# Milestone 6: Deployment & Automation (The Release)
**Goal:** Finalize security and automate the installation for self-hosters.

### 1. Network Encryption
- [ ] **TCP TLS:** Wrap the server's `TcpListener` and client's `TcpStream` using `rustls`. Generate or require self-signed certificates for the server.
- [ ] **AI Context Trap (Crypto Nonce):** `chacha20poly1305` is completely compromised if a Nonce is reused. To avoid tracking state or sending large random bytes over UDP, strictly cast the `SequenceNumber` (u64) padded with zeros into a 12-byte array to act as a guaranteed-unique Nonce.
- [ ] **UDP Encryption:** Add `chacha20poly1305`. After Opus encoding, encrypt the payload byte array using a symmetric key negotiated during the TLS TCP handshake, before sending over UDP.

### 2. Dockerization
- [ ] **Dockerfile:** Write a multi-stage `Dockerfile`. Stage 1: `cargo build --release` using a minimal rust alpine image. Stage 2: Copy the binary to a scratch/debian container.
- [ ] **Docker Compose:** Write `docker-compose.yml` mapping ports `8080/tcp` (Control), `8080/udp` (Voice), and `3000/tcp` (Admin Dashboard), and volume-mapping the SQLite database file.

### 3. CI/CD & Auto-Installer
- [ ] **GitHub Actions:** Create `.github/workflows/release.yml`. Trigger on tags. Cross-compile binaries for `x86_64-linux`, `x86_64-windows`, and `aarch64-macos`.
- [ ] **Security Auditing:** Add `cargo audit` to the pipeline to automatically fail the build if a known CVE is discovered.
- [ ] **Install Script:** Write `scripts/install.sh`. The script downloads the correct binary via GitHub API, creates a non-root `voiceapp` user, and writes a `/etc/systemd/system/voiceapp.service` file.

### 4. The Final Stress Test
- [ ] **Load Tester Bot:** Build a standalone Rust binary (`tests/load_tester.rs`).
- [ ] **Concurrency:** Use Tokio to spawn 100+ async tasks. Each task connects via TCP, gets a SessionToken, and then blasts pre-recorded `.wav` data over UDP to the server at exactly 20ms intervals.
- [ ] **Verification:** Use the Admin Dashboard to verify the server handles the packet throughput without CPU spiking or crashing.