Merge branch 'main' of github.com:adlee-was-taken/stegasoo

Minor fixes
Pre-consolidation snapshot: backends, steganalysis, platform presets, and WIP changes
2026-04-04 16:29:34 -04:00 · 2026-04-04 16:29:20 -04:00 · 2026-04-01 18:56:36 -04:00 · 2026-03-24 16:00:30 -04:00 · 2026-03-01 16:27:02 -05:00 · 2026-02-28 11:58:40 -05:00
213 changed files with 56722 additions and 6842 deletions
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -0,0 +1,5 @@
 {
  "enabledPlugins": {
    "church@church": true
  }
 }
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,52 @@
 # Git
 .git
 .gitignore
 # Python
 __pycache__
 *.py[cod]
 *.egg-info
 .eggs
 venv/
 .venv/
 # Instance data (user creates fresh)
 frontends/web/instance/
 frontends/web/certs/
 instance/
 # Test data
 test_data/
 tests/
 # Pi-specific
 rpi/
 *.img
 *.img.xz
 *.img.zst
 *.img.zst.zip
 # Docs
 *.md
 docs/
 # IDE
 .vscode/
 .idea/
 # Misc
 *.log
 *.tmp
 .DS_Store
 # Dev scripts and old files
 scripts/
 old_files/
 *_old
 *_old.*
 *.bak
 *.orig
 # Temp files
 frontends/web/temp_files/
 *.db
--- a/.github/CI_CD_PRIMER.md
+++ b/.github/CI_CD_PRIMER.md
@@ -0,0 +1,228 @@
 # CI/CD Primer for Stegasoo
 ## What is CI/CD?
 **CI** = Continuous Integration
 **CD** = Continuous Deployment
 Think of it as a robot assistant that automatically:
 1. **Tests your code** every time you push
 2. **Checks formatting** so code stays consistent
 3. **Publishes releases** when you tag a version
 ```
 You push code → GitHub runs workflows → You get ✓ or ✗
 ```
 ---
 ## How It Works
 ### The Trigger
 When you `git push` or create a Pull Request, GitHub looks for workflow files in:
 ```
 .github/workflows/*.yml
 ```
 Each `.yml` file defines a workflow - a series of steps to run.
 ### The Runners
 GitHub provides free Linux/Mac/Windows VMs that:
 1. Clone your repo
 2. Set up Python
 3. Run your commands
 4. Report success/failure
 You don't manage servers - GitHub does.
 ---
 ## Your Workflows
 ### 1. `test.yml` - Run Tests on Every Push
 **When it runs:** Every push, every PR
 **What it does:**
 ```
 1. Spins up Ubuntu VM
 2. Installs Python 3.10, 3.11, 3.12
 3. Installs your package + dependencies
 4. Runs pytest
 5. Reports pass/fail
 ```
 **You'll see:** Green ✓ or red ✗ on your commits
 ### 2. `lint.yml` - Check Code Style
 **When it runs:** Every push, every PR
 **What it does:**
 ```
 1. Runs ruff (fast Python linter)
 2. Checks black formatting
 3. Fails if code isn't formatted
 ```
 **Why:** Keeps code consistent, catches common bugs
 ### 3. `release.yml` - Publish to PyPI
 **When it runs:** Only when you create a version tag
 **What it does:**
 ```
 1. Builds the package (wheel + sdist)
 2. Uploads to PyPI
 ```
 **You trigger it by:**
 ```bash
 git tag v2.2.0
 git push origin v2.2.0
 ```
 ---
 ## Day-to-Day Usage
 ### Normal Development
 ```bash
 # Make changes
 git add .
 git commit -m "Add new feature"
 git push
 ```
 Then check GitHub → Actions tab → See if tests pass.
 ### If Tests Fail
 1. Click the failed workflow
 2. Click the failed job
 3. Read the error log
 4. Fix locally, push again
 ### Making a Release
 ```bash
 # 1. Update version in pyproject.toml and constants.py
 # 2. Commit the version bump
 git add .
 git commit -m "Bump version to 2.2.1"
 git push
 # 3. Create and push a tag
 git tag v2.2.1
 git push origin v2.2.1
 # 4. GitHub automatically publishes to PyPI
 ```
 ---
 ## Reading the GitHub UI
 ### Actions Tab
 ```
 Repository → Actions → [List of workflow runs]
 ```
 Each run shows:
 - ✓ Green checkmark = passed
 - ✗ Red X = failed
 - 🟡 Yellow dot = running
 ### Pull Request Checks
 When you open a PR, you'll see:
 ```
 ┌─────────────────────────────────────────┐
 │ All checks have passed                  │
 │ ✓ test (3.10) — 45s                     │
 │ ✓ test (3.11) — 42s                     │
 │ ✓ test (3.12) — 44s                     │
 │ ✓ lint — 12s                            │
 └─────────────────────────────────────────┘
 ```
 ---
 ## Setting Up PyPI Publishing
 For `release.yml` to work, you need to add a PyPI API token:
 ### One-Time Setup
 1. **Create PyPI account** at https://pypi.org/account/register/
 2. **Generate API token:**
   - PyPI → Account Settings → API tokens
   - Create token (scope: entire account or just stegasoo)
   - Copy the token (starts with `pypi-`)
 3. **Add to GitHub:**
   - GitHub repo → Settings → Secrets and variables → Actions
   - New repository secret
   - Name: `PYPI_API_TOKEN`
   - Value: paste the token
 Now `release.yml` can publish automatically.
 ---
 ## Common Scenarios
 ### "Tests pass locally but fail in CI"
 Usually means:
 - Missing dependency in `pyproject.toml`
 - Hardcoded path that doesn't exist in CI
 - Test relies on local file
 ### "Lint is failing"
 Run locally to see/fix:
 ```bash
 # Check issues
 ruff check src/
 # Auto-fix what's possible
 ruff check --fix src/
 # Format code
 black src/
 ```
 ### "I want to skip CI for a commit"
 Add `[skip ci]` to commit message:
 ```bash
 git commit -m "Update README [skip ci]"
 ```
 ---
 ## Costs
 GitHub Actions is **free** for public repos.
 For private repos: 2,000 minutes/month free, then paid.
 ---
 ## Summary
 | Action | What Happens |
 |--------|--------------|
 | `git push` | Tests + lint run automatically |
 | Open PR | Tests must pass before merge |
 | `git tag v*` | Publishes to PyPI |
 | Check results | GitHub → Actions tab |
 That's it! Push code, check for green checkmarks.
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,98 @@
 name: Bug Report
 description: Report a bug or unexpected behavior
 title: "[Bug]: "
 labels: ["bug", "triage"]
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to report a bug! Please fill out the form below.
  - type: textarea
    id: description
    attributes:
      label: Bug Description
      description: A clear and concise description of what the bug is.
      placeholder: Describe the bug...
    validations:
      required: true
  - type: textarea
    id: reproduction
    attributes:
      label: Steps to Reproduce
      description: Steps to reproduce the behavior.
      placeholder: |
        1. Run command '...'
        2. Upload image '...'
        3. See error
    validations:
      required: true
  - type: textarea
    id: expected
    attributes:
      label: Expected Behavior
      description: What did you expect to happen?
    validations:
      required: true
  - type: textarea
    id: actual
    attributes:
      label: Actual Behavior
      description: What actually happened?
    validations:
      required: true
  - type: dropdown
    id: interface
    attributes:
      label: Interface
      description: Which interface are you using?
      options:
        - CLI
        - Web UI
        - REST API
        - Python Library
    validations:
      required: true
  - type: input
    id: version
    attributes:
      label: Stegasoo Version
      description: Run `stegasoo --version` or check the web UI footer
      placeholder: "4.0.1"
    validations:
      required: true
  - type: input
    id: python-version
    attributes:
      label: Python Version
      description: Run `python --version`
      placeholder: "3.11.0"
    validations:
      required: true
  - type: input
    id: os
    attributes:
      label: Operating System
      placeholder: "Ubuntu 22.04 / Windows 11 / macOS 14"
    validations:
      required: true
  - type: textarea
    id: logs
    attributes:
      label: Error Logs
      description: Paste any relevant error messages or tracebacks.
      render: shell
  - type: textarea
    id: additional
    attributes:
      label: Additional Context
      description: Add any other context, screenshots, or files here.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
 blank_issues_enabled: true
 contact_links:
  - name: Security Vulnerability
    url: https://github.com/adlee-was-taken/stegasoo/security/advisories/new
    about: Report security vulnerabilities privately
  - name: Documentation
    url: https://github.com/adlee-was-taken/stegasoo#readme
    about: Check the documentation before opening an issue
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,62 @@
 name: Feature Request
 description: Suggest a new feature or enhancement
 title: "[Feature]: "
 labels: ["enhancement"]
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for suggesting a feature! Please fill out the form below.
  - type: textarea
    id: problem
    attributes:
      label: Problem Statement
      description: Is your feature request related to a problem? Describe it.
      placeholder: I'm always frustrated when...
    validations:
      required: true
  - type: textarea
    id: solution
    attributes:
      label: Proposed Solution
      description: Describe the solution you'd like.
      placeholder: I would like to be able to...
    validations:
      required: true
  - type: textarea
    id: alternatives
    attributes:
      label: Alternatives Considered
      description: Describe any alternative solutions or features you've considered.
  - type: dropdown
    id: interface
    attributes:
      label: Affected Interface(s)
      description: Which interface(s) would this feature affect?
      multiple: true
      options:
        - CLI
        - Web UI
        - REST API
        - Python Library
        - Core Library
  - type: dropdown
    id: priority
    attributes:
      label: Priority
      description: How important is this feature to you?
      options:
        - Nice to have
        - Would improve my workflow
        - Critical for my use case
  - type: textarea
    id: context
    attributes:
      label: Additional Context
      description: Add any other context, mockups, or examples here.
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,46 @@
 ## Description
 <!-- Describe your changes in detail -->
 ## Type of Change
 <!-- Mark the relevant option with an 'x' -->
 - [ ] Bug fix (non-breaking change that fixes an issue)
 - [ ] New feature (non-breaking change that adds functionality)
 - [ ] Breaking change (fix or feature that would cause existing functionality to change)
 - [ ] Documentation update
 - [ ] Refactoring (no functional changes)
 - [ ] CI/CD or build changes
 ## Related Issues
 <!-- Link any related issues here -->
 Fixes #
 ## Testing
 <!-- Describe how you tested your changes -->
 - [ ] I have added tests that prove my fix/feature works
 - [ ] Existing tests pass locally with my changes
 - [ ] I have tested manually (describe below)
 ### Manual Testing Steps
 <!-- If applicable, describe manual testing performed -->
 ## Checklist
 - [ ] My code follows the project's style guidelines
 - [ ] I have performed a self-review of my code
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have updated the documentation accordingly
 - [ ] I have updated CHANGELOG.md (if user-facing changes)
 - [ ] My changes generate no new warnings
 - [ ] Any dependent changes have been merged and published
 ## Screenshots
 <!-- If applicable, add screenshots to help explain your changes -->
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,63 @@
 # Check code style and formatting
 name: Lint
 on:
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master, develop]
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # 1. Get the code
      - name: Checkout code
        uses: actions/checkout@v4
      # 2. Set up Python
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      # 3. Install linting tools
      - name: Install linters
        run: |
          python -m pip install --upgrade pip
          pip install ruff black
      # 4. Run ruff (fast linter - catches bugs and style issues)
      - name: Run ruff
        run: |
          ruff check src/ tests/ frontends/
      # 5. Check black formatting (doesn't modify, just checks)
      - name: Check black formatting
        run: |
          black --check src/ tests/ frontends/
  # Type checking (optional but helpful)
  typecheck:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
          pip install mypy
      - name: Run mypy
        run: |
          mypy src/stegasoo --ignore-missing-imports
        continue-on-error: true  # Don't fail build on type errors (yet)
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,96 @@
 # Publish to PyPI when a version tag is pushed
 name: Release
 on:
  push:
    tags:
      - 'v*'  # Triggers on v1.0.0, v2.1.0, etc.
 jobs:
  # First, run tests to make sure everything works
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libzbar0
      - name: Install package
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run tests
        run: pytest
  # Then build and publish
  publish:
    needs: test  # Only run if tests pass
    runs-on: ubuntu-latest
    environment: pypi
    # Required for PyPI trusted publishing (recommended)
    permissions:
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install build tools
        run: |
          python -m pip install --upgrade pip
          pip install build twine
      - name: Build package
        run: python -m build
      - name: Check package
        run: twine check dist/*
      # Option 1: Trusted Publishing (recommended, no token needed)
      # Set this up at: https://pypi.org/manage/project/stegasoo/settings/publishing/
      - name: Publish to PyPI (Trusted Publishing)
        uses: pypa/gh-action-pypi-publish@release/v1
        # No token needed if you configure trusted publishing on PyPI
      # Option 2: API Token (uncomment if not using trusted publishing)
      # - name: Publish to PyPI (API Token)
      #   env:
      #     TWINE_USERNAME: __token__
      #     TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
      #   run: twine upload dist/*
  # Create GitHub Release with changelog
  github-release:
    needs: publish
    runs-on: ubuntu-latest
    permissions:
      contents: write  # Needed to create releases
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          generate_release_notes: true
          files: |
            dist/*
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,53 @@
 # Run tests on every push and pull request
 name: Tests
 on:
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master, develop]
 jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false  # Don't cancel other jobs if one fails
      matrix:
        python-version: ["3.11", "3.12", "3.13"]
    steps:
      # 1. Get the code
      - name: Checkout code
        uses: actions/checkout@v4
      # 2. Set up Python
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      # 3. Install system dependencies (for pyzbar QR reading)
      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libzbar0
      # 4. Install the package with all dependencies
      - name: Install package
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      # 5. Run tests with coverage
      - name: Run tests
        run: |
          pytest --cov=stegasoo --cov-report=xml --cov-report=term-missing
      # 6. Upload coverage report (optional - integrates with codecov.io)
      - name: Upload coverage
        uses: codecov/codecov-action@v4
        if: matrix.python-version == '3.11'  # Only upload once
        with:
          files: ./coverage.xml
          fail_ci_if_error: false  # Don't fail if codecov is down
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
 # Embedded repos (AUR packaging)
 aur-cli-upload/
 # Python
 __pycache__/
 *.py[cod]
@@ -35,6 +38,12 @@ old_files/
 *.swp
 *.swo
 # Backup files
 *_old
 *_old.*
 *.bak
 *.orig
 # Testing
 .pytest_cache/
 .coverage
@@ -48,7 +57,7 @@ htmlcov/
 # Environment
 .env
-.env.*
+.env.local
 *.log
 # Distribution
@@ -56,4 +65,46 @@ htmlcov/
 *.spec
 # Output test files.
-*.png
+test_data/*.png
 # Dev scripts (local convenience scripts - except these)
 scripts/*
 !scripts/validate-release.sh
 !scripts/smoke-test.sh
 !scripts/setup-trusted-certs.sh
 !scripts/screenshots.sh
 !scripts/build.sh
 # Web UI auth database and SSL certs
 instance/
 frontends/web/instance/
 frontends/web/certs/
 # Tests (private)
 tests/
 # RPi image build artifacts
 *.img
 *.img.xz
 *.img.zst
 *.img.zst.zip
 rpi/tools/pishrink.sh
 # Temp file storage
 frontends/web/temp_files/
 rpi/config.json
 # Pre-built Pi tarballs and images (release assets, too large for git)
 rpi/*.tar.zst
 rpi/*.tar.zst.zip
 rpi/*.img
 rpi/*.img.zst
 rpi/*.img.zst.zip
 # AUR build artifacts
 aur-upload/
 aur/.SRCINFO
 aur/*.pkg.tar.zst
 # Docker pre-built images and deps (release assets, too large for git)
 docker/*.tar.zst
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,40 @@
 # Pre-commit hooks - run formatting/linting before each commit
 # Install: pip install pre-commit && pre-commit install
 # Manual run: pre-commit run --all-files
 repos:
  # Ruff - fast Python linter (replaces flake8, isort, etc.)
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.1.6
    hooks:
      - id: ruff
        args: [--fix]  # Auto-fix what's possible
      - id: ruff-format  # Ruff's formatter (alternative to black)
  # Black - code formatter (comment out if using ruff-format above)
  # - repo: https://github.com/psf/black
  #   rev: 23.11.0
  #   hooks:
  #     - id: black
  # Basic file hygiene
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace      # Remove trailing spaces
      - id: end-of-file-fixer        # Ensure newline at EOF
      - id: check-yaml               # Validate YAML
      - id: check-toml               # Validate TOML
      - id: check-added-large-files  # Prevent giant files
        args: ['--maxkb=1000']
      - id: check-merge-conflict     # No merge conflict markers
      - id: debug-statements         # No print() or pdb left behind
  # Security checks
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.6
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml"]
        additional_dependencies: ["bandit[toml]"]
        exclude: tests/
--- a/.python-version
+++ b/.python-version
@@ -0,0 +1 @@
 3.12
--- a/API.md
+++ b/API.md
@@ -0,0 +1,882 @@
 # Stegasoo REST API Documentation (v4.0.2)
 Complete REST API reference for Stegasoo steganography operations.
 ## Table of Contents
 - [Overview](#overview)
 - [What's New in v4.0.0](#whats-new-in-v400)
 - [Installation](#installation)
 - [Base URL](#base-url)
 - [Endpoints](#endpoints)
  - [GET /](#get--status)
  - [GET /modes](#get-modes)
  - [GET /channel/status](#get-channelstatus)
  - [POST /channel/generate](#post-channelgenerate)
  - [POST /channel/set](#post-channelset)
  - [DELETE /channel](#delete-channel)
  - [POST /generate](#post-generate)
  - [POST /encode](#post-encode-json)
  - [POST /encode/file](#post-encodefile)
  - [POST /encode/multipart](#post-encodemultipart)
  - [POST /decode](#post-decode-json)
  - [POST /decode/multipart](#post-decodemultipart)
  - [POST /compare](#post-compare)
  - [POST /will-fit](#post-will-fit)
  - [POST /image/info](#post-imageinfo)
 - [Channel Keys](#channel-keys)
 - [Data Models](#data-models)
 - [Error Handling](#error-handling)
 - [Code Examples](#code-examples)
 ---
 ## Overview
 The Stegasoo REST API provides programmatic access to all steganography operations:
 - **Generate** credentials (passphrase, PINs, RSA keys)
 - **Encode** messages or files into images (LSB or DCT mode)
 - **Decode** messages or files from images (auto-detects mode)
 - **Channel keys** for deployment/group isolation (v4.0.0)
 - **Analyze** image capacity and compare modes
 The API supports both JSON (base64-encoded images) and multipart form data (direct file uploads).
 ---
 ## What's New in v4.0.0
 Version 4.0.0 adds **channel key** support for deployment/group isolation:
 | Feature | Description |
 |---------|-------------|
 | Channel keys | 256-bit keys that isolate message groups |
 | New endpoints | `/channel/status`, `/channel/generate`, `/channel/set`, `DELETE /channel` |
 | Encode/decode param | `channel_key` parameter on all encode/decode endpoints |
 | Response headers | `X-Stegasoo-Channel-Mode` and `X-Stegasoo-Channel-Fingerprint` |
 **Key benefits:**
 - ✅ Isolate messages between teams, deployments, or groups
 - ✅ Same credentials can't decode messages from different channels
 - ✅ Backward compatible (public mode = no channel key)
 **Breaking change:** v4.0.0 messages (with channel key) cannot be decoded by v3.x installations.
 ---
 ## Installation
 ### From PyPI
 ```bash
 pip install stegasoo[api]
 ```
 ### Running the Server
 **Development:**
 ```bash
 cd frontends/api
 python main.py
 ```
 **Production:**
 ```bash
 uvicorn main:app --host 0.0.0.0 --port 8000 --workers 4
 ```
 **Docker with channel key:**
 ```bash
 STEGASOO_CHANNEL_KEY=XXXX-XXXX-... docker-compose -f docker/docker-compose.yml up api
 ```
 ---
 ## Base URL
 | Environment | URL |
 |-------------|-----|
 | Local Development | `http://localhost:8000` |
 | Docker | `http://localhost:8000` |
 | Production | Configure as needed |
 ---
 ## Endpoints
 ### GET / (Status)
 Check API status and configuration.
 #### Response
 ```json
 {
  "version": "4.0.2",
  "has_argon2": true,
  "has_qrcode_read": true,
  "has_dct": true,
  "max_payload_kb": 500,
  "available_modes": ["lsb", "dct"],
  "dct_features": {
    "output_formats": ["png", "jpeg"],
    "color_modes": ["grayscale", "color"]
  },
  "channel": {
    "mode": "private",
    "configured": true,
    "fingerprint": "ABCD-••••-••••-••••-••••-••••-••••-3456",
    "source": "~/.stegasoo/channel.key"
  },
  "breaking_changes": {
    "v4_channel_key": "Messages encoded with channel key require same key to decode",
    "format_version": 5,
    "backward_compatible": false
  }
 }
 ```
 ---
 ### GET /modes
 Get available embedding modes and channel status.
 #### Response
 ```json
 {
  "lsb": {
    "available": true,
    "name": "Spatial LSB",
    "description": "Embed in pixel LSBs, outputs PNG/BMP",
    "output_format": "PNG (color)",
    "capacity_ratio": "100%"
  },
  "dct": {
    "available": true,
    "name": "DCT Domain",
    "output_formats": ["png", "jpeg"],
    "color_modes": ["grayscale", "color"],
    "capacity_ratio": "~20% of LSB",
    "requires": "scipy"
  },
  "channel": {
    "mode": "private",
    "configured": true,
    "fingerprint": "ABCD-••••-••••-••••-••••-••••-••••-3456"
  }
 }
 ```
 ---
 ### GET /channel/status
 Get current channel key status. **New in v4.0.0.**
 #### Query Parameters
 | Parameter | Type | Default | Description |
 |-----------|------|---------|-------------|
 | `reveal` | boolean | `false` | Include full key in response |
 #### Response
 ```json
 {
  "mode": "private",
  "configured": true,
  "fingerprint": "ABCD-••••-••••-••••-••••-••••-••••-3456",
  "source": "~/.stegasoo/channel.key",
  "key": null
 }
 ```
 With `reveal=true`:
 ```json
 {
  "mode": "private",
  "configured": true,
  "fingerprint": "ABCD-••••-••••-••••-••••-••••-••••-3456",
  "source": "~/.stegasoo/channel.key",
  "key": "ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456"
 }
 ```
 #### cURL Example
 ```bash
 # Show status
 curl http://localhost:8000/channel/status
 # Reveal full key
 curl "http://localhost:8000/channel/status?reveal=true"
 ```
 ---
 ### POST /channel/generate
 Generate a new channel key. **New in v4.0.0.**
 #### Query Parameters
 | Parameter | Type | Default | Description |
 |-----------|------|---------|-------------|
 | `save` | boolean | `false` | Save to user config |
 | `save_project` | boolean | `false` | Save to project config |
 #### Response
 ```json
 {
  "key": "ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456",
  "fingerprint": "ABCD-••••-••••-••••-••••-••••-••••-3456",
  "saved": true,
  "save_location": "~/.stegasoo/channel.key"
 }
 ```
 #### cURL Examples
 ```bash
 # Just generate (don't save)
 curl -X POST http://localhost:8000/channel/generate
 # Generate and save to user config
 curl -X POST "http://localhost:8000/channel/generate?save=true"
 # Generate and save to project config
 curl -X POST "http://localhost:8000/channel/generate?save_project=true"
 ```
 ---
 ### POST /channel/set
 Set/save a channel key to config. **New in v4.0.0.**
 #### Request Body
 ```json
 {
  "key": "ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456",
  "location": "user"
 }
 ```
 | Field | Type | Default | Description |
 |-------|------|---------|-------------|
 | `key` | string | required | Channel key |
 | `location` | string | `"user"` | `"user"` or `"project"` |
 #### Response
 ```json
 {
  "success": true,
  "location": "~/.stegasoo/channel.key",
  "fingerprint": "ABCD-••••-••••-••••-••••-••••-••••-3456"
 }
 ```
 ---
 ### DELETE /channel
 Clear channel key from config. **New in v4.0.0.**
 #### Query Parameters
 | Parameter | Type | Default | Description |
 |-----------|------|---------|-------------|
 | `location` | string | `"user"` | `"user"`, `"project"`, or `"all"` |
 #### Response
 ```json
 {
  "success": true,
  "mode": "public",
  "still_configured": false,
  "remaining_source": null
 }
 ```
 #### cURL Example
 ```bash
 # Clear user config
 curl -X DELETE http://localhost:8000/channel
 # Clear project config
 curl -X DELETE "http://localhost:8000/channel?location=project"
 # Clear all
 curl -X DELETE "http://localhost:8000/channel?location=all"
 ```
 ---
 ### POST /generate
 Generate credentials for encoding/decoding.
 #### Request Body
 ```json
 {
  "use_pin": true,
  "use_rsa": false,
  "pin_length": 6,
  "rsa_bits": 2048,
  "words_per_passphrase": 4
 }
 ```
 #### Response
 ```json
 {
  "passphrase": "abandon ability able about",
  "pin": "847293",
  "rsa_key_pem": null,
  "entropy": {
    "passphrase": 44,
    "pin": 19,
    "rsa": 0,
    "total": 63
  }
 }
 ```
 ---
 ### POST /encode (JSON)
 Encode a text message into an image.
 #### Request Body
 ```json
 {
  "message": "Secret message here",
  "reference_photo_base64": "iVBORw0KGgo...",
  "carrier_image_base64": "iVBORw0KGgo...",
  "passphrase": "apple forest thunder mountain",
  "pin": "123456",
  "rsa_key_base64": null,
  "rsa_password": null,
  "channel_key": null,
  "embed_mode": "lsb",
  "dct_output_format": "png",
  "dct_color_mode": "grayscale"
 }
 ```
 #### Channel Key Parameter (v4.0.0)
 | Value | Effect |
 |-------|--------|
 | `null` | Auto mode - use server-configured key |
 | `""` (empty string) | Public mode - no channel isolation |
 | `"XXXX-XXXX-..."` | Explicit key - use this specific key |
 #### Response
 ```json
 {
  "stego_image_base64": "iVBORw0KGgo...",
  "filename": "a1b2c3d4.png",
  "capacity_used_percent": 12.4,
  "embed_mode": "lsb",
  "output_format": "png",
  "color_mode": "color",
  "channel_mode": "private",
  "channel_fingerprint": "ABCD-••••-••••-••••-••••-••••-••••-3456"
 }
 ```
 ---
 ### POST /encode/file
 Encode a file into an image (JSON with base64).
 Same parameters as `/encode`, plus:
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `file_data_base64` | string | ✓ | Base64-encoded file data |
 | `filename` | string | ✓ | Original filename |
 | `mime_type` | string | | MIME type |
 ---
 ### POST /encode/multipart
 Encode using multipart form data (file uploads).
 #### Form Fields
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `passphrase` | string | ✓ | Passphrase |
 | `reference_photo` | file | ✓ | Reference photo |
 | `carrier` | file | ✓ | Carrier image |
 | `message` | string | * | Text message |
 | `payload_file` | file | * | Binary file to embed |
 | `pin` | string | | Static PIN |
 | `rsa_key` | file | | RSA key (.pem) |
 | `rsa_key_qr` | file | | RSA key (QR code image) |
 | `rsa_password` | string | | RSA key password |
 | `channel_key` | string | | `"auto"` (default), `"none"=public`, or explicit key |
 | `embed_mode` | string | | `"lsb"` or `"dct"` |
 | `dct_output_format` | string | | `"png"` or `"jpeg"` |
 | `dct_color_mode` | string | | `"grayscale"` or `"color"` |
 \* Provide either `message` or `payload_file`
 #### Channel Key in Multipart
 For form data, the channel_key field uses strings:
 | Value | Effect |
 |-------|--------|
 | `"auto"` | Use server config (default) |
 | `"none"` | Public mode |
 | `"XXXX-XXXX-..."` | Explicit key |
 #### Response
 Returns the stego image directly with headers:
 ```http
 HTTP/1.1 200 OK
 Content-Type: image/png
 Content-Disposition: attachment; filename=a1b2c3d4.png
 X-Stegasoo-Capacity-Percent: 12.4
 X-Stegasoo-Embed-Mode: lsb
 X-Stegasoo-Channel-Mode: private
 X-Stegasoo-Channel-Fingerprint: ABCD-••••-...-3456
 X-Stegasoo-Version: 4.0.2
 <binary image data>
 ```
 #### cURL Examples
 ```bash
 # Encode with auto channel key (default)
 curl -X POST http://localhost:8000/encode/multipart \
  -F "passphrase=apple forest thunder mountain" \
  -F "pin=123456" \
  -F "message=Secret message" \
  -F "reference_photo=@reference.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 # Encode with explicit channel key
 curl -X POST http://localhost:8000/encode/multipart \
  -F "passphrase=words here" \
  -F "pin=123456" \
  -F "message=Team message" \
  -F "channel_key=ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456" \
  -F "reference_photo=@reference.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 # Encode in public mode (no channel isolation)
 curl -X POST http://localhost:8000/encode/multipart \
  -F "passphrase=words here" \
  -F "pin=123456" \
  -F "message=Public message" \
  -F "channel_key=none" \
  -F "reference_photo=@reference.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 ```
 ---
 ### POST /decode (JSON)
 Decode a message or file from a stego image.
 #### Request Body
 ```json
 {
  "stego_image_base64": "iVBORw0KGgo...",
  "reference_photo_base64": "iVBORw0KGgo...",
  "passphrase": "apple forest thunder mountain",
  "pin": "123456",
  "rsa_key_base64": null,
  "rsa_password": null,
  "channel_key": null,
  "embed_mode": "auto"
 }
 ```
 #### Response (Text)
 ```json
 {
  "payload_type": "text",
  "message": "Secret message here",
  "file_data_base64": null,
  "filename": null,
  "mime_type": null
 }
 ```
 #### Response (File)
 ```json
 {
  "payload_type": "file",
  "message": null,
  "file_data_base64": "UEsDBBQAAAA...",
  "filename": "document.pdf",
  "mime_type": "application/pdf"
 }
 ```
 ---
 ### POST /decode/multipart
 Decode using multipart form data.
 #### Form Fields
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `passphrase` | string | ✓ | Passphrase |
 | `reference_photo` | file | ✓ | Reference photo |
 | `stego_image` | file | ✓ | Stego image to decode |
 | `pin` | string | | Static PIN |
 | `rsa_key` | file | | RSA key (.pem) |
 | `rsa_key_qr` | file | | RSA key (QR code image) |
 | `rsa_password` | string | | RSA key password |
 | `channel_key` | string | | `"auto"` (default), `"none"=public`, or explicit key |
 | `embed_mode` | string | | `"auto"`, `"lsb"`, or `"dct"` |
 ---
 ## Channel Keys
 ### Overview
 Channel keys provide **deployment/group isolation**. Messages encoded with a channel key can only be decoded with the same key.
 ### Key Format
 ```
 ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 └──┘ └──┘ └──┘ └──┘ └──┘ └──┘ └──┘ └──┘
  8 groups of 4 alphanumeric characters (256 bits)
 ```
 ### Storage Locations
 Keys are checked in order:
 | Priority | Location | Best For |
 |----------|----------|----------|
 | 1 | `STEGASOO_CHANNEL_KEY` env var | Docker, CI/CD |
 | 2 | `./config/channel.key` | Project-specific |
 | 3 | `~/.stegasoo/channel.key` | User default |
 ### API Parameter Values
 #### JSON Endpoints (`/encode`, `/decode`)
 | Value | Effect |
 |-------|--------|
 | `null` | Auto - use server config |
 | `""` | Public mode |
 | `"XXXX-..."` | Explicit key |
 #### Multipart Endpoints (`/encode/multipart`, `/decode/multipart`)
 | Value | Effect |
 |-------|--------|
 | `"auto"` | Use server config (default) |
 | `"none"` | Public mode |
 | `"XXXX-..."` | Explicit key |
 ### Workflow Example
 ```bash
 # 1. Generate a channel key for the team
 KEY=$(curl -s -X POST http://localhost:8000/channel/generate | jq -r '.key')
 echo "Team key: $KEY"
 # 2. Distribute to team members (securely!)
 # 3. Each deployment sets the key
 export STEGASOO_CHANNEL_KEY=$KEY
 # 4. Encode - automatically uses server key
 curl -X POST http://localhost:8000/encode/multipart \
  -F "passphrase=team passphrase" \
  -F "pin=123456" \
  -F "message=Team secret" \
  -F "reference_photo=@ref.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 # 5. Decode - automatically uses server key
 curl -X POST http://localhost:8000/decode/multipart \
  -F "passphrase=team passphrase" \
  -F "pin=123456" \
  -F "reference_photo=@ref.jpg" \
  -F "stego_image=@stego.png"
 ```
 ---
 ## Data Models
 ### ChannelStatusResponse
 ```json
 {
  "mode": "private",
  "configured": true,
  "fingerprint": "ABCD-••••-...-3456",
  "source": "~/.stegasoo/channel.key",
  "key": "ABCD-1234-..." 
 }
 ```
 ### EncodeResponse (v4.0.0)
 ```json
 {
  "stego_image_base64": "string",
  "filename": "string",
  "capacity_used_percent": 12.4,
  "embed_mode": "lsb",
  "output_format": "png",
  "color_mode": "color",
  "channel_mode": "private",
  "channel_fingerprint": "ABCD-••••-...-3456"
 }
 ```
 ### DecodeResponse
 ```json
 {
  "payload_type": "text",
  "message": "string",
  "file_data_base64": null,
  "filename": null,
  "mime_type": null
 }
 ```
 ---
 ## Error Handling
 ### HTTP Status Codes
 | Code | Meaning | Use Case |
 |------|---------|----------|
 | 200 | OK | Successful operation |
 | 400 | Bad Request | Invalid input, capacity error, invalid channel key |
 | 401 | Unauthorized | Decryption failed, channel key mismatch |
 | 500 | Internal Error | Unexpected server error |
 | 501 | Not Implemented | Feature unavailable |
 ### Channel Key Errors
 | Status | Error | Cause |
 |--------|-------|-------|
 | 400 | "Invalid channel key format" | Key doesn't match `XXXX-XXXX-...` pattern |
 | 401 | "Message encoded with channel key but none configured" | Need to provide channel key |
 | 401 | "Message encoded without channel key" | Use `channel_key=""` or `"none"` |
 ---
 ## Code Examples
 ### Python
 ```python
 import requests
 BASE_URL = "http://localhost:8000"
 # Check channel status
 status = requests.get(f"{BASE_URL}/channel/status").json()
 print(f"Channel mode: {status['mode']}")
 print(f"Fingerprint: {status.get('fingerprint', 'N/A')}")
 # Generate channel key
 response = requests.post(f"{BASE_URL}/channel/generate?save=true")
 key_info = response.json()
 print(f"Generated: {key_info['fingerprint']}")
 # Encode with channel key (auto from server)
 with open("ref.jpg", "rb") as ref, open("carrier.png", "rb") as carrier:
    response = requests.post(f"{BASE_URL}/encode/multipart", files={
        "reference_photo": ref,
        "carrier": carrier,
    }, data={
        "message": "Team secret",
        "passphrase": "apple forest thunder",
        "pin": "123456",
        # channel_key defaults to "auto" (use server config)
    })
    with open("stego.png", "wb") as f:
        f.write(response.content)
    print(f"Channel mode: {response.headers.get('X-Stegasoo-Channel-Mode')}")
 # Encode with explicit channel key
 with open("ref.jpg", "rb") as ref, open("carrier.png", "rb") as carrier:
    response = requests.post(f"{BASE_URL}/encode/multipart", files={
        "reference_photo": ref,
        "carrier": carrier,
    }, data={
        "message": "Using explicit key",
        "passphrase": "words here",
        "pin": "123456",
        "channel_key": "ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456",
    })
 # Decode
 with open("ref.jpg", "rb") as ref, open("stego.png", "rb") as stego:
    response = requests.post(f"{BASE_URL}/decode/multipart", files={
        "reference_photo": ref,
        "stego_image": stego,
    }, data={
        "passphrase": "apple forest thunder",
        "pin": "123456",
        # channel_key defaults to "auto"
    })
    result = response.json()
    print(f"Decoded: {result.get('message')}")
 ```
 ### JavaScript
 ```javascript
 const axios = require('axios');
 const FormData = require('form-data');
 const fs = require('fs');
 const BASE_URL = 'http://localhost:8000';
 async function main() {
    // Check channel status
    const status = await axios.get(`${BASE_URL}/channel/status`);
    console.log('Channel:', status.data.mode);
    // Encode with auto channel key
    const form = new FormData();
    form.append('passphrase', 'apple forest thunder');
    form.append('pin', '123456');
    form.append('message', 'Secret');
    form.append('reference_photo', fs.createReadStream('ref.jpg'));
    form.append('carrier', fs.createReadStream('carrier.png'));
    // channel_key defaults to "auto" (use server config)
    const response = await axios.post(`${BASE_URL}/encode/multipart`, form, {
        headers: form.getHeaders(),
        responseType: 'arraybuffer'
    });
    fs.writeFileSync('stego.png', response.data);
    console.log('Channel mode:', response.headers['x-stegasoo-channel-mode']);
 }
 main();
 ```
 ### cURL / Bash
 ```bash
 #!/bin/bash
 BASE_URL="http://localhost:8000"
 # Check channel status
 echo "Channel status:"
 curl -s "$BASE_URL/channel/status" | jq .
 # Generate and save channel key
 echo "Generating channel key..."
 curl -s -X POST "$BASE_URL/channel/generate?save=true" | jq .
 # Encode (channel_key defaults to "auto")
 echo "Encoding..."
 curl -s -X POST "$BASE_URL/encode/multipart" \
  -F "passphrase=apple forest thunder" \
  -F "pin=123456" \
  -F "message=Secret message" \
  -F "reference_photo=@ref.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 echo "Encoded to stego.png"
 # Decode
 echo "Decoding..."
 curl -s -X POST "$BASE_URL/decode/multipart" \
  -F "passphrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@ref.jpg" \
  -F "stego_image=@stego.png" | jq .
 ```
 ---
 ## Docker Configuration
 ### docker/docker-compose.yml
 ```yaml
 x-common-env: &common-env
  STEGASOO_CHANNEL_KEY: ${STEGASOO_CHANNEL_KEY:-}
 services:
  api:
    build:
      context: .
      target: api
    ports:
      - "8000:8000"
    environment:
      <<: *common-env
 ```
 ### .env (gitignored)
 ```bash
 STEGASOO_CHANNEL_KEY=ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 ```
 ### Generate key for .env
 ```bash
 curl -s -X POST http://localhost:8000/channel/generate | \
  jq -r '"STEGASOO_CHANNEL_KEY=\(.key)"' >> .env
 ```
 ---
 ## See Also
 - [CLI Documentation](CLI.md) - Command-line interface
 - [Web UI Documentation](WEB_UI.md) - Browser interface
 - [README](../README.md) - Project overview
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,234 @@
 # Changelog
 All notable changes to Stegasoo will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org).
 ## [4.3.0] - 2026-02-27
 ### Added
 - **Audio Steganography** — Hide messages in audio files (WAV, FLAC, MP3, OGG, AAC, M4A)
  - LSB mode: Direct least-significant-bit embedding in audio samples
  - Spread Spectrum mode: Noise-resistant encoding using pseudo-random spreading
  - Automatic format transcoding to WAV for embedding
  - Full CLI support: `stegasoo audio-encode`, `audio-decode`, `audio-info`
  - REST API endpoints: `/audio/encode`, `/audio/decode`, `/audio/info`
  - Web UI: Unified encode/decode pages with carrier type selector (Image/Audio)
 - New `AudioCapacityInfo`, `AudioEmbedStats`, `AudioInfo` model classes
 - Audio-specific exceptions: `AudioError`, `AudioValidationError`, `AudioCapacityError`, `AudioExtractionError`, `AudioTranscodeError`, `UnsupportedAudioFormatError`
 - Subprocess isolation for audio operations (crash protection)
 - `debug.py` module for structured logging across all steganography operations
 ### Changed
 - Encode/Decode web pages now have a "Carrier Type" step to switch between Image and Audio
 - Version bumped to 4.3.0
 ## [4.1.5] - 2026-01-07
 ### Added
 - **Developer Documentation**: Educational comments throughout core modules
  - DCT module: zig-zag diagrams, QIM explanation, Reed-Solomon deep dive
  - LSB module: visual bit embedding examples, ChaCha20 pixel selection
  - Crypto module: multi-factor KDF flow diagrams, Argon2id reasoning
  - CLI module: Click patterns (groups, JSON output, secure input)
  - Web UI module: Flask architecture, subprocess isolation, async jobs
 - **Pi Test Automation**: `rpi/kickoff-pi-test.sh` script
  - One command to flash, wait for boot, setup, and smoke test
  - Self-contained (no dotfile dependencies)
 - **v4.2 Wishlist**: `WISHLIST-4.2.md` for blue-sky ideas (GPU acceleration)
 ### Changed
 - **Pi MOTD Improvements**:
  - Dynamic temperature emoji (ice/cool/fire based on temp)
  - Rocket emoji for service status, globe emoji for URL
  - Shortened Debian boilerplate message
  - Fixed escaped variable syntax in heredoc
 ## [4.1.3] - 2026-01-05
 ### Added
 - **Docker Deployment**: Production-ready containerization
  - `docker-compose.yml` for Web UI (port 5000) and REST API (port 8000)
  - Multi-stage builds with base image for faster rebuilds
  - Health checks, resource limits (768MB), and volume persistence
  - Comprehensive `DOCKER.md` documentation
 - **Raspberry Pi First-Boot Wizard**: Interactive TUI setup experience
  - `gum` TUI toolkit for styled prompts and spinners
  - WiFi configuration, HTTPS setup, channel key generation
  - Overclock presets (Pi 5: 2.8/3.0 GHz with cooling recommendations)
  - Port 443 redirect option for clean HTTPS URLs
  - Styled banners with purple→blue gradient and gold logo
 - **Pi Image Distribution**: Scripts for SD card imaging
  - `sanitize-for-image.sh` removes credentials, SSH keys, user data
  - Soft reset mode for testing without clearing WiFi
  - Auto-validates sanitization before imaging
 - **Unit Tests**: Comprehensive pytest test suite
  - Tests for encode/decode, LSB/DCT modes, channel keys
  - Validation, generation, compression, edge cases
  - 29 tests covering core library functionality
 - **Release Validation**: `scripts/validate-release.sh` for pre-release checks
 - **Custom SSL Documentation**: Guide for replacing certs, Let's Encrypt setup
 ### Changed
 - Pi MOTD shows CPU speed and temperature when overclocked
 - Mobile UI polish and responsive improvements
 - Standardized ASCII banners across all Pi scripts
 - Setup script uses pyenv for Python 3.12 (Pi OS ships 3.13)
 ### Fixed
 - **SSL certificate generation**: Wizard and setup now generate certs when HTTPS enabled
 - DCT decode reliability improvements
 - Fixed `gum --inline` flag compatibility (not supported in all versions)
 - Wizard banner alignment and spacing issues
 - Better error handling in app.py for SSL failures
 ## [4.1.0] - 2026-01-04
 ### Added
 - **Admin Recovery System**: Password reset for locked-out admins
  - Recovery key generated during setup (32-char alphanumeric)
  - Multiple backup options: text file, QR code, stego image
  - QR codes obfuscated (XOR'd with magic header hash)
  - Stego backups hide key in an image using Stegasoo itself
  - CLI: `stegasoo admin recover --db path/to/db`
 - **EXIF Editor**: Full metadata editing in Tools page
  - View all EXIF fields from uploaded image
  - Inline editing of individual fields
  - Clear all metadata with one click
  - Download cleaned image
  - CLI: `stegasoo tools exif image.jpg [--clear] [--set Field=Value]`
 - **Multi-User Support**: Admin can create up to 16 additional users
  - Role-based access control (admin/user)
  - Admin user management page
  - Temp password generation for new users
 - **Saved Channel Keys**: Users can save/manage channel keys in account page
 ### Changed
 - **Architecture**: Consolidated `resolve_channel_key()` to library layer
  - Single source of truth in `src/stegasoo/channel.py`
  - CLI, API, WebUI now use thin wrappers
 - **DCT Pre-Check**: Fail fast with helpful error before expensive encoding
 - **Toast Notifications**: Auto-dismiss after 20 seconds with fade animation
 - `RECOVERY_OBFUSCATION_KEY` constant added to `constants.py`
 ### Fixed
 - DCT payload size error now caught early with clear message
 ## [4.0.2] - 2026-01-02
 ### Added
 - **Web UI Authentication**: Single-admin login with SQLite3 user storage
  - First-run setup wizard for admin account creation
  - Account management page for password changes
  - `@login_required` decorator protects encode/decode/generate routes
  - Argon2id password hashing (lighter 64MB for fast login)
 - **Optional HTTPS**: Auto-generated self-signed certificates for home network deployment
  - Configurable via `STEGASOO_HTTPS_ENABLED` environment variable
  - Certificates stored in `frontends/web/certs/`
 - New environment variables: `STEGASOO_AUTH_ENABLED`, `STEGASOO_HTTPS_ENABLED`, `STEGASOO_HOSTNAME`
 ### Changed
 - PIN entry column widened in encode/decode forms (col-md-4 → col-md-6)
 - Channel options column narrowed (col-md-8 → col-md-6)
 - QR preview panels enlarged for better text readability
 - Consistent font sizing across all preview panel banners (0.7rem filename, 0.6rem data, 0.65rem badges)
 ### Fixed
 - QR preview text too small to read in encode/decode templates
 - Inconsistent label sizes between reference/carrier/stego panels
 ## [4.0.1] - 2025-01-02
 ### Fixed
 - Fixed numpy binary incompatibility on Python 3.10 (jpegio/scipy)
 - Fixed BatchCredentials test failures with missing `reference_photo` parameter
 - Graceful handling when DCT dependencies have version mismatches
 ### Changed
 - Applied `ruff` linter fixes across entire codebase (~400 issues)
 - Applied `black` formatter to all Python files
 - Modernized type hints: `Optional[X]` → `X | None`
 - Updated ruff config to use `[tool.ruff.lint]` section
 - Moved documentation files to repository root
 ### Removed
 - Removed obsolete debug/diagnostic scripts
 - Cleaned up backup files and dev scripts
 ## [4.0.0] - 2024-12-29
 ### Added
 - Refreshed Web UI with modern, snazzy interface
 - Improved user experience across all pages
 ### Changed
 - Major version bump for breaking API changes
 - Simplified passphrase handling (single passphrase instead of day-based)
 - Removed date_str parameter from encoding
 ### Fixed
 - Various bug fixes for Web UI
 - CLI updates and improvements
 ## [3.2.0] - 2024-12-28
 ### Added
 - Big revamp of the encoding system
 - Home and about page improvements
 - UNDER_THE_HOOD.md documentation
 ### Changed
 - Renamed `phrase` → `passphrase` in API
 - Updated Web UI styling
 ## [3.0.2] - 2024-12-27
 ### Added
 - Full experimental DCT steganography support
 - jpegio integration for better JPEG manipulation
 - DCT/LSB mode selector in Web UI
 ## [3.0.0] - 2024-12-25
 ### Added
 - DCT (Discrete Cosine Transform) steganography mode
 - Support for JPEG carriers without quality loss
 - Channel key feature for private messaging
 ### Changed
 - Complete rewrite of steganography engine
 - New hybrid authentication system
 ## [2.0.0] - 2024-12-20
 ### Added
 - Web UI frontend
 - REST API (FastAPI)
 - Batch processing support
 - RSA key authentication option
 ### Changed
 - Migrated to hybrid photo + passphrase + PIN authentication
 ## [1.0.0] - 2024-12-15
 ### Added
 - Initial release
 - LSB steganography
 - AES-256-GCM encryption
 - CLI interface
 - Basic PIN authentication
 [4.3.0]: https://github.com/adlee-was-taken/stegasoo/compare/v4.2.1...v4.3.0
 [4.1.5]: https://github.com/adlee-was-taken/stegasoo/compare/v4.1.3...v4.1.5
 [4.1.3]: https://github.com/adlee-was-taken/stegasoo/compare/v4.1.0...v4.1.3
 [4.1.0]: https://github.com/adlee-was-taken/stegasoo/compare/v4.0.2...v4.1.0
 [4.0.2]: https://github.com/adlee-was-taken/stegasoo/compare/v4.0.1...v4.0.2
 [4.0.1]: https://github.com/adlee-was-taken/stegasoo/compare/v4.0.0...v4.0.1
 [4.0.0]: https://github.com/adlee-was-taken/stegasoo/compare/v3.2.0...v4.0.0
 [3.2.0]: https://github.com/adlee-was-taken/stegasoo/compare/v3.0.2...v3.2.0
 [3.0.2]: https://github.com/adlee-was-taken/stegasoo/compare/v3.0.0...v3.0.2
 [3.0.0]: https://github.com/adlee-was-taken/stegasoo/compare/v2.0.0...v3.0.0
 [2.0.0]: https://github.com/adlee-was-taken/stegasoo/compare/v1.0.0...v2.0.0
 [1.0.0]: https://github.com/adlee-was-taken/stegasoo/releases/tag/v1.0.0
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,114 @@
 # Stegasoo — Claude Code Project Guide
 Stegasoo is a secure steganography toolkit with hybrid photo + passphrase + PIN authentication.
 Version 4.3.0 · Python >=3.11 · MIT License
 ## Quick commands
 ```bash
 pip install -e ".[dev]"                     # Install for development (includes all extras)
 pytest                                       # Run tests (coverage reported automatically)
 black src/ tests/ frontends/                 # Format code
 ruff check src/ tests/ frontends/ --fix      # Lint (auto-fix)
 mypy src/                                    # Type check
 pre-commit run --all-files                   # Run all pre-commit hooks
 PYTHONPATH=src python -m stegasoo.cli        # Run CLI directly without install
 ```
 ## Architecture
 ```
 src/stegasoo/          Core library
  crypto.py              Argon2id / PBKDF2 key derivation + AES-256-GCM encryption
  steganography.py       LSB spatial embedding
  dct_steganography.py   DCT domain embedding (JPEG-safe, needs [dct] extras)
  validation.py          Input validation for all security factors
  constants.py           All magic numbers, crypto params, limits
  models.py              Dataclasses (EncodeResult, DecodeResult, etc.)
  encode.py / decode.py  High-level encode/decode orchestration
  channel.py             Channel key management (v4.0+)
  audio_steganography.py  LSB audio embedding/extraction (v4.3.0)
  spread_steganography.py Spread spectrum audio embedding (v4.3.0)
  audio_utils.py          Audio format detection, validation, transcoding (v4.3.0)
  debug.py                Structured logging for operations (v4.3.0)
  compression.py         Zstandard / zlib / lz4 payload compression
  cli.py                 Click CLI entry point
  generate.py            Credential generation (passphrase, PIN, RSA keys)
  exceptions.py          Exception hierarchy (all inherit StegasooError)
  __init__.py            Public API surface (__all__)
 frontends/web/         Flask web UI  (entry: app.py)
 frontends/api/         FastAPI REST API  (entry: main.py)
 frontends/cli/         CLI extras
 tests/                 Pytest suite
  test_stegasoo.py       Single test file covering core library
 ```
 ### Entry points
 | Interface | Entry point | Install extra |
 |-----------|-------------|---------------|
 | CLI | `stegasoo.cli:main` (`stegasoo` command) | `[cli]` |
 | Web UI | `frontends/web/app.py` | `[web]` |
 | REST API | `frontends/api/main.py` | `[api]` |
 ## Code conventions
 - **Formatter**: Black, 100-char line length
 - **Linter**: Ruff — rules E, F, I, N, W, UP (E501 ignored). N803/N806 suppressed in `dct_steganography.py` for colorspace variable names
 - **Type hints**: Required on all new code. `mypy` with `ignore_missing_imports = true`
 - **Pre-commit hooks**: ruff, ruff-format, trailing-whitespace, end-of-file-fixer, check-yaml, check-toml, check-added-large-files (1MB), check-merge-conflict, debug-statements, bandit (excludes tests/)
 - **Branch naming**: `feature/`, `fix/`, `docs/`, `refactor/`
 - **Commits**: Imperative mood, clear subject line. Include what + why
 ## Security-critical modules
 These files implement the cryptographic and steganographic core. Changes require extra care, thorough test coverage, and careful review:
 - **`crypto.py`** — Argon2id KDF (256 MB / 4 iterations / 4 parallelism) + PBKDF2 fallback (600K iterations) → AES-256-GCM authenticated encryption
 - **`steganography.py`** — LSB spatial embedding/extraction
 - **`dct_steganography.py`** — DCT domain embedding with Reed-Solomon error correction
 - **`validation.py`** — Input validation for all security factors (PIN, passphrase, image, RSA key, channel key)
 - **`constants.py`** — Crypto parameters (salt sizes, iteration counts, Argon2 memory cost, format versions). Do not change these casually — they affect backward compatibility and security margins
 ## Public API
 `src/stegasoo/__init__.py` defines the full public API surface via `__all__`. Any new public function must be:
 1. Imported in `__init__.py`
 2. Added to the `__all__` list
 ## Testing
 - Single test file: `tests/test_stegasoo.py`
 - Requires `pip install -e ".[dev]"` (includes DCT dependencies)
 - Coverage is reported automatically via pytest config (`--cov=stegasoo --cov-report=term-missing`)
 - Run: `pytest` (no extra flags needed)
 ## Worktree workflow
 When working on features or fixes that touch multiple files, prefer using a git worktree for isolation:
 ```bash
 # Claude Code can create worktrees automatically via /worktree or EnterWorktree
 # Manual creation:
 git worktree add .claude/worktrees/<name> -b <branch-name>
 ```
 ### Guidelines for worktree usage
 - **Use worktrees for**: multi-file refactors, experimental changes, anything that might need to be discarded
 - **Worktree location**: `.claude/worktrees/` (gitignored by Claude Code)
 - **Branch from**: always branch from `main` unless working on a version branch (e.g., `4.2`)
 - **Naming**: use the same conventions as branches — `feature/description`, `fix/description`, etc.
 - **Cleanup**: worktrees in `.claude/worktrees/` are ephemeral. Remove with `git worktree remove <path>` when done
 - **Testing in worktrees**: run `pip install -e ".[dev]"` inside the worktree before running tests, since the editable install points to the worktree's source
 - **Merging back**: create a PR from the worktree branch, or merge locally into `main`
 ## Useful context
 - BIP-39 wordlist lives at `src/stegasoo/data/bip39-words.txt` (used for passphrase generation)
 - Docker support: `src/stegasoo/Dockerfile` + `docs/DOCKER_QUICKSTART.md`
 - Raspberry Pi builds: `rpi/` directory
 - AUR packages: `aur/`, `aur-cli/`, `aur-api/`
 - Version is defined in both `pyproject.toml` and `src/stegasoo/__init__.py` — keep them in sync
--- a/CLI.md
+++ b/CLI.md
@@ -0,0 +1,921 @@
 # Stegasoo CLI Documentation (v4.1.0)
 Complete command-line interface reference for Stegasoo steganography operations.
 ## Table of Contents
 - [Installation](#installation)
 - [What's New in v4.1.0](#whats-new-in-v410)
 - [Quick Start](#quick-start)
 - [Commands](#commands)
  - [generate](#generate-command)
  - [encode](#encode-command)
  - [decode](#decode-command)
  - [verify](#verify-command)
  - [channel](#channel-command)
  - [admin](#admin-command)
  - [tools](#tools-command)
  - [info](#info-command)
  - [compare](#compare-command)
  - [modes](#modes-command)
 - [Channel Keys](#channel-keys)
 - [Embedding Modes](#embedding-modes)
 - [Security Factors](#security-factors)
 - [Workflow Examples](#workflow-examples)
 - [Piping & Scripting](#piping--scripting)
 - [Error Handling](#error-handling)
 - [Exit Codes](#exit-codes)
 ---
 ## Installation
 ### From PyPI
 ```bash
 # CLI only
 pip install stegasoo[cli]
 # CLI with DCT support
 pip install stegasoo[cli,dct]
 # With all extras
 pip install stegasoo[all]
 ```
 ### From Source
 ```bash
 git clone https://github.com/example/stegasoo.git
 cd stegasoo
 pip install -e ".[cli,dct]"
 ```
 ### Verify Installation
 ```bash
 stegasoo --version
 stegasoo --help
 # Check DCT support
 python -c "from stegasoo import has_dct_support; print('DCT:', 'available' if has_dct_support() else 'requires scipy')"
 # Check channel key status
 stegasoo channel show
 ```
 ### Man Page
 ```bash
 # Install man page
 sudo mkdir -p /usr/local/share/man/man1
 sudo cp docs/stegasoo.1 /usr/local/share/man/man1/
 sudo mandb
 # View
 man stegasoo
 ```
 ---
 ## What's New in v4.1.0
 Version 4.1.0 adds **admin recovery** and **tools** commands:
 | Feature | Description |
 |---------|-------------|
 | Admin recovery | Reset admin password using recovery key |
 | EXIF tools | View, edit, and strip image metadata |
 | Peek tool | Quick stego detection check |
 | Strip tool | Remove hidden data from images |
 **New commands:**
 - `stegasoo admin recover` - Reset admin password with recovery key
 - `stegasoo tools exif` - View/edit EXIF metadata
 - `stegasoo tools peek` - Check for hidden data
 - `stegasoo tools strip` - Remove stego data from image
 ---
 ## What's New in v4.0.0
 Version 4.0.0 added **channel key** support for deployment/group isolation:
 | Feature | Description |
 |---------|-------------|
 | Channel keys | 256-bit keys that isolate message groups |
 | Deployment isolation | Different deployments can't read each other's messages |
 | CLI management | New `stegasoo channel` command group |
 | Flexible override | Use server config, explicit key, or public mode |
 ---
 ## Quick Start
 ```bash
 # 1. Generate credentials (do this once, memorize results)
 stegasoo generate
 # 2. (Optional) Set up channel key for deployment isolation
 stegasoo channel generate --save
 # 3. Encode a message (uses configured channel key automatically)
 stegasoo encode \
  --ref secret_photo.jpg \
  --carrier meme.png \
  --passphrase "apple forest thunder mountain" \
  --pin 123456 \
  --message "Meet at midnight"
 # 4. Decode a message (uses same channel key)
 stegasoo decode \
  --ref secret_photo.jpg \
  --stego stego_abc123.png \
  --passphrase "apple forest thunder mountain" \
  --pin 123456
 # 5. Decode without channel key (public mode)
 stegasoo decode \
  --ref secret_photo.jpg \
  --stego public_stego.png \
  --passphrase "words here now" \
  --pin 123456 \
  --no-channel
 ```
 ---
 ## Commands
 ### Generate Command
 Generate credentials for encoding/decoding operations.
 #### Synopsis
 ```bash
 stegasoo generate [OPTIONS]
 ```
 #### Options
 | Option | Short | Type | Default | Description |
 |--------|-------|------|---------|-------------|
 | `--pin/--no-pin` | | flag | `--pin` | Generate a PIN |
 | `--rsa/--no-rsa` | | flag | `--no-rsa` | Generate an RSA key |
 | `--pin-length` | | 6-9 | 6 | PIN length in digits |
 | `--rsa-bits` | | choice | 2048 | RSA key size (2048, 3072) |
 | `--words` | | 3-12 | 4 | Words in passphrase |
 | `--output` | `-o` | path | | Save RSA key to file |
 | `--password` | `-p` | string | | Password for RSA key file |
 | `--json` | | flag | | Output as JSON |
 #### Examples
 ```bash
 # Basic generation with PIN (default)
 stegasoo generate
 # Generate with more words for higher security
 stegasoo generate --words 6
 # Generate with RSA key
 stegasoo generate --rsa --rsa-bits 3072
 # Save RSA key to encrypted file
 stegasoo generate --rsa -o mykey.pem -p "mysecretpassword"
 ```
 ---
 ### Encode Command
 Encode a secret message or file into an image.
 #### Synopsis
 ```bash
 stegasoo encode [OPTIONS]
 ```
 #### Options
 | Option | Short | Type | Required | Default | Description |
 |--------|-------|------|----------|---------|-------------|
 | `--ref` | `-r` | path | ✓ | | Reference photo |
 | `--carrier` | `-c` | path | ✓ | | Carrier image |
 | `--passphrase` | `-p` | string | ✓ | | Passphrase |
 | `--message` | `-m` | string | | | Message to encode |
 | `--message-file` | `-f` | path | | | Read message from file |
 | `--embed-file` | `-e` | path | | | Embed a binary file |
 | `--pin` | | string | * | | Static PIN (6-9 digits) |
 | `--key` | `-k` | path | * | | RSA key file |
 | `--key-qr` | | path | * | | RSA key from QR code |
 | `--key-password` | | string | | | RSA key password |
 | `--channel` | | string | | auto | Channel key (v4.0.0) |
 | `--channel-file` | | path | | | Read channel key from file |
 | `--no-channel` | | flag | | | Force public mode |
 | `--output` | `-o` | path | | | Output filename |
 | `--mode` | | choice | | `lsb` | Embedding mode |
 | `--dct-format` | | choice | | `png` | DCT output format |
 | `--dct-color` | | choice | | `grayscale` | DCT color mode |
 | `--quiet` | `-q` | flag | | | Suppress output |
 \* At least one of `--pin`, `--key`, or `--key-qr` is required.
 #### Channel Key Options
 | Option | Effect |
 |--------|--------|
 | *(none)* | Use server-configured key (auto mode) |
 | `--channel KEY` | Use explicit channel key |
 | `--channel auto` | Same as no option |
 | `--channel-file F` | Read channel key from file |
 | `--no-channel` | Force public mode (no isolation) |
 #### Examples
 ```bash
 # Basic encoding (uses server channel key if configured)
 stegasoo encode \
  -r photo.jpg -c meme.png \
  -p "correct horse battery staple" \
  --pin 847293 \
  -m "The package arrives Tuesday"
 # With explicit channel key
 stegasoo encode \
  -r photo.jpg -c meme.png \
  -p "correct horse battery staple" \
  --pin 847293 \
  -m "Secret message" \
  --channel ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 # Public mode (no channel isolation)
 stegasoo encode \
  -r photo.jpg -c meme.png \
  -p "correct horse battery staple" \
  --pin 847293 \
  -m "Public message" \
  --no-channel
 # DCT mode for social media
 stegasoo encode \
  -r photo.jpg -c meme.png \
  -p "words here" --pin 847293 \
  -m "Secret" \
  --mode dct --dct-format jpeg
 ```
 ---
 ### Decode Command
 Decode a secret message or file from a stego image.
 #### Synopsis
 ```bash
 stegasoo decode [OPTIONS]
 ```
 #### Options
 | Option | Short | Type | Required | Default | Description |
 |--------|-------|------|----------|---------|-------------|
 | `--ref` | `-r` | path | ✓ | | Reference photo |
 | `--stego` | `-s` | path | ✓ | | Stego image |
 | `--passphrase` | `-p` | string | ✓ | | Passphrase |
 | `--pin` | | string | * | | Static PIN |
 | `--key` | `-k` | path | * | | RSA key file |
 | `--key-qr` | | path | * | | RSA key from QR code |
 | `--key-password` | | string | | | RSA key password |
 | `--channel` | | string | | auto | Channel key (v4.0.0) |
 | `--channel-file` | | path | | | Read channel key from file |
 | `--no-channel` | | flag | | | Force public mode |
 | `--output` | `-o` | path | | | Save output to file |
 | `--mode` | | choice | | `auto` | Extraction mode |
 | `--quiet` | `-q` | flag | | | Minimal output |
 | `--force` | | flag | | | Overwrite existing file |
 #### Examples
 ```bash
 # Basic decoding (uses server channel key)
 stegasoo decode \
  -r photo.jpg -s stego.png \
  -p "correct horse battery staple" \
  --pin 847293
 # With explicit channel key
 stegasoo decode \
  -r photo.jpg -s stego.png \
  -p "words here" --pin 847293 \
  --channel ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 # Decode public image (no channel key was used)
 stegasoo decode \
  -r photo.jpg -s stego.png \
  -p "words here" --pin 847293 \
  --no-channel
 # Save to file
 stegasoo decode \
  -r photo.jpg -s stego.png \
  -p "words" --pin 123456 \
  -o decoded.txt
 ```
 ---
 ### Verify Command
 Verify credentials without extracting the message.
 #### Synopsis
 ```bash
 stegasoo verify [OPTIONS]
 ```
 #### Options
 Same as `decode`, minus `--output` and `--force`. Adds `--json` for JSON output.
 #### Examples
 ```bash
 # Quick verification
 stegasoo verify -r photo.jpg -s stego.png -p "phrase" --pin 123456
 # With explicit channel key
 stegasoo verify -r photo.jpg -s stego.png -p "phrase" --pin 123456 \
  --channel ABCD-1234-...
 # JSON output
 stegasoo verify -r photo.jpg -s stego.png -p "phrase" --pin 123456 --json
 ```
 ---
 ### Channel Command
 Manage channel keys for deployment/group isolation.
 #### Subcommands
 | Subcommand | Description |
 |------------|-------------|
 | `generate` | Create a new channel key |
 | `show` | Display current channel key status |
 | `set` | Save a channel key to config |
 | `clear` | Remove channel key from config |
 #### channel generate
 ```bash
 stegasoo channel generate [OPTIONS]
 ```
 | Option | Short | Description |
 |--------|-------|-------------|
 | `--save` | `-s` | Save to user config (~/.stegasoo/channel.key) |
 | `--save-project` | | Save to project config (./config/channel.key) |
 | `--env` | `-e` | Output as environment variable export |
 | `--quiet` | `-q` | Output only the key |
 **Examples:**
 ```bash
 # Just display a new key
 stegasoo channel generate
 # Save to user config
 stegasoo channel generate --save
 # Add to .env file
 stegasoo channel generate --env >> .env
 # For scripts
 KEY=$(stegasoo channel generate -q)
 ```
 #### channel show
 ```bash
 stegasoo channel show [OPTIONS]
 ```
 | Option | Short | Description |
 |--------|-------|-------------|
 | `--reveal` | `-r` | Show full key (not just fingerprint) |
 | `--json` | | Output as JSON |
 **Examples:**
 ```bash
 # Show status (fingerprint only)
 stegasoo channel show
 # Reveal full key
 stegasoo channel show --reveal
 # JSON for scripts
 stegasoo channel show --json
 ```
 **Output:**
 ```
 ─── CHANNEL KEY STATUS ───
    Mode: PRIVATE
    Fingerprint: ABCD-••••-••••-••••-••••-••••-••••-3456
    Source: ~/.stegasoo/channel.key
    Messages require this channel key to decode.
 ```
 #### channel set
 ```bash
 stegasoo channel set [KEY] [OPTIONS]
 ```
 | Option | Short | Description |
 |--------|-------|-------------|
 | `--file` | `-f` | Read key from file |
 | `--project` | `-p` | Save to project config instead of user |
 **Examples:**
 ```bash
 # Set from command line
 stegasoo channel set ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 # Set from file
 stegasoo channel set --file channel.key
 # Set in project config
 stegasoo channel set XXXX-... --project
 ```
 #### channel clear
 ```bash
 stegasoo channel clear [OPTIONS]
 ```
 | Option | Short | Description |
 |--------|-------|-------------|
 | `--project` | `-p` | Clear project config |
 | `--all` | | Clear both user and project configs |
 | `--force` | `-f` | Skip confirmation |
 **Examples:**
 ```bash
 # Clear user config (with confirmation)
 stegasoo channel clear
 # Clear project config
 stegasoo channel clear --project
 # Clear all configs without confirmation
 stegasoo channel clear --all --force
 ```
 ---
 ### Info Command
 Show information about an image file.
 ```bash
 stegasoo info IMAGE [OPTIONS]
 ```
 ---
 ### Compare Command
 Compare embedding mode capacities for an image.
 ```bash
 stegasoo compare IMAGE [OPTIONS]
 ```
 ---
 ### Modes Command
 Show available embedding modes and their status.
 ```bash
 stegasoo modes
 ```
 Now also displays channel key status.
 ---
 ### Admin Command
 Manage Web UI admin accounts and recovery.
 #### Subcommands
 | Subcommand | Description |
 |------------|-------------|
 | `recover` | Reset admin password using recovery key |
 #### admin recover
 Reset the admin password for a Web UI database.
 ```bash
 stegasoo admin recover --db PATH [OPTIONS]
 ```
 | Option | Short | Type | Required | Description |
 |--------|-------|------|----------|-------------|
 | `--db` | `-d` | path | ✓ | Path to stegasoo.db file |
 | `--key` | `-k` | string | | Recovery key (prompted if not provided) |
 | `--password` | `-p` | string | | New password (prompted if not provided) |
 **Examples:**
 ```bash
 # Interactive mode (prompts for key and password)
 stegasoo admin recover --db frontends/web/instance/stegasoo.db
 # Non-interactive mode
 stegasoo admin recover \
  --db /path/to/stegasoo.db \
  --key "XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX" \
  --password "NewSecurePassword123"
 ```
 **Recovery process:**
 1. The recovery key is verified against the database hash
 2. If valid, the admin password is reset
 3. User can now log in with the new password
 **Note:** Recovery keys are instance-bound. A key from one database won't work on another.
 ---
 ### Tools Command
 Image utilities and analysis tools.
 #### Subcommands
 | Subcommand | Description |
 |------------|-------------|
 | `exif` | View/edit EXIF metadata |
 | `peek` | Check for hidden data |
 | `strip` | Remove stego data from image |
 #### tools exif
 View and edit EXIF metadata in images.
 ```bash
 stegasoo tools exif IMAGE [OPTIONS]
 ```
 | Option | Type | Description |
 |--------|------|-------------|
 | `--clear` | flag | Remove all EXIF metadata |
 | `--set FIELD=VALUE` | string | Set a specific EXIF field |
 | `--output` / `-o` | path | Output filename (default: overwrites input) |
 | `--json` | flag | Output as JSON |
 **Examples:**
 ```bash
 # View all EXIF data
 stegasoo tools exif photo.jpg
 # View as JSON
 stegasoo tools exif photo.jpg --json
 # Clear all metadata
 stegasoo tools exif photo.jpg --clear -o clean.jpg
 # Set specific fields
 stegasoo tools exif photo.jpg \
  --set "Artist=John Doe" \
  --set "Copyright=2026" \
  -o tagged.jpg
 # Remove GPS data only
 stegasoo tools exif photo.jpg \
  --set "GPSLatitude=" \
  --set "GPSLongitude=" \
  -o no-gps.jpg
 ```
 #### tools peek
 Check if an image contains hidden Stegasoo data.
 ```bash
 stegasoo tools peek IMAGE [OPTIONS]
 ```
 | Option | Type | Description |
 |--------|------|-------------|
 | `--json` | flag | Output as JSON |
 | `--quiet` / `-q` | flag | Exit code only (0=found, 1=not found) |
 **Examples:**
 ```bash
 # Check for hidden data
 stegasoo tools peek suspicious.png
 # Script-friendly check
 if stegasoo tools peek image.png -q; then
  echo "Contains hidden data"
 fi
 ```
 #### tools strip
 Remove hidden stego data from an image (destructive).
 ```bash
 stegasoo tools strip IMAGE [OPTIONS]
 ```
 | Option | Type | Description |
 |--------|------|-------------|
 | `--output` / `-o` | path | Output filename |
 | `--force` / `-f` | flag | Overwrite without confirmation |
 **Examples:**
 ```bash
 # Strip and save to new file
 stegasoo tools strip stego.png -o clean.png
 # Strip in place (with confirmation)
 stegasoo tools strip stego.png
 ```
 ---
 ## Channel Keys
 Channel keys provide **deployment/group isolation** - messages encoded with a channel key can only be decoded by systems with the same key.
 ### Key Format
 ```
 ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 └──┘ └──┘ └──┘ └──┘ └──┘ └──┘ └──┘ └──┘
  8 groups of 4 alphanumeric characters (256 bits)
 ```
 ### Storage Locations
 Channel keys are checked in this order:
 | Priority | Location | Best For |
 |----------|----------|----------|
 | 1 | `STEGASOO_CHANNEL_KEY` env var | Docker, CI/CD |
 | 2 | `./config/channel.key` | Project-specific |
 | 3 | `~/.stegasoo/channel.key` | User default |
 ### Modes
 | Mode | Description | CLI Option |
 |------|-------------|------------|
 | **Auto** | Use server-configured key | *(default)* |
 | **Explicit** | Use specific key | `--channel KEY` |
 | **Public** | No channel isolation | `--no-channel` |
 ### Fingerprints
 For security, full keys aren't displayed by default. Instead, a fingerprint is shown:
 ```
 Full key:    ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 Fingerprint: ABCD-••••-••••-••••-••••-••••-••••-3456
 ```
 ### Use Cases
 **Team isolation:**
 ```bash
 # Team A
 export STEGASOO_CHANNEL_KEY=AAAA-1111-...
 # Team B  
 export STEGASOO_CHANNEL_KEY=BBBB-2222-...
 # Messages from Team A can only be decoded by Team A
 ```
 **Development vs Production:**
 ```bash
 # Development
 ./config/channel.key contains DEV-KEY-...
 # Production
 STEGASOO_CHANNEL_KEY=PROD-KEY-... in Docker
 # Dev messages can't be decoded in production
 ```
 **Public messages:**
 ```bash
 # Anyone with credentials can decode
 stegasoo encode ... --no-channel
 stegasoo decode ... --no-channel
 ```
 ---
 ## Embedding Modes
 ### LSB Mode (Default)
 ```bash
 stegasoo encode ... --mode lsb
 ```
 | Aspect | Details |
 |--------|---------|
 | **Capacity** | ~375 KB for 1920×1080 |
 | **Output** | PNG only |
 | **Best For** | Maximum capacity |
 ### DCT Mode
 ```bash
 stegasoo encode ... --mode dct --dct-format jpeg --dct-color color
 ```
 | Aspect | Details |
 |--------|---------|
 | **Capacity** | ~65 KB for 1920×1080 |
 | **Output** | PNG or JPEG |
 | **Best For** | Social media, stealth |
 ---
 ## Security Factors
 | Factor | Description | Entropy |
 |--------|-------------|---------|
 | Reference Photo | Shared image | ~80-256 bits |
 | Passphrase | BIP-39 words | ~44 bits (4 words) |
 | Static PIN | Numeric (6-9) | ~20 bits (6 digits) |
 | RSA Key | Shared key file | ~128 bits |
 | Channel Key (v4.0.0) | Deployment isolation | ~256 bits |
 ---
 ## Workflow Examples
 ### Team Setup with Channel Key
 **Initial setup (team lead):**
 ```bash
 # Generate team channel key
 stegasoo channel generate -q > team_channel.key
 # Distribute to team members securely
 # (encrypted email, secure file share, etc.)
 ```
 **Team member setup:**
 ```bash
 # Save received key
 stegasoo channel set --file team_channel.key
 # Verify
 stegasoo channel show
 ```
 **Daily use:**
 ```bash
 # Channel key is used automatically
 stegasoo encode -r ref.jpg -c meme.png -p "phrase" --pin 123456 -m "Team message"
 stegasoo decode -r ref.jpg -s stego.png -p "phrase" --pin 123456
 ```
 ### Docker Deployment
 **docker/docker-compose.yml:**
 ```yaml
 x-common-env: &common-env
  STEGASOO_CHANNEL_KEY: ${STEGASOO_CHANNEL_KEY:-}
 services:
  web:
    environment:
      <<: *common-env
  api:
    environment:
      <<: *common-env
 ```
 **.env (gitignored):**
 ```bash
 STEGASOO_CHANNEL_KEY=ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456
 ```
 ### CI/CD Pipeline
 ```bash
 # Generate key for CI
 CHANNEL_KEY=$(stegasoo channel generate -q)
 # Use in pipeline
 STEGASOO_CHANNEL_KEY=$CHANNEL_KEY stegasoo encode ...
 ```
 ---
 ## Piping & Scripting
 ### Extract channel key for scripts
 ```bash
 # Get just the key
 KEY=$(stegasoo channel show --json | jq -r '.key // empty')
 # Get fingerprint
 FINGERPRINT=$(stegasoo channel show --json | jq -r '.fingerprint // "none"')
 # Check if configured
 if stegasoo channel show --json | jq -e '.configured' > /dev/null; then
  echo "Channel key is configured"
 fi
 ```
 ### Generate and use immediately
 ```bash
 # Generate, save, and use
 stegasoo channel generate --save
 stegasoo encode -r ref.jpg -c carrier.png -p "phrase" --pin 123456 -m "message"
 ```
 ---
 ## Error Handling
 ### Channel Key Errors
 | Error | Cause | Solution |
 |-------|-------|----------|
 | "Invalid channel key format" | Key doesn't match pattern | Use `stegasoo channel generate` |
 | "Message encoded with channel key but none configured" | Missing channel key | Set key or use `--channel` |
 | "Message encoded without channel key" | Used `--no-channel` to encode | Decode with `--no-channel` |
 | "Channel key mismatch" | Wrong key | Verify correct key |
 ### Troubleshooting
 ```bash
 # Check current channel status
 stegasoo channel show
 # Try decoding with explicit key
 stegasoo decode ... --channel XXXX-XXXX-...
 # Try decoding without channel key
 stegasoo decode ... --no-channel
 ```
 ---
 ## Exit Codes
 | Code | Meaning |
 |------|---------|
 | 0 | Success |
 | 1 | General error / decryption failed |
 | 2 | Invalid arguments/options |
 ---
 ## Environment Variables
 | Variable | Description |
 |----------|-------------|
 | `STEGASOO_CHANNEL_KEY` | Channel key for deployment isolation (v4.0.0) |
 | `PYTHONPATH` | Include `src/` for development |
 | `STEGASOO_DEBUG` | Enable debug output (set to `1`) |
 ---
 ## See Also
 - [API Documentation](API.md) - Python API reference
 - [Web UI Documentation](WEB_UI.md) - Browser interface guide
 - [README](../README.md) - Project overview and security model
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,54 @@
 # Code of Conduct
 ## Our Pledge
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
 identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.
 We pledge to act and interact in ways that contribute to an open, welcoming,
 diverse, inclusive, and healthy community.
 ## Our Standards
 Examples of behavior that contributes to a positive environment:
 * Using welcoming and inclusive language
 * Being respectful of differing viewpoints and experiences
 * Gracefully accepting constructive criticism
 * Focusing on what is best for the community
 * Showing empathy towards other community members
 Examples of unacceptable behavior:
 * The use of sexualized language or imagery, and sexual attention or advances
 * Trolling, insulting or derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information without explicit permission
 * Other conduct which could reasonably be considered inappropriate
 ## Enforcement Responsibilities
 Project maintainers are responsible for clarifying and enforcing our standards
 of acceptable behavior and will take appropriate and fair corrective action in
 response to any behavior that they deem inappropriate, threatening, offensive,
 or harmful.
 ## Scope
 This Code of Conduct applies within all community spaces, and also applies when
 an individual is officially representing the community in public spaces.
 ## Enforcement
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the project maintainers. All complaints will be reviewed and
 investigated promptly and fairly.
 ## Attribution
 This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org),
 version 2.0.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,165 @@
 # Contributing to Stegasoo
 Thank you for your interest in contributing to Stegasoo! This document provides guidelines and information for contributors.
 ## Getting Started
 ### Prerequisites
 - Python 3.10 - 3.12
 - Git
 - Docker (optional, for container testing)
 ### Development Setup
 1. **Clone the repository**
   ```bash
   git clone https://github.com/adlee-was-taken/stegasoo.git
   cd stegasoo
   ```
 2. **Create a virtual environment**
   ```bash
   python -m venv venv
   source venv/bin/activate  # On Windows: venv\Scripts\activate
   ```
 3. **Install development dependencies**
   ```bash
   pip install -e ".[dev]"
   ```
 4. **Install pre-commit hooks**
   ```bash
   pre-commit install
   ```
 ## Development Workflow
 ### Code Style
 We use the following tools to maintain code quality:
 - **Black** - Code formatting (line length: 100)
 - **Ruff** - Linting
 - **MyPy** - Type checking
 Run all checks before committing:
 ```bash
 black src/ tests/ frontends/
 ruff check src/ tests/ frontends/
 mypy src/
 ```
 ### Running Tests
 ```bash
 # Run all tests
 pytest
 # Run with coverage
 pytest --cov=stegasoo --cov-report=term-missing
 # Run specific test file
 pytest tests/test_stegasoo.py
 ```
 ### Type Hints
 All new code should include type hints:
 ```python
 def encode_message(
    message: str,
    carrier_image: bytes,
    passphrase: str,
    pin: str = "",
 ) -> EncodeResult:
    ...
 ```
 ## Making Changes
 ### Branch Naming
 - `feature/description` - New features
 - `fix/description` - Bug fixes
 - `docs/description` - Documentation updates
 - `refactor/description` - Code refactoring
 ### Commit Messages
 Write clear, concise commit messages:
 ```
 Add channel key validation for private messaging
 - Implement validate_channel_key() function
 - Add tests for valid/invalid key formats
 - Update CLI to support --channel-key flag
 ```
 ### Pull Request Process
 1. **Create a feature branch** from `main`
 2. **Make your changes** with appropriate tests
 3. **Ensure all checks pass** (tests, linting, formatting)
 4. **Submit a PR** with a clear description
 5. **Address review feedback** promptly
 ### PR Checklist
 - [ ] Tests added/updated for changes
 - [ ] Documentation updated if needed
 - [ ] CHANGELOG.md updated for user-facing changes
 - [ ] All CI checks passing
 - [ ] No merge conflicts with `main`
 ## Project Structure
 ```
 stegasoo/
 ├── src/stegasoo/       # Core library
 │   ├── crypto.py       # Encryption/decryption
 │   ├── steganography.py # LSB embedding
 │   ├── dct_steganography.py # DCT embedding
 │   └── ...
 ├── frontends/
 │   ├── cli/            # Command-line interface
 │   ├── web/            # Flask web UI
 │   └── api/            # FastAPI REST API
 ├── tests/              # Test suite
 └── examples/           # Usage examples
 ```
 ## Reporting Issues
 ### Bug Reports
 Please include:
 - Python version and OS
 - Stegasoo version (`stegasoo --version`)
 - Minimal reproduction steps
 - Expected vs actual behavior
 - Error messages/tracebacks
 ### Feature Requests
 Please include:
 - Use case description
 - Proposed solution (if any)
 - Alternatives considered
 ## Security
 If you discover a security vulnerability, please see [SECURITY.md](SECURITY.md) for responsible disclosure guidelines. **Do not open a public issue for security vulnerabilities.**
 ## License
 By contributing, you agree that your contributions will be licensed under the MIT License.
 ## Questions?
 Feel free to open a discussion or issue if you have questions about contributing.
 Thank you for helping make Stegasoo better!
--- a/DOCKER.md
+++ b/DOCKER.md
@@ -0,0 +1,156 @@
 # Docker Deployment
 Stegasoo provides Docker images for both the Web UI and REST API.
 ## Quick Start
 ```bash
 # Build and start all services
 docker-compose -f docker/docker-compose.yml up -d
 # Check status
 docker-compose -f docker/docker-compose.yml ps
 ```
 Access:
 - **Web UI**: https://localhost:5000 (HTTPS with self-signed cert)
 - **REST API**: http://localhost:8000
 ## Services
 | Service | Port | Description |
 |---------|------|-------------|
 | `web` | 5000 | Flask Web UI with authentication |
 | `api` | 8000 | FastAPI REST API |
 ## Configuration
 ### Environment Variables
 Create a `.env` file or set these variables:
 ```bash
 # Channel key for private group communication (optional)
 STEGASOO_CHANNEL_KEY=XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
 # Web UI authentication (default: enabled)
 STEGASOO_AUTH_ENABLED=true
 # HTTPS support (default: enabled, generates self-signed cert)
 STEGASOO_HTTPS_ENABLED=true
 STEGASOO_HOSTNAME=localhost
 # To disable HTTPS:
 # STEGASOO_HTTPS_ENABLED=false
 ```
 ### Volume Mounts
 Persistent data is stored in Docker volumes:
 | Volume | Purpose |
 |--------|---------|
 | `stegasoo-web-data` | User database, session data |
 | `stegasoo-web-certs` | SSL certificates (if HTTPS enabled) |
 ## Building
 ### Standard Build (Recommended)
 Uses a pre-built base image with all dependencies:
 ```bash
 # First time only: build the base image
 docker build -f docker/Dockerfile.base -t stegasoo-base:latest .
 # Build services (fast - only copies app code)
 docker-compose -f docker/docker-compose.yml build
 ```
 ### Full Build (No Base Image)
 If you don't have the base image, the Dockerfile will build all dependencies (slower):
 ```bash
 docker-compose -f docker/docker-compose.yml build
 ```
 ## Commands
 ```bash
 # Start services
 docker-compose -f docker/docker-compose.yml up -d
 # View logs
 docker-compose -f docker/docker-compose.yml logs -f
 # Stop services
 docker-compose -f docker/docker-compose.yml down
 # Rebuild after code changes
 docker-compose -f docker/docker-compose.yml build && docker-compose -f docker/docker-compose.yml up -d
 # Full rebuild (no cache)
 docker-compose -f docker/docker-compose.yml build --no-cache
 ```
 ## Resource Limits
 Each container is configured with:
 - **Memory limit**: 768 MB
 - **Memory reservation**: 384 MB
 This accounts for Argon2id's 256 MB RAM requirement during key derivation.
 ## Health Checks
 Both services include health checks:
 - Interval: 30 seconds
 - Timeout: 10 seconds
 - Start period: 5 seconds
 - Retries: 3
 Check health status:
 ```bash
 docker-compose -f docker/docker-compose.yml ps
 ```
 ## Production Deployment
 For production, consider:
 1. **Enable HTTPS**:
   ```bash
   STEGASOO_HTTPS_ENABLED=true
   STEGASOO_HOSTNAME=your-domain.com
   ```
 2. **Use secrets for channel key**:
   ```bash
   # Don't commit .env files with secrets
   export STEGASOO_CHANNEL_KEY=your-key
   docker-compose -f docker/docker-compose.yml up -d
   ```
 3. **Reverse proxy**: Put behind nginx/traefik for TLS termination
 4. **Backup volumes**:
   ```bash
   docker run --rm -v stegasoo-web-data:/data -v $(pwd):/backup \
     alpine tar czf /backup/stegasoo-backup.tar.gz /data
   ```
 ## Troubleshooting
 ### Container won't start
 ```bash
 # Check logs
 docker-compose -f docker/docker-compose.yml logs web
 docker-compose -f docker/docker-compose.yml logs api
 ```
 ### Out of memory
 Increase Docker's memory allocation or reduce worker count in `docker/Dockerfile`.
 ### Permission errors
 The containers run as non-root user `stego` (UID 1000). Ensure volume permissions match.
--- a/Dockerfile.txt
+++ b/Dockerfile.txt
@@ -1,129 +0,0 @@
 # Stegasoo Docker Image
 # Multi-stage build for smaller image size
 FROM python:3.11-slim as base
 # Set environment variables
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 # Install system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    libc-dev \
    libffi-dev \
    && rm -rf /var/lib/apt/lists/*
 # ============================================================================
 # Builder stage - install Python packages
 # ============================================================================
 FROM base as builder
 WORKDIR /build
 # Copy package files (including README.md which pyproject.toml references)
 COPY pyproject.toml README.md ./
 COPY src/ src/
 COPY data/ data/
 # Install the package with web extras
 RUN pip install --no-cache-dir ".[web]"
 # ============================================================================
 # Production stage - Web UI
 # ============================================================================
 FROM base as web
 WORKDIR /app
 # Copy installed packages from builder
 COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
 COPY --from=builder /usr/local/bin /usr/local/bin
 # Copy application files
 COPY src/ src/
 COPY data/ data/
 COPY frontends/web/ frontends/web/
 # Create upload directory
 RUN mkdir -p /tmp/stego_uploads
 # Create non-root user
 RUN useradd -m -u 1000 stego && chown -R stego:stego /app /tmp/stego_uploads
 USER stego
 # Set Python path
 ENV PYTHONPATH=/app/src
 # Expose port
 EXPOSE 5000
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:5000/')" || exit 1
 # Run with gunicorn
 WORKDIR /app/frontends/web
 CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "2", "--threads", "4", "--timeout", "60", "app:app"]
 # ============================================================================
 # API stage - REST API
 # ============================================================================
 FROM base as api
 WORKDIR /app
 # Install API extras
 COPY pyproject.toml README.md ./
 COPY src/ src/
 COPY data/ data/
 RUN pip install --no-cache-dir ".[api]"
 # Copy API files
 COPY frontends/api/ frontends/api/
 # Create non-root user
 RUN useradd -m -u 1000 stego && chown -R stego:stego /app
 USER stego
 # Set Python path
 ENV PYTHONPATH=/app/src
 # Expose port
 EXPOSE 8000
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/')" || exit 1
 # Run with uvicorn
 WORKDIR /app/frontends/api
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
 # ============================================================================
 # CLI stage - Command line tool
 # ============================================================================
 FROM base as cli
 WORKDIR /app
 # Install CLI extras
 COPY pyproject.toml README.md ./
 COPY src/ src/
 COPY data/ data/
 RUN pip install --no-cache-dir ".[cli]"
 # Copy CLI files
 COPY frontends/cli/ frontends/cli/
 # Create non-root user
 RUN useradd -m -u 1000 stego && chown -R stego:stego /app
 USER stego
 # Set Python path
 ENV PYTHONPATH=/app/src
 # Default to help
 WORKDIR /app/frontends/cli
 ENTRYPOINT ["python", "main.py"]
 CMD ["--help"]
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -0,0 +1,950 @@
 # Stegasoo Installation Guide
 Complete installation instructions for all platforms and deployment methods.
 ## Table of Contents
 - [Requirements](#requirements)
 - [Quick Install](#quick-install)
 - [Installation Methods](#installation-methods)
  - [From Source (Development)](#from-source-development)
  - [From PyPI](#from-pypi)
  - [Docker](#docker)
  - [Docker Compose](#docker-compose)
 - [Optional Dependencies](#optional-dependencies)
 - [Platform-Specific Notes](#platform-specific-notes)
 - [Verification](#verification)
 - [Troubleshooting](#troubleshooting)
 ---
 ## Requirements
 ### Python Version Requirements
 | Python Version | Status | Notes |
 |----------------|--------|-------|
 | 3.10 | ❌ Not Supported | Dropped in v4.2.1 |
 | 3.11 | ✅ Supported | Minimum version |
 | 3.12 | ✅ Supported | Recommended |
 | 3.13 | ✅ Supported | |
 | 3.14 | ✅ Supported | Tested on Arch |
 **Note:** v4.2.1 switched from `jpegio` to `jpeglib` for DCT steganography, enabling Python 3.11-3.14 support.
 ### Minimum Requirements
 | Requirement | Value |
 |-------------|-------|
 | Python | 3.11-3.14 |
 | RAM | 512 MB minimum (256MB for Argon2) |
 | Disk | ~100 MB |
 ### System Dependencies
 **Linux (Debian/Ubuntu):**
 ```bash
 sudo apt-get update
 sudo apt-get install -y \
  python3.12 \
  python3.12-venv \
  python3-pip \
  python3-dev \
  libzbar0 \
  libjpeg-dev \
  build-essential
 ```
 **Linux (Arch):**
 ```bash
 # Use pyenv for Python version management
 curl https://pyenv.run | bash
 pyenv install 3.12
 pyenv local 3.12
 sudo pacman -S zbar libjpeg-turbo base-devel
 ```
 **macOS:**
 ```bash
 brew install python@3.12 zbar jpeg
 xcode-select --install  # For compilation
 ```
 **Windows:**
 - Install Python 3.12 from [python.org](https://python.org)
 - Install Visual Studio Build Tools for compilation
 ---
 ## Quick Install
 ```bash
 # Clone and install everything
 git clone https://github.com/adlee-was-taken/stegasoo.git
 cd stegasoo
 # Create venv with Python 3.12 (critical!)
 python3.12 -m venv venv
 source venv/bin/activate  # Linux/macOS
 # or: venv\Scripts\activate  # Windows
 # Install all dependencies
 pip install -e ".[all]"
 # Verify
 stegasoo --version
 python -c "from stegasoo import has_dct_support; print(f'DCT: {has_dct_support()}')"
 ```
 ---
 ## Installation Methods
 ### From Source (Development)
 Best for development or customization.
 ```bash
 # Clone the repository
 git clone https://github.com/adlee-was-taken/stegasoo.git
 cd stegasoo
 # Create virtual environment with Python 3.12 (recommended)
 python3.12 -m venv venv
 source venv/bin/activate  # Linux/macOS
 # or: venv\Scripts\activate  # Windows
 # Verify Python version
 python -V  # Should show 3.12.x
 # Install core library only
 pip install -e .
 # Install with specific extras
 pip install -e ".[cli]"       # Command-line interface
 pip install -e ".[web]"       # Flask web UI + DCT support
 pip install -e ".[api]"       # FastAPI REST API + DCT support
 pip install -e ".[dct]"       # DCT steganography only
 pip install -e ".[compression]"  # LZ4 compression
 # Install everything
 pip install -e ".[all]"
 # Install with development tools
 pip install -e ".[dev]"
 ```
 ### From PyPI
 ```bash
 # Core only
 pip install stegasoo
 # With extras
 pip install stegasoo[cli]
 pip install stegasoo[web]
 pip install stegasoo[api]
 pip install stegasoo[all]
 ```
 ### Docker
 Build and run individual containers.
 #### Build Images
 ```bash
 # From project root - build all targets
 docker build -t stegasoo-web --target web -f docker/Dockerfile .
 docker build -t stegasoo-api --target api -f docker/Dockerfile .
 docker build -t stegasoo-cli --target cli -f docker/Dockerfile .
 ```
 #### Run Web UI
 ```bash
 docker run -d \
  --name stegasoo-web \
  -p 5000:5000 \
  --memory=768m \
  stegasoo-web
 # Visit http://localhost:5000
 ```
 #### Run REST API
 ```bash
 docker run -d \
  --name stegasoo-api \
  -p 8000:8000 \
  --memory=768m \
  stegasoo-api
 # Docs at http://localhost:8000/docs
 ```
 #### Run CLI
 ```bash
 # Interactive shell
 docker run -it --rm stegasoo-cli /bin/bash
 # Run commands directly
 docker run --rm stegasoo-cli --help
 docker run --rm stegasoo-cli generate --pin --words 4
 # With volume for files
 docker run --rm \
  -v $(pwd)/images:/data \
  stegasoo-cli encode \
    -r /data/ref.jpg \
    -c /data/carrier.png \
    -p "passphrase words here more" \
    --pin 123456 \
    -m "Secret message" \
    -o /data/stego.png
 ```
 ### Docker Compose
 The easiest way to run all services.
 #### Start All Services
 ```bash
 # Start in background
 docker-compose -f docker/docker-compose.yml up -d
 # Start specific service
 docker-compose -f docker/docker-compose.yml up -d web
 docker-compose -f docker/docker-compose.yml up -d api
 # View logs
 docker-compose -f docker/docker-compose.yml logs -f
 # Stop all
 docker-compose -f docker/docker-compose.yml down
 ```
 #### Authentication Configuration (v4.0.2)
 The Web UI supports optional authentication. Configure via environment variables:
 ```bash
 # .env file (create in project root)
 STEGASOO_AUTH_ENABLED=true      # Enable login (default: true)
 STEGASOO_HTTPS_ENABLED=false    # Enable HTTPS (default: false)
 STEGASOO_HOSTNAME=localhost     # Hostname for SSL cert
 STEGASOO_CHANNEL_KEY=           # Optional channel key
 # Then run
 docker-compose -f docker/docker-compose.yml up -d web
 ```
 On first access, you'll be prompted to create an admin account. The database and SSL certs are persisted in Docker volumes.
 #### Services
 | Service | URL | Description |
 |---------|-----|-------------|
 | `web` | http://localhost:5000 | Flask Web UI |
 | `api` | http://localhost:8000 | FastAPI REST API |
 #### Build and Start
 ```bash
 # Build images and start
 docker-compose -f docker/docker-compose.yml up -d --build
 # Force rebuild (no cache)
 docker-compose -f docker/docker-compose.yml build --no-cache
 docker-compose -f docker/docker-compose.yml up -d
 ```
 #### Resource Configuration
 The `docker/docker-compose.yml` includes resource limits:
 ```yaml
 services:
  web:
    deploy:
      resources:
        limits:
          memory: 768M    # For Argon2 + scipy
        reservations:
          memory: 384M
 ```
 Adjust based on your available RAM:
 | Available RAM | Recommended Limit | Workers |
 |---------------|-------------------|---------|
 | 2 GB | 768M | 2 |
 | 4 GB | 1G | 3 |
 | 8 GB+ | 1.5G | 4 |
 ---
 ## Optional Dependencies
 ### DCT Steganography (scipy + jpegio)
 DCT mode enables JPEG-resilient steganography. It's automatically included with `[web]`, `[api]`, and `[all]` extras.
 #### Install via pip
 ```bash
 # scipy is straightforward
 pip install scipy numpy
 # jpegio - MUST use Python 3.12 or earlier!
 pip install jpegio
 # If pip fails, build from source
 pip install cython numpy
 git clone https://github.com/dwgoon/jpegio.git
 cd jpegio
 python setup.py install
 ```
 #### Linux Build Dependencies
 ```bash
 sudo apt-get install -y \
  build-essential \
  python3-dev \
  libjpeg-dev \
  cython3
 ```
 #### macOS Build Dependencies
 ```bash
 brew install jpeg cython
 ```
 #### Verify DCT Support
 ```python
 from stegasoo import has_dct_support
 from stegasoo.dct_steganography import has_jpegio_support
 print(f"DCT support (scipy): {has_dct_support()}")
 print(f"JPEG native (jpegio): {has_jpegio_support()}")
 ```
 Expected output:
 ```
 DCT support (scipy): True
 JPEG native (jpegio): True
 ```
 ### Compression (lz4)
 Optional LZ4 compression for messages:
 ```bash
 pip install lz4
 ```
 ---
 ## Platform-Specific Notes
 ### Linux
 Most straightforward installation. Use your package manager for system dependencies.
 **Ubuntu/Debian:**
 ```bash
 sudo apt-get install python3.12 python3.12-venv python3-dev libzbar0 libjpeg-dev
 python3.12 -m venv venv
 source venv/bin/activate
 pip install stegasoo[all]
 ```
 **Fedora/RHEL:**
 ```bash
 sudo dnf install python3.12 python3-devel zbar libjpeg-devel
 python3.12 -m venv venv
 source venv/bin/activate
 pip install stegasoo[all]
 ```
 **Arch (using pyenv):**
 ```bash
 # Install pyenv
 curl https://pyenv.run | bash
 # Add to ~/.bashrc or ~/.zshrc
 export PATH="$HOME/.pyenv/bin:$PATH"
 eval "$(pyenv init -)"
 # Install Python 3.12
 pyenv install 3.12
 cd ~/Sources/stegasoo
 pyenv local 3.12
 # Create venv and install
 python -m venv venv
 source venv/bin/activate
 pip install stegasoo[all]
 ```
 ### macOS
 ```bash
 # Install Homebrew if needed
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
 # Install dependencies
 brew install python@3.12 zbar jpeg
 # Create venv
 python3.12 -m venv venv
 source venv/bin/activate
 # Install Stegasoo
 pip install stegasoo[all]
 ```
 **Apple Silicon (M1/M2/M3):**
 jpegio may need native compilation:
 ```bash
 # Ensure you have native Python
 arch -arm64 brew install python@3.12
 arch -arm64 python3.12 -m venv venv
 source venv/bin/activate
 pip install jpegio
 ```
 ### Windows
 Windows users have three options, listed from easiest to most complex:
 #### Option 1: Docker Desktop (Recommended)
 The easiest way to run Stegasoo on Windows. No Python installation needed.
 1. Install [Docker Desktop](https://www.docker.com/products/docker-desktop/)
 2. Enable WSL2 backend when prompted
 3. Clone and run:
 ```powershell
 git clone https://github.com/adlee-was-taken/stegasoo.git
 cd stegasoo
 docker-compose -f docker/docker-compose.yml up -d web
 ```
 Access at http://localhost:5000
 #### Option 2: WSL2 (Windows Subsystem for Linux)
 Run the Linux version natively on Windows.
 ```powershell
 # Install WSL2 with Ubuntu
 wsl --install -d Ubuntu
 # Open Ubuntu terminal, then follow Linux instructions:
 sudo apt-get update
 sudo apt-get install -y python3.12 python3.12-venv libzbar0 libjpeg-dev
 git clone https://github.com/adlee-was-taken/stegasoo.git
 cd stegasoo
 python3.12 -m venv venv
 source venv/bin/activate
 pip install -e ".[all]"
 stegasoo --version
 ```
 #### Option 3: Native Windows (Advanced)
 Native Windows installation requires Visual Studio Build Tools for compiling C extensions.
 1. Install Python 3.11 or 3.12 from [python.org](https://python.org)
 2. Install [Visual Studio Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) with "Desktop development with C++"
 3. Install from pip:
 ```powershell
 python -m venv venv
 .\venv\Scripts\activate
 pip install stegasoo[cli]  # CLI only (easiest)
 # or
 pip install stegasoo[all]  # Full install (may require additional setup)
 ```
 **Note:** Native Windows installation may have issues with `jpegio` (DCT mode). Docker or WSL2 is recommended for full functionality.
 ### Raspberry Pi
 Stegasoo works on Raspberry Pi 4/5 (4GB+ RAM recommended for Web UI).
 #### Step 1: Install System Dependencies
 ```bash
 sudo apt-get update
 sudo apt-get install -y \
  build-essential \
  git \
  libssl-dev \
  zlib1g-dev \
  libbz2-dev \
  libreadline-dev \
  libsqlite3-dev \
  libncursesw5-dev \
  xz-utils \
  tk-dev \
  libxml2-dev \
  libxmlsec1-dev \
  libffi-dev \
  liblzma-dev \
  libzbar0 \
  libjpeg-dev
 ```
 #### Step 2: Install Python 3.12 via pyenv
 Raspberry Pi OS ships with Python 3.13, which is **not compatible** with jpegio. Install Python 3.12:
 ```bash
 # Install pyenv
 curl https://pyenv.run | bash
 # Add to ~/.bashrc
 echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
 echo '[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
 echo 'eval "$(pyenv init - bash)"' >> ~/.bashrc
 source ~/.bashrc
 # Install Python 3.12 (takes ~10 minutes on Pi 5)
 pyenv install 3.12
 pyenv global 3.12
 ```
 #### Step 3: Build jpegio for ARM
 The upstream jpegio has x86-specific build flags. Patch and build from source:
 ```bash
 # Clone jpegio
 git clone https://github.com/dwgoon/jpegio.git
 cd jpegio
 # Patch for ARM (removes x86-specific -m64 flag)
 sed -i "s/cargs.append('-m64')/pass  # ARM fix/" setup.py
 # Build and install
 pip install .
 cd ..
 ```
 #### Step 4: Install Stegasoo
 ```bash
 # Clone Stegasoo
 git clone https://github.com/adlee-was-taken/stegasoo.git
 cd stegasoo
 # Create venv with Python 3.12
 ~/.pyenv/versions/3.12.*/bin/python -m venv venv
 source venv/bin/activate
 # Install (jpegio already installed, skip it)
 pip install -e ".[web]" --no-deps
 pip install argon2-cffi cryptography pillow flask gunicorn scipy numpy pyzbar qrcode
 ```
 #### Step 5: Run the Web UI
 ```bash
 cd frontends/web
 # Optional: Enable authentication
 export STEGASOO_AUTH_ENABLED=true
 # Optional: Enable HTTPS for local network security
 export STEGASOO_HTTPS_ENABLED=true
 export STEGASOO_HOSTNAME=raspberrypi.local
 # Start server
 python app.py
 # Access at http://<pi-ip>:5000
 ```
 #### Verify Installation
 ```bash
 python -c "
 import stegasoo
 from stegasoo.dct_steganography import has_jpegio_support
 print(f'Stegasoo: {stegasoo.__version__}')
 print(f'Argon2: {stegasoo.has_argon2()}')
 print(f'DCT: {stegasoo.has_dct_support()}')
 print(f'jpegio: {has_jpegio_support()}')
 "
 # Expected: All True
 ```
 #### Notes
 - **RAM**: Web UI needs ~768MB free for Argon2 + scipy operations
 - **Performance**: Argon2 operations take 3-5 seconds on Pi 5 (vs ~2s on desktop)
 - **Python 3.13**: Not supported due to jpegio C extension incompatibility
 - **First run**: Will prompt you to create an admin account
 - **HTTPS**: Generates self-signed certificate (browsers will warn)
 ---
 ## Custom SSL Certificates
 By default, Stegasoo generates a self-signed certificate for HTTPS. To use your own certificate (e.g., from Let's Encrypt or your organization's CA):
 ### Replace Self-Signed Certificates
 ```bash
 # Stop the service
 sudo systemctl stop stegasoo
 # Backup existing certs (optional)
 mv /opt/stegasoo/frontends/web/certs /opt/stegasoo/frontends/web/certs.bak
 # Create new certs directory
 mkdir -p /opt/stegasoo/frontends/web/certs
 # Copy your certificates (adjust paths as needed)
 cp /path/to/your/certificate.crt /opt/stegasoo/frontends/web/certs/server.crt
 cp /path/to/your/private.key /opt/stegasoo/frontends/web/certs/server.key
 # Set permissions (key must be readable by service user)
 chmod 600 /opt/stegasoo/frontends/web/certs/server.key
 chown -R $(whoami):$(whoami) /opt/stegasoo/frontends/web/certs
 # Start the service
 sudo systemctl start stegasoo
 ```
 ### Generate New Self-Signed Certificate
 If your certificate expires or you need to regenerate:
 ```bash
 # Stop service
 sudo systemctl stop stegasoo
 # Generate new cert with SANs
 CERT_DIR="/opt/stegasoo/frontends/web/certs"
 LOCAL_IP=$(hostname -I | awk '{print $1}')
 HOSTNAME=$(hostname)
 openssl req -x509 -newkey rsa:2048 \
  -keyout "$CERT_DIR/server.key" \
  -out "$CERT_DIR/server.crt" \
  -days 365 -nodes \
  -subj "/O=Stegasoo/CN=$HOSTNAME" \
  -addext "subjectAltName=DNS:$HOSTNAME,DNS:$HOSTNAME.local,DNS:localhost,IP:$LOCAL_IP,IP:127.0.0.1"
 chmod 600 "$CERT_DIR/server.key"
 # Start service
 sudo systemctl start stegasoo
 ```
 ### Let's Encrypt with Certbot
 For publicly accessible servers:
 ```bash
 # Install certbot
 sudo apt install certbot
 # Get certificate (standalone mode)
 sudo certbot certonly --standalone -d yourdomain.com
 # Copy to Stegasoo
 sudo cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /opt/stegasoo/frontends/web/certs/server.crt
 sudo cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /opt/stegasoo/frontends/web/certs/server.key
 sudo chown $(whoami):$(whoami) /opt/stegasoo/frontends/web/certs/*
 sudo chmod 600 /opt/stegasoo/frontends/web/certs/server.key
 # Restart
 sudo systemctl restart stegasoo
 ```
 **Note:** Set up a cron job or systemd timer to copy renewed certificates and restart Stegasoo.
 ---
 ## Verification
 ### Check Installation
 ```bash
 # CLI version
 stegasoo --version
 # Python import
 python -c "import stegasoo; print(stegasoo.__version__)"
 # Check Python version (must be 3.10-3.12)
 python -V
 ```
 ### Check All Features
 ```python
 #!/usr/bin/env python3
 """Verify Stegasoo installation."""
 import sys
 def check_feature(name, check_fn):
    try:
        result = check_fn()
        status = "✓" if result else "✗"
        print(f"  {status} {name}: {result}")
        return result
    except Exception as e:
        print(f"  ✗ {name}: Error - {e}")
        return False
 print("Stegasoo Installation Check")
 print("=" * 40)
 # Python version check
 py_version = sys.version_info
 print(f"\nPython: {py_version.major}.{py_version.minor}.{py_version.micro}")
 if py_version >= (3, 13):
    print("  ⚠️  WARNING: Python 3.13+ not supported!")
    print("      jpegio will not work. Use Python 3.12.")
 elif py_version >= (3, 10):
    print("  ✓ Python version OK")
 else:
    print("  ✗ Python 3.10+ required")
 # Core
 import stegasoo
 print(f"\nStegasoo Version: {stegasoo.__version__}")
 print("\nCore Features:")
 check_feature("Argon2", lambda: stegasoo.has_argon2())
 check_feature("Pillow", lambda: True)  # Required, would fail import
 print("\nOptional Features:")
 check_feature("DCT (scipy)", stegasoo.has_dct_support)
 try:
    from stegasoo.dct_steganography import has_jpegio_support
    check_feature("JPEG native (jpegio)", has_jpegio_support)
 except ImportError:
    print("  ✗ JPEG native (jpegio): Not installed")
 try:
    import lz4
    check_feature("Compression (lz4)", lambda: True)
 except ImportError:
    print("  - Compression (lz4): Not installed (optional)")
 try:
    import pyzbar
    check_feature("QR codes (pyzbar)", lambda: True)
 except ImportError:
    print("  - QR codes (pyzbar): Not installed (optional)")
 print("\nInterfaces:")
 try:
    import click
    check_feature("CLI", lambda: True)
 except ImportError:
    print("  ✗ CLI: Not installed")
 try:
    import flask
    check_feature("Web UI", lambda: True)
 except ImportError:
    print("  - Web UI: Not installed")
 try:
    import fastapi
    check_feature("REST API", lambda: True)
 except ImportError:
    print("  - REST API: Not installed")
 print("\n" + "=" * 40)
 print("Installation check complete!")
 ```
 Save as `check_install.py` and run:
 ```bash
 python check_install.py
 ```
 ### Test Encoding/Decoding
 ```bash
 # Quick test with CLI
 stegasoo generate --pin --words 4 --json > /tmp/creds.json
 # Create test image
 python -c "
 from PIL import Image
 img = Image.new('RGB', (256, 256), 'blue')
 img.save('/tmp/test_carrier.png')
 img.save('/tmp/test_ref.jpg')
 "
 # Encode
 stegasoo encode \
  -r /tmp/test_ref.jpg \
  -c /tmp/test_carrier.png \
  -p "test phrase words here" \
  --pin 123456 \
  -m "Hello, Stegasoo!" \
  -o /tmp/test_stego.png
 # Decode
 stegasoo decode \
  -r /tmp/test_ref.jpg \
  -s /tmp/test_stego.png \
  -p "test phrase words here" \
  --pin 123456
 ```
 ---
 ## Troubleshooting
 ### Common Issues
 #### "jpegio crashes" / "free(): invalid size" / Core dump
 **This is the #1 issue!** You're using Python 3.13.
 ```bash
 # Check your Python version
 python -V
 # If it shows 3.13, you need to use 3.12
 # Option 1: Use pyenv
 pyenv install 3.12
 pyenv local 3.12
 # Option 2: Use system Python 3.12
 python3.12 -m venv venv
 source venv/bin/activate
 pip install -e ".[all]"
 ```
 #### "No module named 'stegasoo'"
 ```bash
 # Ensure you're in the right environment
 which python
 pip list | grep stegasoo
 # Reinstall
 pip install -e ".[all]"
 ```
 #### "Argon2 not available"
 ```bash
 # Install argon2-cffi
 pip install argon2-cffi
 # On Linux, may need:
 sudo apt-get install libffi-dev
 pip install --force-reinstall argon2-cffi
 ```
 #### "jpegio not available" (not crash, just missing)
 ```bash
 # Install build dependencies first
 sudo apt-get install libjpeg-dev  # Linux
 brew install jpeg                  # macOS
 # Then install jpegio
 pip install cython numpy
 pip install jpegio
 # If still fails, build from source
 git clone https://github.com/dwgoon/jpegio.git
 cd jpegio
 python setup.py install
 ```
 #### "libzbar not found" (QR codes)
 ```bash
 # Linux
 sudo apt-get install libzbar0
 # macOS
 brew install zbar
 # Then reinstall pyzbar
 pip install --force-reinstall pyzbar
 ```
 #### Docker: "Cannot allocate memory"
 Argon2 needs 256MB per operation. Increase container memory:
 ```bash
 # Docker run
 docker run --memory=768m ...
 # Docker Compose - edit docker/docker-compose.yml
 deploy:
  resources:
    limits:
      memory: 768M
 ```
 #### Slow performance
 - **Argon2 is intentionally slow** - This is a security feature
 - Expected encode/decode time: 2-5 seconds
 - DCT mode adds ~1-2 seconds for transforms
 - Large images (10MB+) may take 15-30 seconds
 #### "Carrier image too small"
 - LSB needs ~3 bits per pixel
 - DCT needs ~0.25 bits per pixel
 - For 50KB message: LSB needs ~136K pixels, DCT needs ~1.6M pixels
 - Use larger carrier images or shorter messages
 ### Getting Help
 1. Check the documentation:
   - [README.md](README.md)
   - [CLI.md](CLI.md)
   - [API.md](API.md)
   - [WEB_UI.md](WEB_UI.md)
 2. Check existing issues on GitHub
 3. Open a new issue with:
   - Python version (`python --version`)
   - OS and version
   - Installation method
   - Full error message
   - Steps to reproduce
 ---
 ## Next Steps
 After installation:
 1. **Generate credentials**: `stegasoo generate --pin --words 4`
 2. **Read the CLI docs**: [CLI.md](CLI.md)
 3. **Try the Web UI**: `cd frontends/web && python app.py`
 4. **Explore the API**: `cd frontends/api && python main.py`
 Happy steganography! 🦕
--- a/IdeasScout_PLANS_20260324.md
+++ b/IdeasScout_PLANS_20260324.md
@@ -0,0 +1,294 @@
 # Stegasoo Ideas Scout — Implementation Plans (2026-03-24)
 Baseline: v4.3.0, Python >=3.11, FORMAT_VERSION 5, no existing users (no backward compat constraints).
 ---
 ## Tier 1 — Quick Wins
 ### 1. Platform-Calibrated DCT Presets
 **Description**: `--platform telegram|discord|signal|whatsapp` flag for DCT encode. Bakes in each platform's known recompression parameters. Pre-verifies payload survives before outputting.
 **Implementation approach**:
 - New file `src/stegasoo/platform_presets.py` — `PlatformPreset` dataclass + `PRESETS` dict mapping platform → tuned `quant_step`, `jpeg_quality`, `embed_positions`, `max_dimension`, `recompress_quality`
 - `dct_steganography.py`: `_embed_scipy_dct_safe()` / `_embed_jpegio()` accept optional preset overrides for `QUANT_STEP`, `DEFAULT_EMBED_POSITIONS`, output quality
 - New `pre_verify_survival()` function: encode → re-save at platform quality → extract → pass/fail
 - Thread `platform` param through `encode.py` → `steganography.py` → DCT functions
 - `cli.py`: add `--platform` as `click.Choice` + `--verify/--no-verify` (pre-verification doubles encode time)
 - LSB + `--platform` should error early — LSB data is destroyed by any JPEG recompression
 **Known platform params** (from research):
 | Platform | Quality | Max Dimension | Notes |
 |----------|---------|---------------|-------|
 | Telegram | ~82 | 2560×2560 | ~81KB embeddable |
 | Discord | ~85 | Varies (Nitro) | |
 | Signal | ~80 | Aggressive | |
 | WhatsApp | ~70 | 1600×1600 | Most lossy |
 **Go/No-Go metrics**:
 - >95% payload survival rate per platform at 1KB message size in automated tests
 - Pre-verification correctly predicts real platform behavior (manual validation per platform at least once)
 **Complexity**: **M** — new file + parameter threading through 4-5 functions
 **Risks**: Platform params change without notice. Add version/date stamps to presets and a `stegasoo tools verify-platform` test command.
 ---
 ### 2. Steganalysis Self-Check (`stegasoo check`)
 **Description**: New CLI command running chi-square and RS (Regular-Singular) statistical analysis on stego images. Outputs detectability risk level (low/medium/high).
 **Implementation approach**:
 - New file `src/stegasoo/steganalysis.py`:
  - `chi_square_analysis(image_data) -> float` — chi-square statistic on LSB distribution per channel
  - `rs_analysis(image_data) -> float` — Regular-Singular groups analysis (requires numpy)
  - `assess_risk(chi_p, rs_estimate) -> str` — maps to "low"/"medium"/"high"
  - `check_image(image_data) -> dict` — orchestrator
 - `cli.py`: new `@cli.command("check")` with `IMAGE` arg, `--json`, `--mode lsb|dct|auto`
 - `constants.py`: threshold constants for chi-square p-value and RS boundaries
 - `__init__.py`: export `check_image` in `__all__`
 - Start LSB-only; DCT steganalysis (calibration attack) deferred
 **Go/No-Go metrics**:
 - Clean images → consistently "low risk"
 - Naive sequential LSB → "high risk"
 - Stegasoo LSB at <50% capacity → "low" or "medium"
 **Complexity**: **M** — ~150 lines numpy per test, straightforward CLI integration
 ---
 ### 3. Python 3.13 DCT Cleanup
 **Description**: The `jpegio` → `jpeglib` migration is already done in code. Remaining work: rename stale `jpegio` references and verify on 3.13.
 **Implementation approach**:
 - `dct_steganography.py`: rename `HAS_JPEGIO` → `HAS_JPEGLIB`, `_jpegio_*` functions → `_jpeglib_*`, update constant names (`JPEGIO_MAGIC` → `JPEGLIB_MAGIC`, etc.)
 - Verify `jpeglib.to_jpegio()` compatibility shim — if jpeglib plans to deprecate it, migrate to native API
 - Run full test suite on Python 3.13
 **Go/No-Go metrics**:
 - All DCT tests pass on Python 3.13
 - No deprecation warnings from jpeglib
 **Complexity**: **S** — renaming and verification only
 ---
 ## Tier 2 — Strategic
 ### 4. Content-Adaptive Embedding (S-UNIWARD/WOW-inspired)
 **Description**: Replace uniform-random pixel selection with texture-weighted cost functions. Embed preferentially in busy/textured regions where changes are least detectable. 3-5x harder to detect statistically.
 **Implementation approach**:
 - New file `src/stegasoo/adaptive_cost.py`:
  - `compute_cost_map(image_data) -> np.ndarray` — per-pixel distortion cost via directional high-pass filters (Daubechets wavelet bank / KB filter)
  - `select_pixels_by_cost(cost_map, pixel_key, num_needed) -> list[int]` — weighted sampling, still ChaCha20-seeded for determinism
 - `steganography.py`:
  - `generate_pixel_indices()`: add `cost_map` param, use weighted sampling when provided
  - `_embed_lsb()`: compute cost map when adaptive mode enabled
  - `_extract_lsb()`: must compute identical cost map to find same pixels
 - `dct_steganography.py`: adapt `DEFAULT_EMBED_POSITIONS` per-block based on block texture energy
 - Thread `adaptive: bool` through `encode.py`/`decode.py`
 - `constants.py`: add `EMBED_MODE_ADAPTIVE_LSB`, filter kernels, cost thresholds
 **Go/No-Go metrics**:
 - Chi-square test (Feature 2) shows measurable improvement vs uniform-random
 - **Critical**: cost map computation is deterministic across platforms (quantize to fixed-point integers)
 - Round-trip decode succeeds on Linux x86, Linux ARM, macOS
 **Complexity**: **L** — novel algorithm, cross-platform determinism requirement, touches core embedding
 **Risks**: Floating-point differences in wavelet computation could break extraction. Mitigate with integer quantization. Increases encode/decode time ~2-3x.
 ---
 ### 5. Per-Message Forward Secrecy via HKDF
 **Description**: Derive ephemeral per-message encryption keys using HKDF expansion from the Argon2id root key + random nonce. Compromising one message doesn't reveal others.
 **Implementation approach**:
 - `crypto.py`:
  - Add `from cryptography.hazmat.primitives.kdf.hkdf import HKDFExpand`
  - `derive_message_key(root_key, nonce) -> bytes` — HKDF-Expand with SHA-256
  - `encrypt_message()`: generate 16-byte random nonce, derive per-message key, embed nonce in header
  - `decrypt_message()`: extract nonce, derive same key
  - Also derive pixel selection key via HKDF with different `info` param
 - `constants.py`:
  - Bump `FORMAT_VERSION` to 6
  - `HKDF_INFO_ENCRYPTION = b"stegasoo-v6-encrypt"`, `HKDF_INFO_PIXEL = b"stegasoo-v6-pixel"`
  - `MESSAGE_NONCE_SIZE = 16`
 - Header grows from 66 → 82 bytes: add `message_nonce(16)` field
 - Update `HEADER_OVERHEAD` / `ENCRYPTION_OVERHEAD` in `steganography.py`
 **Go/No-Go metrics**:
 - Two messages with identical credentials produce different ciphertexts and different pixel locations
 - `cryptography` library HKDF works with existing Argon2id output
 **Complexity**: **M** — well-defined crypto change, touches security-critical header format
 ---
 ### 6. PWA Mobile Interface
 **Description**: Convert Flask Web UI to Progressive Web App. Mobile-optimized, installable, offline-capable static pages.
 **Implementation approach**:
 - New files in `frontends/web/static/`: `manifest.json`, `sw.js`, icon set (192×192, 512×512)
 - Base template: add manifest link, theme-color meta, viewport meta, service worker registration
 - `app.py`: serve manifest with correct MIME, add cache headers for static assets
 - Responsive CSS for encode/decode accordion forms
 - Camera capture: `<input type="file" accept="image/*" capture="environment">` for reference photo
 - Service worker caches static assets only — NOT encode/decode API endpoints
 **Go/No-Go metrics**:
 - Lighthouse PWA score >= 90
 - Installable on Android Chrome and iOS Safari
 - Offline: static pages load, encode/decode shows graceful "offline" message
 **Complexity**: **M** — frontend only, no core library changes
 **Risks**: Camera capture requires HTTPS (already supported via `ssl_utils.py`).
 ---
 ## Tier 3 — Moonshot
 ### 7. Plausible Deniability / Dual-Payload Mode
 **Description**: Two independent encrypted payloads in one carrier, each with different credentials. Reveal decoy under coercion; real payload stays hidden.
 **Implementation approach**:
 - New file `src/stegasoo/dual_payload.py`:
  - `encode_dual(message_a, message_b, carrier, creds_a, creds_b)`
  - Partition available pixels into two disjoint pools using different seeds
  - **Critical**: ALL images (single or dual) must fill unused pixel pool with random data so single-payload and dual-payload images are indistinguishable
 - `steganography.py`: `generate_pixel_indices()` gets `exclude_indices` param
 - `decode.py`: each credential set finds a different valid payload; wrong credentials produce garbage
 - CLI + Web UI: dual-payload encode workflow
 **Go/No-Go metrics**:
 - Single-payload and dual-payload images are statistically indistinguishable (chi-square can't differentiate)
 - Each payload decodes independently
 - Wrong credentials for one payload don't reveal other payload's existence
 **Complexity**: **XL** — novel design, halves capacity per payload, challenging UX, needs rigorous security analysis
 **Dependencies**: Feature 2 (validation), Feature 4 (detectability reduction)
 ---
 ## Architectural Improvements
 ### 8. EmbeddingBackend Protocol
 **Description**: Typed plugin interface for all embedding algorithms. Replace if/elif dispatch in `steganography.py` with a registry.
 **Implementation approach**:
 - New package `src/stegasoo/backends/`:
  - `protocol.py` — `EmbeddingBackend(Protocol)` with `embed()`, `extract()`, `calculate_capacity()`, `is_available()`
  - `lsb.py`, `dct.py` — wrap existing functions
  - `registry.py` — `BackendRegistry` mapping mode strings to backends
 - `steganography.py`: `embed_in_image()` / `extract_from_image()` dispatch via registry
 - `__init__.py`: export protocol and `register_backend()`
 **Complexity**: **M** — implement before Features 4 and 7 (they become new backends)
 ---
 ### 9. HKDF Key Separation
 Subsumed by Feature 5. The HKDF expansion provides:
 - Encryption key: `HKDF-Expand(root_key, info="stegasoo-encrypt", nonce)`
 - Pixel selection key: `HKDF-Expand(root_key, info="stegasoo-pixel", nonce)`
 - Future: MAC key, padding key, etc.
 ---
 ### 10. `[core]` Extra with Minimal Deps
 **Description**: Move Pillow to `[image]` extra, base deps = `cryptography` + `argon2-cffi` + `zstandard` only.
 **Complexity**: **S** — but Pillow is used in `crypto.py` for photo hashing (core to security model). Only worth it with a concrete headless use case. **Low priority.**
 ---
 ## Ecosystem Features
 ### 11. Aletheia Integration
 Optional `--engine aletheia` backend for Feature 2's `stegasoo check`. BSD-licensed, provides SPA/RS/WS attacks + ML classifiers. **Complexity: S** (after Feature 2). **Depends on**: Feature 2.
 ### 12. C2PA/AI Provenance Watermarking
 Embed C2PA metadata alongside stego payloads. **Complexity: L** — C2PA is a complex standard. Potentially conflicts with stego goals (adds detectable metadata). Research-heavy.
 ### 13. Signal/Matrix Bot
 Bot that decodes stego images in a channel using configured channel key. **Complexity: M** — integration work, uses existing `decode()` API.
 ### 14. Homebrew Tap + Nix Flake
 Package distribution for macOS/NixOS. **Complexity: S** — packaging only, no code changes.
 ---
 ## Summary Table
 | # | Feature | Tier | Size | Dependencies | Primary Files |
 |---|---------|------|------|-------------|---------------|
 | 1 | Platform DCT Presets | T1 | M | — | new `platform_presets.py`, `dct_steganography.py`, `encode.py`, `cli.py` |
 | 2 | Steganalysis Self-Check | T1 | M | — | new `steganalysis.py`, `cli.py`, `constants.py` |
 | 3 | Python 3.13 DCT Cleanup | T1 | S | — | `dct_steganography.py` |
 | 4 | Content-Adaptive Embedding | T2 | L | numpy, #2 | new `adaptive_cost.py`, `steganography.py`, `constants.py` |
 | 5 | HKDF Forward Secrecy | T2 | M | — | `crypto.py`, `constants.py`, `steganography.py` |
 | 6 | PWA Mobile Interface | T2 | M | — | `frontends/web/` templates + static |
 | 7 | Dual-Payload Mode | T3 | XL | #2, #4 | new `dual_payload.py`, `steganography.py`, `cli.py` |
 | 8 | EmbeddingBackend Protocol | Arch | M | — | new `backends/` package, `steganography.py` |
 | 9 | HKDF Key Separation | Arch | — | Included in #5 | `crypto.py` |
 | 10 | `[core]` Extra | Arch | S | — | `pyproject.toml` |
 | 11 | Aletheia Integration | Eco | S | #2 | `steganalysis.py` |
 | 12 | C2PA Watermarking | Eco | L | — | new module |
 | 13 | Signal/Matrix Bot | Eco | M | — | new `bots/` package |
 | 14 | Homebrew + Nix | Eco | S | — | packaging files only |
 ---
 ## Suggested Roadmap
 ### Phase 1 — Foundations (v4.4.0)
 1. **#3** Python 3.13 DCT Cleanup (S) — unblocks CI on 3.13
 2. **#8** EmbeddingBackend Protocol (M) — architectural cleanup before new embedding work
 3. **#2** Steganalysis Self-Check (M) — validation tooling for everything that follows
 ### Phase 2 — Security & Robustness (v4.5.0)
 4. **#5** HKDF Forward Secrecy (M) — FORMAT_VERSION bump to 6, improved crypto
 5. **#1** Platform-Calibrated DCT Presets (M) — high user value for social media
 6. **#14** Homebrew + Nix (S) — distribution expansion
 ### Phase 3 — Advanced Steganography (v5.0.0)
 7. **#4** Content-Adaptive Embedding (L) — major security improvement
 8. **#6** PWA Mobile Interface (M) — parallel frontend work stream
 ### Phase 4 — Moonshot (v5.x+)
 9. **#7** Dual-Payload Mode (XL) — after #2 and #4 are solid
 10. **#12** C2PA Watermarking (L) — research-heavy
 11. **#13** Signal/Matrix Bot (M) — community-driven
 ---
 ## Additional Ideas (Backlog)
 - **Animated GIF steganography** — LSB in GIF frames, natural multi-media extension
 - **PDF steganography** — whitespace/font metric/embedded image payloads
 - **Batch encode** — `stegasoo batch-encode --dir /photos/` with auto carrier selection (BATCH_* constants suggest this was planned)
 - **Stego identification** — `stegasoo identify image.png` probes for known stego signatures
 - **Per-device credential sync via QR** — channel key as stego image of reference photo
 - **`stegasoo verify`** — decode + confirm message matches expected hash without revealing contents
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
 MIT License
 Copyright (c) 2024-2025 Aaron D. Lee
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/PLAN-4.1.6.md
+++ b/PLAN-4.1.6.md
@@ -0,0 +1,97 @@
 # Stegasoo v4.1.6 Planning
 ## UI Tweaks
 ### 1. Revamp Tron Lines Animation (Carrier/Stego Image)
 **Current state:**
 - 6-8 snake paths, each with 3-5 segments (~24-40 total lines)
 - 2px thick lines
 - 30-60px length per segment
 - Starting points spread across 80% of image area
 - Colors: yellow, cyan, purple, blue with glow
 **Target improvements:**
 - [x] Thinner lines (1px instead of 2px)
 - [x] More numerous (20-40 paths via 5x4 grid, ~60-200 segments total)
 - [x] Better distribution across entire image (grid-based seeding)
 - [x] Shorter segments (12-30px) for denser "circuit board" look
 **Files:**
 - `frontends/web/static/style.css` (~881-979) - `.embed-trace` styling
 - `frontends/web/static/js/stegasoo.js` (~333-390) - `generateEmbedTraces()`
 ---
 ## Tools Page Expansion
 ### Analysis Tools
 - [x] **JPEG Compression Tester** - Preview image at different quality levels (10-100%), show file size delta. Useful for understanding stego survivability.
 - [ ] **LSB Plane Viewer** - Visualize least significant bit plane(s) of RGB channels. Classic stego analysis tool.
 - [ ] **Histogram Viewer** - Color distribution graph per channel. Anomalies can indicate hidden data.
 - [ ] **Image Diff** - Compare two images side-by-side with pixel difference highlighting. Great for original vs stego comparison.
 - [ ] **Noise Analysis** - Chi-square or similar statistical analysis for detecting LSB embedding.
 ### Transform Tools
 - [x] **Rotate/Flip** - 90°/180°/270° rotation, horizontal/vertical flip
 - [ ] **Resize** - Scale with aspect ratio lock, common presets (50%, 25%, etc.)
 - [ ] **Crop** - Basic rectangular crop with preview
 - [x] **Format Convert** - PNG ↔ JPEG ↔ WebP with quality slider
 ### Existing Tools (already done)
 - [x] Capacity Calculator
 - [x] EXIF Viewer
 - [x] EXIF Strip
 - [x] Image Peek (header analysis)
 ### Tools UI/UX Overhaul
 **Final Layout: Office-style Ribbon + Two-Panel**
 ```
 ┌─────────────────────────────────────────────────────────────┐
 │  📏  📋  👁️  📊  ┃  ✂️  🔄  📐  🔀      Image Tools         │ ← Icon toolbar
 ├────────────────────────────────────────┬────────────────────┤
 │  [Format: PNG ▼] [Quality: 85]         │                    │
 ├────────────────────────────────────────┤  Capacity          │
 │                                        │  Calculator        │
 │    ┌────────────────────────────┐     │  ──────────────    │
 │    │                            │     │                    │
 │    │      Drop image here       │     │  Dimensions:       │
 │    │         or click           │     │  1920 × 1080       │
 │    │                            │     │                    │
 │    └────────────────────────────┘     │  LSB Capacity:     │
 │                                        │  245 KB            │
 │           [image.jpg]                  │                    │
 │                                        │  ──────────────    │
 │                                        │  [Clear] [Export]  │
 └────────────────────────────────────────┴────────────────────┘
      Options + dropzone/preview             Results sidebar
 ```
 - Top ribbon: Icon buttons grouped by category (Analyze | Transform)
 - Left panel: Tool options + dropzone/preview (INPUT)
 - Right panel: Tool name + results/metadata + actions (OUTPUT)
 - Flow: Left → Right (input → output)
 **Implementation Tasks:**
 - [x] Move inline CSS to style.css
 - [x] Build icon toolbar ribbon
 - [x] Build two-panel layout structure
 - [x] Migrate existing tools (Capacity, EXIF, Strip)
 - [x] Add new tools (Rotate, Compress, Convert)
 - [ ] Loading spinner on all async operations
 - [ ] Toast notifications instead of alerts
 - [ ] Consistent color coding (green=analysis, amber=transform)
 - [ ] Mobile: stack panels vertically
 ---
 ## CLI Improvements
 ### (Add items here)
 ---
 ## Other UI Tweaks
 ### (Add items here)
--- a/README.md
+++ b/README.md
@@ -1,273 +1,167 @@
 # Stegasoo
-A secure steganography system for hiding encrypted messages in images using hybrid authentication.
+A secure steganography system for hiding encrypted messages in images and audio using hybrid authentication.
-![Python](https://img.shields.io/badge/Python-3.10+-blue)
+[![Tests](https://github.com/adlee-was-taken/stegasoo/actions/workflows/test.yml/badge.svg)](https://github.com/adlee-was-taken/stegasoo/actions/workflows/test.yml)
-![License](https://img.shields.io/badge/License-MIT-green)
+[![Lint](https://github.com/adlee-was-taken/stegasoo/actions/workflows/lint.yml/badge.svg)](https://github.com/adlee-was-taken/stegasoo/actions/workflows/lint.yml)
 ![Python](https://img.shields.io/badge/Python-3.11--3.14-blue)
 [![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
 ![Security](https://img.shields.io/badge/Security-AES--256--GCM-red)
 ## Features
- 🔐 **AES-256-GCM** authenticated encryption
+- **AES-256-GCM** authenticated encryption
- 🧠 **Argon2id** memory-hard key derivation (256MB RAM requirement)
+- **Argon2id** memory-hard key derivation (256MB RAM requirement)
- 🎲 **Pseudo-random pixel selection** defeats steganalysis
+- **Pseudo-random pixel selection** defeats steganalysis
- 📅 **Daily key rotation** with BIP-39 passphrases
+- **Multi-factor authentication**: Reference photo + passphrase + PIN/RSA key
- 🔑 **Multi-factor authentication**: PIN, RSA key, or both
+- **Multiple interfaces**: CLI, Web UI, REST API
- 🖼️ **Reference photo** as "something you have"
+- **File embedding**: Hide any file type (PDF, ZIP, documents)
- 🌐 **Multiple interfaces**: CLI, Web UI, REST API
+- **DCT steganography**: JPEG-resilient embedding for social media
 - **Audio steganography**: Hide messages in WAV, FLAC, MP3, OGG, AAC, M4A files (LSB and Spread Spectrum modes)
 - **Channel keys**: Private group communication channels
-## Installation
+## Embedding Modes
-### From PyPI (coming soon)
+### Image Modes
-```bash
+| Mode | Capacity (1080p) | JPEG Resilient | Best For |
-# Core library only
+|------|------------------|----------------|----------|
-pip install stegasoo
+| **DCT** (default) | ~150 KB | Yes | Social media, messaging apps |
 | **LSB** | ~750 KB | No | Email, direct file transfer |
-# With CLI
+### Audio Modes
 pip install stegasoo[cli]
-# With Web UI
+| Mode | Capacity (5 min WAV) | Noise Resistant | Best For |
-pip install stegasoo[web]
+|------|---------------------|-----------------|----------|
 | **LSB** | ~1.3 MB | No | Direct file transfer |
 | **Spread Spectrum** | ~160 KB | Yes | Shared files, light processing |
-# With REST API
+## Web UI
 pip install stegasoo[api]
-# Everything
+| Home | Encode | Decode | Generate |
-pip install stegasoo[all]
+|:----:|:------:|:------:|:--------:|
-```
+| ![Home](data/WebUI.webp) | ![Encode](data/WebUI_Encode.webp) | ![Decode](data/WebUI_Decode.webp) | ![Generate](data/WebUI_Generate.webp) |
 ### From Source
 ```bash
 git clone https://github.com/example/stegasoo.git
 cd stegasoo
 # Install with all extras
 pip install -e ".[all]"
 ```
 ### Docker
 ```bash
 # Web UI only
 docker-compose up web
 # REST API only
 docker-compose up api
 # Both
 docker-compose up
 ```
 ## Quick Start
-### Python Library
+```bash
-
+# Install (Python 3.10-3.12)
-```python
+pip install -e ".[all]"
 import stegasoo
 # Generate credentials
-creds = stegasoo.generate_credentials(use_pin=True, use_rsa=False)
+stegasoo generate --pin --words 4
 print(f"Today's phrase: {creds.phrases['Monday']}")
 print(f"PIN: {creds.pin}")
 # Encode a message
 with open('secret_photo.jpg', 'rb') as f:
    ref_photo = f.read()
 with open('meme.png', 'rb') as f:
    carrier = f.read()
 result = stegasoo.encode(
    message="Meet at midnight",
    reference_photo=ref_photo,
    carrier_image=carrier,
    day_phrase="apple forest thunder",
    pin="123456"
 )
 with open('stego.png', 'wb') as f:
    f.write(result.stego_image)
 # Decode a message
 message = stegasoo.decode(
    stego_image=result.stego_image,
    reference_photo=ref_photo,
    day_phrase="apple forest thunder",
    pin="123456"
 )
 print(message)  # "Meet at midnight"
 ```
 ### CLI
 ```bash
 # Generate credentials
 stegasoo generate --pin --words 3
 # With RSA key
 stegasoo generate --rsa --rsa-bits 4096 -o mykey.pem -p "secretpassword"
 # Encode
 stegasoo encode \
-  --ref photo.jpg \
+  --ref my_photo.jpg \
-  --carrier meme.png \
+  --carrier meme.jpg \
-  --phrase "apple forest thunder" \
+  --passphrase "apple forest thunder mountain" \
  --pin 123456 \
  --message "Secret message"
 # Decode
 stegasoo decode \
-  --ref photo.jpg \
+  --ref my_photo.jpg \
-  --stego stego.png \
+  --stego stego_image.png \
-  --phrase "apple forest thunder" \
+  --passphrase "apple forest thunder mountain" \
  --pin 123456
 # Pipe-friendly
 echo "secret" | stegasoo encode -r photo.jpg -c meme.png -p "words" --pin 123456 > stego.png
 stegasoo decode -r photo.jpg -s stego.png -p "words" --pin 123456 -q
 ```
-### Web UI
+## Interfaces
-```bash
+| Interface | Start Command | Documentation |
-# Development
+|-----------|---------------|---------------|
-cd frontends/web
+| **CLI** | `stegasoo --help` | [CLI.md](CLI.md) |
-python app.py
+| **Web UI** | `cd frontends/web && python app.py` | [WEB_UI.md](WEB_UI.md) |
-
+| **REST API** | `cd frontends/api && uvicorn main:app` | [API.md](API.md) |
 # Production
 gunicorn --bind 0.0.0.0:5000 app:app
 ```
 Visit http://localhost:5000
 ### REST API
 ```bash
 # Development
 cd frontends/api
 python main.py
 # Production
 uvicorn main:app --host 0.0.0.0 --port 8000
 ```
 API docs at http://localhost:8000/docs
 #### Example API Calls
 ```bash
 # Generate credentials
 curl -X POST http://localhost:8000/generate \
  -H "Content-Type: application/json" \
  -d '{"use_pin": true, "use_rsa": false}'
 # Encode (multipart)
 curl -X POST http://localhost:8000/encode/multipart \
  -F "message=Secret" \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@photo.jpg" \
  -F "carrier=@meme.png" \
  --output stego.png
 # Decode (multipart)
 curl -X POST http://localhost:8000/decode/multipart \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@photo.jpg" \
  -F "stego_image=@stego.png"
 ```
 ## Security Model
 | Component | Entropy | Purpose |
 |-----------|---------|---------|
 | Reference Photo | ~80-256 bits | Something you have |
 | Day Phrase (3 words) | ~33 bits | Something you know (rotates daily) |
 | PIN (6 digits) | ~20 bits | Something you know (static) |
 | RSA Key (2048-bit) | ~128 bits | Something you have |
 | **Combined** | **133-400+ bits** | **Beyond brute force** |
 ### Attack Resistance
 | Attack | Protection |
 |--------|------------|
 | Brute force | 2^133+ combinations |
 | Rainbow tables | Random salt per message |
 | Steganalysis | Random pixel selection |
 | GPU cracking | Argon2id requires 256MB RAM per attempt |
 | Side-channel | Constant-time operations in crypto |
 ## Project Structure
 ```
-stegasoo/
+Reference Photo ──┐
-├── src/stegasoo/           # Core library
+(~80-256 bits)    │
-│   ├── __init__.py         # Public API
+                  ├──► Argon2id KDF ──► AES-256-GCM Key
-│   ├── constants.py        # Configuration
+Passphrase ───────┤    (256MB RAM)
-│   ├── crypto.py           # Encryption/decryption
+(~43-132 bits)    │
-│   ├── steganography.py    # Image embedding
+                  │
-│   ├── keygen.py           # Credential generation
+PIN ──────────────┤
-│   ├── validation.py       # Input validation
+(~20-30 bits)     │
-│   ├── models.py           # Data classes
+                  │
-│   ├── exceptions.py       # Custom exceptions
+RSA Key ──────────┘
-│   └── utils.py            # Utilities
+(optional)
 │
 ├── frontends/
 │   ├── web/                # Flask web UI
 │   ├── cli/                # Command-line interface
 │   └── api/                # FastAPI REST API
 │
 ├── data/
 │   └── bip39-words.txt     # BIP-39 wordlist
 │
 ├── pyproject.toml          # Package configuration
 ├── Dockerfile              # Multi-stage Docker build
 └── docker-compose.yml      # Container orchestration
 ```
-## Configuration
+| Configuration | Entropy | Use Case |
 |--------------|---------|----------|
 | 4-word passphrase + 6-digit PIN | ~153 bits | Standard security |
 | 4-word passphrase + PIN + RSA | ~280+ bits | Maximum security |
-### Environment Variables
+## Requirements
-| Variable | Default | Description |
+| Requirement | Version |
-|----------|---------|-------------|
+|-------------|---------|
-| `FLASK_ENV` | production | Flask environment |
+| Python | 3.10-3.12 |
-| `PYTHONPATH` | - | Include src/ for development |
+| RAM | 512 MB+ |
 ### Limits
 | Limit | Value |
 |-------|-------|
 | Max image size | 4 megapixels |
 | Max message size | 50 KB |
 | Max file upload | 5 MB |
 | PIN length | 6-9 digits |
 | Phrase length | 3-12 words |
 | RSA key sizes | 2048, 3072, 4096 bits |
 ## Development
 ```bash
 # Install dev dependencies
 pip install -e ".[dev]"
 # Run tests
 pytest
-
+black src/ tests/ frontends/
-# Format code
+ruff check src/ tests/ frontends/
 black src/ frontends/
 ruff check src/ frontends/
 # Type checking
 mypy src/
 ```
 ## Docker
 ```bash
 # Quick start (HTTPS enabled by default)
 docker-compose -f docker/docker-compose.yml up -d
 # Access
 # Web UI:   https://localhost:5000  (self-signed cert)
 # REST API: http://localhost:8000
 # Disable HTTPS if needed:
 STEGASOO_HTTPS_ENABLED=false docker-compose -f docker/docker-compose.yml up -d
 ```
 See [DOCKER.md](DOCKER.md) and [docs/DOCKER_QUICKSTART.md](docs/DOCKER_QUICKSTART.md) for full documentation.
 ## Raspberry Pi
 Pre-built SD card images available for Pi 4/5:
 ```bash
 # Flash image (download from GitHub Releases)
 zstdcat stegasoo-rpi-*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress
 # First boot runs interactive setup wizard:
 # - WiFi configuration
 # - HTTPS with port 443
 # - Channel key generation
 # - Optional overclocking
 ```
 See [rpi/README.md](rpi/README.md) for manual installation.
 ## Documentation
 - [INSTALL.md](INSTALL.md) - Installation guide
 - [DOCKER.md](DOCKER.md) - Docker deployment
 - [CLI.md](CLI.md) - Command-line reference
 - [API.md](API.md) - REST API documentation
 - [WEB_UI.md](WEB_UI.md) - Web interface guide
 - [SECURITY.md](SECURITY.md) - Security model details
 - [UNDER_THE_HOOD.md](UNDER_THE_HOOD.md) - Technical deep-dive
 - [CHANGELOG.md](CHANGELOG.md) - Version history
 - [CONTRIBUTING.md](CONTRIBUTING.md) - Contributor guide
 - `man stegasoo` - Man page (install: `sudo cp docs/stegasoo.1 /usr/local/share/man/man1/ && sudo mandb`)
 ## License
-MIT License - Use responsibly.
+MIT License - see [LICENSE](LICENSE). Use responsibly.
-## ⚠️ Disclaimer
+---
-This tool is for educational and legitimate privacy purposes only. Users are responsible for complying with applicable laws in their jurisdiction.
+*This tool is for educational and legitimate privacy purposes. Users are responsible for complying with applicable laws.*
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -0,0 +1,44 @@
 # Stegasoo Release Checklist
 Pre-release validation checklist. Complete all items before tagging a release.
 ## Code Quality
 - [ ] All tests pass: `./venv/bin/pytest tests/ -v`
 - [ ] No lint errors: `./venv/bin/ruff check src/`
 - [ ] Version bumped in `pyproject.toml`
 - [ ] CHANGELOG.md updated
 ## Pi Image Validation
 - [ ] Fresh Pi OS install with setup.sh works
 - [ ] First-boot wizard completes successfully
 - [ ] MOTD shows correct URL on SSH login
 - [ ] Smoke test passes: `./rpi/smoke-test.sh --443 <PI_IP>`
 - [ ] Encode/decode works on large image (10MB+)
 - [ ] Sanitize script runs cleanly
 - [ ] Image created and compressed
 ## Docker Validation
 - [ ] Base image builds: `docker build -f docker/Dockerfile.base -t stegasoo-base:latest .`
 - [ ] Web image builds: `docker-compose -f docker/docker-compose.yml build web`
 - [ ] Container starts: `docker-compose -f docker/docker-compose.yml up -d web`
 - [ ] Web UI accessible at http://localhost:5000
 - [ ] Encode/decode works in container
 - [ ] Container stops cleanly: `docker-compose -f docker/docker-compose.yml down`
 ## Release Process
 - [ ] Merge feature branch to main
 - [ ] Create annotated tag: `git tag -a vX.Y.Z -m "message"`
 - [ ] Push tag: `git push origin vX.Y.Z`
 - [ ] Create GitHub Release with release notes
 - [ ] Upload Pi image (.img.zst.zip)
 - [ ] Verify download links work
 ## Post-Release
 - [ ] Delete old/obsolete releases if needed
 - [ ] Update any external documentation
 - [ ] Announce release (if applicable)
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -0,0 +1,173 @@
 # v4.3.0 — Audio Steganography
 **Release Date:** 2026-02-27
 ## Highlights
 Stegasoo can now hide messages in audio files! This release adds full audio steganography support with two embedding modes:
 - **LSB (Least Significant Bit)**: Embeds data directly in audio sample LSBs. High capacity, best for direct file transfers.
 - **Spread Spectrum**: Spreads data across audio frequencies using pseudo-random sequences. Lower capacity but more resistant to noise and light processing.
 ## What's New
 ### Audio Steganography
 - Support for WAV, FLAC, MP3, OGG, AAC, and M4A input formats
 - Automatic transcoding to WAV (16-bit PCM) for embedding
 - Same security model: reference photo + passphrase + PIN/RSA + channel key
 - Full CLI, REST API, and Web UI support
 ### Unified Web UI
 - Encode and Decode pages now feature a "Carrier Type" selector
 - Switch between Image and Audio modes without leaving the page
 - Audio capacity display shows LSB and Spread Spectrum capacities
 - Audio preview player on encode result page
 ### New Modules
 - `audio_steganography.py` — LSB audio embedding/extraction
 - `spread_steganography.py` — Spread spectrum embedding/extraction
 - `audio_utils.py` — Audio format detection, validation, transcoding
 - `debug.py` — Structured logging for all operations
 ## Upgrade Notes
 Audio steganography requires `numpy` and `soundfile` packages. Install with:
 ```bash
 pip install stegasoo[audio]
 ```
 For full audio format support (MP3, AAC, etc.), install FFmpeg on your system.
 ---
 ## Stegasoo v4.2.1
 ### API Security
 **API Key Authentication**
 - All protected endpoints require `X-API-Key` header
 - Keys stored hashed (SHA-256) in `~/.stegasoo/api_keys.json`
 - Auth disabled when no keys configured (easy onboarding)
 **TLS Support**
 - Self-signed certificates auto-generated on first run
 - Certs valid for localhost, all local IPs, hostname.local
 - CLI: `stegasoo api tls generate` to pre-generate
 ### CLI Improvements
 **New API Management Commands**
 ```bash
 stegasoo api keys create NAME    # Create new key
 stegasoo api keys list           # List API keys
 stegasoo api tls generate        # Generate TLS cert
 stegasoo api serve               # Start server with TLS
 ```
 **New Image Tools**
 ```bash
 stegasoo tools compress IMG -q 75   # JPEG compression
 stegasoo tools rotate IMG -r 90     # Lossless rotation
 stegasoo tools convert IMG -f png   # Format conversion
 ```
 ### Bug Fixes
 - **DCT rotation**: Portrait photos no longer export rotated 90°
 - **jpegtran**: Removed `-trim` flag that destroyed DCT stego data
 - **CLI encode**: Now outputs JPEG when carrier is JPEG (was always PNG)
 - **Import paths**: Fixed for installed packages (AUR/pip)
 ### Installation
 **AUR (Arch Linux)**
 ```bash
 yay -S stegasoo-git       # Full (Web + API + CLI)
 yay -S stegasoo-cli-git   # CLI only
 ```
 **Docker**
 ```bash
 docker-compose -f docker/docker-compose.yml up -d
 ```
 **Raspberry Pi**
 Flash `stegasoo-rpi-4.2.1.img.zst.zip` to SD card.
 Default login: `admin` / `stegasoo`
 ### Requirements
 - Python 3.11 - 3.14 (dropped 3.10 support)
 ### Release Assets
 | File | Description |
 |------|-------------|
 | `stegasoo-rpi-4.2.1.img.zst.zip` | Raspberry Pi SD card image |
 | `stegasoo-docker-base-4.2.1.tar.zst` | Docker base image |
 | Source code (zip/tar.gz) | Auto-generated |
 ---
 ## Stegasoo v4.2.0
 ### Performance Optimizations
 Major performance improvements for Raspberry Pi and resource-constrained deployments.
 #### DCT Vectorization (~14x faster)
 - Batch DCT processing using `scipy.fft.dctn` with `axes=(1,2)`
 - Processes 500 blocks at once instead of one-by-one
 - Decode time reduced from ~2.6s to ~0.8s on 1MB images
 #### Memory Optimization (50% reduction)
 - Switched from `float64` to `float32` for all DCT operations
 - Peak RAM: 211 MB → 107 MB for encode, 104 MB → 52 MB for decode
 - Critical for Pi 3/4 avoiding swap thrashing
 #### Progress Callbacks for Decode
 - `progress_file` parameter added to `decode()` and extraction functions
 - UI can now show decode progress (phases: loading, extracting, decoding, complete)
 - JSON format: `{"current": 80, "total": 100, "percent": 80.0, "phase": "decoding"}`
 #### Async API Endpoints
 - Encode/decode operations now run in thread pool via `asyncio.to_thread()`
 - API server can handle concurrent requests without blocking
 - Essential for multi-user Pi deployments
 ### Compression
 #### Zstd Default Compression
 - `zstandard` is now a core dependency (always installed)
 - Better compression ratio than zlib for QR code RSA keys
 - New `STEGASOO-ZS:` prefix for zstd, backward compatible with `STEGASOO-Z:` (zlib)
 ### QR Code Generation
 #### CLI Support
 - `stegasoo generate --rsa --qr key.png` - save RSA key as QR image (PNG/JPG)
 - `stegasoo generate --rsa --qr-ascii` - print ASCII QR to terminal
 #### API Support
 - `POST /generate-key-qr` - generate QR from RSA key
 - Supports `png`, `jpg`, and `ascii` output formats
 - Uses zstd compression by default
 ### Other Changes
 - RSA key size capped at 3072 bits (4096 too large for QR codes)
 - File auto-expire increased to 10 minutes
 - Progress bar "candy cane" animation during Argon2 key derivation
 - Optional API service in Pi setup (with security warning)
 ### Summary
 | Metric | v4.1.7 | v4.2.0 | Improvement |
 |--------|--------|--------|-------------|
 | Decode (1MB) | ~2.6s | ~0.8s | **70% faster** |
 | Peak RAM | 211 MB | 107 MB | **50% less** |
 | Concurrent API | No | Yes | check |
 | QR Compression | zlib | zstd | **~15% smaller** |
 ### Full Changelog
 See [CHANGELOG.md](CHANGELOG.md) for complete version history.
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,274 @@
 # Security Policy
 ## Supported Versions
 | Version | Supported          | Notes |
 | ------- | ------------------ | ----- |
 | 4.1.x   | Current Version | What you SHOULD be using. |
 | 4.x.x   | ⚠️ Security fixes only | Upgrade (EOL soon) |
 | <= 3.x.x   | ❌ End of life | |
 ## Reporting a Vulnerability
 **Please do not report security vulnerabilities through public GitHub issues.**
 Instead, please email: **adlee-was-taken@proton.me**
 Include:
 - Description of the vulnerability
 - Steps to reproduce
 - Potential impact
 - Any suggested fixes
 You should receive a response within 48 hours. We'll work with you to understand and address the issue.
 ---
 # Threat Model
 ## What Stegasoo Protects
 Stegasoo is designed to hide the **existence** of a secret message within an ordinary-looking image, protected by multi-factor authentication.
 ### Protection Goals
 | Goal | How It's Achieved |
 |------|-------------------|
 | **Confidentiality** | AES-256-GCM encryption with Argon2id key derivation |
 | **Steganography** | LSB/DCT embedding with pseudo-random pixel/coefficient selection |
 | **Authentication** | Multi-factor: reference photo + passphrase + PIN (or RSA key) |
 | **Integrity** | GCM authentication tag detects tampering |
 ### Security Factors
 Stegasoo combines multiple authentication factors:
 ```
 ┌─────────────────────────────────────────────────────────────────┐
 │                     Key Derivation                              │
 │                                                                 │
 │  Reference Photo ───────┐                                       │
 │  (something you have)   │                                       │
 │                         ├──► Argon2id ──► AES-256 Key           │
 │  Passphrase ────────────┤    (256MB RAM)                        │
 │  (something you know)   │                                       │
 │                         │                                       │
 │  PIN or RSA Key ────────┘                                       │
 │  (second factor)                                                │
 └─────────────────────────────────────────────────────────────────┘
 ```
 ## Changes in v4.0
 ### Removed: Date-Based Key Rotation
 **Previous versions (v3.x and earlier):**
 - Required a date parameter for encode/decode
 - Keys rotated daily based on "day phrase"
 - Users had to remember which date they used
 **Version 4.0:**
 - No date dependency
 - Single passphrase (no rotation)
 - Simpler but slightly reduced entropy per-message
 **Security Impact:** 
 - Minimal - the date only added ~10 bits of entropy
 - Passphrase default increased from 3 to 4 words to compensate (+11 bits)
 - Overall entropy remains similar or higher with 4-word default
 ### Renamed: day_phrase → passphrase
 Terminology change only. No security impact.
 ## What Stegasoo Does NOT Protect Against
 ### 1. Statistical Steganalysis
 **Risk:** Advanced analysis can detect that an image contains hidden data.
 **Reality:** LSB steganography is detectable by:
 - Chi-square analysis
 - RS analysis
 - Machine learning classifiers
 **DCT mode is more resilient** but not undetectable.
 **Mitigation:** Stegasoo uses pseudo-random pixel/coefficient selection, which helps but doesn't eliminate detectability.
 **Recommendation:** Don't rely on Stegasoo if your adversary has:
 - Access to the original carrier image
 - Sophisticated forensic tools
 - Motivation to analyze your specific images
 ### 2. Compromised Endpoints
 **Risk:** If your device is compromised, the attacker can capture credentials.
 **Not protected:**
 - Keyloggers capturing your PIN/passphrase
 - Screen capture of decoded messages
 - Memory scraping during encode/decode
 - Malware on sender or receiver device
 **Recommendation:** Use on trusted devices only.
 ### 3. Reference Photo Exposure
 **Risk:** The reference photo is a critical secret.
 **If leaked:** Attacker only needs to guess/brute-force the passphrase + PIN.
 **Recommendation:**
 - Never share the reference photo
 - Use a unique photo (not posted online)
 - Store securely (encrypted drive, password manager)
 ### 4. Weak Credentials
 **Risk:** Short PINs or common passphrases can be brute-forced.
 | PIN Length | Combinations | Time to Brute Force* |
 |------------|--------------|----------------------|
 | 4 digits   | 10,000       | Seconds              |
 | 6 digits   | 1,000,000    | Minutes              |
 | 8 digits   | 100,000,000  | Hours                |
 | 9 digits   | 1,000,000,000| Days                 |
 *With Argon2 (256MB RAM, 4 iterations), each attempt takes ~1 second, making brute force slow but not impossible for short PINs.
 **Recommendation:**
 - Use 8+ digit PINs
 - Use 4+ word passphrases (v4.0 default)
 - Consider RSA keys for high-security use cases
 ### 5. Image Modification
 **Risk:** Lossy compression destroys hidden data.
 **LSB mode - data is destroyed by:**
 - JPEG compression
 - Resizing
 - Filters/effects
 - Screenshots
 - Social media upload
 **DCT mode - more resilient but not immune:**
 - Survives moderate JPEG recompression
 - May fail with aggressive compression (quality < 70)
 - Still destroyed by resizing, filters, screenshots
 **Recommendation:** 
 - LSB: Always use lossless formats (PNG, BMP), direct transfer
 - DCT: Use for social media, but test with your specific platform
 ### 6. Metadata Leakage
 **Risk:** The stego image itself may reveal information.
 **Potential leaks:**
 - File creation timestamp
 - Camera EXIF data (if carrier has it)
 - File size changes
 **Mitigation:** Stegasoo strips EXIF on output, but timestamps remain.
 ### 7. Traffic Analysis
 **Risk:** The act of sending an image may be suspicious.
 **Not protected:**
 - Network observers seeing you send image files
 - Email metadata showing sender/receiver
 - Frequency analysis of communications
 **Recommendation:** Use alongside normal image-sharing behavior.
 ## Cryptographic Details
 ### Encryption
 | Component | Algorithm | Parameters |
 |-----------|-----------|------------|
 | Key Derivation | Argon2id | 256MB RAM, 4 iterations, 4 parallelism |
 | Fallback KDF | PBKDF2-SHA256 | 600,000 iterations |
 | Encryption | AES-256-GCM | 12-byte IV, 16-byte tag |
 | Photo Hash | SHA-256 | Full image bytes |
 ### Pixel/Coefficient Selection
 Selection key is derived from:
 ```
 selection_key = SHA256(photo_hash || passphrase || pin/rsa_signature)
 ```
 This prevents:
 - Sequential embedding patterns
 - Statistical detection of modified regions
 ### Message Format (v4.0)
 ```
 ┌──────────────────────────────────────────────────────────────────┐
 │ Magic (4B) │ Version (1B) │ Salt (32B) │ IV (12B)                │
 ├──────────────────────────────────────────────────────────────────┤
 │ Encrypted Payload (AES-256-GCM)                                  │
 │ ├── Type (1B): 0x01=text, 0x02=file                              │
 │ ├── Length (4B)                                                  │
 │ ├── Data (variable)                                              │
 │ └── [Filename if file] (variable)                                │
 ├──────────────────────────────────────────────────────────────────┤
 │ GCM Auth Tag (16B)                                               │
 └──────────────────────────────────────────────────────────────────┘
 ```
 **Note:** v4.0 removed the date field from the header, reducing overhead by 10 bytes.
 ## Best Practices
 ### For Maximum Security
 1. **Use RSA keys** instead of PINs for authentication
 2. **Use unique reference photos** not available online
 3. **Use long passphrases** (4+ random words, recommend 6+)
 4. **Transfer via secure channels** (Signal, encrypted email)
 5. **Delete stego images** after message is read
 6. **Keep software updated** for security fixes
 7. **Use DCT mode** for social media sharing
 ### For Casual Privacy
 1. **6-digit PIN** is sufficient for non-adversarial use
 2. **4-word passphrase** provides reasonable security (v4.0 default)
 3. **PNG format** for LSB mode output
 4. **Direct file transfer** (email attachment, AirDrop)
 ## Known Limitations
 | Limitation | Impact | Status |
 |------------|--------|--------|
 | LSB is detectable | Statistical analysis can detect hidden data | By design (tradeoff for capacity) |
 | No forward secrecy | Compromised key decrypts all messages | Use different keys per message for high security |
 | No deniability | Single password = single message | Future: plausible deniability layers |
 | Python 3.13 incompatible | jpegio C extension crashes | Use Python 3.12 or earlier |
 ## Security Audit Status
 This software has **not** been professionally audited. Use at your own risk for sensitive applications.
 If you're a security researcher interested in auditing Stegasoo, please reach out.
 ---
 ## Version History (Security Relevant)
 | Version | Security Changes |
 |---------|------------------|
 | 4.0.0   | Removed date dependency, increased default passphrase to 4 words, added JPEG normalization |
 | 3.2.0   | DCT color mode added |
 | 3.0.0   | Added DCT steganography mode |
 | 2.2.0   | Added compression (no security impact) |
 | 2.1.0   | Upgraded to Argon2id, increased iterations |
 | 2.0.0   | Added RSA key support |
 | 1.0.0   | Initial release |
--- a/SECURITY_AUDIT_PLAN.md
+++ b/SECURITY_AUDIT_PLAN.md
@@ -0,0 +1,284 @@
 # Stegasoo Security Audit Plan
 > **Target Audience**: Developers, security reviewers, and deployment administrators
 > **Scope**: Web UI, REST API, CLI, and cryptographic core
 > **Deployment Model**: Air-gapped / private LAN (primary), Internet-facing (secondary)
 ---
 ## Overview
 Stegasoo is a steganography tool designed for **air-gapped deployments** on private networks. While the primary threat model assumes a trusted local network, this audit plan covers security best practices for both isolated and potentially exposed deployments.
 ### Known Limitations (By Design)
 - **Self-signed certificates**: HTTPS uses self-signed certs; users must add exceptions or deploy their own CA
 - **No rate limiting**: Assumes trusted users on private network
 - **Single-node**: No distributed session store; sessions are per-instance
 - **Air-gap focus**: External security (firewalls, network isolation) is user's responsibility
 ---
 ## 1. Authentication & Authorization
 ### 1.1 Password Security
 - [ ] Passwords hashed with Argon2id (preferred) or PBKDF2 fallback
 - [ ] Minimum password length enforced (8+ characters)
 - [ ] Password not logged or exposed in error messages
 - [ ] Password change requires current password verification
 - [ ] Admin re-authentication required for sensitive operations (channel key export)
 ### 1.2 Session Management
 - [ ] Session tokens are cryptographically random
 - [ ] Session cookies have `HttpOnly` flag
 - [ ] Session cookies have `Secure` flag (when HTTPS enabled)
 - [ ] Session cookies have `SameSite` attribute
 - [ ] Sessions invalidated on logout
 - [ ] Sessions invalidated on password change
 - [ ] Session timeout configured appropriately
 ### 1.3 Authorization
 - [ ] Admin-only routes protected by `@admin_required` decorator
 - [ ] User-only routes protected by `@login_required` decorator
 - [ ] Users cannot access other users' saved channel keys
 - [ ] Users cannot modify other users' accounts
 - [ ] Role escalation not possible through API manipulation
 ---
 ## 2. Cryptographic Implementation
 ### 2.1 Key Derivation
 - [ ] KDF uses Argon2id with appropriate parameters (memory, iterations, parallelism)
 - [ ] PBKDF2 fallback uses sufficient iterations (600,000+)
 - [ ] Salt is cryptographically random and unique per operation
 - [ ] PIN/passphrase combined securely before KDF
 ### 2.2 Encryption
 - [ ] AES-256-GCM used for payload encryption
 - [ ] Nonce/IV is unique per encryption operation
 - [ ] Authentication tag verified before decryption
 - [ ] No padding oracle vulnerabilities
 ### 2.3 Channel Keys
 - [ ] Channel keys are 128-bit (32 hex chars)
 - [ ] Channel key derivation uses HKDF or similar
 - [ ] Channel isolation prevents cross-channel decryption
 - [ ] Fingerprint reveals no information about full key
 ### 2.4 Random Number Generation
 - [ ] All random values use `secrets` module or OS CSPRNG
 - [ ] No use of `random` module for security-sensitive operations
 ---
 ## 3. Input Validation & Injection Prevention
 ### 3.1 Web UI
 - [ ] All user input sanitized before rendering (XSS prevention)
 - [ ] Jinja2 auto-escaping enabled
 - [ ] No `| safe` filter on user-controlled content
 - [ ] Content-Security-Policy header configured
 - [ ] X-Content-Type-Options: nosniff
 ### 3.2 File Uploads
 - [ ] File size limits enforced server-side
 - [ ] File type validation (magic bytes, not just extension)
 - [ ] Uploaded files not executed
 - [ ] Filenames sanitized (path traversal prevention)
 - [ ] Temporary files cleaned up after processing
 ### 3.3 API Inputs
 - [ ] JSON schema validation on API endpoints
 - [ ] Integer overflow checks on size parameters
 - [ ] No SQL injection (parameterized queries only)
 - [ ] No command injection (no shell=True with user input)
 ---
 ## 4. Steganography-Specific Security
 ### 4.1 Carrier Image Handling
 - [ ] Malformed images don't crash the server (PIL/jpegio hardening)
 - [ ] DCT mode subprocess isolation for crash protection
 - [ ] Memory limits on image processing
 - [ ] No arbitrary code execution from image metadata
 ### 4.2 Payload Security
 - [ ] Payload size limits enforced
 - [ ] Encrypted payload indistinguishable from random noise
 - [ ] No metadata leakage in output images
 - [ ] Reference photo required (prevents dictionary attacks)
 ### 4.3 Capacity Reporting
 - [ ] Capacity calculation doesn't leak information about encoding method
 - [ ] Failed decodes don't reveal why (wrong key vs no data vs corrupted)
 ---
 ## 5. Network & Transport Security
 ### 5.1 HTTPS Configuration
 - [ ] TLS 1.2+ only (no SSLv3, TLS 1.0/1.1)
 - [ ] Strong cipher suites configured
 - [ ] Certificate generation uses 2048+ bit RSA or P-256 EC
 - [ ] Private key file permissions restricted (600)
 ### 5.2 Headers
 - [ ] X-Frame-Options: DENY (clickjacking prevention)
 - [ ] X-Content-Type-Options: nosniff
 - [ ] Referrer-Policy: same-origin
 - [ ] Permissions-Policy configured
 ### 5.3 CORS (if applicable)
 - [ ] CORS not enabled (or restricted to specific origins)
 - [ ] Credentials not allowed cross-origin
 ---
 ## 6. Error Handling & Logging
 ### 6.1 Error Messages
 - [ ] Stack traces not exposed to users in production
 - [ ] Error messages don't reveal sensitive paths or config
 - [ ] Failed login doesn't reveal if username exists
 ### 6.2 Logging
 - [ ] Passwords never logged
 - [ ] Channel keys never logged
 - [ ] Passphrases never logged
 - [ ] Log files have appropriate permissions
 - [ ] Sensitive operations logged for audit trail (optional)
 ---
 ## 7. Dependency Security
 ### 7.1 Python Dependencies
 - [ ] All dependencies pinned to specific versions
 - [ ] No known vulnerabilities in dependencies (run `pip-audit` or `safety`)
 - [ ] Dependencies from trusted sources only (PyPI)
 ### 7.2 Frontend Dependencies
 - [ ] All JS/CSS served locally (air-gap ready)
 - [ ] No CDN dependencies
 - [ ] Bootstrap and libraries are official releases
 - [ ] Subresource integrity considered for any external loads
 ---
 ## 8. Deployment Security
 ### 8.1 File Permissions
 - [ ] Database file not world-readable (600 or 640)
 - [ ] SSL certificates/keys not world-readable
 - [ ] Config files with secrets protected
 - [ ] Instance directory not in web root
 ### 8.2 Docker Deployment
 - [ ] Container runs as non-root user
 - [ ] No unnecessary capabilities
 - [ ] Resource limits configured
 - [ ] Health checks don't expose sensitive info
 ### 8.3 Raspberry Pi Deployment
 - [ ] Default passwords changed
 - [ ] SSH key-only authentication (recommended)
 - [ ] Unnecessary services disabled
 - [ ] Firewall configured (UFW/iptables)
 ---
 ## 9. Air-Gap Specific Considerations
 ### 9.1 Network Isolation
 - [ ] Document expected network topology
 - [ ] No phone-home or telemetry
 - [ ] No external API calls
 - [ ] Works fully offline after deployment
 ### 9.2 Key Distribution
 - [ ] QR code export for channel keys (offline transfer)
 - [ ] Print sheet for physical key backup
 - [ ] No cloud sync or external key servers
 ### 9.3 Updates
 - [ ] Document offline update procedure
 - [ ] Signed releases (future consideration)
 - [ ] Checksum verification for downloads
 ---
 ## 10. Penetration Testing Checklist
 ### 10.1 Authentication Attacks
 - [ ] Brute force login (note: no rate limiting by design)
 - [ ] Session fixation
 - [ ] Session hijacking
 - [ ] Password reset flow abuse
 ### 10.2 Injection Attacks
 - [ ] SQL injection on all inputs
 - [ ] XSS (stored, reflected, DOM-based)
 - [ ] Command injection
 - [ ] Path traversal
 - [ ] SSTI (Server-Side Template Injection)
 ### 10.3 Business Logic
 - [ ] Access control bypass
 - [ ] IDOR (Insecure Direct Object Reference)
 - [ ] Race conditions
 - [ ] Integer overflow in capacity calculations
 ### 10.4 Cryptographic Attacks
 - [ ] Known-plaintext attacks on stego output
 - [ ] Timing attacks on password verification
 - [ ] Padding oracle attacks
 - [ ] Key reuse vulnerabilities
 ---
 ## Tools for Automated Testing
 ```bash
 # Dependency vulnerability scan
 pip-audit
 safety check
 # Static analysis
 bandit -r stegasoo/ frontends/
 # Web security scan (if exposed)
 nikto -h https://localhost:5000
 OWASP ZAP (manual)
 # SSL/TLS configuration
 testssl.sh https://localhost:5000
 # Python code quality
 ruff check .
 mypy stegasoo/
 ```
 ---
 ## Audit Schedule
 | Phase | Focus Area | Priority |
 |-------|-----------|----------|
 | Pre-release | Crypto implementation, auth flow | Critical |
 | Post-release | Dependency scan, static analysis | High |
 | Quarterly | Full penetration test | Medium |
 | Ongoing | CVE monitoring for dependencies | High |
 ---
 ## Notes
 - This plan assumes **trusted users on a private network** as the primary deployment model
 - Internet-facing deployments should add rate limiting, fail2ban, and reverse proxy hardening
 - For high-security deployments, consider external security audit by professionals
 ---
 *Last updated: 2026-01-07*
--- a/TODO-4.2.1.md
+++ b/TODO-4.2.1.md
@@ -0,0 +1,54 @@
 # Stegasoo 4.2.1 Plan
 ## Bugs
 - [x] Fix EXIF viewer panel not loading metadata in Web UI
  - Redesigned with card-based grid layout and categories
  - Compact styling for better space usage
 - [x] DCT mode: portrait photos export rotated 90° (EXIF orientation not handled)
  - Added `_apply_exif_orientation()` to apply EXIF rotation before embedding
 - [x] DCT mode: add rotation fallback (try as-is, rotate 90°, retry on failure)
  - Added rotation fallback in `extract_from_dct()` with quick header validation
 - [x] Rotate tool: use jpegtran for lossless JPEG rotation (preserves DCT stego!)
  - Web UI rotate tool now uses jpegtran for JPEGs
  - DCT decode rotation fallback now uses jpegtran for JPEGs
  - Dynamic UI shows "DCT Safe" for JPEGs, warning for other formats
 ## Tools Audit
 - [x] Web UI tools - full shakedown and fixes
  - Compress, Rotate, Strip, EXIF viewer all working
  - Rotate uses jpegtran for lossless JPEG rotation
  - Compact UI styling
 - [x] CLI tools - full shakedown and fixes
  - Fixed encode to output JPEG when carrier is JPEG (was always PNG)
  - Fixed jpegtran -trim flag destroying DCT stego data
  - Added compress, rotate, convert tools (matching Web UI)
  - Rotate uses jpegtran for JPEGs, supports flip-only operations
 ## AUR Packages
 - [x] `stegasoo-cli` - standalone CLI package (no web dependencies)
  - Created aur-cli/PKGBUILD with [cli,dct,compression] extras only
  - No flask/gunicorn/fastapi/uvicorn/pyzbar deps
  - 68MB vs 79MB for full package
 - [x] `stegasoo-api` - REST API package
  - Created aur-api/PKGBUILD with [api,cli,compression] extras
  - Has fastapi/uvicorn, no flask/gunicorn
  - 74MB package size
  - Includes systemd service with TLS
 ## API Auth Work
 - [x] API key authentication (simpler than OAuth2 for personal use)
  - `frontends/api/auth.py` - key generation, hashing, validation
  - Keys stored in `~/.stegasoo/api_keys.json` (hashed)
  - `X-API-Key` header for authentication
  - Auth disabled when no keys configured
 - [x] TLS with self-signed certificates
  - Auto-generates certs on first run
  - CLI: `stegasoo api tls generate`
  - Certs stored in `~/.stegasoo/certs/`
 - [x] CLI commands for API management
  - `stegasoo api keys list/create/delete`
  - `stegasoo api tls generate/info`
  - `stegasoo api serve` (starts with TLS by default)
 ## API Documentation
 - [ ] Postman collection (with environment templates)
--- a/UNDER_THE_HOOD.md
+++ b/UNDER_THE_HOOD.md
@@ -0,0 +1,818 @@
 # Stegasoo Technical Deep Dive: Encoding & Decoding
 A detailed breakdown of how Stegasoo's LSB and DCT steganography modes work under the hood.
 **Version 4.1** - Updated for channel keys and deployment isolation
 ---
 ## Table of Contents
 1. [High-Level Overview](#high-level-overview)
 2. [The Encoding Pipeline](#the-encoding-pipeline)
 3. [The Decoding Pipeline](#the-decoding-pipeline)
 4. [LSB Mode Deep Dive](#lsb-mode-deep-dive)
 5. [DCT Mode Deep Dive](#dct-mode-deep-dive)
 6. [Comparison Table](#comparison-table)
 7. [Security Considerations](#security-considerations)
 ---
 ## High-Level Overview
 ```
 ┌─────────────────────────────────────────────────────────────────────────────┐
 │                           STEGASOO ARCHITECTURE (v4.1)                      │
 ├─────────────────────────────────────────────────────────────────────────────┤
 │                                                                             │
 │   INPUTS                    PROCESSING                      OUTPUT          │
 │   ───────                   ──────────                      ──────          │
 │                                                                             │
 │   Reference Photo ─┐                                                        │
 │   Passphrase ──────┼──► Argon2id KDF ──► AES-256 Key                        │
 │   PIN/RSA Key ─────┤                           │                            │
 │   Channel Key ─────┘  (v4.1)                   ▼                            │
 │   Message/File ────────────────────────► AES-256-GCM ──► Ciphertext         │
 │                                          Encryption            │            │
 │                                                                ▼            │
 │   Carrier Image ───────────────────────────────────────► Embedding ─► Stego │
 │                                                          (LSB/DCT)    Image │
 │                                                                             │
 └─────────────────────────────────────────────────────────────────────────────┘
 ```
 ### v4.0 Changes
 | Change | v3.x | v4.0 |
 |--------|------|------|
 | Authentication | day_phrase + date | passphrase (no date) |
 | Default words | 3 | 4 |
 | Header size | 75 bytes | 65 bytes (no date field) |
 | Python support | 3.10+ | 3.10-3.12 only |
 ### v4.1 Changes
 | Change | v4.0 | v4.1 |
 |--------|------|------|
 | Channel keys | None | 32-byte deployment isolation |
 | Key derivation | passphrase + ref + pin | passphrase + ref + pin + channel |
 | Web auth | Session-based | Session + admin/user roles |
 | Raspberry Pi | Manual setup | First-boot wizard with gum |
 | Docker | Basic | Production-ready compose |
 **Channel Keys** provide deployment isolation - messages encoded on one Stegasoo instance cannot be decoded by another instance with a different channel key, even with the same passphrase/PIN/reference photo.
 ### Module Responsibilities
 | Module | File | Purpose |
 |--------|------|---------|
 | **Crypto** | `crypto.py` | Key derivation (Argon2id), AES-256-GCM encryption/decryption |
 | **Channel** | `channel.py` | Channel key management, deployment isolation (v4.1) |
 | **Steganography** | `steganography.py` | LSB pixel manipulation, capacity calculation |
 | **DCT Steganography** | `dct_steganography.py` | Frequency-domain embedding, jpegio integration |
 | **Compression** | `compression.py` | Optional LZ4 compression of payload |
 | **Validation** | `validation.py` | Input validation, size limits |
 | **Utils** | `utils.py` | Image hashing, format detection |
 ---
 ## The Encoding Pipeline
 ### Step 1: Input Collection & Validation
 ```python
 # validation.py
 def validate_encode_inputs(reference_photo, carrier, message, passphrase, pin, rsa_key):
    # Check image dimensions (max 24 megapixels)
    # Validate PIN format (6-9 digits)
    # Validate passphrase (3-12 words from BIP-39)
    # Check payload size vs carrier capacity
    # Ensure reference != carrier (security)
 ```
 ### Step 2: Reference Photo Processing
 ```python
 # utils.py
 def get_image_hash(image_bytes: bytes) -> bytes:
    """
    Generate deterministic hash from reference photo.
    This is the 'something you have' factor.
    """
    # Resize to 256x256 (normalize different resolutions)
    # Convert to grayscale (normalize color variations)
    # Apply slight blur (reduce JPEG artifact sensitivity)
    # SHA-256 hash of processed pixels
    return hashlib.sha256(processed_pixels).digest()  # 32 bytes
 ```
 **Why process the image?** Minor variations (JPEG recompression, slight crops) in the reference photo between sender and receiver would produce different hashes, breaking decryption. The preprocessing makes the hash more resilient.
 ### Step 3: Key Derivation (Argon2id)
 ```python
 # crypto.py
 def derive_key(reference_hash: bytes, passphrase: str, pin: str, 
               rsa_signature: bytes = None) -> bytes:
    """
    Combine all authentication factors into one AES key.
    v4.0: No date parameter - simplified authentication.
    """
    # Concatenate all factors
    key_material = reference_hash + passphrase.encode() + pin.encode()
    if rsa_signature:
        key_material += rsa_signature
    # Argon2id parameters (memory-hard to resist GPU attacks)
    # - Memory: 256 MB
    # - Iterations: 4
    # - Parallelism: 4
    # - Output: 32 bytes (256 bits)
    key = argon2.hash_password_raw(
        password=key_material,
        salt=random_salt,  # 16 bytes, stored with ciphertext
        time_cost=4,
        memory_cost=262144,  # 256 MB
        parallelism=4,
        hash_len=32,
        type=argon2.Type.ID
    )
    return key  # 32-byte AES-256 key
 ```
 **Why Argon2id?**
 - **Memory-hard**: Requires 256MB RAM per attempt, defeating GPU/ASIC attacks
 - **Time-hard**: ~2-3 seconds per derivation
 - **Side-channel resistant**: ID variant protects against timing attacks
 ### Step 4: Payload Preparation
 ```python
 # compression.py (optional)
 def prepare_payload(data: bytes, filename: str = None) -> bytes:
    """
    Prepare the payload with metadata header.
    """
    # Header format (variable length):
    # [1 byte]  - Flags (compression, file mode, etc.)
    # [4 bytes] - Original data length (big-endian)
    # [2 bytes] - Filename length (if file mode)
    # [N bytes] - Filename (if file mode)
    # [N bytes] - Data (possibly compressed)
    header = struct.pack('>BI', flags, len(data))
    if filename:
        header += struct.pack('>H', len(filename)) + filename.encode()
    # Optional LZ4 compression
    if should_compress(data):
        data = lz4.frame.compress(data)
        flags |= FLAG_COMPRESSED
    return header + data
 ```
 ### Step 5: AES-256-GCM Encryption
 ```python
 # crypto.py
 def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """
    Encrypt payload with AES-256-GCM.
    Returns: salt + nonce + ciphertext + tag
    """
    salt = os.urandom(16)       # Random salt for key derivation
    nonce = os.urandom(12)      # Random nonce for GCM
    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
    ciphertext, tag = cipher.encrypt_and_digest(plaintext)
    # Final encrypted blob:
    # [16 bytes] Salt
    # [12 bytes] Nonce  
    # [16 bytes] Auth Tag
    # [N bytes]  Ciphertext
    return salt + nonce + tag + ciphertext
 ```
 **Why GCM?**
 - **Authenticated encryption**: Detects tampering
 - **No padding oracle**: Stream cipher mode
 - **Built-in integrity**: 128-bit authentication tag
 ### Step 6: Stego Header Construction
 ```python
 # steganography.py / dct_steganography.py
 def build_stego_header(encrypted_data: bytes, mode: str) -> bytes:
    """
    Build the header that precedes embedded data.
    v4.0: Simplified header (no date field)
    """
    # Header format:
    # [4 bytes]  - Magic number: "STGO" (v4)
    # [1 byte]   - Version (0x04)
    # [1 byte]   - Mode (0x01=LSB, 0x02=DCT)
    # [4 bytes]  - Payload length
    # [N bytes]  - Encrypted payload
    if mode == 'lsb':
        magic = b'STGO\x04\x01'  # v4, mode 1 (LSB)
    else:
        magic = b'STGO\x04\x02'  # v4, mode 2 (DCT)
    length = struct.pack('>I', len(encrypted_data))
    return magic + length + encrypted_data
 ```
 ### Step 7: Embedding (Mode-Specific)
 This is where LSB and DCT diverge. See detailed sections below.
 ---
 ## The Decoding Pipeline
 ### Step 1: Mode Detection
 ```python
 def detect_mode(stego_image: bytes) -> str:
    """
    Detect which embedding mode was used.
    Checks format and magic bytes.
    """
    img = Image.open(io.BytesIO(stego_image))
    # JPEG images with JPGS magic = DCT mode with jpegio
    if img.format == 'JPEG':
        # Check for jpegio magic
        return 'dct'
    # PNG/BMP: Read first few bytes from LSB
    # Check for STGO or DCTS magic
    magic = extract_header_lsb(stego_image, 6)
    if magic.startswith(b'STGO'):
        mode_byte = magic[5]
        return 'lsb' if mode_byte == 0x01 else 'dct'
    elif magic.startswith(b'DCTS'):
        return 'dct'
    return 'lsb'  # Default fallback
 ```
 ### Step 2: Key Re-derivation
 ```python
 # Same process as encoding
 def derive_key_for_decode(reference_hash, passphrase, pin, rsa_signature=None):
    # Must use SAME parameters as encoding
    # No date parameter in v4.0
    return derive_key(reference_hash, passphrase, pin, rsa_signature)
 ```
 ### Step 3: Data Extraction
 ```python
 def extract_data(stego_image: bytes, mode: str) -> bytes:
    """
    Extract raw bytes from stego image.
    Mode-specific extraction.
    """
    if mode == 'dct':
        return extract_from_dct(stego_image, pixel_key)
    else:
        return extract_from_lsb(stego_image, pixel_key)
 ```
 ### Step 4: Decryption & Payload Recovery
 ```python
 def decrypt_and_recover(encrypted_data: bytes, key: bytes) -> Union[str, bytes]:
    """
    Decrypt and extract original message/file.
    """
    # Parse header
    salt = encrypted_data[:16]
    nonce = encrypted_data[16:28]
    tag = encrypted_data[28:44]
    ciphertext = encrypted_data[44:]
    # Decrypt
    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
    plaintext = cipher.decrypt_and_verify(ciphertext, tag)
    # Decompress if needed
    if plaintext[0] & FLAG_COMPRESSED:
        plaintext = lz4.frame.decompress(plaintext[5:])
    # Extract payload
    return parse_payload(plaintext)
 ```
 ---
 ## LSB Mode Deep Dive
 ### How LSB Embedding Works
 LSB (Least Significant Bit) embedding modifies the lowest bit of each color channel in selected pixels.
 ```
 Original Pixel (RGB):
  R: 11010110  G: 01101001  B: 10110100
              ↓         ↓         ↓
              └─────────┴─────────┘
                 3 bits available
 After embedding "101":
  R: 1101011[1]  G: 0110100[0]  B: 1011010[1]
              ↑         ↑         ↑
           modified  modified  modified
 ```
 ### Pixel Selection Algorithm
 ```python
 def select_pixels(carrier_shape, num_bits, seed: bytes) -> List[Tuple[int, int, int]]:
    """
    Generate pseudo-random pixel coordinates.
    Distributes modifications across entire image.
    """
    height, width, channels = carrier_shape
    total_positions = height * width * 3  # RGB channels
    # Use seed to generate reproducible random order
    rng = np.random.RandomState(int.from_bytes(seed[:4], 'big'))
    all_positions = np.arange(total_positions)
    rng.shuffle(all_positions)
    # Convert flat indices to (y, x, channel)
    selected = []
    for idx in all_positions[:num_bits]:
        y = idx // (width * 3)
        x = (idx % (width * 3)) // 3
        c = idx % 3
        selected.append((y, x, c))
    return selected
 ```
 ### Embedding Process
 ```python
 def embed_lsb(carrier: np.ndarray, data: bytes, seed: bytes) -> np.ndarray:
    """
    Embed data using LSB substitution.
    """
    bits = bytes_to_bits(data)
    positions = select_pixels(carrier.shape, len(bits), seed)
    stego = carrier.copy()
    for i, (y, x, c) in enumerate(positions):
        # Clear LSB and set to our bit
        stego[y, x, c] = (stego[y, x, c] & 0xFE) | bits[i]
    return stego
 ```
 ### Capacity Calculation
 ```python
 def calculate_lsb_capacity(width: int, height: int) -> int:
    """
    Calculate maximum payload size for LSB mode.
    """
    total_bits = width * height * 3  # 3 bits per pixel (RGB)
    header_bits = 10 * 8  # 10-byte stego header
    available_bits = total_bits - header_bits
    return available_bits // 8  # Convert to bytes
 ```
 **Example capacities:**
 - 1920×1080: ~770 KB
 - 4000×3000: ~4.5 MB
 - 800×600: ~180 KB
 ---
 ## DCT Mode Deep Dive
 ### How DCT Embedding Works
 DCT (Discrete Cosine Transform) mode embeds data in the frequency-domain coefficients, making it resilient to JPEG compression.
 ```
 Image Block (8×8 pixels)
         ↓
    DCT Transform
         ↓
 DCT Coefficients (8×8)
 ┌────────────────────┐
 │ DC  AC₁ AC₂ AC₃ ...│  ← Lower frequencies (top-left)
 │ AC₄ AC₅ AC₆ ...    │
 │ ...        ...     │  ← Mid frequencies (embed here)
 │ ...            ... │
 │           AC₆₃ ────│  ← Higher frequencies (bottom-right)
 └────────────────────┘
         ↓
   Modify select ACs
         ↓
    IDCT Transform
         ↓
 Modified Image Block
 ```
 ### Coefficient Selection
 ```python
 # dct_steganography.py
 EMBED_POSITIONS = [
    (0, 1), (1, 0), (2, 0), (1, 1), (0, 2), (0, 3), (1, 2), (2, 1), (3, 0),
    (4, 0), (3, 1), (2, 2), (1, 3), (0, 4), (0, 5), (1, 4), (2, 3), (3, 2),
    (4, 1), (5, 0), (5, 1), (4, 2), (3, 3), (2, 4), (1, 5), (0, 6), (0, 7),
    (1, 6), (2, 5), (3, 4), (4, 3), (5, 2), (6, 1), (7, 0),
 ]
 # Use positions 4-20 (mid-frequency, good balance)
 DEFAULT_EMBED_POSITIONS = EMBED_POSITIONS[4:20]  # 16 positions per block
 ```
 **Why mid-frequency?**
 - DC coefficient (0,0): Too visible, contains brightness
 - Low AC: Visible changes, but survives compression
 - Mid AC: Best balance of invisibility + resilience
 - High AC: Invisible but destroyed by compression
 ### Block Processing
 ```python
 def embed_in_block(block: np.ndarray, bits: List[int]) -> np.ndarray:
    """
    Embed bits in a single 8×8 block.
    """
    # Forward DCT
    dct_block = dct_2d(block)
    # Embed using quantization
    for i, pos in enumerate(DEFAULT_EMBED_POSITIONS):
        if i >= len(bits):
            break
        coef = dct_block[pos[0], pos[1]]
        # Quantize and modify LSB
        quantized = round(coef / QUANT_STEP)
        if (quantized % 2) != bits[i]:
            quantized += 1 if coef > 0 else -1
        dct_block[pos[0], pos[1]] = quantized * QUANT_STEP
    # Inverse DCT
    return idct_2d(dct_block)
 ```
 ### jpegio Integration (Native JPEG Output)
 ```python
 def embed_jpegio(data: bytes, carrier_jpeg: bytes, seed: bytes) -> bytes:
    """
    Embed directly in JPEG DCT coefficients using jpegio.
    Preserves JPEG structure perfectly.
    Note: Requires Python 3.12 or earlier (jpegio incompatible with 3.13)
    """
    import jpegio as jio
    # Normalize problematic JPEGs (quality=100 causes crashes)
    carrier_jpeg = normalize_jpeg_for_jpegio(carrier_jpeg)
    # Read existing JPEG coefficients
    jpeg = jio.read(temp_file_from_bytes(carrier_jpeg))
    coef_array = jpeg.coef_arrays[0]  # Y channel
    # Find usable coefficients (magnitude >= 2, non-DC)
    positions = get_usable_positions(coef_array)
    order = generate_order(len(positions), seed)
    # Embed by modifying coefficient LSBs
    bits = bytes_to_bits(data)
    for i, pos_idx in enumerate(order[:len(bits)]):
        row, col = positions[pos_idx]
        coef = coef_array[row, col]
        if (coef & 1) != bits[i]:
            # Flip LSB while preserving sign
            if coef > 0:
                coef_array[row, col] = coef - 1 if (coef & 1) else coef + 1
            else:
                coef_array[row, col] = coef + 1 if (coef & 1) else coef - 1
    # Write modified JPEG
    jio.write(jpeg, output_path)
    return read_bytes(output_path)
 ```
 ### JPEG Normalization (v4.0)
 ```python
 def normalize_jpeg_for_jpegio(image_data: bytes) -> bytes:
    """
    Normalize problematic JPEGs before jpegio processing.
    JPEGs with quality=100 have quantization tables with all values=1,
    which causes jpegio to crash. Re-save at quality 95.
    """
    img = Image.open(io.BytesIO(image_data))
    if img.format != 'JPEG':
        return image_data
    # Check if any quantization table has all values <= 1
    needs_normalization = False
    if hasattr(img, 'quantization'):
        for table in img.quantization.values():
            if max(table) <= 1:
                needs_normalization = True
                break
    if not needs_normalization:
        return image_data
    # Re-save at safe quality
    buffer = io.BytesIO()
    img.save(buffer, format='JPEG', quality=95, subsampling=0)
    return buffer.getvalue()
 ```
 ### DCT Capacity Calculation
 ```python
 def calculate_dct_capacity(width: int, height: int) -> int:
    """
    Calculate maximum payload for DCT mode.
    """
    blocks_x = width // 8
    blocks_y = height // 8
    total_blocks = blocks_x * blocks_y
    bits_per_block = len(DEFAULT_EMBED_POSITIONS)  # 16
    total_bits = total_blocks * bits_per_block
    header_bits = 10 * 8  # Stego header
    available_bits = total_bits - header_bits
    return available_bits // 8
 ```
 **Example capacities:**
 - 1920×1080: ~64 KB
 - 4000×3000: ~375 KB
 - 800×600: ~14 KB
 ### Why DCT Survives JPEG Compression
 ```
 Original JPEG:    Stego JPEG:      Re-compressed:
 DCT coefficients  Modified DCT     Coefficients 
 preserved in      coefficients     re-quantized
 file format       still valid      
      │                 │                │
      ▼                 ▼                ▼
   [DCT] ──────►  [Modified] ──────►  [Still
   [coefs]        [DCT coefs]         Modified!]
 LSB changes survive because they're embedded in 
 the frequency domain, not spatial pixel values.
 ```
 ### DCT Advantages
 | Advantage | Description |
 |-----------|-------------|
 | **JPEG resilient** | Survives social media upload |
 | **Better steganalysis resistance** | Harder to detect statistically |
 | **Natural-looking output** | JPEG artifacts expected |
 ### DCT Limitations
 | Limitation | Description |
 |------------|-------------|
 | **Lower capacity** | ~10% of LSB capacity |
 | **Slower processing** | DCT transforms are compute-intensive |
 | **Requires scipy/jpegio** | Additional dependencies |
 | **Quality-dependent** | Heavy recompression still degrades data |
 | **Python version** | jpegio requires Python 3.12 or earlier |
 ---
 ## Comparison Table
 | Aspect | LSB Mode | DCT Mode |
 |--------|----------|----------|
 | **Capacity (1080p)** | ~770 KB | ~50 KB |
 | **Output Format** | PNG only | PNG or JPEG |
 | **Survives JPEG** | ❌ No | ✅ Yes |
 | **Social Media** | ❌ Broken | ✅ Works |
 | **Processing Speed** | Fast (~0.5s) | Slower (~2s) |
 | **Dependencies** | Pillow, NumPy | + scipy, jpegio |
 | **Color Support** | Full color | Color or Grayscale |
 | **Detection Resistance** | Moderate | Better |
 | **Best For** | Email, cloud storage | Social media, messaging |
 | **Max Tested Image** | 14MB+ | 14MB+ |
 ---
 ## Security Considerations
 ### What Makes Stegasoo Secure?
 ```
 MULTI-FACTOR AUTHENTICATION (v4.0)
 ──────────────────────────────────
 Factor 1: Reference Photo    ─┐
  • 80-256 bits entropy       │
  • "Something you have"      │
                              ├──► Combined entropy: 133-400+ bits
 Factor 2: Passphrase          │    (Beyond brute force)
  • 43-132 bits entropy       │
  • "Something you know"      │
  • 4 words default (v4.0)    │
                              │
 Factor 3: PIN                 │
  • 20-30 bits entropy        │
  • "Something you know"      │
                              │
 Factor 4: RSA Key (optional) ─┘
  • 112-128 bits entropy
  • "Something you have"
 MEMORY-HARD KDF (Argon2id)
 ──────────────────────────
 • 256 MB RAM per attempt
 • ~3 seconds per attempt
 • Defeats GPU/ASIC attacks
 • 10 attempts = 30 seconds, not 0.00001 seconds
 AUTHENTICATED ENCRYPTION (AES-256-GCM)
 ──────────────────────────────────────
 • 256-bit key (unbreakable)
 • Built-in integrity check
 • Detects tampering
 • No padding oracle attacks
 ```
 ### Attack Surface Analysis
 | Attack | LSB Protection | DCT Protection |
 |--------|----------------|----------------|
 | Visual inspection | ✅ Imperceptible | ✅ Imperceptible |
 | File size analysis | ⚠️ PNG larger | ✅ JPEG natural |
 | Histogram analysis | ⚠️ Slight anomalies | ✅ Normal JPEG |
 | Chi-square attack | ⚠️ Detectable at scale | ✅ Resistant |
 | RS steganalysis | ⚠️ Detectable | ✅ Resistant |
 | JPEG recompression | ❌ Destroyed | ✅ Survives |
 ### Threat Model
 **Stegasoo protects against:**
 - ✅ Passive eavesdropping
 - ✅ Casual inspection of images
 - ✅ Basic forensic analysis
 - ✅ Brute force key guessing
 - ✅ JPEG recompression (DCT mode)
 **Stegasoo does NOT protect against:**
 - ⚠️ Targeted forensic analysis with original carrier
 - ⚠️ Nation-state level steganalysis
 - ⚠️ Rubber hose cryptanalysis (coercion)
 - ⚠️ Compromise of reference photo or credentials
 ---
 ## Data Flow Diagrams
 ### Complete Encode Flow (v4.0)
 ```
 ┌──────────────────────────────────────────────────────────────────────────────┐
 │                              ENCODE FLOW (v4.0)                              │
 └──────────────────────────────────────────────────────────────────────────────┘
 User Inputs                    Processing                           Output
 ───────────                    ──────────                           ──────
 Reference Photo ──────┐
                      ├──► get_image_hash() ──► ref_hash (32 bytes)
                      │         │
 Passphrase ───────────┤         ▼
                      ├──► derive_key() ──────► aes_key (32 bytes)
 PIN ──────────────────┤    (Argon2id)               │
                      │                             │
 RSA Key (optional) ───┘                             │
                                                    ▼
 Message/File ──────────► prepare_payload() ──► encrypt() ──► ciphertext
                         (compress, header)    (AES-GCM)         │
                                                                 │
                                                                 ▼
                                                    build_stego_header()
                                                    (magic + length)
                                                                 │
 Carrier Image ─────────────────────────────────────────►  embed()
                                                          │     │
                                              ┌───────────┴─────┴────────────┐
                                              │                              │
                                           LSB Mode                       DCT Mode
                                              │                              │
                                              ▼                              ▼
                                         embed_lsb()                    embed_in_dct()
                                         (pixel LSBs)                 (DCT coefficients)
                                              │                              │
                                              ▼                              ▼
                                          PNG Output                    PNG or JPEG
                                              │                              │
                                              └──────────┬───────────────────┘
                                                         │
                                                         ▼
                                                   Stego Image
                                                   (downloadable)
 ```
 ### Complete Decode Flow (v4.0)
 ```
 ┌──────────────────────────────────────────────────────────────────────────────┐
 │                              DECODE FLOW (v4.0)                               │
 └──────────────────────────────────────────────────────────────────────────────┘
 User Inputs                    Processing                           Output
 ───────────                    ──────────                           ──────
 Reference Photo ──────┐
                      ├──► get_image_hash() ──► ref_hash (32 bytes)
                      │         │
 Passphrase ───────────┤         ▼
                      ├──► derive_key() ──────► aes_key (32 bytes)
 PIN ──────────────────┤    (Argon2id)               │
                      │    (MUST MATCH!)            │
 RSA Key (optional) ───┘                             │
                                                    │
                                                    ▼
 Stego Image ──────────► detect_mode() ──────► extract()
                        (read magic)          │     │
                              │     ┌─────────┴─────┴──────────┐
                              │     │                          │
                              │  LSB Mode                DCT Mode
                              │     │                          │
                              │     ▼                          ▼
                              │  extract_lsb()          extract_from_dct()
                              │     │                          │
                              │     └────────┬─────────────────┘
                              │              │
                              │              ▼
                              │     parse_stego_header()
                              │     (magic, length)
                              │              │
                              │              ▼
                              └────────► decrypt()
                                         (AES-GCM)
                                              │
                                              ▼
                                     decompress()
                                     (if compressed)
                                              │
                                              ▼
                                     extract_payload()
                                     (handle file/text)
                                              │
                                              ▼
                                     Original Message
                                     or File
 ```
 ---
 ## Summary
 **LSB Mode** is simpler, faster, and higher capacity - perfect for controlled channels where images won't be modified.
 **DCT Mode** is more complex but survives real-world image processing - essential for social media and messaging apps.
 Both modes share the same cryptographic foundation (Argon2id + AES-256-GCM) and multi-factor authentication, ensuring security regardless of embedding method.
 The choice comes down to your use case:
 - **Public platform?** → DCT (maximum compatibility)
 - **Private channel?** → LSB (maximum capacity)
 ### v4.0 Simplifications
 - **No more date tracking** - encode/decode anytime without remembering dates
 - **Single passphrase** - no daily rotation to manage
 - **Default 4 words** - better security out of the box
 - **JPEG normalization** - handles quality=100 images automatically
 - **Large image support** - tested with 14MB+ images
--- a/WEB_UI.md
+++ b/WEB_UI.md
--- a/WISHLIST-4.2.md
+++ b/WISHLIST-4.2.md
@@ -0,0 +1,42 @@
 # Stegasoo v4.2 Wishlist
 Blue sky ideas for future development. No timeline - just capturing thoughts.
 ---
 ## Performance
 ### GPU-Accelerated DCT Encoding/Decoding
 - **Idea**: Leverage GPU for JPEG DCT coefficient manipulation
 - **Potential Approaches**:
  - OpenCL/CUDA for parallel DCT operations
  - Raspberry Pi VideoCore IV/VI GPU compute
  - WebGPU for browser-based acceleration
 - **Challenges**:
  - jpegio library is CPU-bound (C extension)
  - Would need custom DCT implementation
  - Memory transfer overhead may negate gains for small images
 - **Research**:
  - libjpeg-turbo uses SIMD but not GPU
  - nvJPEG (NVIDIA) does GPU-accelerated JPEG
  - Could potentially use GPU for the embedding math, not JPEG decode
 ---
 ## Features
 (Add ideas here)
 ---
 ## Infrastructure
 (Add ideas here)
 ---
 ## Notes
 - This is a living document - add ideas anytime
 - Not all ideas will be implemented
 - Feasibility research needed before committing to roadmap
--- a/agentstuff/pyproject.toml
+++ b/agentstuff/pyproject.toml
@@ -0,0 +1,30 @@
 [project]
 name = "sentiment-agent"
 version = "0.1.0"
 description = "AI agent for gathering data and performing sentiment analysis"
 requires-python = ">=3.11"
 dependencies = [
    "claude-agent-sdk",
    "anyio",
    "httpx",
 ]
 [project.optional-dependencies]
 dev = [
    "pytest",
    "ruff",
    "mypy",
 ]
 [project.scripts]
 sentiment-agent = "sentiment_agent.main:main"
 [tool.ruff]
 line-length = 100
 [tool.pytest.ini_options]
 testpaths = ["tests"]
 [tool.mypy]
 python_version = "3.11"
 ignore_missing_imports = true
--- a/agentstuff/sentiment_agent/init.py
+++ b/agentstuff/sentiment_agent/init.py
@@ -0,0 +1,3 @@
 """Sentiment analysis agent powered by Claude Agent SDK."""
 __version__ = "0.1.0"
--- a/agentstuff/sentiment_agent/agent.py
+++ b/agentstuff/sentiment_agent/agent.py
@@ -0,0 +1,115 @@
 """Core sentiment analysis agent using Claude Agent SDK."""
 from __future__ import annotations
 from claude_agent_sdk import (
    AssistantMessage,
    ClaudeAgentOptions,
    ClaudeSDKClient,
    ResultMessage,
    TextBlock,
 )
 from sentiment_agent.config import SafetyConfig
 from sentiment_agent.tools import create_social_tools_server
 SYSTEM_PROMPT = """\
 You are a sentiment analysis agent. Your job is to gather data from multiple \
 platforms and produce a structured, evidence-based sentiment report.
 ## Rules — you MUST follow these
 1. **Budget awareness.** You have a limited API call budget. Call \
 `get_api_budget_status` before starting and after every few tool calls. \
 Stop gathering data when you have <5 calls remaining and begin your analysis.
 2. **Credibility first.** Every tool result includes credibility scores and \
 bot/disinfo flags. You MUST:
   - NEVER quote or cite posts marked `likely_inauthentic` (score < 0.3).
   - Flag posts marked `suspicious` (score 0.3–0.5) with a warning when citing them.
   - Give more weight to `likely_authentic` posts (score ≥ 0.7).
   - If coordination warnings appear (copy-paste campaigns, burst posting), \
     call them out prominently in your report.
 3. **Platform diversity.** Gather from at least 2 different platforms before \
 analyzing. Do not over-index on a single source.
 4. **No fabrication.** Only report on data you actually retrieved. If a tool \
 call fails or returns no results, say so — do not invent data.
 5. **Structured output.** Your final report MUST include these sections:
   - **Data Quality Summary**: platforms queried, posts analyzed vs excluded, \
     coordination warnings
   - **Overall Sentiment**: score (-1.0 to +1.0) and label \
     (very negative / negative / mixed / neutral / positive / very positive)
   - **Platform Breakdown**: sentiment per platform with sample size
   - **Key Themes**: top 3-5 themes with sentiment direction
   - **Credibility Concerns**: any bot networks, disinfo patterns, or \
     coordinated campaigns detected
   - **Notable Quotes**: 3-5 representative quotes (authentic sources only, \
     with credibility score noted)
   - **Confidence Assessment**: how confident you are in the analysis given \
     data quality and volume
 6. **Scope discipline.** Stay focused on the requested topic. Do not expand \
 scope, follow tangents, or analyze adjacent topics unless explicitly asked.
 7. **No side effects.** Do not write files, run commands, or take any action \
 beyond reading data and producing your report.
 """
 async def run_sentiment_analysis(
    topic: str,
    sources: list[str] | None = None,
    config: SafetyConfig | None = None,
 ) -> str:
    """Run the sentiment analysis agent on a given topic.
    Args:
        topic: The topic or subject to analyze sentiment for.
        sources: Optional list of URLs or data sources to analyze.
        config: Safety configuration. Defaults to SafetyConfig.from_env().
    Returns:
        The agent's sentiment analysis report.
    """
    config = config or SafetyConfig.from_env()
    source_instructions = ""
    if sources:
        source_list = "\n".join(f"- {s}" for s in sources)
        source_instructions = f"\n\nAlso analyze these specific sources:\n{source_list}"
    prompt = (
        f"Perform a sentiment analysis on the following topic: {topic}\n\n"
        "Start by calling `get_api_budget_status` to check your budget, then "
        "gather data from multiple platforms (Reddit, Hacker News, Bluesky if "
        "configured, and web search). Pay close attention to credibility scores "
        "and coordination warnings in the results."
        f"{source_instructions}"
    )
    social_server = create_social_tools_server(config)
    options = ClaudeAgentOptions(
        # Only allow read-only tools — no Write/Bash to prevent side effects
        allowed_tools=["WebSearch", "WebFetch", "Read"],
        max_turns=config.max_turns,
        max_budget_usd=config.max_budget_usd,
        mcp_servers={"social": social_server},
        system_prompt=SYSTEM_PROMPT,
    )
    result_text = ""
    async with ClaudeSDKClient(options=options) as client:
        await client.query(prompt)
        async for message in client.receive_response():
            if isinstance(message, AssistantMessage):
                for block in message.content:
                    if isinstance(block, TextBlock):
                        print(block.text, end="", flush=True)
            if isinstance(message, ResultMessage):
                result_text = message.result
    return result_text
--- a/agentstuff/sentiment_agent/clients/init.py
+++ b/agentstuff/sentiment_agent/clients/init.py
@@ -0,0 +1 @@
 """API clients for social media and forum data sources."""
--- a/agentstuff/sentiment_agent/clients/bluesky.py
+++ b/agentstuff/sentiment_agent/clients/bluesky.py
@@ -0,0 +1,166 @@
 """Bluesky client using the AT Protocol API.
 Search requires authentication. Set BLUESKY_HANDLE and BLUESKY_APP_PASSWORD
 env vars. Create an app password at: https://bsky.app/settings/app-passwords
 Thread fetching works without auth via the public API.
 """
 import os
 import httpx
 BSKY_PUBLIC_API = "https://public.api.bsky.app"
 BSKY_AUTH_API = "https://bsky.social"
 async def _get_session() -> dict | None:
    """Authenticate with Bluesky and return session tokens, or None if no creds."""
    handle = os.environ.get("BLUESKY_HANDLE")
    app_password = os.environ.get("BLUESKY_APP_PASSWORD")
    if not handle or not app_password:
        return None
    async with httpx.AsyncClient(timeout=15) as client:
        resp = await client.post(
            f"{BSKY_AUTH_API}/xrpc/com.atproto.server.createSession",
            json={"identifier": handle, "password": app_password},
        )
        resp.raise_for_status()
        return resp.json()
 def _format_post(post_view: dict) -> dict:
    """Extract relevant fields from an AT Protocol post view."""
    post = post_view.get("post", post_view)
    record = post.get("record", {})
    author = post.get("author", {})
    return {
        "text": record.get("text", ""),
        "author_handle": author.get("handle", ""),
        "author_display_name": author.get("displayName", ""),
        "created_at": record.get("createdAt", ""),
        "like_count": post.get("likeCount", 0),
        "repost_count": post.get("repostCount", 0),
        "reply_count": post.get("replyCount", 0),
        "uri": post.get("uri", ""),
        "cid": post.get("cid", ""),
        "url": _uri_to_url(post.get("uri", ""), author.get("handle", "")),
    }
 def _uri_to_url(uri: str, handle: str) -> str:
    """Convert an at:// URI to a bsky.app URL."""
    # at://did:plc:xxx/app.bsky.feed.post/rkey -> https://bsky.app/profile/handle/post/rkey
    if not uri.startswith("at://"):
        return ""
    parts = uri.split("/")
    if len(parts) >= 5:
        rkey = parts[-1]
        return f"https://bsky.app/profile/{handle}/post/{rkey}"
    return ""
 async def search_posts(query: str, limit: int = 25, sort: str = "top") -> list[dict]:
    """Search Bluesky for posts matching a query.
    Requires BLUESKY_HANDLE and BLUESKY_APP_PASSWORD env vars.
    Args:
        query: Search terms.
        limit: Max results (capped at 100).
        sort: "top" (most liked) or "latest" (chronological).
    Returns:
        List of post dicts with: text, author_handle, author_display_name,
        created_at, like_count, repost_count, reply_count, uri, url.
    Raises:
        RuntimeError: If Bluesky credentials are not configured.
    """
    session = await _get_session()
    if not session:
        raise RuntimeError(
            "Bluesky search requires authentication. "
            "Set BLUESKY_HANDLE and BLUESKY_APP_PASSWORD environment variables. "
            "Create an app password at: https://bsky.app/settings/app-passwords"
        )
    async with httpx.AsyncClient(timeout=15) as client:
        resp = await client.get(
            f"{BSKY_AUTH_API}/xrpc/app.bsky.feed.searchPosts",
            params={
                "q": query,
                "limit": min(limit, 100),
                "sort": sort,
            },
            headers={"Authorization": f"Bearer {session['accessJwt']}"},
        )
        resp.raise_for_status()
        data = resp.json()
    return [_format_post(p) for p in data.get("posts", [])]
 async def get_thread(uri: str, depth: int = 6) -> dict:
    """Fetch a Bluesky thread by AT URI or bsky.app URL.
    Args:
        uri: Either an at:// URI or a https://bsky.app/profile/.../post/... URL.
        depth: How many levels of replies to fetch (max 1000).
    Returns:
        Dict with "post" (the root post) and "replies" (list of reply post dicts).
    """
    # Convert bsky.app URL to AT URI if needed
    if uri.startswith("https://bsky.app/"):
        uri = await _resolve_url_to_uri(uri)
    headers = {}
    session = await _get_session()
    if session:
        headers["Authorization"] = f"Bearer {session['accessJwt']}"
    async with httpx.AsyncClient(timeout=15) as client:
        resp = await client.get(
            f"{BSKY_PUBLIC_API}/xrpc/app.bsky.feed.getPostThread",
            params={"uri": uri, "depth": min(depth, 1000)},
            headers=headers,
        )
        resp.raise_for_status()
        data = resp.json()
    thread = data.get("thread", {})
    root_post = _format_post(thread) if "post" in thread else {}
    replies = []
    for reply in thread.get("replies", []):
        if "post" in reply:
            replies.append(_format_post(reply))
            # Include nested replies one level deep
            for nested in reply.get("replies", []):
                if "post" in nested:
                    replies.append(_format_post(nested))
    return {"post": root_post, "replies": replies}
 async def _resolve_url_to_uri(url: str) -> str:
    """Convert a bsky.app URL to an AT URI by resolving the handle."""
    # https://bsky.app/profile/handle.bsky.social/post/rkey
    parts = url.rstrip("/").split("/")
    if len(parts) < 6:
        raise ValueError(f"Invalid Bluesky URL: {url}")
    handle = parts[4]  # profile/{handle}
    rkey = parts[6]  # post/{rkey}
    # Resolve handle to DID
    async with httpx.AsyncClient(timeout=10) as client:
        resp = await client.get(
            f"{BSKY_PUBLIC_API}/xrpc/com.atproto.identity.resolveHandle",
            params={"handle": handle},
        )
        resp.raise_for_status()
        did = resp.json()["did"]
    return f"at://{did}/app.bsky.feed.post/{rkey}"
--- a/agentstuff/sentiment_agent/clients/hackernews.py
+++ b/agentstuff/sentiment_agent/clients/hackernews.py
@@ -0,0 +1,78 @@
 """Hacker News client using the Algolia HN Search API.
 No authentication required. Docs: https://hn.algolia.com/api
 """
 import httpx
 HN_API_BASE = "https://hn.algolia.com/api/v1"
 async def search_stories(query: str, limit: int = 25) -> list[dict]:
    """Search HN for stories matching a query.
    Returns a list of story dicts with: title, url, author, points,
    num_comments, created_at, objectID, story_text.
    """
    async with httpx.AsyncClient(timeout=15) as client:
        resp = await client.get(
            f"{HN_API_BASE}/search",
            params={
                "query": query,
                "tags": "story",
                "hitsPerPage": min(limit, 50),
            },
        )
        resp.raise_for_status()
        data = resp.json()
    results = []
    for hit in data.get("hits", []):
        results.append(
            {
                "title": hit.get("title", ""),
                "url": hit.get("url", ""),
                "author": hit.get("author", ""),
                "points": hit.get("points", 0),
                "num_comments": hit.get("num_comments", 0),
                "created_at": hit.get("created_at", ""),
                "object_id": hit.get("objectID", ""),
                "story_text": hit.get("story_text") or "",
                "hn_url": f"https://news.ycombinator.com/item?id={hit.get('objectID', '')}",
            }
        )
    return results
 async def search_comments(query: str, limit: int = 25) -> list[dict]:
    """Search HN for comments matching a query.
    Returns a list of comment dicts with: comment_text, author, points,
    created_at, story_title, story_url.
    """
    async with httpx.AsyncClient(timeout=15) as client:
        resp = await client.get(
            f"{HN_API_BASE}/search",
            params={
                "query": query,
                "tags": "comment",
                "hitsPerPage": min(limit, 50),
            },
        )
        resp.raise_for_status()
        data = resp.json()
    results = []
    for hit in data.get("hits", []):
        results.append(
            {
                "comment_text": hit.get("comment_text", ""),
                "author": hit.get("author", ""),
                "points": hit.get("points", 0),
                "created_at": hit.get("created_at", ""),
                "story_title": hit.get("story_title", ""),
                "story_url": hit.get("story_url", ""),
                "hn_url": f"https://news.ycombinator.com/item?id={hit.get('objectID', '')}",
            }
        )
    return results
--- a/agentstuff/sentiment_agent/clients/reddit.py
+++ b/agentstuff/sentiment_agent/clients/reddit.py
@@ -0,0 +1,117 @@
 """Reddit client using the public JSON API.
 No authentication required for read-only search. Reddit requires a descriptive
 User-Agent header — requests with generic UAs get 429'd.
 """
 import httpx
 REDDIT_BASE = "https://www.reddit.com"
 USER_AGENT = "sentiment-agent/0.1.0 (research; sentiment analysis tool)"
 async def search_posts(
    query: str,
    subreddit: str = "all",
    sort: str = "relevance",
    time_filter: str = "month",
    limit: int = 25,
 ) -> list[dict]:
    """Search Reddit for posts matching a query.
    Args:
        query: Search terms.
        subreddit: Subreddit to search within, or "all" for site-wide.
        sort: One of "relevance", "hot", "top", "new", "comments".
        time_filter: One of "hour", "day", "week", "month", "year", "all".
        limit: Max results (capped at 100 by Reddit).
    Returns:
        List of post dicts with: title, selftext, author, score,
        num_comments, subreddit, url, permalink, created_utc.
    """
    url = f"{REDDIT_BASE}/r/{subreddit}/search.json"
    async with httpx.AsyncClient(timeout=15, follow_redirects=True) as client:
        resp = await client.get(
            url,
            params={
                "q": query,
                "sort": sort,
                "t": time_filter,
                "limit": min(limit, 100),
                "restrict_sr": "on" if subreddit != "all" else "off",
            },
            headers={"User-Agent": USER_AGENT},
        )
        resp.raise_for_status()
        data = resp.json()
    results = []
    for child in data.get("data", {}).get("children", []):
        post = child.get("data", {})
        results.append(
            {
                "title": post.get("title", ""),
                "selftext": (post.get("selftext") or "")[:2000],
                "author": post.get("author", "[deleted]"),
                "score": post.get("score", 0),
                "upvote_ratio": post.get("upvote_ratio", 0),
                "num_comments": post.get("num_comments", 0),
                "subreddit": post.get("subreddit", ""),
                "url": post.get("url", ""),
                "permalink": f"https://reddit.com{post.get('permalink', '')}",
                "created_utc": post.get("created_utc", 0),
                "is_self": post.get("is_self", False),
            }
        )
    return results
 async def get_post_comments(
    permalink: str,
    sort: str = "top",
    limit: int = 25,
 ) -> list[dict]:
    """Fetch top-level comments for a Reddit post.
    Args:
        permalink: The post's permalink path (e.g., "/r/python/comments/abc123/title/").
        sort: Comment sort order: "top", "best", "new", "controversial".
        limit: Max comments to return.
    Returns:
        List of comment dicts with: body, author, score, created_utc.
    """
    # Strip domain if full URL was passed
    if permalink.startswith("https://"):
        permalink = permalink.replace("https://reddit.com", "")
        permalink = permalink.replace("https://www.reddit.com", "")
    url = f"{REDDIT_BASE}{permalink}.json"
    async with httpx.AsyncClient(timeout=15, follow_redirects=True) as client:
        resp = await client.get(
            url,
            params={"sort": sort, "limit": limit},
            headers={"User-Agent": USER_AGENT},
        )
        resp.raise_for_status()
        data = resp.json()
    # Reddit returns [post_listing, comments_listing]
    if not isinstance(data, list) or len(data) < 2:
        return []
    results = []
    for child in data[1].get("data", {}).get("children", []):
        if child.get("kind") != "t1":
            continue
        comment = child.get("data", {})
        results.append(
            {
                "body": (comment.get("body") or "")[:2000],
                "author": comment.get("author", "[deleted]"),
                "score": comment.get("score", 0),
                "created_utc": comment.get("created_utc", 0),
            }
        )
    return results
--- a/agentstuff/sentiment_agent/config.py
+++ b/agentstuff/sentiment_agent/config.py
@@ -0,0 +1,70 @@
 """Configuration and safety limits for the sentiment agent.
 All guardrails are centralized here so they can be tuned from one place
 or overridden via CLI flags / env vars.
 """
 from __future__ import annotations
 import os
 from dataclasses import dataclass, field
@dataclass(frozen=True)
 class RateLimitConfig:
    """Per-platform rate limiting."""
    requests_per_minute: int = 10
    burst_size: int = 3  # max concurrent requests
    cooldown_after_429: float = 30.0  # seconds to wait after a 429
@dataclass(frozen=True)
 class SafetyConfig:
    """Top-level safety rails for the agent."""
    # --- Agent-level limits ---
    max_turns: int = 20
    max_budget_usd: float = 0.50  # hard cap on Claude API spend per run
    max_total_api_calls: int = 50  # across ALL platforms combined
    max_results_per_call: int = 50  # cap the `limit` param sent to any API
    # --- Per-platform rate limits ---
    bluesky_rate: RateLimitConfig = field(default_factory=lambda: RateLimitConfig(
        requests_per_minute=10, burst_size=2,
    ))
    reddit_rate: RateLimitConfig = field(default_factory=lambda: RateLimitConfig(
        requests_per_minute=10, burst_size=2,
    ))
    hackernews_rate: RateLimitConfig = field(default_factory=lambda: RateLimitConfig(
        requests_per_minute=15, burst_size=3,  # HN Algolia is more generous
    ))
    # --- Content size limits ---
    max_post_text_chars: int = 2000  # truncate individual posts beyond this
    max_total_content_bytes: int = 500_000  # ~500KB total data gathered before agent stops
    # --- Timeout ---
    api_timeout_seconds: float = 15.0
    # --- Credibility thresholds ---
    min_credibility_score: float = 0.3  # posts below this are flagged/excluded
    flag_bot_threshold: float = 0.5  # posts between min and this are flagged but included
    @classmethod
    def from_env(cls) -> SafetyConfig:
        """Build config with env var overrides.
        Env vars: SENTIMENT_MAX_TURNS, SENTIMENT_MAX_BUDGET_USD,
        SENTIMENT_MAX_API_CALLS, SENTIMENT_MIN_CREDIBILITY.
        """
        kwargs: dict = {}
        if v := os.environ.get("SENTIMENT_MAX_TURNS"):
            kwargs["max_turns"] = int(v)
        if v := os.environ.get("SENTIMENT_MAX_BUDGET_USD"):
            kwargs["max_budget_usd"] = float(v)
        if v := os.environ.get("SENTIMENT_MAX_API_CALLS"):
            kwargs["max_total_api_calls"] = int(v)
        if v := os.environ.get("SENTIMENT_MIN_CREDIBILITY"):
            kwargs["min_credibility_score"] = float(v)
        return cls(**kwargs)
--- a/agentstuff/sentiment_agent/credibility.py
+++ b/agentstuff/sentiment_agent/credibility.py
@@ -0,0 +1,398 @@
 """Credibility scoring and bot/disinfo detection.
 Assigns a 0.0–1.0 credibility score to each post based on heuristic signals.
 Posts below the configured threshold are excluded or flagged so they don't
 pollute the sentiment analysis.
 Signals are platform-aware — each platform has different indicators of
 inauthentic behavior.
 """
 from __future__ import annotations
 import re
 from dataclasses import dataclass, field
 from datetime import datetime, timezone
@dataclass
 class CredibilityResult:
    """Credibility assessment for a single post."""
    score: float  # 0.0 (likely bot/disinfo) to 1.0 (likely authentic)
    flags: list[str] = field(default_factory=list)  # human-readable reasons
    is_excluded: bool = False  # below min_credibility_score
    is_flagged: bool = False  # between min and flag threshold
    @property
    def label(self) -> str:
        if self.score >= 0.7:
            return "likely_authentic"
        if self.score >= 0.5:
            return "uncertain"
        if self.score >= 0.3:
            return "suspicious"
        return "likely_inauthentic"
 # --- Shared heuristics ---
 # Common bot patterns in text
 _BOT_TEXT_PATTERNS = [
    # Crypto/scam spam
    re.compile(r"(?i)(dm me|check my bio|link in bio|click here|free giveaway)"),
    re.compile(r"(?i)(join my|subscribe to|follow me for|🔥.*🔥.*🔥)"),
    # Astroturfing phrases
    re.compile(r"(?i)(i (just )?(discovered|found|tried) this (amazing|incredible|awesome))"),
    re.compile(r"(?i)(game.?changer|life.?changing|you won'?t believe)"),
    # Excessive hashtags (5+)
    re.compile(r"(#\w+\s*){5,}"),
    # Walls of emojis (10+ consecutive)
    re.compile(r"[\U0001F300-\U0001FAFF]{10,}"),
    # Repetitive characters (spammy emphasis)
    re.compile(r"(.)\1{9,}"),
 ]
 # Coordinated campaign indicators: identical or near-identical text
 # This is checked at the batch level, not per-post
 def _check_text_patterns(text: str) -> list[str]:
    """Check text against common bot/spam patterns."""
    flags = []
    for pattern in _BOT_TEXT_PATTERNS:
        if pattern.search(text):
            flags.append(f"bot_text_pattern: {pattern.pattern[:60]}")
    if len(text) < 15:
        flags.append("very_short_text")
    return flags
 def _engagement_ratio_score(
    likes: int, reposts: int, replies: int
 ) -> tuple[float, list[str]]:
    """Score based on engagement ratios.
    Authentic posts tend to have a mix of likes, replies, and reposts.
    Bot-amplified posts often have inflated likes with very few replies,
    or massive repost counts with no discussion.
    """
    flags = []
    total = likes + reposts + replies
    if total == 0:
        return 0.5, ["no_engagement"]
    # High repost-to-reply ratio suggests amplification without discussion
    if reposts > 0 and replies == 0 and reposts > 10:
        flags.append(f"high_repost_no_replies: {reposts} reposts, 0 replies")
        return 0.3, flags
    # Extremely high like count with zero replies is suspicious
    if likes > 100 and replies == 0:
        flags.append(f"high_likes_no_replies: {likes} likes, 0 replies")
        return 0.4, flags
    # Normal engagement
    return min(1.0, 0.5 + (replies / max(total, 1)) * 0.5), flags
 # --- Platform-specific scoring ---
 def score_bluesky_post(post: dict) -> CredibilityResult:
    """Score a Bluesky post for credibility."""
    score = 1.0
    flags: list[str] = []
    text = post.get("text", "")
    handle = post.get("author_handle", "")
    display_name = post.get("author_display_name", "")
    likes = post.get("like_count", 0)
    reposts = post.get("repost_count", 0)
    replies = post.get("reply_count", 0)
    # Text pattern checks
    text_flags = _check_text_patterns(text)
    if text_flags:
        score -= 0.15 * len(text_flags)
        flags.extend(text_flags)
    # Handle heuristics
    # Randomly generated handles (long hex/number strings)
    if re.match(r"^[a-f0-9]{8,}\.", handle):
        flags.append(f"random_handle: {handle}")
        score -= 0.3
    # No display name set
    if not display_name or display_name == handle:
        flags.append("no_display_name")
        score -= 0.1
    # Engagement ratio
    eng_score, eng_flags = _engagement_ratio_score(likes, reposts, replies)
    flags.extend(eng_flags)
    score = score * 0.6 + eng_score * 0.4
    return CredibilityResult(score=max(0.0, min(1.0, score)), flags=flags)
 def score_reddit_post(post: dict) -> CredibilityResult:
    """Score a Reddit post for credibility."""
    score = 1.0
    flags: list[str] = []
    text = post.get("selftext", "") or post.get("title", "")
    author = post.get("author", "")
    upvote_ratio = post.get("upvote_ratio", 0.5)
    post_score = post.get("score", 0)
    num_comments = post.get("num_comments", 0)
    # Text patterns
    text_flags = _check_text_patterns(text)
    if text_flags:
        score -= 0.15 * len(text_flags)
        flags.extend(text_flags)
    # Deleted author
    if author in ("[deleted]", "[removed]"):
        flags.append("deleted_author")
        score -= 0.2
    # Suspicious username patterns (random alphanumeric + numbers)
    if re.match(r"^[A-Za-z]+[-_]?\d{4,}$", author):
        flags.append(f"auto_generated_username: {author}")
        score -= 0.15
    # Very controversial ratio (lots of up AND down votes)
    if upvote_ratio < 0.4 and post_score > 0:
        flags.append(f"highly_controversial: {upvote_ratio:.0%} upvote ratio")
        score -= 0.1
    # High score but zero comments = potential vote manipulation
    if post_score > 100 and num_comments == 0:
        flags.append(f"high_score_no_comments: {post_score} score, 0 comments")
        score -= 0.2
    # Low-effort cross-post spam: very short title, external link, no selftext
    if (
        len(post.get("title", "")) < 20
        and not post.get("is_self", True)
        and not post.get("selftext")
    ):
        flags.append("possible_link_spam")
        score -= 0.1
    return CredibilityResult(score=max(0.0, min(1.0, score)), flags=flags)
 def score_reddit_comment(comment: dict) -> CredibilityResult:
    """Score a Reddit comment for credibility."""
    score = 1.0
    flags: list[str] = []
    body = comment.get("body", "")
    author = comment.get("author", "")
    comment_score = comment.get("score", 0)
    text_flags = _check_text_patterns(body)
    if text_flags:
        score -= 0.15 * len(text_flags)
        flags.extend(text_flags)
    if author in ("[deleted]", "[removed]"):
        flags.append("deleted_author")
        score -= 0.2
    if re.match(r"^[A-Za-z]+[-_]?\d{4,}$", author):
        flags.append(f"auto_generated_username: {author}")
        score -= 0.15
    # Heavily downvoted
    if comment_score < -5:
        flags.append(f"heavily_downvoted: {comment_score}")
        score -= 0.15
    return CredibilityResult(score=max(0.0, min(1.0, score)), flags=flags)
 def score_hackernews_post(post: dict) -> CredibilityResult:
    """Score a HN story for credibility.
    HN is generally higher-signal than social media, but we still check
    for low-effort submissions and spammy patterns.
    """
    score = 1.0
    flags: list[str] = []
    title = post.get("title", "")
    text = post.get("story_text", "") or title
    points = post.get("points", 0)
    num_comments = post.get("num_comments", 0)
    text_flags = _check_text_patterns(text)
    if text_flags:
        score -= 0.1 * len(text_flags)
        flags.extend(text_flags)
    # Zero points = the community didn't find it valuable
    if points == 0:
        flags.append("zero_points")
        score -= 0.1
    # HN is generally more credible, start with a bonus
    score = min(1.0, score + 0.1)
    return CredibilityResult(score=max(0.0, min(1.0, score)), flags=flags)
 def score_hackernews_comment(comment: dict) -> CredibilityResult:
    """Score a HN comment for credibility."""
    score = 1.0
    flags: list[str] = []
    text = comment.get("comment_text", "")
    text_flags = _check_text_patterns(text)
    if text_flags:
        score -= 0.1 * len(text_flags)
        flags.extend(text_flags)
    # HN comments are generally higher quality
    score = min(1.0, score + 0.1)
    return CredibilityResult(score=max(0.0, min(1.0, score)), flags=flags)
 # --- Batch-level coordination detection ---
 def detect_coordination(posts: list[dict], text_key: str = "text") -> list[str]:
    """Detect coordinated inauthentic behavior across a batch of posts.
    Looks for:
    - Duplicate or near-duplicate text (copy-paste campaigns)
    - Burst posting (many posts in a very short window)
    - Same talking points with minor variations
    Returns a list of warning strings.
    """
    warnings: list[str] = []
    texts = [p.get(text_key, "") for p in posts if p.get(text_key)]
    if not texts:
        return warnings
    # Exact duplicates
    seen: dict[str, int] = {}
    for t in texts:
        normalized = t.strip().lower()
        seen[normalized] = seen.get(normalized, 0) + 1
    duplicates = {text: count for text, count in seen.items() if count > 1}
    if duplicates:
        total_dupes = sum(duplicates.values())
        warnings.append(
            f"COORDINATION WARNING: {len(duplicates)} duplicate texts found "
            f"({total_dupes} total copies). Possible copy-paste campaign."
        )
    # Near-duplicates: check if many posts share a long common substring
    # (simplified: check if >30% of posts start with the same 50+ chars)
    if len(texts) >= 5:
        prefixes: dict[str, int] = {}
        for t in texts:
            prefix = t.strip().lower()[:80]
            if len(prefix) >= 50:
                prefixes[prefix] = prefixes.get(prefix, 0) + 1
        for prefix, count in prefixes.items():
            if count >= len(texts) * 0.3:
                warnings.append(
                    f"COORDINATION WARNING: {count}/{len(texts)} posts share "
                    f"a common prefix ({prefix[:50]}...). Possible template campaign."
                )
    # Burst detection: if timestamps are available
    timestamps = []
    for p in posts:
        created = p.get("created_at") or p.get("created_utc")
        if isinstance(created, str):
            try:
                timestamps.append(datetime.fromisoformat(created.replace("Z", "+00:00")))
            except (ValueError, TypeError):
                pass
        elif isinstance(created, (int, float)):
            timestamps.append(datetime.fromtimestamp(created, tz=timezone.utc))
    if len(timestamps) >= 5:
        timestamps.sort()
        # Check if >50% of posts landed within a 5-minute window
        window_seconds = 300
        for i in range(len(timestamps) - 2):
            window_end = timestamps[i] + __import__("datetime").timedelta(seconds=window_seconds)
            in_window = sum(1 for t in timestamps if timestamps[i] <= t <= window_end)
            if in_window >= len(timestamps) * 0.5:
                warnings.append(
                    f"COORDINATION WARNING: {in_window}/{len(timestamps)} posts "
                    f"appeared within a 5-minute window. Possible coordinated posting."
                )
                break
    return warnings
 def filter_and_annotate(
    posts: list[dict],
    scorer,
    min_score: float = 0.3,
    flag_threshold: float = 0.5,
 ) -> tuple[list[dict], dict]:
    """Score all posts, filter out low-credibility ones, and annotate the rest.
    Args:
        posts: List of post dicts from any platform.
        scorer: A scoring function (e.g., score_reddit_post).
        min_score: Posts below this are excluded.
        flag_threshold: Posts between min_score and this are flagged.
    Returns:
        Tuple of (filtered_posts, stats_dict).
        Each post in filtered_posts gets a "_credibility" key added.
    """
    filtered = []
    stats = {
        "total": len(posts),
        "excluded": 0,
        "flagged": 0,
        "authentic": 0,
        "excluded_reasons": [],
    }
    for post in posts:
        result = scorer(post)
        result.is_excluded = result.score < min_score
        result.is_flagged = min_score <= result.score < flag_threshold
        if result.is_excluded:
            stats["excluded"] += 1
            stats["excluded_reasons"].append(
                {"score": round(result.score, 2), "flags": result.flags}
            )
            continue
        post["_credibility"] = {
            "score": round(result.score, 2),
            "label": result.label,
            "flags": result.flags,
            "is_flagged": result.is_flagged,
        }
        if result.is_flagged:
            stats["flagged"] += 1
        else:
            stats["authentic"] += 1
        filtered.append(post)
    return filtered, stats
--- a/agentstuff/sentiment_agent/main.py
+++ b/agentstuff/sentiment_agent/main.py
@@ -0,0 +1,66 @@
 """CLI entry point for the sentiment analysis agent."""
 import argparse
 import anyio
 from sentiment_agent.agent import run_sentiment_analysis
 from sentiment_agent.config import SafetyConfig
 async def async_main(args: argparse.Namespace) -> None:
    config = SafetyConfig(
        max_turns=args.max_turns,
        max_budget_usd=args.max_budget,
        max_total_api_calls=args.max_api_calls,
        min_credibility_score=args.min_credibility,
        flag_bot_threshold=args.flag_threshold,
    )
    result = await run_sentiment_analysis(
        topic=args.topic,
        sources=args.sources,
        config=config,
    )
    print("\n" + "=" * 60)
    print("SENTIMENT ANALYSIS REPORT")
    print("=" * 60)
    print(result)
 def main() -> None:
    parser = argparse.ArgumentParser(
        description="Run sentiment analysis on a topic with bot/disinfo detection",
        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
    )
    parser.add_argument("topic", help="The topic to analyze sentiment for")
    parser.add_argument(
        "--sources", nargs="*", help="Specific URLs or sources to also analyze"
    )
    safety = parser.add_argument_group("safety limits")
    safety.add_argument(
        "--max-turns", type=int, default=20, help="Max agent turns"
    )
    safety.add_argument(
        "--max-budget", type=float, default=0.50, help="Max Claude API spend (USD)"
    )
    safety.add_argument(
        "--max-api-calls", type=int, default=50, help="Max total API calls across all platforms"
    )
    credibility = parser.add_argument_group("credibility filtering")
    credibility.add_argument(
        "--min-credibility", type=float, default=0.3,
        help="Posts below this score are excluded (0.0-1.0)",
    )
    credibility.add_argument(
        "--flag-threshold", type=float, default=0.5,
        help="Posts between min and this are flagged but included (0.0-1.0)",
    )
    args = parser.parse_args()
    anyio.run(async_main, args)
 if __name__ == "__main__":
    main()
--- a/agentstuff/sentiment_agent/ratelimit.py
+++ b/agentstuff/sentiment_agent/ratelimit.py
@@ -0,0 +1,169 @@
 """Rate limiter and API call budget tracker.
 Enforces per-platform rate limits and a global call budget so the agent
 can't hammer APIs or run up unbounded costs.
 """
 from __future__ import annotations
 import asyncio
 import time
 from dataclasses import dataclass, field
 from sentiment_agent.config import RateLimitConfig
 class BudgetExhaustedError(Exception):
    """Raised when the global API call budget is spent."""
 class RateLimitExceededError(Exception):
    """Raised when a platform's rate limit is hit and cooldown hasn't elapsed."""
@dataclass
 class _PlatformState:
    """Tracks call timestamps and active request count for one platform."""
    config: RateLimitConfig
    call_timestamps: list[float] = field(default_factory=list)
    active_requests: int = 0
    last_429_at: float = 0.0
 class RateLimiter:
    """Manages rate limiting across all platforms + a global call budget.
    Usage:
        limiter = RateLimiter(max_total_calls=50)
        limiter.register_platform("reddit", RateLimitConfig(...))
        async with limiter.acquire("reddit"):
            await do_reddit_call()
    """
    def __init__(self, max_total_calls: int = 50):
        self._max_total = max_total_calls
        self._total_calls = 0
        self._platforms: dict[str, _PlatformState] = {}
        self._lock = asyncio.Lock()
    @property
    def total_calls(self) -> int:
        return self._total_calls
    @property
    def remaining_calls(self) -> int:
        return max(0, self._max_total - self._total_calls)
    def register_platform(self, name: str, config: RateLimitConfig) -> None:
        self._platforms[name] = _PlatformState(config=config)
    def acquire(self, platform: str) -> _AcquireContext:
        """Context manager that enforces rate limits before allowing a call."""
        return _AcquireContext(self, platform)
    async def _acquire(self, platform: str) -> None:
        async with self._lock:
            if self._total_calls >= self._max_total:
                raise BudgetExhaustedError(
                    f"Global API call budget exhausted ({self._max_total} calls). "
                    "Increase max_total_api_calls in SafetyConfig to allow more."
                )
            state = self._platforms.get(platform)
            if not state:
                raise ValueError(f"Platform '{platform}' not registered with rate limiter")
            now = time.monotonic()
            # Check 429 cooldown
            if state.last_429_at:
                elapsed = now - state.last_429_at
                if elapsed < state.config.cooldown_after_429:
                    remaining = state.config.cooldown_after_429 - elapsed
                    raise RateLimitExceededError(
                        f"Platform '{platform}' is in cooldown after 429. "
                        f"Try again in {remaining:.0f}s."
                    )
                state.last_429_at = 0.0
            # Check burst limit
            if state.active_requests >= state.config.burst_size:
                raise RateLimitExceededError(
                    f"Platform '{platform}' burst limit reached "
                    f"({state.config.burst_size} concurrent). Wait for a request to finish."
                )
            # Check RPM: discard timestamps older than 60s, then check count
            cutoff = now - 60.0
            state.call_timestamps = [t for t in state.call_timestamps if t > cutoff]
            if len(state.call_timestamps) >= state.config.requests_per_minute:
                oldest = state.call_timestamps[0]
                wait_time = 60.0 - (now - oldest)
                raise RateLimitExceededError(
                    f"Platform '{platform}' rate limit: {state.config.requests_per_minute}/min. "
                    f"Try again in {wait_time:.0f}s."
                )
            # All clear — record the call
            state.call_timestamps.append(now)
            state.active_requests += 1
            self._total_calls += 1
    async def _release(self, platform: str) -> None:
        async with self._lock:
            state = self._platforms.get(platform)
            if state:
                state.active_requests = max(0, state.active_requests - 1)
    def record_429(self, platform: str) -> None:
        """Call this when an API returns 429 to trigger cooldown."""
        state = self._platforms.get(platform)
        if state:
            state.last_429_at = time.monotonic()
    def get_stats(self) -> dict:
        """Return current usage stats for logging/reporting."""
        stats: dict = {
            "total_calls": self._total_calls,
            "remaining_calls": self.remaining_calls,
            "platforms": {},
        }
        for name, state in self._platforms.items():
            now = time.monotonic()
            cutoff = now - 60.0
            recent = [t for t in state.call_timestamps if t > cutoff]
            stats["platforms"][name] = {
                "calls_last_60s": len(recent),
                "active_requests": state.active_requests,
                "rpm_limit": state.config.requests_per_minute,
                "in_cooldown": bool(
                    state.last_429_at
                    and (now - state.last_429_at) < state.config.cooldown_after_429
                ),
            }
        return stats
 class _AcquireContext:
    """Async context manager for rate-limited API calls."""
    def __init__(self, limiter: RateLimiter, platform: str):
        self._limiter = limiter
        self._platform = platform
    async def __aenter__(self) -> None:
        await self._limiter._acquire(self._platform)
    async def __aexit__(self, *exc_info) -> None:
        # Check if the call got a 429
        if exc_info[0] is not None:
            import httpx
            exc = exc_info[1]
            if isinstance(exc, httpx.HTTPStatusError) and exc.response.status_code == 429:
                self._limiter.record_429(self._platform)
        await self._limiter._release(self._platform)
--- a/agentstuff/sentiment_agent/tools.py
+++ b/agentstuff/sentiment_agent/tools.py
@@ -0,0 +1,352 @@
 """Custom MCP tools for social media and forum data gathering.
 Each tool wraps an API client, enforces rate limits, runs credibility
 scoring, and returns MCP-formatted results with bot/disinfo annotations.
 """
 from __future__ import annotations
 import json
 import traceback
 from claude_agent_sdk import tool, create_sdk_mcp_server
 from sentiment_agent.clients import bluesky, reddit, hackernews
 from sentiment_agent.config import SafetyConfig
 from sentiment_agent.credibility import (
    detect_coordination,
    filter_and_annotate,
    score_bluesky_post,
    score_hackernews_comment,
    score_hackernews_post,
    score_reddit_comment,
    score_reddit_post,
 )
 from sentiment_agent.ratelimit import BudgetExhaustedError, RateLimiter
 # Module-level state — initialized by create_social_tools_server()
 _limiter: RateLimiter | None = None
 _config: SafetyConfig | None = None
 def _get_limiter() -> RateLimiter:
    if _limiter is None:
        raise RuntimeError("Tools not initialized — call create_social_tools_server() first")
    return _limiter
 def _get_config() -> SafetyConfig:
    if _config is None:
        return SafetyConfig()
    return _config
 def _text_result(text: str) -> dict:
    return {"content": [{"type": "text", "text": text}]}
 def _error_result(error: str) -> dict:
    return {"content": [{"type": "text", "text": f"Error: {error}"}], "isError": True}
 def _clamp_limit(requested: int) -> int:
    """Enforce max results per call."""
    return min(requested, _get_config().max_results_per_call)
 def _format_with_stats(
    posts: list[dict],
    stats: dict,
    coordination_warnings: list[str],
    platform: str,
 ) -> str:
    """Format results with credibility stats prepended."""
    header_parts = [
        f"Platform: {platform}",
        f"Results: {stats['authentic']} authentic, {stats['flagged']} flagged, "
        f"{stats['excluded']} excluded (of {stats['total']} total)",
    ]
    if coordination_warnings:
        header_parts.append("--- COORDINATION ALERTS ---")
        header_parts.extend(coordination_warnings)
        header_parts.append("---")
    limiter = _get_limiter()
    header_parts.append(f"API budget remaining: {limiter.remaining_calls} calls")
    header = "\n".join(header_parts)
    body = json.dumps(posts, indent=2, default=str)
    return f"{header}\n\n{body}"
 # --- Bluesky tools ---
@tool(
    "search_bluesky",
    "Search Bluesky for posts about a topic. Returns posts with text, author, "
    "engagement metrics, credibility scores, and bot/disinfo flags. "
    "Requires BLUESKY_HANDLE and BLUESKY_APP_PASSWORD env vars.",
    {"query": str, "limit": int, "sort": str},
 )
 async def search_bluesky(args: dict) -> dict:
    try:
        limiter = _get_limiter()
        config = _get_config()
        async with limiter.acquire("bluesky"):
            posts = await bluesky.search_posts(
                query=args["query"],
                limit=_clamp_limit(args.get("limit", 25)),
                sort=args.get("sort", "top"),
            )
        if not posts:
            return _text_result(f"No Bluesky posts found for: {args['query']}")
        coordination = detect_coordination(posts, text_key="text")
        filtered, stats = filter_and_annotate(
            posts, score_bluesky_post,
            min_score=config.min_credibility_score,
            flag_threshold=config.flag_bot_threshold,
        )
        return _text_result(_format_with_stats(filtered, stats, coordination, "Bluesky"))
    except BudgetExhaustedError as e:
        return _error_result(str(e))
    except Exception as e:
        return _error_result(f"Bluesky search failed: {e}\n{traceback.format_exc()}")
@tool(
    "get_bluesky_thread",
    "Fetch a Bluesky thread/post and its replies with credibility scoring. "
    "Accepts an at:// URI or https://bsky.app/... URL.",
    {"uri": str, "depth": int},
 )
 async def get_bluesky_thread(args: dict) -> dict:
    try:
        limiter = _get_limiter()
        config = _get_config()
        async with limiter.acquire("bluesky"):
            thread = await bluesky.get_thread(
                uri=args["uri"],
                depth=args.get("depth", 6),
            )
        # Score replies
        if thread.get("replies"):
            coordination = detect_coordination(thread["replies"], text_key="text")
            filtered_replies, stats = filter_and_annotate(
                thread["replies"], score_bluesky_post,
                min_score=config.min_credibility_score,
                flag_threshold=config.flag_bot_threshold,
            )
            thread["replies"] = filtered_replies
            thread["_reply_credibility_stats"] = stats
            thread["_coordination_warnings"] = coordination
        # Score root post
        if thread.get("post"):
            result = score_bluesky_post(thread["post"])
            thread["post"]["_credibility"] = {
                "score": round(result.score, 2),
                "label": result.label,
                "flags": result.flags,
            }
        return _text_result(json.dumps(thread, indent=2, default=str))
    except BudgetExhaustedError as e:
        return _error_result(str(e))
    except Exception as e:
        return _error_result(f"Bluesky thread fetch failed: {e}\n{traceback.format_exc()}")
 # --- Reddit tools ---
@tool(
    "search_reddit",
    "Search Reddit for posts about a topic. Returns posts with credibility scores "
    "and bot/disinfo flags. Posts below the credibility threshold are auto-excluded. "
    "Use subreddit='all' for site-wide or specify a subreddit name.",
    {"query": str, "subreddit": str, "sort": str, "time_filter": str, "limit": int},
 )
 async def search_reddit_tool(args: dict) -> dict:
    try:
        limiter = _get_limiter()
        config = _get_config()
        async with limiter.acquire("reddit"):
            posts = await reddit.search_posts(
                query=args["query"],
                subreddit=args.get("subreddit", "all"),
                sort=args.get("sort", "relevance"),
                time_filter=args.get("time_filter", "month"),
                limit=_clamp_limit(args.get("limit", 25)),
            )
        if not posts:
            return _text_result(f"No Reddit posts found for: {args['query']}")
        coordination = detect_coordination(posts, text_key="title")
        filtered, stats = filter_and_annotate(
            posts, score_reddit_post,
            min_score=config.min_credibility_score,
            flag_threshold=config.flag_bot_threshold,
        )
        return _text_result(_format_with_stats(filtered, stats, coordination, "Reddit"))
    except BudgetExhaustedError as e:
        return _error_result(str(e))
    except Exception as e:
        return _error_result(f"Reddit search failed: {e}\n{traceback.format_exc()}")
@tool(
    "get_reddit_comments",
    "Fetch comments for a Reddit post with credibility scoring. "
    "Pass the permalink path or full URL.",
    {"permalink": str, "sort": str, "limit": int},
 )
 async def get_reddit_comments(args: dict) -> dict:
    try:
        limiter = _get_limiter()
        config = _get_config()
        async with limiter.acquire("reddit"):
            comments = await reddit.get_post_comments(
                permalink=args["permalink"],
                sort=args.get("sort", "top"),
                limit=_clamp_limit(args.get("limit", 25)),
            )
        if not comments:
            return _text_result("No comments found for this post.")
        coordination = detect_coordination(comments, text_key="body")
        filtered, stats = filter_and_annotate(
            comments, score_reddit_comment,
            min_score=config.min_credibility_score,
            flag_threshold=config.flag_bot_threshold,
        )
        return _text_result(_format_with_stats(filtered, stats, coordination, "Reddit Comments"))
    except BudgetExhaustedError as e:
        return _error_result(str(e))
    except Exception as e:
        return _error_result(f"Reddit comments fetch failed: {e}\n{traceback.format_exc()}")
 # --- Hacker News tools ---
@tool(
    "search_hackernews",
    "Search Hacker News for stories with credibility scoring. "
    "No authentication required.",
    {"query": str, "limit": int},
 )
 async def search_hackernews_tool(args: dict) -> dict:
    try:
        limiter = _get_limiter()
        config = _get_config()
        async with limiter.acquire("hackernews"):
            stories = await hackernews.search_stories(
                query=args["query"],
                limit=_clamp_limit(args.get("limit", 25)),
            )
        if not stories:
            return _text_result(f"No HN stories found for: {args['query']}")
        coordination = detect_coordination(stories, text_key="title")
        filtered, stats = filter_and_annotate(
            stories, score_hackernews_post,
            min_score=config.min_credibility_score,
            flag_threshold=config.flag_bot_threshold,
        )
        return _text_result(_format_with_stats(filtered, stats, coordination, "Hacker News"))
    except BudgetExhaustedError as e:
        return _error_result(str(e))
    except Exception as e:
        return _error_result(f"HN search failed: {e}\n{traceback.format_exc()}")
@tool(
    "search_hackernews_comments",
    "Search Hacker News comments for opinions and discussions with credibility scoring.",
    {"query": str, "limit": int},
 )
 async def search_hackernews_comments(args: dict) -> dict:
    try:
        limiter = _get_limiter()
        config = _get_config()
        async with limiter.acquire("hackernews"):
            comments = await hackernews.search_comments(
                query=args["query"],
                limit=_clamp_limit(args.get("limit", 25)),
            )
        if not comments:
            return _text_result(f"No HN comments found for: {args['query']}")
        coordination = detect_coordination(comments, text_key="comment_text")
        filtered, stats = filter_and_annotate(
            comments, score_hackernews_comment,
            min_score=config.min_credibility_score,
            flag_threshold=config.flag_bot_threshold,
        )
        return _text_result(
            _format_with_stats(filtered, stats, coordination, "HN Comments")
        )
    except BudgetExhaustedError as e:
        return _error_result(str(e))
    except Exception as e:
        return _error_result(f"HN comment search failed: {e}\n{traceback.format_exc()}")
 # --- Budget status tool ---
@tool(
    "get_api_budget_status",
    "Check remaining API call budget, rate limit status, and per-platform stats. "
    "Use this before making more API calls to avoid hitting limits.",
    {},
 )
 async def get_api_budget_status(args: dict) -> dict:
    limiter = _get_limiter()
    stats = limiter.get_stats()
    return _text_result(json.dumps(stats, indent=2, default=str))
 # --- Server factory ---
 def create_social_tools_server(config: SafetyConfig | None = None):
    """Create an MCP server with all social media/forum tools.
    Initializes rate limiting and credibility thresholds from config.
    """
    global _limiter, _config
    _config = config or SafetyConfig.from_env()
    _limiter = RateLimiter(max_total_calls=_config.max_total_api_calls)
    _limiter.register_platform("bluesky", _config.bluesky_rate)
    _limiter.register_platform("reddit", _config.reddit_rate)
    _limiter.register_platform("hackernews", _config.hackernews_rate)
    return create_sdk_mcp_server(
        "social-tools",
        tools=[
            search_bluesky,
            get_bluesky_thread,
            search_reddit_tool,
            get_reddit_comments,
            search_hackernews_tool,
            search_hackernews_comments,
            get_api_budget_status,
        ],
    )
--- a/aur-api/.SRCINFO
+++ b/aur-api/.SRCINFO
@@ -0,0 +1,23 @@
 pkgbase = stegasoo-api-git
 	pkgdesc = Stegasoo REST API with TLS and API key authentication
 	pkgver = 4.2.1
 	pkgrel = 1
 	url = https://github.com/adlee-was-taken/stegasoo
 	install = stegasoo-api-git.install
 	arch = x86_64
 	license = MIT
 	makedepends = git
 	makedepends = python
 	makedepends = python-build
 	makedepends = python-hatchling
 	depends = python>=3.11
 	depends = zbar
 	optdepends = libjpeg-turbo: jpegtran for lossless JPEG rotation (DCT-safe)
 	provides = stegasoo-api
 	conflicts = stegasoo-api
 	conflicts = stegasoo
 	conflicts = stegasoo-git
 	source = stegasoo-api-git::git+https://github.com/adlee-was-taken/stegasoo.git#branch=main
 	sha256sums = SKIP
 pkgname = stegasoo-api-git
--- a/aur-api/PKGBUILD
+++ b/aur-api/PKGBUILD
@@ -0,0 +1,109 @@
 # Maintainer: Aaron D. Lee <your-email@example.com>
 pkgname=stegasoo-api-git
 pkgver=4.3.0
 pkgrel=1
 pkgdesc="Stegasoo REST API with TLS and API key authentication"
 arch=('x86_64')
 url="https://github.com/adlee-was-taken/stegasoo"
 license=('MIT')
 # Python 3.11-3.14 supported
 depends=(
    'python>=3.11'
    'zbar'  # QR code reading for RSA key extraction
 )
 makedepends=(
    'git'
    'python'
    'python-build'
    'python-hatchling'
 )
 optdepends=(
    'libjpeg-turbo: jpegtran for lossless JPEG rotation (DCT-safe)'
 )
 provides=('stegasoo-api')
 conflicts=('stegasoo-api' 'stegasoo' 'stegasoo-git')
 install=stegasoo-api-git.install
 source=("${pkgname}::git+https://github.com/adlee-was-taken/stegasoo.git#branch=main")
 sha256sums=('SKIP')
 pkgver() {
    cd "$pkgname"
    git describe --long --tags 2>/dev/null | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g' || \
    printf "%s.r%s.g%s" "4.3.0" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
 }
 build() {
    cd "$pkgname"
    python -m build --wheel --no-isolation
 }
 package() {
    cd "$pkgname"
    # Detect Python version for site-packages path
    local pyver=$(python -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')
    # Install to /opt/stegasoo-api with dedicated venv
    install -dm755 "$pkgdir/opt/stegasoo-api"
    # Create fresh venv in package
    python -m venv "$pkgdir/opt/stegasoo-api/venv"
    # Install the wheel with API + CLI + compression extras
    local wheel=$(ls dist/*.whl | head -1)
    "$pkgdir/opt/stegasoo-api/venv/bin/pip" install --no-cache-dir "${wheel}[api,cli,compression]"
    # Install API frontend (not included in wheel by default)
    local site_packages="$pkgdir/opt/stegasoo-api/venv/lib/python${pyver}/site-packages"
    install -dm755 "$site_packages/frontends/api"
    cp -r frontends/api/*.py "$site_packages/frontends/api/"
    cp -r frontends/__init__.py "$site_packages/frontends/" 2>/dev/null || true
    # Create temp directory for API
    install -dm755 "$site_packages/frontends/api/temp_files"
    # Create config directories
    install -dm755 "$pkgdir/opt/stegasoo-api/config"
    install -dm700 "$pkgdir/opt/stegasoo-api/certs"
    # Fix shebangs - replace build-time paths with installed paths
    find "$pkgdir/opt/stegasoo-api/venv/bin" -type f -exec \
        sed -i "s|$pkgdir/opt/stegasoo-api/venv|/opt/stegasoo-api/venv|g" {} \;
    # Fix pyvenv.cfg
    sed -i "s|$pkgdir||g" "$pkgdir/opt/stegasoo-api/venv/pyvenv.cfg"
    # Create symlink to /usr/bin
    install -dm755 "$pkgdir/usr/bin"
    ln -s /opt/stegasoo-api/venv/bin/stegasoo "$pkgdir/usr/bin/stegasoo"
    # Install license
    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
    # Install docs
    install -Dm644 README.md "$pkgdir/usr/share/doc/$pkgname/README.md"
    # Install systemd service
    install -Dm644 /dev/stdin "$pkgdir/usr/lib/systemd/system/stegasoo-api.service" <<EOF
 [Unit]
 Description=Stegasoo REST API (HTTPS)
 After=network.target
 [Service]
 Type=simple
 User=stegasoo
 WorkingDirectory=/opt/stegasoo-api/venv/lib/python${pyver}/site-packages/frontends/api
 Environment="PATH=/opt/stegasoo-api/venv/bin"
 Environment="HOME=/opt/stegasoo-api"
 # TLS enabled by default - certs auto-generated on first run
 # Use: stegasoo api tls generate (to pre-generate certs)
 # Use: stegasoo api keys create <name> (to create API keys)
 ExecStart=/opt/stegasoo-api/venv/bin/stegasoo api serve --host 127.0.0.1 --port 8000
 Restart=on-failure
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
 EOF
 }
--- a/aur-api/README.md
+++ b/aur-api/README.md
@@ -0,0 +1,102 @@
 # Stegasoo API AUR Package
 REST API server package for programmatic steganography operations. Includes HTTPS support and API key authentication.
 ## Installation
 ### From AUR (once published)
 ```bash
 yay -S stegasoo-api-git
 # or
 paru -S stegasoo-api-git
 ```
 ### Manual build
 ```bash
 git clone https://aur.archlinux.org/stegasoo-api-git.git
 cd stegasoo-api-git
 makepkg -si
 ```
 ## What Gets Installed
 - `/opt/stegasoo-api/venv/` - Self-contained Python venv with API dependencies
 - `/opt/stegasoo-api/config/` - API key storage
 - `/opt/stegasoo-api/certs/` - TLS certificates
 - `/usr/bin/stegasoo` - CLI executable
 - `/usr/lib/systemd/system/stegasoo-api.service` - Systemd service
 ## Quick Start
 ```bash
 # 1. Create an API key
 sudo -u stegasoo stegasoo api keys create mykey
 # 2. Start the service
 sudo systemctl enable --now stegasoo-api
 # 3. Test the API
 curl -k -H "X-API-Key: YOUR_KEY" https://localhost:8000/
 ```
 ## Service Details
 | Setting | Value |
 |---------|-------|
 | Port | 8000 |
 | Protocol | HTTPS (self-signed cert auto-generated) |
 | API Docs | https://localhost:8000/docs |
 | OpenAPI | https://localhost:8000/openapi.json |
 ## API Key Management
 ```bash
 # List all keys
 stegasoo api keys list
 # Create a new key
 sudo -u stegasoo stegasoo api keys create <name>
 # Revoke a key
 sudo -u stegasoo stegasoo api keys revoke <name>
 ```
 ## TLS Configuration
 ```bash
 # View current certificate info
 stegasoo api tls info
 # Generate new self-signed certificate
 sudo -u stegasoo stegasoo api tls generate
 # Use custom certificates (edit service)
 sudo systemctl edit stegasoo-api
 # Add:
 # [Service]
 # ExecStart=
 # ExecStart=/opt/stegasoo-api/venv/bin/stegasoo api serve \
 #     --host 0.0.0.0 --port 8000 \
 #     --cert /path/to/cert.pem --key /path/to/key.pem
 ```
 ## Manual Run (without systemd)
 ```bash
 # Development mode (auto-reload)
 /opt/stegasoo-api/venv/bin/stegasoo api serve --reload
 # Production mode
 /opt/stegasoo-api/venv/bin/stegasoo api serve --host 0.0.0.0 --port 8000
 ```
 ## For Web UI
 Install the full package instead:
 ```bash
 yay -S stegasoo-git
 ```
 ## Maintainer
 Aaron D. Lee
--- a/aur-api/stegasoo-api-git.install
+++ b/aur-api/stegasoo-api-git.install
@@ -0,0 +1,63 @@
 post_install() {
    # Create stegasoo system user if it doesn't exist
    if ! getent passwd stegasoo >/dev/null; then
        useradd -r -s /usr/bin/nologin -d /opt/stegasoo-api stegasoo
        echo "Created system user 'stegasoo'"
    fi
    # Set ownership of directories
    chown -R stegasoo:stegasoo /opt/stegasoo-api/config 2>/dev/null || true
    chown -R stegasoo:stegasoo /opt/stegasoo-api/certs 2>/dev/null || true
    echo ""
    echo "==============================================="
    echo "  Stegasoo API installed successfully!"
    echo "==============================================="
    echo ""
    echo "-----------------------------------------------"
    echo "  Quick Start"
    echo "-----------------------------------------------"
    echo "  1. Create an API key:"
    echo "     sudo -u stegasoo stegasoo api keys create mykey"
    echo ""
    echo "  2. Start the API server:"
    echo "     sudo systemctl start stegasoo-api"
    echo "     sudo systemctl enable stegasoo-api  # auto-start"
    echo ""
    echo "  3. Access the API:"
    echo "     curl -k -H 'X-API-Key: YOUR_KEY' https://localhost:8000/"
    echo ""
    echo "-----------------------------------------------"
    echo "  Service Details"
    echo "-----------------------------------------------"
    echo "  Port: 8000 (HTTPS by default)"
    echo "  Docs: https://localhost:8000/docs"
    echo "  Status: sudo systemctl status stegasoo-api"
    echo ""
    echo "-----------------------------------------------"
    echo "  Management Commands"
    echo "-----------------------------------------------"
    echo "  stegasoo api keys list       # List API keys"
    echo "  stegasoo api keys create X   # Create new key"
    echo "  stegasoo api tls generate    # Generate TLS certs"
    echo "  stegasoo api tls info        # Show certificate info"
    echo "  stegasoo api serve --help    # Server options"
    echo ""
    echo "==============================================="
    echo ""
 }
 post_upgrade() {
    post_install
 }
 pre_remove() {
    # Stop service if running
    systemctl stop stegasoo-api 2>/dev/null || true
 }
 post_remove() {
    echo "Stegasoo API removed."
    echo "User 'stegasoo' and config in /opt/stegasoo-api were not removed."
    echo "To remove: userdel stegasoo && rm -rf /opt/stegasoo-api"
 }
--- a/aur-api/test-build.sh
+++ b/aur-api/test-build.sh
@@ -0,0 +1,22 @@
 #!/bin/bash
 # Test build the AUR API package locally
 set -e
 cd "$(dirname "$0")"
 echo "=== Cleaning previous builds ==="
 rm -rf stegasoo-api-git pkg src *.pkg.tar.zst *.whl 2>/dev/null || true
 echo "=== Generating .SRCINFO ==="
 makepkg --printsrcinfo > .SRCINFO
 echo "=== Building package ==="
 makepkg -sf
 echo "=== Package built ==="
 ls -la *.pkg.tar.zst
 echo ""
 echo "To install: sudo pacman -U stegasoo-api-git-*.pkg.tar.zst"
 echo "To test:    makepkg -si"
--- a/aur-cli/.SRCINFO
+++ b/aur-cli/.SRCINFO
@@ -0,0 +1,22 @@
 pkgbase = stegasoo-cli-git
 	pkgdesc = Secure steganography CLI with hybrid photo + passphrase + PIN authentication
 	pkgver = 4.2.1
 	pkgrel = 1
 	url = https://github.com/adlee-was-taken/stegasoo
 	install = stegasoo-cli-git.install
 	arch = x86_64
 	license = MIT
 	makedepends = git
 	makedepends = python
 	makedepends = python-build
 	makedepends = python-hatchling
 	depends = python>=3.11
 	optdepends = libjpeg-turbo: jpegtran for lossless JPEG rotation (DCT-safe)
 	provides = stegasoo-cli
 	conflicts = stegasoo-cli
 	conflicts = stegasoo
 	conflicts = stegasoo-git
 	source = stegasoo-cli-git::git+https://github.com/adlee-was-taken/stegasoo.git#branch=main
 	sha256sums = SKIP
 pkgname = stegasoo-cli-git
--- a/aur-cli/PKGBUILD
+++ b/aur-cli/PKGBUILD
@@ -0,0 +1,69 @@
 # Maintainer: Aaron D. Lee <your-email@example.com>
 pkgname=stegasoo-cli-git
 pkgver=4.3.0
 pkgrel=1
 pkgdesc="Secure steganography CLI with hybrid photo + passphrase + PIN authentication"
 arch=('x86_64')
 url="https://github.com/adlee-was-taken/stegasoo"
 license=('MIT')
 # Python 3.11-3.14 supported (uses jpeglib for modern Python compatibility)
 depends=(
    'python>=3.11'
 )
 makedepends=(
    'git'
    'python'
    'python-build'
    'python-hatchling'
 )
 optdepends=(
    'libjpeg-turbo: jpegtran for lossless JPEG rotation (DCT-safe)'
 )
 provides=('stegasoo-cli')
 conflicts=('stegasoo-cli' 'stegasoo' 'stegasoo-git')
 install=stegasoo-cli-git.install
 source=("${pkgname}::git+https://github.com/adlee-was-taken/stegasoo.git#branch=main")
 sha256sums=('SKIP')
 pkgver() {
    cd "$pkgname"
    git describe --long --tags 2>/dev/null | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g' || \
    printf "%s.r%s.g%s" "4.3.0" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
 }
 build() {
    cd "$pkgname"
    python -m build --wheel --no-isolation
 }
 package() {
    cd "$pkgname"
    # Install to /opt/stegasoo-cli with dedicated venv
    install -dm755 "$pkgdir/opt/stegasoo-cli"
    # Create fresh venv in package
    python -m venv "$pkgdir/opt/stegasoo-cli/venv"
    # Install the wheel with CLI + DCT + compression extras (no web/api)
    local wheel=$(ls dist/*.whl | head -1)
    "$pkgdir/opt/stegasoo-cli/venv/bin/pip" install --no-cache-dir "${wheel}[cli,dct,compression]"
    # Fix shebangs - replace build-time paths with installed paths
    find "$pkgdir/opt/stegasoo-cli/venv/bin" -type f -exec \
        sed -i "s|$pkgdir/opt/stegasoo-cli/venv|/opt/stegasoo-cli/venv|g" {} \;
    # Fix pyvenv.cfg
    sed -i "s|$pkgdir||g" "$pkgdir/opt/stegasoo-cli/venv/pyvenv.cfg"
    # Create symlink to /usr/bin
    install -dm755 "$pkgdir/usr/bin"
    ln -s /opt/stegasoo-cli/venv/bin/stegasoo "$pkgdir/usr/bin/stegasoo"
    # Install license
    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
    # Install docs
    install -Dm644 README.md "$pkgdir/usr/share/doc/$pkgname/README.md"
 }
--- a/aur-cli/README.md
+++ b/aur-cli/README.md
@@ -0,0 +1,62 @@
 # Stegasoo CLI AUR Package
 Lightweight CLI-only package for steganography operations. No web UI or API server.
 ## Installation
 ### From AUR (once published)
 ```bash
 yay -S stegasoo-cli-git
 # or
 paru -S stegasoo-cli-git
 ```
 ### Manual build
 ```bash
 git clone https://aur.archlinux.org/stegasoo-cli-git.git
 cd stegasoo-cli-git
 makepkg -si
 ```
 ## What Gets Installed
 - `/opt/stegasoo-cli/venv/` - Self-contained Python venv with CLI dependencies only
 - `/usr/bin/stegasoo` - CLI executable
 ## Usage
 ```bash
 # Show all commands
 stegasoo --help
 # Generate credentials (passphrase + PIN)
 stegasoo generate
 stegasoo generate --words 5 --pin-length 8
 # Generate with RSA keys and QR codes
 stegasoo generate --rsa --qr-ascii
 # Encode a message
 stegasoo encode -i carrier.jpg -r reference.jpg -m "secret message" \
    -P "word1 word2 word3 word4" -p 123456
 # Decode a message
 stegasoo decode -i encoded.png -r reference.jpg \
    -P "word1 word2 word3 word4" -p 123456
 # Image tools
 stegasoo tools --help
 stegasoo tools compress image.png
 stegasoo tools rotate image.jpg 90
 ```
 ## For Web UI or REST API
 Install the full package instead:
 ```bash
 yay -S stegasoo-git
 ```
 ## Maintainer
 Aaron D. Lee
--- a/aur-cli/stegasoo-cli-git.install
+++ b/aur-cli/stegasoo-cli-git.install
@@ -0,0 +1,20 @@
 post_install() {
    echo ""
    echo "==============================================="
    echo "  Stegasoo CLI installed successfully!"
    echo "==============================================="
    echo ""
    echo "Usage:"
    echo "  stegasoo --help          # Show all commands"
    echo "  stegasoo generate        # Generate passphrase + PIN"
    echo "  stegasoo encode ...      # Hide data in an image"
    echo "  stegasoo decode ...      # Extract hidden data"
    echo "  stegasoo tools --help    # Image tools (compress, etc.)"
    echo ""
    echo "For web UI or REST API, install stegasoo-git instead."
    echo ""
 }
 post_upgrade() {
    post_install
 }
--- a/aur-cli/test-build.sh
+++ b/aur-cli/test-build.sh
@@ -0,0 +1,22 @@
 #!/bin/bash
 # Test build the AUR CLI package locally
 set -e
 cd "$(dirname "$0")"
 echo "=== Cleaning previous builds ==="
 rm -rf stegasoo-cli-git pkg src *.pkg.tar.zst *.whl 2>/dev/null || true
 echo "=== Generating .SRCINFO ==="
 makepkg --printsrcinfo > .SRCINFO
 echo "=== Building package ==="
 makepkg -sf
 echo "=== Package built ==="
 ls -la *.pkg.tar.zst
 echo ""
 echo "To install: sudo pacman -U stegasoo-cli-git-*.pkg.tar.zst"
 echo "To test:    makepkg -si"
--- a/aur/PKGBUILD
+++ b/aur/PKGBUILD
@@ -0,0 +1,120 @@
 # Maintainer: Aaron D. Lee <your-email@example.com>
 pkgname=stegasoo-git
 pkgver=4.3.0
 pkgrel=1
 pkgdesc="Secure steganography with hybrid photo + passphrase + PIN authentication"
 arch=('x86_64')
 url="https://github.com/adlee-was-taken/stegasoo"
 license=('MIT')
 # Python 3.11-3.14 supported (uses jpeglib for modern Python compatibility)
 depends=(
    'python>=3.11'
    'zbar'  # QR code reading for Web UI
 )
 makedepends=(
    'git'
    'python'
    'python-build'
    'python-hatchling'
 )
 provides=('stegasoo')
 conflicts=('stegasoo')
 install=stegasoo-git.install
 source=("${pkgname}::git+https://github.com/adlee-was-taken/stegasoo.git#branch=main")
 sha256sums=('SKIP')
 pkgver() {
    cd "$pkgname"
    git describe --long --tags 2>/dev/null | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g' || \
    printf "%s.r%s.g%s" "4.3.0" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
 }
 build() {
    cd "$pkgname"
    python -m build --wheel --no-isolation
 }
 package() {
    cd "$pkgname"
    # Detect Python version for site-packages path
    local pyver=$(python -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')
    # Install to /opt/stegasoo with dedicated venv
    install -dm755 "$pkgdir/opt/stegasoo"
    # Create fresh venv in package
    python -m venv "$pkgdir/opt/stegasoo/venv"
    # Install the wheel with all extras
    local wheel=$(ls dist/*.whl | head -1)
    "$pkgdir/opt/stegasoo/venv/bin/pip" install --no-cache-dir "${wheel}[all]"
    # Install frontends (not included in wheel)
    local site_packages="$pkgdir/opt/stegasoo/venv/lib/python${pyver}/site-packages"
    cp -r frontends "$site_packages/"
    # Create writable directories for stegasoo user
    install -dm755 "$pkgdir/opt/stegasoo/venv/var/app-instance"
    install -dm755 "$site_packages/frontends/web/temp_files"
    install -dm755 "$site_packages/frontends/api/temp_files"
    # Fix shebangs - replace build-time paths with installed paths
    find "$pkgdir/opt/stegasoo/venv/bin" -type f -exec \
        sed -i "s|$pkgdir/opt/stegasoo/venv|/opt/stegasoo/venv|g" {} \;
    # Fix pyvenv.cfg
    sed -i "s|$pkgdir||g" "$pkgdir/opt/stegasoo/venv/pyvenv.cfg"
    # Create symlinks to /usr/bin
    install -dm755 "$pkgdir/usr/bin"
    ln -s /opt/stegasoo/venv/bin/stegasoo "$pkgdir/usr/bin/stegasoo"
    # Install license
    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
    # Install docs
    install -Dm644 README.md "$pkgdir/usr/share/doc/$pkgname/README.md"
    # Install systemd service files
    install -Dm644 /dev/stdin "$pkgdir/usr/lib/systemd/system/stegasoo-web.service" <<EOF
 [Unit]
 Description=Stegasoo Web UI
 After=network.target
 [Service]
 Type=simple
 User=stegasoo
 WorkingDirectory=/opt/stegasoo/venv/lib/python${pyver}/site-packages/frontends/web
 Environment="PATH=/opt/stegasoo/venv/bin"
 ExecStart=/opt/stegasoo/venv/bin/gunicorn -b 127.0.0.1:5000 app:app
 Restart=on-failure
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
 EOF
    install -Dm644 /dev/stdin "$pkgdir/usr/lib/systemd/system/stegasoo-api.service" <<EOF
 [Unit]
 Description=Stegasoo REST API (HTTPS)
 After=network.target
 [Service]
 Type=simple
 User=stegasoo
 WorkingDirectory=/opt/stegasoo/venv/lib/python${pyver}/site-packages/frontends/api
 Environment="PATH=/opt/stegasoo/venv/bin"
 Environment="HOME=/opt/stegasoo"
 # TLS enabled by default - certs auto-generated on first run
 # Use stegasoo api tls generate to pre-generate certs
 # Use stegasoo api keys create <name> to create API keys
 ExecStart=/opt/stegasoo/venv/bin/stegasoo api serve --host 127.0.0.1 --port 8000
 Restart=on-failure
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
 EOF
 }
--- a/aur/README.md
+++ b/aur/README.md
@@ -0,0 +1,90 @@
 # Stegasoo AUR Package
 Full package with CLI, Web UI, and REST API. Supports Python 3.11-3.14.
 ## Installation
 ### From AUR (once published)
 ```bash
 yay -S stegasoo-git
 # or
 paru -S stegasoo-git
 ```
 ### Manual build
 ```bash
 git clone https://aur.archlinux.org/stegasoo-git.git
 cd stegasoo-git
 makepkg -si
 ```
 ## What Gets Installed
 - `/opt/stegasoo/venv/` - Self-contained Python venv with all dependencies
 - `/usr/bin/stegasoo` - CLI symlink
 - `/usr/lib/systemd/system/stegasoo-web.service` - Web UI service (port 5000)
 - `/usr/lib/systemd/system/stegasoo-api.service` - REST API service (port 8000, HTTPS)
 ## Optional Dependencies
 ```bash
 # QR code reading from webcam/images (recommended)
 sudo pacman -S zbar
 ```
 All other dependencies are bundled in the venv.
 ## Usage
 ### CLI
 ```bash
 stegasoo --help
 stegasoo generate                    # Generate passphrase + PIN
 stegasoo generate --rsa --qr-ascii   # With RSA keys and QR codes
 stegasoo encode -i carrier.jpg -r reference.jpg -m "secret" -P "word1 word2 word3 word4" -p 123456
 stegasoo decode -i encoded.png -r reference.jpg -P "word1 word2 word3 word4" -p 123456
 ```
 ### Web UI
 ```bash
 # Start service (user created automatically on install)
 sudo systemctl enable --now stegasoo-web
 # Access at http://localhost:5000
 ```
 ### REST API
 ```bash
 # Create an API key first
 sudo -u stegasoo stegasoo api keys create mykey
 # Start service (HTTPS with auto-generated self-signed cert)
 sudo systemctl enable --now stegasoo-api
 # Access docs at https://localhost:8000/docs
 curl -k -H "X-API-Key: YOUR_KEY" https://localhost:8000/
 ```
 ### HTTPS Configuration
 The API uses HTTPS by default with auto-generated self-signed certificates.
 ```bash
 # View certificate info
 stegasoo api tls info
 # Generate new self-signed cert
 sudo -u stegasoo stegasoo api tls generate
 # Use custom certs (edit service file)
 sudo systemctl edit stegasoo-api
 ```
 ## Alternative Packages
 - `stegasoo-cli-git` - CLI only, minimal dependencies
 - `stegasoo-api-git` - CLI + REST API, no web UI
 ## Maintainer
 Aaron D. Lee
--- a/aur/stegasoo-git.install
+++ b/aur/stegasoo-git.install
@@ -0,0 +1,75 @@
 post_install() {
    # Create stegasoo system user if it doesn't exist
    if ! getent passwd stegasoo >/dev/null; then
        useradd -r -s /usr/bin/nologin -d /opt/stegasoo stegasoo
        echo "Created system user 'stegasoo'"
    fi
    # Set ownership of instance directory for Flask
    chown -R stegasoo:stegasoo /opt/stegasoo/venv/var/app-instance 2>/dev/null || true
    echo ""
    echo "==============================================="
    echo "  Stegasoo installed successfully!"
    echo "==============================================="
    echo ""
    echo "CLI usage:"
    echo "  stegasoo --help"
    echo "  stegasoo generate        # Generate credentials"
    echo "  stegasoo encode          # Encode a message"
    echo "  stegasoo decode          # Decode a message"
    echo ""
    echo "-----------------------------------------------"
    echo "  Web UI Service"
    echo "-----------------------------------------------"
    echo "  Port: 5000 (HTTP)"
    echo "  Start:   sudo systemctl start stegasoo-web"
    echo "  Enable:  sudo systemctl enable stegasoo-web"
    echo "  Status:  sudo systemctl status stegasoo-web"
    echo "  Access:  http://localhost:5000"
    echo ""
    echo "-----------------------------------------------"
    echo "  REST API Service"
    echo "-----------------------------------------------"
    echo "  Port: 8000 (HTTPS by default)"
    echo "  Start:   sudo systemctl start stegasoo-api"
    echo "  Enable:  sudo systemctl enable stegasoo-api"
    echo "  Status:  sudo systemctl status stegasoo-api"
    echo "  Access:  https://localhost:8000"
    echo ""
    echo "-----------------------------------------------"
    echo "  HTTPS Configuration"
    echo "-----------------------------------------------"
    echo "  The API generates self-signed certs on first run."
    echo "  To pre-generate or use custom certificates:"
    echo ""
    echo "  # Generate self-signed certs"
    echo "  sudo -u stegasoo stegasoo api tls generate"
    echo ""
    echo "  # Use custom certs (edit the service file)"
    echo "  sudo systemctl edit stegasoo-api"
    echo "  # Add: ExecStart= with --cert and --key flags"
    echo ""
    echo "  # Create API keys for authentication"
    echo "  sudo -u stegasoo stegasoo api keys create <name>"
    echo ""
    echo "==============================================="
    echo ""
 }
 post_upgrade() {
    post_install
 }
 pre_remove() {
    # Stop services if running
    systemctl stop stegasoo-web 2>/dev/null || true
    systemctl stop stegasoo-api 2>/dev/null || true
 }
 post_remove() {
    # Optionally remove the stegasoo user
    # userdel stegasoo 2>/dev/null || true
    echo "Stegasoo removed. User 'stegasoo' was not removed."
    echo "To remove: userdel stegasoo"
 }
--- a/aur/test-build.sh
+++ b/aur/test-build.sh
@@ -0,0 +1,22 @@
 #!/bin/bash
 # Test build the AUR package locally
 set -e
 cd "$(dirname "$0")"
 echo "=== Cleaning previous builds ==="
 rm -rf stegasoo-git pkg src *.pkg.tar.zst *.whl 2>/dev/null || true
 echo "=== Generating .SRCINFO ==="
 makepkg --printsrcinfo > .SRCINFO
 echo "=== Building package ==="
 makepkg -sf
 echo "=== Package built ==="
 ls -la *.pkg.tar.zst
 echo ""
 echo "To install: sudo pacman -U stegasoo-git-*.pkg.tar.zst"
 echo "To test:    makepkg -si"
--- a/data/WebUI.webp
+++ b/data/WebUI.webp
--- a/data/WebUI_About.webp
+++ b/data/WebUI_About.webp
--- a/data/WebUI_Account.webp
+++ b/data/WebUI_Account.webp
--- a/data/WebUI_Decode.webp
+++ b/data/WebUI_Decode.webp
--- a/data/WebUI_Encode.webp
+++ b/data/WebUI_Encode.webp
--- a/data/WebUI_Generate.webp
+++ b/data/WebUI_Generate.webp
--- a/data/WebUI_Login.webp
+++ b/data/WebUI_Login.webp
--- a/data/WebUI_Recover.webp
+++ b/data/WebUI_Recover.webp
--- a/data/WebUI_Setup.webp
+++ b/data/WebUI_Setup.webp
--- a/data/WebUI_Tools.webp
+++ b/data/WebUI_Tools.webp
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,62 +0,0 @@
 version: '3.8'
 services:
  # ============================================================================
  # Web UI (Flask)
  # ============================================================================
  web:
    build:
      context: .
      target: web
    container_name: stegasoo-web
    ports:
      - "5000:5000"
    environment:
      - FLASK_ENV=production
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 512M  # Argon2 needs 256MB per operation
        reservations:
          memory: 256M
  # ============================================================================
  # REST API (FastAPI)
  # ============================================================================
  api:
    build:
      context: .
      target: api
    container_name: stegasoo-api
    ports:
      - "8000:8000"
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 256M
  # ============================================================================
  # Nginx Reverse Proxy (optional, for production)
  # ============================================================================
  # nginx:
  #   image: nginx:alpine
  #   container_name: stegasoo-nginx
  #   ports:
  #     - "80:80"
  #     - "443:443"
  #   volumes:
  #     - ./nginx.conf:/etc/nginx/nginx.conf:ro
  #     - ./certs:/etc/nginx/certs:ro
  #   depends_on:
  #     - web
  #     - api
  #   restart: unless-stopped
 # ============================================================================
 # Development overrides
 # ============================================================================
 # Use: docker-compose -f docker-compose.yml -f docker-compose.dev.yml up
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -0,0 +1,152 @@
 # Stegasoo Docker Image
 # Uses pre-built base image for fast rebuilds
 #
 # First time setup:
 #   docker build -f Dockerfile.base -t stegasoo-base:latest .
 #
 # Then build normally (fast!):
 #   docker-compose build
 #
 # Or if you don't have the base image, this falls back to building deps
 # (slow, but works)
 # ============================================================================
 # ARG to switch between base image and full build
 # ============================================================================
 ARG USE_BASE_IMAGE=true
 # ============================================================================
 # Base stage - use pre-built image if available
 # ============================================================================
 FROM stegasoo-base:latest AS base-prebuilt
 FROM python:3.12-slim AS base-full
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PIP_ROOT_USER_ACTION=ignore
 # Install system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    g++ \
    libc-dev \
    libffi-dev \
    libzbar0 \
    libjpeg-dev \
    zlib1g-dev \
    curl \
    openssl \
    && rm -rf /var/lib/apt/lists/*
 # Install ALL dependencies (slow path)
 RUN pip install --no-cache-dir \
    cython numpy scipy>=1.10.0 jpegio>=0.2.0 \
    argon2-cffi>=23.0.0 pillow>=10.0.0 cryptography>=41.0.0 \
    reedsolo>=1.7.0 \
    flask>=3.0.0 gunicorn>=21.0.0 \
    fastapi>=0.100.0 "uvicorn[standard]>=0.20.0" python-multipart>=0.0.6 \
    qrcode>=7.3.0 pyzbar>=0.1.9 click>=8.0.0 lz4>=4.0.0
 # ============================================================================
 # Select which base to use (default: prebuilt)
 # ============================================================================
 FROM base-prebuilt AS base
 # ============================================================================
 # Production stage - Web UI
 # ============================================================================
 FROM base AS web
 WORKDIR /app
 # Install runtime dependencies (curl for healthcheck, openssl for cert generation)
 USER root
 RUN apt-get update && apt-get install -y --no-install-recommends \
    curl openssl \
    && rm -rf /var/lib/apt/lists/*
 # Copy application files (this is all that rebuilds normally!)
 COPY src/ src/
 COPY data/ data/
 COPY frontends/web/ frontends/web/
 # Create upload directory and instance directories (for volumes)
 # temp_files is for multi-worker temp file sharing
 RUN mkdir -p /tmp/stego_uploads /app/frontends/web/instance /app/frontends/web/certs /app/frontends/web/temp_files
 # Copy and set up entrypoint (before switching to non-root user)
 COPY frontends/web/docker-entrypoint.sh /app/frontends/web/
 RUN chmod +x /app/frontends/web/docker-entrypoint.sh
 # Create non-root user
 RUN useradd -m -u 1000 stego && chown -R stego:stego /app /tmp/stego_uploads
 USER stego
 # Set Python path
 ENV PYTHONPATH=/app/src
 # Expose port
 EXPOSE 5000
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
    CMD curl -fsk https://localhost:5000/ || curl -fs http://localhost:5000/ || exit 1
 # Run with entrypoint (handles HTTPS/HTTP mode)
 WORKDIR /app/frontends/web
 ENTRYPOINT ["/app/frontends/web/docker-entrypoint.sh"]
 # ============================================================================
 # API stage - REST API
 # ============================================================================
 FROM base AS api
 WORKDIR /app
 # Copy application files
 COPY src/ src/
 COPY data/ data/
 COPY frontends/api/ frontends/api/
 # Create non-root user
 RUN useradd -m -u 1000 stego && chown -R stego:stego /app
 USER stego
 # Set Python path
 ENV PYTHONPATH=/app/src
 # Expose port
 EXPOSE 8000
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/')" || exit 1
 # Run with uvicorn
 WORKDIR /app/frontends/api
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
 # ============================================================================
 # CLI stage - Command line tool
 # ============================================================================
 FROM base AS cli
 WORKDIR /app
 # Copy application files
 COPY src/ src/
 COPY data/ data/
 COPY frontends/cli/ frontends/cli/
 # Create non-root user
 RUN useradd -m -u 1000 stego && chown -R stego:stego /app
 USER stego
 # Set Python path
 ENV PYTHONPATH=/app/src
 # Default to help
 WORKDIR /app/frontends/cli
 ENTRYPOINT ["python", "main.py"]
 CMD ["--help"]
--- a/docker/Dockerfile.base
+++ b/docker/Dockerfile.base
@@ -0,0 +1,57 @@
 # Stegasoo Base Image
 # Contains all slow-to-compile dependencies (jpegio, scipy, argon2)
 # Build once: docker build -f Dockerfile.base -t stegasoo-base:latest .
 # Push to registry for team use: docker push yourregistry/stegasoo-base:latest
 FROM python:3.12-slim
 # Set environment variables
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PIP_ROOT_USER_ACTION=ignore
 # Install system dependencies
 # NOTE: g++ is required for jpegio C++ compilation
 # NOTE: libjpeg-dev is required for jpegio
 RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    g++ \
    libc-dev \
    libffi-dev \
    libzbar0 \
    libjpeg-dev \
    zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*
 # Install the slow-to-compile packages
 # These rarely change, so they get cached in this base image
 RUN pip install --no-cache-dir \
    cython \
    numpy \
    scipy>=1.10.0 \
    jpegio>=0.2.0 \
    argon2-cffi>=23.0.0 \
    pillow>=10.0.0 \
    cryptography>=41.0.0 \
    reedsolo>=1.7.0 \
    zstandard>=0.22.0
 # Install web/api framework packages (also stable)
 RUN pip install --no-cache-dir \
    flask>=3.0.0 \
    gunicorn>=21.0.0 \
    fastapi>=0.100.0 \
    "uvicorn[standard]>=0.20.0" \
    python-multipart>=0.0.6 \
    qrcode>=7.3.0 \
    pyzbar>=0.1.9 \
    click>=8.0.0 \
    lz4>=4.0.0
 # Verify key packages work
 RUN python -c "import jpegio; import scipy; import numpy; import zstandard; print('jpegio + scipy + numpy + zstd OK')"
 # Label for tracking
 LABEL org.opencontainers.image.title="Stegasoo Base"
 LABEL org.opencontainers.image.description="Pre-compiled dependencies for Stegasoo"
 LABEL org.opencontainers.image.version="4.2.1"
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -0,0 +1,64 @@
 # Shared environment variables
 x-common-env: &common-env
  STEGASOO_CHANNEL_KEY: ${STEGASOO_CHANNEL_KEY:-}
 services:
  # ============================================================================
  # Web UI (Flask)
  # ============================================================================
  web:
    build:
      context: ..
      dockerfile: docker/Dockerfile
      target: web
    container_name: stegasoo-web
    ports:
      - "5000:5000"
    environment:
      <<: *common-env
      FLASK_ENV: production
      # Authentication (v4.0.2)
      STEGASOO_AUTH_ENABLED: ${STEGASOO_AUTH_ENABLED:-true}
      # HTTPS enabled by default - generates self-signed cert if none provided
      # To disable: STEGASOO_HTTPS_ENABLED=false docker-compose up
      STEGASOO_HTTPS_ENABLED: ${STEGASOO_HTTPS_ENABLED:-true}
      STEGASOO_HOSTNAME: ${STEGASOO_HOSTNAME:-localhost}
    volumes:
      # Persist auth database and SSL certs (v4.0.2)
      - stegasoo-web-data:/app/frontends/web/instance
      - stegasoo-web-certs:/app/frontends/web/certs
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 2048M
        reservations:
          memory: 1024M
  # ============================================================================
  # REST API (FastAPI)
  # ============================================================================
  api:
    build:
      context: ..
      dockerfile: docker/Dockerfile
      target: api
    container_name: stegasoo-api
    ports:
      - "8000:8000"
    environment:
      <<: *common-env
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 2048M
        reservations:
          memory: 1024M
 # Named volumes for persistent data
 volumes:
  stegasoo-web-data:
    driver: local
  stegasoo-web-certs:
    driver: local
--- a/docs/CLAUDE_WORKTREES.md
+++ b/docs/CLAUDE_WORKTREES.md
@@ -0,0 +1,224 @@
 # Using Claude Code with Git Worktrees — A Stegasoo Guide
 ## What is a worktree?
 A git worktree is a second (or third, or fourth...) copy of your repo that shares the same `.git` history but lives in its own folder with its own branch. Think of it like opening the same project in a parallel universe — you can hack on a feature in one worktree while keeping `main` pristine in another.
 Claude Code has built-in worktree support, so you don't need to memorize any git commands.
 ## Why bother?
 - **Safety net**: Your `main` branch stays untouched. If Claude's changes go sideways, just delete the worktree — zero damage.
 - **Easy A/B comparison**: Keep the original code open in one editor tab, Claude's changes in another.
 - **Parallel work**: You can keep working in `main` while Claude tinkers in a worktree.
 - **Clean PRs**: The worktree branch becomes your PR branch with no stray changes mixed in.
 ## The 30-second version
 1. Ask Claude to work in a worktree
 2. Claude creates an isolated copy and works there
 3. When done, you either merge or throw it away
 That's it. Everything below is details.
 ---
 ## How to start a worktree session
 ### Option A: Ask Claude directly
 Just tell Claude you want to work in a worktree:
 ```
 > Let's work in a worktree for this
 > Start a worktree called "dct-refactor"
 > Can you make these changes in an isolated worktree?
 ```
 Claude will use `EnterWorktree` behind the scenes and switch into it automatically.
 ### Option B: Use the slash command
 ```
 > /worktree
 ```
 This drops you into a fresh worktree immediately.
 ### Option C: Tell Claude to launch an agent in a worktree
 If you want Claude to do something in the background without touching your working directory:
 ```
 > Run the tests in a worktree so we don't mess up my local state
 ```
 Claude can spin up a sub-agent with `isolation: "worktree"` — it gets its own copy and reports back.
 ---
 ## Where do worktrees live?
 Claude puts them in:
 ```
 .claude/worktrees/<name>/
 ```
 This directory is inside your repo but ignored by git, so it won't pollute your commits.
 ## What happens inside a worktree?
 The worktree is a full checkout of your repo on a new branch. Claude's working directory switches to it, so all file reads, edits, and commands happen there — not in your main checkout.
 **Important for Stegasoo**: The first thing you (or Claude) should do in a fresh worktree is:
 ```bash
 pip install -e ".[dev]"
 ```
 This points your editable install at the worktree's source code instead of your main checkout. Without this, `pytest` will test the wrong copy of the code.
 ---
 ## Real-world examples
 ### Example 1: Feature work
 ```
 You:    I want to add lz4 as a default compression option. Let's use a worktree.
 Claude: *creates worktree, switches to it*
 Claude: *installs dev deps, makes changes, runs tests*
 Claude: All tests pass. Ready to merge or open a PR.
 You:    Looks good, make a PR.
 Claude: *pushes branch, creates PR*
 ```
 ### Example 2: Risky refactor
 ```
 You:    Refactor the crypto module to split KDF logic into its own file.
        Do it in a worktree so I can review before touching main.
 Claude: *creates worktree "refactor/split-kdf"*
 Claude: *does the refactor, runs tests*
 You:    Hmm, I don't love the approach. Throw it away.
 Claude: *removes worktree — main is untouched*
 ```
 ### Example 3: Investigate a bug without side effects
 ```
 You:    Something's wrong with DCT encoding on large images.
        Can you investigate in a worktree? I've got uncommitted work here.
 Claude: *creates worktree, adds debug logging, runs tests*
 Claude: Found it — the block size calculation overflows at >16MP.
        Here's the fix. Want me to apply it to main?
 ```
 ---
 ## When to use a worktree vs. just editing in place
 | Situation | Worktree? | Why |
 |-----------|-----------|-----|
 | Quick one-file fix | No | Overkill — just edit directly |
 | Multi-file refactor | Yes | Easy to discard if it goes wrong |
 | Touching security-critical code (`crypto.py`, `steganography.py`, etc.) | Yes | Extra safety for sensitive changes |
 | Experimental / "let's try this" work | Yes | Zero-cost throwaway |
 | You have uncommitted changes you don't want to stash | Yes | Worktree won't touch your working tree |
 | Adding a single test | No | Low risk, just do it |
 ---
 ## Cleaning up
 ### If you merged or created a PR
 The worktree served its purpose. Clean up:
 ```bash
 git worktree remove .claude/worktrees/<name>
 ```
 Or ask Claude:
 ```
 > Clean up the worktree
 ```
 ### If you want to throw everything away
 Same command — removing the worktree deletes the directory and its branch reference. Your `main` branch is completely unaffected.
 ### If Claude's session ends
 When a Claude Code session ends while in a worktree, you'll be prompted to keep or remove it. If you keep it, you can resume later:
 ```bash
 cd .claude/worktrees/<name>
 # pick up where you left off
 ```
 ---
 ## Branch naming in worktrees
 Follow the same conventions as the rest of the project:
 | Type | Branch name | Example |
 |------|-------------|---------|
 | Feature | `feature/description` | `feature/batch-progress-bars` |
 | Bug fix | `fix/description` | `fix/dct-overflow-large-images` |
 | Docs | `docs/description` | `docs/api-examples` |
 | Refactor | `refactor/description` | `refactor/split-crypto-module` |
 When Claude creates a worktree automatically, it generates a random branch name. You can rename it before pushing:
 ```bash
 git branch -m <old-name> feature/my-better-name
 ```
 ---
 ## Troubleshooting
 ### "I ran pytest but it's testing the old code"
 You forgot to install in the worktree:
 ```bash
 pip install -e ".[dev]"
 ```
 ### "I can't find my worktree"
 ```bash
 git worktree list
 ```
 This shows all worktrees and their paths.
 ### "I accidentally deleted the worktree folder without removing it from git"
 ```bash
 git worktree prune
 ```
 This cleans up stale worktree references.
 ### "I want to switch back to my main checkout"
 If you're in a Claude Code session that entered a worktree, the session stays in the worktree until it ends. Start a new session to go back to your main checkout, or:
 ```bash
 cd /home/alee/Sources/stegasoo
 ```
 ---
 ## TL;DR
 1. Say "use a worktree" when asking Claude to make changes
 2. Claude works in an isolated copy — your `main` is safe
 3. Merge the good stuff, trash the bad stuff
 4. Never think about it again until next time
--- a/docs/DOCKER_QUICKSTART.md
+++ b/docs/DOCKER_QUICKSTART.md
@@ -0,0 +1,162 @@
 # Docker Quickstart
 Get Stegasoo running in Docker in under 5 minutes.
 ## Build
 ```bash
 # From project root:
 # Build web UI image
 sudo docker build -t stegasoo-web --target web -f docker/Dockerfile .
 # Or build all targets
 sudo docker build -t stegasoo-api --target api -f docker/Dockerfile .
 sudo docker build -t stegasoo-cli --target cli -f docker/Dockerfile .
 # Or use docker-compose
 sudo docker-compose -f docker/docker-compose.yml build
 ```
 ## Run (Basic)
 ```bash
 # HTTP only, no auth
 sudo docker run -d \
  -p 5000:5000 \
  -e STEGASOO_AUTH_ENABLED=false \
  --name stegasoo \
  stegasoo-web
 ```
 Visit http://localhost:5000
 ## Run (Production)
 ```bash
 # HTTPS + Auth + Channel Key
 sudo docker run -d \
  -p 5000:5000 \
  -e STEGASOO_AUTH_ENABLED=true \
  -e STEGASOO_HTTPS_ENABLED=true \
  -e STEGASOO_HOSTNAME=stegasoo.local \
  -e STEGASOO_CHANNEL_KEY=ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456 \
  -v stegasoo-data:/opt/stegasoo/frontends/web/instance \
  -v stegasoo-certs:/opt/stegasoo/frontends/web/certs \
  --name stegasoo \
  stegasoo-web
 ```
 Visit https://localhost:5000 (accept self-signed cert warning)
 ## Environment Variables
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `STEGASOO_AUTH_ENABLED` | `true` | Require login |
 | `STEGASOO_HTTPS_ENABLED` | `false` | Enable HTTPS |
 | `STEGASOO_HOSTNAME` | `localhost` | Hostname for SSL cert |
 | `STEGASOO_CHANNEL_KEY` | *(none)* | Shared channel key (32 alphanumeric chars with dashes) |
 ## Docker Compose
 Create `.env` file in project root:
 ```bash
 STEGASOO_AUTH_ENABLED=true
 STEGASOO_HTTPS_ENABLED=true
 STEGASOO_HOSTNAME=stegasoo.local
 STEGASOO_CHANNEL_KEY=
 ```
 Run:
 ```bash
 sudo docker-compose -f docker/docker-compose.yml up -d web
 ```
 ## Custom SSL Certificates
 ### Use Your Own Certs
 ```bash
 # Stop container
 sudo docker stop stegasoo
 # Copy certs to volume
 sudo docker run --rm -v stegasoo-certs:/certs -v $(pwd):/src alpine \
  sh -c "cp /src/your-cert.crt /certs/server.crt && cp /src/your-key.key /certs/server.key && chmod 600 /certs/server.key"
 # Start container
 sudo docker start stegasoo
 ```
 ### Use mkcert (Local Development)
 ```bash
 # Install mkcert
 brew install mkcert  # macOS
 # or: sudo apt install mkcert  # Debian/Ubuntu
 # Create local CA and certs
 mkcert -install
 mkcert -cert-file server.crt -key-file server.key localhost 127.0.0.1 stegasoo.local
 # Copy to Docker volume (see above)
 ```
 ### Use Let's Encrypt (Public Server)
 ```bash
 # Get cert
 sudo certbot certonly --standalone -d yourdomain.com
 # Copy to Docker volume
 sudo docker run --rm -v stegasoo-certs:/certs alpine \
  sh -c "cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /certs/server.crt && \
         cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /certs/server.key && \
         chmod 600 /certs/server.key"
 ```
 ## Volumes
 | Volume | Purpose |
 |--------|---------|
 | `stegasoo-data` | User database, settings |
 | `stegasoo-certs` | SSL certificates |
 ## Smoke Test
 ```bash
 # Check container logs
 sudo docker logs stegasoo
 # Test HTTP endpoint
 curl -k https://localhost:5000/health
 # Expected: {"status":"ok","version":"4.1.7",...}
 ```
 ## Troubleshooting
 **Container won't start:**
 ```bash
 sudo docker logs stegasoo
 ```
 **Out of memory:**
 ```bash
 # Argon2 needs 256MB+ per operation
 sudo docker run --memory=768m ...
 ```
 **Certificate errors:**
 ```bash
 # Regenerate self-signed cert
 sudo docker exec stegasoo rm -rf /opt/stegasoo/frontends/web/certs/*
 sudo docker restart stegasoo
 ```
 **Reset everything:**
 ```bash
 sudo docker stop stegasoo && sudo docker rm stegasoo
 sudo docker volume rm stegasoo-data stegasoo-certs
 ```
--- a/docs/TEMPLATES.md
+++ b/docs/TEMPLATES.md
@@ -0,0 +1,361 @@
 # Stegasoo Web Templates Specification
 Quick reference for all Jinja2 templates in `frontends/web/templates/`.
 ## Table of Contents
 - [Layout](#layout)
 - [Auth & Setup](#auth--setup)
 - [Core Features](#core-features)
 - [Tools & Account](#tools--account)
 - [Admin](#admin)
 ---
 ## Layout
 ### `base.html`
 **Purpose:** Master layout template - all pages extend this.
 | Block | Description |
 |-------|-------------|
 | `{% block title %}` | Page title |
 | `{% block content %}` | Main page content |
 | `{% block scripts %}` | Page-specific JS |
 **Key Elements:**
 - `nav.navbar` - Bootstrap 5 navbar with logo, links, auth buttons
 - `div.toast-container` - Flash message toasts (10s auto-dismiss)
 - `main.container` - Content wrapper
 - `footer` - Copyright + version
 **Variables:** `is_authenticated`, `username`, `is_admin`
 ---
 ## Auth & Setup
 ### `login.html`
 **Route:** `/login`
 **Form:** `POST /login`
 - `username` - text input
 - `password` - password input
 - "Forgot password?" link to `/recover`
 **JS:** `static/js/auth.js` - password toggle
 ---
 ### `setup.html`
 **Route:** `/setup` (first-run only)
 **Form:** `POST /setup`
 - `username` - admin username
 - `password` - password (min 8 chars)
 - `password_confirm` - confirmation
 **JS:** Password confirmation validation
 ---
 ### `setup_recovery.html`
 **Route:** `/setup/recovery`
 **Form:** `POST /setup/recovery`
 - `recovery_key` - hidden, pre-generated
 - `action` - "save" or "skip"
 - Checkbox confirmation required for save
 **Features:**
 - Recovery key display (readonly input)
 - Copy to clipboard button
 - QR code image (if available)
 - Download options: text file, QR image
 - Stego backup upload form
 ---
 ### `recover.html`
 **Route:** `/recover`
 **Form:** `POST /recover`
 - `recovery_key` - textarea for key input
 - `new_password` - new password
 - `new_password_confirm` - confirmation
 **Accordion:** "Extract from stego backup"
 - `POST /recover/stego` with `stego_image` + `reference_image`
 - Pre-fills recovery key on success
 ---
 ### `regenerate_recovery.html`
 **Route:** `/account/recovery/regenerate` (admin only)
 **Form:** `POST /account/recovery/regenerate`
 - `recovery_key` - hidden field
 - `action` - "save" or "cancel"
 - Confirmation checkbox
 **Features:**
 - New key display
 - QR code (obfuscated)
 - Download: text, QR, stego backup
 - Warning if replacing existing key
 ---
 ## Core Features
 ### `index.html`
 **Route:** `/`
 **Structure:**
 - Hero section with tagline
 - 3 action cards: Encode, Decode, Generate
 - "How It Works" explainer section
 ---
 ### `generate.html`
 **Route:** `/generate`
 **Form:** `POST /generate`
 - `words` - passphrase word count (3-12)
 - `use_pin` - checkbox
 - `pin_length` - PIN digits (6-9)
 - `use_rsa` - checkbox
 - `rsa_bits` - key size (2048/3072)
 **Output panels:**
 - Passphrase display
 - PIN display (if enabled)
 - RSA key + QR (if enabled)
 - Entropy calculator
 **JS:** `static/js/generate.js`
 ---
 ### `encode.html`
 **Route:** `/encode`
 **Form:** `POST /encode` (multipart)
 - `reference_photo` - file upload (drag-drop zone)
 - `carrier_image` - file upload (drag-drop zone)
 - `mode` - radio: DCT (default) / LSB
 - `dct_format` - PNG / JPEG
 - `dct_color` - Color / Grayscale
 - `payload_type` - radio: Text / File
 - `message` - textarea (if text)
 - `embed_file` - file input (if file)
 - `passphrase` - text input
 - `pin` - text input
 - `rsa_key` / `rsa_key_qr` - file inputs
 - `rsa_key_password` - password
 - `channel_key` - select (saved keys) or manual input
 **Panels:**
 - Reference preview with "Hash Acquired" status
 - Carrier preview with capacity info
 - Character counter for message
 **JS:** `static/js/encode.js`, `static/js/stegasoo.js`
 ---
 ### `encode_result.html`
 **Route:** `/encode/result/<file_id>`
 **Elements:**
 - Success message
 - Stego image preview
 - Download button
 - Share button (Web Share API)
 - Mode/capacity info
 - "Encode Another" link
 **Variables:** `file_id`, `filename`, `mode`, `capacity_used`
 ---
 ### `decode.html`
 **Route:** `/decode`
 **Form:** `POST /decode` (multipart)
 - `reference_photo` - file upload
 - `stego_image` - file upload
 - `passphrase` - text input
 - `pin` - text input
 - `rsa_key` / `rsa_key_qr` - file inputs
 - `rsa_key_password` - password
 - `channel_key` - select or manual
 **Output:**
 - Decoded message display
 - File download (if file payload)
 **JS:** `static/js/decode.js`, `static/js/stegasoo.js`
 ---
 ## Tools & Account
 ### `tools.html`
 **Route:** `/tools`
 **Tabbed interface:**
 | Tab | Endpoint | Description |
 |-----|----------|-------------|
 | Capacity | `POST /api/tools/capacity` | Image capacity analysis |
 | Peek | `POST /api/tools/peek` | Check for Stegasoo header |
 | Strip | `POST /api/tools/strip` | Remove hidden data |
 | EXIF | `POST /api/tools/exif/*` | Metadata viewer/editor |
 **EXIF Editor features:**
 - Upload image → view all EXIF fields
 - Inline editing (click field to edit)
 - "Clear All" button
 - "Save" / "Download" buttons
 **JS:** `static/js/tools.js`
 ---
 ### `account.html`
 **Route:** `/account`
 **Sections:**
 1. **User Info** - Username, role badge, logout link
 2. **Recovery Key** (admin only)
   - Status: Configured / Not Set
   - Generate/Regenerate button
   - Disable button
 3. **Password Change**
   - `current_password`
   - `new_password`
   - `new_password_confirm`
 4. **Saved Channel Keys**
   - List of saved keys with edit/delete
   - "Add Key" form (name + key)
   - Max 10 keys per user
 **Variables:** `username`, `is_admin`, `has_recovery`, `channel_keys`
 ---
 ### `about.html`
 **Route:** `/about`
 **Sections:**
 - Version info + feature badges
 - Security model explanation
 - Channel key QR (if configured)
 - Dependency status table
 - Credits + links
 **Variables:** `version`, `has_dct`, `has_qr_write`, `has_qr_read`, `channel_key`, `channel_qr`
 ---
 ## Admin
 ### `admin/users.html`
 **Route:** `/admin/users`
 **Table columns:** Username | Role | Created | Actions
 **Actions per user:**
 - Reset Password button
 - Delete button (disabled for self)
 **Header:**
 - User count: "X of 16 users"
 - "Add User" button (modal trigger)
 **Modal:** Add User form
 - `username` input
 - `role` select (admin/user)
 - Auto-generated temp password display
 ---
 ### `admin/user_new.html`
 **Route:** `/admin/users/new`
 **Form:** `POST /admin/users/new`
 - `username` - text input
 - `role` - select (user/admin)
 Redirects to `user_created.html` on success.
 ---
 ### `admin/user_created.html`
 **Route:** `/admin/users/created`
 **Display:**
 - Success message
 - Username
 - Temporary password (copy button)
 - "User must change password on first login" notice
 - Back to users link
 ---
 ### `admin/password_reset.html`
 **Route:** `/admin/users/<id>/password-reset`
 **Display:**
 - Success message
 - New temporary password
 - Copy button
 - Back link
 ---
 ## Common Patterns
 ### Drag-Drop Upload Zones
 ```html
 <div class="upload-zone" id="referenceZone">
    <input type="file" name="reference_photo" accept="image/*">
    <div class="preview"></div>
    <div class="status"></div>
 </div>
 ```
 ### Password Toggle
 ```html
 <div class="input-group">
    <input type="password" id="passwordInput">
    <button onclick="togglePassword('passwordInput', this)">
        <i class="bi bi-eye"></i>
    </button>
 </div>
 ```
 ### Toast Flash Messages
 Rendered in `base.html`, auto-dismiss after 10 seconds:
 - `success` → green
 - `warning` → yellow
 - `error` → red
 ---
 ## External JS Files
 | File | Used By |
 |------|---------|
 | `static/js/stegasoo.js` | encode, decode, about |
 | `static/js/auth.js` | login, setup, recover, account |
 | `static/js/generate.js` | generate |
 | `static/js/encode.js` | encode |
 | `static/js/decode.js` | decode |
 | `static/js/tools.js` | tools |
--- a/docs/stegasoo.1
+++ b/docs/stegasoo.1
@@ -0,0 +1,418 @@
 .\" Stegasoo man page
 .\" Generate with: groff -man -Tascii stegasoo.1
 .TH STEGASOO 1 "February 2026" "Stegasoo 4.3.0" "User Commands"
 .SH NAME
 stegasoo \- steganography with hybrid authentication
 .SH SYNOPSIS
 .B stegasoo
 [\fB\-v\fR|\fB\-\-version\fR]
 [\fB\-\-json\fR]
 [\fB\-h\fR|\fB\-\-help\fR]
 .I command
 [\fIargs\fR]
 .SH DESCRIPTION
 .B stegasoo
 hides messages and files in images and audio using PIN + passphrase security.
 It uses LSB (Least Significant Bit) steganography with optional DCT
 (Discrete Cosine Transform) encoding for JPEG resilience, and supports
 audio steganography with LSB and Spread Spectrum modes.
 .PP
 Messages are encrypted using a hybrid authentication scheme that combines
 a reference photo (shared secret), passphrase, and PIN code.
 .SH GLOBAL OPTIONS
 .TP
 .BR \-v ", " \-\-version
 Show version and exit.
 .TP
 .B \-\-json
 Output results as JSON (where supported).
 .TP
 .BR \-h ", " \-\-help
 Show help message and exit.
 .SH COMMANDS
 .SS encode
 Encode a message or file into an image.
 .PP
 .B stegasoo encode
 .I carrier
 .B \-r
 .I reference
 [\fB\-m\fR \fImessage\fR | \fB\-f\fR \fIfile\fR]
 [\fIoptions\fR]
 .TP
 .BR \-r ", " \-\-reference " " \fIPATH\fR
 Reference photo (shared secret). Required.
 .TP
 .BR \-m ", " \-\-message " " \fITEXT\fR
 Message to encode.
 .TP
 .BR \-f ", " \-\-file " " \fIPATH\fR
 File to embed instead of message.
 .TP
 .BR \-o ", " \-\-output " " \fIPATH\fR
 Output image path.
 .TP
 .B \-\-passphrase " " \fITEXT\fR
 Passphrase (recommend 4+ words). Prompts if not provided.
 .TP
 .B \-\-pin " " \fITEXT\fR
 PIN code. Prompts if not provided.
 .TP
 .B \-\-dry\-run
 Show capacity usage without encoding.
 .PP
 .B Examples:
 .nf
    stegasoo encode photo.png -r ref.jpg -m "Secret" --passphrase --pin
    stegasoo encode photo.png -r ref.jpg -f doc.pdf -o encoded.png
 .fi
 .SS decode
 Decode a message or file from an image.
 .PP
 .B stegasoo decode
 .I image
 .B \-r
 .I reference
 [\fIoptions\fR]
 .TP
 .BR \-r ", " \-\-reference " " \fIPATH\fR
 Reference photo (shared secret). Required.
 .TP
 .B \-\-passphrase " " \fITEXT\fR
 Passphrase. Prompts if not provided.
 .TP
 .B \-\-pin " " \fITEXT\fR
 PIN code. Prompts if not provided.
 .TP
 .BR \-o ", " \-\-output " " \fIPATH\fR
 Output path for file payloads.
 .PP
 .B Examples:
 .nf
    stegasoo decode encoded.png -r ref.jpg --passphrase --pin
    stegasoo decode encoded.png -r ref.jpg -o ./extracted/
 .fi
 .SS generate
 Generate random credentials (passphrase + PIN + optional channel key).
 .PP
 .B stegasoo generate
 [\fIoptions\fR]
 .TP
 .B \-\-words " " \fIINTEGER\fR
 Number of words in passphrase (default: 4).
 .TP
 .B \-\-pin\-length " " \fIINTEGER\fR
 PIN length (default: 6).
 .TP
 .B \-\-channel\-key
 Also generate a 256-bit channel key.
 .PP
 .B Examples:
 .nf
    stegasoo generate
    stegasoo generate --words 6 --pin-length 8
    stegasoo generate --channel-key
 .fi
 .SS info
 Show version, features, and system information.
 .PP
 .B stegasoo info
 [\fB\-\-full\fR]
 .TP
 .B \-\-full
 Show full system information (CPU, temperature, disk on Pi).
 .SS batch
 Batch operations on multiple images.
 .PP
 .B stegasoo batch
 .I subcommand
 [\fIargs\fR]
 .TP
 .B batch encode
 Encode message into multiple images.
 .RS
 .PP
 .B stegasoo batch encode
 .I images...
 [\fB\-m\fR \fImessage\fR | \fB\-f\fR \fIfile\fR]
 [\fIoptions\fR]
 .PP
 Options: \fB\-m\fR, \fB\-f\fR, \fB\-o\fR/\fB\-\-output\-dir\fR, \fB\-\-suffix\fR, \fB\-\-passphrase\fR, \fB\-\-pin\fR,
 \fB\-r\fR/\fB\-\-recursive\fR, \fB\-j\fR/\fB\-\-jobs\fR, \fB\-v\fR/\fB\-\-verbose\fR.
 .RE
 .TP
 .B batch decode
 Decode messages from multiple images.
 .RS
 .PP
 .B stegasoo batch decode
 .I images...
 [\fIoptions\fR]
 .PP
 Options: \fB\-o\fR/\fB\-\-output\-dir\fR, \fB\-\-passphrase\fR, \fB\-\-pin\fR, \fB\-r\fR/\fB\-\-recursive\fR,
 \fB\-j\fR/\fB\-\-jobs\fR, \fB\-v\fR/\fB\-\-verbose\fR.
 .RE
 .TP
 .B batch check
 Check capacity of multiple images.
 .RS
 .PP
 .B stegasoo batch check
 .I images...
 [\fB\-r\fR/\fB\-\-recursive\fR]
 .RE
 .SS channel
 Manage channel keys for deployment isolation.
 .PP
 Channel keys bind encode/decode operations to a specific group or deployment.
 Messages encoded with one channel key can only be decoded by systems with
 the same channel key.
 .PP
 .B stegasoo channel
 .I subcommand
 [\fIargs\fR]
 .TP
 .B channel generate
 Generate a new random channel key.
 .RS
 .PP
 Options: \fB\-\-save\fR (project config), \fB\-\-save\-user\fR (user config).
 .RE
 .TP
 .B channel show
 Show the current channel key.
 .RS
 .PP
 Options: \fB\-\-key\fR \fITEXT\fR (show specific key instead).
 .RE
 .TP
 .B channel qr
 Display channel key as QR code.
 .RS
 .PP
 Options: \fB\-\-key\fR \fITEXT\fR, \fB\-\-format\fR [\fIascii\fR|\fIpng\fR], \fB\-o\fR/\fB\-\-output\fR \fIPATH\fR.
 .RE
 .TP
 .B channel status
 Show channel key status and configuration.
 .TP
 .B channel clear
 Remove channel key configuration.
 .RS
 .PP
 Options: \fB\-\-project\fR, \fB\-\-user\fR.
 .RE
 .SS admin
 Web UI administration commands.
 .PP
 .B stegasoo admin
 .I subcommand
 [\fIargs\fR]
 .TP
 .B admin generate\-key
 Generate a new recovery key (for reference only).
 .RS
 .PP
 Options: \fB\-\-qr\fR (show QR code in terminal).
 .RE
 .TP
 .B admin recover
 Reset admin password using recovery key.
 .RS
 .PP
 Options: \fB\-\-db\fR \fIPATH\fR (path to stegasoo.db), \fB\-\-password\fR \fITEXT\fR.
 .RE
 .SS audio\-encode
 Encode a message or file into an audio file.
 .PP
 .B stegasoo audio\-encode
 .I audio
 .B \-r
 .I reference
 [\fB\-m\fR \fImessage\fR | \fB\-f\fR \fIfile\fR]
 [\fIoptions\fR]
 .TP
 .BR \-r ", " \-\-reference " " \fIPATH\fR
 Reference photo (shared secret). Required.
 .TP
 .BR \-m ", " \-\-message " " \fITEXT\fR
 Message to encode.
 .TP
 .BR \-f ", " \-\-file " " \fIPATH\fR
 File to embed instead of message.
 .TP
 .BR \-o ", " \-\-output " " \fIPATH\fR
 Output audio path.
 .TP
 .B \-\-passphrase " " \fITEXT\fR
 Passphrase (recommend 4+ words). Prompts if not provided.
 .TP
 .B \-\-pin " " \fITEXT\fR
 PIN code. Prompts if not provided.
 .TP
 .B \-\-mode " " [\fIlsb\fR|\fIspread\fR]
 Embedding mode: lsb (default) or spread (spread spectrum).
 .PP
 .B Examples:
 .nf
    stegasoo audio-encode song.wav -r ref.jpg -m "Secret" --passphrase --pin
    stegasoo audio-encode podcast.mp3 -r ref.jpg -f doc.pdf --mode spread
 .fi
 .SS audio\-decode
 Decode a message or file from a stego audio file.
 .PP
 .B stegasoo audio\-decode
 .I audio
 .B \-r
 .I reference
 [\fIoptions\fR]
 .TP
 .BR \-r ", " \-\-reference " " \fIPATH\fR
 Reference photo (shared secret). Required.
 .TP
 .B \-\-passphrase " " \fITEXT\fR
 Passphrase. Prompts if not provided.
 .TP
 .B \-\-pin " " \fITEXT\fR
 PIN code. Prompts if not provided.
 .TP
 .BR \-o ", " \-\-output " " \fIPATH\fR
 Output path for file payloads.
 .PP
 .B Examples:
 .nf
    stegasoo audio-decode stego.wav -r ref.jpg --passphrase --pin
    stegasoo audio-decode stego.wav -r ref.jpg -o ./extracted/
 .fi
 .SS audio\-info
 Display audio file information and steganographic capacity.
 .PP
 .B stegasoo audio\-info
 .I audio
 [\fB\-\-json\fR]
 .PP
 Shows format, sample rate, channels, bit depth, duration, and embedding
 capacity for both LSB and Spread Spectrum modes.
 .PP
 .B Examples:
 .nf
    stegasoo audio-info song.wav
    stegasoo audio-info podcast.mp3 --json
 .fi
 .SS tools
 Image security tools.
 .PP
 .B stegasoo tools
 .I subcommand
 [\fIargs\fR]
 .TP
 .B tools capacity
 Show steganography capacity for an image.
 .RS
 .PP
 .B stegasoo tools capacity
 .I image
 [\fB\-\-json\fR]
 .RE
 .TP
 .B tools exif
 View or edit EXIF metadata.
 .RS
 .PP
 .B stegasoo tools exif
 .I image
 [\fB\-\-clear\fR] [\fB\-\-set\fR \fIFIELD=VALUE\fR] [\fB\-o\fR \fIPATH\fR] [\fB\-\-json\fR]
 .RE
 .TP
 .B tools peek
 Check if image contains Stegasoo hidden data.
 .RS
 .PP
 .B stegasoo tools peek
 .I image
 [\fB\-\-json\fR]
 .RE
 .TP
 .B tools strip
 Strip EXIF/metadata from an image.
 .RS
 .PP
 .B stegasoo tools strip
 .I image
 [\fB\-o\fR \fIPATH\fR] [\fB\-\-format\fR [\fIpng\fR|\fIbmp\fR]]
 .RE
 .SH ENVIRONMENT
 .TP
 .B STEGASOO_CHANNEL_KEY
 Channel key for encode/decode operations. Overrides config file settings.
 .TP
 .B STEGASOO_HTTPS_ENABLED
 Enable HTTPS for web UI (Docker/service mode).
 .TP
 .B STEGASOO_HOSTNAME
 Hostname for SSL certificate generation.
 .SH FILES
 .TP
 .I ~/.stegasoo/channel.key
 User's channel key configuration (encrypted).
 .TP
 .I .stegasoo.toml
 Project-level configuration file.
 .TP
 .I frontends/web/instance/stegasoo.db
 Web UI SQLite database (accounts, settings).
 .SH EXAMPLES
 .SS Basic encode/decode workflow
 .nf
 # Generate credentials
 stegasoo generate
 # Encode a secret message
 stegasoo encode vacation.png -r selfie.jpg -m "Meet at noon"
 # Decode the message (on another system with same reference photo)
 stegasoo decode vacation_steg.png -r selfie.jpg
 .fi
 .SS Using channel keys for team isolation
 .nf
 # Generate and save a channel key
 stegasoo channel generate --save-user
 # Share the key with your team
 stegasoo channel qr -o team-key.png
 # Now all encode/decode operations use this channel
 stegasoo encode photo.png -r ref.jpg -m "Team secret"
 .fi
 .SS Batch processing
 .nf
 # Check capacity of all PNGs in a directory
 stegasoo batch check ./photos/*.png
 # Encode same message into multiple images
 stegasoo batch encode ./photos/ -r ref.jpg -m "Secret" -o ./encoded/
 .fi
 .SH SECURITY
 Stegasoo uses multiple layers of security:
 .IP \(bu 2
 Reference photo provides a visual shared secret
 .IP \(bu 2
 Passphrase (recommend 4+ words) for strong encryption
 .IP \(bu 2
 PIN code adds additional entropy
 .IP \(bu 2
 Channel keys isolate different deployments
 .IP \(bu 2
 AES-256 encryption for payload data
 .PP
 For maximum security, share the reference photo out-of-band (in person,
 secure messenger) and use a strong passphrase.
 .SH SEE ALSO
 .BR openssl (1),
 .BR qrencode (1)
 .SH BUGS
 Report bugs at: https://github.com/adlee-was-taken/stegasoo/issues
 .SH AUTHOR
 Written by the Stegasoo contributors.
 .SH COPYRIGHT
 Copyright \(co 2024-2026. MIT License.
--- a/examples/README.md
+++ b/examples/README.md
@@ -0,0 +1,48 @@
 # Stegasoo Examples
 This directory contains example scripts demonstrating how to use Stegasoo.
 ## Prerequisites
 Install Stegasoo first:
 ```bash
 pip install stegasoo
 # Or for development:
 pip install -e ".[all]"
 ```
 ## Examples
 ### basic_usage.py
 Basic encode/decode workflow with a text message.
 ```bash
 python basic_usage.py
 ```
 ### embed_file.py
 Embed and extract files (documents, images, etc.) inside carrier images.
 ```bash
 python embed_file.py
 ```
 ### channel_keys.py
 Use channel keys to create private communication channels for groups.
 ```bash
 python channel_keys.py
 ```
 ## Test Images
 You'll need to provide your own images:
 - `my_secret_photo.png` - Your reference photo (keep this secret!)
 - `carrier.png` - The image that will carry your hidden message
 For testing, you can use any PNG or BMP image. JPEG carriers are supported with DCT mode.
--- a/examples/basic_usage.py
+++ b/examples/basic_usage.py
@@ -0,0 +1,59 @@
 #!/usr/bin/env python3
 """
 Basic Stegasoo Usage Example
 This example demonstrates how to encode and decode a secret message
 using the Stegasoo library.
 """
 from pathlib import Path
 import stegasoo
 def main():
    # Load your images
    # The reference photo is your "key" - keep it secret!
    reference_photo = Path("my_secret_photo.png").read_bytes()
    carrier_image = Path("carrier.png").read_bytes()
    # Your secret message
    message = "This is my secret message!"
    # Your credentials
    passphrase = "correct horse battery staple"  # Use 4+ words
    pin = "123456"  # 6-9 digits
    # === ENCODE ===
    print("Encoding message...")
    result = stegasoo.encode(
        message=message,
        reference_photo=reference_photo,
        carrier_image=carrier_image,
        passphrase=passphrase,
        pin=pin,
    )
    # Save the stego image
    output_path = Path(f"secret_{result.suggested_filename}")
    output_path.write_bytes(result.stego_image)
    print(f"Saved to: {output_path}")
    print(f"Capacity used: {result.capacity_used_percent:.1f}%")
    # === DECODE ===
    print("\nDecoding message...")
    stego_image = output_path.read_bytes()
    decoded = stegasoo.decode(
        stego_image=stego_image,
        reference_photo=reference_photo,
        passphrase=passphrase,
        pin=pin,
    )
    print(f"Decoded message: {decoded.message}")
    print(f"Message type: {decoded.payload_type}")
 if __name__ == "__main__":
    main()
--- a/examples/channel_keys.py
+++ b/examples/channel_keys.py
@@ -0,0 +1,72 @@
 #!/usr/bin/env python3
 """
 Channel Keys Example
 Channel keys allow you to create private communication channels.
 Only people with the same channel key can decode messages.
 """
 from pathlib import Path
 import stegasoo
 from stegasoo.channel import generate_channel_key, get_channel_fingerprint
 def main():
    # Generate a channel key for your group
    channel_key = generate_channel_key()
    fingerprint = get_channel_fingerprint(channel_key)
    print("=== Channel Key Generated ===")
    print(f"Key: {channel_key}")
    print(f"Fingerprint: {fingerprint}")
    print("\nShare this key securely with your group members!")
    print("-" * 40)
    # Load images
    reference_photo = Path("my_secret_photo.png").read_bytes()
    carrier_image = Path("carrier.png").read_bytes()
    # Encode with channel key
    print("\nEncoding message with channel key...")
    result = stegasoo.encode(
        message="Secret group message!",
        reference_photo=reference_photo,
        carrier_image=carrier_image,
        passphrase="correct horse battery staple",
        pin="123456",
        channel_key=channel_key,  # Add the channel key
    )
    stego_data = result.stego_image
    print(f"Encoded successfully!")
    # Decode with correct channel key
    print("\nDecoding with correct channel key...")
    decoded = stegasoo.decode(
        stego_image=stego_data,
        reference_photo=reference_photo,
        passphrase="correct horse battery staple",
        pin="123456",
        channel_key=channel_key,  # Same channel key
    )
    print(f"Message: {decoded.message}")
    # Try to decode with wrong channel key
    print("\nTrying to decode with wrong channel key...")
    wrong_key = generate_channel_key()
    try:
        stegasoo.decode(
            stego_image=stego_data,
            reference_photo=reference_photo,
            passphrase="correct horse battery staple",
            pin="123456",
            channel_key=wrong_key,  # Different channel key
        )
        print("ERROR: Should have failed!")
    except (stegasoo.DecryptionError, stegasoo.ExtractionError):
        print("Correctly rejected - wrong channel key!")
 if __name__ == "__main__":
    main()
--- a/examples/embed_file.py
+++ b/examples/embed_file.py
@@ -0,0 +1,78 @@
 #!/usr/bin/env python3
 """
 File Embedding Example
 This example demonstrates how to embed a file (like a document or image)
 inside a carrier image using Stegasoo.
 """
 from pathlib import Path
 import stegasoo
 from stegasoo.models import FilePayload
 def main():
    # Load images
    reference_photo = Path("my_secret_photo.png").read_bytes()
    carrier_image = Path("carrier.png").read_bytes()
    # Load the file to embed
    secret_file = Path("secret_document.pdf")
    file_data = secret_file.read_bytes()
    # Create a FilePayload
    payload = FilePayload(
        filename=secret_file.name,
        data=file_data,
        mime_type="application/pdf",
    )
    # Credentials
    passphrase = "correct horse battery staple"
    pin = "123456"
    # Check capacity first
    capacity = stegasoo.calculate_capacity(carrier_image)
    print(f"Carrier capacity: {capacity['capacity_bytes']:,} bytes")
    print(f"File size: {len(file_data):,} bytes")
    if len(file_data) > capacity["capacity_bytes"]:
        print("Error: File too large for this carrier!")
        return
    # Encode the file
    print("\nEmbedding file...")
    result = stegasoo.encode(
        file_payload=payload,
        reference_photo=reference_photo,
        carrier_image=carrier_image,
        passphrase=passphrase,
        pin=pin,
    )
    output_path = Path(f"contains_file_{result.suggested_filename}")
    output_path.write_bytes(result.stego_image)
    print(f"Saved to: {output_path}")
    # Decode and extract the file
    print("\nExtracting file...")
    decoded = stegasoo.decode(
        stego_image=output_path.read_bytes(),
        reference_photo=reference_photo,
        passphrase=passphrase,
        pin=pin,
    )
    if decoded.payload_type == "file":
        extracted_path = Path(f"extracted_{decoded.filename}")
        extracted_path.write_bytes(decoded.file_data)
        print(f"Extracted: {extracted_path}")
        print(f"Original filename: {decoded.filename}")
        print(f"MIME type: {decoded.mime_type}")
    else:
        print(f"Unexpected payload type: {decoded.payload_type}")
 if __name__ == "__main__":
    main()
--- a/frontends/API.md
+++ b/frontends/API.md
@@ -1,952 +0,0 @@
 # Stegasoo REST API Documentation
 Complete REST API reference for Stegasoo steganography operations.
 ## Table of Contents
 - [Overview](#overview)
 - [Installation](#installation)
 - [Authentication](#authentication)
 - [Base URL](#base-url)
 - [Endpoints](#endpoints)
  - [GET /](#get--status)
  - [POST /generate](#post-generate)
  - [POST /encode](#post-encode-json)
  - [POST /encode/multipart](#post-encodemultipart)
  - [POST /decode](#post-decode-json)
  - [POST /decode/multipart](#post-decodemultipart)
  - [POST /image/info](#post-imageinfo)
 - [Data Models](#data-models)
 - [Error Handling](#error-handling)
 - [Code Examples](#code-examples)
 - [Rate Limiting](#rate-limiting)
 - [Security Considerations](#security-considerations)
 ---
 ## Overview
 The Stegasoo REST API provides programmatic access to all steganography operations:
 - **Generate** credentials (phrases, PINs, RSA keys)
 - **Encode** messages into images
 - **Decode** messages from images
 - **Analyze** image capacity
 The API supports both JSON (base64-encoded images) and multipart form data (direct file uploads).
 ---
 ## Installation
 ### From PyPI
 ```bash
 pip install stegasoo[api]
 ```
 ### From Source
 ```bash
 git clone https://github.com/example/stegasoo.git
 cd stegasoo
 pip install -e ".[api]"
 ```
 ### Running the Server
 **Development:**
 ```bash
 cd frontends/api
 python main.py
 ```
 **Production:**
 ```bash
 cd frontends/api
 uvicorn main:app --host 0.0.0.0 --port 8000 --workers 4
 ```
 **Docker:**
 ```bash
 docker-compose up api
 ```
 ---
 ## Authentication
 The API currently operates without authentication. For production deployments, implement authentication at the reverse proxy level (nginx, Caddy) or add API key middleware.
 ---
 ## Base URL
 | Environment | URL |
 |-------------|-----|
 | Local Development | `http://localhost:8000` |
 | Docker | `http://localhost:8000` |
 | Production | Configure as needed |
 ---
 ## Endpoints
 ### GET / (Status)
 Check API status and configuration.
 #### Request
 ```http
 GET / HTTP/1.1
 Host: localhost:8000
 ```
 #### Response
 ```json
 {
  "version": "2.0.1",
  "has_argon2": true,
  "day_names": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
 }
 ```
 #### Response Fields
 | Field | Type | Description |
 |-------|------|-------------|
 | `version` | string | Stegasoo library version |
 | `has_argon2` | boolean | Whether Argon2id is available |
 | `day_names` | array | Day names for phrase mapping |
 #### cURL Example
 ```bash
 curl http://localhost:8000/
 ```
 ---
 ### POST /generate
 Generate credentials for encoding/decoding.
 #### Request
 ```http
 POST /generate HTTP/1.1
 Host: localhost:8000
 Content-Type: application/json
 ```
 #### Request Body
 | Field | Type | Default | Description |
 |-------|------|---------|-------------|
 | `use_pin` | boolean | `true` | Generate a PIN |
 | `use_rsa` | boolean | `false` | Generate an RSA key |
 | `pin_length` | integer | `6` | PIN length (6-9) |
 | `rsa_bits` | integer | `2048` | RSA key size (2048, 3072, 4096) |
 | `words_per_phrase` | integer | `3` | Words per phrase (3-12) |
 #### Response
 ```json
 {
  "phrases": {
    "Monday": "abandon ability able",
    "Tuesday": "actor actress actual",
    "Wednesday": "advice aerobic affair",
    "Thursday": "afraid again age",
    "Friday": "agree ahead aim",
    "Saturday": "airport aisle alarm",
    "Sunday": "album alcohol alert"
  },
  "pin": "847293",
  "rsa_key_pem": null,
  "entropy": {
    "phrase": 33,
    "pin": 19,
    "rsa": 0,
    "total": 52
  }
 }
 ```
 #### Response Fields
 | Field | Type | Description |
 |-------|------|-------------|
 | `phrases` | object | Day-to-phrase mapping |
 | `pin` | string\|null | Generated PIN (if requested) |
 | `rsa_key_pem` | string\|null | PEM-encoded RSA key (if requested) |
 | `entropy.phrase` | integer | Entropy from phrases (bits) |
 | `entropy.pin` | integer | Entropy from PIN (bits) |
 | `entropy.rsa` | integer | Entropy from RSA key (bits) |
 | `entropy.total` | integer | Combined entropy (bits) |
 #### cURL Examples
 **PIN only:**
 ```bash
 curl -X POST http://localhost:8000/generate \
  -H "Content-Type: application/json" \
  -d '{"use_pin": true, "use_rsa": false}'
 ```
 **RSA only:**
 ```bash
 curl -X POST http://localhost:8000/generate \
  -H "Content-Type: application/json" \
  -d '{"use_pin": false, "use_rsa": true, "rsa_bits": 4096}'
 ```
 **Both with custom settings:**
 ```bash
 curl -X POST http://localhost:8000/generate \
  -H "Content-Type: application/json" \
  -d '{
    "use_pin": true,
    "use_rsa": true,
    "pin_length": 9,
    "rsa_bits": 4096,
    "words_per_phrase": 6
  }'
 ```
 ---
 ### POST /encode (JSON)
 Encode a message using base64-encoded images.
 #### Request
 ```http
 POST /encode HTTP/1.1
 Host: localhost:8000
 Content-Type: application/json
 ```
 #### Request Body
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `message` | string | ✓ | Message to encode |
 | `reference_photo_base64` | string | ✓ | Base64-encoded reference photo |
 | `carrier_image_base64` | string | ✓ | Base64-encoded carrier image |
 | `day_phrase` | string | ✓ | Today's passphrase |
 | `pin` | string | * | Static PIN (6-9 digits) |
 | `rsa_key_base64` | string | * | Base64-encoded RSA key PEM |
 | `rsa_password` | string | | Password for RSA key |
 | `date_str` | string | | Date override (YYYY-MM-DD) |
 \* At least one of `pin` or `rsa_key_base64` required.
 #### Response
 ```json
 {
  "stego_image_base64": "iVBORw0KGgo...",
  "filename": "a1b2c3d4_20251227.png",
  "capacity_used_percent": 12.4,
  "date_used": "2025-12-27",
  "day_of_week": "Saturday"
 }
 ```
 #### Response Fields
 | Field | Type | Description |
 |-------|------|-------------|
 | `stego_image_base64` | string | Base64-encoded stego PNG |
 | `filename` | string | Suggested filename |
 | `capacity_used_percent` | float | Percentage of capacity used |
 | `date_used` | string | Date embedded in image (YYYY-MM-DD) |
 | `day_of_week` | string | Day name for passphrase rotation |
 #### cURL Example
 ```bash
 # Prepare base64-encoded images
 REF_B64=$(base64 -w0 reference.jpg)
 CARRIER_B64=$(base64 -w0 carrier.png)
 curl -X POST http://localhost:8000/encode \
  -H "Content-Type: application/json" \
  -d "{
    \"message\": \"Secret message\",
    \"reference_photo_base64\": \"$REF_B64\",
    \"carrier_image_base64\": \"$CARRIER_B64\",
    \"day_phrase\": \"apple forest thunder\",
    \"pin\": \"123456\"
  }" | jq -r '.stego_image_base64' | base64 -d > stego.png
 ```
 ---
 ### POST /encode/multipart
 Encode a message using direct file uploads. Returns the stego image directly.
 #### Request
 ```http
 POST /encode/multipart HTTP/1.1
 Host: localhost:8000
 Content-Type: multipart/form-data; boundary=----FormBoundary
 ------FormBoundary
 Content-Disposition: form-data; name="message"
 Secret message here
 ------FormBoundary
 Content-Disposition: form-data; name="day_phrase"
 apple forest thunder
 ------FormBoundary
 Content-Disposition: form-data; name="pin"
 123456
 ------FormBoundary
 Content-Disposition: form-data; name="reference_photo"; filename="ref.jpg"
 Content-Type: image/jpeg
 <binary image data>
 ------FormBoundary
 Content-Disposition: form-data; name="carrier"; filename="carrier.png"
 Content-Type: image/png
 <binary image data>
 ------FormBoundary--
 ```
 #### Form Fields
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `message` | string | ✓ | Message to encode |
 | `reference_photo` | file | ✓ | Reference photo file |
 | `carrier` | file | ✓ | Carrier image file |
 | `day_phrase` | string | ✓ | Today's passphrase |
 | `pin` | string | * | Static PIN |
 | `rsa_key` | file | * | RSA key file (.pem) |
 | `rsa_password` | string | | Password for RSA key |
 | `date_str` | string | | Date override (YYYY-MM-DD) |
 \* At least one of `pin` or `rsa_key` required.
 #### Response
 Returns the PNG image directly with headers:
 - `Content-Type: image/png`
 - `Content-Disposition: attachment; filename=<generated_filename>.png`
 - `X-Stegasoo-Date: 2025-12-27` (date used for encoding)
 - `X-Stegasoo-Day: Saturday` (day of week for passphrase rotation)
 - `X-Stegasoo-Capacity-Percent: 12.4` (capacity used)
 #### cURL Examples
 **With PIN:**
 ```bash
 curl -X POST http://localhost:8000/encode/multipart \
  -F "message=Secret message" \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@reference.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 ```
 **With RSA key:**
 ```bash
 curl -X POST http://localhost:8000/encode/multipart \
  -F "message=Secret message" \
  -F "day_phrase=apple forest thunder" \
  -F "rsa_key=@mykey.pem" \
  -F "rsa_password=keypassword" \
  -F "reference_photo=@reference.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 ```
 **With both PIN and RSA:**
 ```bash
 curl -X POST http://localhost:8000/encode/multipart \
  -F "message=Maximum security message" \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "rsa_key=@mykey.pem" \
  -F "rsa_password=keypassword" \
  -F "reference_photo=@reference.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 ```
 **With custom date:**
 ```bash
 curl -X POST http://localhost:8000/encode/multipart \
  -F "message=Backdated message" \
  -F "day_phrase=monday phrase here" \
  -F "pin=123456" \
  -F "date_str=2025-12-29" \
  -F "reference_photo=@reference.jpg" \
  -F "carrier=@carrier.png" \
  --output stego.png
 ```
 ---
 ### POST /decode (JSON)
 Decode a message using base64-encoded images.
 #### Request
 ```http
 POST /decode HTTP/1.1
 Host: localhost:8000
 Content-Type: application/json
 ```
 #### Request Body
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `stego_image_base64` | string | ✓ | Base64-encoded stego image |
 | `reference_photo_base64` | string | ✓ | Base64-encoded reference photo |
 | `day_phrase` | string | ✓ | Passphrase for encoding day |
 | `pin` | string | * | Static PIN |
 | `rsa_key_base64` | string | * | Base64-encoded RSA key |
 | `rsa_password` | string | | Password for RSA key |
 \* Must match the security factors used during encoding.
 #### Response
 ```json
 {
  "message": "Secret message here"
 }
 ```
 #### cURL Example
 ```bash
 # Prepare base64-encoded images
 STEGO_B64=$(base64 -w0 stego.png)
 REF_B64=$(base64 -w0 reference.jpg)
 curl -X POST http://localhost:8000/decode \
  -H "Content-Type: application/json" \
  -d "{
    \"stego_image_base64\": \"$STEGO_B64\",
    \"reference_photo_base64\": \"$REF_B64\",
    \"day_phrase\": \"apple forest thunder\",
    \"pin\": \"123456\"
  }"
 ```
 ---
 ### POST /decode/multipart
 Decode a message using direct file uploads.
 #### Request
 ```http
 POST /decode/multipart HTTP/1.1
 Host: localhost:8000
 Content-Type: multipart/form-data
 ```
 #### Form Fields
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `stego_image` | file | ✓ | Stego image file |
 | `reference_photo` | file | ✓ | Reference photo file |
 | `day_phrase` | string | ✓ | Passphrase for encoding day |
 | `pin` | string | * | Static PIN |
 | `rsa_key` | file | * | RSA key file |
 | `rsa_password` | string | | Password for RSA key |
 #### Response
 ```json
 {
  "message": "Secret message here"
 }
 ```
 #### cURL Examples
 **With PIN:**
 ```bash
 curl -X POST http://localhost:8000/decode/multipart \
  -F "day_phrase=apple forest thunder" \
  -F "pin=123456" \
  -F "reference_photo=@reference.jpg" \
  -F "stego_image=@stego.png"
 ```
 **With RSA key:**
 ```bash
 curl -X POST http://localhost:8000/decode/multipart \
  -F "day_phrase=apple forest thunder" \
  -F "rsa_key=@mykey.pem" \
  -F "rsa_password=keypassword" \
  -F "reference_photo=@reference.jpg" \
  -F "stego_image=@stego.png"
 ```
 ---
 ### POST /image/info
 Get information about an image's capacity.
 #### Request
 ```http
 POST /image/info HTTP/1.1
 Host: localhost:8000
 Content-Type: multipart/form-data
 ```
 #### Form Fields
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `image` | file | ✓ | Image file to analyze |
 #### Response
 ```json
 {
  "width": 1920,
  "height": 1080,
  "pixels": 2073600,
  "capacity_bytes": 776970,
  "capacity_kb": 758
 }
 ```
 #### Response Fields
 | Field | Type | Description |
 |-------|------|-------------|
 | `width` | integer | Image width in pixels |
 | `height` | integer | Image height in pixels |
 | `pixels` | integer | Total pixel count |
 | `capacity_bytes` | integer | Maximum message capacity (bytes) |
 | `capacity_kb` | integer | Maximum message capacity (KB) |
 #### cURL Example
 ```bash
 curl -X POST http://localhost:8000/image/info \
  -F "image=@myimage.png"
 ```
 ---
 ## Data Models
 ### GenerateRequest
 ```json
 {
  "use_pin": true,
  "use_rsa": false,
  "pin_length": 6,
  "rsa_bits": 2048,
  "words_per_phrase": 3
 }
 ```
 ### GenerateResponse
 ```json
 {
  "phrases": {"Monday": "...", "Tuesday": "...", ...},
  "pin": "123456",
  "rsa_key_pem": "-----BEGIN PRIVATE KEY-----...",
  "entropy": {"phrase": 33, "pin": 19, "rsa": 0, "total": 52}
 }
 ```
 ### EncodeRequest
 ```json
 {
  "message": "string",
  "reference_photo_base64": "string",
  "carrier_image_base64": "string",
  "day_phrase": "string",
  "pin": "string",
  "rsa_key_base64": "string",
  "rsa_password": "string",
  "date_str": "YYYY-MM-DD"
 }
 ```
 ### EncodeResponse
 ```json
 {
  "stego_image_base64": "string",
  "filename": "string",
  "capacity_used_percent": 12.4,
  "date_used": "YYYY-MM-DD",
  "day_of_week": "Saturday"
 }
 ```
 ### DecodeRequest
 ```json
 {
  "stego_image_base64": "string",
  "reference_photo_base64": "string",
  "day_phrase": "string",
  "pin": "string",
  "rsa_key_base64": "string",
  "rsa_password": "string"
 }
 ```
 ### DecodeResponse
 ```json
 {
  "message": "string"
 }
 ```
 ### ImageInfoResponse
 ```json
 {
  "width": 1920,
  "height": 1080,
  "pixels": 2073600,
  "capacity_bytes": 776970,
  "capacity_kb": 758
 }
 ```
 ### ErrorResponse
 ```json
 {
  "error": "ErrorType",
  "detail": "Error description"
 }
 ```
 ---
 ## Error Handling
 ### HTTP Status Codes
 | Code | Meaning | Use Case |
 |------|---------|----------|
 | 200 | OK | Successful operation |
 | 400 | Bad Request | Invalid input, capacity error |
 | 401 | Unauthorized | Decryption failed (wrong credentials) |
 | 500 | Internal Error | Unexpected server error |
 ### Error Response Format
 ```json
 {
  "detail": "Error message describing the problem"
 }
 ```
 ### Common Errors
 | Status | Error | Solution |
 |--------|-------|----------|
 | 400 | "Must enable at least one of use_pin or use_rsa" | Set `use_pin` or `use_rsa` to true |
 | 400 | "rsa_bits must be one of [2048, 3072, 4096]" | Use valid RSA key size |
 | 400 | "Carrier image too small" | Use larger carrier image |
 | 400 | "PIN must be 6-9 digits" | Fix PIN format |
 | 401 | "Decryption failed. Check credentials." | Verify phrase, PIN, ref photo |
 | 400 | "Message too long" | Reduce message size or use larger carrier |
 ---
 ## Code Examples
 ### Python with requests
 ```python
 import base64
 import requests
 BASE_URL = "http://localhost:8000"
 # Generate credentials
 response = requests.post(f"{BASE_URL}/generate", json={
    "use_pin": True,
    "use_rsa": False,
    "words_per_phrase": 3
 })
 creds = response.json()
 print(f"PIN: {creds['pin']}")
 print(f"Monday phrase: {creds['phrases']['Monday']}")
 # Encode using multipart
 with open("reference.jpg", "rb") as ref, open("carrier.png", "rb") as carrier:
    response = requests.post(f"{BASE_URL}/encode/multipart", files={
        "reference_photo": ref,
        "carrier": carrier,
    }, data={
        "message": "Secret message",
        "day_phrase": "apple forest thunder",
        "pin": "123456"
    })
    with open("stego.png", "wb") as f:
        f.write(response.content)
 # Decode using multipart
 with open("reference.jpg", "rb") as ref, open("stego.png", "rb") as stego:
    response = requests.post(f"{BASE_URL}/decode/multipart", files={
        "reference_photo": ref,
        "stego_image": stego,
    }, data={
        "day_phrase": "apple forest thunder",
        "pin": "123456"
    })
    print(f"Decoded: {response.json()['message']}")
 ```
 ### JavaScript/Node.js
 ```javascript
 const FormData = require('form-data');
 const fs = require('fs');
 const axios = require('axios');
 const BASE_URL = 'http://localhost:8000';
 async function encode() {
    const form = new FormData();
    form.append('message', 'Secret message');
    form.append('day_phrase', 'apple forest thunder');
    form.append('pin', '123456');
    form.append('reference_photo', fs.createReadStream('reference.jpg'));
    form.append('carrier', fs.createReadStream('carrier.png'));
    const response = await axios.post(`${BASE_URL}/encode/multipart`, form, {
        headers: form.getHeaders(),
        responseType: 'arraybuffer'
    });
    fs.writeFileSync('stego.png', response.data);
    console.log('Encoded successfully');
 }
 async function decode() {
    const form = new FormData();
    form.append('day_phrase', 'apple forest thunder');
    form.append('pin', '123456');
    form.append('reference_photo', fs.createReadStream('reference.jpg'));
    form.append('stego_image', fs.createReadStream('stego.png'));
    const response = await axios.post(`${BASE_URL}/decode/multipart`, form, {
        headers: form.getHeaders()
    });
    console.log('Decoded:', response.data.message);
 }
 encode().then(decode);
 ```
 ### Go
 ```go
 package main
 import (
    "bytes"
    "encoding/json"
    "fmt"
    "io"
    "mime/multipart"
    "net/http"
    "os"
 )
 func main() {
    // Encode
    body := &bytes.Buffer{}
    writer := multipart.NewWriter(body)
    writer.WriteField("message", "Secret message")
    writer.WriteField("day_phrase", "apple forest thunder")
    writer.WriteField("pin", "123456")
    ref, _ := os.Open("reference.jpg")
    refPart, _ := writer.CreateFormFile("reference_photo", "reference.jpg")
    io.Copy(refPart, ref)
    ref.Close()
    carrier, _ := os.Open("carrier.png")
    carrierPart, _ := writer.CreateFormFile("carrier", "carrier.png")
    io.Copy(carrierPart, carrier)
    carrier.Close()
    writer.Close()
    resp, _ := http.Post(
        "http://localhost:8000/encode/multipart",
        writer.FormDataContentType(),
        body,
    )
    stego, _ := os.Create("stego.png")
    io.Copy(stego, resp.Body)
    stego.Close()
    resp.Body.Close()
    fmt.Println("Encoded successfully")
 }
 ```
 ### Shell Script (Bash)
 ```bash
 #!/bin/bash
 BASE_URL="http://localhost:8000"
 REF_PHOTO="reference.jpg"
 CARRIER="carrier.png"
 PHRASE="apple forest thunder"
 PIN="123456"
 MESSAGE="Secret message"
 # Encode
 echo "Encoding..."
 curl -s -X POST "$BASE_URL/encode/multipart" \
  -F "message=$MESSAGE" \
  -F "day_phrase=$PHRASE" \
  -F "pin=$PIN" \
  -F "reference_photo=@$REF_PHOTO" \
  -F "carrier=@$CARRIER" \
  --output stego.png
 echo "Encoded to stego.png"
 # Decode
 echo "Decoding..."
 DECODED=$(curl -s -X POST "$BASE_URL/decode/multipart" \
  -F "day_phrase=$PHRASE" \
  -F "pin=$PIN" \
  -F "reference_photo=@$REF_PHOTO" \
  -F "stego_image=@stego.png" | jq -r '.message')
 echo "Decoded message: $DECODED"
 ```
 ---
 ## Rate Limiting
 The API does not implement rate limiting by default. For production:
 1. **Reverse Proxy**: Use nginx or Caddy rate limiting
 2. **Application Level**: Add FastAPI middleware
 Example nginx rate limiting:
 ```nginx
 limit_req_zone $binary_remote_addr zone=stegasoo:10m rate=10r/s;
 location /api/ {
    limit_req zone=stegasoo burst=20 nodelay;
    proxy_pass http://localhost:8000/;
 }
 ```
 ---
 ## Security Considerations
 ### In Transit
 - Use HTTPS in production
 - Configure TLS at reverse proxy level
 ### Memory Usage
 - Argon2id requires 256MB RAM per operation
 - Concurrent requests can exhaust memory
 - Limit workers based on available RAM
 ### Input Validation
 The API validates:
 - PIN format (6-9 digits, no leading zero)
 - Message size (max 50KB)
 - Image size (max 5MB file, ~4MP dimensions)
 - RSA key validity
 ### Credential Handling
 - Credentials are never logged
 - No persistent storage of secrets
 - Memory cleared after operations
 ---
 ## Interactive Documentation
 When the API is running, visit:
 - **Swagger UI**: http://localhost:8000/docs
 - **ReDoc**: http://localhost:8000/redoc
 ---
 ## See Also
 - [CLI Documentation](CLI.md) - Command-line interface
 - [Web UI Documentation](WEB_UI.md) - Browser interface
 - [README](README.md) - Project overview
 - Image size (max 5MB file, ~4MP dimensions)
 - RSA key validity
 ### Credential Handling
 - Credentials are never logged
 - No persistent storage of secrets
 - Memory cleared after operations
 ---
 ## Interactive Documentation
 When the API is running, visit:
 - **Swagger UI**: http://localhost:8000/docs
 - **ReDoc**: http://localhost:8000/redoc
 ---
 ## See Also
 - [CLI Documentation](CLI.md) - Command-line interface
 - [Web UI Documentation](WEB_UI.md) - Browser interface
 - [README](README.md) - Project overview
--- a/frontends/CLI.md
+++ b/frontends/CLI.md
@@ -1,634 +0,0 @@
 # Stegasoo CLI Documentation
 Complete command-line interface reference for Stegasoo steganography operations.
 ## Table of Contents
 - [Installation](#installation)
 - [Quick Start](#quick-start)
 - [Commands](#commands)
  - [generate](#generate-command)
  - [encode](#encode-command)
  - [decode](#decode-command)
  - [info](#info-command)
 - [Security Factors](#security-factors)
 - [Workflow Examples](#workflow-examples)
 - [Piping & Scripting](#piping--scripting)
 - [Error Handling](#error-handling)
 - [Exit Codes](#exit-codes)
 ---
 ## Installation
 ### From PyPI
 ```bash
 # CLI only
 pip install stegasoo[cli]
 # With all extras
 pip install stegasoo[all]
 ```
 ### From Source
 ```bash
 git clone https://github.com/example/stegasoo.git
 cd stegasoo
 pip install -e ".[cli]"
 ```
 ### Verify Installation
 ```bash
 stegasoo --version
 stegasoo --help
 ```
 ---
 ## Quick Start
 ```bash
 # 1. Generate credentials (do this once, memorize results)
 stegasoo generate --pin --words 3
 # 2. Encode a message
 stegasoo encode \
  --ref secret_photo.jpg \
  --carrier meme.png \
  --phrase "apple forest thunder" \
  --pin 123456 \
  --message "Meet at midnight"
 # 3. Decode a message
 stegasoo decode \
  --ref secret_photo.jpg \
  --stego stego_abc123_20251227.png \
  --phrase "apple forest thunder" \
  --pin 123456
 ```
 ---
 ## Commands
 ### Generate Command
 Generate credentials for encoding/decoding operations. Creates daily passphrases and optionally a PIN and/or RSA key.
 #### Synopsis
 ```bash
 stegasoo generate [OPTIONS]
 ```
 #### Options
 | Option | Short | Type | Default | Description |
 |--------|-------|------|---------|-------------|
 | `--pin/--no-pin` | | flag | `--pin` | Generate a PIN |
 | `--rsa/--no-rsa` | | flag | `--no-rsa` | Generate an RSA key |
 | `--pin-length` | | 6-9 | 6 | PIN length in digits |
 | `--rsa-bits` | | choice | 2048 | RSA key size (2048, 3072, 4096) |
 | `--words` | | 3-12 | 3 | Words per daily phrase |
 | `--output` | `-o` | path | | Save RSA key to file |
 | `--password` | `-p` | string | | Password for RSA key file |
 | `--json` | | flag | | Output as JSON |
 #### Examples
 **Basic generation with PIN (default):**
 ```bash
 stegasoo generate
 ```
 Output:
 ```
 ════════════════════════════════════════════════════════════
  STEGASOO CREDENTIALS
 ════════════════════════════════════════════════════════════
 ⚠️  MEMORIZE THESE AND CLOSE THIS WINDOW
    Do not screenshot or save to file!
 ─── STATIC PIN ───
    847293
 ─── DAILY PHRASES ───
    Monday    │ abandon ability able
    Tuesday   │ actor actress actual
    Wednesday │ advice aerobic affair
    Thursday  │ afraid again age
    Friday    │ agree ahead aim
    Saturday  │ airport aisle alarm
    Sunday    │ album alcohol alert
 ─── SECURITY ───
    Phrase entropy:  33 bits
    PIN entropy:     19 bits
    Combined:        52 bits
    + photo entropy: 80-256 bits
 ```
 **Generate with RSA key:**
 ```bash
 stegasoo generate --rsa --rsa-bits 4096
 ```
 **Save RSA key to encrypted file:**
 ```bash
 stegasoo generate --rsa -o mykey.pem -p "mysecretpassword"
 ```
 **Maximum security (longer phrases + both factors):**
 ```bash
 stegasoo generate --pin --rsa --words 6 --pin-length 9
 ```
 **JSON output for scripting:**
 ```bash
 stegasoo generate --json | jq '.phrases.Monday'
 ```
 **RSA only (no PIN):**
 ```bash
 stegasoo generate --no-pin --rsa -o key.pem -p "password123"
 ```
 ---
 ### Encode Command
 Encode a secret message into an image using steganography.
 #### Synopsis
 ```bash
 stegasoo encode [OPTIONS]
 ```
 #### Options
 | Option | Short | Type | Required | Description |
 |--------|-------|------|----------|-------------|
 | `--ref` | `-r` | path | ✓ | Reference photo (shared secret) |
 | `--carrier` | `-c` | path | ✓ | Carrier image to hide message in |
 | `--phrase` | `-p` | string | ✓ | Today's passphrase |
 | `--message` | `-m` | string | | Message to encode |
 | `--message-file` | `-f` | path | | Read message from file |
 | `--pin` | | string | * | Static PIN (6-9 digits) |
 | `--key` | `-k` | path | * | RSA key file |
 | `--key-password` | | string | | Password for RSA key |
 | `--output` | `-o` | path | | Output filename |
 | `--date` | | YYYY-MM-DD | | Date override |
 | `--quiet` | `-q` | flag | | Suppress output |
 \* At least one of `--pin` or `--key` is required.
 #### Message Input Methods
 1. **Command line argument:**
   ```bash
   stegasoo encode -r ref.jpg -c carrier.png -p "phrase" --pin 123456 -m "Secret message"
   ```
 2. **From file:**
   ```bash
   stegasoo encode -r ref.jpg -c carrier.png -p "phrase" --pin 123456 -f message.txt
   ```
 3. **From stdin (pipe):**
   ```bash
   echo "Secret message" | stegasoo encode -r ref.jpg -c carrier.png -p "phrase" --pin 123456
   ```
 #### Examples
 **Basic encoding with PIN:**
 ```bash
 stegasoo encode \
  --ref photos/vacation.jpg \
  --carrier memes/funny_cat.png \
  --phrase "correct horse battery" \
  --pin 847293 \
  --message "The package arrives Tuesday"
 ```
 Output:
 ```
 ✓ Encoded successfully!
  Output: a1b2c3d4_20251227.png
  Size: 245,832 bytes
  Capacity used: 12.4%
  Date: 2025-12-27
 ```
 **With RSA key:**
 ```bash
 stegasoo encode \
  -r reference.jpg \
  -c carrier.png \
  -p "apple forest thunder" \
  -k mykey.pem \
  --key-password "secretpassword" \
  -m "Encrypted with RSA"
 ```
 **Both PIN and RSA (maximum security):**
 ```bash
 stegasoo encode \
  -r ref.jpg \
  -c carrier.png \
  -p "word1 word2 word3" \
  --pin 123456 \
  -k mykey.pem \
  --key-password "pass" \
  -m "Double-locked message"
 ```
 **Custom output filename:**
 ```bash
 stegasoo encode \
  -r ref.jpg \
  -c carrier.png \
  -p "phrase words here" \
  --pin 123456 \
  -m "Message" \
  -o holiday_photo.png
 ```
 **Encoding with specific date (for testing):**
 ```bash
 stegasoo encode \
  -r ref.jpg \
  -c carrier.png \
  -p "monday phrase here" \
  --pin 123456 \
  -m "Message" \
  --date 2025-12-29
 ```
 **Long message from file:**
 ```bash
 stegasoo encode \
  -r ref.jpg \
  -c large_image.png \
  -p "phrase" \
  --pin 123456 \
  -f secret_document.txt \
  -o output.png
 ```
 **Quiet mode for scripting:**
 ```bash
 stegasoo encode -r ref.jpg -c carrier.png -p "phrase" --pin 123456 -m "msg" -q -o out.png
 # No output, just creates the file
 ```
 ---
 ### Decode Command
 Decode a secret message from a stego image.
 #### Synopsis
 ```bash
 stegasoo decode [OPTIONS]
 ```
 #### Options
 | Option | Short | Type | Required | Description |
 |--------|-------|------|----------|-------------|
 | `--ref` | `-r` | path | ✓ | Reference photo (same as encoding) |
 | `--stego` | `-s` | path | ✓ | Stego image to decode |
 | `--phrase` | `-p` | string | ✓ | Passphrase for the encoding day |
 | `--pin` | | string | * | Static PIN |
 | `--key` | `-k` | path | * | RSA key file |
 | `--key-password` | | string | | Password for RSA key |
 | `--output` | `-o` | path | | Save message to file |
 | `--quiet` | `-q` | flag | | Output only the message |
 \* Must provide the same security factors used during encoding.
 #### Examples
 **Basic decoding with PIN:**
 ```bash
 stegasoo decode \
  --ref photos/vacation.jpg \
  --stego received_image.png \
  --phrase "correct horse battery" \
  --pin 847293
 ```
 Output:
 ```
 ✓ Decoded successfully!
 The package arrives Tuesday
 ```
 **With RSA key:**
 ```bash
 stegasoo decode \
  -r reference.jpg \
  -s stego_image.png \
  -p "apple forest thunder" \
  -k mykey.pem \
  --key-password "secretpassword"
 ```
 **Save decoded message to file:**
 ```bash
 stegasoo decode \
  -r ref.jpg \
  -s stego.png \
  -p "phrase" \
  --pin 123456 \
  -o decoded_message.txt
 ```
 Output:
 ```
 ✓ Decoded successfully!
  Saved to: decoded_message.txt
 ```
 **Quiet mode (message only):**
 ```bash
 stegasoo decode -r ref.jpg -s stego.png -p "phrase" --pin 123456 -q
 ```
 Output:
 ```
 The package arrives Tuesday
 ```
 **Pipe to another command:**
 ```bash
 stegasoo decode -r ref.jpg -s stego.png -p "phrase" --pin 123456 -q | gpg --decrypt
 ```
 ---
 ### Info Command
 Display information about an image's capacity and embedded date.
 #### Synopsis
 ```bash
 stegasoo info IMAGE
 ```
 #### Arguments
 | Argument | Type | Description |
 |----------|------|-------------|
 | `IMAGE` | path | Path to image file |
 #### Examples
 **Check carrier image capacity:**
 ```bash
 stegasoo info vacation_photo.png
 ```
 Output:
 ```
 Image: vacation_photo.png
  Dimensions:  1920 × 1080
  Pixels:      2,073,600
  Mode:        RGB
  Format:      PNG
  Capacity:    ~776,970 bytes (758 KB)
 ```
 **Check stego image (shows encoding date):**
 ```bash
 stegasoo info stego_a1b2c3d4_20251227.png
 ```
 Output:
 ```
 Image: stego_a1b2c3d4_20251227.png
  Dimensions:  1920 × 1080
  Pixels:      2,073,600
  Mode:        RGB
  Format:      PNG
  Capacity:    ~776,970 bytes (758 KB)
  Embed date:  2025-12-27 (Saturday)
 ```
 ---
 ## Security Factors
 Stegasoo uses multiple authentication factors:
 | Factor | Description | Entropy |
 |--------|-------------|---------|
 | Reference Photo | A photo both parties have | ~80-256 bits |
 | Day Phrase | Changes daily (e.g., 3 BIP-39 words) | ~33 bits (3 words) |
 | Static PIN | Same every day (6-9 digits) | ~20 bits (6 digits) |
 | RSA Key | Shared key file | ~128 bits effective |
 ### Minimum Requirements
 - At least one of PIN or RSA key must be provided
 - Reference photo is always required
 - Day phrase is always required
 ### Security Configurations
 | Configuration | Entropy (excl. photo) | Use Case |
 |--------------|----------------------|----------|
 | 3-word phrase + 6-digit PIN | ~53 bits | Casual use |
 | 6-word phrase + 9-digit PIN | ~96 bits | Standard security |
 | 3-word phrase + RSA 2048 | ~161 bits | File-based auth |
 | 6-word phrase + PIN + RSA | ~224 bits | Maximum security |
 ---
 ## Workflow Examples
 ### Daily Secure Communication
 **Setup (once):**
 ```bash
 # Both parties generate same credentials
 stegasoo generate --pin --words 3
 # Or share RSA key securely
 stegasoo generate --rsa -o shared_key.pem -p "agreedpassword"
 # Securely transfer shared_key.pem to recipient
 ```
 **Sender (daily):**
 ```bash
 # Get today's phrase from your memorized list
 TODAY_PHRASE="monday phrase words"
 # Encode message
 stegasoo encode \
  -r our_shared_photo.jpg \
  -c random_meme.png \
  -p "$TODAY_PHRASE" \
  --pin 847293 \
  -m "Meeting moved to 3pm"
 # Share output image via normal channels (email, chat, etc.)
 ```
 **Recipient (daily):**
 ```bash
 # Use the phrase for the day the message was SENT
 stegasoo decode \
  -r our_shared_photo.jpg \
  -s received_image.png \
  -p "monday phrase words" \
  --pin 847293
 ```
 ### Batch Processing
 **Encode multiple messages:**
 ```bash
 #!/bin/bash
 PHRASE="apple forest thunder"
 PIN="123456"
 REF="reference.jpg"
 for file in messages/*.txt; do
  name=$(basename "$file" .txt)
  stegasoo encode \
    -r "$REF" \
    -c "carriers/${name}.png" \
    -p "$PHRASE" \
    --pin "$PIN" \
    -f "$file" \
    -o "output/${name}_stego.png" \
    -q
  echo "Encoded: $name"
 done
 ```
 ### Archive with Date Preservation
 ```bash
 # Encode with specific date for archival
 stegasoo encode \
  -r ref.jpg \
  -c carrier.png \
  -p "archive phrase words" \
  --pin 123456 \
  -m "Historical record" \
  --date 2025-01-15 \
  -o archive_2025-01-15.png
 ```
 ---
 ## Piping & Scripting
 ### Stdin/Stdout Support
 **Encode from pipe:**
 ```bash
 cat secret.txt | stegasoo encode -r ref.jpg -c carrier.png -p "phrase" --pin 123456 -o out.png
 ```
 **Decode to pipe:**
 ```bash
 stegasoo decode -r ref.jpg -s stego.png -p "phrase" --pin 123456 -q | less
 ```
 **Chain with encryption:**
 ```bash
 # Encode GPG-encrypted content
 gpg -e -r recipient@email.com secret.txt
 cat secret.txt.gpg | base64 | stegasoo encode -r ref.jpg -c carrier.png -p "phrase" --pin 123456
 # Decode and decrypt
 stegasoo decode -r ref.jpg -s stego.png -p "phrase" --pin 123456 -q | base64 -d | gpg -d
 ```
 ### JSON Output for Scripts
 ```bash
 # Get credentials as JSON
 creds=$(stegasoo generate --json)
 # Extract specific fields
 pin=$(echo "$creds" | jq -r '.pin')
 monday=$(echo "$creds" | jq -r '.phrases.Monday')
 entropy=$(echo "$creds" | jq -r '.entropy.total')
 echo "PIN: $pin"
 echo "Monday phrase: $monday"
 echo "Total entropy: $entropy bits"
 ```
 ### Error Handling in Scripts
 ```bash
 #!/bin/bash
 set -e
 if ! stegasoo decode -r ref.jpg -s stego.png -p "phrase" --pin 123456 -q 2>/dev/null; then
  echo "Decryption failed - check credentials"
  exit 1
 fi
 ```
 ---
 ## Error Handling
 ### Common Errors
 | Error | Cause | Solution |
 |-------|-------|----------|
 | "Must provide --pin or --key" | No security factor given | Add `--pin` or `--key` option |
 | "PIN must be 6-9 digits" | Invalid PIN format | Use numeric PIN, 6-9 chars |
 | "PIN cannot start with zero" | Leading zero in PIN | Use PIN starting with 1-9 |
 | "Carrier image too small" | Message exceeds capacity | Use larger carrier image |
 | "Decryption failed" | Wrong credentials | Verify phrase, PIN, ref photo |
 | "RSA key is password-protected" | Missing key password | Add `--key-password` option |
 ### Troubleshooting Decryption Failures
 1. **Check the encoding date:** The filename often contains the date (e.g., `_20251227`)
 2. **Use correct phrase:** The phrase must match the day the message was encoded, not today
 3. **Verify reference photo:** Must be the exact same file, not a resized copy
 4. **Check stego image:** Ensure it wasn't resized, recompressed, or converted
 ---
 ## Exit Codes
 | Code | Meaning |
 |------|---------|
 | 0 | Success |
 | 1 | General error |
 | 2 | Invalid arguments/options |
 ---
 ## Environment Variables
 | Variable | Description |
 |----------|-------------|
 | `PYTHONPATH` | Include `src/` for development |
 ---
 ## See Also
 - [API Documentation](API.md) - REST API reference
 - [Web UI Documentation](WEB_UI.md) - Browser interface guide
 - [README](README.md) - Project overview and security model
--- a/frontends/WEB_UI.md
+++ b/frontends/WEB_UI.md
@@ -1,739 +0,0 @@
 # Stegasoo Web UI Documentation
 Complete guide for the Stegasoo web-based steganography interface.
 ## Table of Contents
 - [Overview](#overview)
 - [Installation & Setup](#installation--setup)
 - [Pages & Features](#pages--features)
  - [Home Page](#home-page)
  - [Generate Credentials](#generate-credentials)
  - [Encode Message](#encode-message)
  - [Decode Message](#decode-message)
  - [About Page](#about-page)
 - [User Interface Guide](#user-interface-guide)
 - [Workflow Examples](#workflow-examples)
 - [Security Features](#security-features)
 - [Configuration](#configuration)
 - [Troubleshooting](#troubleshooting)
 - [Mobile Support](#mobile-support)
 ---
 ## Overview
 The Stegasoo Web UI provides a user-friendly browser-based interface for:
 - **Generating** secure credentials (phrases, PINs, RSA keys)
 - **Encoding** secret messages into images
 - **Decoding** hidden messages from images
 - **Learning** about the security model
 Built with Flask, Bootstrap 5, and a modern dark theme.
 ### Features
 - ✅ Drag-and-drop file uploads
 - ✅ Image previews
 - ✅ Client-side date detection
 - ✅ Native sharing (Web Share API)
 - ✅ Responsive design (mobile-friendly)
 - ✅ Password-protected RSA key downloads
 - ✅ Real-time entropy calculations
 - ✅ Automatic file cleanup
 ---
 ## Installation & Setup
 ### From PyPI
 ```bash
 pip install stegasoo[web]
 ```
 ### From Source
 ```bash
 git clone https://github.com/example/stegasoo.git
 cd stegasoo
 pip install -e ".[web]"
 ```
 ### Running the Server
 **Development:**
 ```bash
 cd frontends/web
 python app.py
 ```
 Server starts at http://localhost:5000
 **Production with Gunicorn:**
 ```bash
 cd frontends/web
 gunicorn --bind 0.0.0.0:5000 --workers 2 --threads 4 --timeout 60 app:app
 ```
 **Docker:**
 ```bash
 docker-compose up web
 ```
 ### First-Time Setup
 1. Navigate to http://localhost:5000
 2. Click "Generate" to create your credentials
 3. **Memorize** your phrases and PIN
 4. Share credentials securely with your communication partner
 ---
 ## Pages & Features
 ### Home Page
 **URL:** `/`
 The landing page introduces Stegasoo and provides quick access to all features.
 #### Main Actions
 | Card | Description | Link |
 |------|-------------|------|
 | **Encode Message** | Hide a secret in an image | `/encode` |
 | **Decode Message** | Extract a hidden message | `/decode` |
 | **Generate Keys** | Create new credentials | `/generate` |
 #### "How It Works" Section
 Explains the three key components:
 1. **Reference Photo** - Shared secret image
 2. **Day Phrase** - Changes daily
 3. **Static PIN** - Same every day
 ---
 ### Generate Credentials
 **URL:** `/generate`
 Create a new set of credentials for steganography operations.
 #### Configuration Options
 | Option | Range | Default | Description |
 |--------|-------|---------|-------------|
 | Words per phrase | 3-12 | 3 | BIP-39 words per daily phrase |
 | Use PIN | on/off | on | Generate a numeric PIN |
 | PIN length | 6-9 | 6 | Digits in the PIN |
 | Use RSA Key | on/off | off | Generate an RSA key pair |
 | RSA key size | 2048/3072/4096 | 2048 | Key size in bits |
 #### Entropy Calculator
 The UI displays real-time entropy calculations:
 ```
 Estimated entropy: ~53 bits
 [==========>                    ] Good for most use cases
 • Reference photo adds ~80-256 bits more
 ```
 #### Generated Output
 After clicking "Generate Credentials":
 **Static PIN** (if enabled):
 ```
 ┌─────────────────────┐
 │      8 4 7 2 9 3    │
 └─────────────────────┘
 Use this 6-digit PIN every day
 ```
 **Daily Phrases:**
 ```
 Day         │ Phrase
 ─────────────────────────────────────────
 Monday      │ abandon ability able
 Tuesday     │ actor actress actual
 Wednesday   │ advice aerobic affair
 Thursday    │ afraid again age
 Friday      │ agree ahead aim
 Saturday    │ airport aisle alarm
 Sunday      │ album alcohol alert
 ```
 **RSA Key** (if enabled):
 - Copy to clipboard button
 - Download as password-protected .pem file
 **Security Summary:**
 ```
 Phrase entropy: 33 bits/phrase
 PIN entropy:    19 bits/PIN
 RSA entropy:    128 bits/RSA
 ─────────────────────────────
 Total:          180 bits
 + reference photo (~80-256 bits) = 260+ bits combined
 ```
 #### RSA Key Download
 1. Click "Download as .pem"
 2. Enter a password (minimum 8 characters)
 3. Click "Download Protected Key"
 4. Save the file securely
 5. Share with your communication partner through a secure channel
 ---
 ### Encode Message
 **URL:** `/encode`
 Hide a secret message inside an image.
 #### Input Fields
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | Reference Photo | Image file | ✓ | Your shared secret photo |
 | Carrier Image | Image file | ✓ | Image to hide message in |
 | Secret Message | Text | ✓ | Message to hide (max 50KB) |
 | Day Phrase | Text | ✓ | Today's passphrase |
 | PIN | Number | * | Your static PIN |
 | RSA Key | .pem file | * | Your shared RSA key |
 | RSA Key Password | Password | | Password for encrypted key |
 \* At least one security factor (PIN or RSA Key) required.
 #### Drag-and-Drop Upload
 Both image upload zones support:
 - Click to browse
 - Drag and drop files
 - Instant image preview
 - File name display
 #### Character Counter
 ```
 Message: [                                              ]
         1,234 / 50,000 characters                  2%
 ```
 Shows warning at 80% capacity.
 #### Day Detection
 The page automatically detects your local day of week and updates the label:
 ```
 Saturday's Phrase: [                    ]
 ```
 #### Encoding Process
 1. Fill in all required fields
 2. Click "Encode Message"
 3. Wait for processing (shows spinner)
 4. Redirected to result page
 #### Result Page
 **URL:** `/encode/result/<file_id>`
 After successful encoding:
 ```
 ┌────────────────────────────────────────┐
 │  ✓ Message Encoded Successfully!       │
 │                                        │
 │     📄 a1b2c3d4_20251227.png          │
 │     Your secret message is hidden      │
 │     in this image                      │
 │                                        │
 │     [    Download Image    ]           │
 │     [      Share Image     ]           │
 │                                        │
 │  ⚠️ File expires in 5 minutes.         │
 │     Download or share now.             │
 │                                        │
 │     [ Encode Another Message ]         │
 └────────────────────────────────────────┘
 ```
 **Share Options:**
 1. **Native Share** (mobile/supported browsers):
   - Uses Web Share API
   - Opens system share sheet
   - Can share directly to apps
 2. **Fallback Share** (desktop):
   - Email link
   - Telegram link
   - WhatsApp link
   - Copy link to clipboard
 ---
 ### Decode Message
 **URL:** `/decode`
 Extract a hidden message from a stego image.
 #### Input Fields
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | Reference Photo | Image file | ✓ | Same photo used for encoding |
 | Stego Image | Image file | ✓ | Image containing hidden message |
 | Day Phrase | Text | ✓ | Phrase for the **encoding** day |
 | PIN | Number | * | Same PIN used for encoding |
 | RSA Key | .pem file | * | Same RSA key used for encoding |
 | RSA Key Password | Password | | Password for encrypted key |
 \* Must match security factors used during encoding.
 #### Date Detection from Filename
 When you upload a stego image with a date in the filename (e.g., `stego_20251227.png`), the UI:
 1. Extracts the date
 2. Determines the day of week
 3. Updates the phrase label: "Saturday's Phrase"
 This helps you use the correct daily phrase.
 #### Decoding Process
 1. Fill in all required fields
 2. Click "Decode Message"
 3. Wait for processing
 4. View decoded message on same page
 #### Successful Decode
 ```
 ┌────────────────────────────────────────┐
 │  ✓ Message Decrypted Successfully!     │
 │                                        │
 │  Decoded Message:                      │
 │  ┌──────────────────────────────────┐  │
 │  │ Meet at midnight. The package    │  │
 │  │ will be under the bridge.        │  │
 │  └──────────────────────────────────┘  │
 │                                        │
 │     [ Decode Another Message ]         │
 └────────────────────────────────────────┘
 ```
 #### Troubleshooting Tips
 The page includes built-in troubleshooting guidance:
 - ✓ Use the **exact same reference photo** file
 - ✓ Use the phrase for the **encoding day**, not today
 - ✓ Provide the **same security factors** used during encoding
 - ✓ Ensure the stego image hasn't been **resized or recompressed**
 - ✓ If using RSA key, verify the **password is correct**
 ---
 ### About Page
 **URL:** `/about`
 Learn about Stegasoo's security model and best practices.
 #### Sections
 **System Status:**
 - Argon2id availability (vs PBKDF2 fallback)
 - AES-256-GCM encryption status
 **Security Model Table:**
 | Component | Entropy | Purpose |
 |-----------|---------|---------|
 | Reference Photo | ~80-256 bits | Something you have |
 | 3-Word Phrase | ~33 bits | Something you know (daily) |
 | 6-Digit PIN | ~20 bits | Something you know (static) |
 | Date | N/A | Automatic key rotation |
 | **Combined** | **133+ bits** | **Beyond brute force** |
 **Attack Resistance:**
 What attackers can't do:
 - Brute force (2^133 combinations)
 - Use rainbow tables (random salt)
 - Detect hidden data (random pixels)
 - Use GPU farms (256MB RAM per attempt)
 Real threats:
 - Social engineering
 - Physical device access
 - Malware/keyloggers
 - Shoulder surfing
 **Best Practices:**
 Do:
 - Memorize phrases and PIN
 - Use reference photo both parties have
 - Use different carrier images each time
 - Share stego images through normal channels
 Don't:
 - Transmit the reference photo
 - Reuse carrier images
 - Store credentials digitally
 - Resize/recompress stego images
 ---
 ## User Interface Guide
 ### Navigation
 The navbar provides quick access to all pages:
 ```
 [Logo] Stegasoo    Home | Encode | Decode | Generate | About
 ```
 ### Color Scheme
 | Element | Color | Purpose |
 |---------|-------|---------|
 | Background | Dark gradient | Reduce eye strain |
 | Cards | Semi-transparent | Visual hierarchy |
 | Headers | Purple gradient | Brand identity |
 | Success | Green | Positive actions |
 | Warning | Yellow | Caution messages |
 | Error | Red | Error states |
 ### Form Validation
 - Real-time validation feedback
 - Clear error messages in alerts
 - Required field indicators
 - Input constraints (max length, format)
 ### Loading States
 During long operations:
 - Button shows spinner
 - Button text changes (e.g., "Encoding...")
 - Button is disabled to prevent double-submit
 ### Flash Messages
 ```
 ┌──────────────────────────────────────────────┐
 │ ✓ Credentials Generated!              [×]   │
 └──────────────────────────────────────────────┘
 ```
 Types:
 - Success (green) - Operation completed
 - Error (red) - Operation failed
 - Warning (yellow) - Caution needed
 ---
 ## Workflow Examples
 ### First-Time Setup (Both Parties)
 **Party A:**
 1. Go to `/generate`
 2. Configure: PIN ✓, 3 words, 6 digits
 3. Click "Generate Credentials"
 4. **Write down** phrases and PIN on paper
 5. **Memorize** over the next few days
 6. Destroy the paper
 **Share with Party B (in person or secure channel):**
 - The 7 daily phrases
 - The PIN
 - The reference photo file (if not already shared)
 ### Sending a Secret Message
 1. Go to `/encode`
 2. Upload your shared reference photo
 3. Upload any carrier image (meme, vacation photo, etc.)
 4. Type your secret message
 5. Enter today's phrase (check your memory!)
 6. Enter your PIN
 7. Click "Encode Message"
 8. Download or share the resulting image
 9. Send via any channel (email, social media, chat)
 ### Receiving a Secret Message
 1. Receive the stego image through any channel
 2. Go to `/decode`
 3. Upload the same reference photo
 4. Upload the received stego image
 5. Note the date in the filename (e.g., `_20251227`)
 6. Enter the phrase for **that day** (not today!)
 7. Enter the PIN
 8. Click "Decode Message"
 9. Read the secret message
 ### Changing Credentials
 To rotate to new credentials:
 1. Both parties generate new credentials together
 2. Agree on a cutover date
 3. Messages encoded before cutover use old credentials
 4. Messages encoded after cutover use new credentials
 ---
 ## Security Features
 ### Client-Side Security
 | Feature | Implementation |
 |---------|----------------|
 | Local date detection | JavaScript `Date()` object |
 | No credential storage | Nothing saved in browser |
 | Automatic cleanup | Files deleted after 5 minutes |
 | HTTPS support | Configure at server level |
 ### Server-Side Security
 | Feature | Implementation |
 |---------|----------------|
 | Memory-hard KDF | Argon2id (256MB RAM) |
 | Authenticated encryption | AES-256-GCM |
 | Random salt | Per-message salt |
 | Temporary storage | In-memory, auto-expiring |
 | Input validation | All inputs validated |
 | File size limits | 5MB max upload |
 ### File Security
 | Aspect | Protection |
 |--------|------------|
 | Upload location | `/tmp/stego_uploads` (Docker) |
 | Storage duration | 5 minutes maximum |
 | Access control | Random 16-byte file ID |
 | Cleanup | Automatic + manual |
 ---
 ## Configuration
 ### Environment Variables
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `FLASK_ENV` | production | Flask environment |
 | `PYTHONPATH` | - | Include `src/` for development |
 ### Application Limits
 | Limit | Value | Config Location |
 |-------|-------|-----------------|
 | Max file upload | 5 MB | `app.config['MAX_CONTENT_LENGTH']` |
 | File expiry | 5 minutes | `TEMP_FILE_EXPIRY` |
 | Max image pixels | 4 MP | `stegasoo.constants` |
 | Max message size | 50 KB | `stegasoo.constants` |
 | PIN length | 6-9 digits | `stegasoo.constants` |
 ### Production Deployment
 **With Gunicorn:**
 ```bash
 gunicorn \
  --bind 0.0.0.0:5000 \
  --workers 2 \
  --threads 4 \
  --timeout 60 \
  app:app
 ```
 **Worker Calculation:**
 - Each encode/decode uses ~256MB RAM (Argon2)
 - Formula: `workers = (available_RAM - 512MB) / 256MB`
 **With Nginx (reverse proxy):**
 ```nginx
 server {
    listen 80;
    server_name stegasoo.example.com;
    client_max_body_size 10M;
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 120s;
    }
 }
 ```
 **With Docker Compose:**
 ```yaml
 services:
  web:
    build:
      context: .
      target: web
    ports:
      - "5000:5000"
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 256M
 ```
 ---
 ## Troubleshooting
 ### Common Issues
 #### "Decryption failed"
 **Causes:**
 - Wrong day phrase
 - Wrong PIN
 - Different reference photo
 - Stego image was modified
 **Solutions:**
 1. Check the date in the stego filename
 2. Use the phrase for that specific day
 3. Verify you're using the original reference photo
 4. Ensure the stego image wasn't resized/recompressed
 #### "Carrier image too small"
 **Cause:** Message too large for carrier capacity
 **Solutions:**
 1. Use a larger carrier image (more pixels)
 2. Shorten the message
 3. Check capacity with `/info` command (CLI)
 #### "You must provide at least a PIN or RSA Key"
 **Cause:** No security factor selected
 **Solution:** Enter a PIN and/or upload an RSA key
 #### Upload fails silently
 **Causes:**
 - File too large (>5MB)
 - Invalid file type
 - Browser issue
 **Solutions:**
 1. Reduce file size
 2. Use PNG, JPG, or BMP formats
 3. Try a different browser
 #### RSA key password error
 **Causes:**
 - Wrong password
 - Unencrypted key with password provided
 - Corrupted key file
 **Solutions:**
 1. Verify the correct password
 2. If key is unencrypted, leave password blank
 3. Re-download or regenerate the key
 ### Browser Compatibility
 | Browser | Status | Notes |
 |---------|--------|-------|
 | Chrome 80+ | ✓ Full | Web Share API supported |
 | Firefox 80+ | ✓ Full | Limited Web Share |
 | Safari 14+ | ✓ Full | Web Share on iOS |
 | Edge 80+ | ✓ Full | Web Share API supported |
 | IE 11 | ✗ None | Not supported |
 ### Performance Issues
 **Slow encoding/decoding:**
 - Normal: Argon2 is intentionally slow (security feature)
 - Expected time: 2-5 seconds per operation
 **High memory usage:**
 - Normal: Argon2 requires 256MB RAM
 - Configure worker count based on available RAM
 ---
 ## Mobile Support
 ### Responsive Design
 The UI adapts to mobile screens:
 - Single-column layout on small screens
 - Touch-friendly buttons (48px minimum)
 - Readable text without zooming
 - Scrollable tables
 ### Mobile-Specific Features
 **Native Sharing:**
 On supported mobile browsers, the "Share Image" button opens the native share sheet, allowing you to share directly to:
 - Messaging apps (iMessage, WhatsApp, Telegram)
 - Social media (Instagram, Twitter)
 - Email
 - Other installed apps
 **Camera Upload:**
 File input accepts camera capture:
 - Take a new photo as reference
 - Capture carrier image directly
 ### PWA Support (Future)
 The web app can be added to home screen on mobile devices for quick access.
 ---
 ## Keyboard Shortcuts
 | Shortcut | Action |
 |----------|--------|
 | `Tab` | Navigate between fields |
 | `Enter` | Submit form (when focused) |
 | `Esc` | Close modal/alert |
 ---
 ## Accessibility
 | Feature | Implementation |
 |---------|----------------|
 | Screen readers | ARIA labels on interactive elements |
 | Keyboard navigation | Full tab support |
 | Color contrast | WCAG AA compliant |
 | Focus indicators | Visible focus rings |
 | Form labels | All inputs labeled |
 ---
 ## See Also
 - [CLI Documentation](CLI.md) - Command-line interface
 - [API Documentation](API.md) - REST API reference
 - [README](README.md) - Project overview
--- a/frontends/init.py
+++ b/frontends/init.py
--- a/frontends/api/init.py
+++ b/frontends/api/init.py
--- a/frontends/api/auth.py
+++ b/frontends/api/auth.py
@@ -0,0 +1,257 @@
 """
 API Key Authentication for Stegasoo REST API.
 Provides simple API key authentication with hashed key storage.
 Keys can be stored in user config (~/.stegasoo/) or project config (./config/).
 Usage:
    from .auth import require_api_key, get_api_key_status
    @app.get("/protected")
    async def protected_endpoint(api_key: str = Depends(require_api_key)):
        return {"status": "authenticated"}
 """
 import hashlib
 import json
 import os
 import secrets
 from pathlib import Path
 from fastapi import HTTPException, Security
 from fastapi.security import APIKeyHeader
 # API key header name
 API_KEY_HEADER = APIKeyHeader(name="X-API-Key", auto_error=False)
 # Config locations
 USER_CONFIG_DIR = Path.home() / ".stegasoo"
 PROJECT_CONFIG_DIR = Path("./config")
 # Key file name
 API_KEYS_FILE = "api_keys.json"
 # Environment variable for API key (alternative to file)
 API_KEY_ENV_VAR = "STEGASOO_API_KEY"
 def _hash_key(key: str) -> str:
    """Hash an API key for storage."""
    return hashlib.sha256(key.encode()).hexdigest()
 def _get_keys_file(location: str = "user") -> Path:
    """Get path to API keys file."""
    if location == "project":
        return PROJECT_CONFIG_DIR / API_KEYS_FILE
    return USER_CONFIG_DIR / API_KEYS_FILE
 def _load_keys(location: str = "user") -> dict:
    """Load API keys from config file."""
    keys_file = _get_keys_file(location)
    if keys_file.exists():
        try:
            with open(keys_file) as f:
                return json.load(f)
        except (OSError, json.JSONDecodeError):
            return {"keys": [], "enabled": True}
    return {"keys": [], "enabled": True}
 def _save_keys(data: dict, location: str = "user") -> None:
    """Save API keys to config file."""
    keys_file = _get_keys_file(location)
    keys_file.parent.mkdir(parents=True, exist_ok=True)
    with open(keys_file, "w") as f:
        json.dump(data, f, indent=2)
    # Secure permissions (owner read/write only)
    os.chmod(keys_file, 0o600)
 def generate_api_key() -> str:
    """Generate a new API key."""
    # Format: stegasoo_XXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    # 32 bytes = 256 bits of entropy
    random_part = secrets.token_hex(16)
    return f"stegasoo_{random_part[:4]}_{random_part[4:]}"
 def add_api_key(name: str, location: str = "user") -> str:
    """
    Generate and store a new API key.
    Args:
        name: Descriptive name for the key (e.g., "laptop", "automation")
        location: "user" or "project"
    Returns:
        The generated API key (only shown once!)
    """
    key = generate_api_key()
    key_hash = _hash_key(key)
    data = _load_keys(location)
    # Check for duplicate name
    for existing in data["keys"]:
        if existing["name"] == name:
            raise ValueError(f"Key with name '{name}' already exists")
    data["keys"].append(
        {
            "name": name,
            "hash": key_hash,
            "created": __import__("datetime").datetime.now().isoformat(),
        }
    )
    _save_keys(data, location)
    return key
 def remove_api_key(name: str, location: str = "user") -> bool:
    """
    Remove an API key by name.
    Returns:
        True if key was found and removed, False otherwise
    """
    data = _load_keys(location)
    original_count = len(data["keys"])
    data["keys"] = [k for k in data["keys"] if k["name"] != name]
    if len(data["keys"]) < original_count:
        _save_keys(data, location)
        return True
    return False
 def list_api_keys(location: str = "user") -> list[dict]:
    """
    List all API keys (names and creation dates, not actual keys).
    """
    data = _load_keys(location)
    return [{"name": k["name"], "created": k.get("created", "unknown")} for k in data["keys"]]
 def set_auth_enabled(enabled: bool, location: str = "user") -> None:
    """Enable or disable API key authentication."""
    data = _load_keys(location)
    data["enabled"] = enabled
    _save_keys(data, location)
 def is_auth_enabled() -> bool:
    """Check if API key authentication is enabled."""
    # Check project config first, then user config
    for location in ["project", "user"]:
        data = _load_keys(location)
        if "enabled" in data:
            return data["enabled"]
    # Default: enabled if any keys exist
    return bool(get_all_key_hashes())
 def get_all_key_hashes() -> set[str]:
    """Get all valid API key hashes from all sources."""
    hashes = set()
    # Check environment variable first
    env_key = os.environ.get(API_KEY_ENV_VAR)
    if env_key:
        hashes.add(_hash_key(env_key))
    # Check project and user configs
    for location in ["project", "user"]:
        data = _load_keys(location)
        for key_entry in data.get("keys", []):
            if "hash" in key_entry:
                hashes.add(key_entry["hash"])
    return hashes
 def validate_api_key(key: str) -> bool:
    """Validate an API key against stored hashes."""
    if not key:
        return False
    key_hash = _hash_key(key)
    valid_hashes = get_all_key_hashes()
    return key_hash in valid_hashes
 def get_api_key_status() -> dict:
    """Get current API key authentication status."""
    user_keys = list_api_keys("user")
    project_keys = list_api_keys("project")
    env_configured = bool(os.environ.get(API_KEY_ENV_VAR))
    total_keys = len(user_keys) + len(project_keys) + (1 if env_configured else 0)
    return {
        "enabled": is_auth_enabled(),
        "total_keys": total_keys,
        "user_keys": len(user_keys),
        "project_keys": len(project_keys),
        "env_configured": env_configured,
        "keys": {
            "user": user_keys,
            "project": project_keys,
        },
    }
 # FastAPI dependency for API key authentication
 async def require_api_key(api_key: str | None = Security(API_KEY_HEADER)) -> str:
    """
    FastAPI dependency that requires a valid API key.
    Usage:
        @app.get("/protected")
        async def endpoint(key: str = Depends(require_api_key)):
            ...
    """
    # Check if auth is enabled
    if not is_auth_enabled():
        return "auth_disabled"
    # No keys configured = auth disabled
    if not get_all_key_hashes():
        return "no_keys_configured"
    # Validate the provided key
    if not api_key:
        raise HTTPException(
            status_code=401,
            detail="API key required. Provide X-API-Key header.",
            headers={"WWW-Authenticate": "ApiKey"},
        )
    if not validate_api_key(api_key):
        raise HTTPException(
            status_code=403,
            detail="Invalid API key.",
        )
    return api_key
 async def optional_api_key(api_key: str | None = Security(API_KEY_HEADER)) -> str | None:
    """
    FastAPI dependency that optionally validates API key.
    Returns the key if valid, None if not provided or invalid.
    Doesn't raise exceptions - useful for endpoints that work
    with or without auth.
    """
    if api_key and validate_api_key(api_key):
        return api_key
    return None
--- a/frontends/api/main.py
+++ b/frontends/api/main.py
--- a/frontends/cli/init.py
+++ b/frontends/cli/init.py
--- a/frontends/cli/main.py
+++ b/frontends/cli/main.py
--- a/frontends/web/.env.example
+++ b/frontends/web/.env.example
@@ -0,0 +1,16 @@
 # Stegasoo Web UI Configuration
 # Copy this file to .env and customize
 # Authentication (v4.0.2+)
 STEGASOO_AUTH_ENABLED=true
 STEGASOO_HTTPS_ENABLED=false
 STEGASOO_HOSTNAME=localhost
 STEGASOO_PORT=5000
 # Channel Key (format: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX)
 # Generate with: stegasoo generate --channel-key
 # Leave empty for public mode
 STEGASOO_CHANNEL_KEY=
 # Flask settings
 FLASK_ENV=production
--- a/frontends/web/README_subprocess.md
+++ b/frontends/web/README_subprocess.md
@@ -0,0 +1,62 @@
 # Subprocess Isolation for Stegasoo WebUI
 This update runs encode/decode/compare operations in isolated subprocesses
 to prevent jpegio/scipy crashes from taking down the Flask server.
 ## Files
 - **app.py** - Updated Flask app using subprocess isolation
 - **subprocess_stego.py** - Flask-side wrapper with clean API  
 - **stego_worker.py** - Subprocess script that does actual stegasoo operations
 ## Setup
 1. Place all three files in your `webui/` directory (same level as templates/)
 2. Make sure stego_worker.py is executable (optional):
   ```bash
   chmod +x stego_worker.py
   ```
 3. Run the Flask app:
   ```bash
   python app.py
   ```
 ## How It Works
 Instead of calling stegasoo functions directly in the Flask process:
 ```python
 # OLD (crashes could kill Flask)
 result = encode(...)
 ```
 We now run them in subprocesses:
 ```python
 # NEW (crashes only kill the subprocess)
 result = subprocess_stego.encode(...)
 ```
 If jpegio or scipy crashes due to memory corruption, only the subprocess
 dies. Flask logs the error and continues running. The next request spawns
 a fresh subprocess.
 ## Configuration
 In `app.py`, you can adjust the timeout:
 ```python
 subprocess_stego = SubprocessStego(timeout=180)  # 3 minutes
 ```
 Larger images may need longer timeouts.
 ## Troubleshooting
 If you see "Worker script not found" errors, make sure `stego_worker.py`
 is in the same directory as `app.py`.
 If subprocess operations fail, check the Flask logs for error details.
 The subprocess wrapper captures both stdout and stderr from the worker.
--- a/frontends/web/init.py
+++ b/frontends/web/init.py
--- a/frontends/web/app.py
+++ b/frontends/web/app.py
--- a/frontends/web/auth.py
+++ b/frontends/web/auth.py
@@ -0,0 +1,963 @@
 """
 Stegasoo Authentication Module (v4.1.0)
 Multi-user authentication with role-based access control.
 - Admin user created at first-run setup
 - Admin can create up to 16 additional users
 - Uses Argon2id password hashing
 - Flask sessions for authentication state
 - SQLite3 for user storage
 """
 import functools
 import secrets
 import sqlite3
 import string
 from dataclasses import dataclass
 from pathlib import Path
 from argon2 import PasswordHasher
 from argon2.exceptions import VerifyMismatchError
 from flask import current_app, flash, g, redirect, session, url_for
 # Argon2 password hasher (lighter than stegasoo's 256MB for faster login)
 ph = PasswordHasher(
    time_cost=3,
    memory_cost=65536,  # 64MB
    parallelism=4,
    hash_len=32,
    salt_len=16,
 )
 # Constants
 MAX_USERS = 16  # Plus 1 admin = 17 total
 MAX_CHANNEL_KEYS = 10  # Per user
 ROLE_ADMIN = "admin"
 ROLE_USER = "user"
@dataclass
 class User:
    """User data class."""
    id: int
    username: str
    role: str
    created_at: str
    @property
    def is_admin(self) -> bool:
        return self.role == ROLE_ADMIN
 def get_db_path() -> Path:
    """Get database path in Flask instance folder."""
    instance_path = Path(current_app.instance_path)
    instance_path.mkdir(parents=True, exist_ok=True)
    return instance_path / "stegasoo.db"
 def get_db() -> sqlite3.Connection:
    """Get database connection, cached on Flask g object."""
    if "db" not in g:
        g.db = sqlite3.connect(get_db_path())
        g.db.row_factory = sqlite3.Row
    return g.db
 def close_db(e=None):
    """Close database connection at end of request."""
    db = g.pop("db", None)
    if db is not None:
        db.close()
 def init_db():
    """Initialize database schema with migration support."""
    db = get_db()
    # Check if we need to migrate from old single-user schema
    cursor = db.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='admin_user'")
    has_old_table = cursor.fetchone() is not None
    cursor = db.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='users'")
    has_new_table = cursor.fetchone() is not None
    if has_old_table and not has_new_table:
        # Migrate from old schema
        _migrate_from_single_user(db)
    elif not has_new_table:
        # Fresh install - create new schema
        _create_schema(db)
    else:
        # Existing install - check for new tables (migrations)
        _ensure_channel_keys_table(db)
        _ensure_app_settings_table(db)
 def _create_schema(db: sqlite3.Connection):
    """Create the multi-user schema."""
    db.executescript("""
        CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL UNIQUE,
            password_hash TEXT NOT NULL,
            role TEXT NOT NULL DEFAULT 'user',
            created_at TEXT DEFAULT CURRENT_TIMESTAMP,
            updated_at TEXT DEFAULT CURRENT_TIMESTAMP
        );
        CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
        CREATE INDEX IF NOT EXISTS idx_users_role ON users(role);
        CREATE TABLE IF NOT EXISTS user_channel_keys (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_id INTEGER NOT NULL,
            name TEXT NOT NULL,
            channel_key TEXT NOT NULL,
            created_at TEXT DEFAULT CURRENT_TIMESTAMP,
            last_used_at TEXT,
            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
            UNIQUE(user_id, channel_key)
        );
        CREATE INDEX IF NOT EXISTS idx_channel_keys_user ON user_channel_keys(user_id);
        -- App-level settings (v4.1.0)
        -- Stores recovery key hash and other instance-wide settings
        CREATE TABLE IF NOT EXISTS app_settings (
            key TEXT PRIMARY KEY,
            value TEXT NOT NULL,
            created_at TEXT DEFAULT CURRENT_TIMESTAMP,
            updated_at TEXT DEFAULT CURRENT_TIMESTAMP
        );
    """)
    db.commit()
 def _migrate_from_single_user(db: sqlite3.Connection):
    """Migrate from old single-user admin_user table to multi-user users table."""
    # Create new table
    _create_schema(db)
    # Copy admin user from old table
    old_user = db.execute(
        "SELECT username, password_hash, created_at FROM admin_user WHERE id = 1"
    ).fetchone()
    if old_user:
        db.execute(
            """
            INSERT INTO users (username, password_hash, role, created_at)
            VALUES (?, ?, 'admin', ?)
            """,
            (old_user["username"], old_user["password_hash"], old_user["created_at"]),
        )
        db.commit()
    # Drop old table
    db.execute("DROP TABLE admin_user")
    db.commit()
 def _ensure_channel_keys_table(db: sqlite3.Connection):
    """Ensure user_channel_keys table exists (migration for existing installs)."""
    cursor = db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='user_channel_keys'"
    )
    if cursor.fetchone() is None:
        db.executescript("""
            CREATE TABLE IF NOT EXISTS user_channel_keys (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                user_id INTEGER NOT NULL,
                name TEXT NOT NULL,
                channel_key TEXT NOT NULL,
                created_at TEXT DEFAULT CURRENT_TIMESTAMP,
                last_used_at TEXT,
                FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
                UNIQUE(user_id, channel_key)
            );
            CREATE INDEX IF NOT EXISTS idx_channel_keys_user ON user_channel_keys(user_id);
        """)
        db.commit()
 def _ensure_app_settings_table(db: sqlite3.Connection):
    """Ensure app_settings table exists (v4.1.0 migration)."""
    cursor = db.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='app_settings'")
    if cursor.fetchone() is None:
        db.executescript("""
            CREATE TABLE IF NOT EXISTS app_settings (
                key TEXT PRIMARY KEY,
                value TEXT NOT NULL,
                created_at TEXT DEFAULT CURRENT_TIMESTAMP,
                updated_at TEXT DEFAULT CURRENT_TIMESTAMP
            );
        """)
        db.commit()
 # =============================================================================
 # App Settings (v4.1.0)
 # =============================================================================
 def get_app_setting(key: str) -> str | None:
    """Get an app-level setting value."""
    db = get_db()
    row = db.execute("SELECT value FROM app_settings WHERE key = ?", (key,)).fetchone()
    return row["value"] if row else None
 def set_app_setting(key: str, value: str) -> None:
    """Set an app-level setting value."""
    db = get_db()
    db.execute(
        """
        INSERT INTO app_settings (key, value)
        VALUES (?, ?)
        ON CONFLICT(key) DO UPDATE SET value = ?, updated_at = CURRENT_TIMESTAMP
        """,
        (key, value, value),
    )
    db.commit()
 def delete_app_setting(key: str) -> bool:
    """Delete an app-level setting. Returns True if deleted."""
    db = get_db()
    cursor = db.execute("DELETE FROM app_settings WHERE key = ?", (key,))
    db.commit()
    return cursor.rowcount > 0
 # =============================================================================
 # Recovery Key Management (v4.1.0)
 # =============================================================================
 # Setting key for recovery hash
 RECOVERY_KEY_SETTING = "recovery_key_hash"
 def has_recovery_key() -> bool:
    """Check if a recovery key has been configured."""
    return get_app_setting(RECOVERY_KEY_SETTING) is not None
 def get_recovery_key_hash() -> str | None:
    """Get the stored recovery key hash."""
    return get_app_setting(RECOVERY_KEY_SETTING)
 def set_recovery_key_hash(key_hash: str) -> None:
    """Store a recovery key hash."""
    set_app_setting(RECOVERY_KEY_SETTING, key_hash)
 def clear_recovery_key() -> bool:
    """Remove the recovery key. Returns True if removed."""
    return delete_app_setting(RECOVERY_KEY_SETTING)
 def verify_and_reset_admin_password(recovery_key: str, new_password: str) -> tuple[bool, str]:
    """
    Verify recovery key and reset the first admin's password.
    Args:
        recovery_key: User-provided recovery key
        new_password: New password to set
    Returns:
        (success, message) tuple
    """
    from stegasoo.recovery import verify_recovery_key
    stored_hash = get_recovery_key_hash()
    if not stored_hash:
        return False, "No recovery key configured for this instance"
    if not verify_recovery_key(recovery_key, stored_hash):
        return False, "Invalid recovery key"
    # Find first admin user
    db = get_db()
    admin = db.execute(
        "SELECT id, username FROM users WHERE role = 'admin' ORDER BY id LIMIT 1"
    ).fetchone()
    if not admin:
        return False, "No admin user found"
    # Reset password
    new_hash = ph.hash(new_password)
    db.execute(
        "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
        (new_hash, admin["id"]),
    )
    db.commit()
    # Invalidate all sessions for this user
    invalidate_user_sessions(admin["id"])
    return True, f"Password reset for '{admin['username']}'"
 # =============================================================================
 # User Queries
 # =============================================================================
 def any_users_exist() -> bool:
    """Check if any users have been created (for first-run detection)."""
    db = get_db()
    result = db.execute("SELECT 1 FROM users LIMIT 1").fetchone()
    return result is not None
 def user_exists() -> bool:
    """Alias for any_users_exist() for backwards compatibility."""
    return any_users_exist()
 def get_user_count() -> int:
    """Get total number of users."""
    db = get_db()
    result = db.execute("SELECT COUNT(*) FROM users").fetchone()
    return result[0] if result else 0
 def get_non_admin_count() -> int:
    """Get number of non-admin users."""
    db = get_db()
    result = db.execute("SELECT COUNT(*) FROM users WHERE role != 'admin'").fetchone()
    return result[0] if result else 0
 def can_create_user() -> bool:
    """Check if we can create more users (within limit)."""
    return get_non_admin_count() < MAX_USERS
 def get_user_by_id(user_id: int) -> User | None:
    """Get user by ID."""
    db = get_db()
    row = db.execute(
        "SELECT id, username, role, created_at FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row:
        return User(
            id=row["id"],
            username=row["username"],
            role=row["role"],
            created_at=row["created_at"],
        )
    return None
 def get_user_by_username(username: str) -> User | None:
    """Get user by username."""
    db = get_db()
    row = db.execute(
        "SELECT id, username, role, created_at FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row:
        return User(
            id=row["id"],
            username=row["username"],
            role=row["role"],
            created_at=row["created_at"],
        )
    return None
 def get_all_users() -> list[User]:
    """Get all users, admins first, then by creation date."""
    db = get_db()
    rows = db.execute("""
        SELECT id, username, role, created_at FROM users
        ORDER BY role = 'admin' DESC, created_at ASC
        """).fetchall()
    return [
        User(
            id=row["id"],
            username=row["username"],
            role=row["role"],
            created_at=row["created_at"],
        )
        for row in rows
    ]
 def get_current_user() -> User | None:
    """Get the currently logged-in user from session."""
    user_id = session.get("user_id")
    if user_id:
        return get_user_by_id(user_id)
    return None
 def get_username() -> str:
    """Get current user's username (backwards compatibility)."""
    user = get_current_user()
    return user.username if user else "unknown"
 # =============================================================================
 # Authentication
 # =============================================================================
 def verify_user_password(username: str, password: str) -> User | None:
    """
    Verify password for a user.
    Returns User if valid, None if invalid.
    Also rehashes password if needed.
    """
    db = get_db()
    row = db.execute(
        "SELECT id, username, role, created_at, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if not row:
        return None
    try:
        ph.verify(row["password_hash"], password)
        # Rehash if parameters changed
        if ph.check_needs_rehash(row["password_hash"]):
            new_hash = ph.hash(password)
            db.execute(
                "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
                (new_hash, row["id"]),
            )
            db.commit()
        return User(
            id=row["id"],
            username=row["username"],
            role=row["role"],
            created_at=row["created_at"],
        )
    except VerifyMismatchError:
        return None
 def verify_password(password: str) -> bool:
    """Verify password for current user (backwards compatibility)."""
    user = get_current_user()
    if not user:
        return False
    result = verify_user_password(user.username, password)
    return result is not None
 def is_authenticated() -> bool:
    """Check if current session is authenticated."""
    return session.get("user_id") is not None
 def is_admin() -> bool:
    """Check if current user is an admin."""
    user = get_current_user()
    return user.is_admin if user else False
 def login_user(user: User):
    """Set up session for logged-in user."""
    session["user_id"] = user.id
    session["username"] = user.username
    session["role"] = user.role
    # Legacy compatibility
    session["authenticated"] = True
 def logout_user():
    """Clear session for logout."""
    session.clear()
 # =============================================================================
 # User Management
 # =============================================================================
 def generate_temp_password(length: int = 8) -> str:
    """Generate a random temporary password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
 def validate_username(username: str) -> tuple[bool, str]:
    """
    Validate username format.
    Rules: 3-80 chars, alphanumeric + underscore/hyphen + @/. for email-style
    """
    if not username:
        return False, "Username is required"
    if len(username) < 3:
        return False, "Username must be at least 3 characters"
    if len(username) > 80:
        return False, "Username must be at most 80 characters"
    # Allow: alphanumeric, underscore, hyphen, @, . (for email-style)
    allowed = set(string.ascii_letters + string.digits + "_-@.")
    if not all(c in allowed for c in username):
        return False, "Username can only contain letters, numbers, underscore, hyphen, @ and ."
    # Must start with letter or number
    if username[0] not in string.ascii_letters + string.digits:
        return False, "Username must start with a letter or number"
    return True, ""
 def validate_password(password: str) -> tuple[bool, str]:
    """Validate password requirements."""
    if not password:
        return False, "Password is required"
    if len(password) < 8:
        return False, "Password must be at least 8 characters"
    return True, ""
 def create_user(
    username: str, password: str, role: str = ROLE_USER
 ) -> tuple[bool, str, User | None]:
    """
    Create a new user.
    Returns (success, message, user).
    """
    # Validate username
    valid, msg = validate_username(username)
    if not valid:
        return False, msg, None
    # Validate password
    valid, msg = validate_password(password)
    if not valid:
        return False, msg, None
    # Check if username already exists
    if get_user_by_username(username):
        return False, "Username already exists", None
    # Check user limit (only for non-admin users)
    if role != ROLE_ADMIN and not can_create_user():
        return False, f"Maximum of {MAX_USERS} users reached", None
    # Create user
    password_hash = ph.hash(password)
    db = get_db()
    try:
        cursor = db.execute(
            """
            INSERT INTO users (username, password_hash, role)
            VALUES (?, ?, ?)
            """,
            (username, password_hash, role),
        )
        db.commit()
        user = get_user_by_id(cursor.lastrowid)
        return True, "User created successfully", user
    except sqlite3.IntegrityError:
        return False, "Username already exists", None
 def create_admin_user(username: str, password: str) -> tuple[bool, str]:
    """Create the initial admin user (first-run setup)."""
    if any_users_exist():
        return False, "Admin user already exists"
    success, msg, _ = create_user(username, password, ROLE_ADMIN)
    return success, msg
 def change_password(user_id: int, current_password: str, new_password: str) -> tuple[bool, str]:
    """Change a user's password (requires current password)."""
    user = get_user_by_id(user_id)
    if not user:
        return False, "User not found"
    # Verify current password
    if not verify_user_password(user.username, current_password):
        return False, "Current password is incorrect"
    # Validate new password
    valid, msg = validate_password(new_password)
    if not valid:
        return False, msg
    # Update password
    new_hash = ph.hash(new_password)
    db = get_db()
    db.execute(
        "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
        (new_hash, user_id),
    )
    db.commit()
    return True, "Password changed successfully"
 def reset_user_password(user_id: int, new_password: str) -> tuple[bool, str]:
    """Reset a user's password (admin function, no current password required)."""
    user = get_user_by_id(user_id)
    if not user:
        return False, "User not found"
    # Validate new password
    valid, msg = validate_password(new_password)
    if not valid:
        return False, msg
    # Update password
    new_hash = ph.hash(new_password)
    db = get_db()
    db.execute(
        "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
        (new_hash, user_id),
    )
    db.commit()
    # Invalidate user's sessions
    invalidate_user_sessions(user_id)
    return True, "Password reset successfully"
 def delete_user(user_id: int, current_user_id: int) -> tuple[bool, str]:
    """
    Delete a user.
    Cannot delete yourself or the last admin.
    """
    if user_id == current_user_id:
        return False, "Cannot delete yourself"
    user = get_user_by_id(user_id)
    if not user:
        return False, "User not found"
    # Check if this is the last admin
    if user.role == ROLE_ADMIN:
        db = get_db()
        admin_count = db.execute("SELECT COUNT(*) FROM users WHERE role = 'admin'").fetchone()[0]
        if admin_count <= 1:
            return False, "Cannot delete the last admin"
    # Invalidate user's sessions before deletion
    invalidate_user_sessions(user_id)
    # Delete user
    db = get_db()
    db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    db.commit()
    return True, f"User '{user.username}' deleted"
 def invalidate_user_sessions(user_id: int):
    """
    Invalidate all sessions for a user.
    This is called when a user is deleted or their password is reset.
    Since we use server-side sessions, we increment a "session version"
    that's checked on each request.
    """
    # For Flask's default session (client-side), we can't truly invalidate.
    # But we can add a check - store a "valid_from" timestamp in the DB
    # and compare against session creation time.
    #
    # For now, we'll use a simpler approach: store invalidated user IDs
    # in app config (memory) which gets checked by login_required.
    #
    # This works for single-process deployments (like RPi).
    # For multi-process, would need Redis or DB-backed sessions.
    if "invalidated_users" not in current_app.config:
        current_app.config["invalidated_users"] = set()
    current_app.config["invalidated_users"].add(user_id)
 def is_session_valid() -> bool:
    """Check if current session is still valid (user not deleted/invalidated)."""
    user_id = session.get("user_id")
    if not user_id:
        return False
    # Check if user was invalidated
    invalidated = current_app.config.get("invalidated_users", set())
    if user_id in invalidated:
        return False
    # Check if user still exists
    if not get_user_by_id(user_id):
        return False
    return True
 # =============================================================================
 # Channel Keys
 # =============================================================================
@dataclass
 class ChannelKey:
    """Saved channel key data class."""
    id: int
    user_id: int
    name: str
    channel_key: str
    created_at: str
    last_used_at: str | None
 def get_user_channel_keys(user_id: int) -> list[ChannelKey]:
    """Get all saved channel keys for a user, most recently used first."""
    db = get_db()
    rows = db.execute(
        """
        SELECT id, user_id, name, channel_key, created_at, last_used_at
        FROM user_channel_keys
        WHERE user_id = ?
        ORDER BY last_used_at DESC NULLS LAST, created_at DESC
        """,
        (user_id,),
    ).fetchall()
    return [
        ChannelKey(
            id=row["id"],
            user_id=row["user_id"],
            name=row["name"],
            channel_key=row["channel_key"],
            created_at=row["created_at"],
            last_used_at=row["last_used_at"],
        )
        for row in rows
    ]
 def get_channel_key_by_id(key_id: int, user_id: int) -> ChannelKey | None:
    """Get a specific channel key (ensures user owns it)."""
    db = get_db()
    row = db.execute(
        """
        SELECT id, user_id, name, channel_key, created_at, last_used_at
        FROM user_channel_keys
        WHERE id = ? AND user_id = ?
        """,
        (key_id, user_id),
    ).fetchone()
    if row:
        return ChannelKey(
            id=row["id"],
            user_id=row["user_id"],
            name=row["name"],
            channel_key=row["channel_key"],
            created_at=row["created_at"],
            last_used_at=row["last_used_at"],
        )
    return None
 def get_channel_key_count(user_id: int) -> int:
    """Get count of saved channel keys for a user."""
    db = get_db()
    result = db.execute(
        "SELECT COUNT(*) FROM user_channel_keys WHERE user_id = ?", (user_id,)
    ).fetchone()
    return result[0] if result else 0
 def can_save_channel_key(user_id: int) -> bool:
    """Check if user can save more channel keys (within limit)."""
    return get_channel_key_count(user_id) < MAX_CHANNEL_KEYS
 def save_channel_key(
    user_id: int, name: str, channel_key: str
 ) -> tuple[bool, str, ChannelKey | None]:
    """
    Save a channel key for a user.
    Returns (success, message, key).
    """
    # Validate name
    name = name.strip()
    if not name:
        return False, "Key name is required", None
    if len(name) > 50:
        return False, "Key name must be at most 50 characters", None
    # Validate channel key format (hex string)
    channel_key = channel_key.strip().lower()
    if not channel_key:
        return False, "Channel key is required", None
    if not all(c in "0123456789abcdef" for c in channel_key):
        return False, "Invalid channel key format", None
    # Check limit
    if not can_save_channel_key(user_id):
        return False, f"Maximum of {MAX_CHANNEL_KEYS} saved keys reached", None
    db = get_db()
    try:
        cursor = db.execute(
            """
            INSERT INTO user_channel_keys (user_id, name, channel_key)
            VALUES (?, ?, ?)
            """,
            (user_id, name, channel_key),
        )
        db.commit()
        key = get_channel_key_by_id(cursor.lastrowid, user_id)
        return True, "Channel key saved", key
    except sqlite3.IntegrityError:
        return False, "This channel key is already saved", None
 def update_channel_key_name(key_id: int, user_id: int, new_name: str) -> tuple[bool, str]:
    """Update the name of a saved channel key."""
    new_name = new_name.strip()
    if not new_name:
        return False, "Key name is required"
    if len(new_name) > 50:
        return False, "Key name must be at most 50 characters"
    key = get_channel_key_by_id(key_id, user_id)
    if not key:
        return False, "Channel key not found"
    db = get_db()
    db.execute(
        "UPDATE user_channel_keys SET name = ? WHERE id = ? AND user_id = ?",
        (new_name, key_id, user_id),
    )
    db.commit()
    return True, "Key name updated"
 def update_channel_key_last_used(key_id: int, user_id: int):
    """Update the last_used_at timestamp for a channel key."""
    db = get_db()
    db.execute(
        """
        UPDATE user_channel_keys
        SET last_used_at = CURRENT_TIMESTAMP
        WHERE id = ? AND user_id = ?
        """,
        (key_id, user_id),
    )
    db.commit()
 def delete_channel_key(key_id: int, user_id: int) -> tuple[bool, str]:
    """Delete a saved channel key."""
    key = get_channel_key_by_id(key_id, user_id)
    if not key:
        return False, "Channel key not found"
    db = get_db()
    db.execute(
        "DELETE FROM user_channel_keys WHERE id = ? AND user_id = ?",
        (key_id, user_id),
    )
    db.commit()
    return True, f"Key '{key.name}' deleted"
 # =============================================================================
 # Decorators
 # =============================================================================
 def login_required(f):
    """Decorator to require login for a route."""
    @functools.wraps(f)
    def decorated_function(*args, **kwargs):
        # Check if auth is enabled
        if not current_app.config.get("AUTH_ENABLED", True):
            return f(*args, **kwargs)
        # Check for first-run setup
        if not any_users_exist():
            return redirect(url_for("setup"))
        # Check authentication
        if not is_authenticated():
            return redirect(url_for("login"))
        # Check if session is still valid (user not deleted)
        if not is_session_valid():
            logout_user()
            flash("Your session has expired. Please log in again.", "warning")
            return redirect(url_for("login"))
        return f(*args, **kwargs)
    return decorated_function
 def admin_required(f):
    """Decorator to require admin role for a route."""
    @functools.wraps(f)
    def decorated_function(*args, **kwargs):
        # Check if auth is enabled
        if not current_app.config.get("AUTH_ENABLED", True):
            return f(*args, **kwargs)
        # Check for first-run setup
        if not any_users_exist():
            return redirect(url_for("setup"))
        # Check authentication
        if not is_authenticated():
            return redirect(url_for("login"))
        # Check if session is still valid
        if not is_session_valid():
            logout_user()
            flash("Your session has expired. Please log in again.", "warning")
            return redirect(url_for("login"))
        # Check admin role
        if not is_admin():
            flash("Admin access required", "error")
            return redirect(url_for("index"))
        return f(*args, **kwargs)
    return decorated_function
 # =============================================================================
 # App Initialization
 # =============================================================================
 def init_app(app):
    """Initialize auth module with Flask app."""
    app.teardown_appcontext(close_db)
    with app.app_context():
        init_db()
--- a/frontends/web/dev_run.sh
+++ b/frontends/web/dev_run.sh
@@ -0,0 +1,52 @@
 #!/bin/bash
 # Stegasoo Web Frontend - Development Runner
 # Press 'r' to restart, 'q' to quit (single keypress, no Enter needed)
 cd "$(dirname "$0")"
 PID=""
 cleanup() {
    echo -e "\n\033[33mShutting down...\033[0m"
    [[ -n "$PID" ]] && kill "$PID" 2>/dev/null
    stty sane 2>/dev/null
    exit 0
 }
 trap cleanup SIGINT SIGTERM EXIT
 start_server() {
    clear
    echo -e "\033[36m┌──────────────────────────────────────┐\033[0m"
    echo -e "\033[36m│  Stegasoo Dev Server                 │\033[0m"
    echo -e "\033[36m│  \033[0m[r] restart  [q] quit\033[36m              │\033[0m"
    echo -e "\033[36m└──────────────────────────────────────┘\033[0m"
    pkill -f "python app.py" 2>/dev/null
    sleep 0.3
    python app.py 2>&1 &
    PID=$!
    echo -e "\033[32m✓ Running on http://localhost:5000 (PID: $PID)\033[0m\n"
 }
 start_server
 # Single keypress mode
 stty -echo -icanon time 0 min 0
 while true; do
    key=$(dd bs=1 count=1 2>/dev/null)
    case "$key" in
        r|R) start_server ;;
        q|Q) cleanup ;;
    esac
    # Check if crashed
    if [[ -n "$PID" ]] && ! kill -0 "$PID" 2>/dev/null; then
        echo -e "\033[31m✗ Crashed! Press 'r' to restart\033[0m"
        PID=""
    fi
    sleep 0.1
 done
--- a/frontends/web/docker-entrypoint.sh
+++ b/frontends/web/docker-entrypoint.sh
@@ -0,0 +1,75 @@
 #!/bin/bash
 #
 # Docker entrypoint for Stegasoo Web UI
 # Handles SSL certificate generation and gunicorn startup
 #
 # Supports mkcert for browser-trusted certificates (no warning screen)
 #
 set -e
 CERT_DIR="/app/frontends/web/certs"
 CERT_FILE="$CERT_DIR/cert.pem"
 KEY_FILE="$CERT_DIR/key.pem"
 HOSTNAME="${STEGASOO_HOSTNAME:-localhost}"
 # Generate SSL certificates
 # Priority: 1) Existing certs, 2) mkcert (trusted), 3) openssl (self-signed)
 generate_certs() {
    if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
        echo "Using existing SSL certificates."
        return
    fi
    mkdir -p "$CERT_DIR"
    # Try mkcert first (creates browser-trusted certs)
    if command -v mkcert &> /dev/null; then
        echo "Generating trusted certificate with mkcert for $HOSTNAME..."
        cd "$CERT_DIR"
        mkcert -key-file key.pem -cert-file cert.pem "$HOSTNAME" localhost 127.0.0.1 ::1
        echo "Trusted certificate generated."
        echo ""
        echo "  To trust on other devices, install the CA cert from:"
        echo "  $(mkcert -CAROOT)/rootCA.pem"
        echo ""
        return
    fi
    # Fallback to self-signed (shows browser warning)
    echo "Generating self-signed SSL certificate for $HOSTNAME..."
    echo "(Install mkcert for browser-trusted certs without warnings)"
    openssl req -x509 -newkey rsa:2048 \
        -keyout "$KEY_FILE" \
        -out "$CERT_FILE" \
        -sha256 -days 365 -nodes \
        -subj "/CN=$HOSTNAME" \
        -addext "subjectAltName=DNS:$HOSTNAME,DNS:localhost,IP:127.0.0.1" \
        2>/dev/null
    echo "Self-signed certificate generated."
 }
 # Start gunicorn with appropriate settings
 if [ "${STEGASOO_HTTPS_ENABLED:-false}" = "true" ]; then
    echo "HTTPS mode enabled"
    generate_certs
    exec gunicorn \
        --bind 0.0.0.0:5000 \
        --workers 2 \
        --threads 4 \
        --timeout 120 \
        --certfile "$CERT_FILE" \
        --keyfile "$KEY_FILE" \
        app:app
 else
    echo "HTTP mode (HTTPS disabled)"
    exec gunicorn \
        --bind 0.0.0.0:5000 \
        --workers 2 \
        --threads 4 \
        --timeout 120 \
        app:app
 fi
--- a/frontends/web/ssl_utils.py
+++ b/frontends/web/ssl_utils.py
@@ -0,0 +1,155 @@
 """
 SSL Certificate Utilities
 Auto-generates self-signed certificates for HTTPS.
 Uses cryptography library (already a dependency).
 """
 import datetime
 import ipaddress
 import socket
 from pathlib import Path
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.x509.oid import NameOID
 def _get_local_ips() -> list[str]:
    """Get local IP addresses for this machine."""
    ips = []
    try:
        # Get hostname and resolve to IP
        hostname = socket.gethostname()
        for addr_info in socket.getaddrinfo(hostname, None, socket.AF_INET):
            ip = addr_info[4][0]
            if ip not in ips and not ip.startswith("127."):
                ips.append(ip)
    except Exception:
        pass
    # Also try connecting to external to get primary interface IP
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(("8.8.8.8", 80))
        ip = s.getsockname()[0]
        if ip not in ips:
            ips.append(ip)
        s.close()
    except Exception:
        pass
    return ips
 def get_cert_paths(base_dir: Path) -> tuple[Path, Path]:
    """Get paths for cert and key files."""
    cert_dir = base_dir / "certs"
    cert_dir.mkdir(parents=True, exist_ok=True)
    return cert_dir / "server.crt", cert_dir / "server.key"
 def certs_exist(base_dir: Path) -> bool:
    """Check if both cert files exist."""
    cert_path, key_path = get_cert_paths(base_dir)
    return cert_path.exists() and key_path.exists()
 def generate_self_signed_cert(
    base_dir: Path,
    hostname: str = "localhost",
    days_valid: int = 365,
 ) -> tuple[Path, Path]:
    """
    Generate self-signed SSL certificate.
    Args:
        base_dir: Base directory for certs folder
        hostname: Server hostname for certificate
        days_valid: Certificate validity in days
    Returns:
        Tuple of (cert_path, key_path)
    """
    cert_path, key_path = get_cert_paths(base_dir)
    # Generate RSA key
    key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
    )
    # Create certificate
    subject = issuer = x509.Name(
        [
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Stegasoo"),
            x509.NameAttribute(NameOID.COMMON_NAME, hostname),
        ]
    )
    # Subject Alternative Names
    san_list = [
        x509.DNSName(hostname),
        x509.DNSName("localhost"),
        x509.IPAddress(ipaddress.IPv4Address("127.0.0.1")),
    ]
    # Add hostname.local for mDNS access
    if not hostname.endswith(".local"):
        san_list.append(x509.DNSName(f"{hostname}.local"))
    # Add the hostname as IP if it looks like one
    try:
        san_list.append(x509.IPAddress(ipaddress.IPv4Address(hostname)))
    except ipaddress.AddressValueError:
        pass
    # Add local network IPs
    for local_ip in _get_local_ips():
        try:
            ip_addr = ipaddress.IPv4Address(local_ip)
            if x509.IPAddress(ip_addr) not in san_list:
                san_list.append(x509.IPAddress(ip_addr))
        except (ipaddress.AddressValueError, ValueError):
            pass
    now = datetime.datetime.now(datetime.UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days_valid))
        .add_extension(
            x509.SubjectAlternativeName(san_list),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    # Write key file (chmod 600)
    key_path.write_bytes(
        key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        )
    )
    key_path.chmod(0o600)
    # Write cert file
    cert_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    return cert_path, key_path
 def ensure_certs(base_dir: Path, hostname: str = "localhost") -> tuple[Path, Path]:
    """Ensure certificates exist, generating if needed."""
    if certs_exist(base_dir):
        return get_cert_paths(base_dir)
    print(f"Generating self-signed SSL certificate for {hostname}...")
    return generate_self_signed_cert(base_dir, hostname)
--- a/frontends/web/static/js/auth.js
+++ b/frontends/web/static/js/auth.js
@@ -0,0 +1,142 @@
 /**
 * Stegasoo Authentication Pages JavaScript
 * Handles login, setup, account, and admin user management pages
 */
 const StegasooAuth = {
    // ========================================================================
    // PASSWORD VISIBILITY TOGGLE
    // ========================================================================
    /**
     * Toggle password field visibility
     * @param {string} inputId - ID of the password input
     * @param {HTMLElement} btn - The toggle button element
     */
    togglePassword(inputId, btn) {
        const input = document.getElementById(inputId);
        const icon = btn.querySelector('i');
        if (!input) return;
        if (input.type === 'password') {
            input.type = 'text';
            icon?.classList.replace('bi-eye', 'bi-eye-slash');
        } else {
            input.type = 'password';
            icon?.classList.replace('bi-eye-slash', 'bi-eye');
        }
    },
    // ========================================================================
    // PASSWORD CONFIRMATION VALIDATION
    // ========================================================================
    /**
     * Initialize password confirmation validation on a form
     * @param {string} formId - ID of the form
     * @param {string} passwordId - ID of the password field
     * @param {string} confirmId - ID of the confirmation field
     */
    initPasswordConfirmation(formId, passwordId, confirmId) {
        const form = document.getElementById(formId);
        if (!form) return;
        form.addEventListener('submit', function(e) {
            const password = document.getElementById(passwordId)?.value;
            const confirm = document.getElementById(confirmId)?.value;
            if (password !== confirm) {
                e.preventDefault();
                alert('Passwords do not match');
            }
        });
    },
    // ========================================================================
    // COPY TO CLIPBOARD
    // ========================================================================
    /**
     * Copy field value to clipboard with visual feedback
     * @param {string} fieldId - ID of the input field to copy
     */
    copyField(fieldId) {
        const field = document.getElementById(fieldId);
        if (!field) return;
        field.select();
        navigator.clipboard.writeText(field.value).then(() => {
            const btn = field.nextElementSibling;
            if (!btn) return;
            const originalHTML = btn.innerHTML;
            btn.innerHTML = '<i class="bi bi-check"></i>';
            setTimeout(() => btn.innerHTML = originalHTML, 1000);
        });
    },
    // ========================================================================
    // PASSWORD GENERATION
    // ========================================================================
    /**
     * Generate a random password
     * @param {number} length - Password length (default 8)
     * @returns {string} Generated password
     */
    generatePassword(length = 8) {
        const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        let password = '';
        for (let i = 0; i < length; i++) {
            password += chars.charAt(Math.floor(Math.random() * chars.length));
        }
        return password;
    },
    /**
     * Regenerate password and update input field
     * @param {string} inputId - ID of the password input
     * @param {number} length - Password length
     */
    regeneratePassword(inputId = 'passwordInput', length = 8) {
        const input = document.getElementById(inputId);
        if (input) {
            input.value = this.generatePassword(length);
        }
    },
    // ========================================================================
    // DELETE CONFIRMATION
    // ========================================================================
    /**
     * Confirm deletion with a prompt
     * @param {string} itemName - Name of item being deleted
     * @param {string} formId - ID of the form to submit if confirmed
     * @returns {boolean} True if confirmed
     */
    confirmDelete(itemName, formId = null) {
        const confirmed = confirm(`Are you sure you want to delete "${itemName}"? This cannot be undone.`);
        if (confirmed && formId) {
            const form = document.getElementById(formId);
            form?.submit();
        }
        return confirmed;
    }
 };
 // Make togglePassword available globally for onclick handlers
 function togglePassword(inputId, btn) {
    StegasooAuth.togglePassword(inputId, btn);
 }
 // Make copyField available globally for onclick handlers
 function copyField(fieldId) {
    StegasooAuth.copyField(fieldId);
 }
 // Make regeneratePassword available globally for onclick handlers
 function regeneratePassword() {
    StegasooAuth.regeneratePassword();
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`"""Sentiment analysis agent powered by Claude Agent SDK."""`

							`__version__ = "0.1.0"`
		`@@ -0,0 +1 @@`
							`"""API clients for social media and forum data sources."""`