Point registry at registry.snsnetlabs.com; record even=dev versioning
Some checks failed
Build & Push Images / build (push) Failing after 29s
CI / validate (push) Successful in 1m12s

The Forgejo container registry now lives on a dedicated unproxied
(DNS-only) host, registry.snsnetlabs.com, so large image layers bypass
Cloudflare's ~100 MB request-body cap (the backend image's 262 MB and
317 MB layers previously hit 413 Payload Too Large through the proxied
forgejo.snsnetlabs.com host). The web UI / packages list stays on
forgejo.snsnetlabs.com behind Cloudflare Access SSO.

- build.yml: REGISTRY -> registry.snsnetlabs.com
- deploy/docker-compose.yml: image refs -> registry.snsnetlabs.com
- deploy/README.md: push/pull/login host -> registry.snsnetlabs.com
  (packages web UI URL kept on forgejo.snsnetlabs.com)

Also record the versioning convention in HANDOFF + steering: development
happens on even major versions, releases on odd; currently developing v2
(prior released line is v1, see the v1.0 git tag). package.json and the
About panel are not yet bumped to v2.

Validated end to end: built both images on the runner host, pushed to
registry.snsnetlabs.com (backend included, no 413), pulled on racknerd2,
brought the stack up, /api/health returns {"ok":true} over the mesh IP.

Co-authored-by: Samuel James <ssamjame@amazon.com>
Co-authored-by: Kiro <noreply@kiro.dev>
This commit is contained in:
Samuel James 2026-06-25 10:55:15 -04:00
parent 066a4f97bc
commit 00fc3ceed3
5 changed files with 23 additions and 11 deletions

View file

@ -1,9 +1,13 @@
name: Build & Push Images
# Builds the frontend + backend Docker images and pushes them to the Forgejo
# container registry (forgejo.snsnetlabs.com/sam/...). Runs on every push to
# container registry (registry.snsnetlabs.com/sam/...). Runs on every push to
# main, and on-demand via the "Run workflow" button (workflow_dispatch).
#
# NOTE: registry.snsnetlabs.com is the unproxied (DNS-only) registry host so
# large layers bypass Cloudflare's body cap. The web UI / packages list stays
# on forgejo.snsnetlabs.com (Cloudflare Access SSO).
#
# Requirements (see deploy/README.md):
# - Forgejo Actions secret FORGEJO_REGISTRY_TOKEN: a package-scoped token for
# user `sam`.
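Review bot: the NOTE should also spell out the security consequence of the DNS-only host: registry.snsnetlabs.com is no longer behind Cloudflare Access, so the package token is the only thing gating pushes and pulls, and TLS for that hostname is now served by the origin rather than by Cloudflare. Suggest adding one line to the NOTE, e.g. `# registry.snsnetlabs.com is NOT behind Cloudflare Access; auth is the package token only.`, and confirming that FORGEJO_REGISTRY_TOKEN is scoped to package write for user `sam` and nothing broader.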
@ -16,7 +20,7 @@ on:
workflow_dispatch:
env:
REGISTRY: forgejo.snsnetlabs.com
REGISTRY: registry.snsnetlabs.com
OWNER: sam
jobs:
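Review bot: the `Build & Push Images / build` check on this push failed after 29s, and the only functional change in build.yml is `REGISTRY: registry.snsnetlabs.com`, so the failure most likely sits in the login/push step against the new host; the end-to-end validation described in the commit message was done by hand on the runner host, not through this workflow. Please attach the failing step's log (DNS resolution, TLS certificate for registry.snsnetlabs.com, or token rejection) and get this run green before merging, since deploy.yml pulls whatever this job pushes.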

View file

@ -70,6 +70,10 @@ bookmarks. Deployed at `archnest.snsnetlabs.com` via Docker Compose on
## Policies
- **Versioning**: development happens on **even** major versions; **odd** majors
are released/stable lines. We are currently developing **v2** (the prior
released line is v1, see the `v1.0` git tag). Image/version tags should
reflect this — dev builds carry the even (v2) version.
- **Zero mock data** — every number comes from a live API/SSH/DB call
- **Design-first for big features** — write a `docs/<feature>.md` before coding
- **No footer** on any page
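Review bot: the new Versioning policy states that dev image tags carry the even (v2) version, but build.yml in this same commit still only produces `latest` and `<commit-sha>` tags (per deploy/README.md), so the policy is recorded but enforced nowhere. Either add a `v2` tag in build.yml now, or soften the wording to "will carry" and track the tagging change as a follow-up so the policy and the pipeline do not silently disagree.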

View file

@ -26,6 +26,8 @@ No new feature is queued. Pick up from here:
## Standing rules (read before doing anything)
- **Versioning convention**: development happens on **even** major versions, releases on **odd**. We are currently developing **v2** (prior released line is v1 — see the `v1.0` git tag). Dev image/version tags carry the even (v2) number. `package.json` (root + backend) still reads `0.0.0` and the Settings → About panel is hardcoded `v1.0.0`; neither has been bumped to v2 yet.
- **Branch**: never commit on `main`. Create a fresh feature branch off `main` (recent convention: `kiro/<short-feature>`). Confirm with `git branch --show-current` before starting.
- **Workflow per change**: type-check (`npx tsc --noEmit -p .` in repo root AND in `backend/`) — and for frontend changes prefer a full `npm run build` (which runs `tsc -b && vite build`; the stricter `tsc -b` has caught errors a plain `tsc --noEmit` missed via stale incremental cache) → commit → `git fetch origin main && git rebase origin/main``git push -u origin <branch>` → open a PR with `gh pr create` → squash-merge (`gh pr merge <n> --squash --delete-branch`) → poll the resulting run (`gh run list --branch main`, then `gh run watch <id> --exit-status`) until `validate` and `deploy` both succeed (deploy's last step is "Health check (backend /api/health)").
- **`git add -A` caution**: this has twice swept up unrelated untracked files (e.g. a bookmark-import JSON the user asked to be generated, not committed) into unrelated PRs. Prefer `git add <specific files>` and always check `git diff --cached --stat` before committing.
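Review bot: the versioning bullet duplicates the Policies text added to the steering doc in this same commit with slightly different wording, and two copies will drift; keep the full statement in one place and have the other link to it. Separately, the `Workflow per change` line runs `git rebase origin/main` straight into `git push -u origin <branch>` with no separating arrow, so it reads as a single command.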

View file

@ -6,7 +6,7 @@ over the NetBird mesh. racknerd2 only pulls and runs — it never builds (1.9 Gi
RAM).
```
push to main / manual ─► [build.yml] build + push images ─► forgejo.snsnetlabs.com/sam/{archnest,archnest-backend}
push to main / manual ─► [build.yml] build + push images ─► registry.snsnetlabs.com/sam/{archnest,archnest-backend}
manual dispatch ─► [deploy.yml] ssh racknerd2 ─► docker compose pull && up -d
```
@ -15,10 +15,12 @@ push to main / manual ─► [build.yml] build + push images ─► forgejo.snsn
| Image | From | Tags |
|-------|------|------|
| `forgejo.snsnetlabs.com/sam/archnest` | root `Dockerfile` (React build → nginx) | `latest`, `<commit-sha>` |
| `forgejo.snsnetlabs.com/sam/archnest-backend` | `backend/Dockerfile` (Fastify) | `latest`, `<commit-sha>` |
| `registry.snsnetlabs.com/sam/archnest` | root `Dockerfile` (React build → nginx) | `latest`, `<commit-sha>` |
| `registry.snsnetlabs.com/sam/archnest-backend` | `backend/Dockerfile` (Fastify) | `latest`, `<commit-sha>` |
Pushed images appear at `https://forgejo.snsnetlabs.com/sam/-/packages` (SSO).
`registry.snsnetlabs.com` is the **unproxied (DNS-only)** registry host, so large
layers bypass Cloudflare's ~100 MB request-body cap. Pushed images appear at
`https://forgejo.snsnetlabs.com/sam/-/packages` (web UI, Cloudflare Access SSO).
## One-time setup
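Review bot: the Tags column still lists only `latest` and `<commit-sha>` for both images, which does not match the versioning convention recorded in this commit (dev builds carry the even v2 version). Update the column once build.yml tags accordingly, or add a sentence here stating that the v2 tag is not produced yet. The new paragraph is otherwise clear about the split between the unproxied registry host and the SSO-protected packages UI.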
@ -54,7 +56,7 @@ mkdir -p /opt/archnest
# ARCHNEST_JWT_SECRET = openssl rand -hex 32
# ARCHNEST_SECRET_KEY = openssl rand -hex 32
# ARCHNEST_GUAC_CRYPT_KEY = openssl rand -base64 24 | cut -c1-32
docker login forgejo.snsnetlabs.com # user: sam, password: the package token
docker login registry.snsnetlabs.com # user: sam, password: the package token
```
Ports are bound to the **mesh IP only** (`100.96.217.250`) — Docker bypasses
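Review bot: `docker login registry.snsnetlabs.com # user: sam, password: the package token` implies racknerd2 reuses the same package token that CI pushes with, but this host only pulls; issue it a separate read-only package token so a compromise of the deploy host cannot push images. Also worth noting that `docker login` stores the credential base64-encoded in `~/.docker/config.json` on racknerd2 unless a credential helper is configured, so that file deserves the same handling as the `.env` secrets generated just above.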

View file

@ -2,11 +2,11 @@
#
# Unlike the root docker-compose.yml (which BUILDS images locally), this file
# PULLS pre-built images from the Forgejo container registry
# (forgejo.snsnetlabs.com/sam/...) that the Forgejo Actions `build` workflow
# (registry.snsnetlabs.com/sam/...) that the Forgejo Actions `build` workflow
# pushes. racknerd2 only has ~1.9 GiB RAM, so we never build here.
#
# Usage on racknerd2 (in this file's directory, with a sibling .env):
# docker login forgejo.snsnetlabs.com # once, as user `sam`
# docker login registry.snsnetlabs.com # once, as user `sam`
# docker compose pull && docker compose up -d
#
# IMPORTANT: published ports are bound to the NetBird mesh IP only. Docker
@ -16,7 +16,7 @@
services:
archnest:
image: forgejo.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:-latest}
image: registry.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:-latest}
container_name: archnest
restart: unless-stopped
ports:
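Review bot: `${ARCHNEST_TAG:-latest}` makes `docker compose pull` track a mutable tag by default, so a deploy cannot be tied to a specific build and a rollback means guessing which image `latest` pointed at. Since build.yml already pushes `<commit-sha>` tags, have deploy.yml set ARCHNEST_TAG to the commit SHA (or pin by digest) and keep `latest` only as a manual fallback.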
@ -25,7 +25,7 @@ services:
- archnest-backend
archnest-backend:
image: forgejo.snsnetlabs.com/sam/archnest-backend:${ARCHNEST_TAG:-latest}
image: registry.snsnetlabs.com/sam/archnest-backend:${ARCHNEST_TAG:-latest}
container_name: archnest-backend
restart: unless-stopped
environment: