feat(cli): make headless contributor node reproducible

[epicexcelsior]

Summary

• repair the reproducible TCP relay harness, quote generated client paths safely, and provide a single .venv-test runner
• add a truthful headless-node preflight/lifecycle launcher for laptop and Linux server contributors
• harden setup parsing, quoted filesystem paths, generated systemd unit paths, selected RNode serial values, canonical URLs, reachable hubs, unattended RNode configuration, experimental BLE/Meshtastic diagnostics, set -e recovery paths, malformed .env entries, and custom-network URL requirements
• enforce owner-only wallet, nonce, Reticulum identity, .env, Arcium payer-key, generated-launcher, and headless-state files, including legacy mode repair, unsafe-file refusal, and same-directory atomic replacement
• reject malformed gateway JSON, mesh responses, upstream JSON-RPC success bodies, Solana result shapes, scalar RPC errors, invalid wallet inputs, invalid numeric arguments, and confidentiality downgrade
• stream bounded HTTP bodies in gateway, preflight, and nonce-bootstrap paths and always close responses
• bound relay payloads (256 KiB requests, 1 MiB responses), expanded responses, simulation rendering, wallet rows, local key discovery, and nonce balance-query worker fanout
• close the beacon signing-oracle path by co-signing only the wallet-generated durable-nonce execute_payment shape: payer nonce advance, optional idempotent ATA creates, one deployed-program instruction, read-only beacon broadcaster
• validate Arcium shim/env boundaries, strict helper inputs, x25519/Rescue widths, execute-payment signatures, queued account metadata, local client configuration, stdin plaintext transport, failed-connect cleanup, Node helper credential reads, and initializer log rendering
• redact credential-bearing RPC URLs, honor configured CA bundles, and keep secrets out of Python and Node process arguments
• harden mesh lifecycle behavior: reject stale callbacks, cancel superseded attempts, refresh known identities on re-announce, preserve the first valid raced RPC response, wait for discovery after supplied-hash failures, and repair delayed transport-identity permissions
• preserve generated nonce authority keys after uncertain submission, remove runtime-generated keys after pre-submit failure, and apply non-breaking npm audit lockfile updates

Verification

Development PC:

./scripts/test.sh -q                                      544 passed in 20.90s
python compile + shell syntax + Node `.mjs` syntax         passed
pip check                                                  no broken requirements
./scripts/headless-node.sh preflight                       passed against devnet
python TCP bridge -> exit node -> Solana devnet           getBalance=1 lamports, 401ms RTT
post-TCP process sweep                                    empty

Linux server nearby:

python compile + shell syntax + Node `.mjs` syntax         passed
./scripts/test.sh -q                                      544 passed in 20.90s
pip check                                                  no broken requirements
python TCP bridge -> exit node -> Solana devnet           getBalance=1 lamports, 401ms RTT
post-TCP process sweep                                    empty

Physical Android Seeker: ADB connected, classic Bluetooth setting off, BLE-only framework state present, no reverse tunnel, LXMF foreground service active and native multi-hop announce intake observed. Mobile Tier 0 remains blocked only by three documented owner-lane TypeScript errors and was intentionally not edited from this CLI lane.

Known gaps

• Desktop peer-mesh BLE relay remains experimental: laptop BlueZ discovered and connected to the Android GATT profile, but desktop RNS has no compatible adapter.
• Confidential SOL balance lookup is not implemented end to end. The compatibility flag fails closed without relaying an address; add an MPC query handler before re-enabling it.
• Residual Solana dependency-chain advisories remain after non-force npm audit updates. npm audit fix --force proposes a breaking downgrade and was intentionally not applied.
• Before production exposure, decide authentication and rate limiting for ALLOW_ALL gateway RPC. Keep optional payer-funded post-relay Arcium stats disabled on untrusted meshes until metadata is authenticated or verifiably bound to the submitted transaction.
• Funded nonce creation, persistent systemd installation, iOS exercise, and physical RNode LoRa exercise remain manual operations.

[epicexcelsior]

Overview:
OVERVIEW-cli-pr7-2026-05-31.html