NovaFuture is proud to announce the official release of PeerBox! A 100% P2P messaging system for Linux, fully open source. Runs on SSH over Tor for maximum security. No account required, no spam possible. Please share the word.

  • NovaFuture@lemmy.worldOP
    6 days ago

    Thanks for the detailed review, really appreciate it — this is exactly the kind of feedback the project needed before a public release.

    You were right on two of the three points, and I’ve just pushed fixes to Codeberg (commit 93b8985):

    GPG: you nailed it. config.py was silently reusing the user’s personal ~/.gnupg keyring if a key was present, which is obviously wrong for an identity-isolated app. Fixed: PeerBox now uses a dedicated keyring at system/gpg/ with --homedir enforced on every gpg call. Existing users get their key auto-migrated on next config.py run so contacts don’t break.

    Dependencies: install_pysocks() was calling pip install --break-system-packages at runtime, which is indefensible. Removed entirely — it was actually dead code (never called) but still a trap. Documented PySocks in the README as a required pip dep alongside cryptography and pywebview. The broader venv/lockfile refactor is a bigger chantier, planned for phase 6.

    SSH keys: here I have to push back a bit — ssh_setup.py does generate a dedicated id_rsa_peerbox key, never reuses id_rsa or id_ed25519. BUT you indirectly uncovered a real bug: request_creator.py had a silent fallback reading id_rsa.pub / id_ed25519.pub if id_rsa_peerbox.pub was missing. That’s gone now too.

    Quill 1.3.7 → 2.0.3: fair point, on the roadmap for this weekend. Non-minified too for auditability.

    Seriously, thanks for taking the time to read the code and call out what needed calling out. This is what keeps small projects honest.
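The two isolation fixes described in the comment above (a dedicated GPG keyring with `--homedir` on every call, and no fallback to personal SSH keys), as an added sketch that is not PeerBox's own code. The function names, the wrapper structure and the relative `system/gpg` path handling are assumptions.

```python
import os
import subprocess
from pathlib import Path

# Assumed location: the comment names "system/gpg/" relative to the app.
APP_GPG_HOME = Path("system/gpg")


def ensure_homedir(home: Path) -> Path:
    """Create the dedicated keyring directory with owner-only permissions."""
    home.mkdir(parents=True, exist_ok=True)
    os.chmod(home, 0o700)  # gpg warns about unsafe permissions otherwise
    return home.resolve()


def gpg_argv(home: Path, *args: str) -> list[str]:
    """Build a gpg command line pinned to the dedicated keyring."""
    if any(a == "--homedir" or a.startswith("--homedir=") for a in args):
        raise ValueError("caller may not override --homedir")
    return ["gpg", "--homedir", str(home), "--batch", "--no-tty", *args]


def run_gpg(home: Path, *args: str) -> subprocess.CompletedProcess:
    """Single choke point for gpg calls, so no call site can omit --homedir."""
    # --homedir takes precedence over GNUPGHOME; the variable is dropped
    # anyway so nothing in the child environment names the personal keyring.
    env = {k: v for k, v in os.environ.items() if k != "GNUPGHOME"}
    return subprocess.run(gpg_argv(ensure_homedir(home), *args),
                          env=env, capture_output=True, text=True, check=False)


def app_pubkey(ssh_dir: Path, name: str = "id_rsa_peerbox.pub") -> str:
    """Return the app's own SSH public key; fail closed if it is missing."""
    path = ssh_dir / name
    if not path.is_file():
        # No fallback to id_rsa.pub / id_ed25519.pub: using a personal key
        # would link the app identity to the user's other SSH activity.
        raise FileNotFoundError(f"{path} is missing; refusing to use a personal key")
    return path.read_text().strip()
```

Routing every call through one wrapper is what makes "enforced on every gpg call" checkable: a search for direct `subprocess` invocations of `gpg` outside it should return nothing.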