Remove some global reset styles in favor of explicit border colors, restore button cursors

upgrade tailwind
* moved to vite plugin for tailwind (it's recommended now) * removed autoprefixer (v4 uses its own CSS thing now) * postcss.config.js was used to wire up tailwind and autoprefixer, so it's gone * tailwind.config.ts is gone, because v4 stores config in app.css using css variables * fixed some renamed classes
2026-05-29 21:59:27 -07:00 · 2026-04-24 02:00:57 +02:00 · 2026-04-24 01:58:53 +02:00 · 2026-04-24 01:58:53 +02:00 · 2026-04-24 01:58:53 +02:00 · 2026-04-23 09:16:28 -07:00
54 changed files with 2544 additions and 3104 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -11,6 +11,9 @@ env:
  CARGO_TERM_COLOR: always
  FILE_ROOTSHELL: ../../rootshell/rootshell
  FILE_RAYHUNTER_DAEMON: ../../rayhunter-daemon/rayhunter-daemon
+  FILE_WPA_SUPPLICANT: ../../wpa-supplicant/wpa_supplicant
+  FILE_WPA_CLI: ../../wpa-supplicant/wpa_cli
+  FILE_IW: ../../wpa-supplicant/iw
  RUSTFLAGS: "-Dwarnings"

 jobs:
@@ -301,6 +304,30 @@ jobs:
          path: target/armv7-unknown-linux-musleabihf/firmware/rootshell
          if-no-files-found: error

+  build_wpa_supplicant:
+    if: needs.files_changed.outputs.installer_changed == 'true'
+    needs:
+      - files_changed
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install cross-compiler
+        run: sudo apt-get update && sudo apt-get install -y gcc-arm-linux-gnueabihf
+      - name: Build wpa_supplicant (armv7)
+        run: CC=arm-linux-gnueabihf-gcc STRIP=arm-linux-gnueabihf-strip HOST=arm-linux-gnueabihf scripts/build-wpa-supplicant.sh
+      - uses: actions/upload-artifact@v4
+        with:
+          name: wpa-supplicant
+          path: |
+            tools/build-wpa-supplicant/out/wpa_supplicant
+            tools/build-wpa-supplicant/out/wpa_cli
+            tools/build-wpa-supplicant/out/iw
+          if-no-files-found: error
+
  build_rayhunter:
    if: needs.files_changed.outputs.daemon_needed == 'true'
    needs:
@@ -347,6 +374,7 @@ jobs:
    needs:
      - build_rayhunter
      - build_rootshell
+      - build_wpa_supplicant
      - files_changed
      - windows_installer_check_and_test
    strategy:
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /target
 /book
 .DS_Store
+/tools/build-wpa-supplicant
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4556,6 +4556,7 @@ dependencies = [
 "serde",
 "serde_json",
 "telcom-parser",
+ "tempfile",
 "thiserror 1.0.69",
 "tokio",
 "utoipa",
@@ -4601,7 +4602,9 @@ dependencies = [
 "tokio-stream",
 "tokio-util",
 "toml 0.8.22",
+ "url",
 "utoipa",
+ "wifi-station",
 ]

 [[package]]
@@ -6748,6 +6751,20 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dd7cf3379ca1aac9eea11fba24fd7e315d621f8dfe35c8d7d2be8b793726e07d"

+[[package]]
+name = "wifi-station"
+version = "0.10.1"
+source = "git+https://github.com/BeigeBox/wifi-station?rev=e8ec5b4#e8ec5b491fa125bf5346b6aa84f13ed51de33044"
+dependencies = [
+ "anyhow",
+ "chrono",
+ "log",
+ "serde",
+ "tokio",
+ "tokio-util",
+ "utoipa",
+]
+
 [[package]]
 name = "winapi"
 version = "0.3.9"
--- a/daemon/Cargo.toml
+++ b/daemon/Cargo.toml
@@ -17,10 +17,11 @@ required-features = ["apidocs"]
 default = ["rustcrypto-tls"]
 rustcrypto-tls = ["reqwest/rustls-tls-webpki-roots-no-provider", "dep:rustls-rustcrypto"]
 pq-tls = ["reqwest/rustls-tls-webpki-roots-no-provider", "dep:rustls-post-quantum"]
-apidocs = ["dep:utoipa"]
+apidocs = ["dep:utoipa", "wifi-station/utoipa"]

 [dependencies]
 rayhunter = { path = "../lib" }
+wifi-station = { git = "https://github.com/BeigeBox/wifi-station", rev = "e8ec5b4" }
 toml = "0.8.8"
 serde = { version = "1.0.193", features = ["derive"] }
 tokio = { version = "1.44.2", default-features = false, features = ["fs", "signal", "process", "rt"] }
@@ -44,3 +45,4 @@ rustls-rustcrypto = { version = "0.0.2-alpha", optional = true }
 rustls-post-quantum = { version = "0.2.4", optional = true }
 async-trait = "0.1.88"
 utoipa = { version = "5.4.0", optional = true }
+url = "2.5.4"
--- a/daemon/src/config.rs
+++ b/daemon/src/config.rs
@@ -32,8 +32,24 @@ pub struct Config {
    pub enabled_notifications: Vec<NotificationType>,
    /// Vector containing the list of enabled analyzers
    pub analyzers: AnalyzerConfig,
+    /// Minimum disk space required to start a recording
    pub min_space_to_start_recording_mb: u64,
+    /// Minimum disk space required to continue a recording
    pub min_space_to_continue_recording_mb: u64,
+    /// Wifi client SSID
+    pub wifi_ssid: Option<String>,
+    /// Wifi client password
+    pub wifi_password: Option<String>,
+    /// Wifi security type (wpa_psk or sae)
+    pub wifi_security: Option<wifi_station::SecurityType>,
+    /// Wifi client mode
+    pub wifi_enabled: bool,
+    /// Vector containing wifi client DNS servers
+    pub dns_servers: Option<Vec<String>>,
+    /// Wifi client firewall mode
+    pub firewall_restrict_outbound: bool,
+    /// Vector containing additional wifi client firewall ports to open
+    pub firewall_allowed_ports: Option<Vec<u16>>,
 }

 impl Default for Config {
@@ -51,20 +67,83 @@ impl Default for Config {
            enabled_notifications: vec![NotificationType::Warning, NotificationType::LowBattery],
            min_space_to_start_recording_mb: 1,
            min_space_to_continue_recording_mb: 1,
+            wifi_ssid: None,
+            wifi_password: None,
+            wifi_security: None,
+            wifi_enabled: false,
+            dns_servers: None,
+            firewall_restrict_outbound: true,
+            firewall_allowed_ports: None,
        }
    }
 }

+impl Config {
+    pub fn wifi_config(&self) -> wifi_station::WifiConfig {
+        let (wpa_bin, hostapd_conf, ctrl_interface) = match self.device {
+            Device::Tmobile | Device::Wingtech => (
+                Some("/usr/sbin/wpa_supplicant".into()),
+                Some("/data/configs/hostapd.conf".into()),
+                None,
+            ),
+            Device::Uz801 => (
+                Some("/system/bin/wpa_supplicant".into()),
+                Some("/data/misc/wifi/hostapd.conf".into()),
+                Some("/data/misc/wifi/sockets".into()),
+            ),
+            _ => (None, None, None),
+        };
+        wifi_station::WifiConfig {
+            wifi_enabled: self.wifi_enabled,
+            dns_servers: self.dns_servers.clone(),
+            wifi_ssid: self.wifi_ssid.clone(),
+            wifi_password: self.wifi_password.clone(),
+            security_type: self.wifi_security,
+            wpa_supplicant_bin: wpa_bin.or_else(|| resolve_bin("wpa_supplicant")),
+            hostapd_conf,
+            ctrl_interface,
+            udhcpc_hook_path: Some("/data/rayhunter/udhcpc-hook.sh".into()),
+            dhcp_lease_path: Some("/data/rayhunter/dhcp_lease".into()),
+            wpa_conf_path: Some("/data/rayhunter/wpa_sta.conf".into()),
+            iw_bin: resolve_bin("iw"),
+            udhcpc_bin: resolve_bin("udhcpc"),
+            crash_log_dir: Some("/data/rayhunter/crash-logs".into()),
+            wakelock_name: Some("rayhunter".into()),
+        }
+    }
+}
+
+fn resolve_bin(name: &str) -> Option<String> {
+    let local = format!("/data/rayhunter/bin/{name}");
+    if std::path::Path::new(&local).exists() {
+        return Some(local);
+    }
+    None
+}
+
 pub async fn parse_config<P>(path: P) -> Result<Config, RayhunterError>
 where
    P: AsRef<std::path::Path>,
 {
-    if let Ok(config_file) = tokio::fs::read_to_string(&path).await {
-        Ok(toml::from_str(&config_file).map_err(RayhunterError::ConfigFileParsingError)?)
+    let mut config = if let Ok(config_file) = tokio::fs::read_to_string(&path).await {
+        toml::from_str(&config_file).map_err(RayhunterError::ConfigFileParsingError)?
    } else {
        warn!("unable to read config file, using default config");
-        Ok(Config::default())
+        Config::default()
+    };
+
+    if let Some((ssid, security)) =
+        wifi_station::read_network_from_wpa_conf("/data/rayhunter/wpa_sta.conf")
+    {
+        config.wifi_ssid = Some(ssid);
+        config.wifi_security = Some(security);
+    } else {
+        config.wifi_ssid = None;
+        config.wifi_security = None;
    }
+    config.wifi_password = None;
+
+    Ok(config)
 }

 pub struct Args {
--- a/daemon/src/firewall.rs
+++ b/daemon/src/firewall.rs
@@ -0,0 +1,92 @@
+use anyhow::{Result, bail};
+use log::{info, warn};
+use tokio::process::Command;
+
+use wifi_station::detect_bridge_iface;
+
+use crate::config::Config;
+
+async fn run_iptables(args: &[&str]) -> Result<()> {
+    let out = Command::new("iptables").args(args).output().await?;
+    if !out.status.success() {
+        bail!(
+            "iptables {} failed: {}",
+            args.join(" "),
+            String::from_utf8_lossy(&out.stderr)
+        );
+    }
+    Ok(())
+}
+
+pub async fn apply(config: &Config) {
+    let _ = Command::new("iptables")
+        .args(["-F", "OUTPUT"])
+        .output()
+        .await;
+
+    if config.firewall_restrict_outbound {
+        // Fail open on partial setup error: reachability beats restriction when recovery means physical access.
+        match setup_outbound_whitelist(&config.firewall_allowed_ports, &config.ntfy_url).await {
+            Ok(()) => info!("outbound firewall active: allowing DHCP, DNS, HTTPS only"),
+            Err(e) => warn!("firewall setup failed: {e} (fail-open, outbound unrestricted)"),
+        }
+    }
+}
+
+async fn setup_outbound_whitelist(
+    extra_ports: &Option<Vec<u16>>,
+    ntfy_url: &Option<String>,
+) -> Result<()> {
+    run_iptables(&["-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"]).await?;
+    run_iptables(&["-A", "OUTPUT", "-o", detect_bridge_iface(), "-j", "ACCEPT"]).await?;
+    run_iptables(&[
+        "-A",
+        "OUTPUT",
+        "-m",
+        "state",
+        "--state",
+        "ESTABLISHED,RELATED",
+        "-j",
+        "ACCEPT",
+    ])
+    .await?;
+    run_iptables(&[
+        "-A", "OUTPUT", "-p", "udp", "--dport", "67:68", "-j", "ACCEPT",
+    ])
+    .await?;
+    run_iptables(&["-A", "OUTPUT", "-p", "udp", "--dport", "53", "-j", "ACCEPT"]).await?;
+    run_iptables(&["-A", "OUTPUT", "-p", "tcp", "--dport", "53", "-j", "ACCEPT"]).await?;
+    run_iptables(&[
+        "-A", "OUTPUT", "-p", "tcp", "--dport", "443", "-j", "ACCEPT",
+    ])
+    .await?;
+
+    if let Some(url) = ntfy_url
+        && let Ok(parsed) = url::Url::parse(url)
+        && let Some(port) = parsed.port_or_known_default()
+        && port != 443
+    {
+        let port_str = port.to_string();
+        run_iptables(&[
+            "-A", "OUTPUT", "-p", "tcp", "--dport", &port_str, "-j", "ACCEPT",
+        ])
+        .await?;
+        info!("firewall: auto-allowed port {port} for ntfy");
+    }
+
+    if let Some(ports) = extra_ports {
+        for port in ports {
+            let port_str = port.to_string();
+            run_iptables(&[
+                "-A", "OUTPUT", "-p", "tcp", "--dport", &port_str, "-j", "ACCEPT",
+            ])
+            .await?;
+        }
+    }
+
+    run_iptables(&["-A", "OUTPUT", "-j", "DROP"]).await?;
+
+    let _ = tokio::fs::write("/proc/sys/net/bridge/bridge-nf-call-iptables", "0").await;
+
+    Ok(())
+}
--- a/daemon/src/lib.rs
+++ b/daemon/src/lib.rs
@@ -5,6 +5,7 @@ pub mod crypto_provider;
 pub mod diag;
 pub mod display;
 pub mod error;
+pub mod firewall;
 pub mod key_input;
 pub mod notifications;
 pub mod pcap;
--- a/daemon/src/main.rs
+++ b/daemon/src/main.rs
@@ -5,13 +5,13 @@ mod crypto_provider;
 mod diag;
 mod display;
 mod error;
+mod firewall;
 mod key_input;
 mod notifications;
 mod pcap;
 mod qmdl_store;
 mod server;
 mod stats;
-
 use std::net::SocketAddr;
 use std::sync::Arc;

@@ -23,10 +23,11 @@ use crate::notifications::{NotificationService, run_notification_worker};
 use crate::pcap::get_pcap;
 use crate::qmdl_store::RecordingStore;
 use crate::server::{
-    ServerState, debug_set_display_state, get_config, get_qmdl, get_time, get_zip, serve_static,
-    set_config, set_time_offset, test_notification,
+    ServerState, debug_set_display_state, get_config, get_qmdl, get_time, get_wifi_status, get_zip,
+    scan_wifi, serve_static, set_config, set_time_offset, test_notification,
 };
 use crate::stats::{get_qmdl_manifest, get_system_stats};
+use wifi_station::WifiStatus;

 use analysis::{
    AnalysisCtrlMessage, AnalysisStatus, get_analysis_status, run_analysis_thread, start_analysis,
@@ -71,6 +72,8 @@ fn get_router() -> AppRouter {
        .route("/api/config", get(get_config))
        .route("/api/config", post(set_config))
        .route("/api/test-notification", post(test_notification))
+        .route("/api/wifi-status", get(get_wifi_status))
+        .route("/api/wifi-scan", post(scan_wifi))
        .route("/api/time", get(get_time))
        .route("/api/time-offset", post(set_time_offset))
        .route("/api/debug/display-state", post(debug_set_display_state))
@@ -236,7 +239,7 @@ async fn run_with_config(
        info!("Starting UI");

        let update_ui = match &config.device {
-            Device::Orbic => display::orbic::update_ui,
+            Device::Orbic | Device::Moxee => display::orbic::update_ui,
            Device::Tplink => display::tplink::update_ui,
            Device::Tmobile => display::tmobile::update_ui,
            Device::Wingtech => display::wingtech::update_ui,
@@ -284,6 +287,15 @@ async fn run_with_config(
        config.enabled_notifications.clone(),
    );

+    let wifi_status = Arc::new(RwLock::new(WifiStatus::default()));
+    wifi_station::run_wifi_client(
+        &task_tracker,
+        &config.wifi_config(),
+        shutdown_token.clone(),
+        wifi_status.clone(),
+    );
+    firewall::apply(&config).await;
+
    let state = Arc::new(ServerState {
        config_path: args.config_path.clone(),
        config,
@@ -293,6 +305,8 @@ async fn run_with_config(
        analysis_sender: analysis_tx,
        daemon_restart_token: restart_token.clone(),
        ui_update_sender: Some(ui_update_tx),
+        wifi_status,
+        wifi_scan_lock: tokio::sync::Mutex::new(()),
    });
    run_server(&task_tracker, state, shutdown_token.clone()).await;

--- a/daemon/src/notifications.rs
+++ b/daemon/src/notifications.rs
@@ -248,10 +248,7 @@ mod tests {
    }

    async fn setup_timeout_server(timeout: u64) -> String {
-        #[cfg(feature = "rustcrypto-tls")]
-        {
-            let _ = rustls_rustcrypto::provider().install_default();
-        }
+        crate::crypto_provider::install_default();

        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
        let addr = listener.local_addr().unwrap();
--- a/daemon/src/server.rs
+++ b/daemon/src/server.rs
@@ -38,6 +38,8 @@ pub struct ServerState {
    pub analysis_sender: Sender<AnalysisCtrlMessage>,
    pub daemon_restart_token: CancellationToken,
    pub ui_update_sender: Option<Sender<DisplayState>>,
+    pub wifi_status: Arc<RwLock<wifi_station::WifiStatus>>,
+    pub wifi_scan_lock: tokio::sync::Mutex<()>,
 }

 #[cfg_attr(feature = "apidocs", utoipa::path(
@@ -135,7 +137,9 @@ pub async fn serve_static(
 pub async fn get_config(
    State(state): State<Arc<ServerState>>,
 ) -> Result<Json<Config>, (StatusCode, String)> {
-    Ok(Json(state.config.clone()))
+    let mut config = state.config.clone();
+    config.wifi_password = None;
+    Ok(Json(config))
 }

 #[cfg_attr(feature = "apidocs", utoipa::path(
@@ -158,7 +162,12 @@ pub async fn set_config(
    State(state): State<Arc<ServerState>>,
    Json(config): Json<Config>,
 ) -> Result<(StatusCode, String), (StatusCode, String)> {
-    let config_str = toml::to_string_pretty(&config).map_err(|err| {
+    let mut config_to_write = config.clone();
+    config_to_write.wifi_ssid = None;
+    config_to_write.wifi_password = None;
+    config_to_write.wifi_security = None;
+
+    let config_str = toml::to_string_pretty(&config_to_write).map_err(|err| {
        (
            StatusCode::INTERNAL_SERVER_ERROR,
            format!("failed to serialize config as TOML: {err}"),
@@ -172,6 +181,8 @@ pub async fn set_config(
        )
    })?;

+    wifi_station::update_wpa_conf(&config.wifi_config()).await;
+
    // Trigger daemon restart after writing config
    state.daemon_restart_token.cancel();
    Ok((
@@ -400,6 +411,55 @@ pub async fn get_zip(
    Ok((headers, body).into_response())
 }

+#[cfg_attr(feature = "apidocs", utoipa::path(
+    get,
+    path = "/api/wifi-status",
+    tag = "Configuration",
+    responses(
+        (status = StatusCode::OK, description = "Success", body = wifi_station::WifiStatus)
+    ),
+    summary = "Get wifi status",
+    description = "Show the status of the wifi client."
+))]
+pub async fn get_wifi_status(
+    State(state): State<Arc<ServerState>>,
+) -> Json<wifi_station::WifiStatus> {
+    let status = state.wifi_status.read().await;
+    Json(status.clone())
+}
+
+#[cfg_attr(feature = "apidocs", utoipa::path(
+    post,
+    path = "/api/wifi-scan",
+    tag = "Configuration",
+    responses(
+        (status = StatusCode::OK, description = "Scan success", body = inline(Vec<wifi_station::WifiNetwork>), content_type = "application/json"),
+        (status = StatusCode::TOO_MANY_REQUESTS, description = "Scan already in progress"),
+        (status = StatusCode::INTERNAL_SERVER_ERROR, description = "Scan failed"),
+    ),
+    summary = "Wifi SSID scan",
+    description = "Poll for a list of available wifi networks. Returns an array of WifiNetwork objects."
+))]
+pub async fn scan_wifi(
+    State(state): State<Arc<ServerState>>,
+) -> Result<Json<Vec<wifi_station::WifiNetwork>>, (StatusCode, String)> {
+    let _guard = state.wifi_scan_lock.try_lock().map_err(|_| {
+        (
+            StatusCode::TOO_MANY_REQUESTS,
+            "WiFi scan already in progress".to_string(),
+        )
+    })?;
+    let networks = wifi_station::scan_wifi_networks(wifi_station::STA_IFACE)
+        .await
+        .map_err(|e| {
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                format!("WiFi scan failed: {e}"),
+            )
+        })?;
+    Ok(Json(networks))
+}
+
 #[cfg_attr(feature = "apidocs", utoipa::path(
    post,
    path = "/api/debug/display-state",
@@ -504,6 +564,8 @@ mod tests {
            analysis_sender: analysis_tx,
            daemon_restart_token: CancellationToken::new(),
            ui_update_sender: None,
+            wifi_status: Arc::new(RwLock::new(wifi_station::WifiStatus::default())),
+            wifi_scan_lock: tokio::sync::Mutex::new(()),
        })
    }

--- a/daemon/web/eslint.config.js
+++ b/daemon/web/eslint.config.js
@@ -22,7 +22,7 @@ export default ts.config(
        },
    },
    {
-        files: ['**/*.svelte'],
+        files: ['**/*.svelte', '**/*.svelte.ts', '**/*.svelte.js'],

        languageOptions: {
            parserOptions: {
@@ -48,6 +48,11 @@ export default ts.config(
                    format: ['snake_case'],
                },
            ],
+            // these rules should eventually be enabled, just disabled them to
+            // make dependency upgrades easier.
+            'svelte/prefer-svelte-reactivity': 'off',
+            'svelte/require-each-key': 'off',
+            'svelte/no-navigation-without-resolve': 'off',
        },
    }
 );
--- a/daemon/web/package-lock.json
+++ b/daemon/web/package-lock.json
--- a/daemon/web/package.json
+++ b/daemon/web/package.json
@@ -15,25 +15,26 @@
        "fix": "eslint --fix ."
    },
    "devDependencies": {
-        "@sveltejs/adapter-auto": "^3.0.0",
+        "@eslint/js": "^10.0.1",
+        "@sveltejs/adapter-auto": "^7.0.1",
        "@sveltejs/adapter-static": "^3.0.5",
-        "@sveltejs/kit": "^2.53.4",
-        "@sveltejs/vite-plugin-svelte": "^6.2.1",
+        "@sveltejs/kit": "^2.57.1",
+        "@sveltejs/vite-plugin-svelte": "^7.0.0",
+        "@tailwindcss/vite": "^4.2.2",
        "@types/eslint": "^9.6.0",
-        "@types/node": "^24.7.0",
-        "autoprefixer": "^10.4.20",
-        "eslint": "^9.7.0",
-        "eslint-config-prettier": "^9.1.0",
-        "eslint-plugin-svelte": "^2.36.0",
-        "globals": "^15.0.0",
-        "prettier": "^3.3.2",
-        "prettier-plugin-svelte": "^3.2.6",
-        "svelte": "^5.53.7",
-        "svelte-check": "^4.0.0",
-        "tailwindcss": "^3.4.9",
-        "typescript": "^5.0.0",
-        "typescript-eslint": "^8.0.0",
-        "vite": "^7.3.2",
-        "vitest": "^3.2.4"
+        "@types/node": "^25.6.0",
+        "eslint": "^10.2.1",
+        "eslint-config-prettier": "^10.1.8",
+        "eslint-plugin-svelte": "^3.17.0",
+        "globals": "^17.5.0",
+        "prettier": "^3.8.3",
+        "prettier-plugin-svelte": "^3.5.1",
+        "svelte": "^5.55.4",
+        "svelte-check": "^4.4.6",
+        "tailwindcss": "^4.2.2",
+        "typescript": "^6.0.3",
+        "typescript-eslint": "^8.58.2",
+        "vite": "^8.0.9",
+        "vitest": "^4.1.4"
    }
 }
--- a/daemon/web/postcss.config.js
+++ b/daemon/web/postcss.config.js
@@ -1,6 +0,0 @@
-export default {
-    plugins: {
-        tailwindcss: {},
-        autoprefixer: {},
-    },
-};
--- a/daemon/web/src/app.css
+++ b/daemon/web/src/app.css
@@ -1,3 +1,16 @@
-@import 'tailwindcss/base';
-@import 'tailwindcss/components';
-@import 'tailwindcss/utilities';
+@import 'tailwindcss';
+
+@theme {
+    --color-rayhunter-blue: #4e4eb1;
+    --color-rayhunter-dark-blue: #3f3da0;
+    --color-rayhunter-green: #94ea18;
+}
+
+/* v4 dropped the v3 preflight rule that set `cursor: pointer` on buttons.
+ * Restore it so enabled buttons get the pointer cursor. */
+@layer base {
+    button:not(:disabled),
+    [role='button']:not(:disabled) {
+        cursor: pointer;
+    }
+}
--- a/daemon/web/src/lib/components/ActionErrors.svelte
+++ b/daemon/web/src/lib/components/ActionErrors.svelte
@@ -20,7 +20,7 @@

 {#if action_errors.length > 0}
    <div
-        class="bg-red-100 border-red-100 drop-shadow p-4 flex flex-col gap-2
+        class="bg-red-100 border-red-100 drop-shadow-sm p-4 flex flex-col gap-2
        border rounded-md flex-1 justify-between fixed z-10 right-3 bottom-3 ml-3"
    >
        <div class="flex flex-row justify-between">
--- a/daemon/web/src/lib/components/ClockDriftAlert.svelte
+++ b/daemon/web/src/lib/components/ClockDriftAlert.svelte
@@ -55,7 +55,7 @@

 {#if show_alert}
    <div
-        class="bg-yellow-100 border-yellow-400 drop-shadow p-4 flex flex-col gap-2 border rounded-md"
+        class="bg-yellow-100 border-yellow-400 drop-shadow-sm p-4 flex flex-col gap-2 border rounded-md"
    >
        <span class="text-xl font-bold flex flex-row items-center gap-2 text-yellow-700">
            <svg
--- a/daemon/web/src/lib/components/ConfigForm.svelte
+++ b/daemon/web/src/lib/components/ConfigForm.svelte
@@ -1,5 +1,14 @@
 <script lang="ts">
-    import { get_config, set_config, test_notification, type Config } from '../utils.svelte';
+    import {
+        get_config,
+        set_config,
+        test_notification,
+        get_wifi_status,
+        scan_wifi_networks,
+        type Config,
+        type WifiStatus,
+        type WifiNetwork,
+    } from '../utils.svelte';
    import Modal from './Modal.svelte';

    let { shown = $bindable() }: { shown: boolean } = $props();
@@ -12,13 +21,20 @@
    let messageType = $state<'success' | 'error' | null>(null);
    let testMessage = $state('');
    let testMessageType = $state<'success' | 'error' | null>(null);
+    let wifiStatus = $state<WifiStatus | null>(null);
+    let wifiStatusTimer = $state<ReturnType<typeof setInterval> | null>(null);
+    let scanning = $state(false);
+    let scanResults = $state<WifiNetwork[]>([]);
+    let dnsServersInput = $state('');

    async function load_config() {
        try {
            loading = true;
            config = await get_config();
+            dnsServersInput = config.dns_servers ? config.dns_servers.join(', ') : '';
            message = '';
            messageType = null;
+            poll_wifi_status();
        } catch (error) {
            message = `Failed to load config: ${error}`;
            messageType = 'error';
@@ -30,6 +46,15 @@
    async function save_config() {
        if (!config) return;

+        const trimmed = dnsServersInput.trim();
+        config.dns_servers =
+            trimmed.length > 0
+                ? trimmed
+                      .split(',')
+                      .map((s) => s.trim())
+                      .filter((s) => s.length > 0)
+                : null;
+
        try {
            saving = true;
            await set_config(config);
@@ -44,6 +69,49 @@
        }
    }

+    async function poll_wifi_status() {
+        if (wifiStatusTimer) clearInterval(wifiStatusTimer);
+        try {
+            wifiStatus = await get_wifi_status();
+        } catch {
+            wifiStatus = null;
+        }
+        wifiStatusTimer = setInterval(async () => {
+            try {
+                wifiStatus = await get_wifi_status();
+            } catch {
+                wifiStatus = null;
+            }
+        }, 5000);
+    }
+
+    let scanError = $state('');
+
+    async function do_scan() {
+        scanning = true;
+        scanError = '';
+        try {
+            scanResults = await scan_wifi_networks();
+        } catch (error) {
+            scanResults = [];
+            scanError = `Scan failed: ${error}`;
+        } finally {
+            scanning = false;
+        }
+    }
+
+    function select_network(network: WifiNetwork) {
+        if (config) {
+            config.wifi_ssid = network.ssid;
+            config.wifi_password = '';
+            config.wifi_security =
+                network.security === 'WPA3' || network.security === 'WPA3 (transition)'
+                    ? 'sae'
+                    : 'wpa_psk';
+            scanResults = [];
+        }
+    }
+
    async function send_test_notification() {
        try {
            testingNotification = true;
@@ -64,6 +132,16 @@
        if (shown && !config) {
            load_config();
        }
+        if (!shown && wifiStatusTimer) {
+            clearInterval(wifiStatusTimer);
+            wifiStatusTimer = null;
+        }
+        return () => {
+            if (wifiStatusTimer) {
+                clearInterval(wifiStatusTimer);
+                wifiStatusTimer = null;
+            }
+        };
    });
 </script>

@@ -86,7 +164,7 @@
                    <select
                        id="ui_level"
                        bind:value={config.ui_level}
-                        class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-rayhunter-blue"
+                        class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
                    >
                        <option value={0}>0 - Invisible mode</option>
                        <option value={1}>1 - Subtle mode (colored line)</option>
@@ -110,7 +188,7 @@
                    <select
                        id="key_input_mode"
                        bind:value={config.key_input_mode}
-                        class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-rayhunter-blue"
+                        class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
                    >
                        <option value={0}>0 - Disable button control</option>
                        <option value={1}>1 - Double-tap power button to start new recording</option
@@ -124,7 +202,7 @@
                            id="colorblind_mode"
                            type="checkbox"
                            bind:checked={config.colorblind_mode}
-                            class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                            class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                        />
                        <label for="colorblind_mode" class="ml-2 block text-sm text-gray-700">
                            Colorblind Mode
@@ -132,7 +210,7 @@
                    </div>
                </div>

-                <div class="border-t pt-4 mt-6 space-y-3">
+                <div class="border-t border-gray-200 pt-4 mt-6 space-y-3">
                    <h3 class="text-lg font-semibold text-gray-800 mb-4">Notification Settings</h3>
                    <div>
                        <label for="ntfy_url" class="block text-sm font-medium text-gray-700 mb-1">
@@ -143,7 +221,7 @@
                            id="ntfy_url"
                            type="url"
                            bind:value={config.ntfy_url}
-                            class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-rayhunter-blue"
+                            class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
                        />
                        <p class="text-xs text-gray-500 mt-1">
                            Test button below uses the saved configuration URL, not the input above
@@ -181,7 +259,7 @@
                        </button>
                        {#if testMessage}
                            <div
-                                class="mt-2 p-2 rounded text-sm {testMessageType === 'error'
+                                class="mt-2 p-2 rounded-sm text-sm {testMessageType === 'error'
                                    ? 'bg-red-100 text-red-700'
                                    : 'bg-green-100 text-green-700'}"
                            >
@@ -225,7 +303,7 @@
                    </div>
                </div>

-                <div class="border-t pt-4 mt-6 space-y-3">
+                <div class="border-t border-gray-200 pt-4 mt-6 space-y-3">
                    <h3 class="text-lg font-semibold text-gray-800 mb-4">Storage Management</h3>

                    <div>
@@ -240,7 +318,7 @@
                            type="number"
                            min="1"
                            bind:value={config.min_space_to_start_recording_mb}
-                            class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-rayhunter-blue"
+                            class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
                        />
                        <p class="text-xs text-gray-500 mt-1">
                            Recording will not start if less than this amount of disk space is free
@@ -259,7 +337,7 @@
                            type="number"
                            min="1"
                            bind:value={config.min_space_to_continue_recording_mb}
-                            class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-rayhunter-blue"
+                            class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
                        />
                        <p class="text-xs text-gray-500 mt-1">
                            Recording will stop automatically if disk space drops below this level
@@ -267,7 +345,219 @@
                    </div>
                </div>

-                <div class="border-t pt-4 mt-6">
+                {#if config.device === 'orbic' || config.device === 'moxee' || config.device === 'tmobile' || config.device === 'wingtech'}
+                    <div class="border-t border-gray-200 pt-4 mt-6 space-y-3">
+                        <h3 class="text-lg font-semibold text-gray-800 mb-4">WiFi Client Mode</h3>
+                        <p class="text-xs text-gray-500">
+                            Connect the device to an existing WiFi network for internet access (e.g.
+                            notifications, remote access). The hotspot AP stays running alongside
+                            WiFi client mode.
+                        </p>
+
+                        <div class="flex items-center">
+                            <input
+                                id="wifi_enabled"
+                                type="checkbox"
+                                bind:checked={config.wifi_enabled}
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
+                            />
+                            <label for="wifi_enabled" class="ml-2 block text-sm text-gray-700">
+                                Enable WiFi
+                            </label>
+                        </div>
+                        <p class="text-xs text-gray-500">
+                            Unchecking stops WiFi without clearing saved credentials.
+                        </p>
+
+                        {#if wifiStatus && config.wifi_enabled}
+                            {#if wifiStatus.state === 'connected'}
+                                <p class="text-xs text-green-600">
+                                    Connected to "{wifiStatus.ssid}" ({wifiStatus.ip})
+                                </p>
+                            {:else if wifiStatus.state === 'connecting'}
+                                <p class="text-xs text-amber-600">Connecting...</p>
+                            {:else if wifiStatus.state === 'recovering'}
+                                <p class="text-xs text-amber-600">Recovering connection...</p>
+                            {:else if wifiStatus.state === 'dataPathDead'}
+                                <p class="text-xs text-amber-600">
+                                    Data path stalled, attempting recovery...
+                                </p>
+                            {:else if wifiStatus.state === 'failed'}
+                                <p class="text-xs text-red-600">
+                                    Failed: {wifiStatus.error}
+                                </p>
+                            {/if}
+                        {/if}
+
+                        <div>
+                            <label
+                                for="wifi_ssid"
+                                class="block text-sm font-medium text-gray-700 mb-1"
+                            >
+                                WiFi Network Name (SSID)
+                            </label>
+                            <div class="flex gap-2">
+                                <input
+                                    id="wifi_ssid"
+                                    type="text"
+                                    bind:value={config.wifi_ssid}
+                                    placeholder="MyWiFiNetwork"
+                                    class="flex-1 px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
+                                />
+                                <button
+                                    type="button"
+                                    onclick={do_scan}
+                                    disabled={scanning}
+                                    class="px-3 py-2 text-sm bg-gray-100 hover:bg-gray-200 disabled:opacity-50 border border-gray-300 rounded-md"
+                                >
+                                    {scanning ? 'Scanning...' : 'Scan'}
+                                </button>
+                            </div>
+                        </div>
+
+                        {#if scanError}
+                            <p class="text-xs text-red-600">{scanError}</p>
+                        {/if}
+
+                        {#if scanResults.length > 0}
+                            <div
+                                class="border border-gray-200 rounded-md max-h-40 overflow-y-auto divide-y divide-gray-200"
+                            >
+                                {#each scanResults as network}
+                                    <button
+                                        type="button"
+                                        class="w-full px-3 py-2 text-left text-sm hover:bg-gray-50 flex justify-between"
+                                        onclick={() => select_network(network)}
+                                    >
+                                        <span>{network.ssid}</span>
+                                        <span class="text-gray-400"
+                                            >{network.signal_dbm} dBm &middot; {network.security}</span
+                                        >
+                                    </button>
+                                {/each}
+                            </div>
+                        {/if}
+
+                        {#if config.wifi_ssid}
+                            <div>
+                                <label
+                                    for="wifi_security"
+                                    class="block text-sm font-medium text-gray-700 mb-1"
+                                >
+                                    Security Type
+                                </label>
+                                <select
+                                    id="wifi_security"
+                                    bind:value={config.wifi_security}
+                                    class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
+                                >
+                                    <option value="wpa_psk">WPA2 (WPA-PSK)</option>
+                                    <option value="sae">WPA3 (SAE)</option>
+                                </select>
+                            </div>
+                        {/if}
+
+                        <div>
+                            <label
+                                for="wifi_password"
+                                class="block text-sm font-medium text-gray-700 mb-1"
+                            >
+                                WiFi Password
+                            </label>
+                            <input
+                                id="wifi_password"
+                                type="password"
+                                bind:value={config.wifi_password}
+                                placeholder="Enter password"
+                                class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
+                            />
+                            <p class="text-xs text-gray-500 mt-1">
+                                Changing the network requires re-entering the password.
+                            </p>
+                        </div>
+
+                        {#if config.wifi_ssid}
+                            <div>
+                                <label
+                                    for="dns_servers"
+                                    class="block text-sm font-medium text-gray-700 mb-1"
+                                >
+                                    DNS Servers
+                                </label>
+                                <input
+                                    id="dns_servers"
+                                    type="text"
+                                    bind:value={dnsServersInput}
+                                    placeholder="9.9.9.9, 149.112.112.112"
+                                    class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
+                                />
+                                <p class="text-xs text-gray-500 mt-1">
+                                    Comma-separated. Used when WiFi is active. Defaults to 9.9.9.9,
+                                    149.112.112.112 (Quad9).
+                                </p>
+                            </div>
+                        {/if}
+                    </div>
+                {/if}
+
+                <div class="border-t border-gray-200 pt-4 mt-6 space-y-3">
+                    <h3 class="text-lg font-semibold text-gray-800 mb-4">Device Security</h3>
+
+                    <div class="flex items-center">
+                        <input
+                            id="firewall_restrict_outbound"
+                            type="checkbox"
+                            bind:checked={config.firewall_restrict_outbound}
+                            class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
+                        />
+                        <label
+                            for="firewall_restrict_outbound"
+                            class="ml-2 block text-sm text-gray-700"
+                        >
+                            Restrict outbound traffic
+                        </label>
+                    </div>
+                    <p class="text-xs text-gray-500">
+                        Only allows DNS, DHCP, and HTTPS (port 443) outbound. Blocks all other
+                        outbound connections on every interface (WiFi and cellular). Loopback and
+                        hotspot traffic are always allowed. Changes take effect immediately.
+                    </p>
+
+                    {#if config.firewall_restrict_outbound}
+                        <div>
+                            <label
+                                for="firewall_allowed_ports"
+                                class="block text-sm font-medium text-gray-700 mb-1"
+                            >
+                                Additional Allowed Ports
+                            </label>
+                            <input
+                                id="firewall_allowed_ports"
+                                type="text"
+                                value={config.firewall_allowed_ports
+                                    ? config.firewall_allowed_ports.join(', ')
+                                    : ''}
+                                oninput={(e) => {
+                                    const val = (e.target as HTMLInputElement).value.trim();
+                                    config!.firewall_allowed_ports =
+                                        val.length > 0
+                                            ? val
+                                                  .split(',')
+                                                  .map((s) => parseInt(s.trim()))
+                                                  .filter((n) => !isNaN(n) && n >= 1 && n <= 65535)
+                                            : null;
+                                }}
+                                placeholder="22, 80"
+                                class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
+                            />
+                            <p class="text-xs text-gray-500 mt-1">
+                                Comma-separated TCP ports, e.g. 22, 80
+                            </p>
+                        </div>
+                    {/if}
+                </div>
+
+                <div class="border-t border-gray-200 pt-4 mt-6">
                    <h3 class="text-lg font-semibold text-gray-800 mb-4">
                        Analyzer Heuristic Settings
                    </h3>
@@ -277,7 +567,7 @@
                                id="imsi_requested"
                                type="checkbox"
                                bind:checked={config.analyzers.imsi_requested}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label for="imsi_requested" class="ml-2 block text-sm text-gray-700">
                                IMSI Requested Heuristic
@@ -289,7 +579,7 @@
                                id="connection_redirect_2g_downgrade"
                                type="checkbox"
                                bind:checked={config.analyzers.connection_redirect_2g_downgrade}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label
                                for="connection_redirect_2g_downgrade"
@@ -304,7 +594,7 @@
                                id="lte_sib6_and_7_downgrade"
                                type="checkbox"
                                bind:checked={config.analyzers.lte_sib6_and_7_downgrade}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label
                                for="lte_sib6_and_7_downgrade"
@@ -319,7 +609,7 @@
                                id="null_cipher"
                                type="checkbox"
                                bind:checked={config.analyzers.null_cipher}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label for="null_cipher" class="ml-2 block text-sm text-gray-700">
                                Null Cipher Heuristic
@@ -331,7 +621,7 @@
                                id="nas_null_cipher"
                                type="checkbox"
                                bind:checked={config.analyzers.nas_null_cipher}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label for="nas_null_cipher" class="ml-2 block text-sm text-gray-700">
                                NAS Null Cipher Heuristic
@@ -343,7 +633,7 @@
                                id="incomplete_sib"
                                type="checkbox"
                                bind:checked={config.analyzers.incomplete_sib}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label for="incomplete_sib" class="ml-2 block text-sm text-gray-700">
                                Incomplete SIB Heuristic
@@ -355,7 +645,7 @@
                                id="test_analyzer"
                                type="checkbox"
                                bind:checked={config.analyzers.test_analyzer}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label for="test_analyzer" class="ml-2 block text-sm text-gray-700">
                                Test Heuristic (noisy!)
@@ -366,7 +656,7 @@
                                id="diagnostic_analyzer"
                                type="checkbox"
                                bind:checked={config.analyzers.diagnostic_analyzer}
-                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded-sm"
                            />
                            <label
                                for="diagnostic_analyzer"
@@ -410,7 +700,7 @@
            </form>
            {#if message}
                <div
-                    class="mt-4 p-3 rounded {messageType === 'error'
+                    class="mt-4 p-3 rounded-sm {messageType === 'error'
                        ? 'bg-red-100 text-red-700'
                        : 'bg-green-100 text-green-700'}"
                >
--- a/daemon/web/src/lib/components/DeleteAllButton.svelte
+++ b/daemon/web/src/lib/components/DeleteAllButton.svelte
@@ -5,8 +5,8 @@
 <div class="flex flex-row justify-end gap-2">
    <DeleteButton
        text="Delete ALL Recordings"
-        prompt={`Are you sure you want to delete ALL recordings?`}
-        url={`/api/delete-all-recordings`}
+        prompt="Are you sure you want to delete ALL recordings?"
+        url="/api/delete-all-recordings"
        name="all recodings"
    />
 </div>
--- a/daemon/web/src/lib/components/ManifestCard.svelte
+++ b/daemon/web/src/lib/components/ManifestCard.svelte
@@ -44,7 +44,7 @@
 </script>

 <div
-    class="{status_row_color} {status_border_color} drop-shadow p-4 flex flex-col gap-2 border rounded-md flex-1 overflow-x-auto overflow-y-hidden"
+    class="{status_row_color} {status_border_color} drop-shadow-sm p-4 flex flex-col gap-2 border rounded-md flex-1 overflow-x-auto overflow-y-hidden"
 >
    {#if current}
        <div class="flex flex-row justify-between gap-2">
@@ -82,7 +82,7 @@
        >
    </div>
    {#if entry.stop_reason}
-        <div class="bg-yellow-50 border border-yellow-300 rounded p-2 text-yellow-800 text-sm">
+        <div class="bg-yellow-50 border border-yellow-300 rounded-sm p-2 text-yellow-800 text-sm">
            {entry.stop_reason}
        </div>
    {/if}
@@ -100,7 +100,7 @@
            />
        {/if}
    </div>
-    <div class="border-b {analysis_visible ? '' : 'hidden'}">
+    <div class="border-b border-gray-200 {analysis_visible ? '' : 'hidden'}">
        <AnalysisView {entry} {manager} {current} />
    </div>
 </div>
--- a/daemon/web/src/lib/components/ManifestTable.svelte
+++ b/daemon/web/src/lib/components/ManifestTable.svelte
@@ -16,7 +16,7 @@
 {#if $screenIsLgUp}
    <table class="table-auto text-left table">
        <thead>
-            <tr class="bg-gray-100 drop-shadow">
+            <tr class="bg-gray-100 drop-shadow-sm">
                <th class="p-2" scope="col">ID</th>
                <th class="p-2" scope="col">Started</th>
                <th class="p-2" scope="col">Last Message</th>
--- a/daemon/web/src/lib/components/ManifestTableRow.svelte
+++ b/daemon/web/src/lib/components/ManifestTableRow.svelte
@@ -36,7 +36,7 @@
    }
 </script>

-<tr class="{status_row_color} drop-shadow">
+<tr class="{status_row_color} drop-shadow-sm">
    <td class="p-2">{entry.name}</td>
    <td class="p-2">{date_formatter.format(entry.start_time)}</td>
    <td class="p-2"
@@ -65,8 +65,8 @@
        </td>
    {/if}
 </tr>
-<tr class="{alternating_row_color} border-b {analysis_visible ? '' : 'hidden'}">
-    <td class="border-t border-dashed p-2" colspan="9">
+<tr class="{alternating_row_color} border-b border-gray-200 {analysis_visible ? '' : 'hidden'}">
+    <td class="border-t border-gray-200 border-dashed p-2" colspan="9">
        <AnalysisView {entry} {manager} {current} />
    </td>
 </tr>
--- a/daemon/web/src/lib/components/Modal.svelte
+++ b/daemon/web/src/lib/components/Modal.svelte
@@ -9,9 +9,11 @@
    }: { shown: boolean; title: string; children: Snippet } = $props();

    onMount(() => {
-        window.addEventListener('scroll', () => {
+        const handler = () => {
            document.documentElement.style.setProperty('--scroll-y', `${window.scrollY}px`);
-        });
+        };
+        window.addEventListener('scroll', handler);
+        return () => window.removeEventListener('scroll', handler);
    });

    $effect(() => {
@@ -33,7 +35,7 @@
 {#if shown}
    <div
        class="fixed left-5 right-5 top-5 bottom-5 z-50 bg-white border border-white rounded-md
-		flex flex-col p-2 drop-shadow"
+		flex flex-col p-2 drop-shadow-sm"
    >
        <div class="flex justify-between items-center p-1">
            <span class="text-2xl">{title}</span>
--- a/daemon/web/src/lib/components/SystemStatsTable.svelte
+++ b/daemon/web/src/lib/components/SystemStatsTable.svelte
@@ -6,7 +6,7 @@
        stats: SystemStats;
    } = $props();

-    const table_cell_classes = 'border p-1 lg:p-2';
+    const table_cell_classes = 'border border-gray-200 p-1 lg:p-2';

    let battery_level = $derived(stats.battery_status ? stats.battery_status.level : 0);
    let bar_color = $derived.by(() => {
@@ -36,29 +36,29 @@
 </script>

 <div
-    class="flex-1 drop-shadow p-4 flex flex-col gap-2 border rounded-md bg-gray-100 border-gray-100"
+    class="flex-1 drop-shadow-sm p-4 flex flex-col gap-2 border rounded-md bg-gray-100 border-gray-100"
 >
    <p class="text-xl mb-2">System Information</p>
-    <table class="table-auto border">
+    <table class="table-auto border border-gray-200">
        <tbody>
-            <tr class="border">
+            <tr class="border border-gray-200">
                <th class={table_cell_classes}> Rayhunter Version </th>
                <td class={table_cell_classes}>{stats.runtime_metadata.rayhunter_version}</td>
            </tr>
-            <tr class="border">
+            <tr class="border border-gray-200">
                <th class={table_cell_classes}> Storage </th>
                <td class={table_cell_classes}>
                    {stats.disk_stats.used_percent} used ({stats.disk_stats.used_size} used / {stats
                        .disk_stats.available_size} available)
                </td>
            </tr>
-            <tr class="border-b">
+            <tr class="border-b border-gray-200">
                <th class={table_cell_classes}> Memory (RAM) </th>
                <td class={table_cell_classes}>
                    Free: {stats.memory_stats.free}, Used: {stats.memory_stats.used}
                </td>
            </tr>
-            <tr class="border-b">
+            <tr class="border-b border-gray-200">
                <th class={table_cell_classes}> Battery </th>
                <td class={table_cell_classes}>
                    <svg
--- a/daemon/web/src/lib/ndjson.ts
+++ b/daemon/web/src/lib/ndjson.ts
@@ -19,7 +19,9 @@ export function parse_ndjson(input: string): NewlineDeliminatedJson {
            // however, if we've reached the end of the input, that means we
            // were given invalid nd-json
            if (lines.length === 0) {
-                throw new Error(`unable to parse invalid nd-json: ${e}, "${current_line}"`);
+                throw new Error(`unable to parse invalid nd-json: ${e}, "${current_line}"`, {
+                    cause: e,
+                });
            }
        }
    }
--- a/daemon/web/src/lib/utils.svelte.ts
+++ b/daemon/web/src/lib/utils.svelte.ts
@@ -19,6 +19,7 @@ export enum enabled_notifications {
 }

 export interface Config {
+    device: string;
    ui_level: number;
    colorblind_mode: boolean;
    key_input_mode: number;
@@ -27,6 +28,34 @@ export interface Config {
    analyzers: AnalyzerConfig;
    min_space_to_start_recording_mb: number;
    min_space_to_continue_recording_mb: number;
+    wifi_ssid: string | null;
+    wifi_password: string | null;
+    wifi_security: 'wpa_psk' | 'sae' | null;
+    wifi_enabled: boolean;
+    dns_servers: string[] | null;
+    firewall_restrict_outbound: boolean;
+    firewall_allowed_ports: number[] | null;
+}
+
+export interface WifiStatus {
+    state: string;
+    ssid?: string;
+    ip?: string;
+    error?: string;
+}
+
+export interface WifiNetwork {
+    ssid: string;
+    signal_dbm: number;
+    security: string;
+}
+
+export async function get_wifi_status(): Promise<WifiStatus> {
+    return JSON.parse(await req('GET', '/api/wifi-status'));
+}
+
+export async function scan_wifi_networks(): Promise<WifiNetwork[]> {
+    return JSON.parse(await req('POST', '/api/wifi-scan'));
 }

 export async function req(method: string, url: string, json_body?: unknown): Promise<string> {
--- a/daemon/web/src/routes/+page.svelte
+++ b/daemon/web/src/routes/+page.svelte
@@ -57,7 +57,9 @@

 <LogView bind:shown={logview_shown} />
 <ConfigForm bind:shown={config_shown} />
-<div class="p-4 xl:px-8 bg-rayhunter-blue drop-shadow flex flex-row justify-between items-center">
+<div
+    class="p-4 xl:px-8 bg-rayhunter-blue drop-shadow-sm flex flex-row justify-between items-center"
+>
    <!-- https://www.w3.org/WAI/tutorials/images/decorative/ -->
    <img src="/rayhunter_text.png" alt="" class="h-10 xl:h-12" />
    <div class="flex flex-row gap-4">
@@ -204,7 +206,7 @@
 <div class="m-4 xl:mx-8 flex flex-col gap-4">
    {#if update_error !== undefined}
        <div
-            class="bg-red-100 border-red-100 drop-shadow p-4 flex flex-col gap-2 border rounded-md flex-1 justify-between"
+            class="bg-red-100 border-red-100 drop-shadow-sm p-4 flex flex-col gap-2 border rounded-md flex-1 justify-between"
        >
            <span class="text-2xl font-bold mb-2 flex flex-row items-center gap-2 text-red-600">
                <svg
@@ -249,7 +251,7 @@
                />
            {:else}
                <div
-                    class="bg-red-100 border-red-100 drop-shadow p-4 flex flex-col gap-2 border rounded-md flex-1 justify-between"
+                    class="bg-red-100 border-red-100 drop-shadow-sm p-4 flex flex-col gap-2 border rounded-md flex-1 justify-between"
                >
                    <span
                        class="text-2xl font-bold mb-2 flex flex-row items-center gap-2 text-red-600"
@@ -295,7 +297,7 @@
                        type="checkbox"
                        id="filter_threshold"
                        bind:checked={filter_threshold}
-                        class="px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-rayhunter-blue"
+                        class="px-3 py-2 border border-gray-300 rounded-md focus:outline-hidden focus:ring-2 focus:ring-rayhunter-blue"
                    />
                </div>
            </div>
--- a/daemon/web/tailwind.config.ts
+++ b/daemon/web/tailwind.config.ts
@@ -1,19 +0,0 @@
-import type { Config } from 'tailwindcss';
-import { breakpoints } from './src/theme';
-
-export default {
-    content: ['./src/**/*.{html,js,svelte,ts}'],
-
-    theme: {
-        extend: {
-            colors: {
-                'rayhunter-blue': '#4e4eb1',
-                'rayhunter-dark-blue': '#3f3da0',
-                'rayhunter-green': '#94ea18',
-            },
-            screens: breakpoints,
-        },
-    },
-
-    plugins: [],
-} as Config;
--- a/daemon/web/vite.config.ts
+++ b/daemon/web/vite.config.ts
@@ -1,5 +1,6 @@
 import { defineConfig } from 'vitest/config';
 import { sveltekit } from '@sveltejs/kit/vite';
+import tailwindcss from '@tailwindcss/vite';

 export default defineConfig({
    server: {
@@ -26,7 +27,7 @@ export default defineConfig({
            },
        },
    },
-    plugins: [sveltekit()],
+    plugins: [tailwindcss(), sveltekit()],
    build: {
        // Force everything into one HTML file. SvelteKit will still generate
        // a lot of JS files but they are deadweight and will not be included
--- a/dist/config.toml.in
+++ b/dist/config.toml.in
@@ -24,7 +24,7 @@ ui_level = 1
 key_input_mode = 0

 # If set, attempts to send a notification to the url when a new warning is triggered
-ntfy_url = ""
+# ntfy_url = "https://ntfy.sh/your-topic"
 # What notification types to enable. Does nothing if the above ntfy_url is not set.
 enabled_notifications = ["Warning", "LowBattery"]

@@ -34,6 +34,27 @@ min_space_to_start_recording_mb = 1
 # Minimum free space (MB) to continue recording (stops if below this)
 min_space_to_continue_recording_mb = 1

+# WiFi Client Mode
+# Toggle wifi_enabled to connect the device to an existing WiFi network.
+# Credentials are stored separately in wpa_sta.conf and managed via the web UI.
+wifi_enabled = false
+
+# DNS servers to use when WiFi client mode is active.
+# Defaults to ["9.9.9.9", "149.112.112.112"] (Quad9) if not specified.
+# dns_servers = ["9.9.9.9", "149.112.112.112"]
+
+# Device Security
+# Restrict outbound traffic to essential services only (DHCP, DNS,
+# HTTPS, and replies to inbound connections). Applies to all outbound
+# interfaces (WiFi and cellular). Loopback and hotspot bridge traffic
+# are always allowed. Defaults to true (recommended).
+firewall_restrict_outbound = true
+
+# Additional TCP ports to allow outbound when the firewall is active.
+# DHCP (67-68), DNS (53), and HTTPS (443) are always allowed.
+# Example: allow HTTP (80) and SSH (22).
+# firewall_allowed_ports = [80, 22]
+
 # Analyzer Configuration
 # Enable/disable specific IMSI catcher detection heuristics
 # See https://github.com/EFForg/rayhunter/blob/main/doc/heuristics.md for details
--- a/dist/scripts/S01iptables
+++ b/dist/scripts/S01iptables
@@ -0,0 +1,24 @@
+#!/bin/sh
+CONFIG="/data/rayhunter/config.toml"
+
+case "$1" in
+  start)
+    if grep -q '^firewall_restrict_outbound = true' "$CONFIG" 2>/dev/null; then
+        iptables -F OUTPUT
+        iptables -A OUTPUT -o lo -j ACCEPT
+        for br in bridge0 br0; do
+            [ -d "/sys/class/net/$br" ] && iptables -A OUTPUT -o "$br" -j ACCEPT
+        done
+        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+        iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
+        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+        iptables -A OUTPUT -j DROP
+        echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null
+    fi
+    ;;
+  stop)
+    iptables -F OUTPUT
+    iptables -P OUTPUT ACCEPT
+    ;;
+esac
--- a/doc/configuration.md
+++ b/doc/configuration.md
@@ -21,4 +21,38 @@ Through web UI you can set:
  - *Low Battery*, which will alert when the device's battery is low. Notifications may not be supported for all devices—you can check if your device is supported by looking at whether the battery level indicator is functioning on the System Information section of the Rayhunter UI.
 - With **Analyzer Heuristic Settings** you can switch on or off built-in [Rayhunter heuristics](heuristics.md). Some heuristics are experimental or can trigger a lot of false positive warnings in some networks (our tests have shown that some heuristics have different behavior in US or European networks). In that case you can decide whether you would like to have the heuristics that trigger a lot of false positives on or off. Please note that we are constantly improving and adding new heuristics, so a new release may reduce false positives in existing heuristics as well.

+## WiFi Client Mode
+
+On the **Orbic**, **Moxee**, **UZ801**, **TMOHS1**, and **Wingtech**, Rayhunter can connect the device to an existing WiFi network while keeping the hotspot running. This gives the device internet access for [notifications](https://docs.ntfy.sh/) and lets you reach the web UI from any device on that network.
+
+- **Enable WiFi** turns WiFi client mode on or off. Disabling it does not erase saved credentials.
+- **Scan** searches for nearby networks. Select one from the dropdown, or type an SSID manually.
+- **Password** is required for WPA/WPA2 networks. The password is stored separately from `config.toml` (in `wpa_sta.conf` on the device) and is never exposed through the API.
+- **DNS Servers** lets you override the DNS servers used when connected. Defaults to `9.9.9.9` and `149.112.112.112` (Quad9) if not set.
+
+After saving, the connection status will show **connecting**, **connected** (with the assigned IP address), or **failed** (with an error message). If the connection fails, check that the SSID and password are correct and that the network is in range.
+
+### Crash Recovery
+
+The WiFi kernel module (`wlan.ko`) can occasionally crash or unload, taking both the hotspot and client interfaces down with it. Rayhunter includes a watchdog that detects this and automatically reloads the module, restarts the hotspot, and reconnects to the configured network. During recovery the WiFi status will show **recovering**.
+
+On the first detection of a crash, a diagnostic snapshot is saved to `/data/rayhunter/crash-logs/` on the device. You can pull these logs with `adb pull /data/rayhunter/crash-logs/` and inspect them to understand what went wrong. Each log contains:
+
+- **dmesg** output (kernel messages). Look for backtraces, `BUG:`/`Oops:` lines, or `wlan`/`wcnss` errors. The kernel ring buffer is small and gets overwritten quickly, so crash details may already be gone if the crash happened well before detection.
+- **/proc/modules** snapshot. If `wlan` is absent, the module fully unloaded. If present but interfaces are gone, the driver is stuck.
+- **ip addr** output confirming which network interfaces existed at snapshot time.
+- **ps** output showing which WiFi-related processes (`hostapd`, `wpa_supplicant`, `wland`) were still running.
+
+If recovery fails after 5 attempts, the status will change to **failed**. A reboot of the device will reset WiFi.
+
+You can also configure WiFi during installation:
+
+```sh
+./installer orbic --admin-password 'mypassword' --wifi-ssid 'MyNetwork' --wifi-password 'networkpass'
+```
+
+## Device Security
+
+- **Restrict outbound traffic** limits what the device can send over the network. When enabled, only DNS, DHCP, and HTTPS traffic is allowed; everything else is blocked. This is enabled by default and prevents the device from phoning home to the carrier over cellular. If you need to allow additional ports (for example, port 80 for HTTP or port 22 for SSH), add them to the **Additional allowed ports** list.
+
 If you prefer editing `config.toml` file, you need to obtain a shell on your [Orbic](./orbic.md#obtaining-a-shell) or [TP-Link](./tplink-m7350.md#obtaining-a-shell) device and edit the file manually. You can view the [default configuration file on GitHub](https://github.com/EFForg/rayhunter/blob/main/dist/config.toml.in).
--- a/doc/ct2mhs01-wifi-standby.png
+++ b/doc/ct2mhs01-wifi-standby.png
--- a/doc/faq.md
+++ b/doc/faq.md
@@ -22,6 +22,12 @@ Please note that this file may contain sensitive information such as your IMSI a

 If you want to use a non-Verizon SIM card you will probably need an unlocked device. But it's not clear which devices are locked nor how to unlock them, we welcome any experimentation and information regarding the use of unlocked devices. So far most verizon branded orbic devices we have encountered are actually unlocked.

+### I can't reach my Rayhunter's web UI after leaving it alone for a while
+
+Some hotspots (notably the T-Mobile TMOHS1 and Wingtech CT2MHS01) shut down their Wi-Fi access point after about 10 minutes with no connected clients to save battery. Rayhunter is still recording in the background, but you won't be able to reach the web UI until you power cycle the device or reconnect a client while Wi-Fi is still up.
+
+To avoid this, set Wi-Fi Standby to "Always on" in the hotspot's native admin UI. See [TMOHS1](./tmobile-tmohs1.md#wi-fi-auto-shutdown) or [CT2MHS01](./wingtech-ct2mhs01.md#wi-fi-auto-shutdown) for step-by-step instructions.
+
 ### How do I re-enable USB tethering after installing Rayhunter?

 If you have installed with `./installer orbic-usb`, you might find that USB
@@ -50,6 +56,14 @@ reboot
 See `/data/usb/boot_hsusb_composition` for a list of USB modes and Android USB gadget settings.


+### How do I connect my device to an existing WiFi network?
+
+The Orbic, Moxee, UZ801, and TMOHS1 can connect to a nearby WiFi network while still running their own hotspot. This gives the device internet access for ntfy notifications and lets you reach the web UI from your home network. See [WiFi Client Mode](./configuration.md#wifi-client-mode) in the configuration guide for setup instructions.
+
+### WiFi client mode is connected but I can't reach the internet
+
+Check that the **DNS Servers** field in the config has valid entries (the default is `9.9.9.9` and `149.112.112.112`). If your home network and the device hotspot use the same subnet (for example, both are on `192.168.1.x`), try restarting the daemon by saving the config again from the web UI.
+
 ### How do I disable the WiFi hotspot on the Orbic RC400L?

 To disable both WiFi bands, [first obtain a shell](./orbic.md#shell), then:
--- a/doc/installing-from-release.md
+++ b/doc/installing-from-release.md
@@ -44,6 +44,9 @@ Make sure you've got one of Rayhunter's [supported devices](./supported-devices.
   # Note: the arguments --admin-username 'myusername' and --admin-ip 'mydeviceip'
   #       may be required if different from the default.

+   # Optionally configure WiFi client mode during install (Orbic and Moxee only):
+   ./installer orbic --admin-password 'mypassword' --wifi-ssid 'MyNetwork' --wifi-password 'networkpass'
+
   # Or install over USB if you want ADB and a root shell (not recommended for most users)
   ./installer orbic-usb

--- a/doc/orbic.md
+++ b/doc/orbic.md
@@ -22,6 +22,10 @@ pay more than 30 USD for such a device (without shipping).
 | Wifi 5Ghz | a/ac/ax |
 | Wifi 6 | 🮱 |

+## WiFi client mode
+
+The Orbic's QCA6174 radio supports running the hotspot and connecting to an external WiFi network at the same time. See [WiFi Client Mode](./configuration.md#wifi-client-mode) for setup.
+
 ## Two kinds of installers

 The orbic's installation routine underwent many different changes:
--- a/doc/tmobile-tmohs1.md
+++ b/doc/tmobile-tmohs1.md
@@ -36,6 +36,10 @@ According to FCC ID 2APXW-TMOHS1 Test Report No. I20Z61602-WMD02 ([part 1](https
 |   66 | 1700 MHz (E-AWS) |
 |   71 | 600 MHz (USDD)   |

+## WiFi client mode
+
+The TMOHS1 supports WiFi client mode, allowing Rayhunter to connect to an existing WiFi network while keeping the hotspot running. See [WiFi Client Mode](./configuration.md#wifi-client-mode) for setup.
+
 ## Installing
 Connect to the TMOHS1's network over WiFi or USB tethering.

@@ -55,6 +59,21 @@ Then run the installer:
 | Paused           | WiFi LED blinks white.         |
 | Warning Detected | Signal LED slowly blinks red.  |

+## Wi-Fi auto-shutdown
+
+By default the TMOHS1 turns off its Wi-Fi access point after 10 minutes with no connected clients. Rayhunter keeps recording on the device in the background, but once the access point is down you can't reach the web UI, download captures, or see new warnings until you power cycle the hotspot.
+
+The TMOHS1's native admin UI lets you change this:
+
+1. Connect to the TMOHS1's Wi-Fi (or USB tether).
+2. In a browser open `http://192.168.0.1/` and log in with the admin password.
+3. Go to **Settings** → **Sleep** → **Wi-Fi Standby** and pick **Always on**.
+4. Click **Apply**.
+
+![TMOHS1 Wi-Fi Standby setting](./tmohs1-wifi-standby.png)
+
+Keeping Wi-Fi always on uses more battery. If you only monitor Rayhunter through the device's LEDs and don't need remote access, the default 10-minute timer is fine.
+
 ## Obtaining a shell
 Even when rayhunter is running, for security reasons the TMOHS1 will not have telnet or adb enabled during normal operation.

--- a/doc/tmohs1-wifi-standby.png
+++ b/doc/tmohs1-wifi-standby.png
--- a/doc/using-rayhunter.md
+++ b/doc/using-rayhunter.md
@@ -19,6 +19,8 @@ You can access this UI in one of two ways:
  On the **Orbic**, you can find the WiFi network password by going to the Orbic's menu > 2.4 GHz WIFI Info > Enter > find the 8-character password next to the lock 🔒 icon.
  On the **TP-Link**, you can find the WiFi network password by going to the TP-Link's menu > Advanced > Wireless > Basic Settings.

+  If [WiFi client mode](./configuration.md#wifi-client-mode) is enabled, you can also reach the web UI from any device on that network at `http://<device-ip>:8080`.
+
 * **Connect over USB (Orbic):** Connect your device to your laptop via USB. Run `adb forward tcp:8080 tcp:8080`, then visit <http://localhost:8080>.
    * For this you will need to install the Android Debug Bridge (ADB) on your computer, you can copy the version that was downloaded inside the `releases/platform-tools/` folder to somewhere else in your path or you can install it manually.
    * You can find instructions for doing so on your platform [here](https://www.xda-developers.com/install-adb-windows-macos-linux/#how-to-set-up-adb-on-your-computer), (don't worry about instructions for installing it on a phone/device yet).
--- a/doc/uz801.md
+++ b/doc/uz801.md
@@ -36,6 +36,12 @@ With the device fully booted (i.e. beaming a WiFi network, blue LED, etc.) and p

 Note: The default IP for UZ801 is typically `192.168.100.1`; if yours differs, use the `--admin-ip` argument to specify it.

+## WiFi client mode
+
+The UZ801's WCN36xx (PRONTO) radio supports concurrent AP+STA mode. The daemon has backend support for WiFi client mode on the UZ801, but this has not yet been successfully exercised end-to-end and the web UI currently does not expose the configuration surface on this device. Treat UZ801 WiFi client mode as not yet supported. See [WiFi Client Mode](./configuration.md#wifi-client-mode) for the intended setup on supported devices.
+
+The interface creation method differs from the Orbic (which uses `iw`): the UZ801 creates a P2P_CLIENT virtual interface via nl80211 and converts it to a managed STATION interface. This is handled by the daemon when the feature is enabled.
+
 ## LED modes
 | Rayhunter state  | LED indicator       |
 | ---------------- | ------------------- |
--- a/doc/wingtech-ct2mhs01.md
+++ b/doc/wingtech-ct2mhs01.md
@@ -28,6 +28,10 @@ Wingtechs are abundant on ebay and can also be found on Amazon:
 - <https://www.ebay.com/itm/127147132518>
 - <https://www.amazon.com/AT-Turbo-Hotspot-256-Black/dp/B09YWLXVWT>

+## WiFi client mode
+
+The Wingtech supports WiFi client mode, allowing Rayhunter to connect to an existing WiFi network while keeping the hotspot running. See [WiFi Client Mode](./configuration.md#wifi-client-mode) for setup.
+
 ## Installing
 Connect to the Wingtech's network over WiFi or USB tethering, then run the installer:

@@ -50,6 +54,21 @@ telnet 192.168.1.1
 adb shell
 ```

+## Wi-Fi auto-shutdown
+
+By default the CT2MHS01 turns off its Wi-Fi access point after the configured sleep timer (default 10 minutes) with no connected clients. Rayhunter keeps recording on the device in the background, but once the access point is down you can't reach the web UI, download captures, or see new warnings until you power cycle the hotspot.
+
+The CT2MHS01's native admin UI lets you change this:
+
+1. Connect to the Wingtech's Wi-Fi (or USB tether).
+2. In a browser open `http://192.168.1.1/` and log in with the admin password.
+3. Go to **Settings** → **Sleep** → **Wi-Fi Standby** and pick **Always on**.
+4. Click **Save**.
+
+![CT2MHS01 Wi-Fi Standby setting](./ct2mhs01-wifi-standby.png)
+
+Keeping Wi-Fi always on uses more battery. If you primarily monitor Rayhunter through the device's screen and don't need remote access, leave the timer at its default.
+
 ## Developing
 The device has a framebuffer-driven screen at /dev/fb0 that behaves
 similarly to the Orbic RC400L, although the userspace program
--- a/installer-gui/package-lock.json
+++ b/installer-gui/package-lock.json
@@ -19,7 +19,7 @@
                "@sveltejs/kit": "^2.57.1",
                "@sveltejs/vite-plugin-svelte": "^7.0.0",
                "@tauri-apps/cli": "^2",
-                "eslint": "^10.2.0",
+                "eslint": "^10.2.1",
                "eslint-config-prettier": "^10.1.8",
                "eslint-plugin-svelte": "^3.17.0",
                "globals": "^17.5.0",
@@ -27,9 +27,9 @@
                "prettier-plugin-svelte": "^3.5.1",
                "svelte": "^5.55.4",
                "svelte-check": "^4.4.6",
-                "typescript": "~6.0.2",
+                "typescript": "~6.0.3",
                "typescript-eslint": "^8.58.2",
-                "vite": "^8.0.8"
+                "vite": "^8.0.9"
            }
        },
        "node_modules/@emnapi/core": {
@@ -307,9 +307,9 @@
            }
        },
        "node_modules/@oxc-project/types": {
-            "version": "0.124.0",
-            "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz",
-            "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==",
+            "version": "0.126.0",
+            "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.126.0.tgz",
+            "integrity": "sha512-oGfVtjAgwQVVpfBrbtk4e1XDyWHRFta6BS3GWVzrF8xYBT2VGQAk39yJS/wFSMrZqoiCU4oghT3Ch0HaHGIHcQ==",
            "license": "MIT",
            "funding": {
                "url": "https://github.com/sponsors/Boshen"
@@ -323,9 +323,9 @@
            "license": "MIT"
        },
        "node_modules/@rolldown/binding-android-arm64": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz",
-            "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.16.tgz",
+            "integrity": "sha512-rhY3k7Bsae9qQfOtph2Pm2jZEA+s8Gmjoz4hhmx70K9iMQ/ddeae+xhRQcM5IuVx5ry1+bGfkvMn7D6MJggVSA==",
            "cpu": [
                "arm64"
            ],
@@ -339,9 +339,9 @@
            }
        },
        "node_modules/@rolldown/binding-darwin-arm64": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz",
-            "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.16.tgz",
+            "integrity": "sha512-rNz0yK078yrNn3DrdgN+PKiMOW8HfQ92jQiXxwX8yW899ayV00MLVdaCNeVBhG/TbH3ouYVObo8/yrkiectkcQ==",
            "cpu": [
                "arm64"
            ],
@@ -355,9 +355,9 @@
            }
        },
        "node_modules/@rolldown/binding-darwin-x64": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz",
-            "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.16.tgz",
+            "integrity": "sha512-r/OmdR00HmD4i79Z//xO06uEPOq5hRXdhw7nzkxQxwSavs3PSHa1ijntdpOiZ2mzOQ3fVVu8C1M19FoNM+dMUQ==",
            "cpu": [
                "x64"
            ],
@@ -371,9 +371,9 @@
            }
        },
        "node_modules/@rolldown/binding-freebsd-x64": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz",
-            "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.16.tgz",
+            "integrity": "sha512-KcRE5w8h0OnjUatG8pldyD14/CQ5Phs1oxfR+3pKDjboHRo9+MkqQaiIZlZRpsxC15paeXme/I127tUa9TXJ6g==",
            "cpu": [
                "x64"
            ],
@@ -387,9 +387,9 @@
            }
        },
        "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz",
-            "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.16.tgz",
+            "integrity": "sha512-bT0guA1bpxEJ/ZhTRniQf7rNF8ybvXOuWbNIeLABaV5NGjx4EtOWBTSRGWFU9ZWVkPOZ+HNFP8RMcBokBiZ0Kg==",
            "cpu": [
                "arm"
            ],
@@ -403,9 +403,9 @@
            }
        },
        "node_modules/@rolldown/binding-linux-arm64-gnu": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz",
-            "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.16.tgz",
+            "integrity": "sha512-+tHktCHWV8BDQSjemUqm/Jl/TPk3QObCTIjmdDy/nlupcujZghmKK2962LYrqFpWu+ai01AN/REOH3NEpqvYQg==",
            "cpu": [
                "arm64"
            ],
@@ -419,9 +419,9 @@
            }
        },
        "node_modules/@rolldown/binding-linux-arm64-musl": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz",
-            "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.16.tgz",
+            "integrity": "sha512-3fPzdREH806oRLxpTWW1Gt4tQHs0TitZFOECB2xzCFLPKnSOy90gwA7P29cksYilFO6XVRY1kzga0cL2nRjKPg==",
            "cpu": [
                "arm64"
            ],
@@ -435,9 +435,9 @@
            }
        },
        "node_modules/@rolldown/binding-linux-ppc64-gnu": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz",
-            "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.16.tgz",
+            "integrity": "sha512-EKwI1tSrLs7YVw+JPJT/G2dJQ1jl9qlTTTEG0V2Ok/RdOenRfBw2PQdLPyjhIu58ocdBfP7vIRN/pvMsPxs/AQ==",
            "cpu": [
                "ppc64"
            ],
@@ -451,9 +451,9 @@
            }
        },
        "node_modules/@rolldown/binding-linux-s390x-gnu": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz",
-            "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.16.tgz",
+            "integrity": "sha512-Uknladnb3Sxqu6SEcqBldQyJUpk8NleooZEc0MbRBJ4inEhRYWZX0NJu12vNf2mqAq7gsofAxHrGghiUYjhaLQ==",
            "cpu": [
                "s390x"
            ],
@@ -467,9 +467,9 @@
            }
        },
        "node_modules/@rolldown/binding-linux-x64-gnu": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz",
-            "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.16.tgz",
+            "integrity": "sha512-FIb8+uG49sZBtLTn+zt1AJ20TqVcqWeSIyoVt0or7uAWesgKaHbiBh6OpA/k9v0LTt+PTrb1Lao133kP4uVxkg==",
            "cpu": [
                "x64"
            ],
@@ -483,9 +483,9 @@
            }
        },
        "node_modules/@rolldown/binding-linux-x64-musl": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz",
-            "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.16.tgz",
+            "integrity": "sha512-RuERhF9/EgWxZEXYWCOaViUWHIboceK4/ivdtQ3R0T44NjLkIIlGIAVAuCddFxsZ7vnRHtNQUrt2vR2n2slB2w==",
            "cpu": [
                "x64"
            ],
@@ -499,9 +499,9 @@
            }
        },
        "node_modules/@rolldown/binding-openharmony-arm64": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz",
-            "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.16.tgz",
+            "integrity": "sha512-mXcXnvd9GpazCxeUCCnZ2+YF7nut+ZOEbE4GtaiPtyY6AkhZWbK70y1KK3j+RDhjVq5+U8FySkKRb/+w0EeUwA==",
            "cpu": [
                "arm64"
            ],
@@ -515,9 +515,9 @@
            }
        },
        "node_modules/@rolldown/binding-wasm32-wasi": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz",
-            "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.16.tgz",
+            "integrity": "sha512-3Q2KQxnC8IJOLqXmUMoYwyIPZU9hzRbnHaoV3Euz+VVnjZKcY8ktnNP8T9R4/GGQtb27C/UYKABxesKWb8lsvQ==",
            "cpu": [
                "wasm32"
            ],
@@ -526,16 +526,16 @@
            "dependencies": {
                "@emnapi/core": "1.9.2",
                "@emnapi/runtime": "1.9.2",
-                "@napi-rs/wasm-runtime": "^1.1.3"
+                "@napi-rs/wasm-runtime": "^1.1.4"
            },
            "engines": {
-                "node": ">=14.0.0"
+                "node": "^20.19.0 || >=22.12.0"
            }
        },
        "node_modules/@rolldown/binding-win32-arm64-msvc": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz",
-            "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.16.tgz",
+            "integrity": "sha512-tj7XRemQcOcFwv7qhpUxMTBbI5mWMlE4c1Omhg5+h8GuLXzyj8HviYgR+bB2DMDgRqUE+jiDleqSCRjx4aYk/Q==",
            "cpu": [
                "arm64"
            ],
@@ -549,9 +549,9 @@
            }
        },
        "node_modules/@rolldown/binding-win32-x64-msvc": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz",
-            "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.16.tgz",
+            "integrity": "sha512-PH5DRZT+F4f2PTXRXR8uJxnBq2po/xFtddyabTJVJs/ZYVHqXPEgNIr35IHTEa6bpa0Q8Awg+ymkTaGnKITw4g==",
            "cpu": [
                "x64"
            ],
@@ -565,9 +565,9 @@
            }
        },
        "node_modules/@rolldown/pluginutils": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz",
-            "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.16.tgz",
+            "integrity": "sha512-45+YtqxLYKDWQouLKCrpIZhke+nXxhsw+qAHVzHDVwttyBlHNBVs2K25rDXrZzhpTp9w1FlAlvweV1H++fdZoA==",
            "license": "MIT"
        },
        "node_modules/@standard-schema/spec": {
@@ -1723,18 +1723,18 @@
            }
        },
        "node_modules/eslint": {
-            "version": "10.2.0",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.2.0.tgz",
-            "integrity": "sha512-+L0vBFYGIpSNIt/KWTpFonPrqYvgKw1eUI5Vn7mEogrQcWtWYtNQ7dNqC+px/J0idT3BAkiWrhfS7k+Tum8TUA==",
+            "version": "10.2.1",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.2.1.tgz",
+            "integrity": "sha512-wiyGaKsDgqXvF40P8mDwiUp/KQjE1FdrIEJsM8PZ3XCiniTMXS3OHWWUe5FI5agoCnr8x4xPrTDZuxsBlNHl+Q==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@eslint-community/eslint-utils": "^4.8.0",
                "@eslint-community/regexpp": "^4.12.2",
-                "@eslint/config-array": "^0.23.4",
-                "@eslint/config-helpers": "^0.5.4",
-                "@eslint/core": "^1.2.0",
-                "@eslint/plugin-kit": "^0.7.0",
+                "@eslint/config-array": "^0.23.5",
+                "@eslint/config-helpers": "^0.5.5",
+                "@eslint/core": "^1.2.1",
+                "@eslint/plugin-kit": "^0.7.1",
                "@humanfs/node": "^0.16.6",
                "@humanwhocodes/module-importer": "^1.0.1",
                "@humanwhocodes/retry": "^0.4.2",
@@ -2932,13 +2932,13 @@
            }
        },
        "node_modules/rolldown": {
-            "version": "1.0.0-rc.15",
-            "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz",
-            "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==",
+            "version": "1.0.0-rc.16",
+            "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.16.tgz",
+            "integrity": "sha512-rzi5WqKzEZw3SooTt7cgm4eqIoujPIyGcJNGFL7iPEuajQw7vxMHUkXylu4/vhCkJGXsgRmxqMKXUpT6FEgl0g==",
            "license": "MIT",
            "dependencies": {
-                "@oxc-project/types": "=0.124.0",
-                "@rolldown/pluginutils": "1.0.0-rc.15"
+                "@oxc-project/types": "=0.126.0",
+                "@rolldown/pluginutils": "1.0.0-rc.16"
            },
            "bin": {
                "rolldown": "bin/cli.mjs"
@@ -2947,21 +2947,21 @@
                "node": "^20.19.0 || >=22.12.0"
            },
            "optionalDependencies": {
-                "@rolldown/binding-android-arm64": "1.0.0-rc.15",
-                "@rolldown/binding-darwin-arm64": "1.0.0-rc.15",
-                "@rolldown/binding-darwin-x64": "1.0.0-rc.15",
-                "@rolldown/binding-freebsd-x64": "1.0.0-rc.15",
-                "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15",
-                "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15",
-                "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15",
-                "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15",
-                "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15",
-                "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15",
-                "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15",
-                "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15",
-                "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15",
-                "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15",
-                "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15"
+                "@rolldown/binding-android-arm64": "1.0.0-rc.16",
+                "@rolldown/binding-darwin-arm64": "1.0.0-rc.16",
+                "@rolldown/binding-darwin-x64": "1.0.0-rc.16",
+                "@rolldown/binding-freebsd-x64": "1.0.0-rc.16",
+                "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.16",
+                "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.16",
+                "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.16",
+                "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.16",
+                "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.16",
+                "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.16",
+                "@rolldown/binding-linux-x64-musl": "1.0.0-rc.16",
+                "@rolldown/binding-openharmony-arm64": "1.0.0-rc.16",
+                "@rolldown/binding-wasm32-wasi": "1.0.0-rc.16",
+                "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.16",
+                "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.16"
            }
        },
        "node_modules/sade": {
@@ -3146,13 +3146,13 @@
            }
        },
        "node_modules/tinyglobby": {
-            "version": "0.2.15",
-            "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
-            "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
+            "version": "0.2.16",
+            "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz",
+            "integrity": "sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==",
            "license": "MIT",
            "dependencies": {
                "fdir": "^6.5.0",
-                "picomatch": "^4.0.3"
+                "picomatch": "^4.0.4"
            },
            "engines": {
                "node": ">=12.0.0"
@@ -3205,9 +3205,9 @@
            }
        },
        "node_modules/typescript": {
-            "version": "6.0.2",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz",
-            "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==",
+            "version": "6.0.3",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
+            "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
@@ -3260,16 +3260,16 @@
            "license": "MIT"
        },
        "node_modules/vite": {
-            "version": "8.0.8",
-            "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz",
-            "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==",
+            "version": "8.0.9",
+            "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.9.tgz",
+            "integrity": "sha512-t7g7GVRpMXjNpa67HaVWI/8BWtdVIQPCL2WoozXXA7LBGEFK4AkkKkHx2hAQf5x1GZSlcmEDPkVLSGahxnEEZw==",
            "license": "MIT",
            "dependencies": {
                "lightningcss": "^1.32.0",
                "picomatch": "^4.0.4",
-                "postcss": "^8.5.8",
-                "rolldown": "1.0.0-rc.15",
-                "tinyglobby": "^0.2.15"
+                "postcss": "^8.5.10",
+                "rolldown": "1.0.0-rc.16",
+                "tinyglobby": "^0.2.16"
            },
            "bin": {
                "vite": "bin/vite.js"
--- a/installer-gui/package.json
+++ b/installer-gui/package.json
@@ -27,7 +27,7 @@
        "@sveltejs/kit": "^2.57.1",
        "@sveltejs/vite-plugin-svelte": "^7.0.0",
        "@tauri-apps/cli": "^2",
-        "eslint": "^10.2.0",
+        "eslint": "^10.2.1",
        "eslint-config-prettier": "^10.1.8",
        "eslint-plugin-svelte": "^3.17.0",
        "globals": "^17.5.0",
@@ -35,8 +35,8 @@
        "prettier-plugin-svelte": "^3.5.1",
        "svelte": "^5.55.4",
        "svelte-check": "^4.4.6",
-        "typescript": "~6.0.2",
+        "typescript": "~6.0.3",
        "typescript-eslint": "^8.58.2",
-        "vite": "^8.0.8"
+        "vite": "^8.0.9"
    }
 }
--- a/installer/build.rs
+++ b/installer/build.rs
@@ -17,6 +17,11 @@ fn main() {
        .join(&profile);
    set_binary_var(&include_dir, "FILE_ROOTSHELL", "rootshell");
    set_binary_var(&include_dir, "FILE_RAYHUNTER_DAEMON", "rayhunter-daemon");
+
+    let wpa_dir = Path::new(env!("CARGO_MANIFEST_DIR")).join("../tools/build-wpa-supplicant/out");
+    set_binary_var(&wpa_dir, "FILE_WPA_SUPPLICANT", "wpa_supplicant");
+    set_binary_var(&wpa_dir, "FILE_WPA_CLI", "wpa_cli");
+    set_binary_var(&wpa_dir, "FILE_IW", "iw");
 }

 fn set_binary_var(include_dir: &Path, var: &str, file: &str) {
--- a/installer/src/connection.rs
+++ b/installer/src/connection.rs
@@ -43,6 +43,47 @@ pub async fn install_config<C: DeviceConnection>(
    Ok(())
 }

+/// Install wifi tools (wpa_supplicant, wpa_cli, iw) to /data/rayhunter/bin.
+///
+/// Skips any binary that is already present on the device (e.g. provided by firmware),
+/// since those may be newer or better-integrated than the bundled versions.
+pub async fn install_wifi_tools<C: DeviceConnection>(
+    conn: &mut C,
+    wpa_supplicant: &[u8],
+    wpa_cli: &[u8],
+    iw: &[u8],
+) -> Result<()> {
+    let tools: &[(&str, &str, &[u8])] = &[
+        (
+            "wpa_supplicant",
+            "/data/rayhunter/bin/wpa_supplicant",
+            wpa_supplicant,
+        ),
+        ("wpa_cli", "/data/rayhunter/bin/wpa_cli", wpa_cli),
+        ("iw", "/data/rayhunter/bin/iw", iw),
+    ];
+    for &(name, dest, payload) in tools {
+        if device_has_binary(conn, name).await {
+            println!("{name} already on device, skipping");
+        } else {
+            conn.write_file(dest, payload).await?;
+            conn.run_command(&format!("chmod +x {dest}")).await?;
+        }
+    }
+    Ok(())
+}
+
+async fn device_has_binary<C: DeviceConnection>(conn: &mut C, name: &str) -> bool {
+    // `command -v` is a POSIX shell builtin, so it works on minimal busybox firmware
+    // even when /usr/bin/which is absent.
+    conn.run_command(&format!(
+        "\"command -v {name} >/dev/null 2>&1 && echo FOUND || echo MISSING\""
+    ))
+    .await
+    .map(|out| out.contains("FOUND"))
+    .unwrap_or(false)
+}
+
 /// Check if a directory exists using a DeviceConnection
 pub async fn dir_exists<C: DeviceConnection>(conn: &mut C, path: &str) -> bool {
    conn.run_command(&format!("test -d '{path}' && echo exists || echo missing"))
@@ -172,7 +213,13 @@ impl TelnetConnection {

 impl DeviceConnection for TelnetConnection {
    async fn run_command(&mut self, command: &str) -> Result<String> {
-        crate::util::telnet_send_command_with_output(self.addr, command, self.wait_for_prompt).await
+        crate::util::telnet_send_command_with_output(
+            self.addr,
+            command,
+            self.wait_for_prompt,
+            std::time::Duration::from_secs(10),
+        )
+        .await
    }

    async fn write_file(&mut self, path: &str, content: &[u8]) -> Result<()> {
--- a/installer/src/orbic.rs
+++ b/installer/src/orbic.rs
@@ -13,7 +13,7 @@ use sha2::{Digest, Sha256};
 use tokio::time::sleep;

 use crate::RAYHUNTER_DAEMON_INIT;
-use crate::connection::{DeviceConnection, install_config};
+use crate::connection::{DeviceConnection, install_config, install_wifi_tools};
 use crate::output::{print, println};
 use crate::util::open_usb_device;

@@ -53,8 +53,15 @@ pub struct AdbConnection<'a> {
 }

 impl DeviceConnection for AdbConnection<'_> {
+    /// Runs through /bin/rootshell so commands execute as root (install_wifi_tools needs
+    /// chmod on root-owned files). setup_rootshell must have succeeded before an
+    /// AdbConnection is created; callers in this module (setup_rayhunter) enforce that
+    /// ordering.
    async fn run_command(&mut self, command: &str) -> Result<String> {
-        adb_command(self.device, &["sh", "-c", command])
+        adb_command(
+            self.device,
+            &["/bin/rootshell", "-c", &format!("\"{command}\"")],
+        )
    }

    async fn write_file(&mut self, path: &str, content: &[u8]) -> Result<()> {
@@ -146,7 +153,11 @@ async fn setup_rootshell(adb_device: &mut ADBUSBDevice) -> Result<()> {
 async fn setup_rayhunter(mut adb_device: ADBUSBDevice, reset_config: bool) -> Result<ADBUSBDevice> {
    let rayhunter_daemon_bin = include_bytes!(env!("FILE_RAYHUNTER_DAEMON"));

-    adb_at_syscmd(&mut adb_device, "mkdir -p /data/rayhunter").await?;
+    adb_at_syscmd(
+        &mut adb_device,
+        "mkdir -p /data/rayhunter/scripts /data/rayhunter/bin",
+    )
+    .await?;
    install_file(
        &mut adb_device,
        "/data/rayhunter/rayhunter-daemon",
@@ -159,6 +170,13 @@ async fn setup_rayhunter(mut adb_device: ADBUSBDevice, reset_config: bool) -> Re
            device: &mut adb_device,
        };
        install_config(&mut conn, "orbic", reset_config).await?;
+        install_wifi_tools(
+            &mut conn,
+            include_bytes!(env!("FILE_WPA_SUPPLICANT")),
+            include_bytes!(env!("FILE_WPA_CLI")),
+            include_bytes!(env!("FILE_IW")),
+        )
+        .await?;
    }

    install_file(
@@ -173,8 +191,15 @@ async fn setup_rayhunter(mut adb_device: ADBUSBDevice, reset_config: bool) -> Re
        include_bytes!("../../dist/scripts/misc-daemon"),
    )
    .await?;
+    install_file(
+        &mut adb_device,
+        "/etc/init.d/S01iptables",
+        include_bytes!("../../dist/scripts/S01iptables"),
+    )
+    .await?;
    adb_at_syscmd(&mut adb_device, "chmod 755 /etc/init.d/rayhunter_daemon").await?;
    adb_at_syscmd(&mut adb_device, "chmod 755 /etc/init.d/misc-daemon").await?;
+    adb_at_syscmd(&mut adb_device, "chmod 755 /etc/init.d/S01iptables").await?;
    println!("done");
    print!("Waiting for reboot... ");
    adb_at_syscmd(&mut adb_device, "shutdown -r -t 1 now").await?;
--- a/installer/src/orbic_network.rs
+++ b/installer/src/orbic_network.rs
@@ -8,7 +8,9 @@ use serde::Deserialize;
 use tokio::time::sleep;

 use crate::RAYHUNTER_DAEMON_INIT;
-use crate::connection::{TelnetConnection, install_config, setup_data_directory};
+use crate::connection::{
+    TelnetConnection, install_config, install_wifi_tools, setup_data_directory,
+};
 use crate::orbic_auth::{LoginInfo, LoginRequest, LoginResponse, encode_password};
 use crate::output::{eprintln, print, println};
 use crate::util::{interactive_shell, telnet_send_command, telnet_send_file};
@@ -229,6 +231,15 @@ async fn setup_rayhunter(admin_ip: &str, reset_config: bool, data_dir: &str) ->
    let mut conn = TelnetConnection::new(addr, false);
    setup_data_directory(&mut conn, data_dir).await?;

+    // Ensure bin and scripts directories exist under the data dir (via symlink)
+    telnet_send_command(
+        addr,
+        "mkdir -p /data/rayhunter/scripts /data/rayhunter/bin",
+        "exit code 0",
+        false,
+    )
+    .await?;
+
    telnet_send_file(
        addr,
        "/data/rayhunter/rayhunter-daemon",
@@ -237,6 +248,14 @@ async fn setup_rayhunter(admin_ip: &str, reset_config: bool, data_dir: &str) ->
    )
    .await?;

+    install_wifi_tools(
+        &mut conn,
+        include_bytes!(env!("FILE_WPA_SUPPLICANT")),
+        include_bytes!(env!("FILE_WPA_CLI")),
+        include_bytes!(env!("FILE_IW")),
+    )
+    .await?;
+
    install_config(&mut conn, "orbic", reset_config).await?;

    telnet_send_file(
@@ -254,6 +273,13 @@ async fn setup_rayhunter(admin_ip: &str, reset_config: bool, data_dir: &str) ->
        false,
    )
    .await?;
+    telnet_send_file(
+        addr,
+        "/etc/init.d/S01iptables",
+        include_bytes!("../../dist/scripts/S01iptables"),
+        false,
+    )
+    .await?;

    telnet_send_command(
        addr,
@@ -276,6 +302,13 @@ async fn setup_rayhunter(admin_ip: &str, reset_config: bool, data_dir: &str) ->
        false,
    )
    .await?;
+    telnet_send_command(
+        addr,
+        "chmod 755 /etc/init.d/S01iptables",
+        "exit code 0",
+        false,
+    )
+    .await?;

    println!("Installation complete. Rebooting device...");
    telnet_send_command(addr, "shutdown -r -t 1 now", "", false)
--- a/installer/src/tmobile.rs
+++ b/installer/src/tmobile.rs
@@ -94,5 +94,11 @@ async fn run_install(admin_ip: String, admin_password: String) -> Result<()> {

    reboot_device(addr, "reboot", &admin_ip).await;

+    println!();
+    println!("Note: by default the TMOHS1 shuts off Wi-Fi after 10 minutes with no clients,");
+    println!("which blocks remote access to Rayhunter until you power cycle. To keep");
+    println!("Wi-Fi always on, open http://{admin_ip}/ -> Settings -> Sleep and set");
+    println!("Wi-Fi Standby to \"Always on\". See doc/tmobile-tmohs1.md for steps.");
+
    Ok(())
 }
--- a/installer/src/util.rs
+++ b/installer/src/util.rs
@@ -17,6 +17,7 @@ pub async fn telnet_send_command_with_output(
    addr: SocketAddr,
    command: &str,
    wait_for_prompt: bool,
+    command_timeout: Duration,
 ) -> Result<String> {
    if command.contains('\n') {
        bail!("multi-line commands are not allowed");
@@ -41,7 +42,7 @@ pub async fn telnet_send_command_with_output(
    writer.write_all(format!("echo RAYHUNTER_'TELNET'_COMMAND_START; {command}; echo RAYHUNTER_'TELNET'_COMMAND_DONE\r\n").as_bytes()).await?;

    let mut read_buf = Vec::new();
-    timeout(Duration::from_secs(10), async {
+    timeout(command_timeout, async {
        while let Ok(byte) = reader.read_u8().await {
            read_buf.push(byte);

@@ -57,7 +58,7 @@ pub async fn telnet_send_command_with_output(
        }
    })
    .await
-    .context("command timed out after 10 seconds")?;
+    .with_context(|| format!("command timed out after {}s", command_timeout.as_secs()))?;
    let string = String::from_utf8_lossy(&read_buf);
    let start = string.rfind("RAYHUNTER_TELNET_COMMAND_START");
    let end = string.rfind("RAYHUNTER_TELNET_COMMAND_DONE");
@@ -79,7 +80,9 @@ pub async fn telnet_send_command(
    wait_for_prompt: bool,
 ) -> Result<()> {
    let command = format!("{command}; echo command done, exit code $?");
-    let output = telnet_send_command_with_output(addr, &command, wait_for_prompt).await?;
+    let output =
+        telnet_send_command_with_output(addr, &command, wait_for_prompt, Duration::from_secs(10))
+            .await?;
    if !output.contains(expected_output) {
        bail!("{expected_output:?} not found in: {output}");
    }
@@ -93,6 +96,9 @@ pub async fn telnet_send_file(
    wait_for_prompt: bool,
 ) -> Result<()> {
    print!("Sending file {filename} ... ");
+    // Allow 30s base + 2s per MB for the nc command to complete (covers slow WiFi links)
+    let transfer_timeout =
+        Duration::from_secs(30 + (payload.len() as u64 / (1024 * 1024)).max(1) * 2);
    let nc_output = {
        let filename = filename.to_owned();
        let handle = tokio::spawn(async move {
@@ -100,6 +106,7 @@ pub async fn telnet_send_file(
                addr,
                &format!("nc -l -p 8081 2>&1 >{filename}.tmp"),
                wait_for_prompt,
+                transfer_timeout,
            )
            .await
        });
--- a/installer/src/wingtech.rs
+++ b/installer/src/wingtech.rs
@@ -26,6 +26,7 @@ pub async fn install(
    Args {
        admin_ip,
        admin_password,
+        ..
    }: Args,
 ) -> Result<()> {
    wingtech_run_install(admin_ip, admin_password).await
@@ -143,6 +144,12 @@ async fn wingtech_run_install(admin_ip: String, admin_password: String) -> Resul

    reboot_device(addr, "shutdown -r -t 1 now", &admin_ip).await;

+    println!();
+    println!("Note: by default the CT2MHS01 shuts off Wi-Fi after ~10 minutes with no clients,");
+    println!("which blocks remote access to Rayhunter until you power cycle. To keep");
+    println!("Wi-Fi always on, open http://{admin_ip}/ -> Settings -> Sleep and set");
+    println!("Wi-Fi Standby to \"Always on\". See doc/wingtech-ct2mhs01.md for steps.");
+
    Ok(())
 }

--- a/lib/Cargo.toml
+++ b/lib/Cargo.toml
@@ -32,3 +32,4 @@ num_enum = "0.7.4"
 utoipa = { version = "5.4.0", optional = true }

 [dev-dependencies]
+tempfile = "3"
--- a/lib/src/lib.rs
+++ b/lib/src/lib.rs
@@ -40,4 +40,5 @@ pub enum Device {
    Wingtech,
    Pinephone,
    Uz801,
+    Moxee,
 }
--- a/scripts/build-dev.sh
+++ b/scripts/build-dev.sh
@@ -43,6 +43,25 @@ build_frontend() {
    popd > /dev/null
 }

+build_wifi_tools() {
+    if [ -f "tools/build-wpa-supplicant/out/wpa_supplicant" ] \
+        && [ -f "tools/build-wpa-supplicant/out/wpa_cli" ] \
+        && [ -f "tools/build-wpa-supplicant/out/iw" ]; then
+        echo "WiFi tools already built, skipping."
+        return
+    fi
+
+    if ! command -v arm-linux-musleabihf-gcc &> /dev/null; then
+        echo "Error: arm-linux-musleabihf-gcc not found."
+        echo "Install with: brew install FiloSottile/musl-cross/musl-cross"
+        echo "(Required because the installer bundles wpa_supplicant, wpa_cli, and iw for orbic-family devices.)"
+        exit 1
+    fi
+
+    echo "Building WiFi tools..."
+    ./scripts/build-wpa-supplicant.sh
+}
+
 build_daemon() {
    echo "Building daemon..."
    cargo build-daemon-firmware-devel
@@ -57,6 +76,7 @@ case "$COMMAND" in
    build)
        check_dependencies
        build_frontend
+        build_wifi_tools
        build_daemon
        echo ""
        echo "Build complete! To install to a device, run:"
--- a/scripts/build-wpa-supplicant.sh
+++ b/scripts/build-wpa-supplicant.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+# Cross-compile wpa_supplicant, wpa_cli, and iw for ARMv7 (musl static).
+# Output: tools/build-wpa-supplicant/out/{wpa_supplicant,wpa_cli,iw}
+#
+# Requires: arm-linux-musleabihf-gcc (brew install FiloSottile/musl-cross/musl-cross)
+set -e
+
+WPA_VERSION="2.11"
+WPA_URL="https://w1.fi/releases/wpa_supplicant-${WPA_VERSION}.tar.gz"
+LIBNL_VERSION="3.11.0"
+LIBNL_URL="https://github.com/thom311/libnl/releases/download/libnl${LIBNL_VERSION//\./_}/libnl-${LIBNL_VERSION}.tar.gz"
+IW_VERSION="6.9"
+IW_URL="https://www.kernel.org/pub/software/network/iw/iw-${IW_VERSION}.tar.xz"
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+OUT_DIR="$SCRIPT_DIR/../tools/build-wpa-supplicant/out"
+BUILD_DIR="/tmp/wpa-supplicant-build-$$"
+
+CC="${CC:-arm-linux-musleabihf-gcc}"
+STRIP="${STRIP:-arm-linux-musleabihf-strip}"
+HOST="${HOST:-arm-linux-musleabihf}"
+
+if ! command -v "$CC" >/dev/null 2>&1; then
+    echo "Error: $CC not found. Install with: brew install FiloSottile/musl-cross/musl-cross"
+    exit 1
+fi
+
+mkdir -p "$BUILD_DIR" "$OUT_DIR"
+SYSROOT="$BUILD_DIR/sysroot"
+mkdir -p "$SYSROOT"
+
+echo "Building libnl ${LIBNL_VERSION}..."
+curl -Lf "$LIBNL_URL" | tar xz -C "$BUILD_DIR"
+cd "$BUILD_DIR/libnl-${LIBNL_VERSION}"
+./configure \
+    --host="$HOST" \
+    CC="$CC" \
+    --prefix="$SYSROOT" \
+    --enable-static \
+    --disable-shared \
+    --disable-cli \
+    --disable-debug \
+    > /dev/null 2>&1
+make -j"$(nproc 2>/dev/null || sysctl -n hw.ncpu)" > /dev/null 2>&1
+make install > /dev/null 2>&1
+
+echo "Building wpa_supplicant ${WPA_VERSION}..."
+cd "$BUILD_DIR"
+curl -Lf "$WPA_URL" | tar xz
+cd "wpa_supplicant-${WPA_VERSION}/wpa_supplicant"
+
+cat > .config <<'WPACONF'
+CONFIG_DRIVER_NL80211=y
+CONFIG_LIBNL32=y
+CONFIG_CRYPTO=internal
+CONFIG_TLS=internal
+CONFIG_INTERNAL_LIBTOMMATH=y
+CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+CONFIG_CTRL_IFACE=y
+CONFIG_BACKEND=file
+CONFIG_NO_CONFIG_WRITE=y
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_GETRANDOM=y
+WPACONF
+
+NL_CFLAGS="-I${SYSROOT}/include/libnl3"
+NL_LIBS="-L${SYSROOT}/lib -lnl-genl-3 -lnl-3 -lpthread -lm"
+
+make CC="$CC" \
+    EXTRA_CFLAGS="$NL_CFLAGS" \
+    LDFLAGS="-static" \
+    LIBS="$NL_LIBS" \
+    -j"$(nproc 2>/dev/null || sysctl -n hw.ncpu)"
+
+echo "Stripping..."
+$STRIP wpa_supplicant wpa_cli
+cp wpa_supplicant wpa_cli "$OUT_DIR/"
+
+echo "Building iw ${IW_VERSION}..."
+cd "$BUILD_DIR"
+curl -Lf "$IW_URL" | tar xJ
+cd "iw-${IW_VERSION}"
+PKG_CONFIG_LIBDIR="$SYSROOT/lib/pkgconfig" \
+make CC="$CC" \
+    LDFLAGS="-static" \
+    -j"$(nproc 2>/dev/null || sysctl -n hw.ncpu)"
+$STRIP iw
+cp iw "$OUT_DIR/"
+
+rm -rf "$BUILD_DIR"
+
+echo "Done. Binaries in $OUT_DIR:"
+ls -lh "$OUT_DIR"/{wpa_supplicant,wpa_cli,iw}
Author	SHA1	Message	Date
Markus Unterwaditzer	4d54ea03e8	Remove some global reset styles in favor of explicit border colors, restore button cursors	2026-04-24 02:00:57 +02:00
Markus Unterwaditzer	2b427c64d7	upgrade tailwind * moved to vite plugin for tailwind (it's recommended now) * removed autoprefixer (v4 uses its own CSS thing now) * postcss.config.js was used to wire up tailwind and autoprefixer, so it's gone * tailwind.config.ts is gone, because v4 stores config in app.css using css variables * fixed some renamed classes	2026-04-24 01:58:53 +02:00
Markus Unterwaditzer	ed3ad389d0	downgrade tailwind for now, and fix build errors	2026-04-24 01:58:53 +02:00
dependabot[bot]	e2fd9de62d	Bump the dependency-type group in /daemon/web with 18 updates Bumps the dependency-type group in /daemon/web with 18 updates: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [@sveltejs/adapter-auto](https://github.com/sveltejs/kit/tree/HEAD/packages/adapter-auto) \| `3.3.1` \| `7.0.1` \| \| [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) \| `2.53.4` \| `2.57.1` \| \| [@sveltejs/vite-plugin-svelte](https://github.com/sveltejs/vite-plugin-svelte/tree/HEAD/packages/vite-plugin-svelte) \| `6.2.1` \| `7.0.0` \| \| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) \| `24.7.0` \| `25.6.0` \| \| [autoprefixer](https://github.com/postcss/autoprefixer) \| `10.4.21` \| `10.5.0` \| \| [eslint](https://github.com/eslint/eslint) \| `9.37.0` \| `10.2.0` \| \| [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) \| `9.1.2` \| `10.1.8` \| \| [eslint-plugin-svelte](https://github.com/sveltejs/eslint-plugin-svelte/tree/HEAD/packages/eslint-plugin-svelte) \| `2.46.1` \| `3.17.0` \| \| [globals](https://github.com/sindresorhus/globals) \| `15.15.0` \| `17.5.0` \| \| [prettier](https://github.com/prettier/prettier) \| `3.6.2` \| `3.8.3` \| \| [prettier-plugin-svelte](https://github.com/sveltejs/prettier-plugin-svelte) \| `3.4.0` \| `3.5.1` \| \| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) \| `5.53.7` \| `5.55.4` \| \| [svelte-check](https://github.com/sveltejs/language-tools) \| `4.3.2` \| `4.4.6` \| \| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) \| `3.4.18` \| `4.2.2` \| \| [typescript](https://github.com/microsoft/TypeScript) \| `5.9.3` \| `6.0.2` \| \| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) \| `8.46.0` \| `8.58.2` \| \| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) \| `7.3.2` \| `8.0.8` \| \| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) \| `3.2.4` \| `4.1.4` \| Updates `@sveltejs/adapter-auto` from 3.3.1 to 7.0.1 - [Release notes](https://github.com/sveltejs/kit/releases) - [Changelog](https://github.com/sveltejs/kit/blob/main/packages/adapter-auto/CHANGELOG.md) - [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/adapter-auto@7.0.1/packages/adapter-auto) Updates `@sveltejs/kit` from 2.53.4 to 2.57.1 - [Release notes](https://github.com/sveltejs/kit/releases) - [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md) - [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.57.1/packages/kit) Updates `@sveltejs/vite-plugin-svelte` from 6.2.1 to 7.0.0 - [Release notes](https://github.com/sveltejs/vite-plugin-svelte/releases) - [Changelog](https://github.com/sveltejs/vite-plugin-svelte/blob/main/packages/vite-plugin-svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/vite-plugin-svelte/commits/@sveltejs/vite-plugin-svelte@7.0.0/packages/vite-plugin-svelte) Updates `@types/node` from 24.7.0 to 25.6.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `autoprefixer` from 10.4.21 to 10.5.0 - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/autoprefixer/compare/10.4.21...10.5.0) Updates `eslint` from 9.37.0 to 10.2.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.37.0...v10.2.0) Updates `eslint-config-prettier` from 9.1.2 to 10.1.8 - [Release notes](https://github.com/prettier/eslint-config-prettier/releases) - [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/eslint-config-prettier/commits/v10.1.8) Updates `eslint-plugin-svelte` from 2.46.1 to 3.17.0 - [Release notes](https://github.com/sveltejs/eslint-plugin-svelte/releases) - [Changelog](https://github.com/sveltejs/eslint-plugin-svelte/blob/main/packages/eslint-plugin-svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/eslint-plugin-svelte/commits/eslint-plugin-svelte@3.17.0/packages/eslint-plugin-svelte) Updates `globals` from 15.15.0 to 17.5.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](https://github.com/sindresorhus/globals/compare/v15.15.0...v17.5.0) Updates `prettier` from 3.6.2 to 3.8.3 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.6.2...3.8.3) Updates `prettier-plugin-svelte` from 3.4.0 to 3.5.1 - [Changelog](https://github.com/sveltejs/prettier-plugin-svelte/blob/v3.5.1/CHANGELOG.md) - [Commits](https://github.com/sveltejs/prettier-plugin-svelte/commits/v3.5.1) Updates `svelte` from 5.53.7 to 5.55.4 - [Release notes](https://github.com/sveltejs/svelte/releases) - [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.4/packages/svelte) Updates `svelte-check` from 4.3.2 to 4.4.6 - [Release notes](https://github.com/sveltejs/language-tools/releases) - [Commits](https://github.com/sveltejs/language-tools/compare/svelte-check@4.3.2...svelte-check@4.4.6) Updates `tailwindcss` from 3.4.18 to 4.2.2 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss) Updates `typescript` from 5.9.3 to 6.0.2 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](https://github.com/microsoft/TypeScript/compare/v5.9.3...v6.0.2) Updates `typescript-eslint` from 8.46.0 to 8.58.2 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.58.2/packages/typescript-eslint) Updates `vite` from 7.3.2 to 8.0.8 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.8/packages/vite) Updates `vitest` from 3.2.4 to 4.1.4 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/vitest) --- updated-dependencies: - dependency-name: "@sveltejs/adapter-auto" dependency-version: 7.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: "@sveltejs/kit" dependency-version: 2.57.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependency-type - dependency-name: "@sveltejs/vite-plugin-svelte" dependency-version: 7.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: "@types/node" dependency-version: 25.6.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: autoprefixer dependency-version: 10.5.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependency-type - dependency-name: eslint dependency-version: 10.2.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: eslint-config-prettier dependency-version: 10.1.8 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: eslint-plugin-svelte dependency-version: 3.17.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: globals dependency-version: 17.5.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: prettier dependency-version: 3.8.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependency-type - dependency-name: prettier-plugin-svelte dependency-version: 3.5.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependency-type - dependency-name: svelte dependency-version: 5.55.4 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependency-type - dependency-name: svelte-check dependency-version: 4.4.6 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependency-type - dependency-name: tailwindcss dependency-version: 4.2.2 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: typescript dependency-version: 6.0.2 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: typescript-eslint dependency-version: 8.58.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dependency-type - dependency-name: vite dependency-version: 8.0.8 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type - dependency-name: vitest dependency-version: 4.1.4 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dependency-type ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-24 01:58:53 +02:00
Cooper Quintin	7daacb3b65	Revert "web: target older mobile browsers" This reverts commit `a8aae16fa1`.	2026-04-23 09:16:28 -07:00
Cooper Quintin	4a9e9c507b	ignore wifi tools builds	2026-04-23 09:16:28 -07:00
DeoJin	a8aae16fa1	web: target older mobile browsers	2026-04-22 12:03:17 -07:00
Ember	5fc6925d35	doc: document Wi-Fi auto-shutdown workaround for TMOHS1 and CT2MHS01 (#951 ) Both devices ship with a Wi-Fi Standby timer that turns off the AP after ~10 minutes with no clients, blocking remote access to Rayhunter until a power cycle. Previous attempt (this PR's earlier commits) added a Rayhunter config toggle to flip gWlanAutoShutdown in WCNSS_qcom_cfg.ini, but the same setting is already exposed in each device's native admin UI under Settings -> Sleep -> Wi-Fi Standby, so a code change is not needed. Replace the config toggle with: - Device-page walkthroughs with screenshots of each native UI setting - FAQ entry for "can't reach the web UI after leaving it alone" - Post-install hint from the tmobile/wingtech installers pointing at the docs and the setting location	2026-04-22 11:52:33 -07:00
Ember	3455adbf95	client mode added (#888 ) * client mode added * Prevent OTA daemons dmclient and upgrade from running and phoning home to Verizon * Fix workflow * WIFI changes to support moxee. May need to rebase as delivering refactoring under other PR. * code changes for rust based wifi client mode docs next * Doc changes & security fixes * Added watchdog and recover if crash occurs for wifi. * Remove changes which were from device UI work (seperate feature which snuck into this branch) * Add missing wifi and firewall module declarations * cleaning up the code a bit * Gate wpa_suplicant in installer and workflow to avoid building binary every push * fix to check diskspace * Improved support for subnet colisions, and attempts to rejoin network. * Add WiFi client support and S01iptables to T-Mobile and Wingtech installers Both installers now deploy wpa_supplicant, wpa_cli, udhcpc-hook.sh, and the S01iptables boot-time firewall script. Config generation uses the shared install_config/install_wifi_creds helpers instead of manual string replacement. * Revert "Add WiFi client support and S01iptables to T-Mobile and Wingtech installers" This reverts commit `944b369c4f`. * Fix build: ignore unused wifi_ssid/wifi_password fields in T-Mobile and Wingtech installers * Moved to a wifi crate * Add host route and arp_filter to prevent subnet collisions * add wakelock so kernel doesn't shut down wifi on battery when wifi is enabled * Move wifi to external wifi-station crate, remove wifi from installer, extract OTA blocking * fixed outdated info, moved udhcpc hook to wifi-station crate. * Update to new version of wifi-station * Address PR review feedback: replace Docker wpa build, add iw, remove OTA, revert unrelated changes - Replace Docker-based wpa_supplicant build with shell script (scripts/build-wpa-supplicant.sh) - Add iw cross-compilation and deployment to Orbic installer - Skip wifi tool install if binary already exists on device - Remove OTA daemon blocker (extracted for separate PR) - Revert unrelated UZ801 and T-Mobile installer changes - Remove connection.rs test scaffolding - Rewrite S01iptables init script to read config.toml directly - Pin url crate to 2.5.4 to fix MSRV * Fix build script: use bash for parameter substitution The ${VAR//pattern/replacement} syntax is a bash extension that doesn't work in dash (Ubuntu's /bin/sh). * Fix iw build: export PKG_CONFIG_LIBDIR as env var Passing PKG_CONFIG_LIBDIR as a make variable doesn't export it to $(shell pkg-config ...) calls. Set it as an environment variable so pkg-config finds the cross-compiled libnl. * Point wifi-station to GitHub rev 97c579a * add comment * Update daemon/src/config.rs Add decorators Co-authored-by: Andrej Walilko <walilkoa@gmail.com> * Update daemon/src/server.rs add utopia doc support Co-authored-by: Andrej Walilko <walilkoa@gmail.com> * Update daemon/src/server.rs add utopia doc support Co-authored-by: Andrej Walilko <walilkoa@gmail.com> * Update to wifi-station with utoipa doc strings * add utoipa to wifi-station * added WPA3 support * fix firewall port detection, update wifi-station to c267d37 fix ntfy port_or_known_default, comment out ntfy_url in config template, update wifi-station with resolv.conf bind mount fallback, udhcpc_bin config, and module path fix for UZ801 * show wifi UI for tmobile and wingtech, add udhcpc_bin config both devices have wifi hardware and backend support. wingtech verified on hardware (QCA6174 via PCIe). uz801 excluded for now due to driver scan limitations with hostapd active. * install wifi tools from orbic-usb installer, fix DNS default to Quad9, bump wifi-station rev * fix Modal scroll listener leak, correct file transfer timeout math, document firewall fail-open, clarify UZ801 wifi status * build-dev.sh: build wifi tools so install-dev works for orbic-family devices * update Cargo.lock for wifi-station e8ec5b4 * fix setup_timeout_server crypto provider install, apply rustfmt * Update installer/src/connection.rs Co-authored-by: Cooper Quintin <cooperq@users.noreply.github.com> * Update installer/src/orbic.rs Co-authored-by: Cooper Quintin <cooperq@users.noreply.github.com> * apply rustfmt to AdbConnection::run_command --------- Co-authored-by: Andrej Walilko <walilkoa@gmail.com> Co-authored-by: Cooper Quintin <cooperq@users.noreply.github.com>	2026-04-22 10:02:48 -07:00
dependabot[bot]	416f03159a	Bump the dependency-type group in /installer-gui with 3 updates Bumps the dependency-type group in /installer-gui with 3 updates: [eslint](https://github.com/eslint/eslint), [typescript](https://github.com/microsoft/TypeScript) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `eslint` from 10.2.0 to 10.2.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v10.2.0...v10.2.1) Updates `typescript` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](https://github.com/microsoft/TypeScript/compare/v6.0.2...v6.0.3) Updates `vite` from 8.0.8 to 8.0.9 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.9/packages/vite) --- updated-dependencies: - dependency-name: eslint dependency-version: 10.2.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependency-type - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependency-type - dependency-name: vite dependency-version: 8.0.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dependency-type ... Signed-off-by: dependabot[bot] <support@github.com>	2026-04-20 09:43:15 -07:00