8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -358,9 +358,9 @@ Thanks to [kyuz0](https://github.com/kyuz0) for [amd-strix-halo-toolboxes](https

### The Resistance

* [Yasin Bursali (yasinBursali)](https://github.com/yasinBursali) — DreamServer's most prolific contributor across 80+ merged PRs spanning every layer of the stack. **Extensions portal**: built the full extensions lifecycle system — catalog generator with CI freshness validation, dream host agent for container management outside Docker (timing-safe auth, core service protection, per-service locking, setup hook execution), extensions API with 16-check compose security scanner (blocks privileged mode, docker socket mounts, dangerous capabilities, host namespaces, non-localhost port bindings) plus atomic installs with path traversal and symlink protection, Extensions dashboard page with install/enable/disable/uninstall, and comprehensive API/host agent/runtime lifecycle documentation. **Extensions library hardening**: led three waves of 50+ PRs standardizing all 33 extension manifests — security hardening (localhost binding, credential requirements, session isolation), setup hooks, image digest pinning, healthcheck fixes (IPv4 migration, tool availability, health_port for split endpoints), port conflict resolution, README standardization, platform compatibility matrix, feature ID deduplication, and compose security scan bypass closures for bare ports and security_opt normalization. **macOS portability**: fixed Apple Silicon Neural Engine detection, unified memory VRAM gating, GPU_BACKEND=apple alignment, BSD/GNU sed compatibility (`_sed_i`), portable timestamps (`_now_ms()`), Bash 4+ guards with Homebrew re-exec, readiness sidecar for native llama-server, LaunchAgent host agent integration, and WSL2 host RAM detection. 
**Dashboard API**: added tiered Privacy Shield auth, migrated privacy-shield toggle from Docker socket to host agent API, populated null status fields (disk/system/inference), fixed n8n health detection with shared aiohttp sessions, forced IPv4 in health checker for WSL2, added GPU service inference fallback from nvidia-smi processes, handled thinking model `<think>` blocks, and fixed version endpoint to read from .env. **Installer/CLI**: replaced deprecated n8n basic auth with v2.x admin setup, preserved .env inode during model swap (cat > instead of mv), preserved VERSION across /etc/os-release sourcing, fixed dream-cli symlink resolution, prevented double-inclusion of extension compose files, added load_env to stop/start/restart, disabled ComfyUI compose when image generation is off, fixed COMPOSE_FLAGS word-splitting, added reverse-dependency check to dream disable, and added SEARXNG_SECRET to CI fixtures. **Security**: hardened ComfyUI with loopback binding and no-new-privileges, secured OpenCode with auto-generated passwords, removed API key from token-spy HTML, added `set -euo pipefail` to the installer, and guarded nvidia-smi against [N/A] values on MIG/vGPU configurations
* [Yasin Bursali (yasinBursali)](https://github.com/yasinBursali) — DreamServer's most prolific contributor across 80+ merged PRs spanning every layer of the stack. **Extensions portal**: built the full extensions lifecycle system — catalog generator with CI freshness validation, dream host agent for container management outside Docker (timing-safe auth, core service protection, per-service locking, setup hook execution), extensions API with 16-check compose security scanner (blocks privileged mode, docker socket mounts, dangerous capabilities, host namespaces, non-localhost port bindings) plus atomic installs with path traversal and symlink protection, Extensions dashboard page with install/enable/disable/uninstall, and comprehensive API/host agent/runtime lifecycle documentation. **Extensions library hardening**: led three waves of 50+ PRs standardizing all 33 extension manifests — security hardening (localhost binding, credential requirements, session isolation), setup hooks, image digest pinning, healthcheck fixes (IPv4 migration, tool availability, health_port for split endpoints), port conflict resolution, README standardization, platform compatibility matrix, feature ID deduplication, and compose security scan bypass closures for bare ports and security_opt normalization. **macOS portability**: fixed Apple Silicon Neural Engine detection, unified memory VRAM gating, GPU_BACKEND=apple alignment, BSD/GNU sed compatibility (`_sed_i`), portable timestamps (`_now_ms()`), Bash 4+ guards with Homebrew re-exec, readiness sidecar for native llama-server, LaunchAgent host agent integration, and WSL2 host RAM detection. 
**Dashboard API**: added tiered Privacy Shield auth, migrated privacy-shield toggle from Docker socket to host agent API, populated null status fields (disk/system/inference), fixed n8n health detection with shared aiohttp sessions, forced IPv4 in health checker for WSL2, added GPU service inference fallback from nvidia-smi processes, handled thinking model `<think>` blocks, and fixed version endpoint to read from .env. **Installer/CLI**: replaced deprecated n8n basic auth with v2.x admin setup, preserved .env inode during model swap (cat > instead of mv), preserved VERSION across /etc/os-release sourcing, fixed dream-cli symlink resolution, prevented double-inclusion of extension compose files, added load_env to stop/start/restart, disabled ComfyUI compose when image generation is off, fixed COMPOSE_FLAGS word-splitting, added reverse-dependency check to dream disable, and added SEARXNG_SECRET to CI fixtures. **Security**: hardened ComfyUI with loopback binding and no-new-privileges, secured OpenCode with auto-generated passwords, removed API key from token-spy HTML, added `set -euo pipefail` to the installer, and guarded nvidia-smi against [N/A] values on MIG/vGPU configurations. **Observability (April 2026)**: added per-container CPU/memory stats endpoint to the host agent with Docker stats parsing and IEC unit handling, added read-only service logs endpoint scoped to dream-server containers via Docker Compose project label filtering, routed dashboard log viewing through host agent with status code clamping (502 for upstream errors) and Docker Compose label spoofing prevention, added per-service resource metrics aggregation endpoint with parallel fetch and split-TTL caching, added real-time bootstrap download progress tracking with background file-size monitor and atomic JSON status writes, added macOS native llama-server hot-swap with old-model rollback on health-check failure and PID reuse verification. 
**CLI/Installer fixes**: fixed dream-cli version display to read from .env instead of hardcoded 2.0.0, added user-extensions directory scanning to service registry with built-in-first deduplication, replaced compose-flags cache deletion with proper regeneration via resolve-compose-stack, fixed GPU assignment JSON generation for single-GPU NVIDIA systems, added compose syntax validation before container launch in phase 11, added dream_min version bounds to 15 extension manifests, and pre-created privacy-shield data directory in the installer
* [Youness Yachouti (y-coffee-dev)](https://github.com/y-coffee-dev) — Designed and built the full-stack multi-GPU system: NVIDIA topology detection via nvidia-smi topo matrix parsing, four-phase GPU assignment algorithm with topology-aware service placement, docker-compose.multigpu.yml overlay generation, and the dashboard GPU Monitor page with per-GPU cards, SVG sparkline charts, topology visualization, and service assignment views. Added five dream gpu CLI subcommands (status, topology, assignment, validate, reassign) with --auto/--manual/--dry-run modes and bash tab completions. Rewrote lib/safe-env.sh to split on first = only, fixing base64 value truncation in .env parsing. Added GPU environment passthrough to dashboard-api, SDXL download guard for disabled ComfyUI, and ANSI escape stripping for nvidia-smi output. Contributed 345 lines of GPU-specific tests. Tested on real multi-GPU hardware including 4x RTX 4060 Ti, 4x RTX 4080, and 8x RTX 5060 Ti configurations.
* [Tony363 (Tony Siu)](https://github.com/Tony363) — Raised dashboard-api test coverage to 95% with 3,500+ lines of tests across 14 files including comprehensive endpoint coverage for setup, privacy, workflows, updates, agents, and GPU monitoring, plus 7 BATS shell test suites covering logging, constants, path-utils, bootstrap-model, nvidia-topo, ui, and background-tasks. Added comprehensive architecture overview documentation (ARCHITECTURE.md) with Mermaid diagrams for service topology, installer pipeline, and compose layering. Fixed the pre-existing ThemeProvider CI failure that was blocking every PR frontend check. Reported the PyYAML import crash on Manjaro/Arch (resolve-compose-stack.sh) with clear root cause analysis. Drives developer outreach and ecosystem growth as head of Coffee and Code Philadelphia. Earlier work: hardened service-registry.sh against shell injection, improved PII scrubber with Luhn check, fixed token-spy settings persistence with atomic writes, fixed SSH command injection in session-manager.sh, narrowed broad exception catches across dashboard-api, and authored CLAUDE.md with project instructions and design philosophy. Built three AI-powered GitHub Actions workflows: consolidated code review with fork detection and protected file enforcement, label-gated issue-to-PR automation with 4-job pipeline (validate/implement/guardrails/create-pr) and prompt injection hardening (anti-injection preamble, 4000-char truncation, tool restrictions, secret scanning), and nightly AI scanners for code review/docs/autonomous scanning with budget caps and manual-only triggers. Fixed unified APU name fallback in GPU detection for Strix Halo
* [Tony363 (Tony Siu)](https://github.com/Tony363) — Raised dashboard-api test coverage to 95% with 3,500+ lines of tests across 14 files including comprehensive endpoint coverage for setup, privacy, workflows, updates, agents, and GPU monitoring, plus 7 BATS shell test suites covering logging, constants, path-utils, bootstrap-model, nvidia-topo, ui, and background-tasks. Added comprehensive architecture overview documentation (ARCHITECTURE.md) with Mermaid diagrams for service topology, installer pipeline, and compose layering. Fixed the pre-existing ThemeProvider CI failure that was blocking every PR frontend check. Reported the PyYAML import crash on Manjaro/Arch (resolve-compose-stack.sh) with clear root cause analysis. Drives developer outreach and ecosystem growth as head of Coffee and Code Philadelphia. Earlier work: hardened service-registry.sh against shell injection, improved PII scrubber with Luhn check, fixed token-spy settings persistence with atomic writes, fixed SSH command injection in session-manager.sh, narrowed broad exception catches across dashboard-api, and authored CLAUDE.md with project instructions and design philosophy. Built three AI-powered GitHub Actions workflows: consolidated code review with fork detection and protected file enforcement, label-gated issue-to-PR automation with 4-job pipeline (validate/implement/guardrails/create-pr) and prompt injection hardening (anti-injection preamble, 4000-char truncation, tool restrictions, secret scanning), and nightly AI scanners for code review/docs/autonomous scanning with budget caps and manual-only triggers. Fixed unified APU name fallback in GPU detection for Strix Halo. Prototyped a full Rust/Axum rewrite of the dashboard-api with 285 tests, constant-time auth middleware, 3-crate workspace, and ~25MB Docker image (work-in-progress — extension security features being ported). Fixed pipefail-safe hostname fallback in installer phase 13 for Arch/Manjaro compatibility
* [latentcollapse (Matt C)](https://github.com/latentcollapse) — Security audit and hardening: OpenClaw localhost binding fix, multi-GPU VRAM detection, AMD dashboard hardening, and the Agent Policy Engine (APE) extension
* [Igor Lins e Silva (igorls)](https://github.com/igorls) — Stability audit fixing 9 infrastructure bugs: dynamic compose discovery in backup/restore/update scripts, Token Spy persistent storage and connection pool hardening, dotglob rollback fix, systemd auto-resume service correction, removed auth gate from preflight ports endpoint for setup wizard compatibility, added ESLint flat config for the dashboard, cleaned up unused imports and linting across the Python codebase, and resolved CI failures across dashboard and smoke tests
* [Nino Skopac (NinoSkopac)](https://github.com/NinoSkopac) — Token Spy dashboard improvements: shared metric normalization with parity tests, budget and active session tracking, configurable secure CORS replacing wildcard origins, and DB backend compatibility shim for sidecar migration
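Review bot: In the updated yasinBursali entry, the new **CLI/Installer fixes** section repeats the category of the existing **Installer/CLI** section, so installer and dream-cli work is now split across two headings with **Security** and **Observability (April 2026)** in between. Fold the new items into **Installer/CLI**, or date the new heading the way the Observability one is dated so it reads as a later batch. The added security-relevant claims (service logs endpoint "scoped to dream-server containers via Docker Compose project label filtering", "Docker Compose label spoofing prevention", and "constant-time auth middleware" in the Tony363 entry) carry no PR references; linking the PRs would let a reader check what was actually implemented.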
Expand All @@ -372,7 +372,7 @@ Thanks to [kyuz0](https://github.com/kyuz0) for [amd-strix-halo-toolboxes](https
* [takutakutakkun0420-hue](https://github.com/takutakutakkun0420-hue) — Added log rotation to all base services preventing unbounded disk growth, and added open-webui startup dependency on llama-server health ensuring the UI never shows a broken state

* [reo0603](https://github.com/reo0603) — Fixed Makefile paths after dashboard-api move and heredoc quoting bug in session-manager.sh SSH command, narrowed broad exception catches to specific types across dashboard-api, parallelized health checks for 17× faster execution, added compose.local.yaml for dashboard/open-webui/privacy-shield service dependencies, added .dockerignore files to all custom Dockerfiles reducing build context, fixed H2C smuggling vector in nginx proxy and added wss:// for HTTPS in voice agent, added comprehensive extension integration and hardware compatibility test suites, and hardened secret management with .gitignore patterns for key/pem/credential files and SQL identifier validation in token-spy
* [Arifuzzaman Joy (Arifuzzamanjoy)](https://github.com/Arifuzzamanjoy) — Added cpu and none to the gpu_backends schema enum enabling CPU-only service declarations, fixed gpu_backends on 13+ extension manifests resolving schema validation failures, added missing required fields (icon, category, requirements, priority) to localai features, fixed env_vars schema compliance (name to key) in bark and rvc manifests, corrected privacy-shield service ID to match schema pattern, and fixed typo in baserow manifest tags
* [Arifuzzaman Joy (Arifuzzamanjoy)](https://github.com/Arifuzzamanjoy) — Pinned yq and docker-compose versions in the bootstrap Dockerfile replacing floating `/latest/` tags with reproducible ARG-based version pins, added Draft7Validator compatibility for jsonschema 3.x on Ubuntu 22.04/24.04, added compatibility blocks (dream_min version bounds) to 25 extension library manifests, added missing gpu_backends to 8 extension manifests, added cpu and none to the gpu_backends schema enum enabling CPU-only service declarations, fixed gpu_backends on 13+ extension manifests resolving schema validation failures, added missing required fields (icon, category, requirements, priority) to localai features, fixed env_vars schema compliance (name to key) in bark and rvc manifests, corrected privacy-shield service ID to match schema pattern, and fixed typo in baserow manifest tags
* [nt1412](https://github.com/nt1412) — Wired dashboard-api agent metrics to Token Spy with background metrics collection, added TOKEN_SPY_URL/TOKEN_SPY_API_KEY env vars, fixed missing key_management.py in privacy-shield Dockerfile, and added ui_path to dashboard sidebar links so extension services open at their correct UI page
* [evereq](https://github.com/evereq) — Relocated docs/images to resources/docs/images for cleaner monorepo root
* [championVisionAI](https://github.com/championVisionAI) — Added Alpine Linux (apk) and Void Linux (xbps) package manager support to the installer abstraction layer, hardened hardware detection with JSON output escaping and container/WSL2 detection, rewrote healthcheck.py with retries, HEAD-to-GET fallback, status code matching, and structured JSON output, hardened Docker phase with daemon start/retry logic and compose v1/v2 detection, added cross-platform python3/python command resolution with shared detection utility, and hardened env schema validation with robust .env parsing, enum validation, and line-number error reporting, added sim summary validation test suite with 10 test cases covering help, missing files, invalid JSON, and strict mode, hardened hardware detection with JSON output escaping and container/WSL2 detection, hardened healthcheck.py with retries and HEAD-to-GET fallback, hardened Docker phase with daemon start/retry and compose v1/v2 detection, fixed Windows python3/python command resolution, added extension audit workflow with 838-line Python auditor and 'dream audit' CLI command, added duplicate key detection to env validation, added compact JSON output mode and --help flag to hardware detection, and failed env validation on duplicate keys preventing silent config corruption
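Review bot: The rewritten Arifuzzamanjoy entry now mentions gpu_backends twice with different counts, "added missing gpu_backends to 8 extension manifests" and "fixed gpu_backends on 13+ extension manifests", and nothing says whether these are the same manifests or separate batches. Merge them into one statement or say how they differ. The new items are also placed at the front of this entry, while the yasinBursali and Tony363 entries in the same change append new work at the end; one ordering across the list would make the entries easier to scan.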
Expand All @@ -382,7 +382,7 @@ Thanks to [kyuz0](https://github.com/kyuz0) for [amd-strix-halo-toolboxes](https
* [eva57gr](https://github.com/eva57gr) — Fixed bash syntax error in Token Spy session-manager.sh SSH heredoc command, and unified port contract across installer, schema, compose, and manifests with canonical ports.json registry
* [cycloarcane](https://github.com/cycloarcane) — Fixed unbound variable crash by guarding service-registry.sh sourcing in install-core.sh, health-check.sh, and 04-requirements.sh
* [Rowan (rowanbelanger713)](https://github.com/rowanbelanger713) — Enhanced llama-server with configurable batch-size, threads, and parallel request knobs, added TTL caching and async threading to dashboard-api status endpoints, pooled httpx connections for LiteLLM, lazy-loaded React routes with memoized components, scoped CSS transitions to interactive elements, paused polling on hidden tabs, and split Vite output into vendor/icons chunks for faster loading
* [gabsprogrammer](https://github.com/gabsprogrammer) — Fixed llama-server default port fallback from 11434 to canonical 8080 in dream-preflight.sh, added set -euo pipefail, removed dead duplicate if/else branch, and added a 156-line preflight test suite with static analysis and runtime smoke tests
* [gabsprogrammer](https://github.com/gabsprogrammer) — Designed and built the dashboard's "liquid metal" visual refresh with grouped service layout, token throughput signal charts, interactive SVG visualizations, collapsible sidebar, animated splash screen with full accessibility (ARIA dialog, prefers-reduced-motion, keyboard skip, low-performance device detection), and theme-aware CSS custom properties across all four themes. Fixed Windows PowerShell 5.1 parse errors by replacing Unicode em dashes, fixed dashboard-api extension catalog timeout, fixed health-check duplicate sr_load crash, fixed backup manifest .version JSON parsing, fixed llama-server default port fallback from 11434 to canonical 8080 in dream-preflight.sh, added set -euo pipefail, removed dead duplicate if/else branch, and added a 156-line preflight test suite with static analysis and runtime smoke tests
* [onyxhat](https://github.com/onyxhat) — Fixed missing variable initialization in installer scripts
If we missed anyone, [open an issue](https://github.com/Light-Heart-Labs/DreamServer/issues). We want to get this right.
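Review bot: In the updated gabsprogrammer entry, the trailing items "added set -euo pipefail, removed dead duplicate if/else branch" no longer read as belonging to dream-preflight.sh, because four unrelated fixes (PowerShell 5.1 parse errors, extension catalog timeout, sr_load crash, backup manifest parsing) now precede them in the same comma list. Group the preflight work together, for example "in dream-preflight.sh: fixed the llama-server default port fallback from 11434 to canonical 8080, added set -euo pipefail, removed a dead duplicate if/else branch", and keep the other fixes in their own sentence.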
