v0.7.0 — productivity & security apps
Pre-releaseProductivity & security apps. Four optional, ENABLE_*-gated apps (off by default), loopback-bound, each keeping its DB/index on ext4 ($HOME/.pocket/<app>), never on the exFAT SD. Clients that speak native/token auth (Bitwarden apps, CalDAV/CardDAV, the Wallabag API, Trilium's ETAPI/sync) use a Cloudflare Access service-token exemption, not the interactive login gate.
- Vaultwarden (
vault.) — Bitwarden-compatible password manager. Upstream ships no standalone binary, so the installer daemonlessly extracts the musl-static binary + version-locked web-vault from the official alpine image pinned by its arm64 manifest digest (each layer sha256-verified), then re-verifies the extracted binary against a self-derived sha256.ROCKET_ADDRESS=127.0.0.1+SIGNUPS_ALLOWED=falseasserted;ADMIN_TOKENunset;ENABLE_DB_WAL=true. See docs/VAULT.md. - Radicale (
dav.) — CalDAV/CardDAV/tasks. Python venv on ext4; bcrypt from a prebuilt aarch64 wheel only (fail-closed, never compiles);hostsforced to loopback + asserted; bcrypt htpasswd seeded off-argv; root-mounted vhost so.well-knowndiscovery works; collection root forced to ext4. The admin panel gains a/davQR connect-card (the QR carries only the URL + username, never the password). See docs/DAV.md. - Trilium (
wiki.) — notes/wiki, from the official first-party arm64 server tarball (bundled Node + prebuilt better-sqlite3, no node-gyp).TRILIUM_NETWORK_HOST=127.0.0.1forced + asserted (default is0.0.0.0); a fail-closed GLIBCXX boot-smoke;document.dbon ext4. See docs/NOTES.md. - Wallabag (
read.) — read-later, from the official bundled tarball (vendor/pre-installed, no composer), reusing php-fpm; SQLite on ext4; admin password fed on stdin (off-argv); upgrades back up the DB before migrations + clear/warm the prod cache. See docs/READLATER.md.
Each new doc carries a prominent Resource & Risk section.
Validated on real arm64 (qemu-aarch64 containers, real pinned artifacts): Trilium GLIBCXX boot + loopback bind, Wallabag fos:user stdin admin-seed + wallabag:install + cache:clear, Radicale bcrypt-wheel install + auth + loopback bind, Vaultwarden extract (binary sha256 exact-match) + run, and caddy validate of all four vhosts. CI gates green (leak-scan, shellcheck, py_compile, install --check).
Pre-release: interfaces may still change before 1.0.
Full changelog: CHANGELOG.md