Action Required: upgrade to v4.2.2

v4.2.2 ships a follow-on security advisory (MM-SEC-5/6/7/8) that patches four additional authorization bugs uncovered after the v4.2.1 disclosure, plus a new admin convenience setting and several multi-source bug fixes.

Security: MM-SEC-5/6/7/8

Four authorization issues reachable on a fresh v4.2.1 install. All MeshMonitor 4.x deployments are affected until upgraded.

  • MM-SEC-5 (High) - GET /api/device/security-keys was gated on requireAuth() and returned the local node's PKI private key to any logged-in user. Now requireAdmin()-only.
  • MM-SEC-6 (Medium) - GET /api/channels/debug was a SELECT * pass-through that leaked raw channel PSKs to anyone with messages:read. Route removed; /api/channels and /api/channels/all already cover the legitimate use case with PSKs stripped.
  • MM-SEC-7 (Medium) - GET /api/sources/:id/channels was the sibling endpoint missed by the MM-SEC-2 fix in v4.2.1, leaking PSKs the same way. Now optionalAuth() + per-channel channel_N:read gating + the same transformChannel projection.
  • MM-SEC-8 (Low) - GET /api/sources/:id skipped the password / apiKey strip the list endpoint applies, leaking source credentials to non-admins with sources:read. Both endpoints now route through a shared stripSourceSecrets() helper.
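The shape of the MM-SEC-5/7/8 fixes, as an added illustration that is not MeshMonitor's own code: each route gets the right gate, and secrets are dropped by a single shared projection rather than per-route. Field names (password, apiKey, psk), permission strings (sources:read, channel_N:read) and the helper names follow the advisory; the sample rows, the user shape { isAdmin, permissions } and the error strings are assumptions.

```javascript
// Added example, not MeshMonitor's code. Constructed rows stand in for the database;
// user objects are { isAdmin: boolean, permissions: Set<string> } (assumed shape).
const SOURCES = [{ id: 1, name: "home-node", host: "10.0.0.5", password: "s3cret", apiKey: "ak_123" }];
const CHANNELS = { 1: [{ index: 0, name: "LongFast", psk: "AQ==" }, { index: 1, name: "private", psk: "k2" }] };

function requireAuth(user) {
  if (!user) throw new Error("401 unauthenticated");
}
// MM-SEC-5 fix: the private-key route must be admin-only, not merely logged-in.
function requireAdmin(user) {
  requireAuth(user);
  if (!user.isAdmin) throw new Error("403 admin only");
}
// optionalAuth(): anonymous callers proceed with an empty permission set.
function optionalAuth(user) {
  return user || { isAdmin: false, permissions: new Set() };
}
function can(user, perm) {
  return user.isAdmin || user.permissions.has(perm);
}
// MM-SEC-8 fix: one helper shared by the list and single-source routes, so
// neither route can skip the credential strip. Returns a new object.
function stripSourceSecrets(source) {
  const { password, apiKey, ...safe } = source;
  return safe;
}
// MM-SEC-7 fix: projection applied to every channel before it leaves the API.
function transformChannel(channel) {
  const { psk, ...safe } = channel;
  return safe;
}
// GET /api/device/security-keys
function getSecurityKeys(user, nodePrivateKey) {
  requireAdmin(user);
  return { privateKey: nodePrivateKey };
}
// GET /api/sources/:id (sources:read required, credentials never returned)
function getSource(user, id) {
  requireAuth(user);
  if (!can(user, "sources:read")) throw new Error("403 sources:read required");
  const row = SOURCES.find((s) => s.id === id);
  if (!row) throw new Error("404 not found");
  return stripSourceSecrets(row);
}
// GET /api/sources/:id/channels (per-channel channel_N:read gating, PSKs projected out)
function getSourceChannels(user, id) {
  const u = optionalAuth(user);
  return (CHANNELS[id] || []).filter((c) => can(u, `channel_${c.index}:read`)).map(transformChannel);
}
```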

After upgrading

  • Rotate your local node's PKI private key if you ran a multi-tenant or untrusted-user deployment of 4.2.1 or earlier. The leak via MM-SEC-5 cannot be undone retroactively.
  • Rotate any PSKs and source credentials that were exposed while non-admin users had access.

Full per-finding write-up: SECURITY_ADVISORY.md. Reported by The Official Mesh Admin. PR: #2915.

New: Admin-Configurable Default Landing Page

Admins can now choose what users see at the root URL: Unified View (default) or any single configured source. Find it under Settings → Appearance → Default Landing Page. The Sources button (in source view) and Back to Sources buttons (Unified Messages / Unified Telemetry) always return to the unified dashboard regardless of the configured default. Resolves #2917. PR: #2921.

Other fixes

  • Auto Traceroute checkbox now hydrates from the per-source value instead of a stale global (#2918).
  • Multi-source routing for Exchange Node Info / Position / Neighbor Info now honors the selected source instead of the default (#2916).
  • Position override now writes to the live source row instead of the legacy default row (#2913).
  • Auto-upgrade sidecar now clears the stale .upgrade-status file before triggering a new upgrade (#2920).
  • Desktop script storage now honors DATA_DIR (#2919).
  • Desktop x64 macOS DMG now ships with x64 native binaries (#2912).
  • /api/scan-remote-admin handles empty request bodies (#2910).