Build tooling improvements for 4.1.4

- Rename flash-pi.sh → flash-stock-img.sh for clarity
- Add 16GB partition sizing option (faster imaging)
- Disable Pi OS auto-expand to preserve partition size
- Add pip-audit security check to release validation
- Add config.json.example, gitignore actual config

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.gitignore

@@ -84,3 +84,4 @@ pishrink.sh
 
 # Temp file storage
 frontends/web/temp_files/
+rpi/config.json

PLAN-4.1.4.md

@@ -2,9 +2,9 @@
 
 ## Build / Deploy
 - [ ] Pre-built Python 3.12 venv tarball for Pi (skip 20+ min compile)
-- [ ] Fixed partition sizing in flash script (8-16GB rootfs for faster imaging)
+- [x] Fixed partition sizing in flash script (16GB rootfs for faster imaging)
-- [ ] Rename `flash-pi.sh` → `flash-stock-img.sh` for clarity
+- [x] Rename `flash-pi.sh` → `flash-stock-img.sh` for clarity
-- [ ] pip-audit integration in release validation
+- [x] pip-audit integration in release validation
 
 ## Features
 - [ ] QR channel key sharing (needs UI thought - avoid crowding encode/decode pages)

rpi/config.json.example

@@ -0,0 +1,12 @@
+{
+  "hostname": "stegasoo",
+  "username": "admin",
+  "password": "stegasoo",
+  "wifiSSID": "YourNetworkName",
+  "wifiPassword": "YourWiFiPassword",
+  "wifiCountry": "US",
+  "locale": "en_US.UTF-8",
+  "keyboardLayout": "us",
+  "timezone": "America/New_York",
+  "enableSSH": true
+}

rpi/flash-stock-img.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # Flash Raspberry Pi image with headless config (Trixie/Bookworm compatible)
-# Usage: ./flash-pi.sh <image.img.xz> <device>
+# Usage: ./flash-stock-img.sh <image.img.xz> <device>
 # Reads settings from config.json in same directory
 #
 # Uses the same firstrun.sh approach as rpi-imager for compatibility
@@ -103,13 +103,66 @@ sleep 1
 # ============================================================================
 if [ -b "${DEVICE}1" ]; then
     BOOT_PART="${DEVICE}1"
+    ROOT_PART="${DEVICE}2"
 elif [ -b "${DEVICE}p1" ]; then
     BOOT_PART="${DEVICE}p1"
+    ROOT_PART="${DEVICE}p2"
 else
     echo "Error: Could not find boot partition"
     exit 1
 fi
 
+# ============================================================================
+# Resize rootfs to 16GB (faster imaging)
+# ============================================================================
+echo
+read -p "Resize rootfs to 16GB for faster imaging? [Y/n] " resize_confirm
+if [[ ! "$resize_confirm" =~ ^[Nn]$ ]]; then
+    echo "Resizing rootfs partition to 16GB..."
+
+    # Get boot partition end
+    BOOT_END=$(sudo parted -s "$DEVICE" unit s print | grep "^ 1" | awk '{print $3}' | tr -d 's')
+
+    # Calculate 16GB in sectors (512 byte sectors)
+    # 16GB = 16 * 1024 * 1024 * 1024 / 512 = 33554432 sectors
+    ROOT_SIZE_SECTORS=33554432
+    ROOT_END=$((BOOT_END + ROOT_SIZE_SECTORS))
+
+    # Delete and recreate partition 2 with fixed size
+    sudo parted -s "$DEVICE" rm 2
+    sudo parted -s "$DEVICE" mkpart primary ext4 $((BOOT_END + 1))s ${ROOT_END}s
+
+    # Refresh partition table
+    sudo partprobe "$DEVICE"
+    sleep 1
+
+    # Check and resize filesystem
+    echo "Checking filesystem..."
+    sudo e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+
+    echo "Resizing filesystem to fit partition..."
+    sudo resize2fs "$ROOT_PART"
+
+    # Disable Pi OS auto-expand on first boot
+    echo "Disabling auto-expand..."
+    TEMP_ROOT=$(mktemp -d)
+    sudo mount "$ROOT_PART" "$TEMP_ROOT"
+
+    # Remove resize2fs_once service if it exists
+    sudo rm -f "$TEMP_ROOT/etc/init.d/resize2fs_once"
+    sudo rm -f "$TEMP_ROOT/etc/rc3.d/S01resize2fs_once"
+
+    # Disable the systemd resize service
+    sudo rm -f "$TEMP_ROOT/etc/systemd/system/multi-user.target.wants/rpi-resizerootfs.service"
+
+    # Remove init= parameter from cmdline.txt on boot partition (handled later)
+
+    sudo umount "$TEMP_ROOT"
+    rmdir "$TEMP_ROOT"
+
+    echo "  Rootfs resized to 16GB (auto-expand disabled)"
+fi
+
 MOUNT_DIR=$(mktemp -d)
 
 # ============================================================================
@@ -213,8 +266,8 @@ sudo chmod +x "$MOUNT_DIR/firstrun.sh"
 echo "Updating cmdline.txt..."
 CMDLINE="$MOUNT_DIR/cmdline.txt"
 if [ -f "$CMDLINE" ]; then
-    # Read current cmdline, strip any existing systemd.run, append new one
+    # Read current cmdline, strip existing systemd.run and init= (auto-expand)
-    CURRENT=$(cat "$CMDLINE" | tr -d '\n' | sed 's| systemd.run.*||g')
+    CURRENT=$(cat "$CMDLINE" | tr -d '\n' | sed 's| systemd.run.*||g' | sed 's| init=[^ ]*||g')
     echo "$CURRENT systemd.run=/boot/firmware/firstrun.sh systemd.run_success_action=reboot systemd.unit=kernel-command-line.target" | sudo tee "$CMDLINE" > /dev/null
     echo "  cmdline.txt updated"
 fi

scripts/validate-release.sh

@@ -120,7 +120,34 @@ else
 fi
 
 # =============================================================================
-# 2. Unit Tests (if they exist)
+# 2. Security Audit
+# =============================================================================
+section "Security Audit"
+
+# pip-audit for known vulnerabilities
+if command -v ./venv/bin/pip-audit &> /dev/null; then
+    echo -n "Running pip-audit... "
+    if ./venv/bin/pip-audit --quiet 2>/dev/null; then
+        pass "No known vulnerabilities"
+    else
+        fail "pip-audit found vulnerabilities (run: ./venv/bin/pip-audit)"
+    fi
+else
+    echo -n "Installing pip-audit... "
+    if ./venv/bin/pip install pip-audit --quiet 2>/dev/null; then
+        echo -n "Running pip-audit... "
+        if ./venv/bin/pip-audit --quiet 2>/dev/null; then
+            pass "No known vulnerabilities"
+        else
+            fail "pip-audit found vulnerabilities (run: ./venv/bin/pip-audit)"
+        fi
+    else
+        skip "Could not install pip-audit"
+    fi
+fi
+
+# =============================================================================
+# 3. Unit Tests (if they exist)
 # =============================================================================
 section "Unit Tests"
 
@@ -136,7 +163,7 @@ else
 fi
 
 # =============================================================================
-# 3. Import Tests
+# 4. Import Tests
 # =============================================================================
 section "Import Tests"
 
@@ -165,7 +192,7 @@ else
 fi
 
 # =============================================================================
-# 4. Encode/Decode Sanity Test
+# 5. Encode/Decode Sanity Test
 # =============================================================================
 section "Encode/Decode Test"
 
@@ -205,7 +232,7 @@ else
 fi
 
 # =============================================================================
-# 5. Docker Build & Test (optional)
+# 6. Docker Build & Test (optional)
 # =============================================================================
 if $INCLUDE_DOCKER; then
     section "Docker"
@@ -248,7 +275,7 @@ else
 fi
 
 # =============================================================================
-# 6. Pi Smoke Test (optional)
+# 7. Pi Smoke Test (optional)
 # =============================================================================
 if $INCLUDE_PI; then
     section "Pi Smoke Test"