Punch 20250915

README.md

@@ -205,7 +205,7 @@ The setup process consists of two main phases:
 │   ├── formulae.txt           # Homebrew formulae list
 │   ├── casks.txt              # Homebrew casks list
 │   ├── logrotate.conf         # Log rotation configuration
-│   ├── iterm2.plist           # iTerm2 profile settings
+│   ├── com.googlecode.iterm2.plist           # iTerm2 profile settings
 │   └── Orangebrew.terminal    # Terminal.app profile
 └── docs/                       # Documentation
     ├── setup/                 # Setup documentation

app-setup/plex-setup.sh

@@ -645,8 +645,8 @@ _try_ssh_host() {
 
   log "SSH connection details:"
   log "  Target host: '${host}'"
-  log "  SSH options: ConnectTimeout=5, BatchMode=yes"
-  log "  Command: ssh -o ConnectTimeout=5 -o BatchMode=yes '${host}' 'echo \"SSH_OK\"'"
+  log "  SSH options: StrictHostKeyChecking=no ConnectTimeout=5, BatchMode=yes"
+  log "  Command: ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -o BatchMode=yes '${host}' 'echo \"SSH_OK\"'"
 
   # Test basic connectivity first
   log "Checking basic network connectivity to ${host}..."
@@ -659,7 +659,7 @@ _try_ssh_host() {
   # Test SSH with verbose output captured
   log "Attempting SSH connection with detailed diagnostics..."
   local ssh_output
-  ssh_output=$(ssh -o ConnectTimeout=5 -o BatchMode=yes -v "${host}" 'echo "SSH_OK"' 2>&1)
+  ssh_output=$(ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -o BatchMode=yes -v "${host}" 'echo "SSH_OK"' 2>&1)
   local ssh_result=$?
 
   if [[ ${ssh_result} -eq 0 ]]; then
@@ -676,7 +676,7 @@ _try_ssh_host() {
     log "Additional SSH diagnostics:"
     ssh_version=$(ssh -V 2>&1)
     log "  SSH client version: ${ssh_version}"
-    log "  SSH config test: ssh -F /dev/null -o BatchMode=yes -o ConnectTimeout=5 '${host}' 'echo test' (would use system defaults)"
+    log "  SSH config test: ssh -F /dev/null -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 '${host}' 'echo test' (would use system defaults)"
 
     return 1
   fi
@@ -1435,7 +1435,8 @@ main() {
           if test_ssh_connection "${MIGRATE_FROM}" true >/dev/null 2>&1; then
             log "Manual hostname resolved successfully"
           else
-            log "⚠️  Manual hostname resolution failed - will attempt migration anyway"
+            log "❌️ ${MIGRATE_FROM} hostname resolution failed"
+            return 1
           fi
         fi
       else
@@ -1444,7 +1445,8 @@ main() {
         if test_ssh_connection "${MIGRATE_FROM}" true >/dev/null 2>&1; then
           log "Manual hostname resolved successfully"
         else
-          log "⚠️  Manual hostname resolution failed - will attempt migration anyway"
+          log "❌️ ${MIGRATE_FROM} hostname resolution failed"
+          return 1
         fi
       fi
     else

app-setup/templates/mount-nas-media.sh

@@ -70,7 +70,7 @@ wait_for_network() {
 test_mount() {
   # Test basic mount verification using user-based pattern
   if ! mount | grep "${WHOAMI}" | grep -q "${PLEX_MEDIA_MOUNT}"; then
-    log "❌ Mount not visible in system mount table for user ${WHOAMI}"
+    log "⚠️ Mount not visible in system mount table for user ${WHOAMI}"
     return 1
   fi
   log "✅ Mount verification successful (active mount found for ${WHOAMI})"

docs/apps/plex-setup-README.md

@@ -112,6 +112,22 @@ rsync -av --exclude='Cache' "~/Library/Application Support/Plex Media Server/" ~
 
 The script supports both local migration (files in `~/plex-migration/`) and remote migration via SSH.
 
+### SSH Security for Migration
+
+**SSH Host Key Verification**: For automated migration workflows, the script uses `StrictHostKeyChecking=no` to prevent blocking on unknown host keys during server-to-server transfers. This is intentional for migration scenarios where:
+
+- Target server may not have established SSH relationships with source servers
+- Migration typically occurs between trusted servers on the same network
+- Automation workflows need to proceed without manual intervention for host key acceptance
+
+**Security Context**: This setting is used specifically for:
+
+- Migration connection testing: `ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -o BatchMode=yes`
+- Automated file transfers during configuration migration
+- One-time setup operations between known server pairs
+
+**Note**: This does not affect ongoing SSH security for regular server operations, which continue to use standard SSH host key verification.
+
 ### Post-Migration: Home Screen Setup
 
 **⚠️ Important**: After migrating from an existing Plex server, you may need to re-pin your media sources to the home screen.

docs/operator.md

@@ -12,6 +12,8 @@ The system is configured to automatically log in as the operator user after rebo
 - **Desktop with clean dock** (iTerm, Plex, essential apps)
 - **Fast User Switching menu** in the menu bar (showing current user)
 
+> **📋 First Login Dialogs**: On first operator login, you may encounter Apple Setup Assistant dialogs. For guidance on handling these, see [Apple First-Boot Dialog Guide](setup/apple-first-boot-dialogs.md#operator-account-first-login)
+
 ## Automatic Setup
 
 ### 1. First-Login Customization

docs/setup/apple-first-boot-dialogs.md

@@ -0,0 +1,197 @@
+# Apple First-Boot Dialog Guide
+
+This guide provides step-by-step instructions for navigating Apple's Setup Assistant dialogs during initial Mac Mini configuration and operator account first login.
+
+## Admin Account Setup (Initial macOS Installation)
+
+When setting up the Mac Mini for the first time, you'll encounter these Apple dialogs in sequence:
+
+### 1. Language Selection
+
+- **Action**: Select your preferred language
+- **Recommendation**: Choose your primary language
+
+### 2. Region Selection
+
+- **Action**: Select your country/region
+- **Recommendation**: Choose your current location for proper timezone and regional settings
+
+### 3. Data Transfer & Migration
+
+- **Action**: Choose transfer method
+- **Options**:
+  - **iPhone/iPad Transfer** ✅ Recommended if available (requires iOS device with backup)
+  - **Time Machine Backup** (if you have an existing backup)
+  - **Don't transfer any information now** (manual setup)
+- **Note**: iPhone/iPad transfer can pre-configure WiFi, Apple ID, and other settings
+
+### 4. Accessibility
+
+- **Action**: Configure accessibility options
+- **Recommendation**: Configure as needed for your requirements, or skip if not needed
+
+### 5. Data & Privacy
+
+- **Action**: Review Apple's privacy policy
+- **Recommendation**: Continue after reading
+
+### 6. Create Administrator Account
+
+- **Full Name**: Will be pre-populated if you used iPhone/iPad transfer
+- **Account Name**: Will be pre-populated if you used iPhone/iPad transfer
+- **Password**: Create a strong password (you'll use this for first-boot setup)
+- **Hint**: Optional password hint
+
+### 7. Apple Account Configuration
+
+#### 7.1 Terms & Conditions
+
+- **Action**: Agree to Apple's Terms and Conditions
+- **Recommendation**: Review and agree
+
+#### 7.2 Customize Settings
+
+##### 7.2.1 Location Services
+
+- **Action**: Enable or disable location services
+- **Recommendation**: Enable for timezone and system functionality
+
+##### 7.2.2 Analytics & Improvement
+
+- **Action**: Choose whether to share analytics with Apple
+- **Recommendation**: Configure based on your privacy preferences
+
+##### 7.2.3 Screen Time
+
+- **Action**: Set up Screen Time monitoring
+- **Recommendation**: Skip for server setup
+
+##### 7.2.4 Apple Intelligence
+
+- **Action**: Configure Apple's AI features
+- **Recommendation**: Configure based on your preferences
+
+##### 7.2.5 FileVault Disk Encryption
+
+- **Action**: Choose whether to enable FileVault
+- **⚠️ CRITICAL**: **Turn OFF FileVault!**
+- **Reason**: FileVault prevents automatic login for the operator account
+- **Note**: This is essential for proper server operation
+
+##### 7.2.6 Touch ID
+
+- **Action**: Set up Touch ID fingerprint authentication
+- **Recommendation**: Set up for convenient sudo access during administration
+
+##### 7.2.7 Apple Pay
+
+- **Action**: Set up Apple Pay
+- **Recommendation**: Configure based on your preferences
+
+##### 7.2.8 Choose Your Look
+
+- **Action**: Select Light, Dark, or Auto appearance
+- **Recommendation**: Auto (adapts to time of day)
+
+##### 7.2.9 Software Updates
+
+- **Action**: Configure automatic update preferences
+- **Recommendation**: Enable automatic security updates, manual for system updates
+
+### 8. Continue Setup
+
+- **Action**: Complete the setup process
+- **Result**: Proceed to desktop
+
+### 9. Desktop
+
+- **Result**: macOS setup complete, ready for first-boot script execution
+
+---
+
+## Operator Account First Login
+
+When the operator account logs in for the first time, they'll encounter a simplified Setup Assistant:
+
+### 1. Accessibility
+
+- **Action**: Configure accessibility options
+- **Recommendation**: Configure as needed, or skip if not required
+
+### 2. Apple Account
+
+- **Action**: Sign in with Apple ID
+- **⚠️ RECOMMENDATION**: **Skip this step**
+- **Reason**: Server operations don't require operator Apple ID integration
+- **Note**: You can always add this later if needed
+
+### 3. Find My
+
+- **Action**: Enable Find My for the device
+- **Recommendation**: Configure based on your security preferences
+
+### 4. Analytics & Improvement
+
+- **Action**: Choose analytics sharing preferences
+- **Recommendation**: Configure based on privacy preferences
+
+### 5. Screen Time
+
+- **Action**: Set up Screen Time
+- **⚠️ RECOMMENDATION**: **Skip this step**
+- **Reason**: Not relevant for server operation
+
+### 6. Apple Intelligence
+
+- **Action**: Configure Apple AI features
+- **⚠️ RECOMMENDATION**: **Skip this step**
+- **Reason**: Not needed for server operation, may impact performance
+
+### 7. Touch ID Setup Assistant
+
+- **Action**: Set up Touch ID
+- **⚠️ RECOMMENDATION**: **Cancel/Skip this step**
+- **Reason**: Operator account uses automatic login, Touch ID not typically needed
+
+### 8. Choose Your Look
+
+- **Action**: Select appearance theme
+- **Recommendation**: Auto or user preference
+
+### 9. Continue
+
+- **Action**: Complete operator setup
+- **Result**: Proceed to desktop
+
+### 10. Desktop
+
+- **Result**: Operator account setup complete, automatic application launch will begin
+
+---
+
+## Important Notes
+
+### FileVault Warning
+
+**CRITICAL**: Ensure FileVault is disabled during admin account setup. FileVault encryption prevents the automatic login functionality required for proper server operation.
+
+### Account Purpose
+
+- **Admin Account**: Used for system administration, setup, and maintenance
+- **Operator Account**: Used for day-to-day server operation and automatic application launch
+
+### Setup Timing
+
+- Complete Apple dialogs **before** running `first-boot.sh`
+- Operator dialogs appear automatically on first operator login after reboot
+
+### Migration Assistant Benefits
+
+Using iPhone/iPad transfer during initial setup can significantly reduce manual configuration by pre-populating:
+
+- WiFi network settings
+- Apple ID information
+- Basic user account details
+- System preferences
+
+This reduces the overall setup time and ensures consistent configuration across your devices.

docs/setup/first-boot.md

@@ -16,6 +16,8 @@ The `first-boot.sh` script performs complete automated setup of your Mac Mini se
 5. **Reach the desktop** before proceeding
 6. **Enable AirDrop:** Press Cmd-Shift-R to open AirDrop, and select "Allow me to be discovered by: Everyone"
 
+> **📋 Detailed Setup Guide**: For step-by-step instructions on navigating Apple's Setup Assistant dialogs, see [Apple First-Boot Dialog Guide](apple-first-boot-dialogs.md)
+
 ### Transfer Setup Files
 
 1. **AirDrop the complete macmini-setup folder** from your development Mac
@@ -297,3 +299,43 @@ After successful first boot setup:
 4. **Run application setup scripts** in `~/app-setup/`
 
 The Mac Mini is now ready for native application deployment and service configuration.
+
+## Post-Setup Configuration
+
+### Safari Extension Syncing
+
+To sync Safari extensions across your devices (iPhone, iPad, Mac), enable extension syncing:
+
+1. **Open System Settings** → **Apple ID** → **iCloud**
+2. **Enable Safari syncing** if not already enabled
+3. **In Safari**: Go to **Safari** → **Settings** → **Extensions**
+4. **Enable "Sync Safari Extensions"** to share extensions across all your devices
+
+This ensures your Safari extensions are available on your Mac Mini server when accessing web interfaces for applications like Plex, Transmission, or other web-based management tools.
+
+**Reference**: [Safari Extension Syncing Guide](https://ios.gadgethacks.com/how-to/safari-now-lets-you-sync-and-manage-all-your-web-extensions-across-your-iphone-ipad-and-mac-0385127/)
+
+## Known Issues
+
+The following issues are known limitations of the current setup system:
+
+### Terminal Profiles
+
+**iTerm2 Profile Syncing**: iTerm2 profiles do not sync properly during automated setup. The profile files are copied correctly, but iTerm2 may not recognize or apply the imported settings immediately.
+
+**Workaround**:
+
+* Manually import profiles via iTerm2 → **Preferences** → **Profiles** → **Other Actions** → **Import JSON Profiles**
+* Or restart iTerm2 multiple times until profiles are recognized
+
+### System Notifications
+
+**Background Item Notifications**: macOS generates numerous "background item added" notifications during Homebrew package installation and application setup. These notifications cannot be automatically suppressed by the setup scripts.
+
+**Impact**:
+
+* Users will see multiple system notifications during setup
+* Notifications are informational and do not affect setup functionality
+* No user action required - notifications will clear automatically
+
+**Future Improvement**: Apple does not currently provide an API to suppress these notifications during automated setup processes.

docs/setup/prep-airdrop.md

@@ -106,7 +106,7 @@ macmini-setup/
 │   ├── config.conf              # Server settings
 │   ├── dev_fingerprint.conf     # Safety check data
 │   ├── formulae.txt             # Homebrew packages
-│   ├── iterm2.plist             # iTerm2 profile/settings (optional)
+│   ├── com.googlecode.iterm2.plist             # iTerm2 profile/settings (optional)
 │   ├── keychain_manifest.conf   # Keychain service identifiers
 │   ├── logrotate.conf
 │   ├── mac-server-setup-db      # External keychain file

prep-airdrop.sh

@@ -831,12 +831,7 @@ if [[ -d "${SCRIPT_SOURCE_DIR}" ]]; then
   if [[ "${USE_ITERM2:-false}" == "true" ]]; then
     if command -v it2check >/dev/null 2>&1; then
       echo "Exporting iTerm2 preferences..."
-      if defaults export com.googlecode.iterm2 "${OUTPUT_PATH}/config/iterm2.plist"; then
-        add_to_manifest "config/iterm2.plist" "OPTIONAL"
-        echo "iTerm2 preferences exported to deployment package"
-      else
-        echo "Warning: Failed to export iTerm2 preferences"
-      fi
+      copy_with_manifest "${HOME}/Library/Preferences/com.googlecode.iterm2.plist" "config/com.googlecode.iterm2.plist" "OPTIONAL"
     else
       echo "Warning: USE_ITERM2 is enabled but iTerm2 is not installed (it2check not found)"
     fi
@@ -890,6 +885,10 @@ chmod -R 755 "${OUTPUT_PATH}/app-setup"
 chmod 600 "${OUTPUT_PATH}/config/"* 2>/dev/null || true
 chmod 600 "${OUTPUT_PATH}/app-setup/config/"* 2>/dev/null || true
 
+# Ensure all shell scripts are executable
+echo "Making all shell scripts executable..."
+find "${OUTPUT_PATH}" -name '*.sh' -exec chmod -v a+rx {} \;
+
 # Create Keychain manifest for server-side credential access
 create_keychain_manifest