chore(deps): update postgres:18.4 docker digest to 29ee7bb

apps/mealie/docker-compose.yml

@@ -54,7 +54,7 @@ services:
       - traefik.http.services.mealie.loadbalancer.server.port=9000
 
   mealie-postgres:
-    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
+    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
     container_name: mealie-postgres
     restart: unless-stopped
 

apps/nextcloud/docker-compose.yml

@@ -46,7 +46,7 @@ services:
       - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
 
   nextcloud-postgres:
-    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
+    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
     container_name: nextcloud-postgres
     restart: unless-stopped
     environment:

docs/MASTER_TODO.md

@@ -25,6 +25,7 @@ Host-Reports (`/mnt/user/backups/restore-reports/`) und in der Git-Historie.
 | Restore-Test Tailscale | Operator | State-Validierung + Reconnect nur auf Wegwerf-Host/VM, danach Geraet in Tailscale-Admin entfernen | `ops/restore-tests/tailscale-runbook.md` |
 | Authelia OIDC fuer Apps | Operator/Claude | Live: Grafana + Mealie (verifiziert), Paperless deployed (Login-Test offen). Immich + Nextcloud bewusst geparkt bis Family-Onboarding (siehe `docs/DECISIONS.md` 2026-06-06) | `docs/AUTHELIA_OIDC_PLAN.md` |
 | Glance-v2-Widgets: Tokens setzen | Operator | In Komodo Stack-ENV fuer `ops-glance` setzen: `GLANCE_KOMODO_API_KEY`/`_SECRET` (Komodo read-only API-Key), `GLANCE_GITEA_TOKEN` (read-only, scope `read:repository`), `GLANCE_PAPERLESS_TOKEN`, `GLANCE_MEALIE_TOKEN`; bis dahin zeigen die neuen Widgets Fehler/leer. Speedtest-Widget: falls weiter 0.0, API-Response pruefen | `ops/glance/config/` |
+| Home Assistant Foundation-Abnahme | Operator/Codex | Sofort: Owner-Onboarding abschliessen. Danach temporaere Authelia-Middleware von der HA-Route entfernen, Komodo-Stack-Eintrag + Webhook sauber anlegen/verifizieren, HA-MQTT-Smoke-Test und HA-native `backup.create` testen, Restore-Probe fuer HA/Mosquitto dokumentieren | `docs/runbooks/smart-home-bootstrap.md`, `docs/RESTORE_MATRIX.md` |
 | Audit-PDF aus `docs/` entfernen | Operator | `docs/KalliLab_CORE_Audit_2026-06-06.pdf` (untracked) extern ablegen (H:/ oder Documents-Share) und lokal loeschen; Binaerdateien gehoeren nicht ins GitOps-Repo | Doku-Regeln `docs/REPO_MAP.md` |
 
 ---

docs/runbooks/smart-home-bootstrap.md

@@ -78,7 +78,29 @@ docker logs --tail=100 smarthome-mosquitto
 - MQTT-Integration verbindet sich mit Host `smarthome-mosquitto`, Port `1883`.
 - HA-native Backup-Erstellung funktioniert.
 
-## 6. Abnahmebedingung
+## 6. Fachrepo-Update
+
+Das Fachrepo `/mnt/user/services/smart-home-kalli` ist kein eigener
+Komodo-Stack. Aenderungen wirken erst nach diesem Host-Ablauf:
+
+```sh
+cd /mnt/user/services/smart-home-kalli
+git pull --ff-only origin main
+docker restart homeassistant
+```
+
+Der Restart ist Pflicht, weil `configuration.yaml`, `automations.yaml`,
+`scripts.yaml` und `scenes.yaml` als Einzeldateien in den Container gemountet
+werden. Nach einem `git pull` kann Docker sonst noch den alten Datei-Inode sehen.
+
+## 7. UI-Editor-Politik
+
+`automations.yaml`, `scripts.yaml` und `scenes.yaml` sind read-only aus Git
+gemountet. Der Home-Assistant-UI-Editor fuer diese Dateien ist deshalb nicht der
+primaere Schreibweg. Automationen und Scripts werden in Git gepflegt; UI-State
+und Integrations-State bleiben in `.storage` und werden per Borg gesichert.
+
+## 8. Abnahmebedingung
 
 Vor produktiven Energie-Automationen muss ein Restore-Test fuer
 `/mnt/user/appdata/homeassistant`, `/mnt/user/appdata/mosquitto` und den Clone

infra/postgresql17/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   postgresql17:
-    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
+    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
     container_name: postgresql17
     restart: unless-stopped
 

ops/borg-ui/BACKUP_SCOPE.md

@@ -49,7 +49,7 @@ The Unraid flash configuration archive is intentional as well and must be treate
 | Filebrowser | file-backed state dump + file data | `/local/borg-dumps`, `/local/appdata/filebrowser` |
 | InfluxDB 3 Core | file data | `/local/appdata/influxdb3/data`, `/local/appdata/influxdb3/plugins` |
 | Home Assistant | HA-native backup + file state | `/local/appdata/homeassistant`, `/local/services/smart-home-kalli` |
-| Smart-Home MQTT / Mosquitto | file data | `/local/appdata/mosquitto/config`, `/local/appdata/mosquitto/data`, `/local/appdata/mosquitto/log` |
+| Smart-Home MQTT / Mosquitto | file data | `/local/appdata/mosquitto/config`, `/local/appdata/mosquitto/data` |
 | Zigbee2MQTT (planned) | file data + coordinator state | `/local/appdata/zigbee2mqtt`, `/local/services/smart-home-kalli` |
 | ESPHome (planned) | Fachrepo + optional build/runtime cache | `/local/services/smart-home-kalli/esphome`, optional `/local/appdata/esphome` |
 | Hermes Agent | file data + SSH key | `/local/appdata/hermes-agent/data`, `/local/secrets/hermes_runner_id_ed25519` |

smart-home/docker-compose.yml

@@ -28,6 +28,8 @@ services:
       - traefik.http.routers.homeassistant.entrypoints=websecure
       - traefik.http.routers.homeassistant.tls=true
       - traefik.http.routers.homeassistant.tls.certresolver=le
+      # Temporary onboarding guard: remove after the HA owner account exists.
+      - traefik.http.routers.homeassistant.middlewares=authelia@file,secure-headers@file
       - traefik.http.services.homeassistant.loadbalancer.server.port=8123
 
   mosquitto: