diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml index 04328fc..0e9dc8a 100644 --- a/.forgejo/workflows/build.yml +++ b/.forgejo/workflows/build.yml @@ -1,9 +1,13 @@ name: Build & Push Images # Builds the frontend + backend Docker images and pushes them to the Forgejo -# container registry (forgejo.snsnetlabs.com/sam/...). Runs on every push to +# container registry (registry.snsnetlabs.com/sam/...). Runs on every push to # main, and on-demand via the "Run workflow" button (workflow_dispatch). # +# NOTE: registry.snsnetlabs.com is the unproxied (DNS-only) registry host so +# large layers bypass Cloudflare's body cap. The web UI / packages list stays +# on forgejo.snsnetlabs.com (Cloudflare Access SSO). +# # Requirements (see deploy/README.md): # - Forgejo Actions secret FORGEJO_REGISTRY_TOKEN: a package-scoped token for # user `sam`. @@ -16,7 +20,7 @@ on: workflow_dispatch: env: - REGISTRY: forgejo.snsnetlabs.com + REGISTRY: registry.snsnetlabs.com OWNER: sam jobs: diff --git a/.kiro/steering/project-guide.md b/.kiro/steering/project-guide.md index 273ca01..aeb1077 100644 --- a/.kiro/steering/project-guide.md +++ b/.kiro/steering/project-guide.md @@ -70,6 +70,10 @@ bookmarks. Deployed at `archnest.snsnetlabs.com` via Docker Compose on ## Policies +- **Versioning**: development happens on **even** major versions; **odd** majors + are released/stable lines. We are currently developing **v2** (the prior + released line is v1, see the `v1.0` git tag). Image/version tags should + reflect this — dev builds carry the even (v2) version. - **Zero mock data** — every number comes from a live API/SSH/DB call - **Design-first for big features** — write a `docs/.md` before coding - **No footer** on any page diff --git a/HANDOFF.md b/HANDOFF.md index 0858663..e9c5432 100644 --- a/HANDOFF.md +++ b/HANDOFF.md 
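Review bot: Setting `REGISTRY: registry.snsnetlabs.com` in the `env:` hunk of build.yml moves pushes to a host that the new NOTE comment describes as unproxied, so Cloudflare Access no longer sits in front of that name and the package token is the only control on it. If this hostname is served by the same Forgejo origin as `forgejo.snsnetlabs.com` (not visible in this diff), the web UI may also be reachable there without SSO unless the origin reverse proxy restricts this host to the registry API path. I would extend the NOTE in the header hunk with a line such as `# registry.snsnetlabs.com is NOT behind Cloudflare Access; the origin proxy must serve only /v2/ on this host.` It is also worth confirming that the origin presents a valid certificate for the new name, since TLS is no longer terminated at the proxy.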
@@ -26,6 +26,8 @@ No new feature is queued. Pick up from here: ## Standing rules (read before doing anything) +- **Versioning convention**: development happens on **even** major versions, releases on **odd**. We are currently developing **v2** (prior released line is v1 — see the `v1.0` git tag). Dev image/version tags carry the even (v2) number. `package.json` (root + backend) still reads `0.0.0` and the Settings → About panel is hardcoded `v1.0.0`; neither has been bumped to v2 yet. + - **Branch**: never commit on `main`. Create a fresh feature branch off `main` (recent convention: `kiro/`). Confirm with `git branch --show-current` before starting. - **Workflow per change**: type-check (`npx tsc --noEmit -p .` in repo root AND in `backend/`) — and for frontend changes prefer a full `npm run build` (which runs `tsc -b && vite build`; the stricter `tsc -b` has caught errors a plain `tsc --noEmit` missed via stale incremental cache) → commit → `git fetch origin main && git rebase origin/main` → `git push -u origin ` → open a PR with `gh pr create` → squash-merge (`gh pr merge --squash --delete-branch`) → poll the resulting run (`gh run list --branch main`, then `gh run watch --exit-status`) until `validate` and `deploy` both succeed (deploy's last step is "Health check (backend /api/health)"). - **`git add -A` caution**: this has twice swept up unrelated untracked files (e.g. a bookmark-import JSON the user asked to be generated, not committed) into unrelated PRs. Prefer `git add ` and always check `git diff --cached --stat` before committing. diff --git a/deploy/README.md b/deploy/README.md index bdedaf9..4ae523c 100644 --- a/deploy/README.md +++ b/deploy/README.md 
@@ -6,7 +6,7 @@ over the NetBird mesh. racknerd2 only pulls and runs — it never builds (1.9 Gi RAM). ``` -push to main / manual ─► [build.yml] build + push images ─► forgejo.snsnetlabs.com/sam/{archnest,archnest-backend} +push to main / manual ─► [build.yml] build + push images ─► registry.snsnetlabs.com/sam/{archnest,archnest-backend} │ manual dispatch ─► [deploy.yml] ssh racknerd2 ─► docker compose pull && up -d ``` @@ -15,10 +15,12 @@ push to main / manual ─► [build.yml] build + push images ─► forgejo.snsn | Image | From | Tags | |-------|------|------| -| `forgejo.snsnetlabs.com/sam/archnest` | root `Dockerfile` (React build → nginx) | `latest`, `` | -| `forgejo.snsnetlabs.com/sam/archnest-backend` | `backend/Dockerfile` (Fastify) | `latest`, `` | +| `registry.snsnetlabs.com/sam/archnest` | root `Dockerfile` (React build → nginx) | `latest`, `` | +| `registry.snsnetlabs.com/sam/archnest-backend` | `backend/Dockerfile` (Fastify) | `latest`, `` | -Pushed images appear at `https://forgejo.snsnetlabs.com/sam/-/packages` (SSO). +`registry.snsnetlabs.com` is the **unproxied (DNS-only)** registry host, so large +layers bypass Cloudflare's ~100 MB request-body cap. Pushed images appear at +`https://forgejo.snsnetlabs.com/sam/-/packages` (web UI, Cloudflare Access SSO). ## One-time setup @@ -54,7 +56,7 @@ mkdir -p /opt/archnest # ARCHNEST_JWT_SECRET = openssl rand -hex 32 # ARCHNEST_SECRET_KEY = openssl rand -hex 32 # ARCHNEST_GUAC_CRYPT_KEY = openssl rand -base64 24 | cut -c1-32 -docker login forgejo.snsnetlabs.com # user: sam, password: the package token +docker login registry.snsnetlabs.com # user: sam, password: the package token ``` Ports are bound to the **mesh IP only** (`100.96.217.250`) — Docker bypasses diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml index 6d875d6..06dd24c 100644 --- a/deploy/docker-compose.yml +++ b/deploy/docker-compose.yml 
@@ -2,11 +2,11 @@ # # Unlike the root docker-compose.yml (which BUILDS images locally), this file # PULLS pre-built images from the Forgejo container registry -# (forgejo.snsnetlabs.com/sam/...) that the Forgejo Actions `build` workflow +# (registry.snsnetlabs.com/sam/...) that the Forgejo Actions `build` workflow # pushes. racknerd2 only has ~1.9 GiB RAM, so we never build here. # # Usage on racknerd2 (in this file's directory, with a sibling .env): -# docker login forgejo.snsnetlabs.com # once, as user `sam` +# docker login registry.snsnetlabs.com # once, as user `sam` # docker compose pull && docker compose up -d # # IMPORTANT: published ports are bound to the NetBird mesh IP only. Docker @@ -16,7 +16,7 @@ services: archnest: - image: forgejo.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:-latest} + image: registry.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:-latest} container_name: archnest restart: unless-stopped ports: @@ -25,7 +25,7 @@ services: - archnest-backend archnest-backend: - image: forgejo.snsnetlabs.com/sam/archnest-backend:${ARCHNEST_TAG:-latest} + image: registry.snsnetlabs.com/sam/archnest-backend:${ARCHNEST_TAG:-latest} container_name: archnest-backend restart: unless-stopped environment:
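Review bot: The usage comment in the first docker-compose.yml hunk still says `docker login registry.snsnetlabs.com # once`, but a host that logged in before this change holds the package token under the `forgejo.snsnetlabs.com` entry of Docker's credential store. Credentials are keyed by registry host, so that entry will not be used for the new name and remains on disk after the switch. I would add a migration line to the usage block, for example `#   docker logout forgejo.snsnetlabs.com   # remove the credential stored for the old host`, and note that the login must be repeated for the new host.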
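Review bot: Both changed `image:` lines (the `archnest` hunk and the `archnest-backend` hunk after it) keep `${ARCHNEST_TAG:-latest}`, so a `docker compose pull` with the variable unset runs whatever is currently tagged `latest` on a registry host that is now directly exposed. Whether deploy.yml always sets `ARCHNEST_TAG` is not visible in this diff. Consider making an unset tag fail instead of falling back, `image: registry.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:?set ARCHNEST_TAG}`, with the same form on the backend line, or pinning by digest. The `services:` mapping continues outside both hunks.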