Remove instance/ from tracking, fix ruff lint errors

Security: - Remove instance/.secret_key and instance/stegasoo.db from git - Add instance/ to .gitignore (was only ignoring frontends/web/instance/) Lint fixes: - Remove unused imports in temp_storage.py (os, shutil) - Sort imports and fix f-string placeholders in cli.py 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename Pi tarball to stegasoo-rpi-runtime-env-arm64.tar.zst
2026-01-07 14:28:07 -05:00 · 2026-01-07 01:21:43 -05:00 · 2026-01-07 01:17:25 -05:00 · 2026-01-07 01:08:54 -05:00 · 2026-01-07 01:01:24 -05:00 · 2026-01-07 00:58:55 -05:00
101 changed files with 16303 additions and 5444 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,53 @@
+# Git
+.git
+.gitignore
+
+# Python
+__pycache__
+*.py[cod]
+*.egg-info
+.eggs
+venv/
+.venv/
+
+# Instance data (user creates fresh)
+frontends/web/instance/
+frontends/web/certs/
+instance/
+
+# Test data
+test_data/
+tests/
+
+# Pi-specific
+rpi/
+*.img
+*.img.xz
+*.img.zst
+*.img.zst.zip
+pishrink.sh
+
+# Docs
+*.md
+docs/
+
+# IDE
+.vscode/
+.idea/
+
+# Misc
+*.log
+*.tmp
+.DS_Store
+
+# Dev scripts and old files
+scripts/
+old_files/
+*_old
+*_old.*
+*.bak
+*.orig
+
+# Temp files
+frontends/web/temp_files/
+*.db
--- a/.gitignore
+++ b/.gitignore
@@ -54,7 +54,7 @@ htmlcov/

 # Environment
 .env
-.env.*
+.env.local
 *.log

 # Distribution
@@ -64,12 +64,32 @@ htmlcov/
 # Output test files.
 test_data/*.png

-# Dev scripts (local convenience scripts)
-build.sh
-rbld_containers.sh
-quick_web.sh
-project_stats.sh
+# Dev scripts (local convenience scripts - except validate-release.sh)
+scripts/*
+!scripts/validate-release.sh

 # Web UI auth database and SSL certs
+instance/
 frontends/web/instance/
 frontends/web/certs/
+
+# Tests (private)
+tests/
+
+# RPi image build artifacts
+*.img
+*.img.xz
+*.img.zst
+pishrink.sh
+*.img.zst.zip
+
+# Temp file storage
+frontends/web/temp_files/
+rpi/config.json
+
+# Pre-built Pi tarballs and images (release assets, too large for git)
+rpi/*.tar.zst
+rpi/*.tar.zst.zip
+rpi/*.img
+rpi/*.img.zst
+rpi/*.img.zst.zip
--- a/.python-version
+++ b/.python-version
@@ -1 +1 @@
-3.12.0
+3.12
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,97 @@ All notable changes to Stegasoo will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org).

+## [4.1.5] - 2026-01-07
+
+### Added
+- **Developer Documentation**: Educational comments throughout core modules
+  - DCT module: zig-zag diagrams, QIM explanation, Reed-Solomon deep dive
+  - LSB module: visual bit embedding examples, ChaCha20 pixel selection
+  - Crypto module: multi-factor KDF flow diagrams, Argon2id reasoning
+  - CLI module: Click patterns (groups, JSON output, secure input)
+  - Web UI module: Flask architecture, subprocess isolation, async jobs
+- **Pi Test Automation**: `rpi/kickoff-pi-test.sh` script
+  - One command to flash, wait for boot, setup, and smoke test
+  - Self-contained (no dotfile dependencies)
+- **v4.2 Wishlist**: `WISHLIST-4.2.md` for blue-sky ideas (GPU acceleration)
+
+### Changed
+- **Pi MOTD Improvements**:
+  - Dynamic temperature emoji (ice/cool/fire based on temp)
+  - Rocket emoji for service status, globe emoji for URL
+  - Shortened Debian boilerplate message
+  - Fixed escaped variable syntax in heredoc
+
+## [4.1.3] - 2026-01-05
+
+### Added
+- **Docker Deployment**: Production-ready containerization
+  - `docker-compose.yml` for Web UI (port 5000) and REST API (port 8000)
+  - Multi-stage builds with base image for faster rebuilds
+  - Health checks, resource limits (768MB), and volume persistence
+  - Comprehensive `DOCKER.md` documentation
+- **Raspberry Pi First-Boot Wizard**: Interactive TUI setup experience
+  - `gum` TUI toolkit for styled prompts and spinners
+  - WiFi configuration, HTTPS setup, channel key generation
+  - Overclock presets (Pi 5: 2.8/3.0 GHz with cooling recommendations)
+  - Port 443 redirect option for clean HTTPS URLs
+  - Styled banners with purple→blue gradient and gold logo
+- **Pi Image Distribution**: Scripts for SD card imaging
+  - `sanitize-for-image.sh` removes credentials, SSH keys, user data
+  - Soft reset mode for testing without clearing WiFi
+  - Auto-validates sanitization before imaging
+- **Unit Tests**: Comprehensive pytest test suite
+  - Tests for encode/decode, LSB/DCT modes, channel keys
+  - Validation, generation, compression, edge cases
+  - 29 tests covering core library functionality
+- **Release Validation**: `scripts/validate-release.sh` for pre-release checks
+- **Custom SSL Documentation**: Guide for replacing certs, Let's Encrypt setup
+
+### Changed
+- Pi MOTD shows CPU speed and temperature when overclocked
+- Mobile UI polish and responsive improvements
+- Standardized ASCII banners across all Pi scripts
+- Setup script uses pyenv for Python 3.12 (Pi OS ships 3.13)
+
+### Fixed
+- **SSL certificate generation**: Wizard and setup now generate certs when HTTPS enabled
+- DCT decode reliability improvements
+- Fixed `gum --inline` flag compatibility (not supported in all versions)
+- Wizard banner alignment and spacing issues
+- Better error handling in app.py for SSL failures
+
+## [4.1.0] - 2026-01-04
+
+### Added
+- **Admin Recovery System**: Password reset for locked-out admins
+  - Recovery key generated during setup (32-char alphanumeric)
+  - Multiple backup options: text file, QR code, stego image
+  - QR codes obfuscated (XOR'd with magic header hash)
+  - Stego backups hide key in an image using Stegasoo itself
+  - CLI: `stegasoo admin recover --db path/to/db`
+- **EXIF Editor**: Full metadata editing in Tools page
+  - View all EXIF fields from uploaded image
+  - Inline editing of individual fields
+  - Clear all metadata with one click
+  - Download cleaned image
+  - CLI: `stegasoo tools exif image.jpg [--clear] [--set Field=Value]`
+- **Multi-User Support**: Admin can create up to 16 additional users
+  - Role-based access control (admin/user)
+  - Admin user management page
+  - Temp password generation for new users
+- **Saved Channel Keys**: Users can save/manage channel keys in account page
+
+### Changed
+- **Architecture**: Consolidated `resolve_channel_key()` to library layer
+  - Single source of truth in `src/stegasoo/channel.py`
+  - CLI, API, WebUI now use thin wrappers
+- **DCT Pre-Check**: Fail fast with helpful error before expensive encoding
+- **Toast Notifications**: Auto-dismiss after 20 seconds with fade animation
+- `RECOVERY_OBFUSCATION_KEY` constant added to `constants.py`
+
+### Fixed
+- DCT payload size error now caught early with clear message
+
 ## [4.0.2] - 2026-01-02

 ### Added
@@ -110,6 +201,9 @@ and this project adheres to [Semantic Versioning](https://semver.org).
 - CLI interface
 - Basic PIN authentication

+[4.1.5]: https://github.com/adlee-was-taken/stegasoo/compare/v4.1.3...v4.1.5
+[4.1.3]: https://github.com/adlee-was-taken/stegasoo/compare/v4.1.0...v4.1.3
+[4.1.0]: https://github.com/adlee-was-taken/stegasoo/compare/v4.0.2...v4.1.0
 [4.0.2]: https://github.com/adlee-was-taken/stegasoo/compare/v4.0.1...v4.0.2
 [4.0.1]: https://github.com/adlee-was-taken/stegasoo/compare/v4.0.0...v4.0.1
 [4.0.0]: https://github.com/adlee-was-taken/stegasoo/compare/v3.2.0...v4.0.0
--- a/CLI.md
+++ b/CLI.md
@@ -1,11 +1,11 @@
-# Stegasoo CLI Documentation (v4.0.2)
+# Stegasoo CLI Documentation (v4.1.0)

 Complete command-line interface reference for Stegasoo steganography operations.

 ## Table of Contents

 - [Installation](#installation)
- [What's New in v4.0.0](#whats-new-in-v400)
+- [What's New in v4.1.0](#whats-new-in-v410)
 - [Quick Start](#quick-start)
 - [Commands](#commands)
  - [generate](#generate-command)
@@ -13,10 +13,11 @@ Complete command-line interface reference for Stegasoo steganography operations.
  - [decode](#decode-command)
  - [verify](#verify-command)
  - [channel](#channel-command)
+  - [admin](#admin-command)
+  - [tools](#tools-command)
  - [info](#info-command)
  - [compare](#compare-command)
  - [modes](#modes-command)
-  - [strip-metadata](#strip-metadata-command)
 - [Channel Keys](#channel-keys)
 - [Embedding Modes](#embedding-modes)
 - [Security Factors](#security-factors)
@@ -65,9 +66,28 @@ stegasoo channel show

 ---

+## What's New in v4.1.0
+
+Version 4.1.0 adds **admin recovery** and **tools** commands:
+
+| Feature | Description |
+|---------|-------------|
+| Admin recovery | Reset admin password using recovery key |
+| EXIF tools | View, edit, and strip image metadata |
+| Peek tool | Quick stego detection check |
+| Strip tool | Remove hidden data from images |
+
+**New commands:**
+- `stegasoo admin recover` - Reset admin password with recovery key
+- `stegasoo tools exif` - View/edit EXIF metadata
+- `stegasoo tools peek` - Check for hidden data
+- `stegasoo tools strip` - Remove stego data from image
+
+---
+
 ## What's New in v4.0.0

-Version 4.0.0 adds **channel key** support for deployment/group isolation:
+Version 4.0.0 added **channel key** support for deployment/group isolation:

 | Feature | Description |
 |---------|-------------|
@@ -76,14 +96,6 @@ Version 4.0.0 adds **channel key** support for deployment/group isolation:
 | CLI management | New `stegasoo channel` command group |
 | Flexible override | Use server config, explicit key, or public mode |

-**Key benefits:**
- ✅ Isolate messages between teams, deployments, or groups
- ✅ Same credentials can't decode messages from different channels
- ✅ Backward compatible (public mode = no channel key)
- ✅ Easy key distribution via environment variables or config files
-
-**Breaking change:** v4.0.0 messages (with channel key) cannot be decoded by v3.x installations.
-
 ---

 ## Quick Start
@@ -495,12 +507,150 @@ Now also displays channel key status.

 ---

-### Strip-Metadata Command
+### Admin Command

-Remove all metadata from an image.
+Manage Web UI admin accounts and recovery.
+
+#### Subcommands
+
+| Subcommand | Description |
+|------------|-------------|
+| `recover` | Reset admin password using recovery key |
+
+#### admin recover
+
+Reset the admin password for a Web UI database.

 ```bash
-stegasoo strip-metadata IMAGE [OPTIONS]
+stegasoo admin recover --db PATH [OPTIONS]
+```
+
+| Option | Short | Type | Required | Description |
+|--------|-------|------|----------|-------------|
+| `--db` | `-d` | path | ✓ | Path to stegasoo.db file |
+| `--key` | `-k` | string | | Recovery key (prompted if not provided) |
+| `--password` | `-p` | string | | New password (prompted if not provided) |
+
+**Examples:**
+
+```bash
+# Interactive mode (prompts for key and password)
+stegasoo admin recover --db frontends/web/instance/stegasoo.db
+
+# Non-interactive mode
+stegasoo admin recover \
+  --db /path/to/stegasoo.db \
+  --key "XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX" \
+  --password "NewSecurePassword123"
+```
+
+**Recovery process:**
+1. The recovery key is verified against the database hash
+2. If valid, the admin password is reset
+3. User can now log in with the new password
+
+**Note:** Recovery keys are instance-bound. A key from one database won't work on another.
+
+---
+
+### Tools Command
+
+Image utilities and analysis tools.
+
+#### Subcommands
+
+| Subcommand | Description |
+|------------|-------------|
+| `exif` | View/edit EXIF metadata |
+| `peek` | Check for hidden data |
+| `strip` | Remove stego data from image |
+
+#### tools exif
+
+View and edit EXIF metadata in images.
+
+```bash
+stegasoo tools exif IMAGE [OPTIONS]
+```
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `--clear` | flag | Remove all EXIF metadata |
+| `--set FIELD=VALUE` | string | Set a specific EXIF field |
+| `--output` / `-o` | path | Output filename (default: overwrites input) |
+| `--json` | flag | Output as JSON |
+
+**Examples:**
+
+```bash
+# View all EXIF data
+stegasoo tools exif photo.jpg
+
+# View as JSON
+stegasoo tools exif photo.jpg --json
+
+# Clear all metadata
+stegasoo tools exif photo.jpg --clear -o clean.jpg
+
+# Set specific fields
+stegasoo tools exif photo.jpg \
+  --set "Artist=John Doe" \
+  --set "Copyright=2026" \
+  -o tagged.jpg
+
+# Remove GPS data only
+stegasoo tools exif photo.jpg \
+  --set "GPSLatitude=" \
+  --set "GPSLongitude=" \
+  -o no-gps.jpg
+```
+
+#### tools peek
+
+Check if an image contains hidden Stegasoo data.
+
+```bash
+stegasoo tools peek IMAGE [OPTIONS]
+```
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `--json` | flag | Output as JSON |
+| `--quiet` / `-q` | flag | Exit code only (0=found, 1=not found) |
+
+**Examples:**
+
+```bash
+# Check for hidden data
+stegasoo tools peek suspicious.png
+
+# Script-friendly check
+if stegasoo tools peek image.png -q; then
+  echo "Contains hidden data"
+fi
+```
+
+#### tools strip
+
+Remove hidden stego data from an image (destructive).
+
+```bash
+stegasoo tools strip IMAGE [OPTIONS]
+```
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `--output` / `-o` | path | Output filename |
+| `--force` / `-f` | flag | Overwrite without confirmation |
+
+**Examples:**
+
+```bash
+# Strip and save to new file
+stegasoo tools strip stego.png -o clean.png
+
+# Strip in place (with confirmation)
+stegasoo tools strip stego.png
 ```

 ---
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -6,7 +6,7 @@ Thank you for your interest in contributing to Stegasoo! This document provides

 ### Prerequisites

- Python 3.10 or higher
+- Python 3.10 - 3.12
 - Git
 - Docker (optional, for container testing)

--- a/DOCKER.md
+++ b/DOCKER.md
@@ -0,0 +1,153 @@
+# Docker Deployment
+
+Stegasoo provides Docker images for both the Web UI and REST API.
+
+## Quick Start
+
+```bash
+# Build and start all services
+docker-compose up -d
+
+# Check status
+docker-compose ps
+```
+
+Access:
+- **Web UI**: http://localhost:5000
+- **REST API**: http://localhost:8000
+
+## Services
+
+| Service | Port | Description |
+|---------|------|-------------|
+| `web` | 5000 | Flask Web UI with authentication |
+| `api` | 8000 | FastAPI REST API |
+
+## Configuration
+
+### Environment Variables
+
+Create a `.env` file or set these variables:
+
+```bash
+# Channel key for private group communication (optional)
+STEGASOO_CHANNEL_KEY=XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
+
+# Web UI authentication (default: enabled)
+STEGASOO_AUTH_ENABLED=true
+
+# HTTPS support (default: disabled)
+STEGASOO_HTTPS_ENABLED=false
+STEGASOO_HOSTNAME=localhost
+```
+
+### Volume Mounts
+
+Persistent data is stored in Docker volumes:
+
+| Volume | Purpose |
+|--------|---------|
+| `stegasoo-web-data` | User database, session data |
+| `stegasoo-web-certs` | SSL certificates (if HTTPS enabled) |
+
+## Building
+
+### Standard Build (Recommended)
+
+Uses a pre-built base image with all dependencies:
+
+```bash
+# First time only: build the base image
+docker build -f Dockerfile.base -t stegasoo-base:latest .
+
+# Build services (fast - only copies app code)
+docker-compose build
+```
+
+### Full Build (No Base Image)
+
+If you don't have the base image, the Dockerfile will build all dependencies (slower):
+
+```bash
+docker-compose build
+```
+
+## Commands
+
+```bash
+# Start services
+docker-compose up -d
+
+# View logs
+docker-compose logs -f
+
+# Stop services
+docker-compose down
+
+# Rebuild after code changes
+docker-compose build && docker-compose up -d
+
+# Full rebuild (no cache)
+docker-compose build --no-cache
+```
+
+## Resource Limits
+
+Each container is configured with:
+- **Memory limit**: 768 MB
+- **Memory reservation**: 384 MB
+
+This accounts for Argon2id's 256 MB RAM requirement during key derivation.
+
+## Health Checks
+
+Both services include health checks:
+- Interval: 30 seconds
+- Timeout: 10 seconds
+- Start period: 5 seconds
+- Retries: 3
+
+Check health status:
+```bash
+docker-compose ps
+```
+
+## Production Deployment
+
+For production, consider:
+
+1. **Enable HTTPS**:
+   ```bash
+   STEGASOO_HTTPS_ENABLED=true
+   STEGASOO_HOSTNAME=your-domain.com
+   ```
+
+2. **Use secrets for channel key**:
+   ```bash
+   # Don't commit .env files with secrets
+   export STEGASOO_CHANNEL_KEY=your-key
+   docker-compose up -d
+   ```
+
+3. **Reverse proxy**: Put behind nginx/traefik for TLS termination
+
+4. **Backup volumes**:
+   ```bash
+   docker run --rm -v stegasoo-web-data:/data -v $(pwd):/backup \
+     alpine tar czf /backup/stegasoo-backup.tar.gz /data
+   ```
+
+## Troubleshooting
+
+### Container won't start
+```bash
+# Check logs
+docker-compose logs web
+docker-compose logs api
+```
+
+### Out of memory
+Increase Docker's memory allocation or reduce worker count in Dockerfile.
+
+### Permission errors
+The containers run as non-root user `stego` (UID 1000). Ensure volume permissions match.
--- a/5
+++ b/5
@@ -62,8 +62,9 @@ COPY src/ src/
 COPY data/ data/
 COPY frontends/web/ frontends/web/

-# Create upload directory
-RUN mkdir -p /tmp/stego_uploads
+# Create upload directory and instance directories (for volumes)
+# temp_files is for multi-worker temp file sharing
+RUN mkdir -p /tmp/stego_uploads /app/frontends/web/instance /app/frontends/web/certs /app/frontends/web/temp_files

 # Create non-root user
 RUN useradd -m -u 1000 stego && chown -R stego:stego /app /tmp/stego_uploads
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -435,24 +435,85 @@ pip install stegasoo[all]

 ### Raspberry Pi

-Stegasoo works on Raspberry Pi 4 (2GB+ RAM recommended):
+Stegasoo works on Raspberry Pi 4/5 (4GB+ RAM recommended for Web UI).
+
+#### Step 1: Install System Dependencies

 ```bash
-# System dependencies
-sudo apt-get install python3-dev libzbar0 libjpeg-dev
-
-# Create venv with Python 3.12 (if available, or 3.11)
-python3 -m venv venv
-source venv/bin/activate
-
-# Install (may take a while to compile)
-pip install stegasoo[cli]
-
-# For web/api, ensure enough RAM
-pip install stegasoo[web]  # Needs ~768MB free
+sudo apt-get update
+sudo apt-get install -y \
+  build-essential \
+  git \
+  libssl-dev \
+  zlib1g-dev \
+  libbz2-dev \
+  libreadline-dev \
+  libsqlite3-dev \
+  libncursesw5-dev \
+  xz-utils \
+  tk-dev \
+  libxml2-dev \
+  libxmlsec1-dev \
+  libffi-dev \
+  liblzma-dev \
+  libzbar0 \
+  libjpeg-dev
 ```

-**Running the Web UI on Pi:**
+#### Step 2: Install Python 3.12 via pyenv
+
+Raspberry Pi OS ships with Python 3.13, which is **not compatible** with jpegio. Install Python 3.12:
+
+```bash
+# Install pyenv
+curl https://pyenv.run | bash
+
+# Add to ~/.bashrc
+echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
+echo '[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
+echo 'eval "$(pyenv init - bash)"' >> ~/.bashrc
+source ~/.bashrc
+
+# Install Python 3.12 (takes ~10 minutes on Pi 5)
+pyenv install 3.12
+pyenv global 3.12
+```
+
+#### Step 3: Build jpegio for ARM
+
+The upstream jpegio has x86-specific build flags. Patch and build from source:
+
+```bash
+# Clone jpegio
+git clone https://github.com/dwgoon/jpegio.git
+cd jpegio
+
+# Patch for ARM (removes x86-specific -m64 flag)
+sed -i "s/cargs.append('-m64')/pass  # ARM fix/" setup.py
+
+# Build and install
+pip install .
+cd ..
+```
+
+#### Step 4: Install Stegasoo
+
+```bash
+# Clone Stegasoo
+git clone https://github.com/adlee-was-taken/stegasoo.git
+cd stegasoo
+
+# Create venv with Python 3.12
+~/.pyenv/versions/3.12.*/bin/python -m venv venv
+source venv/bin/activate
+
+# Install (jpegio already installed, skip it)
+pip install -e ".[web]" --no-deps
+pip install argon2-cffi cryptography pillow flask gunicorn scipy numpy pyzbar qrcode
+```
+
+#### Step 5: Run the Web UI
+
 ```bash
 cd frontends/web

@@ -465,12 +526,109 @@ export STEGASOO_HOSTNAME=raspberrypi.local

 # Start server
 python app.py
+# Access at http://<pi-ip>:5000
 ```

-**Notes:**
- Argon2 operations will be slower on Pi due to memory-hardness
- First run will prompt you to create an admin account
- HTTPS generates a self-signed certificate (browsers will warn)
+#### Verify Installation
+
+```bash
+python -c "
+import stegasoo
+from stegasoo.dct_steganography import has_jpegio_support
+print(f'Stegasoo: {stegasoo.__version__}')
+print(f'Argon2: {stegasoo.has_argon2()}')
+print(f'DCT: {stegasoo.has_dct_support()}')
+print(f'jpegio: {has_jpegio_support()}')
+"
+# Expected: All True
+```
+
+#### Notes
+
+- **RAM**: Web UI needs ~768MB free for Argon2 + scipy operations
+- **Performance**: Argon2 operations take 3-5 seconds on Pi 5 (vs ~2s on desktop)
+- **Python 3.13**: Not supported due to jpegio C extension incompatibility
+- **First run**: Will prompt you to create an admin account
+- **HTTPS**: Generates self-signed certificate (browsers will warn)
+
+---
+
+## Custom SSL Certificates
+
+By default, Stegasoo generates a self-signed certificate for HTTPS. To use your own certificate (e.g., from Let's Encrypt or your organization's CA):
+
+### Replace Self-Signed Certificates
+
+```bash
+# Stop the service
+sudo systemctl stop stegasoo
+
+# Backup existing certs (optional)
+mv /opt/stegasoo/frontends/web/certs /opt/stegasoo/frontends/web/certs.bak
+
+# Create new certs directory
+mkdir -p /opt/stegasoo/frontends/web/certs
+
+# Copy your certificates (adjust paths as needed)
+cp /path/to/your/certificate.crt /opt/stegasoo/frontends/web/certs/server.crt
+cp /path/to/your/private.key /opt/stegasoo/frontends/web/certs/server.key
+
+# Set permissions (key must be readable by service user)
+chmod 600 /opt/stegasoo/frontends/web/certs/server.key
+chown -R $(whoami):$(whoami) /opt/stegasoo/frontends/web/certs
+
+# Start the service
+sudo systemctl start stegasoo
+```
+
+### Generate New Self-Signed Certificate
+
+If your certificate expires or you need to regenerate:
+
+```bash
+# Stop service
+sudo systemctl stop stegasoo
+
+# Generate new cert with SANs
+CERT_DIR="/opt/stegasoo/frontends/web/certs"
+LOCAL_IP=$(hostname -I | awk '{print $1}')
+HOSTNAME=$(hostname)
+
+openssl req -x509 -newkey rsa:2048 \
+  -keyout "$CERT_DIR/server.key" \
+  -out "$CERT_DIR/server.crt" \
+  -days 365 -nodes \
+  -subj "/O=Stegasoo/CN=$HOSTNAME" \
+  -addext "subjectAltName=DNS:$HOSTNAME,DNS:$HOSTNAME.local,DNS:localhost,IP:$LOCAL_IP,IP:127.0.0.1"
+
+chmod 600 "$CERT_DIR/server.key"
+
+# Start service
+sudo systemctl start stegasoo
+```
+
+### Let's Encrypt with Certbot
+
+For publicly accessible servers:
+
+```bash
+# Install certbot
+sudo apt install certbot
+
+# Get certificate (standalone mode)
+sudo certbot certonly --standalone -d yourdomain.com
+
+# Copy to Stegasoo
+sudo cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /opt/stegasoo/frontends/web/certs/server.crt
+sudo cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /opt/stegasoo/frontends/web/certs/server.key
+sudo chown $(whoami):$(whoami) /opt/stegasoo/frontends/web/certs/*
+sudo chmod 600 /opt/stegasoo/frontends/web/certs/server.key
+
+# Restart
+sudo systemctl restart stegasoo
+```
+
+**Note:** Set up a cron job or systemd timer to copy renewed certificates and restart Stegasoo.

 ---

--- a/README.md
+++ b/README.md
@@ -102,9 +102,40 @@ black src/ tests/ frontends/
 ruff check src/ tests/ frontends/
 ```

+## Docker
+
+```bash
+# Quick start
+docker-compose up -d
+
+# Access
+# Web UI:   http://localhost:5000
+# REST API: http://localhost:8000
+```
+
+See [DOCKER.md](DOCKER.md) for full documentation.
+
+## Raspberry Pi
+
+Pre-built SD card images available for Pi 4/5:
+
+```bash
+# Flash image (download from GitHub Releases)
+zstdcat stegasoo-rpi-*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress
+
+# First boot runs interactive setup wizard:
+# - WiFi configuration
+# - HTTPS with port 443
+# - Channel key generation
+# - Optional overclocking
+```
+
+See [rpi/README.md](rpi/README.md) for manual installation.
+
 ## Documentation

 - [INSTALL.md](INSTALL.md) - Installation guide
+- [DOCKER.md](DOCKER.md) - Docker deployment
 - [CLI.md](CLI.md) - Command-line reference
 - [API.md](API.md) - REST API documentation
 - [WEB_UI.md](WEB_UI.md) - Web interface guide
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -0,0 +1,44 @@
+# Stegasoo Release Checklist
+
+Pre-release validation checklist. Complete all items before tagging a release.
+
+## Code Quality
+
+- [ ] All tests pass: `./venv/bin/pytest tests/ -v`
+- [ ] No lint errors: `./venv/bin/ruff check src/`
+- [ ] Version bumped in `pyproject.toml`
+- [ ] CHANGELOG.md updated
+
+## Pi Image Validation
+
+- [ ] Fresh Pi OS install with setup.sh works
+- [ ] First-boot wizard completes successfully
+- [ ] MOTD shows correct URL on SSH login
+- [ ] Smoke test passes: `./rpi/smoke-test.sh --443 <PI_IP>`
+- [ ] Encode/decode works on large image (10MB+)
+- [ ] Sanitize script runs cleanly
+- [ ] Image created and compressed
+
+## Docker Validation
+
+- [ ] Base image builds: `docker build -f Dockerfile.base -t stegasoo-base:latest .`
+- [ ] Web image builds: `docker-compose build web`
+- [ ] Container starts: `docker-compose up -d web`
+- [ ] Web UI accessible at http://localhost:5000
+- [ ] Encode/decode works in container
+- [ ] Container stops cleanly: `docker-compose down`
+
+## Release Process
+
+- [ ] Merge feature branch to main
+- [ ] Create annotated tag: `git tag -a vX.Y.Z -m "message"`
+- [ ] Push tag: `git push origin vX.Y.Z`
+- [ ] Create GitHub Release with release notes
+- [ ] Upload Pi image (.img.zst.zip)
+- [ ] Verify download links work
+
+## Post-Release
+
+- [ ] Delete old/obsolete releases if needed
+- [ ] Update any external documentation
+- [ ] Announce release (if applicable)
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -0,0 +1,47 @@
+## Stegasoo v4.1.5
+
+### Developer Experience
+- **Educational Code Comments**: Core modules now include detailed explanations
+  - DCT: zig-zag coefficient diagrams, QIM embedding math, Reed-Solomon "Voyager" reference
+  - LSB: visual bit manipulation examples, ChaCha20 pixel selection
+  - Crypto: multi-factor KDF flow diagrams, Argon2id memory-hardness reasoning
+  - CLI/Web: architectural patterns for future contributors
+
+### Raspberry Pi Improvements
+- **Streamlined Image Creation**: `pull-image.sh` now handles everything
+  - Auto-resizes rootfs to exactly 16GB (consistent images from any SD card)
+  - Disables Pi OS auto-expand
+  - Compresses with zstd
+  - Optional .zst.zip wrapper for GitHub releases
+- **16GB Minimum**: Pre-built images are now 16GB (was variable)
+- **Host Requirements**: `rpi/host-requirements.txt` documents all dependencies
+- **Test Automation**: `kickoff-pi-test.sh` for one-command flash+test cycles
+
+### MOTD Polish
+- Dynamic temperature emoji (ice/cool/fire based on CPU temp)
+- Rocket emoji for service status
+- Cleaner formatting
+
+### Raspberry Pi Image
+Download `stegasoo-rpi-4.1.5.img.zst.zip` from Releases.
+
+```bash
+# Flash (auto-detects SD card)
+sudo ./rpi/flash-image.sh stegasoo-rpi-4.1.5.img.zst.zip
+
+# Or manual
+zstdcat stegasoo-rpi-4.1.5.img.zst | sudo dd of=/dev/sdX bs=4M status=progress
+```
+
+Default login: `admin` / `stegasoo`
+
+First boot runs the setup wizard for WiFi, HTTPS, and channel key configuration.
+
+### Docker
+```bash
+docker-compose up -d web  # Web UI on :5000
+docker-compose up -d api  # REST API on :8000
+```
+
+### Full Changelog
+See [CHANGELOG.md](CHANGELOG.md) for complete version history.
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,16 +4,16 @@

 | Version | Supported          | Notes |
 | ------- | ------------------ | ----- |
-| 4.x.x   | ✅ Active | Current release |
-| 3.x.x   | ⚠️ Security fixes only | Upgrade recommended |
-| 2.x.x   | ❌ End of life | |
-| 1.x.x   | ❌ End of life | |
+| 4.1.x   | Current Version | What you SHOULD be using. |
+| 4.x.x   | ⚠️ Security fixes only | Upgrade (EOL soon) |
+| <= 3.x.x   | ❌ End of life | |
+

 ## Reporting a Vulnerability

 **Please do not report security vulnerabilities through public GitHub issues.**

-Instead, please email: **security@example.com** (replace with your email)
+Instead, please email: **adlee-was-taken@proton.me**

 Include:
 - Description of the vulnerability
--- a/UNDER_THE_HOOD.md
+++ b/UNDER_THE_HOOD.md
@@ -2,7 +2,7 @@

 A detailed breakdown of how Stegasoo's LSB and DCT steganography modes work under the hood.

-**Version 4.0** - Updated for simplified authentication (no date dependency)
+**Version 4.1** - Updated for channel keys and deployment isolation

 ---

@@ -22,7 +22,7 @@ A detailed breakdown of how Stegasoo's LSB and DCT steganography modes work unde

 ```
 ┌─────────────────────────────────────────────────────────────────────────────┐
-│                           STEGASOO ARCHITECTURE (v4.0)                       │
+│                           STEGASOO ARCHITECTURE (v4.1)                      │
 ├─────────────────────────────────────────────────────────────────────────────┤
 │                                                                             │
 │   INPUTS                    PROCESSING                      OUTPUT          │
@@ -30,12 +30,12 @@ A detailed breakdown of how Stegasoo's LSB and DCT steganography modes work unde
 │                                                                             │
 │   Reference Photo ─┐                                                        │
 │   Passphrase ──────┼──► Argon2id KDF ──► AES-256 Key                        │
-│   PIN/RSA Key ─────┘                           │                            │
-│                                                ▼                            │
+│   PIN/RSA Key ─────┤                           │                            │
+│   Channel Key ─────┘  (v4.1)                   ▼                            │
 │   Message/File ────────────────────────► AES-256-GCM ──► Ciphertext         │
 │                                          Encryption            │            │
 │                                                                ▼            │
-│   Carrier Image ───────────────────────────────────────► Embedding ──► Stego│
+│   Carrier Image ───────────────────────────────────────► Embedding ─► Stego │
 │                                                          (LSB/DCT)    Image │
 │                                                                             │
 └─────────────────────────────────────────────────────────────────────────────┘
@@ -50,11 +50,24 @@ A detailed breakdown of how Stegasoo's LSB and DCT steganography modes work unde
 | Header size | 75 bytes | 65 bytes (no date field) |
 | Python support | 3.10+ | 3.10-3.12 only |

+### v4.1 Changes
+
+| Change | v4.0 | v4.1 |
+|--------|------|------|
+| Channel keys | None | 32-byte deployment isolation |
+| Key derivation | passphrase + ref + pin | passphrase + ref + pin + channel |
+| Web auth | Session-based | Session + admin/user roles |
+| Raspberry Pi | Manual setup | First-boot wizard with gum |
+| Docker | Basic | Production-ready compose |
+
+**Channel Keys** provide deployment isolation - messages encoded on one Stegasoo instance cannot be decoded by another instance with a different channel key, even with the same passphrase/PIN/reference photo.
+
 ### Module Responsibilities

 | Module | File | Purpose |
 |--------|------|---------|
 | **Crypto** | `crypto.py` | Key derivation (Argon2id), AES-256-GCM encryption/decryption |
+| **Channel** | `channel.py` | Channel key management, deployment isolation (v4.1) |
 | **Steganography** | `steganography.py` | LSB pixel manipulation, capacity calculation |
 | **DCT Steganography** | `dct_steganography.py` | Frequency-domain embedding, jpegio integration |
 | **Compression** | `compression.py` | Optional LZ4 compression of payload |
@@ -793,8 +806,8 @@ Stego Image ──────────► detect_mode() ──────
 Both modes share the same cryptographic foundation (Argon2id + AES-256-GCM) and multi-factor authentication, ensuring security regardless of embedding method.

 The choice comes down to your use case:
- **Private channel?** → LSB (maximum capacity)
 - **Public platform?** → DCT (maximum compatibility)
+- **Private channel?** → LSB (maximum capacity)

 ### v4.0 Simplifications

--- a/WEB_UI.md
+++ b/WEB_UI.md
@@ -1,18 +1,22 @@
-# Stegasoo Web UI Documentation (v4.0.2)
+# Stegasoo Web UI Documentation (v4.1.0)

 Complete guide for the Stegasoo web-based steganography interface.

 ## Table of Contents

 - [Overview](#overview)
- [What's New in v4.0.2](#whats-new-in-v402)
+- [What's New in v4.1.0](#whats-new-in-v410)
 - [Authentication & HTTPS](#authentication--https)
+- [Admin Recovery](#admin-recovery)
+- [Multi-User Support](#multi-user-support)
 - [Installation & Setup](#installation--setup)
 - [Pages & Features](#pages--features)
  - [Home Page](#home-page)
  - [Generate Credentials](#generate-credentials)
  - [Encode Message](#encode-message)
  - [Decode Message](#decode-message)
+  - [Tools Page](#tools-page)
+  - [Account Page](#account-page)
  - [About Page](#about-page)
 - [Embedding Modes](#embedding-modes)
  - [DCT Mode (Default)](#dct-mode-default)
@@ -54,9 +58,29 @@ Built with Flask, Bootstrap 5, and a modern dark theme.

 ---

+## What's New in v4.1.0
+
+Version 4.1.0 adds admin recovery, multi-user support, and new tools:
+
+| Feature | Description |
+|---------|-------------|
+| **Admin Recovery** | Password reset using secure recovery key |
+| **Multi-User Support** | Up to 16 users with role-based access |
+| **EXIF Editor** | View, edit, and strip image metadata |
+| **Saved Channel Keys** | Users can save/manage channel keys in account |
+| **Toast Improvements** | Auto-dismiss after 20 seconds with fade |
+
+**Key benefits:**
+- ✅ Never get locked out - recovery key backup options
+- ✅ Share access with team members (admin/user roles)
+- ✅ Full EXIF metadata control in Tools page
+- ✅ Persistent channel key storage per user
+
+---
+
 ## What's New in v4.0.2

-Version 4.0.2 adds authentication and HTTPS support for secure home network deployment:
+Version 4.0.2 added authentication and HTTPS support:

 | Feature | Description |
 |---------|-------------|
@@ -64,14 +88,6 @@ Version 4.0.2 adds authentication and HTTPS support for secure home network depl
 | **First-run setup** | Wizard to create admin account on first access |
 | **Account management** | Change password page |
 | **Optional HTTPS** | Auto-generated self-signed certificates |
-| **UI improvements** | Larger QR previews, consistent panel styling |
-
-**Key benefits:**
- ✅ Secure your Web UI with username/password
- ✅ No manual database setup - automatic on first run
- ✅ HTTPS with auto-generated certs for home networks
- ✅ Configurable via environment variables
- ✅ Improved readability of QR preview panels

 ---

@@ -135,6 +151,19 @@ On first run with HTTPS enabled:

 **Note:** Browsers will show a security warning for self-signed certificates. This is expected for home network use.

+**Tip:** To avoid browser warnings, use [mkcert](https://github.com/FiloSottile/mkcert) to generate locally-trusted certificates:
+
+```bash
+# Install mkcert and create local CA (one-time)
+mkcert -install
+
+# Generate trusted certs for your Pi
+mkcert -key-file key.pem -cert-file cert.pem stegasoo.local localhost 127.0.0.1 YOUR_PI_IP
+
+# Copy to certs directory
+mv key.pem cert.pem frontends/web/certs/
+```
+
 ### Disabling Authentication

 For development or trusted networks:
@@ -169,6 +198,133 @@ services:

 ---

+## Admin Recovery
+
+### Overview
+
+If you forget your admin password, the recovery key is the ONLY way to reset it. Generate and save your recovery key immediately after setup.
+
+### Recovery Key Format
+
+```
+XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
+└──────────────────────────────────────┘
+  32 alphanumeric characters (8 groups of 4)
+```
+
+### Backup Options
+
+The recovery key can be saved in multiple ways:
+
+| Method | Description | Security Level |
+|--------|-------------|----------------|
+| **Text file** | Plain text download | Low - store securely |
+| **QR code** | Obfuscated PNG image | Medium - XOR'd with magic hash |
+| **Stego image** | Hidden in carrier image | High - requires original image |
+
+### Generating a Recovery Key
+
+**During first-run setup:**
+1. Complete the admin account wizard
+2. You'll be prompted to save your recovery key
+3. Choose backup method(s)
+4. Confirm you've saved the key
+
+**From Account page (admin only):**
+1. Navigate to `/account`
+2. Click "Generate Recovery Key" (or "Regenerate" if one exists)
+3. Save using your preferred method
+4. Check the confirmation box
+5. Click "Save New Key"
+
+### QR Code Obfuscation
+
+QR codes are not plain text - they're XOR'd with a fixed obfuscation key derived from Stegasoo's magic headers. This prevents casual scanning from revealing the key.
+
+### Stego Backup
+
+Hide your recovery key inside an image using Stegasoo itself:
+
+1. Upload a carrier image (JPG/PNG, 50KB-2MB)
+2. Click the "Stego" button
+3. Download the stego image
+4. **Important:** Keep the original carrier image - you'll need it for extraction
+
+### Recovering Your Password
+
+**URL:** `/recover`
+
+1. Navigate to the login page
+2. Click "Forgot password?"
+3. **Option A:** Enter recovery key directly
+4. **Option B:** Extract from stego backup:
+   - Expand "Extract from stego backup"
+   - Upload your stego backup image
+   - Upload the original carrier/reference image
+   - Click "Extract Key"
+5. Enter and confirm your new password
+6. Click "Reset Password"
+
+### CLI Recovery
+
+For locked-out scenarios where you can't access the web UI:
+
+```bash
+stegasoo admin recover --db frontends/web/instance/stegasoo.db
+```
+
+You'll be prompted for your recovery key and new password.
+
+### Important Notes
+
+- Recovery keys are instance-bound (tied to the specific database)
+- Regenerating a key invalidates the previous one
+- Store backups in a secure, separate location
+- Without a recovery key, the only option is to delete the database and reconfigure
+
+---
+
+## Multi-User Support
+
+### Overview
+
+Admins can create up to 16 additional users with role-based access control.
+
+### Roles
+
+| Role | Permissions |
+|------|-------------|
+| **Admin** | Full access: encode, decode, generate, tools, user management, recovery |
+| **User** | Standard access: encode, decode, generate, account settings |
+
+### User Management
+
+**URL:** `/admin/users` (admin only)
+
+#### Creating Users
+
+1. Click "Add User"
+2. Enter username
+3. Select role (admin/user)
+4. A temporary password is generated
+5. Share the temporary password securely with the new user
+6. User must change password on first login
+
+#### Managing Users
+
+- View all users and their roles
+- Reset user passwords (generates new temp password)
+- Change user roles
+- Delete users (except yourself)
+
+### User Limits
+
+- Maximum 16 users total (including admin)
+- At least one admin must exist
+- Users can't delete or demote the last admin
+
+---
+
 ## Installation & Setup

 ### From PyPI
@@ -536,6 +692,83 @@ If decryption fails:

 ---

+### Tools Page
+
+**URL:** `/tools`
+
+The Tools page provides utilities for image analysis and manipulation.
+
+#### EXIF Editor
+
+View and edit image metadata (EXIF data).
+
+**Features:**
+- View all EXIF fields from uploaded image
+- Inline editing of individual fields
+- Clear all metadata with one click
+- Download cleaned image
+
+**Usage:**
+1. Upload an image (JPG recommended - richest EXIF data)
+2. View all metadata fields in a table
+3. Click any field to edit its value
+4. Click "Save" to apply changes
+5. Use "Clear All" to strip all metadata
+6. Download the modified image
+
+**Common EXIF fields:**
+| Field | Description |
+|-------|-------------|
+| Make/Model | Camera manufacturer and model |
+| DateTime | When the photo was taken |
+| GPSLatitude/GPSLongitude | Location coordinates |
+| Software | Editing software used |
+| Artist | Photographer name |
+
+**Privacy tip:** Always strip EXIF data before sharing images publicly to remove location and device information.
+
+#### Peek (Stego Detection)
+
+Quickly check if an image contains hidden data.
+
+#### Strip Metadata
+
+Remove all metadata from an image in one click.
+
+---
+
+### Account Page
+
+**URL:** `/account`
+
+Manage your account settings and preferences.
+
+#### Password Change
+
+1. Enter current password
+2. Enter new password (minimum 8 characters)
+3. Confirm new password
+4. Click "Change Password"
+
+#### Saved Channel Keys (v4.1.0)
+
+Users can save frequently-used channel keys for quick access:
+
+1. Click "Add Channel Key"
+2. Enter a name/label for the key
+3. Paste the channel key
+4. Click "Save"
+
+Saved keys appear in a dropdown during encode/decode operations.
+
+#### Recovery Key Management (Admin only)
+
+- View recovery key status (configured/not configured)
+- Generate or regenerate recovery key
+- Download backup options (text, QR, stego)
+
+---
+
 ### About Page

 **URL:** `/about`
@@ -543,10 +776,10 @@ If decryption fails:
 Information about the Stegasoo project, security model, and credits.

 Includes:
- Version information (v3.3.0)
- Recent UI improvements
+- Version information (v4.1.0)
+- Feature highlights
 - Security model overview
- Dependency status (Argon2, QR code support)
+- Dependency status (Argon2, scipy/DCT, QR code support)

 ---

--- a/WISHLIST-4.2.md
+++ b/WISHLIST-4.2.md
@@ -0,0 +1,42 @@
+# Stegasoo v4.2 Wishlist
+
+Blue sky ideas for future development. No timeline - just capturing thoughts.
+
+---
+
+## Performance
+
+### GPU-Accelerated DCT Encoding/Decoding
+- **Idea**: Leverage GPU for JPEG DCT coefficient manipulation
+- **Potential Approaches**:
+  - OpenCL/CUDA for parallel DCT operations
+  - Raspberry Pi VideoCore IV/VI GPU compute
+  - WebGPU for browser-based acceleration
+- **Challenges**:
+  - jpegio library is CPU-bound (C extension)
+  - Would need custom DCT implementation
+  - Memory transfer overhead may negate gains for small images
+- **Research**:
+  - libjpeg-turbo uses SIMD but not GPU
+  - nvJPEG (NVIDIA) does GPU-accelerated JPEG
+  - Could potentially use GPU for the embedding math, not JPEG decode
+
+---
+
+## Features
+
+(Add ideas here)
+
+---
+
+## Infrastructure
+
+(Add ideas here)
+
+---
+
+## Notes
+
+- This is a living document - add ideas anytime
+- Not all ideas will be implemented
+- Feasibility research needed before committing to roadmap
--- a/check_scipy.py
+++ b/check_scipy.py
@@ -1,170 +0,0 @@
-#!/usr/bin/env python3
-"""
-Diagnostic script to check for scipy/numpy issues.
-Run this BEFORE starting the web app.
-
-Usage:
-    python check_scipy.py
-"""
-
-import sys
-print(f"Python version: {sys.version}")
-print()
-
-# Check numpy
-try:
-    import numpy as np
-    print(f"NumPy version: {np.__version__}")
-    print(f"NumPy config:")
-    np.show_config()
-except ImportError as e:
-    print(f"NumPy not installed: {e}")
-except Exception as e:
-    print(f"NumPy error: {e}")
-
-print()
-print("-" * 50)
-print()
-
-# Check scipy
-try:
-    import scipy
-    print(f"SciPy version: {scipy.__version__}")
-except ImportError as e:
-    print(f"SciPy not installed: {e}")
-
-print()
-
-# Check PIL
-try:
-    from PIL import Image
-    print(f"Pillow version: {Image.__version__}")
-except ImportError as e:
-    print(f"Pillow not installed: {e}")
-
-print()
-print("-" * 50)
-print()
-
-# Test scipy DCT directly
-print("Testing scipy DCT...")
-try:
-    from scipy.fftpack import dct, idct
-    import numpy as np
-
-    # Create test array
-    test = np.random.rand(8, 8).astype(np.float64)
-    print(f"Input array shape: {test.shape}, dtype: {test.dtype}")
-
-    # Test 1D DCT
-    row = test[0, :]
-    result = dct(row, norm='ortho')
-    print(f"1D DCT result shape: {result.shape}, dtype: {result.dtype}")
-
-    # Test 2D DCT (the potentially problematic operation)
-    result2d = dct(dct(test.T, norm='ortho').T, norm='ortho')
-    print(f"2D DCT result shape: {result2d.shape}, dtype: {result2d.dtype}")
-
-    # Test inverse
-    recovered = idct(idct(result2d.T, norm='ortho').T, norm='ortho')
-    error = np.max(np.abs(test - recovered))
-    print(f"Round-trip error: {error}")
-
-    if error < 1e-10:
-        print("✓ scipy DCT working correctly")
-    else:
-        print("⚠ scipy DCT has precision issues")
-
-except Exception as e:
-    print(f"✗ scipy DCT failed: {e}")
-    import traceback
-    traceback.print_exc()
-
-print()
-print("-" * 50)
-print()
-
-# Test with larger array (more like real image processing)
-print("Testing with larger arrays (512x512)...")
-try:
-    from scipy.fftpack import dct, idct
-    import numpy as np
-    import gc
-
-    # Simulate processing many 8x8 blocks
-    large_array = np.random.rand(512, 512).astype(np.float64)
-    print(f"Large array shape: {large_array.shape}, size: {large_array.nbytes} bytes")
-
-    count = 0
-    for y in range(0, 512, 8):
-        for x in range(0, 512, 8):
-            block = large_array[y:y+8, x:x+8].copy()
-            dct_block = dct(dct(block.T, norm='ortho').T, norm='ortho')
-            recovered = idct(idct(dct_block.T, norm='ortho').T, norm='ortho')
-            large_array[y:y+8, x:x+8] = recovered
-            count += 1
-
-    print(f"Processed {count} blocks successfully")
-
-    del large_array
-    gc.collect()
-
-    print("✓ Large array processing completed")
-
-except Exception as e:
-    print(f"✗ Large array processing failed: {e}")
-    import traceback
-    traceback.print_exc()
-
-print()
-print("-" * 50)
-print()
-
-# Test PIL with large image
-print("Testing PIL with large image...")
-try:
-    from PIL import Image
-    import io
-
-    # Create a large test image
-    img = Image.new('RGB', (4000, 3000), color=(128, 128, 128))
-
-    # Save to bytes
-    buffer = io.BytesIO()
-    img.save(buffer, format='PNG')
-    img_bytes = buffer.getvalue()
-    print(f"Test image size: {len(img_bytes)} bytes")
-
-    # Re-open and process
-    buffer2 = io.BytesIO(img_bytes)
-    img2 = Image.open(buffer2)
-    print(f"Re-opened image: {img2.size}, mode: {img2.mode}")
-
-    # Convert to numpy array
-    import numpy as np
-    arr = np.array(img2)
-    print(f"NumPy array: {arr.shape}, dtype: {arr.dtype}")
-
-    # Clean up
-    img.close()
-    img2.close()
-    buffer.close()
-    buffer2.close()
-    del arr
-    gc.collect()
-
-    print("✓ PIL large image test completed")
-
-except Exception as e:
-    print(f"✗ PIL test failed: {e}")
-    import traceback
-    traceback.print_exc()
-
-print()
-print("=" * 50)
-print("Diagnostics complete")
-print()
-print("If no errors above but web app still crashes, try:")
-print("1. pip install --upgrade scipy numpy pillow")
-print("2. pip install scipy==1.11.4 numpy==1.26.4  # Known stable versions")
-print("3. Check if using conda vs pip (mixing can cause issues)")
--- a/data/WebUI.webp
+++ b/data/WebUI.webp
--- a/data/WebUI_About.webp
+++ b/data/WebUI_About.webp
--- a/data/WebUI_Account.webp
+++ b/data/WebUI_Account.webp
--- a/data/WebUI_Decode.webp
+++ b/data/WebUI_Decode.webp
--- a/data/WebUI_Encode.webp
+++ b/data/WebUI_Encode.webp
--- a/data/WebUI_Generate.webp
+++ b/data/WebUI_Generate.webp
--- a/data/WebUI_Login.webp
+++ b/data/WebUI_Login.webp
--- a/data/WebUI_Setup.webp
+++ b/data/WebUI_Setup.webp
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 # Shared environment variables
 x-common-env: &common-env
  STEGASOO_CHANNEL_KEY: ${STEGASOO_CHANNEL_KEY:-}
@@ -30,9 +28,9 @@ services:
    deploy:
      resources:
        limits:
-          memory: 768M
+          memory: 2048M
        reservations:
-          memory: 384M
+          memory: 1024M

  # ============================================================================
  # REST API (FastAPI)
@@ -50,9 +48,9 @@ services:
    deploy:
      resources:
        limits:
-          memory: 768M
+          memory: 2048M
        reservations:
-          memory: 384M
+          memory: 1024M

 # Named volumes for persistent data
 volumes:
--- a/docs/TEMPLATES.md
+++ b/docs/TEMPLATES.md
@@ -0,0 +1,361 @@
+# Stegasoo Web Templates Specification
+
+Quick reference for all Jinja2 templates in `frontends/web/templates/`.
+
+## Table of Contents
+
+- [Layout](#layout)
+- [Auth & Setup](#auth--setup)
+- [Core Features](#core-features)
+- [Tools & Account](#tools--account)
+- [Admin](#admin)
+
+---
+
+## Layout
+
+### `base.html`
+**Purpose:** Master layout template - all pages extend this.
+
+| Block | Description |
+|-------|-------------|
+| `{% block title %}` | Page title |
+| `{% block content %}` | Main page content |
+| `{% block scripts %}` | Page-specific JS |
+
+**Key Elements:**
+- `nav.navbar` - Bootstrap 5 navbar with logo, links, auth buttons
+- `div.toast-container` - Flash message toasts (10s auto-dismiss)
+- `main.container` - Content wrapper
+- `footer` - Copyright + version
+
+**Variables:** `is_authenticated`, `username`, `is_admin`
+
+---
+
+## Auth & Setup
+
+### `login.html`
+**Route:** `/login`
+
+**Form:** `POST /login`
+- `username` - text input
+- `password` - password input
+- "Forgot password?" link to `/recover`
+
+**JS:** `static/js/auth.js` - password toggle
+
+---
+
+### `setup.html`
+**Route:** `/setup` (first-run only)
+
+**Form:** `POST /setup`
+- `username` - admin username
+- `password` - password (min 8 chars)
+- `password_confirm` - confirmation
+
+**JS:** Password confirmation validation
+
+---
+
+### `setup_recovery.html`
+**Route:** `/setup/recovery`
+
+**Form:** `POST /setup/recovery`
+- `recovery_key` - hidden, pre-generated
+- `action` - "save" or "skip"
+- Checkbox confirmation required for save
+
+**Features:**
+- Recovery key display (readonly input)
+- Copy to clipboard button
+- QR code image (if available)
+- Download options: text file, QR image
+- Stego backup upload form
+
+---
+
+### `recover.html`
+**Route:** `/recover`
+
+**Form:** `POST /recover`
+- `recovery_key` - textarea for key input
+- `new_password` - new password
+- `new_password_confirm` - confirmation
+
+**Accordion:** "Extract from stego backup"
+- `POST /recover/stego` with `stego_image` + `reference_image`
+- Pre-fills recovery key on success
+
+---
+
+### `regenerate_recovery.html`
+**Route:** `/account/recovery/regenerate` (admin only)
+
+**Form:** `POST /account/recovery/regenerate`
+- `recovery_key` - hidden field
+- `action` - "save" or "cancel"
+- Confirmation checkbox
+
+**Features:**
+- New key display
+- QR code (obfuscated)
+- Download: text, QR, stego backup
+- Warning if replacing existing key
+
+---
+
+## Core Features
+
+### `index.html`
+**Route:** `/`
+
+**Structure:**
+- Hero section with tagline
+- 3 action cards: Encode, Decode, Generate
+- "How It Works" explainer section
+
+---
+
+### `generate.html`
+**Route:** `/generate`
+
+**Form:** `POST /generate`
+- `words` - passphrase word count (3-12)
+- `use_pin` - checkbox
+- `pin_length` - PIN digits (6-9)
+- `use_rsa` - checkbox
+- `rsa_bits` - key size (2048/3072/4096)
+
+**Output panels:**
+- Passphrase display
+- PIN display (if enabled)
+- RSA key + QR (if enabled)
+- Entropy calculator
+
+**JS:** `static/js/generate.js`
+
+---
+
+### `encode.html`
+**Route:** `/encode`
+
+**Form:** `POST /encode` (multipart)
+- `reference_photo` - file upload (drag-drop zone)
+- `carrier_image` - file upload (drag-drop zone)
+- `mode` - radio: DCT (default) / LSB
+- `dct_format` - PNG / JPEG
+- `dct_color` - Color / Grayscale
+- `payload_type` - radio: Text / File
+- `message` - textarea (if text)
+- `embed_file` - file input (if file)
+- `passphrase` - text input
+- `pin` - text input
+- `rsa_key` / `rsa_key_qr` - file inputs
+- `rsa_key_password` - password
+- `channel_key` - select (saved keys) or manual input
+
+**Panels:**
+- Reference preview with "Hash Acquired" status
+- Carrier preview with capacity info
+- Character counter for message
+
+**JS:** `static/js/encode.js`, `static/js/stegasoo.js`
+
+---
+
+### `encode_result.html`
+**Route:** `/encode/result/<file_id>`
+
+**Elements:**
+- Success message
+- Stego image preview
+- Download button
+- Share button (Web Share API)
+- Mode/capacity info
+- "Encode Another" link
+
+**Variables:** `file_id`, `filename`, `mode`, `capacity_used`
+
+---
+
+### `decode.html`
+**Route:** `/decode`
+
+**Form:** `POST /decode` (multipart)
+- `reference_photo` - file upload
+- `stego_image` - file upload
+- `passphrase` - text input
+- `pin` - text input
+- `rsa_key` / `rsa_key_qr` - file inputs
+- `rsa_key_password` - password
+- `channel_key` - select or manual
+
+**Output:**
+- Decoded message display
+- File download (if file payload)
+
+**JS:** `static/js/decode.js`, `static/js/stegasoo.js`
+
+---
+
+## Tools & Account
+
+### `tools.html`
+**Route:** `/tools`
+
+**Tabbed interface:**
+
+| Tab | Endpoint | Description |
+|-----|----------|-------------|
+| Capacity | `POST /api/tools/capacity` | Image capacity analysis |
+| Peek | `POST /api/tools/peek` | Check for Stegasoo header |
+| Strip | `POST /api/tools/strip` | Remove hidden data |
+| EXIF | `POST /api/tools/exif/*` | Metadata viewer/editor |
+
+**EXIF Editor features:**
+- Upload image → view all EXIF fields
+- Inline editing (click field to edit)
+- "Clear All" button
+- "Save" / "Download" buttons
+
+**JS:** `static/js/tools.js`
+
+---
+
+### `account.html`
+**Route:** `/account`
+
+**Sections:**
+
+1. **User Info** - Username, role badge, logout link
+
+2. **Recovery Key** (admin only)
+   - Status: Configured / Not Set
+   - Generate/Regenerate button
+   - Disable button
+
+3. **Password Change**
+   - `current_password`
+   - `new_password`
+   - `new_password_confirm`
+
+4. **Saved Channel Keys**
+   - List of saved keys with edit/delete
+   - "Add Key" form (name + key)
+   - Max 10 keys per user
+
+**Variables:** `username`, `is_admin`, `has_recovery`, `channel_keys`
+
+---
+
+### `about.html`
+**Route:** `/about`
+
+**Sections:**
+- Version info + feature badges
+- Security model explanation
+- Channel key QR (if configured)
+- Dependency status table
+- Credits + links
+
+**Variables:** `version`, `has_dct`, `has_qr_write`, `has_qr_read`, `channel_key`, `channel_qr`
+
+---
+
+## Admin
+
+### `admin/users.html`
+**Route:** `/admin/users`
+
+**Table columns:** Username | Role | Created | Actions
+
+**Actions per user:**
+- Reset Password button
+- Delete button (disabled for self)
+
+**Header:**
+- User count: "X of 16 users"
+- "Add User" button (modal trigger)
+
+**Modal:** Add User form
+- `username` input
+- `role` select (admin/user)
+- Auto-generated temp password display
+
+---
+
+### `admin/user_new.html`
+**Route:** `/admin/users/new`
+
+**Form:** `POST /admin/users/new`
+- `username` - text input
+- `role` - select (user/admin)
+
+Redirects to `user_created.html` on success.
+
+---
+
+### `admin/user_created.html`
+**Route:** `/admin/users/created`
+
+**Display:**
+- Success message
+- Username
+- Temporary password (copy button)
+- "User must change password on first login" notice
+- Back to users link
+
+---
+
+### `admin/password_reset.html`
+**Route:** `/admin/users/<id>/password-reset`
+
+**Display:**
+- Success message
+- New temporary password
+- Copy button
+- Back link
+
+---
+
+## Common Patterns
+
+### Drag-Drop Upload Zones
+```html
+<div class="upload-zone" id="referenceZone">
+    <input type="file" name="reference_photo" accept="image/*">
+    <div class="preview"></div>
+    <div class="status"></div>
+</div>
+```
+
+### Password Toggle
+```html
+<div class="input-group">
+    <input type="password" id="passwordInput">
+    <button onclick="togglePassword('passwordInput', this)">
+        <i class="bi bi-eye"></i>
+    </button>
+</div>
+```
+
+### Toast Flash Messages
+Rendered in `base.html`, auto-dismiss after 10 seconds:
+- `success` → green
+- `warning` → yellow
+- `error` → red
+
+---
+
+## External JS Files
+
+| File | Used By |
+|------|---------|
+| `static/js/stegasoo.js` | encode, decode, about |
+| `static/js/auth.js` | login, setup, recover, account |
+| `static/js/generate.js` | generate |
+| `static/js/encode.js` | encode |
+| `static/js/decode.js` | decode |
+| `static/js/tools.js` | tools |
--- a/frontends/api/API_UPDATE_SUMMARY_V3.2.0.md
+++ b/frontends/api/API_UPDATE_SUMMARY_V3.2.0.md
@@ -1,500 +0,0 @@
-# API Update Summary for v3.2.0
-
-## Overview
-
-The FastAPI REST API has been updated to align with Stegasoo v3.2.0's breaking changes:
-1. **Removed date dependency** - No `date_str` field in requests
-2. **Renamed day_phrase → passphrase** - Updated all request/response models
-3. **Updated generation** - Now generates single passphrase instead of daily phrases
-
-## Breaking Changes
-
-### Request Model Changes
-
-#### 1. EncodeRequest & EncodeFileRequest
-
-**Before (v3.1.0):**
-```python
-class EncodeRequest(BaseModel):
-    message: str
-    reference_photo_base64: str
-    carrier_image_base64: str
-    day_phrase: str  # ← Changed to passphrase
-    pin: str = ""
-    rsa_key_base64: Optional[str] = None
-    rsa_password: Optional[str] = None
-    date_str: Optional[str] = None  # ← REMOVED
-    embed_mode: EmbedModeType = "lsb"
-```
-
-**After (v3.2.0):**
-```python
-class EncodeRequest(BaseModel):
-    message: str
-    reference_photo_base64: str
-    carrier_image_base64: str
-    passphrase: str = Field(description="Passphrase (v3.2.0: renamed from day_phrase)")
-    pin: str = ""
-    rsa_key_base64: Optional[str] = None
-    rsa_password: Optional[str] = None
-    # date_str removed in v3.2.0
-    embed_mode: EmbedModeType = "lsb"
-    dct_output_format: DctOutputFormatType = "png"
-    dct_color_mode: DctColorModeType = "grayscale"
-```
-
-#### 2. DecodeRequest
-
-**Before (v3.1.0):**
-```python
-class DecodeRequest(BaseModel):
-    stego_image_base64: str
-    reference_photo_base64: str
-    day_phrase: str  # ← Changed to passphrase
-    pin: str = ""
-    rsa_key_base64: Optional[str] = None
-    rsa_password: Optional[str] = None
-    embed_mode: ExtractModeType = "auto"
-```
-
-**After (v3.2.0):**
-```python
-class DecodeRequest(BaseModel):
-    stego_image_base64: str
-    reference_photo_base64: str
-    passphrase: str = Field(description="Passphrase (v3.2.0: renamed from day_phrase)")
-    pin: str = ""
-    rsa_key_base64: Optional[str] = None
-    rsa_password: Optional[str] = None
-    embed_mode: ExtractModeType = "auto"
-```
-
-#### 3. GenerateRequest
-
-**Before (v3.1.0):**
-```python
-class GenerateRequest(BaseModel):
-    use_pin: bool = True
-    use_rsa: bool = False
-    pin_length: int = Field(default=6, ge=MIN_PIN_LENGTH, le=MAX_PIN_LENGTH)
-    rsa_bits: int = Field(default=2048)
-    words_per_phrase: int = Field(default=3, ge=MIN_PHRASE_WORDS, le=MAX_PHRASE_WORDS)
-```
-
-**After (v3.2.0):**
-```python
-class GenerateRequest(BaseModel):
-    use_pin: bool = True
-    use_rsa: bool = False
-    pin_length: int = Field(default=6, ge=MIN_PIN_LENGTH, le=MAX_PIN_LENGTH)
-    rsa_bits: int = Field(default=2048)
-    words_per_passphrase: int = Field(
-        default=DEFAULT_PASSPHRASE_WORDS,  # = 4, was 3
-        ge=MIN_PASSPHRASE_WORDS,
-        le=MAX_PASSPHRASE_WORDS,
-        description="Words per passphrase (v3.2.0: default increased to 4)"
-    )
-```
-
-### Response Model Changes
-
-#### 1. GenerateResponse
-
-**Before (v3.1.0):**
-```python
-class GenerateResponse(BaseModel):
-    phrases: dict[str, str]  # Monday -> phrase, Tuesday -> phrase, etc.
-    pin: Optional[str] = None
-    rsa_key_pem: Optional[str] = None
-    entropy: dict[str, int]
-```
-
-**After (v3.2.0):**
-```python
-class GenerateResponse(BaseModel):
-    passphrase: str = Field(description="Single passphrase (v3.2.0: no daily rotation)")
-    pin: Optional[str] = None
-    rsa_key_pem: Optional[str] = None
-    entropy: dict[str, int]
-    # Legacy field for compatibility
-    phrases: Optional[dict[str, str]] = Field(
-        default=None,
-        description="Deprecated: Use 'passphrase' instead"
-    )
-```
-
-#### 2. EncodeResponse
-
-**Before (v3.1.0):**
-```python
-class EncodeResponse(BaseModel):
-    stego_image_base64: str
-    filename: str
-    capacity_used_percent: float
-    date_used: str
-    day_of_week: str
-    embed_mode: str
-    output_format: str = "png"
-    color_mode: str = "color"
-```
-
-**After (v3.2.0):**
-```python
-class EncodeResponse(BaseModel):
-    stego_image_base64: str
-    filename: str
-    capacity_used_percent: float
-    embed_mode: str
-    output_format: str = "png"
-    color_mode: str = "color"
-    # Legacy fields (no longer used in crypto)
-    date_used: Optional[str] = Field(
-        default=None,
-        description="Deprecated: Date no longer used in v3.2.0"
-    )
-    day_of_week: Optional[str] = Field(
-        default=None,
-        description="Deprecated: Date no longer used in v3.2.0"
-    )
-```
-
-### Endpoint Changes
-
-#### 1. POST /encode
-
-**Before (v3.1.0):**
-```json
-{
-  "message": "Secret message",
-  "reference_photo_base64": "...",
-  "carrier_image_base64": "...",
-  "day_phrase": "apple forest thunder",
-  "date_str": "2025-01-15",
-  "pin": "123456",
-  "embed_mode": "lsb"
-}
-```
-
-**After (v3.2.0):**
-```json
-{
-  "message": "Secret message",
-  "reference_photo_base64": "...",
-  "carrier_image_base64": "...",
-  "passphrase": "apple forest thunder mountain",
-  "pin": "123456",
-  "embed_mode": "lsb"
-}
-```
-
-#### 2. POST /decode
-
-**Before (v3.1.0):**
-```json
-{
-  "stego_image_base64": "...",
-  "reference_photo_base64": "...",
-  "day_phrase": "apple forest thunder",
-  "pin": "123456",
-  "embed_mode": "auto"
-}
-```
-
-**After (v3.2.0):**
-```json
-{
-  "stego_image_base64": "...",
-  "reference_photo_base64": "...",
-  "passphrase": "apple forest thunder mountain",
-  "pin": "123456",
-  "embed_mode": "auto"
-}
-```
-
-#### 3. POST /generate
-
-**Response Before (v3.1.0):**
-```json
-{
-  "phrases": {
-    "Monday": "apple forest thunder",
-    "Tuesday": "banana river lightning",
-    ...
-  },
-  "pin": "123456",
-  "rsa_key_pem": null,
-  "entropy": {
-    "phrase": 33,
-    "pin": 20,
-    "rsa": 0,
-    "total": 53
-  }
-}
-```
-
-**Response After (v3.2.0):**
-```json
-{
-  "passphrase": "apple forest thunder mountain",
-  "pin": "123456",
-  "rsa_key_pem": null,
-  "entropy": {
-    "passphrase": 44,
-    "pin": 20,
-    "rsa": 0,
-    "total": 64
-  },
-  "phrases": null
-}
-```
-
-#### 4. POST /encode/multipart
-
-**Form Fields Before (v3.1.0):**
- `day_phrase` (required)
- `date_str` (optional)
- `reference_photo` (file)
- `carrier` (file)
- ...
-
-**Form Fields After (v3.2.0):**
- `passphrase` (required) ← renamed from day_phrase
- `reference_photo` (file)
- `carrier` (file)
- ... (date_str removed)
-
-**Response Headers Before (v3.1.0):**
-```
-X-Stegasoo-Date: 2025-01-15
-X-Stegasoo-Day: Wednesday
-X-Stegasoo-Capacity-Percent: 25.5
-X-Stegasoo-Embed-Mode: lsb
-```
-
-**Response Headers After (v3.2.0):**
-```
-X-Stegasoo-Capacity-Percent: 25.5
-X-Stegasoo-Embed-Mode: lsb
-X-Stegasoo-Output-Format: png
-X-Stegasoo-Color-Mode: color
-X-Stegasoo-Version: 3.2.0
-```
-
-### New Status Endpoint Information
-
-#### GET /
-
-**Added to response:**
-```json
-{
-  "version": "3.2.0",
-  ...
-  "breaking_changes": {
-    "date_removed": "No date_str parameter needed - encode/decode anytime",
-    "passphrase_renamed": "day_phrase → passphrase (single passphrase, no daily rotation)",
-    "format_version": 4,
-    "backward_compatible": false
-  }
-}
-```
-
-## Migration Guide for API Clients
-
-### 1. Update Request Bodies
-
-**Find and replace in client code:**
-```javascript
-// Before
-{
-  day_phrase: "apple forest thunder",
-  date_str: "2025-01-15"
-}
-
-// After
-{
-  passphrase: "apple forest thunder mountain"
-}
-```
-
-### 2. Update Response Handling
-
-**Before:**
-```javascript
-const response = await fetch('/encode', {
-  method: 'POST',
-  body: JSON.stringify({
-    message: "secret",
-    day_phrase: "words",
-    date_str: "2025-01-15",
-    ...
-  })
-});
-
-const data = await response.json();
-console.log(data.date_used);  // "2025-01-15"
-console.log(data.day_of_week);  // "Wednesday"
-```
-
-**After:**
-```javascript
-const response = await fetch('/encode', {
-  method: 'POST',
-  body: JSON.stringify({
-    message: "secret",
-    passphrase: "longer words here now",
-    // date_str removed
-    ...
-  })
-});
-
-const data = await response.json();
-// date_used and day_of_week are null in v3.2.0
-```
-
-### 3. Update Generate Endpoint Usage
-
-**Before:**
-```javascript
-const creds = await fetch('/generate', {
-  method: 'POST',
-  body: JSON.stringify({ use_pin: true })
-}).then(r => r.json());
-
-// Use Monday's phrase
-const mondayPhrase = creds.phrases['Monday'];
-```
-
-**After:**
-```javascript
-const creds = await fetch('/generate', {
-  method: 'POST',
-  body: JSON.stringify({ use_pin: true })
-}).then(r => r.json());
-
-// Use single passphrase
-const passphrase = creds.passphrase;
-```
-
-### 4. Update Multipart Requests
-
-**Before (JavaScript fetch):**
-```javascript
-const formData = new FormData();
-formData.append('day_phrase', 'apple forest thunder');
-formData.append('date_str', '2025-01-15');
-formData.append('reference_photo', refPhotoFile);
-formData.append('carrier', carrierFile);
-formData.append('message', 'secret');
-formData.append('pin', '123456');
-
-const response = await fetch('/encode/multipart', {
-  method: 'POST',
-  body: formData
-});
-```
-
-**After (JavaScript fetch):**
-```javascript
-const formData = new FormData();
-formData.append('passphrase', 'apple forest thunder mountain');
-// date_str removed
-formData.append('reference_photo', refPhotoFile);
-formData.append('carrier', carrierFile);
-formData.append('message', 'secret');
-formData.append('pin', '123456');
-
-const response = await fetch('/encode/multipart', {
-  method: 'POST',
-  body: formData
-});
-```
-
-## Testing Checklist
-
-### Endpoints to Test
-
- [ ] GET / - Returns v3.2.0 with breaking_changes info
- [ ] GET /modes - Returns mode information
- [ ] POST /generate - Returns single passphrase
- [ ] POST /encode - Works without date_str
- [ ] POST /encode/file - Works without date_str
- [ ] POST /decode - Works without date_str
- [ ] POST /encode/multipart - Accepts passphrase instead of day_phrase
- [ ] POST /decode/multipart - Accepts passphrase instead of day_phrase
- [ ] POST /compare - Still works
- [ ] POST /will-fit - Still works
- [ ] POST /image/info - Still works
- [ ] POST /extract-key-from-qr - Still works
-
-### Validation Tests
-
- [ ] Reject requests with `day_phrase` field (should get validation error)
- [ ] Reject requests with `date_str` field (should be ignored or error)
- [ ] Accept requests with `passphrase` field
- [ ] Generate response includes `passphrase` field
- [ ] Generate response has `phrases` as null
- [ ] Encode response has `date_used` and `day_of_week` as null
- [ ] Multipart encode works with new field names
- [ ] Response headers updated correctly
-
-## OpenAPI/Swagger Documentation
-
-The FastAPI auto-generated documentation (/docs and /redoc) will automatically reflect the changes:
-
-1. **Models updated** - Request/response schemas show new field names
-2. **Descriptions updated** - Field descriptions mention v3.2.0 changes
-3. **Examples updated** - Interactive API explorer uses new field names
-
-Users can browse to `/docs` to see the updated API specification.
-
-## Backward Compatibility
-
-**Breaking Change:** API v3.2.0 is NOT backward compatible with v3.1.0
-
-Clients using the old API will encounter:
-1. **Validation errors** - Missing required `passphrase` field
-2. **Unexpected responses** - `phrases` field will be null
-3. **Changed behavior** - Date fields no longer populated
-
-### Migration Timeline Recommendation
-
-1. **Deploy v3.2.0 API** to staging
-2. **Update client applications** to use new field names
-3. **Test thoroughly** with staging API
-4. **Deploy v3.2.0 API** to production
-5. **Notify users** of breaking changes
-
-Alternatively, run v3.1.0 and v3.2.0 APIs side-by-side on different paths:
- `/api/v3.1/` - Old API
- `/api/v3.2/` - New API
-
-## Constants Updates
-
-Used in validation:
-```python
-from stegasoo.constants import (
-    MIN_PASSPHRASE_WORDS,  # = 3
-    MAX_PASSPHRASE_WORDS,  # = 12
-    DEFAULT_PASSPHRASE_WORDS,  # = 4 (increased from 3)
-)
-```
-
-## Error Messages
-
-All error messages updated:
- "day_phrase is required" → "passphrase is required"
- References to "phrase" now mean "passphrase"
-
-## Implementation Status
-
-✅ All request models updated
-✅ All response models updated
-✅ All endpoints updated
-✅ Multipart endpoints updated
-✅ Status endpoint shows breaking changes
-✅ Constants imported correctly
-✅ Error handling updated
-✅ No references to day_phrase in user-facing text
-✅ No date_str parameters accepted
-
-Ready for deployment!
--- a/frontends/api/main.py
+++ b/frontends/api/main.py
@@ -49,7 +49,6 @@ from stegasoo import (
    generate_credentials,
    get_channel_status,
    has_argon2,
-    has_channel_key,
    has_dct_support,
    set_channel_key,
    validate_channel_key,
@@ -406,11 +405,7 @@ def _resolve_channel_key(channel_key: str | None) -> str | None:
    """
    Resolve channel key from API parameter.

-    Args:
-        channel_key: API parameter value
-            - None: Use server-configured key (auto mode)
-            - "": Public mode (no channel key)
-            - "XXXX-...": Explicit key
+    Wrapper around library's resolve_channel_key with HTTP exception handling.

    Returns:
        Resolved channel key to pass to encode/decode
@@ -418,44 +413,27 @@ def _resolve_channel_key(channel_key: str | None) -> str | None:
    Raises:
        HTTPException: If key format is invalid
    """
-    if channel_key is None:
-        # Auto mode - use server config
-        return None
+    from stegasoo.channel import resolve_channel_key

-    if channel_key == "":
-        # Public mode
-        return ""
-
-    # Explicit key - validate format
-    if not validate_channel_key(channel_key):
-        raise HTTPException(
-            400, "Invalid channel key format. Expected: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX"
-        )
-
-    return channel_key
+    try:
+        return resolve_channel_key(channel_key)
+    except (ValueError, FileNotFoundError) as e:
+        raise HTTPException(400, str(e))


 def _get_channel_info(channel_key: str | None) -> tuple[str, str | None]:
    """
    Get channel mode and fingerprint for response.

+    Uses library's get_channel_response_info for consistent formatting.
+
    Returns:
        (mode, fingerprint) tuple
    """
-    if channel_key == "":
-        return "public", None
+    from stegasoo.channel import get_channel_response_info

-    if channel_key is not None:
-        # Explicit key
-        fingerprint = f"{channel_key[:4]}-••••-••••-••••-••••-••••-••••-{channel_key[-4:]}"
-        return "private", fingerprint
-
-    # Auto mode - check server config
-    if has_channel_key():
-        status = get_channel_status()
-        return "private", status.get("fingerprint")
-
-    return "public", None
+    info = get_channel_response_info(channel_key)
+    return info["mode"], info.get("fingerprint")


 # ============================================================================
--- a/frontends/cli/main.py
+++ b/frontends/cli/main.py
@@ -24,11 +24,31 @@ Usage:
    stegasoo channel [SUBCOMMAND]
 """

+import json
 import sys
+import tempfile
+import threading
+import time
+import uuid
 from pathlib import Path

 import click

+# Rich progress bar (optional)
+try:
+    from rich.progress import (
+        BarColumn,
+        Progress,
+        SpinnerColumn,
+        TaskProgressColumn,
+        TextColumn,
+        TimeElapsedColumn,
+    )
+
+    HAS_RICH = True
+except ImportError:
+    HAS_RICH = False
+
 # Add parent to path for development
 sys.path.insert(0, str(Path(__file__).parent.parent.parent / "src"))

@@ -168,37 +188,25 @@ def resolve_channel_key_option(
    """
    Resolve channel key from CLI options.

+    Wrapper around library's resolve_channel_key with Click exception handling.
+
    Returns:
        None: Use server-configured key (auto mode)
        "": Public mode (no channel key)
        str: Explicit channel key
    """
-    if no_channel:
-        return ""  # Public mode
+    from stegasoo.channel import resolve_channel_key

-    if channel_file:
-        # Load from file
-        path = Path(channel_file)
-        if not path.exists():
-            raise click.ClickException(f"Channel key file not found: {channel_file}")
-        key = path.read_text().strip()
-        if not validate_channel_key(key):
-            raise click.ClickException(f"Invalid channel key format in file: {channel_file}")
-        return key
-
-    if channel:
-        if channel.lower() == "auto":
-            return None  # Use server config
-        # Explicit key provided
-        if not validate_channel_key(channel):
-            raise click.ClickException(
-                "Invalid channel key format. Expected: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX\n"
-                "Generate a new key with: stegasoo channel generate"
+    try:
+        return resolve_channel_key(
+            value=channel,
+            file_path=channel_file,
+            no_channel=no_channel,
        )
-        return channel
-
-    # Default: use server-configured key (auto mode)
-    return None
+    except FileNotFoundError as e:
+        raise click.ClickException(str(e))
+    except ValueError as e:
+        raise click.ClickException(str(e))


 def format_channel_status_line(quiet: bool = False) -> str | None:
@@ -610,6 +618,73 @@ def channel_clear(project, clear_all, force):
        click.echo("  Mode is now: PUBLIC")


+# ============================================================================
+# PROGRESS BAR UTILITIES (v4.1.2)
+# ============================================================================
+
+
+def _generate_progress_job_id() -> str:
+    """Generate a unique job ID for progress tracking."""
+    return str(uuid.uuid4())[:8]
+
+
+def _get_progress_file_path(job_id: str) -> str:
+    """Get the progress file path for a job ID."""
+    return str(Path(tempfile.gettempdir()) / f"stegasoo_progress_{job_id}.json")
+
+
+def _read_progress(job_id: str) -> dict | None:
+    """Read progress from file for a job ID."""
+    progress_file = _get_progress_file_path(job_id)
+    try:
+        with open(progress_file) as f:
+            return json.load(f)
+    except (FileNotFoundError, json.JSONDecodeError):
+        return None
+
+
+def _cleanup_progress_file(job_id: str) -> None:
+    """Remove progress file for a completed job."""
+    progress_file = _get_progress_file_path(job_id)
+    try:
+        Path(progress_file).unlink(missing_ok=True)
+    except Exception:
+        pass
+
+
+def _run_encode_with_progress(encode_func, encode_kwargs: dict, progress_file: str) -> tuple:
+    """
+    Run encode in a thread and return result.
+
+    Returns:
+        (success, result_or_error)
+    """
+    result_holder = {"result": None, "error": None}
+
+    def run():
+        try:
+            result_holder["result"] = encode_func(**encode_kwargs, progress_file=progress_file)
+        except Exception as e:
+            result_holder["error"] = e
+
+    thread = threading.Thread(target=run)
+    thread.start()
+    return thread, result_holder
+
+
+def _format_phase(phase: str) -> str:
+    """Format phase name for display."""
+    phases = {
+        "starting": "Starting",
+        "initializing": "Initializing",
+        "embedding": "Embedding",
+        "saving": "Saving",
+        "finalizing": "Finalizing",
+        "complete": "Complete",
+    }
+    return phases.get(phase, phase.capitalize())
+
+
 # ============================================================================
 # ENCODE COMMAND
 # ============================================================================
@@ -654,6 +729,7 @@ def channel_clear(project, clear_all, force):
    help="DCT color mode: grayscale (default) or color (preserves original colors)",
 )
@click.option("--quiet", "-q", is_flag=True, help="Suppress output except errors")
+@click.option("--progress", is_flag=True, help="Show progress bar (requires rich)")
 def encode_cmd(
    ref,
    carrier,
@@ -673,6 +749,7 @@ def encode_cmd(
    dct_output_format,
    dct_color_mode,
    quiet,
+    progress,
 ):
    """
    Encode a secret message or file into an image.
@@ -820,19 +897,63 @@ def encode_cmd(
                click.echo(channel_status)

        # v4.0.0: Include channel_key parameter
-        result = encode(
-            message=payload,
-            reference_photo=ref_photo,
-            carrier_image=carrier_image,
-            passphrase=passphrase,
-            pin=pin or "",
-            rsa_key_data=rsa_key_data,
-            rsa_password=effective_key_password,
-            embed_mode=embed_mode,
-            dct_output_format=dct_output_format,
-            dct_color_mode=dct_color_mode,
-            channel_key=resolved_channel_key,
+        # v4.1.2: Progress bar support
+        encode_kwargs = {
+            "message": payload,
+            "reference_photo": ref_photo,
+            "carrier_image": carrier_image,
+            "passphrase": passphrase,
+            "pin": pin or "",
+            "rsa_key_data": rsa_key_data,
+            "rsa_password": effective_key_password,
+            "embed_mode": embed_mode,
+            "dct_output_format": dct_output_format,
+            "dct_color_mode": dct_color_mode,
+            "channel_key": resolved_channel_key,
+        }
+
+        if progress and HAS_RICH:
+            # Run with progress bar
+            job_id = _generate_progress_job_id()
+            progress_file = _get_progress_file_path(job_id)
+
+            thread, result_holder = _run_encode_with_progress(encode, encode_kwargs, progress_file)
+
+            with Progress(
+                SpinnerColumn(),
+                TextColumn("[progress.description]{task.description}"),
+                BarColumn(),
+                TaskProgressColumn(),
+                TimeElapsedColumn(),
+                transient=True,
+            ) as progress_bar:
+                task = progress_bar.add_task("Encoding...", total=100)
+
+                while thread.is_alive():
+                    prog = _read_progress(job_id)
+                    if prog:
+                        percent = prog.get("percent", 0)
+                        phase = _format_phase(prog.get("phase", "processing"))
+                        progress_bar.update(task, completed=percent, description=f"{phase}...")
+                    time.sleep(0.1)
+
+                # Final update
+                progress_bar.update(task, completed=100, description="Complete!")
+
+            _cleanup_progress_file(job_id)
+
+            if result_holder["error"]:
+                raise result_holder["error"]
+            result = result_holder["result"]
+
+        elif progress and not HAS_RICH:
+            click.secho(
+                "Warning: --progress requires 'rich' package. Install with: pip install rich",
+                fg="yellow",
            )
+            result = encode(**encode_kwargs)
+        else:
+            result = encode(**encode_kwargs)

        # Determine output path
        if output:
--- a/frontends/web/.env.example
+++ b/frontends/web/.env.example
@@ -0,0 +1,16 @@
+# Stegasoo Web UI Configuration
+# Copy this file to .env and customize
+
+# Authentication (v4.0.2+)
+STEGASOO_AUTH_ENABLED=true
+STEGASOO_HTTPS_ENABLED=false
+STEGASOO_HOSTNAME=localhost
+STEGASOO_PORT=5000
+
+# Channel Key (format: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX)
+# Generate with: stegasoo generate --channel-key
+# Leave empty for public mode
+STEGASOO_CHANNEL_KEY=
+
+# Flask settings
+FLASK_ENV=production
--- a/frontends/web/WEB_FRONTEND_UPDATE_SUMMARY_V3.2.0.md
+++ b/frontends/web/WEB_FRONTEND_UPDATE_SUMMARY_V3.2.0.md
@@ -1,426 +0,0 @@
-# Web Frontend Update Summary for v3.2.0
-
-## Overview
-
-The Flask web frontend has been updated to align with Stegasoo v3.2.0's breaking changes:
-1. **Removed date dependency** - No date selection or tracking in UI
-2. **Renamed day_phrase → passphrase** - Updated all forms and templates
-3. **Increased default words** - From 3 to 4 for better security
-
-## Key Changes
-
-### 1. Form Parameter Changes
-
-#### Generate Page
-
-**Before (v3.1.0):**
-```python
-words_per_phrase = int(request.form.get('words_per_phrase', 3))
-# Generated daily phrases for all days of the week
-```
-
-**After (v3.2.0):**
-```python
-words_per_passphrase = int(request.form.get('words_per_passphrase', 4))
-# Generates single passphrase
-```
-
-**Template variables changed:**
- `phrases` → `passphrase` (single string instead of dict)
- `words_per_phrase` → `words_per_passphrase`
- `phrase_entropy` → `passphrase_entropy`
- Removed `days` variable (no longer needed)
-
-#### Encode Page
-
-**Before (v3.1.0):**
-```python
-day_phrase = request.form.get('day_phrase', '')
-client_date = request.form.get('client_date', '').strip()
-day_of_week = get_today_day()  # Used in template
-
-encode_result = encode(
-    ...,
-    day_phrase=day_phrase,
-    date_str=date_str,
-    ...
-)
-```
-
-**After (v3.2.0):**
-```python
-passphrase = request.form.get('passphrase', '')
-# No client_date or day_of_week needed
-
-encode_result = encode(
-    ...,
-    passphrase=passphrase,  # Renamed
-    # date_str removed
-    ...
-)
-```
-
-#### Decode Page
-
-**Before (v3.1.0):**
-```python
-day_phrase = request.form.get('day_phrase', '')
-stego_date = request.form.get('stego_date', '').strip()
-
-decode_result = decode(
-    ...,
-    day_phrase=day_phrase,
-    date_str=stego_date if stego_date else None,
-    ...
-)
-```
-
-**After (v3.2.0):**
-```python
-passphrase = request.form.get('passphrase', '')
-# No stego_date needed
-
-decode_result = decode(
-    ...,
-    passphrase=passphrase,  # Renamed
-    # date_str removed
-    ...
-)
-```
-
-### 2. Template Context Updates
-
-**inject_globals() changes:**
-
-**Added:**
-```python
-'min_passphrase_words': MIN_PASSPHRASE_WORDS,
-'recommended_passphrase_words': RECOMMENDED_PASSPHRASE_WORDS,
-'default_passphrase_words': DEFAULT_PASSPHRASE_WORDS,
-```
-
-**Used for:**
- Showing passphrase length requirements
- Default values in generate form
- Validation messages
-
-### 3. Validation Updates
-
-**Added passphrase validation:**
-```python
-from stegasoo import validate_passphrase
-
-# In encode_page()
-result = validate_passphrase(passphrase)
-if not result.is_valid:
-    flash(result.error_message, 'error')
-    return ...
-
-# Show warning if passphrase is short
-if result.warning:
-    flash(result.warning, 'warning')
-```
-
-### 4. Error Message Updates
-
-**Before:**
-```python
-flash('Day phrase is required', 'error')
-flash('Decryption failed. Check your phrase, PIN...', 'error')
-```
-
-**After:**
-```python
-flash('Passphrase is required', 'error')
-flash('Decryption failed. Check your passphrase, PIN...', 'error')
-```
-
-## Template Changes Needed
-
-These Flask routes will need corresponding template updates:
-
-### generate.html
-
-**Changes needed:**
-```html
-<!-- Before -->
-<label for="words_per_phrase">Words per phrase</label>
-<input type="number" name="words_per_phrase" value="3">
-
-{% if generated %}
-  <h3>Daily Phrases</h3>
-  {% for day in days %}
-    <tr>
-      <td>{{ day }}</td>
-      <td>{{ phrases[day] }}</td>
-    </tr>
-  {% endfor %}
-{% endif %}
-
-<!-- After -->
-<label for="words_per_passphrase">Words per passphrase</label>
-<input type="number" name="words_per_passphrase" value="{{ default_passphrase_words }}">
-
-{% if generated %}
-  <h3>Passphrase</h3>
-  <div class="passphrase-display">
-    <code>{{ passphrase }}</code>
-    <p class="help-text">Use this passphrase to encode and decode messages (no date needed!)</p>
-  </div>
-{% endif %}
-```
-
-**Entropy display:**
-```html
-<!-- Before -->
-<li>Phrase entropy: {{ phrase_entropy }} bits</li>
-
-<!-- After -->
-<li>Passphrase entropy: {{ passphrase_entropy }} bits ({{ words_per_passphrase }} words)</li>
-```
-
-### encode.html
-
-**Changes needed:**
-```html
-<!-- Before -->
-<label for="day_phrase">Day Phrase</label>
-<input type="text" name="day_phrase" required>
-
-<label for="client_date">Encoding Date (Optional)</label>
-<input type="date" name="client_date">
-<p class="help-text">Defaults to today: {{ day_of_week }}</p>
-
-<!-- After -->
-<label for="passphrase">Passphrase</label>
-<input type="text" name="passphrase" required 
-       placeholder="Enter at least {{ recommended_passphrase_words }} words">
-<p class="help-text">
-  v3.2.0: No date needed! Use your passphrase anytime.
-</p>
-```
-
-### decode.html
-
-**Changes needed:**
-```html
-<!-- Before -->
-<label for="day_phrase">Day Phrase</label>
-<input type="text" name="day_phrase" required>
-
-<label for="stego_date">Encoding Date</label>
-<input type="date" name="stego_date" id="stego_date">
-<p class="help-text">Will be auto-detected from filename if possible</p>
-
-<script>
-// Auto-detect date from filename
-stegoInput.addEventListener('change', function() {
-  const filename = this.files[0]?.name || '';
-  const dateMatch = filename.match(/_(\d{4})(\d{2})(\d{2})/);
-  if (dateMatch) {
-    document.getElementById('stego_date').value = 
-      `${dateMatch[1]}-${dateMatch[2]}-${dateMatch[3]}`;
-  }
-});
-</script>
-
-<!-- After -->
-<label for="passphrase">Passphrase</label>
-<input type="text" name="passphrase" required 
-       placeholder="Enter your passphrase">
-<p class="help-text">
-  v3.2.0: No date needed to decode!
-</p>
-
-<!-- Remove date detection script -->
-```
-
-### index.html
-
-**Changes needed:**
-```html
-<!-- Before -->
-<p>Generate daily passphrases and security credentials</p>
-<p>Hide messages using day-specific phrases</p>
-
-<!-- After -->
-<p>Generate passphrases and security credentials</p>
-<p>v3.2.0: Simplified - no more daily rotation!</p>
-```
-
-### about.html
-
-**Add v3.2.0 section:**
-```html
-<h2>Version 3.2.0 Changes</h2>
-<ul>
-  <li><strong>No date dependency</strong> - Encode and decode anytime without tracking dates</li>
-  <li><strong>Single passphrase</strong> - No more daily rotation, just remember one strong passphrase</li>
-  <li><strong>Better security</strong> - Default passphrase length increased to 4 words</li>
-  <li><strong>Asynchronous ready</strong> - Perfect for dead drops and delayed delivery</li>
-</ul>
-```
-
-## JavaScript Changes Needed
-
-### Remove date-related code:
-
-```javascript
-// REMOVE THIS (date detection from filename)
-function detectDateFromFilename(filename) {
-  const match = filename.match(/_(\d{4})(\d{2})(\d{2})/);
-  if (match) {
-    return `${match[1]}-${match[2]}-${match[3]}`;
-  }
-  return null;
-}
-
-// REMOVE THIS (day-of-week display)
-function updateDayOfWeek() {
-  const dateInput = document.getElementById('client_date');
-  const dayDisplay = document.getElementById('day_display');
-  // ...
-}
-```
-
-### Update validation:
-
-```javascript
-// Before
-const dayPhrase = document.getElementById('day_phrase').value;
-if (!dayPhrase || dayPhrase.trim().length === 0) {
-  alert('Day phrase is required');
-  return false;
-}
-
-// After
-const passphrase = document.getElementById('passphrase').value;
-if (!passphrase || passphrase.trim().length === 0) {
-  alert('Passphrase is required');
-  return false;
-}
-
-// Add word count validation
-const words = passphrase.trim().split(/\s+/);
-if (words.length < {{ min_passphrase_words }}) {
-  alert(`Passphrase should have at least {{ recommended_passphrase_words }} words`);
-  return false;
-}
-```
-
-## CSS Updates
-
-Add styling for passphrase warnings:
-
-```css
-.passphrase-display {
-  background: #f5f5f5;
-  padding: 15px;
-  border-radius: 5px;
-  margin: 10px 0;
-}
-
-.passphrase-display code {
-  font-size: 1.2em;
-  color: #2c3e50;
-  word-break: break-word;
-}
-
-.help-text.v3-2-0 {
-  color: #3498db;
-  font-weight: bold;
-}
-
-.flash.warning {
-  background-color: #fff3cd;
-  border-left: 4px solid #ffc107;
-  color: #856404;
-}
-```
-
-## Migration Notes for Users
-
-Add to templates:
-
-```html
-<div class="alert alert-info">
-  <h4>⚠️ v3.2.0 Breaking Changes</h4>
-  <p>If you have messages encoded with v3.1.0:</p>
-  <ul>
-    <li>They cannot be decoded with v3.2.0</li>
-    <li>You need the original v3.1.0 installation to decode them</li>
-    <li>After decoding, you can re-encode with v3.2.0</li>
-  </ul>
-</div>
-```
-
-## Form Field Summary
-
-### Changed Field Names
-
-| Old Name (v3.1.0) | New Name (v3.2.0) | Type |
-|-------------------|-------------------|------|
-| `day_phrase` | `passphrase` | text input |
-| `words_per_phrase` | `words_per_passphrase` | number input |
-| `client_date` | (removed) | date input |
-| `stego_date` | (removed) | date input |
-
-### New Validation Attributes
-
-```html
-<input type="text" name="passphrase" 
-       required
-       minlength="{{ min_passphrase_words * 4 }}"
-       placeholder="Enter at least {{ recommended_passphrase_words }} words"
-       pattern="^\s*\S+(\s+\S+){3,}.*$"
-       title="Please enter at least 4 words">
-```
-
-## Testing Checklist
-
- [ ] Generate page creates single passphrase
- [ ] Generate page shows correct entropy (4 words = 44 bits)
- [ ] Generate page doesn't show day names
- [ ] Encode page accepts passphrase (not day_phrase)
- [ ] Encode page doesn't have date selection
- [ ] Encode page shows v3.2.0 help text
- [ ] Decode page accepts passphrase
- [ ] Decode page doesn't have date input
- [ ] Decode page doesn't auto-detect date from filename
- [ ] Error messages say "passphrase" not "day phrase"
- [ ] Validation shows warnings for short passphrases
- [ ] QR code functionality still works
- [ ] DCT mode options still work
- [ ] All flash messages updated
-
-## Implementation Status
-
-✅ Flask routes updated
-✅ Form parameter names changed
-✅ Function calls updated
-✅ Validation added for passphrases
-✅ Error messages updated
-✅ Template context updated
-⏳ Templates need updating (generate.html, encode.html, decode.html, index.html, about.html)
-⏳ JavaScript needs updating
-⏳ CSS styling for v3.2.0 features
-
-## Quick Reference
-
-**To test the Flask app:**
-```bash
-cd frontends/web
-python app.py
-# Visit http://localhost:5000
-```
-
-**Key user-facing changes:**
-1. Generate: Shows one passphrase, not 7 daily phrases
-2. Encode: No date selection, just passphrase
-3. Decode: No date needed, just passphrase
-
-**Benefits to highlight:**
- ✅ Simpler UI (fewer fields)
- ✅ No date tracking needed
- ✅ Encode today, decode anytime
- ✅ Perfect for asynchronous communications
--- a/frontends/web/app.py
+++ b/frontends/web/app.py
--- a/frontends/web/auth.py
+++ b/frontends/web/auth.py
@@ -1,17 +1,24 @@
 """
-Stegasoo Authentication Module
+Stegasoo Authentication Module (v4.1.0)

-Single-admin authentication with Argon2 password hashing.
-Uses Flask sessions for authentication state and SQLite3 for storage.
+Multi-user authentication with role-based access control.
+- Admin user created at first-run setup
+- Admin can create up to 16 additional users
+- Uses Argon2id password hashing
+- Flask sessions for authentication state
+- SQLite3 for user storage
 """

 import functools
+import secrets
 import sqlite3
+import string
+from dataclasses import dataclass
 from pathlib import Path

 from argon2 import PasswordHasher
 from argon2.exceptions import VerifyMismatchError
-from flask import current_app, g, redirect, session, url_for
+from flask import current_app, flash, g, redirect, session, url_for

 # Argon2 password hasher (lighter than stegasoo's 256MB for faster login)
 ph = PasswordHasher(
@@ -22,6 +29,26 @@ ph = PasswordHasher(
    salt_len=16,
 )

+# Constants
+MAX_USERS = 16  # Plus 1 admin = 17 total
+MAX_CHANNEL_KEYS = 10  # Per user
+ROLE_ADMIN = "admin"
+ROLE_USER = "user"
+
+
+@dataclass
+class User:
+    """User data class."""
+
+    id: int
+    username: str
+    role: str
+    created_at: str
+
+    @property
+    def is_admin(self) -> bool:
+        return self.role == ROLE_ADMIN
+

 def get_db_path() -> Path:
    """Get database path in Flask instance folder."""
@@ -46,13 +73,65 @@ def close_db(e=None):


 def init_db():
-    """Initialize database schema."""
+    """Initialize database schema with migration support."""
    db = get_db()
+
+    # Check if we need to migrate from old single-user schema
+    cursor = db.execute(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='admin_user'"
+    )
+    has_old_table = cursor.fetchone() is not None
+
+    cursor = db.execute(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
+    )
+    has_new_table = cursor.fetchone() is not None
+
+    if has_old_table and not has_new_table:
+        # Migrate from old schema
+        _migrate_from_single_user(db)
+    elif not has_new_table:
+        # Fresh install - create new schema
+        _create_schema(db)
+    else:
+        # Existing install - check for new tables (migrations)
+        _ensure_channel_keys_table(db)
+        _ensure_app_settings_table(db)
+
+
+def _create_schema(db: sqlite3.Connection):
+    """Create the multi-user schema."""
    db.executescript("""
-        CREATE TABLE IF NOT EXISTS admin_user (
-            id INTEGER PRIMARY KEY CHECK (id = 1),
-            username TEXT NOT NULL DEFAULT 'admin',
+        CREATE TABLE IF NOT EXISTS users (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            username TEXT NOT NULL UNIQUE,
            password_hash TEXT NOT NULL,
+            role TEXT NOT NULL DEFAULT 'user',
+            created_at TEXT DEFAULT CURRENT_TIMESTAMP,
+            updated_at TEXT DEFAULT CURRENT_TIMESTAMP
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
+        CREATE INDEX IF NOT EXISTS idx_users_role ON users(role);
+
+        CREATE TABLE IF NOT EXISTS user_channel_keys (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            user_id INTEGER NOT NULL,
+            name TEXT NOT NULL,
+            channel_key TEXT NOT NULL,
+            created_at TEXT DEFAULT CURRENT_TIMESTAMP,
+            last_used_at TEXT,
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+            UNIQUE(user_id, channel_key)
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_channel_keys_user ON user_channel_keys(user_id);
+
+        -- App-level settings (v4.1.0)
+        -- Stores recovery key hash and other instance-wide settings
+        CREATE TABLE IF NOT EXISTS app_settings (
+            key TEXT PRIMARY KEY,
+            value TEXT NOT NULL,
            created_at TEXT DEFAULT CURRENT_TIMESTAMP,
            updated_at TEXT DEFAULT CURRENT_TIMESTAMP
        );
@@ -60,76 +139,770 @@ def init_db():
    db.commit()


-def user_exists() -> bool:
-    """Check if admin user has been created."""
+def _migrate_from_single_user(db: sqlite3.Connection):
+    """Migrate from old single-user admin_user table to multi-user users table."""
+    # Create new table
+    _create_schema(db)
+
+    # Copy admin user from old table
+    old_user = db.execute(
+        "SELECT username, password_hash, created_at FROM admin_user WHERE id = 1"
+    ).fetchone()
+
+    if old_user:
+        db.execute(
+            """
+            INSERT INTO users (username, password_hash, role, created_at)
+            VALUES (?, ?, 'admin', ?)
+            """,
+            (old_user["username"], old_user["password_hash"], old_user["created_at"]),
+        )
+        db.commit()
+
+    # Drop old table
+    db.execute("DROP TABLE admin_user")
+    db.commit()
+
+
+def _ensure_channel_keys_table(db: sqlite3.Connection):
+    """Ensure user_channel_keys table exists (migration for existing installs)."""
+    cursor = db.execute(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='user_channel_keys'"
+    )
+    if cursor.fetchone() is None:
+        db.executescript("""
+            CREATE TABLE IF NOT EXISTS user_channel_keys (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                user_id INTEGER NOT NULL,
+                name TEXT NOT NULL,
+                channel_key TEXT NOT NULL,
+                created_at TEXT DEFAULT CURRENT_TIMESTAMP,
+                last_used_at TEXT,
+                FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+                UNIQUE(user_id, channel_key)
+            );
+
+            CREATE INDEX IF NOT EXISTS idx_channel_keys_user ON user_channel_keys(user_id);
+        """)
+        db.commit()
+
+
+def _ensure_app_settings_table(db: sqlite3.Connection):
+    """Ensure app_settings table exists (v4.1.0 migration)."""
+    cursor = db.execute(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='app_settings'"
+    )
+    if cursor.fetchone() is None:
+        db.executescript("""
+            CREATE TABLE IF NOT EXISTS app_settings (
+                key TEXT PRIMARY KEY,
+                value TEXT NOT NULL,
+                created_at TEXT DEFAULT CURRENT_TIMESTAMP,
+                updated_at TEXT DEFAULT CURRENT_TIMESTAMP
+            );
+        """)
+        db.commit()
+
+
+# =============================================================================
+# App Settings (v4.1.0)
+# =============================================================================
+
+
+def get_app_setting(key: str) -> str | None:
+    """Get an app-level setting value."""
    db = get_db()
-    result = db.execute("SELECT 1 FROM admin_user WHERE id = 1").fetchone()
-    return result is not None
+    row = db.execute(
+        "SELECT value FROM app_settings WHERE key = ?", (key,)
+    ).fetchone()
+    return row["value"] if row else None


-def create_user(username: str, password: str):
-    """Create admin user (first-run setup)."""
-    if user_exists():
-        raise ValueError("Admin user already exists")
-
-    password_hash = ph.hash(password)
+def set_app_setting(key: str, value: str) -> None:
+    """Set an app-level setting value."""
    db = get_db()
    db.execute(
-        "INSERT INTO admin_user (id, username, password_hash) VALUES (1, ?, ?)",
-        (username, password_hash),
+        """
+        INSERT INTO app_settings (key, value)
+        VALUES (?, ?)
+        ON CONFLICT(key) DO UPDATE SET value = ?, updated_at = CURRENT_TIMESTAMP
+        """,
+        (key, value, value),
    )
    db.commit()


+def delete_app_setting(key: str) -> bool:
+    """Delete an app-level setting. Returns True if deleted."""
+    db = get_db()
+    cursor = db.execute("DELETE FROM app_settings WHERE key = ?", (key,))
+    db.commit()
+    return cursor.rowcount > 0
+
+
+# =============================================================================
+# Recovery Key Management (v4.1.0)
+# =============================================================================
+
+
+# Setting key for recovery hash
+RECOVERY_KEY_SETTING = "recovery_key_hash"
+
+
+def has_recovery_key() -> bool:
+    """Check if a recovery key has been configured."""
+    return get_app_setting(RECOVERY_KEY_SETTING) is not None
+
+
+def get_recovery_key_hash() -> str | None:
+    """Get the stored recovery key hash."""
+    return get_app_setting(RECOVERY_KEY_SETTING)
+
+
+def set_recovery_key_hash(key_hash: str) -> None:
+    """Store a recovery key hash."""
+    set_app_setting(RECOVERY_KEY_SETTING, key_hash)
+
+
+def clear_recovery_key() -> bool:
+    """Remove the recovery key. Returns True if removed."""
+    return delete_app_setting(RECOVERY_KEY_SETTING)
+
+
+def verify_and_reset_admin_password(recovery_key: str, new_password: str) -> tuple[bool, str]:
+    """
+    Verify recovery key and reset the first admin's password.
+
+    Args:
+        recovery_key: User-provided recovery key
+        new_password: New password to set
+
+    Returns:
+        (success, message) tuple
+    """
+    from stegasoo.recovery import verify_recovery_key
+
+    stored_hash = get_recovery_key_hash()
+    if not stored_hash:
+        return False, "No recovery key configured for this instance"
+
+    if not verify_recovery_key(recovery_key, stored_hash):
+        return False, "Invalid recovery key"
+
+    # Find first admin user
+    db = get_db()
+    admin = db.execute(
+        "SELECT id, username FROM users WHERE role = 'admin' ORDER BY id LIMIT 1"
+    ).fetchone()
+
+    if not admin:
+        return False, "No admin user found"
+
+    # Reset password
+    new_hash = ph.hash(new_password)
+    db.execute(
+        "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
+        (new_hash, admin["id"]),
+    )
+    db.commit()
+
+    # Invalidate all sessions for this user
+    invalidate_user_sessions(admin["id"])
+
+    return True, f"Password reset for '{admin['username']}'"
+
+
+# =============================================================================
+# User Queries
+# =============================================================================
+
+
+def any_users_exist() -> bool:
+    """Check if any users have been created (for first-run detection)."""
+    db = get_db()
+    result = db.execute("SELECT 1 FROM users LIMIT 1").fetchone()
+    return result is not None
+
+
+def user_exists() -> bool:
+    """Alias for any_users_exist() for backwards compatibility."""
+    return any_users_exist()
+
+
+def get_user_count() -> int:
+    """Get total number of users."""
+    db = get_db()
+    result = db.execute("SELECT COUNT(*) FROM users").fetchone()
+    return result[0] if result else 0
+
+
+def get_non_admin_count() -> int:
+    """Get number of non-admin users."""
+    db = get_db()
+    result = db.execute("SELECT COUNT(*) FROM users WHERE role != 'admin'").fetchone()
+    return result[0] if result else 0
+
+
+def can_create_user() -> bool:
+    """Check if we can create more users (within limit)."""
+    return get_non_admin_count() < MAX_USERS
+
+
+def get_user_by_id(user_id: int) -> User | None:
+    """Get user by ID."""
+    db = get_db()
+    row = db.execute(
+        "SELECT id, username, role, created_at FROM users WHERE id = ?", (user_id,)
+    ).fetchone()
+    if row:
+        return User(
+            id=row["id"],
+            username=row["username"],
+            role=row["role"],
+            created_at=row["created_at"],
+        )
+    return None
+
+
+def get_user_by_username(username: str) -> User | None:
+    """Get user by username."""
+    db = get_db()
+    row = db.execute(
+        "SELECT id, username, role, created_at FROM users WHERE username = ?",
+        (username,),
+    ).fetchone()
+    if row:
+        return User(
+            id=row["id"],
+            username=row["username"],
+            role=row["role"],
+            created_at=row["created_at"],
+        )
+    return None
+
+
+def get_all_users() -> list[User]:
+    """Get all users, admins first, then by creation date."""
+    db = get_db()
+    rows = db.execute(
+        """
+        SELECT id, username, role, created_at FROM users
+        ORDER BY role = 'admin' DESC, created_at ASC
+        """
+    ).fetchall()
+    return [
+        User(
+            id=row["id"],
+            username=row["username"],
+            role=row["role"],
+            created_at=row["created_at"],
+        )
+        for row in rows
+    ]
+
+
+def get_current_user() -> User | None:
+    """Get the currently logged-in user from session."""
+    user_id = session.get("user_id")
+    if user_id:
+        return get_user_by_id(user_id)
+    return None
+
+
 def get_username() -> str:
-    """Get the admin username."""
-    db = get_db()
-    row = db.execute("SELECT username FROM admin_user WHERE id = 1").fetchone()
-    return row["username"] if row else "admin"
+    """Get current user's username (backwards compatibility)."""
+    user = get_current_user()
+    return user.username if user else "unknown"


-def verify_password(password: str) -> bool:
-    """Verify password against stored hash."""
+# =============================================================================
+# Authentication
+# =============================================================================
+
+
+def verify_user_password(username: str, password: str) -> User | None:
+    """
+    Verify password for a user.
+
+    Returns User if valid, None if invalid.
+    Also rehashes password if needed.
+    """
    db = get_db()
-    row = db.execute("SELECT password_hash FROM admin_user WHERE id = 1").fetchone()
+    row = db.execute(
+        "SELECT id, username, role, created_at, password_hash FROM users WHERE username = ?",
+        (username,),
+    ).fetchone()
+
    if not row:
-        return False
+        return None
+
    try:
        ph.verify(row["password_hash"], password)
+
        # Rehash if parameters changed
        if ph.check_needs_rehash(row["password_hash"]):
            new_hash = ph.hash(password)
            db.execute(
-                "UPDATE admin_user SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = 1",
-                (new_hash,),
+                "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
+                (new_hash, row["id"]),
            )
            db.commit()
-        return True
+
+        return User(
+            id=row["id"],
+            username=row["username"],
+            role=row["role"],
+            created_at=row["created_at"],
+        )
    except VerifyMismatchError:
+        return None
+
+
+def verify_password(password: str) -> bool:
+    """Verify password for current user (backwards compatibility)."""
+    user = get_current_user()
+    if not user:
        return False
-
-
-def change_password(current_password: str, new_password: str) -> tuple[bool, str]:
-    """Change admin password. Returns (success, message)."""
-    if not verify_password(current_password):
-        return False, "Current password is incorrect"
-
-    if len(new_password) < 8:
-        return False, "New password must be at least 8 characters"
-
-    new_hash = ph.hash(new_password)
-    db = get_db()
-    db.execute(
-        "UPDATE admin_user SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = 1",
-        (new_hash,),
-    )
-    db.commit()
-    return True, "Password changed successfully"
+    result = verify_user_password(user.username, password)
+    return result is not None


 def is_authenticated() -> bool:
    """Check if current session is authenticated."""
-    return session.get("authenticated", False)
+    return session.get("user_id") is not None
+
+
+def is_admin() -> bool:
+    """Check if current user is an admin."""
+    user = get_current_user()
+    return user.is_admin if user else False
+
+
+def login_user(user: User):
+    """Set up session for logged-in user."""
+    session["user_id"] = user.id
+    session["username"] = user.username
+    session["role"] = user.role
+    # Legacy compatibility
+    session["authenticated"] = True
+
+
+def logout_user():
+    """Clear session for logout."""
+    session.clear()
+
+
+# =============================================================================
+# User Management
+# =============================================================================
+
+
+def generate_temp_password(length: int = 8) -> str:
+    """Generate a random temporary password."""
+    alphabet = string.ascii_letters + string.digits
+    return "".join(secrets.choice(alphabet) for _ in range(length))
+
+
+def validate_username(username: str) -> tuple[bool, str]:
+    """
+    Validate username format.
+
+    Rules: 3-80 chars, alphanumeric + underscore/hyphen + @/. for email-style
+    """
+    if not username:
+        return False, "Username is required"
+
+    if len(username) < 3:
+        return False, "Username must be at least 3 characters"
+
+    if len(username) > 80:
+        return False, "Username must be at most 80 characters"
+
+    # Allow: alphanumeric, underscore, hyphen, @, . (for email-style)
+    allowed = set(string.ascii_letters + string.digits + "_-@.")
+    if not all(c in allowed for c in username):
+        return False, "Username can only contain letters, numbers, underscore, hyphen, @ and ."
+
+    # Must start with letter or number
+    if username[0] not in string.ascii_letters + string.digits:
+        return False, "Username must start with a letter or number"
+
+    return True, ""
+
+
+def validate_password(password: str) -> tuple[bool, str]:
+    """Validate password requirements."""
+    if not password:
+        return False, "Password is required"
+
+    if len(password) < 8:
+        return False, "Password must be at least 8 characters"
+
+    return True, ""
+
+
+def create_user(
+    username: str, password: str, role: str = ROLE_USER
+) -> tuple[bool, str, User | None]:
+    """
+    Create a new user.
+
+    Returns (success, message, user).
+    """
+    # Validate username
+    valid, msg = validate_username(username)
+    if not valid:
+        return False, msg, None
+
+    # Validate password
+    valid, msg = validate_password(password)
+    if not valid:
+        return False, msg, None
+
+    # Check if username already exists
+    if get_user_by_username(username):
+        return False, "Username already exists", None
+
+    # Check user limit (only for non-admin users)
+    if role != ROLE_ADMIN and not can_create_user():
+        return False, f"Maximum of {MAX_USERS} users reached", None
+
+    # Create user
+    password_hash = ph.hash(password)
+    db = get_db()
+
+    try:
+        cursor = db.execute(
+            """
+            INSERT INTO users (username, password_hash, role)
+            VALUES (?, ?, ?)
+            """,
+            (username, password_hash, role),
+        )
+        db.commit()
+
+        user = get_user_by_id(cursor.lastrowid)
+        return True, "User created successfully", user
+    except sqlite3.IntegrityError:
+        return False, "Username already exists", None
+
+
+def create_admin_user(username: str, password: str) -> tuple[bool, str]:
+    """Create the initial admin user (first-run setup)."""
+    if any_users_exist():
+        return False, "Admin user already exists"
+
+    success, msg, _ = create_user(username, password, ROLE_ADMIN)
+    return success, msg
+
+
+def change_password(
+    user_id: int, current_password: str, new_password: str
+) -> tuple[bool, str]:
+    """Change a user's password (requires current password)."""
+    user = get_user_by_id(user_id)
+    if not user:
+        return False, "User not found"
+
+    # Verify current password
+    if not verify_user_password(user.username, current_password):
+        return False, "Current password is incorrect"
+
+    # Validate new password
+    valid, msg = validate_password(new_password)
+    if not valid:
+        return False, msg
+
+    # Update password
+    new_hash = ph.hash(new_password)
+    db = get_db()
+    db.execute(
+        "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
+        (new_hash, user_id),
+    )
+    db.commit()
+
+    return True, "Password changed successfully"
+
+
+def reset_user_password(user_id: int, new_password: str) -> tuple[bool, str]:
+    """Reset a user's password (admin function, no current password required)."""
+    user = get_user_by_id(user_id)
+    if not user:
+        return False, "User not found"
+
+    # Validate new password
+    valid, msg = validate_password(new_password)
+    if not valid:
+        return False, msg
+
+    # Update password
+    new_hash = ph.hash(new_password)
+    db = get_db()
+    db.execute(
+        "UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?",
+        (new_hash, user_id),
+    )
+    db.commit()
+
+    # Invalidate user's sessions
+    invalidate_user_sessions(user_id)
+
+    return True, "Password reset successfully"
+
+
+def delete_user(user_id: int, current_user_id: int) -> tuple[bool, str]:
+    """
+    Delete a user.
+
+    Cannot delete yourself or the last admin.
+    """
+    if user_id == current_user_id:
+        return False, "Cannot delete yourself"
+
+    user = get_user_by_id(user_id)
+    if not user:
+        return False, "User not found"
+
+    # Check if this is the last admin
+    if user.role == ROLE_ADMIN:
+        db = get_db()
+        admin_count = db.execute(
+            "SELECT COUNT(*) FROM users WHERE role = 'admin'"
+        ).fetchone()[0]
+        if admin_count <= 1:
+            return False, "Cannot delete the last admin"
+
+    # Invalidate user's sessions before deletion
+    invalidate_user_sessions(user_id)
+
+    # Delete user
+    db = get_db()
+    db.execute("DELETE FROM users WHERE id = ?", (user_id,))
+    db.commit()
+
+    return True, f"User '{user.username}' deleted"
+
+
+def invalidate_user_sessions(user_id: int):
+    """
+    Invalidate all sessions for a user.
+
+    This is called when a user is deleted or their password is reset.
+    Since we use server-side sessions, we increment a "session version"
+    that's checked on each request.
+    """
+    # For Flask's default session (client-side), we can't truly invalidate.
+    # But we can add a check - store a "valid_from" timestamp in the DB
+    # and compare against session creation time.
+    #
+    # For now, we'll use a simpler approach: store invalidated user IDs
+    # in app config (memory) which gets checked by login_required.
+    #
+    # This works for single-process deployments (like RPi).
+    # For multi-process, would need Redis or DB-backed sessions.
+
+    if "invalidated_users" not in current_app.config:
+        current_app.config["invalidated_users"] = set()
+
+    current_app.config["invalidated_users"].add(user_id)
+
+
+def is_session_valid() -> bool:
+    """Check if current session is still valid (user not deleted/invalidated)."""
+    user_id = session.get("user_id")
+    if not user_id:
+        return False
+
+    # Check if user was invalidated
+    invalidated = current_app.config.get("invalidated_users", set())
+    if user_id in invalidated:
+        return False
+
+    # Check if user still exists
+    if not get_user_by_id(user_id):
+        return False
+
+    return True
+
+
+# =============================================================================
+# Channel Keys
+# =============================================================================
+
+
+@dataclass
+class ChannelKey:
+    """Saved channel key data class."""
+
+    id: int
+    user_id: int
+    name: str
+    channel_key: str
+    created_at: str
+    last_used_at: str | None
+
+
+def get_user_channel_keys(user_id: int) -> list[ChannelKey]:
+    """Get all saved channel keys for a user, most recently used first."""
+    db = get_db()
+    rows = db.execute(
+        """
+        SELECT id, user_id, name, channel_key, created_at, last_used_at
+        FROM user_channel_keys
+        WHERE user_id = ?
+        ORDER BY last_used_at DESC NULLS LAST, created_at DESC
+        """,
+        (user_id,),
+    ).fetchall()
+    return [
+        ChannelKey(
+            id=row["id"],
+            user_id=row["user_id"],
+            name=row["name"],
+            channel_key=row["channel_key"],
+            created_at=row["created_at"],
+            last_used_at=row["last_used_at"],
+        )
+        for row in rows
+    ]
+
+
+def get_channel_key_by_id(key_id: int, user_id: int) -> ChannelKey | None:
+    """Get a specific channel key (ensures user owns it)."""
+    db = get_db()
+    row = db.execute(
+        """
+        SELECT id, user_id, name, channel_key, created_at, last_used_at
+        FROM user_channel_keys
+        WHERE id = ? AND user_id = ?
+        """,
+        (key_id, user_id),
+    ).fetchone()
+    if row:
+        return ChannelKey(
+            id=row["id"],
+            user_id=row["user_id"],
+            name=row["name"],
+            channel_key=row["channel_key"],
+            created_at=row["created_at"],
+            last_used_at=row["last_used_at"],
+        )
+    return None
+
+
+def get_channel_key_count(user_id: int) -> int:
+    """Get count of saved channel keys for a user."""
+    db = get_db()
+    result = db.execute(
+        "SELECT COUNT(*) FROM user_channel_keys WHERE user_id = ?", (user_id,)
+    ).fetchone()
+    return result[0] if result else 0
+
+
+def can_save_channel_key(user_id: int) -> bool:
+    """Check if user can save more channel keys (within limit)."""
+    return get_channel_key_count(user_id) < MAX_CHANNEL_KEYS
+
+
+def save_channel_key(
+    user_id: int, name: str, channel_key: str
+) -> tuple[bool, str, ChannelKey | None]:
+    """
+    Save a channel key for a user.
+
+    Returns (success, message, key).
+    """
+    # Validate name
+    name = name.strip()
+    if not name:
+        return False, "Key name is required", None
+    if len(name) > 50:
+        return False, "Key name must be at most 50 characters", None
+
+    # Validate channel key format (hex string)
+    channel_key = channel_key.strip().lower()
+    if not channel_key:
+        return False, "Channel key is required", None
+    if not all(c in "0123456789abcdef" for c in channel_key):
+        return False, "Invalid channel key format", None
+
+    # Check limit
+    if not can_save_channel_key(user_id):
+        return False, f"Maximum of {MAX_CHANNEL_KEYS} saved keys reached", None
+
+    db = get_db()
+    try:
+        cursor = db.execute(
+            """
+            INSERT INTO user_channel_keys (user_id, name, channel_key)
+            VALUES (?, ?, ?)
+            """,
+            (user_id, name, channel_key),
+        )
+        db.commit()
+
+        key = get_channel_key_by_id(cursor.lastrowid, user_id)
+        return True, "Channel key saved", key
+    except sqlite3.IntegrityError:
+        return False, "This channel key is already saved", None
+
+
+def update_channel_key_name(
+    key_id: int, user_id: int, new_name: str
+) -> tuple[bool, str]:
+    """Update the name of a saved channel key."""
+    new_name = new_name.strip()
+    if not new_name:
+        return False, "Key name is required"
+    if len(new_name) > 50:
+        return False, "Key name must be at most 50 characters"
+
+    key = get_channel_key_by_id(key_id, user_id)
+    if not key:
+        return False, "Channel key not found"
+
+    db = get_db()
+    db.execute(
+        "UPDATE user_channel_keys SET name = ? WHERE id = ? AND user_id = ?",
+        (new_name, key_id, user_id),
+    )
+    db.commit()
+    return True, "Key name updated"
+
+
+def update_channel_key_last_used(key_id: int, user_id: int):
+    """Update the last_used_at timestamp for a channel key."""
+    db = get_db()
+    db.execute(
+        """
+        UPDATE user_channel_keys
+        SET last_used_at = CURRENT_TIMESTAMP
+        WHERE id = ? AND user_id = ?
+        """,
+        (key_id, user_id),
+    )
+    db.commit()
+
+
+def delete_channel_key(key_id: int, user_id: int) -> tuple[bool, str]:
+    """Delete a saved channel key."""
+    key = get_channel_key_by_id(key_id, user_id)
+    if not key:
+        return False, "Channel key not found"
+
+    db = get_db()
+    db.execute(
+        "DELETE FROM user_channel_keys WHERE id = ? AND user_id = ?",
+        (key_id, user_id),
+    )
+    db.commit()
+    return True, f"Key '{key.name}' deleted"
+
+
+# =============================================================================
+# Decorators
+# =============================================================================


 def login_required(f):
@@ -142,18 +915,62 @@ def login_required(f):
            return f(*args, **kwargs)

        # Check for first-run setup
-        if not user_exists():
+        if not any_users_exist():
            return redirect(url_for("setup"))

        # Check authentication
        if not is_authenticated():
            return redirect(url_for("login"))

+        # Check if session is still valid (user not deleted)
+        if not is_session_valid():
+            logout_user()
+            flash("Your session has expired. Please log in again.", "warning")
+            return redirect(url_for("login"))
+
        return f(*args, **kwargs)

    return decorated_function


+def admin_required(f):
+    """Decorator to require admin role for a route."""
+
+    @functools.wraps(f)
+    def decorated_function(*args, **kwargs):
+        # Check if auth is enabled
+        if not current_app.config.get("AUTH_ENABLED", True):
+            return f(*args, **kwargs)
+
+        # Check for first-run setup
+        if not any_users_exist():
+            return redirect(url_for("setup"))
+
+        # Check authentication
+        if not is_authenticated():
+            return redirect(url_for("login"))
+
+        # Check if session is still valid
+        if not is_session_valid():
+            logout_user()
+            flash("Your session has expired. Please log in again.", "warning")
+            return redirect(url_for("login"))
+
+        # Check admin role
+        if not is_admin():
+            flash("Admin access required", "error")
+            return redirect(url_for("index"))
+
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+
+# =============================================================================
+# App Initialization
+# =============================================================================
+
+
 def init_app(app):
    """Initialize auth module with Flask app."""
    app.teardown_appcontext(close_db)
--- a/frontends/web/ssl_utils.py
+++ b/frontends/web/ssl_utils.py
@@ -7,6 +7,7 @@ Uses cryptography library (already a dependency).

 import datetime
 import ipaddress
+import socket
 from pathlib import Path

 from cryptography import x509
@@ -15,6 +16,33 @@ from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.x509.oid import NameOID


+def _get_local_ips() -> list[str]:
+    """Get local IP addresses for this machine."""
+    ips = []
+    try:
+        # Get hostname and resolve to IP
+        hostname = socket.gethostname()
+        for addr_info in socket.getaddrinfo(hostname, None, socket.AF_INET):
+            ip = addr_info[4][0]
+            if ip not in ips and not ip.startswith("127."):
+                ips.append(ip)
+    except Exception:
+        pass
+
+    # Also try connecting to external to get primary interface IP
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        s.connect(("8.8.8.8", 80))
+        ip = s.getsockname()[0]
+        if ip not in ips:
+            ips.append(ip)
+        s.close()
+    except Exception:
+        pass
+
+    return ips
+
+
 def get_cert_paths(base_dir: Path) -> tuple[Path, Path]:
    """Get paths for cert and key files."""
    cert_dir = base_dir / "certs"
@@ -64,12 +92,26 @@ def generate_self_signed_cert(
        x509.DNSName("localhost"),
        x509.IPAddress(ipaddress.IPv4Address("127.0.0.1")),
    ]
+
+    # Add hostname.local for mDNS access
+    if not hostname.endswith(".local"):
+        san_list.append(x509.DNSName(f"{hostname}.local"))
+
    # Add the hostname as IP if it looks like one
    try:
        san_list.append(x509.IPAddress(ipaddress.IPv4Address(hostname)))
    except ipaddress.AddressValueError:
        pass

+    # Add local network IPs
+    for local_ip in _get_local_ips():
+        try:
+            ip_addr = ipaddress.IPv4Address(local_ip)
+            if x509.IPAddress(ip_addr) not in san_list:
+                san_list.append(x509.IPAddress(ip_addr))
+        except (ipaddress.AddressValueError, ValueError):
+            pass
+
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
--- a/frontends/web/static/js/auth.js
+++ b/frontends/web/static/js/auth.js
@@ -0,0 +1,142 @@
+/**
+ * Stegasoo Authentication Pages JavaScript
+ * Handles login, setup, account, and admin user management pages
+ */
+
+const StegasooAuth = {
+
+    // ========================================================================
+    // PASSWORD VISIBILITY TOGGLE
+    // ========================================================================
+
+    /**
+     * Toggle password field visibility
+     * @param {string} inputId - ID of the password input
+     * @param {HTMLElement} btn - The toggle button element
+     */
+    togglePassword(inputId, btn) {
+        const input = document.getElementById(inputId);
+        const icon = btn.querySelector('i');
+        if (!input) return;
+
+        if (input.type === 'password') {
+            input.type = 'text';
+            icon?.classList.replace('bi-eye', 'bi-eye-slash');
+        } else {
+            input.type = 'password';
+            icon?.classList.replace('bi-eye-slash', 'bi-eye');
+        }
+    },
+
+    // ========================================================================
+    // PASSWORD CONFIRMATION VALIDATION
+    // ========================================================================
+
+    /**
+     * Initialize password confirmation validation on a form
+     * @param {string} formId - ID of the form
+     * @param {string} passwordId - ID of the password field
+     * @param {string} confirmId - ID of the confirmation field
+     */
+    initPasswordConfirmation(formId, passwordId, confirmId) {
+        const form = document.getElementById(formId);
+        if (!form) return;
+
+        form.addEventListener('submit', function(e) {
+            const password = document.getElementById(passwordId)?.value;
+            const confirm = document.getElementById(confirmId)?.value;
+
+            if (password !== confirm) {
+                e.preventDefault();
+                alert('Passwords do not match');
+            }
+        });
+    },
+
+    // ========================================================================
+    // COPY TO CLIPBOARD
+    // ========================================================================
+
+    /**
+     * Copy field value to clipboard with visual feedback
+     * @param {string} fieldId - ID of the input field to copy
+     */
+    copyField(fieldId) {
+        const field = document.getElementById(fieldId);
+        if (!field) return;
+
+        field.select();
+        navigator.clipboard.writeText(field.value).then(() => {
+            const btn = field.nextElementSibling;
+            if (!btn) return;
+
+            const originalHTML = btn.innerHTML;
+            btn.innerHTML = '<i class="bi bi-check"></i>';
+            setTimeout(() => btn.innerHTML = originalHTML, 1000);
+        });
+    },
+
+    // ========================================================================
+    // PASSWORD GENERATION
+    // ========================================================================
+
+    /**
+     * Generate a random password
+     * @param {number} length - Password length (default 8)
+     * @returns {string} Generated password
+     */
+    generatePassword(length = 8) {
+        const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+        let password = '';
+        for (let i = 0; i < length; i++) {
+            password += chars.charAt(Math.floor(Math.random() * chars.length));
+        }
+        return password;
+    },
+
+    /**
+     * Regenerate password and update input field
+     * @param {string} inputId - ID of the password input
+     * @param {number} length - Password length
+     */
+    regeneratePassword(inputId = 'passwordInput', length = 8) {
+        const input = document.getElementById(inputId);
+        if (input) {
+            input.value = this.generatePassword(length);
+        }
+    },
+
+    // ========================================================================
+    // DELETE CONFIRMATION
+    // ========================================================================
+
+    /**
+     * Confirm deletion with a prompt
+     * @param {string} itemName - Name of item being deleted
+     * @param {string} formId - ID of the form to submit if confirmed
+     * @returns {boolean} True if confirmed
+     */
+    confirmDelete(itemName, formId = null) {
+        const confirmed = confirm(`Are you sure you want to delete "${itemName}"? This cannot be undone.`);
+        if (confirmed && formId) {
+            const form = document.getElementById(formId);
+            form?.submit();
+        }
+        return confirmed;
+    }
+};
+
+// Make togglePassword available globally for onclick handlers
+function togglePassword(inputId, btn) {
+    StegasooAuth.togglePassword(inputId, btn);
+}
+
+// Make copyField available globally for onclick handlers
+function copyField(fieldId) {
+    StegasooAuth.copyField(fieldId);
+}
+
+// Make regeneratePassword available globally for onclick handlers
+function regeneratePassword() {
+    StegasooAuth.regeneratePassword();
+}
--- a/frontends/web/static/js/generate.js
+++ b/frontends/web/static/js/generate.js
@@ -0,0 +1,279 @@
+/**
+ * Stegasoo Generate Page JavaScript
+ * Handles credential generation form and display
+ */
+
+const StegasooGenerate = {
+
+    // ========================================================================
+    // FORM CONTROLS
+    // ========================================================================
+
+    /**
+     * Initialize the words range slider
+     */
+    initWordsSlider() {
+        const wordsRange = document.getElementById('wordsRange');
+        const wordsValue = document.getElementById('wordsValue');
+
+        wordsRange?.addEventListener('input', function() {
+            const bits = this.value * 11;
+            wordsValue.textContent = `${this.value} words (~${bits} bits)`;
+        });
+    },
+
+    /**
+     * Initialize PIN/RSA option toggles
+     */
+    initOptionToggles() {
+        const usePinCheck = document.getElementById('usePinCheck');
+        const useRsaCheck = document.getElementById('useRsaCheck');
+        const pinOptions = document.getElementById('pinOptions');
+        const rsaOptions = document.getElementById('rsaOptions');
+        const rsaQrWarning = document.getElementById('rsaQrWarning');
+        const rsaBitsSelect = document.getElementById('rsaBitsSelect');
+
+        usePinCheck?.addEventListener('change', function() {
+            pinOptions?.classList.toggle('d-none', !this.checked);
+        });
+
+        useRsaCheck?.addEventListener('change', function() {
+            rsaOptions?.classList.toggle('d-none', !this.checked);
+        });
+
+        // RSA key size QR warning (>3072 bits)
+        rsaBitsSelect?.addEventListener('change', function() {
+            rsaQrWarning?.classList.toggle('d-none', parseInt(this.value) <= 3072);
+        });
+    },
+
+    // ========================================================================
+    // CREDENTIAL VISIBILITY
+    // ========================================================================
+
+    pinHidden: false,
+    passphraseHidden: false,
+
+    /**
+     * Toggle PIN visibility
+     */
+    togglePinVisibility() {
+        const pinDigits = document.getElementById('pinDigits');
+        const icon = document.getElementById('pinToggleIcon');
+        const text = document.getElementById('pinToggleText');
+
+        this.pinHidden = !this.pinHidden;
+        pinDigits?.classList.toggle('blurred', this.pinHidden);
+
+        if (icon) icon.className = this.pinHidden ? 'bi bi-eye' : 'bi bi-eye-slash';
+        if (text) text.textContent = this.pinHidden ? 'Show' : 'Hide';
+    },
+
+    /**
+     * Toggle passphrase visibility
+     */
+    togglePassphraseVisibility() {
+        const display = document.getElementById('passphraseDisplay');
+        const icon = document.getElementById('passphraseToggleIcon');
+        const text = document.getElementById('passphraseToggleText');
+
+        this.passphraseHidden = !this.passphraseHidden;
+        display?.classList.toggle('blurred', this.passphraseHidden);
+
+        if (icon) icon.className = this.passphraseHidden ? 'bi bi-eye' : 'bi bi-eye-slash';
+        if (text) text.textContent = this.passphraseHidden ? 'Show' : 'Hide';
+    },
+
+    // ========================================================================
+    // MEMORY AID STORY GENERATION
+    // ========================================================================
+
+    currentStoryTemplate: 0,
+
+    /**
+     * Story templates organized by word count (3-12 words supported)
+     */
+    storyTemplates: {
+        3: [
+            w => `The ${w[0]} ${w[1]} ${w[2]}.`,
+            w => `${w[0]} loves ${w[1]} and ${w[2]}.`,
+            w => `A ${w[0]} found a ${w[1]} near the ${w[2]}.`,
+            w => `${w[0]}, ${w[1]}, ${w[2]} — never forget.`,
+            w => `The ${w[0]} hid the ${w[1]} under the ${w[2]}.`,
+        ],
+        4: [
+            w => `${w[0]} and ${w[1]} discovered a ${w[2]} made of ${w[3]}.`,
+            w => `The ${w[0]} ${w[1]} ate ${w[2]} for ${w[3]}.`,
+            w => `In the ${w[0]}, a ${w[1]} met a ${w[2]} carrying ${w[3]}.`,
+            w => `${w[0]} said "${w[1]}" while holding a ${w[2]} ${w[3]}.`,
+            w => `The secret: ${w[0]}, ${w[1]}, ${w[2]}, ${w[3]}.`,
+        ],
+        5: [
+            w => `${w[0]} traveled to ${w[1]} seeking the ${w[2]} of ${w[3]} and ${w[4]}.`,
+            w => `The ${w[0]} ${w[1]} lived in a ${w[2]} house with ${w[3]} ${w[4]}.`,
+            w => `"${w[0]}!" shouted ${w[1]} as the ${w[2]} ${w[3]} flew toward ${w[4]}.`,
+            w => `Captain ${w[0]} sailed the ${w[1]} ${w[2]} searching for ${w[3]} ${w[4]}.`,
+            w => `In ${w[0]} kingdom, ${w[1]} guards protected the ${w[2]} ${w[3]} ${w[4]}.`,
+        ],
+        6: [
+            w => `${w[0]} met ${w[1]} at the ${w[2]}. Together they found ${w[3]}, ${w[4]}, and ${w[5]}.`,
+            w => `The ${w[0]} ${w[1]} wore a ${w[2]} hat while eating ${w[3]} ${w[4]} ${w[5]}.`,
+            w => `Detective ${w[0]} found ${w[1]} ${w[2]} near the ${w[3]} ${w[4]} ${w[5]}.`,
+            w => `In the ${w[0]} ${w[1]}, a ${w[2]} ${w[3]} sang about ${w[4]} ${w[5]}.`,
+            w => `Chef ${w[0]} combined ${w[1]}, ${w[2]}, ${w[3]}, ${w[4]}, and ${w[5]}.`,
+        ],
+        7: [
+            w => `${w[0]} and ${w[1]} walked through the ${w[2]} ${w[3]} to find the ${w[4]} ${w[5]} ${w[6]}.`,
+            w => `The ${w[0]} professor studied ${w[1]} ${w[2]} while drinking ${w[3]} ${w[4]} with ${w[5]} ${w[6]}.`,
+            w => `"${w[0]} ${w[1]}!" yelled ${w[2]} as ${w[3]} ${w[4]} attacked the ${w[5]} ${w[6]}.`,
+            w => `In ${w[0]}, King ${w[1]} decreed that ${w[2]} ${w[3]} must honor ${w[4]} ${w[5]} ${w[6]}.`,
+        ],
+        8: [
+            w => `${w[0]} ${w[1]} and ${w[2]} ${w[3]} met at the ${w[4]} ${w[5]} to discuss ${w[6]} ${w[7]}.`,
+            w => `The ${w[0]} ${w[1]} ${w[2]} traveled from ${w[3]} to ${w[4]} carrying ${w[5]} ${w[6]} ${w[7]}.`,
+            w => `${w[0]} discovered that ${w[1]} ${w[2]} plus ${w[3]} ${w[4]} equals ${w[5]} ${w[6]} ${w[7]}.`,
+        ],
+        9: [
+            w => `${w[0]} ${w[1]} ${w[2]} watched as ${w[3]} ${w[4]} ${w[5]} danced with ${w[6]} ${w[7]} ${w[8]}.`,
+            w => `In the ${w[0]} ${w[1]} ${w[2]}, three friends — ${w[3]}, ${w[4]}, ${w[5]} — found ${w[6]} ${w[7]} ${w[8]}.`,
+            w => `The recipe: ${w[0]}, ${w[1]}, ${w[2]}, ${w[3]}, ${w[4]}, ${w[5]}, ${w[6]}, ${w[7]}, ${w[8]}.`,
+        ],
+        10: [
+            w => `${w[0]} ${w[1]} told ${w[2]} ${w[3]} about the ${w[4]} ${w[5]} ${w[6]} hidden in ${w[7]} ${w[8]} ${w[9]}.`,
+            w => `The ${w[0]} ${w[1]} ${w[2]} ${w[3]} ${w[4]} lived beside ${w[5]} ${w[6]} ${w[7]} ${w[8]} ${w[9]}.`,
+        ],
+        11: [
+            w => `${w[0]} ${w[1]} ${w[2]} and ${w[3]} ${w[4]} ${w[5]} discovered ${w[6]} ${w[7]} ${w[8]} ${w[9]} ${w[10]}.`,
+            w => `In ${w[0]} ${w[1]}, the ${w[2]} ${w[3]} ${w[4]} sang of ${w[5]} ${w[6]} ${w[7]} ${w[8]} ${w[9]} ${w[10]}.`,
+        ],
+        12: [
+            w => `${w[0]} ${w[1]} ${w[2]} met ${w[3]} ${w[4]} ${w[5]} at the ${w[6]} ${w[7]} ${w[8]} ${w[9]} ${w[10]} ${w[11]}.`,
+            w => `The twelve treasures: ${w[0]}, ${w[1]}, ${w[2]}, ${w[3]}, ${w[4]}, ${w[5]}, ${w[6]}, ${w[7]}, ${w[8]}, ${w[9]}, ${w[10]}, ${w[11]}.`,
+        ],
+    },
+
+    /**
+     * Wrap word in highlight span
+     */
+    hl(word) {
+        return `<span class="passphrase-word">${word}</span>`;
+    },
+
+    /**
+     * Generate a memory story for given words
+     * @param {string[]} words - Array of passphrase words
+     * @param {number|null} idx - Template index (null for current)
+     * @returns {string} HTML story
+     */
+    generateStory(words, idx = null) {
+        const count = words.length;
+        if (count === 0) return '';
+
+        // Clamp to supported range (3-12)
+        const templateKey = Math.max(3, Math.min(12, count));
+        const templates = this.storyTemplates[templateKey];
+
+        if (!templates || templates.length === 0) {
+            // Fallback: just list the words
+            return words.map(w => this.hl(w)).join(' &mdash; ');
+        }
+
+        const templateIdx = (idx ?? this.currentStoryTemplate) % templates.length;
+        // Apply highlighting to words
+        const highlighted = words.map(w => this.hl(w));
+        return templates[templateIdx](highlighted);
+    },
+
+    /**
+     * Toggle memory aid visibility
+     * @param {string[]} words - Passphrase words array
+     */
+    toggleMemoryAid(words) {
+        const container = document.getElementById('memoryAidContainer');
+        const icon = document.getElementById('memoryAidIcon');
+        const text = document.getElementById('memoryAidText');
+
+        const isHidden = container?.classList.contains('d-none');
+        container?.classList.toggle('d-none', !isHidden);
+
+        if (icon) icon.className = isHidden ? 'bi bi-lightbulb-fill' : 'bi bi-lightbulb';
+        if (text) text.textContent = isHidden ? 'Hide Aid' : 'Memory Aid';
+
+        if (isHidden) {
+            document.getElementById('memoryStory').innerHTML = this.generateStory(words);
+        }
+    },
+
+    /**
+     * Regenerate story with next template
+     * @param {string[]} words - Passphrase words array
+     */
+    regenerateStory(words) {
+        const count = words.length;
+        const templateKey = Math.max(3, Math.min(12, count));
+        const templates = this.storyTemplates[templateKey] || [];
+        this.currentStoryTemplate = (this.currentStoryTemplate + 1) % Math.max(1, templates.length);
+        document.getElementById('memoryStory').innerHTML = this.generateStory(words, this.currentStoryTemplate);
+    },
+
+    // ========================================================================
+    // QR CODE PRINTING
+    // ========================================================================
+
+    /**
+     * Print QR code in new window
+     */
+    printQrCode() {
+        const qrImg = document.getElementById('qrCodeImage');
+        if (!qrImg) return;
+
+        const printWindow = window.open('', '_blank');
+        printWindow.document.write(`<!DOCTYPE html>
+<html>
+<head>
+    <title>QR Code</title>
+    <style>
+        body { display: flex; flex-direction: column; align-items: center; justify-content: center; min-height: 100vh; margin: 0; }
+        img { max-width: 400px; }
+    </style>
+</head>
+<body>
+    <img src="${qrImg.src}" alt="QR Code">
+    <script>window.onload = function() { window.print(); }<\/script>
+</body>
+</html>`);
+        printWindow.document.close();
+    },
+
+    // ========================================================================
+    // INITIALIZATION
+    // ========================================================================
+
+    /**
+     * Initialize generate form page
+     */
+    initForm() {
+        this.initWordsSlider();
+        this.initOptionToggles();
+    }
+};
+
+// Global function wrappers for onclick handlers
+function togglePinVisibility() {
+    StegasooGenerate.togglePinVisibility();
+}
+
+function togglePassphraseVisibility() {
+    StegasooGenerate.togglePassphraseVisibility();
+}
+
+function printQrCode() {
+    StegasooGenerate.printQrCode();
+}
+
+// Auto-init form controls
+document.addEventListener('DOMContentLoaded', () => {
+    if (document.querySelector('[data-page="generate"]')) {
+        StegasooGenerate.initForm();
+    }
+});
--- a/frontends/web/static/js/stegasoo.js
+++ b/frontends/web/static/js/stegasoo.js
@@ -99,6 +99,23 @@ const Stegasoo = {
                    }
                });
            }
+
+            // Make preview clickable to replace file
+            if (preview) {
+                preview.style.cursor = 'pointer';
+                preview.addEventListener('click', (e) => {
+                    e.stopPropagation();
+                    input.click();
+                });
+            }
+
+            // Make entire zone clickable (in case label/preview don't cover it)
+            zone.addEventListener('click', (e) => {
+                // Only trigger if not clicking directly on the input
+                if (e.target !== input) {
+                    input.click();
+                }
+            });
        });
    },
    
@@ -119,7 +136,11 @@ const Stegasoo = {
                if (isScanContainer || isPixelContainer) {
                    labelEl.classList.add('d-none');
                } else {
-                    labelEl.innerHTML = '<i class="bi bi-check-circle text-success me-1"></i>' + file.name;
+                    labelEl.textContent = '';
+                    const icon = document.createElement('i');
+                    icon.className = 'bi bi-check-circle text-success me-1';
+                    labelEl.appendChild(icon);
+                    labelEl.appendChild(document.createTextNode(file.name));
                }
            }
            
@@ -580,6 +601,17 @@ const Stegasoo = {
                        <span>No QR code detected</span>
                    `;
                }
+
+                // Reset after delay so user can try again
+                setTimeout(() => {
+                    container.classList.remove('error');
+                    container.classList.add('d-none');
+                    label?.classList.remove('d-none');
+                    // Clear the file input so same file can be re-selected
+                    input.value = '';
+                    // Remove loader
+                    if (loader) loader.remove();
+                }, 2000);
            });
        });
    },
@@ -761,18 +793,43 @@ const Stegasoo = {
        const customInputId = config.customInputId || 'channelCustomInput';
        const keyInputId = config.keyInputId || 'channelKeyInput';
        const generateBtnId = config.generateBtnId;
+        const serverInfoId = config.serverInfoId || 'channelServerInfo';

        const select = document.getElementById(selectId);
        const customInput = document.getElementById(customInputId);
        const keyInput = document.getElementById(keyInputId);
        const generateBtn = generateBtnId ? document.getElementById(generateBtnId) : null;
+        const serverInfo = document.getElementById(serverInfoId);

-        // Show/hide custom input based on selection
+        // Show/hide custom input and server info based on selection
        const updateVisibility = () => {
-            const isCustom = select?.value === 'custom';
+            const value = select?.value;
+            const isCustom = value === 'custom';
+            const isPublic = value === 'none';
+            const isAuto = value === 'auto';
+
+            // Custom input visibility
            customInput?.classList.toggle('d-none', !isCustom);
            if (isCustom && keyInput) {
                keyInput.focus();
+                // Pulse highlight effect
+                customInput?.classList.add('channel-highlight');
+                setTimeout(() => customInput?.classList.remove('channel-highlight'), 400);
+            }
+
+            // Server info: show for auto, hide for custom, show "no key" for public
+            if (serverInfo) {
+                if (isAuto) {
+                    serverInfo.innerHTML = '<i class="bi bi-shield-lock me-1"></i>Server: <code>' + (serverInfo.dataset.fingerprint || '••••-••••-···-••••-••••') + '</code>';
+                    serverInfo.className = 'small text-success mt-2';
+                    serverInfo.classList.remove('d-none');
+                } else if (isPublic) {
+                    serverInfo.innerHTML = '<i class="bi bi-globe me-1"></i>No channel key will be used';
+                    serverInfo.className = 'small text-muted mt-2';
+                    serverInfo.classList.remove('d-none');
+                } else {
+                    serverInfo.classList.add('d-none');
+                }
            }
        };

@@ -815,6 +872,14 @@ const Stegasoo = {
            // Set the select value to the actual key for form submission
            select.value = keyInput.value;
        }
+
+        // Track saved key usage (fire-and-forget)
+        const selectedOption = select?.selectedOptions?.[0];
+        const keyId = selectedOption?.dataset?.keyId;
+        if (keyId) {
+            fetch(`/api/channel/keys/${keyId}/use`, { method: 'POST' }).catch(() => {});
+        }
+
        return true;
    },
    
@@ -851,6 +916,574 @@ const Stegasoo = {
        });
    },
    
+    // ========================================================================
+    // ASYNC ENCODE WITH PROGRESS (v4.1.2)
+    // ========================================================================
+
+    /**
+     * Submit encode form asynchronously with progress tracking
+     * @param {HTMLFormElement} form - The encode form
+     * @param {HTMLElement} btn - The submit button
+     */
+    async submitEncodeAsync(form, btn) {
+        const formData = new FormData(form);
+        formData.append('async', 'true');
+
+        // Show progress modal
+        this.showProgressModal('Encoding');
+
+        try {
+            // Start encode job
+            const response = await fetch('/encode', {
+                method: 'POST',
+                body: formData,
+            });
+
+            if (!response.ok) {
+                throw new Error('Failed to start encode');
+            }
+
+            const result = await response.json();
+
+            if (result.error) {
+                throw new Error(result.error);
+            }
+
+            const jobId = result.job_id;
+
+            // Poll for progress
+            await this.pollEncodeProgress(jobId);
+
+        } catch (error) {
+            this.hideProgressModal();
+            alert('Encode failed: ' + error.message);
+            btn.disabled = false;
+            btn.innerHTML = '<i class="bi bi-lock-fill me-2"></i>Encode';
+        }
+    },
+
+    /**
+     * Poll encode progress until complete
+     * @param {string} jobId - The job ID
+     */
+    async pollEncodeProgress(jobId) {
+        const progressBar = document.getElementById('progressBar');
+        const progressText = document.getElementById('progressText');
+        const phaseText = document.getElementById('progressPhase');
+
+        const poll = async () => {
+            try {
+                // Check status first
+                const statusResponse = await fetch(`/encode/status/${jobId}`);
+                const statusData = await statusResponse.json();
+
+                if (statusData.status === 'complete') {
+                    // Done - redirect to result
+                    this.updateProgress(100, 'Complete!');
+                    setTimeout(() => {
+                        window.location.href = `/encode/result/${statusData.file_id}`;
+                    }, 500);
+                    return;
+                }
+
+                if (statusData.status === 'error') {
+                    throw new Error(statusData.error || 'Encode failed');
+                }
+
+                // Get progress
+                const progressResponse = await fetch(`/encode/progress/${jobId}`);
+                const progressData = await progressResponse.json();
+
+                const percent = progressData.percent || 0;
+                const phase = progressData.phase || 'processing';
+
+                this.updateProgress(percent, this.formatPhase(phase));
+
+                // Continue polling
+                setTimeout(poll, 500);
+
+            } catch (error) {
+                this.hideProgressModal();
+                alert('Encode failed: ' + error.message);
+            }
+        };
+
+        await poll();
+    },
+
+    /**
+     * Format phase name for display
+     */
+    formatPhase(phase) {
+        const phases = {
+            'starting': 'Starting...',
+            'initializing': 'Initializing...',
+            'embedding': 'Embedding data...',
+            'saving': 'Saving image...',
+            'finalizing': 'Finalizing...',
+            'complete': 'Complete!',
+        };
+        return phases[phase] || phase;
+    },
+
+    /**
+     * Show progress modal
+     */
+    showProgressModal(operation = 'Processing') {
+        // Create modal if doesn't exist
+        let modal = document.getElementById('progressModal');
+        if (!modal) {
+            modal = document.createElement('div');
+            modal.id = 'progressModal';
+            modal.className = 'modal fade';
+            modal.setAttribute('data-bs-backdrop', 'static');
+            modal.setAttribute('data-bs-keyboard', 'false');
+            modal.innerHTML = `
+                <div class="modal-dialog modal-dialog-centered">
+                    <div class="modal-content bg-dark text-light">
+                        <div class="modal-body p-4">
+                            <h5 class="mb-3" id="progressTitle">${operation}...</h5>
+                            <div class="progress mb-2" style="height: 24px;">
+                                <div id="progressBar" class="progress-bar progress-bar-striped progress-bar-animated bg-success"
+                                     role="progressbar" style="width: 0%"></div>
+                            </div>
+                            <div class="d-flex justify-content-between text-muted small">
+                                <span id="progressPhase">Initializing...</span>
+                                <span id="progressText">0%</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            `;
+            document.body.appendChild(modal);
+        }
+
+        // Reset progress
+        this.updateProgress(0, 'Initializing...');
+
+        // Show modal
+        const bsModal = new bootstrap.Modal(modal);
+        bsModal.show();
+    },
+
+    /**
+     * Hide progress modal
+     */
+    hideProgressModal() {
+        const modal = document.getElementById('progressModal');
+        if (modal) {
+            const bsModal = bootstrap.Modal.getInstance(modal);
+            bsModal?.hide();
+        }
+    },
+
+    /**
+     * Update progress bar and text
+     */
+    updateProgress(percent, phase) {
+        const progressBar = document.getElementById('progressBar');
+        const progressText = document.getElementById('progressText');
+        const phaseText = document.getElementById('progressPhase');
+
+        if (progressBar) progressBar.style.width = percent + '%';
+        if (progressText) progressText.textContent = Math.round(percent) + '%';
+        if (phaseText) phaseText.textContent = phase;
+    },
+
+    // ========================================================================
+    // ASYNC DECODE WITH PROGRESS (v4.1.5)
+    // ========================================================================
+
+    /**
+     * Submit decode form asynchronously with progress tracking
+     * @param {HTMLFormElement} form - The decode form
+     * @param {HTMLElement} btn - The submit button
+     */
+    async submitDecodeAsync(form, btn) {
+        const formData = new FormData(form);
+        formData.append('async', 'true');
+
+        // Show progress modal
+        this.showProgressModal('Decoding');
+
+        try {
+            // Start decode job
+            const response = await fetch('/decode', {
+                method: 'POST',
+                body: formData,
+            });
+
+            if (!response.ok) {
+                throw new Error('Failed to start decode');
+            }
+
+            const result = await response.json();
+
+            if (result.error) {
+                throw new Error(result.error);
+            }
+
+            const jobId = result.job_id;
+
+            // Poll for progress
+            await this.pollDecodeProgress(jobId);
+
+        } catch (error) {
+            this.hideProgressModal();
+            alert('Decode failed: ' + error.message);
+            btn.disabled = false;
+            btn.innerHTML = '<i class="bi bi-unlock-fill me-2"></i>Decode';
+        }
+    },
+
+    /**
+     * Poll decode progress until complete
+     * @param {string} jobId - The job ID
+     */
+    async pollDecodeProgress(jobId) {
+        const poll = async () => {
+            try {
+                // Check status first
+                const statusResponse = await fetch(`/decode/status/${jobId}`);
+                const statusData = await statusResponse.json();
+
+                if (statusData.status === 'complete') {
+                    // Done - redirect to result page
+                    this.updateProgress(100, 'Complete!');
+                    setTimeout(() => {
+                        window.location.href = `/decode/result/${jobId}`;
+                    }, 500);
+                    return;
+                }
+
+                if (statusData.status === 'error') {
+                    // Handle specific error types
+                    const errorType = statusData.error_type;
+                    let errorMsg = statusData.error || 'Decode failed';
+
+                    if (errorType === 'DecryptionError' || errorMsg.toLowerCase().includes('decrypt')) {
+                        errorMsg = 'Wrong credentials. Double-check your reference photo, passphrase, PIN, and channel key.';
+                    }
+
+                    throw new Error(errorMsg);
+                }
+
+                // Get progress
+                const progressResponse = await fetch(`/decode/progress/${jobId}`);
+                const progressData = await progressResponse.json();
+
+                const percent = progressData.percent || 0;
+                const phase = progressData.phase || 'processing';
+
+                this.updateProgress(percent, this.formatDecodePhase(phase));
+
+                // Continue polling
+                setTimeout(poll, 500);
+
+            } catch (error) {
+                this.hideProgressModal();
+                alert(error.message);
+            }
+        };
+
+        await poll();
+    },
+
+    /**
+     * Format decode phase name for display
+     */
+    formatDecodePhase(phase) {
+        const phases = {
+            'starting': 'Starting...',
+            'reading': 'Reading image...',
+            'extracting': 'Extracting data...',
+            'decrypting': 'Decrypting...',
+            'verifying': 'Verifying...',
+            'finalizing': 'Finalizing...',
+            'complete': 'Complete!',
+        };
+        return phases[phase] || phase;
+    },
+
+    // ========================================================================
+    // WEBCAM QR SCANNING (v4.1.5)
+    // ========================================================================
+
+    /**
+     * Active scanner instance
+     */
+    _qrScanner: null,
+    _qrScannerModal: null,
+    _qrScannerCallback: null,
+
+    /**
+     * Show webcam QR scanner modal
+     * @param {Function} onSuccess - Callback with decoded QR text
+     * @param {string} title - Modal title
+     */
+    showQrScanner(onSuccess, title = 'Scan QR Code') {
+        this._qrScannerCallback = onSuccess;
+
+        // Create modal if doesn't exist
+        let modal = document.getElementById('qrScannerModal');
+        if (!modal) {
+            modal = document.createElement('div');
+            modal.id = 'qrScannerModal';
+            modal.className = 'modal fade';
+            modal.innerHTML = `
+                <div class="modal-dialog modal-dialog-centered">
+                    <div class="modal-content bg-dark text-light">
+                        <div class="modal-header border-secondary">
+                            <h5 class="modal-title">
+                                <i class="bi bi-camera-video me-2"></i>
+                                <span id="qrScannerTitle">${title}</span>
+                            </h5>
+                            <button type="button" class="btn-close btn-close-white" data-bs-dismiss="modal"></button>
+                        </div>
+                        <div class="modal-body p-0">
+                            <div id="qrScannerReader" style="width: 100%;"></div>
+                            <div id="qrScannerStatus" class="text-center py-3 text-muted">
+                                <i class="bi bi-qr-code-scan me-2"></i>
+                                Point camera at QR code
+                            </div>
+                        </div>
+                        <div class="modal-footer border-secondary">
+                            <button type="button" class="btn btn-primary" id="qrCaptureBtn">
+                                <i class="bi bi-camera me-1"></i>Capture
+                            </button>
+                            <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+                        </div>
+                    </div>
+                </div>
+            `;
+            document.body.appendChild(modal);
+
+            // Clean up scanner when modal hides
+            modal.addEventListener('hidden.bs.modal', () => {
+                this.stopQrScanner();
+            });
+
+            // Manual capture button
+            modal.querySelector('#qrCaptureBtn')?.addEventListener('click', () => {
+                this.captureQrFrame();
+            });
+        }
+
+        // Update title
+        const titleEl = modal.querySelector('#qrScannerTitle');
+        if (titleEl) titleEl.textContent = title;
+
+        // Reset status
+        const statusEl = modal.querySelector('#qrScannerStatus');
+        if (statusEl) {
+            statusEl.innerHTML = '<i class="bi bi-qr-code-scan me-2"></i>Point camera at QR code';
+            statusEl.className = 'text-center py-3 text-muted';
+        }
+
+        // Show modal
+        this._qrScannerModal = new bootstrap.Modal(modal);
+        this._qrScannerModal.show();
+
+        // Start scanner after modal is shown
+        modal.addEventListener('shown.bs.modal', () => {
+            this.startQrScanner();
+        }, { once: true });
+    },
+
+    /**
+     * Start the QR scanner
+     */
+    startQrScanner() {
+        const readerEl = document.getElementById('qrScannerReader');
+        if (!readerEl) return;
+
+        // Check if Html5Qrcode is available
+        if (typeof Html5Qrcode === 'undefined') {
+            console.error('Html5Qrcode library not loaded');
+            const statusEl = document.getElementById('qrScannerStatus');
+            if (statusEl) {
+                statusEl.innerHTML = '<i class="bi bi-exclamation-triangle text-warning me-2"></i>QR scanner not available';
+            }
+            return;
+        }
+
+        this._qrScanner = new Html5Qrcode('qrScannerReader');
+
+        const config = {
+            fps: 10,
+            qrbox: { width: 250, height: 250 },
+            aspectRatio: 1.0,
+        };
+
+        this._qrScanner.start(
+            { facingMode: 'environment' }, // Prefer back camera
+            config,
+            (decodedText, decodedResult) => {
+                // QR code detected
+                this.onQrCodeDetected(decodedText);
+            },
+            (errorMessage) => {
+                // Scan error (ignore, keep scanning)
+            }
+        ).catch((err) => {
+            console.error('Failed to start scanner:', err);
+            const statusEl = document.getElementById('qrScannerStatus');
+            if (statusEl) {
+                if (err.toString().includes('Permission')) {
+                    statusEl.innerHTML = '<i class="bi bi-camera-video-off text-danger me-2"></i>Camera permission denied';
+                } else {
+                    statusEl.innerHTML = '<i class="bi bi-exclamation-triangle text-warning me-2"></i>Could not access camera';
+                }
+                statusEl.className = 'text-center py-3';
+            }
+        });
+    },
+
+    /**
+     * Capture a frame with countdown and try to decode
+     */
+    captureQrFrame() {
+        const statusEl = document.getElementById('qrScannerStatus');
+        const captureBtn = document.getElementById('qrCaptureBtn');
+        if (!statusEl || !this._qrScanner) return;
+
+        // Disable button during countdown
+        if (captureBtn) captureBtn.disabled = true;
+
+        let count = 3;
+        const countdown = () => {
+            if (count > 0) {
+                statusEl.innerHTML = `<i class="bi bi-camera me-2"></i><span style="font-size: 1.5rem; font-weight: bold;">${count}</span>`;
+                statusEl.className = 'text-center py-3 text-warning';
+                count--;
+                setTimeout(countdown, 1000);
+            } else {
+                // Capture!
+                statusEl.innerHTML = '<i class="bi bi-hourglass-split me-2"></i>Analyzing...';
+                statusEl.className = 'text-center py-3 text-info';
+
+                // Get video element and capture frame
+                const video = document.querySelector('#qrScannerReader video');
+                if (video) {
+                    const canvas = document.createElement('canvas');
+                    canvas.width = video.videoWidth;
+                    canvas.height = video.videoHeight;
+                    const ctx = canvas.getContext('2d');
+                    ctx.drawImage(video, 0, 0);
+
+                    // Stop the scanner before file scan (prevents conflicts)
+                    const scanner = this._qrScanner;
+                    scanner.stop().then(() => {
+                        canvas.toBlob((blob) => {
+                            const file = new File([blob], 'capture.png', { type: 'image/png' });
+                            scanner.scanFile(file, true)
+                                .then((decodedText) => {
+                                    this.onQrCodeDetected(decodedText);
+                                })
+                                .catch((err) => {
+                                    statusEl.innerHTML = '<i class="bi bi-x-circle text-danger me-2"></i>No QR code found. Try again.';
+                                    statusEl.className = 'text-center py-3 text-danger';
+                                    if (captureBtn) captureBtn.disabled = false;
+                                    // Restart the scanner
+                                    this.startQrScanner();
+                                });
+                        }, 'image/png');
+                    }).catch(() => {
+                        statusEl.innerHTML = '<i class="bi bi-x-circle text-danger me-2"></i>Scanner error';
+                        statusEl.className = 'text-center py-3 text-danger';
+                        if (captureBtn) captureBtn.disabled = false;
+                    });
+                } else {
+                    statusEl.innerHTML = '<i class="bi bi-x-circle text-danger me-2"></i>Camera not ready';
+                    statusEl.className = 'text-center py-3 text-danger';
+                    if (captureBtn) captureBtn.disabled = false;
+                }
+            }
+        };
+        countdown();
+    },
+
+    /**
+     * Stop the QR scanner
+     */
+    stopQrScanner() {
+        if (this._qrScanner) {
+            this._qrScanner.stop().then(() => {
+                this._qrScanner.clear();
+                this._qrScanner = null;
+            }).catch((err) => {
+                console.log('Scanner stop error:', err);
+            });
+        }
+    },
+
+    /**
+     * Handle detected QR code
+     * @param {string} text - Decoded QR text
+     */
+    onQrCodeDetected(text) {
+        // Update status
+        const statusEl = document.getElementById('qrScannerStatus');
+        if (statusEl) {
+            statusEl.innerHTML = '<i class="bi bi-check-circle text-success me-2"></i>QR code detected!';
+            statusEl.className = 'text-center py-3 text-success';
+        }
+
+        // Close modal after brief delay
+        setTimeout(() => {
+            this._qrScannerModal?.hide();
+
+            // Call callback
+            if (this._qrScannerCallback) {
+                this._qrScannerCallback(text);
+            }
+        }, 500);
+    },
+
+    /**
+     * Add camera scan button to an input field
+     * @param {string} inputId - ID of the input field
+     * @param {string} title - Modal title
+     * @param {Function} validator - Optional validation function for scanned text
+     */
+    addCameraScanButton(inputId, title = 'Scan QR Code', validator = null) {
+        const input = document.getElementById(inputId);
+        if (!input) return;
+
+        // Create button
+        const btn = document.createElement('button');
+        btn.type = 'button';
+        btn.className = 'btn btn-outline-secondary';
+        btn.innerHTML = '<i class="bi bi-camera"></i>';
+        btn.title = 'Scan QR code with camera';
+
+        btn.addEventListener('click', () => {
+            this.showQrScanner((text) => {
+                // Validate if validator provided
+                if (validator && !validator(text)) {
+                    alert('Invalid QR code format');
+                    return;
+                }
+                // Set input value
+                input.value = text;
+                // Trigger input event for formatting
+                input.dispatchEvent(new Event('input', { bubbles: true }));
+            }, title);
+        });
+
+        // Wrap input in input-group if not already
+        const parent = input.parentElement;
+        if (!parent.classList.contains('input-group')) {
+            const wrapper = document.createElement('div');
+            wrapper.className = 'input-group';
+            parent.insertBefore(wrapper, input);
+            wrapper.appendChild(input);
+            wrapper.appendChild(btn);
+        } else {
+            parent.appendChild(btn);
+        }
+    },
+
    // ========================================================================
    // INITIALIZATION HELPERS
    // ========================================================================
@@ -872,18 +1505,56 @@ const Stegasoo = {
            generateBtnId: 'channelKeyGenerate'
        });

-        // Form submission with channel key validation
+        // Webcam QR scanning for channel key (v4.1.5)
+        document.getElementById('channelKeyScan')?.addEventListener('click', () => {
+            this.showQrScanner((text) => {
+                const input = document.getElementById('channelKeyInput');
+                if (input) {
+                    const clean = text.replace(/[^A-Za-z0-9]/g, '').toUpperCase();
+                    input.value = clean.length === 32 ? clean.match(/.{4}/g).join('-') : text.toUpperCase();
+                    input.dispatchEvent(new Event('input', { bubbles: true }));
+                }
+            }, 'Scan Channel Key');
+        });
+
+        // Webcam QR scanning for RSA key (v4.1.5)
+        document.getElementById('rsaQrWebcam')?.addEventListener('click', () => {
+            this.showQrScanner((text) => {
+                // Check for raw PEM or compressed format (STEGASOO-Z: prefix)
+                const isRawPem = text.includes('-----BEGIN') && text.includes('KEY-----');
+                const isCompressed = text.startsWith('STEGASOO-Z:');
+                if (isRawPem || isCompressed) {
+                    // Valid RSA key data scanned
+                    document.getElementById('rsaKeyPem').value = text;
+                    // Show success in drop zone
+                    const dropZone = document.getElementById('qrDropZone');
+                    const label = dropZone?.querySelector('.drop-zone-label');
+                    if (label) {
+                        label.innerHTML = '<i class="bi bi-check-circle text-success fs-4 d-block mb-1"></i><span class="text-success small">RSA Key scanned successfully</span>';
+                    }
+                } else {
+                    alert('QR code does not contain a valid RSA key');
+                }
+            }, 'Scan RSA Key QR');
+        });
+
+        // Form submission with async progress tracking (v4.1.2)
        const form = document.getElementById('encodeForm');
        const btn = document.getElementById('encodeBtn');
        form?.addEventListener('submit', (e) => {
-            if (!this.validateChannelKeyOnSubmit(form, 'channelSelect', 'channelKeyInput')) {
            e.preventDefault();
+
+            if (!this.validateChannelKeyOnSubmit(form, 'channelSelect', 'channelKeyInput')) {
                return false;
            }
+
            if (btn) {
                btn.disabled = true;
-                btn.innerHTML = '<span class="spinner-border spinner-border-sm me-2"></span>Encoding...';
+                btn.innerHTML = '<span class="spinner-border spinner-border-sm me-2"></span>Starting...';
            }
+
+            // Use async submission with progress tracking
+            this.submitEncodeAsync(form, btn);
        });
    },
    
@@ -892,7 +1563,7 @@ const Stegasoo = {
        this.initRsaMethodToggle();
        this.initDropZones();
        this.initClipboardPaste(['input[name="stego_image"]', 'input[name="reference_photo"]']);
-        this.initQrCropAnimation('rsaKeyQrInput');
+        this.initQrCropAnimation('rsaQrInput');
        this.initCollapseChevrons();
        this.initPassphraseFontResize();
        
@@ -900,22 +1571,60 @@ const Stegasoo = {
        this.initChannelKey({
            selectId: 'channelSelectDec',
            customInputId: 'channelCustomInputDec',
-            keyInputId: 'channelKeyInputDec'
+            keyInputId: 'channelKeyInputDec',
+            serverInfoId: 'channelServerInfoDec'
        });

-        // Form submission with channel key validation and mode display
+        // Webcam QR scanning for channel key (v4.1.5)
+        document.getElementById('channelKeyScanDec')?.addEventListener('click', () => {
+            this.showQrScanner((text) => {
+                const input = document.getElementById('channelKeyInputDec');
+                if (input) {
+                    const clean = text.replace(/[^A-Za-z0-9]/g, '').toUpperCase();
+                    input.value = clean.length === 32 ? clean.match(/.{4}/g).join('-') : text.toUpperCase();
+                    input.dispatchEvent(new Event('input', { bubbles: true }));
+                }
+            }, 'Scan Channel Key');
+        });
+
+        // Webcam QR scanning for RSA key (v4.1.5)
+        document.getElementById('rsaQrWebcam')?.addEventListener('click', () => {
+            this.showQrScanner((text) => {
+                // Check for raw PEM or compressed format (STEGASOO-Z: prefix)
+                const isRawPem = text.includes('-----BEGIN') && text.includes('KEY-----');
+                const isCompressed = text.startsWith('STEGASOO-Z:');
+                if (isRawPem || isCompressed) {
+                    // Valid RSA key data scanned
+                    document.getElementById('rsaKeyPem').value = text;
+                    // Show success in drop zone
+                    const dropZone = document.getElementById('qrDropZone');
+                    const label = dropZone?.querySelector('.drop-zone-label');
+                    if (label) {
+                        label.innerHTML = '<i class="bi bi-check-circle text-success fs-4 d-block mb-1"></i><span class="text-success small">RSA Key scanned successfully</span>';
+                    }
+                } else {
+                    alert('QR code does not contain a valid RSA key');
+                }
+            }, 'Scan RSA Key QR');
+        });
+
+        // Form submission with async progress tracking (v4.1.5)
        const form = document.getElementById('decodeForm');
        const btn = document.getElementById('decodeBtn');
        form?.addEventListener('submit', (e) => {
-            if (!this.validateChannelKeyOnSubmit(form, 'channelSelectDec', 'channelKeyInputDec')) {
            e.preventDefault();
+
+            if (!this.validateChannelKeyOnSubmit(form, 'channelSelectDec', 'channelKeyInputDec')) {
                return false;
            }
-            const selectedMode = document.querySelector('input[name="embed_mode"]:checked')?.value || 'auto';
+
            if (btn) {
                btn.disabled = true;
-                btn.innerHTML = `<span class="spinner-border spinner-border-sm me-2"></span>Decoding (${selectedMode.toUpperCase()})...`;
+                btn.innerHTML = '<span class="spinner-border spinner-border-sm me-2"></span>Starting...';
            }
+
+            // Use async submission with progress tracking
+            this.submitDecodeAsync(form, btn);
        });
    },
    
--- a/frontends/web/static/style.css
+++ b/frontends/web/static/style.css
@@ -6,8 +6,8 @@
   CSS Variables
   ---------------------------------------------------------------------------- */
 :root {
-    --gradient-start: #667eea;
-    --gradient-end: #764ba2;
+    --gradient-start: #4a2860;
+    --gradient-end: #5570d4;
    --bg-dark-1: #1a1a2e;
    --bg-dark-2: #16213e;
    --bg-dark-3: #0f3460;
@@ -16,6 +16,7 @@
    --overlay-dark: rgba(0, 0, 0, 0.3);
    --overlay-light: rgba(255, 255, 255, 0.05);
    --day-highlight: #E3FF54; /* Bright yellow/green for day of week */
+    --header-gold: #fee862; /* Halfway between light straw and 24k gold */
 }

 /* ----------------------------------------------------------------------------
@@ -140,6 +141,67 @@ body {
    border-bottom: none;
 }

+.card-header h5 {
+    color: var(--header-gold);
+    text-shadow: 0 1px 2px rgba(0, 0, 0, 0.33);
+}
+
+.title-gold {
+    color: var(--header-gold);
+    text-shadow: 0 2px 6px rgba(0, 0, 0, 0.55);
+}
+
+/* Two-choice toggle buttons - gradient-matched colors + equal width */
+.btn-group .btn-outline-primary,
+.btn-group .btn-outline-secondary {
+    flex: 1 1 0;
+    transition: all 0.2s ease;
+}
+.btn-group .btn-outline-primary:hover,
+.btn-group .btn-outline-secondary:hover {
+    background-color: rgba(255, 255, 255, 0.08);
+}
+
+/* Channel key highlight pulse */
+.channel-highlight {
+    animation: channel-pulse 0.4s ease;
+}
+@keyframes channel-pulse {
+    0% { box-shadow: 0 0 0 0 rgba(254, 232, 98, 0); }
+    20% { box-shadow: 0 0 9px 1px rgba(254, 232, 98, 0.19); }
+    40% { box-shadow: 0 0 9px 1px rgba(254, 232, 98, 0.19); }
+    100% { box-shadow: 0 0 0 0 rgba(254, 232, 98, 0); }
+}
+.btn-group .btn-outline-primary:first-of-type,
+.btn-group .btn-outline-secondary:first-of-type {
+    color: #6b4d8a;
+    border-color: #6b4d8a;
+    border-right: 1px dashed rgba(255, 255, 255, 0.2);
+}
+.btn-group .btn-outline-primary:last-of-type,
+.btn-group .btn-outline-secondary:last-of-type {
+    color: #4a62a8;
+    border-color: #4a62a8;
+}
+.btn-group .btn-check:checked + .btn-outline-primary:first-of-type,
+.btn-group .btn-check:checked + .btn-outline-secondary:first-of-type {
+    background-color: #6b4d8a;
+    border-color: #6b4d8a;
+    color: #fff;
+}
+.btn-group .btn-check:checked + .btn-outline-primary:last-of-type,
+.btn-group .btn-check:checked + .btn-outline-secondary:last-of-type {
+    background-color: #4a62a8;
+    border-color: #4a62a8;
+    color: #fff;
+}
+
+/* Override small warning text to use header gold */
+.text-warning.small {
+    color: var(--header-gold) !important;
+    text-shadow: 0 1px 2px rgba(0, 0, 0, 0.33);
+}
+
 .card-link .card-header.text-center {
    padding-top: 0.5rem !important;
    padding-bottom: 0.5rem !important;
@@ -443,10 +505,10 @@ footer {
 /* Enhance the gradient on hover for dramatic effect */
 .card-link:hover .card-header.text-center {
    background: linear-gradient(135deg,
-        var(--gradient-start) 0%, 
-        #5a67d8 20%, 
-        var(--gradient-end) 80%, 
-        #8a2be2 100%);
+        #3d2050 0%,
+        var(--gradient-start) 30%,
+        var(--gradient-end) 70%,
+        #6680e0 100%);
    box-shadow: inset 0 0 20px rgba(255, 215, 0, 0.1);
 }

@@ -489,7 +551,7 @@ footer {

 .card-link:hover .feature-card {
    transform: translateY(-5px);
-    box-shadow: 0 10px 40px rgba(102, 126, 234, 0.3);
+    box-shadow: 0 10px 40px rgba(74, 40, 96, 0.4);
 }

 /* ----------------------------------------------------------------------------
@@ -1380,3 +1442,260 @@ footer {
    padding: 0.35rem 0.75rem;
    background: rgba(0, 0, 0, 0.1);
 }
+
+/* ============================================================================
+   MOBILE RESPONSIVE IMPROVEMENTS
+   ============================================================================ */
+
+/* Mobile-specific drop zone improvements */
+@media (max-width: 768px) {
+    /* Larger drop zones on mobile for easier touch targets */
+    .drop-zone {
+        padding: 2rem 1.5rem;
+        min-height: 140px;
+    }
+
+    /* Larger touch target for upload icons */
+    .drop-zone-label i {
+        font-size: 2.5rem !important;
+    }
+
+    /* Touch feedback - active state */
+    .drop-zone:active {
+        border-color: var(--gradient-start);
+        background: rgba(102, 126, 234, 0.15);
+        transform: scale(0.98);
+    }
+
+    /* Mode buttons - stack vertically on very small screens */
+    .d-flex.gap-2:has(.mode-btn) {
+        flex-direction: column;
+    }
+
+    .mode-btn {
+        padding: 1rem;
+        min-height: 56px; /* iOS touch target minimum */
+    }
+
+    /* Full-width primary buttons */
+    .btn-primary.btn-lg {
+        padding: 1rem 1.5rem;
+        font-size: 1.1rem;
+        min-height: 56px;
+    }
+
+    /* Security factor boxes - more padding for touch */
+    .security-box {
+        padding: 1.25rem;
+    }
+
+    /* Form controls - larger for touch */
+    .form-control,
+    .form-select {
+        padding: 0.75rem 1rem;
+        font-size: 1rem;
+        min-height: 48px;
+    }
+
+    /* Input groups - consistent sizing */
+    .input-group .form-control {
+        min-height: 48px;
+    }
+
+    .input-group .btn {
+        min-width: 48px;
+        padding: 0.75rem;
+    }
+
+    /* Password toggle button - easier to tap */
+    [data-toggle-password] {
+        min-width: 52px;
+    }
+
+    /* PIN input - larger on mobile */
+    .pin-input-container .form-control {
+        font-size: 1.4rem;
+        letter-spacing: 4px;
+        padding: 0.875rem 1rem;
+    }
+
+    /* Passphrase input - comfortable mobile size */
+    .passphrase-input {
+        font-size: 1rem !important;
+        padding: 0.875rem 1rem !important;
+    }
+
+    /* Card headers - compact on mobile */
+    .card-header h5 {
+        font-size: 1.1rem;
+    }
+
+    /* Alert info panel - readable text */
+    .alert.small {
+        font-size: 0.9rem;
+    }
+
+    /* Bottom info icons - larger tap targets */
+    .row.text-center .col-4 {
+        padding: 0.5rem;
+    }
+
+    .row.text-center .col-4 i {
+        font-size: 2rem !important;
+    }
+
+    /* Capacity panel badges - easier to read */
+    #capacityPanel .badge {
+        font-size: 0.8rem;
+        padding: 0.4rem 0.6rem;
+    }
+
+    /* Payload type toggle - full width buttons */
+    .btn-group[role="group"] {
+        flex-direction: row;
+    }
+
+    .btn-group .btn {
+        padding: 0.75rem 0.5rem;
+        font-size: 0.95rem;
+    }
+
+    /* Textarea - comfortable height */
+    textarea.form-control {
+        min-height: 120px;
+    }
+
+    /* Channel select - full width */
+    #channelSelect {
+        font-size: 1rem;
+    }
+}
+
+/* Very small screens (iPhone SE, etc.) */
+@media (max-width: 375px) {
+    .drop-zone {
+        padding: 1.5rem 1rem;
+    }
+
+    .mode-btn {
+        padding: 0.875rem;
+        font-size: 0.9rem;
+    }
+
+    .mode-btn .text-muted {
+        display: none; /* Hide secondary text on tiny screens */
+    }
+
+    .card-header h5 {
+        font-size: 1rem;
+    }
+
+    /* Stack security factor row */
+    .row:has(.security-box) > .col-md-6 {
+        margin-bottom: 1rem;
+    }
+}
+
+/* Touch device optimizations */
+@media (hover: none) and (pointer: coarse) {
+    /* Remove hover effects that don't work on touch */
+    .btn-primary:hover {
+        transform: none;
+    }
+
+    .feature-card:hover {
+        transform: none;
+    }
+
+    .card-link:hover .feature-card {
+        transform: none;
+    }
+
+    /* Add active states instead */
+    .btn-primary:active {
+        transform: scale(0.98);
+        box-shadow: 0 2px 10px rgba(102, 126, 234, 0.3);
+    }
+
+    .feature-card:active {
+        transform: scale(0.98);
+    }
+
+    /* Drop zone active feedback */
+    .drop-zone:active {
+        border-color: var(--gradient-start);
+        background: rgba(102, 126, 234, 0.1);
+    }
+
+    /* Mode button active state */
+    .mode-btn:active {
+        background: rgba(255, 255, 255, 0.12);
+        border-color: var(--gradient-start);
+    }
+}
+
+/* Camera hint for mobile - shows on file inputs */
+@media (max-width: 768px) {
+    .drop-zone-label span.text-muted {
+        display: block;
+    }
+
+    /* Add camera icon hint on mobile */
+    .drop-zone-label::after {
+        content: "Tap to take photo or choose file";
+        display: block;
+        font-size: 0.75rem;
+        color: rgba(255, 255, 255, 0.4);
+        margin-top: 0.5rem;
+    }
+
+    /* Hide the default text and show mobile version */
+    .drop-zone-label > span.text-muted {
+        display: none;
+    }
+}
+
+/* Navbar mobile adjustments */
+@media (max-width: 768px) {
+    .navbar {
+        padding: 0.5rem 1rem;
+    }
+
+    .navbar-brand img {
+        height: 32px;
+    }
+
+    /* Sticky header shouldn't eat too much space */
+    .navbar.sticky-top {
+        position: relative; /* Don't stick on mobile - saves screen space */
+    }
+}
+
+/* Results page mobile adjustments */
+@media (max-width: 768px) {
+    /* Download button - full width on mobile */
+    .btn-success.btn-lg,
+    a.btn-success.btn-lg {
+        width: 100%;
+        padding: 1rem;
+        font-size: 1.1rem;
+    }
+
+    /* QR codes - appropriate sizing */
+    .qr-scan-container {
+        max-width: 280px;
+        margin: 0 auto;
+    }
+
+    /* Message display - readable on mobile */
+    .alert-message {
+        font-size: 0.9rem;
+        padding: 1rem;
+        word-break: break-word;
+    }
+
+    /* Result icon - slightly smaller on mobile */
+    .result-icon {
+        font-size: 3rem;
+    }
+}
--- a/frontends/web/stegasoo_users.db
+++ b/frontends/web/stegasoo_users.db
--- a/frontends/web/stego_worker.py
+++ b/frontends/web/stego_worker.py
@@ -111,6 +111,7 @@ def encode_operation(params: dict) -> dict:
        dct_output_format=params.get("dct_output_format", "png"),
        dct_color_mode=params.get("dct_color_mode", "color"),
        channel_key=resolved_channel_key,  # v4.0.0
+        progress_file=params.get("progress_file"),  # v4.1.2
    )

    # Build stats dict if available
@@ -135,14 +136,33 @@ def encode_operation(params: dict) -> dict:
    }


+def _write_decode_progress(progress_file: str | None, percent: int, phase: str) -> None:
+    """Write decode progress to file."""
+    if not progress_file:
+        return
+    try:
+        import json
+        with open(progress_file, "w") as f:
+            json.dump({"percent": percent, "phase": phase}, f)
+    except Exception:
+        pass  # Best effort
+
+
 def decode_operation(params: dict) -> dict:
    """Handle decode operation."""
    from stegasoo import decode

+    progress_file = params.get("progress_file")
+
+    # Progress: starting
+    _write_decode_progress(progress_file, 5, "reading")
+
    # Decode base64 inputs
    stego_data = base64.b64decode(params["stego_b64"])
    reference_data = base64.b64decode(params["reference_b64"])

+    _write_decode_progress(progress_file, 15, "reading")
+
    # Optional RSA key
    rsa_key_data = None
    if params.get("rsa_key_b64"):
@@ -151,6 +171,8 @@ def decode_operation(params: dict) -> dict:
    # Resolve channel key (v4.0.0)
    resolved_channel_key = _resolve_channel_key(params.get("channel_key", "auto"))

+    _write_decode_progress(progress_file, 25, "extracting")
+
    # Call decode with correct parameter names
    result = decode(
        stego_image=stego_data,
@@ -163,6 +185,8 @@ def decode_operation(params: dict) -> dict:
        channel_key=resolved_channel_key,  # v4.0.0
    )

+    _write_decode_progress(progress_file, 90, "finalizing")
+
    if result.is_file:
        return {
            "success": True,
--- a/frontends/web/subprocess_stego.py
+++ b/frontends/web/subprocess_stego.py
@@ -47,6 +47,8 @@ import base64
 import json
 import subprocess
 import sys
+import tempfile
+import uuid
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
@@ -233,6 +235,8 @@ class SubprocessStego:
        # Channel key (v4.0.0)
        channel_key: str | None = "auto",
        timeout: int | None = None,
+        # Progress file (v4.1.2)
+        progress_file: str | None = None,
    ) -> EncodeResult:
        """
        Encode a message or file into an image.
@@ -268,6 +272,7 @@ class SubprocessStego:
            "dct_output_format": dct_output_format,
            "dct_color_mode": dct_color_mode,
            "channel_key": channel_key,  # v4.0.0
+            "progress_file": progress_file,  # v4.1.2
        }

        if file_data:
@@ -309,6 +314,8 @@ class SubprocessStego:
        # Channel key (v4.0.0)
        channel_key: str | None = "auto",
        timeout: int | None = None,
+        # Progress tracking (v4.1.5)
+        progress_file: str | None = None,
    ) -> DecodeResult:
        """
        Decode a message or file from a stego image.
@@ -323,6 +330,7 @@ class SubprocessStego:
            embed_mode: 'auto', 'lsb', or 'dct'
            channel_key: 'auto' (server config), 'none' (public), or explicit key (v4.0.0)
            timeout: Operation timeout in seconds
+            progress_file: Path to write progress updates (v4.1.5)

        Returns:
            DecodeResult with message or file_data on success
@@ -335,6 +343,7 @@ class SubprocessStego:
            "pin": pin,
            "embed_mode": embed_mode,
            "channel_key": channel_key,  # v4.0.0
+            "progress_file": progress_file,  # v4.1.5
        }

        if rsa_key_data:
@@ -496,3 +505,42 @@ def get_subprocess_stego() -> SubprocessStego:
    if _default_stego is None:
        _default_stego = SubprocessStego()
    return _default_stego
+
+
+# =============================================================================
+# Progress File Utilities (v4.1.2)
+# =============================================================================
+
+
+def generate_job_id() -> str:
+    """Generate a unique job ID for tracking encode/decode operations."""
+    return str(uuid.uuid4())[:8]
+
+
+def get_progress_file_path(job_id: str) -> str:
+    """Get the progress file path for a job ID."""
+    return str(Path(tempfile.gettempdir()) / f"stegasoo_progress_{job_id}.json")
+
+
+def read_progress(job_id: str) -> dict | None:
+    """
+    Read progress from file for a job ID.
+
+    Returns:
+        Progress dict with current, total, percent, phase, or None if not found
+    """
+    progress_file = get_progress_file_path(job_id)
+    try:
+        with open(progress_file) as f:
+            return json.load(f)
+    except (FileNotFoundError, json.JSONDecodeError):
+        return None
+
+
+def cleanup_progress_file(job_id: str) -> None:
+    """Remove progress file for a completed job."""
+    progress_file = get_progress_file_path(job_id)
+    try:
+        Path(progress_file).unlink(missing_ok=True)
+    except Exception:
+        pass
--- a/frontends/web/temp_storage.py
+++ b/frontends/web/temp_storage.py
@@ -0,0 +1,212 @@
+"""
+File-based Temporary Storage
+
+Stores temp files on disk instead of in-memory dict.
+This allows multiple Gunicorn workers to share temp files
+and survives service restarts within the expiry window.
+
+Files are stored in a temp directory with:
+- {file_id}.data - The actual file data
+- {file_id}.json - Metadata (filename, timestamp, mime_type, etc.)
+
+IMPORTANT: This module ONLY manages files in the temp_files/ directory.
+It does NOT touch instance/ (auth database) or any other directories.
+"""
+
+import json
+import time
+from pathlib import Path
+from threading import Lock
+
+# Default temp directory (can be overridden)
+DEFAULT_TEMP_DIR = Path(__file__).parent / "temp_files"
+
+# Lock for thread-safe operations
+_lock = Lock()
+
+# Module-level temp directory (set on init)
+_temp_dir: Path = DEFAULT_TEMP_DIR
+
+
+def init(temp_dir: Path | str | None = None):
+    """Initialize temp storage with optional custom directory."""
+    global _temp_dir
+    _temp_dir = Path(temp_dir) if temp_dir else DEFAULT_TEMP_DIR
+    _temp_dir.mkdir(parents=True, exist_ok=True)
+
+
+def _data_path(file_id: str) -> Path:
+    """Get path for file data."""
+    return _temp_dir / f"{file_id}.data"
+
+
+def _meta_path(file_id: str) -> Path:
+    """Get path for file metadata."""
+    return _temp_dir / f"{file_id}.json"
+
+
+def _thumb_path(thumb_id: str) -> Path:
+    """Get path for thumbnail data."""
+    return _temp_dir / f"{thumb_id}.thumb"
+
+
+def save_temp_file(file_id: str, data: bytes, metadata: dict) -> None:
+    """
+    Save a temp file with its metadata.
+
+    Args:
+        file_id: Unique identifier for the file
+        data: File contents as bytes
+        metadata: Dict with filename, mime_type, timestamp, etc.
+    """
+    init()  # Ensure directory exists
+
+    with _lock:
+        # Add timestamp if not present
+        if "timestamp" not in metadata:
+            metadata["timestamp"] = time.time()
+
+        # Write data file
+        _data_path(file_id).write_bytes(data)
+
+        # Write metadata
+        _meta_path(file_id).write_text(json.dumps(metadata))
+
+
+def get_temp_file(file_id: str) -> dict | None:
+    """
+    Get a temp file and its metadata.
+
+    Returns:
+        Dict with 'data' (bytes) and all metadata fields, or None if not found.
+    """
+    init()
+
+    data_file = _data_path(file_id)
+    meta_file = _meta_path(file_id)
+
+    if not data_file.exists() or not meta_file.exists():
+        return None
+
+    try:
+        data = data_file.read_bytes()
+        metadata = json.loads(meta_file.read_text())
+        return {"data": data, **metadata}
+    except (OSError, json.JSONDecodeError):
+        return None
+
+
+def has_temp_file(file_id: str) -> bool:
+    """Check if a temp file exists."""
+    init()
+    return _data_path(file_id).exists() and _meta_path(file_id).exists()
+
+
+def delete_temp_file(file_id: str) -> None:
+    """Delete a temp file and its metadata."""
+    init()
+
+    with _lock:
+        _data_path(file_id).unlink(missing_ok=True)
+        _meta_path(file_id).unlink(missing_ok=True)
+
+
+def save_thumbnail(thumb_id: str, data: bytes) -> None:
+    """Save a thumbnail."""
+    init()
+
+    with _lock:
+        _thumb_path(thumb_id).write_bytes(data)
+
+
+def get_thumbnail(thumb_id: str) -> bytes | None:
+    """Get thumbnail data."""
+    init()
+
+    thumb_file = _thumb_path(thumb_id)
+    if not thumb_file.exists():
+        return None
+
+    try:
+        return thumb_file.read_bytes()
+    except OSError:
+        return None
+
+
+def delete_thumbnail(thumb_id: str) -> None:
+    """Delete a thumbnail."""
+    init()
+
+    with _lock:
+        _thumb_path(thumb_id).unlink(missing_ok=True)
+
+
+def cleanup_expired(max_age_seconds: float) -> int:
+    """
+    Delete expired temp files.
+
+    Args:
+        max_age_seconds: Maximum age in seconds before expiry
+
+    Returns:
+        Number of files deleted
+    """
+    init()
+
+    now = time.time()
+    deleted = 0
+
+    with _lock:
+        # Find all metadata files
+        for meta_file in _temp_dir.glob("*.json"):
+            try:
+                metadata = json.loads(meta_file.read_text())
+                timestamp = metadata.get("timestamp", 0)
+
+                if now - timestamp > max_age_seconds:
+                    file_id = meta_file.stem
+                    _data_path(file_id).unlink(missing_ok=True)
+                    meta_file.unlink(missing_ok=True)
+                    # Also delete thumbnail if exists
+                    _thumb_path(f"{file_id}_thumb").unlink(missing_ok=True)
+                    deleted += 1
+            except (OSError, json.JSONDecodeError):
+                # Remove corrupted files
+                meta_file.unlink(missing_ok=True)
+                deleted += 1
+
+    return deleted
+
+
+def cleanup_all() -> int:
+    """
+    Delete all temp files. Call on service start/stop.
+
+    Returns:
+        Number of files deleted
+    """
+    init()
+
+    deleted = 0
+
+    with _lock:
+        for f in _temp_dir.iterdir():
+            if f.is_file():
+                f.unlink(missing_ok=True)
+                deleted += 1
+
+    return deleted
+
+
+def get_stats() -> dict:
+    """Get temp storage statistics."""
+    init()
+
+    files = list(_temp_dir.glob("*.data"))
+    total_size = sum(f.stat().st_size for f in files if f.exists())
+
+    return {
+        "file_count": len(files),
+        "total_size_bytes": total_size,
+        "temp_dir": str(_temp_dir),
+    }
--- a/frontends/web/templates/about.html
+++ b/frontends/web/templates/about.html
@@ -65,7 +65,7 @@
                            <li class="mb-2">
                                <i class="bi bi-check-circle text-success me-2"></i>
                                <strong>Channel Keys</strong>
-                                <span class="badge bg-info ms-1">v4.0</span>
+                                <span class="badge bg-info ms-1">v4.1</span>
                                <br><small class="text-muted">Group/deployment isolation</small>
                            </li>
                        </ul>
@@ -100,6 +100,7 @@
                                    <li><strong>Output:</strong> JPEG or PNG</li>
                                    <li><strong>Color:</strong> Color or grayscale</li>
                                    <li><strong>Speed:</strong> ~2s</li>
+                                    <li><strong>Error Correction:</strong> Reed-Solomon</li>
                                </ul>
                                <hr>
                                <div class="small">
@@ -250,7 +251,7 @@
            <div class="card-header">
                <h5 class="mb-0">
                    <i class="bi bi-broadcast me-2"></i>Channel Keys
-                    <span class="badge bg-info ms-2">v4.0</span>
+                    <span class="badge bg-info ms-2">v4.1</span>
                </h5>
            </div>
            <div class="card-body">
@@ -316,19 +317,58 @@
                </div>
                
                {% if channel_configured %}
-                <div class="alert alert-success mt-3 mb-0">
+                <div class="alert alert-success mt-3 mb-3">
                    <i class="bi bi-shield-lock me-2"></i>
                    <strong>This server has a channel key configured:</strong>
                    <code class="ms-2">{{ channel_fingerprint }}</code>
                    <span class="text-muted ms-2">({{ channel_source }})</span>
                </div>
                {% else %}
-                <div class="alert alert-info mt-3 mb-0">
+                <div class="alert alert-info mt-3 mb-3">
                    <i class="bi bi-info-circle me-2"></i>
                    This server is running in <strong>public mode</strong>.
                    Set <code>STEGASOO_CHANNEL_KEY</code> to enable server-wide channel isolation.
                </div>
                {% endif %}
+
+                <!-- Channel Key QR Generator (Admin only) -->
+                {% if is_admin %}
+                <div class="card bg-dark border-secondary">
+                    <div class="card-header">
+                        <i class="bi bi-qr-code me-2"></i>Share Channel Key via QR
+                        <span class="badge bg-warning text-dark ms-2"><i class="bi bi-shield-check me-1"></i>Admin</span>
+                    </div>
+                    <div class="card-body">
+                        <p class="small text-muted mb-3">Generate a QR code to share a channel key with others.</p>
+                        <div class="row g-2 align-items-end">
+                            <div class="col-md-8">
+                                <label class="form-label small">Channel Key</label>
+                                <div class="input-group">
+                                    <input type="text" class="form-control font-monospace" id="channelKeyQrInput"
+                                           placeholder="Enter or generate a key">
+                                    <button class="btn btn-outline-secondary" type="button" id="channelKeyQrGenerate"
+                                            title="Generate random key">
+                                        <i class="bi bi-shuffle"></i>
+                                    </button>
+                                </div>
+                            </div>
+                            <div class="col-md-4">
+                                <button class="btn btn-primary w-100" type="button" id="channelKeyQrShow">
+                                    <i class="bi bi-qr-code me-1"></i>Show QR
+                                </button>
+                            </div>
+                        </div>
+                        <div class="text-center mt-3 d-none" id="channelKeyQrContainer">
+                            <canvas id="channelKeyQrCanvas" class="bg-white p-2 rounded"></canvas>
+                            <div class="mt-2">
+                                <button class="btn btn-sm btn-outline-secondary" type="button" id="channelKeyQrDownload">
+                                    <i class="bi bi-download me-1"></i>Download PNG
+                                </button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+                {% endif %}
            </div>
        </div>
        
@@ -338,22 +378,42 @@
                <h5 class="mb-0"><i class="bi bi-clock-history me-2"></i>Version History</h5>
            </div>
            <div class="card-body">
-                <div class="table-responsive">
-                    <table class="table table-dark table-sm small">
-                        <thead>
-                            <tr>
-                                <th>Version</th>
-                                <th>Changes</th>
-                            </tr>
-                        </thead>
+                <!-- Current Version - Prominent -->
+                <div class="alert alert-success mb-4">
+                    <div class="d-flex align-items-center">
+                        <span class="badge bg-success fs-6 me-3">v4.1.2</span>
+                        <div>
+                            <strong>Progress bars</strong> for encode operations,
+                            <strong>mobile-responsive polish</strong>,
+                            DCT decode bug fix, release validation script
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Previous Versions - Accordion -->
+                <div class="accordion" id="versionAccordion">
+                    <div class="accordion-item bg-dark">
+                        <h2 class="accordion-header">
+                            <button class="accordion-button collapsed bg-dark text-light py-2" type="button"
+                                    data-bs-toggle="collapse" data-bs-target="#olderVersions">
+                                <i class="bi bi-archive me-2"></i>Previous Versions
+                            </button>
+                        </h2>
+                        <div id="olderVersions" class="accordion-collapse collapse" data-bs-parent="#versionAccordion">
+                            <div class="accordion-body p-0">
+                                <table class="table table-dark table-sm small mb-0">
                                    <tbody>
+                                        <tr>
+                                            <td width="80"><strong>4.1.1</strong></td>
+                                            <td>DCT RS format stability, Docker cleanup, first-boot wizard</td>
+                                        </tr>
+                                        <tr>
+                                            <td><strong>4.1.0</strong></td>
+                                            <td>Reed-Solomon error correction for DCT, majority voting headers</td>
+                                        </tr>
                                        <tr>
                                            <td><strong>4.0.0</strong></td>
-                                <td>
-                                    <strong>Channel keys</strong> for group/deployment isolation,
-                                    DCT default, simplified auth, passphrase replaces day_phrase, 
-                                    4-word default, JPEG fix, large image support, subprocess isolation, Python 3.10-3.12
-                                </td>
+                                            <td>Channel keys, DCT default, subprocess isolation</td>
                                        </tr>
                                        <tr>
                                            <td>3.2.0</td>
@@ -364,16 +424,8 @@
                                            <td>DCT mode, JPEG output, color preservation</td>
                                        </tr>
                                        <tr>
-                                <td>2.2.0</td>
-                                <td>QR code RSA key import/export</td>
-                            </tr>
-                            <tr>
-                                <td>2.1.0</td>
-                                <td>File embedding, compression</td>
-                            </tr>
-                            <tr>
-                                <td>2.0.0</td>
-                                <td>Web UI, REST API, RSA keys</td>
+                                            <td>2.x</td>
+                                            <td>Web UI, REST API, RSA keys, QR codes, file embedding</td>
                                        </tr>
                                        <tr>
                                            <td>1.0.0</td>
@@ -384,6 +436,9 @@
                            </div>
                        </div>
                    </div>
+                </div>
+            </div>
+        </div>
        
        <div class="card mb-4">
            <div class="card-header">
@@ -469,28 +524,76 @@
                <h5 class="mb-0"><i class="bi bi-speedometer2 me-2"></i>Limits &amp; Specs</h5>
            </div>
            <div class="card-body">
-                <table class="table table-dark table-striped small">
+                <!-- Key Specs - Always Visible -->
+                <div class="row text-center mb-4">
+                    <div class="col-6 col-md-4 col-lg-2 mb-3">
+                        <div class="p-3 bg-dark rounded h-100">
+                            <i class="bi bi-file-earmark text-primary fs-3 d-block mb-2"></i>
+                            <div class="small text-muted">Max Payload</div>
+                            <strong>{{ max_payload_kb }} KB</strong>
+                        </div>
+                    </div>
+                    <div class="col-6 col-md-4 col-lg-2 mb-3">
+                        <div class="p-3 bg-dark rounded h-100">
+                            <i class="bi bi-image text-info fs-3 d-block mb-2"></i>
+                            <div class="small text-muted">Max Carrier</div>
+                            <strong>24 MP</strong>
+                        </div>
+                    </div>
+                    <div class="col-6 col-md-4 col-lg-2 mb-3">
+                        <div class="p-3 bg-dark rounded h-100">
+                            <i class="bi bi-soundwave text-warning fs-3 d-block mb-2"></i>
+                            <div class="small text-muted">DCT Capacity</div>
+                            <strong>~75 KB/MP</strong>
+                        </div>
+                    </div>
+                    <div class="col-6 col-md-4 col-lg-2 mb-3">
+                        <div class="p-3 bg-dark rounded h-100">
+                            <i class="bi bi-grid-3x3 text-success fs-3 d-block mb-2"></i>
+                            <div class="small text-muted">LSB Capacity</div>
+                            <strong>~375 KB/MP</strong>
+                        </div>
+                    </div>
+                    <div class="col-6 col-md-4 col-lg-2 mb-3">
+                        <div class="p-3 bg-dark rounded h-100">
+                            <i class="bi bi-shield-check text-danger fs-3 d-block mb-2"></i>
+                            <div class="small text-muted">Encryption</div>
+                            <strong>AES-256</strong>
+                        </div>
+                    </div>
+                    <div class="col-6 col-md-4 col-lg-2 mb-3">
+                        <div class="p-3 bg-dark rounded h-100">
+                            <i class="bi bi-bandaid text-info fs-3 d-block mb-2"></i>
+                            <div class="small text-muted">DCT ECC</div>
+                            <strong>RS Code</strong>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Error Correction Detail -->
+                <div class="alert alert-info small mb-4">
+                    <i class="bi bi-info-circle me-2"></i>
+                    <strong>Reed-Solomon Error Correction:</strong> DCT mode corrects up to 16 byte errors per 223-byte chunk.
+                    Handles problematic carrier images with uniform areas that cause unstable DCT coefficients.
+                </div>
+
+                <!-- More Specs - Accordion -->
+                <div class="accordion" id="specsAccordion">
+                    <div class="accordion-item bg-dark">
+                        <h2 class="accordion-header">
+                            <button class="accordion-button collapsed bg-dark text-light py-2" type="button"
+                                    data-bs-toggle="collapse" data-bs-target="#moreSpecs">
+                                <i class="bi bi-list-ul me-2"></i>More Specifications
+                            </button>
+                        </h2>
+                        <div id="moreSpecs" class="accordion-collapse collapse" data-bs-parent="#specsAccordion">
+                            <div class="accordion-body p-0">
+                                <table class="table table-dark table-striped small mb-0">
                                    <tbody>
                                        <tr>
                                            <td><i class="bi bi-file-text me-2"></i>Max text</td>
                                            <td><strong>2M characters</strong></td>
                                        </tr>
-                        <tr>
-                            <td><i class="bi bi-file-earmark me-2"></i>Max file</td>
-                            <td><strong>{{ max_payload_kb }} KB</strong></td>
-                        </tr>
-                        <tr>
-                            <td><i class="bi bi-image me-2"></i>Max carrier</td>
-                            <td><strong>24 MP</strong> (~6000x4000)</td>
-                        </tr>
-                        <tr>
-                            <td><i class="bi bi-soundwave me-2"></i>DCT capacity</td>
-                            <td><strong>~75 KB/MP</strong></td>
-                        </tr>
-                        <tr>
-                            <td><i class="bi bi-grid-3x3 me-2"></i>LSB capacity</td>
-                            <td><strong>~375 KB/MP</strong></td>
-                        </tr>
                                        <tr>
                                            <td><i class="bi bi-upload me-2"></i>Max upload</td>
                                            <td><strong>30 MB</strong></td>
@@ -517,13 +620,77 @@
                                        </tr>
                                        <tr>
                                            <td><i class="bi bi-box me-2"></i>Built with</td>
-                            <td>Flask, Pillow, NumPy, SciPy, jpegio, cryptography, argon2-cffi</td>
+                                            <td>Flask, Pillow, NumPy, SciPy, jpegio, reedsolo, cryptography, argon2-cffi</td>
                                        </tr>
                                    </tbody>
                                </table>
                            </div>
                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
        
    </div>
 </div>
 {% endblock %}
+
+{% block scripts %}
+<!-- QR Code library for channel key sharing -->
+<script src="https://cdn.jsdelivr.net/npm/qrcode@1.5.3/build/qrcode.min.js"></script>
+<script src="{{ url_for('static', filename='js/stegasoo.js') }}"></script>
+<script>
+document.addEventListener('DOMContentLoaded', function() {
+    const input = document.getElementById('channelKeyQrInput');
+    const generateBtn = document.getElementById('channelKeyQrGenerate');
+    const showBtn = document.getElementById('channelKeyQrShow');
+    const container = document.getElementById('channelKeyQrContainer');
+    const canvas = document.getElementById('channelKeyQrCanvas');
+    const downloadBtn = document.getElementById('channelKeyQrDownload');
+
+    // Generate random key
+    generateBtn?.addEventListener('click', function() {
+        if (input && typeof Stegasoo !== 'undefined') {
+            input.value = Stegasoo.generateChannelKey();
+        }
+    });
+
+    // Show QR code
+    showBtn?.addEventListener('click', function() {
+        const key = input?.value?.trim().replace(/-/g, '');
+        if (!key || key.length !== 32) {
+            alert('Please enter a valid 32-character channel key');
+            return;
+        }
+
+        // Format key with dashes for QR
+        const formatted = key.match(/.{4}/g)?.join('-') || key;
+
+        // Generate QR code
+        if (typeof QRCode !== 'undefined' && canvas) {
+            QRCode.toCanvas(canvas, formatted, {
+                width: 200,
+                margin: 2,
+                color: { dark: '#000', light: '#fff' }
+            }, function(error) {
+                if (error) {
+                    console.error('QR generation error:', error);
+                    return;
+                }
+                container?.classList.remove('d-none');
+            });
+        }
+    });
+
+    // Download QR as PNG
+    downloadBtn?.addEventListener('click', function() {
+        if (canvas) {
+            const link = document.createElement('a');
+            link.download = 'stegasoo-channel-key.png';
+            link.href = canvas.toDataURL('image/png');
+            link.click();
+        }
+    });
+});
+</script>
+{% endblock %}
--- a/frontends/web/templates/account.html
+++ b/frontends/web/templates/account.html
@@ -12,8 +12,60 @@
            <div class="card-body">
                <p class="text-muted mb-4">
                    Logged in as <strong>{{ username }}</strong>
+                    {% if is_admin %}
+                    <span class="badge bg-warning text-dark ms-2">
+                        <i class="bi bi-shield-check me-1"></i>Admin
+                    </span>
+                    {% endif %}
                </p>

+                {% if is_admin %}
+                <div class="mb-4">
+                    <a href="{{ url_for('admin_users') }}" class="btn btn-outline-primary w-100">
+                        <i class="bi bi-people me-2"></i>Manage Users
+                    </a>
+                </div>
+
+                <!-- Recovery Key Management (Admin only) -->
+                <div class="card bg-dark mb-4">
+                    <div class="card-body py-3">
+                        <div class="d-flex justify-content-between align-items-center">
+                            <div>
+                                <i class="bi bi-shield-lock me-2"></i>
+                                <strong>Recovery Key</strong>
+                                {% if has_recovery %}
+                                <span class="badge bg-success ms-2">Configured</span>
+                                {% else %}
+                                <span class="badge bg-secondary ms-2">Not Set</span>
+                                {% endif %}
+                            </div>
+                            <div class="btn-group btn-group-sm">
+                                <a href="{{ url_for('regenerate_recovery') }}" class="btn btn-outline-warning"
+                                   onclick="return confirm('Generate a new recovery key? This will invalidate any existing key.')">
+                                    <i class="bi bi-arrow-repeat me-1"></i>
+                                    {{ 'Regenerate' if has_recovery else 'Generate' }}
+                                </a>
+                                {% if has_recovery %}
+                                <form method="POST" action="{{ url_for('disable_recovery') }}" style="display:inline;">
+                                    <button type="submit" class="btn btn-outline-danger"
+                                            onclick="return confirm('Disable recovery? If you forget your password, you will NOT be able to recover your account.')">
+                                        <i class="bi bi-x-lg"></i>
+                                    </button>
+                                </form>
+                                {% endif %}
+                            </div>
+                        </div>
+                        <small class="text-muted d-block mt-2">
+                            {% if has_recovery %}
+                            Allows password reset if you're locked out.
+                            {% else %}
+                            No recovery option - most secure, but no password reset possible.
+                            {% endif %}
+                        </small>
+                    </div>
+                </div>
+                {% endif %}
+
                <h6 class="text-muted mb-3">Change Password</h6>

                <form method="POST" action="{{ url_for('account') }}" id="accountForm">
@@ -65,38 +117,222 @@
                    </button>
                </form>

-                <hr class="my-4">
+            </div>
+        </div>

+        <!-- Saved Channel Keys Section -->
+        <div class="card mt-4">
+            <div class="card-header d-flex justify-content-between align-items-center">
+                <h5 class="mb-0"><i class="bi bi-key-fill me-2"></i>Saved Channel Keys</h5>
+                <span class="badge bg-secondary">{{ channel_keys|length }} / {{ max_channel_keys }}</span>
+            </div>
+            <div class="card-body">
+                {% if channel_keys %}
+                <div class="list-group list-group-flush mb-3">
+                    {% for key in channel_keys %}
+                    <div class="list-group-item d-flex justify-content-between align-items-center px-0">
+                        <div>
+                            <strong>{{ key.name }}</strong>
+                            <br>
+                            <code class="small text-muted">{{ key.channel_key[:4] }}...{{ key.channel_key[-4:] }}</code>
+                            {% if key.last_used_at %}
+                            <span class="text-muted small ms-2">Last used: {{ key.last_used_at[:10] }}</span>
+                            {% endif %}
+                        </div>
+                        <div class="btn-group btn-group-sm">
+                            {% if is_admin %}
+                            <button type="button" class="btn btn-outline-info"
+                                    onclick="showKeyQr('{{ key.channel_key }}', '{{ key.name }}')"
+                                    title="Show QR Code">
+                                <i class="bi bi-qr-code"></i>
+                            </button>
+                            {% endif %}
+                            <button type="button" class="btn btn-outline-secondary"
+                                    onclick="renameKey({{ key.id }}, '{{ key.name }}')"
+                                    title="Rename">
+                                <i class="bi bi-pencil"></i>
+                            </button>
+                            <form method="POST" action="{{ url_for('account_delete_key', key_id=key.id) }}"
+                                  style="display:inline;"
+                                  onsubmit="return confirm('Delete key &quot;{{ key.name }}&quot;?')">
+                                <button type="submit" class="btn btn-outline-danger" title="Delete">
+                                    <i class="bi bi-trash"></i>
+                                </button>
+                            </form>
+                        </div>
+                    </div>
+                    {% endfor %}
+                </div>
+                {% else %}
+                <p class="text-muted mb-3">No saved channel keys. Save keys for quick access on encode/decode pages.</p>
+                {% endif %}
+
+                {% if can_save_key %}
+                <hr>
+                <h6 class="text-muted mb-3">Add New Key</h6>
+                <form method="POST" action="{{ url_for('account_save_key') }}">
+                    <div class="row g-2 mb-2">
+                        <div class="col-5">
+                            <input type="text" name="key_name" class="form-control form-control-sm"
+                                   placeholder="Key name" required maxlength="50">
+                        </div>
+                        <div class="col-7">
+                            <div class="input-group input-group-sm">
+                                <input type="text" name="channel_key" id="channelKeyInput"
+                                       class="form-control font-monospace"
+                                       placeholder="XXXX-XXXX-..." required
+                                       pattern="[A-Za-z0-9]{4}(-[A-Za-z0-9]{4}){7}">
+                                <button type="button" class="btn btn-outline-secondary" id="scanChannelKeyBtn"
+                                        title="Scan QR code with camera">
+                                    <i class="bi bi-camera"></i>
+                                </button>
+                            </div>
+                        </div>
+                    </div>
+                    <button type="submit" class="btn btn-sm btn-outline-primary">
+                        <i class="bi bi-plus-lg me-1"></i>Save Key
+                    </button>
+                </form>
+                {% else %}
+                <div class="alert alert-info mb-0 small">
+                    <i class="bi bi-info-circle me-1"></i>
+                    Maximum of {{ max_channel_keys }} keys reached. Delete a key to add more.
+                </div>
+                {% endif %}
+            </div>
+        </div>
+
+        <!-- Logout -->
+        <div class="mt-4">
            <a href="{{ url_for('logout') }}" class="btn btn-outline-danger w-100">
                <i class="bi bi-box-arrow-left me-2"></i>Logout
            </a>
        </div>
    </div>
 </div>
+
+<!-- Rename Modal -->
+<div class="modal fade" id="renameModal" tabindex="-1">
+    <div class="modal-dialog modal-sm">
+        <div class="modal-content">
+            <form method="POST" id="renameForm">
+                <div class="modal-header">
+                    <h6 class="modal-title">Rename Key</h6>
+                    <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
                </div>
+                <div class="modal-body">
+                    <input type="text" name="new_name" class="form-control" id="renameInput"
+                           required maxlength="50">
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-sm btn-secondary" data-bs-dismiss="modal">Cancel</button>
+                    <button type="submit" class="btn btn-sm btn-primary">Rename</button>
+                </div>
+            </form>
+        </div>
+    </div>
+</div>
+
+{% if is_admin %}
+<!-- QR Code Modal (Admin only) -->
+<div class="modal fade" id="qrModal" tabindex="-1">
+    <div class="modal-dialog modal-sm">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h6 class="modal-title"><i class="bi bi-qr-code me-2"></i><span id="qrKeyName">Channel Key</span></h6>
+                <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
+            </div>
+            <div class="modal-body text-center">
+                <canvas id="qrCanvas" class="bg-white p-2 rounded"></canvas>
+                <div class="mt-2">
+                    <code class="small" id="qrKeyDisplay"></code>
+                </div>
+            </div>
+            <div class="modal-footer justify-content-center">
+                <button type="button" class="btn btn-sm btn-outline-secondary" id="qrDownload">
+                    <i class="bi bi-download me-1"></i>Download PNG
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
+{% endif %}
 {% endblock %}

 {% block scripts %}
+<script src="{{ url_for('static', filename='js/auth.js') }}"></script>
+<script src="{{ url_for('static', filename='js/stegasoo.js') }}"></script>
+{% if is_admin %}
+<script src="https://cdn.jsdelivr.net/npm/qrcode@1.5.3/build/qrcode.min.js"></script>
+{% endif %}
 <script>
-function togglePassword(inputId, btn) {
-    const input = document.getElementById(inputId);
-    const icon = btn.querySelector('i');
-    if (input.type === 'password') {
-        input.type = 'text';
-        icon.classList.replace('bi-eye', 'bi-eye-slash');
+StegasooAuth.initPasswordConfirmation('accountForm', 'newPasswordInput', 'newPasswordConfirmInput');
+
+// Webcam QR scanning for channel key input (v4.1.5)
+document.getElementById('scanChannelKeyBtn')?.addEventListener('click', function() {
+    Stegasoo.showQrScanner((text) => {
+        const input = document.getElementById('channelKeyInput');
+        if (input) {
+            // Clean and format the key
+            const clean = text.replace(/[^A-Za-z0-9]/g, '').toUpperCase();
+            if (clean.length === 32) {
+                input.value = clean.match(/.{4}/g).join('-');
            } else {
-        input.type = 'password';
-        icon.classList.replace('bi-eye-slash', 'bi-eye');
+                input.value = text.toUpperCase();
+            }
+        }
+    }, 'Scan Channel Key');
+});
+
+// Format channel key input as user types
+document.getElementById('channelKeyInput')?.addEventListener('input', function() {
+    Stegasoo.formatChannelKeyInput(this);
+});
+
+function renameKey(keyId, currentName) {
+    document.getElementById('renameInput').value = currentName;
+    document.getElementById('renameForm').action = '/account/keys/' + keyId + '/rename';
+    new bootstrap.Modal(document.getElementById('renameModal')).show();
+}
+
+{% if is_admin %}
+function showKeyQr(channelKey, keyName) {
+    // Format key with dashes if not already
+    const clean = channelKey.replace(/-/g, '').toUpperCase();
+    const formatted = clean.match(/.{4}/g)?.join('-') || clean;
+
+    // Update modal content
+    document.getElementById('qrKeyName').textContent = keyName;
+    document.getElementById('qrKeyDisplay').textContent = formatted;
+
+    // Generate QR code
+    const canvas = document.getElementById('qrCanvas');
+    if (typeof QRCode !== 'undefined' && canvas) {
+        QRCode.toCanvas(canvas, formatted, {
+            width: 200,
+            margin: 2,
+            color: { dark: '#000', light: '#fff' }
+        }, function(error) {
+            if (error) {
+                console.error('QR generation error:', error);
+                return;
+            }
+            new bootstrap.Modal(document.getElementById('qrModal')).show();
+        });
    }
 }

-document.getElementById('accountForm')?.addEventListener('submit', function(e) {
-    const newPass = document.getElementById('newPasswordInput').value;
-    const confirm = document.getElementById('newPasswordConfirmInput').value;
-    if (newPass !== confirm) {
-        e.preventDefault();
-        alert('New passwords do not match');
+// Download QR as PNG
+document.getElementById('qrDownload')?.addEventListener('click', function() {
+    const canvas = document.getElementById('qrCanvas');
+    const keyName = document.getElementById('qrKeyName').textContent;
+    if (canvas) {
+        const link = document.createElement('a');
+        link.download = 'stegasoo-channel-key-' + keyName.toLowerCase().replace(/\s+/g, '-') + '.png';
+        link.href = canvas.toDataURL('image/png');
+        link.click();
    }
 });
+{% endif %}
 </script>
 {% endblock %}
--- a/frontends/web/templates/admin/password_reset.html
+++ b/frontends/web/templates/admin/password_reset.html
@@ -0,0 +1,50 @@
+{% extends "base.html" %}
+
+{% block title %}Password Reset - Stegasoo{% endblock %}
+
+{% block content %}
+<div class="row justify-content-center">
+    <div class="col-md-6 col-lg-5">
+        <div class="card border-warning">
+            <div class="card-header bg-warning text-dark">
+                <i class="bi bi-key fs-4 me-2"></i>
+                <span class="fs-5">Password Reset</span>
+            </div>
+            <div class="card-body">
+                <div class="alert alert-warning">
+                    <i class="bi bi-exclamation-triangle me-2"></i>
+                    <strong>Important:</strong> This password will only be shown once.
+                    Make sure to share it with <strong>{{ username }}</strong> securely.
+                </div>
+
+                <p class="text-muted">
+                    The user's sessions have been invalidated. They will need to log in
+                    again with the new password.
+                </p>
+
+                <div class="mb-4">
+                    <label class="form-label text-muted small">New Password for {{ username }}</label>
+                    <div class="input-group">
+                        <input type="text" class="form-control form-control-lg font-monospace"
+                               value="{{ password }}" readonly id="passwordField">
+                        <button class="btn btn-outline-secondary" type="button"
+                                onclick="copyField('passwordField')" title="Copy password">
+                            <i class="bi bi-clipboard"></i>
+                        </button>
+                    </div>
+                </div>
+
+                <div class="d-grid">
+                    <a href="{{ url_for('admin_users') }}" class="btn btn-primary">
+                        <i class="bi bi-arrow-left me-2"></i>Back to Users
+                    </a>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script src="{{ url_for('static', filename='js/auth.js') }}"></script>
+{% endblock %}
--- a/frontends/web/templates/admin/user_created.html
+++ b/frontends/web/templates/admin/user_created.html
@@ -0,0 +1,60 @@
+{% extends "base.html" %}
+
+{% block title %}User Created - Stegasoo{% endblock %}
+
+{% block content %}
+<div class="row justify-content-center">
+    <div class="col-md-6 col-lg-5">
+        <div class="card border-success">
+            <div class="card-header bg-success text-white">
+                <i class="bi bi-check-circle fs-4 me-2"></i>
+                <span class="fs-5">User Created Successfully</span>
+            </div>
+            <div class="card-body">
+                <div class="alert alert-warning">
+                    <i class="bi bi-exclamation-triangle me-2"></i>
+                    <strong>Important:</strong> This password will only be shown once.
+                    Make sure to share it with the user securely.
+                </div>
+
+                <div class="mb-3">
+                    <label class="form-label text-muted small">Username</label>
+                    <div class="input-group">
+                        <input type="text" class="form-control form-control-lg font-monospace"
+                               value="{{ username }}" readonly id="usernameField">
+                        <button class="btn btn-outline-secondary" type="button"
+                                onclick="copyField('usernameField')" title="Copy username">
+                            <i class="bi bi-clipboard"></i>
+                        </button>
+                    </div>
+                </div>
+
+                <div class="mb-4">
+                    <label class="form-label text-muted small">Password</label>
+                    <div class="input-group">
+                        <input type="text" class="form-control form-control-lg font-monospace"
+                               value="{{ password }}" readonly id="passwordField">
+                        <button class="btn btn-outline-secondary" type="button"
+                                onclick="copyField('passwordField')" title="Copy password">
+                            <i class="bi bi-clipboard"></i>
+                        </button>
+                    </div>
+                </div>
+
+                <div class="d-grid gap-2">
+                    <a href="{{ url_for('admin_user_new') }}" class="btn btn-primary">
+                        <i class="bi bi-person-plus me-2"></i>Add Another User
+                    </a>
+                    <a href="{{ url_for('admin_users') }}" class="btn btn-outline-secondary">
+                        <i class="bi bi-arrow-left me-2"></i>Back to Users
+                    </a>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script src="{{ url_for('static', filename='js/auth.js') }}"></script>
+{% endblock %}
--- a/frontends/web/templates/admin/user_new.html
+++ b/frontends/web/templates/admin/user_new.html
@@ -0,0 +1,166 @@
+{% extends "base.html" %}
+
+{% block title %}Add User - Stegasoo{% endblock %}
+
+{% block content %}
+<div class="row justify-content-center">
+    <div class="col-md-6 col-lg-5">
+        <div class="card">
+            <div class="card-header">
+                <i class="bi bi-person-plus fs-4 me-2"></i>
+                <span class="fs-5">Add New User</span>
+            </div>
+            <div class="card-body">
+                <form id="createUserForm">
+                    <div class="mb-3">
+                        <label class="form-label">
+                            <i class="bi bi-person me-1"></i> Username
+                        </label>
+                        <input type="text" name="username" id="usernameInput" class="form-control"
+                               placeholder="e.g., john_doe or john@example.com"
+                               pattern="[a-zA-Z0-9][a-zA-Z0-9_\-@.]{2,79}"
+                               title="3-80 characters, letters/numbers/underscore/hyphen/@/."
+                               required autofocus>
+                        <div class="form-text">
+                            Letters, numbers, underscore, hyphen, @ and . allowed.
+                        </div>
+                    </div>
+
+                    <div class="mb-4">
+                        <label class="form-label">
+                            <i class="bi bi-key me-1"></i> Password
+                        </label>
+                        <div class="input-group">
+                            <input type="text" name="password" id="passwordInput"
+                                   class="form-control" value="{{ temp_password }}"
+                                   minlength="8" required>
+                            <button class="btn btn-outline-secondary" type="button"
+                                    onclick="regeneratePassword()" title="Generate new password">
+                                <i class="bi bi-arrow-repeat"></i>
+                            </button>
+                        </div>
+                        <div class="form-text">
+                            Auto-generated password. You can edit or regenerate it.
+                        </div>
+                    </div>
+
+                    <div id="errorAlert" class="alert alert-danger d-none"></div>
+
+                    <div class="d-flex gap-2">
+                        <button type="submit" class="btn btn-primary flex-grow-1" id="createBtn">
+                            <i class="bi bi-person-check me-2"></i>Create User
+                        </button>
+                        <a href="{{ url_for('admin_users') }}" class="btn btn-outline-secondary">
+                            Cancel
+                        </a>
+                    </div>
+                </form>
+            </div>
+        </div>
+    </div>
+</div>
+
+<!-- Success Modal -->
+<div class="modal fade" id="successModal" tabindex="-1" data-bs-backdrop="static">
+    <div class="modal-dialog modal-dialog-centered">
+        <div class="modal-content border-success">
+            <div class="modal-header bg-success text-white">
+                <h5 class="modal-title">
+                    <i class="bi bi-check-circle me-2"></i>User Created
+                </h5>
+            </div>
+            <div class="modal-body">
+                <div class="alert alert-warning mb-3 py-2">
+                    <i class="bi bi-exclamation-triangle me-1"></i>
+                    Password shown once. Copy it now.
+                </div>
+
+                <div class="row mb-3">
+                    <div class="col-6">
+                        <label class="form-label text-muted small mb-1">Username</label>
+                        <div class="input-group">
+                            <input type="text" class="form-control font-monospace"
+                                   id="createdUsername" readonly>
+                            <button class="btn btn-outline-secondary" type="button"
+                                    onclick="copyField('createdUsername')" title="Copy">
+                                <i class="bi bi-clipboard"></i>
+                            </button>
+                        </div>
+                    </div>
+                    <div class="col-6">
+                        <label class="form-label text-muted small mb-1">Password</label>
+                        <div class="input-group">
+                            <input type="text" class="form-control font-monospace"
+                                   id="createdPassword" readonly>
+                            <button class="btn btn-outline-secondary" type="button"
+                                    onclick="copyField('createdPassword')" title="Copy">
+                                <i class="bi bi-clipboard"></i>
+                            </button>
+                        </div>
+                    </div>
+                </div>
+
+                <div class="d-flex justify-content-end gap-2">
+                    <button type="button" class="btn btn-primary" onclick="addAnother()">
+                        <i class="bi bi-person-plus me-1"></i>Add Another
+                    </button>
+                    <a href="{{ url_for('admin_users') }}" class="btn btn-outline-secondary">
+                        Done
+                    </a>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script src="{{ url_for('static', filename='js/auth.js') }}"></script>
+<script>
+const form = document.getElementById('createUserForm');
+const errorAlert = document.getElementById('errorAlert');
+const createBtn = document.getElementById('createBtn');
+const successModal = new bootstrap.Modal(document.getElementById('successModal'));
+
+form.addEventListener('submit', async function(e) {
+    e.preventDefault();
+    errorAlert.classList.add('d-none');
+    createBtn.disabled = true;
+    createBtn.innerHTML = '<span class="spinner-border spinner-border-sm me-2"></span>Creating...';
+
+    const formData = new FormData(form);
+
+    try {
+        const response = await fetch('{{ url_for("admin_user_new") }}', {
+            method: 'POST',
+            body: formData,
+            headers: { 'X-Requested-With': 'XMLHttpRequest' }
+        });
+
+        const data = await response.json();
+
+        if (data.success) {
+            document.getElementById('createdUsername').value = data.username;
+            document.getElementById('createdPassword').value = data.password;
+            successModal.show();
+        } else {
+            errorAlert.textContent = data.error;
+            errorAlert.classList.remove('d-none');
+        }
+    } catch (err) {
+        errorAlert.textContent = 'An error occurred. Please try again.';
+        errorAlert.classList.remove('d-none');
+    }
+
+    createBtn.disabled = false;
+    createBtn.innerHTML = '<i class="bi bi-person-check me-2"></i>Create User';
+});
+
+function addAnother() {
+    successModal.hide();
+    document.getElementById('usernameInput').value = '';
+    regeneratePassword();
+    document.getElementById('usernameInput').focus();
+}
+</script>
+{% endblock %}
--- a/frontends/web/templates/admin/users.html
+++ b/frontends/web/templates/admin/users.html
@@ -0,0 +1,95 @@
+{% extends "base.html" %}
+
+{% block title %}Manage Users - Stegasoo{% endblock %}
+
+{% block content %}
+<div class="row justify-content-center">
+    <div class="col-md-10 col-lg-8">
+        <div class="card">
+            <div class="card-header d-flex justify-content-between align-items-center">
+                <div>
+                    <i class="bi bi-people fs-4 me-2"></i>
+                    <span class="fs-5">User Management</span>
+                </div>
+                <div class="text-muted small">
+                    {{ user_count }} / {{ max_users }} users
+                </div>
+            </div>
+            <div class="card-body">
+                {% if can_create %}
+                <div class="mb-4">
+                    <a href="{{ url_for('admin_user_new') }}" class="btn btn-primary">
+                        <i class="bi bi-person-plus me-2"></i>Add User
+                    </a>
+                </div>
+                {% else %}
+                <div class="alert alert-warning mb-4">
+                    <i class="bi bi-exclamation-triangle me-2"></i>
+                    Maximum of {{ max_users }} users reached.
+                </div>
+                {% endif %}
+
+                <div class="table-responsive">
+                    <table class="table table-hover mb-0">
+                        <thead>
+                            <tr>
+                                <th>Username</th>
+                                <th>Role</th>
+                                <th>Created</th>
+                                <th class="text-end">Actions</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {% for user in users %}
+                            <tr>
+                                <td>
+                                    <i class="bi bi-person me-2"></i>
+                                    {{ user.username }}
+                                    {% if user.id == current_user.id %}
+                                    <span class="badge bg-info ms-2">You</span>
+                                    {% endif %}
+                                </td>
+                                <td>
+                                    {% if user.is_admin %}
+                                    <span class="badge bg-warning text-dark">
+                                        <i class="bi bi-shield-check me-1"></i>Admin
+                                    </span>
+                                    {% else %}
+                                    <span class="badge bg-secondary">User</span>
+                                    {% endif %}
+                                </td>
+                                <td class="text-muted small">
+                                    {{ user.created_at[:10] if user.created_at else 'Unknown' }}
+                                </td>
+                                <td class="text-end">
+                                    {% if user.id != current_user.id %}
+                                    <form method="POST" action="{{ url_for('admin_user_reset_password', user_id=user.id) }}"
+                                          class="d-inline" onsubmit="return confirm('Reset password for {{ user.username }}?')">
+                                        <button type="submit" class="btn btn-sm btn-outline-warning" title="Reset Password">
+                                            <i class="bi bi-key"></i>
+                                        </button>
+                                    </form>
+                                    <form method="POST" action="{{ url_for('admin_user_delete', user_id=user.id) }}"
+                                          class="d-inline" onsubmit="return confirm('Delete user {{ user.username }}? This cannot be undone.')">
+                                        <button type="submit" class="btn btn-sm btn-outline-danger" title="Delete User">
+                                            <i class="bi bi-trash"></i>
+                                        </button>
+                                    </form>
+                                    {% else %}
+                                    <span class="text-muted small">-</span>
+                                    {% endif %}
+                                </td>
+                            </tr>
+                            {% endfor %}
+                        </tbody>
+                    </table>
+                </div>
+            </div>
+            <div class="card-footer text-muted small">
+                <i class="bi bi-info-circle me-1"></i>
+                Admins can add up to {{ max_users }} regular users.
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}
--- a/frontends/web/templates/base.html
+++ b/frontends/web/templates/base.html
@@ -14,7 +14,10 @@
        <div class="container">
            <a class="navbar-brand d-flex align-items-center" href="/">
                <img src="{{ url_for('static', filename='logo.svg') }}" alt="Stegasoo" height="36" class="me-2">
-                <span class="fw-bold">Stegasoo</span>
+                <span style="position: relative; display: inline-block; margin-top: -14px;">
+                    <span class="fw-bold title-gold">Stegasoo</span>
+                    <span class="badge bg-success" style="position: absolute; font-size: 0.45rem; bottom: -8px; right: 6px;">v4.1</span>
+                </span>
            </a>
            <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav">
                <span class="navbar-toggler-icon"></span>
@@ -38,6 +41,9 @@
                    <li class="nav-item">
                        <a class="nav-link" href="/about"><i class="bi bi-info-circle me-1"></i> About</a>
                    </li>
+                    <li class="nav-item">
+                        <a class="nav-link" href="/tools"><i class="bi bi-tools me-1"></i> Tools</a>
+                    </li>
                    {% if auth_enabled %}
                        {% if is_authenticated %}
                        <li class="nav-item dropdown">
@@ -46,6 +52,9 @@
                            </a>
                            <ul class="dropdown-menu dropdown-menu-end dropdown-menu-dark">
                                <li><a class="dropdown-item" href="/account"><i class="bi bi-gear me-2"></i>Account</a></li>
+                                {% if is_admin %}
+                                <li><a class="dropdown-item" href="/admin/users"><i class="bi bi-people me-2"></i>Users</a></li>
+                                {% endif %}
                                <li><hr class="dropdown-divider"></li>
                                <li><a class="dropdown-item" href="/logout"><i class="bi bi-box-arrow-left me-2"></i>Logout</a></li>
                            </ul>
@@ -62,17 +71,22 @@
    </nav>

    <main class="container py-5">
+        <!-- Toast notifications container -->
+        <div class="toast-container position-fixed end-0 p-3" style="z-index: 1100; top: 70px;">
            {% with messages = get_flashed_messages(with_categories=true) %}
-            {% if messages %}
                {% for category, message in messages %}
-                    <div class="alert alert-{{ 'danger' if category == 'error' else ('warning' if category == 'warning' else 'success') }} alert-dismissible fade show" role="alert">
+                    <div class="toast show align-items-center text-bg-{{ 'danger' if category == 'error' else ('warning' if category == 'warning' else 'success') }} border-0 fade" role="alert" data-bs-autohide="true" data-bs-delay="10000">
+                        <div class="d-flex">
+                            <div class="toast-body">
                                <i class="bi bi-{{ 'exclamation-triangle' if category == 'error' else ('exclamation-circle' if category == 'warning' else 'check-circle') }} me-2"></i>
                                {{ message }}
-                        <button type="button" class="btn-close" data-bs-dismiss="alert"></button>
+                            </div>
+                            <button type="button" class="btn-close btn-close-white me-2 m-auto" data-bs-dismiss="toast"></button>
+                        </div>
                    </div>
                {% endfor %}
-            {% endif %}
            {% endwith %}
+        </div>

        {% block content %}{% endblock %}
    </main>
@@ -87,6 +101,12 @@
    </footer>

    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
+    <!-- QR Code scanning library (v4.1.5) -->
+    <script src="https://unpkg.com/html5-qrcode@2.3.8/html5-qrcode.min.js"></script>
+    <script>
+    // Initialize toasts (auto-hide after delay)
+    document.querySelectorAll('.toast').forEach(el => new bootstrap.Toast(el));
+    </script>
    {% block scripts %}{% endblock %}
 </body>
 </html>
--- a/frontends/web/templates/decode.html
+++ b/frontends/web/templates/decode.html
@@ -4,6 +4,74 @@

 {% block content %}
 <style>
+/* Accordion styling */
+.step-accordion .accordion-button {
+    background: rgba(30, 40, 50, 0.6);
+    color: #fff;
+    padding: 0.75rem 1rem;
+    border-left: 3px solid transparent;
+    transition: all 0.3s ease;
+}
+.step-accordion .accordion-button:not(.collapsed) {
+    background: linear-gradient(90deg, rgba(99, 179, 237, 0.15) 0%, rgba(40, 50, 60, 0.8) 40%, rgba(40, 50, 60, 0.8) 100%);
+    color: #fff;
+    box-shadow: inset 0 1px 0 rgba(99, 179, 237, 0.1);
+    border-left: 3px solid rgba(99, 179, 237, 0.6);
+}
+.step-accordion .accordion-button::after {
+    filter: invert(1);
+}
+.step-accordion .accordion-body {
+    background: rgba(30, 40, 50, 0.4);
+    padding: 1rem;
+}
+.step-accordion .accordion-item {
+    border-color: rgba(255,255,255,0.1);
+    background: transparent;
+}
+.step-accordion .accordion-item:first-child .accordion-button {
+    border-radius: 0;
+}
+.step-accordion .accordion-item:last-child .accordion-button.collapsed {
+    border-radius: 0;
+}
+.step-summary {
+    font-size: 0.8rem;
+    color: rgba(255,255,255,0.5);
+    margin-left: auto;
+    padding-right: 1rem;
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    max-width: 50%;
+}
+.step-summary.has-content {
+    color: rgba(99, 179, 237, 0.8);
+}
+.step-title {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+}
+.step-number {
+    background: rgba(246, 173, 85, 0.2);
+    color: #f6ad55;
+    width: 1.5rem;
+    height: 1.5rem;
+    border-radius: 50%;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    font-size: 0.75rem;
+    font-weight: bold;
+    border: 1px solid rgba(246, 173, 85, 0.3);
+}
+.step-number.complete {
+    background: rgba(72, 187, 120, 0.2);
+    color: #48bb78;
+    border-color: rgba(72, 187, 120, 0.3);
+}
+
 /* Glowing passphrase input */
 .passphrase-input {
    background: rgba(30, 40, 50, 0.8) !important;
@@ -13,20 +81,17 @@
    font-size: 1.1rem;
    letter-spacing: 0.5px;
    padding: 12px 16px;
-    transition: border-color 0.3s ease, box-shadow 0.3s ease, background 0.3s ease;
+    transition: border-color 0.3s ease, box-shadow 0.3s ease;
 }
-
 .passphrase-input:focus {
    border-color: rgba(99, 179, 237, 0.8) !important;
-    box-shadow: 0 0 20px rgba(99, 179, 237, 0.4), 0 0 40px rgba(99, 179, 237, 0.2) !important;
-    background: rgba(30, 40, 50, 0.95) !important;
+    box-shadow: 0 0 20px rgba(99, 179, 237, 0.4) !important;
 }
-
 .passphrase-input::placeholder {
    color: rgba(99, 179, 237, 0.4);
 }

-/* Glowing PIN input */
+/* PIN input */
 .pin-input-container .form-control {
    background: rgba(30, 40, 50, 0.8) !important;
    border: 2px solid rgba(246, 173, 85, 0.3) !important;
@@ -35,18 +100,10 @@
    font-size: 1.2rem;
    letter-spacing: 3px;
    text-align: center;
-    transition: all 0.3s ease;
 }
-
 .pin-input-container .form-control:focus {
    border-color: rgba(246, 173, 85, 0.8) !important;
-    box-shadow: 0 0 20px rgba(246, 173, 85, 0.4), 0 0 40px rgba(246, 173, 85, 0.2) !important;
-    background: rgba(30, 40, 50, 0.95) !important;
-}
-
-.pin-input-container .form-control::placeholder {
-    color: rgba(246, 173, 85, 0.4);
-    letter-spacing: 1px;
+    box-shadow: 0 0 20px rgba(246, 173, 85, 0.4) !important;
 }

 /* QR Crop Animation */
@@ -55,8 +112,12 @@
    overflow: hidden;
    border-radius: 8px;
    background: rgba(0, 0, 0, 0.3);
+    width: 100%;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    min-height: 120px;
 }
-
 .qr-crop-container img {
    display: block;
    max-height: 180px;
@@ -65,15 +126,10 @@
    margin: 0 auto;
    transition: all 0.6s cubic-bezier(0.4, 0, 0.2, 1);
 }
-
-.qr-crop-container .qr-original {
-    opacity: 1;
-}
-
+.qr-crop-container .qr-original { opacity: 1; }
 .qr-crop-container .qr-cropped {
    position: absolute;
-    top: 50%;
-    left: 50%;
+    top: 50%; left: 50%;
    transform: translate(-50%, -50%) scale(0.3);
    opacity: 0;
    max-height: 160px;
@@ -81,30 +137,15 @@
    min-height: 140px;
    object-fit: contain;
 }
-
 .qr-crop-container.scan-complete .qr-original {
    opacity: 0;
    transform: scale(1.1);
    filter: blur(4px);
 }
-
 .qr-crop-container.scan-complete .qr-cropped {
    opacity: 1;
    transform: translate(-50%, -50%) scale(1);
 }
-
-.qr-crop-container .crop-badge {
-    position: absolute;
-    bottom: 4px;
-    right: 4px;
-    font-size: 0.65rem;
-    opacity: 0;
-    transition: opacity 0.3s ease 0.4s;
-}
-
-.qr-crop-container.scan-complete .crop-badge {
-    opacity: 1;
-}
 </style>

 <div class="row justify-content-center">
@@ -113,20 +154,18 @@
            <div class="card-header">
                <h5 class="mb-0"><i class="bi bi-unlock-fill me-2"></i>Decode Secret Message or File</h5>
            </div>
-            <div class="card-body">
+            <div class="card-body {% if not decoded_message and not decoded_file %}p-0{% endif %}">
                {% if decoded_message %}
                <!-- Text Message Result -->
                <div class="alert alert-success">
                    <h6><i class="bi bi-check-circle me-2"></i>Message Decrypted Successfully!</h6>
                </div>

-                <label class="form-label text-muted">Decoded Message:</label>
-                <div class="alert-message p-3 rounded bg-dark border border-secondary mb-2" id="decodedContent" style="white-space: pre-wrap;">{{ decoded_message }}</div>
-                <div class="d-flex justify-content-end mb-3">
-                    <button class="btn btn-sm btn-outline-light" onclick="navigator.clipboard.writeText(document.getElementById('decodedContent').innerText).then(() => { this.innerHTML = '<i class=\'bi bi-check\'></i> Copied!'; setTimeout(() => this.innerHTML = '<i class=\'bi bi-clipboard\'></i> Copy', 2000); }).catch(() => alert('Failed to copy'))">
-                        <i class="bi bi-clipboard"></i> Copy
-                    </button>
-                </div>
+                <label class="form-label text-muted">Decoded Message: <small class="text-secondary">(click to copy)</small></label>
+                <div class="alert-message p-3 rounded bg-dark border border-secondary mb-3" id="decodedContent" style="white-space: pre-wrap; cursor: pointer; transition: border-color 0.2s;"
+                     onclick="navigator.clipboard.writeText(this.innerText).then(() => { this.style.borderColor = '#198754'; this.dataset.origText = this.innerHTML; this.innerHTML = '<i class=\'bi bi-check-circle text-success\'></i> Copied to clipboard!'; setTimeout(() => { this.innerHTML = this.dataset.origText; this.style.borderColor = ''; }, 1500); }).catch(() => alert('Failed to copy'))"
+                     onmouseover="this.style.borderColor = '#6c757d'"
+                     onmouseout="this.style.borderColor = ''">{{ decoded_message }}</div>

                <a href="/decode" class="btn btn-outline-light w-100">
                    <i class="bi bi-arrow-repeat me-2"></i>Decode Another
@@ -163,46 +202,48 @@
                {% else %}
                <!-- Decode Form -->
                <form method="POST" enctype="multipart/form-data" id="decodeForm">
+
+                    <div class="accordion step-accordion" id="decodeAccordion">
+
+                        <!-- ================================================================
+                             STEP 1: IMAGES & MODE
+                             ================================================================ -->
+                        <div class="accordion-item">
+                            <h2 class="accordion-header">
+                                <button class="accordion-button" type="button" data-bs-toggle="collapse" data-bs-target="#stepImages">
+                                    <span class="step-title">
+                                        <span class="step-number" id="stepImagesNumber">1</span>
+                                        <i class="bi bi-images me-1"></i> Images & Mode
+                                    </span>
+                                    <span class="step-summary" id="stepImagesSummary">Select reference & stego</span>
+                                </button>
+                            </h2>
+                            <div id="stepImages" class="accordion-collapse collapse show" data-bs-parent="#decodeAccordion">
+                                <div class="accordion-body">
+
                                    <div class="row">
                                        <div class="col-md-6 mb-3">
                                            <label class="form-label">
                                                <i class="bi bi-image me-1"></i> Reference Photo
                                            </label>
                                            <div class="drop-zone scan-container" id="refDropZone">
-                                <input type="file" name="reference_photo" accept="image/*" required>
+                                                <input type="file" name="reference_photo" accept="image/*" required id="refPhotoInput">
                                                <div class="drop-zone-label">
                                                    <i class="bi bi-cloud-arrow-up fs-3 d-block mb-2 text-muted"></i>
-                                    <span class="text-muted">Drop image or click to browse</span>
+                                                    <span class="text-muted">Drop image or click</span>
                                                </div>
                                                <img class="drop-zone-preview d-none" id="refPreview">
-                                <!-- Scan overlay elements -->
-                                <div class="scan-overlay">
-                                    <div class="scan-grid"></div>
-                                    <div class="scan-line"></div>
-                                </div>
-                                <!-- Corner brackets (shown after scan) -->
+                                                <div class="scan-overlay"><div class="scan-grid"></div><div class="scan-line"></div></div>
                                                <div class="scan-corners">
-                                    <div class="scan-corner tl"></div>
-                                    <div class="scan-corner tr"></div>
-                                    <div class="scan-corner bl"></div>
-                                    <div class="scan-corner br"></div>
+                                                    <div class="scan-corner tl"></div><div class="scan-corner tr"></div>
+                                                    <div class="scan-corner bl"></div><div class="scan-corner br"></div>
                                                </div>
-                                <!-- Data panel (shown after scan) -->
                                                <div class="scan-data-panel">
-                                    <div class="scan-data-filename">
-                                        <i class="bi bi-check-circle-fill"></i>
-                                        <span id="refFileName">image.jpg</span>
-                                    </div>
-                                    <div class="scan-data-row">
-                                        <span class="scan-status-badge">Hash Acquired</span>
-                                        <span class="scan-data-value" id="refFileSize">--</span>
-                                    </div>
-                                    <div class="scan-hash-preview" id="refHashPreview">SHA256: ················</div>
+                                                    <div class="scan-data-filename"><i class="bi bi-check-circle-fill"></i><span id="refFileName">image.jpg</span></div>
+                                                    <div class="scan-data-row"><span class="scan-status-badge">Hash Acquired</span><span class="scan-data-value" id="refFileSize">--</span></div>
                                                </div>
                                            </div>
-                            <div class="form-text">
-                                The same reference photo used for encoding
-                            </div>
+                                            <div class="form-text">Same reference photo used for encoding</div>
                                        </div>

                                        <div class="col-md-6 mb-3">
@@ -210,124 +251,85 @@
                                                <i class="bi bi-file-earmark-image me-1"></i> Stego Image
                                            </label>
                                            <div class="drop-zone pixel-container" id="stegoDropZone">
-                                <input type="file" name="stego_image" accept="image/*" required>
+                                                <input type="file" name="stego_image" accept="image/*" required id="stegoInput">
                                                <div class="drop-zone-label">
                                                    <i class="bi bi-cloud-arrow-up fs-3 d-block mb-2 text-muted"></i>
-                                    <span class="text-muted">Drop image or click to browse</span>
+                                                    <span class="text-muted">Drop image or click</span>
                                                </div>
                                                <img class="drop-zone-preview d-none" id="stegoPreview">
-                                <!-- Pixel blocks overlay - populated by JS -->
                                                <div class="pixel-blocks"></div>
-                                <!-- Pixel scan line -->
                                                <div class="pixel-scan-line"></div>
-                                <!-- Corner brackets -->
                                                <div class="pixel-corners">
-                                    <div class="pixel-corner tl"></div>
-                                    <div class="pixel-corner tr"></div>
-                                    <div class="pixel-corner bl"></div>
-                                    <div class="pixel-corner br"></div>
+                                                    <div class="pixel-corner tl"></div><div class="pixel-corner tr"></div>
+                                                    <div class="pixel-corner bl"></div><div class="pixel-corner br"></div>
                                                </div>
-                                <!-- Data panel -->
                                                <div class="pixel-data-panel">
-                                    <div class="pixel-data-filename">
-                                        <i class="bi bi-check-circle-fill"></i>
-                                        <span id="stegoFileName">image.png</span>
+                                                    <div class="pixel-data-filename"><i class="bi bi-check-circle-fill"></i><span id="stegoFileName">image.png</span></div>
+                                                    <div class="pixel-data-row"><span class="pixel-status-badge">Stego Loaded</span><span class="pixel-data-value" id="stegoFileSize">--</span></div>
+                                                    <div class="pixel-dimensions" id="stegoDims">-- x -- px</div>
                                                </div>
-                                    <div class="pixel-data-row">
-                                        <span class="pixel-status-badge">Stego Loaded</span>
-                                        <span class="pixel-data-value" id="stegoFileSize">--</span>
                                            </div>
-                                    <div class="pixel-dimensions" id="stegoDims">-- × -- px</div>
+                                            <div class="form-text">Image containing the hidden message</div>
                                        </div>
                                    </div>
+
+                                    <!-- Extraction Mode -->
+                                    <label class="form-label"><i class="bi bi-cpu me-1"></i> Extraction Mode</label>
+                                    <div class="d-flex gap-2 mb-2">
+                                        <label class="mode-btn flex-fill active" id="autoModeCard" for="modeAuto">
+                                            <input class="form-check-input" type="radio" name="embed_mode" id="modeAuto" value="auto" checked>
+                                            <i class="bi bi-magic text-success ms-2"></i>
+                                            <span class="ms-2"><strong>Auto</strong> <span class="text-muted d-none d-sm-inline">· Try both</span></span>
+                                        </label>
+                                        <label class="mode-btn flex-fill" id="lsbModeCard" for="modeLsb">
+                                            <input class="form-check-input" type="radio" name="embed_mode" id="modeLsb" value="lsb">
+                                            <i class="bi bi-grid-3x3-gap text-primary ms-2"></i>
+                                            <span class="ms-2"><strong>LSB</strong> <span class="text-muted d-none d-sm-inline">· Email</span></span>
+                                        </label>
+                                        <label class="mode-btn flex-fill {% if not has_dct %}opacity-50{% endif %}" id="dctModeCard" for="modeDct">
+                                            <input class="form-check-input" type="radio" name="embed_mode" id="modeDct" value="dct" {% if not has_dct %}disabled{% endif %}>
+                                            <i class="bi bi-soundwave text-warning ms-2"></i>
+                                            <span class="ms-2"><strong>DCT</strong> <span class="text-muted d-none d-sm-inline">· Social</span></span>
+                                        </label>
+                                    </div>
                                    <div class="form-text">
-                                The image containing the hidden message/file
+                                        <i class="bi bi-lightbulb me-1"></i><strong>Auto</strong> tries LSB first, then DCT.
+                                    </div>
+
                                </div>
                            </div>
                        </div>

-                    <div class="mb-3">
-                        <label class="form-label">
-                            <i class="bi bi-chat-quote me-1"></i> Passphrase
-                        </label>
-                        <input type="text" name="passphrase" id="passphraseInput" class="form-control passphrase-input" 
-                               placeholder="e.g., correct horse battery staple" required>
-                        <div class="form-text">
-                            The passphrase used during encoding (typically 4 words)
-                        </div>
-                    </div>
-                    
-                    <hr class="my-4">
-                    
-                    <h6 class="text-muted mb-3">
-                        SECURITY FACTORS 
-                        <span class="text-warning small">(provide same factors used during encoding)</span>
-                    </h6>
-                    
-                    <div class="mb-3">
-                      <div class="security-box">
-                        <label class="form-label">
-                            <i class="bi bi-file-earmark-lock me-1"></i> RSA Key
-                        </label>
-
-                        <!-- RSA Input Method Toggle -->
-                        <div class="btn-group w-100 mb-2" role="group">
-                            <input type="radio" class="btn-check" name="rsa_input_method" id="rsaMethodFile" value="file" checked>
-                            <label class="btn btn-outline-secondary btn-sm" for="rsaMethodFile">
-                                <i class="bi bi-file-earmark me-1"></i>.pem File
-                            </label>
-
-                            <input type="radio" class="btn-check" name="rsa_input_method" id="rsaMethodQr" value="qr">
-                            <label class="btn btn-outline-secondary btn-sm" for="rsaMethodQr">
-                                <i class="bi bi-qr-code me-1"></i>QR Code
-                            </label>
-                        </div>
-
-                        <!-- .pem File Input -->
-                        <div id="rsaFileSection">
-                            <input type="file" name="rsa_key" class="form-control form-control-sm" id="rsaKeyInput" accept=".pem,.key,application/x-pem-file">
-                        </div>
-
-                        <!-- QR Code Input -->
-                        <div id="rsaQrSection" class="d-none">
-                            <div class="drop-zone p-3" id="qrDropZone">
-                                <input type="file" name="rsa_key_qr" accept="image/*" id="rsaKeyQrInput">
-                                <div class="drop-zone-label text-center">
-                                    <i class="bi bi-qr-code-scan fs-4 d-block text-muted mb-1"></i>
-                                    <span class="text-muted small">Drop QR image or click to browse</span>
-                                </div>
-                                <!-- Crop animation container -->
-                                <div class="qr-scan-container qr-crop-container d-none" id="qrCropContainer">
-                                    <img class="qr-original" id="qrOriginal" alt="Original">
-                                    <img class="qr-cropped" id="qrCropped" alt="Cropped QR">
-                                    <!-- Data panel -->
-                                    <div class="qr-data-panel">
-                                        <div class="qr-data-filename">
-                                            <i class="bi bi-check-circle-fill"></i>
-                                            <span>RSA Key loaded</span>
-                                        </div>
-                                        <div class="qr-data-row">
-                                            <span class="qr-status-badge">RSA Key</span>
-                                            <span class="qr-data-value">--</span>
-                                        </div>
-                                    </div>
-                                </div>
-                            </div>
-                        </div>
-
-                        <!-- Key Password (always visible) -->
-                        <div class="input-group input-group-sm mt-2">
-                            <input type="password" name="rsa_password" class="form-control" id="rsaPasswordInput" placeholder="Key password (if encrypted)">
-                            <button class="btn btn-outline-secondary" type="button" data-toggle-password="rsaPasswordInput">
-                                <i class="bi bi-eye"></i>
+                        <!-- ================================================================
+                             STEP 2: SECURITY
+                             ================================================================ -->
+                        <div class="accordion-item">
+                            <h2 class="accordion-header">
+                                <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#stepSecurity">
+                                    <span class="step-title">
+                                        <span class="step-number" id="stepSecurityNumber">2</span>
+                                        <i class="bi bi-shield-lock me-1"></i> Security
+                                    </span>
+                                    <span class="step-summary" id="stepSecuritySummary">Passphrase & keys</span>
                                </button>
-                        </div>
-                      </div>
+                            </h2>
+                            <div id="stepSecurity" class="accordion-collapse collapse" data-bs-parent="#decodeAccordion">
+                                <div class="accordion-body">
+
+                                    <!-- Passphrase -->
+                                    <div class="mb-3">
+                                        <label class="form-label"><i class="bi bi-chat-quote me-1"></i> Passphrase</label>
+                                        <input type="text" name="passphrase" class="form-control passphrase-input"
+                                               placeholder="e.g., apple forest thunder mountain" required id="passphraseInput">
+                                        <div class="form-text">The passphrase used during encoding</div>
                                    </div>

-                    <!-- PIN + Channel Row -->
+                                    <hr class="my-3 opacity-25">
+                                    <div class="small text-muted mb-2">Provide same factors used during encoding</div>
+
                                    <div class="row">
-                        <div class="col-md-6 mb-3">
+                                        <!-- PIN -->
+                                        <div class="col-md-6 mb-2">
                                            <div class="security-box h-100">
                                                <label class="form-label"><i class="bi bi-123 me-1"></i> PIN</label>
                                                <div class="input-group pin-input-container">
@@ -336,96 +338,75 @@
                                                        <i class="bi bi-eye"></i>
                                                    </button>
                                                </div>
-                            <div class="form-text">If PIN was used during encoding</div>
                                                </div>
                                        </div>

-                        <div class="col-md-6 mb-3">
+                                        <!-- Channel -->
+                                        <div class="col-md-6 mb-2">
                                            <div class="security-box h-100">
-                            <label class="form-label">
-                                <i class="bi bi-broadcast me-1"></i> Channel
-                                <span class="badge bg-info ms-1">v4.0</span>
-                                <a href="/about#channel-keys" class="text-muted ms-1" title="Learn about channels"><i class="bi bi-info-circle"></i></a>
-                            </label>
-
-                            <select class="form-select" name="channel_key" id="channelSelectDec">
-                                <option value="auto" selected>Auto{% if channel_configured %} (Server Key){% endif %}</option>
+                                                <label class="form-label"><i class="bi bi-broadcast me-1"></i> Channel</label>
+                                                <select class="form-select form-select-sm" name="channel_key" id="channelSelectDec">
+                                                    <option value="auto" selected>Auto{% if channel_configured %} (Server){% endif %}</option>
                                                    <option value="none">Public</option>
-                                <option value="custom">Custom</option>
-                            </select>
-
-                            <!-- Server channel indicator (compact) -->
-                            {% if channel_configured %}
-                            <div class="small text-success mt-2">
-                                <i class="bi bi-shield-lock me-1"></i>
-                                Server: <code>{{ channel_fingerprint[:4] }}-••••-···-••••-{{ channel_fingerprint[-4:] }}</code>
-                            </div>
+                                                    {% if saved_channel_keys %}
+                                                    <optgroup label="Saved Keys">
+                                                        {% for key in saved_channel_keys %}
+                                                        <option value="{{ key.channel_key }}">{{ key.name }}</option>
+                                                        {% endfor %}
+                                                    </optgroup>
                                                    {% endif %}
+                                                    <option value="custom">Custom...</option>
+                                                </select>
                                            </div>
                                        </div>
                                    </div>

-                    <!-- Custom Channel Key Input (shown when Custom selected) -->
-                    <div class="mb-4 d-none" id="channelCustomInputDec">
+                                    <!-- Custom Channel Key -->
+                                    <div class="mb-3 d-none" id="channelCustomInputDec">
                                        <div class="security-box">
                                            <label class="form-label"><i class="bi bi-key me-1"></i> Custom Channel Key</label>
                                            <div class="input-group">
-                                <input type="text" name="channel_key_custom" class="form-control font-monospace"
-                                       placeholder="XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX"
-                                       pattern="[A-Za-z0-9]{4}(-[A-Za-z0-9]{4}){7}"
-                                       id="channelKeyInputDec">
+                                                <input type="text" name="channel_key_custom" class="form-control form-control-sm font-monospace"
+                                                       placeholder="XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX" id="channelKeyInputDec">
+                                                <button class="btn btn-outline-secondary btn-sm" type="button" id="channelKeyScanDec" title="Scan QR"><i class="bi bi-camera"></i></button>
                                            </div>
                                        </div>
                                    </div>

-                    <!-- ================================================================
-                         ADVANCED OPTIONS (v3.0) - Extraction Mode
-                         ================================================================ -->
-                    <div class="mb-4">
-                        <a class="btn btn-sm btn-outline-secondary w-100" data-bs-toggle="collapse" href="#advancedOptionsDec" role="button" aria-expanded="false">
-                            <i class="bi bi-gear me-1"></i> Advanced Options
-                            <i class="bi bi-chevron-down ms-1" id="advancedChevronDec"></i>
-                        </a>
-                        
-                        <div class="collapse" id="advancedOptionsDec">
-                            <div class="card card-body mt-2 bg-dark border-secondary">
-                                
-                                <!-- Extraction Mode Selection -->
-                                <div class="mb-0">
-                                    <label class="form-label">
-                                        <i class="bi bi-cpu me-1"></i> Extraction Mode
-                                        <span class="badge bg-info ms-1">v3.0</span>
-                                    </label>
-                                    
-                                    <div class="d-flex gap-2">
-                                        <!-- Auto Mode -->
-                                        <label class="mode-btn flex-fill active" id="autoModeCard" for="modeAuto">
-                                            <input class="form-check-input" type="radio" name="embed_mode" id="modeAuto" value="auto" checked>
-                                            <i class="bi bi-magic text-success"></i>
-                                            <span class="ms-2"><strong>Auto</strong> <span class="text-muted d-none d-sm-inline">· Try both</span></span>
-                                        </label>
-                                        
-                                        <!-- LSB Mode -->
-                                        <label class="mode-btn flex-fill" id="lsbModeCardDec" for="modeLsbDec">
-                                            <input class="form-check-input" type="radio" name="embed_mode" id="modeLsbDec" value="lsb">
-                                            <i class="bi bi-grid-3x3-gap text-primary"></i>
-                                            <span class="ms-2"><strong>LSB</strong> <span class="text-muted d-none d-sm-inline">· Spatial</span></span>
-                                        </label>
-                                        
-                                        <!-- DCT Mode -->
-                                        <label class="mode-btn flex-fill {% if not has_dct %}opacity-50{% endif %}" id="dctModeCardDec" for="modeDctDec">
-                                            <input class="form-check-input" type="radio" name="embed_mode" id="modeDctDec" value="dct" {% if not has_dct %}disabled{% endif %}>
-                                            <i class="bi bi-soundwave text-warning"></i>
-                                            <span class="ms-2"><strong>DCT</strong> <span class="text-muted d-none d-sm-inline">· Frequency</span></span>
-                                        </label>
+                                    <!-- RSA Key -->
+                                    <div class="mb-3">
+                                        <div class="security-box">
+                                            <label class="form-label"><i class="bi bi-file-earmark-lock me-1"></i> RSA Key <span class="text-muted">(if used)</span></label>
+                                            <div class="btn-group w-100 mb-2" role="group">
+                                                <input type="radio" class="btn-check" name="rsa_input_method" id="rsaMethodFile" value="file" checked>
+                                                <label class="btn btn-outline-secondary btn-sm" for="rsaMethodFile"><i class="bi bi-file-earmark me-1"></i>.pem</label>
+                                                <input type="radio" class="btn-check" name="rsa_input_method" id="rsaMethodQr" value="qr">
+                                                <label class="btn btn-outline-secondary btn-sm" for="rsaMethodQr"><i class="bi bi-qr-code me-1"></i>QR</label>
+                                            </div>
+                                            <div id="rsaFileSection">
+                                                <input type="file" name="rsa_key" class="form-control form-control-sm" accept=".pem">
+                                            </div>
+                                            <div id="rsaQrSection" class="d-none d-flex flex-column">
+                                                <input type="hidden" name="rsa_key_pem" id="rsaKeyPem">
+                                                <div class="drop-zone p-2 w-100" id="qrDropZone">
+                                                    <input type="file" name="rsa_key_qr" accept="image/*" id="rsaQrInput">
+                                                    <div class="drop-zone-label text-center">
+                                                        <i class="bi bi-qr-code-scan fs-5 d-block text-muted mb-1"></i>
+                                                        <span class="text-muted small">Drop QR image</span>
+                                                    </div>
+                                                    <div class="qr-scan-container qr-crop-container d-none" id="qrCropContainer">
+                                                        <img class="qr-original" id="qrOriginal" alt="Original">
+                                                        <img class="qr-cropped" id="qrCropped" alt="Cropped">
+                                                    </div>
+                                                </div>
+                                                <button type="button" class="btn btn-outline-secondary btn-sm w-100 mt-2" id="rsaQrWebcam">
+                                                    <i class="bi bi-camera me-1"></i>Scan with Camera
+                                                </button>
+                                            </div>
+                                            <div class="input-group input-group-sm mt-2">
+                                                <input type="password" name="rsa_password" class="form-control" id="rsaPasswordInput" placeholder="Key password (if encrypted)">
+                                                <button class="btn btn-outline-secondary" type="button" data-toggle-password="rsaPasswordInput"><i class="bi bi-eye"></i></button>
                                            </div>
-                                    
-                                    <div class="form-text mt-2">
-                                        <i class="bi bi-lightbulb me-1"></i>
-                                        <strong>Auto</strong> tries LSB first, then DCT.
-                                        {% if not has_dct %}
-                                        <span class="text-warning ms-2"><i class="bi bi-exclamation-triangle me-1"></i>DCT requires scipy</span>
-                                        {% endif %}
                                        </div>
                                    </div>

@@ -433,51 +414,41 @@
                            </div>
                        </div>

+                    </div>
+
+                    <!-- Submit Button -->
+                    <div class="p-3">
                        <button type="submit" class="btn btn-primary btn-lg w-100" id="decodeBtn">
                            <i class="bi bi-unlock me-2"></i>Decode
                        </button>
-                </form>
+                    </div>

+                </form>
                {% endif %}
            </div>
        </div>

        {% if not decoded_message and not decoded_file %}
+        <!-- Troubleshooting Card -->
        <div class="card mt-4">
            <div class="card-body">
                <h6 class="text-muted mb-3"><i class="bi bi-question-circle me-2"></i>Troubleshooting</h6>
                <ul class="list-unstyled text-muted small mb-0">
                    <li class="mb-2">
                        <i class="bi bi-check-circle-fill text-success me-1"></i>
-                        Use the <strong>exact same reference photo</strong> file (byte-for-byte identical)
+                        Use the <strong>exact same reference photo</strong> (byte-for-byte identical)
                    </li>
                    <li class="mb-2">
                        <i class="bi bi-check-circle-fill text-success me-1"></i>
-                        Enter the <strong>exact passphrase</strong> used during encoding (case-sensitive, spacing matters)
-                    </li>
-                    <li class="mb-2">
-                        <i class="bi bi-check-circle-fill text-success me-1"></i>
-                        Provide the <strong>same security factors</strong> (PIN and/or RSA key) used during encoding
+                        Enter the <strong>exact passphrase</strong> used during encoding
                    </li>
                    <li class="mb-2">
                        <i class="bi bi-exclamation-triangle-fill text-warning me-1"></i>
-                        Ensure the stego image hasn't been <strong>resized, cropped, or recompressed</strong>
-                    </li>
-                    <li class="mb-2">
-                        <i class="bi bi-exclamation-triangle-fill text-warning me-1"></i>
-                        <strong>Format compatibility:</strong> v4.0 cannot decode messages from v3.1 or earlier (different format)
-                    </li>
-                    <li class="mb-2">
-                        <i class="bi bi-broadcast text-info me-1"></i>
-                        <strong>Channel key:</strong> Use the same channel (Auto/Public/Custom) that was used during encoding
-                    </li>
-                    <li class="mb-2">
-                        <i class="bi bi-info-circle-fill text-info me-1"></i>
-                        If using an RSA key, verify the <strong>password is correct</strong> (if key is encrypted)
+                        Ensure the stego image hasn't been <strong>resized or recompressed</strong>
                    </li>
                    <li class="mb-0">
                        <i class="bi bi-info-circle-fill text-info me-1"></i>
-                        If auto-detection fails, try specifying <strong>LSB or DCT mode</strong> in Advanced Options
+                        If auto-detection fails, try specifying <strong>LSB or DCT mode</strong>
                    </li>
                </ul>
            </div>
@@ -490,28 +461,92 @@
 {% block scripts %}
 <script src="{{ url_for('static', filename='js/stegasoo.js') }}"></script>
 <script>
-// Extraction mode button active state toggle
-const extractModeRadios = document.querySelectorAll('input[name="embed_mode"]');
-const extractModeBtns = { 
-    'auto': document.getElementById('autoModeCard'), 
-    'lsb': document.getElementById('lsbModeCardDec'), 
-    'dct': document.getElementById('dctModeCardDec') 
-};
+// ============================================================================
+// ACCORDION SUMMARY UPDATES
+// ============================================================================

-extractModeRadios.forEach(radio => {
+function updateImagesSummary() {
+    const ref = document.getElementById('refPhotoInput')?.files[0];
+    const stego = document.getElementById('stegoInput')?.files[0];
+    const mode = document.querySelector('input[name="embed_mode"]:checked')?.value?.toUpperCase() || 'AUTO';
+    const summary = document.getElementById('stepImagesSummary');
+    const stepNum = document.getElementById('stepImagesNumber');
+
+    if (ref && stego) {
+        const refName = ref.name.length > 12 ? ref.name.slice(0, 10) + '..' : ref.name;
+        const stegoName = stego.name.length > 12 ? stego.name.slice(0, 10) + '..' : stego.name;
+        summary.textContent = `${refName} + ${stegoName}, ${mode}`;
+        summary.classList.add('has-content');
+        stepNum.classList.add('complete');
+        stepNum.innerHTML = '<i class="bi bi-check"></i>';
+    } else if (ref || stego) {
+        summary.textContent = ref ? ref.name.slice(0, 15) : stego.name.slice(0, 15);
+        summary.classList.remove('has-content');
+        stepNum.classList.remove('complete');
+        stepNum.textContent = '1';
+    } else {
+        summary.textContent = 'Select reference & stego';
+        summary.classList.remove('has-content');
+        stepNum.classList.remove('complete');
+        stepNum.textContent = '1';
+    }
+}
+
+function updateSecuritySummary() {
+    const passphrase = document.getElementById('passphraseInput')?.value || '';
+    const pin = document.getElementById('pinInput')?.value || '';
+    const rsaFile = document.querySelector('input[name="rsa_key"]')?.files[0];
+    const rsaPem = document.getElementById('rsaKeyPem')?.value || '';
+    const summary = document.getElementById('stepSecuritySummary');
+    const stepNum = document.getElementById('stepSecurityNumber');
+
+    const parts = [];
+    if (passphrase.trim()) parts.push('passphrase');
+    if (pin) parts.push('PIN');
+    if (rsaFile || rsaPem) parts.push('RSA');
+
+    if (parts.length > 0) {
+        summary.textContent = parts.join(' + ');
+        summary.classList.add('has-content');
+        if (passphrase.trim()) {
+            stepNum.classList.add('complete');
+            stepNum.innerHTML = '<i class="bi bi-check"></i>';
+        }
+    } else {
+        summary.textContent = 'Passphrase & keys';
+        summary.classList.remove('has-content');
+        stepNum.classList.remove('complete');
+        stepNum.textContent = '2';
+    }
+}
+
+// Attach listeners
+document.getElementById('refPhotoInput')?.addEventListener('change', updateImagesSummary);
+document.getElementById('stegoInput')?.addEventListener('change', updateImagesSummary);
+document.querySelectorAll('input[name="embed_mode"]').forEach(r => r.addEventListener('change', updateImagesSummary));
+
+document.getElementById('passphraseInput')?.addEventListener('input', updateSecuritySummary);
+document.getElementById('pinInput')?.addEventListener('input', updateSecuritySummary);
+document.querySelector('input[name="rsa_key"]')?.addEventListener('change', updateSecuritySummary);
+
+// ============================================================================
+// MODE SWITCHING
+// ============================================================================
+
+const modeRadios = document.querySelectorAll('input[name="embed_mode"]');
+const modeBtns = { 'auto': document.getElementById('autoModeCard'), 'lsb': document.getElementById('lsbModeCard'), 'dct': document.getElementById('dctModeCard') };
+
+modeRadios.forEach(radio => {
    radio.addEventListener('change', () => {
-        Object.values(extractModeBtns).forEach(btn => btn?.classList.remove('active'));
-        extractModeBtns[radio.value]?.classList.add('active');
+        Object.values(modeBtns).forEach(btn => btn?.classList.remove('active'));
+        modeBtns[radio.value]?.classList.add('active');
    });
 });

-// Advanced options chevron
-const advancedOptionsDec = document.getElementById('advancedOptionsDec');
-advancedOptionsDec?.addEventListener('show.bs.collapse', () => {
-    document.getElementById('advancedChevronDec')?.classList.replace('bi-chevron-down', 'bi-chevron-up');
-});
-advancedOptionsDec?.addEventListener('hide.bs.collapse', () => {
-    document.getElementById('advancedChevronDec')?.classList.replace('bi-chevron-up', 'bi-chevron-down');
-});
+// ============================================================================
+// LOADING STATE
+// ============================================================================
+
+Stegasoo.initFormLoading('decodeForm', 'decodeBtn', 'Decoding...');
 </script>
 {% endblock %}
--- a/frontends/web/templates/encode.html
+++ b/frontends/web/templates/encode.html
--- a/frontends/web/templates/generate.html
+++ b/frontends/web/templates/generate.html
@@ -74,22 +74,32 @@
                        </div>
                    </div>
                    
-                    <hr class="my-4">
+                    <button type="submit" class="btn btn-primary btn-lg w-100 mt-4">
+                        <i class="bi bi-shuffle me-2"></i>Generate Credentials
+                    </button>
+                </form>

-                    <!-- Channel Key Generation (v4.0.0) -->
-                    <div class="mb-4">
-                        <label class="form-label">
-                            <i class="bi bi-broadcast me-1"></i> Channel Key
-                            <span class="badge bg-info ms-1">v4.0</span>
-                            <a href="{{ url_for('about') }}#channel-keys" class="text-muted ms-2" title="Learn about channel keys">
-                                <i class="bi bi-question-circle"></i>
-                            </a>
-                        </label>
+                <!-- Channel Key Accordion (Advanced) -->
+                <div class="accordion mt-4" id="advancedAccordion">
+                    <div class="accordion-item bg-dark">
+                        <h2 class="accordion-header">
+                            <button class="accordion-button collapsed bg-dark text-light" type="button"
+                                    data-bs-toggle="collapse" data-bs-target="#channelKeyCollapse">
+                                <i class="bi bi-broadcast me-2"></i>Channel Key
+                                <span class="badge bg-info ms-2">Advanced</span>
+                            </button>
+                        </h2>
+                        <div id="channelKeyCollapse" class="accordion-collapse collapse" data-bs-parent="#advancedAccordion">
+                            <div class="accordion-body">
+                                <p class="text-muted small mb-3">
+                                    Channel keys create private encoding channels. Only users with the same key can decode each other's images.
+                                    <a href="{{ url_for('about') }}#channel-keys" class="text-info">Learn more</a>
+                                </p>

-                        <div class="input-group input-group-sm">
+                                <div class="input-group">
                                    <span class="input-group-text"><i class="bi bi-key"></i></span>
                                    <input type="text" class="form-control font-monospace" id="channelKeyGenerated"
-                                   placeholder="Click Generate" readonly>
+                                           placeholder="Click Generate to create a key" readonly>
                                    <button class="btn btn-outline-primary" type="button" id="generateChannelKeyBtn">
                                        <i class="bi bi-shuffle me-1"></i>Generate
                                    </button>
@@ -97,13 +107,14 @@
                                        <i class="bi bi-clipboard"></i>
                                    </button>
                                </div>
-                        <div class="form-text">For private groups: generate, then use <strong>Custom</strong> mode when encoding/decoding.</div>
+                                <div class="form-text mt-2">
+                                    <i class="bi bi-info-circle me-1"></i>
+                                    After generating, configure this key in your server's environment or use <strong>Custom</strong> channel mode when encoding/decoding.
+                                </div>
+                            </div>
+                        </div>
+                    </div>
                </div>
-                    
-                    <button type="submit" class="btn btn-primary btn-lg w-100 mt-3">
-                        <i class="bi bi-shuffle me-2"></i>Generate Credentials
-                    </button>
-                </form>
                
                {% else %}
                <!-- Generated Credentials Display -->
@@ -498,61 +509,12 @@

 {% block scripts %}
 <script src="{{ url_for('static', filename='js/stegasoo.js') }}"></script>
-<script>
-// ============================================================================
-// GENERATE PAGE - Form Controls
-// ============================================================================
-
-// Words range slider
-const wordsRange = document.getElementById('wordsRange');
-const wordsValue = document.getElementById('wordsValue');
-
-wordsRange?.addEventListener('input', function() {
-    const bits = this.value * 11;
-    wordsValue.textContent = `${this.value} words (~${bits} bits)`;
-});
-
-// Toggle PIN/RSA options visibility
-const usePinCheck = document.getElementById('usePinCheck');
-const useRsaCheck = document.getElementById('useRsaCheck');
-const pinOptions = document.getElementById('pinOptions');
-const rsaOptions = document.getElementById('rsaOptions');
-const rsaQrWarning = document.getElementById('rsaQrWarning');
-const rsaBitsSelect = document.getElementById('rsaBitsSelect');
-
-usePinCheck?.addEventListener('change', function() {
-    pinOptions?.classList.toggle('d-none', !this.checked);
-});
-
-useRsaCheck?.addEventListener('change', function() {
-    rsaOptions?.classList.toggle('d-none', !this.checked);
-});
-
-// RSA key size QR warning (>3072 bits)
-rsaBitsSelect?.addEventListener('change', function() {
-    rsaQrWarning?.classList.toggle('d-none', parseInt(this.value) <= 3072);
-});
-
+<script src="{{ url_for('static', filename='js/generate.js') }}"></script>
 {% if generated %}
-// ============================================================================
-// GENERATE PAGE - Credential Display
-// ============================================================================
+<script>
+// Page-specific data from Jinja
+const passphraseWords = '{{ passphrase|default("", true) }}'.split(' ').filter(w => w.length > 0);

-// PIN visibility toggle
-let pinHidden = false;
-function togglePinVisibility() {
-    const pinDigits = document.getElementById('pinDigits');
-    const icon = document.getElementById('pinToggleIcon');
-    const text = document.getElementById('pinToggleText');
-    
-    pinHidden = !pinHidden;
-    pinDigits?.classList.toggle('blurred', pinHidden);
-    
-    if (icon) icon.className = pinHidden ? 'bi bi-eye' : 'bi bi-eye-slash';
-    if (text) text.textContent = pinHidden ? 'Show' : 'Hide';
-}
-
-// Copy PIN
 function copyPin() {
    Stegasoo.copyToClipboard(
        '{{ pin|default("", true) }}',
@@ -561,21 +523,6 @@ function copyPin() {
    );
 }

-// Passphrase visibility toggle
-let passphraseHidden = false;
-function togglePassphraseVisibility() {
-    const display = document.getElementById('passphraseDisplay');
-    const icon = document.getElementById('passphraseToggleIcon');
-    const text = document.getElementById('passphraseToggleText');
-    
-    passphraseHidden = !passphraseHidden;
-    display?.classList.toggle('blurred', passphraseHidden);
-    
-    if (icon) icon.className = passphraseHidden ? 'bi bi-eye' : 'bi bi-eye-slash';
-    if (text) text.textContent = passphraseHidden ? 'Show' : 'Hide';
-}
-
-// Copy passphrase
 function copyPassphrase() {
    Stegasoo.copyToClipboard(
        '{{ passphrase|default("", true) }}',
@@ -584,148 +531,13 @@ function copyPassphrase() {
    );
 }

-// ============================================================================
-// Memory Aid Story Generation - Templates by word count
-// ============================================================================
-
-const passphrase = '{{ passphrase|default("", true) }}';
-const passphraseWords = passphrase.split(' ').filter(w => w.length > 0);
-let currentStoryTemplate = 0;
-
-// Templates organized by word count (3-12 words supported)
-const storyTemplatesByLength = {
-    3: [
-        w => `The ${hl(w[0])} ${hl(w[1])} ${hl(w[2])}.`,
-        w => `${hl(w[0])} loves ${hl(w[1])} and ${hl(w[2])}.`,
-        w => `A ${hl(w[0])} found a ${hl(w[1])} near the ${hl(w[2])}.`,
-        w => `${hl(w[0])}, ${hl(w[1])}, ${hl(w[2])} — never forget.`,
-        w => `The ${hl(w[0])} hid the ${hl(w[1])} under the ${hl(w[2])}.`,
-    ],
-    4: [
-        w => `${hl(w[0])} and ${hl(w[1])} discovered a ${hl(w[2])} made of ${hl(w[3])}.`,
-        w => `The ${hl(w[0])} ${hl(w[1])} ate ${hl(w[2])} for ${hl(w[3])}.`,
-        w => `In the ${hl(w[0])}, a ${hl(w[1])} met a ${hl(w[2])} carrying ${hl(w[3])}.`,
-        w => `${hl(w[0])} said "${hl(w[1])}" while holding a ${hl(w[2])} ${hl(w[3])}.`,
-        w => `The secret: ${hl(w[0])}, ${hl(w[1])}, ${hl(w[2])}, ${hl(w[3])}.`,
-    ],
-    5: [
-        w => `${hl(w[0])} traveled to ${hl(w[1])} seeking the ${hl(w[2])} of ${hl(w[3])} and ${hl(w[4])}.`,
-        w => `The ${hl(w[0])} ${hl(w[1])} lived in a ${hl(w[2])} house with ${hl(w[3])} ${hl(w[4])}.`,
-        w => `"${hl(w[0])}!" shouted ${hl(w[1])} as the ${hl(w[2])} ${hl(w[3])} flew toward ${hl(w[4])}.`,
-        w => `Captain ${hl(w[0])} sailed the ${hl(w[1])} ${hl(w[2])} searching for ${hl(w[3])} ${hl(w[4])}.`,
-        w => `In ${hl(w[0])} kingdom, ${hl(w[1])} guards protected the ${hl(w[2])} ${hl(w[3])} ${hl(w[4])}.`,
-    ],
-    6: [
-        w => `${hl(w[0])} met ${hl(w[1])} at the ${hl(w[2])}. Together they found ${hl(w[3])}, ${hl(w[4])}, and ${hl(w[5])}.`,
-        w => `The ${hl(w[0])} ${hl(w[1])} wore a ${hl(w[2])} hat while eating ${hl(w[3])} ${hl(w[4])} ${hl(w[5])}.`,
-        w => `Detective ${hl(w[0])} found ${hl(w[1])} ${hl(w[2])} near the ${hl(w[3])} ${hl(w[4])} ${hl(w[5])}.`,
-        w => `In the ${hl(w[0])} ${hl(w[1])}, a ${hl(w[2])} ${hl(w[3])} sang about ${hl(w[4])} ${hl(w[5])}.`,
-        w => `Chef ${hl(w[0])} combined ${hl(w[1])}, ${hl(w[2])}, ${hl(w[3])}, ${hl(w[4])}, and ${hl(w[5])}.`,
-    ],
-    7: [
-        w => `${hl(w[0])} and ${hl(w[1])} walked through the ${hl(w[2])} ${hl(w[3])} to find the ${hl(w[4])} ${hl(w[5])} ${hl(w[6])}.`,
-        w => `The ${hl(w[0])} professor studied ${hl(w[1])} ${hl(w[2])} while drinking ${hl(w[3])} ${hl(w[4])} with ${hl(w[5])} ${hl(w[6])}.`,
-        w => `"${hl(w[0])} ${hl(w[1])}!" yelled ${hl(w[2])} as ${hl(w[3])} ${hl(w[4])} attacked the ${hl(w[5])} ${hl(w[6])}.`,
-        w => `In ${hl(w[0])}, King ${hl(w[1])} decreed that ${hl(w[2])} ${hl(w[3])} must honor ${hl(w[4])} ${hl(w[5])} ${hl(w[6])}.`,
-    ],
-    8: [
-        w => `${hl(w[0])} ${hl(w[1])} and ${hl(w[2])} ${hl(w[3])} met at the ${hl(w[4])} ${hl(w[5])} to discuss ${hl(w[6])} ${hl(w[7])}.`,
-        w => `The ${hl(w[0])} ${hl(w[1])} ${hl(w[2])} traveled from ${hl(w[3])} to ${hl(w[4])} carrying ${hl(w[5])} ${hl(w[6])} ${hl(w[7])}.`,
-        w => `${hl(w[0])} discovered that ${hl(w[1])} ${hl(w[2])} plus ${hl(w[3])} ${hl(w[4])} equals ${hl(w[5])} ${hl(w[6])} ${hl(w[7])}.`,
-    ],
-    9: [
-        w => `${hl(w[0])} ${hl(w[1])} ${hl(w[2])} watched as ${hl(w[3])} ${hl(w[4])} ${hl(w[5])} danced with ${hl(w[6])} ${hl(w[7])} ${hl(w[8])}.`,
-        w => `In the ${hl(w[0])} ${hl(w[1])} ${hl(w[2])}, three friends — ${hl(w[3])}, ${hl(w[4])}, ${hl(w[5])} — found ${hl(w[6])} ${hl(w[7])} ${hl(w[8])}.`,
-        w => `The recipe: ${hl(w[0])}, ${hl(w[1])}, ${hl(w[2])}, ${hl(w[3])}, ${hl(w[4])}, ${hl(w[5])}, ${hl(w[6])}, ${hl(w[7])}, ${hl(w[8])}.`,
-    ],
-    10: [
-        w => `${hl(w[0])} ${hl(w[1])} told ${hl(w[2])} ${hl(w[3])} about the ${hl(w[4])} ${hl(w[5])} ${hl(w[6])} hidden in ${hl(w[7])} ${hl(w[8])} ${hl(w[9])}.`,
-        w => `The ${hl(w[0])} ${hl(w[1])} ${hl(w[2])} ${hl(w[3])} ${hl(w[4])} lived beside ${hl(w[5])} ${hl(w[6])} ${hl(w[7])} ${hl(w[8])} ${hl(w[9])}.`,
-    ],
-    11: [
-        w => `${hl(w[0])} ${hl(w[1])} ${hl(w[2])} and ${hl(w[3])} ${hl(w[4])} ${hl(w[5])} discovered ${hl(w[6])} ${hl(w[7])} ${hl(w[8])} ${hl(w[9])} ${hl(w[10])}.`,
-        w => `In ${hl(w[0])} ${hl(w[1])}, the ${hl(w[2])} ${hl(w[3])} ${hl(w[4])} sang of ${hl(w[5])} ${hl(w[6])} ${hl(w[7])} ${hl(w[8])} ${hl(w[9])} ${hl(w[10])}.`,
-    ],
-    12: [
-        w => `${hl(w[0])} ${hl(w[1])} ${hl(w[2])} met ${hl(w[3])} ${hl(w[4])} ${hl(w[5])} at the ${hl(w[6])} ${hl(w[7])} ${hl(w[8])} ${hl(w[9])} ${hl(w[10])} ${hl(w[11])}.`,
-        w => `The twelve treasures: ${hl(w[0])}, ${hl(w[1])}, ${hl(w[2])}, ${hl(w[3])}, ${hl(w[4])}, ${hl(w[5])}, ${hl(w[6])}, ${hl(w[7])}, ${hl(w[8])}, ${hl(w[9])}, ${hl(w[10])}, ${hl(w[11])}.`,
-    ],
-};
-
-function hl(word) {
-    return `<span class="passphrase-word">${word}</span>`;
-}
-
-function generateStory(idx = null) {
-    const count = passphraseWords.length;
-    if (count === 0) return '';
-    
-    // Clamp to supported range (3-12)
-    const templateKey = Math.max(3, Math.min(12, count));
-    const templates = storyTemplatesByLength[templateKey];
-    
-    if (!templates || templates.length === 0) {
-        // Fallback: just list the words
-        return passphraseWords.map(w => hl(w)).join(' &mdash; ');
-    }
-    
-    const templateIdx = (idx ?? currentStoryTemplate) % templates.length;
-    return templates[templateIdx](passphraseWords);
-}
-
 function toggleMemoryAid() {
-    const container = document.getElementById('memoryAidContainer');
-    const icon = document.getElementById('memoryAidIcon');
-    const text = document.getElementById('memoryAidText');
-    
-    const isHidden = container?.classList.contains('d-none');
-    container?.classList.toggle('d-none', !isHidden);
-    
-    if (icon) icon.className = isHidden ? 'bi bi-lightbulb-fill' : 'bi bi-lightbulb';
-    if (text) text.textContent = isHidden ? 'Hide Aid' : 'Memory Aid';
-    
-    if (isHidden) {
-        document.getElementById('memoryStory').innerHTML = generateStory();
-    }
+    StegasooGenerate.toggleMemoryAid(passphraseWords);
 }

 function regenerateStory() {
-    const count = passphraseWords.length;
-    const templateKey = Math.max(3, Math.min(12, count));
-    const templates = storyTemplatesByLength[templateKey] || [];
-    currentStoryTemplate = (currentStoryTemplate + 1) % Math.max(1, templates.length);
-    document.getElementById('memoryStory').innerHTML = generateStory(currentStoryTemplate);
+    StegasooGenerate.regenerateStory(passphraseWords);
 }
-
-// Print QR code
-function printQrCode() {
-    const qrImg = document.getElementById('qrCodeImage');
-    if (!qrImg) return;
-    
-    const printWindow = window.open('', '_blank');
-    printWindow.document.write(`<!DOCTYPE html>
-<html>
-<head>
-    <title>Stegasoo RSA Key QR Code</title>
-    <style>
-        body { display: flex; flex-direction: column; align-items: center; justify-content: center; min-height: 100vh; margin: 0; font-family: sans-serif; }
-        img { max-width: 400px; }
-        .warning { margin-top: 20px; padding: 10px; border: 2px solid #ff9800; background: #fff3e0; max-width: 400px; text-align: center; font-size: 12px; }
-    </style>
-</head>
-<body>
-    <h2>Stegasoo RSA Private Key</h2>
-    <img src="${qrImg.src}" alt="RSA Key QR Code">
-    <div class="warning">
-        <strong>⚠️ SECURITY WARNING</strong><br>
-        This QR code contains your unencrypted RSA private key.<br>
-        Store securely and destroy after use.
-    </div>
-    <script>window.onload = function() { window.print(); }<\/script>
-</body>
-</html>`);
-    printWindow.document.close();
-}
-{% endif %}
 </script>
+{% endif %}
 {% endblock %}
--- a/frontends/web/templates/index.html
+++ b/frontends/web/templates/index.html
@@ -9,9 +9,9 @@
        <div class="d-flex align-items-end justify-content-center gap-4">
            <img src="{{ url_for('static', filename='logo.svg') }}" alt="Stegasoo" height="155">
            <div style="margin-bottom: 40px;">
-                <h1 class="display-4 fw-bold mb-2">
+                <h1 class="display-4 fw-bold mb-2 title-gold">
                    Stegasoo
-                    <span class="badge bg-success fs-6 ms-2">v4.0</span>
+                    <span class="badge bg-success fs-6 ms-2">v4.1</span>
                </h1>
                <p class="lead text-muted mb-0">Hide encrypted data in plain sight.</p>
            </div>
@@ -162,7 +162,7 @@
                    <li class="mb-1">
                        <i class="bi bi-broadcast text-success me-2"></i>
                        <strong>Channel keys</strong> for group isolation
-                        <span class="badge bg-info ms-1">v4.0</span>
+                        <span class="badge bg-info ms-1">v4.1</span>
                    </li>
                </ul>
            </div>
--- a/frontends/web/templates/login.html
+++ b/frontends/web/templates/login.html
@@ -17,7 +17,7 @@
                            <i class="bi bi-person me-1"></i> Username
                        </label>
                        <input type="text" name="username" class="form-control"
-                               value="{{ username }}" readonly>
+                               placeholder="Enter your username" required autofocus>
                    </div>

                    <div class="mb-4">
@@ -26,7 +26,7 @@
                        </label>
                        <div class="input-group">
                            <input type="password" name="password" class="form-control"
-                                   id="passwordInput" required autofocus>
+                                   id="passwordInput" required>
                            <button class="btn btn-outline-secondary" type="button"
                                    onclick="togglePassword('passwordInput', this)">
                                <i class="bi bi-eye"></i>
@@ -38,6 +38,12 @@
                        <i class="bi bi-box-arrow-in-right me-2"></i>Login
                    </button>
                </form>
+
+                <div class="text-center mt-3">
+                    <a href="{{ url_for('recover') }}" class="text-muted small">
+                        <i class="bi bi-key me-1"></i> Forgot password?
+                    </a>
+                </div>
            </div>
        </div>
    </div>
@@ -45,17 +51,5 @@
 {% endblock %}

 {% block scripts %}
-<script>
-function togglePassword(inputId, btn) {
-    const input = document.getElementById(inputId);
-    const icon = btn.querySelector('i');
-    if (input.type === 'password') {
-        input.type = 'text';
-        icon.classList.replace('bi-eye', 'bi-eye-slash');
-    } else {
-        input.type = 'password';
-        icon.classList.replace('bi-eye-slash', 'bi-eye');
-    }
-}
-</script>
+<script src="{{ url_for('static', filename='js/auth.js') }}"></script>
 {% endblock %}
--- a/frontends/web/templates/recover.html
+++ b/frontends/web/templates/recover.html
@@ -0,0 +1,129 @@
+{% extends "base.html" %}
+
+{% block title %}Password Recovery - Stegasoo{% endblock %}
+
+{% block content %}
+<div class="row justify-content-center">
+    <div class="col-md-6 col-lg-5">
+        <div class="card">
+            <div class="card-header text-center">
+                <i class="bi bi-shield-lock fs-1 d-block mb-2"></i>
+                <h5 class="mb-0">Password Recovery</h5>
+            </div>
+            <div class="card-body">
+                <p class="text-muted text-center mb-4">
+                    Enter your recovery key to reset your admin password.
+                </p>
+
+                <!-- Extract from Stego Backup -->
+                <div class="accordion mb-3" id="stegoAccordion">
+                    <div class="accordion-item">
+                        <h2 class="accordion-header">
+                            <button class="accordion-button collapsed py-2" type="button"
+                                    data-bs-toggle="collapse" data-bs-target="#stegoExtract">
+                                <i class="bi bi-incognito me-2"></i>
+                                <small>Extract from stego backup</small>
+                            </button>
+                        </h2>
+                        <div id="stegoExtract" class="accordion-collapse collapse"
+                             data-bs-parent="#stegoAccordion">
+                            <div class="accordion-body py-2">
+                                <form method="POST" action="{{ url_for('recover_from_stego') }}"
+                                      enctype="multipart/form-data">
+                                    <div class="mb-2">
+                                        <label class="form-label small mb-1">Stego Image</label>
+                                        <input type="file" name="stego_image"
+                                               class="form-control form-control-sm"
+                                               accept="image/*" required>
+                                    </div>
+                                    <div class="mb-2">
+                                        <label class="form-label small mb-1">Original Reference</label>
+                                        <input type="file" name="reference_image"
+                                               class="form-control form-control-sm"
+                                               accept="image/*" required>
+                                    </div>
+                                    <button type="submit" class="btn btn-sm btn-outline-primary w-100">
+                                        <i class="bi bi-unlock me-1"></i> Extract Key
+                                    </button>
+                                </form>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <form method="POST" action="{{ url_for('recover') }}" id="recoverForm">
+                    <!-- Recovery Key Input -->
+                    <div class="mb-3">
+                        <label class="form-label">
+                            <i class="bi bi-key-fill me-1"></i> Recovery Key
+                        </label>
+                        <textarea name="recovery_key" class="form-control font-monospace"
+                                  rows="2" required
+                                  placeholder="XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX"
+                                  style="font-size: 0.9em;">{{ prefilled_key or '' }}</textarea>
+                        <div class="form-text">
+                            Paste your full recovery key (with or without dashes)
+                        </div>
+                    </div>
+
+                    <hr>
+
+                    <!-- New Password -->
+                    <div class="mb-3">
+                        <label class="form-label">
+                            <i class="bi bi-lock me-1"></i> New Password
+                        </label>
+                        <div class="input-group">
+                            <input type="password" name="new_password" class="form-control"
+                                   id="passwordInput" required minlength="8">
+                            <button class="btn btn-outline-secondary" type="button"
+                                    onclick="togglePassword('passwordInput', this)">
+                                <i class="bi bi-eye"></i>
+                            </button>
+                        </div>
+                        <div class="form-text">Minimum 8 characters</div>
+                    </div>
+
+                    <!-- Confirm Password -->
+                    <div class="mb-4">
+                        <label class="form-label">
+                            <i class="bi bi-lock-fill me-1"></i> Confirm Password
+                        </label>
+                        <div class="input-group">
+                            <input type="password" name="new_password_confirm" class="form-control"
+                                   id="passwordConfirmInput" required minlength="8">
+                            <button class="btn btn-outline-secondary" type="button"
+                                    onclick="togglePassword('passwordConfirmInput', this)">
+                                <i class="bi bi-eye"></i>
+                            </button>
+                        </div>
+                    </div>
+
+                    <button type="submit" class="btn btn-primary w-100">
+                        <i class="bi bi-check-lg me-2"></i>Reset Password
+                    </button>
+                </form>
+
+                <div class="text-center mt-3">
+                    <a href="{{ url_for('login') }}" class="text-muted small">
+                        <i class="bi bi-arrow-left me-1"></i> Back to Login
+                    </a>
+                </div>
+            </div>
+        </div>
+
+        <div class="alert alert-warning mt-4 small">
+            <i class="bi bi-exclamation-triangle me-2"></i>
+            <strong>Note:</strong> This will reset the admin password. If you don't have a valid recovery key,
+            you'll need to delete the database and reconfigure Stegasoo.
+        </div>
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script src="{{ url_for('static', filename='js/auth.js') }}"></script>
+<script>
+StegasooAuth.initPasswordConfirmation('recoverForm', 'passwordInput', 'passwordConfirmInput');
+</script>
+{% endblock %}
--- a/frontends/web/templates/regenerate_recovery.html
+++ b/frontends/web/templates/regenerate_recovery.html
@@ -0,0 +1,183 @@
+{% extends "base.html" %}
+
+{% block title %}Regenerate Recovery Key - Stegasoo{% endblock %}
+
+{% block content %}
+<div class="row justify-content-center">
+    <div class="col-md-8 col-lg-6">
+        <div class="card">
+            <div class="card-header text-center">
+                <i class="bi bi-arrow-repeat fs-1 d-block mb-2"></i>
+                <h5 class="mb-0">{{ 'Regenerate' if has_existing else 'Generate' }} Recovery Key</h5>
+            </div>
+            <div class="card-body">
+                {% if has_existing %}
+                <!-- Warning for existing key -->
+                <div class="alert alert-warning">
+                    <i class="bi bi-exclamation-triangle me-2"></i>
+                    <strong>Warning:</strong> Your existing recovery key will be invalidated.
+                    Make sure to save this new key before continuing.
+                </div>
+                {% else %}
+                <!-- Info for first-time setup -->
+                <div class="alert alert-info">
+                    <i class="bi bi-info-circle me-2"></i>
+                    <strong>What is a recovery key?</strong><br>
+                    If you forget your admin password, this key is the ONLY way to reset it.
+                </div>
+                {% endif %}
+
+                <!-- Recovery Key Display -->
+                <div class="mb-4">
+                    <label class="form-label">
+                        <i class="bi bi-key-fill me-1"></i> Your New Recovery Key
+                    </label>
+                    <div class="input-group">
+                        <input type="text" class="form-control font-monospace text-center"
+                               id="recoveryKey" value="{{ recovery_key }}" readonly
+                               style="font-size: 1.1em; letter-spacing: 0.5px;">
+                        <button class="btn btn-outline-secondary" type="button"
+                                onclick="copyToClipboard()" title="Copy to clipboard">
+                            <i class="bi bi-clipboard" id="copyIcon"></i>
+                        </button>
+                    </div>
+                </div>
+
+                <!-- QR Code (if available) -->
+                {% if qr_base64 %}
+                <div class="mb-4 text-center">
+                    <label class="form-label d-block">
+                        <i class="bi bi-qr-code me-1"></i> QR Code
+                    </label>
+                    <img src="data:image/png;base64,{{ qr_base64 }}"
+                         alt="Recovery Key QR Code" class="img-fluid border rounded"
+                         style="max-width: 200px;" id="qrImage">
+                </div>
+                {% endif %}
+
+                <!-- Download Options -->
+                <div class="mb-4">
+                    <label class="form-label">
+                        <i class="bi bi-download me-1"></i> Download Options
+                    </label>
+                    <div class="d-flex gap-2 flex-wrap">
+                        <button class="btn btn-outline-primary btn-sm" onclick="downloadTextFile()">
+                            <i class="bi bi-file-text me-1"></i> Text File
+                        </button>
+                        {% if qr_base64 %}
+                        <button class="btn btn-outline-primary btn-sm" onclick="downloadQRImage()">
+                            <i class="bi bi-image me-1"></i> QR Image
+                        </button>
+                        {% endif %}
+                    </div>
+                </div>
+
+                <!-- Stego Backup Option -->
+                <div class="mb-4">
+                    <label class="form-label">
+                        <i class="bi bi-incognito me-1"></i> Hide in Image
+                    </label>
+                    <form method="POST" action="{{ url_for('create_stego_backup') }}"
+                          enctype="multipart/form-data" class="d-flex gap-2 align-items-end">
+                        <input type="hidden" name="recovery_key" value="{{ recovery_key }}">
+                        <div class="flex-grow-1">
+                            <input type="file" name="carrier_image" class="form-control form-control-sm"
+                                   accept="image/jpeg,image/png" required>
+                            <div class="form-text">JPG/PNG, 50KB-2MB</div>
+                        </div>
+                        <button type="submit" class="btn btn-outline-secondary btn-sm">
+                            <i class="bi bi-download me-1"></i> Stego
+                        </button>
+                    </form>
+                </div>
+
+                <hr>
+
+                <!-- Confirmation Form -->
+                <form method="POST" id="recoveryForm">
+                    <input type="hidden" name="recovery_key" value="{{ recovery_key }}">
+
+                    <!-- Confirm checkbox -->
+                    <div class="form-check mb-3">
+                        <input class="form-check-input" type="checkbox" id="confirmSaved"
+                               onchange="updateButtons()">
+                        <label class="form-check-label" for="confirmSaved">
+                            I have saved my recovery key in a secure location
+                        </label>
+                    </div>
+
+                    <div class="d-flex gap-2 justify-content-between">
+                        <!-- Cancel button -->
+                        <button type="submit" name="action" value="cancel"
+                                class="btn btn-outline-secondary">
+                            <i class="bi bi-x-lg me-1"></i> Cancel
+                        </button>
+
+                        <!-- Save button -->
+                        <button type="submit" name="action" value="save"
+                                class="btn btn-primary" id="saveBtn" disabled>
+                            <i class="bi bi-check-lg me-1"></i> Save New Key
+                        </button>
+                    </div>
+                </form>
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script>
+// Copy recovery key to clipboard
+function copyToClipboard() {
+    const keyInput = document.getElementById('recoveryKey');
+    navigator.clipboard.writeText(keyInput.value).then(() => {
+        const icon = document.getElementById('copyIcon');
+        icon.className = 'bi bi-clipboard-check';
+        setTimeout(() => { icon.className = 'bi bi-clipboard'; }, 2000);
+    });
+}
+
+// Download as text file
+function downloadTextFile() {
+    const key = document.getElementById('recoveryKey').value;
+    const content = `Stegasoo Recovery Key
+=====================
+
+${key}
+
+IMPORTANT:
+- Keep this file in a secure location
+- Anyone with this key can reset admin passwords
+- Do not store with your password
+
+Generated: ${new Date().toISOString()}
+`;
+    const blob = new Blob([content], { type: 'text/plain' });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = 'stegasoo-recovery-key.txt';
+    a.click();
+    URL.revokeObjectURL(url);
+}
+
+// Download QR as image
+function downloadQRImage() {
+    const img = document.getElementById('qrImage');
+    if (!img) return;
+
+    const a = document.createElement('a');
+    a.href = img.src;
+    a.download = 'stegasoo-recovery-qr.png';
+    a.click();
+}
+
+// Enable save button when checkbox is checked
+function updateButtons() {
+    const checkbox = document.getElementById('confirmSaved');
+    const saveBtn = document.getElementById('saveBtn');
+    saveBtn.disabled = !checkbox.checked;
+}
+</script>
+{% endblock %}
--- a/frontends/web/templates/setup.html
+++ b/frontends/web/templates/setup.html
@@ -69,26 +69,8 @@
 {% endblock %}

 {% block scripts %}
+<script src="{{ url_for('static', filename='js/auth.js') }}"></script>
 <script>
-function togglePassword(inputId, btn) {
-    const input = document.getElementById(inputId);
-    const icon = btn.querySelector('i');
-    if (input.type === 'password') {
-        input.type = 'text';
-        icon.classList.replace('bi-eye', 'bi-eye-slash');
-    } else {
-        input.type = 'password';
-        icon.classList.replace('bi-eye-slash', 'bi-eye');
-    }
-}
-
-document.getElementById('setupForm')?.addEventListener('submit', function(e) {
-    const pass = document.getElementById('passwordInput').value;
-    const confirm = document.getElementById('passwordConfirmInput').value;
-    if (pass !== confirm) {
-        e.preventDefault();
-        alert('Passwords do not match');
-    }
-});
+StegasooAuth.initPasswordConfirmation('setupForm', 'passwordInput', 'passwordConfirmInput');
 </script>
 {% endblock %}
--- a/frontends/web/templates/setup_recovery.html
+++ b/frontends/web/templates/setup_recovery.html
@@ -0,0 +1,176 @@
+{% extends "base.html" %}
+
+{% block title %}Recovery Key Setup - Stegasoo{% endblock %}
+
+{% block content %}
+<div class="row justify-content-center">
+    <div class="col-md-8 col-lg-6">
+        <div class="card">
+            <div class="card-header text-center">
+                <i class="bi bi-shield-lock fs-1 d-block mb-2"></i>
+                <h5 class="mb-0">Recovery Key Setup</h5>
+                <small class="text-muted">Step 2 of 2</small>
+            </div>
+            <div class="card-body">
+                <!-- Explanation -->
+                <div class="alert alert-info">
+                    <i class="bi bi-info-circle me-2"></i>
+                    <strong>What is a recovery key?</strong><br>
+                    If you forget your admin password, this key is the ONLY way to reset it.
+                    Save it somewhere safe - it will not be shown again.
+                </div>
+
+                <!-- Recovery Key Display -->
+                <div class="mb-4">
+                    <label class="form-label">
+                        <i class="bi bi-key-fill me-1"></i> Your Recovery Key
+                    </label>
+                    <div class="input-group">
+                        <input type="text" class="form-control font-monospace text-center"
+                               id="recoveryKey" value="{{ recovery_key }}" readonly
+                               style="font-size: 1.1em; letter-spacing: 0.5px;">
+                        <button class="btn btn-outline-secondary" type="button"
+                                onclick="copyToClipboard()" title="Copy to clipboard">
+                            <i class="bi bi-clipboard" id="copyIcon"></i>
+                        </button>
+                    </div>
+                </div>
+
+                <!-- QR Code (if available) -->
+                {% if qr_base64 %}
+                <div class="mb-4 text-center">
+                    <label class="form-label d-block">
+                        <i class="bi bi-qr-code me-1"></i> QR Code
+                    </label>
+                    <img src="data:image/png;base64,{{ qr_base64 }}"
+                         alt="Recovery Key QR Code" class="img-fluid border rounded"
+                         style="max-width: 200px;" id="qrImage">
+                    <div class="mt-2">
+                        <small class="text-muted">Scan with your phone's camera app</small>
+                    </div>
+                </div>
+                {% endif %}
+
+                <!-- Download Options -->
+                <div class="mb-4">
+                    <label class="form-label">
+                        <i class="bi bi-download me-1"></i> Download Options
+                    </label>
+                    <div class="d-flex gap-2 flex-wrap">
+                        <button class="btn btn-outline-primary btn-sm" onclick="downloadTextFile()">
+                            <i class="bi bi-file-text me-1"></i> Text File
+                        </button>
+                        {% if qr_base64 %}
+                        <button class="btn btn-outline-primary btn-sm" onclick="downloadQRImage()">
+                            <i class="bi bi-image me-1"></i> QR Image
+                        </button>
+                        {% endif %}
+                    </div>
+                </div>
+
+                <hr>
+
+                <!-- Confirmation Form -->
+                <form method="POST" id="recoveryForm">
+                    <input type="hidden" name="recovery_key" value="{{ recovery_key }}">
+
+                    <!-- Confirm checkbox -->
+                    <div class="form-check mb-3">
+                        <input class="form-check-input" type="checkbox" id="confirmSaved"
+                               onchange="updateButtons()">
+                        <label class="form-check-label" for="confirmSaved">
+                            I have saved my recovery key in a secure location
+                        </label>
+                    </div>
+
+                    <div class="d-flex gap-2 justify-content-between">
+                        <!-- Skip button (no recovery) -->
+                        <button type="submit" name="action" value="skip"
+                                class="btn btn-outline-secondary"
+                                onclick="return confirm('Are you sure? Without a recovery key, there is NO way to reset your password if you forget it.')">
+                            <i class="bi bi-skip-forward me-1"></i> Skip (No Recovery)
+                        </button>
+
+                        <!-- Save button (with key) -->
+                        <button type="submit" name="action" value="save"
+                                class="btn btn-primary" id="saveBtn" disabled>
+                            <i class="bi bi-check-lg me-1"></i> Continue
+                        </button>
+                    </div>
+                </form>
+            </div>
+        </div>
+
+        <!-- Security Notes -->
+        <div class="card mt-3">
+            <div class="card-header">
+                <i class="bi bi-shield-check me-2"></i>Security Notes
+            </div>
+            <div class="card-body small">
+                <ul class="mb-0">
+                    <li>The recovery key is <strong>not stored</strong> - only a hash is saved</li>
+                    <li>Keep it separate from your password (different location)</li>
+                    <li>Anyone with this key can reset admin passwords</li>
+                    <li>If you lose it and forget your password, you must recreate the database</li>
+                </ul>
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script>
+// Copy recovery key to clipboard
+function copyToClipboard() {
+    const keyInput = document.getElementById('recoveryKey');
+    navigator.clipboard.writeText(keyInput.value).then(() => {
+        const icon = document.getElementById('copyIcon');
+        icon.className = 'bi bi-clipboard-check';
+        setTimeout(() => { icon.className = 'bi bi-clipboard'; }, 2000);
+    });
+}
+
+// Download as text file
+function downloadTextFile() {
+    const key = document.getElementById('recoveryKey').value;
+    const content = `Stegasoo Recovery Key
+=====================
+
+${key}
+
+IMPORTANT:
+- Keep this file in a secure location
+- Anyone with this key can reset admin passwords
+- Do not store with your password
+
+Generated: ${new Date().toISOString()}
+`;
+    const blob = new Blob([content], { type: 'text/plain' });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = 'stegasoo-recovery-key.txt';
+    a.click();
+    URL.revokeObjectURL(url);
+}
+
+// Download QR as image
+function downloadQRImage() {
+    const img = document.getElementById('qrImage');
+    if (!img) return;
+
+    const a = document.createElement('a');
+    a.href = img.src;
+    a.download = 'stegasoo-recovery-qr.png';
+    a.click();
+}
+
+// Enable save button when checkbox is checked
+function updateButtons() {
+    const checkbox = document.getElementById('confirmSaved');
+    const saveBtn = document.getElementById('saveBtn');
+    saveBtn.disabled = !checkbox.checked;
+}
+</script>
+{% endblock %}
--- a/frontends/web/templates/tools.html
+++ b/frontends/web/templates/tools.html
@@ -0,0 +1,756 @@
+{% extends "base.html" %}
+
+{% block title %}Tools - Stegasoo{% endblock %}
+
+{% block content %}
+<style>
+/* Tool drop zone - compact */
+.tool-drop-zone {
+    position: relative;
+    min-height: 120px;
+    border: 2px dashed rgba(255, 255, 255, 0.2);
+    border-radius: 8px;
+    background: rgba(0, 0, 0, 0.2);
+    transition: all 0.3s ease;
+    overflow: hidden;
+}
+
+.tool-drop-zone.drag-over {
+    border-color: #63b3ed;
+    background: rgba(99, 179, 237, 0.1);
+}
+
+.tool-drop-zone input[type="file"] {
+    position: absolute;
+    inset: 0;
+    opacity: 0;
+    cursor: pointer;
+    z-index: 10;
+}
+
+.tool-drop-zone .drop-label {
+    text-align: center;
+    padding: 25px 20px;
+}
+
+.tool-drop-zone .drop-icon {
+    font-size: 2rem;
+    color: rgba(255, 255, 255, 0.3);
+    transition: all 0.3s ease;
+}
+
+.tool-drop-zone.drag-over .drop-icon {
+    color: #63b3ed;
+    transform: scale(1.1);
+}
+
+/* Preview state */
+.tool-drop-zone.has-file .drop-label {
+    display: none;
+}
+
+.tool-drop-zone .preview-container {
+    display: none;
+    padding: 12px;
+}
+
+.tool-drop-zone.has-file .preview-container {
+    display: flex;
+    align-items: center;
+    gap: 12px;
+}
+
+.tool-drop-zone .preview-thumb {
+    width: 70px;
+    height: 70px;
+    object-fit: cover;
+    border-radius: 6px;
+    border: 2px solid rgba(99, 179, 237, 0.5);
+}
+
+.tool-drop-zone .preview-info {
+    flex: 1;
+    min-width: 0;
+}
+
+.tool-drop-zone .preview-name {
+    font-weight: 600;
+    color: #63b3ed;
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+}
+
+.tool-drop-zone .preview-meta {
+    font-size: 0.8rem;
+    color: rgba(255, 255, 255, 0.5);
+}
+
+.tool-drop-zone .preview-clear {
+    position: absolute;
+    top: 8px;
+    right: 8px;
+    z-index: 20;
+    opacity: 0.7;
+}
+
+.tool-drop-zone .preview-clear:hover {
+    opacity: 1;
+}
+
+/* Result panels */
+.result-panel {
+    background: rgba(0, 0, 0, 0.3);
+    border-radius: 8px;
+    border: 1px solid rgba(255, 255, 255, 0.1);
+}
+
+/* EXIF table styling */
+.exif-table {
+    font-size: 0.85rem;
+}
+
+.exif-table th {
+    background: rgba(0, 0, 0, 0.3);
+    position: sticky;
+    top: 0;
+}
+
+.exif-table td {
+    vertical-align: middle;
+}
+
+.exif-input {
+    background: rgba(0, 0, 0, 0.3) !important;
+    border: 1px solid rgba(99, 179, 237, 0.3) !important;
+    color: #63b3ed !important;
+    font-family: monospace;
+    font-size: 0.8rem;
+    padding: 4px 8px;
+}
+
+.exif-input:focus {
+    border-color: #63b3ed !important;
+    box-shadow: 0 0 10px rgba(99, 179, 237, 0.2) !important;
+}
+
+/* Processing state */
+.processing .tool-drop-zone {
+    pointer-events: none;
+    opacity: 0.6;
+}
+
+.processing .btn {
+    pointer-events: none;
+}
+
+/* Tool section visibility */
+.tool-section { display: none; }
+.tool-section.active { display: block; }
+
+/* Green→amber gradient (12.5% lighter) */
+.tool-tabs .btn-outline-primary {
+    background-color: rgba(0, 0, 0, 0.25);
+}
+.tool-tabs .btn-outline-primary:nth-of-type(1) {
+    color: #40d770;
+    border-color: #40d770;
+}
+.tool-tabs .btn-outline-primary:nth-of-type(2) {
+    color: #96da2c;
+    border-color: #96da2c;
+}
+.tool-tabs .btn-outline-primary:nth-of-type(3) {
+    color: #fdda64;
+    border-color: #fdda64;
+}
+
+.tool-tabs .btn-outline-primary:nth-of-type(1):hover {
+    background-color: rgba(64, 215, 112, 0.15);
+}
+.tool-tabs .btn-outline-primary:nth-of-type(2):hover {
+    background-color: rgba(150, 218, 44, 0.15);
+}
+.tool-tabs .btn-outline-primary:nth-of-type(3):hover {
+    background-color: rgba(253, 218, 100, 0.15);
+}
+
+.tool-tabs .btn-check:checked + .btn-outline-primary:nth-of-type(1) {
+    background-color: #40d770;
+    border-color: #40d770;
+    color: #1a1a2e;
+}
+.tool-tabs .btn-check:checked + .btn-outline-primary:nth-of-type(2) {
+    background-color: #96da2c;
+    border-color: #96da2c;
+    color: #1a1a2e;
+}
+.tool-tabs .btn-check:checked + .btn-outline-primary:nth-of-type(3) {
+    background-color: #fdda64;
+    border-color: #fdda64;
+    color: #1a1a2e;
+}
+</style>
+
+<div class="row justify-content-center">
+    <div class="col-lg-8">
+        <div class="card">
+            <div class="card-header">
+                <h5 class="mb-0"><i class="bi bi-tools me-2"></i>Image Security Toolkit</h5>
+            </div>
+            <div class="card-body">
+                <!-- Tool Selector Tabs -->
+                <div class="btn-group tool-tabs w-100 mb-4" role="group">
+                    <input type="radio" class="btn-check" name="tool_type" id="toolCapacity" value="capacity" checked>
+                    <label class="btn btn-outline-primary" for="toolCapacity">
+                        <i class="bi bi-rulers me-1"></i> Capacity
+                    </label>
+                    <input type="radio" class="btn-check" name="tool_type" id="toolExif" value="exif">
+                    <label class="btn btn-outline-primary" for="toolExif">
+                        <i class="bi bi-card-text me-1"></i> EXIF
+                    </label>
+                    <input type="radio" class="btn-check" name="tool_type" id="toolStrip" value="strip">
+                    <label class="btn btn-outline-primary" for="toolStrip">
+                        <i class="bi bi-eraser me-1"></i> Strip
+                    </label>
+                </div>
+
+                <!-- ============================================================ -->
+                <!-- CAPACITY CALCULATOR -->
+                <!-- ============================================================ -->
+                <div class="tool-section active" id="capacitySection">
+                    <p class="text-muted small mb-3">Check how much data can be hidden in an image</p>
+
+                    <div class="tool-drop-zone" id="capacityZone">
+                        <input type="file" accept="image/*" id="capacityFile">
+                        <div class="drop-label">
+                            <i class="bi bi-image drop-icon d-block mb-2"></i>
+                            <span class="text-muted">Drop image or click to browse</span>
+                        </div>
+                        <div class="preview-container">
+                            <img class="preview-thumb" id="capacityThumb">
+                            <div class="preview-info">
+                                <div class="preview-name" id="capacityName">image.jpg</div>
+                                <div class="preview-meta" id="capacityMeta">-- × -- · -- MB</div>
+                            </div>
+                        </div>
+                        <button type="button" class="btn btn-sm btn-outline-secondary preview-clear d-none" id="capacityClear">
+                            <i class="bi bi-x"></i>
+                        </button>
+                    </div>
+
+                    <!-- Results -->
+                    <div class="result-panel p-3 mt-3 d-none" id="capacityResult">
+                        <div class="row text-center">
+                            <div class="col-6 col-md-3 mb-3 mb-md-0">
+                                <div class="text-muted small">Dimensions</div>
+                                <div class="fw-bold" id="capDimensions">--</div>
+                            </div>
+                            <div class="col-6 col-md-3 mb-3 mb-md-0">
+                                <div class="text-muted small">Megapixels</div>
+                                <div class="fw-bold" id="capMegapixels">--</div>
+                            </div>
+                            <div class="col-6 col-md-3">
+                                <div class="text-muted small">LSB Capacity</div>
+                                <div class="fw-bold text-primary" id="capLsb">--</div>
+                            </div>
+                            <div class="col-6 col-md-3">
+                                <div class="text-muted small">DCT Capacity</div>
+                                <div class="fw-bold text-warning" id="capDct">--</div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- ============================================================ -->
+                <!-- EXIF EDITOR -->
+                <!-- ============================================================ -->
+                <div class="tool-section" id="exifSection">
+                    <p class="text-muted small mb-3">View, edit, or remove image metadata</p>
+
+                    <div class="tool-drop-zone" id="exifZone">
+                        <input type="file" accept="image/*" id="exifFile">
+                        <div class="drop-label">
+                            <i class="bi bi-card-image drop-icon d-block mb-2"></i>
+                            <span class="text-muted">Drop image or click to browse</span>
+                        </div>
+                        <div class="preview-container">
+                            <img class="preview-thumb" id="exifThumb">
+                            <div class="preview-info">
+                                <div class="preview-name" id="exifName">image.jpg</div>
+                                <div class="preview-meta"><span id="exifFieldCount">0</span> metadata fields</div>
+                                <div id="exifNotEditable" class="text-warning small d-none">
+                                    <i class="bi bi-exclamation-triangle me-1"></i>Non-JPEG: clear only
+                                </div>
+                            </div>
+                        </div>
+                        <button type="button" class="btn btn-sm btn-outline-secondary preview-clear d-none" id="exifClear">
+                            <i class="bi bi-x"></i>
+                        </button>
+                    </div>
+
+                    <!-- EXIF Data Editor -->
+                    <div id="exifEditor" class="d-none mt-3">
+                        <div class="table-responsive result-panel" style="max-height: 250px; overflow-y: auto;">
+                            <table class="table table-sm table-dark table-hover exif-table mb-0">
+                                <thead>
+                                    <tr>
+                                        <th style="width: 35%">Field</th>
+                                        <th>Value</th>
+                                        <th style="width: 40px"></th>
+                                    </tr>
+                                </thead>
+                                <tbody id="exifTable"></tbody>
+                            </table>
+                        </div>
+
+                        <div id="exifEmpty" class="result-panel text-muted text-center py-4 d-none">
+                            <i class="bi bi-inbox fs-4 d-block mb-2"></i>No metadata found
+                        </div>
+
+                        <!-- Action Buttons -->
+                        <div class="d-flex gap-2 mt-3 pt-3 border-top border-secondary">
+                            <button type="button" class="btn btn-outline-danger" id="exifClearAll">
+                                <i class="bi bi-trash me-1"></i>Clear All
+                            </button>
+                            <div class="ms-auto d-flex gap-2">
+                                <button type="button" class="btn btn-outline-secondary" id="exifDiscard">
+                                    Discard
+                                </button>
+                                <button type="button" class="btn btn-primary" id="exifSave" disabled>
+                                    <i class="bi bi-download me-1"></i>Save
+                                </button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- ============================================================ -->
+                <!-- STRIP METADATA -->
+                <!-- ============================================================ -->
+                <div class="tool-section" id="stripSection">
+                    <p class="text-muted small mb-3">Remove all EXIF data and get a clean image</p>
+
+                    <div class="tool-drop-zone" id="stripZone">
+                        <input type="file" accept="image/*" id="stripFile">
+                        <div class="drop-label">
+                            <i class="bi bi-file-earmark-x drop-icon d-block mb-2"></i>
+                            <span class="text-muted">Drop image or click to browse</span>
+                        </div>
+                        <div class="preview-container">
+                            <img class="preview-thumb" id="stripThumb">
+                            <div class="preview-info">
+                                <div class="preview-name" id="stripName">image.jpg</div>
+                                <div class="preview-meta" id="stripMeta">--</div>
+                            </div>
+                        </div>
+                        <button type="button" class="btn btn-sm btn-outline-secondary preview-clear d-none" id="stripClearBtn">
+                            <i class="bi bi-x"></i>
+                        </button>
+                    </div>
+
+                    <!-- Format selector and action -->
+                    <div id="stripOptions" class="d-none mt-3">
+                        <div class="d-flex align-items-center gap-3">
+                            <label class="form-label mb-0 small text-muted">Output:</label>
+                            <select class="form-select form-select-sm" id="stripFormat" style="width: auto;">
+                                <option value="PNG" selected>PNG (lossless)</option>
+                                <option value="JPEG">JPEG</option>
+                            </select>
+                            <button type="button" class="btn btn-danger ms-auto" id="stripAction">
+                                <i class="bi bi-eraser me-1"></i>Strip & Download
+                            </button>
+                        </div>
+                    </div>
+                </div>
+
+            </div>
+        </div>
+    </div>
+</div>
+{% endblock %}
+
+{% block scripts %}
+<script>
+// ============================================================================
+// TAB SWITCHING
+// ============================================================================
+
+const toolRadios = document.querySelectorAll('input[name="tool_type"]');
+const toolSections = {
+    capacity: document.getElementById('capacitySection'),
+    exif: document.getElementById('exifSection'),
+    strip: document.getElementById('stripSection')
+};
+
+function switchTool() {
+    const selected = document.querySelector('input[name="tool_type"]:checked').value;
+    Object.entries(toolSections).forEach(([key, section]) => {
+        section.classList.toggle('active', key === selected);
+    });
+}
+
+toolRadios.forEach(radio => radio.addEventListener('change', switchTool));
+
+// ============================================================================
+// SHARED - Drop zone helpers
+// ============================================================================
+
+function setupDropZone(zoneId, fileInputId, onFile) {
+    const zone = document.getElementById(zoneId);
+    const input = document.getElementById(fileInputId);
+    if (!zone || !input) return;
+
+    zone.addEventListener('dragover', e => { e.preventDefault(); zone.classList.add('drag-over'); });
+    zone.addEventListener('dragleave', () => zone.classList.remove('drag-over'));
+    zone.addEventListener('drop', e => {
+        e.preventDefault();
+        zone.classList.remove('drag-over');
+        if (e.dataTransfer.files[0]) {
+            input.files = e.dataTransfer.files;
+            input.dispatchEvent(new Event('change'));
+        }
+    });
+
+    input.addEventListener('change', function() {
+        if (this.files[0]) onFile(this.files[0]);
+    });
+}
+
+function showPreview(zoneId, file, thumbId, nameId, metaText, clearBtnId) {
+    const zone = document.getElementById(zoneId);
+    const thumb = document.getElementById(thumbId);
+    const name = document.getElementById(nameId);
+    const clearBtn = document.getElementById(clearBtnId);
+
+    zone.classList.add('has-file');
+    name.textContent = file.name;
+
+    if (metaText) {
+        const metaEl = name.nextElementSibling;
+        if (metaEl) metaEl.textContent = metaText;
+    }
+
+    const reader = new FileReader();
+    reader.onload = e => thumb.src = e.target.result;
+    reader.readAsDataURL(file);
+
+    clearBtn?.classList.remove('d-none');
+}
+
+function clearDropZone(zoneId, fileInputId, clearBtnId, extraCleanup) {
+    const zone = document.getElementById(zoneId);
+    const input = document.getElementById(fileInputId);
+    const clearBtn = document.getElementById(clearBtnId);
+
+    zone?.classList.remove('has-file');
+    if (input) input.value = '';
+    clearBtn?.classList.add('d-none');
+    if (extraCleanup) extraCleanup();
+}
+
+function formatBytes(bytes) {
+    if (bytes < 1024) return bytes + ' B';
+    if (bytes < 1024 * 1024) return (bytes / 1024).toFixed(1) + ' KB';
+    return (bytes / (1024 * 1024)).toFixed(1) + ' MB';
+}
+
+// ============================================================================
+// CAPACITY CALCULATOR
+// ============================================================================
+
+setupDropZone('capacityZone', 'capacityFile', async (file) => {
+    showPreview('capacityZone', file, 'capacityThumb', 'capacityName', formatBytes(file.size), 'capacityClear');
+
+    const formData = new FormData();
+    formData.append('image', file);
+
+    try {
+        const res = await fetch('/api/tools/capacity', { method: 'POST', body: formData });
+        const data = await res.json();
+
+        if (data.success) {
+            document.getElementById('capacityMeta').textContent =
+                `${data.width} × ${data.height} · ${formatBytes(file.size)}`;
+            document.getElementById('capDimensions').textContent = `${data.width} × ${data.height}`;
+            document.getElementById('capMegapixels').textContent = data.megapixels + ' MP';
+            document.getElementById('capLsb').textContent = data.lsb.capacity_kb.toFixed(1) + ' KB';
+            document.getElementById('capDct').textContent = data.dct.available
+                ? data.dct.capacity_kb.toFixed(1) + ' KB'
+                : 'N/A';
+            document.getElementById('capacityResult').classList.remove('d-none');
+        }
+    } catch (err) {
+        console.error(err);
+    }
+});
+
+document.getElementById('capacityClear')?.addEventListener('click', () => {
+    clearDropZone('capacityZone', 'capacityFile', 'capacityClear', () => {
+        document.getElementById('capacityResult').classList.add('d-none');
+    });
+});
+
+// ============================================================================
+// EXIF EDITOR
+// ============================================================================
+
+let exifOriginalData = {};
+let exifCurrentData = {};
+let exifEditable = false;
+let exifCurrentFile = null;
+
+setupDropZone('exifZone', 'exifFile', async (file) => {
+    exifCurrentFile = file;
+    showPreview('exifZone', file, 'exifThumb', 'exifName', '', 'exifClear');
+
+    const formData = new FormData();
+    formData.append('image', file);
+
+    try {
+        const res = await fetch('/api/tools/exif', { method: 'POST', body: formData });
+        const data = await res.json();
+
+        if (data.success) {
+            exifOriginalData = JSON.parse(JSON.stringify(data.exif));
+            exifCurrentData = JSON.parse(JSON.stringify(data.exif));
+            exifEditable = data.editable;
+
+            document.getElementById('exifFieldCount').textContent = data.field_count;
+            document.getElementById('exifNotEditable').classList.toggle('d-none', data.editable);
+            document.getElementById('exifEditor').classList.remove('d-none');
+
+            renderExifTable();
+            updateSaveButton();
+        }
+    } catch (err) {
+        console.error(err);
+    }
+});
+
+document.getElementById('exifClear')?.addEventListener('click', () => {
+    clearDropZone('exifZone', 'exifFile', 'exifClear', () => {
+        document.getElementById('exifEditor').classList.add('d-none');
+        exifCurrentFile = null;
+        exifOriginalData = {};
+        exifCurrentData = {};
+    });
+});
+
+function renderExifTable() {
+    const tbody = document.getElementById('exifTable');
+    const empty = document.getElementById('exifEmpty');
+    const entries = Object.entries(exifCurrentData).sort((a, b) => a[0].localeCompare(b[0]));
+
+    if (entries.length === 0) {
+        tbody.innerHTML = '';
+        empty.classList.remove('d-none');
+        return;
+    }
+
+    empty.classList.add('d-none');
+    tbody.innerHTML = entries.map(([key, value]) => {
+        let displayVal = typeof value === 'object' ? JSON.stringify(value) : value;
+        if (typeof displayVal === 'string' && displayVal.length > 50) {
+            displayVal = displayVal.substring(0, 47) + '...';
+        }
+
+        const editableFields = ['Make', 'Model', 'Software', 'Artist', 'Copyright', 'ImageDescription', 'DateTime', 'DateTimeOriginal', 'DateTimeDigitized', 'UserComment', 'LensMake', 'LensModel'];
+        const canEdit = exifEditable && editableFields.includes(key) && typeof value === 'string';
+
+        return `
+            <tr data-field="${key}">
+                <td class="text-muted small">${key}</td>
+                <td class="font-monospace small">
+                    ${canEdit
+                        ? `<input type="text" class="form-control form-control-sm exif-input"
+                             value="${String(value).replace(/"/g, '&quot;')}" data-field="${key}">`
+                        : `<span title="${String(displayVal)}">${displayVal}</span>`
+                    }
+                </td>
+                <td>
+                    ${canEdit
+                        ? `<button class="btn btn-sm btn-outline-danger border-0 exif-delete" data-field="${key}" title="Remove">
+                             <i class="bi bi-x"></i>
+                           </button>`
+                        : ''
+                    }
+                </td>
+            </tr>
+        `;
+    }).join('');
+
+    tbody.querySelectorAll('.exif-input').forEach(input => {
+        input.addEventListener('input', function() {
+            exifCurrentData[this.dataset.field] = this.value;
+            updateSaveButton();
+        });
+    });
+
+    tbody.querySelectorAll('.exif-delete').forEach(btn => {
+        btn.addEventListener('click', function() {
+            delete exifCurrentData[this.dataset.field];
+            renderExifTable();
+            updateSaveButton();
+        });
+    });
+}
+
+function updateSaveButton() {
+    const changed = JSON.stringify(exifCurrentData) !== JSON.stringify(exifOriginalData);
+    document.getElementById('exifSave').disabled = !changed;
+}
+
+document.getElementById('exifClearAll')?.addEventListener('click', async function() {
+    if (!exifCurrentFile) return;
+    if (!confirm('Remove all metadata from this image?')) return;
+
+    const formData = new FormData();
+    formData.append('image', exifCurrentFile);
+    formData.append('format', 'PNG');
+
+    const btn = this;
+    btn.disabled = true;
+    btn.innerHTML = '<span class="spinner-border spinner-border-sm me-1"></span>Clearing...';
+
+    try {
+        const res = await fetch('/api/tools/exif/clear', { method: 'POST', body: formData });
+        if (res.ok) {
+            const blob = await res.blob();
+            const url = URL.createObjectURL(blob);
+            const a = document.createElement('a');
+            a.href = url;
+            a.download = res.headers.get('Content-Disposition')?.split('filename=')[1]?.replace(/"/g, '') || 'clean.png';
+            document.body.appendChild(a);
+            a.click();
+            document.body.removeChild(a);
+            URL.revokeObjectURL(url);
+
+            exifCurrentData = {};
+            exifOriginalData = {};
+            renderExifTable();
+        } else {
+            alert('Failed to clear metadata');
+        }
+    } catch (err) {
+        console.error(err);
+        alert('Failed to clear metadata: ' + err.message);
+    } finally {
+        btn.disabled = false;
+        btn.innerHTML = '<i class="bi bi-trash me-1"></i>Clear All';
+    }
+});
+
+document.getElementById('exifDiscard')?.addEventListener('click', function() {
+    exifCurrentData = JSON.parse(JSON.stringify(exifOriginalData));
+    renderExifTable();
+    updateSaveButton();
+});
+
+document.getElementById('exifSave')?.addEventListener('click', async function() {
+    if (!exifCurrentFile || !exifEditable) return;
+
+    const updates = {};
+    for (const [key, val] of Object.entries(exifCurrentData)) {
+        if (exifOriginalData[key] !== val) updates[key] = val;
+    }
+    for (const key of Object.keys(exifOriginalData)) {
+        if (!(key in exifCurrentData)) updates[key] = null;
+    }
+
+    if (Object.keys(updates).length === 0) return;
+
+    const formData = new FormData();
+    formData.append('image', exifCurrentFile);
+    formData.append('updates', JSON.stringify(updates));
+
+    const btn = this;
+    const originalHtml = btn.innerHTML;
+    btn.disabled = true;
+    btn.innerHTML = '<span class="spinner-border spinner-border-sm me-1"></span>Saving...';
+
+    try {
+        const res = await fetch('/api/tools/exif/update', { method: 'POST', body: formData });
+        if (res.ok) {
+            const blob = await res.blob();
+            const url = URL.createObjectURL(blob);
+            const a = document.createElement('a');
+            a.href = url;
+            a.download = res.headers.get('Content-Disposition')?.split('filename=')[1]?.replace(/"/g, '') || 'updated.jpg';
+            document.body.appendChild(a);
+            a.click();
+            document.body.removeChild(a);
+            URL.revokeObjectURL(url);
+
+            exifOriginalData = JSON.parse(JSON.stringify(exifCurrentData));
+            updateSaveButton();
+        } else {
+            alert('Failed to save');
+        }
+    } catch (err) {
+        console.error(err);
+        alert('Failed to save changes: ' + err.message);
+    } finally {
+        btn.disabled = false;
+        btn.innerHTML = originalHtml;
+        updateSaveButton();
+    }
+});
+
+// ============================================================================
+// STRIP METADATA
+// ============================================================================
+
+let stripCurrentFile = null;
+
+setupDropZone('stripZone', 'stripFile', (file) => {
+    stripCurrentFile = file;
+    showPreview('stripZone', file, 'stripThumb', 'stripName', formatBytes(file.size), 'stripClearBtn');
+    document.getElementById('stripMeta').textContent = formatBytes(file.size);
+    document.getElementById('stripOptions').classList.remove('d-none');
+});
+
+document.getElementById('stripClearBtn')?.addEventListener('click', () => {
+    clearDropZone('stripZone', 'stripFile', 'stripClearBtn', () => {
+        document.getElementById('stripOptions').classList.add('d-none');
+        stripCurrentFile = null;
+    });
+});
+
+document.getElementById('stripAction')?.addEventListener('click', async function() {
+    if (!stripCurrentFile) return;
+
+    const format = document.getElementById('stripFormat').value;
+    const formData = new FormData();
+    formData.append('image', stripCurrentFile);
+    formData.append('format', format);
+
+    const btn = this;
+    btn.disabled = true;
+    btn.innerHTML = '<span class="spinner-border spinner-border-sm me-1"></span>Processing...';
+
+    try {
+        const res = await fetch('/api/tools/exif/clear', { method: 'POST', body: formData });
+        if (res.ok) {
+            const blob = await res.blob();
+            const url = URL.createObjectURL(blob);
+            const a = document.createElement('a');
+            a.href = url;
+            a.download = res.headers.get('Content-Disposition')?.split('filename=')[1]?.replace(/"/g, '') || `clean.${format.toLowerCase()}`;
+            document.body.appendChild(a);
+            a.click();
+            document.body.removeChild(a);
+            URL.revokeObjectURL(url);
+        } else {
+            alert('Failed to strip metadata');
+        }
+    } catch (err) {
+        console.error(err);
+        alert('Failed to strip metadata: ' + err.message);
+    } finally {
+        btn.disabled = false;
+        btn.innerHTML = '<i class="bi bi-eraser me-1"></i>Strip & Download';
+    }
+});
+</script>
+{% endblock %}
--- a/minimal_flask_crash.py
+++ b/minimal_flask_crash.py
@@ -1,289 +0,0 @@
-#!/usr/bin/env python3
-"""
-Minimal Flask app to isolate the crash.
-Run with: python minimal_flask_crash.py
-
-Then test with:
-  curl -X POST -F "carrier=@xx_2.jpg" http://localhost:5001/test1
-  curl -X POST -F "carrier=@xx_2.jpg" http://localhost:5001/test2
-  curl -X POST -F "carrier=@xx_2.jpg" http://localhost:5001/test3
-"""
-
-import io
-import gc
-import os
-import sys
-import tempfile
-
-# Minimal imports first
-from flask import Flask, request, jsonify
-from PIL import Image
-import numpy as np
-
-app = Flask(__name__)
-app.config['MAX_CONTENT_LENGTH'] = 50 * 1024 * 1024  # 50MB
-
-# Check for jpegio
-try:
-    import jpegio as jio
-    HAS_JPEGIO = True
-    print("jpegio: available")
-except ImportError:
-    HAS_JPEGIO = False
-    print("jpegio: NOT available")
-
-
-@app.route('/test1', methods=['POST'])
-def test1_pil_only():
-    """Test 1: PIL only, no jpegio, no scipy"""
-    carrier = request.files.get('carrier')
-    if not carrier:
-        return jsonify({'error': 'No carrier'}), 400
-
-    data = carrier.read()
-    print(f"[test1] Read {len(data)} bytes")
-
-    img = Image.open(io.BytesIO(data))
-    width, height = img.size
-    fmt = img.format
-    img.close()
-    print(f"[test1] Image: {width}x{height} {fmt}")
-
-    gc.collect()
-    print("[test1] Returning response...")
-
-    return jsonify({
-        'test': 'pil_only',
-        'width': width,
-        'height': height,
-        'format': fmt,
-    })
-
-
-@app.route('/test2', methods=['POST'])
-def test2_multiple_opens():
-    """Test 2: Open image multiple times like compare_modes does"""
-    carrier = request.files.get('carrier')
-    if not carrier:
-        return jsonify({'error': 'No carrier'}), 400
-
-    data = carrier.read()
-    print(f"[test2] Read {len(data)} bytes")
-
-    # First open
-    img1 = Image.open(io.BytesIO(data))
-    width, height = img1.size
-    img1.close()
-    print(f"[test2] Open 1: {width}x{height}")
-
-    # Second open
-    img2 = Image.open(io.BytesIO(data))
-    pixels = img2.size[0] * img2.size[1]
-    img2.close()
-    print(f"[test2] Open 2: {pixels} pixels")
-
-    # Third open
-    img3 = Image.open(io.BytesIO(data))
-    blocks = (img3.size[0] // 8) * (img3.size[1] // 8)
-    img3.close()
-    print(f"[test2] Open 3: {blocks} blocks")
-
-    gc.collect()
-    print("[test2] Returning response...")
-
-    return jsonify({
-        'test': 'multiple_opens',
-        'width': width,
-        'height': height,
-        'pixels': pixels,
-        'blocks': blocks,
-    })
-
-
-@app.route('/test3', methods=['POST'])
-def test3_with_jpegio():
-    """Test 3: Include jpegio operations"""
-    if not HAS_JPEGIO:
-        return jsonify({'error': 'jpegio not available'}), 501
-
-    carrier = request.files.get('carrier')
-    if not carrier:
-        return jsonify({'error': 'No carrier'}), 400
-
-    data = carrier.read()
-    print(f"[test3] Read {len(data)} bytes")
-
-    # Check if JPEG
-    img = Image.open(io.BytesIO(data))
-    is_jpeg = img.format == 'JPEG'
-    width, height = img.size
-    img.close()
-    print(f"[test3] Image: {width}x{height}, JPEG: {is_jpeg}")
-
-    if not is_jpeg:
-        return jsonify({'error': 'Not a JPEG'}), 400
-
-    # Write to temp file
-    fd, temp_path = tempfile.mkstemp(suffix='.jpg')
-    os.write(fd, data)
-    os.close(fd)
-    print(f"[test3] Temp file: {temp_path}")
-
-    try:
-        # Read with jpegio
-        jpeg = jio.read(temp_path)
-        print(f"[test3] jpegio.read() OK")
-
-        coef = jpeg.coef_arrays[0]
-        coef_shape = coef.shape
-        print(f"[test3] Coef shape: {coef_shape}")
-
-        # Count positions like the real code does
-        positions = 0
-        h, w = coef.shape
-        for row in range(h):
-            for col in range(w):
-                if (row % 8 == 0) and (col % 8 == 0):
-                    continue
-                if abs(coef[row, col]) >= 2:
-                    positions += 1
-        print(f"[test3] Usable positions: {positions}")
-
-        # Cleanup
-        del coef
-        del jpeg
-        print(f"[test3] Deleted jpegio objects")
-
-    finally:
-        os.unlink(temp_path)
-        print(f"[test3] Removed temp file")
-
-    gc.collect()
-    print("[test3] Returning response...")
-
-    return jsonify({
-        'test': 'with_jpegio',
-        'width': width,
-        'height': height,
-        'coef_shape': list(coef_shape),
-        'positions': positions,
-    })
-
-
-@app.route('/test4', methods=['POST'])
-def test4_numpy_array_from_pil():
-    """Test 4: Create numpy array from PIL image (like DCT does)"""
-    carrier = request.files.get('carrier')
-    if not carrier:
-        return jsonify({'error': 'No carrier'}), 400
-
-    data = carrier.read()
-    print(f"[test4] Read {len(data)} bytes")
-
-    img = Image.open(io.BytesIO(data))
-    width, height = img.size
-    print(f"[test4] Image: {width}x{height}")
-
-    # Convert to grayscale and numpy array
-    gray = img.convert('L')
-    arr = np.array(gray, dtype=np.float64, copy=True)
-    print(f"[test4] Array: {arr.shape} {arr.dtype}")
-
-    # Close PIL images
-    gray.close()
-    img.close()
-    print(f"[test4] PIL closed")
-
-    # Do some numpy operations
-    mean_val = float(np.mean(arr))
-    std_val = float(np.std(arr))
-    print(f"[test4] Stats: mean={mean_val:.2f}, std={std_val:.2f}")
-
-    # Clear array
-    del arr
-    gc.collect()
-    print("[test4] Returning response...")
-
-    return jsonify({
-        'test': 'numpy_from_pil',
-        'width': width,
-        'height': height,
-        'mean': mean_val,
-        'std': std_val,
-    })
-
-
-@app.route('/test5', methods=['POST'])
-def test5_file_read_keep_reference():
-    """Test 5: Keep reference to file data in request scope"""
-    carrier = request.files.get('carrier')
-    if not carrier:
-        return jsonify({'error': 'No carrier'}), 400
-
-    # Don't read into local variable - read directly each time
-    # This mimics potential issues with Flask's file handling
-
-    print(f"[test5] File object: {carrier}")
-
-    # Read once
-    carrier.seek(0)
-    data1 = carrier.read()
-    print(f"[test5] First read: {len(data1)} bytes")
-
-    img = Image.open(io.BytesIO(data1))
-    width, height = img.size
-    img.close()
-
-    # Try to read again (should be empty or need seek)
-    data2 = carrier.read()
-    print(f"[test5] Second read (no seek): {len(data2)} bytes")
-
-    carrier.seek(0)
-    data3 = carrier.read()
-    print(f"[test5] Third read (after seek): {len(data3)} bytes")
-
-    gc.collect()
-    print("[test5] Returning response...")
-
-    return jsonify({
-        'test': 'file_handling',
-        'width': width,
-        'height': height,
-        'read1': len(data1),
-        'read2': len(data2),
-        'read3': len(data3),
-    })
-
-
-@app.after_request
-def after_request(response):
-    """Log after each request"""
-    print(f"[after_request] Response status: {response.status}")
-    return response
-
-
-@app.teardown_request
-def teardown_request(exception):
-    """Log during teardown"""
-    if exception:
-        print(f"[teardown] Exception: {exception}")
-    else:
-        print("[teardown] Clean teardown")
-    gc.collect()
-
-
-if __name__ == '__main__':
-    print("\n" + "=" * 60)
-    print("MINIMAL FLASK CRASH TEST")
-    print("=" * 60)
-    print("\nTest endpoints:")
-    print("  /test1 - PIL only")
-    print("  /test2 - Multiple PIL opens")
-    print("  /test3 - With jpegio")
-    print("  /test4 - NumPy array from PIL")
-    print("  /test5 - File handling test")
-    print("\nUsage:")
-    print('  curl -X POST -F "carrier=@xx_2.jpg" http://localhost:5001/test1')
-    print("=" * 60 + "\n")
-
-    app.run(host='0.0.0.0', port=5001, debug=False, threaded=False)
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"

 [project]
 name = "stegasoo"
-version = "4.0.1"
+version = "4.1.5"
 description = "Secure steganography with hybrid photo + passphrase + PIN authentication"
 readme = "README.md"
 license = "MIT"
@@ -48,10 +48,13 @@ dct = [
    "numpy>=2.0.0",
    "scipy>=1.10.0",
    "jpegio>=0.2.0",
+    "reedsolo>=1.7.0",
 ]
 cli = [
    "click>=8.0.0",
-    "qrcode>=7.30"
+    "qrcode>=7.30",
+    "piexif>=1.1.0",
+    "rich>=13.0.0",
 ]
 compression = [
    "lz4>=4.0.0",
@@ -61,10 +64,12 @@ web = [
    "gunicorn>=21.0.0",
    "qrcode>=7.3.0",
    "pyzbar>=0.1.9",
+    "piexif>=1.1.0",
    # Include DCT support for web UI
    "numpy>=2.0.0",
    "scipy>=1.10.0",
    "jpegio>=0.2.0",
+    "reedsolo>=1.7.0",
 ]
 api = [
    "fastapi>=0.100.0",
@@ -76,6 +81,7 @@ api = [
    "numpy>=2.0.0",
    "scipy>=1.10.0",
    "jpegio>=0.2.0",
+    "reedsolo>=1.7.0",
 ]
 all = [
    "stegasoo[cli,web,api,dct,compression]",
--- a/rpi/BUILD_IMAGE.md
+++ b/rpi/BUILD_IMAGE.md
@@ -0,0 +1,186 @@
+# Stegasoo Pi Image Build Workflow
+
+> **Note:** This guide is for developers building custom Pi images.
+> **End users:** Just download the pre-built `.img.zst` from [Releases](https://github.com/adlee-was-taken/stegasoo/releases), flash it, and boot. No build process needed.
+
+Quick reference for building a distributable SD card image.
+
+## Step 1: Flash Fresh Raspbian
+
+Use rpi-imager with these settings:
+- **OS**: Raspberry Pi OS Lite (64-bit)
+- **Hostname**: `stegasoo`
+- **Enable SSH**: Yes (password auth)
+- **Username**: `admin`
+- **Password**: `stegasoo`
+- **WiFi**: Configure for your network (sanitize script removes it later)
+
+## Step 2: Boot & SSH In
+
+```bash
+# Wait for Pi to boot (~60 seconds), then:
+ssh admin@stegasoo.local
+# or use IP from router DHCP list
+```
+
+## Step 3: Pre-Setup
+
+```bash
+# Take ownership of /opt (for pyenv, jpegio builds)
+sudo chown admin:admin /opt
+
+# Install git and zstd (not included in Lite image)
+sudo apt-get update && sudo apt-get install -y git zstd jq
+```
+
+## Step 4: Clone Repo
+
+```bash
+cd /opt
+git clone -b 4.1 https://github.com/adlee-was-taken/stegasoo.git stegasoo
+```
+
+## Step 5: Copy Pre-built Tarball (from host)
+
+> **Dev-only asset:** This tarball is for building Pi images, not for end users.
+> It's available on [Releases](https://github.com/adlee-was-taken/stegasoo/releases) for image builders.
+
+```bash
+# On your host machine:
+scp rpi/stegasoo-rpi-runtime-env-arm64.tar.zst admin@stegasoo.local:/opt/stegasoo/rpi/
+```
+
+This tarball contains:
+- pyenv with Python 3.12 (pre-compiled for ARM64)
+- venv with all dependencies (jpegio, scipy, etc.)
+
+Install time: **~2 minutes** (vs 20+ min from source)
+
+## Step 6: Run Setup
+
+```bash
+cd /opt/stegasoo
+./rpi/setup.sh  # Detects local tarball, skips download
+```
+
+### From-Source Build (optional)
+
+To build without the pre-built tarball:
+```bash
+./rpi/setup.sh --no-prebuilt  # Takes 15-20 minutes
+```
+
+## Step 7: Test It Works
+
+```bash
+sudo systemctl start stegasoo
+curl -k https://localhost:5000
+# Should return HTML
+```
+
+## Step 8: Sanitize for Distribution
+
+```bash
+# Full sanitize (for final image - removes WiFi, shuts down)
+sudo /opt/stegasoo/rpi/sanitize-for-image.sh
+
+# Or soft reset (for testing - keeps WiFi, reboots)
+sudo /opt/stegasoo/rpi/sanitize-for-image.sh --soft
+```
+
+This removes:
+- WiFi credentials (unless `--soft`)
+- SSH host keys (regenerate on boot)
+- SSH authorized keys
+- Bash history
+- Stegasoo auth database
+- Logs and temp files
+
+The script validates all cleanup steps before finishing.
+
+## Step 9: Pull the Image
+
+Remove SD card, insert into your Linux machine:
+
+```bash
+# Find the SD card device (CAREFUL!)
+lsblk
+
+# Pull image (auto-resizes to 16GB, compresses with zstd)
+sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.1.5.img.zst
+```
+
+The script automatically resizes rootfs to 16GB, disables auto-expand, and compresses.
+
+## Step 10: Distribute
+
+Upload `.img.zst` to GitHub Releases.
+
+Users can flash with:
+```bash
+# Option 1: rpi-imager CLI (supports .zst.zip directly)
+sudo rpi-imager --cli --disable-verify stegasoo-rpi-*.img.zst.zip /dev/sdX
+
+# Option 2: flash-image.sh (auto-detects SD card, shows progress)
+sudo ./rpi/flash-image.sh stegasoo-rpi-*.img.zst.zip
+
+# Option 3: Manual dd
+zstdcat stegasoo-rpi-*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress
+```
+
+---
+
+## Creating the Pre-built Tarball
+
+After a successful from-source build, create the pre-built tarball for future installs:
+
+```bash
+# On the Pi after successful setup:
+cd ~
+
+# Strip caches and tests from venv (295MB → 208MB)
+find /opt/stegasoo/venv/ -type d -name '__pycache__' -exec rm -rf {} + 2>/dev/null
+find /opt/stegasoo/venv/ -type d -name 'tests' -exec rm -rf {} + 2>/dev/null
+find /opt/stegasoo/venv/ -type d -name 'test' -exec rm -rf {} + 2>/dev/null
+
+# Create venv tarball
+cd /opt/stegasoo
+tar -cf - venv/ | zstd -19 -T0 > ~/stegasoo-venv.tar.zst
+
+# Create combined tarball (pyenv + venv pointer)
+cd ~
+tar -cf - .pyenv stegasoo-venv.tar.zst | zstd -19 -T0 > /tmp/stegasoo-rpi-runtime-env-arm64.tar.zst
+
+# Check size (should be ~50-60MB)
+ls -lh /tmp/stegasoo-rpi-runtime-env-arm64.tar.zst
+```
+
+Pull to host and upload to GitHub releases:
+```bash
+# On host:
+scp admin@stegasoo.local:/tmp/stegasoo-rpi-runtime-env-arm64.tar.zst ./
+# Upload to GitHub releases as stegasoo-rpi-runtime-env-arm64.tar.zst
+```
+
+---
+
+## Quick Command Summary
+
+```bash
+# On Pi (after SSH):
+sudo chown admin:admin /opt
+sudo apt-get update && sudo apt-get install -y git zstd jq
+cd /opt && git clone -b 4.1 https://github.com/adlee-was-taken/stegasoo.git stegasoo
+
+# On host (copy tarball):
+scp rpi/stegasoo-rpi-runtime-env-arm64.tar.zst admin@stegasoo.local:/opt/stegasoo/rpi/
+
+# On Pi (run setup):
+cd /opt/stegasoo && ./rpi/setup.sh
+sudo systemctl start stegasoo
+curl -k https://localhost:5000
+sudo /opt/stegasoo/rpi/sanitize-for-image.sh
+
+# On host (pull image - auto-resizes to 16GB):
+sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.1.5.img.zst
+```
--- a/rpi/README.md
+++ b/rpi/README.md
@@ -0,0 +1,225 @@
+# Stegasoo Raspberry Pi
+
+Scripts and resources for deploying Stegasoo on Raspberry Pi.
+
+## Quick Install
+
+On a fresh Raspberry Pi OS Lite (64-bit) installation:
+
+```bash
+# Pre-setup (git not included in Lite image)
+sudo chown $USER:$USER /opt
+sudo apt-get update && sudo apt-get install -y git
+
+# Clone and run setup
+cd /opt
+git clone -b 4.1 https://github.com/adlee-was-taken/stegasoo.git stegasoo
+cd stegasoo
+./rpi/setup.sh
+```
+
+## What the Setup Script Does
+
+1. **Installs system dependencies** - build tools, libraries
+2. **Installs Python 3.12** - via pyenv (Pi OS ships with 3.13 which is incompatible)
+3. **Builds jpegio for ARM** - patches x86-specific flags
+4. **Installs Stegasoo** - with web UI and all dependencies
+5. **Creates systemd service** - auto-starts on boot
+6. **Enables the service** - ready to start
+
+## Requirements
+
+- Raspberry Pi 4 or 5
+- Raspberry Pi OS Lite (64-bit) - Bookworm or later
+- 4GB+ RAM recommended (2GB minimum)
+- 16GB+ SD card (pre-built images are 16GB)
+- Internet connection
+
+### Performance
+
+On a Pi 4 at 2GHz with USB 3.0 NVMe, expect ~60 seconds to encode/decode a 10MB JPEG with full encryption (passphrase + PIN + reference photo).
+
+## Pre-built Image Defaults
+
+If using a pre-built image from GitHub Releases:
+
+- **Default login**: `admin` / `stegasoo`
+- **Hostname**: `stegasoo.local`
+- **First boot**: A setup wizard runs on first SSH login
+
+> **Security note**: Change the default password after setup with `passwd`
+
+## Updating an Existing Installation
+
+To update to the latest version:
+
+```bash
+cd /opt/stegasoo
+git pull origin main
+sudo systemctl restart stegasoo
+```
+
+That's it - the editable install means Python uses the source directly.
+
+**If dependencies changed** (check release notes), also run:
+```bash
+source venv/bin/activate
+pip install -e ".[web]"
+sudo systemctl restart stegasoo
+```
+
+## After Installation
+
+### Start the Service
+
+```bash
+sudo systemctl start stegasoo
+```
+
+### Check Status
+
+```bash
+sudo systemctl status stegasoo
+```
+
+### View Logs
+
+```bash
+journalctl -u stegasoo -f
+```
+
+### Access Web UI
+
+Open in browser: `http://<pi-ip>:5000`
+
+On first access, you'll create an admin account.
+
+## Configuration
+
+Edit the systemd service to change settings:
+
+```bash
+sudo systemctl edit stegasoo
+```
+
+Add overrides:
+
+```ini
+[Service]
+Environment="STEGASOO_AUTH_ENABLED=true"
+Environment="STEGASOO_HTTPS_ENABLED=true"
+Environment="STEGASOO_HOSTNAME=stegasoo.local"
+```
+
+Then reload:
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart stegasoo
+```
+
+## Uninstall
+
+```bash
+sudo systemctl stop stegasoo
+sudo systemctl disable stegasoo
+sudo rm /etc/systemd/system/stegasoo.service
+rm -rf /opt/stegasoo
+```
+
+## Pre-built Images
+
+Check [GitHub Releases](https://github.com/adlee-was-taken/stegasoo/releases) for pre-built SD card images.
+
+---
+
+## Building Your Own Image
+
+To create a distributable SD card image:
+
+### 1. Flash Fresh Raspberry Pi OS
+
+Use rpi-imager to flash Raspberry Pi OS (64-bit) to an SD card.
+
+In advanced settings, set:
+- Hostname: `stegasoo`
+- Enable SSH (password auth for initial setup)
+- Username/password (temporary, will work for any user)
+- Skip WiFi for distributable image
+
+### 2. Boot and Run Setup
+
+```bash
+# SSH into the Pi
+ssh admin@stegasoo.local
+
+# Pre-setup
+sudo chown admin:admin /opt
+sudo apt-get update && sudo apt-get install -y git
+
+# Clone and run setup
+cd /opt
+git clone -b 4.1 https://github.com/adlee-was-taken/stegasoo.git stegasoo
+cd stegasoo
+./rpi/setup.sh
+```
+
+### 3. Test It Works
+
+```bash
+sudo systemctl start stegasoo
+curl -k https://localhost:5000  # Should return HTML
+```
+
+### 4. Sanitize for Distribution
+
+```bash
+# Full sanitize (removes WiFi, shuts down for imaging)
+sudo /opt/stegasoo/rpi/sanitize-for-image.sh
+
+# Or soft reset (keeps WiFi for testing, reboots)
+sudo /opt/stegasoo/rpi/sanitize-for-image.sh --soft
+```
+
+This removes:
+- WiFi credentials (unless `--soft`)
+- SSH host keys (regenerate on boot)
+- SSH authorized keys
+- Bash history
+- Stegasoo auth database (users create their own admin)
+- Logs and temp files
+
+The script validates cleanup and reports any issues.
+
+### 5. Create the Image
+
+After Pi shuts down, remove SD card and on another Linux machine:
+
+```bash
+# Find SD card device (BE CAREFUL - wrong device = data loss!)
+lsblk
+
+# Pull image (auto-resizes to 16GB, compresses with zstd)
+sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.1.5.img.zst
+```
+
+The `pull-image.sh` script automatically:
+- Resizes rootfs to exactly 16GB (consistent image size)
+- Disables Pi OS auto-expand
+- Compresses with zstd for fast decompression
+
+### 6. Distribute
+
+Upload the `.img.zst` file to GitHub Releases.
+
+Users flash with:
+```bash
+# Option 1: rpi-imager CLI (supports .zst.zip directly)
+sudo rpi-imager --cli --disable-verify stegasoo-rpi-*.img.zst.zip /dev/sdX
+
+# Option 2: flash-image.sh (auto-detects SD card, shows progress)
+sudo ./rpi/flash-image.sh stegasoo-rpi-*.img.zst.zip
+
+# Option 3: Manual dd
+zstdcat stegasoo-rpi-*.img.zst | sudo dd of=/dev/sdX bs=4M status=progress
+```
--- a/rpi/banner.sh
+++ b/rpi/banner.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Stegasoo Banner/Header Template
+# Source this file to use the banner functions
+#
+# Usage:
+#   source "$(dirname "${BASH_SOURCE[0]}")/banner.sh"
+#   print_banner "Raspberry Pi Setup"
+#   print_gradient_line
+
+# Colors
+STEGASOO_GOLD='\033[38;5;220m'
+STEGASOO_GRAY='\033[0;90m'
+STEGASOO_WHITE='\033[1;37m'
+STEGASOO_GREEN='\033[0;32m'
+STEGASOO_NC='\033[0m'
+
+# Gradient line (purple -> blue)
+print_gradient_line() {
+    echo -e "\033[38;5;93m══════════════\033[38;5;99m══════════════\033[38;5;105m══════════════\033[38;5;117m══════════════\033[0m"
+}
+
+# Starfield decoration line
+print_starfield() {
+    echo -e "${STEGASOO_GRAY} · .  · .  *  · .  *  · .  *  · .  *  · .  *  · .  ·${STEGASOO_NC}"
+}
+
+# ASCII logo (gold)
+print_logo() {
+    echo -e "${STEGASOO_GOLD}    ___  _____  ___    ___    _    ___    ___    ___${STEGASOO_NC}"
+    echo -e "${STEGASOO_GOLD}   / __||_   _|| __|  / __|  /_\\  / __|  / _ \\  / _ \\\\${STEGASOO_NC}"
+    echo -e "${STEGASOO_GOLD}   \\__ \\  | |  | _|  | (_ | / _ \\ \\__ \\ | (_) || (_) |${STEGASOO_NC}"
+    echo -e "${STEGASOO_GOLD}   |___/  |_|  |___|  \\___//_/ \\_\\|___/  \\___/  \\___/${STEGASOO_NC}"
+}
+
+# Full banner with optional subtitle
+# Usage: print_banner "Subtitle Text"
+print_banner() {
+    local subtitle="$1"
+    echo ""
+    print_gradient_line
+    print_starfield
+    print_logo
+    print_starfield
+    print_gradient_line
+    if [ -n "$subtitle" ]; then
+        echo -e "${STEGASOO_WHITE}                    ${subtitle}${STEGASOO_NC}"
+        print_gradient_line
+    fi
+}
+
+# Completion banner (green title)
+# Usage: print_complete_banner "Setup Complete!"
+print_complete_banner() {
+    local title="$1"
+    echo ""
+    print_gradient_line
+    print_starfield
+    print_logo
+    print_starfield
+    print_gradient_line
+    echo -e "\033[1;32m                      ${title}\033[0m"
+    print_gradient_line
+}
--- a/rpi/config.json.example
+++ b/rpi/config.json.example
@@ -0,0 +1,12 @@
+{
+  "hostname": "stegasoo",
+  "username": "admin",
+  "password": "stegasoo",
+  "wifiSSID": "YourNetworkName",
+  "wifiPassword": "YourWiFiPassword",
+  "wifiCountry": "US",
+  "locale": "en_US.UTF-8",
+  "keyboardLayout": "us",
+  "timezone": "America/New_York",
+  "enableSSH": true
+}
--- a/rpi/first-boot-wizard.sh
+++ b/rpi/first-boot-wizard.sh
@@ -0,0 +1,438 @@
+#!/bin/bash
+#
+# Stegasoo First Boot Wizard
+# Runs on first SSH login to configure the pre-installed Stegasoo image
+#
+# This script is triggered by /etc/profile.d/stegasoo-wizard.sh
+# After completion, it removes itself to prevent re-running
+#
+# Uses gum (Charm.sh) for beautiful TUI - install with:
+#   sudo apt install gum  OR  go install github.com/charmbracelet/gum@latest
+#
+
+# Configuration
+INSTALL_DIR="/opt/stegasoo"
+FLAG_FILE="/etc/stegasoo-first-boot"
+PROFILE_HOOK="/etc/profile.d/stegasoo-wizard.sh"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source banner functions
+source "$SCRIPT_DIR/banner.sh"
+
+# Check if this is first boot
+if [ ! -f "$FLAG_FILE" ]; then
+  exit 0
+fi
+
+# Check for gum, fall back to basic prompts if not available
+if ! command -v gum &>/dev/null; then
+  echo "Error: gum not found. Install with: sudo apt install gum"
+  exit 1
+fi
+
+# Gum styling - terminal green buttons with bold dark text
+export GUM_CONFIRM_SELECTED_BACKGROUND="46"
+export GUM_CONFIRM_SELECTED_FOREGROUND="232"
+export GUM_CONFIRM_SELECTED_BOLD="true"
+export GUM_CONFIRM_UNSELECTED_BACKGROUND="238"
+export GUM_CONFIRM_UNSELECTED_FOREGROUND="255"
+
+clear
+
+# =============================================================================
+# Welcome
+# =============================================================================
+
+print_banner "First Boot Wizard"
+echo ""
+gum style --foreground 245 "This wizard will help you configure your Stegasoo server"
+echo ""
+gum style --foreground 245 "You can reconfigure later by editing:"
+gum style --foreground 214 "  /etc/systemd/system/stegasoo.service"
+echo ""
+
+gum confirm "Ready to begin setup?" || exit 0
+
+# =============================================================================
+# Configuration Variables
+# =============================================================================
+
+ENABLE_HTTPS="false"
+USE_PORT_443="false"
+CHANNEL_KEY=""
+
+# =============================================================================
+# Step 1: HTTPS Configuration
+# =============================================================================
+
+clear
+gum style \
+  --foreground 212 --bold \
+  "Step 1 of 4: HTTPS Configuration"
+echo ""
+
+gum style --foreground 245 "\
+HTTPS encrypts all traffic between your browser and this server
+using a self-signed certificate.
+
+NOTE: Your browser will show a security warning because the
+certificate is self-signed. This is normal for home networks."
+echo ""
+
+if gum confirm "Enable HTTPS?" --default=true; then
+  ENABLE_HTTPS="true"
+  gum style --foreground 82 "✓ HTTPS will be enabled"
+else
+  gum style --foreground 214 "→ Using HTTP (unencrypted)"
+fi
+sleep 0.5
+
+# =============================================================================
+# Step 2: Port Configuration (only if HTTPS)
+# =============================================================================
+
+if [ "$ENABLE_HTTPS" = "true" ]; then
+  clear
+  gum style \
+    --foreground 212 --bold \
+    "Step 2 of 4: Port Configuration"
+  echo ""
+
+  gum style --foreground 245 "\
+The standard HTTPS port is 443, which means you can access
+Stegasoo without specifying a port in the URL.
+
+  Port 443:  https://stegasoo.local
+  Port 5000: https://stegasoo.local:5000
+
+NOTE: Port 443 requires an iptables redirect rule."
+  echo ""
+
+  if gum confirm "Use standard port 443?" --default=true; then
+    USE_PORT_443="true"
+    gum style --foreground 82 "✓ Port 443 will be configured"
+  else
+    gum style --foreground 214 "→ Using port 5000"
+  fi
+  sleep 0.5
+fi
+
+# =============================================================================
+# Step 3: Channel Key Configuration
+# =============================================================================
+
+clear
+gum style \
+  --foreground 212 --bold \
+  "Step 3 of 4: Channel Key Configuration"
+echo ""
+
+gum style --foreground 245 "\
+A channel key creates a private encoding channel.
+
+  WITHOUT a key: Anyone with Stegasoo can decode your images
+  WITH a key:    Only people with YOUR key can decode
+
+This is useful if you want to share encoded images only with
+specific people (family, team, etc)."
+echo ""
+
+if gum confirm "Generate a private channel key?" --default=false; then
+  echo ""
+  # Generate key to temp file (gum spin doesn't capture stdout well)
+  KEY_FILE=$(mktemp)
+  ERR_FILE=$(mktemp)
+  VENV_PYTHON="$INSTALL_DIR/venv/bin/python"
+  gum spin --spinner dot --title "Generating channel key..." -- \
+    bash -c "'$VENV_PYTHON' -c 'from stegasoo.channel import generate_channel_key; print(generate_channel_key())' > '$KEY_FILE' 2>'$ERR_FILE'"
+
+  CHANNEL_KEY=$(cat "$KEY_FILE" 2>/dev/null | head -1)
+  KEY_ERROR=$(cat "$ERR_FILE" 2>/dev/null)
+  rm -f "$KEY_FILE" "$ERR_FILE"
+
+  if [ -n "$CHANNEL_KEY" ] && [[ "$CHANNEL_KEY" =~ ^[A-Za-z0-9] ]]; then
+    echo ""
+    gum style --foreground 82 "✓ Channel key generated!"
+    echo ""
+    gum style \
+      --border rounded \
+      --border-foreground 226 \
+      --padding "1 2" \
+      --foreground 226 --bold \
+      "$CHANNEL_KEY"
+    echo ""
+    gum style --foreground 196 --bold \
+      "*** IMPORTANT: Write down or copy this key NOW! ***"
+    gum style --foreground 196 \
+      "You'll need to share it with anyone who should decode" \
+      "your images. This key won't be shown again."
+    echo ""
+    gum confirm "I've saved the key" --default=true --affirmative="Continue" --negative=""
+  else
+    gum style --foreground 196 "Failed to generate key. Using public mode."
+    if [ -n "$KEY_ERROR" ]; then
+      echo ""
+      gum style --foreground 245 "Error details:"
+      echo "$KEY_ERROR"
+    fi
+    CHANNEL_KEY=""
+    echo ""
+    gum confirm "Continue" --default=true --affirmative="OK" --negative=""
+  fi
+else
+  gum style --foreground 214 "→ Using public mode"
+  sleep 0.5
+fi
+
+# =============================================================================
+# Step 4: Overclock Configuration
+# =============================================================================
+
+ENABLE_OVERCLOCK="false"
+NEEDS_RESTART="false"
+
+# Detect Pi model
+PI_MODEL=$(cat /proc/device-tree/model 2>/dev/null | tr -d '\0')
+
+if [[ "$PI_MODEL" == *"Raspberry Pi 4"* ]] || [[ "$PI_MODEL" == *"Raspberry Pi 5"* ]]; then
+  clear
+  gum style \
+    --foreground 212 --bold \
+    "Step 4 of 4: Performance Tuning"
+  echo ""
+
+  gum style --foreground 245 "\
+Detected: $PI_MODEL
+
+Overclocking can improve DCT encode/decode performance.
+This is ONLY recommended if you have active cooling:
+  • Heatsink + Fan
+  • Active cooler case
+
+Without cooling, the Pi may throttle or become unstable."
+  echo ""
+
+  if gum confirm "Do you have active cooling (heatsink + fan)?" --default=false; then
+    echo ""
+    gum style --foreground 245 "\
+Recommended overclock settings:
+  • Pi 4: 2.0 GHz (stock 1.5 GHz) - ~33% faster
+  • Pi 5: 2.8 GHz (stock 2.4 GHz) - ~17% faster"
+    echo ""
+
+    if gum confirm "Enable overclock?" --default=true; then
+      ENABLE_OVERCLOCK="true"
+      NEEDS_RESTART="true"
+      gum style --foreground 82 "✓ Overclock will be enabled (restart required)"
+    else
+      gum style --foreground 214 "→ Running at stock speed"
+    fi
+  else
+    gum style --foreground 214 "→ Skipping overclock (no active cooling)"
+  fi
+  sleep 0.5
+else
+  # Not a Pi 4/5, skip overclock
+  :
+fi
+
+# =============================================================================
+# Apply Configuration
+# =============================================================================
+
+clear
+gum style \
+  --foreground 212 --bold \
+  "Applying Configuration..."
+echo ""
+
+# Find the stegasoo user (whoever owns the install dir)
+STEGASOO_USER=$(stat -c '%U' "$INSTALL_DIR" 2>/dev/null || echo "pi")
+
+gum spin --spinner dot --title "Updating systemd service..." -- bash -c "
+sudo tee /etc/systemd/system/stegasoo.service >/dev/null <<EOF
+[Unit]
+Description=Stegasoo Web UI
+After=network.target
+
+[Service]
+Type=simple
+User=$STEGASOO_USER
+WorkingDirectory=$INSTALL_DIR/frontends/web
+Environment=\"PATH=$INSTALL_DIR/venv/bin:/usr/bin\"
+Environment=\"STEGASOO_AUTH_ENABLED=true\"
+Environment=\"STEGASOO_HTTPS_ENABLED=$ENABLE_HTTPS\"
+Environment=\"STEGASOO_PORT=5000\"
+Environment=\"STEGASOO_CHANNEL_KEY=$CHANNEL_KEY\"
+ExecStart=$INSTALL_DIR/venv/bin/python app.py
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+"
+gum style --foreground 82 "✓ Service configured"
+
+# Generate SSL certificates if HTTPS enabled
+if [ "$ENABLE_HTTPS" = "true" ]; then
+  gum spin --spinner dot --title "Generating SSL certificates..." -- bash -c "
+    CERT_DIR='$INSTALL_DIR/frontends/web/certs'
+    mkdir -p \"\$CERT_DIR\"
+
+    # Get local IP for SAN
+    LOCAL_IP=\$(hostname -I | awk '{print \$1}')
+    HOSTNAME=\$(hostname)
+
+    # Generate cert with SANs for IP, hostname, and localhost
+    openssl req -x509 -newkey rsa:2048 \
+      -keyout \"\$CERT_DIR/server.key\" \
+      -out \"\$CERT_DIR/server.crt\" \
+      -days 365 -nodes \
+      -subj \"/O=Stegasoo/CN=\$HOSTNAME\" \
+      -addext \"subjectAltName=DNS:\$HOSTNAME,DNS:\$HOSTNAME.local,DNS:localhost,IP:\$LOCAL_IP,IP:127.0.0.1\" \
+      2>/dev/null
+
+    # Fix permissions
+    chmod 600 \"\$CERT_DIR/server.key\"
+    chown -R $STEGASOO_USER:\$(id -gn $STEGASOO_USER) \"\$CERT_DIR\"
+  "
+  gum style --foreground 82 "✓ SSL certificates generated"
+fi
+
+# Setup port 443 if requested
+if [ "$USE_PORT_443" = "true" ]; then
+  gum spin --spinner dot --title "Setting up port 443 redirect..." -- bash -c "
+        if ! command -v iptables &>/dev/null; then
+            sudo apt-get install -y iptables >/dev/null 2>&1
+        fi
+        if ! sudo iptables -t nat -C PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5000 2>/dev/null; then
+            sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5000
+        fi
+        sudo sh -c 'iptables-save > /etc/iptables.rules'
+        sudo tee /etc/systemd/system/iptables-restore.service >/dev/null <<EOF
+[Unit]
+Description=Restore iptables rules
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /etc/iptables.rules
+
+[Install]
+WantedBy=multi-user.target
+EOF
+        sudo systemctl enable iptables-restore.service >/dev/null 2>&1
+    "
+  gum style --foreground 82 "✓ Port 443 redirect configured"
+fi
+
+gum spin --spinner dot --title "Reloading systemd..." -- sudo systemctl daemon-reload
+gum style --foreground 82 "✓ Systemd reloaded"
+
+# Apply overclock if requested
+if [ "$ENABLE_OVERCLOCK" = "true" ]; then
+  gum spin --spinner dot --title "Configuring overclock..." -- bash -c "
+    CONFIG_FILE='/boot/firmware/config.txt'
+    # Fallback for older Pi OS
+    if [ ! -f \"\$CONFIG_FILE\" ]; then
+      CONFIG_FILE='/boot/config.txt'
+    fi
+
+    # Check if overclock already configured
+    if ! grep -q '^over_voltage=' \"\$CONFIG_FILE\" 2>/dev/null; then
+      # Detect Pi model for appropriate settings
+      PI_MODEL=\$(cat /proc/device-tree/model 2>/dev/null | tr -d '\0')
+
+      echo '' | sudo tee -a \"\$CONFIG_FILE\" >/dev/null
+      echo '# Overclock (configured by Stegasoo wizard)' | sudo tee -a \"\$CONFIG_FILE\" >/dev/null
+
+      if [[ \"\$PI_MODEL\" == *'Raspberry Pi 5'* ]]; then
+        # Pi 5 overclock
+        echo 'over_voltage=4' | sudo tee -a \"\$CONFIG_FILE\" >/dev/null
+        echo 'arm_freq=2800' | sudo tee -a \"\$CONFIG_FILE\" >/dev/null
+      else
+        # Pi 4 overclock
+        echo 'over_voltage=6' | sudo tee -a \"\$CONFIG_FILE\" >/dev/null
+        echo 'arm_freq=2000' | sudo tee -a \"\$CONFIG_FILE\" >/dev/null
+        echo 'gpu_freq=700' | sudo tee -a \"\$CONFIG_FILE\" >/dev/null
+      fi
+    fi
+  "
+  gum style --foreground 82 "✓ Overclock configured"
+fi
+
+gum spin --spinner dot --title "Starting Stegasoo..." -- bash -c "sudo systemctl restart stegasoo && sleep 2"
+
+if systemctl is-active --quiet stegasoo; then
+  gum style --foreground 82 "✓ Stegasoo started successfully"
+else
+  gum style --foreground 196 "✗ Failed to start (check: journalctl -u stegasoo)"
+fi
+
+gum spin --spinner dot --title "Cleaning up wizard..." -- bash -c "
+    sudo rm -f '$FLAG_FILE'
+    sudo rm -f '$PROFILE_HOOK'
+"
+gum style --foreground 82 "✓ Wizard complete"
+
+sleep 1
+
+# =============================================================================
+# Final Summary
+# =============================================================================
+
+clear
+
+PI_IP=$(hostname -I | awk '{print $1}')
+HOSTNAME=$(hostname)
+
+# Build the access URL
+if [ "$ENABLE_HTTPS" = "true" ]; then
+  if [ "$USE_PORT_443" = "true" ]; then
+    ACCESS_URL="https://$PI_IP/setup"
+    ACCESS_URL_LOCAL="https://$HOSTNAME.local/setup"
+  else
+    ACCESS_URL="https://$PI_IP:5000/setup"
+    ACCESS_URL_LOCAL="https://$HOSTNAME.local:5000/setup"
+  fi
+else
+  ACCESS_URL="http://$PI_IP:5000/setup"
+  ACCESS_URL_LOCAL="http://$HOSTNAME.local:5000/setup"
+fi
+
+echo ""
+print_complete_banner "Setup Complete!"
+echo ""
+gum style --foreground 82 --bold "Create your admin account:"
+gum style --foreground 226 "  $ACCESS_URL_LOCAL"
+gum style --foreground 245 "  $ACCESS_URL (fallback IP)"
+
+if [ -n "$CHANNEL_KEY" ]; then
+  echo ""
+  echo -e "\033[1;32mChannel Key:\033[0m \033[0;33m$CHANNEL_KEY\033[0m"
+fi
+
+echo ""
+gum style --foreground 82 --bold "First Steps:"
+gum style --foreground 255 "  1. Open URL → 2. Accept cert → 3. Create admin → 4. Encode!"
+
+echo ""
+gum style --foreground 245 "Commands: systemctl {status|restart} stegasoo, journalctl -u stegasoo -f"
+
+# Prompt for restart if overclock was enabled
+if [ "$NEEDS_RESTART" = "true" ]; then
+  echo ""
+  gum style --foreground 226 --bold "⚠ Restart required for overclock settings"
+  if gum confirm "Restart now?" --default=true; then
+    gum style --foreground 82 "Restarting in 3 seconds..."
+    sleep 3
+    sudo reboot
+  else
+    gum style --foreground 214 "Run 'sudo reboot' later to apply overclock."
+  fi
+fi
+
+echo ""
+gum style --foreground 212 --bold "Enjoy Stegasoo!"
+echo ""
--- a/rpi/flash-image.sh
+++ b/rpi/flash-image.sh
@@ -0,0 +1,442 @@
+#!/bin/bash
+#
+# Flash Stegasoo image to SD card
+# Uses rpi-imager if available, falls back to dd
+#
+# Usage: ./flash-image.sh <image> [device]
+#
+# Supports: .img, .img.zst, .img.xz, .img.gz, .img.zst.zip (GitHub release format)
+# If device is specified, skips auto-detection (useful for NVMe/large drives)
+#
+# Optional: Place config.json in same directory for headless WiFi setup
+#
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CONFIG_FILE="$SCRIPT_DIR/config.json"
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+BOLD='\033[1m'
+NC='\033[0m'
+
+# Load config if present (optional - for headless WiFi setup)
+HAS_CONFIG=false
+if [ -f "$CONFIG_FILE" ] && command -v jq &> /dev/null; then
+    WIFI_SSID=$(jq -r '.wifiSSID // empty' "$CONFIG_FILE")
+    WIFI_PASS=$(jq -r '.wifiPassword // empty' "$CONFIG_FILE")
+    WIFI_COUNTRY=$(jq -r '.wifiCountry // "US"' "$CONFIG_FILE")
+    PI_HOSTNAME=$(jq -r '.hostname // empty' "$CONFIG_FILE")
+    if [ -n "$WIFI_SSID" ] && [ -n "$WIFI_PASS" ]; then
+        HAS_CONFIG=true
+        echo -e "${GREEN}Found config.json - will configure WiFi after flash${NC}"
+        echo -e "  WiFi: ${YELLOW}$WIFI_SSID${NC}"
+        if [ -n "$PI_HOSTNAME" ]; then
+            echo -e "  Hostname: ${YELLOW}$PI_HOSTNAME${NC}"
+        fi
+        echo ""
+    fi
+elif [ -f "$CONFIG_FILE" ]; then
+    echo -e "${YELLOW}Note: config.json found but jq not installed (apt install jq)${NC}"
+    echo -e "${YELLOW}      WiFi will need to be configured manually after boot${NC}"
+    echo ""
+fi
+
+# Check for required tools
+for cmd in dd lsblk; do
+    if ! command -v $cmd &> /dev/null; then
+        echo -e "${RED}Error: $cmd is required but not installed.${NC}"
+        exit 1
+    fi
+done
+
+# Check for optional tools
+HAS_RPI_IMAGER=false
+HAS_PV=false
+if command -v rpi-imager &> /dev/null; then
+    HAS_RPI_IMAGER=true
+fi
+if command -v pv &> /dev/null; then
+    HAS_PV=true
+fi
+
+if [ "$HAS_RPI_IMAGER" = false ] && [ "$HAS_PV" = false ]; then
+    echo -e "${YELLOW}Warning: Neither rpi-imager nor pv found. Progress will not be shown.${NC}"
+fi
+
+# Check for root
+if [ "$EUID" -ne 0 ]; then
+    echo -e "${RED}Error: Must run as root (sudo)${NC}"
+    exit 1
+fi
+
+# Check for image argument
+if [ -z "$1" ]; then
+    echo -e "${RED}Usage: $0 <image> [device]${NC}"
+    echo ""
+    echo "Supported formats: .img, .img.zst, .img.xz, .img.gz, .img.zst.zip"
+    echo ""
+    echo "Examples:"
+    echo "  $0 stegasoo-rpi-4.1.1.img.zst             # auto-detect SD card"
+    echo "  $0 stegasoo-rpi-4.1.1.img.zst.zip         # from GitHub release"
+    echo "  $0 stegasoo-rpi-4.1.1.img.zst /dev/sdb    # specify device"
+    exit 1
+fi
+
+IMAGE="$1"
+MANUAL_DEVICE="$2"
+
+if [ ! -f "$IMAGE" ]; then
+    echo -e "${RED}Error: Image file not found: $IMAGE${NC}"
+    exit 1
+fi
+
+# Handle .zst.zip wrapper (GitHub releases workaround)
+if [[ "$IMAGE" == *.zst.zip ]]; then
+    echo -e "${YELLOW}Extracting .zst from zip wrapper...${NC}"
+    if ! command -v unzip &> /dev/null; then
+        echo -e "${RED}Error: unzip is required for .zst.zip files but not installed.${NC}"
+        exit 1
+    fi
+    TEMP_DIR=$(mktemp -d)
+    trap "rm -rf $TEMP_DIR" EXIT
+    unzip -q "$IMAGE" -d "$TEMP_DIR"
+    IMAGE=$(find "$TEMP_DIR" -name "*.zst" | head -1)
+    if [ -z "$IMAGE" ]; then
+        echo -e "${RED}Error: No .zst file found in zip archive${NC}"
+        exit 1
+    fi
+    echo -e "${GREEN}Found: $(basename "$IMAGE")${NC}"
+    echo ""
+fi
+
+# Detect compression
+COMPRESSED=false
+COMP_TYPE=""
+if [[ "$IMAGE" == *.xz ]]; then
+    COMPRESSED=true
+    COMP_TYPE="xz"
+    if ! command -v xzcat &> /dev/null; then
+        echo -e "${RED}Error: xz is required for .xz files but not installed.${NC}"
+        exit 1
+    fi
+elif [[ "$IMAGE" == *.zst ]]; then
+    COMPRESSED=true
+    COMP_TYPE="zst"
+    if ! command -v zstdcat &> /dev/null; then
+        echo -e "${RED}Error: zstd is required for .zst files but not installed.${NC}"
+        exit 1
+    fi
+elif [[ "$IMAGE" == *.gz ]]; then
+    COMPRESSED=true
+    COMP_TYPE="gz"
+    if ! command -v zcat &> /dev/null; then
+        echo -e "${RED}Error: gzip is required for .gz files but not installed.${NC}"
+        exit 1
+    fi
+fi
+
+echo -e "${BLUE}"
+echo "╔═══════════════════════════════════════════════════════════════╗"
+echo "║              Stegasoo SD Card Flasher                         ║"
+echo "╚═══════════════════════════════════════════════════════════════╝"
+echo -e "${NC}"
+
+echo -e "Image: ${YELLOW}$IMAGE${NC}"
+echo -e "Size:  ${YELLOW}$(du -h "$IMAGE" | awk '{print $1}')${NC}"
+if [ "$COMPRESSED" = true ]; then
+    echo -e "Type:  ${YELLOW}Compressed (will decompress on-the-fly)${NC}"
+fi
+echo ""
+
+# Use manual device or auto-detect
+if [ -n "$MANUAL_DEVICE" ]; then
+    # Manual device specified
+    if [ ! -b "$MANUAL_DEVICE" ]; then
+        echo -e "${RED}Error: $MANUAL_DEVICE is not a block device${NC}"
+        exit 1
+    fi
+    SELECTED="$MANUAL_DEVICE"
+    echo -e "Using specified device: ${YELLOW}$SELECTED${NC}"
+    echo ""
+    lsblk "$SELECTED" -o NAME,SIZE,TYPE,MODEL
+    echo ""
+else
+    # Auto-detect SD card candidates
+    echo -e "${BOLD}Scanning for SD cards...${NC}"
+    echo ""
+
+    declare -a CANDIDATES
+    declare -a CANDIDATE_INFO
+
+    while IFS= read -r line; do
+        DEV=$(echo "$line" | awk '{print $1}')
+        SIZE=$(echo "$line" | awk '{print $2}')
+        TYPE=$(echo "$line" | awk '{print $3}')
+        TRAN=$(echo "$line" | awk '{print $4}')
+        MODEL=$(echo "$line" | awk '{print $5" "$6" "$7}' | xargs)
+
+        # Skip if it's the root filesystem
+        if mount | grep -q "^/dev/${DEV}[0-9]* on / "; then
+            continue
+        fi
+
+        # Skip if any partition is mounted as root
+        ROOT_DEV=$(mount | grep " on / " | awk '{print $1}' | sed 's/[0-9]*$//')
+        if [[ "/dev/$DEV" == "$ROOT_DEV" ]]; then
+            continue
+        fi
+
+        # Get size in bytes for reliable comparison
+        SIZE_BYTES=$(lsblk -b -d -o SIZE -n "/dev/$DEV" 2>/dev/null | tr -d ' ')
+        SIZE_GB_INT=$((SIZE_BYTES / 1073741824))  # 1024^3
+
+        # Check if size is in SD card range (8GB - 128GB)
+        if [ "$SIZE_GB_INT" -ge 8 ] && [ "$SIZE_GB_INT" -le 128 ]; then
+            CANDIDATES+=("/dev/$DEV")
+            CANDIDATE_INFO+=("$SIZE $TYPE ${TRAN:-???} $MODEL")
+        fi
+    done < <(lsblk -d -o NAME,SIZE,TYPE,TRAN,MODEL -n | grep "disk")
+
+    if [ ${#CANDIDATES[@]} -eq 0 ]; then
+        echo -e "${RED}No SD card candidates found.${NC}"
+        echo "Looking for USB/removable disks between 8GB and 128GB."
+        echo ""
+        echo "Available disks:"
+        lsblk -d -o NAME,SIZE,TYPE,TRAN,MODEL
+        echo ""
+        echo -e "${YELLOW}Tip: Specify device manually: $0 $IMAGE /dev/sdX${NC}"
+        exit 1
+    fi
+
+    echo -e "${GREEN}Found ${#CANDIDATES[@]} candidate(s):${NC}"
+    echo ""
+
+    for i in "${!CANDIDATES[@]}"; do
+        echo -e "  ${BOLD}[$((i+1))]${NC} ${CANDIDATES[$i]} - ${CANDIDATE_INFO[$i]}"
+    done
+
+    echo ""
+
+    if [ ${#CANDIDATES[@]} -eq 1 ]; then
+        SELECTED="${CANDIDATES[0]}"
+        echo -e "Auto-selected: ${YELLOW}$SELECTED${NC}"
+    else
+        read -p "Select device [1-${#CANDIDATES[@]}]: " -r
+        if [[ ! $REPLY =~ ^[0-9]+$ ]] || [ "$REPLY" -lt 1 ] || [ "$REPLY" -gt ${#CANDIDATES[@]} ]; then
+            echo -e "${RED}Invalid selection.${NC}"
+            exit 1
+        fi
+        SELECTED="${CANDIDATES[$((REPLY-1))]}"
+    fi
+fi
+
+# Show current partitions
+echo ""
+echo -e "${BOLD}Current partitions on $SELECTED:${NC}"
+lsblk "$SELECTED" -o NAME,SIZE,FSTYPE,LABEL,MOUNTPOINT
+echo ""
+
+# Unmount any mounted partitions
+MOUNTED=$(mount | grep "^${SELECTED}" | awk '{print $1}' || true)
+if [ -n "$MOUNTED" ]; then
+    echo -e "${YELLOW}Unmounting partitions...${NC}"
+    for part in $MOUNTED; do
+        umount "$part" 2>/dev/null || true
+    done
+fi
+
+# Ask about wiping
+echo
+read -p "Wipe partition table first? (recommended if having issues) [y/N] " wipe_confirm
+if [[ "$wipe_confirm" =~ ^[Yy]$ ]]; then
+    echo "Wiping partition table..."
+    sudo wipefs -a "$SELECTED"
+    sudo dd if=/dev/zero of="$SELECTED" bs=1M count=10 status=none
+    sync
+    echo "  Wiped clean"
+fi
+
+# Final confirmation
+echo -e "${RED}╔═══════════════════════════════════════════════════════════════╗${NC}"
+echo -e "${RED}║  WARNING: ALL DATA ON THIS DEVICE WILL BE DESTROYED!          ║${NC}"
+echo -e "${RED}║  $SELECTED                                                  ║${NC}"
+echo -e "${RED}╚═══════════════════════════════════════════════════════════════╝${NC}"
+echo ""
+read -p "Type 'yes' to continue: " -r
+if [[ ! $REPLY == "yes" ]]; then
+    echo "Aborted."
+    exit 1
+fi
+
+echo ""
+echo -e "${GREEN}Flashing image to $SELECTED...${NC}"
+echo ""
+
+# Try rpi-imager first (faster, native support for compressed images)
+if command -v rpi-imager &> /dev/null; then
+    echo -e "${YELLOW}Using rpi-imager...${NC}"
+    if rpi-imager --cli --disable-verify "$IMAGE" "$SELECTED"; then
+        # rpi-imager succeeded
+        :
+    else
+        echo -e "${YELLOW}rpi-imager failed, falling back to dd...${NC}"
+        # Fall through to dd
+        USE_DD=true
+    fi
+else
+    USE_DD=true
+fi
+
+# Fallback to dd
+if [ "$USE_DD" = true ]; then
+    if [ "$HAS_PV" = true ]; then
+        echo -e "${YELLOW}Using dd with progress...${NC}"
+        if [ "$COMPRESSED" = true ]; then
+            case "$COMP_TYPE" in
+                xz)  pv "$IMAGE" | xzcat | dd of="$SELECTED" bs=4M conv=fsync 2>/dev/null ;;
+                zst) pv "$IMAGE" | zstdcat | dd of="$SELECTED" bs=4M conv=fsync 2>/dev/null ;;
+                gz)  pv "$IMAGE" | zcat | dd of="$SELECTED" bs=4M conv=fsync 2>/dev/null ;;
+            esac
+        else
+            pv "$IMAGE" | dd of="$SELECTED" bs=4M conv=fsync 2>/dev/null
+        fi
+    else
+        echo -e "${YELLOW}Using dd (no progress - install pv for progress bar)...${NC}"
+        if [ "$COMPRESSED" = true ]; then
+            case "$COMP_TYPE" in
+                xz)  xzcat "$IMAGE" | dd of="$SELECTED" bs=4M conv=fsync status=progress ;;
+                zst) zstdcat "$IMAGE" | dd of="$SELECTED" bs=4M conv=fsync status=progress ;;
+                gz)  zcat "$IMAGE" | dd of="$SELECTED" bs=4M conv=fsync status=progress ;;
+            esac
+        else
+            dd if="$IMAGE" of="$SELECTED" bs=4M conv=fsync status=progress
+        fi
+    fi
+fi
+
+echo ""
+echo -e "${GREEN}Syncing...${NC}"
+sync
+
+# Inject WiFi config if config.json was loaded
+if [ "$HAS_CONFIG" = true ]; then
+    echo ""
+    echo -e "${GREEN}Configuring WiFi from config.json...${NC}"
+
+    # Wait for partitions to appear
+    sleep 2
+    partprobe "$SELECTED" 2>/dev/null || true
+    sleep 1
+
+    # Determine boot partition
+    if [[ "$SELECTED" == *"nvme"* ]] || [[ "$SELECTED" == *"mmcblk"* ]]; then
+        BOOT_PART="${SELECTED}p1"
+    else
+        BOOT_PART="${SELECTED}1"
+    fi
+
+    if [ -b "$BOOT_PART" ]; then
+        MOUNT_DIR=$(mktemp -d)
+        if mount "$BOOT_PART" "$MOUNT_DIR" 2>/dev/null; then
+            # Create firstrun.sh for WiFi setup
+            cat > "$MOUNT_DIR/firstrun.sh" << 'EOFSCRIPT'
+#!/bin/bash
+set +e
+
+# Set hostname if provided
+if [ -n "PLACEHOLDER_HOSTNAME" ] && [ "PLACEHOLDER_HOSTNAME" != "" ]; then
+    CURRENT_HOSTNAME=$(cat /etc/hostname | tr -d " \t\n\r")
+    if [ -f /usr/lib/raspberrypi-sys-mods/imager_custom ]; then
+        /usr/lib/raspberrypi-sys-mods/imager_custom set_hostname PLACEHOLDER_HOSTNAME
+    else
+        echo PLACEHOLDER_HOSTNAME >/etc/hostname
+        sed -i "s/127.0.1.1.*$CURRENT_HOSTNAME/127.0.1.1\tPLACEHOLDER_HOSTNAME/g" /etc/hosts
+    fi
+fi
+
+# Configure WiFi
+if [ -f /usr/lib/raspberrypi-sys-mods/imager_custom ]; then
+    /usr/lib/raspberrypi-sys-mods/imager_custom set_wlan 'PLACEHOLDER_SSID' 'PLACEHOLDER_WIFIPASS' 'PLACEHOLDER_COUNTRY'
+else
+    # NetworkManager method (Trixie)
+    cat >/etc/NetworkManager/system-connections/preconfigured.nmconnection <<'NMEOF'
+[connection]
+id=preconfigured
+type=wifi
+autoconnect=true
+
+[wifi]
+mode=infrastructure
+ssid=PLACEHOLDER_SSID
+
+[wifi-security]
+auth-alg=open
+key-mgmt=wpa-psk
+psk=PLACEHOLDER_WIFIPASS
+
+[ipv4]
+method=auto
+
+[ipv6]
+method=auto
+NMEOF
+    chmod 600 /etc/NetworkManager/system-connections/preconfigured.nmconnection
+    rfkill unblock wifi
+fi
+
+# Cleanup
+rm -f /boot/firstrun.sh
+rm -f /boot/firmware/firstrun.sh
+sed -i 's| systemd.run.*||g' /boot/cmdline.txt 2>/dev/null
+sed -i 's| systemd.run.*||g' /boot/firmware/cmdline.txt 2>/dev/null
+exit 0
+EOFSCRIPT
+
+            # Replace placeholders
+            sed -i "s/PLACEHOLDER_SSID/$WIFI_SSID/g" "$MOUNT_DIR/firstrun.sh"
+            sed -i "s/PLACEHOLDER_WIFIPASS/$WIFI_PASS/g" "$MOUNT_DIR/firstrun.sh"
+            sed -i "s/PLACEHOLDER_COUNTRY/$WIFI_COUNTRY/g" "$MOUNT_DIR/firstrun.sh"
+            if [ -n "$PI_HOSTNAME" ]; then
+                sed -i "s/PLACEHOLDER_HOSTNAME/$PI_HOSTNAME/g" "$MOUNT_DIR/firstrun.sh"
+            else
+                sed -i "s/PLACEHOLDER_HOSTNAME//g" "$MOUNT_DIR/firstrun.sh"
+            fi
+            chmod +x "$MOUNT_DIR/firstrun.sh"
+
+            # Update cmdline.txt to run firstrun.sh
+            CMDLINE="$MOUNT_DIR/cmdline.txt"
+            if [ -f "$CMDLINE" ]; then
+                CURRENT=$(cat "$CMDLINE" | tr -d '\n' | sed 's| systemd.run.*||g')
+                echo "$CURRENT systemd.run=/boot/firmware/firstrun.sh systemd.run_success_action=reboot systemd.unit=kernel-command-line.target" > "$CMDLINE"
+            fi
+
+            umount "$MOUNT_DIR"
+            echo -e "  ${GREEN}✓${NC} WiFi configured for: $WIFI_SSID"
+        else
+            echo -e "  ${YELLOW}⚠${NC} Could not mount boot partition"
+        fi
+        rmdir "$MOUNT_DIR" 2>/dev/null || true
+    else
+        echo -e "  ${YELLOW}⚠${NC} Boot partition not found"
+    fi
+fi
+
+echo ""
+echo -e "${GREEN}╔═══════════════════════════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║                    Flash Complete!                            ║${NC}"
+echo -e "${GREEN}╚═══════════════════════════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "You can now remove the SD card and boot your Raspberry Pi."
+echo ""
+if [ "$HAS_CONFIG" = true ]; then
+    echo -e "${GREEN}WiFi pre-configured${NC} - Pi will connect to $WIFI_SSID on boot"
+    echo -e "SSH: ${YELLOW}ssh admin@${PI_HOSTNAME:-stegasoo}.local${NC} (password: stegasoo)"
+else
+    echo -e "${YELLOW}Tip:${NC} On first boot, the setup wizard will help configure WiFi."
+    echo -e "${YELLOW}Tip:${NC} Or place config.json in rpi/ for headless setup next time."
+fi
+echo ""
--- a/rpi/flash-stock-img.sh
+++ b/rpi/flash-stock-img.sh
@@ -0,0 +1,332 @@
+#!/bin/bash
+# Flash Raspberry Pi image with headless config (Trixie/Bookworm compatible)
+# Usage: ./flash-stock-img.sh <image.img.xz> <device>
+# Reads settings from config.json in same directory
+#
+# Uses the same firstrun.sh approach as rpi-imager for compatibility
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CONFIG_FILE="$SCRIPT_DIR/config.json"
+
+# ============================================================================
+# Load config
+# ============================================================================
+if [ ! -f "$CONFIG_FILE" ]; then
+    echo "Error: config.json not found at $CONFIG_FILE"
+    exit 1
+fi
+
+PI_USER=$(jq -r '.username' "$CONFIG_FILE")
+PI_PASS=$(jq -r '.password' "$CONFIG_FILE")
+WIFI_SSID=$(jq -r '.wifiSSID' "$CONFIG_FILE")
+WIFI_PASS=$(jq -r '.wifiPassword' "$CONFIG_FILE")
+WIFI_COUNTRY=$(jq -r '.wifiCountry // "US"' "$CONFIG_FILE")
+PI_HOSTNAME=$(jq -r '.hostname' "$CONFIG_FILE")
+PI_TIMEZONE=$(jq -r '.timezone // "America/New_York"' "$CONFIG_FILE")
+PI_KEYMAP=$(jq -r '.keyboardLayout // "us"' "$CONFIG_FILE")
+
+echo "Loaded config from $CONFIG_FILE"
+echo "  Hostname: $PI_HOSTNAME"
+echo "  User: $PI_USER"
+echo "  WiFi: $WIFI_SSID"
+echo "  Timezone: $PI_TIMEZONE"
+echo
+
+# ============================================================================
+# Validate args
+# ============================================================================
+if [ $# -ne 2 ]; then
+    echo "Usage: $0 <image.img.xz> <device>"
+    echo "Example: $0 2025-12-04-raspios-trixie-arm64-lite.img.xz /dev/sdb"
+    exit 1
+fi
+
+IMAGE="$1"
+DEVICE="$2"
+
+if [ ! -f "$IMAGE" ]; then
+    echo "Error: Image file not found: $IMAGE"
+    exit 1
+fi
+
+if [ ! -b "$DEVICE" ]; then
+    echo "Error: Device not found: $DEVICE"
+    exit 1
+fi
+
+# Safety check
+echo "WARNING: This will ERASE all data on $DEVICE"
+echo "Device info:"
+lsblk "$DEVICE"
+echo
+read -p "Type 'yes' to continue: " confirm
+if [ "$confirm" != "yes" ]; then
+    echo "Aborted."
+    exit 1
+fi
+
+# Ask about wiping
+echo
+read -p "Wipe partition table first? (recommended if having issues) [y/N] " wipe_confirm
+if [[ "$wipe_confirm" =~ ^[Yy]$ ]]; then
+    echo "Wiping partition table..."
+    sudo wipefs -a "$DEVICE"
+    sudo dd if=/dev/zero of="$DEVICE" bs=1M count=10 status=none
+    sync
+    echo "  Wiped clean"
+fi
+
+# ============================================================================
+# Flash image
+# ============================================================================
+echo "Flashing $IMAGE to $DEVICE..."
+if [[ "$IMAGE" == *.xz ]]; then
+    xzcat "$IMAGE" | sudo dd of="$DEVICE" bs=4M status=progress conv=fsync
+elif [[ "$IMAGE" == *.zst ]]; then
+    zstdcat "$IMAGE" | sudo dd of="$DEVICE" bs=4M status=progress conv=fsync
+else
+    sudo dd if="$IMAGE" of="$DEVICE" bs=4M status=progress conv=fsync
+fi
+
+echo "Syncing..."
+sync
+
+# Wait for partitions
+sleep 2
+sudo partprobe "$DEVICE" 2>/dev/null || true
+sleep 1
+
+# ============================================================================
+# Find partitions
+# ============================================================================
+if [ -b "${DEVICE}1" ]; then
+    BOOT_PART="${DEVICE}1"
+    ROOT_PART="${DEVICE}2"
+elif [ -b "${DEVICE}p1" ]; then
+    BOOT_PART="${DEVICE}p1"
+    ROOT_PART="${DEVICE}p2"
+else
+    echo "Error: Could not find boot partition"
+    exit 1
+fi
+
+# ============================================================================
+# Resize rootfs to 16GB (faster imaging)
+# ============================================================================
+echo
+read -p "Resize rootfs to 16GB for faster imaging? [Y/n] " resize_confirm
+if [[ ! "$resize_confirm" =~ ^[Nn]$ ]]; then
+    echo "Resizing rootfs partition to 16GB..."
+
+    # Get current partition size in bytes
+    CURRENT_SIZE=$(sudo blockdev --getsize64 "$ROOT_PART")
+    TARGET_BYTES=$((16 * 1024 * 1024 * 1024))  # 16GB in bytes
+
+    # Get boot partition end in sectors
+    BOOT_END=$(sudo parted -s "$DEVICE" unit s print | grep "^ 1" | awk '{print $3}' | tr -d 's')
+
+    # Calculate 16GB in sectors (512 byte sectors)
+    ROOT_SIZE_SECTORS=33554432
+    ROOT_END=$((BOOT_END + ROOT_SIZE_SECTORS))
+
+    if [ "$CURRENT_SIZE" -lt "$TARGET_BYTES" ]; then
+        # EXPANDING: partition first, then filesystem
+        echo "Current partition is smaller than 16GB - expanding..."
+
+        # Delete and recreate partition 2 with 16GB size
+        echo "Expanding partition to 16GB..."
+        sudo parted -s "$DEVICE" rm 2
+        sudo parted -s "$DEVICE" mkpart primary ext4 $((BOOT_END + 1))s ${ROOT_END}s
+
+        # Refresh partition table
+        sudo partprobe "$DEVICE"
+        sleep 2
+
+        # Expand filesystem to fill the new partition
+        echo "Expanding filesystem to fill partition..."
+        sudo e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+        sudo resize2fs "$ROOT_PART"
+    else
+        # SHRINKING: filesystem first, then partition
+        echo "Current partition is larger than 16GB - shrinking..."
+
+        # Check and shrink filesystem first
+        echo "Checking filesystem..."
+        sudo e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+
+        # Shrink filesystem to 15.5GB (leave room for partition overhead)
+        echo "Shrinking filesystem to 15500M..."
+        sudo resize2fs "$ROOT_PART" 15500M
+
+        # Delete and recreate partition 2 with 16GB size
+        echo "Shrinking partition to 16GB..."
+        sudo parted -s "$DEVICE" rm 2
+        sudo parted -s "$DEVICE" mkpart primary ext4 $((BOOT_END + 1))s ${ROOT_END}s
+
+        # Refresh partition table
+        sudo partprobe "$DEVICE"
+        sleep 2
+
+        # Expand filesystem to fill the partition exactly
+        echo "Expanding filesystem to fill partition..."
+        sudo e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+        sudo resize2fs "$ROOT_PART"
+    fi
+
+    # Verify and show result
+    echo "Verifying partition size..."
+    sudo parted -s "$DEVICE" unit GB print | grep "^ 2"
+
+    # Disable Pi OS auto-expand on first boot
+    echo "Disabling auto-expand..."
+    TEMP_ROOT=$(mktemp -d)
+    sudo mount "$ROOT_PART" "$TEMP_ROOT"
+
+    # Remove resize2fs_once service if it exists
+    sudo rm -f "$TEMP_ROOT/etc/init.d/resize2fs_once"
+    sudo rm -f "$TEMP_ROOT/etc/rc3.d/S01resize2fs_once"
+
+    # Disable the systemd resize service
+    sudo rm -f "$TEMP_ROOT/etc/systemd/system/multi-user.target.wants/rpi-resizerootfs.service"
+
+    sudo umount "$TEMP_ROOT"
+    rmdir "$TEMP_ROOT"
+
+    echo "  Rootfs set to 16GB (auto-expand disabled)"
+fi
+
+MOUNT_DIR=$(mktemp -d)
+
+# ============================================================================
+# Configure boot partition with firstrun.sh (rpi-imager method)
+# ============================================================================
+echo "Mounting boot partition..."
+sudo mount "$BOOT_PART" "$MOUNT_DIR"
+
+# Enable SSH
+echo "Enabling SSH..."
+sudo touch "$MOUNT_DIR/ssh"
+
+# Generate password hash
+PASS_HASH=$(echo "$PI_PASS" | openssl passwd -6 -stdin)
+
+# Create firstrun.sh - this is exactly what rpi-imager generates
+echo "Creating firstrun.sh..."
+sudo tee "$MOUNT_DIR/firstrun.sh" > /dev/null << 'EOFSCRIPT'
+#!/bin/bash
+set +e
+
+CURRENT_HOSTNAME=$(cat /etc/hostname | tr -d " \t\n\r")
+if [ -f /usr/lib/raspberrypi-sys-mods/imager_custom ]; then
+   /usr/lib/raspberrypi-sys-mods/imager_custom set_hostname PLACEHOLDER_HOSTNAME
+else
+   echo PLACEHOLDER_HOSTNAME >/etc/hostname
+   sed -i "s/127.0.1.1.*$CURRENT_HOSTNAME/127.0.1.1\tPLACEHOLDER_HOSTNAME/g" /etc/hosts
+fi
+
+FIRSTUSER=$(getent passwd 1000 | cut -d: -f1)
+FIRSTUSERHOME=$(getent passwd 1000 | cut -d: -f6)
+
+if [ -f /usr/lib/raspberrypi-sys-mods/imager_custom ]; then
+   /usr/lib/raspberrypi-sys-mods/imager_custom enable_ssh
+else
+   systemctl enable ssh
+fi
+
+if [ -f /usr/lib/userconf-pi/userconf ]; then
+   /usr/lib/userconf-pi/userconf 'PLACEHOLDER_USER' 'PLACEHOLDER_HASH'
+else
+   echo "$FIRSTUSER:"'PLACEHOLDER_HASH' | chpasswd -e
+   if [ "$FIRSTUSER" != "PLACEHOLDER_USER" ]; then
+      usermod -l "PLACEHOLDER_USER" "$FIRSTUSER"
+      usermod -m -d "/home/PLACEHOLDER_USER" "PLACEHOLDER_USER"
+      groupmod -n "PLACEHOLDER_USER" "$FIRSTUSER"
+      if grep -q "^autologin-user=" /etc/lightdm/lightdm.conf 2>/dev/null; then
+         sed -i "s/^autologin-user=.*/autologin-user=PLACEHOLDER_USER/" /etc/lightdm/lightdm.conf
+      fi
+      if [ -f /etc/systemd/system/getty@tty1.service.d/autologin.conf ]; then
+         sed -i "s/$FIRSTUSER/PLACEHOLDER_USER/" /etc/systemd/system/getty@tty1.service.d/autologin.conf
+      fi
+   fi
+fi
+
+if [ -f /usr/lib/raspberrypi-sys-mods/imager_custom ]; then
+   /usr/lib/raspberrypi-sys-mods/imager_custom set_keymap 'PLACEHOLDER_KEYMAP'
+   /usr/lib/raspberrypi-sys-mods/imager_custom set_timezone 'PLACEHOLDER_TIMEZONE'
+fi
+
+if [ -f /usr/lib/raspberrypi-sys-mods/imager_custom ]; then
+   /usr/lib/raspberrypi-sys-mods/imager_custom set_wlan 'PLACEHOLDER_SSID' 'PLACEHOLDER_WIFIPASS' 'PLACEHOLDER_COUNTRY'
+else
+cat >/etc/wpa_supplicant/wpa_supplicant.conf <<'WPAEOF'
+country=PLACEHOLDER_COUNTRY
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
+ap_scan=1
+update_config=1
+network={
+	ssid="PLACEHOLDER_SSID"
+	psk="PLACEHOLDER_WIFIPASS"
+}
+WPAEOF
+   chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf
+   rfkill unblock wifi
+   for filename in /var/lib/systemd/rfkill/*:wlan ; do
+      echo 0 > "$filename"
+   done
+fi
+
+rm -f /boot/firstrun.sh
+rm -f /boot/firmware/firstrun.sh
+sed -i 's| systemd.run.*||g' /boot/cmdline.txt 2>/dev/null
+sed -i 's| systemd.run.*||g' /boot/firmware/cmdline.txt 2>/dev/null
+exit 0
+EOFSCRIPT
+
+# Replace placeholders with actual values
+sudo sed -i "s/PLACEHOLDER_HOSTNAME/$PI_HOSTNAME/g" "$MOUNT_DIR/firstrun.sh"
+sudo sed -i "s/PLACEHOLDER_USER/$PI_USER/g" "$MOUNT_DIR/firstrun.sh"
+sudo sed -i "s|PLACEHOLDER_HASH|$PASS_HASH|g" "$MOUNT_DIR/firstrun.sh"
+sudo sed -i "s/PLACEHOLDER_KEYMAP/$PI_KEYMAP/g" "$MOUNT_DIR/firstrun.sh"
+sudo sed -i "s|PLACEHOLDER_TIMEZONE|$PI_TIMEZONE|g" "$MOUNT_DIR/firstrun.sh"
+sudo sed -i "s/PLACEHOLDER_SSID/$WIFI_SSID/g" "$MOUNT_DIR/firstrun.sh"
+sudo sed -i "s/PLACEHOLDER_WIFIPASS/$WIFI_PASS/g" "$MOUNT_DIR/firstrun.sh"
+sudo sed -i "s/PLACEHOLDER_COUNTRY/$WIFI_COUNTRY/g" "$MOUNT_DIR/firstrun.sh"
+
+sudo chmod +x "$MOUNT_DIR/firstrun.sh"
+
+# Update cmdline.txt to run firstrun.sh on boot
+echo "Updating cmdline.txt..."
+CMDLINE="$MOUNT_DIR/cmdline.txt"
+if [ -f "$CMDLINE" ]; then
+    # Read current cmdline, strip existing systemd.run and init= (auto-expand)
+    CURRENT=$(cat "$CMDLINE" | tr -d '\n' | sed 's| systemd.run.*||g' | sed 's| init=[^ ]*||g')
+    echo "$CURRENT systemd.run=/boot/firmware/firstrun.sh systemd.run_success_action=reboot systemd.unit=kernel-command-line.target" | sudo tee "$CMDLINE" > /dev/null
+    echo "  cmdline.txt updated"
+fi
+
+sudo umount "$MOUNT_DIR"
+rmdir "$MOUNT_DIR"
+
+echo
+echo "Done! SD card is ready."
+echo "  Hostname: $PI_HOSTNAME"
+echo "  User: $PI_USER"
+echo "  SSH: enabled"
+echo "  WiFi: $WIFI_SSID"
+echo
+echo "Insert into Pi and boot. Access via:"
+echo "  mDNS:  http://$PI_HOSTNAME.local"
+echo "  Find IP: ping $PI_HOSTNAME.local"
+echo
+echo "Once booted, SSH with: ssh $PI_USER@$PI_HOSTNAME.local"
+
+# If we resized, remind about pull-image.sh
+if [[ ! "$resize_confirm" =~ ^[Nn]$ ]]; then
+    echo
+    echo "=== After setup, use pull-image.sh to create distributable image ==="
+    echo "  ./pull-image.sh $DEVICE stegasoo-rpi-VERSION.img.zst"
+    echo
+    echo "This will only pull the 16GB partition, not the entire SD card."
+fi
--- a/rpi/host-requirements.txt
+++ b/rpi/host-requirements.txt
@@ -0,0 +1,29 @@
+# Host Machine Dependencies for Stegasoo Pi Scripts
+# =================================================
+#
+# Quick install (Debian/Ubuntu):
+#   sudo apt install parted e2fsprogs zstd zip bc pv jq unzip sshpass
+#
+# Or install with this file:
+#   sudo apt install $(grep -v '^#' rpi/host-requirements.txt | grep -v '^$' | xargs)
+
+# pull-image.sh - Create distributable images
+parted              # Partition table reading/writing
+e2fsprogs           # e2fsck, resize2fs for ext4
+zstd                # Compression (zstd -T0 -3)
+zip                 # Optional .zst.zip wrapper for GitHub
+bc                  # Floating point math for size display
+pv                  # Progress bar (optional, falls back to dd status)
+
+# flash-image.sh - Flash images to SD cards
+unzip               # Extract .zst.zip wrappers
+zstd                # Decompress .zst images
+pv                  # Progress bar (optional)
+jq                  # Parse config.json for headless WiFi (optional)
+
+# kickoff-pi-test.sh - Automated flash+test
+sshpass             # Non-interactive SSH with password
+avahi-utils         # avahi-resolve for .local hostname lookup
+
+# Optional tools
+rpi-imager          # Faster flashing (flash-image.sh falls back to dd)
--- a/rpi/inject-wifi.sh
+++ b/rpi/inject-wifi.sh
@@ -0,0 +1,200 @@
+#!/bin/bash
+#
+# Inject WiFi credentials into SD card for Raspberry Pi
+# Supports both Bookworm (NetworkManager) and older (wpa_supplicant)
+#
+# First-time setup:
+#   ./inject-wifi.sh --setup
+#
+# Then after flashing:
+#   sudo ./inject-wifi.sh              # auto-detect partitions
+#   sudo ./inject-wifi.sh /dev/sdb     # specify device (finds partitions)
+#
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+CONFIG_DIR="$HOME/.config/stegasoo"
+CONFIG_FILE="$CONFIG_DIR/wifi.conf"
+
+# Setup mode - save credentials
+if [ "$1" == "--setup" ]; then
+    echo -e "${BLUE}Stegasoo WiFi Config Setup${NC}"
+    echo ""
+
+    read -p "WiFi SSID: " WIFI_SSID
+    read -s -p "WiFi Password: " WIFI_PASS
+    echo ""
+    read -p "Country code [US]: " WIFI_COUNTRY
+    WIFI_COUNTRY=${WIFI_COUNTRY:-US}
+
+    # Generate hashed PSK for wpa_supplicant (legacy)
+    if command -v wpa_passphrase &> /dev/null; then
+        HASHED_PSK=$(wpa_passphrase "$WIFI_SSID" "$WIFI_PASS" | grep -E "^\s+psk=" | tr -d '\t' | cut -d= -f2)
+    else
+        HASHED_PSK=""
+        echo -e "${YELLOW}Note: wpa_passphrase not found, legacy mode disabled${NC}"
+    fi
+
+    # Save config (includes plaintext for NetworkManager)
+    mkdir -p "$CONFIG_DIR"
+    chmod 700 "$CONFIG_DIR"
+
+    cat > "$CONFIG_FILE" << EOF
+# Stegasoo WiFi config
+WIFI_SSID="$WIFI_SSID"
+WIFI_PASS="$WIFI_PASS"
+WIFI_PSK_HASH="$HASHED_PSK"
+WIFI_COUNTRY="$WIFI_COUNTRY"
+EOF
+    chmod 600 "$CONFIG_FILE"
+
+    echo ""
+    echo -e "${GREEN}Config saved to $CONFIG_FILE${NC}"
+    exit 0
+fi
+
+# Normal mode - inject credentials
+if [ "$EUID" -ne 0 ]; then
+    echo -e "${RED}Error: Must run as root (sudo)${NC}"
+    echo "Usage: sudo $0 [/dev/sdX]"
+    echo ""
+    echo "First-time setup (no sudo): $0 --setup"
+    exit 1
+fi
+
+# Load config
+if [ -n "$SUDO_USER" ]; then
+    USER_HOME=$(getent passwd "$SUDO_USER" | cut -d: -f6)
+    CONFIG_FILE="$USER_HOME/.config/stegasoo/wifi.conf"
+fi
+
+if [ ! -f "$CONFIG_FILE" ]; then
+    echo -e "${RED}Config not found: $CONFIG_FILE${NC}"
+    echo ""
+    echo "Run setup first (without sudo):"
+    echo "  ./inject-wifi.sh --setup"
+    exit 1
+fi
+
+source "$CONFIG_FILE"
+
+if [ -z "$WIFI_SSID" ] || [ -z "$WIFI_PASS" ]; then
+    echo -e "${RED}Invalid config. Run --setup again.${NC}"
+    exit 1
+fi
+
+# Find partitions
+MANUAL_DEV="$1"
+
+if [ -n "$MANUAL_DEV" ]; then
+    # Strip partition number if given (e.g., /dev/sdb1 -> /dev/sdb)
+    BASE_DEV=$(echo "$MANUAL_DEV" | sed 's/[0-9]*$//')
+    BOOT_DEV="${BASE_DEV}1"
+    ROOT_DEV="${BASE_DEV}2"
+else
+    # Auto-detect by label
+    BOOT_PART=$(lsblk -o NAME,FSTYPE,LABEL -rn | grep -E "vfat.*(bootfs|boot)" | head -1 | awk '{print $1}')
+    ROOT_PART=$(lsblk -o NAME,FSTYPE,LABEL -rn | grep -E "ext4.*rootfs" | head -1 | awk '{print $1}')
+
+    if [ -z "$BOOT_PART" ] || [ -z "$ROOT_PART" ]; then
+        echo -e "${RED}Could not find boot/root partitions. Is the SD card inserted?${NC}"
+        echo ""
+        lsblk -o NAME,SIZE,FSTYPE,LABEL
+        echo ""
+        echo -e "${YELLOW}Tip: Specify device manually: sudo $0 /dev/sdX${NC}"
+        exit 1
+    fi
+
+    BOOT_DEV="/dev/$BOOT_PART"
+    ROOT_DEV="/dev/$ROOT_PART"
+fi
+
+echo -e "${GREEN}Found partitions:${NC}"
+echo -e "  Boot: ${YELLOW}$BOOT_DEV${NC}"
+echo -e "  Root: ${YELLOW}$ROOT_DEV${NC}"
+
+# Mount points
+BOOT_MNT="/tmp/stegasoo-boot-$$"
+ROOT_MNT="/tmp/stegasoo-root-$$"
+
+cleanup() {
+    umount "$BOOT_MNT" 2>/dev/null || true
+    umount "$ROOT_MNT" 2>/dev/null || true
+    rmdir "$BOOT_MNT" "$ROOT_MNT" 2>/dev/null || true
+}
+trap cleanup EXIT
+
+mkdir -p "$BOOT_MNT" "$ROOT_MNT"
+
+# Mount partitions
+mount "$BOOT_DEV" "$BOOT_MNT"
+mount "$ROOT_DEV" "$ROOT_MNT"
+
+echo ""
+
+# 1. Write NetworkManager config (Bookworm+)
+NM_DIR="$ROOT_MNT/etc/NetworkManager/system-connections"
+if [ -d "$ROOT_MNT/etc/NetworkManager" ]; then
+    mkdir -p "$NM_DIR"
+
+    # NetworkManager connection file
+    NM_FILE="$NM_DIR/stegasoo-wifi.nmconnection"
+    cat > "$NM_FILE" << EOF
+[connection]
+id=$WIFI_SSID
+type=wifi
+autoconnect=true
+
+[wifi]
+mode=infrastructure
+ssid=$WIFI_SSID
+
+[wifi-security]
+auth-alg=open
+key-mgmt=wpa-psk
+psk=$WIFI_PASS
+
+[ipv4]
+method=auto
+
+[ipv6]
+method=auto
+EOF
+    chmod 600 "$NM_FILE"
+    echo -e "${GREEN}Created NetworkManager config (Bookworm)${NC}"
+fi
+
+# 2. Write wpa_supplicant.conf (legacy, boot partition)
+if [ -n "$WIFI_PSK_HASH" ]; then
+    cat > "$BOOT_MNT/wpa_supplicant.conf" << EOF
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
+update_config=1
+country=$WIFI_COUNTRY
+
+network={
+    ssid="$WIFI_SSID"
+    psk=$WIFI_PSK_HASH
+}
+EOF
+    echo -e "${GREEN}Created wpa_supplicant.conf (legacy)${NC}"
+fi
+
+# 3. Set WiFi country in boot config
+if [ -f "$BOOT_MNT/config.txt" ]; then
+    if ! grep -q "^dtparam=cfg80211" "$BOOT_MNT/config.txt"; then
+        echo "" >> "$BOOT_MNT/config.txt"
+        echo "# WiFi country" >> "$BOOT_MNT/config.txt"
+        echo "dtparam=cfg80211" >> "$BOOT_MNT/config.txt"
+    fi
+fi
+
+echo -e "  SSID: ${YELLOW}$WIFI_SSID${NC}"
+
+echo ""
+echo -e "${GREEN}Done! WiFi credentials injected for Bookworm + legacy.${NC}"
--- a/rpi/kickoff-pi-test.sh
+++ b/rpi/kickoff-pi-test.sh
@@ -0,0 +1,193 @@
+#!/bin/bash
+#
+# Stegasoo Pi Test Kickoff Script
+# Automates: flash -> wait for boot -> setup -> test
+#
+# Usage: ./kickoff-pi-test.sh <image.img.zst> </dev/sdX>
+#
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Pi connection settings
+PI_HOST="stegasoo.local"
+PI_USER="admin"
+PI_PASS="stegasoo"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+# -----------------------------------------------------------------------------
+# Helper functions
+# -----------------------------------------------------------------------------
+
+# Wait for Pi to be reachable
+wait_for_pi() {
+    local attempt=1
+    ssh-keygen -R "$PI_HOST" 2>/dev/null
+
+    echo "Waiting for $PI_USER@$PI_HOST..."
+    while ! sshpass -p "$PI_PASS" ssh -o ConnectTimeout=2 -o StrictHostKeyChecking=no -o BatchMode=no -o UserKnownHostsFile=/dev/null "$PI_USER@$PI_HOST" "exit" 2>/dev/null; do
+        printf "\rAttempt %d..." "$attempt"
+        ((attempt++))
+        sleep 2
+    done
+
+    printf "\r${GREEN}✓ Ready after %d attempts${NC}\n" "$attempt"
+    printf '\a'  # Terminal bell
+}
+
+# Run command on Pi (non-interactive)
+run_on_pi() {
+    sshpass -p "$PI_PASS" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$PI_USER@$PI_HOST" "$@"
+}
+
+# Run command on Pi (interactive/PTY)
+run_on_pi_interactive() {
+    sshpass -p "$PI_PASS" ssh -t -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$PI_USER@$PI_HOST" "$@"
+}
+
+# Copy file to Pi
+scp_to_pi() {
+    local src="$1"
+    local dst="$2"
+    sshpass -p "$PI_PASS" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$src" "$PI_USER@$PI_HOST:$dst"
+}
+
+# Interactive SSH session
+ssh_pi() {
+    ssh-keygen -R "$PI_HOST" 2>/dev/null
+    sshpass -p "$PI_PASS" ssh -t -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$PI_USER@$PI_HOST" "$@"
+}
+
+# -----------------------------------------------------------------------------
+# Main
+# -----------------------------------------------------------------------------
+
+if [[ $# -lt 2 ]]; then
+    echo "Usage: $0 <image.img.zst> </dev/sdX>"
+    echo ""
+    echo "Example: $0 stegasoo-v4.1.img.zst /dev/sda"
+    exit 1
+fi
+
+IMAGE="$1"
+DEVICE="$2"
+
+if [[ ! -f "$IMAGE" ]]; then
+    echo -e "${RED}Error: Image file not found: $IMAGE${NC}"
+    exit 1
+fi
+
+if [[ ! -b "$DEVICE" ]]; then
+    echo -e "${RED}Error: Device not found: $DEVICE${NC}"
+    exit 1
+fi
+
+echo -e "${CYAN}╔═══════════════════════════════════════════════════════════════╗${NC}"
+echo -e "${CYAN}║              Stegasoo Pi Test Kickoff                         ║${NC}"
+echo -e "${CYAN}╚═══════════════════════════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "Image:  ${YELLOW}$IMAGE${NC}"
+echo -e "Device: ${YELLOW}$DEVICE${NC}"
+echo ""
+
+# -----------------------------------------------------------------------------
+# Step 1: Flash the image
+# -----------------------------------------------------------------------------
+echo -e "${GREEN}[1/8]${NC} Flashing image..."
+echo ""
+
+# Auto-answer: "yes" for confirm, "y" for wipe, "y" for resize
+printf 'yes\ny\ny\n' | "$SCRIPT_DIR/flash-stock-img.sh" "$IMAGE" "$DEVICE"
+
+echo ""
+echo -e "${GREEN}[2/8]${NC} Flash complete! Waiting for SD card insertion..."
+echo ""
+
+# -----------------------------------------------------------------------------
+# Step 2: Wait for user to insert SD card
+# -----------------------------------------------------------------------------
+echo -e "${YELLOW}════════════════════════════════════════════════════════════════${NC}"
+echo -e "${YELLOW}  Insert SD card into Pi and power on${NC}"
+echo -e "${YELLOW}════════════════════════════════════════════════════════════════${NC}"
+echo ""
+read -p "Press ENTER when Pi is booting..."
+
+echo ""
+
+# -----------------------------------------------------------------------------
+# Step 3: Wait for Pi to be ready
+# -----------------------------------------------------------------------------
+echo -e "${GREEN}[3/8]${NC} Waiting for Pi to boot..."
+echo ""
+
+wait_for_pi
+
+# -----------------------------------------------------------------------------
+# Step 4: Pre-setup (install dependencies)
+# -----------------------------------------------------------------------------
+echo ""
+echo -e "${GREEN}[4/8]${NC} Installing dependencies on Pi..."
+echo ""
+
+run_on_pi "sudo chown admin:admin /opt && sudo apt-get update && sudo apt-get install -y git zstd jq"
+
+# -----------------------------------------------------------------------------
+# Step 5: Clone repo
+# -----------------------------------------------------------------------------
+echo ""
+echo -e "${GREEN}[5/8]${NC} Cloning Stegasoo repo..."
+echo ""
+
+run_on_pi "cd /opt && git clone -b 4.1 https://github.com/adlee-was-taken/stegasoo.git stegasoo"
+
+# -----------------------------------------------------------------------------
+# Step 6: Copy pre-built tarball
+# -----------------------------------------------------------------------------
+echo ""
+echo -e "${GREEN}[6/8]${NC} Copying pre-built tarball to Pi..."
+echo ""
+
+TARBALL="$SCRIPT_DIR/stegasoo-rpi-runtime-env-arm64.tar.zst"
+if [[ -f "$TARBALL" ]]; then
+    scp_to_pi "$TARBALL" "/opt/stegasoo/rpi/"
+    echo -e "  ${GREEN}✓${NC} Tarball copied"
+else
+    echo -e "  ${YELLOW}⚠${NC} Tarball not found at $TARBALL"
+    echo -e "  ${YELLOW}⚠${NC} Setup will build from source (takes longer)"
+fi
+
+# -----------------------------------------------------------------------------
+# Step 7: Run setup
+# -----------------------------------------------------------------------------
+echo ""
+echo -e "${GREEN}[7/8]${NC} Running setup.sh on Pi..."
+echo ""
+
+run_on_pi_interactive "cd /opt/stegasoo && ./rpi/setup.sh"
+
+# -----------------------------------------------------------------------------
+# Step 8: Test it works
+# -----------------------------------------------------------------------------
+echo ""
+echo -e "${GREEN}[8/8]${NC} Testing Stegasoo..."
+echo ""
+
+run_on_pi "sudo systemctl start stegasoo && sleep 2 && curl -sk https://localhost:5000 | head -5"
+
+echo ""
+echo -e "${GREEN}════════════════════════════════════════════════════════════════${NC}"
+echo -e "${GREEN}  Build complete! Pi is ready for testing.${NC}"
+echo -e "${GREEN}════════════════════════════════════════════════════════════════${NC}"
+echo ""
+echo -e "Access: ${YELLOW}https://stegasoo.local:5000${NC}"
+echo ""
+read -p "Press ENTER to SSH into Pi for manual testing..."
+
+ssh_pi
--- a/rpi/patches/README.md
+++ b/rpi/patches/README.md
@@ -0,0 +1,57 @@
+# RPi Patches
+
+This directory contains patches for dependencies that need modifications to build on ARM64.
+
+## Structure
+
+```
+patches/
+  <package>/
+    arm64.patch       # Standard unified diff patch file
+    apply-patch.sh    # Script with fallback strategies
+```
+
+## How It Works
+
+The `apply-patch.sh` script tries multiple strategies in order:
+
+1. **Patch file** - Apply the `.patch` file using `patch -p1`
+2. **Sed fallback** - Use sed for simple string replacements
+3. **Python fallback** - Use regex for flexible pattern matching
+
+This layered approach handles:
+- Exact matches (patch file works)
+- Minor upstream changes (sed catches variations)
+- Significant changes (Python regex is most flexible)
+- Already patched files (detected and skipped)
+
+## Adding a New Patch
+
+1. Create a directory: `patches/<package>/`
+2. Create the patch file: `git diff > arm64.patch`
+3. Create `apply-patch.sh` with appropriate fallback logic
+4. Update `setup.sh` to call the patch script
+
+## jpegio Patch
+
+The jpegio library includes x86-specific `-m64` compiler flags that fail on ARM64.
+The patch removes these flags by replacing:
+
+```python
+cargs.append('-m64')
+```
+
+with:
+
+```python
+pass  # ARM64: removed x86-specific -m64 flag
+```
+
+## Updating Patches
+
+When upstream changes break a patch:
+
+1. Clone the new version
+2. Make the necessary modifications
+3. Generate a new patch: `diff -u original modified > arm64.patch`
+4. Test on a fresh Pi install
--- a/rpi/patches/jpegio/apply-patch.sh
+++ b/rpi/patches/jpegio/apply-patch.sh
@@ -0,0 +1,111 @@
+#!/bin/bash
+#
+# Apply ARM64 patch to jpegio
+# This script tries multiple strategies to remove the x86-specific -m64 flag
+#
+# Usage: ./apply-patch.sh /path/to/jpegio
+#
+
+set -e
+
+JPEGIO_DIR="${1:-.}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PATCH_FILE="$SCRIPT_DIR/arm64.patch"
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+cd "$JPEGIO_DIR"
+
+echo "Applying ARM64 patch to jpegio..."
+
+# Fix CRLF line endings (jpegio uses Windows line endings)
+if file setup.py | grep -q CRLF; then
+    echo "  Converting CRLF to LF..."
+    sed -i 's/\r$//' setup.py
+fi
+
+# Strategy 1: Try the standard patch file
+if [ -f "$PATCH_FILE" ]; then
+    echo "  Trying patch file..."
+    if patch -p1 --dry-run < "$PATCH_FILE" >/dev/null 2>&1; then
+        patch -p1 < "$PATCH_FILE"
+        echo -e "  ${GREEN}✓ Patch applied successfully${NC}"
+        exit 0
+    else
+        echo -e "  ${YELLOW}Patch file didn't apply cleanly, trying fallback...${NC}"
+    fi
+fi
+
+# Strategy 2: Sed replacement (handles any number of occurrences)
+if grep -q "cargs.append('-m64')" setup.py 2>/dev/null; then
+    echo "  Using sed fallback..."
+    sed -i "s/cargs.append('-m64')/pass  # ARM64: removed x86-specific -m64 flag/g" setup.py
+
+    # Verify the fix
+    if grep -q "cargs.append('-m64')" setup.py; then
+        echo -e "  ${RED}✗ Sed replacement failed${NC}"
+        exit 1
+    fi
+
+    echo -e "  ${GREEN}✓ Sed fallback successful${NC}"
+    exit 0
+fi
+
+# Strategy 3: Check if already patched
+if grep -q "ARM64: removed" setup.py 2>/dev/null; then
+    echo -e "  ${GREEN}✓ Already patched${NC}"
+    exit 0
+fi
+
+# Strategy 4: Python-based patching (most flexible)
+echo "  Using Python fallback..."
+python3 << 'PYTHON_PATCH'
+import re
+import sys
+
+with open('setup.py', 'r') as f:
+    content = f.read()
+
+original = content
+
+# Pattern 1: Direct replacement
+content = re.sub(
+    r"cargs\.append\(['\"]+-m64['\"]+\)",
+    "pass  # ARM64: removed x86-specific -m64 flag",
+    content
+)
+
+# Pattern 2: Handle variations with different quotes or spacing
+content = re.sub(
+    r"cargs\.append\s*\(\s*['\"]+-m64['\"]+\s*\)",
+    "pass  # ARM64: removed x86-specific -m64 flag",
+    content
+)
+
+if content == original:
+    # Check if already patched or pattern not found
+    if "ARM64: removed" in content:
+        print("Already patched")
+        sys.exit(0)
+    else:
+        print("Warning: -m64 pattern not found in setup.py")
+        print("This may indicate jpegio's structure has changed significantly")
+        sys.exit(0)  # Don't fail - maybe they removed it upstream
+
+with open('setup.py', 'w') as f:
+    f.write(content)
+
+print("Python patch applied")
+PYTHON_PATCH
+
+if [ $? -eq 0 ]; then
+    echo -e "  ${GREEN}✓ Python fallback successful${NC}"
+    exit 0
+fi
+
+echo -e "${RED}✗ All patching strategies failed${NC}"
+echo "Please check jpegio's setup.py manually"
+exit 1
--- a/rpi/patches/jpegio/arm64.patch
+++ b/rpi/patches/jpegio/arm64.patch
@@ -0,0 +1,20 @@
+--- a/setup.py
+++ b/setup.py
+@@ -64,7 +64,7 @@ elif sys.platform == 'darwin': # macOS
+     largs.append('-mmacosx-version-min=10.9')
+
+     if arch == 'x64':
+-        cargs.append('-m64')
+        pass  # ARM64: removed x86-specific -m64 flag
+ elif sys.platform == 'linux':
+     cargs.extend(['-w', '-fPIC'])
+
+@@ -68,7 +68,7 @@ elif sys.platform == 'linux':
+     cargs.extend(['-w', '-fPIC'])
+
+     if arch == 'x64':
+-        cargs.append('-m64')
+        pass  # ARM64: removed x86-specific -m64 flag
+     dname_libjpeg = 'libjpeg'
+
+ # end of if-else
--- a/rpi/pull-image.sh
+++ b/rpi/pull-image.sh
@@ -0,0 +1,212 @@
+#!/bin/bash
+# Pull Raspberry Pi image from SD card (after setup)
+# Resizes rootfs to 16GB for consistent image size, then pulls
+#
+# Usage: ./pull-image.sh <device> <output.img.zst>
+# Example: ./pull-image.sh /dev/sdb stegasoo-rpi-4.1.5.img.zst
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BOLD='\033[1m'
+NC='\033[0m'
+
+if [ $# -ne 2 ]; then
+    echo "Usage: $0 <device> <output.img.zst>"
+    echo "Example: $0 /dev/sdb stegasoo-rpi-4.1.5.img.zst"
+    exit 1
+fi
+
+DEVICE="$1"
+OUTPUT="$2"
+
+# Check for root
+if [ "$EUID" -ne 0 ]; then
+    echo -e "${RED}Error: Must run as root (sudo)${NC}"
+    exit 1
+fi
+
+if [ ! -b "$DEVICE" ]; then
+    echo -e "${RED}Error: Device not found: $DEVICE${NC}"
+    exit 1
+fi
+
+echo -e "${BOLD}Device info:${NC}"
+lsblk "$DEVICE"
+echo
+
+# Find partitions
+if [ -b "${DEVICE}1" ]; then
+    BOOT_PART="${DEVICE}1"
+    ROOT_PART="${DEVICE}2"
+elif [ -b "${DEVICE}p1" ]; then
+    BOOT_PART="${DEVICE}p1"
+    ROOT_PART="${DEVICE}p2"
+else
+    echo -e "${RED}Error: Could not find partitions${NC}"
+    exit 1
+fi
+
+# Unmount any mounted partitions
+echo -e "${YELLOW}Unmounting partitions...${NC}"
+umount "$BOOT_PART" 2>/dev/null || true
+umount "$ROOT_PART" 2>/dev/null || true
+
+# ============================================================================
+# Resize rootfs to 16GB
+# ============================================================================
+echo
+echo -e "${BOLD}Checking partition size...${NC}"
+
+# Get current partition size in bytes
+CURRENT_SIZE=$(blockdev --getsize64 "$ROOT_PART")
+TARGET_BYTES=$((16 * 1024 * 1024 * 1024))  # 16GB in bytes
+CURRENT_GB=$(echo "scale=2; $CURRENT_SIZE / 1073741824" | bc)
+
+echo "  Current rootfs size: ${CURRENT_GB}GB"
+
+if [ "$CURRENT_SIZE" -gt "$TARGET_BYTES" ]; then
+    echo -e "${YELLOW}Resizing rootfs to 16GB...${NC}"
+
+    # Get boot partition end in sectors
+    BOOT_END=$(parted -s "$DEVICE" unit s print | grep "^ 1" | awk '{print $3}' | tr -d 's')
+
+    # Calculate 16GB in sectors (512 byte sectors)
+    ROOT_SIZE_SECTORS=33554432
+    ROOT_END=$((BOOT_END + ROOT_SIZE_SECTORS))
+
+    # SHRINKING: filesystem first, then partition
+    echo "  Checking filesystem..."
+    e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+
+    # Shrink filesystem to 15.5GB (leave room for partition overhead)
+    echo "  Shrinking filesystem to 15500M..."
+    resize2fs "$ROOT_PART" 15500M
+
+    # Delete and recreate partition 2 with 16GB size
+    echo "  Shrinking partition to 16GB..."
+    parted -s "$DEVICE" rm 2
+    parted -s "$DEVICE" mkpart primary ext4 $((BOOT_END + 1))s ${ROOT_END}s
+
+    # Refresh partition table
+    partprobe "$DEVICE"
+    sleep 2
+
+    # Expand filesystem to fill the partition exactly
+    echo "  Expanding filesystem to fill partition..."
+    e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+    resize2fs "$ROOT_PART"
+
+    echo -e "${GREEN}  Rootfs resized to 16GB${NC}"
+elif [ "$CURRENT_SIZE" -lt "$TARGET_BYTES" ]; then
+    echo -e "${YELLOW}  Rootfs is smaller than 16GB - expanding...${NC}"
+
+    # Get boot partition end in sectors
+    BOOT_END=$(parted -s "$DEVICE" unit s print | grep "^ 1" | awk '{print $3}' | tr -d 's')
+    ROOT_SIZE_SECTORS=33554432
+    ROOT_END=$((BOOT_END + ROOT_SIZE_SECTORS))
+
+    # EXPANDING: partition first, then filesystem
+    parted -s "$DEVICE" rm 2
+    parted -s "$DEVICE" mkpart primary ext4 $((BOOT_END + 1))s ${ROOT_END}s
+
+    partprobe "$DEVICE"
+    sleep 2
+
+    e2fsck -f -y "$ROOT_PART" 2>/dev/null || true
+    resize2fs "$ROOT_PART"
+
+    echo -e "${GREEN}  Rootfs expanded to 16GB${NC}"
+else
+    echo -e "${GREEN}  Rootfs already ~16GB${NC}"
+fi
+
+# ============================================================================
+# Disable auto-expand on first boot
+# ============================================================================
+echo
+echo -e "${YELLOW}Disabling auto-expand...${NC}"
+TEMP_ROOT=$(mktemp -d)
+mount "$ROOT_PART" "$TEMP_ROOT"
+
+# Remove resize2fs_once service if it exists
+rm -f "$TEMP_ROOT/etc/init.d/resize2fs_once"
+rm -f "$TEMP_ROOT/etc/rc3.d/S01resize2fs_once"
+
+# Disable the systemd resize service
+rm -f "$TEMP_ROOT/etc/systemd/system/multi-user.target.wants/rpi-resizerootfs.service"
+
+umount "$TEMP_ROOT"
+rmdir "$TEMP_ROOT"
+echo -e "${GREEN}  Auto-expand disabled${NC}"
+
+# ============================================================================
+# Pull image
+# ============================================================================
+echo
+echo -e "${BOLD}Partition table:${NC}"
+parted -s "$DEVICE" unit s print
+echo
+
+# Get the end of the last partition (partition 2 = rootfs)
+END_SECTOR=$(parted -s "$DEVICE" unit s print | grep "^ 2" | awk '{print $3}' | tr -d 's')
+
+if [ -z "$END_SECTOR" ]; then
+    echo -e "${RED}Error: Could not determine partition 2 end sector${NC}"
+    exit 1
+fi
+
+# Add a small buffer (1MB = 2048 sectors) for safety
+TOTAL_SECTORS=$((END_SECTOR + 2048))
+TOTAL_BYTES=$((TOTAL_SECTORS * 512))
+TOTAL_GB=$(echo "scale=2; $TOTAL_BYTES / 1073741824" | bc)
+
+echo -e "Image size: ${YELLOW}~${TOTAL_GB}GB${NC} (${TOTAL_SECTORS} sectors)"
+echo -e "Output: ${YELLOW}$OUTPUT${NC}"
+echo
+
+read -p "Proceed with image pull? [Y/n] " confirm
+if [[ "$confirm" =~ ^[Nn]$ ]]; then
+    echo "Aborted."
+    exit 1
+fi
+
+echo
+echo -e "${GREEN}Pulling image...${NC}"
+echo
+
+# Use pv if available for progress, otherwise fallback to dd status
+if command -v pv &> /dev/null; then
+    dd if="$DEVICE" bs=512 count=$TOTAL_SECTORS 2>/dev/null | \
+        pv -s $TOTAL_BYTES | \
+        zstd -T0 -3 > "$OUTPUT"
+else
+    dd if="$DEVICE" bs=512 count=$TOTAL_SECTORS status=progress | \
+        zstd -T0 -3 > "$OUTPUT"
+fi
+
+echo
+echo -e "${GREEN}Done!${NC} Image saved to: $OUTPUT"
+ls -lh "$OUTPUT"
+
+# ============================================================================
+# Optional: Zip-wrap for GitHub releases
+# ============================================================================
+echo
+read -p "Create .zst.zip wrapper for GitHub? [y/N] " zip_confirm
+if [[ "$zip_confirm" =~ ^[Yy]$ ]]; then
+    ZIP_OUTPUT="${OUTPUT}.zip"
+    echo -e "${YELLOW}Creating zip wrapper (store mode, no compression)...${NC}"
+    zip -0 "$ZIP_OUTPUT" "$OUTPUT"
+    echo -e "${GREEN}Done!${NC} Upload this to GitHub Releases:"
+    ls -lh "$ZIP_OUTPUT"
+    echo
+    echo "Users can flash with:"
+    echo "  sudo ./rpi/flash-image.sh $ZIP_OUTPUT"
+else
+    echo
+    echo "To verify:"
+    echo "  zstdcat $OUTPUT | fdisk -l /dev/stdin"
+fi
--- a/rpi/sanitize-for-image.sh
+++ b/rpi/sanitize-for-image.sh
@@ -0,0 +1,589 @@
+#!/bin/bash
+#
+# Sanitize Raspberry Pi for SD Card Image Distribution
+# Run this BEFORE creating an image with dd
+#
+# This script removes:
+#   - WiFi credentials (unless --soft)
+#   - SSH host keys (will regenerate on boot)
+#   - SSH authorized keys
+#   - User-specific data
+#   - Bash history
+#   - Logs
+#   - Stegasoo auth database (users will create their own admin)
+#
+# Usage:
+#   sudo ./sanitize-for-image.sh                 # Full sanitize for image distribution
+#   sudo ./sanitize-for-image.sh --soft          # Soft reset (keeps WiFi for testing)
+#   sudo ./sanitize-for-image.sh --soft --reboot # Soft reset and auto-reboot
+#   sudo ./sanitize-for-image.sh --reboot        # Full sanitize and auto-shutdown
+#
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+GRAY='\033[0;90m'
+BOLD='\033[1m'
+NC='\033[0m'
+
+# Source banner functions
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/banner.sh"
+
+# Show help
+show_help() {
+    echo "Stegasoo Sanitize Script - Prepare Pi for SD Card Imaging"
+    echo ""
+    echo "Usage: sudo $0 [options]"
+    echo ""
+    echo "Options:"
+    echo "  -h, --help     Show this help message"
+    echo "  -s, --soft     Soft reset (keeps WiFi for testing)"
+    echo "  -r, --reboot   Auto-reboot/shutdown when done"
+    echo ""
+    echo "Examples:"
+    echo "  sudo $0                 # Full sanitize, prompts for shutdown"
+    echo "  sudo $0 --soft          # Keep WiFi, reset everything else"
+    echo "  sudo $0 --soft --reboot # Soft reset, auto-reboot"
+    echo "  sudo $0 --reboot        # Full sanitize, auto-shutdown"
+    echo ""
+    echo "Config override:"
+    echo "  Set STEGASOO_DIR to specify a custom install location:"
+    echo "    export STEGASOO_DIR=\"/home/pi/stegasoo\""
+    echo "    sudo -E $0"
+    echo ""
+    exit 0
+}
+
+SOFT_RESET=false
+AUTO_REBOOT=false
+for arg in "$@"; do
+    case $arg in
+        -h|--help) show_help ;;
+        --soft|-s) SOFT_RESET=true ;;
+        --reboot|-r) AUTO_REBOOT=true ;;
+    esac
+done
+
+if [ "$EUID" -ne 0 ]; then
+    echo -e "${RED}Error: Must run as root (sudo)${NC}"
+    exit 1
+fi
+
+clear
+if [ "$SOFT_RESET" = true ]; then
+    print_banner "Soft Reset (Factory)"
+else
+    print_banner "Sanitize for Imaging"
+fi
+echo ""
+
+if [ "$SOFT_RESET" = true ]; then
+    echo "  WiFi credentials will be KEPT for continued testing."
+    echo "  Everything else will be reset to first-boot state."
+else
+    echo "  This will remove ALL personal data for imaging."
+    echo "  The system will shut down when complete."
+fi
+echo ""
+
+if [ "$AUTO_REBOOT" = false ]; then
+    # Flush input buffer before prompt
+    read -t 0.1 -n 10000 discard </dev/tty 2>/dev/null || true
+    read -p "Continue? This cannot be undone! [y/N] " -n 1 -r </dev/tty
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        echo "Aborted."
+        exit 1
+    fi
+fi
+
+# Track validation results
+VALIDATION_ERRORS=0
+
+# =============================================================================
+# Step 1: WiFi Credentials
+# =============================================================================
+if [ "$SOFT_RESET" = true ]; then
+    echo -e "${GREEN}[1/11]${NC} Keeping WiFi credentials (soft reset)..."
+    echo "  WiFi config preserved"
+else
+    echo -e "${GREEN}[1/11]${NC} Removing WiFi credentials..."
+
+    # Remove from rootfs
+    if [ -f /etc/wpa_supplicant/wpa_supplicant.conf ]; then
+        cat > /etc/wpa_supplicant/wpa_supplicant.conf << 'EOF'
+ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
+update_config=1
+country=US
+
+# Add your WiFi network here on first boot:
+# network={
+#     ssid="YourNetworkName"
+#     psk="YourPassword"
+# }
+EOF
+        echo "  Cleared /etc/wpa_supplicant/wpa_supplicant.conf"
+    fi
+
+    # Remove from boot partition (headless setup file)
+    BOOT_PART=$(findmnt -n -o SOURCE /boot/firmware 2>/dev/null || findmnt -n -o SOURCE /boot 2>/dev/null || echo "")
+    if [ -n "$BOOT_PART" ]; then
+        BOOT_MOUNT=$(findmnt -n -o TARGET "$BOOT_PART" 2>/dev/null || echo "/boot")
+        rm -f "$BOOT_MOUNT/wpa_supplicant.conf" 2>/dev/null || true
+        echo "  Removed boot partition WiFi config"
+    fi
+
+    # Remove NetworkManager connections (RPi OS Bookworm+)
+    if [ -d /etc/NetworkManager/system-connections ]; then
+        # Remove all WiFi connections (files containing type=wifi)
+        for conn in /etc/NetworkManager/system-connections/*; do
+            if [ -f "$conn" ] && grep -q "type=wifi" "$conn" 2>/dev/null; then
+                rm -f "$conn"
+                echo "  Removed NetworkManager: $(basename "$conn")"
+            fi
+        done
+    fi
+
+    # Remove netplan WiFi configs (Ubuntu-based systems)
+    if [ -d /etc/netplan ]; then
+        for np in /etc/netplan/*.yaml; do
+            if [ -f "$np" ] && grep -q "wifis:" "$np" 2>/dev/null; then
+                rm -f "$np"
+                echo "  Removed netplan: $(basename "$np")"
+            fi
+        done
+        # Also remove NM-generated netplan files (contain WiFi SSIDs)
+        rm -f /etc/netplan/90-NM-*.yaml 2>/dev/null && echo "  Removed netplan NM configs"
+    fi
+fi
+
+# =============================================================================
+# Step 2: SSH Authorized Keys
+# =============================================================================
+echo -e "${GREEN}[2/11]${NC} Removing SSH authorized keys..."
+for user_home in /home/*; do
+    if [ -d "$user_home/.ssh" ]; then
+        rm -f "$user_home/.ssh/authorized_keys"
+        rm -f "$user_home/.ssh/known_hosts"
+        echo "  Cleared $user_home/.ssh/"
+    fi
+done
+rm -f /root/.ssh/authorized_keys /root/.ssh/known_hosts 2>/dev/null || true
+
+# =============================================================================
+# Step 3: SSH Host Keys
+# =============================================================================
+echo -e "${GREEN}[3/11]${NC} Removing SSH host keys (will regenerate on first boot)..."
+rm -f /etc/ssh/ssh_host_*
+
+# Create a first-boot service to regenerate SSH keys
+cat > /etc/systemd/system/regenerate-ssh-keys.service <<'SSHEOF'
+[Unit]
+Description=Regenerate SSH host keys on first boot
+Before=ssh.service
+ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ssh-keygen -A
+
+[Install]
+WantedBy=multi-user.target
+SSHEOF
+
+systemctl enable regenerate-ssh-keys.service 2>/dev/null || true
+echo "  SSH host keys removed (will regenerate on first boot)"
+
+# =============================================================================
+# Step 4: Bash History
+# =============================================================================
+echo -e "${GREEN}[4/11]${NC} Clearing bash history..."
+for user_home in /home/*; do
+    rm -f "$user_home/.bash_history"
+    rm -f "$user_home/.python_history"
+done
+rm -f /root/.bash_history /root/.python_history 2>/dev/null || true
+history -c 2>/dev/null || true
+
+# =============================================================================
+# Step 5: Stegasoo User Data
+# =============================================================================
+echo -e "${GREEN}[5/11]${NC} Removing Stegasoo user data..."
+# Remove auth database (users create their own admin on first run)
+rm -rf /opt/stegasoo/frontends/web/instance/ 2>/dev/null
+rm -rf /home/*/stegasoo/frontends/web/instance/
+# Remove SSL certs (will be regenerated)
+rm -rf /opt/stegasoo/frontends/web/certs/ 2>/dev/null
+rm -rf /home/*/stegasoo/frontends/web/certs/
+# Remove any .env files with channel keys
+rm -f /opt/stegasoo/frontends/web/.env 2>/dev/null
+rm -f /home/*/stegasoo/frontends/web/.env
+# Reset port 443 redirect (user reconfigures in wizard)
+if systemctl is-enabled --quiet iptables-restore 2>/dev/null; then
+    systemctl disable iptables-restore 2>/dev/null || true
+    rm -f /etc/systemd/system/iptables-restore.service
+    rm -f /etc/iptables.rules
+    iptables -t nat -F PREROUTING 2>/dev/null || true
+    echo "  Port 443 redirect cleared"
+fi
+echo "  Stegasoo instance data cleared"
+
+# =============================================================================
+# Step 6: First-Boot Wizard Setup
+# =============================================================================
+echo -e "${GREEN}[6/11]${NC} Setting up first-boot wizard..."
+
+# Find stegasoo install directory (prefer /opt/stegasoo)
+STEGASOO_DIR=""
+if [ -d /opt/stegasoo ]; then
+    STEGASOO_DIR="/opt/stegasoo"
+else
+    STEGASOO_DIR=$(ls -d /home/*/stegasoo 2>/dev/null | head -1)
+fi
+
+if [ -z "$STEGASOO_DIR" ]; then
+    # Last resort fallback
+    if [ -d /root/stegasoo ]; then
+        STEGASOO_DIR="/root/stegasoo"
+    fi
+fi
+
+STEGASOO_USER=$(stat -c '%U' "$STEGASOO_DIR" 2>/dev/null || echo "pi")
+echo "  Stegasoo directory: $STEGASOO_DIR"
+echo "  Stegasoo user: $STEGASOO_USER"
+
+# Check and repair venv if needed (paths break when moving directories)
+if [ -n "$STEGASOO_DIR" ] && [ -d "$STEGASOO_DIR/venv" ]; then
+    VENV_PYTHON="$STEGASOO_DIR/venv/bin/python"
+    # Check if venv python works and has stegasoo installed
+    if ! "$VENV_PYTHON" -c "import stegasoo" 2>/dev/null; then
+        echo "  Venv broken or stegasoo not installed, rebuilding..."
+        rm -rf "$STEGASOO_DIR/venv"
+
+        # Find Python 3.12 (prefer pyenv, fall back to system)
+        USER_HOME=$(eval echo "~$STEGASOO_USER")
+        PYENV_PYTHON="$USER_HOME/.pyenv/versions/3.12*/bin/python"
+        if compgen -G "$PYENV_PYTHON" > /dev/null 2>&1; then
+            PYTHON_BIN=$(ls $PYENV_PYTHON 2>/dev/null | head -1)
+            echo "  Using pyenv Python: $PYTHON_BIN"
+        elif command -v python3.12 &>/dev/null; then
+            PYTHON_BIN="python3.12"
+            echo "  Using system Python 3.12"
+        else
+            PYTHON_BIN="python3"
+            echo "  Warning: Python 3.12 not found, using $($PYTHON_BIN --version)"
+        fi
+
+        sudo -u "$STEGASOO_USER" "$PYTHON_BIN" -m venv "$STEGASOO_DIR/venv"
+        sudo -u "$STEGASOO_USER" "$STEGASOO_DIR/venv/bin/pip" install --quiet --upgrade pip setuptools wheel
+
+        # On ARM64, jpegio needs patching before install
+        ARCH=$(uname -m)
+        if [[ "$ARCH" == "aarch64" || "$ARCH" == "arm64" ]]; then
+            echo "  Building jpegio for ARM64 (this may take a minute)..."
+            # Install build deps
+            sudo -u "$STEGASOO_USER" "$STEGASOO_DIR/venv/bin/pip" install --quiet cython numpy
+            JPEGIO_DIR="/tmp/jpegio-build-$$"
+            rm -rf "$JPEGIO_DIR"
+            if git clone https://github.com/dwgoon/jpegio.git "$JPEGIO_DIR" 2>/dev/null; then
+                # Apply patch to remove -m64 flag
+                if [ -f "$STEGASOO_DIR/rpi/patches/jpegio/apply-patch.sh" ]; then
+                    bash "$STEGASOO_DIR/rpi/patches/jpegio/apply-patch.sh" "$JPEGIO_DIR"
+                else
+                    sed -i "s/cargs.append('-m64')/pass  # ARM64 fix/g" "$JPEGIO_DIR/setup.py"
+                fi
+                # Change ownership so user can build
+                chown -R "$STEGASOO_USER:$STEGASOO_USER" "$JPEGIO_DIR"
+                sudo -u "$STEGASOO_USER" "$STEGASOO_DIR/venv/bin/pip" install "$JPEGIO_DIR"
+                rm -rf "$JPEGIO_DIR"
+            else
+                echo "  Warning: Failed to clone jpegio, DCT mode may not work"
+            fi
+        fi
+
+        sudo -u "$STEGASOO_USER" "$STEGASOO_DIR/venv/bin/pip" install --quiet -e "$STEGASOO_DIR[web]"
+        echo "  Venv rebuilt and stegasoo installed"
+    else
+        echo "  Venv OK"
+    fi
+fi
+
+# Ensure PATH hook exists for stegasoo CLI and scripts
+if [ ! -f /etc/profile.d/stegasoo-path.sh ]; then
+    echo "  Creating PATH hook..."
+    cat > /etc/profile.d/stegasoo-path.sh <<'PATHEOF'
+# Stegasoo CLI and scripts
+if [ -d /opt/stegasoo/venv/bin ]; then
+    export PATH="/opt/stegasoo/venv/bin:$PATH"
+fi
+if [ -d /opt/stegasoo/rpi ]; then
+    export PATH="/opt/stegasoo/rpi:$PATH"
+fi
+PATHEOF
+    chmod 644 /etc/profile.d/stegasoo-path.sh
+    echo "  Installed PATH hook to /etc/profile.d/"
+else
+    echo "  PATH hook OK"
+fi
+
+if [ -n "$STEGASOO_DIR" ] && [ -f "$STEGASOO_DIR/rpi/stegasoo-wizard.sh" ]; then
+    # Install the profile.d hook
+    cp "$STEGASOO_DIR/rpi/stegasoo-wizard.sh" /etc/profile.d/stegasoo-wizard.sh
+    chmod 644 /etc/profile.d/stegasoo-wizard.sh
+    echo "  Installed wizard hook to /etc/profile.d/"
+
+    # Create the first-boot flag
+    touch /etc/stegasoo-first-boot
+    echo "  Created /etc/stegasoo-first-boot flag"
+
+    # Reset systemd service to defaults (wizard will reconfigure)
+    cat > /etc/systemd/system/stegasoo.service <<EOF
+[Unit]
+Description=Stegasoo Web UI
+After=network.target
+
+[Service]
+Type=simple
+User=$STEGASOO_USER
+WorkingDirectory=$STEGASOO_DIR/frontends/web
+Environment="PATH=$STEGASOO_DIR/venv/bin:/usr/bin"
+Environment="STEGASOO_AUTH_ENABLED=true"
+Environment="STEGASOO_HTTPS_ENABLED=false"
+Environment="STEGASOO_PORT=5000"
+Environment="STEGASOO_CHANNEL_KEY="
+ExecStart=$STEGASOO_DIR/venv/bin/python app.py
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    systemctl daemon-reload
+    echo "  Reset systemd service to defaults"
+else
+    echo -e "  ${RED}ERROR: Could not find wizard script${NC}"
+    echo "  STEGASOO_DIR: $STEGASOO_DIR"
+    VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
+fi
+
+# =============================================================================
+# Step 7: Logs
+# =============================================================================
+echo -e "${GREEN}[7/11]${NC} Clearing logs..."
+journalctl --rotate 2>/dev/null || true
+journalctl --vacuum-time=1s 2>/dev/null || true
+rm -rf /var/log/*.log /var/log/*.gz /var/log/*.[0-9] 2>/dev/null || true
+rm -rf /var/log/apt/* 2>/dev/null || true
+rm -rf /var/log/journal/* 2>/dev/null || true
+find /var/log -type f -name "*.log" -delete 2>/dev/null || true
+echo "  Logs cleared"
+
+# =============================================================================
+# Step 8: Temporary Files
+# =============================================================================
+echo -e "${GREEN}[8/11]${NC} Clearing temporary files..."
+rm -rf /tmp/* 2>/dev/null || true
+rm -rf /var/tmp/* 2>/dev/null || true
+echo "  Temp files cleared"
+
+# =============================================================================
+# Step 9: Package Cache
+# =============================================================================
+echo -e "${GREEN}[9/11]${NC} Clearing package cache..."
+apt-get clean 2>/dev/null || true
+rm -rf /var/cache/apt/archives/* 2>/dev/null || true
+echo "  Package cache cleared"
+
+# =============================================================================
+# Step 10: Remove Overclock Settings
+# =============================================================================
+if [ "$SOFT_RESET" = true ]; then
+    echo -e "${GREEN}[10/11]${NC} Keeping overclock settings (soft reset)..."
+    echo "  Overclock config preserved"
+else
+    echo -e "${GREEN}[10/11]${NC} Removing overclock settings..."
+    CONFIG_FILE="/boot/firmware/config.txt"
+    if [ ! -f "$CONFIG_FILE" ]; then
+        CONFIG_FILE="/boot/config.txt"
+    fi
+
+    if [ -f "$CONFIG_FILE" ]; then
+        # Remove overclock-related lines
+        if grep -q "over_voltage\|arm_freq\|gpu_freq" "$CONFIG_FILE" 2>/dev/null; then
+            # Create temp file without overclock lines
+            grep -v "^over_voltage=\|^arm_freq=\|^gpu_freq=\|^# Overclock" "$CONFIG_FILE" > "${CONFIG_FILE}.tmp"
+            mv "${CONFIG_FILE}.tmp" "$CONFIG_FILE"
+            echo "  Removed overclock settings from $CONFIG_FILE"
+        else
+            echo "  No overclock settings found"
+        fi
+    else
+        echo "  Config file not found, skipping"
+    fi
+fi
+
+# =============================================================================
+# Step 11: Final Sync
+# =============================================================================
+echo -e "${GREEN}[11/11]${NC} Final sync..."
+rm -f /root/.bash_history 2>/dev/null || true
+sync
+echo "  Filesystem synced"
+
+# =============================================================================
+# Validation
+# =============================================================================
+echo ""
+echo -e "${CYAN}Validating sanitization...${NC}"
+
+# Check first-boot flag
+if [ -f /etc/stegasoo-first-boot ]; then
+    echo -e "  ${GREEN}[PASS]${NC} First-boot flag exists"
+else
+    echo -e "  ${RED}[FAIL]${NC} First-boot flag missing"
+    VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
+fi
+
+# Check profile.d hook
+if [ -f /etc/profile.d/stegasoo-wizard.sh ]; then
+    echo -e "  ${GREEN}[PASS]${NC} Wizard hook installed"
+else
+    echo -e "  ${RED}[FAIL]${NC} Wizard hook missing"
+    VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
+fi
+
+# Check SSH host keys removed
+if ls /etc/ssh/ssh_host_* 1>/dev/null 2>&1; then
+    echo -e "  ${RED}[FAIL]${NC} SSH host keys still present"
+    VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
+else
+    echo -e "  ${GREEN}[PASS]${NC} SSH host keys removed"
+fi
+
+# Check Stegasoo instance data removed
+DB_FOUND=false
+if ls /opt/stegasoo/frontends/web/instance/*.db 1>/dev/null 2>&1; then
+    DB_FOUND=true
+fi
+if ls /home/*/stegasoo/frontends/web/instance/*.db 1>/dev/null 2>&1; then
+    DB_FOUND=true
+fi
+if [ "$DB_FOUND" = true ]; then
+    echo -e "  ${RED}[FAIL]${NC} Stegasoo database still present"
+    VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
+else
+    echo -e "  ${GREEN}[PASS]${NC} Stegasoo database removed"
+fi
+
+# Check WiFi (only for full sanitize)
+if [ "$SOFT_RESET" = false ]; then
+    WIFI_FOUND=false
+
+    # Check wpa_supplicant
+    if grep -q "psk=" /etc/wpa_supplicant/wpa_supplicant.conf 2>/dev/null; then
+        WIFI_FOUND=true
+    fi
+
+    # Check NetworkManager
+    for conn in /etc/NetworkManager/system-connections/*; do
+        if [ -f "$conn" ] && grep -q "type=wifi" "$conn" 2>/dev/null; then
+            WIFI_FOUND=true
+            break
+        fi
+    done
+
+    # Check netplan
+    for np in /etc/netplan/*.yaml; do
+        if [ -f "$np" ] && grep -q "wifis:" "$np" 2>/dev/null; then
+            WIFI_FOUND=true
+            break
+        fi
+    done
+    # Check NM-generated netplan
+    if ls /etc/netplan/90-NM-*.yaml 1>/dev/null 2>&1; then
+        WIFI_FOUND=true
+    fi
+
+    if [ "$WIFI_FOUND" = true ]; then
+        echo -e "  ${RED}[FAIL]${NC} WiFi credentials still present"
+        VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
+    else
+        echo -e "  ${GREEN}[PASS]${NC} WiFi credentials cleared"
+    fi
+else
+    echo -e "  ${YELLOW}[SKIP]${NC} WiFi check (soft reset mode)"
+fi
+
+# Check authorized_keys removed
+AUTH_KEYS_FOUND=false
+for user_home in /home/*; do
+    if [ -f "$user_home/.ssh/authorized_keys" ]; then
+        AUTH_KEYS_FOUND=true
+        break
+    fi
+done
+if [ "$AUTH_KEYS_FOUND" = true ]; then
+    echo -e "  ${RED}[FAIL]${NC} SSH authorized_keys still present"
+    VALIDATION_ERRORS=$((VALIDATION_ERRORS + 1))
+else
+    echo -e "  ${GREEN}[PASS]${NC} SSH authorized_keys removed"
+fi
+
+# =============================================================================
+# Summary
+# =============================================================================
+echo ""
+if [ $VALIDATION_ERRORS -eq 0 ]; then
+    echo -e "${BOLD}Sanitization Complete!${NC}"
+    echo -e "${GREEN}-------------------------------------------------------${NC}"
+    echo -e "  ${GREEN}All validation checks passed.${NC}"
+else
+    echo -e "${BOLD}Sanitization Complete with Errors${NC}"
+    echo -e "${RED}-------------------------------------------------------${NC}"
+    echo -e "  ${RED}$VALIDATION_ERRORS validation check(s) failed${NC}"
+fi
+echo ""
+
+if [ "$SOFT_RESET" = true ]; then
+    echo -e "${CYAN}Soft reset complete.${NC}"
+    echo "You can now reboot to test the first-boot wizard."
+    echo ""
+    if [ "$AUTO_REBOOT" = true ]; then
+        echo "Rebooting..."
+        exec reboot
+    fi
+    # Flush input buffer and pause before prompt
+    read -t 0.1 -n 10000 discard </dev/tty 2>/dev/null || true
+    sleep 0.3
+    read -p "Reboot now? [y/N] " -n 1 -r </dev/tty
+    echo
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        exec reboot
+    fi
+else
+    echo "The system is ready for imaging."
+    echo ""
+    echo -e "${YELLOW}Next steps:${NC}"
+    echo "  1. Shut down: sudo shutdown -h now"
+    echo "  2. Remove SD card"
+    echo "  3. On another machine, copy with:"
+    echo "     sudo dd if=/dev/sdX of=stegasoo-rpi.img bs=4M status=progress"
+    echo "  4. Compress: zstd -19 stegasoo-rpi.img"
+    echo ""
+    if [ "$AUTO_REBOOT" = true ]; then
+        echo "Shutting down..."
+        exec shutdown -h now
+    fi
+    # Flush input buffer and pause before prompt
+    read -t 0.1 -n 10000 discard </dev/tty 2>/dev/null || true
+    sleep 0.3
+    read -p "Shut down now? [y/N] " -n 1 -r </dev/tty
+    echo
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        exec shutdown -h now
+    fi
+fi
--- a/rpi/setup.sh
+++ b/rpi/setup.sh
@@ -0,0 +1,703 @@
+#!/bin/bash
+#
+# Stegasoo Raspberry Pi Setup Script
+# Tested on: Raspberry Pi 4/5 with Raspberry Pi OS (64-bit)
+#
+# Usage:
+#   curl -sSL https://raw.githubusercontent.com/adlee-was-taken/stegasoo/4.1/rpi/setup.sh | bash
+#   # or
+#   wget -qO- https://raw.githubusercontent.com/adlee-was-taken/stegasoo/4.1/rpi/setup.sh | bash
+#
+# What this script does:
+#   1. Installs system dependencies
+#   2. Installs Python 3.12 via pyenv (Pi OS ships with 3.13 which is incompatible)
+#   3. Patches and builds jpegio for ARM
+#   4. Installs Stegasoo with web UI
+#   5. Creates systemd service for auto-start
+#   6. Enables the service
+#
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+CYAN='\033[0;36m'
+GRAY='\033[0;90m'
+BOLD='\033[1m'
+NC='\033[0m' # No Color
+
+# Source banner.sh if available (for local runs), otherwise define inline
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" 2>/dev/null && pwd)"
+if [ -f "$SCRIPT_DIR/banner.sh" ]; then
+    source "$SCRIPT_DIR/banner.sh"
+else
+    # Inline banner functions for curl-pipe execution
+    print_gradient_line() {
+        echo -e "\033[38;5;93m══════════════\033[38;5;99m══════════════\033[38;5;105m══════════════\033[38;5;117m══════════════\033[0m"
+    }
+    print_banner() {
+        local subtitle="$1"
+        echo ""
+        print_gradient_line
+        echo -e "\033[0;90m · .  · .  *  · .  *  · .  *  · .  *  · .  *  · .  ·\033[0m"
+        echo -e "\033[38;5;220m    ___  _____  ___    ___    _    ___    ___    ___\033[0m"
+        echo -e "\033[38;5;220m   / __||_   _|| __|  / __|  /_\\  / __|  / _ \\  / _ \\\\\033[0m"
+        echo -e "\033[38;5;220m   \\__ \\  | |  | _|  | (_ | / _ \\ \\__ \\ | (_) || (_) |\033[0m"
+        echo -e "\033[38;5;220m   |___/  |_|  |___|  \\___//_/ \\_\\|___/  \\___/  \\___/\033[0m"
+        echo -e "\033[0;90m · .  · .  *  · .  *  · .  *  · .  *  · .  *  · .  ·\033[0m"
+        print_gradient_line
+        if [ -n "$subtitle" ]; then
+            echo -e "\033[1;37m                    ${subtitle}\033[0m"
+            print_gradient_line
+        fi
+    }
+fi
+
+# Show help
+show_help() {
+    echo "Stegasoo Raspberry Pi Setup Script"
+    echo ""
+    echo "Usage: $0 [options]"
+    echo ""
+    echo "Options:"
+    echo "  -h, --help      Show this help message"
+    echo "  --no-prebuilt   Build from source instead of using pre-built venv"
+    echo "  --from-source   Same as --no-prebuilt"
+    echo ""
+    echo "Configuration:"
+    echo "  Config files are loaded in order (later overrides earlier):"
+    echo "    1. /etc/stegasoo.conf"
+    echo "    2. ~/.config/stegasoo/stegasoo.conf"
+    echo "    3. Environment variables"
+    echo ""
+    echo "  Available variables:"
+    echo "    INSTALL_DIR       Install location (default: /opt/stegasoo)"
+    echo "    PYTHON_VERSION    Python version (default: 3.12)"
+    echo "    STEGASOO_REPO     Git repo URL"
+    echo "    STEGASOO_BRANCH   Git branch (default: 4.1)"
+    echo ""
+    echo "  Example:"
+    echo "    export INSTALL_DIR=\"/home/pi/stegasoo\""
+    echo "    ./setup.sh"
+    echo ""
+    exit 0
+}
+
+# Parse args
+for arg in "$@"; do
+    case $arg in
+        -h|--help) show_help ;;
+    esac
+done
+
+# Default configuration
+INSTALL_DIR="${INSTALL_DIR:-/opt/stegasoo}"
+PYTHON_VERSION="${PYTHON_VERSION:-3.12}"
+STEGASOO_REPO="${STEGASOO_REPO:-https://github.com/adlee-was-taken/stegasoo.git}"
+STEGASOO_BRANCH="${STEGASOO_BRANCH:-4.1}"
+JPEGIO_REPO="https://github.com/dwgoon/jpegio.git"
+
+# Load config files (system, then user - user overrides system)
+for config_file in "/etc/stegasoo.conf" "$HOME/.config/stegasoo/stegasoo.conf"; do
+    if [ -f "$config_file" ]; then
+        # shellcheck source=/dev/null
+        source "$config_file"
+    fi
+done
+
+clear
+print_banner "Raspberry Pi Setup"
+echo ""
+echo "  This will install Stegasoo with full DCT support"
+echo "  Estimated time: ~2 minutes (pre-built) or 15-20 min (from source)"
+echo ""
+
+# Check if running on ARM
+ARCH=$(uname -m)
+if [[ "$ARCH" != "aarch64" && "$ARCH" != "arm64" ]]; then
+    echo -e "${RED}Error: This script is for ARM64 systems (Raspberry Pi).${NC}"
+    echo "Detected architecture: $ARCH"
+    exit 1
+fi
+
+# Check available memory
+TOTAL_MEM=$(free -m | awk '/^Mem:/{print $2}')
+if [ "$TOTAL_MEM" -lt 2000 ]; then
+    echo -e "${YELLOW}Warning: Less than 2GB RAM detected ($TOTAL_MEM MB).${NC}"
+    echo "Stegasoo Web UI requires ~768MB for Argon2 operations."
+    echo "Consider using a Pi with more RAM for best results."
+    read -p "Continue anyway? [y/N] " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        exit 1
+    fi
+fi
+
+# Create /opt/stegasoo with proper permissions
+echo -e "${GREEN}[1/12]${NC} Setting up install directory..."
+if [ ! -d "$INSTALL_DIR" ]; then
+    sudo mkdir -p "$INSTALL_DIR"
+    sudo chown "$USER:$USER" "$INSTALL_DIR"
+    echo "  Created $INSTALL_DIR"
+else
+    # Ensure current user owns it
+    sudo chown "$USER:$USER" "$INSTALL_DIR"
+    echo "  $INSTALL_DIR exists, updated ownership"
+fi
+
+echo -e "${GREEN}[2/12]${NC} Installing system dependencies..."
+sudo apt-get update
+sudo apt-get install -y \
+    build-essential \
+    git \
+    curl \
+    zstd \
+    libssl-dev \
+    zlib1g-dev \
+    libbz2-dev \
+    libreadline-dev \
+    libsqlite3-dev \
+    libncursesw5-dev \
+    xz-utils \
+    tk-dev \
+    libxml2-dev \
+    libxmlsec1-dev \
+    libffi-dev \
+    liblzma-dev \
+    libzbar0 \
+    libjpeg-dev \
+    python3-dev \
+    btop
+
+echo -e "${GREEN}[3/12]${NC} Installing gum (TUI toolkit)..."
+# Add Charm repo for gum
+if ! command -v gum &>/dev/null; then
+    sudo mkdir -p /etc/apt/keyrings
+    curl -fsSL https://repo.charm.sh/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/charm.gpg
+    echo "deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *" | sudo tee /etc/apt/sources.list.d/charm.list
+    sudo apt-get update
+    sudo apt-get install -y gum
+else
+    echo "  gum already installed"
+fi
+
+echo -e "${GREEN}[4/12]${NC} Cloning Stegasoo..."
+
+# Clone Stegasoo first (needed to check for pre-built tarball)
+if [ -d "$INSTALL_DIR/.git" ]; then
+    echo "  Stegasoo directory exists, updating..."
+    cd "$INSTALL_DIR"
+    git fetch origin
+    git checkout "$STEGASOO_BRANCH"
+    git pull origin "$STEGASOO_BRANCH"
+else
+    git clone -b "$STEGASOO_BRANCH" "$STEGASOO_REPO" "$INSTALL_DIR"
+    cd "$INSTALL_DIR"
+fi
+
+# Pre-built environment tarball (skips 20+ min compile time)
+# Includes both pyenv Python 3.12 AND venv with all dependencies
+PREBUILT_TARBALL="$INSTALL_DIR/rpi/stegasoo-rpi-runtime-env-arm64.tar.zst"
+PREBUILT_URL="${PREBUILT_URL:-https://github.com/adlee-was-taken/stegasoo/releases/download/v4.1.5/stegasoo-rpi-runtime-env-arm64.tar.zst}"
+USE_PREBUILT=true
+
+# Use local tarball if present, otherwise will download
+if [ -f "$PREBUILT_TARBALL" ]; then
+    echo -e "${GREEN}Found local pre-built environment - fast install mode${NC}"
+else
+    echo -e "${GREEN}Will download pre-built environment - fast install mode${NC}"
+fi
+
+# Allow --no-prebuilt flag to force from-source build
+if [[ " $* " =~ " --no-prebuilt " ]] || [[ " $* " =~ " --from-source " ]]; then
+    USE_PREBUILT=false
+    echo -e "${YELLOW}Building from source (--no-prebuilt specified)${NC}"
+fi
+
+# Fast path: use pre-built environment if available
+if [ "$USE_PREBUILT" = true ]; then
+    echo -e "${GREEN}[5/8]${NC} Installing pre-built Python environment..."
+
+    # Download if local file doesn't exist
+    if [ ! -f "$PREBUILT_TARBALL" ]; then
+        echo "  Downloading pre-built environment (~50MB)..."
+        curl -L -o "$PREBUILT_TARBALL" "$PREBUILT_URL"
+    fi
+
+    # Extract pre-built environment (includes pyenv Python + venv)
+    echo "  Extracting pre-built environment..."
+    zstd -d "$PREBUILT_TARBALL" --stdout | tar -xf - -C "$HOME"
+
+    # Setup pyenv in current shell
+    export PYENV_ROOT="$HOME/.pyenv"
+    export PATH="$PYENV_ROOT/bin:$PATH"
+    eval "$(pyenv init -)"
+    pyenv global $PYTHON_VERSION
+
+    # Add to .bashrc if not already there
+    if ! grep -q 'PYENV_ROOT' ~/.bashrc; then
+        echo '' >> ~/.bashrc
+        echo '# pyenv' >> ~/.bashrc
+        echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
+        echo '[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
+        echo 'eval "$(pyenv init - bash)"' >> ~/.bashrc
+    fi
+
+    # Verify Python
+    INSTALLED_PY=$(python --version 2>&1 | cut -d' ' -f2 | cut -d'.' -f1,2)
+    echo -e "  ${GREEN}✓${NC} Python: $INSTALLED_PY"
+
+    # Extract venv to install dir
+    echo -e "${GREEN}[6/8]${NC} Setting up virtual environment..."
+    if [ -f "$HOME/stegasoo-venv.tar.zst" ]; then
+        zstd -d "$HOME/stegasoo-venv.tar.zst" --stdout | tar -xf - -C "$INSTALL_DIR"
+        rm "$HOME/stegasoo-venv.tar.zst"
+    fi
+
+    # Activate and verify
+    source "$INSTALL_DIR/venv/bin/activate"
+    VENV_PY=$(python --version 2>&1 | cut -d' ' -f2 | cut -d'.' -f1,2)
+    echo -e "  ${GREEN}✓${NC} venv Python: $VENV_PY"
+
+    # Install stegasoo package in editable mode (quick, no compile)
+    echo -e "${GREEN}[7/8]${NC} Installing Stegasoo package..."
+    pip install -e "." --quiet
+
+    # Adjust step numbers for rest of script
+    STEP_OFFSET=-4
+else
+    echo -e "${GREEN}[5/12]${NC} Installing pyenv and Python $PYTHON_VERSION..."
+
+    # Install pyenv if not present
+    if [ ! -d "$HOME/.pyenv" ]; then
+        curl https://pyenv.run | bash
+
+        # Add pyenv to current shell
+        export PYENV_ROOT="$HOME/.pyenv"
+        export PATH="$PYENV_ROOT/bin:$PATH"
+        eval "$(pyenv init -)"
+
+        # Add to .bashrc if not already there
+        if ! grep -q 'PYENV_ROOT' ~/.bashrc; then
+            echo '' >> ~/.bashrc
+            echo '# pyenv' >> ~/.bashrc
+            echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
+            echo '[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
+            echo 'eval "$(pyenv init - bash)"' >> ~/.bashrc
+        fi
+    else
+        echo "  pyenv already installed"
+        export PYENV_ROOT="$HOME/.pyenv"
+        export PATH="$PYENV_ROOT/bin:$PATH"
+        eval "$(pyenv init -)"
+    fi
+
+    # Install Python 3.12 if not present
+    if ! pyenv versions | grep -q "$PYTHON_VERSION"; then
+        echo "  Building Python $PYTHON_VERSION (this takes ~10 minutes)..."
+        pyenv install $PYTHON_VERSION
+    else
+        echo "  Python $PYTHON_VERSION already installed"
+    fi
+    pyenv global $PYTHON_VERSION
+
+    # Verify Python version
+    INSTALLED_PY=$(python --version 2>&1 | cut -d' ' -f2 | cut -d'.' -f1,2)
+    if [ "$INSTALLED_PY" != "$PYTHON_VERSION" ]; then
+        echo -e "${RED}Error: Python $PYTHON_VERSION not active. Got: $INSTALLED_PY${NC}"
+        exit 1
+    fi
+    echo -e "${GREEN}[6/12]${NC} Creating Python virtual environment..."
+    echo -e "  ${YELLOW}Note: No pre-built venv found. Building from source (20+ min)${NC}"
+    echo -e "  ${YELLOW}To speed up future installs, add stegasoo-venv-pi-arm64.tar.gz to rpi/${NC}"
+
+    # Create venv with pyenv Python (not system Python)
+    # Use pyenv which to get actual path (handles 3.12 -> 3.12.12 mapping)
+    PYENV_PYTHON=$(pyenv which python)
+    echo "  Using Python: $PYENV_PYTHON"
+    if [ ! -d "venv" ]; then
+        "$PYENV_PYTHON" -m venv venv
+    fi
+    source venv/bin/activate
+
+    # Verify we're using the right Python
+    VENV_PY=$(python --version 2>&1 | cut -d' ' -f2 | cut -d'.' -f1,2)
+    echo "  venv Python: $VENV_PY"
+
+    echo -e "${GREEN}[7/12]${NC} Building jpegio for ARM..."
+
+    # Clone jpegio
+    JPEGIO_DIR="/tmp/jpegio-build"
+    rm -rf "$JPEGIO_DIR"
+    git clone "$JPEGIO_REPO" "$JPEGIO_DIR"
+
+    # Apply ARM64 patch
+    if [ -f "$INSTALL_DIR/rpi/patches/jpegio/apply-patch.sh" ]; then
+        bash "$INSTALL_DIR/rpi/patches/jpegio/apply-patch.sh" "$JPEGIO_DIR"
+    else
+        echo "  Applying inline ARM64 patch..."
+        sed -i "s/cargs.append('-m64')/pass  # ARM64 fix/g" "$JPEGIO_DIR/setup.py"
+    fi
+
+    cd "$JPEGIO_DIR"
+
+    # Build jpegio into venv
+    pip install --upgrade pip setuptools wheel cython numpy
+    pip install .
+
+    cd "$INSTALL_DIR"
+    rm -rf "$JPEGIO_DIR"
+
+    echo -e "${GREEN}[8/12]${NC} Installing Stegasoo..."
+
+    # Install dependencies (jpegio already in venv, won't re-download)
+    pip install -e ".[web]"
+
+    STEP_OFFSET=0
+fi
+
+echo -e "${GREEN}[9/12]${NC} Creating systemd service..."
+
+# Create systemd service file
+sudo tee /etc/systemd/system/stegasoo.service > /dev/null <<EOF
+[Unit]
+Description=Stegasoo Web UI
+After=network.target
+
+[Service]
+Type=simple
+User=$USER
+WorkingDirectory=$INSTALL_DIR/frontends/web
+Environment="PATH=$INSTALL_DIR/venv/bin:/usr/bin"
+Environment="STEGASOO_AUTH_ENABLED=true"
+Environment="STEGASOO_HTTPS_ENABLED=false"
+Environment="STEGASOO_PORT=5000"
+ExecStart=$INSTALL_DIR/venv/bin/python app.py
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo -e "${GREEN}[10/12]${NC} Enabling service..."
+
+sudo systemctl daemon-reload
+sudo systemctl enable stegasoo.service
+
+echo -e "${GREEN}[11/12]${NC} Setting up user environment..."
+
+# Add stegasoo venv and rpi scripts to PATH for all users
+sudo tee /etc/profile.d/stegasoo-path.sh > /dev/null <<'PATHEOF'
+# Stegasoo CLI and scripts
+if [ -d /opt/stegasoo/venv/bin ]; then
+    export PATH="/opt/stegasoo/venv/bin:$PATH"
+fi
+if [ -d /opt/stegasoo/rpi ]; then
+    export PATH="/opt/stegasoo/rpi:$PATH"
+fi
+PATHEOF
+sudo chmod 644 /etc/profile.d/stegasoo-path.sh
+echo "  Added stegasoo to PATH"
+
+# Install custom bashrc if not already customized
+if [ -f "$INSTALL_DIR/rpi/skel/.bashrc" ]; then
+    if ! grep -q "Stegasoo Pi" ~/.bashrc 2>/dev/null; then
+        cp "$INSTALL_DIR/rpi/skel/.bashrc" ~/.bashrc
+        source ~/.bashrc 2>/dev/null || true
+        echo "  Installed custom .bashrc"
+    else
+        echo "  Custom .bashrc already installed"
+    fi
+fi
+
+echo -e "${GREEN}[12/12]${NC} Setting up login banner..."
+
+# Create dynamic MOTD script
+sudo tee /etc/profile.d/stegasoo-motd.sh > /dev/null <<'MOTDEOF'
+# Stegasoo login banner
+if systemctl is-active --quiet stegasoo 2>/dev/null; then
+    PI_IP=$(hostname -I | awk '{print $1}')
+    # Check if HTTPS and port 443 are configured
+    if systemctl show stegasoo -p Environment 2>/dev/null | grep -q "STEGASOO_HTTPS_ENABLED=true"; then
+        # Check for port 443 redirect (iptables-restore service means 443 is configured)
+        if systemctl is-enabled --quiet iptables-restore 2>/dev/null; then
+            STEGASOO_URL="https://$PI_IP"
+        else
+            STEGASOO_URL="https://$PI_IP:5000"
+        fi
+    else
+        STEGASOO_URL="http://$PI_IP:5000"
+    fi
+    echo ""
+    echo -e "\033[38;5;93m══════════════\033[38;5;99m══════════════\033[38;5;105m══════════════\033[38;5;117m══════════════\033[0m"
+    echo -e "\033[0;90m · .  · .  *  · .  *  · .  *  · .  *  · .  *  · .  ·\033[0m"
+    echo -e "\033[38;5;220m    ___  _____  ___    ___    _    ___    ___    ___\033[0m"
+    echo -e "\033[38;5;220m   / __||_   _|| __|  / __|  /_\\  / __|  / _ \\  / _ \\\\\033[0m"
+    echo -e "\033[38;5;220m   \\__ \\  | |  | _|  | (_ | / _ \\ \\__ \\ | (_) || (_) |\033[0m"
+    echo -e "\033[38;5;220m   |___/  |_|  |___|  \\___//_/ \\_\\|___/  \\___/  \\___/\033[0m"
+    echo -e "\033[0;90m · .  · .  *  · .  *  · .  *  · .  *  · .  *  · .  ·\033[0m"
+    echo -e "\033[38;5;93m══════════════\033[38;5;99m══════════════\033[38;5;105m══════════════\033[38;5;117m══════════════\033[0m"
+    # Show CPU stats if overclocked (read configured freq, not current idle freq)
+    CONFIG_FILE=""
+    if [ -f /boot/firmware/config.txt ]; then CONFIG_FILE="/boot/firmware/config.txt"
+    elif [ -f /boot/config.txt ]; then CONFIG_FILE="/boot/config.txt"; fi
+    CPU_MHZ=""
+    CPU_TEMP=""
+    if [ -n "$CONFIG_FILE" ] && grep -qE "^arm_freq=" "$CONFIG_FILE" 2>/dev/null; then
+        CPU_MHZ=$(grep "^arm_freq=" "$CONFIG_FILE" | cut -d= -f2)
+        CPU_TEMP=$(vcgencmd measure_temp 2>/dev/null | cut -d= -f2)
+    fi
+    # Compact two-column layout
+    echo -e " 🚀 Stegasoo running     🌐 \033[0;33m$STEGASOO_URL\033[0m"
+    if [ -n "$CPU_MHZ" ] && [ -n "$CPU_TEMP" ]; then
+        # Temp emoji: ice<50, cool 50-70, fire>70
+        TEMP_NUM=$(echo "$CPU_TEMP" | grep -oE "[0-9]+" | head -1)
+        if [ -n "$TEMP_NUM" ]; then
+            if [ "$TEMP_NUM" -ge 70 ]; then
+                TEMP_EMOJI="🔥"
+            elif [ "$TEMP_NUM" -ge 50 ]; then
+                TEMP_EMOJI="😎"
+            else
+                TEMP_EMOJI="🧊"
+            fi
+        else
+            TEMP_EMOJI="🌡"
+        fi
+        echo -e " \033[0;35m⚡\033[0m ${CPU_MHZ} MHz             ${TEMP_EMOJI} ${CPU_TEMP}"
+    fi
+    echo -e "\033[38;5;93m══════════════\033[38;5;99m══════════════\033[38;5;105m══════════════\033[38;5;117m══════════════\033[0m"
+    echo ""
+else
+    echo ""
+    echo -e " \033[0;31m●\033[0m Stegasoo is not running"
+    echo -e "   Start with: sudo systemctl start stegasoo"
+    echo ""
+fi
+MOTDEOF
+sudo chmod 644 /etc/profile.d/stegasoo-motd.sh
+echo "  Created login banner"
+
+# Shorten the default Debian MOTD boilerplate
+echo "Debian GNU/Linux · License: /usr/share/doc/*/copyright" | sudo tee /etc/motd > /dev/null
+echo "  Shortened system MOTD"
+
+echo ""
+echo -e "${BOLD}Installation Complete!${NC}"
+echo -e "${BLUE}-------------------------------------------------------${NC}"
+echo ""
+echo -e "Stegasoo installed to: ${YELLOW}$INSTALL_DIR${NC}"
+echo ""
+
+# =============================================================================
+# Interactive Configuration
+# =============================================================================
+
+echo -e "${BOLD}Configuration${NC}"
+echo -e "${BLUE}-------------------------------------------------------${NC}"
+echo ""
+
+# Track configuration choices
+ENABLE_HTTPS="false"
+USE_PORT_443="false"
+CHANNEL_KEY=""
+
+# --- HTTPS Configuration ---
+echo -e "${GREEN}HTTPS Configuration${NC}"
+echo "  HTTPS encrypts traffic with a self-signed certificate."
+echo "  (Browser will show a security warning - this is normal for self-signed certs)"
+echo ""
+read -p "Enable HTTPS? [y/N] " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    ENABLE_HTTPS="true"
+    echo -e "  ${GREEN}✓${NC} HTTPS will be enabled"
+
+    # --- Port 443 Configuration ---
+    echo ""
+    echo -e "${GREEN}Port Configuration${NC}"
+    echo "  Standard HTTPS port is 443 (no port needed in URL)."
+    echo "  This requires iptables to redirect 443 → 5000."
+    echo ""
+    read -p "Use standard port 443? [y/N] " -n 1 -r
+    echo
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        USE_PORT_443="true"
+        echo -e "  ${GREEN}✓${NC} Port 443 will be configured"
+    else
+        echo -e "  ${YELLOW}→${NC} Using default port 5000"
+    fi
+else
+    echo -e "  ${YELLOW}→${NC} Using HTTP (unencrypted)"
+fi
+
+# --- Channel Key Configuration ---
+echo ""
+echo -e "${GREEN}Channel Key Configuration${NC}"
+echo "  A channel key creates a private encoding channel."
+echo "  Only users with the same key can decode each other's images."
+echo ""
+read -p "Generate a private channel key? [y/N] " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    # Generate channel key using the CLI
+    CHANNEL_KEY=$($INSTALL_DIR/venv/bin/python -c "from stegasoo.channel import generate_channel_key; print(generate_channel_key())")
+    echo -e "  ${GREEN}✓${NC} Channel key generated: ${YELLOW}$CHANNEL_KEY${NC}"
+    echo ""
+    echo -e "  ${RED}IMPORTANT: Save this key!${NC} You'll need to share it with anyone"
+    echo "  who should be able to decode your images."
+else
+    echo -e "  ${YELLOW}→${NC} Using public mode (no channel isolation)"
+fi
+
+# =============================================================================
+# Apply Configuration
+# =============================================================================
+
+echo ""
+echo -e "${BLUE}Applying configuration...${NC}"
+
+# Update systemd service with configuration
+sudo tee /etc/systemd/system/stegasoo.service > /dev/null <<EOF
+[Unit]
+Description=Stegasoo Web UI
+After=network.target
+
+[Service]
+Type=simple
+User=$USER
+WorkingDirectory=$INSTALL_DIR/frontends/web
+Environment="PATH=$INSTALL_DIR/venv/bin:/usr/bin"
+Environment="STEGASOO_AUTH_ENABLED=true"
+Environment="STEGASOO_HTTPS_ENABLED=$ENABLE_HTTPS"
+Environment="STEGASOO_PORT=5000"
+Environment="STEGASOO_CHANNEL_KEY=$CHANNEL_KEY"
+ExecStart=$INSTALL_DIR/venv/bin/python app.py
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Generate SSL certificates if HTTPS enabled
+if [ "$ENABLE_HTTPS" = "true" ]; then
+    echo "  Generating SSL certificates..."
+    CERT_DIR="$INSTALL_DIR/frontends/web/certs"
+    mkdir -p "$CERT_DIR"
+
+    # Get local IP for SAN
+    LOCAL_IP=$(hostname -I | awk '{print $1}')
+    PI_HOSTNAME=$(hostname)
+
+    # Generate cert with SANs for IP, hostname, and localhost
+    openssl req -x509 -newkey rsa:2048 \
+      -keyout "$CERT_DIR/server.key" \
+      -out "$CERT_DIR/server.crt" \
+      -days 365 -nodes \
+      -subj "/O=Stegasoo/CN=$PI_HOSTNAME" \
+      -addext "subjectAltName=DNS:$PI_HOSTNAME,DNS:$PI_HOSTNAME.local,DNS:localhost,IP:$LOCAL_IP,IP:127.0.0.1" \
+      2>/dev/null
+
+    # Fix permissions
+    chmod 600 "$CERT_DIR/server.key"
+    chown -R "$USER:$USER" "$CERT_DIR"
+    echo -e "  ${GREEN}✓${NC} SSL certificates generated"
+fi
+
+# Setup port 443 redirect if requested
+if [ "$USE_PORT_443" = "true" ]; then
+    echo "  Setting up port 443 redirect..."
+
+    # Install iptables if needed
+    if ! command -v iptables &> /dev/null; then
+        sudo apt-get install -y iptables
+    fi
+
+    # Add redirect rule
+    sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5000
+    sudo sh -c 'iptables-save > /etc/iptables.rules'
+
+    # Create systemd service to restore rules on boot
+    sudo tee /etc/systemd/system/iptables-restore.service > /dev/null <<EOF
+[Unit]
+Description=Restore iptables rules
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /etc/iptables.rules
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    sudo systemctl enable iptables-restore.service
+    echo -e "  ${GREEN}✓${NC} Port 443 redirect configured"
+fi
+
+sudo systemctl daemon-reload
+
+# =============================================================================
+# Final Summary
+# =============================================================================
+
+echo ""
+echo -e "${BOLD}Setup Complete!${NC}"
+echo -e "${BLUE}-------------------------------------------------------${NC}"
+echo ""
+
+PI_IP=$(hostname -I | awk '{print $1}')
+PI_HOST=$(hostname)
+
+echo -e "${GREEN}Create your admin account:${NC}"
+if [ "$ENABLE_HTTPS" = "true" ]; then
+    if [ "$USE_PORT_443" = "true" ]; then
+        echo -e "  ${YELLOW}https://$PI_HOST.local/setup${NC}"
+        echo -e "  ${YELLOW}https://$PI_IP/setup${NC}"
+    else
+        echo -e "  ${YELLOW}https://$PI_HOST.local:5000/setup${NC}"
+        echo -e "  ${YELLOW}https://$PI_IP:5000/setup${NC}"
+    fi
+else
+    echo -e "  ${YELLOW}http://$PI_HOST.local:5000/setup${NC}"
+    echo -e "  ${YELLOW}http://$PI_IP:5000/setup${NC}"
+fi
+
+echo ""
+if [ -n "$CHANNEL_KEY" ]; then
+    echo -e "${GREEN}Channel Key:${NC}"
+    echo -e "  ${YELLOW}$CHANNEL_KEY${NC}"
+    echo ""
+fi
+
+echo -e "${GREEN}Commands:${NC}"
+echo "  Start:   sudo systemctl start stegasoo"
+echo "  Stop:    sudo systemctl stop stegasoo"
+echo "  Status:  sudo systemctl status stegasoo"
+echo "  Logs:    journalctl -u stegasoo -f"
+echo ""
+
+# Offer to start now
+read -p "Start Stegasoo now? [Y/n] " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Nn]$ ]]; then
+    sudo systemctl start stegasoo
+    sleep 2
+    if systemctl is-active --quiet stegasoo; then
+        echo -e "${GREEN}✓ Stegasoo is running!${NC}"
+        if [ "$ENABLE_HTTPS" = "true" ]; then
+            if [ "$USE_PORT_443" = "true" ]; then
+                echo -e "  Create admin: ${YELLOW}https://$PI_HOST.local/setup${NC} or ${YELLOW}https://$PI_IP/setup${NC}"
+            else
+                echo -e "  Create admin: ${YELLOW}https://$PI_HOST.local:5000/setup${NC} or ${YELLOW}https://$PI_IP:5000/setup${NC}"
+            fi
+        else
+            echo -e "  Create admin: ${YELLOW}http://$PI_HOST.local:5000/setup${NC} or ${YELLOW}http://$PI_IP:5000/setup${NC}"
+        fi
+    else
+        echo -e "${RED}✗ Failed to start. Check logs:${NC} journalctl -u stegasoo -f"
+    fi
+fi
--- a/rpi/skel/.bashrc
+++ b/rpi/skel/.bashrc
@@ -0,0 +1,214 @@
+# ============================================================================
+# Stegasoo Pi - Bash Configuration
+# ============================================================================
+
+# If not running interactively, don't do anything
+case $- in
+    *i*) ;;
+      *) return;;
+esac
+
+# ============================================================================
+# History
+# ============================================================================
+
+HISTCONTROL=ignoreboth
+HISTSIZE=5000
+HISTFILESIZE=10000
+shopt -s histappend
+
+# ============================================================================
+# Shell Options
+# ============================================================================
+
+shopt -s checkwinsize
+shopt -s globstar 2>/dev/null
+shopt -s cdspell 2>/dev/null
+
+# ============================================================================
+# Colors
+# ============================================================================
+
+# Color definitions
+C_RESET='\[\e[0m\]'
+C_GREY='\[\e[38;5;241m\]'
+C_GREEN='\[\e[38;5;118m\]'
+C_YELLOW='\[\e[38;5;179m\]'
+C_BLUE='\[\e[38;5;69m\]'
+C_RED='\[\e[38;5;196m\]'
+C_BOLD='\[\e[1m\]'
+
+# Enable color support
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    alias grep='grep --color=auto'
+    alias fgrep='fgrep --color=auto'
+    alias egrep='egrep --color=auto'
+fi
+
+# ============================================================================
+# Prompt
+# ============================================================================
+
+# Git branch in prompt (if git installed)
+_git_branch() {
+    git branch 2>/dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ \xe2\x8e\x87 \1/'
+}
+
+# Two-line prompt similar to zsh theme
+# ┌｢user@host｣ ｢path｣ ｢git｣
+# └$
+_build_prompt() {
+    local git_info="$(_git_branch)"
+    if [ -n "$git_info" ]; then
+        git_info="${C_GREEN}${git_info}${C_GREY}"
+    fi
+
+    PS1="${C_GREY}┌｢${C_GREEN}\u@\h${C_GREY}｣ ｢${C_YELLOW}\w${C_GREY}${git_info}｣\n${C_GREY}└${C_BOLD}${C_BLUE}\$ ${C_RESET}"
+}
+
+PROMPT_COMMAND='_build_prompt'
+
+# ============================================================================
+# Navigation
+# ============================================================================
+
+alias ..='cd ..'
+alias ...='cd ../..'
+alias ....='cd ../../..'
+alias ~='cd ~'
+
+# ============================================================================
+# Listing
+# ============================================================================
+
+alias ll='ls -lah'
+alias la='ls -A'
+alias l='ls -CF'
+alias lt='ls -lahtr'
+
+# ============================================================================
+# Safety
+# ============================================================================
+
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+
+# ============================================================================
+# Shortcuts
+# ============================================================================
+
+alias h='history'
+alias c='clear'
+alias q='exit'
+alias reload='source ~/.bashrc'
+
+# ============================================================================
+# System
+# ============================================================================
+
+alias myip='curl -s ifconfig.me'
+alias ports='netstat -tulanp 2>/dev/null || ss -tulanp'
+alias df='df -h'
+alias du='du -h'
+alias free='free -h'
+alias temp='vcgencmd measure_temp 2>/dev/null || sensors 2>/dev/null | grep -i temp || echo "No temp sensor"'
+
+# ============================================================================
+# Stegasoo
+# ============================================================================
+
+alias steg='stegasoo'
+alias steglog='journalctl -u stegasoo -f'
+alias stegstatus='systemctl status stegasoo'
+alias stegrestart='sudo systemctl restart stegasoo'
+alias stegstop='sudo systemctl stop stegasoo'
+alias stegstart='sudo systemctl start stegasoo'
+
+# Quick access to stegasoo directories
+alias cdsteg='cd /opt/stegasoo'
+alias cdweb='cd /opt/stegasoo/frontends/web'
+
+# ============================================================================
+# Git (if available)
+# ============================================================================
+
+alias g='git'
+alias gs='git status'
+alias ga='git add'
+alias gc='git commit'
+alias gp='git push'
+alias gl='git pull'
+alias gd='git diff'
+alias gco='git checkout'
+alias glog='git log --oneline --graph --decorate -10'
+
+# ============================================================================
+# Functions
+# ============================================================================
+
+# Create directory and cd into it
+mkcd() { mkdir -p "$1" && cd "$1"; }
+
+# Find files by name
+ff() { find . -type f -iname "*$1*" 2>/dev/null; }
+
+# Find directories by name
+fdir() { find . -type d -iname "*$1*" 2>/dev/null; }
+
+# Quick backup
+backup() { cp "$1" "$1.backup-$(date +%Y%m%d-%H%M%S)"; }
+
+# Extract archives
+extract() {
+    if [ ! -f "$1" ]; then
+        echo "'$1' is not a valid file"
+        return 1
+    fi
+    case "$1" in
+        *.tar.bz2) tar xjf "$1" ;;
+        *.tar.gz)  tar xzf "$1" ;;
+        *.tar.xz)  tar xJf "$1" ;;
+        *.bz2)     bunzip2 "$1" ;;
+        *.gz)      gunzip "$1" ;;
+        *.tar)     tar xf "$1" ;;
+        *.tbz2)    tar xjf "$1" ;;
+        *.tgz)     tar xzf "$1" ;;
+        *.zip)     unzip "$1" ;;
+        *.Z)       uncompress "$1" ;;
+        *.7z)      7z x "$1" ;;
+        *.zst)     zstd -d "$1" ;;
+        *)         echo "'$1' cannot be extracted" ;;
+    esac
+}
+
+# Show system info
+sysinfo() {
+    echo -e "\e[1;32mHostname:\e[0m $(hostname)"
+    echo -e "\e[1;32mUptime:\e[0m $(uptime -p)"
+    echo -e "\e[1;32mMemory:\e[0m $(free -h | awk '/^Mem:/ {print $3 "/" $2}')"
+    echo -e "\e[1;32mDisk:\e[0m $(df -h / | awk 'NR==2 {print $3 "/" $2 " (" $5 ")"}')"
+    echo -e "\e[1;32mTemp:\e[0m $(vcgencmd measure_temp 2>/dev/null | cut -d= -f2 || echo 'N/A')"
+    echo -e "\e[1;32mIP:\e[0m $(hostname -I | awk '{print $1}')"
+}
+
+# ============================================================================
+# Completion
+# ============================================================================
+
+if ! shopt -oq posix; then
+    if [ -f /usr/share/bash-completion/bash_completion ]; then
+        . /usr/share/bash-completion/bash_completion
+    elif [ -f /etc/bash_completion ]; then
+        . /etc/bash_completion
+    fi
+fi
+
+# ============================================================================
+# Path
+# ============================================================================
+
+export PATH="$HOME/.local/bin:$PATH"
+
--- a/rpi/stegasoo-wizard.sh
+++ b/rpi/stegasoo-wizard.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Stegasoo First Boot Wizard Trigger
+# This file goes in /etc/profile.d/ and runs the wizard on first login
+
+if [ -f /etc/stegasoo-first-boot ]; then
+    # Find the wizard script (check /opt first, then home dirs)
+    WIZARD=""
+    if [ -f /opt/stegasoo/rpi/first-boot-wizard.sh ]; then
+        WIZARD="/opt/stegasoo/rpi/first-boot-wizard.sh"
+    else
+        WIZARD=$(ls /home/*/stegasoo/rpi/first-boot-wizard.sh 2>/dev/null | head -1)
+    fi
+
+    if [ -n "$WIZARD" ]; then
+        bash "$WIZARD"
+    fi
+fi
--- a/rpi/stegasoo.conf.example
+++ b/rpi/stegasoo.conf.example
@@ -0,0 +1,30 @@
+# Stegasoo Raspberry Pi Configuration
+# Copy this file to /etc/stegasoo.conf or ~/.config/stegasoo/stegasoo.conf
+#
+# You can also override these by exporting environment variables:
+#   export STEGASOO_INSTALL_DIR="/custom/path"
+#   ./setup.sh
+
+# Installation directory (default: /opt/stegasoo)
+#INSTALL_DIR="/opt/stegasoo"
+
+# Python version to install via pyenv (default: 3.12)
+#PYTHON_VERSION="3.12"
+
+# Git repository URL
+#STEGASOO_REPO="https://github.com/adlee-was-taken/stegasoo.git"
+
+# Git branch to checkout (default: 4.1)
+#STEGASOO_BRANCH="4.1"
+
+# Web UI port (default: 5000)
+#STEGASOO_PORT="5000"
+
+# Enable HTTPS (default: false, configured via wizard)
+#STEGASOO_HTTPS_ENABLED="false"
+
+# Enable authentication (default: true)
+#STEGASOO_AUTH_ENABLED="true"
+
+# Channel key for private channels (default: none)
+#STEGASOO_CHANNEL_KEY=""
--- a/scripts/validate-release.sh
+++ b/scripts/validate-release.sh
@@ -0,0 +1,334 @@
+#!/bin/bash
+# =============================================================================
+# Stegasoo Release Validation Script
+# =============================================================================
+# Automated pre-release validation to catch issues before tagging a release.
+#
+# Usage:
+#   ./scripts/validate-release.sh              # Local validation only
+#   ./scripts/validate-release.sh --pi         # Include Pi smoke test
+#   PI_IP=192.168.0.4 ./scripts/validate-release.sh --pi
+#
+# Exit codes:
+#   0 = All tests passed
+#   1 = One or more tests failed
+# =============================================================================
+
+# Don't use set -e as we need to handle test failures gracefully
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+# Default Pi IP (can be overridden via environment)
+PI_IP="${PI_IP:-192.168.0.4}"
+PI_USER="${PI_USER:-alee}"
+INCLUDE_PI=false
+INCLUDE_DOCKER=true
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --pi)
+            INCLUDE_PI=true
+            shift
+            ;;
+        --no-docker)
+            INCLUDE_DOCKER=false
+            shift
+            ;;
+        --help|-h)
+            echo "Usage: $0 [--pi] [--no-docker]"
+            echo ""
+            echo "Options:"
+            echo "  --pi         Include Pi smoke test (requires SSH access)"
+            echo "  --no-docker  Skip Docker build/test"
+            echo ""
+            echo "Environment:"
+            echo "  PI_IP        Pi IP address (default: 192.168.0.4)"
+            echo "  PI_USER      Pi SSH user (default: alee)"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+# Track results
+TESTS_RUN=0
+TESTS_PASSED=0
+TESTS_FAILED=0
+FAILED_TESTS=()
+
+# Helper functions
+pass() {
+    echo -e "${GREEN}[PASS]${NC} $1"
+    ((TESTS_PASSED++))
+    ((TESTS_RUN++))
+}
+
+fail() {
+    echo -e "${RED}[FAIL]${NC} $1"
+    FAILED_TESTS+=("$1")
+    ((TESTS_FAILED++))
+    ((TESTS_RUN++))
+}
+
+skip() {
+    echo -e "${YELLOW}[SKIP]${NC} $1"
+}
+
+section() {
+    echo ""
+    echo -e "${CYAN}━━━ $1 ━━━${NC}"
+}
+
+# =============================================================================
+# Header
+# =============================================================================
+echo -e "${CYAN}╔═══════════════════════════════════════════════════════════════╗${NC}"
+echo -e "${CYAN}║         Stegasoo Release Validation                           ║${NC}"
+echo -e "${CYAN}╚═══════════════════════════════════════════════════════════════╝${NC}"
+echo ""
+
+# Get version from pyproject.toml
+VERSION=$(grep '^version = ' pyproject.toml | head -1 | cut -d'"' -f2)
+echo -e "Version: ${YELLOW}${VERSION}${NC}"
+echo -e "Branch:  ${YELLOW}$(git branch --show-current)${NC}"
+echo ""
+
+# =============================================================================
+# 1. Code Quality Checks
+# =============================================================================
+section "Code Quality"
+
+# Ruff linting
+if command -v ./venv/bin/ruff &> /dev/null; then
+    echo -n "Running ruff check... "
+    if ./venv/bin/ruff check src/ frontends/ --quiet 2>/dev/null; then
+        pass "Ruff linting"
+    else
+        fail "Ruff linting (run: ./venv/bin/ruff check src/ frontends/)"
+    fi
+else
+    skip "Ruff not installed"
+fi
+
+# =============================================================================
+# 2. Security Audit
+# =============================================================================
+section "Security Audit"
+
+# pip-audit for known vulnerabilities
+if command -v ./venv/bin/pip-audit &> /dev/null; then
+    echo -n "Running pip-audit... "
+    if ./venv/bin/pip-audit --quiet 2>/dev/null; then
+        pass "No known vulnerabilities"
+    else
+        fail "pip-audit found vulnerabilities (run: ./venv/bin/pip-audit)"
+    fi
+else
+    echo -n "Installing pip-audit... "
+    if ./venv/bin/pip install pip-audit --quiet 2>/dev/null; then
+        echo -n "Running pip-audit... "
+        if ./venv/bin/pip-audit --quiet 2>/dev/null; then
+            pass "No known vulnerabilities"
+        else
+            fail "pip-audit found vulnerabilities (run: ./venv/bin/pip-audit)"
+        fi
+    else
+        skip "Could not install pip-audit"
+    fi
+fi
+
+# =============================================================================
+# 3. Unit Tests (if they exist)
+# =============================================================================
+section "Unit Tests"
+
+if ls tests/test_*.py 1> /dev/null 2>&1; then
+    echo -n "Running pytest... "
+    if ./venv/bin/pytest tests/ -q --tb=no 2>/dev/null; then
+        pass "Pytest unit tests"
+    else
+        fail "Pytest unit tests"
+    fi
+else
+    skip "No unit tests found (tests/test_*.py)"
+fi
+
+# =============================================================================
+# 4. Import Tests
+# =============================================================================
+section "Import Tests"
+
+# Test core library import
+echo -n "Testing stegasoo import... "
+if ./venv/bin/python -c "from stegasoo import encode, decode; print('OK')" 2>/dev/null | grep -q OK; then
+    pass "Core library import"
+else
+    fail "Core library import"
+fi
+
+# Test DCT support
+echo -n "Testing DCT support... "
+if ./venv/bin/python -c "from stegasoo import has_dct_support; assert has_dct_support(), 'No DCT'; print('OK')" 2>/dev/null | grep -q OK; then
+    pass "DCT support available"
+else
+    fail "DCT support (scipy/jpegio missing?)"
+fi
+
+# Test CLI import
+echo -n "Testing CLI import... "
+if ./venv/bin/python -c "from stegasoo.cli import main; print('OK')" 2>/dev/null | grep -q OK; then
+    pass "CLI module import"
+else
+    fail "CLI module import"
+fi
+
+# =============================================================================
+# 5. Encode/Decode Sanity Test
+# =============================================================================
+section "Encode/Decode Test"
+
+echo -n "Running encode/decode sanity check... "
+SANITY_RESULT=$(./venv/bin/python << 'EOF' 2>&1
+import sys
+sys.path.insert(0, 'src')
+from stegasoo import encode, decode
+
+with open('test_data/carrier.jpg', 'rb') as f:
+    carrier = f.read()
+with open('test_data/ref.jpg', 'rb') as f:
+    ref = f.read()
+
+# LSB test
+result = encode(message="sanity test", reference_photo=ref, carrier_image=carrier,
+                passphrase="test", pin="123456", embed_mode="lsb")
+decoded = decode(stego_image=result.stego_image, reference_photo=ref,
+                 passphrase="test", pin="123456", embed_mode="lsb")
+assert decoded.message == "sanity test", f"LSB mismatch: {decoded.message}"
+
+# DCT test
+result = encode(message="dct sanity", reference_photo=ref, carrier_image=carrier,
+                passphrase="dct", pin="654321", embed_mode="dct")
+decoded = decode(stego_image=result.stego_image, reference_photo=ref,
+                 passphrase="dct", pin="654321", embed_mode="dct")
+assert decoded.message == "dct sanity", f"DCT mismatch: {decoded.message}"
+
+print("OK")
+EOF
+)
+
+if echo "$SANITY_RESULT" | grep -q "OK"; then
+    pass "Encode/decode sanity (LSB + DCT)"
+else
+    fail "Encode/decode sanity: $SANITY_RESULT"
+fi
+
+# =============================================================================
+# 6. Docker Build & Test (optional)
+# =============================================================================
+if $INCLUDE_DOCKER; then
+    section "Docker"
+
+    if command -v docker &> /dev/null || command -v sudo &> /dev/null; then
+        DOCKER_CMD="docker"
+        if ! docker info &>/dev/null 2>&1; then
+            DOCKER_CMD="sudo docker"
+        fi
+
+        echo -n "Building Docker image... "
+        if $DOCKER_CMD build -t stegasoo:validate -q . >/dev/null 2>&1; then
+            pass "Docker build"
+
+            # Test container starts
+            echo -n "Testing container startup... "
+            CONTAINER_ID=$($DOCKER_CMD run -d -p 15000:5000 stegasoo:validate 2>/dev/null)
+            sleep 3
+
+            if curl -s -o /dev/null -w "%{http_code}" http://localhost:15000/ 2>/dev/null | grep -qE "200|302"; then
+                pass "Container responds to HTTP"
+            else
+                fail "Container HTTP response"
+            fi
+
+            # Cleanup
+            $DOCKER_CMD stop "$CONTAINER_ID" >/dev/null 2>&1 || true
+            $DOCKER_CMD rm "$CONTAINER_ID" >/dev/null 2>&1 || true
+        else
+            fail "Docker build"
+        fi
+
+        # Cleanup test image
+        $DOCKER_CMD rmi stegasoo:validate >/dev/null 2>&1 || true
+    else
+        skip "Docker not available"
+    fi
+else
+    skip "Docker tests (use --docker to enable)"
+fi
+
+# =============================================================================
+# 7. Pi Smoke Test (optional)
+# =============================================================================
+if $INCLUDE_PI; then
+    section "Pi Smoke Test"
+
+    echo -n "Testing SSH connectivity to $PI_USER@$PI_IP... "
+    if ssh -o ConnectTimeout=5 -o BatchMode=yes "$PI_USER@$PI_IP" "echo OK" 2>/dev/null | grep -q OK; then
+        pass "SSH connectivity"
+
+        echo -n "Checking stegasoo service status... "
+        if ssh "$PI_USER@$PI_IP" "systemctl is-active stegasoo" 2>/dev/null | grep -q active; then
+            pass "Stegasoo service running"
+
+            echo -n "Running smoke test on Pi... "
+            SMOKE_RESULT=$(ssh "$PI_USER@$PI_IP" "cd /home/$PI_USER/stegasoo && bash tests/smoke-test.sh --quick 2>&1" || echo "FAILED")
+            if echo "$SMOKE_RESULT" | grep -qE "All tests passed|PASS"; then
+                pass "Pi smoke test"
+            else
+                fail "Pi smoke test"
+            fi
+        else
+            fail "Stegasoo service not running"
+        fi
+    else
+        fail "SSH connectivity to Pi"
+    fi
+else
+    skip "Pi smoke test (use --pi to enable)"
+fi
+
+# =============================================================================
+# Summary
+# =============================================================================
+echo ""
+echo -e "${CYAN}━━━ Summary ━━━${NC}"
+echo ""
+echo -e "Tests run:    ${TESTS_RUN}"
+echo -e "Passed:       ${GREEN}${TESTS_PASSED}${NC}"
+echo -e "Failed:       ${RED}${TESTS_FAILED}${NC}"
+
+if [ ${#FAILED_TESTS[@]} -gt 0 ]; then
+    echo ""
+    echo -e "${RED}Failed tests:${NC}"
+    for test in "${FAILED_TESTS[@]}"; do
+        echo -e "  - $test"
+    done
+fi
+
+echo ""
+if [ $TESTS_FAILED -eq 0 ]; then
+    echo -e "${GREEN}✓ All validation checks passed!${NC}"
+    echo -e "  Ready to tag release ${VERSION}"
+    exit 0
+else
+    echo -e "${RED}✗ Validation failed - fix issues before release${NC}"
+    exit 1
+fi
--- a/src/stegasoo/COMPLETE_CHANGE_SUMMARY_V3.2.0.md
+++ b/src/stegasoo/COMPLETE_CHANGE_SUMMARY_V3.2.0.md
@@ -1,374 +0,0 @@
-# Stegasoo v3.2.0 - Complete Change Summary
-
-## Overview
-
-This update makes two major breaking changes to Stegasoo:
-1. **Remove date dependency** - Date no longer used in cryptographic operations
-2. **Rename day_phrase → passphrase** - Reflects removal of daily rotation requirement
-
-## Version Information
-
- **Previous**: v3.1.0 (date-dependent, day_phrase)
- **Current**: v3.2.0 (date-independent, passphrase)
- **Format Version**: 3 → 4 (breaking change)
- **Compatibility**: NOT backward compatible with v3.1.0
-
-## Files Modified
-
-### Core Files (MUST UPDATE)
-
-1. **crypto.py** ✅ Updated
-   - Removed `date_str` parameter from all functions
-   - Renamed `day_phrase` → `passphrase` in all functions
-   - Removed date from key derivation material
-   - Simplified header format (no date field)
-   - Updated error messages
-
-2. **constants.py** ✅ Updated
-   - Version: `__version__ = "3.2.0"`
-   - Format: `FORMAT_VERSION = 4`
-   - Added passphrase constants:
-     - `MIN_PASSPHRASE_WORDS = 3`
-     - `MAX_PASSPHRASE_WORDS = 12`
-     - `DEFAULT_PASSPHRASE_WORDS = 4` (increased from 3)
-     - `RECOMMENDED_PASSPHRASE_WORDS = 4`
-   - Kept legacy aliases for transition
-
-3. **models.py** ✅ Updated
-   - `Credentials`: Changed from `phrases: dict` → `passphrase: str`
-   - `EncodeInput`: Renamed `day_phrase` → `passphrase`, removed `date_str`
-   - `DecodeInput`: Renamed `day_phrase` → `passphrase`
-   - `EncodeResult`: Made `date_used` optional (cosmetic only)
-   - `DecodeResult`: `date_encoded` always None in v3.2.0
-   - `ValidationResult`: Added `warning` field
-
-4. **validation.py** ✅ Updated
-   - Renamed `validate_phrase()` → `validate_passphrase()`
-   - Added word count validation with warnings
-   - Recommends 4+ words for good security
-   - Updated error messages
-
-### Files Needing Updates
-
-5. **__init__.py** - Public API
-   - [ ] `encode()`: Remove `date_str`, rename `day_phrase` → `passphrase`
-   - [ ] `encode_file()`: Same changes
-   - [ ] `encode_bytes()`: Same changes
-   - [ ] `decode()`: Remove `date_str`, rename `day_phrase` → `passphrase`
-   - [ ] `decode_text()`: Same changes
-   - [ ] Update all docstrings
-
-6. **keygen.py** - Key generation
-   - [ ] `generate_day_phrases()` → `generate_passphrases()` or keep with new implementation
-   - [ ] `generate_credentials()`: Update to use single passphrase
-   - [ ] Update `Credentials` creation
-
-7. **batch.py** - Batch operations
-   - [ ] `BatchCredentials`: Rename `day_phrase` → `passphrase`
-   - [ ] Update all batch functions
-
-8. **cli.py** - Command line
-   - [ ] `--phrase` → `--passphrase` (or keep `--phrase` for simplicity)
-   - [ ] Update help text
-   - [ ] Update credentials dict creation
-
-9. **steganography.py** - No changes needed
-   - Uses keys from crypto module, doesn't directly handle phrases/dates
-
-10. **dct_steganography.py** - No changes needed
-    - Uses keys from crypto module
-
-### Optional/Documentation Files
-
-11. **utils.py** - Keep as-is (organizational functions)
-12. **debug.py** - No changes needed
-13. **exceptions.py** - No changes needed
-14. **compression.py** - No changes needed
-15. **qr_utils.py** - No changes needed
-
-## Key Changes Breakdown
-
-### 1. Function Signatures
-
-**Before (v3.1.0):**
-```python
-def derive_hybrid_key(
-    photo_data: bytes,
-    day_phrase: str,
-    date_str: str,
-    salt: bytes,
-    pin: str = "",
-    rsa_key_data: Optional[bytes] = None
-) -> bytes:
-```
-
-**After (v3.2.0):**
-```python
-def derive_hybrid_key(
-    photo_data: bytes,
-    passphrase: str,
-    salt: bytes,
-    pin: str = "",
-    rsa_key_data: Optional[bytes] = None
-) -> bytes:
-```
-
-### 2. Key Derivation Material
-
-**Before:**
-```python
-key_material = (
-    photo_hash +
-    day_phrase.lower().encode() +
-    pin.encode() +
-    date_str.encode() +  # ← REMOVED
-    salt
-)
-```
-
-**After:**
-```python
-key_material = (
-    photo_hash +
-    passphrase.lower().encode() +
-    pin.encode() +
-    salt
-)
-```
-
-### 3. Header Format
-
-**Before (v3.1.0):** 66+ bytes
-```
-[Magic:4][Version:1][DateLen:1][Date:10][Salt:32][IV:12][Tag:16][Ciphertext]
-```
-
-**After (v3.2.0):** 65 bytes
-```
-[Magic:4][Version:1][Salt:32][IV:12][Tag:16][Ciphertext]
-```
-
-### 4. Public API
-
-**Before:**
-```python
-# Encoding
-result = encode(
-    message="Secret",
-    reference_photo=photo,
-    carrier_image=carrier,
-    day_phrase="apple forest thunder",
-    pin="123456",
-    date_str="2025-01-15"
-)
-
-# Decoding
-decoded = decode(
-    stego_image=stego,
-    reference_photo=photo,
-    day_phrase="apple forest thunder",
-    pin="123456",
-    date_str="2025-01-15"
-)
-```
-
-**After:**
-```python
-# Encoding
-result = encode(
-    message="Secret",
-    reference_photo=photo,
-    carrier_image=carrier,
-    passphrase="apple forest thunder mountain",
-    pin="123456"
-)
-
-# Decoding
-decoded = decode(
-    stego_image=stego,
-    reference_photo=photo,
-    passphrase="apple forest thunder mountain",
-    pin="123456"
-)
-```
-
-## Migration Path
-
-### For Users with v3.1.0 Messages
-
-1. **Before upgrading**, decode all messages with v3.1.0:
-   ```bash
-   # Using v3.1.0
-   python decode_all.py
-   ```
-
-2. Save the decoded content
-
-3. Upgrade to v3.2.0
-
-4. Re-encode with v3.2.0 if needed
-
-### For Developers
-
-1. Update the 4 core files: crypto.py, constants.py, models.py, validation.py
-
-2. Update remaining files in order:
-   - `__init__.py` (public API - critical)
-   - `keygen.py` (credential generation)
-   - `batch.py` (batch operations)
-   - `cli.py` (command line)
-
-3. Run tests to verify:
-   ```bash
-   pytest tests/ -v
-   ```
-
-4. Update documentation and examples
-
-## Benefits
-
-### Simplicity
- ❌ Before: 3 parameters (day_phrase, pin, date)
- ✅ After: 2 parameters (passphrase, pin)
-
-### User Experience
- ❌ Before: "What date did I encode this?" "Which day's phrase?"
- ✅ After: Just use your passphrase
-
-### Asynchronous Ready
- ❌ Before: Must know encoding date
- ✅ After: Decode anytime
-
-### Less Metadata
- ❌ Before: Date stored in header
- ✅ After: No temporal metadata
-
-## Security Considerations
-
-### Entropy Comparison
-
-**v3.1.0:**
- Photo hash: ~128 bits
- Day phrase (3 words): ~33 bits
- PIN (6 digits): ~20 bits
- Date: ~33 bits (10 digits)
- **Total: ~214 bits**
-
-**v3.2.0:**
- Photo hash: ~128 bits
- Passphrase (4 words): ~44 bits
- PIN (6 digits): ~20 bits
- **Total: ~192 bits**
-
-**Mitigation:** Recommend longer passphrases (4-5 words vs 3)
-
-### Best Practices for v3.2.0
-
-1. **Use 4+ word passphrases** (increased from 3)
-2. **Keep using PINs** (additional 20 bits)
-3. **Protect reference photo** (still critical)
-4. **Consider RSA keys** for highest security
-
-## Testing Checklist
-
- [ ] Unit tests pass
- [ ] Integration tests pass
- [ ] Encode/decode round-trip works
- [ ] File payloads work
- [ ] LSB mode works
- [ ] DCT mode works
- [ ] Batch operations work
- [ ] CLI commands work
- [ ] Error messages are clear
- [ ] Validation works correctly
- [ ] No references to "day_phrase" remain
- [ ] No date parameters remain (except cosmetic)
-
-## Documentation Updates Needed
-
- [ ] README.md - Update all examples
- [ ] API documentation - Update function signatures
- [ ] Tutorials - Remove date parameters
- [ ] CHANGELOG.md - Add v3.2.0 entry
- [ ] Migration guide - How to upgrade from v3.1.0
- [ ] Examples directory - Update all scripts
-
-## Backward Compatibility Strategy
-
-### Option 1: Clean Break (Recommended)
- No compatibility code
- Clear version separation
- Users must migrate manually
-
-### Option 2: Temporary Wrapper
-```python
-def encode(
-    message,
-    reference_photo,
-    carrier_image,
-    passphrase: str = None,
-    day_phrase: str = None,  # Deprecated
-    date_str: str = None,     # Deprecated
-    pin: str = "",
-    ...
-):
-    if day_phrase and not passphrase:
-        import warnings
-        warnings.warn("day_phrase deprecated, use passphrase", DeprecationWarning)
-        passphrase = day_phrase
-    
-    if date_str:
-        warnings.warn("date_str no longer used", DeprecationWarning)
-    
-    # ... rest of function
-```
-
-## Release Checklist
-
- [ ] All files updated
- [ ] Tests passing
- [ ] Documentation updated
- [ ] Migration guide written
- [ ] CHANGELOG.md updated
- [ ] Version bumped to 3.2.0
- [ ] Git tag created: v3.2.0
- [ ] PyPI package published
- [ ] Release notes published
- [ ] Users notified of breaking changes
-
-## Quick Reference
-
-### Search and Replace Patterns
-
-Safe to replace globally:
- `day_phrase` → `passphrase`
- `day phrase` → `passphrase`
- `Day phrase` → `Passphrase`
- `DEFAULT_PHRASE_WORDS` → `DEFAULT_PASSPHRASE_WORDS`
-
-Do NOT replace:
- `DAY_NAMES` (keep for utilities)
- `get_day_from_date` (keep for utilities)
- `generate_day_phrases` (rename function itself)
-
-### Error Message Updates
-
- "Day phrase is required" → "Passphrase is required"
- "Check your phrase, PIN" → "Check your passphrase, PIN"
- "the day's phrase" → "the passphrase"
- "today's passphrase" → "passphrase"
-
-## Support
-
-For issues or questions during migration:
-1. Check the migration guide
-2. Review the comparison document
-3. Look at updated examples
-4. File an issue on GitHub
-
---
-
-**Status:** 
-✅ Core files updated (crypto, constants, models, validation)
-⏳ Remaining files need updates (__init__, keygen, batch, cli)
-📝 Documentation updates pending
--- a/src/stegasoo/init.py
+++ b/src/stegasoo/init.py
@@ -7,7 +7,7 @@ Changes in v4.0.0:
 - encode() and decode() now accept channel_key parameter
 """

-__version__ = "4.0.1"
+__version__ = "4.1.3"

 # Core functionality
 # Channel key management (v4.0.0)
@@ -45,6 +45,7 @@ from .image_utils import (

 # Steganography functions
 from .steganography import (
+    calculate_capacity_by_mode,
    compare_modes,
    has_dct_support,
    will_fit_by_mode,
@@ -92,6 +93,7 @@ from .constants import (
    EMBED_MODE_LSB,
    FORMAT_VERSION,
    LOSSLESS_FORMATS,
+    MAX_FILE_PAYLOAD_SIZE,
    MAX_IMAGE_PIXELS,
    MAX_MESSAGE_SIZE,
    MAX_PASSPHRASE_WORDS,
@@ -112,12 +114,16 @@ from .exceptions import (
    ExtractionError,
    ImageValidationError,
    InvalidHeaderError,
+    InvalidMagicBytesError,
    KeyDerivationError,
    KeyGenerationError,
    KeyPasswordError,
    KeyValidationError,
    MessageValidationError,
+    ModeMismatchError,
+    NoDataFoundError,
    PinValidationError,
+    ReedSolomonError,
    SecurityFactorError,
    SteganographyError,
    StegasooError,
@@ -145,6 +151,7 @@ from .validation import (
 MIN_MESSAGE_LENGTH = 1
 MAX_MESSAGE_LENGTH = MAX_MESSAGE_SIZE
 MAX_PAYLOAD_SIZE = MAX_MESSAGE_SIZE
+# MAX_FILE_PAYLOAD_SIZE imported from constants above
 SUPPORTED_IMAGE_FORMATS = LOSSLESS_FORMATS
 LSB_BYTES_PER_PIXEL = 3 / 8
 DCT_BYTES_PER_PIXEL = 0.125
@@ -184,6 +191,7 @@ __all__ = [
    "has_argon2",
    # Steganography
    "has_dct_support",
+    "calculate_capacity_by_mode",
    "compare_modes",
    "will_fit_by_mode",
    # QR utilities
@@ -232,6 +240,10 @@ __all__ = [
    "ExtractionError",
    "EmbeddingError",
    "InvalidHeaderError",
+    "InvalidMagicBytesError",
+    "ReedSolomonError",
+    "NoDataFoundError",
+    "ModeMismatchError",
    # Constants
    "FORMAT_VERSION",
    "MIN_PASSPHRASE_WORDS",
@@ -244,6 +256,7 @@ __all__ = [
    "MAX_MESSAGE_LENGTH",
    "MAX_MESSAGE_SIZE",
    "MAX_PAYLOAD_SIZE",
+    "MAX_FILE_PAYLOAD_SIZE",
    "MIN_IMAGE_PIXELS",
    "MAX_IMAGE_PIXELS",
    "SUPPORTED_IMAGE_FORMATS",
--- a/src/stegasoo/channel.py
+++ b/src/stegasoo/channel.py
@@ -372,6 +372,124 @@ def has_channel_key() -> bool:
    return get_channel_key() is not None


+def resolve_channel_key(
+    value: str | None = None,
+    *,
+    file_path: str | Path | None = None,
+    no_channel: bool = False,
+) -> str | None:
+    """
+    Resolve a channel key from user input (unified for all frontends).
+
+    This consolidates channel key resolution logic used by CLI, API, and WebUI.
+
+    Args:
+        value: Input value:
+            - 'auto' or None: Use server-configured key
+            - 'none' or '': Public mode (no channel key)
+            - explicit key: Validate and use
+        file_path: Path to file containing channel key
+        no_channel: If True, return "" for public mode (overrides value)
+
+    Returns:
+        None: Use server-configured key (auto mode)
+        "": Public mode (no channel key)
+        str: Explicit valid channel key
+
+    Raises:
+        ValueError: If key format is invalid
+        FileNotFoundError: If file_path doesn't exist
+
+    Example:
+        >>> resolve_channel_key("auto")  # -> None
+        >>> resolve_channel_key("none")  # -> ""
+        >>> resolve_channel_key(no_channel=True)  # -> ""
+        >>> resolve_channel_key("ABCD-1234-...")  # -> "ABCD-1234-..."
+        >>> resolve_channel_key(file_path="key.txt")  # reads from file
+    """
+    debug.print(f"resolve_channel_key: value={value}, file_path={file_path}, no_channel={no_channel}")
+
+    # no_channel flag takes precedence
+    if no_channel:
+        debug.print("resolve_channel_key: public mode (no_channel=True)")
+        return ""
+
+    # Read from file if provided
+    if file_path:
+        path = Path(file_path)
+        if not path.exists():
+            raise FileNotFoundError(f"Channel key file not found: {file_path}")
+        key = path.read_text().strip()
+        if not validate_channel_key(key):
+            raise ValueError(f"Invalid channel key format in file: {file_path}")
+        debug.print(f"resolve_channel_key: from file -> {get_channel_fingerprint(key)}")
+        return format_channel_key(key)
+
+    # Handle value string
+    if value is None or value.lower() == "auto":
+        debug.print("resolve_channel_key: auto mode (server config)")
+        return None
+
+    if value == "" or value.lower() == "none":
+        debug.print("resolve_channel_key: public mode (explicit none)")
+        return ""
+
+    # Explicit key - validate
+    if validate_channel_key(value):
+        formatted = format_channel_key(value)
+        debug.print(f"resolve_channel_key: explicit key -> {get_channel_fingerprint(formatted)}")
+        return formatted
+
+    raise ValueError(
+        "Invalid channel key format. Expected: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX\n"
+        "Generate a new key with: stegasoo channel generate"
+    )
+
+
+def get_channel_response_info(channel_key: str | None) -> dict:
+    """
+    Get channel info for API/WebUI responses.
+
+    Args:
+        channel_key: Resolved channel key (None=auto, ""=public, str=explicit)
+
+    Returns:
+        Dict with mode, fingerprint, and display info
+
+    Example:
+        >>> info = get_channel_response_info("ABCD-1234-...")
+        >>> info['mode']
+        'explicit'
+    """
+    if channel_key is None:
+        # Auto mode - check server config
+        server_key = get_channel_key()
+        if server_key:
+            return {
+                "mode": "private",
+                "fingerprint": get_channel_fingerprint(server_key),
+                "source": "server",
+            }
+        return {
+            "mode": "public",
+            "fingerprint": None,
+            "source": "server",
+        }
+
+    if channel_key == "":
+        return {
+            "mode": "public",
+            "fingerprint": None,
+            "source": "explicit",
+        }
+
+    return {
+        "mode": "private",
+        "fingerprint": get_channel_fingerprint(channel_key),
+        "source": "explicit",
+    }
+
+
 # =============================================================================
 # CLI SUPPORT
 # =============================================================================
--- a/src/stegasoo/cli.py
+++ b/src/stegasoo/cli.py
--- a/src/stegasoo/constants.py
+++ b/src/stegasoo/constants.py
@@ -25,7 +25,7 @@ from pathlib import Path
 # VERSION
 # ============================================================================

-__version__ = "4.0.2"
+__version__ = "4.1.5"

 # ============================================================================
 # FILE FORMAT
@@ -234,6 +234,14 @@ DCT_MAGIC_HEADER = b"\x89DCT"  # Magic header for DCT mode
 DCT_FORMAT_VERSION = 1
 DCT_STEP_SIZE = 8  # QIM quantization step

+# Recovery key obfuscation - FIXED value for admin recovery QR codes
+# SHA256("\x89ST3\x89DCT") - hardcoded so it never changes even if headers are added
+# Used to XOR recovery keys in QR codes so they scan as gibberish
+RECOVERY_OBFUSCATION_KEY = bytes.fromhex(
+    "d6c70bce27780db942562550e9fe1459"
+    "9dfdb8421f5acc79696b05db4e7afbd2"
+)  # 32 bytes
+
 # Valid embedding modes
 VALID_EMBED_MODES = {EMBED_MODE_LSB, EMBED_MODE_DCT}

--- a/src/stegasoo/crypto.py
+++ b/src/stegasoo/crypto.py
@@ -1,18 +1,26 @@
 """
 Stegasoo Cryptographic Functions (v4.0.0 - Channel Key Support)

-Key derivation, encryption, and decryption using AES-256-GCM.
-Supports both text messages and binary file payloads.
+This is the crypto layer - where we turn plaintext into indecipherable noise.

-BREAKING CHANGES in v4.0.0:
- Added channel key support for deployment/group isolation
- Messages encoded with a channel key require the same key to decode
- Channel key can be configured via environment, config file, or explicit parameter
- FORMAT_VERSION bumped to 5
+The security model is multi-factor:
+┌────────────────────────────────────────────────────────────────────┐
+│  SOMETHING YOU HAVE          SOMETHING YOU KNOW                    │
+│  ├─ Reference photo          ├─ Passphrase (4+ BIP-39 words)      │
+│  └─ RSA private key (opt)    └─ PIN (6-9 digits)                  │
+│                                                                    │
+│  DEPLOYMENT BINDING                                                │
+│  └─ Channel key (ties messages to a specific server/group)        │
+└────────────────────────────────────────────────────────────────────┘

-BREAKING CHANGES in v3.2.0:
- Removed date dependency from key derivation
- Renamed day_phrase → passphrase (no daily rotation needed)
+All factors get mixed together through Argon2id (memory-hard KDF) to derive
+the actual encryption key. Miss any factor = wrong key = garbage output.
+
+Encryption: AES-256-GCM (authenticated encryption - tamper = detection)
+KDF: Argon2id (256MB RAM, 4 iterations) or PBKDF2 fallback (600K iterations)
+
+v4.0.0: Added channel key for server/group isolation
+v3.2.0: Removed date dependency (was cute but annoying in practice)
 """

 import hashlib
@@ -98,25 +106,38 @@ def _resolve_channel_key(channel_key: str | bool | None) -> bytes | None:
 # =============================================================================
 # CORE CRYPTO FUNCTIONS
 # =============================================================================
+#
+# The "reference photo as a key" concept is one of Stegasoo's unique features.
+# Most steganography tools just use a password. We add the photo as a
+# "something you have" factor - like a hardware token, but it's a cat picture.


 def hash_photo(image_data: bytes) -> bytes:
    """
    Compute deterministic hash of photo pixel content.

-    This normalizes the image to RGB and hashes the raw pixel data,
-    making it resistant to metadata changes.
+    This is the magic sauce that turns your cat photo into a cryptographic key.
+
+    Why pixels and not the file hash?
+    - File metadata changes (EXIF stripped, resaved) = different file hash
+    - But pixel content stays the same
+    - We hash the RGB values directly, so format conversions don't matter
+
+    The double-hash with prefix is belt-and-suspenders mixing. Probably
+    overkill, but hey, it's crypto - paranoia is a feature.

    Args:
-        image_data: Raw image file bytes
+        image_data: Raw image file bytes (any format PIL can read)

    Returns:
-        32-byte SHA-256 hash
+        32-byte SHA-256 hash of pixel content
    """
+    # Convert to RGB to normalize (RGBA, grayscale, etc. all become RGB)
    img: Image.Image = Image.open(io.BytesIO(image_data)).convert("RGB")
    pixels = img.tobytes()

-    # Double-hash with prefix for additional mixing
+    # Double-hash: SHA256(SHA256(pixels) + first 1KB of pixels)
+    # The prefix adds image-specific data to prevent length-extension shenanigans
    h = hashlib.sha256(pixels).digest()
    h = hashlib.sha256(h + pixels[:1024]).digest()
    return h
@@ -133,20 +154,38 @@ def derive_hybrid_key(
    """
    Derive encryption key from multiple factors.

-    Combines:
-    - Photo hash (something you have)
-    - Passphrase (something you know)
-    - PIN (something you know, static)
-    - RSA key (something you have)
-    - Channel key (deployment/group binding)
-    - Salt (random per message)
+    This is the heart of Stegasoo's security model. We take all the things
+    you need to prove you're authorized (photo, passphrase, PIN, etc.) and
+    blend them together into one 32-byte key.

-    Uses Argon2id if available, falls back to PBKDF2.
+    The flow:
+    ┌─────────────┐   ┌─────────────┐   ┌─────────────┐
+    │ Photo hash  │ + │ passphrase  │ + │ PIN + RSA   │ + salt
+    └─────────────┘   └─────────────┘   └─────────────┘
+           │                 │                 │
+           └────────────────┴────────────────┘
+                             │
+                             ▼
+                    ┌─────────────────┐
+                    │    Argon2id     │  <- Memory-hard KDF
+                    │   256MB / 4 iter │  <- Makes brute force expensive
+                    └─────────────────┘
+                             │
+                             ▼
+                      32-byte AES key
+
+    Why Argon2id?
+    - Memory-hard: attackers can't just throw GPUs at it
+    - 256MB RAM per attempt = expensive at scale
+    - Winner of the Password Hashing Competition (2015)
+    - "id" variant resists both side-channel and GPU attacks
+
+    Fallback: PBKDF2-SHA512 with 600K iterations (for systems without argon2)

    Args:
        photo_data: Reference photo bytes
-        passphrase: Shared passphrase (recommend 4+ words)
-        salt: Random salt for this message
+        passphrase: Shared passphrase (recommend 4+ words from BIP-39)
+        salt: Random salt for this message (32 bytes)
        pin: Optional static PIN
        rsa_key_data: Optional RSA key bytes
        channel_key: Channel key parameter:
@@ -155,7 +194,7 @@ def derive_hybrid_key(
            - "" or False: No channel key (public mode)

    Returns:
-        32-byte derived key
+        32-byte derived key (ready for AES-256)

    Raises:
        KeyDerivationError: If key derivation fails
@@ -163,31 +202,36 @@ def derive_hybrid_key(
    try:
        photo_hash = hash_photo(photo_data)

-        # Resolve channel key
+        # Resolve channel key (server-specific binding)
        channel_hash = _resolve_channel_key(channel_key)

-        # Build key material
+        # Build key material by concatenating all factors
+        # Passphrase is lowercased to be forgiving of case differences
        key_material = photo_hash + passphrase.lower().encode() + pin.encode() + salt

-        # Add RSA key hash if provided
+        # Add RSA key hash if provided (another "something you have")
        if rsa_key_data:
            key_material += hashlib.sha256(rsa_key_data).digest()

-        # Add channel key hash if configured (v4.0.0)
+        # Add channel key hash if configured (v4.0.0 - deployment binding)
        if channel_hash:
            key_material += channel_hash

+        # Run it all through the KDF
        if HAS_ARGON2:
+            # Argon2id: the good stuff
            key = hash_secret_raw(
                secret=key_material,
                salt=salt[:32],
-                time_cost=ARGON2_TIME_COST,
-                memory_cost=ARGON2_MEMORY_COST,
-                parallelism=ARGON2_PARALLELISM,
+                time_cost=ARGON2_TIME_COST,      # 4 iterations
+                memory_cost=ARGON2_MEMORY_COST,  # 256 MB RAM
+                parallelism=ARGON2_PARALLELISM,  # 4 threads
                hash_len=32,
-                type=Type.ID,
+                type=Type.ID,  # Hybrid mode: resists side-channel AND GPU attacks
            )
        else:
+            # PBKDF2 fallback for systems without argon2-cffi
+            # 600K iterations is slow but not memory-hard
            kdf = PBKDF2HMAC(
                algorithm=hashes.SHA512(),
                length=32,
@@ -347,9 +391,12 @@ def _unpack_payload(data: bytes) -> DecodeResult:
 # =============================================================================
 # HEADER FLAGS (v4.0.0)
 # =============================================================================
+#
+# The flags byte tells us about the message without decrypting it.
+# Currently just one flag, but the byte gives us room for 8.

-# Header flag bits
-FLAG_CHANNEL_KEY = 0x01  # Set if encoded with a channel key
+FLAG_CHANNEL_KEY = 0x01  # Bit 0: Message was encoded with a channel key
+# Future flags could include: compression, file attachment, etc.


 def encrypt_message(
@@ -361,33 +408,40 @@ def encrypt_message(
    channel_key: str | bool | None = None,
 ) -> bytes:
    """
-    Encrypt message or file using AES-256-GCM with hybrid key derivation.
+    Encrypt message or file using AES-256-GCM.

-    Message format (v4.0.0 - with channel key support):
-    - Magic header (4 bytes)
-    - Version (1 byte) = 5
-    - Flags (1 byte) - indicates if channel key was used
-    - Salt (32 bytes)
-    - IV (12 bytes)
-    - Auth tag (16 bytes)
-    - Ciphertext (variable, padded)
+    This is where plaintext becomes ciphertext. We use AES-256-GCM which is:
+    - AES: The standard, used by everyone from banks to governments
+    - 256-bit key: Enough entropy to survive until the heat death of the universe
+    - GCM mode: Authenticated encryption - if anyone tampers, decryption fails
+
+    The output format (v4.0.0):
+    ┌──────────────────────────────────────────────────────────────────────┐
+    │ \x89ST3 │ 05 │ flags │  salt (32B)  │  iv (12B)  │  tag (16B)  │ ··· │
+    │  magic  │ver │       │              │            │             │cipher│
+    └──────────────────────────────────────────────────────────────────────┘
+
+    Why the random padding at the end?
+    - Message length can reveal information (traffic analysis)
+    - We add 64-319 random bytes and round to 256-byte boundary
+    - All messages look roughly the same size

    Args:
        message: Message string, raw bytes, or FilePayload to encrypt
-        photo_data: Reference photo bytes
-        passphrase: Shared passphrase (recommend 4+ words for good entropy)
-        pin: Optional static PIN
-        rsa_key_data: Optional RSA key bytes
+        photo_data: Reference photo bytes (your "key photo")
+        passphrase: Shared passphrase (recommend 4+ words from BIP-39)
+        pin: Optional static PIN for additional security
+        rsa_key_data: Optional RSA key bytes (another "something you have")
        channel_key: Channel key parameter:
-            - None or "auto": Use configured key
+            - None or "auto": Use server's configured key
            - str: Use this specific key
            - "" or False: No channel key (public mode)

    Returns:
-        Encrypted message bytes
+        Encrypted message bytes ready for embedding

    Raises:
-        EncryptionError: If encryption fails
+        EncryptionError: If encryption fails (shouldn't happen with valid inputs)
    """
    try:
        salt = secrets.token_bytes(SALT_SIZE)
--- a/src/stegasoo/dct_steganography.py
+++ b/src/stegasoo/dct_steganography.py
@@ -1,17 +1,30 @@
 """
-DCT Domain Steganography Module (v3.2.0-patch2)
+DCT Domain Steganography Module (v4.1.0)

-Embeds data in DCT coefficients with two approaches:
-1. PNG output: Scipy-based DCT transform (grayscale or color)
-2. JPEG output: jpegio-based coefficient manipulation (if available)
+The fancy pants mode. Instead of hiding bits in pixel values (LSB mode),
+we hide them in the *frequency domain* - specifically in the Discrete Cosine
+Transform coefficients that JPEG compression uses internally.

-v3.2.0-patch2 Changes:
- Chunked processing for large images to avoid heap corruption
- Process image in vertical strips to limit memory per operation
- Isolated DCT operations with fresh array allocations
- Workaround for scipy.fftpack memory issues
+Why is this cool?
+- Survives some image processing that would destroy LSB data
+- Works with JPEG without the usual "save destroys everything" problem
+- Uses the same math that JPEG itself uses - we're hiding in plain sight

-Requires: scipy (for PNG mode), optionally jpegio (for JPEG mode)
+Two approaches depending on what you want:
+1. PNG output: We do our own DCT math via scipy (works on any image)
+2. JPEG output: We use jpegio to directly tweak the coefficients (chef's kiss)
+
+v4.1.0 - The "please stop corrupting my data" release:
+- Reed-Solomon error correction (can fix up to 16 byte errors per chunk)
+- Majority voting on headers (store 3 copies, take the winner)
+- Because some image regions are just... problematic
+
+v3.2.0-patch2 - The "scipy why are you like this" release:
+- Chunked processing because scipy's FFT was corrupting memory on big images
+- Process blocks one at a time with fresh arrays
+- Yes, it's slower. No, I don't care. Correctness > speed.
+
+Requires: scipy (PNG mode), optionally jpegio (JPEG mode), reedsolo (error correction)
 """

 import gc
@@ -49,16 +62,64 @@ except ImportError:
    HAS_JPEGIO = False
    jio = None

+# Import custom exceptions
+from .exceptions import InvalidMagicBytesError
+from .exceptions import ReedSolomonError as StegasooRSError
+
+# Progress reporting interval (write every N blocks)
+PROGRESS_INTERVAL = 50
+
+
+def _write_progress(progress_file: str | None, current: int, total: int, phase: str = "embedding"):
+    """Write progress to file for frontend polling."""
+    if progress_file is None:
+        return
+    try:
+        import json
+
+        with open(progress_file, "w") as f:
+            json.dump(
+                {
+                    "current": current,
+                    "total": total,
+                    "percent": round((current / total) * 100, 1) if total > 0 else 0,
+                    "phase": phase,
+                },
+                f,
+            )
+    except Exception:
+        pass  # Don't let progress writing break encoding
+

 # ============================================================================
 # CONSTANTS
 # ============================================================================

+# JPEG uses 8x8 blocks for DCT - this is baked into the standard
 BLOCK_SIZE = 8
+
+# The zig-zag order of DCT coefficients. JPEG stores them this way because
+# the human eye is more sensitive to low frequencies (top-left corner)
+# than high frequencies (bottom-right). After quantization, most high-freq
+# coefficients become zero, so zig-zag gives great compression.
+#
+# Visual of an 8x8 DCT block with zig-zag numbering:
+#
+#   DC  1   5   6  14  15  27  28     <- Low frequency (smooth gradients)
+#    2  4   7  13  16  26  29  42
+#    3  8  12  17  25  30  41  43
+#    9 11  18  24  31  40  44  53
+#   10 19  23  32  39  45  52  54
+#   20 22  33  38  46  51  55  60
+#   21 34  37  47  50  56  59  61
+#   35 36  48  49  57  58  62  63     <- High frequency (fine detail/noise)
+#
+# Position (0,0) is the DC coefficient - the average brightness of the block.
+# We NEVER touch DC because changing it causes visible brightness shifts.
 EMBED_POSITIONS = [
-    (0, 1),
-    (1, 0),
-    (2, 0),
+    (0, 1),   # 1st AC coefficient
+    (1, 0),   # 2nd AC coefficient
+    (2, 0),   # ... and so on in zig-zag order
    (1, 1),
    (0, 2),
    (0, 3),
@@ -91,25 +152,59 @@ EMBED_POSITIONS = [
    (6, 1),
    (7, 0),
 ]
+
+# We use positions 4-20 (mid-frequency range). Here's the reasoning:
+# - Positions 0-3: Too low frequency, changes are visible as color shifts
+# - Positions 4-20: Sweet spot - carries enough energy to survive, not visible
+# - Positions 21+: High frequency, often quantized to zero, unreliable
 DEFAULT_EMBED_POSITIONS = EMBED_POSITIONS[4:20]
+
+# Quantization step for QIM (Quantization Index Modulation).
+# This is how we actually embed bits: we round the coefficient to a grid
+# and then nudge it based on whether we want a 0 or 1.
+# Bigger step = more robust to noise, but more visible. 25 is a good balance.
 QUANT_STEP = 25
-DCT_MAGIC = b"DCTS"
-HEADER_SIZE = 10
+
+# Magic bytes so we can identify our own images
+DCT_MAGIC = b"DCTS"      # scipy DCT mode marker
+JPEGIO_MAGIC = b"JPGS"   # jpegio native JPEG mode marker
+HEADER_SIZE = 10         # Magic (4) + version (1) + flags (1) + length (4)
+
 OUTPUT_FORMAT_PNG = "png"
 OUTPUT_FORMAT_JPEG = "jpeg"
-JPEG_OUTPUT_QUALITY = 95
-JPEGIO_MAGIC = b"JPGS"
+JPEG_OUTPUT_QUALITY = 95  # High quality but not 100 (100 causes issues, see below)
+
+# For jpegio mode: we only embed in coefficients with magnitude >= 2
+# Coefficients of 0 or 1 are usually quantized noise - unreliable
 JPEGIO_MIN_COEF_MAGNITUDE = 2
+
+# We embed in the Y (luminance) channel only - it has the most capacity
+# Cb/Cr are often subsampled 4:2:0 anyway
 JPEGIO_EMBED_CHANNEL = 0
-FLAG_COLOR_MODE = 0x01

-# Chunking settings for large images
-MAX_CHUNK_HEIGHT = 512  # Process in 512-pixel tall strips
+# Header flags
+FLAG_COLOR_MODE = 0x01      # Set if we preserved color (YCbCr mode)
+FLAG_RS_PROTECTED = 0x02    # Set if Reed-Solomon protected (v4.1.0+)

-# JPEG normalization settings
-# JPEGs with quality=100 have all quantization values = 1, which crashes jpegio
-JPEGIO_NORMALIZE_QUALITY = 95  # Re-save quality for problematic JPEGs
-JPEGIO_MAX_QUANT_VALUE_THRESHOLD = 1  # If all quant values <= this, normalize
+# Reed-Solomon settings - the "please don't lose my data" system
+# 32 parity symbols per chunk means we can correct up to 16 byte errors
+# Math: RS(255, 223) where 255-223=32 parity bytes, corrects floor(32/2)=16
+RS_NSYM = 32
+
+# We store the payload length 3 times and take majority vote
+# Because if the length is wrong, everything is wrong
+RS_LENGTH_HEADER_SIZE = 8   # 4 bytes raw length + 4 bytes RS-encoded length
+RS_LENGTH_COPIES = 3        # Store 3 copies, need 2 to agree
+RS_LENGTH_PREFIX_SIZE = RS_LENGTH_HEADER_SIZE * RS_LENGTH_COPIES  # 24 bytes total
+
+# Chunking for large images - scipy's FFT gets memory-corrupty on huge arrays
+MAX_CHUNK_HEIGHT = 512  # Process in strips to keep memory sane
+
+# Fun bug: JPEGs saved with quality=100 have quantization tables full of 1s
+# This makes the DCT coefficients HUGE and jpegio crashes spectacularly
+# Solution: detect and re-save at quality 95 first
+JPEGIO_NORMALIZE_QUALITY = 95
+JPEGIO_MAX_QUANT_VALUE_THRESHOLD = 1  # All 1s in quant table = bad news


 # ============================================================================
@@ -168,26 +263,107 @@ def has_jpegio_support() -> bool:


 # ============================================================================
-# SAFE DCT FUNCTIONS
-# These create fresh arrays to avoid scipy memory corruption issues
+# REED-SOLOMON ERROR CORRECTION
 # ============================================================================
+#
+# Why do we need this? DCT embedding isn't perfect. Some image regions are
+# problematic - flat areas, high compression, edge cases. Bits can flip.
+#
+# Reed-Solomon is the same error correction used in CDs, DVDs, QR codes, and
+# deep space communications. If it's good enough for Voyager, it's good enough
+# for hiding cat pictures in other cat pictures.
+#
+# How it works (simplified):
+# 1. Take your data bytes
+# 2. Add extra "parity" bytes calculated from the data
+# 3. If some bytes get corrupted, the math lets you reconstruct them
+# 4. RS(255, 223) means: 255 byte blocks, 223 data + 32 parity
+# 5. Can correct up to 16 corrupted bytes per block (floor(32/2))
+#
+# The tradeoff: ~14% overhead (32/223). Worth it for reliability.
+
+try:
+    from reedsolo import ReedSolomonError, RSCodec
+    HAS_REEDSOLO = True
+except ImportError:
+    HAS_REEDSOLO = False
+    RSCodec = None
+    ReedSolomonError = None
+
+
+def _rs_encode(data: bytes) -> bytes:
+    """
+    Wrap data in Reed-Solomon error correction.
+
+    Takes your precious payload and adds parity bytes so we can
+    recover from the inevitable bit-rot of DCT embedding.
+    """
+    if not HAS_REEDSOLO:
+        return data  # YOLO mode - no protection, good luck
+    rs = RSCodec(RS_NSYM)
+    return bytes(rs.encode(data))
+
+
+def _rs_decode(data: bytes) -> bytes:
+    """
+    Decode Reed-Solomon protected data, fixing errors along the way.
+
+    This is where the magic happens. If bits got flipped during
+    extraction, RS will quietly fix them. If too many flipped...
+    well, we tried.
+    """
+    if not HAS_REEDSOLO:
+        return data
+    rs = RSCodec(RS_NSYM)
+    try:
+        decoded, _, errata_pos = rs.decode(data)
+        if errata_pos:
+            # Errors were found and corrected - RS earned its keep today
+            pass
+        return bytes(decoded)
+    except ReedSolomonError as e:
+        # Too many errors - the image got mangled beyond repair
+        raise StegasooRSError(f"Image corrupted beyond repair: {e}") from e
+
+
+# ============================================================================
+# SAFE DCT FUNCTIONS
+# ============================================================================
+#
+# Story time: scipy's fftpack (the old DCT implementation) has memory issues
+# when you process large images. We'd get random garbage in our output, or
+# worse, segfaults. Turns out it was reusing internal buffers in unsafe ways.
+#
+# The fix? Be paranoid. Every single array operation creates a fresh copy.
+# Is it slower? Yes. Does it work? Also yes. I'll take correct over fast.
+#
+# The newer scipy.fft module is better, but we still play it safe because
+# not everyone has the latest scipy and I don't want debugging nightmares.


 def _safe_dct2(block: np.ndarray) -> np.ndarray:
    """
-    Apply 2D DCT with memory isolation.
-    Creates a completely fresh array to avoid heap corruption.
+    Apply 2D DCT (Discrete Cosine Transform) to an 8x8 block.
+
+    The DCT converts spatial data (pixel values) into frequency data
+    (how much of each frequency component is present). It's the heart
+    of JPEG compression.
+
+    We do it row-by-row and column-by-column with fresh arrays each time
+    because scipy's built-in dct2 can corrupt memory on large batches.
+    Paranoid? Yes. Necessary? Also yes.
    """
-    # Create a brand new array (not a view)
+    # Create a brand new array (not a view) - paranoia level: maximum
    safe_block = np.array(block, dtype=np.float64, copy=True, order="C")

-    # First DCT on columns (transpose -> DCT rows -> transpose back)
+    # 2D DCT = 1D DCT on rows, then 1D DCT on columns (separable transform)
+    # First pass: DCT each column
    temp = np.zeros_like(safe_block, dtype=np.float64, order="C")
    for i in range(BLOCK_SIZE):
        col = np.array(safe_block[:, i], dtype=np.float64, copy=True)
-        temp[:, i] = dct(col, norm="ortho")
+        temp[:, i] = dct(col, norm="ortho")  # ortho normalization for symmetry

-    # Second DCT on rows
+    # Second pass: DCT each row of the result
    result = np.zeros_like(temp, dtype=np.float64, order="C")
    for i in range(BLOCK_SIZE):
        row = np.array(temp[i, :], dtype=np.float64, copy=True)
@@ -198,19 +374,22 @@ def _safe_dct2(block: np.ndarray) -> np.ndarray:

 def _safe_idct2(block: np.ndarray) -> np.ndarray:
    """
-    Apply 2D inverse DCT with memory isolation.
-    Creates a completely fresh array to avoid heap corruption.
+    Apply 2D inverse DCT - convert frequency data back to pixels.
+
+    After we've embedded our secret bits in the DCT coefficients,
+    we need to convert back to pixel values. This is the reverse
+    of _safe_dct2.
+
+    Same paranoid memory handling because same paranoid developer.
    """
-    # Create a brand new array (not a view)
    safe_block = np.array(block, dtype=np.float64, copy=True, order="C")

-    # First IDCT on rows
+    # Inverse is the same idea: IDCT rows, then IDCT columns
    temp = np.zeros_like(safe_block, dtype=np.float64, order="C")
    for i in range(BLOCK_SIZE):
        row = np.array(safe_block[i, :], dtype=np.float64, copy=True)
        temp[i, :] = idct(row, norm="ortho")

-    # Second IDCT on columns
    result = np.zeros_like(temp, dtype=np.float64, order="C")
    for i in range(BLOCK_SIZE):
        col = np.array(temp[:, i], dtype=np.float64, copy=True)
@@ -270,8 +449,25 @@ def _unpad_image(image: np.ndarray, original_size: tuple[int, int]) -> np.ndarra


 def _embed_bit_in_coeff(coef: float, bit: int, quant_step: int = QUANT_STEP) -> float:
+    """
+    Embed a single bit into a DCT coefficient using QIM.
+
+    QIM (Quantization Index Modulation) is smarter than simple LSB flipping.
+    Instead of just changing the last bit, we round to a quantization grid
+    and use odd/even to encode 0/1.
+
+    Why is this better?
+    - More robust to noise (small changes don't flip the bit)
+    - Works naturally with JPEG's own quantization
+    - The change is spread across the coefficient's magnitude
+
+    Visual example (quant_step=25):
+    - Coef = 73, want bit=0 -> round to 75 (75/25=3, 3%2=1) -> nudge to 50 (50/25=2, 2%2=0)
+    - Coef = 73, want bit=1 -> round to 75 (75/25=3, 3%2=1) -> already odd, keep at 75
+    """
    quantized = round(coef / quant_step)
    if (quantized % 2) != bit:
+        # Need to flip even<->odd. Nudge in the direction that's closest.
        if quantized % 2 == 0 and bit == 1:
            quantized += 1 if coef >= quantized * quant_step else -1
        elif quantized % 2 == 1 and bit == 0:
@@ -280,13 +476,35 @@ def _embed_bit_in_coeff(coef: float, bit: int, quant_step: int = QUANT_STEP) ->


 def _extract_bit_from_coeff(coef: float, quant_step: int = QUANT_STEP) -> int:
+    """
+    Extract a bit from a DCT coefficient.
+
+    The inverse of _embed_bit_in_coeff. We round to the quantization grid
+    and check if it's odd (1) or even (0).
+
+    This is why QIM is robust: small noise in the coefficient usually
+    doesn't change which grid point we round to.
+    """
    quantized = round(coef / quant_step)
    return int(quantized % 2)


 def _generate_block_order(num_blocks: int, seed: bytes) -> list:
+    """
+    Generate a pseudo-random order for processing blocks.
+
+    This is crucial for security - if we just went left-to-right, top-to-bottom,
+    anyone could find the message by checking blocks in order. Instead, we
+    use a keyed shuffle so only someone with the same seed can find the data.
+
+    The seed comes from the crypto layer (derived from passphrase + photo + pin),
+    so the block order is effectively part of the encryption.
+    """
+    # Use SHA-256 to expand the seed into randomness
    hash_bytes = hashlib.sha256(seed).digest()
+    # Seed numpy's RNG (we use RandomState for reproducibility across versions)
    rng = np.random.RandomState(int.from_bytes(hash_bytes[:4], "big"))
+    # Fisher-Yates shuffle
    order = list(range(num_blocks))
    rng.shuffle(order)
    return order
@@ -315,14 +533,28 @@ def _save_color_image(rgb_array: np.ndarray, output_format: str = OUTPUT_FORMAT_


 def _rgb_to_ycbcr(rgb: np.ndarray) -> tuple[np.ndarray, np.ndarray, np.ndarray]:
+    """
+    Convert RGB to YCbCr color space.
+
+    YCbCr separates brightness (Y) from color (Cb=blue-ish, Cr=red-ish).
+    This is what JPEG uses internally, and it's great for us because:
+    - Human eyes are WAY more sensitive to brightness than color
+    - We can hide data in Y without it being as visible
+    - Cb/Cr are often subsampled (4:2:0) so Y has more capacity anyway
+
+    The coefficients here are from ITU-R BT.601 - the standard for video.
+    """
    R = rgb[:, :, 0].astype(np.float64)
    G = rgb[:, :, 1].astype(np.float64)
    B = rgb[:, :, 2].astype(np.float64)

+    # Y = luminance (brightness). Green contributes most because eyes are most sensitive to it.
    Y = np.array(0.299 * R + 0.587 * G + 0.114 * B, dtype=np.float64, copy=True, order="C")
+    # Cb = blue-difference chroma (centered at 128)
    Cb = np.array(
        128 - 0.168736 * R - 0.331264 * G + 0.5 * B, dtype=np.float64, copy=True, order="C"
    )
+    # Cr = red-difference chroma (centered at 128)
    Cr = np.array(
        128 + 0.5 * R - 0.418688 * G - 0.081312 * B, dtype=np.float64, copy=True, order="C"
    )
@@ -331,6 +563,12 @@ def _rgb_to_ycbcr(rgb: np.ndarray) -> tuple[np.ndarray, np.ndarray, np.ndarray]:


 def _ycbcr_to_rgb(Y: np.ndarray, Cb: np.ndarray, Cr: np.ndarray) -> np.ndarray:
+    """
+    Convert YCbCr back to RGB.
+
+    After embedding in the Y channel, we need to reconstruct RGB for display.
+    The Cb/Cr channels are unchanged - we only touched luminance.
+    """
    R = Y + 1.402 * (Cr - 128)
    G = Y - 0.344136 * (Cb - 128) - 0.714136 * (Cr - 128)
    B = Y + 1.772 * (Cb - 128)
@@ -360,7 +598,7 @@ def _parse_header(header_bits: list) -> tuple[int, int, int]:
    magic, version, flags, length = struct.unpack(">4sBBI", header_bytes)

    if magic != DCT_MAGIC:
-        raise ValueError("Invalid DCT stego magic bytes")
+        raise InvalidMagicBytesError("Not a Stegasoo image or wrong mode (try LSB instead of DCT)")

    return version, flags, length

@@ -411,7 +649,7 @@ def _jpegio_parse_header(header_bytes: bytes) -> tuple[int, int, int]:
        raise ValueError("Insufficient header data")
    magic, version, flags, length = struct.unpack(">4sBBI", header_bytes[:HEADER_SIZE])
    if magic != JPEGIO_MAGIC:
-        raise ValueError(f"Invalid JPEG stego magic: {magic}")
+        raise InvalidMagicBytesError("Not a Stegasoo JPEG or wrong mode")
    return version, flags, length


@@ -436,7 +674,17 @@ def calculate_dct_capacity(image_data: bytes) -> DCTCapacityInfo:
    bits_per_block = len(DEFAULT_EMBED_POSITIONS)
    total_bits = total_blocks * bits_per_block
    total_bytes = total_bits // 8
-    usable_bytes = max(0, total_bytes - HEADER_SIZE)
+    # Account for header and RS overhead
+    # RS format: [24-byte length prefix (3 copies)] + RS(header + data)
+    # RS adds RS_NSYM bytes per 223-byte chunk (255 - RS_NSYM = 223)
+    # Conservatively estimate RS overhead as ~15% + one chunk minimum
+    if HAS_REEDSOLO:
+        # Overhead = 24 (prefix) + 10 (header) + RS overhead
+        # Simplify: base overhead = 24 + 10 + 32 + 15% margin for larger data
+        overhead = RS_LENGTH_PREFIX_SIZE + HEADER_SIZE + RS_NSYM + 20
+    else:
+        overhead = HEADER_SIZE
+    usable_bytes = max(0, total_bytes - overhead)

    return DCTCapacityInfo(
        width=width,
@@ -496,6 +744,7 @@ def embed_in_dct(
    seed: bytes,
    output_format: str = OUTPUT_FORMAT_PNG,
    color_mode: str = "color",
+    progress_file: str | None = None,
 ) -> tuple[bytes, DCTEmbedStats]:
    """Embed data using DCT coefficient modification."""
    if output_format not in (OUTPUT_FORMAT_PNG, OUTPUT_FORMAT_JPEG):
@@ -505,10 +754,12 @@ def embed_in_dct(
        color_mode = "color"

    if output_format == OUTPUT_FORMAT_JPEG and HAS_JPEGIO:
-        return _embed_jpegio(data, carrier_image, seed, color_mode)
+        return _embed_jpegio(data, carrier_image, seed, color_mode, progress_file)

    _check_scipy()
-    return _embed_scipy_dct_safe(data, carrier_image, seed, output_format, color_mode)
+    return _embed_scipy_dct_safe(
+        data, carrier_image, seed, output_format, color_mode, progress_file
+    )


 def _embed_scipy_dct_safe(
@@ -517,6 +768,7 @@ def _embed_scipy_dct_safe(
    seed: bytes,
    output_format: str,
    color_mode: str = "color",
+    progress_file: str | None = None,
 ) -> tuple[bytes, DCTEmbedStats]:
    """
    Embed using scipy DCT with safe memory handling.
@@ -538,9 +790,20 @@ def _embed_scipy_dct_safe(

    flags = FLAG_COLOR_MODE if color_mode == "color" else 0

-    # Prepare payload bits
+    # Build raw payload (header + data)
    header = _create_header(len(data), flags)
-    payload = header + data
+    raw_payload = header + data
+
+    # Apply Reed-Solomon error correction to entire payload if available
+    if HAS_REEDSOLO:
+        rs_payload = _rs_encode(raw_payload)
+        # Format: [length_header x 3 for majority voting] + [RS-encoded payload]
+        # Each length_header is 8 bytes: 4 for raw_payload_length + 4 for rs_payload_length
+        length_header = struct.pack(">II", len(raw_payload), len(rs_payload))
+        length_prefix = length_header * RS_LENGTH_COPIES  # Repeat 3 times
+        payload = length_prefix + rs_payload
+    else:
+        payload = raw_payload
    bits = []
    for byte in payload:
        for i in range(7, -1, -1):
@@ -568,7 +831,7 @@ def _embed_scipy_dct_safe(
        gc.collect()

        # Embed in Y channel
-        Y_embedded = _embed_in_channel_safe(Y_padded, bits, block_order, blocks_x)
+        Y_embedded = _embed_in_channel_safe(Y_padded, bits, block_order, blocks_x, progress_file)
        del Y_padded
        gc.collect()

@@ -592,7 +855,7 @@ def _embed_scipy_dct_safe(
        del image
        gc.collect()

-        embedded = _embed_in_channel_safe(padded, bits, block_order, blocks_x)
+        embedded = _embed_in_channel_safe(padded, bits, block_order, blocks_x, progress_file)
        del padded
        gc.collect()

@@ -625,6 +888,7 @@ def _embed_in_channel_safe(
    bits: list,
    block_order: list,
    blocks_x: int,
+    progress_file: str | None = None,
 ) -> np.ndarray:
    """
    Embed bits in channel using safe DCT operations.
@@ -637,8 +901,9 @@ def _embed_in_channel_safe(
    result = np.array(channel, dtype=np.float64, copy=True, order="C")

    bit_idx = 0
+    total_blocks = len(block_order)

-    for block_num in block_order:
+    for block_idx, block_num in enumerate(block_order):
        if bit_idx >= len(bits):
            break

@@ -674,6 +939,14 @@ def _embed_in_channel_safe(
        # Clean up this iteration
        del block, dct_block, modified_block

+        # Report progress periodically
+        if progress_file and block_idx % PROGRESS_INTERVAL == 0:
+            _write_progress(progress_file, block_idx, total_blocks, "embedding")
+
+    # Final progress update
+    if progress_file:
+        _write_progress(progress_file, total_blocks, total_blocks, "finalizing")
+
    # Force garbage collection
    gc.collect()

@@ -730,6 +1003,7 @@ def _embed_jpegio(
    carrier_image: bytes,
    seed: bytes,
    color_mode: str = "color",
+    progress_file: str | None = None,
 ) -> tuple[bytes, DCTEmbedStats]:
    """Embed using jpegio for proper JPEG coefficient modification."""
    import os
@@ -761,8 +1035,19 @@ def _embed_jpegio(
        all_positions = _jpegio_get_usable_positions(coef_array)
        order = _jpegio_generate_order(len(all_positions), seed)

+        # Build raw payload (header + data)
        header = _jpegio_create_header(len(data), flags)
-        payload = header + data
+        raw_payload = header + data
+
+        # Apply Reed-Solomon error correction to entire payload if available
+        if HAS_REEDSOLO:
+            rs_payload = _rs_encode(raw_payload)
+            # Format: [length_header x 3 for majority voting] + [RS-encoded payload]
+            length_header = struct.pack(">II", len(raw_payload), len(rs_payload))
+            length_prefix = length_header * RS_LENGTH_COPIES
+            payload = length_prefix + rs_payload
+        else:
+            payload = raw_payload

        bits = []
        for byte in payload:
@@ -776,6 +1061,9 @@ def _embed_jpegio(
            )

        coefs_used = 0
+        total_bits = len(bits)
+        progress_interval = max(total_bits // 20, 100)  # Report ~20 times or every 100 bits
+
        for bit_idx, pos_idx in enumerate(order):
            if bit_idx >= len(bits):
                break
@@ -791,6 +1079,14 @@ def _embed_jpegio(

            coefs_used += 1

+            # Report progress periodically
+            if progress_file and bit_idx % progress_interval == 0:
+                _write_progress(progress_file, bit_idx, total_bits, "embedding")
+
+        # Final progress before save
+        if progress_file:
+            _write_progress(progress_file, total_bits, total_bits, "saving")
+
        jio.write(jpeg, output_path)

        with open(output_path, "rb") as f:
@@ -851,9 +1147,12 @@ def _extract_scipy_dct_safe(stego_image: bytes, seed: bytes) -> bytes:
    del channel
    gc.collect()

-    h, w = padded.shape
-    blocks_x = w // BLOCK_SIZE
-    num_blocks = (h // BLOCK_SIZE) * blocks_x
+    # Use ORIGINAL image dimensions for block calculations (must match embed)
+    # Embed uses width // BLOCK_SIZE, not padded width
+    h, w = padded.shape  # Padded dimensions for bounds checking
+    blocks_x = width // BLOCK_SIZE
+    blocks_y = height // BLOCK_SIZE
+    num_blocks = blocks_y * blocks_x

    block_order = _generate_block_order(num_blocks, seed)

@@ -883,12 +1182,80 @@ def _extract_scipy_dct_safe(stego_image: bytes, seed: bytes) -> bytes:
                total_needed = (HEADER_SIZE + data_length) * 8
                if len(all_bits) >= total_needed:
                    break
-            except ValueError:
-                pass
+            except (ValueError, InvalidMagicBytesError):
+                pass  # RS-protected format has length prefix first, not magic bytes

    del padded
    gc.collect()

+    # Try RS-protected format first (has 24-byte length prefix: 3 copies of 8-byte header)
+    if HAS_REEDSOLO and len(all_bits) >= RS_LENGTH_PREFIX_SIZE * 8:
+        # Extract length prefix (24 bytes: 3 copies of 8-byte header for majority voting)
+        length_prefix_bits = all_bits[: RS_LENGTH_PREFIX_SIZE * 8]
+        length_prefix_bytes = bytes(
+            [
+                sum(length_prefix_bits[i * 8 : (i + 1) * 8][j] << (7 - j) for j in range(8))
+                for i in range(RS_LENGTH_PREFIX_SIZE)
+            ]
+        )
+
+        # Extract 3 copies and use majority voting
+        copies = []
+        for i in range(RS_LENGTH_COPIES):
+            start = i * RS_LENGTH_HEADER_SIZE
+            end = start + RS_LENGTH_HEADER_SIZE
+            copies.append(length_prefix_bytes[start:end])
+
+        # Count occurrences of each unique copy
+        from collections import Counter
+
+        counter = Counter(copies)
+        best_header, count = counter.most_common(1)[0]
+
+        # Only proceed if we have at least 2 matching copies (majority)
+        if count >= 2:
+            raw_payload_length, rs_encoded_length = struct.unpack(">II", best_header)
+        else:
+            # No majority - try first copy as fallback
+            raw_payload_length, rs_encoded_length = struct.unpack(">II", copies[0])
+
+        # Sanity check: both lengths should be reasonable
+        max_reasonable = (len(all_bits) // 8) - RS_LENGTH_PREFIX_SIZE
+        if (
+            raw_payload_length > 0
+            and raw_payload_length <= max_reasonable
+            and rs_encoded_length > 0
+            and rs_encoded_length <= max_reasonable
+            and rs_encoded_length >= raw_payload_length
+        ):
+            # This looks like RS-protected format
+            total_bits_needed = (RS_LENGTH_PREFIX_SIZE + rs_encoded_length) * 8
+
+            if len(all_bits) >= total_bits_needed:
+                rs_bits = all_bits[RS_LENGTH_PREFIX_SIZE * 8 : total_bits_needed]
+                rs_encoded = bytes(
+                    [
+                        sum(rs_bits[i * 8 : (i + 1) * 8][j] << (7 - j) for j in range(8))
+                        for i in range(rs_encoded_length)
+                    ]
+                )
+
+                try:
+                    # RS decode to get header + data
+                    raw_payload = _rs_decode(rs_encoded)
+
+                    # Parse header from decoded payload
+                    _, flags, data_length = _parse_header(
+                        [((raw_payload[i // 8] >> (7 - i % 8)) & 1) for i in range(HEADER_SIZE * 8)]
+                    )
+
+                    # Extract data
+                    data = raw_payload[HEADER_SIZE : HEADER_SIZE + data_length]
+                    return data
+                except (ValueError, struct.error):
+                    pass  # Fall through to legacy format
+
+    # Legacy format: header not protected by RS
    _, flags, data_length = _parse_header(all_bits)
    data_bits = all_bits[HEADER_SIZE * 8 : (HEADER_SIZE + data_length) * 8]

@@ -919,6 +1286,77 @@ def _extract_jpegio(stego_image: bytes, seed: bytes) -> bytes:
        all_positions = _jpegio_get_usable_positions(coef_array)
        order = _jpegio_generate_order(len(all_positions), seed)

+        # Try RS-protected format first (has 24-byte length prefix: 3 copies for majority voting)
+        if HAS_REEDSOLO and len(all_positions) >= RS_LENGTH_PREFIX_SIZE * 8:
+            # Extract length prefix (24 bytes: 3 copies of 8-byte header)
+            length_prefix_bits = []
+            for pos_idx in order[: RS_LENGTH_PREFIX_SIZE * 8]:
+                row, col = all_positions[pos_idx]
+                coef = coef_array[row, col]
+                length_prefix_bits.append(coef & 1)
+
+            length_prefix_bytes = bytes(
+                [
+                    sum(length_prefix_bits[i * 8 : (i + 1) * 8][j] << (7 - j) for j in range(8))
+                    for i in range(RS_LENGTH_PREFIX_SIZE)
+                ]
+            )
+
+            # Extract 3 copies and use majority voting
+            from collections import Counter
+
+            copies = []
+            for i in range(RS_LENGTH_COPIES):
+                start = i * RS_LENGTH_HEADER_SIZE
+                end = start + RS_LENGTH_HEADER_SIZE
+                copies.append(length_prefix_bytes[start:end])
+
+            counter = Counter(copies)
+            best_header, count = counter.most_common(1)[0]
+
+            if count >= 2:
+                raw_payload_length, rs_encoded_length = struct.unpack(">II", best_header)
+            else:
+                raw_payload_length, rs_encoded_length = struct.unpack(">II", copies[0])
+
+            # Sanity check
+            max_reasonable = (len(all_positions) // 8) - RS_LENGTH_PREFIX_SIZE
+            if (
+                raw_payload_length > 0
+                and raw_payload_length <= max_reasonable
+                and rs_encoded_length > 0
+                and rs_encoded_length <= max_reasonable
+                and rs_encoded_length >= raw_payload_length
+            ):
+                total_bits_needed = (RS_LENGTH_PREFIX_SIZE + rs_encoded_length) * 8
+
+                if len(all_positions) >= total_bits_needed:
+                    # Extract RS-encoded data
+                    all_bits = []
+                    for bit_idx, pos_idx in enumerate(order):
+                        if bit_idx >= total_bits_needed:
+                            break
+                        row, col = all_positions[pos_idx]
+                        coef = coef_array[row, col]
+                        all_bits.append(coef & 1)
+
+                    rs_bits = all_bits[RS_LENGTH_PREFIX_SIZE * 8 :]
+                    rs_encoded = bytes(
+                        [
+                            sum(rs_bits[i * 8 : (i + 1) * 8][j] << (7 - j) for j in range(8))
+                            for i in range(rs_encoded_length)
+                        ]
+                    )
+
+                    try:
+                        raw_payload = _rs_decode(rs_encoded)
+                        _, flags, data_length = _jpegio_parse_header(raw_payload[:HEADER_SIZE])
+                        data = raw_payload[HEADER_SIZE : HEADER_SIZE + data_length]
+                        return data
+                    except (ValueError, struct.error):
+                        pass  # Fall through to legacy format
+
+        # Legacy format: header not protected by RS
        header_bits = []
        for pos_idx in order[: HEADER_SIZE * 8]:
            row, col = all_positions[pos_idx]
@@ -933,7 +1371,6 @@ def _extract_jpegio(stego_image: bytes, seed: bytes) -> bytes:
        )

        _, flags, data_length = _jpegio_parse_header(header_bytes)
-
        total_bits_needed = (HEADER_SIZE + data_length) * 8

        all_bits = []
@@ -945,7 +1382,6 @@ def _extract_jpegio(stego_image: bytes, seed: bytes) -> bytes:
            all_bits.append(coef & 1)

        data_bits = all_bits[HEADER_SIZE * 8 :]
-
        data = bytes(
            [
                sum(data_bits[i * 8 : (i + 1) * 8][j] << (7 - j) for j in range(8))
--- a/src/stegasoo/encode.py
+++ b/src/stegasoo/encode.py
@@ -35,8 +35,9 @@ def encode(
    output_format: str | None = None,
    embed_mode: str = EMBED_MODE_LSB,
    dct_output_format: str = "png",
-    dct_color_mode: str = "grayscale",
+    dct_color_mode: str = "color",
    channel_key: str | bool | None = None,
+    progress_file: str | None = None,
 ) -> EncodeResult:
    """
    Encode a message or file into an image.
@@ -118,6 +119,7 @@ def encode(
        embed_mode=embed_mode,
        dct_output_format=dct_output_format,
        dct_color_mode=dct_color_mode,
+        progress_file=progress_file,
    )

    # Generate filename
@@ -158,7 +160,7 @@ def encode_file(
    filename_override: str | None = None,
    embed_mode: str = EMBED_MODE_LSB,
    dct_output_format: str = "png",
-    dct_color_mode: str = "grayscale",
+    dct_color_mode: str = "color",
    channel_key: str | bool | None = None,
 ) -> EncodeResult:
    """
@@ -215,7 +217,7 @@ def encode_bytes(
    mime_type: str | None = None,
    embed_mode: str = EMBED_MODE_LSB,
    dct_output_format: str = "png",
-    dct_color_mode: str = "grayscale",
+    dct_color_mode: str = "color",
    channel_key: str | bool | None = None,
 ) -> EncodeResult:
    """
--- a/src/stegasoo/exceptions.py
+++ b/src/stegasoo/exceptions.py
@@ -133,6 +133,30 @@ class InvalidHeaderError(SteganographyError):
    pass


+class InvalidMagicBytesError(SteganographyError):
+    """Magic bytes don't match - not a Stegasoo image or wrong mode."""
+
+    pass
+
+
+class ReedSolomonError(SteganographyError):
+    """Reed-Solomon error correction failed - image too corrupted."""
+
+    pass
+
+
+class NoDataFoundError(SteganographyError):
+    """No hidden data found in image."""
+
+    pass
+
+
+class ModeMismatchError(SteganographyError):
+    """Wrong steganography mode (LSB vs DCT)."""
+
+    pass
+
+
 # ============================================================================
 # FILE ERRORS
 # ============================================================================
--- a/src/stegasoo/recovery.py
+++ b/src/stegasoo/recovery.py
@@ -0,0 +1,453 @@
+"""
+Stegasoo Admin Recovery Module (v4.1.0)
+
+Generates and manages recovery keys for admin password reset.
+
+Recovery keys use the same format as channel keys (32 alphanumeric chars
+with dashes) but serve a different purpose - they allow resetting the
+admin password when locked out.
+
+Security model:
+- Recovery key is generated once during setup
+- Only the hash is stored in the database
+- The actual key is shown once and must be saved by the user
+- Key can reset any admin account's password
+- No recovery key = no password reset possible (most secure)
+
+Usage:
+    # During setup - generate and show to user
+    key = generate_recovery_key()
+    key_hash = hash_recovery_key(key)
+    # Store key_hash in database, show key to user
+
+    # During recovery - verify user's key
+    if verify_recovery_key(user_input, stored_hash):
+        # Allow password reset
+"""
+
+import base64
+import hashlib
+import secrets
+from io import BytesIO
+
+from .constants import RECOVERY_OBFUSCATION_KEY
+from .debug import debug
+
+
+def _xor_bytes(data: bytes, key: bytes) -> bytes:
+    """XOR data with repeating key."""
+    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
+
+
+def obfuscate_key(key: str) -> str:
+    """
+    Obfuscate a recovery key for QR encoding.
+
+    XORs the key with magic header hash and base64 encodes.
+    Result looks like random gibberish when scanned.
+
+    Args:
+        key: Plain recovery key (formatted or normalized)
+
+    Returns:
+        Obfuscated string prefixed with "STEGO:" marker
+    """
+    normalized = normalize_recovery_key(key)
+    key_bytes = normalized.encode("utf-8")
+    xored = _xor_bytes(key_bytes, RECOVERY_OBFUSCATION_KEY)
+    encoded = base64.b64encode(xored).decode("ascii")
+    return f"STEGO:{encoded}"
+
+
+def deobfuscate_key(obfuscated: str) -> str | None:
+    """
+    Deobfuscate a recovery key from QR data.
+
+    Reverses the obfuscation process.
+
+    Args:
+        obfuscated: Obfuscated string from QR scan
+
+    Returns:
+        Formatted recovery key, or None if invalid
+    """
+    if not obfuscated.startswith("STEGO:"):
+        # Not obfuscated - try as plain key
+        try:
+            return format_recovery_key(obfuscated)
+        except ValueError:
+            return None
+
+    try:
+        encoded = obfuscated[6:]  # Strip "STEGO:" prefix
+        xored = base64.b64decode(encoded)
+        key_bytes = _xor_bytes(xored, RECOVERY_OBFUSCATION_KEY)
+        normalized = key_bytes.decode("utf-8")
+        return format_recovery_key(normalized)
+    except Exception:
+        return None
+
+
+# =============================================================================
+# STEGO BACKUP - Hide recovery key in an image using Stegasoo itself
+# =============================================================================
+
+# Fixed credentials for recovery key stego (internal, not user-facing)
+# These are hardcoded - security is in the obscurity of the stego image
+_RECOVERY_STEGO_PASSPHRASE = "stegasoo-recovery-v1"
+_RECOVERY_STEGO_PIN = "314159"  # Pi digits - fixed, not secret
+
+# Size limits for carrier image
+STEGO_BACKUP_MIN_SIZE = 50 * 1024      # 50 KB
+STEGO_BACKUP_MAX_SIZE = 2 * 1024 * 1024  # 2 MB
+
+
+def create_stego_backup(
+    recovery_key: str,
+    carrier_image: bytes,
+) -> bytes:
+    """
+    Hide recovery key in an image using Stegasoo steganography.
+
+    Uses the same image as both carrier and reference for simplicity.
+    Fixed internal passphrase, no PIN required - obscurity is the security.
+
+    Args:
+        recovery_key: The recovery key to hide
+        carrier_image: JPEG image bytes (50KB-2MB, used as carrier AND reference)
+
+    Returns:
+        PNG image with hidden recovery key
+
+    Raises:
+        ValueError: If image size out of range or invalid format
+    """
+    from .encode import encode
+
+    # Validate image size
+    size = len(carrier_image)
+    if size < STEGO_BACKUP_MIN_SIZE:
+        raise ValueError(f"Image too small: {size // 1024}KB (min 50KB)")
+    if size > STEGO_BACKUP_MAX_SIZE:
+        raise ValueError(f"Image too large: {size // 1024}KB (max 2MB)")
+
+    # Normalize key for embedding
+    formatted_key = format_recovery_key(recovery_key)
+
+    # Encode using Stegasoo - same image as carrier and reference
+    result = encode(
+        message=formatted_key,
+        reference_photo=carrier_image,  # Same image for simplicity
+        carrier_image=carrier_image,
+        passphrase=_RECOVERY_STEGO_PASSPHRASE,
+        pin=_RECOVERY_STEGO_PIN,
+    )
+
+    debug.print(f"Created stego backup: {len(result.stego_image)} bytes")
+    return result.stego_image
+
+
+def extract_stego_backup(
+    stego_image: bytes,
+    reference_photo: bytes,
+) -> str | None:
+    """
+    Extract recovery key from a stego backup image.
+
+    Args:
+        stego_image: The stego image containing hidden key
+        reference_photo: Original reference photo (same as was used for carrier)
+
+    Returns:
+        Extracted recovery key (formatted), or None if extraction fails
+    """
+    from .decode import decode
+    from .exceptions import DecryptionError
+
+    try:
+        result = decode(
+            stego_image=stego_image,
+            reference_photo=reference_photo,
+            passphrase=_RECOVERY_STEGO_PASSPHRASE,
+            pin=_RECOVERY_STEGO_PIN,
+        )
+
+        # Validate it's a proper recovery key
+        extracted = result.message or ""
+        formatted = format_recovery_key(extracted)
+        debug.print(f"Extracted recovery key from stego: {get_recovery_fingerprint(formatted)}")
+        return formatted
+
+    except (DecryptionError, ValueError) as e:
+        debug.print(f"Stego backup extraction failed: {e}")
+        return None
+
+# Recovery key format: same as channel key (32 chars, 8 groups of 4)
+RECOVERY_KEY_LENGTH = 32
+RECOVERY_KEY_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+
+def generate_recovery_key() -> str:
+    """
+    Generate a new random recovery key.
+
+    Format: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
+    (32 alphanumeric characters with dashes)
+
+    Returns:
+        Formatted recovery key string
+
+    Example:
+        >>> key = generate_recovery_key()
+        >>> len(key)
+        39
+        >>> key.count('-')
+        7
+    """
+    # Generate 32 random alphanumeric characters
+    raw_key = "".join(
+        secrets.choice(RECOVERY_KEY_ALPHABET)
+        for _ in range(RECOVERY_KEY_LENGTH)
+    )
+
+    # Format with dashes every 4 characters
+    formatted = "-".join(
+        raw_key[i:i + 4]
+        for i in range(0, RECOVERY_KEY_LENGTH, 4)
+    )
+
+    debug.print(f"Generated recovery key: {formatted[:4]}-••••-...-{formatted[-4:]}")
+    return formatted
+
+
+def normalize_recovery_key(key: str) -> str:
+    """
+    Normalize a recovery key for validation/hashing.
+
+    Removes dashes, spaces, converts to uppercase.
+
+    Args:
+        key: Raw key input (may have dashes, spaces, mixed case)
+
+    Returns:
+        Normalized key (32 uppercase alphanumeric chars)
+
+    Raises:
+        ValueError: If key has invalid length or characters
+
+    Example:
+        >>> normalize_recovery_key("abcd-1234-efgh-5678-ijkl-9012-mnop-3456")
+        "ABCD1234EFGH5678IJKL9012MNOP3456"
+    """
+    # Remove dashes and spaces, uppercase
+    clean = key.replace("-", "").replace(" ", "").upper()
+
+    # Validate length
+    if len(clean) != RECOVERY_KEY_LENGTH:
+        raise ValueError(
+            f"Recovery key must be {RECOVERY_KEY_LENGTH} characters "
+            f"(got {len(clean)})"
+        )
+
+    # Validate characters
+    if not all(c in RECOVERY_KEY_ALPHABET for c in clean):
+        raise ValueError(
+            "Recovery key must contain only letters A-Z and digits 0-9"
+        )
+
+    return clean
+
+
+def format_recovery_key(key: str) -> str:
+    """
+    Format a recovery key with dashes for display.
+
+    Args:
+        key: Raw or normalized key
+
+    Returns:
+        Formatted key (XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX)
+
+    Example:
+        >>> format_recovery_key("ABCD1234EFGH5678IJKL9012MNOP3456")
+        "ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456"
+    """
+    clean = normalize_recovery_key(key)
+    return "-".join(clean[i:i + 4] for i in range(0, RECOVERY_KEY_LENGTH, 4))
+
+
+def hash_recovery_key(key: str) -> str:
+    """
+    Hash a recovery key for secure storage.
+
+    Uses SHA-256 with a fixed salt prefix. The hash is stored in the
+    database; the original key is never stored.
+
+    Args:
+        key: Recovery key (formatted or raw)
+
+    Returns:
+        Hex-encoded hash string (64 chars)
+
+    Example:
+        >>> key = "ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456"
+        >>> len(hash_recovery_key(key))
+        64
+    """
+    clean = normalize_recovery_key(key)
+
+    # Use a fixed salt prefix for recovery keys
+    # This differentiates from other hashes in the system
+    salted = f"stegasoo-recovery-v1:{clean}"
+
+    hash_bytes = hashlib.sha256(salted.encode("utf-8")).digest()
+    hash_hex = hash_bytes.hex()
+
+    debug.print(f"Hashed recovery key: {hash_hex[:8]}...")
+    return hash_hex
+
+
+def verify_recovery_key(key: str, stored_hash: str) -> bool:
+    """
+    Verify a recovery key against a stored hash.
+
+    Args:
+        key: User-provided recovery key
+        stored_hash: Hash from database
+
+    Returns:
+        True if key matches, False otherwise
+
+    Example:
+        >>> key = generate_recovery_key()
+        >>> h = hash_recovery_key(key)
+        >>> verify_recovery_key(key, h)
+        True
+        >>> verify_recovery_key("WRONG-KEY!", h)
+        False
+    """
+    try:
+        computed_hash = hash_recovery_key(key)
+        # Use constant-time comparison to prevent timing attacks
+        matches = secrets.compare_digest(computed_hash, stored_hash)
+        debug.print(f"Recovery key verification: {'success' if matches else 'failed'}")
+        return matches
+    except ValueError:
+        # Invalid key format
+        debug.print("Recovery key verification: invalid format")
+        return False
+
+
+def get_recovery_fingerprint(key: str) -> str:
+    """
+    Get a short fingerprint for display (first and last 4 chars).
+
+    Args:
+        key: Recovery key
+
+    Returns:
+        Fingerprint like "ABCD-••••-...-3456"
+
+    Example:
+        >>> get_recovery_fingerprint("ABCD-1234-EFGH-5678-IJKL-9012-MNOP-3456")
+        "ABCD-••••-••••-••••-••••-••••-••••-3456"
+    """
+    formatted = format_recovery_key(key)
+    parts = formatted.split("-")
+    masked = [parts[0]] + ["••••"] * 6 + [parts[-1]]
+    return "-".join(masked)
+
+
+def generate_recovery_qr(key: str) -> bytes:
+    """
+    Generate a QR code image for the recovery key.
+
+    The key is obfuscated using XOR with Stegasoo's magic headers,
+    so scanning the QR shows gibberish instead of the actual key.
+
+    Args:
+        key: Recovery key
+
+    Returns:
+        PNG image bytes
+
+    Raises:
+        ImportError: If qrcode library not available
+
+    Example:
+        >>> key = generate_recovery_key()
+        >>> png_bytes = generate_recovery_qr(key)
+        >>> len(png_bytes) > 0
+        True
+    """
+    try:
+        import qrcode
+    except ImportError:
+        raise ImportError("qrcode library required: pip install qrcode[pil]")
+
+    # Obfuscate so scanning shows gibberish, not the actual key
+    obfuscated = obfuscate_key(key)
+
+    qr = qrcode.QRCode(
+        version=1,
+        error_correction=qrcode.constants.ERROR_CORRECT_M,
+        box_size=10,
+        border=4,
+    )
+    qr.add_data(obfuscated)
+    qr.make(fit=True)
+
+    img = qr.make_image(fill_color="black", back_color="white")
+
+    buffer = BytesIO()
+    img.save(buffer, format="PNG")
+    buffer.seek(0)
+
+    debug.print(f"Generated recovery QR (obfuscated): {len(buffer.getvalue())} bytes")
+    return buffer.getvalue()
+
+
+def extract_key_from_qr(image_data: bytes) -> str | None:
+    """
+    Extract recovery key from a QR code image.
+
+    Handles both obfuscated (STEGO:...) and plain key formats.
+
+    Args:
+        image_data: PNG/JPEG image bytes containing QR code
+
+    Returns:
+        Extracted and validated recovery key, or None if not found/invalid
+
+    Example:
+        >>> key = generate_recovery_key()
+        >>> qr = generate_recovery_qr(key)
+        >>> extract_key_from_qr(qr) == format_recovery_key(key)
+        True
+    """
+    try:
+        from PIL import Image
+        from pyzbar import pyzbar
+    except ImportError:
+        debug.print("pyzbar/PIL not available for QR reading")
+        return None
+
+    try:
+        img = Image.open(BytesIO(image_data))
+        decoded = pyzbar.decode(img)
+
+        for obj in decoded:
+            data = obj.data.decode("utf-8").strip()
+
+            # Try deobfuscation first (handles both obfuscated and plain)
+            result = deobfuscate_key(data)
+            if result:
+                debug.print(f"Extracted recovery key from QR: {get_recovery_fingerprint(result)}")
+                return result
+
+        debug.print("No valid recovery key found in QR")
+        return None
+
+    except Exception as e:
+        debug.print(f"QR extraction error: {e}")
+        return None
--- a/src/stegasoo/steganography.py
+++ b/src/stegasoo/steganography.py
@@ -1,21 +1,27 @@
 """
 Stegasoo Steganography Functions (v3.2.0)

-LSB and DCT embedding modes with pseudo-random pixel/coefficient selection.
+This is the core embedding/extraction module. Two modes available:

-Changes in v3.0:
- DCT domain embedding mode (requires scipy)
- embed_mode parameter for encode/decode
- Auto-detection of embedding mode
- Comparison utilities
+LSB (Least Significant Bit) Mode:
+- Classic steganography technique - hide bits in the least significant bit of pixel values
+- Works on any image, outputs lossless PNG/BMP
+- Higher capacity than DCT, but destroyed by JPEG compression
+- Great for: high-capacity needs, lossless workflows

-Changes in v3.0.1:
- dct_output_format parameter for DCT mode ('png' or 'jpeg')
- dct_color_mode parameter for DCT mode ('grayscale' or 'color')
+DCT Mode (see dct_steganography.py):
+- Hides data in frequency-domain coefficients
+- Survives some image processing, works with JPEG
+- Lower capacity but more robust
+- Great for: JPEG images, robustness needs

-Changes in v3.2.0:
- Fixed HEADER_OVERHEAD constant (65 bytes, not 104 - date field removed)
- Updated ENCRYPTION_OVERHEAD calculation
+Both modes use pseudo-random pixel/coefficient selection based on a key.
+Without the key, you don't know where to look - security through obscurity
+PLUS actual encryption of the payload.
+
+v3.0: Added DCT mode with scipy
+v3.0.1: DCT output format options (PNG/JPEG, grayscale/color)
+v3.2.0: Fixed overhead calculations after removing date field
 """

 import io
@@ -39,6 +45,31 @@ from .debug import debug
 from .exceptions import CapacityError, EmbeddingError
 from .models import EmbedStats, FilePayload

+# Progress reporting interval
+PROGRESS_INTERVAL = 1000  # Write every N pixels for LSB
+
+
+def _write_progress(progress_file: str | None, current: int, total: int, phase: str = "embedding"):
+    """Write progress to file for frontend polling."""
+    if progress_file is None:
+        return
+    try:
+        import json
+
+        with open(progress_file, "w") as f:
+            json.dump(
+                {
+                    "current": current,
+                    "total": total,
+                    "percent": round((current / total) * 100, 1) if total > 0 else 0,
+                    "phase": phase,
+                },
+                f,
+            )
+    except Exception:
+        pass  # Don't let progress writing break encoding
+
+
 # Lossless formats that preserve LSB data
 LOSSLESS_FORMATS = {"PNG", "BMP", "TIFF"}

@@ -58,24 +89,31 @@ EXT_TO_FORMAT = {
 }

 # =============================================================================
-# OVERHEAD CONSTANTS (v4.0.0 - Updated for channel key support)
+# OVERHEAD CONSTANTS
 # =============================================================================
-# v4.0.0 Header format (with flags byte for channel key indicator):
-#   Magic:   4 bytes  (\x89ST3)
-#   Version: 1 byte   (5 for v4.0.0)
-#   Flags:   1 byte   (bit 0 = has channel key)
-#   Salt:    32 bytes
-#   IV:      12 bytes
-#   Tag:     16 bytes
-#   -----------------
-#   Total:   66 bytes
 #
-# v3.2.0 had 65 bytes (no flags byte)
-# v3.1.0 had date field (10 bytes + 1 byte length) = 76 bytes header
+# Every stego image has some overhead before the actual payload:
+#
+# The encrypted message format (v4.0.0):
+# ┌─────────────────────────────────────────────────────────────────┐
+# │ \x89ST3 │ v5 │ flags │  salt (32)  │  iv (12)  │  tag (16)  │ ... │
+# │ magic  │ ver│       │             │           │            │ data│
+# └─────────────────────────────────────────────────────────────────┘
+#   4 bytes  1    1         32            12           16         var
+#
+# Plus LSB embedding adds a 4-byte length prefix so we know where to stop.
+#
+# History of overhead sizes (in case you're debugging old images):
+# - v3.1.0: 76 bytes (had date field - 10+1 bytes)
+# - v3.2.0: 65 bytes (removed date, simpler)
+# - v4.0.0: 66 bytes (added flags byte for channel key)

-HEADER_OVERHEAD = 66  # v4.0.0: Magic + version + flags + salt + iv + tag
-LENGTH_PREFIX = 4  # 4 bytes for payload length in LSB embedding
-ENCRYPTION_OVERHEAD = HEADER_OVERHEAD + LENGTH_PREFIX  # 70 bytes total
+HEADER_OVERHEAD = 66  # What the crypto layer adds to any message
+LENGTH_PREFIX = 4     # We prepend the payload length for LSB extraction
+ENCRYPTION_OVERHEAD = HEADER_OVERHEAD + LENGTH_PREFIX  # Total: 70 bytes
+
+# That 70 bytes is your minimum image capacity requirement.
+# A tiny 100x100 image gives you ~3750 bytes capacity, minus 70 = ~3680 usable.

 # DCT output format options (v3.0.1)
 DCT_OUTPUT_PNG = "png"
@@ -431,6 +469,20 @@ def compare_modes(image_data: bytes) -> dict:
 # =============================================================================
 # PIXEL INDEX GENERATION
 # =============================================================================
+#
+# The key insight: we don't hide data in sequential pixels (that's easy to find).
+# Instead, we scatter the data across pseudo-random pixel locations.
+#
+# The pixel selection key (derived from passphrase + photo + pin) determines
+# WHICH pixels get modified. Without the key, an attacker would have to:
+# 1. Know we're using LSB steganography
+# 2. Try every possible subset of pixels
+# 3. Decrypt the result (which they also can't do without the key)
+#
+# We use ChaCha20 as a CSPRNG (Cryptographically Secure PRNG). It's:
+# - Fast (faster than AES-CTR on most CPUs)
+# - Deterministic (same key = same sequence, needed for extraction)
+# - Secure (can't predict the sequence without the key)


@debug.time
@@ -438,8 +490,13 @@ def generate_pixel_indices(key: bytes, num_pixels: int, num_needed: int) -> list
    """
    Generate pseudo-random pixel indices for embedding.

-    Uses ChaCha20 as a CSPRNG seeded by the key to deterministically
-    select which pixels will hold hidden data.
+    This is the "where do we hide the bits?" function. We use ChaCha20
+    to generate a deterministic sequence of pixel indices that only
+    someone with the same key can reproduce.
+
+    Two strategies based on how much of the image we're using:
+    - >= 50% capacity: Full Fisher-Yates shuffle (sample without replacement)
+    - < 50% capacity: Direct random sampling (faster, same result)
    """
    debug.validate(len(key) == 32, f"Pixel key must be 32 bytes, got {len(key)}")
    debug.validate(num_pixels > 0, f"Number of pixels must be positive, got {num_pixels}")
@@ -450,6 +507,8 @@ def generate_pixel_indices(key: bytes, num_pixels: int, num_needed: int) -> list

    debug.print(f"Generating {num_needed} pixel indices from {num_pixels} total pixels")

+    # Strategy 1: Full shuffle when we need a lot of pixels
+    # Fisher-Yates shuffle is O(n) and gives us perfect random sampling
    if num_needed >= num_pixels // 2:
        debug.print(f"Using full shuffle (needed {num_needed}/{num_pixels} pixels)")
        nonce = b"\x00" * 16
@@ -457,8 +516,10 @@ def generate_pixel_indices(key: bytes, num_pixels: int, num_needed: int) -> list
        encryptor = cipher.encryptor()

        indices = list(range(num_pixels))
+        # Get enough random bytes to do the shuffle
        random_bytes = encryptor.update(b"\x00" * (num_pixels * 4))

+        # Fisher-Yates shuffle - swap each element with a random earlier element
        for i in range(num_pixels - 1, 0, -1):
            j_bytes = random_bytes[(num_pixels - 1 - i) * 4 : (num_pixels - i) * 4]
            j = int.from_bytes(j_bytes, "big") % (i + 1)
@@ -468,14 +529,17 @@ def generate_pixel_indices(key: bytes, num_pixels: int, num_needed: int) -> list
        debug.print(f"Generated {len(selected)} indices via shuffle")
        return selected

+    # Strategy 2: Direct sampling when we need fewer pixels
+    # Generate random indices until we have enough unique ones
    debug.print(f"Using optimized selection (needed {num_needed}/{num_pixels} pixels)")
    selected = []
-    used = set()
+    used = set()  # Track which pixels we've already picked

    nonce = b"\x00" * 16
    cipher = Cipher(algorithms.ChaCha20(key, nonce), mode=None, backend=default_backend())
    encryptor = cipher.encryptor()

+    # Pre-generate 2x the bytes we think we'll need (for collision handling)
    bytes_needed = (num_needed * 2) * 4
    random_bytes = encryptor.update(b"\x00" * bytes_needed)

@@ -489,8 +553,9 @@ def generate_pixel_indices(key: bytes, num_pixels: int, num_needed: int) -> list
            used.add(idx)
            selected.append(idx)
        else:
-            collisions += 1
+            collisions += 1  # Birthday paradox in action

+    # Edge case: ran out of pre-generated bytes (very high collision rate)
    if len(selected) < num_needed:
        debug.print(f"Need {num_needed - len(selected)} more indices, generating...")
        extra_needed = num_needed - len(selected)
@@ -514,6 +579,23 @@ def generate_pixel_indices(key: bytes, num_pixels: int, num_needed: int) -> list
 # =============================================================================
 # EMBEDDING FUNCTIONS
 # =============================================================================
+#
+# The actual bit-hiding magic happens here. LSB embedding is conceptually simple:
+#
+# Original pixel RGB: (142, 87, 201)
+# In binary:          (10001110, 01010111, 11001001)
+#                                      ^       ^       ^
+#                      These are the LSBs (least significant bits)
+#
+# To hide the bits [1, 0, 1]:
+# Modified pixel RGB: (10001111, 01010110, 11001001) = (143, 86, 201)
+#                                      ^       ^       ^
+#                      Changed!     Changed!  Already 1, no change needed
+#
+# The human eye can't see the difference between 142 and 143.
+# But we've hidden 3 bits of secret data in one pixel.
+#
+# With a 1000x1000 image: 1 million pixels * 3 channels = 3 million bits = 375 KB!


@debug.time
@@ -525,7 +607,8 @@ def embed_in_image(
    output_format: str | None = None,
    embed_mode: str = EMBED_MODE_LSB,
    dct_output_format: str = DCT_OUTPUT_PNG,
-    dct_color_mode: str = "grayscale",
+    dct_color_mode: str = "color",
+    progress_file: str | None = None,
 ) -> tuple[bytes, Union[EmbedStats, "DCTEmbedStats"], str]:
    """
    Embed data into an image using specified mode.
@@ -567,8 +650,8 @@ def embed_in_image(

        # Validate DCT color mode (v3.0.1)
        if dct_color_mode not in ("grayscale", "color"):
-            debug.print(f"Invalid dct_color_mode '{dct_color_mode}', defaulting to grayscale")
-            dct_color_mode = "grayscale"
+            debug.print(f"Invalid dct_color_mode '{dct_color_mode}', defaulting to color")
+            dct_color_mode = "color"

        dct_mod = _get_dct_module()

@@ -579,6 +662,7 @@ def embed_in_image(
            pixel_key,
            output_format=dct_output_format,
            color_mode=dct_color_mode,
+            progress_file=progress_file,
        )

        # Determine extension based on output format
@@ -594,7 +678,7 @@ def embed_in_image(
        return stego_bytes, dct_stats, ext

    # LSB MODE
-    return _embed_lsb(data, image_data, pixel_key, bits_per_channel, output_format)
+    return _embed_lsb(data, image_data, pixel_key, bits_per_channel, output_format, progress_file)


 def _embed_lsb(
@@ -603,6 +687,7 @@ def _embed_lsb(
    pixel_key: bytes,
    bits_per_channel: int = 1,
    output_format: str | None = None,
+    progress_file: str | None = None,
 ) -> tuple[bytes, EmbedStats, str]:
    """
    Embed data using LSB steganography (internal implementation).
@@ -659,8 +744,9 @@ def _embed_lsb(

        bit_idx = 0
        modified_pixels = 0
+        total_pixels_to_process = len(selected_indices)

-        for pixel_idx in selected_indices:
+        for progress_idx, pixel_idx in enumerate(selected_indices):
            if bit_idx >= len(binary_data):
                break

@@ -690,6 +776,16 @@ def _embed_lsb(
                new_pixels[pixel_idx] = (r, g, b)
                modified_pixels += 1

+            # Report progress periodically
+            if progress_file and progress_idx % PROGRESS_INTERVAL == 0:
+                _write_progress(progress_file, progress_idx, total_pixels_to_process, "embedding")
+
+        # Final progress before save
+        if progress_file:
+            _write_progress(
+                progress_file, total_pixels_to_process, total_pixels_to_process, "saving"
+            )
+
        debug.print(f"Modified {modified_pixels} pixels (out of {len(selected_indices)} selected)")

        stego_img = Image.new("RGB", img.size)
@@ -930,3 +1026,82 @@ def is_lossless_format(image_data: bytes) -> bool:
    is_lossless = fmt is not None and fmt.upper() in LOSSLESS_FORMATS
    debug.print(f"Image is lossless: {is_lossless} (format: {fmt})")
    return is_lossless
+
+
+def peek_image(image_data: bytes) -> dict:
+    """
+    Check if an image contains Stegasoo hidden data without decrypting.
+
+    Attempts to detect LSB and DCT headers by extracting the first few bytes
+    and looking for Stegasoo magic markers.
+
+    Args:
+        image_data: Raw image bytes
+
+    Returns:
+        dict with:
+            - has_stegasoo: bool - True if header detected
+            - mode: str or None - 'lsb', 'dct', or None
+            - confidence: str - 'high', 'low', or None
+
+    Example:
+        >>> result = peek_image(suspicious_image_bytes)
+        >>> if result['has_stegasoo']:
+        ...     print(f"Found {result['mode']} data!")
+    """
+    from .constants import EMBED_MODE_DCT, EMBED_MODE_LSB
+
+    result = {"has_stegasoo": False, "mode": None, "confidence": None}
+
+    # Try LSB extraction (look for header bytes)
+    try:
+        img = Image.open(io.BytesIO(image_data))
+        pixels = list(img.getdata())
+        img.close()
+
+        # Extract first 32 bits (4 bytes) from LSB
+        extracted = []
+        for i in range(32):
+            if i < len(pixels):
+                pixel = pixels[i]
+                if isinstance(pixel, tuple):
+                    extracted.append(pixel[0] & 1)
+                else:
+                    extracted.append(pixel & 1)
+
+        # Convert bits to bytes
+        header_bytes = bytearray()
+        for i in range(0, len(extracted), 8):
+            byte = 0
+            for j in range(8):
+                if i + j < len(extracted):
+                    byte = (byte << 1) | extracted[i + j]
+            header_bytes.append(byte)
+
+        # Check for LSB magic: \x89ST3
+        if bytes(header_bytes[:4]) == b"\x89ST3":
+            result["has_stegasoo"] = True
+            result["mode"] = EMBED_MODE_LSB
+            result["confidence"] = "high"
+            return result
+    except Exception:
+        pass
+
+    # Try DCT extraction (requires scipy/jpegio)
+    try:
+        from .dct_steganography import HAS_JPEGIO, HAS_SCIPY
+
+        if HAS_SCIPY or HAS_JPEGIO:
+            from .dct_steganography import extract_from_dct
+
+            # Extract first few bytes to check header
+            extracted = extract_from_dct(image_data, seed=b"\x00" * 32, length=4)
+            if extracted == b"\x89DCT":
+                result["has_stegasoo"] = True
+                result["mode"] = EMBED_MODE_DCT
+                result["confidence"] = "high"
+                return result
+    except Exception:
+        pass
+
+    return result
--- a/src/stegasoo/utils.py
+++ b/src/stegasoo/utils.py
@@ -18,6 +18,159 @@ from .constants import DAY_NAMES
 from .debug import debug


+def read_image_exif(image_data: bytes) -> dict:
+    """
+    Read EXIF metadata from an image.
+
+    Args:
+        image_data: Raw image bytes
+
+    Returns:
+        Dict with EXIF fields (tag names as keys)
+
+    Example:
+        >>> exif = read_image_exif(photo_bytes)
+        >>> print(exif.get('Make'))  # Camera manufacturer
+    """
+    from PIL.ExifTags import GPSTAGS, TAGS
+
+    result = {}
+
+    try:
+        img = Image.open(io.BytesIO(image_data))
+        exif_data = img._getexif()
+
+        if exif_data:
+            for tag_id, value in exif_data.items():
+                tag = TAGS.get(tag_id, str(tag_id))
+
+                # Handle GPS data specially
+                if tag == "GPSInfo" and isinstance(value, dict):
+                    gps = {}
+                    for gps_tag_id, gps_value in value.items():
+                        gps_tag = GPSTAGS.get(gps_tag_id, str(gps_tag_id))
+                        # Convert tuples/IFDRational to simple types
+                        if hasattr(gps_value, "numerator"):
+                            gps[gps_tag] = float(gps_value)
+                        elif isinstance(gps_value, tuple):
+                            gps[gps_tag] = [
+                                float(v) if hasattr(v, "numerator") else v
+                                for v in gps_value
+                            ]
+                        else:
+                            gps[gps_tag] = gps_value
+                    result[tag] = gps
+                # Convert IFDRational to float
+                elif hasattr(value, "numerator"):
+                    result[tag] = float(value)
+                # Convert bytes to string if possible
+                elif isinstance(value, bytes):
+                    try:
+                        result[tag] = value.decode("utf-8", errors="replace").strip("\x00")
+                    except Exception:
+                        result[tag] = f"<{len(value)} bytes>"
+                # Handle tuples of IFDRational
+                elif isinstance(value, tuple) and value and hasattr(value[0], "numerator"):
+                    result[tag] = [float(v) for v in value]
+                else:
+                    result[tag] = value
+
+        img.close()
+    except Exception as e:
+        debug.print(f"Error reading EXIF: {e}")
+
+    return result
+
+
+def write_image_exif(image_data: bytes, exif_updates: dict) -> bytes:
+    """
+    Write/update EXIF metadata in a JPEG image.
+
+    Args:
+        image_data: Raw JPEG image bytes
+        exif_updates: Dict of EXIF fields to update (tag names as keys)
+                     Use None as value to delete a field
+
+    Returns:
+        Image bytes with updated EXIF
+
+    Raises:
+        ValueError: If image is not JPEG or piexif not available
+
+    Example:
+        >>> updated = write_image_exif(jpeg_bytes, {"Artist": "John Doe"})
+    """
+    try:
+        import piexif
+    except ImportError:
+        raise ValueError("piexif required for EXIF editing: pip install piexif")
+
+    # Verify it's a JPEG
+    if not image_data[:2] == b"\xff\xd8":
+        raise ValueError("EXIF editing only supported for JPEG images")
+
+    debug.print(f"Writing EXIF updates: {list(exif_updates.keys())}")
+
+    # Load existing EXIF
+    try:
+        exif_dict = piexif.load(image_data)
+    except Exception:
+        # No existing EXIF, start fresh
+        exif_dict = {"0th": {}, "Exif": {}, "GPS": {}, "1st": {}, "thumbnail": None}
+
+    # Map common tag names to piexif IFD and tag IDs
+    tag_mapping = {
+        # 0th IFD (main image)
+        "Make": (piexif.ImageIFD.Make, "0th"),
+        "Model": (piexif.ImageIFD.Model, "0th"),
+        "Software": (piexif.ImageIFD.Software, "0th"),
+        "Artist": (piexif.ImageIFD.Artist, "0th"),
+        "Copyright": (piexif.ImageIFD.Copyright, "0th"),
+        "ImageDescription": (piexif.ImageIFD.ImageDescription, "0th"),
+        "DateTime": (piexif.ImageIFD.DateTime, "0th"),
+        "Orientation": (piexif.ImageIFD.Orientation, "0th"),
+        # Exif IFD
+        "DateTimeOriginal": (piexif.ExifIFD.DateTimeOriginal, "Exif"),
+        "DateTimeDigitized": (piexif.ExifIFD.DateTimeDigitized, "Exif"),
+        "UserComment": (piexif.ExifIFD.UserComment, "Exif"),
+        "ExposureTime": (piexif.ExifIFD.ExposureTime, "Exif"),
+        "FNumber": (piexif.ExifIFD.FNumber, "Exif"),
+        "ISOSpeedRatings": (piexif.ExifIFD.ISOSpeedRatings, "Exif"),
+        "FocalLength": (piexif.ExifIFD.FocalLength, "Exif"),
+        "LensMake": (piexif.ExifIFD.LensMake, "Exif"),
+        "LensModel": (piexif.ExifIFD.LensModel, "Exif"),
+    }
+
+    for tag_name, value in exif_updates.items():
+        if tag_name not in tag_mapping:
+            debug.print(f"Unknown EXIF tag: {tag_name}, skipping")
+            continue
+
+        tag_id, ifd = tag_mapping[tag_name]
+
+        if value is None:
+            # Delete the tag
+            if tag_id in exif_dict[ifd]:
+                del exif_dict[ifd][tag_id]
+                debug.print(f"Deleted EXIF tag: {tag_name}")
+        else:
+            # Set the tag (encode strings as bytes)
+            if isinstance(value, str):
+                value = value.encode("utf-8")
+            exif_dict[ifd][tag_id] = value
+            debug.print(f"Set EXIF tag: {tag_name}")
+
+    # Serialize EXIF and insert into image
+    exif_bytes = piexif.dump(exif_dict)
+    output = io.BytesIO()
+    img = Image.open(io.BytesIO(image_data))
+    img.save(output, "JPEG", exif=exif_bytes, quality=95)
+    output.seek(0)
+
+    debug.print(f"EXIF updated: {len(image_data)} -> {len(output.getvalue())} bytes")
+    return output.getvalue()
+
+
 def strip_image_metadata(image_data: bytes, output_format: str = "PNG") -> bytes:
    """
    Remove all metadata (EXIF, ICC profiles, etc.) from an image.
--- a/test_data/carrier2.jpg
+++ b/test_data/carrier2.jpg
--- a/test_data/rpi_20260102.jpg
+++ b/test_data/rpi_20260102.jpg
--- a/tests/RELEASE_CHECKLIST_V4_0_0.md
+++ b/tests/RELEASE_CHECKLIST_V4_0_0.md
@@ -1,528 +0,0 @@
-# Stegasoo v4.0.0 Release Checklist
-
-## Overview
-
-This checklist covers functionality testing for the v4.0.0 release.
-
-### Changes in v4.0.0
-
-| Change | v3.2.0 | v4.0.0 |
-|--------|--------|--------|
-| Python version | 3.10-3.12 | 3.10-3.12 (3.13 NOT supported) |
-| JPEG handling | Could crash on quality=100 | Normalized before jpegio |
-| Header size | 65 bytes | 65 bytes (unchanged) |
-| API | passphrase, no date_str | Same (no breaking changes) |
-| Format version | 4 | 4 (compatible with v3.2.0) |
-
-### Key Points
- **No breaking API changes from v3.2.0**
- **v4.0 CAN decode v3.2.0 images** (same format version)
- **v4.0 CANNOT decode v3.1.x or earlier images**
- **Python 3.13 is NOT supported** (jpegio C extension ABI incompatibility)
-
---
-
-## 1. Pre-Release Checks
-
-### 1.1 Python Version
-
-```bash
-python --version  # Must be 3.10, 3.11, or 3.12
-```
-
- [ ] Python version is 3.10, 3.11, or 3.12
- [ ] NOT Python 3.13 (jpegio will crash)
-
-### 1.2 Dependencies
-
-```bash
-pip list | grep -E "jpegio|scipy|pillow|argon2"
-```
-
- [ ] jpegio installed (for DCT JPEG support)
- [ ] scipy installed (for DCT mode)
- [ ] pillow installed
- [ ] argon2-cffi installed
-
---
-
-## 2. Core Library Tests
-
-### 2.1 Run Unit Tests
-
-```bash
-cd /path/to/stegasoo
-pytest tests/ -v
-```
-
- [ ] All tests pass
- [ ] No deprecation warnings for removed parameters
-
-### 2.2 JPEG Normalization Test (NEW in v4.0)
-
-```bash
-python -c "
-from PIL import Image
-import io
-from stegasoo import encode, decode
-
-# Create quality=100 JPEG (triggers normalization)
-img = Image.new('RGB', (400, 400), 'red')
-buf = io.BytesIO()
-img.save(buf, format='JPEG', quality=100)
-jpeg_data = buf.getvalue()
-
-# This should NOT crash (v3.2.0 would crash here)
-result = encode(
-    message='Test quality 100',
-    reference_photo=jpeg_data,
-    carrier_image=jpeg_data,
-    passphrase='test phrase four words',
-    pin='123456',
-    embed_mode='dct'
-)
-print('✓ Quality=100 JPEG encode OK')
-
-decoded = decode(
-    stego_image=result.stego_image,
-    reference_photo=jpeg_data,
-    passphrase='test phrase four words',
-    pin='123456'
-)
-assert decoded.message == 'Test quality 100'
-print('✓ Quality=100 JPEG decode OK')
-"
-```
-
- [ ] Quality=100 JPEG encoding works (no crash)
- [ ] Quality=100 JPEG decoding works
-
-### 2.3 Large Image Test (NEW in v4.0)
-
-```bash
-python -c "
-from PIL import Image
-import io
-from stegasoo import encode, decode
-
-# Create large image (similar to 14MB real photo)
-img = Image.new('RGB', (4000, 3000), 'blue')
-buf = io.BytesIO()
-img.save(buf, format='PNG')
-large_image = buf.getvalue()
-print(f'Test image size: {len(large_image) / 1024 / 1024:.1f} MB')
-
-result = encode(
-    message='Large image test',
-    reference_photo=large_image,
-    carrier_image=large_image,
-    passphrase='large image test phrase',
-    pin='123456'
-)
-print('✓ Large image encode OK')
-
-decoded = decode(
-    stego_image=result.stego_image,
-    reference_photo=large_image,
-    passphrase='large image test phrase',
-    pin='123456'
-)
-assert decoded.message == 'Large image test'
-print('✓ Large image decode OK')
-"
-```
-
- [ ] Large image (12MP+) encoding works
- [ ] Large image decoding works
-
---
-
-## 3. Docker Build Tests
-
-### 3.1 Base Image Build
-
-```bash
-# Build base image (one-time, 5-10 min)
-sudo docker build -f Dockerfile.base -t stegasoo-base:latest .
-```
-
- [ ] Base image builds successfully
- [ ] jpegio + scipy + numpy verification passes
-
-### 3.2 Application Build
-
-```bash
-# Fast build using base image
-sudo docker-compose build
-```
-
- [ ] Web container builds
- [ ] API container builds
-
-### 3.3 Container Startup
-
-```bash
-sudo docker-compose up -d
-sudo docker-compose logs
-```
-
- [ ] Web container starts without errors
- [ ] API container starts without errors
- [ ] No import errors in logs
-
---
-
-## 4. Web UI Tests (`http://localhost:5000`)
-
-### 4.1 Home Page
-
- [ ] v4.0 badge visible
- [ ] "Learn More" button is white/visible
- [ ] No references to "day phrase" or dates
-
-### 4.2 Generate Page (`/generate`)
-
- [ ] Default is 4 words
- [ ] Single passphrase generated (not 7 daily)
- [ ] PIN toggle shows/hides digits
- [ ] Memory aid generator works
-
-### 4.3 Encode Page (`/encode`)
-
- [ ] Passphrase field has blue glow on focus
- [ ] PIN field has orange glow on focus
- [ ] PIN box is 180px wide (fits LastPass icon)
- [ ] Passphrase font shrinks for long input (stepped)
- [ ] RSA .pem/QR toggle works
- [ ] QR image preview shows when selected
- [ ] DCT mode options appear when selected
- [ ] Encoding works (LSB mode)
- [ ] Encoding works (DCT mode)
-
-### 4.4 Decode Page (`/decode`)
-
- [ ] Same styling as encode (glowing inputs)
- [ ] RSA .pem/QR toggle works (matches encode layout)
- [ ] QR image preview shows when selected
- [ ] Copy button is below message (not overlapping)
- [ ] Decoding works (LSB mode)
- [ ] Decoding works (DCT mode)
- [ ] Auto mode detection works
-
-### 4.5 About Page (`/about`)
-
- [ ] Version history table present
- [ ] v4.0.0 entry in table
- [ ] Python 3.10-3.12 requirement noted
- [ ] No marketing language ("military-grade" removed)
-
---
-
-## 5. API Tests (`http://localhost:8000`)
-
-### 5.1 Status Endpoint
-
-```bash
-curl http://localhost:8000/
-```
-
- [ ] Returns version "4.0.0"
- [ ] No import errors
-
-### 5.2 Generate Endpoint
-
-```bash
-curl -X POST http://localhost:8000/generate \
-  -H "Content-Type: application/json" \
-  -d '{"use_pin": true}'
-```
-
- [ ] Returns single `passphrase` string
- [ ] Returns 4 words by default
-
-### 5.3 OpenAPI Docs
-
- [ ] `/docs` loads (Swagger UI)
- [ ] `/redoc` loads (ReDoc)
- [ ] All endpoints documented
-
---
-
-## 6. CLI Tests
-
-### 6.1 Version
-
-```bash
-stegasoo --version
-```
-
- [ ] Shows 4.0.0
-
-### 6.2 Generate
-
-```bash
-stegasoo generate --pin --words 4
-```
-
- [ ] Single passphrase output
- [ ] 4 words generated
-
-### 6.3 Encode/Decode Roundtrip
-
-```bash
-# Generate test image
-python -c "from PIL import Image; Image.new('RGB', (200,200), 'red').save('/tmp/test.png')"
-
-# Encode
-stegasoo encode \
-  -r /tmp/test.png \
-  -c /tmp/test.png \
-  -p "cli test phrase here" \
-  --pin 123456 \
-  -m "CLI roundtrip test" \
-  -o /tmp/stego.png
-
-# Decode
-stegasoo decode \
-  -r /tmp/test.png \
-  -s /tmp/stego.png \
-  -p "cli test phrase here" \
-  --pin 123456
-```
-
- [ ] Encode succeeds
- [ ] Decode returns correct message
-
---
-
-## 7. Cross-Version Compatibility
-
-### 7.1 v3.2.0 Compatibility
-
- [ ] v4.0 can decode v3.2.0 images (same format version 4)
-
-### 7.2 v3.1.x Incompatibility
-
- [ ] v4.0 fails gracefully on v3.1.x images
- [ ] Error message is clear
-
---
-
-## 8. Documentation Review
-
-### 8.1 Updated Files
-
- [ ] README.md - v4.0 references
- [ ] INSTALL.md - Python 3.13 warning prominent
- [ ] SECURITY.md - v4.0 changes documented
- [ ] UNDER_THE_HOOD.md - JPEG normalization section
-
-### 8.2 Template Updates
-
- [ ] All 7 templates updated
- [ ] No v3.x badges remaining
- [ ] Version history in About page
-
---
-
-## 9. Quick Smoke Test Script
-
-```bash
-#!/bin/bash
-# v4.0.0 Smoke Test
-
-set -e
-
-echo "=== Stegasoo v4.0.0 Smoke Test ==="
-
-# Check version
-echo "1. Checking version..."
-python -c "import stegasoo; assert stegasoo.__version__.startswith('4.'), f'Wrong version: {stegasoo.__version__}'; print(f'✓ Version: {stegasoo.__version__}')"
-
-# Check Python version
-echo "2. Checking Python version..."
-python -c "
-import sys
-v = sys.version_info
-assert v.major == 3 and 10 <= v.minor <= 12, f'Python {v.major}.{v.minor} not supported'
-print(f'✓ Python {v.major}.{v.minor}.{v.micro}')
-"
-
-# Check DCT support
-echo "3. Checking DCT support..."
-python -c "
-from stegasoo import has_dct_support
-from stegasoo.dct_steganography import has_jpegio_support
-print(f'  DCT (scipy): {has_dct_support()}')
-print(f'  JPEG native (jpegio): {has_jpegio_support()}')
-assert has_dct_support(), 'DCT not available'
-print('✓ DCT support OK')
-"
-
-# Test encode/decode roundtrip
-echo "4. Testing encode/decode roundtrip..."
-python -c "
-from stegasoo import encode, decode
-from PIL import Image
-import io
-
-img = Image.new('RGB', (200, 200), color='blue')
-buf = io.BytesIO()
-img.save(buf, format='PNG')
-test_image = buf.getvalue()
-
-result = encode(
-    message='Hello v4.0.0!',
-    reference_photo=test_image,
-    carrier_image=test_image,
-    passphrase='test phrase four words',
-    pin='123456'
-)
-
-decoded = decode(
-    stego_image=result.stego_image,
-    reference_photo=test_image,
-    passphrase='test phrase four words',
-    pin='123456'
-)
-
-assert decoded.message == 'Hello v4.0.0!', f'Got: {decoded.message}'
-print('✓ LSB roundtrip OK')
-"
-
-# Test DCT mode
-echo "5. Testing DCT mode..."
-python -c "
-from stegasoo import encode, decode
-from PIL import Image
-import io
-
-img = Image.new('RGB', (400, 400), color='green')
-buf = io.BytesIO()
-img.save(buf, format='PNG')
-test_image = buf.getvalue()
-
-result = encode(
-    message='DCT v4.0 test',
-    reference_photo=test_image,
-    carrier_image=test_image,
-    passphrase='dct test phrase here',
-    pin='123456',
-    embed_mode='dct'
-)
-
-decoded = decode(
-    stego_image=result.stego_image,
-    reference_photo=test_image,
-    passphrase='dct test phrase here',
-    pin='123456'
-)
-
-assert decoded.message == 'DCT v4.0 test'
-print('✓ DCT roundtrip OK')
-"
-
-# Test JPEG quality=100 (v4.0 fix)
-echo "6. Testing JPEG quality=100 handling..."
-python -c "
-from stegasoo import encode, decode
-from PIL import Image
-import io
-
-img = Image.new('RGB', (400, 400), color='red')
-buf = io.BytesIO()
-img.save(buf, format='JPEG', quality=100)
-jpeg_q100 = buf.getvalue()
-
-result = encode(
-    message='Quality 100 test',
-    reference_photo=jpeg_q100,
-    carrier_image=jpeg_q100,
-    passphrase='jpeg quality test here',
-    pin='123456',
-    embed_mode='dct'
-)
-
-decoded = decode(
-    stego_image=result.stego_image,
-    reference_photo=jpeg_q100,
-    passphrase='jpeg quality test here',
-    pin='123456'
-)
-
-assert decoded.message == 'Quality 100 test'
-print('✓ JPEG quality=100 OK (v4.0 fix working)')
-"
-
-echo ""
-echo "=== All smoke tests passed! ==="
-echo "Ready for release."
-```
-
---
-
-## 10. Release Steps
-
-### 10.1 Final Checks
-
- [ ] All tests pass
- [ ] All Docker containers work
- [ ] Documentation updated
- [ ] Version bumped in `constants.py` and `pyproject.toml`
-
-### 10.2 Git
-
-```bash
-git add -A
-git status  # Review changes
-git commit -m "v4.0.0: JPEG normalization, Python 3.12, UI polish"
-git tag v4.0.0
-git push origin main --tags
-```
-
- [ ] Changes committed
- [ ] Tag created
- [ ] Pushed to remote
-
-### 10.3 Release Notes
-
-```markdown
-## v4.0.0
-
-### What's New
- **JPEG Normalization**: Quality=100 JPEGs now work with DCT mode
- **Python 3.12**: Recommended version (3.13 NOT supported due to jpegio)
- **UI Polish**: Glowing input fields, better layout, version history
-
-### Fixes
- Fixed jpegio crash on quality=100 JPEG images
- Fixed QR code input on decode page
- Fixed passphrase font sizing (stepped instead of smooth)
-
-### Breaking Changes
- Python 3.13 is NOT supported
-
-### Compatibility
- v4.0 can decode v3.2.0 images (same format)
- v4.0 CANNOT decode v3.1.x or earlier
-```
-
---
-
-## Sign-Off
-
-| Area | Tested By | Date | Status |
-|------|-----------|------|--------|
-| Python/Dependencies | | | ☐ |
-| Unit Tests | | | ☐ |
-| Docker Build | | | ☐ |
-| Web UI | | | ☐ |
-| API | | | ☐ |
-| CLI | | | ☐ |
-| Documentation | | | ☐ |
-
-**Release Approved:** ☐
-
-**Released By:** _________________
-
-**Release Date:** _________________
--- a/tests/test_batch.py
+++ b/tests/test_batch.py
@@ -1,434 +0,0 @@
-"""
-Tests for Stegasoo batch processing module (v4.0.0).
-
-Updated for v4.0.0:
- Uses 'passphrase' instead of 'phrase' in credentials dict
- No date_str parameter
- BatchCredentials.passphrase is a single string
-"""
-
-import shutil
-import tempfile
-from pathlib import Path
-from unittest.mock import Mock
-
-import pytest
-
-from stegasoo.batch import (
-    BatchCredentials,
-    BatchItem,
-    BatchProcessor,
-    BatchResult,
-    BatchStatus,
-    batch_capacity_check,
-    print_batch_result,
-)
-
-
-@pytest.fixture
-def temp_dir():
-    """Create a temporary directory for tests."""
-    path = Path(tempfile.mkdtemp())
-    yield path
-    shutil.rmtree(path)
-
-
-@pytest.fixture
-def sample_images(temp_dir):
-    """Create sample PNG images for testing."""
-    from PIL import Image
-
-    images = []
-    for i in range(3):
-        img_path = temp_dir / f"test_image_{i}.png"
-        img = Image.new("RGB", (100, 100), color=(i * 50, i * 50, i * 50))
-        img.save(img_path, "PNG")
-        images.append(img_path)
-
-    return images
-
-
-@pytest.fixture
-def sample_reference_photo():
-    """Create a sample reference photo as bytes."""
-    from io import BytesIO
-
-    from PIL import Image
-
-    img = Image.new("RGB", (100, 100), color=(128, 128, 128))
-    buf = BytesIO()
-    img.save(buf, "PNG")
-    return buf.getvalue()
-
-
-@pytest.fixture
-def sample_credentials(sample_reference_photo):
-    """Create sample v3.2.0 credentials dict."""
-    return {
-        "reference_photo": sample_reference_photo,
-        "passphrase": "test phrase four words",  # v3.2.0: single passphrase
-        "pin": "123456",
-    }
-
-
-class TestBatchItem:
-    """Tests for BatchItem dataclass."""
-
-    def test_duration_calculation(self):
-        """Duration should be calculated from start/end times."""
-        item = BatchItem(input_path=Path("test.png"))
-        item.start_time = 100.0
-        item.end_time = 105.5
-        assert item.duration == 5.5
-
-    def test_duration_none_without_times(self):
-        """Duration should be None if times not set."""
-        item = BatchItem(input_path=Path("test.png"))
-        assert item.duration is None
-
-    def test_to_dict(self):
-        """to_dict should serialize all fields."""
-        item = BatchItem(
-            input_path=Path("input.png"),
-            output_path=Path("output.png"),
-            status=BatchStatus.SUCCESS,
-            message="Done",
-        )
-        result = item.to_dict()
-        assert result["input_path"] == "input.png"
-        assert result["output_path"] == "output.png"
-        assert result["status"] == "success"
-
-
-class TestBatchResult:
-    """Tests for BatchResult dataclass."""
-
-    def test_to_json(self):
-        """Should serialize to valid JSON."""
-        import json
-
-        result = BatchResult(operation="encode", total=5, succeeded=4, failed=1)
-        json_str = result.to_json()
-        parsed = json.loads(json_str)
-        assert parsed["operation"] == "encode"
-        assert parsed["summary"]["total"] == 5
-
-    def test_duration_with_end_time(self):
-        """Duration should work when end_time is set."""
-        result = BatchResult(operation="test")
-        result.start_time = 100.0
-        result.end_time = 110.0
-        assert result.duration == 10.0
-
-
-class TestBatchCredentials:
-    """Tests for BatchCredentials dataclass (v3.2.0)."""
-
-    def test_from_dict_new_format(self, sample_reference_photo):
-        """Should parse v3.2.0 format with 'passphrase' key."""
-        data = {
-            "reference_photo": sample_reference_photo,
-            "passphrase": "test phrase four words",
-            "pin": "123456",
-        }
-        creds = BatchCredentials.from_dict(data)
-        assert creds.passphrase == "test phrase four words"
-        assert creds.pin == "123456"
-
-    def test_from_dict_legacy_format(self, sample_reference_photo):
-        """Should parse legacy format with 'day_phrase' key for migration."""
-        data = {
-            "reference_photo": sample_reference_photo,
-            "day_phrase": "legacy phrase here",  # Old key name
-            "pin": "123456",
-        }
-        creds = BatchCredentials.from_dict(data)
-        # Should accept old key and map to passphrase
-        assert creds.passphrase == "legacy phrase here"
-        assert creds.pin == "123456"
-
-    def test_to_dict(self, sample_reference_photo):
-        """Should serialize to v3.2.0 format."""
-        creds = BatchCredentials(
-            reference_photo=sample_reference_photo,
-            passphrase="test phrase four words",
-            pin="123456",
-        )
-        result = creds.to_dict()
-        assert result["passphrase"] == "test phrase four words"
-        assert result["pin"] == "123456"
-        assert "day_phrase" not in result  # Old key should not be present
-
-    def test_passphrase_is_string(self, sample_reference_photo):
-        """Passphrase should be a string, not a dict."""
-        creds = BatchCredentials(
-            reference_photo=sample_reference_photo,
-            passphrase="test phrase four words",
-            pin="123456",
-        )
-        assert isinstance(creds.passphrase, str)
-
-
-class TestBatchProcessor:
-    """Tests for BatchProcessor class."""
-
-    def test_init_default_workers(self):
-        """Should default to 4 workers."""
-        processor = BatchProcessor()
-        assert processor.max_workers == 4
-
-    def test_init_custom_workers(self):
-        """Should accept custom worker count."""
-        processor = BatchProcessor(max_workers=8)
-        assert processor.max_workers == 8
-
-    def test_is_valid_image_png(self, temp_dir):
-        """Should recognize PNG as valid."""
-        processor = BatchProcessor()
-        png_path = temp_dir / "test.png"
-        png_path.touch()
-        assert processor._is_valid_image(png_path)
-
-    def test_is_valid_image_txt(self, temp_dir):
-        """Should reject non-image files."""
-        processor = BatchProcessor()
-        txt_path = temp_dir / "test.txt"
-        txt_path.touch()
-        assert not processor._is_valid_image(txt_path)
-
-    def test_find_images_file(self, sample_images):
-        """Should find single image file."""
-        processor = BatchProcessor()
-        results = list(processor.find_images([sample_images[0]]))
-        assert len(results) == 1
-        assert results[0] == sample_images[0]
-
-    def test_find_images_directory(self, sample_images, temp_dir):
-        """Should find images in directory."""
-        processor = BatchProcessor()
-        results = list(processor.find_images([temp_dir]))
-        assert len(results) == 3
-
-    def test_find_images_recursive(self, temp_dir):
-        """Should find images recursively."""
-        from PIL import Image
-
-        # Create nested directory
-        nested = temp_dir / "nested"
-        nested.mkdir()
-        img_path = nested / "nested.png"
-        img = Image.new("RGB", (50, 50))
-        img.save(img_path)
-
-        processor = BatchProcessor()
-        results = list(processor.find_images([temp_dir], recursive=True))
-        assert any(p.name == "nested.png" for p in results)
-
-    def test_batch_encode_requires_message_or_file(self, sample_images, sample_credentials):
-        """Should raise if neither message nor file provided."""
-        processor = BatchProcessor()
-        with pytest.raises(ValueError, match="message or file_payload"):
-            processor.batch_encode(
-                images=sample_images,
-                credentials=sample_credentials,
-            )
-
-    def test_batch_encode_requires_credentials(self, sample_images):
-        """Should raise if credentials not provided."""
-        processor = BatchProcessor()
-        with pytest.raises(ValueError, match="Credentials"):
-            processor.batch_encode(
-                images=sample_images,
-                message="test",
-            )
-
-    def test_batch_encode_accepts_passphrase_credentials(
-        self, sample_images, temp_dir, sample_credentials
-    ):
-        """Should accept v3.2.0 format credentials with passphrase."""
-        processor = BatchProcessor()
-        result = processor.batch_encode(
-            images=sample_images,
-            message="Test message",
-            output_dir=temp_dir / "output",
-            credentials=sample_credentials,  # Uses 'passphrase' key
-        )
-
-        assert isinstance(result, BatchResult)
-        assert result.operation == "encode"
-        assert result.total == 3
-
-    def test_batch_encode_creates_result(self, sample_images, temp_dir, sample_credentials):
-        """Should return BatchResult with correct structure."""
-        processor = BatchProcessor()
-        result = processor.batch_encode(
-            images=sample_images,
-            message="Test message",
-            output_dir=temp_dir / "output",
-            credentials=sample_credentials,
-        )
-
-        assert isinstance(result, BatchResult)
-        assert result.operation == "encode"
-        assert result.total == 3
-        assert len(result.items) == 3
-
-    def test_batch_decode_requires_credentials(self, sample_images):
-        """Should raise if credentials not provided."""
-        processor = BatchProcessor()
-        with pytest.raises(ValueError, match="Credentials"):
-            processor.batch_decode(images=sample_images)
-
-    def test_batch_decode_accepts_passphrase_credentials(self, sample_images, sample_credentials):
-        """Should accept v3.2.0 format credentials with passphrase."""
-        processor = BatchProcessor()
-        result = processor.batch_decode(
-            images=sample_images,
-            credentials=sample_credentials,  # Uses 'passphrase' key
-        )
-
-        assert isinstance(result, BatchResult)
-        assert result.operation == "decode"
-        assert result.total == 3
-
-    def test_batch_decode_creates_result(self, sample_images, sample_credentials):
-        """Should return BatchResult with correct structure."""
-        processor = BatchProcessor()
-        result = processor.batch_decode(
-            images=sample_images,
-            credentials=sample_credentials,
-        )
-
-        assert isinstance(result, BatchResult)
-        assert result.operation == "decode"
-        assert result.total == 3
-
-    def test_progress_callback_called(self, sample_images, sample_credentials):
-        """Progress callback should be called for each item."""
-        processor = BatchProcessor()
-        callback = Mock()
-
-        processor.batch_encode(
-            images=sample_images,
-            message="Test",
-            credentials=sample_credentials,
-            progress_callback=callback,
-        )
-
-        assert callback.call_count == 3
-
-    def test_custom_encode_func(self, sample_images, temp_dir, sample_credentials):
-        """Should use custom encode function if provided."""
-        processor = BatchProcessor()
-        encode_mock = Mock()
-
-        processor.batch_encode(
-            images=sample_images,
-            message="Test",
-            output_dir=temp_dir / "output",
-            credentials=sample_credentials,
-            encode_func=encode_mock,
-        )
-
-        assert encode_mock.call_count == 3
-
-
-class TestBatchCapacityCheck:
-    """Tests for batch_capacity_check function."""
-
-    def test_returns_list(self, sample_images):
-        """Should return list of results."""
-        results = batch_capacity_check(sample_images)
-        assert isinstance(results, list)
-        assert len(results) == 3
-
-    def test_includes_capacity(self, sample_images):
-        """Results should include capacity info."""
-        results = batch_capacity_check(sample_images)
-        for item in results:
-            assert "capacity_bytes" in item
-            assert "dimensions" in item
-            assert "valid" in item
-
-    def test_handles_invalid_files(self, temp_dir):
-        """Should handle non-image files gracefully."""
-        bad_file = temp_dir / "not_an_image.png"
-        bad_file.write_bytes(b"not a png")
-
-        results = batch_capacity_check([bad_file])
-        assert len(results) == 1
-        assert "error" in results[0]
-
-
-class TestPrintBatchResult:
-    """Tests for print_batch_result function."""
-
-    def test_prints_summary(self, capsys, sample_images):
-        """Should print summary without errors."""
-        result = BatchResult(
-            operation="encode",
-            total=3,
-            succeeded=2,
-            failed=1,
-        )
-        result.end_time = result.start_time + 5.0
-
-        print_batch_result(result)
-
-        captured = capsys.readouterr()
-        assert "ENCODE" in captured.out
-        assert "3" in captured.out  # total
-        assert "2" in captured.out  # succeeded
-
-    def test_verbose_shows_items(self, capsys):
-        """Verbose mode should show individual items."""
-        result = BatchResult(operation="decode", total=1, succeeded=1)
-        result.items = [
-            BatchItem(
-                input_path=Path("test.png"),
-                status=BatchStatus.SUCCESS,
-                message="Decoded successfully",
-            )
-        ]
-        result.end_time = result.start_time + 1.0
-
-        print_batch_result(result, verbose=True)
-
-        captured = capsys.readouterr()
-        assert "test.png" in captured.out
-
-
-class TestCredentialsMigration:
-    """Tests for v3.1.x to v3.2.0 credentials migration."""
-
-    def test_old_phrase_key_accepted(self, sample_reference_photo):
-        """Old 'phrase' key should be accepted for migration."""
-        old_format = {
-            "reference_photo": sample_reference_photo,
-            "phrase": "old style phrase",
-            "pin": "123456",
-        }
-        # Should not raise
-        creds = BatchCredentials.from_dict(old_format)
-        assert creds.passphrase == "old style phrase"
-
-    def test_old_day_phrase_key_accepted(self, sample_reference_photo):
-        """Old 'day_phrase' key should be accepted for migration."""
-        old_format = {
-            "reference_photo": sample_reference_photo,
-            "day_phrase": "old day phrase",
-            "pin": "123456",
-        }
-        creds = BatchCredentials.from_dict(old_format)
-        assert creds.passphrase == "old day phrase"
-
-    def test_new_passphrase_key_preferred(self, sample_reference_photo):
-        """New 'passphrase' key should take precedence if both present."""
-        mixed_format = {
-            "reference_photo": sample_reference_photo,
-            "passphrase": "new style passphrase",
-            "day_phrase": "old day phrase",
-            "pin": "123456",
-        }
-        creds = BatchCredentials.from_dict(mixed_format)
-        assert creds.passphrase == "new style passphrase"
--- a/tests/test_compression.py
+++ b/tests/test_compression.py
@@ -1,181 +0,0 @@
-"""
-Tests for Stegasoo compression module.
-"""
-
-import pytest
-
-from stegasoo.compression import (
-    COMPRESSION_MAGIC,
-    HAS_LZ4,
-    MIN_COMPRESS_SIZE,
-    CompressionAlgorithm,
-    CompressionError,
-    algorithm_name,
-    compress,
-    decompress,
-    estimate_compressed_size,
-    get_available_algorithms,
-    get_compression_ratio,
-)
-
-
-class TestCompress:
-    """Tests for compress function."""
-
-    def test_compress_small_data_not_compressed(self):
-        """Small data should not be compressed (overhead not worth it)."""
-        small_data = b"hello"
-        result = compress(small_data)
-        # Should have magic header but NONE algorithm
-        assert result.startswith(COMPRESSION_MAGIC)
-        assert result[4] == CompressionAlgorithm.NONE
-
-    def test_compress_zlib_reduces_size(self):
-        """Zlib should reduce size for compressible data."""
-        # Highly compressible data
-        data = b"A" * 1000
-        result = compress(data, CompressionAlgorithm.ZLIB)
-        assert len(result) < len(data)
-        assert result.startswith(COMPRESSION_MAGIC)
-        assert result[4] == CompressionAlgorithm.ZLIB
-
-    def test_compress_incompressible_data(self):
-        """Incompressible data should be stored uncompressed."""
-        import os
-
-        # Random data doesn't compress well
-        data = os.urandom(500)
-        result = compress(data, CompressionAlgorithm.ZLIB)
-        # Should fall back to NONE if compression didn't help
-        assert result.startswith(COMPRESSION_MAGIC)
-
-    def test_compress_none_algorithm(self):
-        """NONE algorithm should just wrap data."""
-        data = b"Test data" * 100
-        result = compress(data, CompressionAlgorithm.NONE)
-        assert result.startswith(COMPRESSION_MAGIC)
-        assert result[4] == CompressionAlgorithm.NONE
-        # Data should be after 9-byte header
-        assert result[9:] == data
-
-    @pytest.mark.skipif(not HAS_LZ4, reason="LZ4 not installed")
-    def test_compress_lz4(self):
-        """LZ4 compression should work if available."""
-        data = b"B" * 1000
-        result = compress(data, CompressionAlgorithm.LZ4)
-        assert len(result) < len(data)
-        assert result.startswith(COMPRESSION_MAGIC)
-        assert result[4] == CompressionAlgorithm.LZ4
-
-
-class TestDecompress:
-    """Tests for decompress function."""
-
-    def test_decompress_zlib(self):
-        """Decompression should restore original data."""
-        original = b"Hello, World! " * 100
-        compressed = compress(original, CompressionAlgorithm.ZLIB)
-        result = decompress(compressed)
-        assert result == original
-
-    def test_decompress_none(self):
-        """Uncompressed wrapped data should decompress correctly."""
-        original = b"Small data"
-        wrapped = compress(original, CompressionAlgorithm.NONE)
-        result = decompress(wrapped)
-        assert result == original
-
-    def test_decompress_no_magic(self):
-        """Data without magic header should be returned as-is."""
-        data = b"Not compressed at all"
-        result = decompress(data)
-        assert result == data
-
-    def test_decompress_truncated_header(self):
-        """Truncated header should raise CompressionError."""
-        bad_data = COMPRESSION_MAGIC + b"\x01"  # Too short
-        with pytest.raises(CompressionError, match="Truncated"):
-            decompress(bad_data)
-
-    @pytest.mark.skipif(not HAS_LZ4, reason="LZ4 not installed")
-    def test_decompress_lz4(self):
-        """LZ4 decompression should work."""
-        original = b"LZ4 test data " * 100
-        compressed = compress(original, CompressionAlgorithm.LZ4)
-        result = decompress(compressed)
-        assert result == original
-
-    def test_roundtrip_large_data(self):
-        """Large data should survive compress/decompress roundtrip."""
-        import os
-
-        original = os.urandom(50000)
-        compressed = compress(original)
-        result = decompress(compressed)
-        assert result == original
-
-
-class TestUtilities:
-    """Tests for utility functions."""
-
-    def test_compression_ratio_compressed(self):
-        """Ratio should be < 1 for well-compressed data."""
-        original = b"X" * 1000
-        compressed = compress(original)
-        ratio = get_compression_ratio(original, compressed)
-        assert ratio < 1.0
-
-    def test_compression_ratio_empty(self):
-        """Empty data should return ratio of 1.0."""
-        ratio = get_compression_ratio(b"", b"")
-        assert ratio == 1.0
-
-    def test_estimate_compressed_size_small(self):
-        """Small data estimation should be accurate."""
-        data = b"Test " * 100
-        estimate = estimate_compressed_size(data)
-        actual = len(compress(data))
-        # Should be within 20% for small data
-        assert abs(estimate - actual) / actual < 0.2
-
-    def test_available_algorithms(self):
-        """Should always include NONE and ZLIB."""
-        algos = get_available_algorithms()
-        assert CompressionAlgorithm.NONE in algos
-        assert CompressionAlgorithm.ZLIB in algos
-
-    def test_algorithm_name(self):
-        """Algorithm names should be human-readable."""
-        assert "Zlib" in algorithm_name(CompressionAlgorithm.ZLIB)
-        assert "None" in algorithm_name(CompressionAlgorithm.NONE)
-        assert "LZ4" in algorithm_name(CompressionAlgorithm.LZ4)
-
-
-class TestEdgeCases:
-    """Edge case tests."""
-
-    def test_empty_data(self):
-        """Empty data should be handled gracefully."""
-        result = compress(b"")
-        assert decompress(result) == b""
-
-    def test_exact_min_size(self):
-        """Data at exactly MIN_COMPRESS_SIZE should be compressed."""
-        data = b"x" * MIN_COMPRESS_SIZE
-        result = compress(data, CompressionAlgorithm.ZLIB)
-        assert result.startswith(COMPRESSION_MAGIC)
-        assert decompress(result) == data
-
-    def test_binary_data(self):
-        """Binary data with null bytes should work."""
-        data = b"\x00\x01\x02\x03" * 500
-        compressed = compress(data)
-        assert decompress(compressed) == data
-
-    def test_unicode_after_encoding(self):
-        """UTF-8 encoded Unicode should compress correctly."""
-        text = "Hello, 世界! 🎉 " * 100
-        data = text.encode("utf-8")
-        compressed = compress(data)
-        result = decompress(compressed)
-        assert result.decode("utf-8") == text
--- a/tests/test_stegasoo.py
+++ b/tests/test_stegasoo.py
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .12.0
 .12