security+feat: v1.3.0 — pentest remediation, container reliability, UI overhaul

Security (33 pentest findings addressed):
- CRITICAL: backend binds 127.0.0.1, path traversal in tor.rs/dwn fixed
- HIGH: federation requires signatures, XSS login redirect, RBAC viewer restricted
- HIGH: tar slip prevention, S3 SSRF validation, backup ID validation
- MEDIUM: remember-me random secret, TOTP session rotation, password re-auth
- LOW: CSP unsafe-inline removed, CORS dev-only, onion/webhook validation

Container reliability:
- Memory limits on all 37 containers (OOM prevention)
- Exited vs stopped state distinction with health-aware status badges
- Crash recovery coordination (no more restart cascade)
- User-stopped tracking survives reboots
- Tiered boot recovery (databases → core → services → apps)

UI:
- Wallet TransactionsModal, health-aware app status badges
- Restart button on containers, exited/crashed red state
- Mesh view overhaul, glass button updates, BaseModal/ToggleSwitch
- Apps sticky header removed, dev faucet, mutable mock wallet

Infrastructure:
- LND REST port 8080 exposed over Tor (LND Connect fix)
- Nginx cookie_session fix, deploy script Tor config updated
- Dev environment: podman auto-start, boot mode simulation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/setup-https-dev.sh

@@ -21,13 +21,38 @@ chmod 755 "$SSL_DIR"
 
 # Generate self-signed cert if missing (valid 365 days)
 # SAN includes common dev IPs so cert works when accessing via IP
+# Build dynamic SAN with all node IPs (LAN + Tailscale + loopback)
+SAN_IPS="DNS:archipelago.local,DNS:localhost,IP:127.0.0.1"
+# Add all IPv4 addresses on this machine (LAN, Tailscale, etc.)
+for ip in $(hostname -I 2>/dev/null | tr ' ' '\n' | grep -E '^[0-9]+\.' | grep -v '^127\.'); do
+    SAN_IPS="$SAN_IPS,IP:$ip"
+done
+# Always include common LAN IPs as fallback
+for ip in 192.168.1.228 192.168.1.198 10.0.0.1; do
+    echo "$SAN_IPS" | grep -q "$ip" || SAN_IPS="$SAN_IPS,IP:$ip"
+done
+
+# Regenerate cert if missing OR if current cert doesn't include this node's primary IP
+REGEN=false
 if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then
+    REGEN=true
+else
+    # Check if cert has this node's primary IP
+    MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
+    if [ -n "$MY_IP" ] && ! openssl x509 -in "$CERT" -noout -text 2>/dev/null | grep -q "$MY_IP"; then
+        echo "   Certificate missing this node's IP ($MY_IP) — regenerating..."
+        REGEN=true
+    fi
+fi
+
+if [ "$REGEN" = true ]; then
     echo "Generating self-signed certificate for PWA (HTTPS)..."
+    echo "   SAN: $SAN_IPS"
     openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
         -keyout "$KEY" \
         -out "$CERT" \
         -subj "/CN=archipelago.local/O=Archipelago/C=US" \
-        -addext "subjectAltName=DNS:archipelago.local,DNS:localhost,IP:127.0.0.1,IP:192.168.1.228,IP:192.168.1.198,IP:10.0.0.1"
+        -addext "subjectAltName=$SAN_IPS"
     chmod 644 "$CERT"
     chmod 600 "$KEY"
     echo "   Certificate created at $CERT"
@@ -74,8 +99,9 @@ fi
 if grep -q "listen 443 ssl" "$NGINX_CFG" 2>/dev/null; then
     echo "HTTPS already configured in nginx."
     nginx -t 2>/dev/null && systemctl reload nginx
+    MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
     echo ""
-    echo "PWA: Use https://192.168.1.228 (not http) - accept cert once, then Install app."
+    echo "PWA: Use https://${MY_IP:-192.168.1.228} (not http) - accept cert once, then Install app."
     exit 0
 fi
 
@@ -250,4 +276,5 @@ echo "Added HTTPS (port 443) to nginx config."
 # Test and reload
 nginx -t && systemctl reload nginx
 echo ""
-echo "HTTPS enabled. PWA install: https://192.168.1.228 (accept the certificate warning once, then Install app)."
+MY_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
+echo "HTTPS enabled. PWA install: https://${MY_IP:-192.168.1.228} (accept the certificate warning once, then Install app)."