v2.0.0: AES-256-GCM transport, PIN lockout, HOTP, QR import/export, Astro website

Security:
- AES-256-GCM replaces XOR for all web transport
- PIN-encrypted device key via PBKDF2-HMAC-SHA256
- Persistent PIN lockout (5 attempts, survives reboots)
- Secure memory wipe before deep sleep

Features:
- HOTP support (offline, no NTP required)
- SHA1/SHA256/SHA512, 6/8 digits, 30s/60s periods
- QR code import and export for TOTP keys
- Password generator in web cabinet

Website:
- Astro static site with browser flasher, user guide, backup tools
- GitHub Actions: auto-deploy site, auto-build firmware on tag push

fix: serve firmware binaries from GitHub Pages with correct paths

chore: force-add v2.0.0 firmware binaries (override .gitignore)

Author: makepkg

.github/workflows/deploy-site.yml

@@ -0,0 +1,42 @@
+name: Deploy Website to GitHub Pages
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'website/**'
+      - '.github/workflows/deploy-site.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install, build, and upload
+        uses: withastro/action@v3
+        with:
+          path: ./website
+          node-version: 22
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/release-firmware.yml

@@ -0,0 +1,93 @@
+name: Build and Release Firmware
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: master
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Cache PlatformIO
+        uses: actions/cache@v4
+        with:
+          path: ~/.platformio
+          key: platformio-${{ hashFiles('platformio.ini') }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install PlatformIO and esptool
+        run: pip install platformio esptool
+
+      - name: Build firmware
+        run: pio run -e lilygo-t-display
+
+      - name: Merge binaries
+        run: |
+          esptool --chip esp32 merge-bin \
+            -o merged-firmware.bin \
+            --flash-mode dio \
+            --flash-freq 40m \
+            --flash-size 4MB \
+            0x1000 .pio/build/lilygo-t-display/bootloader.bin \
+            0x8000 .pio/build/lilygo-t-display/partitions.bin \
+            0x10000 .pio/build/lilygo-t-display/firmware.bin
+
+      - name: Copy binaries to website
+        run: |
+          mkdir -p website/public/firmware
+          cp .pio/build/lilygo-t-display/bootloader.bin website/public/firmware/bootloader.bin
+          cp .pio/build/lilygo-t-display/partitions.bin website/public/firmware/partitions.bin
+          cp .pio/build/lilygo-t-display/firmware.bin website/public/firmware/firmware.bin
+          cp merged-firmware.bin website/public/firmware/merged-firmware.bin
+
+      - name: Update manifest version
+        run: |
+          TAG=${GITHUB_REF#refs/tags/}
+          cat > website/public/firmware/manifest.json << EOF
+          {
+            "name": "SecureGen",
+            "version": "${TAG}",
+            "new_install_prompt_erase": true,
+            "builds": [
+              {
+                "chipFamily": "ESP32",
+                "parts": [
+                  { "path": "/SecureGen/firmware/bootloader.bin", "offset": 4096 },
+                  { "path": "/SecureGen/firmware/partitions.bin", "offset": 32768 },
+                  { "path": "/SecureGen/firmware/firmware.bin",   "offset": 65536 }
+                ]
+              }
+            ]
+          }
+          EOF
+
+      - name: Commit firmware to repo
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add website/public/firmware/
+          git commit -m "firmware: update binaries for ${GITHUB_REF#refs/tags/}"
+          git push origin master
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            merged-firmware.bin
+            .pio/build/lilygo-t-display/bootloader.bin
+            .pio/build/lilygo-t-display/partitions.bin
+            .pio/build/lilygo-t-display/firmware.bin

.gitignore

@@ -8,8 +8,6 @@
 .env
 
 # ⚠️ SECURITY: Internal documentation - DO NOT PUBLISH
-SECURITY_INTERNAL.md
-docs/security/SECURITY_AUDIT_INTERNAL.md
 
 # Private assets
 assets/archive(private)/
@@ -25,10 +23,20 @@ assets/archive(private)/
 Thumbs.db
 
 # Build artifacts
+compile_commands.json
 *.bin
 *.elf
 *.map
 
 # IDE specific
 .idea/
 *.iml
+.cache
+
+# Website build artifacts
+website/node_modules/
+website/dist/
+website/.astro/
+
+# Firmware binaries (never commit, always from Releases)
+website/public/firmware/*.bin

.vscode/settings.json

@@ -0,0 +1,2 @@
+{
+}

CHANGELOG.md

@@ -0,0 +1,42 @@
+# Changelog
+
+## [2.0.0] — March 2026
+
+### Security
+- **AES-GCM transport encryption** — replaced XOR with AES-256-GCM for all web communications
+- **PIN-encrypted device key** — master key file is now encrypted with PIN + salt via PBKDF2-HMAC-SHA256 (AES-256-CBC)
+- **PBKDF2 iterations increased** to 25,000 (PIN unlock, login, export)
+- **Persistent PIN lockout** — failed attempt counter survives reboots; device locks permanently after 5 total attempts
+- **Secure memory wipe** before deep sleep — device key, TOTP secrets, passwords, and session keys zeroed from RAM
+
+### Encryption & Key Management
+- Reworked encryption and decryption system for device key, passwords, and TOTP secrets
+- Added `decrypt_export.html` — offline HTML tool for decrypting exports, editing keys and passwords, and creating key files without the device
+
+### TOTP / HOTP
+- **HOTP support** — counter-based codes work in Offline and AP modes, independent of internet or time sync
+- **Extended algorithm support** — SHA1 / SHA256 / SHA512, 6 and 8 digit codes, configurable period (30s / 60s)
+- **QR code import** — add TOTP keys by scanning a QR code (camera or file upload)
+- **QR code export** — display any TOTP key as QR code on the device screen and in the web interface
+- Hold both buttons on HOTP screen to force-refresh the current code
+
+### Web Interface & API
+- Fixed broken import/export system
+- Reduced number of requests from ESP32 to web server — improved performance
+- Added password generation support in web cabinet
+
+### Hardware & Stability
+- Fixed crashes on battery power when pressing buttons
+- Added QR code for WiFi connection in AP mode — scan to connect instantly
+- Captive portal support in AP mode and WiFi setup flow
+- Hold both buttons on PIN screen → deep sleep (shutdown)
+
+### Logging
+- Debug logging disabled in production builds
+- Runtime log level configurable without reflashing — see [Logging System](docs/development/LOGGING_SYSTEM.md)
+
+---
+
+## Roadmap
+
+See [README → Roadmap](README.md#-roadmap) for planned features.