- kernel/lifecycle.js: ctx.loadScripts now loads in array order (sequential),
so a feature can list a base file before files that augment it. Strictly
safer than the previous parallel load.
- Extract the module-level schema/retention data (the BACKUP_* maps + the
retention-preset detector, 83 lines) out of backup-page.js into a new
backup-schema.js, loaded first. Verbatim move — no logic change. First slice
of the backup decomposition (god-file: 2553 -> 2470 lines).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Introduces kernel/services.js (window.LP.services): an additive, typed,
LAZY view onto the existing cross-cutting singletons — tasks{bus,refresh,
route}, live, auth, data, notify, theme, modal, router. It constructs
nothing (pure getters onto the live globals), so there's no double-init and
the globals stay authoritative. MountContext now injects it as ctx.services.
Slot names/globals were verified against the real code (workflow map): the
design doc's §4 list was wrong in several places — no window.taskManager
(client slot dropped), tasks.route lives on tasksManager.router, auth has no
status(), DataLoader isn't a window prop (lexical fallback), modal/router are
split surfaces (grouped/bound objects).
Migrated the 4 cross-cutting refs in the feature modules onto ctx.services
(admin: router.adminCategoryFromPath + tasks.refresh; backup: tasks.refresh;
app-detail: router.appPath). Page-owned controllers stay feature-globals.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Themes are already modular via folder discovery (GET /api/themes/list scans
themes/<name>/). This brings the SAME model to pages:
- backend/routes/features.js: public GET /api/features/list scans
frontend/features/<id>/feature.json and returns the page manifest. The
Node process reads its own bind-mounted /app/frontend — no runFileOp /
regen / source-array plumbing needed (sidesteps the shell-generator gotchas).
- features/<id>/feature.json: each page now self-describes (id, routes,
module, handler, navId, nav, order). 6 real features + 3 redirect-only
(config/peers/ssh) so behaviour is preserved exactly.
- kernel loadManifest() prefers /api/features/list, falls back to the static
features/manifest.dev.json when the endpoint isn't up yet.
Result: dropping a features/<id>/ folder registers a page; deleting it
removes it — zero central edits, exactly like dropping a theme folder.
(Backend route needs a Node restart to activate; the static-manifest
fallback keeps everything working until then.)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The kernel now loads each feature's self-registering index.js from the
manifest (new 'module' field) before building routes, so index.html no
longer hardcodes a per-feature <script> list — one of the four registries
the modularization targets is now gone. Adding a page = drop a
features/<id>/ folder + a manifest entry; no index.html edit.
loadScript is idempotent and non-fatal: a module that 404s or fails to
register leaves its route on the legacy handler. Manifest-load failure
still falls back to the built-in route table.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
AppTabbedManager.initialize() re-runs on every /app navigation (its
'initialized' flag is never set true), and setupURLMonitoring() /
setupTaskEventListeners() add window listeners (popstate, taskCreated/
Completed/Updated) unguarded — so each app-detail visit stacked another
listener set. Bind them once via a _listenersWired flag (mirrors the
existing _watchdogStarted guard). Pre-existing leak surfaced by the
feature-migration review.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
features/admin/index.js owns all /admin* sub-routes (overview, config/<cat>,
system[/sub], tools/ssh-access, tools/peers). mount() parses the category and
delegates to the system-loader configManager singleton's renderConfig();
unmount() stops AdminSystem's live SSE sub + 30s interval, drops the
admin-overview task-refresh registration, and nulls the per-visit
sub-controllers (adminOverview/adminSystem/sshPage/peersPage) while leaving
configManager intact. Legacy /config /ssh /peers redirect handlers unchanged.
With this, every WebUI page now routes through the feature-module kernel;
the legacy handleX() methods remain only as fallbacks.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
- features/apps/index.js (/apps*) and features/app-detail/index.js (/app*)
as two features; /apps* registered first so wildcard precedence holds.
Both drive the system-loader-pre-initialized singletons (appsManager /
appTabbedManager) via .initialize(), mirroring the legacy handlers exactly
(incl. app-detail's legacy ?app=/?=name parsing + ?tab=/?config= rewrite).
- kernel/lifecycle.js: ctx.nav(path, addToHistory) so app-detail's empty-name
redirect matches navigate('/apps', false) exactly.
unmount is a no-op for both (shared singletons); the app-tabbed-manager
listener-rebind leak is pre-existing and handled in a follow-up.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Two more pages on the feature-module contract (specs produced + adversarially
verified by workflow):
- features/dashboard/index.js: landing page; mount() folds in the data-reload
that used to be a navigate() special-case (now deleted from spa.js, so it
fires exactly once). No controller class — uses the eager dashboard.js globals.
- features/tasks/index.js: re-inits the system-loader tasksManager singleton;
unmount() clears the 30s auto-refresh interval + open log streams WITHOUT
stopping the shared SSE bus or nulling the singleton.
Verifier fixes applied: deleted the duplicate dashboard reload in navigate();
dropped a dead detachDashboardLive() call; fixed an invalid try{}while(false)
in the tasks unmount.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Introduces the kernel lifecycle and migrates the first real page to the
feature-module contract:
- kernel/lifecycle.js: MountContext (loadScripts/loadFragment/setContent
+ an AbortController/unsub teardown ledger so mounts can't leak
listeners or live streams).
- features/backup/index.js: Backup Center as a self-contained module
(LP.features.register with mount/unmount); heavy backup-page.js stays
lazy-loaded on first mount.
- spa.js: routes whose feature has a registered mount() are driven
through the kernel; everything else still uses its legacy handleX().
navigate() unmounts the current feature first. Both fall back to the
legacy handler if a module is missing or mount throws.
Strangler step: /backup now flows manifest -> registry -> mount/unmount.
The other pages are untouched. handleBackup remains as the fallback.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
First slice of the per-module CSS strategy: introduce
shared/css/tokens.css as the always-present, theme-agnostic base token
layer, loaded before all other stylesheets.
- Defines --font-mono (ui-monospace stack). Several feature sheets used
var(--font-mono, monospace) with no definition, falling back to bare
monospace; this unifies them with the richer stack used elsewhere.
- Hoists the --page-* identity hues out of css/admin.css so they belong
to the base layer rather than the admin stylesheet. Values unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
LibrePortalSPAClean now builds its route table from window.LP.features
(features/manifest.dev.json) instead of the hardcoded setupRoutes() Map.
Manifest order is preserved so findRouteHandler()'s wildcard precedence
(/apps* before /app*) is unchanged. All-or-nothing fallback to the
built-in table if the manifest is missing/empty or names an unknown
handler, so routing is never left half-wired.
Rendering is unchanged — handlers still do the work; only the routing
source moved.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Adds the foundation of the feature-module architecture
(docs/frontend-modularization.md) as inert, additive code:
- kernel/feature-registry.js: window.LP.features — runtime register(),
manifest loader, route-table + nav builders.
- features/manifest.dev.json: hand-committed manifest mirroring spa.js
setupRoutes() exactly (route -> handler + navId).
- index.html loads the kernel before spa.js.
Zero behaviour change: nothing consults the registry yet. Phase 0b flips
routing to be registry-driven with the spa.js Map as fallback.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Remove the "Paste a public key…" line (the section description already
explains it) and stretch the Login / Add-a-key cards to equal height
(.ssh-cols align-items: start -> stretch).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The `libreportal verify` task showed its raw command and no icon. Add its
formatCommandForUser pattern ("LibrePortal - Verify System"), a 🛡️ type icon,
a formatActionTitle entry, and include it in isLibrePortalSystemTask so it shows
the LibrePortal logo like other system tasks.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The System header used a cpu icon while the sidebar (and the Dashboard's System
card) use the activity-pulse icon. Swap the header to the same activity pulse so
System reads consistently everywhere.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Wrap both the OS and CPU logos in a 36x36 rounded icon tile with a subtle
background — same treatment as the backup app-list tiles — at a uniform
size, with the logo centred inside.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Renames the Admin landing to "Dashboard" in both the page title and the sidebar
label, and adds a leading header icon (the grid icon, matching the Backup
dashboard) via the shared .page-header-icon-slot. System gets a cpu icon in its
header too. The slot styles come from the globally-loaded backup.css, so no new
CSS is needed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Both sections are light on content, so a two-column grid uses the space better
than full-width stacking. Wrapped them in .ssh-cols (1fr 1fr, stacks under
640px); Authorized keys stays full width below.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The Intel/AMD logos are wide wordmarks that sat in a square 24x24 box, so
the actual mark rendered only a few px tall and looked invisible. Crop each
viewBox to the wordmark and size the CPU icon by height with auto width so
it shows at a legible scale. Bump the OS distro icon from 18 to 22px.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Reverts the solid fills (too heavy) back to the translucent hue tint but keeps
white text — white on a tint-over-dark-card reads cleanly on nebula, which the
old coloured text didn't. Hues restored to the brighter originals. Verify now
gets its own green token (--page-verify) per the usual verify=green convention,
and Backups takes the blue.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Replace the hand-drawn distro marks with the official artwork (Simple
Icons, brand-coloured, bundled locally — no external calls) for
Debian/Ubuntu/Fedora/Arch + a generic Linux fallback. Add Intel/AMD logos
under /icons/cpu/ and show the vendor logo beside the CPU, with the model
string stripped of trademark noise (Intel(R) Core(TM), ®/™, "CPU") since
the logo conveys the vendor — e.g. "Core i5-8250U @ 1.60GHz".
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The translucent tinted buttons washed out against nebula's glassy aurora
background. Switch .admin-action-btn to a solid fill with white text (the bg can
no longer bleed through) and deepen the --page-* hues enough for white-text
contrast. Hover uses brightness() so it's theme-agnostic.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Bundle a small set of distro marks (Debian/Ubuntu/Fedora/Arch) plus a
generic Linux/Tux fallback under /icons/os/, and show the icon next to the
OS value, keyed off the cleaned distro name. Locally bundled — no external
calls — and unknown distros fall back to the generic glyph.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Introduces per-area identity hues as reusable tokens (--page-updates/backups/
ssh/system + -rgb companions) and a generic .admin-action-btn that takes its
colour from --page set on the card. The Overview buttons now read in their
area's hue — Updates blue, Backups emerald, SSH violet, System amber — with the
icon following via currentColor; "Update now" is the filled (primary) variant.
The tokens are the foundation to extend each area's identity (page headers,
accents) going forward, not just these buttons.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The admin ops/health board now lives at /admin/dashboard (adminPath
('overview') emits it; the topbar Admin link points there). Bare /admin
still resolves to the same board — no redirect, both paths render it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Update/Verify (refresh, shield-check), Manage backups (archive), Manage SSH
(key), View system stats (activity). Icons inherit the button's text colour —
no per-button colour, so the footer stays calm; the icon plus the card's status
dot do the distinguishing.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
System is live stats, not configuration, so it shouldn't live under
/admin/config. adminPath('system') now emits /admin/system; the path
parser locates 'system' positionally; all nav targets, breadcrumbs and the
dashboard disk-card link point at /admin/system{,/storage,/metric/<k>}.
adminCategoryFromPath already resolves /admin/<x> to that category, so
ConfigManager still mounts AdminSystem unchanged.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The "View/Open storage breakdown" links in the System storage summary were
plain text links; restyle them as the same accent pill CTA (icon + label)
used on the Disk metric page.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
"Live · binary ring backed" meant nothing to a user; show a per-metric
sentence describing what the chart is (e.g. "Root-filesystem usage over
time.") instead.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Move the Disk page's "View storage breakdown" button beneath the time-range
picker (actions stack in a column, right-aligned) instead of beside it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The plain text link read as unstyled; give it the same pill shape as the
Reclaim Space button (icon + label) in the accent colour, so it looks
intentional without borrowing Reclaim's caution-orange.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Add a "View storage breakdown →" button on the Disk metric page (disk
only) that opens /admin/config/system/storage — keeps the trend page and
the breakdown page focused but a click apart, instead of merging them.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The "LibrePortal X GB" sublabel under the disk percentage read as clutter;
remove it. The % and the coloured LibrePortal portion of the ring stay.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The System-page storage ring is an overview, so showing individual app
(compose-project) names was wrong — it now shows a single "Applications"
slice totalling all apps, alongside Images and Build cache. The per-app
breakdown stays on the full Storage page.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Replace the disk gauge's concentric inner ring with a single ring whose
leading portion is coloured to mark the LibrePortal share of the disk
(one ring: total disk used overall, LibrePortal highlighted within it).
On the full-screen Disk metric page, add a flat reference line marking
LibrePortal's current share alongside the disk-usage trend. The gauge
gains a `segment` option; the chart line is a "now" value (no historical
LP series yet), so it's flat across the range.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
- Disk gauge (System page) gains an inner ring for the LibrePortal slice of
the disk, so it shows total disk used AND how much of that is us.
- System-page storage summary now shows the full LibrePortal breakdown
(apps + images + build cache), not just the Docker engine categories.
- Fix the chart colours: Images use the Reclaim orange, build cache the
deeper red (warm = reclaimable overhead), apps a cool palette.
- Images list: dark container, Clear All / Select all moved into the section
head (count text dropped), each image shows its app's icon.
- Storage by app restyled to the same Tasks-style list (app icons,
expandable folders), minus the selection controls.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Post-task UI refresh was scattered: every page added its own taskCompleted
listener and hard-coded which actions it cared about, so it was easy to add a
task and forget the refresh (stale UI), with no single place to see the wiring.
Adds TaskRefreshCoordinator (window.taskRefresh): one listener, with dedupe
(the SSE bus + synthetic fallbacks double-fire) and opt-in debounce (bursts
coalesce; per-task handlers run every time). Components now register a refresh
entry; window.taskRefresh.table() is the introspectable "what reloads when" map.
Migrated onto it: apps (install/uninstall/tool/config_update lifecycle +
restore/update/rebuild state), backups (backup/restore/delete), the update
badge, and the admin overview integrity badge. Gaps closed: restore/update/
rebuild now repaint app+service data. (start/stop/restart intentionally omitted —
no live status surface to refresh today; revisit if a running/stopped badge is
added. Storage reclaim/image-rm keep their own in-page refresh.)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
config_update re-deploys apps (ports, subdomains, Open URLs, routing) but the
WebUI only unlocked the nav on completion — leaving stale URLs/routing until a
manual reload. apps-manager now refreshes apps + services and repaints the
current view when a config_update task completes, via a reusable
refreshAppsAndView() helper (also the basis for the upcoming task-refresh
registry).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Replace the frontpage liquid-fill disk circle with a real donut split into
Apps · Docker · Other · Free, keeping disk % used in the centre. Apps come
from the per-app generator (root-device bytes), Docker from system df; both
are clamped within "used" so skew can't overflow. Live disk ticks redraw it,
and the card now clicks through to the full Storage breakdown.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The trends grid lost its disk chart; add it back as a 6th card plotting
root-filesystem % over time, alongside CPU/Memory/Network/Load/Swap. The
'disk' history series and metric-detail entry already existed, so the
expand-to-detail flow works unchanged.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Replaces the read-only "Largest images" top-10 table with a Tasks-style list of
ALL Docker images, with select-one / select-multiple / clear-all removal that
mirrors the Tasks page UX (row checkboxes, master select-all, a button that
morphs Clear All ↔ Delete Selected (N), an eo confirm modal).
Deletion routes through the task system, NOT a new web API: a new
`libreportal system image rm [--force] <ids>` CLI subcommand (validates each
ref, loops runFileOp docker image rm, reports a tally) is invoked via the
system_image_rm task action — same pattern as Reclaim. The web backend change
is read-only (uncap the existing /storage image list). In-use images are
skipped by default with an opt-in "force-remove" toggle (warned). The page
stays put, toasts, and refreshes on the task's completion event.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Put everything back in a single donut instead of an app-only one: a slice
per app plus Docker's images and build cache, with one legend listing them
all. Colours run continuously so app and Docker slices stay distinct, and
the Docker cards below reuse the same colours. The per-folder app
drill-down table stays. This is the "all the data, with app usage added"
view that was asked for.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
The Storage page now leads with on-disk usage by app: the headline donut
is split by app (each a coloured slice, total app data in the centre),
and the "Storage by app" table is its legend — swatch + bar colours match
the slices, rows expand to the per-folder breakdown. Docker's engine
figures (images + build cache) drop to a secondary section below. This is
the integration that was asked for; the donut is your data, not Docker's
overhead.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Like named volumes, a container's writable layer is a near-zero scratch
number for LibrePortal (app data lives in bind mounts, shown per-app), so
sitting it next to per-app storage just confused things. Remove the
"Containers" slice/card and its backend summation, and reframe the Docker
breakdown as "Docker engine" overhead (images + build cache) — clearly
separate from your app data.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Extend the app-storage generator to record every bind mount's size and
in-container path, grouped into a per-app folder list. The "Storage by
app" rows are now expandable: click an app to see where its space goes
(e.g. /var/lib/mysql vs /data), with external-drive folders flagged.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
LibrePortal apps keep data in bind mounts, so Docker named-volume
accounting is always ~empty and just reads as a confusing "0 B". Now that
per-app on-disk usage covers the real "what's filling my disk" question,
remove volumes end to end: the donut slice, category card, "Largest
volumes" table and the System-page count, plus the backend's volume
summation and top_volumes payload. Reclaim copy no longer references
volumes (it reassures about app data instead).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Docker only tracks where an app's data lives (its bind mounts), not how
big a bind-mounted host dir is — so named-volume accounting reads ~0 for
LibrePortal, whose app data lives in bind mounts. Add a generator that
reads each app's mount map from `docker inspect` and `du`s the directories
(via runFileOp, so it runs as the data-owning user and isn't blocked by
rootless UID mapping). `du -x` keeps each measurement on its own
filesystem, so data on a separate disk is reported as a distinct
"external" total. The generator self-throttles to ~10 min since du is
heavier than the per-minute metrics. Surfaced as a "Storage by app"
section on the Storage page.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
Adds per-file integrity attestation on top of the existing signed-tarball
release flow. make_release now generates a SHA256SUMS manifest over the shipped
tree and (when a key is configured) signs it, riding both inside the release
tarball so they land in the install tree with no extra download.
lpVerifyInstall (scripts/source/verify.sh) re-hashes the install tree against
that manifest and verifies the manifest's minisign signature against the
root-owned footprint pubkey, yielding states: verified / modified / tampered /
unsigned / unverifiable / development. webuiSystemVerify writes verify_status.json
(throttled daily, force on demand, also after each update apply), surfaced as an
Integrity line + "Verify now" button on the Admin → Overview Updates card and a
row in the update details panel. `libreportal verify` exposes the same check on
the CLI.
Honest framing: this is a self-check (run by the software it verifies), so red
fires only for genuine modified/tampered states; the badge tooltip points to
out-of-band `minisign -Vm` for an independent guarantee.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>