadataBlocksWriter<W> {
    ) -> std::task::Poll<std::io::Result<()>> {
        loop {
            let mut this = self.as_mut().project();
-            match *this.write_state {
+            match this.write_state.clone() {
                WriteState::Idle => {
-                    if *this.size == 0 {
+                    if this.input.written().is_empty() {
                        return Poll::Ready(Ok(()));
                    }
-                    if this.size_addr.is_none() {
+                    *this.write_state = WriteState::WritingSizeHeader(0);
                }
                WriteState::WritingSizeHeader(size) => {
                    let done = if let Some(size_addr) = *this.size_addr {
                        ready!(poll_seek_helper(
                            this.writer.as_mut(),
                            this.seek_state,
                            cx,
                            size_addr
                        ))?;
                        Some(size_addr + 2 + size as u64)
                    } else {
                        let pos = ready!(poll_stream_position_helper(
                            this.writer.as_mut(),
                            this.seek_state,
                            cx
                        ))?;
                        *this.size_addr = Some(pos);
-                        this.output.unwritten_mut()[..2].copy_from_slice(&[0; 2]);
+                        None
-                        this.output.advance(2);
+                    };
-                    }
+                    this.output.unwritten_mut()[..2]
-                    *this.write_state = WriteState::WritingOutput;
+                        .copy_from_slice(&u16::to_le_bytes(size)[..]);
-                    continue;
+                    this.output.advance(2);
-                }
+                    *this.write_state = WriteState::WritingOutput(Box::new(if let Some(end) = done {
-
+                        WriteState::SeekingToEnd(end)
                WriteState::WritingOutput => {
                    if this.output.written().len() > *this.output_flushed {
                        let n = ready!(
                            this.writer
                                .as_mut()
                                .poll_write(cx, &this.output.written()[*this.output_flushed..])
                        )?;
                        *this.output_flushed += n;
                        continue;
                    }
                    if this.output.written().len() == *this.output_flushed {
                        *this.output_flushed = 0;
                        this.output.reset();
                    }
                    if *this.input_flushed < *this.size {
                        if !this.output.unwritten().is_empty() {
                            let mut input =
                                PartialBuffer::new(&this.input[*this.input_flushed..*this.size]);
                            this.zstd
                                .get_or_insert_with(|| ZstdEncoder::new(22))
                                .encode(&mut input, this.output)?;
                            *this.input_flushed += input.written().len();
                        }
                        continue;
                    } else {
-                        if !this.output.unwritten().is_empty() {
+                        WriteState::EncodingInput
-                            if this.zstd.as_mut().unwrap().finish(this.output)? {
+                    }));
                                *this.zstd = None;
                            }
                            continue;
                        }
                        if this.zstd.is_none()
                            && this.output.written().len() == *this.output_flushed
                        {
                            *this.output_flushed = 0;
                            this.output.reset();
                            if let Some(size_addr) = *this.size_addr {
                                let end_addr = ready!(poll_stream_position_helper(
                                    this.writer.as_mut(),
                                    this.seek_state,
                                    cx
                                ))?;
                                *this.write_state =
                                    WriteState::WritingFinalSizeHeader(size_addr, end_addr);
                                ready!(poll_seek_helper(
                                    this.writer.as_mut(),
                                    this.seek_state,
                                    cx,
                                    size_addr
                                ))?;
                                this.output.unwritten_mut()[..2].copy_from_slice(
                                    &((end_addr - size_addr - 2) as u16).to_le_bytes(),
                                );
                                this.output.advance(2);
                                continue;
                            }
                        }
                    }
                    return Poll::Ready(Ok(()));
                }
-                WriteState::WritingSizeHeader(_size_addr) => {
+                WriteState::WritingOutput(next) => {
-                    *this.write_state = WriteState::WritingOutput;
+                    if this.output.written().len() > *this.output_flushed {
-                    continue;
+                        let n = ready!(this
                            .writer
                            .as_mut()
                            .poll_write(cx, &this.output.written()[*this.output_flushed..]))?;
                        *this.output_flushed += n;
                    } else {
                        this.output.reset();
                        *this.output_flushed = 0;
                        *this.write_state = *next;
                    }
                }
                WriteState::EncodingInput => {
-                    *this.write_state = WriteState::WritingOutput;
+                    let encoder = this.zstd.get_or_insert_with(|| ZstdEncoder::new(22));
-                    continue;
+                    encoder.encode(
-                }
+                        &mut PartialBuffer::new(this.input.written()),
-
+                        this.output,
-                WriteState::FinishingCompression => {
+                    )?;
-                    *this.write_state = WriteState::WritingOutput;
+                    let compressed = if !encoder.finish(this.output)? {
-                    continue;
+                        std::mem::swap(this.output, this.input);
-                }
+                        false
-
+                    } else {
-                WriteState::WritingFinalSizeHeader(_size_addr, end_addr) => {
+                        true
-                    if this.output.written().len() > *this.output_flushed {
+                    };
-                        let n = ready!(
+                    *this.zstd = None;
-                            this.writer
+                    this.input.reset();
-                                .as_mut()
+                    *this.write_state = WriteState::WritingOutput(Box::new(
-                                .poll_write(cx, &this.output.written()[*this.output_flushed..])
+                        WriteState::WritingSizeHeader(
-                        )?;
+                            this.output.written().len() as u16
-                        *this.output_flushed += n;
+                                | if compressed { 0 } else { 0x8000 },
-                        continue;
+                        ),
-                    }
+                    ));
                    *this.output_flushed = 0;
                    this.output.reset();
                    *this.write_state = WriteState::SeekingToEnd(end_addr);
                    continue;
                }
                WriteState::SeekingToEnd(end_addr) => {
@@ -466,8 +403,6 @@ impl<W: AsyncWrite + AsyncSeek> AsyncWrite for MetadataBlocksWriter<W> {
                        end_addr
                    ))?;
                    *this.size_addr = None;
                    *this.input_flushed = 0;
                    *this.size = 0;
                    *this.write_state = WriteState::Idle;
                    return Poll::Ready(Ok(()));
                }
@@ -486,11 +421,9 @@ impl<W: AsyncWrite + AsyncSeek> AsyncWrite for MetadataBlocksWriter<W> {
 impl<W> MetadataBlocksWriter<W> {
    pub fn new(writer: W) -> Self {
        Self {
-            input: [0; 8192],
+            input: PartialBuffer::new([0; 8192]),
            input_flushed: 0,
            size: 0,
            size_addr: None,
-            output: PartialBuffer::new([0; 4096]),
+            output: PartialBuffer::new([0; 8192]),
            output_flushed: 0,
            zstd: None,
            seek_state: SeekState::Idle,
@@ -507,11 +440,10 @@ use tokio::io::AsyncRead;
 pub struct MetadataBlocksReader<R> {
    #[pin]
    reader: R,
-    size_buf: [u8; 2],
+    size_buf: PartialBuffer<[u8; 2]>,
-    size_bytes_read: usize,
+    compressed: PartialBuffer<[u8; 8192]>,
    compressed: [u8; 8192],
    compressed_size: usize,
-    compressed_pos: usize,
+    is_compressed: bool,
    output: PartialBuffer<[u8; 8192]>,
    output_pos: usize,
    zstd: Option<ZstdDecoder>,
@@ -531,11 +463,10 @@ impl<R> MetadataBlocksReader<R> {
    pub fn new(reader: R) -> Self {
        Self {
            reader,
-            size_buf: [0; 2],
+            size_buf: PartialBuffer::new([0; 2]),
-            size_bytes_read: 0,
+            compressed: PartialBuffer::new([0; 8192]),
            compressed: [0; 8192],
            compressed_size: 0,
-            compressed_pos: 0,
+            is_compressed: false,
            output: PartialBuffer::new([0; 8192]),
            output_pos: 0,
            zstd: None,
@@ -551,11 +482,9 @@ impl<R: Read> Read for MetadataBlocksReader<R> {
        loop {
            match self.state {
                ReadState::ReadingSize => {
-                    let n = self
+                    let n = self.reader.read(self.size_buf.unwritten_mut())?;
                        .reader
                        .read(&mut self.size_buf[self.size_bytes_read..])?;
                    if n == 0 {
-                        if self.size_bytes_read == 0 {
+                        if self.size_buf.written().is_empty() {
                            self.state = ReadState::Eof;
                            return Ok(0);
                        } else {
@@ -566,56 +495,57 @@ impl<R: Read> Read for MetadataBlocksReader<R> {
                        }
                    }
-                    self.size_bytes_read += n;
+                    self.size_buf.advance(n);
-                    if self.size_bytes_read < 2 {
+
                    if self.size_buf.written().len() < 2 {
                        continue;
                    }
-                    let size_header = u16::from_le_bytes(self.size_buf);
+                    let size_header = u16::from_le_bytes([
-                    let is_compressed = (size_header & 0x8000) == 0;
+                        self.size_buf.written()[0],
-                    let size = (size_header & 0x7FFF) as usize;
+                        self.size_buf.written()[1],
                    ]);
                    self.is_compressed = (size_header & 0x8000) == 0;
                    self.compressed_size = (size_header & 0x7FFF) as usize;
-                    if !is_compressed {
+                    if self.compressed_size == 0 || self.compressed_size > 8192 {
                        return Err(std::io::Error::new(
                            std::io::ErrorKind::InvalidData,
-                            "Uncompressed metadata blocks not supported",
+                            format!("Invalid metadata block size: {}", self.compressed_size),
                        ));
                    }
-                    if size == 0 || size > 8192 {
+                    self.compressed.reset();
-                        return Err(std::io::Error::new(
+                    self.size_buf.reset();
                            std::io::ErrorKind::InvalidData,
                            format!("Invalid metadata block size: {}", size),
                        ));
                    }
                    self.compressed_size = size;
                    self.compressed_pos = 0;
                    self.size_bytes_read = 0;
                    self.state = ReadState::ReadingData;
                    continue;
                }
                ReadState::ReadingData => {
-                    let n = self
+                    let n = self.reader.read(self.compressed.unwritten_mut())?;
                        .reader
                        .read(&mut self.compressed[self.compressed_pos..self.compressed_size])?;
                    if n == 0 {
                        return Err(std::io::Error::new(
                            std::io::ErrorKind::UnexpectedEof,
-                            "Unexpected EOF reading compressed data",
+                            "Unexpected EOF reading data",
                        ));
                    }
-                    self.compressed_pos += n;
+                    self.compressed.advance(n);
-                    if self.compressed_pos < self.compressed_size {
+
                    if !self.compressed.unwritten().is_empty() {
                        continue;
                    }
                    self.zstd = Some(ZstdDecoder::new());
                    self.output_pos = 0;
                    self.output.reset();
-                    self.state = ReadState::Decompressing;
+                    if self.is_compressed {
                        self.zstd = Some(ZstdDecoder::new());
                        self.state = ReadState::Decompressing;
                    } else {
                        self.output
                            .copy_unwritten_from(&mut PartialBuffer::new(self.compressed.written()));
                        self.state = ReadState::Outputting;
                    }
                    continue;
                }
@@ -625,7 +555,7 @@ impl<R: Read> Read for MetadataBlocksReader<R> {
                        continue;
                    }
-                    let mut input = PartialBuffer::new(&self.compressed[..self.compressed_size]);
+                    let mut input = PartialBuffer::new(self.compressed.written());
                    let decoder = self.zstd.as_mut().unwrap();
                    if decoder.decode(&mut input, &mut self.output)? {
@@ -676,13 +606,13 @@ impl<R: AsyncRead> AsyncRead for MetadataBlocksReader<R> {
            match *this.state {
                ReadState::ReadingSize => {
-                    let mut read_buf =
+                    let mut read_buf = tokio::io::ReadBuf::new(this.size_buf.unwritten_mut());
-                        tokio::io::ReadBuf::new(&mut this.size_buf[*this.size_bytes_read..]);
+                    let before = read_buf.filled().len();
                    ready!(this.reader.as_mut().poll_read(cx, &mut read_buf))?;
                    let n = read_buf.filled().len() - before;
                    let n = read_buf.filled().len();
                    if n == 0 {
-                        if *this.size_bytes_read == 0 {
+                        if this.size_buf.written().is_empty() {
                            *this.state = ReadState::Eof;
                            return Poll::Ready(Ok(()));
                        } else {
@@ -693,22 +623,16 @@ impl<R: AsyncRead> AsyncRead for MetadataBlocksReader<R> {
                        }
                    }
-                    *this.size_bytes_read += n;
+                    this.size_buf.advance(n);
-                    if *this.size_bytes_read < 2 {
+
                    if this.size_buf.written().len() < 2 {
                        continue;
                    }
-                    let size_header = u16::from_le_bytes(*this.size_buf);
+                    let size_header = u16::from_le_bytes(*this.size_buf.written());
-                    let is_compressed = (size_header & 0x8000) == 0;
+                    *this.is_compressed = (size_header & 0x8000) == 0;
                    let size = (size_header & 0x7FFF) as usize;
                    if !is_compressed {
                        return Poll::Ready(Err(std::io::Error::new(
                            std::io::ErrorKind::InvalidData,
                            "Uncompressed metadata blocks not supported",
                        )));
                    }
                    if size == 0 || size > 8192 {
                        return Poll::Ready(Err(std::io::Error::new(
                            std::io::ErrorKind::InvalidData,
@@ -716,36 +640,42 @@ impl<R: AsyncRead> AsyncRead for MetadataBlocksReader<R> {
                        )));
                    }
-                    *this.compressed_size = size;
+                    this.compressed.reset();
-                    *this.compressed_pos = 0;
+                    this.compressed.reserve(size);
-                    *this.size_bytes_read = 0;
+                    this.size_buf.reset();
                    *this.state = ReadState::ReadingData;
                    continue;
                }
                ReadState::ReadingData => {
-                    let mut read_buf = tokio::io::ReadBuf::new(
+                    let mut read_buf = tokio::io::ReadBuf::new(this.compressed.unwritten_mut());
-                        &mut this.compressed[*this.compressed_pos..*this.compressed_size],
+                    let before = read_buf.filled().len();
                    );
                    ready!(this.reader.as_mut().poll_read(cx, &mut read_buf))?;
                    let n = read_buf.filled().len() - before;
                    let n = read_buf.filled().len();
                    if n == 0 {
                        return Poll::Ready(Err(std::io::Error::new(
                            std::io::ErrorKind::UnexpectedEof,
-                            "Unexpected EOF reading compressed data",
+                            "Unexpected EOF reading data",
                        )));
                    }
-                    *this.compressed_pos += n;
+                    this.compressed.advance(n);
-                    if *this.compressed_pos < *this.compressed_size {
+
                    if !this.compressed.unwritten().is_empty() {
                        continue;
                    }
                    *this.zstd = Some(ZstdDecoder::new());
                    *this.output_pos = 0;
                    this.output.reset();
-                    *this.state = ReadState::Decompressing;
+                    if *this.is_compressed {
                        *this.zstd = Some(ZstdDecoder::new());
                        *this.state = ReadState::Decompressing;
                    } else {
                        this.output
                            .copy_unwritten_from(&mut PartialBuffer::new(this.compressed.written()));
                        *this.state = ReadState::Outputting;
                    }
                    continue;
                }
@@ -755,7 +685,7 @@ impl<R: AsyncRead> AsyncRead for MetadataBlocksReader<R> {
                        continue;
                    }
-                    let mut input = PartialBuffer::new(&this.compressed[..*this.compressed_size]);
+                    let mut input = PartialBuffer::new(this.compressed.written());
                    let decoder = this.zstd.as_mut().unwrap();
                    if decoder.decode(&mut input, this.output)? {
--- a/core/startos/src/version/mod.rs
+++ b/core/startos/src/version/mod.rs
@@ -52,8 +52,11 @@ mod v0_4_0_alpha_9;
 mod v0_4_0_alpha_10;
 mod v0_4_0_alpha_11;
 mod v0_4_0_alpha_12;
 mod v0_4_0_alpha_13;
 mod v0_4_0_alpha_14;
 mod v0_4_0_alpha_15;
-pub type Current = v0_4_0_alpha_12::Version; // VERSION_BUMP
+pub type Current = v0_4_0_alpha_15::Version; // VERSION_BUMP
 impl Current {
    #[instrument(skip(self, db))]
@@ -167,7 +170,10 @@ enum Version {
    V0_4_0_alpha_9(Wrapper<v0_4_0_alpha_9::Version>),
    V0_4_0_alpha_10(Wrapper<v0_4_0_alpha_10::Version>),
    V0_4_0_alpha_11(Wrapper<v0_4_0_alpha_11::Version>),
-    V0_4_0_alpha_12(Wrapper<v0_4_0_alpha_12::Version>), // VERSION_BUMP
+    V0_4_0_alpha_12(Wrapper<v0_4_0_alpha_12::Version>),
    V0_4_0_alpha_13(Wrapper<v0_4_0_alpha_13::Version>),
    V0_4_0_alpha_14(Wrapper<v0_4_0_alpha_14::Version>),
    V0_4_0_alpha_15(Wrapper<v0_4_0_alpha_15::Version>), // VERSION_BUMP
    Other(exver::Version),
 }
@@ -222,7 +228,10 @@ impl Version {
            Self::V0_4_0_alpha_9(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_10(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_11(v) => DynVersion(Box::new(v.0)),
-            Self::V0_4_0_alpha_12(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
+            Self::V0_4_0_alpha_12(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_13(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_14(v) => DynVersion(Box::new(v.0)),
            Self::V0_4_0_alpha_15(v) => DynVersion(Box::new(v.0)), // VERSION_BUMP
            Self::Other(v) => {
                return Err(Error::new(
                    eyre!("unknown version {v}"),
@@ -269,7 +278,10 @@ impl Version {
            Version::V0_4_0_alpha_9(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_10(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_11(Wrapper(x)) => x.semver(),
-            Version::V0_4_0_alpha_12(Wrapper(x)) => x.semver(), // VERSION_BUMP
+            Version::V0_4_0_alpha_12(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_13(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_14(Wrapper(x)) => x.semver(),
            Version::V0_4_0_alpha_15(Wrapper(x)) => x.semver(), // VERSION_BUMP
            Version::Other(x) => x.clone(),
        }
    }
--- a/core/startos/src/version/v0_4_0_alpha_12.rs
+++ b/core/startos/src/version/v0_4_0_alpha_12.rs
@@ -4,7 +4,7 @@ use exver::{PreReleaseSegment, VersionRange};
 use imbl_value::InternedString;
 use super::v0_3_5::V0_3_0_COMPAT;
-use super::{VersionT, v0_4_0_alpha_11};
+use super::{v0_4_0_alpha_11, VersionT};
 use crate::net::tor::TorSecretKey;
 use crate::prelude::*;
@@ -75,7 +75,10 @@ impl VersionT for Version {
        }
        fix_host(&mut db["public"]["serverInfo"]["network"]["host"])?;
-        db["private"]["keyStore"]["localCerts"] = db["private"]["keyStore"]["local_certs"].clone();
+        if db["private"]["keyStore"]["localCerts"].is_null() {
            db["private"]["keyStore"]["localCerts"] =
                db["private"]["keyStore"]["local_certs"].clone();
        }
        Ok(Value::Null)
    }
--- a/core/startos/src/version/v0_4_0_alpha_13.rs
+++ b/core/startos/src/version/v0_4_0_alpha_13.rs
@@ -0,0 +1,37 @@
 use exver::{PreReleaseSegment, VersionRange};
 use super::v0_3_5::V0_3_0_COMPAT;
 use super::{VersionT, v0_4_0_alpha_12};
 use crate::prelude::*;
 lazy_static::lazy_static! {
    static ref V0_4_0_alpha_13: exver::Version = exver::Version::new(
        [0, 4, 0],
        [PreReleaseSegment::String("alpha".into()), 13.into()]
    );
 }
 #[derive(Clone, Copy, Debug, Default)]
 pub struct Version;
 impl VersionT for Version {
    type Previous = v0_4_0_alpha_12::Version;
    type PreUpRes = ();
    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
        Ok(())
    }
    fn semver(self) -> exver::Version {
        V0_4_0_alpha_13.clone()
    }
    fn compat(self) -> &'static VersionRange {
        &V0_3_0_COMPAT
    }
    #[instrument(skip_all)]
    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
        Ok(Value::Null)
    }
    fn down(self, _db: &mut Value) -> Result<(), Error> {
        Ok(())
    }
 }
--- a/core/startos/src/version/v0_4_0_alpha_14.rs
+++ b/core/startos/src/version/v0_4_0_alpha_14.rs
@@ -0,0 +1,37 @@
 use exver::{PreReleaseSegment, VersionRange};
 use super::v0_3_5::V0_3_0_COMPAT;
 use super::{VersionT, v0_4_0_alpha_13};
 use crate::prelude::*;
 lazy_static::lazy_static! {
    static ref V0_4_0_alpha_14: exver::Version = exver::Version::new(
        [0, 4, 0],
        [PreReleaseSegment::String("alpha".into()), 14.into()]
    );
 }
 #[derive(Clone, Copy, Debug, Default)]
 pub struct Version;
 impl VersionT for Version {
    type Previous = v0_4_0_alpha_13::Version;
    type PreUpRes = ();
    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
        Ok(())
    }
    fn semver(self) -> exver::Version {
        V0_4_0_alpha_14.clone()
    }
    fn compat(self) -> &'static VersionRange {
        &V0_3_0_COMPAT
    }
    #[instrument(skip_all)]
    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
        Ok(Value::Null)
    }
    fn down(self, _db: &mut Value) -> Result<(), Error> {
        Ok(())
    }
 }
--- a/core/startos/src/version/v0_4_0_alpha_15.rs
+++ b/core/startos/src/version/v0_4_0_alpha_15.rs
@@ -0,0 +1,37 @@
 use exver::{PreReleaseSegment, VersionRange};
 use super::v0_3_5::V0_3_0_COMPAT;
 use super::{VersionT, v0_4_0_alpha_14};
 use crate::prelude::*;
 lazy_static::lazy_static! {
    static ref V0_4_0_alpha_15: exver::Version = exver::Version::new(
        [0, 4, 0],
        [PreReleaseSegment::String("alpha".into()), 15.into()]
    );
 }
 #[derive(Clone, Copy, Debug, Default)]
 pub struct Version;
 impl VersionT for Version {
    type Previous = v0_4_0_alpha_14::Version;
    type PreUpRes = ();
    async fn pre_up(self) -> Result<Self::PreUpRes, Error> {
        Ok(())
    }
    fn semver(self) -> exver::Version {
        V0_4_0_alpha_15.clone()
    }
    fn compat(self) -> &'static VersionRange {
        &V0_3_0_COMPAT
    }
    #[instrument(skip_all)]
    fn up(self, _db: &mut Value, _: Self::PreUpRes) -> Result<Value, Error> {
        Ok(Value::Null)
    }
    fn down(self, _db: &mut Value) -> Result<(), Error> {
        Ok(())
    }
 }
--- a/debian/startos/postinst
+++ b/debian/startos/postinst
@@ -122,7 +122,6 @@ ln -sf /usr/lib/startos/scripts/wireguard-vps-proxy-setup /usr/bin/wireguard-vps
 echo "fs.inotify.max_user_watches=1048576" > /etc/sysctl.d/97-startos.conf
 locale-gen en_US.UTF-8
 dpkg-reconfigure --frontend noninteractive locales
 if ! getent group | grep '^startos:'; then
--- a/dpkg-build.sh
+++ b/dpkg-build.sh
@@ -63,7 +63,7 @@ find . -type f -not -path "./DEBIAN/*" -exec md5sum {} \; | sort -k 2 | sed 's/\
 cd ../..
 cd dpkg-workdir
-dpkg-deb --root-owner-group -b $BASENAME
+dpkg-deb --root-owner-group -Zzstd -b $BASENAME
 mkdir -p ../results
 mv $BASENAME.deb ../results/$BASENAME.deb
 rm -rf $BASENAME
--- a/image-recipe/build.sh
+++ b/image-recipe/build.sh
@@ -205,6 +205,7 @@ fi
 useradd --shell /bin/bash -G startos -m start9
 echo start9:embassy | chpasswd
 usermod -aG sudo start9
 usermod -aG systemd-journal start9
 echo "start9 ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee "/etc/sudoers.d/010_start9-nopasswd"
--- a/image-recipe/run-local-build.sh
+++ b/image-recipe/run-local-build.sh
@@ -7,6 +7,11 @@ BASEDIR="$(pwd -P)"
 SUITE=trixie
 USE_TTY=
 if tty -s; then
  USE_TTY="-it"
 fi
 dockerfile_hash=$(sha256sum ${BASEDIR}/image-recipe/Dockerfile | head -c 7)
 docker_img_name="startos_build:${SUITE}-${dockerfile_hash}"
--- a/sdk/base/lib/osBindings/ForgetGatewayParams.ts
+++ b/sdk/base/lib/osBindings/ForgetGatewayParams.ts
@@ -1,4 +0,0 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { GatewayId } from "./GatewayId"
 export type ForgetGatewayParams = { gateway: GatewayId }
--- a/sdk/base/lib/osBindings/NetworkInterfaceSetPublicParams.ts
+++ b/sdk/base/lib/osBindings/NetworkInterfaceSetPublicParams.ts
@@ -1,7 +0,0 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { GatewayId } from "./GatewayId"
 export type NetworkInterfaceSetPublicParams = {
  gateway: GatewayId
  public: boolean | null
 }
--- a/sdk/base/lib/osBindings/RenameGatewayParams.ts
+++ b/sdk/base/lib/osBindings/RenameGatewayParams.ts
@@ -1,4 +0,0 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { GatewayId } from "./GatewayId"
 export type RenameGatewayParams = { id: GatewayId; name: string }
--- a/sdk/base/lib/osBindings/SignerInfo.ts
+++ b/sdk/base/lib/osBindings/SignerInfo.ts
@@ -1,3 +1,9 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AnyVerifyingKey } from "./AnyVerifyingKey"
 import type { ContactInfo } from "./ContactInfo"
-export type SignerInfo = { name: string }
+export type SignerInfo = {
  name: string
  contact: Array<ContactInfo>
  keys: Array<AnyVerifyingKey>
 }
--- a/sdk/base/lib/osBindings/UnsetPublicParams.ts
+++ b/sdk/base/lib/osBindings/UnsetPublicParams.ts
@@ -1,4 +0,0 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { GatewayId } from "./GatewayId"
 export type UnsetPublicParams = { gateway: GatewayId }
--- a/sdk/base/lib/osBindings/index.ts
+++ b/sdk/base/lib/osBindings/index.ts
@@ -76,7 +76,6 @@ export { EventId } from "./EventId"
 export { ExportActionParams } from "./ExportActionParams"
 export { ExportServiceInterfaceParams } from "./ExportServiceInterfaceParams"
 export { FileType } from "./FileType"
 export { ForgetGatewayParams } from "./ForgetGatewayParams"
 export { FullIndex } from "./FullIndex"
 export { FullProgress } from "./FullProgress"
 export { GatewayId } from "./GatewayId"
@@ -143,7 +142,6 @@ export { NamedProgress } from "./NamedProgress"
 export { NetInfo } from "./NetInfo"
 export { NetworkInfo } from "./NetworkInfo"
 export { NetworkInterfaceInfo } from "./NetworkInterfaceInfo"
 export { NetworkInterfaceSetPublicParams } from "./NetworkInterfaceSetPublicParams"
 export { NetworkInterfaceType } from "./NetworkInterfaceType"
 export { OnionHostname } from "./OnionHostname"
 export { OsIndex } from "./OsIndex"
@@ -175,7 +173,6 @@ export { RemovePackageFromCategoryParams } from "./RemovePackageFromCategoryPara
 export { RemovePackageParams } from "./RemovePackageParams"
 export { RemoveTunnelParams } from "./RemoveTunnelParams"
 export { RemoveVersionParams } from "./RemoveVersionParams"
 export { RenameGatewayParams } from "./RenameGatewayParams"
 export { ReplayId } from "./ReplayId"
 export { RequestCommitment } from "./RequestCommitment"
 export { RunActionParams } from "./RunActionParams"
@@ -211,7 +208,6 @@ export { TaskSeverity } from "./TaskSeverity"
 export { TaskTrigger } from "./TaskTrigger"
 export { Task } from "./Task"
 export { TestSmtpParams } from "./TestSmtpParams"
 export { UnsetPublicParams } from "./UnsetPublicParams"
 export { UpdatingState } from "./UpdatingState"
 export { VerifyCifsParams } from "./VerifyCifsParams"
 export { VersionSignerParams } from "./VersionSignerParams"
--- a/sdk/base/lib/util/getServiceInterface.ts
+++ b/sdk/base/lib/util/getServiceInterface.ts
@@ -3,7 +3,7 @@ import { knownProtocols } from "../interfaces/Host"
 import { AddressInfo, Host, Hostname, HostnameInfo } from "../types"
 import { Effects } from "../Effects"
 import { DropGenerator, DropPromise } from "./Drop"
-import { IPV6_LINK_LOCAL } from "./ip"
+import { IpAddress, IPV6_LINK_LOCAL } from "./ip"
 export type UrlString = string
 export type HostId = string
@@ -17,7 +17,15 @@ export const getHostname = (url: string): Hostname | null => {
  return last
 }
-type FilterKinds = "onion" | "local" | "domain" | "ip" | "ipv4" | "ipv6"
+type FilterKinds =
  | "onion"
  | "local"
  | "domain"
  | "ip"
  | "ipv4"
  | "ipv6"
  | "localhost"
  | "link-local"
 export type Filter = {
  visibility?: "public" | "private"
  kind?: FilterKinds | FilterKinds[]
@@ -72,6 +80,12 @@ type FilterReturnTy<F extends Filter> = F extends {
          : Exclude<HostnameInfo, FilterReturnTy<E>>
        : HostnameInfo
 const defaultFilter = {
  exclude: {
    kind: ["localhost", "link-local"] as ("localhost" | "link-local")[],
  },
 }
 type Formats = "hostname-info" | "urlstring" | "url"
 type FormatReturnTy<
  F extends Filter,
@@ -92,8 +106,11 @@ export type Filled = {
    sslUrl: UrlString | null
  }
-  filter: <F extends Filter, Format extends Formats = "urlstring">(
+  filter: <
-    filter: F,
+    F extends Filter = typeof defaultFilter,
    Format extends Formats = "urlstring",
  >(
    filter?: F,
    format?: Format,
  ) => FormatReturnTy<F, Format>[]
@@ -215,7 +232,13 @@ function filterRec(
            h.kind === "ip" &&
            h.hostname.kind === "domain") ||
          (kind.has("ipv4") && h.kind === "ip" && h.hostname.kind === "ipv4") ||
-          (kind.has("ipv6") && h.kind === "ip" && h.hostname.kind === "ipv6")),
+          (kind.has("ipv6") && h.kind === "ip" && h.hostname.kind === "ipv6") ||
          (kind.has("localhost") &&
            ["localhost", "127.0.0.1", "[::1]"].includes(h.hostname.value)) ||
          (kind.has("link-local") &&
            h.kind === "ip" &&
            h.hostname.kind === "ipv6" &&
            IPV6_LINK_LOCAL.contains(IpAddress.parse(h.hostname.value)))),
    )
  }
@@ -239,11 +262,14 @@ export const filledAddress = (
    ...addressInfo,
    hostnames,
    toUrls,
-    filter: <F extends Filter, Format extends Formats = "urlstring">(
+    filter: <
-      filter: F,
+      F extends Filter = typeof defaultFilter,
      Format extends Formats = "urlstring",
    >(
      filter?: F,
      format?: Format,
    ) => {
-      const filtered = filterRec(hostnames, filter, false)
+      const filtered = filterRec(hostnames, filter ?? defaultFilter, false)
      let res: FormatReturnTy<F, Format>[] = filtered as any
      if (format === "hostname-info") return res
      const urls = filtered.flatMap(toUrlArray)
--- a/sdk/package/lib/StartSdk.ts
+++ b/sdk/package/lib/StartSdk.ts
@@ -61,7 +61,7 @@ import {
 } from "../../base/lib/inits"
 import { DropGenerator } from "../../base/lib/util/Drop"
-export const OSVersion = testTypeVersion("0.4.0-alpha.12")
+export const OSVersion = testTypeVersion("0.4.0-alpha.15")
 // prettier-ignore
 type AnyNeverCond<T extends any[], Then, Else> = 
--- a/sdk/package/lib/mainFn/CommandController.ts
+++ b/sdk/package/lib/mainFn/CommandController.ts
@@ -77,10 +77,14 @@ export class CommandController<
        if (exec.runAsInit) {
          childProcess = await subcontainer!.launch(commands, {
            env: exec.env,
            user: exec.user,
            cwd: exec.cwd,
          })
        } else {
          childProcess = await subcontainer!.spawn(commands, {
            env: exec.env,
            user: exec.user,
            cwd: exec.cwd,
            stdio: exec.onStdout || exec.onStderr ? "pipe" : "inherit",
          })
        }
--- a/sdk/package/lib/util/SubContainer.ts
+++ b/sdk/package/lib/util/SubContainer.ts
@@ -410,12 +410,17 @@ export class SubContainerOwned<
      workdir = options.cwd
      delete options.cwd
    }
    if (options?.env) {
      for (let [k, v] of Object.entries(options.env)) {
        extra.push(`--env=${k}=${v}`)
      }
    }
    const child = cp.spawn(
      "start-container",
      [
        "subcontainer",
        "exec",
-        `--env=/media/startos/images/${this.imageId}.env`,
+        `--env-file=/media/startos/images/${this.imageId}.env`,
        `--user=${user}`,
        `--workdir=${workdir}`,
        ...extra,
@@ -530,6 +535,11 @@ export class SubContainerOwned<
      workdir = options.cwd
      delete options.cwd
    }
    if (options?.env) {
      for (let [k, v] of Object.entries(options.env)) {
        extra.push(`--env=${k}=${v}`)
      }
    }
    await this.killLeader()
    this.leaderExited = false
    this.leader = cp.spawn(
@@ -537,7 +547,7 @@ export class SubContainerOwned<
      [
        "subcontainer",
        "launch",
-        `--env=/media/startos/images/${this.imageId}.env`,
+        `--env-file=/media/startos/images/${this.imageId}.env`,
        `--user=${user}`,
        `--workdir=${workdir}`,
        ...extra,
@@ -574,12 +584,17 @@ export class SubContainerOwned<
      workdir = options.cwd
      delete options.cwd
    }
    if (options?.env) {
      for (let [k, v] of Object.entries(options.env)) {
        extra.push(`--env=${k}=${v}`)
      }
    }
    return cp.spawn(
      "start-container",
      [
        "subcontainer",
        "exec",
-        `--env=/media/startos/images/${this.imageId}.env`,
+        `--env-file=/media/startos/images/${this.imageId}.env`,
        `--user=${user}`,
        `--workdir=${workdir}`,
        ...extra,
--- a/sdk/package/package-lock.json
+++ b/sdk/package/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@start9labs/start-sdk",
-  "version": "0.4.0-beta.42",
+  "version": "0.4.0-beta.44",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@start9labs/start-sdk",
-      "version": "0.4.0-beta.42",
+      "version": "0.4.0-beta.44",
      "license": "MIT",
      "dependencies": {
        "@iarna/toml": "^3.0.0",
@@ -98,6 +98,7 @@
      "integrity": "sha512-i1SLeK+DzNnQ3LL/CswPCa/E5u4lh1k6IAEphON8F+cXt0t9euTshDru0q7/IqMa1PMPz5RnHuHscF8/ZJsStg==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@ampproject/remapping": "^2.2.0",
        "@babel/code-frame": "^7.26.0",
@@ -1643,6 +1644,7 @@
      "integrity": "sha512-XC70cRZVElFHfIUB40FgZOBbgJYFKKMa5nb9lxcwYstFG/Mi+/Y0bGS+rs6Dmhmkpq4pnNiLiuZAbc02YCOnmA==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "undici-types": "~6.20.0"
      }
@@ -1944,6 +1946,7 @@
        }
      ],
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "caniuse-lite": "^1.0.30001669",
        "electron-to-chromium": "^1.5.41",
@@ -3053,6 +3056,7 @@
      "integrity": "sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@jest/core": "^29.7.0",
        "@jest/types": "^29.6.3",
@@ -4157,6 +4161,7 @@
      "integrity": "sha512-n7chtCbEoGYRwZZ0i/O3t1cPr6o+d9Xx4Zwy2LYfzv0vjchMBU0tO+qYYyvZloBPcgRgzYvALzGWHe609JjEpg==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "commander": "^10.0.0",
        "source-map-generator": "0.8.0"
@@ -4833,6 +4838,7 @@
      "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@cspotcode/source-map-support": "^0.8.0",
        "@tsconfig/node10": "^1.0.7",
@@ -4953,6 +4959,7 @@
      "integrity": "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw==",
      "dev": true,
      "license": "Apache-2.0",
      "peer": true,
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
--- a/sdk/package/package.json
+++ b/sdk/package/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@start9labs/start-sdk",
-  "version": "0.4.0-beta.42",
+  "version": "0.4.0-beta.44",
  "description": "Software development kit to facilitate packaging services for StartOS",
  "main": "./package/lib/index.js",
  "types": "./package/lib/index.d.ts",
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "startos-ui",
-  "version": "0.4.0-alpha.12",
+  "version": "0.4.0-alpha.15",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "startos-ui",
-      "version": "0.4.0-alpha.12",
+      "version": "0.4.0-alpha.15",
      "license": "MIT",
      "dependencies": {
        "@angular/animations": "^20.3.0",
@@ -25,18 +25,18 @@
        "@noble/hashes": "^1.4.0",
        "@start9labs/argon2": "^0.3.0",
        "@start9labs/start-sdk": "file:../sdk/baseDist",
-        "@taiga-ui/addon-charts": "4.55.0",
+        "@taiga-ui/addon-charts": "4.62.0",
-        "@taiga-ui/addon-commerce": "4.55.0",
+        "@taiga-ui/addon-commerce": "4.62.0",
-        "@taiga-ui/addon-mobile": "4.55.0",
+        "@taiga-ui/addon-mobile": "4.62.0",
-        "@taiga-ui/addon-table": "4.55.0",
+        "@taiga-ui/addon-table": "4.62.0",
-        "@taiga-ui/cdk": "4.55.0",
+        "@taiga-ui/cdk": "4.62.0",
-        "@taiga-ui/core": "4.55.0",
+        "@taiga-ui/core": "4.62.0",
        "@taiga-ui/dompurify": "4.1.11",
        "@taiga-ui/event-plugins": "4.7.0",
-        "@taiga-ui/experimental": "4.55.0",
+        "@taiga-ui/experimental": "4.62.0",
-        "@taiga-ui/icons": "4.55.0",
+        "@taiga-ui/icons": "4.62.0",
-        "@taiga-ui/kit": "4.55.0",
+        "@taiga-ui/kit": "4.62.0",
-        "@taiga-ui/layout": "4.55.0",
+        "@taiga-ui/layout": "4.62.0",
        "@taiga-ui/polymorpheus": "4.9.0",
        "ansi-to-html": "^0.7.2",
        "base64-js": "^1.5.1",
@@ -3950,9 +3950,9 @@
      "link": true
    },
    "node_modules/@taiga-ui/addon-charts": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-charts/-/addon-charts-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-charts/-/addon-charts-4.62.0.tgz",
-      "integrity": "sha512-Rwgcc7NaLm75GsHYhqbO4jgNhD1bGbA7Kk0sNFE+Tgz9+V3ARXMuBw7C3cU9UxLSFnOsXz9RYLosmZ3jAVlyuQ==",
+      "integrity": "sha512-tCysUpzEHwRhK/p9hopkt0Jw4jcgA2cF8CYK8mDntghC+fNLnqCVUcrqFIC5plGabAo00WMEz+X+KyGvwvKaVg==",
      "license": "Apache-2.0",
      "dependencies": {
        "tslib": ">=2.8.1"
@@ -3961,15 +3961,15 @@
        "@angular/common": ">=16.0.0",
        "@angular/core": ">=16.0.0",
        "@ng-web-apis/common": "^4.12.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
-        "@taiga-ui/core": "^4.55.0",
+        "@taiga-ui/core": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0"
      }
    },
    "node_modules/@taiga-ui/addon-commerce": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-commerce/-/addon-commerce-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-commerce/-/addon-commerce-4.62.0.tgz",
-      "integrity": "sha512-eOOBkIJSsagtRkpRZ04xlL8ePIP01d4Xo264zSTg2SRxD6vwR/7/QJlf9108BvIJv/jfTpmFukLwSB9LazqmCw==",
+      "integrity": "sha512-J4+bdHeDe2d7Uh8NNObLl4LzBhWLCdzxNHXPac1bMGB+3gX751Htc9px37FkVZlQGnxQATCbxAVXj7Zjveq/QQ==",
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
@@ -3979,22 +3979,22 @@
        "@angular/common": ">=16.0.0",
        "@angular/core": ">=16.0.0",
        "@angular/forms": ">=16.0.0",
-        "@maskito/angular": "^3.10.3",
+        "@maskito/angular": "^3.11.1",
-        "@maskito/core": "^3.10.3",
+        "@maskito/core": "^3.11.1",
-        "@maskito/kit": "^3.10.3",
+        "@maskito/kit": "^3.11.1",
        "@ng-web-apis/common": "^4.12.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
-        "@taiga-ui/core": "^4.55.0",
+        "@taiga-ui/core": "^4.62.0",
-        "@taiga-ui/i18n": "^4.55.0",
+        "@taiga-ui/i18n": "^4.62.0",
-        "@taiga-ui/kit": "^4.55.0",
+        "@taiga-ui/kit": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0",
        "rxjs": ">=7.0.0"
      }
    },
    "node_modules/@taiga-ui/addon-mobile": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-mobile/-/addon-mobile-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-mobile/-/addon-mobile-4.62.0.tgz",
-      "integrity": "sha512-NQRozVKcXLs9/rd/s1yI7T5rIokzwHQ5IN/c3NLBUEka1iKUr1ZTch+g9CHJf8GTVB0uAwWKNCgX5LxtiSI5zg==",
+      "integrity": "sha512-seIBG4utgLq2xDJu+YDzksOsVi/V6vsTbm2bljgM1fIBZInbhqk95YOIFZDU9JXT1/vIShcqetavg1vHD1wdkQ==",
      "license": "Apache-2.0",
      "dependencies": {
        "tslib": ">=2.8.1"
@@ -4004,18 +4004,18 @@
        "@angular/common": ">=16.0.0",
        "@angular/core": ">=16.0.0",
        "@ng-web-apis/common": "^4.12.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
-        "@taiga-ui/core": "^4.55.0",
+        "@taiga-ui/core": "^4.62.0",
-        "@taiga-ui/kit": "^4.55.0",
+        "@taiga-ui/kit": "^4.62.0",
-        "@taiga-ui/layout": "^4.55.0",
+        "@taiga-ui/layout": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0",
        "rxjs": ">=7.0.0"
      }
    },
    "node_modules/@taiga-ui/addon-table": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-table/-/addon-table-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/addon-table/-/addon-table-4.62.0.tgz",
-      "integrity": "sha512-K5qpOS0UQLDqruJXPNDic8scCRvO3oAN/ZCPQ9XOGDrcvydvo4AKUwjKRPj+pZ/z0ulxbwAAruFFFCvRNnbzaA==",
+      "integrity": "sha512-0rolnsO1puYwUK17si5OOpzFxiziS6/OSbpLOSKrVrMkCgsWCoNDvpgPIwtwS5Mq3iF5cwLfUPbDQM8saG7wxQ==",
      "license": "Apache-2.0",
      "dependencies": {
        "tslib": ">=2.8.1"
@@ -4024,18 +4024,18 @@
        "@angular/common": ">=16.0.0",
        "@angular/core": ">=16.0.0",
        "@ng-web-apis/intersection-observer": "^4.12.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
-        "@taiga-ui/core": "^4.55.0",
+        "@taiga-ui/core": "^4.62.0",
-        "@taiga-ui/i18n": "^4.55.0",
+        "@taiga-ui/i18n": "^4.62.0",
-        "@taiga-ui/kit": "^4.55.0",
+        "@taiga-ui/kit": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0",
        "rxjs": ">=7.0.0"
      }
    },
    "node_modules/@taiga-ui/cdk": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/cdk/-/cdk-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/cdk/-/cdk-4.62.0.tgz",
-      "integrity": "sha512-vA5nGyx+YIHR1xZeq5D9gSqTRQg74qhe1AOt5FlqFOC0P4LvmLkNg3De7AeahXALNSeRz/DYcqI7WuGo6xpcLQ==",
+      "integrity": "sha512-KWPXEbCHtRp7aIet1L3PySdXpo5Aay4L/36jDzjiFZ/bcbuD2cY/3S2l68zpgv6ZksZA94DuCuaamSEwQIAtPw==",
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
@@ -4065,9 +4065,9 @@
      }
    },
    "node_modules/@taiga-ui/core": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/core/-/core-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/core/-/core-4.62.0.tgz",
-      "integrity": "sha512-Z2ATVNmEAlHEk2cgs/tnS6qZML87IchkPDeRl6HQfBT2fjYVjh1oCzXL07t86Lv6tpvkllyUVqoBCTSvDXs9kA==",
+      "integrity": "sha512-PQW10hFH50g8PgnJpPa/ZrGMWljhIsBHad/utvalmlv8wXQY24i8T1BjrGIOFPOjzs20NEwLOICHf7KdZUtiuA==",
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
@@ -4082,9 +4082,9 @@
        "@angular/router": ">=16.0.0",
        "@ng-web-apis/common": "^4.12.0",
        "@ng-web-apis/mutation-observer": "^4.12.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
        "@taiga-ui/event-plugins": "^4.7.0",
-        "@taiga-ui/i18n": "^4.55.0",
+        "@taiga-ui/i18n": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0",
        "rxjs": ">=7.0.0"
      }
@@ -4120,9 +4120,9 @@
      }
    },
    "node_modules/@taiga-ui/experimental": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/experimental/-/experimental-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/experimental/-/experimental-4.62.0.tgz",
-      "integrity": "sha512-3zq2BTl+fE/N/tEr74TzWbyzT5OoS9YEApKobJehKivW5XxZmF/MDRWp45kSe4jDtVbJ2ueI0Jn8h0BDNykkcg==",
+      "integrity": "sha512-EiL5wJ+9LSf0BfZcFX6ioCavLfx26v0BCOUXh52Rtczp85Uh2qTDt2feM0oBDB+0Kj74/+wqqiKi+s3B8ZV3WA==",
      "license": "Apache-2.0",
      "dependencies": {
        "tslib": ">=2.8.1"
@@ -4130,19 +4130,19 @@
      "peerDependencies": {
        "@angular/common": ">=16.0.0",
        "@angular/core": ">=16.0.0",
-        "@taiga-ui/addon-commerce": "^4.55.0",
+        "@taiga-ui/addon-commerce": "^4.62.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
-        "@taiga-ui/core": "^4.55.0",
+        "@taiga-ui/core": "^4.62.0",
-        "@taiga-ui/kit": "^4.55.0",
+        "@taiga-ui/kit": "^4.62.0",
-        "@taiga-ui/layout": "^4.55.0",
+        "@taiga-ui/layout": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0",
        "rxjs": ">=7.0.0"
      }
    },
    "node_modules/@taiga-ui/i18n": {
-      "version": "4.59.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/i18n/-/i18n-4.59.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/i18n/-/i18n-4.62.0.tgz",
-      "integrity": "sha512-IxPzqkORJlSqagvUdmqBL9fuvfRm/Ca/W/bCDEK2GN/4QtSZ0yFzAyQdWduoIJubqyEPMXRbXZGc7WBtDgAMIQ==",
+      "integrity": "sha512-84hD1nI26EAYd5RUhFKxbg+8WKYhc0GBHyf8wfi15xuwaT6oh2gbJx7pNTlGN3klH4CeDB9HF998tkhieevqQw==",
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
@@ -4155,18 +4155,18 @@
      }
    },
    "node_modules/@taiga-ui/icons": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/icons/-/icons-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/icons/-/icons-4.62.0.tgz",
-      "integrity": "sha512-sYqSG9wgUcwHBrDRnMhLCMEkvAAw/SZrvvq0jdY2oWGmKwAj/6WBt+wA+jnFkDDKEZ7mjzdPIQffpVaUjSwsiw==",
+      "integrity": "sha512-vD+bJk3Wot/+NcbdPwAJGBnqXG6T1OJVeg2IkaEE6DBixwdwDpukZWiV9asXyXiJkyEpG2Ar7SASvdCYZEVlxw==",
      "license": "Apache-2.0",
      "dependencies": {
        "tslib": "^2.3.0"
      }
    },
    "node_modules/@taiga-ui/kit": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/kit/-/kit-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/kit/-/kit-4.62.0.tgz",
-      "integrity": "sha512-xTvi7viI+wI2ifPv2bsf8prhYWWS4g1lbx059jXV3f5Cttc0Xg6DEb6xpaQOf4loBkcrP2FzkA4njACUuiouzw==",
+      "integrity": "sha512-tdEaXJTks1PZQJAwMiVQTZrtCpaLIYV6T9VdVPZUKAJXq7K6J2kcD0oIISjwE9rqgLVwqytMZrwHx1nSRzkb/A==",
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
@@ -4177,25 +4177,25 @@
        "@angular/core": ">=16.0.0",
        "@angular/forms": ">=16.0.0",
        "@angular/router": ">=16.0.0",
-        "@maskito/angular": "^3.10.3",
+        "@maskito/angular": "^3.11.1",
-        "@maskito/core": "^3.10.3",
+        "@maskito/core": "^3.11.1",
-        "@maskito/kit": "^3.10.3",
+        "@maskito/kit": "^3.11.1",
-        "@maskito/phone": "^3.10.3",
+        "@maskito/phone": "^3.11.1",
        "@ng-web-apis/common": "^4.12.0",
        "@ng-web-apis/intersection-observer": "^4.12.0",
        "@ng-web-apis/mutation-observer": "^4.12.0",
        "@ng-web-apis/resize-observer": "^4.12.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
-        "@taiga-ui/core": "^4.55.0",
+        "@taiga-ui/core": "^4.62.0",
-        "@taiga-ui/i18n": "^4.55.0",
+        "@taiga-ui/i18n": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0",
        "rxjs": ">=7.0.0"
      }
    },
    "node_modules/@taiga-ui/layout": {
-      "version": "4.55.0",
+      "version": "4.62.0",
-      "resolved": "https://registry.npmjs.org/@taiga-ui/layout/-/layout-4.55.0.tgz",
+      "resolved": "https://registry.npmjs.org/@taiga-ui/layout/-/layout-4.62.0.tgz",
-      "integrity": "sha512-C+e4gudZwjIc46VITil5vySas1FPpfe+D4uwLRggJOTuUosZlZHBuc51v91wCCc0pL0Xfu+TD0s8W9kRd1sQHA==",
+      "integrity": "sha512-xd8eLLeR5FE3RhnVMGl1QlC3JXXJLsLAAASpBf9DQsTt+YBBl8BQt/cXGbBcJecC2mJLZlS6zytSkMTHY7VAhw==",
      "license": "Apache-2.0",
      "peer": true,
      "dependencies": {
@@ -4204,9 +4204,9 @@
      "peerDependencies": {
        "@angular/common": ">=16.0.0",
        "@angular/core": ">=16.0.0",
-        "@taiga-ui/cdk": "^4.55.0",
+        "@taiga-ui/cdk": "^4.62.0",
-        "@taiga-ui/core": "^4.55.0",
+        "@taiga-ui/core": "^4.62.0",
-        "@taiga-ui/kit": "^4.55.0",
+        "@taiga-ui/kit": "^4.62.0",
        "@taiga-ui/polymorpheus": "^4.9.0",
        "rxjs": ">=7.0.0"
      }
--- a/web/package.json
+++ b/web/package.json
@@ -1,6 +1,6 @@
 {
  "name": "startos-ui",
-  "version": "0.4.0-alpha.12",
+  "version": "0.4.0-alpha.15",
  "author": "Start9 Labs, Inc",
  "homepage": "https://start9.com/",
  "license": "MIT",
@@ -49,18 +49,18 @@
    "@noble/hashes": "^1.4.0",
    "@start9labs/argon2": "^0.3.0",
    "@start9labs/start-sdk": "file:../sdk/baseDist",
-    "@taiga-ui/addon-charts": "4.55.0",
+    "@taiga-ui/addon-charts": "4.62.0",
-    "@taiga-ui/addon-commerce": "4.55.0",
+    "@taiga-ui/addon-commerce": "4.62.0",
-    "@taiga-ui/addon-mobile": "4.55.0",
+    "@taiga-ui/addon-mobile": "4.62.0",
-    "@taiga-ui/addon-table": "4.55.0",
+    "@taiga-ui/addon-table": "4.62.0",
-    "@taiga-ui/cdk": "4.55.0",
+    "@taiga-ui/cdk": "4.62.0",
-    "@taiga-ui/core": "4.55.0",
+    "@taiga-ui/core": "4.62.0",
    "@taiga-ui/dompurify": "4.1.11",
    "@taiga-ui/event-plugins": "4.7.0",
-    "@taiga-ui/experimental": "4.55.0",
+    "@taiga-ui/experimental": "4.62.0",
-    "@taiga-ui/icons": "4.55.0",
+    "@taiga-ui/icons": "4.62.0",
-    "@taiga-ui/kit": "4.55.0",
+    "@taiga-ui/kit": "4.62.0",
-    "@taiga-ui/layout": "4.55.0",
+    "@taiga-ui/layout": "4.62.0",
    "@taiga-ui/polymorpheus": "4.9.0",
    "ansi-to-html": "^0.7.2",
    "base64-js": "^1.5.1",
--- a/web/projects/install-wizard/src/app/app.component.ts
+++ b/web/projects/install-wizard/src/app/app.component.ts
@@ -59,7 +59,9 @@ export class AppComponent {
            await this.api.reboot()
            this.dialogs
              .open(
-                'Please wait 1-2 minutes, then refresh this page to access the StartOS setup wizard.',
+                window.location.host === 'localhost'
                  ? 'Please wait 1-2 minutes for your server to restart'
                  : 'Please wait 1-2 minutes, then refresh this page to access the StartOS setup wizard.',
                {
                  label: 'Rebooting',
                  size: 's',
--- a/web/projects/marketplace/src/pages/show/about.component.ts
+++ b/web/projects/marketplace/src/pages/show/about.component.ts
@@ -70,6 +70,7 @@ import { MarketplaceItemComponent } from './item.component'
    <div class="background-border box-shadow-lg shadow-color-light">
      <div class="box-container">
        <h2 class="additional-detail-title">{{ 'Description' | i18n }}</h2>
        <p [innerHTML]="pkg().description.long"></p>
      </div>
    </div>
--- a/web/projects/marketplace/src/pages/show/dependencies/dependency-item.component.ts
+++ b/web/projects/marketplace/src/pages/show/dependencies/dependency-item.component.ts
@@ -10,7 +10,12 @@ import { MarketplacePkgBase } from '../../../types'
  selector: 'marketplace-dep-item',
  template: `
    <div class="outer-container">
-      <tui-avatar class="dep-img" size="l" [src]="getImage(dep.key)" />
+      <tui-avatar
        appearance="action-grayscale"
        class="dep-img"
        size="l"
        [src]="getImage(dep.key)"
      />
      <div>
        <tui-line-clamp [linesLimit]="2" [content]="titleContent" />
        <ng-template #titleContent>
--- a/web/projects/marketplace/src/pages/show/flavors.component.ts
+++ b/web/projects/marketplace/src/pages/show/flavors.component.ts
@@ -21,7 +21,10 @@ import { MarketplacePkg } from '../../types'
            [queryParams]="{ id: pkg.id, flavor: pkg.flavor }"
            queryParamsHandling="merge"
          >
-            <tui-avatar [src]="pkg.icon | trustUrl" />
+            <tui-avatar
              appearance="action-grayscale"
              [src]="pkg.icon | trustUrl"
            />
            <span tuiTitle>
              {{ pkg.title }}
              <span tuiSubtitle>{{ pkg.version }}</span>
--- a/web/projects/setup-wizard/src/app/components/documentation.component.ts
+++ b/web/projects/setup-wizard/src/app/components/documentation.component.ts
@@ -39,7 +39,9 @@ import { DocsLinkDirective } from '@start9labs/shared'
        "
          >
            <div>
-              <h3 style="color: #f8546a; font-weight: bold">Important!</h3>
+              <h2 style="font-variant-caps: all-small-caps">
                Root Certificate Authority
              </h2>
              <p>
                Download your server's Root CA and
                <a
@@ -47,7 +49,7 @@ import { DocsLinkDirective } from '@start9labs/shared'
                  path="/user-manual/trust-ca.html"
                  style="color: #6866cc; font-weight: bold; text-decoration: none"
                >
-                  follow the instructions
+                  follow instructions
                </a>
                to establish a secure connection with your server.
              </p>
@@ -84,15 +86,15 @@ import { DocsLinkDirective } from '@start9labs/shared'
        "
          >
            <h2 style="font-variant-caps: all-small-caps">
-              Access from home (LAN)
+              Permanent Local Address
            </h2>
            <p>
-              Visit the address below when you are connected to the same WiFi or
+              You must be connected to the same Local Area Network (LAN) as your
-              Local Area Network (LAN) as your server.
+              server to access this address.
            </p>
            <p
              style="
-            padding: 16px;
+            padding: 16px 0;
            font-weight: bold;
            font-size: 1.1rem;
            overflow: auto;
@@ -100,33 +102,6 @@ import { DocsLinkDirective } from '@start9labs/shared'
            >
              <code id="lan-addr"></code>
            </p>
            <h2 style="font-variant-caps: all-small-caps">
              Access on the go (Tor)
            </h2>
            <p>Visit the address below when you are away from home.</p>
            <p>
              <span style="font-weight: bold">Note:</span>
              This address will only work from a Tor-enabled browser.
              <a
                docsLink
                path="/user-manual/connecting-remotely/tor.html"
                style="color: #6866cc; font-weight: bold; text-decoration: none"
              >
                Follow the instructions
              </a>
              to get setup.
            </p>
            <p
              style="
            padding: 16px;
            font-weight: bold;
            font-size: 1.1rem;
            overflow: auto;
          "
            >
              <code id="tor-addr"></code>
            </p>
          </section>
        </div>
      </body>
--- a/web/projects/setup-wizard/src/app/pages/success.page.ts
+++ b/web/projects/setup-wizard/src/app/pages/success.page.ts
@@ -7,7 +7,7 @@ import {
  DOCUMENT,
 } from '@angular/core'
 import { DownloadHTMLService, ErrorService } from '@start9labs/shared'
-import { TuiButton, TuiIcon, TuiSurface } from '@taiga-ui/core'
+import { TuiButton, TuiIcon, TuiLoader, TuiSurface } from '@taiga-ui/core'
 import { TuiCardLarge } from '@taiga-ui/layout'
 import { DocumentationComponent } from 'src/app/components/documentation.component'
 import { MatrixComponent } from 'src/app/components/matrix.component'
@@ -31,10 +31,16 @@ import { StateService } from 'src/app/services/state.service'
          <h3>You can now safely unplug your old StartOS data drive</h3>
        }
        <h3>
          http://start.local was for setup purposes only. It will no longer
          work.
        </h3>
        <button tuiCardLarge tuiSurface="floating" (click)="download()">
          <strong class="caps">Download address info</strong>
          <span>
-            start.local was for setup purposes only. It will no longer work.
+            For future reference, this file contains your server's permanent
            local address, as well as its Root Certificate Authority (Root CA).
          </span>
          <strong class="caps">
            Download
@@ -48,17 +54,18 @@ import { StateService } from 'src/app/services/state.service'
          target="_blank"
          [attr.href]="disableLogin ? null : lanAddress"
        >
          <strong class="caps">Trust your Root CA</strong>
          <span>
            In the new tab, follow instructions to trust your server's Root CA
            and log in.
          </span>
          <strong class="caps">
-            Open
+            Open Local Address
            <tui-icon icon="@tui.external-link" />
          </strong>
        </a>
        <app-documentation hidden [lanAddress]="lanAddress" />
      } @else {
        <tui-loader />
      }
    </section>
  `,
@@ -97,6 +104,10 @@ import { StateService } from 'src/app/services/state.service'
      opacity: var(--tui-disabled-opacity);
      pointer-events: none;
    }
    h3 {
      text-align: left;
    }
  `,
  imports: [
    TuiCardLarge,
@@ -105,6 +116,7 @@ import { StateService } from 'src/app/services/state.service'
    TuiSurface,
    MatrixComponent,
    DocumentationComponent,
    TuiLoader,
  ],
 })
 export default class SuccessPage implements AfterViewInit {
@@ -117,7 +129,6 @@ export default class SuccessPage implements AfterViewInit {
  readonly stateService = inject(StateService)
  torAddresses?: string[]
  lanAddress?: string
  cert?: string
  disableLogin = this.stateService.setupType === 'fresh'
@@ -127,10 +138,8 @@ export default class SuccessPage implements AfterViewInit {
  }
  download() {
    const torElem = this.document.getElementById('tor-addr')
    const lanElem = this.document.getElementById('lan-addr')
    if (torElem) torElem.innerHTML = this.torAddresses?.join('\n') || ''
    if (lanElem) lanElem.innerHTML = this.lanAddress || ''
    this.document
@@ -155,9 +164,6 @@ export default class SuccessPage implements AfterViewInit {
    try {
      const ret = await this.api.complete()
      if (!this.stateService.kiosk) {
        this.torAddresses = ret.torAddresses.map(a =>
          a.replace(/^https:/, 'http:'),
        )
        this.lanAddress = ret.lanAddress.replace(/^https:/, 'http:')
        this.cert = ret.rootCa
--- a/web/projects/shared/src/i18n/dictionaries/de.ts
+++ b/web/projects/shared/src/i18n/dictionaries/de.ts
@@ -484,7 +484,7 @@ export default {
  512: 'Der Kiosk-Modus ist auf diesem Gerät nicht verfügbar',
  513: 'Aktivieren',
  514: 'Deaktivieren',
-  515: 'Du verwendest derzeit einen Kiosk. Wenn du den Kiosk-Modus deaktivierst, wird die Verbindung zum Kiosk getrennt.',
+  515: 'Diese Änderung wird nach dem nächsten Neustart wirksam',
  516: 'Empfohlen',
  517: 'Möchten Sie diese Aufgabe wirklich verwerfen?',
  518: 'Verwerfen',
--- a/web/projects/shared/src/i18n/dictionaries/en.ts
+++ b/web/projects/shared/src/i18n/dictionaries/en.ts
@@ -483,7 +483,7 @@ export const ENGLISH = {
  'Kiosk Mode is unavailable on this device': 512,
  'Enable': 513,
  'Disable': 514,
-  'You are currently using a kiosk. Disabling Kiosk Mode will result in the kiosk disconnecting.': 515,
+  'This change will take effect after the next boot': 515,
  'Recommended': 516, // as in, we recommend this
  'Are you sure you want to dismiss this task?': 517,
  'Dismiss': 518, // as in, dismiss or delete a task
--- a/web/projects/shared/src/i18n/dictionaries/es.ts
+++ b/web/projects/shared/src/i18n/dictionaries/es.ts
@@ -484,7 +484,7 @@ export default {
  512: 'El modo quiosco no está disponible en este dispositivo',
  513: 'Activar',
  514: 'Desactivar',
-  515: 'Actualmente estás utilizando un quiosco. Desactivar el modo quiosco provocará su desconexión.',
+  515: 'Este cambio tendrá efecto después del próximo inicio',
  516: 'Recomendado',
  517: '¿Estás seguro de que deseas descartar esta tarea?',
  518: 'Descartar',
--- a/web/projects/shared/src/i18n/dictionaries/fr.ts
+++ b/web/projects/shared/src/i18n/dictionaries/fr.ts
@@ -484,7 +484,7 @@ export default {
  512: 'Le mode kiosque n’est pas disponible sur cet appareil',
  513: 'Activer',
  514: 'Désactiver',
-  515: 'Vous utilisez actuellement un kiosque. Désactiver le mode kiosque entraînera sa déconnexion.',
+  515: 'Ce changement va prendre effet après le prochain démarrage',
  516: 'Recommandé',
  517: 'Êtes-vous sûr de vouloir ignorer cette tâche ?',
  518: 'Ignorer',
--- a/web/projects/shared/src/i18n/dictionaries/pl.ts
+++ b/web/projects/shared/src/i18n/dictionaries/pl.ts
@@ -484,7 +484,7 @@ export default {
  512: 'Tryb kiosku jest niedostępny na tym urządzeniu',
  513: 'Włącz',
  514: 'Wyłącz',
-  515: 'Obecnie używasz kiosku. Wyłączenie trybu kiosku spowoduje jego rozłączenie.',
+  515: 'Ta zmiana zacznie obowiązywać po następnym uruchomieniu',
  516: 'Zalecane',
  517: 'Czy na pewno chcesz odrzucić to zadanie?',
  518: 'Odrzuć',
--- a/web/projects/shared/src/i18n/i18n.pipe.ts
+++ b/web/projects/shared/src/i18n/i18n.pipe.ts
@@ -10,7 +10,7 @@ import { I18N, i18nKey } from './i18n.providers'
 export class i18nPipe implements PipeTransform {
  private readonly i18n = inject(I18N)
-  transform(englishKey: i18nKey | null | undefined): string {
+  transform(englishKey: i18nKey | null | undefined | ''): string {
    englishKey = englishKey || ('' as i18nKey)
    return this.i18n()?.[ENGLISH[englishKey]] || englishKey
--- a/web/projects/start-tunnel/src/app/routes/home/routes/devices/utils.ts
+++ b/web/projects/start-tunnel/src/app/routes/home/routes/devices/utils.ts
@@ -56,7 +56,7 @@ export function getIp({ clients, range }: MappedSubnet) {
  const net = IpNet.parse(range)
  const last = net.broadcast()
-  for (let ip = net.add(1); ip.cmp(last) === -1; ip.add(1)) {
+  for (let ip = net.add(1); ip.cmp(last) === -1; ip = ip.add(1)) {
    if (!clients[ip.address]) {
      return ip.address
    }
--- a/web/projects/ui/src/app/routes/portal/components/form/controls/select.component.ts
+++ b/web/projects/ui/src/app/routes/portal/components/form/controls/select.component.ts
@@ -40,7 +40,9 @@ import { HintPipe } from '../pipes/hint.pipe'
          [(ngModel)]="selected"
        />
      }
-      <tui-data-list-wrapper *tuiTextfieldDropdown new [items]="items" />
+      @if (!mobile) {
        <tui-data-list-wrapper *tuiTextfieldDropdown new [items]="items" />
      }
      @if (spec | hint; as hint) {
        <tui-icon [tuiTooltip]="hint" />
      }
--- a/web/projects/ui/src/app/routes/portal/components/interfaces/addresses/actions.component.ts
+++ b/web/projects/ui/src/app/routes/portal/components/interfaces/addresses/actions.component.ts
@@ -17,6 +17,7 @@ import {
  tuiButtonOptionsProvider,
  TuiDataList,
  TuiDropdown,
  TuiIcon,
  TuiTextfield,
 } from '@taiga-ui/core'
 import { PolymorpheusComponent } from '@taiga-ui/polymorpheus'
@@ -27,13 +28,9 @@ import { InterfaceComponent } from '../interface.component'
  selector: 'td[actions]',
  template: `
    <div class="desktop">
-      <button
+      <button tuiIconButton appearance="flat-grayscale" (click)="viewDetails()">
        tuiIconButton
        appearance="flat-grayscale"
        iconStart="@tui.info"
        (click)="viewDetails()"
      >
        {{ 'Address details' | i18n }}
        <tui-icon class="info" icon="@tui.info" background="@tui.info-filled" />
      </button>
      @if (interface.value()?.type === 'ui') {
        <a
@@ -113,6 +110,19 @@ import { InterfaceComponent } from '../interface.component'
      white-space: nowrap;
    }
    :host-context(.uncommon-hidden) .desktop {
      height: 0;
      visibility: hidden;
    }
    .info {
      background: var(--tui-status-info);
      &::after {
        mask-size: 1.5rem;
      }
    }
    .mobile {
      display: none;
    }
@@ -127,7 +137,14 @@ import { InterfaceComponent } from '../interface.component'
      }
    }
  `,
-  imports: [TuiButton, TuiDropdown, TuiDataList, i18nPipe, TuiTextfield],
+  imports: [
    TuiButton,
    TuiDropdown,
    TuiDataList,
    i18nPipe,
    TuiTextfield,
    TuiIcon,
  ],
  providers: [tuiButtonOptionsProvider({ appearance: 'icon' })],
  changeDetection: ChangeDetectionStrategy.OnPush,
 })
--- a/web/projects/ui/src/app/routes/portal/components/interfaces/addresses/addresses.component.ts
+++ b/web/projects/ui/src/app/routes/portal/components/interfaces/addresses/addresses.component.ts
@@ -1,7 +1,8 @@
 import { ChangeDetectionStrategy, Component, input } from '@angular/core'
 import { i18nPipe } from '@start9labs/shared'
 import { TuiButton } from '@taiga-ui/core'
 import { TuiAccordion } from '@taiga-ui/experimental'
-import { TuiSkeleton } from '@taiga-ui/kit'
+import { TuiElasticContainer, TuiSkeleton } from '@taiga-ui/kit'
 import { PlaceholderComponent } from 'src/app/routes/portal/components/placeholder.component'
 import { TableComponent } from 'src/app/routes/portal/components/table.component'
@@ -12,91 +13,79 @@ import { InterfaceAddressItemComponent } from './item.component'
  selector: 'section[addresses]',
  template: `
    <header>{{ 'Addresses' | i18n }}</header>
-    <table [appTable]="['Type', 'Access', 'Gateway', 'URL', null]">
+    <tui-elastic-container>
-      @for (address of addresses()?.common; track $index) {
+      <table [appTable]="['Type', 'Access', 'Gateway', 'URL', null]">
-        <tr [address]="address" [isRunning]="isRunning()"></tr>
+        @for (address of addresses()?.common; track $index) {
-      } @empty {
+          <tr [address]="address" [isRunning]="isRunning()"></tr>
-        @if (addresses()) {
+        } @empty {
-          <tr>
+          @if (addresses()) {
            <td colspan="5">
              <app-placeholder icon="@tui.list-x">
                {{ 'No addresses' | i18n }}
              </app-placeholder>
            </td>
          </tr>
        } @else {
          @for (_ of [0, 1]; track $index) {
            <tr>
-              <td colspan="6">
+              <td colspan="5">
-                <div [tuiSkeleton]="true">{{ 'Loading' | i18n }}</div>
+                <app-placeholder icon="@tui.list-x">
                  {{ 'No addresses' | i18n }}
                </app-placeholder>
              </td>
            </tr>
          } @else {
            @for (_ of [0, 1]; track $index) {
              <tr>
                <td colspan="6">
                  <div [tuiSkeleton]="true">{{ 'Loading' | i18n }}</div>
                </td>
              </tr>
            }
          }
        }
-      }
+        <tbody [class.uncommon-hidden]="!uncommon">
-    </table>
+          @if (addresses()?.uncommon?.length && uncommon) {
-    @if (addresses()?.uncommon?.length) {
+            <tr [style.background]="'var(--tui-background-neutral-1)'">
-      <tui-accordion>
+              <td colspan="5"></td>
-        <tui-expand>
+            </tr>
          <hr />
          <table class="g-table">
            @for (address of addresses()?.uncommon; track $index) {
              <tr [address]="address" [isRunning]="isRunning()"></tr>
            }
          </table>
        </tui-expand>
        <button
          appearance="secondary-grayscale"
          iconEnd=""
          [(tuiAccordion)]="uncommon"
        >
          @if (uncommon) {
            Hide uncommon
          } @else {
            Show uncommon
          }
-        </button>
+          @for (address of addresses()?.uncommon; track $index) {
-      </tui-accordion>
+            <tr [address]="address" [isRunning]="isRunning()"></tr>
-    }
+          }
        </tbody>
        @if (addresses()?.uncommon?.length) {
          <caption [style.caption-side]="'bottom'">
            <button
              tuiButton
              size="m"
              appearance="secondary-grayscale"
              (click)="uncommon = !uncommon"
            >
              @if (uncommon) {
                Hide uncommon
              } @else {
                Show uncommon
              }
            </button>
          </caption>
        }
      </table>
    </tui-elastic-container>
  `,
  styles: `
-    tui-accordion {
+    .g-table:has(caption) {
-      border-radius: 0;
+      border-bottom-left-radius: 0;
      border-bottom-right-radius: 0;
    }
-    [tuiAccordion],
+    [tuiButton] {
-    tui-expand {
+      width: 100%;
-      box-shadow: none;
+      border-top-left-radius: 0;
-      padding: 0;
+      border-top-right-radius: 0;
    }
    [tuiAccordion] {
      justify-content: center;
      height: 3rem;
      border-radius: 0 0 var(--tui-radius-m) var(--tui-radius-m) !important;
    }
    hr {
      margin: 0;
      height: 0.25rem;
      border-radius: 1rem;
    }
    :host-context(tui-root._mobile) {
      [tuiAccordion] {
        margin: 0.5rem 0;
        border-radius: var(--tui-radius-m) !important;
      }
    }
  `,
  host: { class: 'g-card' },
  imports: [
    TuiSkeleton,
    TuiButton,
    TableComponent,
    PlaceholderComponent,
    i18nPipe,
    InterfaceAddressItemComponent,
-    TuiAccordion,
+    TuiElasticContainer,
    TuiSkeleton,
  ],
  changeDetection: ChangeDetectionStrategy.OnPush,
 })
--- a/web/projects/ui/src/app/routes/portal/components/interfaces/addresses/item.component.ts
+++ b/web/projects/ui/src/app/routes/portal/components/interfaces/addresses/item.component.ts
@@ -8,27 +8,31 @@ import { TuiBadge } from '@taiga-ui/kit'
  selector: 'tr[address]',
  template: `
    @if (address(); as address) {
      <td>{{ address.type }}</td>
      <td>
-        @if (address.access === 'public') {
+        <div class="wrapper">{{ address.type }}</div>
-          <tui-badge size="s" appearance="primary-success">
+      </td>
-            {{ 'public' | i18n }}
+      <td>
-          </tui-badge>
+        <div class="wrapper">
-        } @else if (address.access === 'private') {
+          @if (address.access === 'public') {
-          <tui-badge size="s" appearance="primary-destructive">
+            <tui-badge size="s" appearance="primary-success">
-            {{ 'private' | i18n }}
+              {{ 'public' | i18n }}
-          </tui-badge>
+            </tui-badge>
-        } @else {
+          } @else if (address.access === 'private') {
-          -
+            <tui-badge size="s" appearance="primary-destructive">
-        }
+              {{ 'private' | i18n }}
            </tui-badge>
          } @else {
            -
          }
        </div>
      </td>
      <td [style.order]="-1">
-        <div [title]="address.gatewayName">
+        <div class="wrapper" [title]="address.gatewayName">
          {{ address.gatewayName || '-' }}
        </div>
      </td>
      <td>
-        <div [title]="address.url">{{ address.url }}</div>
+        <div class="wrapper" [title]="address.url">{{ address.url }}</div>
      </td>
      <td
        actions
@@ -48,6 +52,18 @@ import { TuiBadge } from '@taiga-ui/kit'
      }
    }
    :host-context(.uncommon-hidden) {
      .wrapper {
        height: 0;
        visibility: hidden;
      }
      td {
        padding-block: 0;
        border: hidden;
      }
    }
    div {
      white-space: normal;
      word-break: break-all;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Aiden McClelland	24eb27f005	minor bugfixes for alpha.14 (#3058 ) * overwrite AllowedIPs in wg config mute UnknownCA errors * fix upgrade issues * allow start9 user to access journal * alpha.15 * sort actions lexicographically and show desc in marketplace details * add registry package download cli command --------- Co-authored-by: Matt Hill <mattnine@protonmail.com>	2025-11-26 16:23:08 -07:00
Matt Hill	009d76ea35	More FE fixes (#3056 ) * tell user to restart server after kiosk chnage * remove unused import * dont show tor address on server setup * chore: address comments * revert mock * chore: remove uptime block on mobile * utiliser le futur proche * chore: comments * don't show loading on authorities tab * chore: fix mobile unions --------- Co-authored-by: waterplea <alexander@inkin.ru> Co-authored-by: Aiden McClelland <3732071+dr-bonez@users.noreply.github.com>	2025-11-25 23:43:19 +00:00
Aiden McClelland	6e8a425eb1	overwrite AllowedIPs in wg config (#3055 ) mute UnknownCA errors	2025-11-21 11:30:21 -07:00
Aiden McClelland	66188d791b	fix start-tunnel artifact upload	2025-11-20 10:53:23 -07:00
Aiden McClelland	015ff02d71	fix build	2025-11-20 01:05:50 -07:00
Aiden McClelland	10bfaf5415	fix start-tunnel build	2025-11-20 00:30:33 -07:00
Aiden McClelland	e3e0b85e0c	Bugfix/alpha.13 (#3053 ) * bugfixes for alpha.13 * minor fixes * version bump * start-tunnel workflow * sdk beta 44 * defaultFilter * fix reset-password on tunnel auth * explicitly rebuild types * fix typo * ubuntu-latest runner * add cleanup steps * fix env on attach	2025-11-19 22:48:49 -07:00
Matt Hill	ad0632892e	Various (#3051 ) * tell user to restart server after kiosk chnage * remove unused import * dont show tor address on server setup * chore: address comments * revert mock * chore: remove uptime block on mobile * utiliser le futur proche --------- Co-authored-by: waterplea <alexander@inkin.ru> Co-authored-by: Aiden McClelland <3732071+dr-bonez@users.noreply.github.com>	2025-11-19 10:35:07 -07:00
Aiden McClelland	f26791ba39	fix raspi fsck	2025-11-17 12:17:58 -07:00
Aiden McClelland	2fbaaebf44	Bugfixes for alpha.12 (#3049 ) * squashfs-wip * sdk fixes * misc fixes * bump sdk * Include StartTunnel installation command Added installation instructions for StartTunnel. * CA instead of leaf for StartTunnel (#3046) * updated docs for CA instead of cert * generate ca instead of self-signed in start-tunnel * Fix formatting in START-TUNNEL.md installation instructions * Fix formatting in START-TUNNEL.md * fix infinite loop * add success message to install * hide loopback and bridge gateways --------- Co-authored-by: Aiden McClelland <me@drbonez.dev> Co-authored-by: Aiden McClelland <3732071+dr-bonez@users.noreply.github.com> * prevent gateways from getting stuck empty * fix set-password * misc networking fixes * build and efi fixes * efi fixes * alpha.13 * remove cross * fix tests * provide path to upgrade * fix networkmanager issues * remove squashfs before creating --------- Co-authored-by: Matt Hill <MattDHill@users.noreply.github.com>	2025-11-15 22:33:03 -07:00
StuPleb	edb916338c	minor typos and grammar (#3047 ) * minor typos and grammar * added missing word - compute	2025-11-14 12:48:41 -07:00
Aiden McClelland	f7e947d37d	Fix installation command for StartTunnel (#3048 )	2025-11-14 12:42:05 -07:00
Aiden McClelland	a9e3d1ed75	Revise StartTunnel installation and update commands Updated installation and update instructions for StartTunnel.	2025-11-14 12:39:53 -07:00
Matt Hill	ce97827c42	CA instead of leaf for StartTunnel (#3046 ) * updated docs for CA instead of cert * generate ca instead of self-signed in start-tunnel * Fix formatting in START-TUNNEL.md installation instructions * Fix formatting in START-TUNNEL.md * fix infinite loop * add success message to install * hide loopback and bridge gateways --------- Co-authored-by: Aiden McClelland <me@drbonez.dev> Co-authored-by: Aiden McClelland <3732071+dr-bonez@users.noreply.github.com>	2025-11-10 14:15:58 -07:00
Aiden McClelland	3efec07338	Include StartTunnel installation command Added installation instructions for StartTunnel.	2025-11-07 20:00:31 +00:00