v0.3.5: Private blob encryption, blob prefetch, intent-based filtering, crypto refactoring

Private blob encryption:
- Encrypted posts (Friends/Circle/Direct) now encrypt attachment blobs with same CEK
- Public blobs unchanged, CID computed on ciphertext for private
- decrypt_blob_for_post/get_blob_for_post for transparent decryption on retrieval

Blob prefetch:
- Pull cycle and sync_with eagerly fetch missing blobs after post sync
- prefetch_blobs_from_peer scans for missing attachments, fetches via fallback chain
- Runs outside conn_mgr lock at Node level

Crypto refactoring:
- Extracted: encrypt/decrypt_bytes_with_cek, wrap/unwrap_cek_for_recipients
- unwrap_cek_for_recipient, unwrap_group_cek, random_cek
- encrypt_post_with_cek, encrypt_post_for_group_with_cek variants
- All existing functions refactored to delegate, 19 crypto tests pass

Intent-based filtering:
- intent_kind field on PostDto ("public"/"friends"/"circle"/"direct"/"unknown")
- Feed/MyPosts filter on intentKind !== 'direct' instead of visibility
- Messages filter with backward-compatible fallback for pre-intent posts
- get_post_intent storage method

IPC updates:
- resolve_blob_data helper using get_blob_for_post with network fallback
- sanitize_download_filename prevents path traversal
- get_blob_path accepts optional post_id_hex

Website:
- Mobile hamburger nav on all pages
- Mesh/Non-mesh N1 labels in network diagnostics

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

website/download.html

@@ -10,6 +10,7 @@
 <body>
     <nav>
         <a href="index.html" class="logo">ItsGoin</a>
+        <button class="menu-toggle" onclick="this.parentElement.querySelector('.links').classList.toggle('open')" aria-label="Menu">&#9776;</button>
         <div class="links">
             <a href="index.html">About</a>
             <a href="tech.html">How It Works</a>
@@ -24,16 +25,16 @@
         <section>
             <h1 style="font-size: 2rem; font-weight: 800; letter-spacing: -0.03em; margin-bottom: 0.25rem;">Download ItsGoin</h1>
             <p>Available for Android and Linux. Free and open source.</p>
-            <p style="color: var(--text-muted); font-size: 0.85rem;">Version 0.3.4 &mdash; March 15, 2026</p>
+            <p style="color: var(--text-muted); font-size: 0.85rem;">Version 0.3.5 &mdash; March 15, 2026</p>
 
             <div class="downloads">
-                <a href="itsgoin-0.3.4.apk" class="download-btn btn-android">
+                <a href="itsgoin-0.3.5.apk" class="download-btn btn-android">
                     Android APK
-                    <span class="sub">v0.3.4</span>
+                    <span class="sub">v0.3.5</span>
                 </a>
-                <a href="itsgoin_0.3.4_amd64.AppImage" class="download-btn btn-linux">
+                <a href="itsgoin_0.3.5_amd64.AppImage" class="download-btn btn-linux">
                     Linux AppImage
-                    <span class="sub">v0.3.4</span>
+                    <span class="sub">v0.3.5</span>
                 </a>
             </div>
         </section>
@@ -45,7 +46,7 @@
                 <h3 style="color: var(--accent);">Android</h3>
                 <ol class="steps">
                     <li><strong>Download the APK</strong> &mdash; Tap the button above. Your browser may warn that this type of file can be harmful &mdash; tap <strong>Download anyway</strong>.</li>
-                    <li><strong>Open the file</strong> &mdash; When the download finishes, tap the notification or find <code>itsgoin-0.3.4.apk</code> in your Downloads folder and tap it.</li>
+                    <li><strong>Open the file</strong> &mdash; When the download finishes, tap the notification or find <code>itsgoin-0.3.5.apk</code> in your Downloads folder and tap it.</li>
                     <li><strong>Allow installation</strong> &mdash; Android will ask you to allow installs from this source. Tap <strong>Settings</strong>, toggle <strong>"Allow from this source"</strong>, then go back and tap <strong>Install</strong>.</li>
                     <li><strong>Launch the app</strong> &mdash; Once installed, tap <strong>Open</strong> or find ItsGoin in your app drawer.</li>
                 </ol>
@@ -58,8 +59,8 @@
                 <h3 style="color: var(--green);">Linux (AppImage)</h3>
                 <ol class="steps">
                     <li><strong>Download the AppImage</strong> &mdash; Click the button above to download.</li>
-                    <li><strong>Make it executable</strong> &mdash; Open a terminal and run:<br><code>chmod +x itsgoin_0.3.4_amd64.AppImage</code></li>
-                    <li><strong>Run it</strong> &mdash; Double-click the file, or from the terminal:<br><code>./itsgoin_0.3.4_amd64.AppImage</code></li>
+                    <li><strong>Make it executable</strong> &mdash; Open a terminal and run:<br><code>chmod +x itsgoin_0.3.5_amd64.AppImage</code></li>
+                    <li><strong>Run it</strong> &mdash; Double-click the file, or from the terminal:<br><code>./itsgoin_0.3.5_amd64.AppImage</code></li>
                 </ol>
                 <div class="note">
                     <strong>Note:</strong> If it doesn't launch, you may need to install FUSE:<br><code>sudo apt install libfuse2</code> (Debian/Ubuntu) or <code>sudo dnf install fuse</code> (Fedora).
@@ -70,6 +71,16 @@
         <section>
             <h2>Changelog</h2>
             <div class="changelog">
+                <div class="changelog-date">v0.3.5 &mdash; March 20, 2026</div>
+                <ul>
+                    <li><strong>Private blob encryption</strong> &mdash; Attachments on encrypted posts (Friends, Circle, Direct) are now encrypted with the same CEK as the post text. Public blobs remain plaintext. CID computed on ciphertext preserves content addressing.</li>
+                    <li><strong>Blob prefetch on sync</strong> &mdash; When posts are pulled from peers, their attachments are eagerly fetched for offline availability. Previously blobs were only fetched on view.</li>
+                    <li><strong>Crypto refactoring</strong> &mdash; Extracted reusable primitives: <code>encrypt_bytes_with_cek</code>, <code>decrypt_bytes_with_cek</code>, <code>unwrap_cek_for_recipient</code>, <code>unwrap_group_cek</code>. Foundation for encrypted blob storage and future chunk-level encryption.</li>
+                    <li><strong>Intent-based post filtering</strong> &mdash; Feed, My Posts, and Messages now filter on the author's original visibility intent (<code>intentKind</code>) rather than encryption state. Direct messages are identified by intent, not by being &ldquo;encrypted-for-me.&rdquo; Backward-compatible with pre-intent posts.</li>
+                    <li><strong>Blob decryption on retrieval</strong> &mdash; New <code>get_blob_for_post</code> API decrypts private blobs in context of their post&rsquo;s visibility. Public blobs pass through unchanged.</li>
+                    <li><strong>Download filename sanitization</strong> &mdash; Prevents path traversal in downloaded file names.</li>
+                </ul>
+
                 <div class="changelog-date">v0.3.4 &mdash; March 18, 2026</div>
                 <ul>
                     <li><strong>Comment edit &amp; delete</strong> &mdash; Edit or delete your own comments. Trust-based: post authors can also delete comments on their posts. Propagates via BlobHeaderDiff to all holders.</li>