Audit fixes: key permissions, lock contention, Docker IP filter, doc updates

Security: identity.key written with 0600 permissions (Unix). Docker bridge
IPs (172.17-31.x) filtered from is_shareable_addr to prevent topology
disclosure in relay introductions.

Lock contention: ManifestPush relay and DeleteRecord CDN notify now gather
connections under lock, then send outside lock.

UI: syncBtn null guard prevents crash on hidden element.

Documentation: design.html version badge updated to v0.4.4. Self Last
Encounter threshold corrected from 3h to 4h. Multi-Device Identity section
rewritten for multi-identity-per-device (complete) + multi-device (planned)
+ post merge (planned). MEMORY.md updated to v0.4.4+ status.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

crates/core/src/network.rs

@@ -61,11 +61,22 @@ fn is_public_ip(ip: IpAddr) -> bool {
     }
 }
 
-/// Filter out addresses that are never useful to share (loopback, link-local, unspecified).
-/// Keeps LAN addresses (192.168.x, 10.x, 172.16-31.x) since peers might be on the same LAN.
+/// Filter out addresses that are never useful to share (loopback, link-local, unspecified,
+/// Docker bridge). Keeps common LAN addresses (192.168.x, 10.x) for same-WiFi discovery.
+/// Excludes 172.17-31.x (Docker/container bridges) to avoid topology disclosure.
 pub(crate) fn is_shareable_addr(addr: &SocketAddr) -> bool {
     match addr.ip() {
-        IpAddr::V4(v4) => !v4.is_loopback() && !v4.is_link_local() && !v4.is_unspecified(),
+        IpAddr::V4(v4) => {
+            if v4.is_loopback() || v4.is_link_local() || v4.is_unspecified() {
+                return false;
+            }
+            // Exclude Docker bridge range (172.17.0.0 - 172.31.255.255)
+            let octets = v4.octets();
+            if octets[0] == 172 && octets[1] >= 17 {
+                return false;
+            }
+            true
+        }
         IpAddr::V6(v6) => !v6.is_loopback() && !v6.is_unspecified(),
     }
 }